sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-12-10 04:23:50 +03:00
Code Activity

r20640: Commit part 2/2

Browse Source 
Update Heimdal to match current lorikeet-heimdal.  This includes
integrated PAC hooks, so Samba doesn't have to handle this any more.

This also brings in the PKINIT code, hence so many new files.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett
2007-01-10 01:57:32 +00:00
committed by Gerald (Jerry) Carter
parent 75fddbbc08
commit 351f7040f7
176 changed files with 30918 additions and 2906 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
source/heimdal/cf/check-var.m4
View File

@@ -23,3 +23,5 @@ if test "$ac_foo" = yes; then
fi
])
AC_WARNING_ENABLE([obsolete])
AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo])

542
source/heimdal/kdc/digest.c
View File

@@ -32,10 +32,112 @@
*/
#include "kdc_locl.h"
#include <digest_asn1.h>
#include <hex.h>
RCSID("$Id: digest.c,v 1.7 2006/10/22 20:11:44 lha Exp $");
RCSID("$Id: digest.c,v 1.19 2006/12/28 17:03:51 lha Exp $");
#define CHAP_MD5 0x10
#define DIGEST_MD5 0x08
#define NTLM_V2 0x04
#define NTLM_V1_SESSION 0x02
#define NTLM_V1 0x01
const struct units _kdc_digestunits[] = {
{"chap-md5", 1U << 4},
{"digest-md5", 1U << 3},
{"ntlm-v2", 1U << 2},
{"ntlm-v1-session", 1U << 1},
{"ntlm-v1", 1U << 0},
{NULL, 0}
};
static krb5_error_code
get_digest_key(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *server,
krb5_crypto *crypto)
{
krb5_error_code ret;
krb5_enctype enctype;
Key *key;
ret = _kdc_get_preferred_key(context,
config,
server,
"digest-service",
&enctype,
&key);
if (ret)
return ret;
return krb5_crypto_init(context, &key->key, 0, crypto);
}
/*
*
*/
static char *
get_ntlm_targetname(krb5_context context,
hdb_entry_ex *client)
{
char *targetname, *p;
targetname = strdup(krb5_principal_get_realm(context,
client->entry.principal));
if (targetname == NULL)
return NULL;
p = strchr(targetname, '.');
if (p)
*p = '\0';
strupr(targetname);
return targetname;
}
static krb5_error_code
fill_targetinfo(krb5_context context,
char *targetname,
hdb_entry_ex *client,
krb5_data *data)
{
struct ntlm_targetinfo ti;
krb5_error_code ret;
struct ntlm_buf d;
krb5_principal p;
const char *str;
memset(&ti, 0, sizeof(ti));
ti.domainname = targetname;
p = client->entry.principal;
str = krb5_principal_get_comp_string(context, p, 0);
if (str != NULL &&
(strcmp("host", str) == 0 ||
strcmp("ftp", str) == 0 ||
strcmp("imap", str) == 0 ||
strcmp("pop", str) == 0 ||
strcmp("smtp", str)))
{
str = krb5_principal_get_comp_string(context, p, 1);
ti.dnsservername = rk_UNCONST(str);
}
ret = heim_ntlm_encode_targetinfo(&ti, 1, &d);
if (ret)
return ret;
data->data = d.data;
data->length = d.length;
return 0;
}
/*
*
*/
krb5_error_code
_kdc_do_digest(krb5_context context,
@@ -57,11 +159,13 @@ _kdc_do_digest(krb5_context context,
krb5_storage *sp = NULL;
Checksum res;
hdb_entry_ex *server = NULL, *user = NULL;
char *password = NULL;
hdb_entry_ex *client = NULL;
char *client_name = NULL, *password = NULL;
krb5_data serverNonce;
if(!config->enable_digest) {
kdc_log(context, config, 0, "Rejected digest request from %s", from);
kdc_log(context, config, 0,
"Rejected digest request (disabled) from %s", from);
return KRB5KDC_ERR_POLICY;
}
@@ -125,6 +229,7 @@ _kdc_do_digest(krb5_context context,
krb5_free_principal(context, principal);
goto out;
}
krb5_clear_error_string(context);
ret = _kdc_db_fetch(context, config, principal,
HDB_F_GET_SERVER, NULL, &server);
@@ -137,12 +242,17 @@ _kdc_do_digest(krb5_context context,
/* check the client is allowed to do digest auth */
{
krb5_principal principal = NULL;
hdb_entry_ex *client;
ret = krb5_ticket_get_client(context, ticket, &principal);
if (ret)
goto out;
ret = krb5_unparse_name(context, principal, &client_name);
if (ret) {
krb5_free_principal(context, principal);
goto out;
}
ret = _kdc_db_fetch(context, config, principal,
HDB_F_GET_CLIENT, NULL, &client);
krb5_free_principal(context, principal);
@@ -150,13 +260,15 @@ _kdc_do_digest(krb5_context context,
goto out;
if (client->entry.flags.allow_digest == 0) {
kdc_log(context, config, 0,
"Client %s tried to use digest "
"but is not allowed to",
client_name);
krb5_set_error_string(context,
"Client is not permitted to use digest");
ret = KRB5KDC_ERR_POLICY;
_kdc_free_ent (context, client);
goto out;
}
_kdc_free_ent (context, client);
}
/* unpack request */
@@ -192,6 +304,9 @@ _kdc_do_digest(krb5_context context,
goto out;
}
kdc_log(context, config, 0, "Valid digest request from %s (%s)",
client_name, from);
/*
* Process the inner request
*/
@@ -289,22 +404,9 @@ _kdc_do_digest(krb5_context context,
goto out;
}
{
Key *key;
krb5_enctype enctype;
ret = _kdc_get_preferred_key(context,
config,
server,
"digest-service",
&enctype,
&key);
if (ret)
goto out;
ret = krb5_crypto_init(context, &key->key, 0, &crypto);
if (ret)
goto out;
}
ret = get_digest_key(context, config, server, &crypto);
if (ret)
goto out;
ret = krb5_create_checksum(context,
crypto,
@@ -337,6 +439,9 @@ _kdc_do_digest(krb5_context context,
goto out;
}
kdc_log(context, config, 0, "Digest %s init request successful from %s",
ireq.u.init.type, from);
break;
}
case choice_DigestReqInner_digestRequest: {
@@ -349,7 +454,11 @@ _kdc_do_digest(krb5_context context,
krb5_set_error_string(context, "out of memory");
goto out;
}
krb5_store_stringz(sp, ireq.u.digestRequest.type);
ret = krb5_store_stringz(sp, ireq.u.digestRequest.type);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce);
if (ireq.u.digestRequest.identifier) {
@@ -421,22 +530,9 @@ _kdc_do_digest(krb5_context context,
serverNonce.length = ssize;
}
{
Key *key;
krb5_enctype enctype;
ret = _kdc_get_preferred_key(context,
config,
server,
"digest-service",
&enctype,
&key);
if (ret)
goto out;
ret = krb5_crypto_init(context, &key->key, 0, &crypto);
if (ret)
goto out;
}
ret = get_digest_key(context, config, server, &crypto);
if (ret)
goto out;
ret = krb5_verify_checksum(context, crypto,
KRB5_KU_DIGEST_OPAQUE,
@@ -493,6 +589,11 @@ _kdc_do_digest(krb5_context context,
unsigned char md[MD5_DIGEST_LENGTH];
char id;
if ((config->digests_allowed & CHAP_MD5) == 0) {
kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
goto out;
}
if (ireq.u.digestRequest.identifier == NULL) {
krb5_set_error_string(context, "Identifier missing "
"from CHAP request");
@@ -524,6 +625,11 @@ _kdc_do_digest(krb5_context context,
unsigned char md[MD5_DIGEST_LENGTH];
char *A1, *A2;
if ((config->digests_allowed & DIGEST_MD5) == 0) {
kdc_log(context, config, 0, "Digest SASL MD5 not allowed");
goto out;
}
if (ireq.u.digestRequest.nonceCount == NULL)
goto out;
if (ireq.u.digestRequest.clientNonce == NULL)
@@ -627,6 +733,358 @@ _kdc_do_digest(krb5_context context,
r.u.error.code = EINVAL;
}
kdc_log(context, config, 0, "Digest %s request successful %s",
ireq.u.digestRequest.type, from);
break;
}
case choice_DigestReqInner_ntlmInit:
if ((config->digests_allowed & (NTLM_V1|NTLM_V1_SESSION|NTLM_V2)) == 0) {
kdc_log(context, config, 0, "NTLM not allowed");
goto out;
}
r.element = choice_DigestRepInner_ntlmInitReply;
r.u.ntlmInitReply.flags = NTLM_NEG_UNICODE;
if ((ireq.u.ntlmInit.flags & NTLM_NEG_UNICODE) == 0) {
kdc_log(context, config, 0, "NTLM client have no unicode");
goto out;
}
if (ireq.u.ntlmInit.flags & NTLM_NEG_NTLM)
r.u.ntlmInitReply.flags |= NTLM_NEG_NTLM;
else {
kdc_log(context, config, 0, "NTLM client doesn't support NTLM");
goto out;
}
r.u.ntlmInitReply.flags |=
NTLM_NEG_TARGET_DOMAIN |
NTLM_ENC_128;
#define ALL \
NTLM_NEG_SIGN| \
NTLM_NEG_SEAL| \
NTLM_NEG_ALWAYS_SIGN| \
NTLM_NEG_NTLM2_SESSION| \
NTLM_NEG_KEYEX
r.u.ntlmInitReply.flags |= (ireq.u.ntlmInit.flags & (ALL));
#undef ALL
r.u.ntlmInitReply.targetname =
get_ntlm_targetname(context, client);
if (r.u.ntlmInitReply.targetname == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
r.u.ntlmInitReply.challange.data = malloc(8);
if (r.u.ntlmInitReply.challange.data == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
r.u.ntlmInitReply.challange.length = 8;
if (RAND_bytes(r.u.ntlmInitReply.challange.data,
r.u.ntlmInitReply.challange.length) != 1)
{
krb5_set_error_string(context, "out of random error");
ret = ENOMEM;
goto out;
}
/* XXX fix targetinfo */
ALLOC(r.u.ntlmInitReply.targetinfo);
if (r.u.ntlmInitReply.targetinfo == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
ret = fill_targetinfo(context,
r.u.ntlmInitReply.targetname,
client,
r.u.ntlmInitReply.targetinfo);
if (ret) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
/*
* Save data encryted in opaque for the second part of the
* ntlm authentication
*/
sp = krb5_storage_emem();
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
goto out;
}
ret = krb5_storage_write(sp, r.u.ntlmInitReply.challange.data, 8);
if (ret != 8) {
ret = ENOMEM;
krb5_set_error_string(context, "storage write challange");
goto out;
}
ret = krb5_store_uint32(sp, r.u.ntlmInitReply.flags);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
ret = krb5_storage_to_data(sp, &buf);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
ret = get_digest_key(context, config, server, &crypto);
if (ret)
goto out;
ret = krb5_encrypt(context, crypto, KRB5_KU_DIGEST_OPAQUE,
buf.data, buf.length, &r.u.ntlmInitReply.opaque);
krb5_data_free(&buf);
krb5_crypto_destroy(context, crypto);
crypto = NULL;
if (ret)
goto out;
kdc_log(context, config, 0, "NTLM init from %s", from);
break;
case choice_DigestReqInner_ntlmRequest: {
krb5_principal clientprincipal;
unsigned char sessionkey[16];
unsigned char challange[8];
uint32_t flags;
Key *key = NULL;
int version;
r.element = choice_DigestRepInner_ntlmResponse;
r.u.ntlmResponse.success = 0;
r.u.ntlmResponse.flags = 0;
r.u.ntlmResponse.sessionkey = NULL;
r.u.ntlmResponse.tickets = NULL;
/* get username */
ret = krb5_parse_name(context,
ireq.u.ntlmRequest.username,
&clientprincipal);
if (ret)
goto out;
ret = _kdc_db_fetch(context, config, clientprincipal,
HDB_F_GET_CLIENT, NULL, &user);
krb5_free_principal(context, clientprincipal);
if (ret) {
krb5_set_error_string(context, "NTLM user %s not in database",
ireq.u.ntlmRequest.username);
goto out;
}
ret = get_digest_key(context, config, server, &crypto);
if (ret)
goto out;
ret = krb5_decrypt(context, crypto, KRB5_KU_DIGEST_OPAQUE,
ireq.u.ntlmRequest.opaque.data,
ireq.u.ntlmRequest.opaque.length, &buf);
krb5_crypto_destroy(context, crypto);
crypto = NULL;
if (ret)
goto out;
sp = krb5_storage_from_data(&buf);
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
goto out;
}
ret = krb5_storage_read(sp, challange, sizeof(challange));
if (ret != sizeof(challange)) {
krb5_set_error_string(context, "NTLM storage read challange");
ret = ENOMEM;
goto out;
}
ret = krb5_ret_uint32(sp, &flags);
if (ret) {
krb5_set_error_string(context, "NTLM storage read flags");
goto out;
}
krb5_data_free(&buf);
if ((flags & NTLM_NEG_NTLM) == 0) {
ret = EINVAL;
krb5_set_error_string(context, "NTLM not negotiated");
goto out;
}
ret = hdb_enctype2key(context, &user->entry,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_string(context, "NTLM missing arcfour key");
goto out;
}
/* check if this is NTLMv2 */
if (ireq.u.ntlmRequest.ntlm.length != 24) {
struct ntlm_buf infotarget, answer;
char *targetname;
if ((config->digests_allowed & NTLM_V2) == 0) {
kdc_log(context, config, 0, "NTLM v2 not allowed");
goto out;
}
version = 2;
targetname = get_ntlm_targetname(context, client);
if (targetname == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
answer.length = ireq.u.ntlmRequest.ntlm.length;
answer.data = ireq.u.ntlmRequest.ntlm.data;
ret = heim_ntlm_verify_ntlm2(key->key.keyvalue.data,
key->key.keyvalue.length,
ireq.u.ntlmRequest.username,
targetname,
0,
challange,
&answer,
&infotarget,
sessionkey);
free(targetname);
if (ret) {
krb5_set_error_string(context, "NTLM v2 verify failed");
goto out;
}
/* XXX verify infotarget matches client (checksum ?) */
free(infotarget.data);
/* */
} else {
struct ntlm_buf answer;
version = 1;
if (flags & NTLM_NEG_NTLM2_SESSION) {
char sessionhash[MD5_DIGEST_LENGTH];
MD5_CTX md5ctx;
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
kdc_log(context, config, 0, "NTLM v1-session not allowed");
goto out;
}
if (ireq.u.ntlmRequest.lm.length != 24) {
krb5_set_error_string(context, "LM hash have wrong length "
"for NTLM session key");
ret = EINVAL;
goto out;
}
MD5_Init(&md5ctx);
MD5_Update(&md5ctx, challange, sizeof(challange));
MD5_Update(&md5ctx, ireq.u.ntlmRequest.lm.data, 8);
MD5_Final(sessionhash, &md5ctx);
memcpy(challange, sessionhash, sizeof(challange));
} else {
if ((config->digests_allowed & NTLM_V1) == 0) {
kdc_log(context, config, 0, "NTLM v1 not allowed");
goto out;
}
}
ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
key->key.keyvalue.length,
challange, &answer);
if (ret) {
krb5_set_error_string(context, "NTLM missing arcfour key");
goto out;
}
if (ireq.u.ntlmRequest.ntlm.length != answer.length ||
memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0)
{
free(answer.data);
ret = EINVAL;
krb5_set_error_string(context, "NTLM hash mismatch");
goto out;
}
free(answer.data);
{
MD4_CTX ctx;
MD4_Init(&ctx);
MD4_Update(&ctx,
key->key.keyvalue.data, key->key.keyvalue.length);
MD4_Final(sessionkey, &ctx);
}
}
if (ireq.u.ntlmRequest.sessionkey) {
unsigned char masterkey[MD4_DIGEST_LENGTH];
RC4_KEY rc4;
size_t len;
if ((flags & NTLM_NEG_KEYEX) == 0) {
krb5_set_error_string(context,
"NTLM client failed to neg key "
"exchange but still sent key");
goto out;
}
len = ireq.u.ntlmRequest.sessionkey->length;
if (len != sizeof(masterkey)){
krb5_set_error_string(context,
"NTLM master key wrong length: %lu",
(unsigned long)len);
goto out;
}
RC4_set_key(&rc4, sizeof(sessionkey), sessionkey);
RC4(&rc4, sizeof(masterkey),
ireq.u.ntlmRequest.sessionkey->data,
masterkey);
memset(&rc4, 0, sizeof(rc4));
r.u.ntlmResponse.sessionkey =
malloc(sizeof(*r.u.ntlmResponse.sessionkey));
if (r.u.ntlmResponse.sessionkey == NULL) {
krb5_set_error_string(context, "out of memory");
goto out;
}
ret = krb5_data_copy(r.u.ntlmResponse.sessionkey,
masterkey, sizeof(masterkey));
if (ret) {
krb5_set_error_string(context, "out of memory");
goto out;
}
}
r.u.ntlmResponse.success = 1;
kdc_log(context, config, 0, "NTLM version %d successful for %s",
version, ireq.u.ntlmRequest.username);
break;
}
default:
@@ -698,10 +1156,14 @@ out:
_kdc_free_ent (context, user);
if (server)
_kdc_free_ent (context, server);
if (client)
_kdc_free_ent (context, client);
if (password) {
memset(password, 0, strlen(password));
free (password);
}
if (client_name)
free (client_name);
krb5_data_free(&buf);
krb5_data_free(&serverNonce);
free_DigestREP(&rep);

9
source/heimdal/kdc/headers.h
View File

@@ -32,7 +32,7 @@
*/
/*
* $Id: headers.h,v 1.18 2006/10/17 02:22:17 lha Exp $
* $Id: headers.h,v 1.22 2007/01/04 00:15:34 lha Exp $
*/
#ifndef __HEADERS_H__
@@ -72,6 +72,9 @@
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
@@ -89,10 +92,14 @@
#include <krb5.h>
#include <krb5_locl.h>
#include <digest_asn1.h>
#include <kx509_asn1.h>
#include <hdb.h>
#include <hdb_err.h>
#include <der.h>
#include <heimntlm.h>
#include <windc_plugin.h>
#undef ALLOC
#define ALLOC(X) ((X) = malloc(sizeof(*(X))))
#undef ALLOC_SEQ

56
source/heimdal/kdc/kdc-private.h
View File

@@ -14,6 +14,13 @@ _kdc_add_KRB5SignedPath (
KRB5SignedPathPrincipals */*principals*/,
EncTicketPart */*tkt*/);
krb5_error_code
_kdc_add_inital_verified_cas (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
pk_client_params */*params*/,
EncTicketPart */*tkt*/);
krb5_error_code
_kdc_as_rep (
krb5_context /*context*/,
@@ -89,6 +96,15 @@ _kdc_do_kaserver (
const char */*from*/,
struct sockaddr_in */*addr*/);
krb5_error_code
_kdc_do_kx509 (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
const Kx509Request */*req*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr */*addr*/);
krb5_error_code
_kdc_do_version4 (
krb5_context /*context*/,
@@ -182,6 +198,20 @@ _kdc_maybe_version4 (
unsigned char */*buf*/,
int /*len*/);
krb5_error_code
_kdc_pac_generate (
krb5_context /*context*/,
hdb_entry_ex */*client*/,
krb5_pac */*pac*/);
krb5_error_code
_kdc_pac_verify (
krb5_context /*context*/,
const krb5_principal /*client_principal*/,
hdb_entry_ex */*client*/,
hdb_entry_ex */*server*/,
krb5_pac */*pac*/);
krb5_error_code
_kdc_pk_check_client (
krb5_context /*context*/,
@@ -230,6 +260,30 @@ _kdc_tgs_rep (
KDC_REQ */*req*/,
krb5_data */*data*/,
const char */*from*/,
struct sockaddr */*from_addr*/);
struct sockaddr */*from_addr*/,
int /*datagram_reply*/);
krb5_error_code
_kdc_tkt_add_if_relevant_ad (
krb5_context /*context*/,
EncTicketPart */*tkt*/,
int /*type*/,
const krb5_data */*data*/);
krb5_error_code
_kdc_try_kx509_request (
void */*ptr*/,
size_t /*len*/,
Kx509Request */*req*/,
size_t */*size*/);
krb5_error_code
_kdc_windc_client_access (
krb5_context /*context*/,
struct hdb_entry_ex */*client*/,
KDC_REQ */*req*/);
krb5_error_code
_kdc_windc_init (krb5_context /*context*/);
#endif /* __kdc_private_h__ */

6
source/heimdal/kdc/kdc.h
View File

@@ -35,7 +35,7 @@
*/
/*
* $Id: kdc.h,v 1.9 2006/10/09 15:34:07 lha Exp $
* $Id: kdc.h,v 1.11 2006/12/28 21:06:56 lha Exp $
*/
#ifndef __KDC_H__
@@ -81,8 +81,12 @@ typedef struct krb5_kdc_configuration {
int pkinit_dh_min_bits;
int enable_digest;
int digests_allowed;
size_t max_datagram_reply_length;
int enable_kx509;
} krb5_kdc_configuration;
#include <kdc-protos.h>

4
source/heimdal/kdc/kdc_locl.h
View File

@@ -32,7 +32,7 @@
*/
/*
* $Id: kdc_locl.h,v 1.74 2005/12/12 12:23:33 lha Exp $
* $Id: kdc_locl.h,v 1.76 2006/12/26 17:18:14 lha Exp $
*/
#ifndef __KDC_LOCL_H__
@@ -55,6 +55,8 @@ extern int enable_http;
extern int detach_from_console;
extern const struct units _kdc_digestunits[];
#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf"
#define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log"

271
source/heimdal/kdc/kerberos5.c
View File

@@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: kerberos5.c,v 1.225 2006/11/10 03:36:32 lha Exp $");
RCSID("$Id: kerberos5.c,v 1.231 2007/01/04 13:27:27 lha Exp $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -634,6 +634,69 @@ get_pa_etype_info2(krb5_context context,
return 0;
}
/*
*
*/
static void
log_as_req(krb5_context context,
krb5_kdc_configuration *config,
krb5_enctype cetype,
krb5_enctype setype,
const KDC_REQ_BODY *b)
{
krb5_error_code ret;
struct rk_strpool *p = NULL;
char *str;
int i;
for (i = 0; i < b->etype.len; i++) {
ret = krb5_enctype_to_string(context, b->etype.val[i], &str);
if (ret == 0) {
p = rk_strpoolprintf(p, "%s", str);
free(str);
} else
p = rk_strpoolprintf(p, "%d", b->etype.val[i]);
if (p && i + 1 < b->etype.len)
p = rk_strpoolprintf(p, ", ");
if (p == NULL) {
kdc_log(context, config, 0, "out of memory");
return;
}
}
if (p == NULL)
p = rk_strpoolprintf(p, "no encryption types");
str = rk_strpoolcollect(p);
kdc_log(context, config, 0, "Client supported enctypes: %s", str);
free(str);
{
char *cet;
char *set;
ret = krb5_enctype_to_string(context, cetype, &cet);
if(ret == 0) {
ret = krb5_enctype_to_string(context, setype, &set);
if (ret == 0) {
kdc_log(context, config, 5, "Using %s/%s", cet, set);
free(set);
}
free(cet);
}
if (ret != 0)
kdc_log(context, config, 5, "Using e-types %d/%d", cetype, setype);
}
{
char str[128];
unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(),
str, sizeof(str));
if(*str)
kdc_log(context, config, 2, "Requested flags: %s", str);
}
}
/*
* verify the flags on `client' and `server', returning 0
* if they are OK and generating an error messages and returning
@@ -798,6 +861,39 @@ _kdc_check_addresses(krb5_context context,
return result;
}
/*
*
*/
static krb5_boolean
send_pac_p(krb5_context context, KDC_REQ *req)
{
krb5_error_code ret;
PA_PAC_REQUEST pacreq;
PA_DATA *pa;
int i = 0;
pa = _kdc_find_padata(req, &i, KRB5_PADATA_PA_PAC_REQUEST);
if (pa == NULL)
return TRUE;
ret = decode_PA_PAC_REQUEST(pa->padata_value.data,
pa->padata_value.length,
&pacreq,
NULL);
if (ret)
return TRUE;
i = pacreq.include_pac;
free_PA_PAC_REQUEST(&pacreq);
if (i == 0)
return FALSE;
return TRUE;
}
/*
*
*/
krb5_error_code
_kdc_as_rep(krb5_context context,
krb5_kdc_configuration *config,
@@ -882,6 +978,10 @@ _kdc_as_rep(krb5_context context,
goto out;
}
ret = _kdc_windc_client_access(context, client, req);
if(ret)
goto out;
ret = _kdc_check_flags(context, config,
client, client_name,
server, server_name,
@@ -889,13 +989,6 @@ _kdc_as_rep(krb5_context context,
if(ret)
goto out;
if (client->check_client_access) {
ret = client->check_client_access(context, client,
b->addresses);
if(ret)
goto out;
}
memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek));
@@ -1224,57 +1317,7 @@ _kdc_as_rep(krb5_context context,
}
}
{
struct rk_strpool *p = NULL;
char *str;
int i;
for (i = 0; i < b->etype.len; i++) {
ret = krb5_enctype_to_string(context, b->etype.val[i], &str);
if (ret == 0) {
p = rk_strpoolprintf(p, "%s", str);
free(str);
} else
p = rk_strpoolprintf(p, "%d", b->etype.val[i]);
if (p && i + 1 < b->etype.len)
p = rk_strpoolprintf(p, ", ");
if (p == NULL) {
kdc_log(context, config, 0, "out of memory");
goto out;
}
}
if (p == NULL)
p = rk_strpoolprintf(p, "no encryption types");
str = rk_strpoolcollect(p);
kdc_log(context, config, 0, "Client supported enctypes: %s", str);
free(str);
}
{
char *cet;
char *set;
ret = krb5_enctype_to_string(context, cetype, &cet);
if(ret == 0) {
ret = krb5_enctype_to_string(context, setype, &set);
if (ret == 0) {
kdc_log(context, config, 5, "Using %s/%s", cet, set);
free(set);
}
free(cet);
}
if (ret != 0)
kdc_log(context, config, 5, "Using e-types %d/%d", cetype, setype);
}
{
char str[128];
unparse_flags(KDCOptions2int(f), asn1_KDCOptions_units(),
str, sizeof(str));
if(*str)
kdc_log(context, config, 2, "Requested flags: %s", str);
}
log_as_req(context, config, cetype, setype, b);
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
|| (f.request_anonymous && !config->allow_anonymous)) {
@@ -1330,7 +1373,9 @@ _kdc_as_rep(krb5_context context,
goto out;
}
krb5_generate_random_keyblock(context, sessionetype, &et.key);
ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
if (ret)
goto out;
copy_PrincipalName(&rep.cname, &et.cname);
copy_Realm(&rep.crealm, &et.crealm);
@@ -1469,6 +1514,12 @@ _kdc_as_rep(krb5_context context,
&reply_key, rep.padata);
if (ret)
goto out;
ret = _kdc_add_inital_verified_cas(context,
config,
pkp,
&et);
if (ret)
goto out;
}
#endif
@@ -1479,16 +1530,37 @@ _kdc_as_rep(krb5_context context,
rep.padata = NULL;
}
/* Add the PAC, via a HDB abstraction */
if (client->authz_data_as_req) {
ret = client->authz_data_as_req(context, client,
req->padata,
et.authtime,
&skey->key,
&et.key,
&et.authorization_data);
/* Add the PAC */
if (send_pac_p(context, req)) {
krb5_pac p = NULL;
krb5_data data;
ret = _kdc_pac_generate(context, client, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
client_name);
goto out;
}
if (p != NULL) {
ret = _krb5_pac_sign(context, p, et.authtime,
client->entry.principal,
&skey->key, /* Server key */
&skey->key, /* FIXME: should be krbtgt key */
&data);
krb5_pac_free(context, p);
if (ret) {
kdc_log(context, config, 0, "PAC signing failed for -- %s",
client_name);
goto out;
}
ret = _kdc_tkt_add_if_relevant_ad(context, &et,
KRB5_AUTHDATA_WIN2K_PAC,
&data);
krb5_data_free(&data);
if (ret)
goto out;
goto out;
}
}
_kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime,
@@ -1552,3 +1624,64 @@ out2:
_kdc_free_ent(context, server);
return ret;
}
/*
* Add the AuthorizationData `data<74> of `type<70> to the last element in
* the sequence of authorization_data in `tkt<6B> wrapped in an IF_RELEVANT
*/
krb5_error_code
_kdc_tkt_add_if_relevant_ad(krb5_context context,
EncTicketPart *tkt,
int type,
const krb5_data *data)
{
krb5_error_code ret;
size_t size;
if (tkt->authorization_data == NULL) {
tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
if (tkt->authorization_data == NULL) {
krb5_set_error_string(context, "out of memory");
return ENOMEM;
}
}
/* add the entry to the last element */
{
AuthorizationData ad = { 0, NULL };
AuthorizationDataElement ade;
ade.ad_type = type;
ade.ad_data = *data;
ret = add_AuthorizationData(&ad, &ade);
if (ret) {
krb5_set_error_string(context, "add AuthorizationData failed");
return ret;
}
ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT;
ASN1_MALLOC_ENCODE(AuthorizationData,
ade.ad_data.data, ade.ad_data.length,
&ad, &size, ret);
free_AuthorizationData(&ad);
if (ret) {
krb5_set_error_string(context, "ASN.1 encode of "
"AuthorizationData failed");
return ret;
}
if (ade.ad_data.length != size)
krb5_abortx(context, "internal asn.1 encoder error");
ret = add_AuthorizationData(tkt->authorization_data, &ade);
der_free_octet_string(&ade.ad_data);
if (ret) {
krb5_set_error_string(context, "add AuthorizationData failed");
return ret;
}
}
return 0;
}

336
source/heimdal/kdc/krb5tgs.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
* Copyright (c) 1997-2006 Kungliga Tekniska H<EFBFBD>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: krb5tgs.c,v 1.16 2006/10/22 15:54:37 lha Exp $");
RCSID("$Id: krb5tgs.c,v 1.25 2007/01/04 12:49:45 lha Exp $");
/*
* return the realm of a krbtgt-ticket or NULL
@@ -119,7 +119,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
if (server && principals) {
ret = add_KRB5SignedPathPrincipals(principals, server);
if (ret)
goto out;
return ret;
}
{
@@ -131,7 +131,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
&spd, &size, ret);
if (ret)
goto out;
return ret;
if (data.length != size)
krb5_abortx(context, "internal asn.1 encoder error");
}
@@ -159,12 +159,12 @@ _kdc_add_KRB5SignedPath(krb5_context context,
krb5_crypto_destroy(context, crypto);
free(data.data);
if (ret)
goto out;
return ret;
ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
free_Checksum(&sp.cksum);
if (ret)
goto out;
return ret;
if (data.length != size)
krb5_abortx(context, "internal asn.1 encoder error");
@@ -174,46 +174,11 @@ _kdc_add_KRB5SignedPath(krb5_context context,
* authorization data field.
*/
if (tkt->authorization_data == NULL) {
tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
if (tkt->authorization_data == NULL) {
ret = ENOMEM;
goto out;
}
}
ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
KRB5_AUTHDATA_SIGNTICKET, &data);
krb5_data_free(&data);
/* add the entry to the last element */
{
AuthorizationData ad = { 0, NULL };
AuthorizationDataElement ade;
ade.ad_type = KRB5_AUTHDATA_SIGNTICKET;
ade.ad_data = data;
ret = add_AuthorizationData(&ad, &ade);
krb5_data_free(&data);
if (ret)
return ret;
ASN1_MALLOC_ENCODE(AuthorizationData, data.data, data.length,
&ad, &size, ret);
free_AuthorizationData(&ad);
if (ret)
return ret;
if (data.length != size)
krb5_abortx(context, "internal asn.1 encoder error");
ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT;
ade.ad_data = data;
ret = add_AuthorizationData(tkt->authorization_data, &ade);
krb5_data_free(&data);
if (ret)
return ret;
}
out:
return 0;
return ret;
}
static krb5_error_code
@@ -307,6 +272,87 @@ check_KRB5SignedPath(krb5_context context,
return 0;
}
/*
*
*/
static krb5_error_code
check_PAC(krb5_context context,
krb5_kdc_configuration *config,
const krb5_principal client_principal,
hdb_entry_ex *client,
hdb_entry_ex *server,
const EncryptionKey *server_key,
const EncryptionKey *krbtgt_key,
EncTicketPart *tkt,
krb5_data *rspac,
int *require_signedpath)
{
AuthorizationData *ad = tkt->authorization_data;
unsigned i, j;
krb5_error_code ret;
if (ad == NULL || ad->len == 0)
return 0;
for (i = 0; i < ad->len; i++) {
AuthorizationData child;
if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
continue;
ret = decode_AuthorizationData(ad->val[i].ad_data.data,
ad->val[i].ad_data.length,
&child,
NULL);
if (ret) {
krb5_set_error_string(context, "Failed to decode "
"IF_RELEVANT with %d", ret);
return ret;
}
for (j = 0; j < child.len; j++) {
if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
krb5_pac pac;
/* Found PAC */
ret = krb5_pac_parse(context,
child.val[j].ad_data.data,
child.val[j].ad_data.length,
&pac);
free_AuthorizationData(&child);
if (ret)
return ret;
ret = krb5_pac_verify(context, pac, tkt->authtime,
client_principal,
krbtgt_key, NULL);
if (ret) {
krb5_pac_free(context, pac);
return ret;
}
ret = _kdc_pac_verify(context, client_principal,
client, server, &pac);
if (ret) {
krb5_pac_free(context, pac);
return ret;
}
*require_signedpath = 0;
ret = _krb5_pac_sign(context, pac, tkt->authtime,
client_principal,
server_key, krbtgt_key, rspac);
krb5_pac_free(context, pac);
return ret;
}
}
free_AuthorizationData(&child);
}
return 0;
}
/*
*
@@ -610,9 +656,10 @@ tgs_make_reply(krb5_context context,
KDC_REQ_BODY *b,
krb5_const_principal tgt_name,
const EncTicketPart *tgt,
const EncTicketPart *adtkt,
const EncryptionKey *ekey,
const krb5_keyblock *sessionkey,
krb5_kvno kvno,
AuthorizationData *auth_data,
krb5_ticket *tgs_ticket,
hdb_entry_ex *server,
const char *server_name,
hdb_entry_ex *client,
@@ -620,7 +667,7 @@ tgs_make_reply(krb5_context context,
hdb_entry_ex *krbtgt,
krb5_enctype krbtgt_etype,
KRB5SignedPathPrincipals *spp,
EncryptionKey *tgtkey,
const krb5_data *rspac,
const char **e_text,
krb5_data *reply)
{
@@ -629,32 +676,6 @@ tgs_make_reply(krb5_context context,
EncTicketPart et;
KDCOptions f = b->kdc_options;
krb5_error_code ret;
krb5_enctype etype;
Key *skey;
const EncryptionKey *ekey;
AuthorizationData *new_auth_data = NULL;
if(adtkt) {
int i;
ekey = &adtkt->key;
for(i = 0; i < b->etype.len; i++)
if (b->etype.val[i] == adtkt->key.keytype)
break;
if(i == b->etype.len) {
krb5_clear_error_string(context);
return KRB5KDC_ERR_ETYPE_NOSUPP;
}
etype = b->etype.val[i];
}else{
ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
&skey, &etype);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", server_name);
return ret;
}
ekey = &skey->key;
}
memset(&rep, 0, sizeof(rep));
memset(&et, 0, sizeof(et));
@@ -768,26 +789,47 @@ tgs_make_reply(krb5_context context,
et.flags.anonymous = tgt->flags.anonymous;
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
if (auth_data) {
/* XXX Check enc-authorization-data */
et.authorization_data = calloc(1, sizeof(*et.authorization_data));
if (et.authorization_data == NULL) {
ret = ENOMEM;
goto out;
}
ret = copy_AuthorizationData(auth_data, et.authorization_data);
if (ret)
goto out;
krb5_generate_random_keyblock(context, etype, &et.key);
if (server->authz_data_tgs_req) {
ret = server->authz_data_tgs_req(context, server,
client_principal,
tgs_ticket->ticket.authorization_data,
tgs_ticket->ticket.authtime,
tgtkey,
ekey,
&et.key,
&new_auth_data);
if (ret) {
new_auth_data = NULL;
/* Filter out type KRB5SignedPath */
ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
if (ret == 0) {
if (et.authorization_data->len == 1) {
free_AuthorizationData(et.authorization_data);
free(et.authorization_data);
et.authorization_data = NULL;
} else {
AuthorizationData *ad = et.authorization_data;
free_AuthorizationDataElement(&ad->val[ad->len - 1]);
ad->len--;
}
}
}
/* XXX Check enc-authorization-data */
et.authorization_data = new_auth_data;
if(rspac->length) {
/*
* No not need to filter out the any PAC from the
* auth_data since its signed by the KDC.
*/
ret = _kdc_tkt_add_if_relevant_ad(context, &et,
KRB5_AUTHDATA_WIN2K_PAC,
rspac);
if (ret)
goto out;
}
ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
if (ret)
goto out;
et.crealm = tgt->crealm;
et.cname = tgt_name->name;
@@ -795,6 +837,10 @@ tgs_make_reply(krb5_context context,
/* MIT must have at least one last_req */
ek.last_req.len = 1;
ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
if (ek.last_req.val == NULL) {
ret = ENOMEM;
goto out;
}
ek.nonce = b->nonce;
ek.flags = et.flags;
ek.authtime = et.authtime;
@@ -817,7 +863,7 @@ tgs_make_reply(krb5_context context,
krbtgt,
krbtgt_etype,
NULL,
NULL,
spp,
&et);
if (ret)
goto out;
@@ -835,8 +881,8 @@ tgs_make_reply(krb5_context context,
etype list, even if we don't want a session key with
DES3? */
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, etype,
adtkt ? 0 : server->entry.kvno,
&rep, &et, &ek, et.key.keytype,
kvno,
ekey, 0, &tgt->key, e_text, reply);
out:
free_TGS_REP(&rep);
@@ -973,8 +1019,7 @@ tgs_parse_request(krb5_context context,
const struct sockaddr *from_addr,
time_t **csec,
int **cusec,
AuthorizationData **auth_data,
EncryptionKey **tgtkey)
AuthorizationData **auth_data)
{
krb5_ap_req ap_req;
krb5_error_code ret;
@@ -1061,8 +1106,6 @@ tgs_parse_request(krb5_context context,
goto out;
}
*tgtkey = &tkey->key;
if (b->kdc_options.validate)
verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
else
@@ -1201,8 +1244,8 @@ tgs_build_reply(krb5_context context,
const char *from,
const char **e_text,
AuthorizationData *auth_data,
EncryptionKey *tgtkey,
const struct sockaddr *from_addr)
const struct sockaddr *from_addr,
int datagram_reply)
{
krb5_error_code ret;
krb5_principal cp = NULL, sp = NULL;
@@ -1211,6 +1254,10 @@ tgs_build_reply(krb5_context context,
hdb_entry_ex *server = NULL, *client = NULL;
EncTicketPart *tgt = &ticket->ticket;
KRB5SignedPathPrincipals *spp = NULL;
const EncryptionKey *ekey;
krb5_keyblock sessionkey;
krb5_kvno kvno;
krb5_data rspac;
PrincipalName *s;
Realm r;
@@ -1219,7 +1266,9 @@ tgs_build_reply(krb5_context context,
char opt_str[128];
int require_signedpath = 0;
memset(&sessionkey, 0, sizeof(sessionkey));
memset(&adtkt, 0, sizeof(adtkt));
krb5_data_zero(&rspac);
s = b->sname;
r = b->realm;
@@ -1436,7 +1485,7 @@ server_lookup:
ret = krb5_verify_checksum(context,
crypto,
KRB5_KU_TGS_IMPERSONATE,
KRB5_KU_OTHER_CKSUM,
datack.data,
datack.length,
&self.cksum);
@@ -1617,6 +1666,67 @@ server_lookup:
goto out;
}
/*
* Select enctype, return key and kvno.
*/
{
krb5_enctype etype;
if(b->kdc_options.enc_tkt_in_skey) {
int i;
ekey = &adtkt.key;
for(i = 0; i < b->etype.len; i++)
if (b->etype.val[i] == adtkt.key.keytype)
break;
if(i == b->etype.len) {
krb5_clear_error_string(context);
return KRB5KDC_ERR_ETYPE_NOSUPP;
}
etype = b->etype.val[i];
kvno = 0;
} else {
Key *skey;
ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
&skey, &etype);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spp);
return ret;
}
ekey = &skey->key;
kvno = server->entry.kvno;
}
ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
if (ret)
goto out;
}
/* check PAC if there is one */
{
Key *tkey;
ret = hdb_enctype2key(context, &krbtgt->entry,
krbtgt_etype, &tkey);
if(ret) {
kdc_log(context, config, 0,
"Failed to find key for krbtgt PAC check");
goto out;
}
ret = check_PAC(context, config, client_principal,
client, server, ekey, &tkey->key,
tgt, &rspac, &require_signedpath);
if (ret) {
kdc_log(context, config, 0,
"check_PAC check failed for %s (%s) from %s with %s",
spn, cpn, from, krb5_get_err_text(context, ret));
goto out;
}
}
/* also check the krbtgt for signature */
ret = check_KRB5SignedPath(context,
config,
@@ -1640,9 +1750,10 @@ server_lookup:
b,
client_principal,
tgt,
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
ekey,
&sessionkey,
kvno,
auth_data,
ticket,
server,
spn,
client,
@@ -1650,7 +1761,7 @@ server_lookup:
krbtgt,
krbtgt_etype,
spp,
tgtkey,
&rspac,
e_text,
reply);
@@ -1658,6 +1769,8 @@ out:
free(spn);
free(cpn);
krb5_data_free(&rspac);
krb5_free_keyblock_contents(context, &sessionkey);
if(server)
_kdc_free_ent(context, server);
if(client)
@@ -1685,7 +1798,8 @@ _kdc_tgs_rep(krb5_context context,
KDC_REQ *req,
krb5_data *data,
const char *from,
struct sockaddr *from_addr)
struct sockaddr *from_addr,
int datagram_reply)
{
AuthorizationData *auth_data = NULL;
krb5_error_code ret;
@@ -1696,8 +1810,6 @@ _kdc_tgs_rep(krb5_context context,
krb5_ticket *ticket = NULL;
const char *e_text = NULL;
krb5_enctype krbtgt_etype = ETYPE_NULL;
EncryptionKey *tgtkey = NULL;
time_t *csec = NULL;
int *cusec = NULL;
@@ -1726,8 +1838,7 @@ _kdc_tgs_rep(krb5_context context,
&e_text,
from, from_addr,
&csec, &cusec,
&auth_data,
&tgtkey);
&auth_data);
if (ret) {
kdc_log(context, config, 0,
"Failed parsing TGS-REQ from %s", from);
@@ -1745,14 +1856,21 @@ _kdc_tgs_rep(krb5_context context,
from,
&e_text,
auth_data,
tgtkey,
from_addr);
from_addr,
datagram_reply);
if (ret) {
kdc_log(context, config, 0,
"Failed building TGS-REP to %s", from);
goto out;
}
/* */
if (datagram_reply && data->length > config->max_datagram_reply_length) {
krb5_data_free(data);
ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
e_text = "Reply packet too large";
}
out:
if(ret && data->data == NULL){
krb5_mk_error(context,

370
source/heimdal/kdc/kx509.c Normal file
View File

@@ -0,0 +1,370 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
#include <hex.h>
RCSID("$Id: kx509.c,v 1.1 2006/12/28 21:03:53 lha Exp $");
/*
*
*/
krb5_error_code
_kdc_try_kx509_request(void *ptr, size_t len, Kx509Request *req, size_t *size)
{
if (len < 4)
return -1;
if (memcmp("\x00\x00\x02\x00", ptr, 4) != 0)
return -1;
return decode_Kx509Request(((unsigned char *)ptr) + 4, len - 4, req, size);
}
/*
*
*/
static const char version_2_0[4] = {0 , 0, 2, 0};
static krb5_error_code
verify_req_hash(krb5_context context,
const Kx509Request *req,
krb5_keyblock *key)
{
unsigned char digest[SHA_DIGEST_LENGTH];
HMAC_CTX ctx;
if (req->pk_hash.length != sizeof(digest)) {
krb5_set_error_string(context, "pk-hash have wrong length: %lu",
(unsigned long)req->pk_hash.length);
return KRB5KDC_ERR_PREAUTH_FAILED;
}
HMAC_CTX_init(&ctx);
HMAC_Init_ex(&ctx,
key->keyvalue.data, key->keyvalue.length,
EVP_sha1(), NULL);
if (sizeof(digest) != HMAC_size(&ctx))
krb5_abortx(context, "runtime error, hmac buffer wrong size in kx509");
HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
HMAC_Update(&ctx, req->pk_key.data, req->pk_key.length);
HMAC_Final(&ctx, digest, 0);
HMAC_CTX_cleanup(&ctx);
if (memcmp(req->pk_hash.data, digest, sizeof(digest)) != 0) {
krb5_set_error_string(context, "pk-hash is not correct");
return KRB5KDC_ERR_PREAUTH_FAILED;
}
return 0;
}
static krb5_error_code
calculate_reply_hash(krb5_context context,
krb5_keyblock *key,
Kx509Response *rep)
{
HMAC_CTX ctx;
HMAC_CTX_init(&ctx);
HMAC_Init_ex(&ctx,
key->keyvalue.data, key->keyvalue.length,
EVP_sha1(), NULL);
rep->hash->length = HMAC_size(&ctx);
rep->hash->data = malloc(rep->hash->length);
if (rep->hash->data == NULL) {
HMAC_CTX_cleanup(&ctx);
krb5_set_error_string(context, "out of memory");
return ENOMEM;
}
HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
if (rep->error_code) {
int32_t t = *rep->error_code;
do {
unsigned char p = (t & 0xff);
HMAC_Update(&ctx, &p, 1);
t >>= 8;
} while (t);
}
if (rep->certificate)
HMAC_Update(&ctx, rep->certificate->data, rep->certificate->length);
if (rep->e_text)
HMAC_Update(&ctx, *rep->e_text, strlen(*rep->e_text));
HMAC_Final(&ctx, rep->hash->data, 0);
HMAC_CTX_cleanup(&ctx);
return 0;
}
/*
* Build a certifate for `principal<61> that will expire at `endtime<6D>.
*/
static krb5_error_code
build_certificate(krb5_context context,
krb5_kdc_configuration *config,
const krb5_data *key,
time_t endtime,
krb5_principal principal,
krb5_data *certificate)
{
/* XXX write code here to generate certificates */
FILE *in, *out;
krb5_error_code ret;
const char *program;
char *str, *strkey;
char tstr[64];
pid_t pid;
snprintf(tstr, sizeof(tstr), "%lu", (unsigned long)endtime);
ret = base64_encode(key->data, key->length, &strkey);
if (ret < 0) {
krb5_set_error_string(context, "failed to base64 encode key");
return ENOMEM;
}
program = krb5_config_get_string(context,
NULL,
"kdc",
"kx509_cert_program",
NULL);
if (program == NULL) {
free(strkey);
krb5_set_error_string(context, "no certificate program configured");
return ENOENT;
}
ret = krb5_unparse_name(context, principal, &str);
if (ret) {
free(strkey);
return ret;
}
pid = pipe_execv(&in, &out, NULL, program, str, tstr, NULL);
free(str);
if (pid <= 0) {
free(strkey);
krb5_set_error_string(context,
"Failed to run the cert program %s",
program);
return ret;
}
fprintf(in, "%s\n", strkey);
fclose(in);
free(strkey);
{
unsigned buf[1024 * 10];
size_t len;
len = fread(buf, 1, sizeof(buf), out);
fclose(out);
if(len == 0) {
krb5_set_error_string(context,
"Certificate program returned no data");
return KRB5KDC_ERR_PREAUTH_FAILED;
}
ret = krb5_data_copy(certificate, buf, len);
if (ret) {
krb5_set_error_string(context, "Failed To copy certificate");
return ret;
}
}
kill(pid, SIGKILL);
waitpid(pid, NULL, 0);
return 0;
}
/*
*
*/
krb5_error_code
_kdc_do_kx509(krb5_context context,
krb5_kdc_configuration *config,
const Kx509Request *req, krb5_data *reply,
const char *from, struct sockaddr *addr)
{
krb5_error_code ret;
krb5_ticket *ticket = NULL;
krb5_flags ap_req_options;
krb5_auth_context ac = NULL;
krb5_keytab id = NULL;
krb5_principal sprincipal = NULL, cprincipal = NULL;
char *cname = NULL;
Kx509Response rep;
size_t size;
krb5_keyblock *key = NULL;
krb5_data_zero(reply);
memset(&rep, 0, sizeof(rep));
if(!config->enable_kx509) {
kdc_log(context, config, 0,
"Rejected kx509 request (disabled) from %s", from);
return KRB5KDC_ERR_POLICY;
}
kdc_log(context, config, 0, "Kx509 request from %s", from);
ret = krb5_kt_resolve(context, "HDB:", &id);
if (ret) {
kdc_log(context, config, 0, "Can't open database for digest");
goto out;
}
ret = krb5_rd_req(context,
&ac,
&req->authenticator,
NULL,
id,
&ap_req_options,
&ticket);
if (ret)
goto out;
ret = krb5_ticket_get_client(context, ticket, &cprincipal);
if (ret)
goto out;
ret = krb5_unparse_name(context, cprincipal, &cname);
if (ret)
goto out;
/* verify server principal */
ret = krb5_sname_to_principal(context, NULL, "kca_service",
KRB5_NT_UNKNOWN, &sprincipal);
if (ret)
goto out;
{
krb5_principal principal = NULL;
ret = krb5_ticket_get_server(context, ticket, &principal);
if (ret)
goto out;
ret = krb5_principal_compare(context, sprincipal, principal);
krb5_free_principal(context, principal);
if (ret != TRUE) {
ret = KRB5KDC_ERR_SERVER_NOMATCH;
krb5_set_error_string(context,
"User %s used wrong Kx509 service principal",
cname);
goto out;
}
}
ret = krb5_auth_con_getkey(context, ac, &key);
if (ret || key == NULL) {
krb5_set_error_string(context, "Kx509 can't get session key");
goto out;
}
ret = verify_req_hash(context, req, key);
if (ret)
goto out;
ALLOC(rep.certificate);
if (rep.certificate == NULL)
goto out;
krb5_data_zero(rep.certificate);
ALLOC(rep.hash);
if (rep.hash == NULL)
goto out;
krb5_data_zero(rep.hash);
ret = build_certificate(context, config, &req->pk_key,
krb5_ticket_get_endtime(context, ticket),
cprincipal, rep.certificate);
if (ret)
goto out;
ret = calculate_reply_hash(context, key, &rep);
if (ret)
goto out;
/*
* Encode reply, [ version | Kx509Response ]
*/
{
krb5_data data;
ASN1_MALLOC_ENCODE(Kx509Response, data.data, data.length, &rep,
&size, ret);
if (ret) {
krb5_set_error_string(context, "Failed to encode kx509 reply");
goto out;
}
if (size != data.length)
krb5_abortx(context, "ASN1 internal error");
ret = krb5_data_alloc(reply, data.length + sizeof(version_2_0));
if (ret) {
free(data.data);
goto out;
}
memcpy(reply->data, version_2_0, sizeof(version_2_0));
memcpy(((unsigned char *)reply->data) + sizeof(version_2_0),
data.data, data.length);
free(data.data);
}
kdc_log(context, config, 0, "Successful Kx509 request for %s", cname);
out:
if (ac)
krb5_auth_con_free(context, ac);
if (ret)
krb5_warn(context, ret, "Kx509 request from %s failed", from);
if (ticket)
krb5_free_ticket(context, ticket);
if (id)
krb5_kt_close(context, id);
if (sprincipal)
krb5_free_principal(context, sprincipal);
if (cprincipal)
krb5_free_principal(context, cprincipal);
if (key)
krb5_free_keyblock (context, key);
if (cname)
free(cname);
free_Kx509Response(&rep);
return 0;
}

202
source/heimdal/kdc/pkinit.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2003 - 2005 Kungliga Tekniska H<>gskolan
* Copyright (c) 2003 - 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: pkinit.c,v 1.74 2006/11/10 03:37:43 lha Exp $");
RCSID("$Id: pkinit.c,v 1.86 2007/01/04 12:54:09 lha Exp $");
#ifdef PKINIT
@@ -68,6 +68,8 @@ struct pk_client_params {
DH *dh;
EncryptionKey reply_key;
char *dh_group_name;
hx509_peer_info peer;
hx509_certs client_anchors;
};
struct pk_principal_mapping {
@@ -180,6 +182,10 @@ _kdc_pk_free_client_param(krb5_context context,
krb5_free_keyblock_contents(context, &client_params->reply_key);
if (client_params->dh_group_name)
free(client_params->dh_group_name);
if (client_params->peer)
hx509_peer_info_free(client_params->peer);
if (client_params->client_anchors)
hx509_certs_free(&client_params->client_anchors);
memset(client_params, 0, sizeof(*client_params));
free(client_params);
}
@@ -302,8 +308,10 @@ get_dh_param(krb5_context context,
ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits,
&dhparam.p, &dhparam.g, &dhparam.q, moduli,
&client_params->dh_group_name);
if (ret)
if (ret) {
/* XXX send back proposal of better group */
goto out;
}
dh = DH_new();
if (dh == NULL) {
@@ -354,64 +362,6 @@ get_dh_param(krb5_context context,
return ret;
}
#if 0
/*
* XXX We only need this function if there are several certs for the
* KDC to choose from, and right now, we can't handle that so punt for
* now.
*
* If client has sent a list of CA's trusted by him, make sure our
* CA is in the list.
*
*/
static void
verify_trusted_ca(PA_PK_AS_REQ_19 *r)
{
if (r.trustedCertifiers != NULL) {
X509_NAME *kdc_issuer;
X509 *kdc_cert;
kdc_cert = sk_X509_value(kdc_identity->cert, 0);
kdc_issuer = X509_get_issuer_name(kdc_cert);
/* XXX will work for heirarchical CA's ? */
/* XXX also serial_number should be compared */
ret = KRB5_KDC_ERR_KDC_NOT_TRUSTED;
for (i = 0; i < r.trustedCertifiers->len; i++) {
TrustedCA_19 *ca = &r.trustedCertifiers->val[i];
switch (ca->element) {
case choice_TrustedCA_19_caName: {
X509_NAME *name;
unsigned char *p;
p = ca->u.caName.data;
name = d2i_X509_NAME(NULL, &p, ca->u.caName.length);
if (name == NULL) /* XXX should this be a failure instead ? */
break;
if (X509_NAME_cmp(name, kdc_issuer) == 0)
ret = 0;
X509_NAME_free(name);
break;
}
case choice_TrustedCA_19_issuerAndSerial:
/* IssuerAndSerialNumber issuerAndSerial */
break;
default:
break;
}
if (ret == 0)
break;
}
if (ret)
goto out;
}
}
#endif /* 0 */
krb5_error_code
_kdc_pk_rd_padata(krb5_context context,
krb5_kdc_configuration *config,
@@ -483,7 +433,61 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
/* XXX look at r.trustedCertifiers and r.kdcPkId */
/* XXX look at r.kdcPkId */
if (r.trustedCertifiers) {
ExternalPrincipalIdentifiers *edi = r.trustedCertifiers;
unsigned int i;
ret = hx509_certs_init(kdc_identity->hx509ctx,
"MEMORY:client-anchors",
0, NULL,
&client_params->client_anchors);
if (ret) {
krb5_set_error_string(context, "Can't allocate client anchors: %d", ret);
goto out;
}
for (i = 0; i < edi->len; i++) {
IssuerAndSerialNumber iasn;
hx509_query *q;
hx509_cert cert;
size_t size;
if (edi->val[i].issuerAndSerialNumber == NULL)
continue;
ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
if (ret) {
krb5_set_error_string(context,
"Failed to allocate hx509_query");
goto out;
}
ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data,
edi->val[i].issuerAndSerialNumber->length,
&iasn,
&size);
if (ret || size != 0) {
hx509_query_free(kdc_identity->hx509ctx, q);
continue;
}
ret = hx509_query_match_issuer_serial(q, &iasn.issuer, &iasn.serialNumber);
free_IssuerAndSerialNumber(&iasn);
if (ret)
continue;
ret = hx509_certs_find(kdc_identity->hx509ctx,
kdc_identity->certs,
q,
&cert);
hx509_query_free(kdc_identity->hx509ctx, q);
if (ret)
continue;
hx509_certs_add(kdc_identity->hx509ctx,
client_params->client_anchors, cert);
hx509_cert_free(cert);
}
}
ret = hx509_cms_unwrap_ContentInfo(&r.signedAuthPack,
&contentInfoOid,
@@ -611,6 +615,23 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
}
if (ap.supportedCMSTypes) {
ret = hx509_peer_info_alloc(kdc_identity->hx509ctx,
&client_params->peer);
if (ret) {
free_AuthPack(&ap);
goto out;
}
ret = hx509_peer_info_set_cms_algs(kdc_identity->hx509ctx,
client_params->peer,
ap.supportedCMSTypes->val,
ap.supportedCMSTypes->len);
if (ret) {
free_AuthPack(&ap);
goto out;
}
}
free_AuthPack(&ap);
} else
krb5_abortx(context, "internal pkinit error");
@@ -752,7 +773,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
buf.length,
NULL,
cert,
kdc_identity->anchors,
client_params->peer,
client_params->client_anchors,
kdc_identity->certpool,
&signed_data);
hx509_cert_free(cert);
@@ -864,7 +886,8 @@ pk_mk_pa_reply_dh(krb5_context context,
buf.length,
NULL,
cert,
kdc_identity->anchors,
client_params->peer,
client_params->client_anchors,
kdc_identity->certpool,
&signed_data);
*kdc_cert = cert;
@@ -948,8 +971,12 @@ _kdc_pk_mk_pa_reply(krb5_context context,
rep.element = choice_PA_PK_AS_REP_encKeyPack;
krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key);
ret = krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
client_params,
req,
@@ -1039,8 +1066,12 @@ _kdc_pk_mk_pa_reply(krb5_context context,
pa_type = KRB5_PADATA_PK_AS_REP_19;
rep.element = choice_PA_PK_AS_REP_encKeyPack;
krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key);
ret = krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key);
if (ret) {
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
client_params,
req,
@@ -1337,6 +1368,35 @@ add_principal_mapping(krb5_context context,
return 0;
}
krb5_error_code
_kdc_add_inital_verified_cas(krb5_context context,
krb5_kdc_configuration *config,
pk_client_params *params,
EncTicketPart *tkt)
{
AD_INITIAL_VERIFIED_CAS cas;
krb5_error_code ret;
krb5_data data;
size_t size;
memset(&cas, 0, sizeof(cas));
/* XXX add CAs to cas here */
ASN1_MALLOC_ENCODE(AD_INITIAL_VERIFIED_CAS, data.data, data.length,
&cas, &size, ret);
if (ret)
return ret;
if (data.length != size)
krb5_abortx(context, "internal asn.1 encoder error");
ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
ad_initial_verified_cas, &data);
krb5_data_free(&data);
return ret;
}
krb5_error_code
_kdc_pk_initialize(krb5_context context,
@@ -1372,7 +1432,7 @@ _kdc_pk_initialize(krb5_context context,
NULL,
NULL);
if (ret) {
krb5_warn(context, ret, "PKINIT: failed to load");
krb5_warn(context, ret, "PKINIT: ");
config->enable_pkinit = 0;
return ret;
}
@@ -1411,7 +1471,7 @@ _kdc_pk_initialize(krb5_context context,
NULL,
FALSE,
"kdc",
"pki-allow-proxy-certificate",
"pkinit_allow_proxy_certificate",
NULL);
_krb5_pk_allow_proxy_certificate(kdc_identity, ret);
@@ -1419,7 +1479,7 @@ _kdc_pk_initialize(krb5_context context,
NULL,
HDB_DB_DIR "/pki-mapping",
"kdc",
"pki-mappings-file",
"pkinit_mappings_file",
NULL);
f = fopen(file, "r");
if (f == NULL) {

11
source/heimdal/kdc/process.c
View File

@@ -34,7 +34,7 @@
#include "kdc_locl.h"
RCSID("$Id: process.c,v 1.5 2006/10/09 15:37:39 lha Exp $");
RCSID("$Id: process.c,v 1.7 2006/12/28 21:09:35 lha Exp $");
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
@@ -55,6 +55,7 @@ krb5_kdc_process_request(krb5_context context,
KDC_REQ req;
Ticket ticket;
DigestREQ digestreq;
Kx509Request kx509req;
krb5_error_code ret;
size_t i;
@@ -70,7 +71,7 @@ krb5_kdc_process_request(krb5_context context,
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = _kdc_tgs_rep(context, config, &req, reply, from, addr);
ret = _kdc_tgs_rep(context, config, &req, reply, from, addr, datagram_reply);
free_TGS_REQ(&req);
return ret;
}else if(decode_Ticket(buf, len, &ticket, &i) == 0){
@@ -81,6 +82,10 @@ krb5_kdc_process_request(krb5_context context,
ret = _kdc_do_digest(context, config, &digestreq, reply, from, addr);
free_DigestREQ(&digestreq);
return ret;
} else if (_kdc_try_kx509_request(buf, len, &kx509req, &i) == 0) {
ret = _kdc_do_kx509(context, config, &kx509req, reply, from, addr);
free_Kx509Request(&kx509req);
return ret;
} else if(_kdc_maybe_version4(buf, len)){
*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
_kdc_do_version4(context, config, buf, len, reply, from,
@@ -128,7 +133,7 @@ krb5_kdc_process_krb5_request(krb5_context context,
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = _kdc_tgs_rep(context, config, &req, reply, from, addr);
ret = _kdc_tgs_rep(context, config, &req, reply, from, addr, datagram_reply);
free_TGS_REQ(&req);
return ret;
}

108
source/heimdal/kdc/windc.c Normal file
View File

@@ -0,0 +1,108 @@
/*
* Copyright (c) 2007 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
RCSID("$Id: windc.c,v 1.3 2007/01/04 11:10:06 lha Exp $");
static krb5plugin_windc_ftable *windcft;
static void *windcctx;
/*
* Pick the first WINDC module that we find.
*/
krb5_error_code
_kdc_windc_init(krb5_context context)
{
struct krb5_plugin *list = NULL, *e;
krb5_error_code ret;
ret = _krb5_plugin_find(context, PLUGIN_TYPE_DATA, "windc", &list);
if(ret != 0 || list == NULL)
return 0;
for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) {
windcft = _krb5_plugin_get_symbol(e);
if (windcft->minor_version < KRB5_WINDC_PLUGING_MINOR)
continue;
(*windcft->init)(context, &windcctx);
break;
}
if (e == NULL) {
_krb5_plugin_free(list);
krb5_set_error_string(context, "Did not find any WINDC plugin");
windcft = NULL;
return ENOENT;
}
return 0;
}
krb5_error_code
_kdc_pac_generate(krb5_context context,
hdb_entry_ex *client,
krb5_pac *pac)
{
*pac = NULL;
if (windcft == NULL)
return 0;
return (windcft->pac_generate)(windcctx, context, client, pac);
}
krb5_error_code
_kdc_pac_verify(krb5_context context,
const krb5_principal client_principal,
hdb_entry_ex *client,
hdb_entry_ex *server,
krb5_pac *pac)
{
if (windcft == NULL) {
krb5_set_error_string(context, "Can't verify WINDC, no function");
return EINVAL;
}
return (windcft->pac_verify)(windcctx, context, client_principal, client, server, pac);
}
krb5_error_code
_kdc_windc_client_access(krb5_context context,
struct hdb_entry_ex *client,
KDC_REQ *req)
{
if (windcft == NULL)
return 0;
return (windcft->client_access)(windcctx, context, client, req);
}

80
source/heimdal/kdc/windc_plugin.h Normal file
View File

@@ -0,0 +1,80 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id: windc_plugin.h,v 1.2 2007/01/04 11:13:51 lha Exp $ */
#ifndef HEIMDAL_KRB5_PAC_PLUGIN_H
#define HEIMDAL_KRB5_PAC_PLUGIN_H 1
#include <krb5.h>
/*
* The PAC generate function should allocate a krb5_pac using
* krb5_pac_init and fill in the PAC structure for the principal using
* krb5_pac_add_buffer.
*
* The PAC verify function should verify all components in the PAC
* using krb5_pac_get_types and krb5_pac_get_buffer for all types.
*
* Check client access function check if the client is authorized.
*/
struct hdb_entry_ex;
typedef krb5_error_code
(*krb5plugin_windc_pac_generate)(void *, krb5_context,
struct hdb_entry_ex *, krb5_pac *);
typedef krb5_error_code
(*krb5plugin_windc_pac_verify)(void *, krb5_context,
const krb5_principal,
struct hdb_entry_ex *, struct hdb_entry_ex *, krb5_pac *);
typedef krb5_error_code
(*krb5plugin_windc_client_access)(
void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *);
#define KRB5_WINDC_PLUGING_MINOR 2
typedef struct krb5plugin_windc_ftable {
int minor_version;
krb5_error_code (*init)(krb5_context, void **);
void (*fini)(void *);
krb5plugin_windc_pac_generate pac_generate;
krb5plugin_windc_pac_verify pac_verify;
krb5plugin_windc_client_access client_access;
} krb5plugin_windc_ftable;
#endif /* HEIMDAL_KRB5_PAC_PLUGIN_H */

3
source/heimdal/lib/asn1/asn1-common.h
View File

@@ -1,4 +1,4 @@
/* $Id: asn1-common.h,v 1.6 2006/10/14 05:09:47 lha Exp $ */
/* $Id: asn1-common.h,v 1.7 2006/12/28 17:14:10 lha Exp $ */
#include <stddef.h>
#include <time.h>
@@ -32,6 +32,7 @@ typedef struct heim_universal_string {
uint32_t *data;
} heim_universal_string;
typedef char *heim_visible_string;
typedef struct heim_oid {
size_t length;

25
source/heimdal/lib/asn1/der-protos.h
View File

@@ -82,6 +82,11 @@ der_copy_utf8string (
const heim_utf8_string */*from*/,
heim_utf8_string */*to*/);
int
der_copy_visible_string (
const heim_visible_string */*from*/,
heim_visible_string */*to*/);
void
der_free_bit_string (heim_bit_string */*k*/);
@@ -112,6 +117,9 @@ der_free_universal_string (heim_universal_string */*k*/);
void
der_free_utf8string (heim_utf8_string */*str*/);
void
der_free_visible_string (heim_visible_string */*str*/);
int
der_get_bit_string (
const unsigned char */*p*/,
@@ -251,6 +259,13 @@ der_get_utf8string (
heim_utf8_string */*str*/,
size_t */*size*/);
int
der_get_visible_string (
const unsigned char */*p*/,
size_t /*len*/,
heim_visible_string */*str*/,
size_t */*size*/);
int
der_heim_bit_string_cmp (
const heim_bit_string */*p*/,
@@ -332,6 +347,9 @@ der_length_utctime (const time_t */*t*/);
size_t
der_length_utf8string (const heim_utf8_string */*data*/);
size_t
der_length_visible_string (const heim_visible_string */*data*/);
int
der_match_tag (
const unsigned char */*p*/,
@@ -504,6 +522,13 @@ der_put_utf8string (
const heim_utf8_string */*str*/,
size_t */*size*/);
int
der_put_visible_string (
unsigned char */*p*/,
size_t /*len*/,
const heim_visible_string */*str*/,
size_t */*size*/);
int
encode_heim_any (
unsigned char */*p*/,

9
source/heimdal/lib/asn1/der_copy.c
View File

@@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_copy.c,v 1.16 2006/10/14 05:30:02 lha Exp $");
RCSID("$Id: der_copy.c,v 1.17 2006/12/28 17:14:17 lha Exp $");
int
der_copy_general_string (const heim_general_string *from,
@@ -88,6 +88,13 @@ der_copy_universal_string (const heim_universal_string *from,
return 0;
}
int
der_copy_visible_string (const heim_visible_string *from,
heim_visible_string *to)
{
return der_copy_general_string(from, to);
}
int
der_copy_octet_string (const heim_octet_string *from, heim_octet_string *to)
{

11
source/heimdal/lib/asn1/der_format.c
View File

@@ -34,7 +34,7 @@
#include "der_locl.h"
#include <hex.h>
RCSID("$Id: der_format.c,v 1.6 2006/10/21 18:24:15 lha Exp $");
RCSID("$Id: der_format.c,v 1.8 2006/11/27 10:32:21 lha Exp $");
int
der_parse_hex_heim_integer (const char *p, heim_integer *data)
@@ -110,10 +110,13 @@ der_print_heim_oid (const heim_oid *oid, char delim, char **str)
struct rk_strpool *p = NULL;
int i;
if (oid->length == 0)
return EINVAL;
for (i = 0; i < oid->length ; i++) {
p = rk_strpoolprintf(p, "%d%s",
oid->components[i],
i < oid->length - 1 ? " " : "");
p = rk_strpoolprintf(p, "%d", oid->components[i]);
if (p && i < oid->length - 1)
p = rk_strpoolprintf(p, "%c", delim);
if (p == NULL) {
*str = NULL;
return ENOMEM;

9
source/heimdal/lib/asn1/der_free.c
View File

@@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_free.c,v 1.13 2006/10/14 05:30:47 lha Exp $");
RCSID("$Id: der_free.c,v 1.14 2006/12/28 17:14:21 lha Exp $");
void
der_free_general_string (heim_general_string *str)
@@ -79,6 +79,13 @@ der_free_universal_string (heim_universal_string *k)
k->length = 0;
}
void
der_free_visible_string (heim_visible_string *str)
{
free(*str);
*str = NULL;
}
void
der_free_octet_string (heim_octet_string *k)
{

9
source/heimdal/lib/asn1/der_get.c
View File

@@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_get.c,v 1.50 2006/10/19 16:27:44 lha Exp $");
RCSID("$Id: der_get.c,v 1.51 2006/12/28 17:14:25 lha Exp $");
#include <version.h>
@@ -214,6 +214,13 @@ der_get_universal_string (const unsigned char *p, size_t len,
return 0;
}
int
der_get_visible_string (const unsigned char *p, size_t len,
heim_visible_string *str, size_t *size)
{
return der_get_general_string(p, len, str, size);
}
int
der_get_octet_string (const unsigned char *p, size_t len,
heim_octet_string *data, size_t *size)

8
source/heimdal/lib/asn1/der_length.c
View File

@@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_length.c,v 1.19 2006/10/14 05:26:06 lha Exp $");
RCSID("$Id: der_length.c,v 1.20 2006/12/28 17:14:28 lha Exp $");
size_t
_heim_len_unsigned (unsigned val)
@@ -166,6 +166,12 @@ der_length_universal_string (const heim_universal_string *data)
return data->length * 4;
}
size_t
der_length_visible_string (const heim_visible_string *data)
{
return strlen(*data);
}
size_t
der_length_octet_string (const heim_octet_string *k)
{

9
source/heimdal/lib/asn1/der_put.c
View File

@@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_put.c,v 1.33 2005/07/12 06:27:23 lha Exp $");
RCSID("$Id: der_put.c,v 1.34 2006/12/28 17:14:33 lha Exp $");
/*
* All encoding functions take a pointer `p' to first position in
@@ -230,6 +230,13 @@ der_put_universal_string (unsigned char *p, size_t len,
return 0;
}
int
der_put_visible_string (unsigned char *p, size_t len,
const heim_visible_string *str, size_t *size)
{
return der_put_general_string(p, len, str, size);
}
int
der_put_octet_string (unsigned char *p, size_t len,
const heim_octet_string *data, size_t *size)

42
source/heimdal/lib/asn1/digest.asn1
View File

@@ -1,4 +1,4 @@
-- $Id: digest.asn1,v 1.9 2006/08/25 11:57:54 lha Exp $
-- $Id: digest.asn1,v 1.10 2006/12/15 19:13:39 lha Exp $
DIGEST DEFINITIONS ::=
BEGIN
@@ -58,9 +58,43 @@ DigestResponse ::= SEQUENCE {
hash-a1 [3] OCTET STRING OPTIONAL
}
NTLMInit ::= SEQUENCE {
flags [0] INTEGER (0..4294967295),
hostname [1] UTF8String OPTIONAL,
domain [1] UTF8String OPTIONAL
}
NTLMInitReply ::= SEQUENCE {
flags [0] INTEGER (0..4294967295),
opaque [1] OCTET STRING,
targetname [2] UTF8String,
challange [3] OCTET STRING,
targetinfo [4] OCTET STRING OPTIONAL
}
NTLMRequest ::= SEQUENCE {
flags [0] INTEGER (0..4294967295),
opaque [1] OCTET STRING,
username [2] UTF8String,
targetname [3] UTF8String,
targetinfo [4] OCTET STRING OPTIONAL,
lm [5] OCTET STRING,
ntlm [6] OCTET STRING,
sessionkey [7] OCTET STRING OPTIONAL
}
NTLMResponse ::= SEQUENCE {
success [0] BOOLEAN,
flags [1] INTEGER (0..4294967295),
sessionkey [2] OCTET STRING OPTIONAL,
tickets [3] SEQUENCE OF OCTET STRING OPTIONAL
}
DigestReqInner ::= CHOICE {
init [0] DigestInit,
digestRequest [1] DigestRequest
digestRequest [1] DigestRequest,
ntlmInit [2] NTLMInit,
ntlmRequest [3] NTLMRequest
}
DigestREQ ::= [APPLICATION 128] SEQUENCE {
@@ -71,7 +105,9 @@ DigestREQ ::= [APPLICATION 128] SEQUENCE {
DigestRepInner ::= CHOICE {
error [0] DigestError,
initReply [1] DigestInitReply,
response [2] DigestResponse
response [2] DigestResponse,
ntlmInitReply [3] NTLMInitReply,
ntlmResponse [4] NTLMResponse
}
DigestREP ::= [APPLICATION 129] SEQUENCE {

13
source/heimdal/lib/asn1/gen.c
View File

@@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen.c,v 1.69 2006/10/14 05:11:52 lha Exp $");
RCSID("$Id: gen.c,v 1.70 2006/12/28 17:14:37 lha Exp $");
FILE *headerfile, *codefile, *logfile;
@@ -135,6 +135,9 @@ init_generate (const char *filename, const char *base)
" size_t length;\n"
" uint32_t *data;\n"
"} heim_universal_string;\n\n");
fprintf (headerfile,
"typedef char *heim_visible_string;\n\n"
);
fprintf (headerfile,
"typedef struct heim_oid {\n"
" size_t length;\n"
@@ -504,6 +507,10 @@ define_asn1 (int level, Type *t)
space(level);
fprintf (headerfile, "UniversalString");
break;
case TVisibleString:
space(level);
fprintf (headerfile, "VisibleString");
break;
case TOID :
space(level);
fprintf(headerfile, "OBJECT IDENTIFIER");
@@ -736,6 +743,10 @@ define_type (int level, const char *name, Type *t, int typedefp, int preservep)
space(level);
fprintf (headerfile, "heim_universal_string %s;\n", name);
break;
case TVisibleString:
space(level);
fprintf (headerfile, "heim_visible_string %s;\n", name);
break;
case TOID :
space(level);
fprintf (headerfile, "heim_oid %s;\n", name);

5
source/heimdal/lib/asn1/gen_copy.c
View File

@@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_copy.c,v 1.18 2006/10/14 05:34:19 lha Exp $");
RCSID("$Id: gen_copy.c,v 1.19 2006/12/28 17:14:42 lha Exp $");
static int used_fail;
@@ -202,6 +202,9 @@ copy_type (const char *from, const char *to, const Type *t, int preserve)
case TUniversalString:
copy_primitive ("universal_string", from, to);
break;
case TVisibleString:
copy_primitive ("visible_string", from, to);
break;
case TTag:
copy_type (from, to, t->subtype, preserve);
break;

14
source/heimdal/lib/asn1/gen_decode.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2005 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997 - 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -34,7 +34,7 @@
#include "gen_locl.h"
#include "lex.h"
RCSID("$Id: gen_decode.c,v 1.30 2006/09/24 09:13:12 lha Exp $");
RCSID("$Id: gen_decode.c,v 1.32 2006/12/29 17:30:32 lha Exp $");
static void
decode_primitive (const char *typename, const char *name, const char *forwstr)
@@ -74,6 +74,7 @@ is_primitive_type(int type)
case TIA5String:
case TBMPString:
case TUniversalString:
case TVisibleString:
case TNull:
return 1;
default:
@@ -191,6 +192,11 @@ find_tag (const Type *t,
*ty = PRIM;
*tag = UT_UniversalString;
break;
case TVisibleString:
*cl = ASN1_C_UNIV;
*ty = PRIM;
*tag = UT_VisibleString;
break;
default:
abort();
}
@@ -580,6 +586,9 @@ decode_type (const char *name, const Type *t, int optional,
case TUniversalString:
decode_primitive ("universal_string", name, forwstr);
break;
case TVisibleString:
decode_primitive ("visible_string", name, forwstr);
break;
case TNull:
fprintf (codefile, "/* NULL */\n");
break;
@@ -620,6 +629,7 @@ generate_type_decode (const Symbol *s)
case TIA5String:
case TBMPString:
case TUniversalString:
case TVisibleString:
case TUTCTime:
case TNull:
case TEnumerated:

44
source/heimdal/lib/asn1/gen_encode.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2005 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997 - 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_encode.c,v 1.19 2005/08/23 11:52:16 lha Exp $");
RCSID("$Id: gen_encode.c,v 1.22 2006/12/29 17:30:03 lha Exp $");
static void
encode_primitive (const char *typename, const char *name)
@@ -151,7 +151,6 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
case TBitString: {
Member *m;
int pos;
int rest;
if (ASN1_TAILQ_EMPTY(t->members)) {
encode_primitive("bit_string", name);
@@ -163,6 +162,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
"unsigned char c = 0;\n");
if (!rfc1510_bitstring)
fprintf (codefile,
"int rest = 0;\n"
"int bit_set = 0;\n");
#if 0
pos = t->members->prev->val;
@@ -181,9 +181,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
if (rfc1510_bitstring) {
if (pos < 31)
pos = 31;
rest = 7 - (pos % 8);
} else
rest = 0;
}
ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
while (m->val / 8 < pos / 8) {
@@ -192,20 +190,27 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
"if (c != 0 || bit_set) {\n");
fprintf (codefile,
"if (len < 1) return ASN1_OVERFLOW;\n"
"*p-- = c; len--; ret++;\n"
"c = 0;\n");
"*p-- = c; len--; ret++;\n");
if (!rfc1510_bitstring)
fprintf (codefile,
"if (!bit_set) {\n"
"rest = 0;\n"
"while(c) { \n"
"if (c & 1) break;\n"
"c = c >> 1;\n"
"rest++;\n"
"}\n"
"bit_set = 1;\n"
"}\n"
"}\n");
fprintf (codefile,
"c = 0;\n");
pos -= 8;
}
fprintf (codefile,
"if((%s)->%s) {\n"
"c |= 1<<%d;\n",
name, m->gen_name, 7 - m->val % 8);
if (!rfc1510_bitstring)
rest = 7 - m->val % 8;
fprintf (codefile,
"}\n");
}
@@ -218,15 +223,25 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
"*p-- = c; len--; ret++;\n");
if (!rfc1510_bitstring)
fprintf (codefile,
"if (!bit_set) {\n"
"rest = 0;\n"
"if(c) { \n"
"while(c) { \n"
"if (c & 1) break;\n"
"c = c >> 1;\n"
"rest++;\n"
"}\n"
"}\n"
"}\n"
"}\n");
fprintf (codefile,
"if (len < 1) return ASN1_OVERFLOW;\n"
"*p-- = %d;\n"
"*p-- = %s;\n"
"len -= 1;\n"
"ret += 1;\n"
"}\n\n",
rest);
rfc1510_bitstring ? "0" : "rest");
constructed = 0;
break;
}
@@ -467,6 +482,10 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
encode_primitive ("universal_string", name);
constructed = 0;
break;
case TVisibleString:
encode_primitive ("visible_string", name);
constructed = 0;
break;
case TNull:
fprintf (codefile, "/* NULL */\n");
constructed = 0;
@@ -503,6 +522,7 @@ generate_type_encode (const Symbol *s)
case TIA5String:
case TBMPString:
case TUniversalString:
case TVisibleString:
case TNull:
case TBitString:
case TEnumerated:

5
source/heimdal/lib/asn1/gen_free.c
View File

@@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_free.c,v 1.16 2006/10/14 05:33:58 lha Exp $");
RCSID("$Id: gen_free.c,v 1.17 2006/12/28 17:14:54 lha Exp $");
static void
free_primitive (const char *typename, const char *name)
@@ -160,6 +160,9 @@ free_type (const char *name, const Type *t, int preserve)
case TUniversalString:
free_primitive ("universal_string", name);
break;
case TVisibleString:
free_primitive ("visible_string", name);
break;
case TTag:
free_type (name, t->subtype, preserve);
break;

5
source/heimdal/lib/asn1/gen_length.c
View File

@@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_length.c,v 1.21 2006/10/14 05:28:28 lha Exp $");
RCSID("$Id: gen_length.c,v 1.22 2006/12/28 17:14:57 lha Exp $");
static void
length_primitive (const char *typename,
@@ -238,6 +238,9 @@ length_type (const char *name, const Type *t,
case TUniversalString:
length_primitive ("universal_string", name, variable);
break;
case TVisibleString:
length_primitive ("visible_string", name, variable);
break;
case TNull:
fprintf (codefile, "/* NULL */\n");
break;

6
source/heimdal/lib/asn1/k5.asn1
View File

@@ -1,4 +1,4 @@
-- $Id: k5.asn1,v 1.50 2006/09/11 13:28:59 lha Exp $
-- $Id: k5.asn1,v 1.51 2006/11/21 05:17:47 lha Exp $
KERBEROS5 DEFINITIONS ::=
BEGIN
@@ -70,11 +70,11 @@ PADATA-TYPE ::= INTEGER {
KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
KRB5-PADATA-S4U2SELF(129),
KRB5-PADATA-PK-AS-09-BINDING(132) -- client send this to
-- tell KDC that is supports
-- the asCheckSum in the
-- PK-AS-REP
KRB5-PADATA-S4U2SELF(-17)
}
AUTHDATA-TYPE ::= INTEGER {

20
source/heimdal/lib/asn1/kx509.asn1 Normal file
View File

@@ -0,0 +1,20 @@
-- $Id: kx509.asn1,v 1.1 2006/12/28 21:05:23 lha Exp $
KX509 DEFINITIONS ::=
BEGIN
Kx509Request ::= SEQUENCE {
authenticator OCTET STRING,
pk-hash OCTET STRING,
pk-key OCTET STRING
}
Kx509Response ::= SEQUENCE {
error-code[0] INTEGER (-2147483648..2147483647)
OPTIONAL -- DEFAULT 0 --,
hash[1] OCTET STRING OPTIONAL,
certificate[2] OCTET STRING OPTIONAL,
e-text[3] VisibleString OPTIONAL
}
END

8
source/heimdal/lib/asn1/lex.l
View File

@@ -32,7 +32,7 @@
* SUCH DAMAGE.
*/
/* $Id: lex.l,v 1.27 2005/09/13 18:17:16 lha Exp $ */
/* $Id: lex.l,v 1.31 2006/10/21 11:57:22 lha Exp $ */
#ifdef HAVE_CONFIG_H
#include <config.h>
@@ -58,6 +58,12 @@ static void unterminated(const char *, unsigned);
%}
/* This is for broken old lexes (solaris 10 and hpux) */
%e 2000
%p 5000
%a 5000
%n 1000
%o 10000
%%
ABSENT { return kw_ABSENT; }

398
source/heimdal/lib/asn1/parse.c
View File

@@ -251,7 +251,7 @@
#include "gen_locl.h"
#include "der.h"
RCSID("$Id: parse.y,v 1.28 2006/04/28 10:51:35 lha Exp $");
RCSID("$Id: parse.y,v 1.29 2006/12/28 17:15:02 lha Exp $");
static Type *new_type (Typetype t);
static struct constraint_spec *new_constraint_spec(enum ctype);
@@ -466,16 +466,16 @@ union yyalloc
/* YYFINAL -- State number of the termination state. */
#define YYFINAL 4
/* YYLAST -- Last index in YYTABLE. */
#define YYLAST 168
#define YYLAST 169
/* YYNTOKENS -- Number of terminals. */
#define YYNTOKENS 98
/* YYNNTS -- Number of nonterminals. */
#define YYNNTS 67
/* YYNRULES -- Number of rules. */
#define YYNRULES 130
#define YYNRULES 131
/* YYNRULES -- Number of states. */
#define YYNSTATES 201
#define YYNSTATES 202
/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX. */
#define YYUNDEFTOK 2
@@ -538,11 +538,11 @@ static const unsigned short int yyprhs[] =
167, 171, 176, 180, 184, 189, 191, 193, 195, 197,
199, 202, 206, 208, 210, 212, 215, 219, 225, 230,
234, 239, 240, 242, 244, 246, 247, 249, 251, 256,
258, 260, 262, 264, 266, 268, 270, 272, 276, 280,
283, 285, 288, 292, 294, 298, 303, 305, 306, 310,
311, 314, 319, 321, 323, 325, 327, 329, 331, 333,
258, 260, 262, 264, 266, 268, 270, 272, 274, 278,
282, 285, 287, 290, 294, 296, 300, 305, 307, 308,
312, 313, 316, 321, 323, 325, 327, 329, 331, 333,
335, 337, 339, 341, 343, 345, 347, 349, 351, 353,
355
355, 357
};
/* YYRHS -- A `-1'-separated list of the rules' RHS. */
@@ -574,16 +574,16 @@ static const short int yyrhs[] =
139, 141, 111, -1, 96, 140, 89, 97, -1, -1,
76, -1, 6, -1, 60, -1, -1, 27, -1, 38,
-1, 86, 111, 84, 154, -1, 144, -1, 33, -1,
78, -1, 61, -1, 36, -1, 10, -1, 79, -1,
147, -1, 145, 91, 147, -1, 145, 91, 85, -1,
86, 111, -1, 146, -1, 146, 54, -1, 146, 20,
154, -1, 149, -1, 148, 91, 149, -1, 86, 92,
89, 93, -1, 151, -1, -1, 94, 152, 95, -1,
-1, 153, 152, -1, 86, 92, 89, 93, -1, 86,
-1, 89, -1, 155, -1, 156, -1, 160, -1, 159,
-1, 161, -1, 164, -1, 163, -1, 157, -1, 158,
-1, 86, -1, 88, -1, 71, -1, 31, -1, 162,
-1, 89, -1, 49, -1, 151, -1
78, -1, 61, -1, 81, -1, 36, -1, 10, -1,
79, -1, 147, -1, 145, 91, 147, -1, 145, 91,
85, -1, 86, 111, -1, 146, -1, 146, 54, -1,
146, 20, 154, -1, 149, -1, 148, 91, 149, -1,
86, 92, 89, 93, -1, 151, -1, -1, 94, 152,
95, -1, -1, 153, 152, -1, 86, 92, 89, 93,
-1, 86, -1, 89, -1, 155, -1, 156, -1, 160,
-1, 159, -1, 161, -1, 164, -1, 163, -1, 157,
-1, 158, -1, 86, -1, 88, -1, 71, -1, 31,
-1, 162, -1, 89, -1, 49, -1, 151, -1
};
/* YYRLINE[YYN] -- source line where rule number YYN was defined. */
@@ -598,11 +598,11 @@ static const unsigned short int yyrline[] =
456, 464, 470, 478, 486, 493, 494, 497, 508, 513,
520, 536, 542, 545, 546, 549, 555, 563, 573, 579,
592, 601, 604, 608, 612, 619, 622, 626, 633, 644,
647, 652, 657, 662, 667, 672, 680, 686, 691, 702,
713, 719, 725, 733, 739, 746, 759, 760, 763, 770,
773, 784, 788, 799, 805, 806, 809, 810, 811, 812,
813, 816, 819, 822, 833, 841, 847, 855, 863, 866,
871
647, 652, 657, 662, 667, 672, 677, 685, 691, 696,
707, 718, 724, 730, 738, 744, 751, 764, 765, 768,
775, 778, 789, 793, 804, 810, 811, 814, 815, 816,
817, 818, 821, 824, 827, 838, 846, 852, 860, 868,
871, 876
};
#endif
@@ -682,11 +682,11 @@ static const unsigned char yyr1[] =
125, 126, 126, 127, 128, 129, 129, 130, 131, 131,
132, 133, 134, 135, 135, 136, 136, 136, 137, 138,
139, 140, 140, 140, 140, 141, 141, 141, 142, 143,
144, 144, 144, 144, 144, 144, 145, 145, 145, 146,
147, 147, 147, 148, 148, 149, 150, 150, 151, 152,
152, 153, 153, 153, 154, 154, 155, 155, 155, 155,
155, 156, 157, 158, 159, 160, 160, 161, 162, 163,
164
144, 144, 144, 144, 144, 144, 144, 145, 145, 145,
146, 147, 147, 147, 148, 148, 149, 150, 150, 151,
152, 152, 153, 153, 153, 154, 154, 155, 155, 155,
155, 155, 156, 157, 158, 159, 160, 160, 161, 162,
163, 164
};
/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN. */
@@ -701,11 +701,11 @@ static const unsigned char yyr2[] =
3, 4, 3, 3, 4, 1, 1, 1, 1, 1,
2, 3, 1, 1, 1, 2, 3, 5, 4, 3,
4, 0, 1, 1, 1, 0, 1, 1, 4, 1,
1, 1, 1, 1, 1, 1, 1, 3, 3, 2,
1, 2, 3, 1, 3, 4, 1, 0, 3, 0,
2, 4, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 3, 3,
2, 1, 2, 3, 1, 3, 4, 1, 0, 3,
0, 2, 4, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1
1, 1
};
/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
@@ -716,76 +716,76 @@ static const unsigned char yydefact[] =
0, 0, 0, 6, 1, 0, 0, 0, 8, 5,
3, 4, 0, 0, 7, 0, 10, 14, 0, 0,
23, 0, 13, 15, 0, 2, 0, 9, 18, 20,
21, 0, 11, 16, 0, 0, 94, 42, 0, 0,
90, 68, 93, 44, 57, 0, 0, 92, 0, 0,
69, 91, 95, 0, 67, 81, 0, 25, 29, 33,
32, 28, 35, 36, 34, 37, 38, 39, 40, 31,
26, 65, 66, 27, 41, 85, 30, 89, 19, 22,
107, 53, 0, 0, 0, 0, 45, 55, 56, 0,
0, 0, 0, 24, 83, 84, 82, 0, 0, 0,
70, 86, 87, 0, 109, 17, 106, 0, 0, 0,
100, 96, 0, 52, 47, 0, 126, 129, 125, 123,
124, 128, 130, 0, 114, 115, 121, 122, 117, 116,
118, 127, 120, 119, 0, 60, 59, 0, 63, 62,
0, 0, 88, 0, 0, 0, 0, 72, 73, 74,
79, 112, 113, 0, 109, 0, 0, 103, 99, 0,
64, 0, 101, 0, 0, 51, 0, 46, 58, 61,
80, 0, 75, 0, 71, 0, 108, 110, 0, 0,
54, 98, 97, 102, 0, 49, 48, 0, 0, 0,
76, 0, 0, 104, 50, 43, 78, 0, 111, 105,
77
21, 0, 11, 16, 0, 0, 95, 42, 0, 0,
90, 68, 94, 44, 57, 0, 0, 92, 0, 0,
69, 91, 96, 93, 0, 67, 81, 0, 25, 29,
33, 32, 28, 35, 36, 34, 37, 38, 39, 40,
31, 26, 65, 66, 27, 41, 85, 30, 89, 19,
22, 108, 53, 0, 0, 0, 0, 45, 55, 56,
0, 0, 0, 0, 24, 83, 84, 82, 0, 0,
0, 70, 86, 87, 0, 110, 17, 107, 0, 0,
0, 101, 97, 0, 52, 47, 0, 127, 130, 126,
124, 125, 129, 131, 0, 115, 116, 122, 123, 118,
117, 119, 128, 121, 120, 0, 60, 59, 0, 63,
62, 0, 0, 88, 0, 0, 0, 0, 72, 73,
74, 79, 113, 114, 0, 110, 0, 0, 104, 100,
0, 64, 0, 102, 0, 0, 51, 0, 46, 58,
61, 80, 0, 75, 0, 71, 0, 109, 111, 0,
0, 54, 99, 98, 103, 0, 49, 48, 0, 0,
0, 76, 0, 0, 105, 50, 43, 78, 0, 112,
106, 77
};
/* YYDEFGOTO[NTERM-NUM]. */
static const short int yydefgoto[] =
{
-1, 2, 8, 13, 18, 19, 21, 22, 23, 27,
28, 24, 29, 56, 57, 58, 86, 59, 113, 114,
60, 115, 61, 62, 63, 64, 65, 66, 67, 68,
69, 70, 71, 72, 73, 100, 146, 147, 148, 149,
74, 75, 97, 103, 30, 76, 77, 109, 110, 111,
156, 157, 105, 122, 153, 154, 123, 124, 125, 126,
127, 128, 129, 130, 131, 132, 133
28, 24, 29, 57, 58, 59, 87, 60, 114, 115,
61, 116, 62, 63, 64, 65, 66, 67, 68, 69,
70, 71, 72, 73, 74, 101, 147, 148, 149, 150,
75, 76, 98, 104, 30, 77, 78, 110, 111, 112,
157, 158, 106, 123, 154, 155, 124, 125, 126, 127,
128, 129, 130, 131, 132, 133, 134
};
/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
STATE-NUM. */
#define YYPACT_NINF -99
#define YYPACT_NINF -100
static const short int yypact[] =
{
-46, 20, 13, 21, -99, 11, 23, 25, 54, -99,
-99, -99, 58, 6, -99, 90, -34, 15, 80, 19,
16, 18, 15, -99, 74, -99, -7, -99, 19, -99,
-99, 15, -99, -99, 24, 42, -99, -99, 17, 26,
-99, -99, -99, -73, -99, 76, 50, -99, -45, -44,
-99, -99, -99, 51, -99, 4, -67, -99, -99, -99,
-99, -99, -99, -99, -99, -99, -99, -99, -99, -99,
-99, -99, -99, -99, -99, -16, -99, -99, -99, -99,
27, 28, 33, 37, 47, 37, -99, -99, -99, 51,
-72, 51, -71, 22, -99, -99, -99, 35, 47, 12,
-99, -99, -99, 51, 2, -99, -99, 39, 51, -75,
-8, -99, 34, 36, -99, 43, -99, -99, -99, -99,
-99, -99, -99, 48, -99, -99, -99, -99, -99, -99,
-99, -99, -99, -99, -57, 22, -99, -48, 22, -99,
-22, 45, -99, 120, 51, 122, 46, -99, -99, -99,
22, 52, -99, 53, 2, 57, -9, -99, 22, -53,
-99, 47, -99, 56, -19, -99, 47, -99, -99, -99,
-99, 49, -18, 47, -99, 61, -99, -99, 62, 39,
-99, -99, -99, -99, 59, -99, -99, 60, 63, 128,
-99, 64, 66, -99, -99, -99, -99, 47, -99, -99,
-99
-65, 19, 33, 5, -100, -29, -17, 11, 53, -100,
-100, -100, 47, 13, -100, 90, -34, 18, 81, 20,
16, 21, 18, -100, 76, -100, -7, -100, 20, -100,
-100, 18, -100, -100, 23, 43, -100, -100, 24, 25,
-100, -100, -100, -4, -100, 77, 46, -100, -48, -45,
-100, -100, -100, -100, 51, -100, 4, -64, -100, -100,
-100, -100, -100, -100, -100, -100, -100, -100, -100, -100,
-100, -100, -100, -100, -100, -100, -16, -100, -100, -100,
-100, 26, 27, 31, 36, 52, 36, -100, -100, -100,
51, -71, 51, -70, 32, -100, -100, -100, 37, 52,
12, -100, -100, -100, 51, -39, -100, -100, 39, 51,
-78, -6, -100, 35, 40, -100, 38, -100, -100, -100,
-100, -100, -100, -100, 56, -100, -100, -100, -100, -100,
-100, -100, -100, -100, -100, -72, 32, -100, -57, 32,
-100, -36, 45, -100, 122, 51, 123, 50, -100, -100,
-100, 32, 44, -100, 49, -39, 57, -22, -100, 32,
-19, -100, 52, -100, 59, 10, -100, 52, -100, -100,
-100, -100, 58, -14, 52, -100, 61, -100, -100, 62,
39, -100, -100, -100, -100, 60, -100, -100, 63, 64,
133, -100, 65, 67, -100, -100, -100, -100, 52, -100,
-100, -100
};
/* YYPGOTO[NTERM-NUM]. */
static const yysigned_char yypgoto[] =
static const short int yypgoto[] =
{
-99, -99, -99, -99, -99, -99, -99, -99, 124, 126,
-99, 125, -99, -52, -99, -99, -99, -99, 70, -4,
-99, -99, -99, -99, -99, -99, -99, -99, -99, -99,
-99, -99, -99, -99, -99, -99, -99, -99, -99, -99,
-99, -99, -99, -99, -99, -99, -99, -37, -99, 3,
-99, -15, -99, 81, 9, -99, -98, -99, -99, -99,
-99, -99, -99, -99, 5, -99, -99
-100, -100, -100, -100, -100, -100, -100, -100, 132, 127,
-100, 126, -100, -53, -100, -100, -100, -100, 75, -3,
-100, -100, -100, -100, -100, -100, -100, -100, -100, -100,
-100, -100, -100, -100, -100, -100, -100, -100, -100, -100,
-100, -100, -100, -100, -100, -100, -100, 0, -100, 3,
-100, -15, -100, 83, 14, -100, -99, -100, -100, -100,
-100, -100, -100, -100, 2, -100, -100
};
/* YYTABLE[YYPACT[STATE-NUM]]. What to do in state STATE-NUM. If
@@ -795,44 +795,44 @@ static const yysigned_char yypgoto[] =
#define YYTABLE_NINF -13
static const short int yytable[] =
{
142, 93, 35, 36, 37, 189, 17, 38, 89, 91,
94, 101, 161, 4, 108, 108, 159, 98, 39, 84,
160, 85, 102, 136, 139, 99, 40, 41, 5, 42,
143, 144, 181, 108, 164, 145, 43, 135, 167, 138,
1, 3, 44, 159, 45, 46, 162, 168, 6, 90,
92, 150, -12, 137, 47, 140, 158, 48, 49, 7,
35, 36, 37, 183, 95, 38, 185, 112, 187, 159,
50, 51, 52, 169, 99, 190, 39, 53, 116, 54,
96, 9, 179, 12, 40, 41, 180, 42, 151, 55,
15, 152, 172, 10, 43, 11, 117, 14, 16, 200,
44, 20, 45, 46, 25, 26, 34, 31, 32, 81,
80, 82, 47, 87, 99, 48, 49, 88, 118, 108,
83, 104, 107, 112, 141, 155, 163, 164, 50, 51,
52, 166, 171, 119, 173, 120, 121, 54, 165, 174,
197, 104, 170, 188, 175, 121, 33, 55, 176, 178,
191, 192, 194, 195, 78, 134, 79, 198, 196, 199,
186, 106, 182, 177, 193, 0, 0, 0, 184
143, 94, 35, 36, 37, 90, 17, 38, 92, 190,
95, 102, 5, 160, 162, 109, 109, 161, 39, 165,
99, 1, 103, 168, 137, 140, 40, 41, 100, 42,
144, 145, 6, 4, 160, 146, 43, 136, 169, 139,
3, 9, 44, 7, 45, 46, 91, 152, 163, 93,
153, 151, -12, 10, 47, 160, 159, 48, 49, 170,
35, 36, 37, 184, 96, 38, 182, 109, 188, 180,
50, 51, 52, 181, 53, 191, 39, 54, 100, 55,
97, 11, 12, 117, 40, 41, 14, 42, 85, 56,
86, 138, 173, 141, 43, 186, 113, 15, 16, 201,
44, 118, 45, 46, 20, 25, 26, 31, 34, 81,
82, 32, 47, 89, 88, 48, 49, 109, 83, 84,
105, 108, 113, 119, 100, 156, 142, 164, 50, 51,
52, 165, 53, 166, 172, 174, 176, 55, 120, 167,
121, 122, 171, 175, 177, 198, 105, 56, 122, 179,
192, 193, 189, 195, 33, 79, 196, 80, 199, 197,
200, 135, 187, 183, 107, 194, 185, 0, 0, 178
};
static const short int yycheck[] =
{
98, 53, 9, 10, 11, 23, 40, 14, 53, 53,
6, 27, 20, 0, 86, 86, 91, 84, 25, 92,
95, 94, 38, 95, 95, 92, 33, 34, 7, 36,
18, 19, 85, 86, 91, 23, 43, 89, 95, 91,
86, 21, 49, 91, 51, 52, 54, 95, 27, 94,
94, 103, 86, 90, 61, 92, 108, 64, 65, 38,
9, 10, 11, 161, 60, 14, 85, 86, 166, 91,
77, 78, 79, 95, 92, 173, 25, 84, 31, 86,
76, 70, 91, 29, 33, 34, 95, 36, 86, 96,
84, 89, 144, 70, 43, 70, 49, 39, 8, 197,
49, 86, 51, 52, 24, 86, 32, 91, 90, 67,
86, 94, 61, 37, 92, 64, 65, 67, 71, 86,
94, 94, 94, 86, 89, 86, 92, 91, 77, 78,
79, 83, 12, 86, 12, 88, 89, 86, 95, 93,
12, 94, 97, 94, 92, 89, 22, 96, 95, 92,
89, 89, 93, 93, 28, 85, 31, 93, 95, 93,
164, 80, 159, 154, 179, -1, -1, -1, 163
99, 54, 9, 10, 11, 53, 40, 14, 53, 23,
6, 27, 7, 91, 20, 86, 86, 95, 25, 91,
84, 86, 38, 95, 95, 95, 33, 34, 92, 36,
18, 19, 27, 0, 91, 23, 43, 90, 95, 92,
21, 70, 49, 38, 51, 52, 94, 86, 54, 94,
89, 104, 86, 70, 61, 91, 109, 64, 65, 95,
9, 10, 11, 162, 60, 14, 85, 86, 167, 91,
77, 78, 79, 95, 81, 174, 25, 84, 92, 86,
76, 70, 29, 31, 33, 34, 39, 36, 92, 96,
94, 91, 145, 93, 43, 85, 86, 84, 8, 198,
49, 49, 51, 52, 86, 24, 86, 91, 32, 86,
67, 90, 61, 67, 37, 64, 65, 86, 94, 94,
94, 94, 86, 71, 92, 86, 89, 92, 77, 78,
79, 91, 81, 95, 12, 12, 92, 86, 86, 83,
88, 89, 97, 93, 95, 12, 94, 96, 89, 92,
89, 89, 94, 93, 22, 28, 93, 31, 93, 95,
93, 86, 165, 160, 81, 180, 164, -1, -1, 155
};
/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
@@ -844,22 +844,22 @@ static const unsigned char yystos[] =
86, 104, 105, 106, 109, 24, 86, 107, 108, 110,
142, 91, 90, 106, 32, 9, 10, 11, 14, 25,
33, 34, 36, 43, 49, 51, 52, 61, 64, 65,
77, 78, 79, 84, 86, 96, 111, 112, 113, 115,
118, 120, 121, 122, 123, 124, 125, 126, 127, 128,
129, 130, 131, 132, 138, 139, 143, 144, 107, 109,
86, 67, 94, 94, 92, 94, 114, 37, 67, 53,
94, 53, 94, 111, 6, 60, 76, 140, 84, 92,
133, 27, 38, 141, 94, 150, 151, 94, 86, 145,
146, 147, 86, 116, 117, 119, 31, 49, 71, 86,
88, 89, 151, 154, 155, 156, 157, 158, 159, 160,
161, 162, 163, 164, 116, 111, 95, 145, 111, 95,
145, 89, 154, 18, 19, 23, 134, 135, 136, 137,
111, 86, 89, 152, 153, 86, 148, 149, 111, 91,
95, 20, 54, 92, 91, 95, 83, 95, 95, 95,
97, 12, 111, 12, 93, 92, 95, 152, 92, 91,
95, 85, 147, 154, 162, 85, 117, 154, 94, 23,
154, 89, 89, 149, 93, 93, 95, 12, 93, 93,
154
77, 78, 79, 81, 84, 86, 96, 111, 112, 113,
115, 118, 120, 121, 122, 123, 124, 125, 126, 127,
128, 129, 130, 131, 132, 138, 139, 143, 144, 107,
109, 86, 67, 94, 94, 92, 94, 114, 37, 67,
53, 94, 53, 94, 111, 6, 60, 76, 140, 84,
92, 133, 27, 38, 141, 94, 150, 151, 94, 86,
145, 146, 147, 86, 116, 117, 119, 31, 49, 71,
86, 88, 89, 151, 154, 155, 156, 157, 158, 159,
160, 161, 162, 163, 164, 116, 111, 95, 145, 111,
95, 145, 89, 154, 18, 19, 23, 134, 135, 136,
137, 111, 86, 89, 152, 153, 86, 148, 149, 111,
91, 95, 20, 54, 92, 91, 95, 83, 95, 95,
95, 97, 12, 111, 12, 93, 92, 95, 152, 92,
91, 95, 85, 147, 154, 162, 85, 117, 154, 94,
23, 154, 89, 89, 149, 93, 93, 95, 12, 93,
93, 154
};
#define yyerrok (yyerrstatus = 0)
@@ -1987,29 +1987,37 @@ yyreduce:
case 93:
#line 663 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String,
TE_EXPLICIT, new_type(TIA5String));
(yyval.type) = new_tag(ASN1_C_UNIV, UT_VisibleString,
TE_EXPLICIT, new_type(TVisibleString));
}
break;
case 94:
#line 668 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString,
TE_EXPLICIT, new_type(TBMPString));
(yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String,
TE_EXPLICIT, new_type(TIA5String));
}
break;
case 95:
#line 673 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString,
TE_EXPLICIT, new_type(TBMPString));
}
break;
case 96:
#line 678 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString,
TE_EXPLICIT, new_type(TUniversalString));
}
break;
case 96:
#line 681 "parse.y"
case 97:
#line 686 "parse.y"
{
(yyval.members) = emalloc(sizeof(*(yyval.members)));
ASN1_TAILQ_INIT((yyval.members));
@@ -2017,16 +2025,16 @@ yyreduce:
}
break;
case 97:
#line 687 "parse.y"
case 98:
#line 692 "parse.y"
{
ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members);
(yyval.members) = (yyvsp[-2].members);
}
break;
case 98:
#line 692 "parse.y"
case 99:
#line 697 "parse.y"
{
struct member *m = ecalloc(1, sizeof(*m));
m->name = estrdup("...");
@@ -2037,8 +2045,8 @@ yyreduce:
}
break;
case 99:
#line 703 "parse.y"
case 100:
#line 708 "parse.y"
{
(yyval.member) = emalloc(sizeof(*(yyval.member)));
(yyval.member)->name = (yyvsp[-1].name);
@@ -2049,8 +2057,8 @@ yyreduce:
}
break;
case 100:
#line 714 "parse.y"
case 101:
#line 719 "parse.y"
{
(yyval.member) = (yyvsp[0].member);
(yyval.member)->optional = 0;
@@ -2058,8 +2066,8 @@ yyreduce:
}
break;
case 101:
#line 720 "parse.y"
case 102:
#line 725 "parse.y"
{
(yyval.member) = (yyvsp[-1].member);
(yyval.member)->optional = 1;
@@ -2067,8 +2075,8 @@ yyreduce:
}
break;
case 102:
#line 726 "parse.y"
case 103:
#line 731 "parse.y"
{
(yyval.member) = (yyvsp[-2].member);
(yyval.member)->optional = 0;
@@ -2076,8 +2084,8 @@ yyreduce:
}
break;
case 103:
#line 734 "parse.y"
case 104:
#line 739 "parse.y"
{
(yyval.members) = emalloc(sizeof(*(yyval.members)));
ASN1_TAILQ_INIT((yyval.members));
@@ -2085,16 +2093,16 @@ yyreduce:
}
break;
case 104:
#line 740 "parse.y"
case 105:
#line 745 "parse.y"
{
ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members);
(yyval.members) = (yyvsp[-2].members);
}
break;
case 105:
#line 747 "parse.y"
case 106:
#line 752 "parse.y"
{
(yyval.member) = emalloc(sizeof(*(yyval.member)));
(yyval.member)->name = (yyvsp[-3].name);
@@ -2107,27 +2115,27 @@ yyreduce:
}
break;
case 107:
#line 760 "parse.y"
case 108:
#line 765 "parse.y"
{ (yyval.objid) = NULL; }
break;
case 108:
#line 764 "parse.y"
case 109:
#line 769 "parse.y"
{
(yyval.objid) = (yyvsp[-1].objid);
}
break;
case 109:
#line 770 "parse.y"
case 110:
#line 775 "parse.y"
{
(yyval.objid) = NULL;
}
break;
case 110:
#line 774 "parse.y"
case 111:
#line 779 "parse.y"
{
if ((yyvsp[0].objid)) {
(yyval.objid) = (yyvsp[0].objid);
@@ -2138,15 +2146,15 @@ yyreduce:
}
break;
case 111:
#line 785 "parse.y"
case 112:
#line 790 "parse.y"
{
(yyval.objid) = new_objid((yyvsp[-3].name), (yyvsp[-1].constant));
}
break;
case 112:
#line 789 "parse.y"
case 113:
#line 794 "parse.y"
{
Symbol *s = addsym((yyvsp[0].name));
if(s->stype != SValue ||
@@ -2159,15 +2167,15 @@ yyreduce:
}
break;
case 113:
#line 800 "parse.y"
case 114:
#line 805 "parse.y"
{
(yyval.objid) = new_objid(NULL, (yyvsp[0].constant));
}
break;
case 123:
#line 823 "parse.y"
case 124:
#line 828 "parse.y"
{
Symbol *s = addsym((yyvsp[0].name));
if(s->stype != SValue)
@@ -2178,8 +2186,8 @@ yyreduce:
}
break;
case 124:
#line 834 "parse.y"
case 125:
#line 839 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = stringvalue;
@@ -2187,17 +2195,8 @@ yyreduce:
}
break;
case 125:
#line 842 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = booleanvalue;
(yyval.value)->u.booleanvalue = 0;
}
break;
case 126:
#line 848 "parse.y"
#line 847 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = booleanvalue;
@@ -2206,7 +2205,16 @@ yyreduce:
break;
case 127:
#line 856 "parse.y"
#line 853 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = booleanvalue;
(yyval.value)->u.booleanvalue = 0;
}
break;
case 128:
#line 861 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = integervalue;
@@ -2214,14 +2222,14 @@ yyreduce:
}
break;
case 129:
#line 867 "parse.y"
case 130:
#line 872 "parse.y"
{
}
break;
case 130:
#line 872 "parse.y"
case 131:
#line 877 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = objectidentifiervalue;
@@ -2234,7 +2242,7 @@ yyreduce:
}
/* Line 1126 of yacc.c. */
#line 2238 "parse.c"
#line 2246 "parse.c"
yyvsp -= yylen;
yyssp -= yylen;
@@ -2502,7 +2510,7 @@ yyreturn:
}
#line 879 "parse.y"
#line 884 "parse.y"
void

11
source/heimdal/lib/asn1/parse.y
View File

@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: parse.y,v 1.27 2005/12/14 09:44:36 lha Exp $ */
/* $Id: parse.y,v 1.29 2006/12/28 17:15:02 lha Exp $ */
%{
#ifdef HAVE_CONFIG_H
@@ -45,7 +45,7 @@
#include "gen_locl.h"
#include "der.h"
RCSID("$Id: parse.y,v 1.27 2005/12/14 09:44:36 lha Exp $");
RCSID("$Id: parse.y,v 1.29 2006/12/28 17:15:02 lha Exp $");
static Type *new_type (Typetype t);
static struct constraint_spec *new_constraint_spec(enum ctype);
@@ -537,8 +537,10 @@ Constraint : '(' ConstraintSpec ')'
{
$$ = $2;
}
;
ConstraintSpec : GeneralConstraint
;
GeneralConstraint: ContentsConstraint
| UserDefinedConstraint
@@ -657,6 +659,11 @@ RestrictedCharactedStringType: kw_GeneralString
$$ = new_tag(ASN1_C_UNIV, UT_PrintableString,
TE_EXPLICIT, new_type(TPrintableString));
}
| kw_VisibleString
{
$$ = new_tag(ASN1_C_UNIV, UT_VisibleString,
TE_EXPLICIT, new_type(TVisibleString));
}
| kw_IA5String
{
$$ = new_tag(ASN1_C_UNIV, UT_IA5String,

22
source/heimdal/lib/asn1/rfc2459.asn1
View File

@@ -406,13 +406,31 @@ CRLReason ::= ENUMERATED {
aACompromise (10)
}
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
id-pkix-on OBJECT IDENTIFIER ::= { id-pkix 8 }
id-pkix-on-dnsSRV OBJECT IDENTIFIER ::= { id-pkix-on 7 }
id-pkix-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
id-pkix-kp-serverAuth OBJECT IDENTIFIER ::= { id-pkix-kp 1 }
id-pkix-kp-clientAuth OBJECT IDENTIFIER ::= { id-pkix-kp 2 }
id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 }
id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 }
id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 }
-- RFC 3820 Proxy Certificate Profile
id-pkix-pe OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 1 }
id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
id-pkix-ppl OBJECT IDENTIFIER ::= { id-pkix 21 }
id-pkix-ppl-anyLanguage OBJECT IDENTIFIER ::= { id-pkix-ppl 0 }
id-pkix-ppl-inheritAll OBJECT IDENTIFIER ::= { id-pkix-ppl 1 }
id-pkix-ppl-independent OBJECT IDENTIFIER ::= { id-pkix-ppl 2 }
ProxyPolicy ::= SEQUENCE {
policyLanguage OBJECT IDENTIFIER,
policy OCTET STRING OPTIONAL

5
source/heimdal/lib/asn1/symbol.h
View File

@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: symbol.h,v 1.13 2005/12/06 19:59:52 lha Exp $ */
/* $Id: symbol.h,v 1.14 2006/12/28 17:15:05 lha Exp $ */
#ifndef _SYMBOL_H
#define _SYMBOL_H
@@ -60,7 +60,8 @@ enum typetype {
TUTCTime,
TUTF8String,
TBMPString,
TUniversalString
TUniversalString,
TVisibleString
};
typedef enum typetype Typetype;

74
source/heimdal/lib/com_err/lex.c
View File

@@ -1,7 +1,8 @@
/* A lexical scanner generated by flex */
#include "config.h"
/* A lexical scanner generated by flex*/
/* Scanner skeleton version:
* $Header: /cvs/root/flex/flex/skel.c,v 1.2 2004/05/07 00:28:17 jkh Exp $
* $Header: /home/daffy/u0/vern/flex/RCS/flex.skl,v 2.91 96/09/10 16:58:48 vern Exp $
*/
#define FLEX_SCANNER
@@ -9,6 +10,7 @@
#define YY_FLEX_MINOR_VERSION 5
#include <stdio.h>
#include <unistd.h>
/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */
@@ -22,7 +24,6 @@
#ifdef __cplusplus
#include <stdlib.h>
#include <unistd.h>
/* Use prototypes in function declarations. */
#define YY_USE_PROTOS
@@ -134,6 +135,15 @@ extern FILE *yyin, *yyout;
#define unput(c) yyunput( c, yytext_ptr )
/* Some routines like yy_flex_realloc() are emitted as static but are
not called by all lexers. This generates warnings in some compilers,
notably GCC. Arrange to suppress these. */
#ifdef __GNUC__
#define YY_MAY_BE_UNUSED __attribute__((unused))
#else
#define YY_MAY_BE_UNUSED
#endif
/* The following is because we cannot portably get our hands on size_t
* (without autoconf's help, which isn't available because we want
* flex-generated scanners to compile on their own).
@@ -240,7 +250,7 @@ YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len ));
static void *yy_flex_alloc YY_PROTO(( yy_size_t ));
static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t ));
static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t )) YY_MAY_BE_UNUSED;
static void yy_flex_free YY_PROTO(( void * ));
#define yy_new_buffer yy_create_buffer
@@ -385,9 +395,9 @@ static char *yy_last_accepting_cpos;
#define YY_MORE_ADJ 0
#define YY_RESTORE_YY_MORE_OFFSET
char *yytext;
#line 1 "../../../lib/com_err/lex.l"
#line 1 "lex.l"
#define INITIAL 0
#line 2 "../../../lib/com_err/lex.l"
#line 2 "lex.l"
/*
* Copyright (c) 1998 - 2000 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
@@ -442,7 +452,7 @@ static int getstring(void);
#undef ECHO
#line 446 "lex.c"
#line 455 "lex.yy.c"
/* Macros after this point can all be overridden by user definitions in
* section 1.
@@ -590,12 +600,12 @@ YY_MALLOC_DECL
YY_DECL
{
register yy_state_type yy_current_state;
register char *yy_cp, *yy_bp;
register char *yy_cp = NULL, *yy_bp = NULL;
register int yy_act;
#line 59 "../../../lib/com_err/lex.l"
#line 59 "lex.l"
#line 599 "lex.c"
#line 608 "lex.yy.c"
if ( yy_init )
{
@@ -680,85 +690,85 @@ do_action: /* This label is used only to access EOF actions. */
case 1:
YY_RULE_SETUP
#line 60 "../../../lib/com_err/lex.l"
#line 60 "lex.l"
{ return ET; }
YY_BREAK
case 2:
YY_RULE_SETUP
#line 61 "../../../lib/com_err/lex.l"
#line 61 "lex.l"
{ return ET; }
YY_BREAK
case 3:
YY_RULE_SETUP
#line 62 "../../../lib/com_err/lex.l"
#line 62 "lex.l"
{ return EC; }
YY_BREAK
case 4:
YY_RULE_SETUP
#line 63 "../../../lib/com_err/lex.l"
#line 63 "lex.l"
{ return EC; }
YY_BREAK
case 5:
YY_RULE_SETUP
#line 64 "../../../lib/com_err/lex.l"
#line 64 "lex.l"
{ return PREFIX; }
YY_BREAK
case 6:
YY_RULE_SETUP
#line 65 "../../../lib/com_err/lex.l"
#line 65 "lex.l"
{ return INDEX; }
YY_BREAK
case 7:
YY_RULE_SETUP
#line 66 "../../../lib/com_err/lex.l"
#line 66 "lex.l"
{ return ID; }
YY_BREAK
case 8:
YY_RULE_SETUP
#line 67 "../../../lib/com_err/lex.l"
#line 67 "lex.l"
{ return END; }
YY_BREAK
case 9:
YY_RULE_SETUP
#line 68 "../../../lib/com_err/lex.l"
#line 68 "lex.l"
{ yylval.number = atoi(yytext); return NUMBER; }
YY_BREAK
case 10:
YY_RULE_SETUP
#line 69 "../../../lib/com_err/lex.l"
#line 69 "lex.l"
;
YY_BREAK
case 11:
YY_RULE_SETUP
#line 70 "../../../lib/com_err/lex.l"
#line 70 "lex.l"
;
YY_BREAK
case 12:
YY_RULE_SETUP
#line 71 "../../../lib/com_err/lex.l"
#line 71 "lex.l"
{ lineno++; }
YY_BREAK
case 13:
YY_RULE_SETUP
#line 72 "../../../lib/com_err/lex.l"
#line 72 "lex.l"
{ return getstring(); }
YY_BREAK
case 14:
YY_RULE_SETUP
#line 73 "../../../lib/com_err/lex.l"
#line 73 "lex.l"
{ yylval.string = strdup(yytext); return STRING; }
YY_BREAK
case 15:
YY_RULE_SETUP
#line 74 "../../../lib/com_err/lex.l"
#line 74 "lex.l"
{ return *yytext; }
YY_BREAK
case 16:
YY_RULE_SETUP
#line 75 "../../../lib/com_err/lex.l"
#line 75 "lex.l"
ECHO;
YY_BREAK
#line 762 "lex.c"
#line 771 "lex.yy.c"
case YY_STATE_EOF(INITIAL):
yyterminate();
@@ -1140,6 +1150,7 @@ register char *yy_bp;
#endif /* ifndef YY_NO_UNPUT */
#ifndef YY_NO_INPUT
#ifdef __cplusplus
static int yyinput()
#else
@@ -1211,7 +1222,7 @@ static int input()
return c;
}
#endif /* YY_NO_INPUT */
#ifdef YY_USE_PROTOS
void yyrestart( FILE *input_file )
@@ -1322,11 +1333,6 @@ YY_BUFFER_STATE b;
}
#ifndef YY_ALWAYS_INTERACTIVE
#ifndef YY_NEVER_INTERACTIVE
extern int isatty YY_PROTO(( int ));
#endif
#endif
#ifdef YY_USE_PROTOS
void yy_init_buffer( YY_BUFFER_STATE b, FILE *file )
@@ -1644,7 +1650,7 @@ int main()
return 0;
}
#endif
#line 75 "../../../lib/com_err/lex.l"
#line 75 "lex.l"
#ifndef yywrap /* XXX */

1960
source/heimdal/lib/com_err/parse.c
View File

File diff suppressed because it is too large Load Diff

76
source/heimdal/lib/com_err/parse.h
View File

@@ -1,15 +1,71 @@
typedef union {
/* A Bison parser, made by GNU Bison 2.1. */
/* Skeleton parser for Yacc-like parsing with Bison,
Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301, USA. */
/* As a special exception, when this file is copied by Bison into a
Bison output file, you may use that output file without restriction.
This special exception was added by the Free Software Foundation
in version 1.24 of Bison. */
/* Tokens. */
#ifndef YYTOKENTYPE
# define YYTOKENTYPE
/* Put the tokens into the symbol table, so that GDB and other debuggers
know about them. */
enum yytokentype {
ET = 258,
INDEX = 259,
PREFIX = 260,
EC = 261,
ID = 262,
END = 263,
STRING = 264,
NUMBER = 265
};
#endif
/* Tokens. */
#define ET 258
#define INDEX 259
#define PREFIX 260
#define EC 261
#define ID 262
#define END 263
#define STRING 264
#define NUMBER 265
#if ! defined (YYSTYPE) && ! defined (YYSTYPE_IS_DECLARED)
#line 53 "parse.y"
typedef union YYSTYPE {
char *string;
int number;
} YYSTYPE;
#define ET 257
#define INDEX 258
#define PREFIX 259
#define EC 260
#define ID 261
#define END 262
#define STRING 263
#define NUMBER 264
/* Line 1447 of yacc.c. */
#line 63 "parse.h"
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
# define YYSTYPE_IS_TRIVIAL 1
#endif
extern YYSTYPE yylval;

445
source/heimdal/lib/des/bn.c Normal file
View File

@@ -0,0 +1,445 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id: bn.c,v 1.9 2006/10/14 09:21:09 lha Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <krb5-types.h>
#include <rfc2459_asn1.h> /* XXX */
#include <der.h>
#include <bn.h>
#include <rand.h>
#include <hex.h>
BIGNUM *
BN_new(void)
{
heim_integer *hi;
hi = calloc(1, sizeof(*hi));
return (BIGNUM *)hi;
}
void
BN_free(BIGNUM *bn)
{
BN_clear(bn);
free(bn);
}
void
BN_clear(BIGNUM *bn)
{
heim_integer *hi = (heim_integer *)bn;
if (hi->data) {
memset(hi->data, 0, hi->length);
free(hi->data);
}
memset(hi, 0, sizeof(*hi));
}
void
BN_clear_free(BIGNUM *bn)
{
BN_free(bn);
}
BIGNUM *
BN_dup(const BIGNUM *bn)
{
BIGNUM *b = BN_new();
if (der_copy_heim_integer((const heim_integer *)bn, (heim_integer *)b)) {
BN_free(b);
return NULL;
}
return b;
}
/*
* If the caller really want to know the number of bits used, subtract
* one from the length, multiply by 8, and then lookup in the table
* how many bits the hightest byte uses.
*/
int
BN_num_bits(const BIGNUM *bn)
{
static unsigned char num2bits[256] = {
0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4, 5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,
6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6, 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
};
const heim_integer *i = (const void *)bn;
if (i->length == 0)
return 0;
return (i->length - 1) * 8 + num2bits[((unsigned char *)i->data)[0]];
}
int
BN_num_bytes(const BIGNUM *bn)
{
return ((const heim_integer *)bn)->length;
}
/*
* Ignore negative flag.
*/
BIGNUM *
BN_bin2bn(const void *s, int len, BIGNUM *bn)
{
heim_integer *hi = (void *)bn;
if (len < 0)
return NULL;
if (hi == NULL) {
hi = (heim_integer *)BN_new();
if (hi == NULL)
return NULL;
}
if (hi->data)
BN_clear((BIGNUM *)hi);
hi->negative = 0;
hi->data = malloc(len);
if (hi->data == NULL && len != 0) {
if (bn == NULL)
BN_free((BIGNUM *)hi);
return NULL;
}
hi->length = len;
memcpy(hi->data, s, len);
return (BIGNUM *)hi;
}
int
BN_bn2bin(const BIGNUM *bn, void *to)
{
const heim_integer *hi = (const void *)bn;
memcpy(to, hi->data, hi->length);
return hi->length;
}
int
BN_hex2bn(BIGNUM **bnp, const char *in)
{
int negative;
ssize_t ret;
size_t len;
void *data;
len = strlen(in);
data = malloc(len);
if (data == NULL)
return 0;
if (*in == '-') {
negative = 1;
in++;
} else
negative = 0;
ret = hex_decode(in, data, len);
if (ret < 0) {
free(data);
return 0;
}
*bnp = BN_bin2bn(data, ret, NULL);
free(data);
if (*bnp == NULL)
return 0;
BN_set_negative(*bnp, negative);
return 1;
}
char *
BN_bn2hex(const BIGNUM *bn)
{
ssize_t ret;
size_t len;
void *data;
char *str;
len = BN_num_bytes(bn);
data = malloc(len);
if (data == NULL)
return 0;
len = BN_bn2bin(bn, data);
ret = hex_encode(data, len, &str);
free(data);
if (ret < 0)
return 0;
return str;
}
int
BN_cmp(const BIGNUM *bn1, const BIGNUM *bn2)
{
return der_heim_integer_cmp((const heim_integer *)bn1,
(const heim_integer *)bn2);
}
void
BN_set_negative(BIGNUM *bn, int flag)
{
((heim_integer *)bn)->negative = (flag ? 1 : 0);
}
int
BN_is_negative(BIGNUM *bn)
{
return ((heim_integer *)bn)->negative ? 1 : 0;
}
static const unsigned char is_set[8] = { 1, 2, 4, 8, 16, 32, 64, 128 };
int
BN_is_bit_set(const BIGNUM *bn, int bit)
{
heim_integer *hi = (heim_integer *)bn;
unsigned char *p = hi->data;
if ((bit / 8) > hi->length || hi->length == 0)
return 0;
return p[hi->length - 1 - (bit / 8)] & is_set[bit % 8];
}
int
BN_set_bit(BIGNUM *bn, int bit)
{
heim_integer *hi = (heim_integer *)bn;
unsigned char *p;
if ((bit / 8) > hi->length || hi->length == 0) {
size_t len = (bit + 7) / 8;
void *d = realloc(hi->data, len);
if (d == NULL)
return 0;
hi->data = d;
p = hi->data;
memset(&p[hi->length], 0, len);
hi->length = len;
} else
p = hi->data;
p[hi->length - 1 - (bit / 8)] |= is_set[bit % 8];
return 1;
}
int
BN_clear_bit(BIGNUM *bn, int bit)
{
heim_integer *hi = (heim_integer *)bn;
unsigned char *p = hi->data;
if ((bit / 8) > hi->length || hi->length == 0)
return 0;
p[hi->length - 1 - (bit / 8)] &= (unsigned char)(~(is_set[bit % 8]));
return 1;
}
int
BN_set_word(BIGNUM *bn, unsigned long num)
{
unsigned char p[sizeof(num)];
unsigned long num2;
int i, len;
for (num2 = num, i = 0; num2 > 0; i++)
num2 = num2 >> 8;
len = i - 1;
for (; i > 0; i--) {
p[i - 1] = (num & 0xff);
num = num >> 8;
}
bn = BN_bin2bn(p, len + 1, bn);
return bn != NULL;
}
unsigned long
BN_get_word(const BIGNUM *bn)
{
heim_integer *hi = (heim_integer *)bn;
unsigned long num = 0;
int i;
if (hi->negative || hi->length > sizeof(num))
return ULONG_MAX;
for (i = 0; i < hi->length; i++)
num = ((unsigned char *)hi->data)[i] | (num << 8);
return num;
}
int
BN_rand(BIGNUM *bn, int bits, int top, int bottom)
{
size_t len = (bits + 7) / 8;
heim_integer *i = (heim_integer *)bn;
BN_clear(bn);
i->negative = 0;
i->data = malloc(len);
if (i->data == NULL && len != 0)
return 0;
i->length = len;
if (RAND_bytes(i->data, i->length) != 1) {
free(i->data);
i->data = NULL;
return 0;
}
{
size_t j = len * 8;
while(j > bits) {
BN_clear_bit(bn, j - 1);
j--;
}
}
if (top == -1) {
;
} else if (top == 0 && bits > 0) {
BN_set_bit(bn, bits - 1);
} else if (top == 1 && bits > 1) {
BN_set_bit(bn, bits - 1);
BN_set_bit(bn, bits - 2);
} else {
BN_clear(bn);
return 0;
}
if (bottom && bits > 0)
BN_set_bit(bn, 0);
return 1;
}
/*
*
*/
int
BN_uadd(BIGNUM *res, const BIGNUM *a, const BIGNUM *b)
{
const heim_integer *ai = (const heim_integer *)a;
const heim_integer *bi = (const heim_integer *)b;
const unsigned char *ap, *bp;
unsigned char *cp;
heim_integer ci;
int carry = 0;
ssize_t len;
if (ai->negative && bi->negative)
return 0;
if (ai->length < bi->length) {
const heim_integer *si = bi;
bi = ai; ai = si;
}
ci.negative = 0;
ci.length = ai->length + 1;
ci.data = malloc(ci.length);
if (ci.data == NULL)
return 0;
ap = &((const unsigned char *)ai->data)[ai->length - 1];
bp = &((const unsigned char *)bi->data)[bi->length - 1];
cp = &((unsigned char *)ci.data)[ci.length - 1];
for (len = bi->length; len > 0; len--) {
carry = *ap + *bp + carry;
*cp = carry & 0xff;
carry = (carry & ~0xff) ? 1 : 0;
ap--; bp--; cp--;
}
for (len = ai->length - bi->length; len > 0; len--) {
carry = *ap + carry;
*cp = carry & 0xff;
carry = (carry & ~0xff) ? 1 : 0;
ap--; cp--;
}
if (!carry)
memmove(cp, cp + 1, --ci.length);
else
*cp = carry;
BN_clear(res);
*((heim_integer *)res) = ci;
return 1;
}
/*
* Callback when doing slow generation of numbers, like primes.
*/
void
BN_GENCB_set(BN_GENCB *gencb, int (*cb_2)(int, int, BN_GENCB *), void *ctx)
{
gencb->ver = 2;
gencb->cb.cb_2 = cb_2;
gencb->arg = ctx;
}
int
BN_GENCB_call(BN_GENCB *cb, int a, int b)
{
if (cb == NULL || cb->cb.cb_2 == NULL)
return 1;
return cb->cb.cb_2(a, b, cb);
}

243
source/heimdal/lib/des/dh-imath.c Normal file
View File

@@ -0,0 +1,243 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <dh.h>
#include <roken.h>
#include "imath/imath.h"
RCSID("$Id: dh-imath.c,v 1.6 2006/10/20 06:56:57 lha Exp $");
static void
BN2mpz(mpz_t *s, const BIGNUM *bn)
{
size_t len;
void *p;
len = BN_num_bytes(bn);
p = malloc(len);
BN_bn2bin(bn, p);
mp_int_read_unsigned(s, p, len);
free(p);
}
static BIGNUM *
mpz2BN(mpz_t *s)
{
size_t size;
BIGNUM *bn;
void *p;
size = mp_int_unsigned_len(s);
p = malloc(size);
if (p == NULL && size != 0)
return NULL;
mp_int_to_unsigned(s, p, size);
bn = BN_bin2bn(p, size, NULL);
free(p);
return bn;
}
/*
*
*/
#define DH_NUM_TRIES 10
static int
dh_generate_key(DH *dh)
{
mpz_t pub, priv_key, g, p;
int have_private_key = (dh->priv_key != NULL);
int codes, times = 0;
mp_result res;
if (dh->p == NULL || dh->g == NULL)
return 0;
while (times++ < DH_NUM_TRIES) {
if (!have_private_key) {
size_t bits = BN_num_bits(dh->p);
if (dh->priv_key)
BN_free(dh->priv_key);
dh->priv_key = BN_new();
if (dh->priv_key == NULL)
return 0;
if (!BN_rand(dh->priv_key, bits - 1, 0, 0)) {
BN_clear_free(dh->priv_key);
dh->priv_key = NULL;
return 0;
}
}
if (dh->pub_key)
BN_free(dh->pub_key);
mp_int_init(&pub);
mp_int_init(&priv_key);
mp_int_init(&g);
mp_int_init(&p);
BN2mpz(&priv_key, dh->priv_key);
BN2mpz(&g, dh->g);
BN2mpz(&p, dh->p);
res = mp_int_exptmod(&g, &priv_key, &p, &pub);
mp_int_clear(&priv_key);
mp_int_clear(&g);
mp_int_clear(&p);
if (res != MP_OK)
continue;
dh->pub_key = mpz2BN(&pub);
mp_int_clear(&pub);
if (dh->pub_key == NULL)
return 0;
if (DH_check_pubkey(dh, dh->pub_key, &codes) && codes == 0)
break;
if (have_private_key)
return 0;
}
if (times >= DH_NUM_TRIES) {
if (!have_private_key && dh->priv_key) {
BN_free(dh->priv_key);
dh->priv_key = NULL;
}
if (dh->pub_key) {
BN_free(dh->pub_key);
dh->pub_key = NULL;
}
return 0;
}
return 1;
}
static int
dh_compute_key(unsigned char *shared, const BIGNUM * pub, DH *dh)
{
mpz_t s, priv_key, p, peer_pub;
size_t size = 0;
mp_result res;
if (dh->pub_key == NULL || dh->g == NULL || dh->priv_key == NULL)
return -1;
mp_int_init(&p);
BN2mpz(&p, dh->p);
mp_int_init(&peer_pub);
BN2mpz(&peer_pub, pub);
/* check if peers pubkey is reasonable */
if (MP_SIGN(&peer_pub) == MP_NEG
|| mp_int_compare(&peer_pub, &p) >= 0
|| mp_int_compare_value(&peer_pub, 1) <= 0)
{
mp_int_clear(&p);
mp_int_clear(&peer_pub);
return -1;
}
mp_int_init(&priv_key);
BN2mpz(&priv_key, dh->priv_key);
mp_int_init(&s);
mp_int_exptmod(&peer_pub, &priv_key, &p, &s);
mp_int_clear(&p);
mp_int_clear(&peer_pub);
mp_int_clear(&priv_key);
size = mp_int_unsigned_len(&s);
res = mp_int_to_unsigned(&s, shared, size);
mp_int_clear(&s);
return (res == MP_OK) ? size : -1;
}
static int
dh_generate_params(DH *dh, int a, int b, BN_GENCB *callback)
{
/* groups should already be known, we don't care about this */
return 0;
}
static int
dh_init(DH *dh)
{
return 1;
}
static int
dh_finish(DH *dh)
{
return 1;
}
/*
*
*/
const DH_METHOD hc_dh_imath_method = {
"hcrypto imath DH",
dh_generate_key,
dh_compute_key,
NULL,
dh_init,
dh_finish,
0,
NULL,
dh_generate_params
};
const DH_METHOD *
DH_imath_method(void)
{
return &hc_dh_imath_method;
}

294
source/heimdal/lib/des/dh.c Normal file
View File

@@ -0,0 +1,294 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id: dh.c,v 1.10 2006/10/19 17:31:51 lha Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <dh.h>
#include <roken.h>
/*
*
*/
DH *
DH_new(void)
{
return DH_new_method(NULL);
}
DH *
DH_new_method(ENGINE *engine)
{
DH *dh;
dh = calloc(1, sizeof(*dh));
if (dh == NULL)
return NULL;
dh->references = 1;
if (engine) {
ENGINE_up_ref(engine);
dh->engine = engine;
} else {
dh->engine = ENGINE_get_default_DH();
}
if (dh->engine) {
dh->meth = ENGINE_get_DH(dh->engine);
if (dh->meth == NULL) {
ENGINE_finish(engine);
free(dh);
return 0;
}
}
if (dh->meth == NULL)
dh->meth = DH_get_default_method();
(*dh->meth->init)(dh);
return dh;
}
void
DH_free(DH *dh)
{
if (dh->references <= 0)
abort();
if (--dh->references > 0)
return;
(*dh->meth->finish)(dh);
if (dh->engine)
ENGINE_finish(dh->engine);
#define free_if(f) if (f) { BN_free(f); }
free_if(dh->p);
free_if(dh->g);
free_if(dh->pub_key);
free_if(dh->priv_key);
free_if(dh->q);
free_if(dh->j);
free_if(dh->counter);
#undef free_if
memset(dh, 0, sizeof(*dh));
free(dh);
}
int
DH_up_ref(DH *dh)
{
return ++dh->references;
}
int
DH_size(const DH *dh)
{
return BN_num_bytes(dh->p);
}
int
DH_set_ex_data(DH *dh, int idx, void *data)
{
dh->ex_data.sk = data;
return 1;
}
void *
DH_get_ex_data(DH *dh, int idx)
{
return dh->ex_data.sk;
}
int
DH_generate_parameters_ex(DH *dh, int prime_len, int generator, BN_GENCB *cb)
{
if (dh->meth->generate_params)
return dh->meth->generate_params(dh, prime_len, generator, cb);
return 0;
}
/*
* Check that
*
* pub_key > 1 and pub_key < p - 1
*
* to avoid small subgroups attack.
*/
int
DH_check_pubkey(const DH *dh, const BIGNUM *pub_key, int *codes)
{
BIGNUM *bn = NULL, *sum = NULL;
int ret = 0;
*codes = 0;
bn = BN_new();
if (bn == NULL)
goto out;
if (!BN_set_word(bn, 1))
goto out;
if (BN_cmp(bn, pub_key) >= 0)
*codes |= DH_CHECK_PUBKEY_TOO_SMALL;
sum = BN_new();
if (sum == NULL)
goto out;
BN_uadd(sum, pub_key, bn);
if (BN_cmp(sum, dh->p) >= 0)
*codes |= DH_CHECK_PUBKEY_TOO_LARGE;
ret = 1;
out:
if (bn)
BN_free(bn);
if (sum)
BN_free(sum);
return ret;
}
int
DH_generate_key(DH *dh)
{
return dh->meth->generate_key(dh);
}
int
DH_compute_key(unsigned char *shared_key,
const BIGNUM *peer_pub_key, DH *dh)
{
int codes;
if (!DH_check_pubkey(dh, peer_pub_key, &codes) || codes != 0)
return -1;
return dh->meth->compute_key(shared_key, peer_pub_key, dh);
}
int
DH_set_method(DH *dh, const DH_METHOD *method)
{
(*dh->meth->finish)(dh);
if (dh->engine) {
ENGINE_finish(dh->engine);
dh->engine = NULL;
}
dh->meth = method;
(*dh->meth->init)(dh);
return 1;
}
/*
*
*/
static int
dh_null_generate_key(DH *dh)
{
return 0;
}
static int
dh_null_compute_key(unsigned char *shared,const BIGNUM *pub, DH *dh)
{
return 0;
}
static int
dh_null_init(DH *dh)
{
return 1;
}
static int
dh_null_finish(DH *dh)
{
return 1;
}
static int
dh_null_generate_params(DH *dh, int prime_num, int len, BN_GENCB *cb)
{
return 0;
}
static const DH_METHOD dh_null_method = {
"hcrypto null DH",
dh_null_generate_key,
dh_null_compute_key,
NULL,
dh_null_init,
dh_null_finish,
0,
NULL,
dh_null_generate_params
};
extern const DH_METHOD hc_dh_imath_method;
static const DH_METHOD *dh_default_method = &hc_dh_imath_method;
const DH_METHOD *
DH_null_method(void)
{
return &dh_null_method;
}
void
DH_set_default_method(const DH_METHOD *meth)
{
dh_default_method = meth;
}
const DH_METHOD *
DH_get_default_method(void)
{
return dh_default_method;
}

125
source/heimdal/lib/des/dsa.c Normal file
View File

@@ -0,0 +1,125 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id: dsa.c,v 1.2 2006/05/07 11:31:58 lha Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <dsa.h>
#include <roken.h>
/*
*
*/
DSA *
DSA_new(void)
{
DSA *dsa = calloc(1, sizeof(*dsa));
dsa->meth = rk_UNCONST(DSA_get_default_method());
dsa->references = 1;
return dsa;
}
void
DSA_free(DSA *dsa)
{
if (dsa->references <= 0)
abort();
if (--dsa->references > 0)
return;
(*dsa->meth->finish)(dsa);
#define free_if(f) if (f) { BN_free(f); }
free_if(dsa->p);
free_if(dsa->q);
free_if(dsa->g);
free_if(dsa->pub_key);
free_if(dsa->priv_key);
free_if(dsa->kinv);
free_if(dsa->r);
#undef free_if
memset(dsa, 0, sizeof(*dsa));
free(dsa);
}
int
DSA_up_ref(DSA *dsa)
{
return ++dsa->references;
}
/*
*
*/
static const DSA_METHOD dsa_null_method = {
"hcrypto null DSA"
};
const DSA_METHOD *
DSA_null_method(void)
{
return &dsa_null_method;
}
const DSA_METHOD *dsa_default_mech = &dsa_null_method;
void
DSA_set_default_method(const DSA_METHOD *mech)
{
dsa_default_mech = mech;
}
const DSA_METHOD *
DSA_get_default_method(void)
{
return dsa_default_mech;
}
int
DSA_verify(int type, const unsigned char * digest, int digest_len,
const unsigned char *sig, int sig_len, DSA *dsa)
{
return -1;
}

345
source/heimdal/lib/des/engine.c Normal file
View File

@@ -0,0 +1,345 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id: engine.c,v 1.11 2006/10/19 14:23:00 lha Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <engine.h>
#ifdef HAVE_DLFCN_H
#include <dlfcn.h>
#ifndef RTLD_NOW
#define RTLD_NOW 0
#endif
#endif
struct hc_engine {
int references;
char *name;
char *id;
void (*destroy)(ENGINE *);
const RSA_METHOD *rsa;
const DH_METHOD *dh;
const RAND_METHOD *rand;
};
int
ENGINE_finish(ENGINE *engine)
{
if (engine->references-- <= 0)
abort();
if (engine->references > 0)
return 1;
if (engine->name)
free(engine->name);
if (engine->id)
free(engine->id);
if(engine->destroy)
(*engine->destroy)(engine);
memset(engine, 0, sizeof(engine));
engine->references = -1;
free(engine);
return 1;
}
int
ENGINE_up_ref(ENGINE *engine)
{
if (engine->references < 0)
abort();
engine->references++;
return 1;
}
int
ENGINE_set_id(ENGINE *engine, const char *id)
{
engine->id = strdup(id);
return (engine->id == NULL) ? 0 : 1;
}
int
ENGINE_set_name(ENGINE *engine, const char *name)
{
engine->name = strdup(name);
return (engine->name == NULL) ? 0 : 1;
}
int
ENGINE_set_RSA(ENGINE *engine, const RSA_METHOD *method)
{
engine->rsa = method;
return 1;
}
int
ENGINE_set_DH(ENGINE *engine, const DH_METHOD *method)
{
engine->dh = method;
return 1;
}
int
ENGINE_set_destroy_function(ENGINE *e, void (*destroy)(ENGINE *))
{
e->destroy = destroy;
return 1;
}
const char *
ENGINE_get_id(const ENGINE *engine)
{
return engine->id;
}
const char *
ENGINE_get_name(const ENGINE *engine)
{
return engine->name;
}
const RSA_METHOD *
ENGINE_get_RSA(const ENGINE *engine)
{
return engine->rsa;
}
const DH_METHOD *
ENGINE_get_DH(const ENGINE *engine)
{
return engine->dh;
}
const RAND_METHOD *
ENGINE_get_RAND(const ENGINE *engine)
{
return engine->rand;
}
/*
*
*/
#define SG_default_engine(type) \
static ENGINE *type##_engine; \
int \
ENGINE_set_default_##type(ENGINE *engine) \
{ \
if (type##_engine) \
ENGINE_finish(type##_engine); \
type##_engine = engine; \
if (type##_engine) \
ENGINE_up_ref(type##_engine); \
return 1; \
} \
ENGINE * \
ENGINE_get_default_##type(void) \
{ \
if (type##_engine) \
ENGINE_up_ref(type##_engine); \
return type##_engine; \
}
SG_default_engine(RSA)
SG_default_engine(DH)
#undef SG_default_engine
/*
*
*/
static ENGINE **engines;
static unsigned int num_engines;
static int
add_engine(ENGINE *engine)
{
ENGINE **d, *dup;
dup = ENGINE_by_id(engine->id);
if (dup) {
ENGINE_finish(dup);
return 0;
}
d = realloc(engines, (num_engines + 1) * sizeof(*engines));
if (d == NULL)
return 1;
engines = d;
engines[num_engines++] = engine;
return 1;
}
void
ENGINE_load_builtin_engines(void)
{
ENGINE *engine;
int ret;
engine = calloc(1, sizeof(*engine));
if (engine == NULL)
return;
ENGINE_set_id(engine, "builtin");
ENGINE_set_name(engine,
"Heimdal crypto builtin engine version " PACKAGE_VERSION);
ENGINE_set_RSA(engine, RSA_imath_method());
ENGINE_set_DH(engine, DH_imath_method());
ret = add_engine(engine);
if (ret != 1)
ENGINE_finish(engine);
}
ENGINE *
ENGINE_by_dso(const char *path, const char *id)
{
#ifdef HAVE_DLOPEN
ENGINE *engine;
void *handle;
int ret;
engine = calloc(1, sizeof(*engine));
if (engine == NULL)
return NULL;
handle = dlopen(path, RTLD_NOW);
if (handle == NULL) {
/* printf("error: %s\n", dlerror()); */
free(engine);
return NULL;
}
{
unsigned long version;
openssl_v_check v_check;
v_check = (openssl_v_check)dlsym(handle, "v_check");
if (v_check == NULL) {
dlclose(handle);
free(engine);
return NULL;
}
version = (*v_check)(OPENSSL_DYNAMIC_VERSION);
if (version == 0) {
dlclose(handle);
free(engine);
return NULL;
}
}
{
openssl_bind_engine bind_engine;
bind_engine = (openssl_bind_engine)dlsym(handle, "bind_engine");
if (bind_engine == NULL) {
dlclose(handle);
free(engine);
return NULL;
}
ret = (*bind_engine)(engine, id, NULL); /* XXX fix third arg */
if (ret != 1) {
dlclose(handle);
free(engine);
return NULL;
}
}
ENGINE_up_ref(engine);
ret = add_engine(engine);
if (ret != 1) {
dlclose(handle);
ENGINE_finish(engine);
return NULL;
}
return engine;
#else
return NULL;
#endif
}
ENGINE *
ENGINE_by_id(const char *id)
{
int i;
for (i = 0; i < num_engines; i++) {
if (strcmp(id, engines[i]->id) == 0) {
ENGINE_up_ref(engines[i]);
return engines[i];
}
}
return NULL;
}
void
ENGINE_add_conf_module(void)
{
ENGINE *engine;
/*
* XXX Parse configuration file instead
*/
engine = ENGINE_by_dso("/usr/heimdal/lib/hc-modules/hc-gmp.so", NULL);
if (engine == NULL)
return;
{
const RSA_METHOD *method = ENGINE_get_RSA(engine);
if (method)
RSA_set_default_method(method);
}
{
const DH_METHOD *method = ENGINE_get_DH(engine);
if (method)
DH_set_default_method(method);
}
}

21
source/heimdal/lib/des/imath/LICENSE Normal file
View File

@@ -0,0 +1,21 @@
IMath is Copyright 2002-2006 Michael J. Fromberger
You may use it subject to the following Licensing Terms:
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

3246
source/heimdal/lib/des/imath/imath.c Executable file
View File

File diff suppressed because it is too large Load Diff

220
source/heimdal/lib/des/imath/imath.h Executable file
View File

@@ -0,0 +1,220 @@
/*
Name: imath.h
Purpose: Arbitrary precision integer arithmetic routines.
Author: M. J. Fromberger <http://www.dartmouth.edu/~sting/>
Info: $Id: imath.h,v 1.3 2006/10/21 16:32:15 lha Exp $
Copyright (C) 2002 Michael J. Fromberger, All Rights Reserved.
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files
(the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
#ifndef IMATH_H_
#define IMATH_H_
#include <limits.h>
#ifdef __cplusplus
extern "C" {
#endif
typedef unsigned char mp_sign;
typedef unsigned int mp_size;
typedef int mp_result;
#ifdef USE_LONG_LONG
typedef unsigned int mp_digit;
typedef unsigned long long mp_word;
#else
typedef unsigned short mp_digit;
typedef unsigned int mp_word;
#endif
typedef struct mpz {
mp_digit single;
mp_digit *digits;
mp_size alloc;
mp_size used;
mp_sign sign;
} mpz_t, *mp_int;
#define MP_DIGITS(Z) ((Z)->digits)
#define MP_ALLOC(Z) ((Z)->alloc)
#define MP_USED(Z) ((Z)->used)
#define MP_SIGN(Z) ((Z)->sign)
extern const mp_result MP_OK;
extern const mp_result MP_FALSE;
extern const mp_result MP_TRUE;
extern const mp_result MP_MEMORY;
extern const mp_result MP_RANGE;
extern const mp_result MP_UNDEF;
extern const mp_result MP_TRUNC;
extern const mp_result MP_BADARG;
#define MP_DIGIT_BIT (sizeof(mp_digit) * CHAR_BIT)
#define MP_WORD_BIT (sizeof(mp_word) * CHAR_BIT)
#ifdef USE_LONG_LONG
# ifndef ULONG_LONG_MAX
# ifdef ULLONG_MAX
# define ULONG_LONG_MAX ULLONG_MAX
# else
# error "Maximum value of unsigned long long not defined!"
# endif
# endif
# define MP_DIGIT_MAX (ULONG_MAX * 1ULL)
# define MP_WORD_MAX ULONG_LONG_MAX
#else
# define MP_DIGIT_MAX (USHRT_MAX * 1UL)
# define MP_WORD_MAX (UINT_MAX * 1UL)
#endif
#define MP_MIN_RADIX 2
#define MP_MAX_RADIX 36
/* Values with fewer than this many significant digits use the
standard multiplication algorithm; otherwise, a recursive algorithm
is used. Choose a value to suit your platform.
*/
#define MP_MULT_THRESH 32
#define MP_DEFAULT_PREC 8 /* default memory allocation, in digits */
extern const mp_sign MP_NEG;
extern const mp_sign MP_ZPOS;
#define mp_int_is_odd(Z) ((Z)->digits[0] & 1)
#define mp_int_is_even(Z) !((Z)->digits[0] & 1)
mp_result mp_int_init(mp_int z);
mp_int mp_int_alloc(void);
mp_result mp_int_init_size(mp_int z, mp_size prec);
mp_result mp_int_init_copy(mp_int z, mp_int old);
mp_result mp_int_init_value(mp_int z, int value);
mp_result mp_int_set_value(mp_int z, int value);
void mp_int_clear(mp_int z);
void mp_int_free(mp_int z);
mp_result mp_int_copy(mp_int a, mp_int c); /* c = a */
void mp_int_swap(mp_int a, mp_int c); /* swap a, c */
void mp_int_zero(mp_int z); /* z = 0 */
mp_result mp_int_abs(mp_int a, mp_int c); /* c = |a| */
mp_result mp_int_neg(mp_int a, mp_int c); /* c = -a */
mp_result mp_int_add(mp_int a, mp_int b, mp_int c); /* c = a + b */
mp_result mp_int_add_value(mp_int a, int value, mp_int c);
mp_result mp_int_sub(mp_int a, mp_int b, mp_int c); /* c = a - b */
mp_result mp_int_sub_value(mp_int a, int value, mp_int c);
mp_result mp_int_mul(mp_int a, mp_int b, mp_int c); /* c = a * b */
mp_result mp_int_mul_value(mp_int a, int value, mp_int c);
mp_result mp_int_mul_pow2(mp_int a, int p2, mp_int c);
mp_result mp_int_sqr(mp_int a, mp_int c); /* c = a * a */
mp_result mp_int_div(mp_int a, mp_int b, /* q = a / b */
mp_int q, mp_int r); /* r = a % b */
mp_result mp_int_div_value(mp_int a, int value, /* q = a / value */
mp_int q, int *r); /* r = a % value */
mp_result mp_int_div_pow2(mp_int a, int p2, /* q = a / 2^p2 */
mp_int q, mp_int r); /* r = q % 2^p2 */
mp_result mp_int_mod(mp_int a, mp_int m, mp_int c); /* c = a % m */
#define mp_int_mod_value(A, V, R) mp_int_div_value((A), (V), 0, (R))
mp_result mp_int_expt(mp_int a, int b, mp_int c); /* c = a^b */
mp_result mp_int_expt_value(int a, int b, mp_int c); /* c = a^b */
int mp_int_compare(mp_int a, mp_int b); /* a <=> b */
int mp_int_compare_unsigned(mp_int a, mp_int b); /* |a| <=> |b| */
int mp_int_compare_zero(mp_int z); /* a <=> 0 */
int mp_int_compare_value(mp_int z, int value); /* a <=> v */
/* Returns true if v|a, false otherwise (including errors) */
int mp_int_divisible_value(mp_int a, int v);
/* Returns k >= 0 such that z = 2^k, if one exists; otherwise < 0 */
int mp_int_is_pow2(mp_int z);
mp_result mp_int_exptmod(mp_int a, mp_int b, mp_int m,
mp_int c); /* c = a^b (mod m) */
mp_result mp_int_exptmod_evalue(mp_int a, int value,
mp_int m, mp_int c); /* c = a^v (mod m) */
mp_result mp_int_exptmod_bvalue(int value, mp_int b,
mp_int m, mp_int c); /* c = v^b (mod m) */
mp_result mp_int_exptmod_known(mp_int a, mp_int b,
mp_int m, mp_int mu,
mp_int c); /* c = a^b (mod m) */
mp_result mp_int_redux_const(mp_int m, mp_int c);
mp_result mp_int_invmod(mp_int a, mp_int m, mp_int c); /* c = 1/a (mod m) */
mp_result mp_int_gcd(mp_int a, mp_int b, mp_int c); /* c = gcd(a, b) */
mp_result mp_int_egcd(mp_int a, mp_int b, mp_int c, /* c = gcd(a, b) */
mp_int x, mp_int y); /* c = ax + by */
mp_result mp_int_sqrt(mp_int a, mp_int c); /* c = floor(sqrt(q)) */
/* Convert to an int, if representable (returns MP_RANGE if not). */
mp_result mp_int_to_int(mp_int z, int *out);
/* Convert to nul-terminated string with the specified radix, writing at
most limit characters including the nul terminator */
mp_result mp_int_to_string(mp_int z, mp_size radix,
char *str, int limit);
/* Return the number of characters required to represent
z in the given radix. May over-estimate. */
mp_result mp_int_string_len(mp_int z, mp_size radix);
/* Read zero-terminated string into z */
mp_result mp_int_read_string(mp_int z, mp_size radix, const char *str);
mp_result mp_int_read_cstring(mp_int z, mp_size radix, const char *str,
char **end);
/* Return the number of significant bits in z */
mp_result mp_int_count_bits(mp_int z);
/* Convert z to two's complement binary, writing at most limit bytes */
mp_result mp_int_to_binary(mp_int z, unsigned char *buf, int limit);
/* Read a two's complement binary value into z from the given buffer */
mp_result mp_int_read_binary(mp_int z, unsigned char *buf, int len);
/* Return the number of bytes required to represent z in binary. */
mp_result mp_int_binary_len(mp_int z);
/* Convert z to unsigned binary, writing at most limit bytes */
mp_result mp_int_to_unsigned(mp_int z, unsigned char *buf, int limit);
/* Read an unsigned binary value into z from the given buffer */
mp_result mp_int_read_unsigned(mp_int z, unsigned char *buf, int len);
/* Return the number of bytes required to represent z as unsigned output */
mp_result mp_int_unsigned_len(mp_int z);
/* Return a statically allocated string describing error code res */
const char *mp_error_string(mp_result res);
#if DEBUG
void s_print(char *tag, mp_int z);
void s_print_buf(char *tag, mp_digit *buf, mp_size num);
#endif
#ifdef __cplusplus
}
#endif
#endif /* end IMATH_H_ */

186
source/heimdal/lib/des/imath/iprime.c Executable file
View File

@@ -0,0 +1,186 @@
/*
Name: iprime.c
Purpose: Pseudoprimality testing routines
Author: M. J. Fromberger <http://www.dartmouth.edu/~sting/>
Info: $Id: iprime.c,v 1.5 2007/01/05 21:01:48 lha Exp $
Copyright (C) 2002 Michael J. Fromberger, All Rights Reserved.
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files
(the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
#include "iprime.h"
#include <stdlib.h>
static const int s_ptab[] = {
3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,
47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,
103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
211, 223, 227, 229, 233, 239, 241, 251, 257, 263,
269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
331, 337, 347, 349, 353, 359, 367, 373, 379, 383,
389, 397, 401, 409, 419, 421, 431, 433, 439, 443,
449, 457, 461, 463, 467, 479, 487, 491, 499, 503,
509, 521, 523, 541, 547, 557, 563, 569, 571, 577,
587, 593, 599, 601, 607, 613, 617, 619, 631, 641,
643, 647, 653, 659, 661, 673, 677, 683, 691, 701,
709, 719, 727, 733, 739, 743, 751, 757, 761, 769,
773, 787, 797, 809, 811, 821, 823, 827, 829, 839,
853, 857, 859, 863, 877, 881, 883, 887, 907, 911,
919, 929, 937, 941, 947, 953, 967, 971, 977, 983,
991, 997, 1009, 1013, 1019, 1021, 1031, 1033,
1039, 1049, 1051, 1061, 1063, 1069, 1087, 1091,
1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,
1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277,
1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307,
1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399,
1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451,
1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493,
1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559,
1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609,
1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667,
1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733,
1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789,
1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931,
1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997,
1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053,
2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111,
2113, 2129, 2131, 2137, 2141, 2143, 2153, 2161,
2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243,
2251, 2267, 2269, 2273, 2281, 2287, 2293, 2297,
2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357,
2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411,
2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473,
2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633,
2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687,
2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729,
2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791,
2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851,
2857, 2861, 2879, 2887, 2897, 2903, 2909, 2917,
2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999,
3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061,
3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137,
3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209,
3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331,
3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391,
3407, 3413, 3433, 3449, 3457, 3461, 3463, 3467,
3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533,
3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583,
3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643,
3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709,
3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779,
3793, 3797, 3803, 3821, 3823, 3833, 3847, 3851,
3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917,
3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049,
4051, 4057, 4073, 4079, 4091, 4093, 4099, 4111,
4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177,
4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243,
4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297,
4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391,
4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457,
4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519,
4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597,
4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657,
4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799,
4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889,
4903, 4909, 4919, 4931, 4933, 4937, 4943, 4951,
4957, 4967, 4969, 4973, 4987, 4993, 4999
};
static const int s_ptab_size = sizeof(s_ptab)/sizeof(s_ptab[0]);
/* {{{ mp_int_is_prime(z) */
/* Test whether z is likely to be prime:
MP_TRUE means it is probably prime
MP_FALSE means it is definitely composite
*/
mp_result mp_int_is_prime(mp_int z)
{
int i, rem;
mp_result res;
/* First check for divisibility by small primes; this eliminates a
large number of composite candidates quickly
*/
for(i = 0; i < s_ptab_size; ++i) {
if((res = mp_int_div_value(z, s_ptab[i], NULL, &rem)) != MP_OK)
return res;
if(rem == 0)
return MP_FALSE;
}
/* Now try Fermat's test for several prime witnesses (since we now
know from the above that z is not a multiple of any of them)
*/
{
mpz_t tmp;
if((res = mp_int_init(&tmp)) != MP_OK) return res;
for(i = 0; i < 10 && i < s_ptab_size; ++i) {
if((res = mp_int_exptmod_bvalue(s_ptab[i], z, z, &tmp)) != MP_OK)
return res;
if(mp_int_compare_value(&tmp, s_ptab[i]) != 0) {
mp_int_clear(&tmp);
return MP_FALSE;
}
}
mp_int_clear(&tmp);
}
return MP_TRUE;
}
/* }}} */
/* {{{ mp_int_find_prime(z) */
/* Find the first apparent prime in ascending order from z */
mp_result mp_int_find_prime(mp_int z)
{
mp_result res;
if(mp_int_is_even(z) && ((res = mp_int_add_value(z, 1, z)) != MP_OK))
return res;
while((res = mp_int_is_prime(z)) == MP_FALSE) {
if((res = mp_int_add_value(z, 2, z)) != MP_OK)
break;
}
return res;
}
/* }}} */
/* Here there be dragons */

51
source/heimdal/lib/des/imath/iprime.h Executable file
View File

@@ -0,0 +1,51 @@
/*
Name: iprime.h
Purpose: Pseudoprimality testing routines
Author: M. J. Fromberger <http://www.dartmouth.edu/~sting/>
Info: $Id: iprime.h,v 1.3 2006/10/21 16:32:30 lha Exp $
Copyright (C) 2002 Michael J. Fromberger, All Rights Reserved.
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files
(the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
#ifndef IPRIME_H_
#define IPRIME_H_
#include "imath.h"
#ifdef __cplusplus
extern "C" {
#endif
/* Test whether z is likely to be prime
MP_YES means it is probably prime
MP_NO means it is definitely composite
*/
mp_result mp_int_is_prime(mp_int z);
/* Find the first apparent prime in ascending order from z */
mp_result mp_int_find_prime(mp_int z);
#ifdef __cplusplus
}
#endif
#endif /* IPRIME_H_ */

145
source/heimdal/lib/des/pkcs12.c Normal file
View File

@@ -0,0 +1,145 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id: pkcs12.c,v 1.1 2006/01/13 08:26:49 lha Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <pkcs12.h>
#include <bn.h>
#include <roken.h>
int
PKCS12_key_gen(const void *key, size_t keylen,
const void *salt, size_t saltlen,
int id, int iteration, size_t outkeysize,
void *out, const EVP_MD *md)
{
unsigned char *v, *I, hash[EVP_MAX_MD_SIZE];
unsigned int size, size_I = 0;
unsigned char idc = id;
EVP_MD_CTX ctx;
unsigned char *outp = out;
int i, vlen;
EVP_MD_CTX_init(&ctx);
vlen = EVP_MD_block_size(md);
v = malloc(vlen + 1);
if (v == NULL)
return 0;
I = calloc(1, vlen * 2);
if (I == NULL) {
free(v);
return 0;
}
if (salt && saltlen > 0) {
for (i = 0; i < vlen; i++)
I[i] = ((unsigned char*)salt)[i % saltlen];
size_I += vlen;
}
if (key && keylen > 0) {
for (i = 0; i < vlen / 2; i++) {
I[(i * 2) + size_I] = 0;
I[(i * 2) + size_I + 1] = ((unsigned char*)key)[i % (keylen + 1)];
}
size_I += vlen;
}
while (1) {
BIGNUM *bnB, *bnOne;
if (!EVP_DigestInit_ex(&ctx, md, NULL))
return 0;
for (i = 0; i < vlen; i++)
EVP_DigestUpdate(&ctx, &idc, 1);
EVP_DigestUpdate(&ctx, I, size_I);
EVP_DigestFinal_ex(&ctx, hash, &size);
for (i = 1; i < iteration; i++)
EVP_Digest(hash, size, hash, &size, md, NULL);
memcpy(outp, hash, min(outkeysize, size));
if (outkeysize < size)
break;
outkeysize -= size;
outp += size;
for (i = 0; i < vlen; i++)
v[i] = hash[i % size];
bnB = BN_bin2bn(v, vlen, NULL);
bnOne = BN_new();
BN_set_word(bnOne, 1);
BN_uadd(bnB, bnB, bnOne);
for (i = 0; i < vlen * 2; i += vlen) {
BIGNUM *bnI;
int j;
bnI = BN_bin2bn(I + i, vlen, NULL);
BN_uadd(bnI, bnI, bnB);
j = BN_num_bytes(bnI);
if (j > vlen) {
assert(j == vlen + 1);
BN_bn2bin(bnI, v);
memcpy(I + i, v + 1, vlen);
} else {
memset(I + i, 0, vlen - j);
BN_bn2bin(bnI, I + i + vlen - j);
}
BN_free(bnI);
}
BN_free(bnB);
BN_free(bnOne);
size_I = vlen * 2;
}
EVP_MD_CTX_cleanup(&ctx);
free(I);
free(v);
return 1;
}

18
source/heimdal/lib/des/resource.h Normal file
View File

@@ -0,0 +1,18 @@
//{{NO_DEPENDENCIES}}
// Microsoft Developer Studio generated include file.
// Used by passwd_dialog.rc
//
#define IDD_PASSWD_DIALOG 101
#define IDC_EDIT1 1000
#define IDC_PASSWD_EDIT 1001
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 102
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1002
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif

661
source/heimdal/lib/des/rsa-imath.c Normal file
View File

@@ -0,0 +1,661 @@
/*
* Copyright (c) 2006 - 2007 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id: rsa-imath.c,v 1.23 2007/01/06 13:45:25 lha Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <krb5-types.h>
#include <assert.h>
#include <rsa.h>
#include <roken.h>
#include "imath/imath.h"
#include "imath/iprime.h"
static void
BN2mpz(mpz_t *s, const BIGNUM *bn)
{
size_t len;
void *p;
mp_int_init(s);
len = BN_num_bytes(bn);
p = malloc(len);
BN_bn2bin(bn, p);
mp_int_read_unsigned(s, p, len);
free(p);
}
static BIGNUM *
mpz2BN(mpz_t *s)
{
size_t size;
BIGNUM *bn;
void *p;
size = mp_int_unsigned_len(s);
p = malloc(size);
if (p == NULL && size != 0)
return NULL;
mp_int_to_unsigned(s, p, size);
bn = BN_bin2bn(p, size, NULL);
free(p);
return bn;
}
static int random_num(mp_int, size_t);
static void
setup_blind(mp_int n, mp_int b, mp_int bi)
{
mp_int_init(b);
mp_int_init(bi);
random_num(b, mp_int_count_bits(n));
mp_int_mod(b, n, b);
mp_int_invmod(b, n, bi);
}
static void
blind(mp_int in, mp_int b, mp_int e, mp_int n)
{
mpz_t t1;
mp_int_init(&t1);
/* in' = (in * b^e) mod n */
mp_int_exptmod(b, e, n, &t1);
mp_int_mul(&t1, in, in);
mp_int_mod(in, n, in);
mp_int_clear(&t1);
}
static void
unblind(mp_int out, mp_int bi, mp_int n)
{
/* out' = (out * 1/b) mod n */
mp_int_mul(out, bi, out);
mp_int_mod(out, n, out);
}
static mp_result
rsa_private_calculate(mp_int in, mp_int p, mp_int q,
mp_int dmp1, mp_int dmq1, mp_int iqmp,
mp_int out)
{
mpz_t vp, vq, u;
mp_int_init(&vp); mp_int_init(&vq); mp_int_init(&u);
/* vq = c ^ (d mod (q - 1)) mod q */
/* vp = c ^ (d mod (p - 1)) mod p */
mp_int_mod(in, p, &u);
mp_int_exptmod(&u, dmp1, p, &vp);
mp_int_mod(in, q, &u);
mp_int_exptmod(&u, dmq1, q, &vq);
/* C2 = 1/q mod p (iqmp) */
/* u = (vp - vq)C2 mod p. */
mp_int_sub(&vp, &vq, &u);
if (mp_int_compare_zero(&u) < 0)
mp_int_add(&u, p, &u);
mp_int_mul(&u, iqmp, &u);
mp_int_mod(&u, p, &u);
/* c ^ d mod n = vq + u q */
mp_int_mul(&u, q, &u);
mp_int_add(&u, &vq, out);
mp_int_clear(&vp);
mp_int_clear(&vq);
mp_int_clear(&u);
return MP_OK;
}
/*
*
*/
static int
imath_rsa_public_encrypt(int flen, const unsigned char* from,
unsigned char* to, RSA* rsa, int padding)
{
unsigned char *p, *p0;
mp_result res;
size_t size, padlen;
mpz_t enc, dec, n, e;
if (padding != RSA_PKCS1_PADDING)
return -1;
size = RSA_size(rsa);
if (size < RSA_PKCS1_PADDING_SIZE || size - RSA_PKCS1_PADDING_SIZE < flen)
return -2;
BN2mpz(&n, rsa->n);
BN2mpz(&e, rsa->e);
p = p0 = malloc(size - 1);
if (p0 == NULL) {
mp_int_clear(&e);
mp_int_clear(&n);
return -3;
}
padlen = size - flen - 3;
assert(padlen >= 8);
*p++ = 2;
if (RAND_bytes(p, padlen) != 1) {
mp_int_clear(&e);
mp_int_clear(&n);
free(p0);
return -4;
}
while(padlen) {
if (*p == 0)
*p = 1;
padlen--;
p++;
}
*p++ = 0;
memcpy(p, from, flen);
p += flen;
assert((p - p0) == size - 1);
mp_int_init(&enc);
mp_int_init(&dec);
mp_int_read_unsigned(&dec, p0, size - 1);
free(p0);
res = mp_int_exptmod(&dec, &e, &n, &enc);
mp_int_clear(&dec);
mp_int_clear(&e);
mp_int_clear(&n);
{
size_t ssize;
ssize = mp_int_unsigned_len(&enc);
assert(size >= ssize);
mp_int_to_unsigned(&enc, to, ssize);
size = ssize;
}
mp_int_clear(&enc);
return size;
}
static int
imath_rsa_public_decrypt(int flen, const unsigned char* from,
unsigned char* to, RSA* rsa, int padding)
{
unsigned char *p;
mp_result res;
size_t size;
mpz_t s, us, n, e;
if (padding != RSA_PKCS1_PADDING)
return -1;
if (flen > RSA_size(rsa))
return -2;
BN2mpz(&n, rsa->n);
BN2mpz(&e, rsa->e);
#if 0
/* Check that the exponent is larger then 3 */
if (mp_int_compare_value(&e, 3) <= 0) {
mp_int_clear(&n);
mp_int_clear(&e);
return -3;
}
#endif
mp_int_init(&s);
mp_int_init(&us);
mp_int_read_unsigned(&s, rk_UNCONST(from), flen);
if (mp_int_compare(&s, &n) >= 0) {
mp_int_clear(&n);
mp_int_clear(&e);
return -4;
}
res = mp_int_exptmod(&s, &e, &n, &us);
mp_int_clear(&s);
mp_int_clear(&n);
mp_int_clear(&e);
if (res != MP_OK)
return -5;
p = to;
size = mp_int_unsigned_len(&us);
assert(size <= RSA_size(rsa));
mp_int_to_unsigned(&us, p, size);
mp_int_clear(&us);
/* head zero was skipped by mp_int_to_unsigned */
if (*p == 0)
return -6;
if (*p != 1)
return -7;
size--; p++;
while (size && *p == 0xff) {
size--; p++;
}
if (size == 0 || *p != 0)
return -8;
size--; p++;
memmove(to, p, size);
return size;
}
static int
imath_rsa_private_encrypt(int flen, const unsigned char* from,
unsigned char* to, RSA* rsa, int padding)
{
unsigned char *p, *p0;
mp_result res;
size_t size;
mpz_t in, out, n, e, b, bi;
int blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0;
if (padding != RSA_PKCS1_PADDING)
return -1;
size = RSA_size(rsa);
if (size < RSA_PKCS1_PADDING_SIZE || size - RSA_PKCS1_PADDING_SIZE < flen)
return -2;
p0 = p = malloc(size);
*p++ = 0;
*p++ = 1;
memset(p, 0xff, size - flen - 3);
p += size - flen - 3;
*p++ = 0;
memcpy(p, from, flen);
p += flen;
assert((p - p0) == size);
BN2mpz(&n, rsa->n);
BN2mpz(&e, rsa->e);
mp_int_init(&in);
mp_int_init(&out);
mp_int_read_unsigned(&in, p0, size);
free(p0);
if(mp_int_compare_zero(&in) < 0 ||
mp_int_compare(&in, &n) >= 0) {
size = 0;
goto out;
}
if (blinding) {
setup_blind(&n, &b, &bi);
blind(&in, &b, &e, &n);
}
if (rsa->p && rsa->q && rsa->dmp1 && rsa->dmq1 && rsa->iqmp) {
mpz_t p, q, dmp1, dmq1, iqmp;
BN2mpz(&p, rsa->p);
BN2mpz(&q, rsa->q);
BN2mpz(&dmp1, rsa->dmp1);
BN2mpz(&dmq1, rsa->dmq1);
BN2mpz(&iqmp, rsa->iqmp);
res = rsa_private_calculate(&in, &p, &q, &dmp1, &dmq1, &iqmp, &out);
mp_int_clear(&p);
mp_int_clear(&q);
mp_int_clear(&dmp1);
mp_int_clear(&dmq1);
mp_int_clear(&iqmp);
} else {
mpz_t d;
BN2mpz(&d, rsa->d);
res = mp_int_exptmod(&in, &d, &n, &out);
mp_int_clear(&d);
if (res != MP_OK) {
size = 0;
goto out;
}
}
if (blinding) {
unblind(&out, &bi, &n);
mp_int_clear(&b);
mp_int_clear(&bi);
}
{
size_t ssize;
ssize = mp_int_unsigned_len(&out);
assert(size >= ssize);
mp_int_to_unsigned(&out, to, size);
size = ssize;
}
out:
mp_int_clear(&e);
mp_int_clear(&n);
mp_int_clear(&in);
mp_int_clear(&out);
return size;
}
static int
imath_rsa_private_decrypt(int flen, const unsigned char* from,
unsigned char* to, RSA* rsa, int padding)
{
unsigned char *ptr;
mp_result res;
size_t size;
mpz_t in, out, n, e, b, bi;
int blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0;
if (padding != RSA_PKCS1_PADDING)
return -1;
size = RSA_size(rsa);
if (flen > size)
return -2;
mp_int_init(&in);
mp_int_init(&out);
BN2mpz(&n, rsa->n);
BN2mpz(&e, rsa->e);
res = mp_int_read_unsigned(&in, rk_UNCONST(from), flen);
if (res != MP_OK) {
size = -1;
goto out;
}
if(mp_int_compare_zero(&in) < 0 ||
mp_int_compare(&in, &n) >= 0) {
size = 0;
goto out;
}
if (blinding) {
setup_blind(&n, &b, &bi);
blind(&in, &b, &e, &n);
}
if (rsa->p && rsa->q && rsa->dmp1 && rsa->dmq1 && rsa->iqmp) {
mpz_t p, q, dmp1, dmq1, iqmp;
BN2mpz(&p, rsa->p);
BN2mpz(&q, rsa->q);
BN2mpz(&dmp1, rsa->dmp1);
BN2mpz(&dmq1, rsa->dmq1);
BN2mpz(&iqmp, rsa->iqmp);
res = rsa_private_calculate(&in, &p, &q, &dmp1, &dmq1, &iqmp, &out);
mp_int_clear(&p);
mp_int_clear(&q);
mp_int_clear(&dmp1);
mp_int_clear(&dmq1);
mp_int_clear(&iqmp);
} else {
mpz_t d;
if(mp_int_compare_zero(&in) < 0 ||
mp_int_compare(&in, &n) >= 0)
return MP_RANGE;
BN2mpz(&d, rsa->d);
res = mp_int_exptmod(&in, &d, &n, &out);
mp_int_clear(&d);
if (res != MP_OK) {
size = 0;
goto out;
}
}
if (blinding) {
unblind(&out, &bi, &n);
mp_int_clear(&b);
mp_int_clear(&bi);
}
ptr = to;
{
size_t ssize;
ssize = mp_int_unsigned_len(&out);
assert(size >= ssize);
mp_int_to_unsigned(&out, ptr, ssize);
size = ssize;
}
/* head zero was skipped by mp_int_to_unsigned */
if (*ptr != 2)
return -3;
size--; ptr++;
while (size && *ptr != 0) {
size--; ptr++;
}
if (size == 0)
return -4;
size--; ptr++;
memmove(to, ptr, size);
out:
mp_int_clear(&e);
mp_int_clear(&n);
mp_int_clear(&in);
mp_int_clear(&out);
return size;
}
static int
random_num(mp_int num, size_t len)
{
unsigned char *p;
mp_result res;
len = (len + 7) / 8;
p = malloc(len);
if (p == NULL)
return 1;
if (RAND_bytes(p, len) != 1) {
free(p);
return 1;
}
res = mp_int_read_unsigned(num, p, len);
free(p);
if (res != MP_OK)
return 1;
return 0;
}
#define CHECK(f, v) if ((f) != (v)) { goto out; }
static int
imath_rsa_generate_key(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
{
mpz_t el, p, q, n, d, dmp1, dmq1, iqmp, t1, t2, t3;
int counter, ret;
if (bits < 789)
return -1;
ret = -1;
mp_int_init(&el);
mp_int_init(&p);
mp_int_init(&q);
mp_int_init(&n);
mp_int_init(&d);
mp_int_init(&dmp1);
mp_int_init(&dmq1);
mp_int_init(&iqmp);
mp_int_init(&t1);
mp_int_init(&t2);
mp_int_init(&t3);
BN2mpz(&el, e);
/* generate p and q so that p != q and bits(pq) ~ bits */
counter = 0;
do {
BN_GENCB_call(cb, 2, counter++);
CHECK(random_num(&p, bits / 2 + 1), 0);
CHECK(mp_int_find_prime(&p), MP_TRUE);
CHECK(mp_int_sub_value(&p, 1, &t1), MP_OK);
CHECK(mp_int_gcd(&t1, &el, &t2), MP_OK);
} while(mp_int_compare_value(&t2, 1) != 0);
BN_GENCB_call(cb, 3, 0);
counter = 0;
do {
BN_GENCB_call(cb, 2, counter++);
CHECK(random_num(&q, bits / 2 + 1), 0);
CHECK(mp_int_find_prime(&q), MP_TRUE);
if (mp_int_compare(&p, &q) == 0) /* don't let p and q be the same */
continue;
CHECK(mp_int_sub_value(&q, 1, &t1), MP_OK);
CHECK(mp_int_gcd(&t1, &el, &t2), MP_OK);
} while(mp_int_compare_value(&t2, 1) != 0);
/* make p > q */
if (mp_int_compare(&p, &q) < 0)
mp_int_swap(&p, &q);
BN_GENCB_call(cb, 3, 1);
/* calculate n, n = p * q */
CHECK(mp_int_mul(&p, &q, &n), MP_OK);
/* calculate d, d = 1/e mod (p - 1)(q - 1) */
CHECK(mp_int_sub_value(&p, 1, &t1), MP_OK);
CHECK(mp_int_sub_value(&q, 1, &t2), MP_OK);
CHECK(mp_int_mul(&t1, &t2, &t3), MP_OK);
CHECK(mp_int_invmod(&el, &t3, &d), MP_OK);
/* calculate dmp1 dmp1 = d mod (p-1) */
CHECK(mp_int_mod(&d, &t1, &dmp1), MP_OK);
/* calculate dmq1 dmq1 = d mod (q-1) */
CHECK(mp_int_mod(&d, &t2, &dmq1), MP_OK);
/* calculate iqmp iqmp = 1/q mod p */
CHECK(mp_int_invmod(&q, &p, &iqmp), MP_OK);
/* fill in RSA key */
rsa->e = mpz2BN(&el);
rsa->p = mpz2BN(&p);
rsa->q = mpz2BN(&q);
rsa->n = mpz2BN(&n);
rsa->d = mpz2BN(&d);
rsa->dmp1 = mpz2BN(&dmp1);
rsa->dmq1 = mpz2BN(&dmq1);
rsa->iqmp = mpz2BN(&iqmp);
ret = 1;
out:
mp_int_clear(&el);
mp_int_clear(&p);
mp_int_clear(&q);
mp_int_clear(&n);
mp_int_clear(&d);
mp_int_clear(&dmp1);
mp_int_clear(&dmq1);
mp_int_clear(&iqmp);
mp_int_clear(&t1);
mp_int_clear(&t2);
mp_int_clear(&t3);
return ret;
}
static int
imath_rsa_init(RSA *rsa)
{
return 1;
}
static int
imath_rsa_finish(RSA *rsa)
{
return 1;
}
const RSA_METHOD hc_rsa_imath_method = {
"hcrypto imath RSA",
imath_rsa_public_encrypt,
imath_rsa_public_decrypt,
imath_rsa_private_encrypt,
imath_rsa_private_decrypt,
NULL,
NULL,
imath_rsa_init,
imath_rsa_finish,
0,
NULL,
NULL,
NULL,
imath_rsa_generate_key
};
const RSA_METHOD *
RSA_imath_method(void)
{
return &hc_rsa_imath_method;
}

471
source/heimdal/lib/des/rsa.c Normal file
View File

@@ -0,0 +1,471 @@
/*
* Copyright (c) 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id: rsa.c,v 1.19 2007/01/09 10:04:20 lha Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <krb5-types.h>
#include <rfc2459_asn1.h>
#include <rsa.h>
#include <roken.h>
RSA *
RSA_new(void)
{
return RSA_new_method(NULL);
}
RSA *
RSA_new_method(ENGINE *engine)
{
RSA *rsa;
rsa = calloc(1, sizeof(*rsa));
if (rsa == NULL)
return NULL;
rsa->references = 1;
if (engine) {
ENGINE_up_ref(engine);
rsa->engine = engine;
} else {
rsa->engine = ENGINE_get_default_RSA();
}
if (rsa->engine) {
rsa->meth = ENGINE_get_RSA(rsa->engine);
if (rsa->meth == NULL) {
ENGINE_finish(engine);
free(rsa);
return 0;
}
}
if (rsa->meth == NULL)
rsa->meth = rk_UNCONST(RSA_get_default_method());
(*rsa->meth->init)(rsa);
return rsa;
}
void
RSA_free(RSA *rsa)
{
if (rsa->references <= 0)
abort();
if (--rsa->references > 0)
return;
(*rsa->meth->finish)(rsa);
if (rsa->engine)
ENGINE_finish(rsa->engine);
#define free_if(f) if (f) { BN_free(f); }
free_if(rsa->n);
free_if(rsa->e);
free_if(rsa->d);
free_if(rsa->p);
free_if(rsa->q);
free_if(rsa->dmp1);
free_if(rsa->dmq1);
#undef free_if
memset(rsa, 0, sizeof(*rsa));
free(rsa);
}
int
RSA_up_ref(RSA *rsa)
{
return ++rsa->references;
}
const RSA_METHOD *
RSA_get_method(const RSA *rsa)
{
return rsa->meth;
}
int
RSA_set_method(RSA *rsa, const RSA_METHOD *method)
{
(*rsa->meth->finish)(rsa);
if (rsa->engine) {
ENGINE_finish(rsa->engine);
rsa->engine = NULL;
}
rsa->meth = method;
(*rsa->meth->init)(rsa);
return 1;
}
int
RSA_set_app_data(RSA *rsa, void *arg)
{
rsa->ex_data.sk = arg;
return 1;
}
void *
RSA_get_app_data(RSA *rsa)
{
return rsa->ex_data.sk;
}
int
RSA_check_key(const RSA *key)
{
static const unsigned char inbuf[] = "hello, world!";
RSA *rsa = rk_UNCONST(key);
void *buffer;
int ret;
/*
* XXX I have no clue how to implement this w/o a bignum library.
* Well, when we have a RSA key pair, we can try to encrypt/sign
* and then decrypt/verify.
*/
if ((rsa->d == NULL || rsa->n == NULL) &&
(rsa->p == NULL || rsa->q || rsa->dmp1 == NULL || rsa->dmq1 == NULL || rsa->iqmp == NULL))
return 0;
buffer = malloc(RSA_size(rsa));
if (buffer == NULL)
return 0;
ret = RSA_private_encrypt(sizeof(inbuf), inbuf, buffer,
rsa, RSA_PKCS1_PADDING);
if (ret == -1) {
free(buffer);
return 0;
}
ret = RSA_public_decrypt(ret, buffer, buffer,
rsa, RSA_PKCS1_PADDING);
if (ret == -1) {
free(buffer);
return 0;
}
if (ret == sizeof(inbuf) && memcmp(buffer, inbuf, sizeof(inbuf)) == 0) {
free(buffer);
return 1;
}
free(buffer);
return 0;
}
int
RSA_size(const RSA *rsa)
{
return BN_num_bytes(rsa->n);
}
#define RSAFUNC(name, body) \
int \
name(int flen,const unsigned char* f, unsigned char* t, RSA* r, int p){\
return body; \
}
RSAFUNC(RSA_public_encrypt, (r)->meth->rsa_pub_enc(flen, f, t, r, p))
RSAFUNC(RSA_public_decrypt, (r)->meth->rsa_pub_dec(flen, f, t, r, p))
RSAFUNC(RSA_private_encrypt, (r)->meth->rsa_priv_enc(flen, f, t, r, p))
RSAFUNC(RSA_private_decrypt, (r)->meth->rsa_priv_dec(flen, f, t, r, p))
/* XXX */
int
RSA_sign(int type, const unsigned char *from, unsigned int flen,
unsigned char *to, unsigned int *tlen, RSA *rsa)
{
return -1;
}
int
RSA_verify(int type, const unsigned char *from, unsigned int flen,
unsigned char *to, unsigned int tlen, RSA *rsa)
{
return -1;
}
/*
* A NULL RSA_METHOD that returns failure for all operations. This is
* used as the default RSA method is we don't have any native
* support.
*/
static RSAFUNC(null_rsa_public_encrypt, -1)
static RSAFUNC(null_rsa_public_decrypt, -1)
static RSAFUNC(null_rsa_private_encrypt, -1)
static RSAFUNC(null_rsa_private_decrypt, -1)
/*
*
*/
int
RSA_generate_key_ex(RSA *r, int bits, BIGNUM *e, BN_GENCB *cb)
{
if (r->meth->rsa_keygen)
return (*r->meth->rsa_keygen)(r, bits, e, cb);
return 0;
}
/*
*
*/
static int
null_rsa_init(RSA *rsa)
{
return 1;
}
static int
null_rsa_finish(RSA *rsa)
{
return 1;
}
static const RSA_METHOD rsa_null_method = {
"hcrypto null RSA",
null_rsa_public_encrypt,
null_rsa_public_decrypt,
null_rsa_private_encrypt,
null_rsa_private_decrypt,
NULL,
NULL,
null_rsa_init,
null_rsa_finish,
0,
NULL,
NULL,
NULL
};
const RSA_METHOD *
RSA_null_method(void)
{
return &rsa_null_method;
}
extern const RSA_METHOD hc_rsa_imath_method;
static const RSA_METHOD *default_rsa_method = &hc_rsa_imath_method;
const RSA_METHOD *
RSA_get_default_method(void)
{
return default_rsa_method;
}
void
RSA_set_default_method(const RSA_METHOD *meth)
{
default_rsa_method = meth;
}
/*
*
*/
static BIGNUM *
heim_int2BN(const heim_integer *i)
{
BIGNUM *bn;
bn = BN_bin2bn(i->data, i->length, NULL);
if (bn)
BN_set_negative(bn, i->negative);
return bn;
}
static int
bn2heim_int(BIGNUM *bn, heim_integer *integer)
{
integer->length = BN_num_bytes(bn);
integer->data = malloc(integer->length);
if (integer->data == NULL) {
integer->length = 0;
return ENOMEM;
}
BN_bn2bin(bn, integer->data);
integer->negative = BN_is_negative(bn);
return 0;
}
RSA *
d2i_RSAPrivateKey(RSA *rsa, const unsigned char **pp, size_t len)
{
RSAPrivateKey data;
RSA *k = rsa;
size_t size;
int ret;
ret = decode_RSAPrivateKey(*pp, len, &data, &size);
if (ret)
return NULL;
*pp += size;
if (k == NULL) {
k = RSA_new();
if (k == NULL) {
free_RSAPrivateKey(&data);
return NULL;
}
}
k->n = heim_int2BN(&data.modulus);
k->e = heim_int2BN(&data.publicExponent);
k->d = heim_int2BN(&data.privateExponent);
k->p = heim_int2BN(&data.prime1);
k->q = heim_int2BN(&data.prime2);
k->dmp1 = heim_int2BN(&data.exponent1);
k->dmq1 = heim_int2BN(&data.exponent2);
k->iqmp = heim_int2BN(&data.coefficient);
free_RSAPrivateKey(&data);
if (k->n == NULL || k->e == NULL || k->d == NULL || k->p == NULL ||
k->q == NULL || k->dmp1 == NULL || k->dmq1 == NULL || k->iqmp == NULL)
{
RSA_free(k);
return NULL;
}
return k;
}
int
i2d_RSAPrivateKey(RSA *rsa, unsigned char **pp)
{
RSAPrivateKey data;
size_t size;
int ret;
if (rsa->n == NULL || rsa->e == NULL || rsa->d == NULL || rsa->p == NULL ||
rsa->q == NULL || rsa->dmp1 == NULL || rsa->dmq1 == NULL ||
rsa->iqmp == NULL)
return -1;
memset(&data, 0, sizeof(data));
ret = bn2heim_int(rsa->n, &data.modulus);
ret |= bn2heim_int(rsa->e, &data.publicExponent);
ret |= bn2heim_int(rsa->d, &data.privateExponent);
ret |= bn2heim_int(rsa->p, &data.prime1);
ret |= bn2heim_int(rsa->q, &data.prime2);
ret |= bn2heim_int(rsa->dmp1, &data.exponent1);
ret |= bn2heim_int(rsa->dmq1, &data.exponent2);
ret |= bn2heim_int(rsa->iqmp, &data.coefficient);
if (ret) {
free_RSAPrivateKey(&data);
return -1;
}
if (pp == NULL) {
size = length_RSAPrivateKey(&data);
free_RSAPrivateKey(&data);
} else {
void *p;
size_t len;
ASN1_MALLOC_ENCODE(RSAPrivateKey, p, len, &data, &size, ret);
free_RSAPrivateKey(&data);
if (ret)
return -1;
if (len != size)
abort();
memcpy(*pp, p, size);
free(p);
*pp += size;
}
return size;
}
int
i2d_RSAPublicKey(RSA *rsa, unsigned char **pp)
{
RSAPublicKey data;
size_t size;
int ret;
memset(&data, 0, sizeof(data));
if (bn2heim_int(rsa->n, &data.modulus) ||
bn2heim_int(rsa->e, &data.publicExponent))
{
free_RSAPublicKey(&data);
return -1;
}
if (pp == NULL) {
size = length_RSAPublicKey(&data);
free_RSAPublicKey(&data);
} else {
void *p;
size_t len;
ASN1_MALLOC_ENCODE(RSAPublicKey, p, len, &data, &size, ret);
free_RSAPublicKey(&data);
if (ret)
return -1;
if (len != size)
abort();
memcpy(*pp, p, size);
free(p);
*pp += size;
}
return size;
}

11
source/heimdal/lib/des/rsa.h
View File

@@ -32,7 +32,7 @@
*/
/*
* $Id: rsa.h,v 1.5 2006/05/07 11:34:02 lha Exp $
* $Id: rsa.h,v 1.9 2007/01/05 20:26:23 lha Exp $
*/
#ifndef _HEIM_RSA_H
@@ -59,7 +59,9 @@
#define RSA_private_decrypt hc_RSA_private_decrypt
#define RSA_sign hc_RSA_sign
#define RSA_verify hc_RSA_verify
#define RSA_generate_key_ex hc_RSA_generate_key_ex
#define d2i_RSAPrivateKey hc_d2i_RSAPrivateKey
#define i2d_RSAPrivateKey hc_i2d_RSAPrivateKey
#define i2d_RSAPublicKey hc_i2d_RSAPublicKey
/*
@@ -119,9 +121,10 @@ struct RSA {
void *mt_blinding;
};
#define RSA_FLAG_SIGN_VER 0x40
#define RSA_FLAG_NO_BLINDING 0x0080
#define RSA_PKCS1_PADDING 1
#define RSA_PKCS1_OAEP_PADDING 4
#define RSA_PKCS1_PADDING_SIZE 11
/*
@@ -162,7 +165,11 @@ int RSA_sign(int, const unsigned char *, unsigned int,
int RSA_verify(int, const unsigned char *, unsigned int,
unsigned char *, unsigned int, RSA *);
int RSA_generate_key_ex(RSA *, int, BIGNUM *, BN_GENCB *);
RSA * d2i_RSAPrivateKey(RSA *, const unsigned char **, size_t);
int i2d_RSAPrivateKey(RSA *, unsigned char **);
int i2d_RSAPublicKey(RSA *, unsigned char **);
#endif /* _HEIM_RSA_H */

8
source/heimdal/lib/gssapi/gssapi/gssapi.h
View File

@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gssapi.h,v 1.6 2006/11/10 00:39:50 lha Exp $ */
/* $Id: gssapi.h,v 1.7 2006/12/15 20:02:54 lha Exp $ */
#ifndef GSSAPI_GSSAPI_H_
#define GSSAPI_GSSAPI_H_
@@ -300,6 +300,12 @@ extern gss_OID GSS_C_NT_EXPORT_NAME;
extern gss_OID GSS_SASL_DIGEST_MD5_MECHANISM;
/*
* NTLM mechanism
*/
extern gss_OID GSS_NTLM_MECHANISM;
/* Major status codes */
#define GSS_S_COMPLETE 0

1
source/heimdal/lib/gssapi/gssapi_mech.h
View File

@@ -344,5 +344,6 @@ __gss_get_mechanism(gss_OID /* oid */);
gssapi_mech_interface __gss_spnego_initialize(void);
gssapi_mech_interface __gss_krb5_initialize(void);
gssapi_mech_interface __gss_ntlm_initialize(void);
#endif /* GSSAPI_MECH_H */

143
source/heimdal/lib/gssapi/krb5/accept_sec_context.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: accept_sec_context.c,v 1.65 2006/11/07 14:52:05 lha Exp $");
RCSID("$Id: accept_sec_context.c,v 1.66 2006/11/13 18:00:54 lha Exp $");
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
@@ -41,20 +41,21 @@ krb5_keytab _gsskrb5_keytab;
OM_uint32
_gsskrb5_register_acceptor_identity (const char *identity)
{
krb5_context context;
krb5_error_code ret;
ret = _gsskrb5_init();
ret = _gsskrb5_init(&context);
if(ret)
return GSS_S_FAILURE;
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if(_gsskrb5_keytab != NULL) {
krb5_kt_close(_gsskrb5_context, _gsskrb5_keytab);
krb5_kt_close(context, _gsskrb5_keytab);
_gsskrb5_keytab = NULL;
}
if (identity == NULL) {
ret = krb5_kt_default(_gsskrb5_context, &_gsskrb5_keytab);
ret = krb5_kt_default(context, &_gsskrb5_keytab);
} else {
char *p;
@@ -63,7 +64,7 @@ _gsskrb5_register_acceptor_identity (const char *identity)
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
return GSS_S_FAILURE;
}
ret = krb5_kt_resolve(_gsskrb5_context, p, &_gsskrb5_keytab);
ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab);
free(p);
}
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
@@ -120,6 +121,7 @@ static OM_uint32
gsskrb5_accept_delegated_token
(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
gss_cred_id_t * delegated_cred_handle
)
{
@@ -131,33 +133,31 @@ gsskrb5_accept_delegated_token
/* XXX Create a new delegated_cred_handle? */
if (delegated_cred_handle == NULL) {
kret = krb5_cc_default (_gsskrb5_context, &ccache);
kret = krb5_cc_default (context, &ccache);
} else {
*delegated_cred_handle = NULL;
kret = krb5_cc_gen_new (_gsskrb5_context, &krb5_mcc_ops, &ccache);
kret = krb5_cc_gen_new (context, &krb5_mcc_ops, &ccache);
}
if (kret) {
ctx->flags &= ~GSS_C_DELEG_FLAG;
goto out;
}
kret = krb5_cc_initialize(_gsskrb5_context, ccache, ctx->source);
kret = krb5_cc_initialize(context, ccache, ctx->source);
if (kret) {
ctx->flags &= ~GSS_C_DELEG_FLAG;
goto out;
}
krb5_auth_con_removeflags(_gsskrb5_context,
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
&ac_flags);
kret = krb5_rd_cred2(_gsskrb5_context,
kret = krb5_rd_cred2(context,
ctx->auth_context,
ccache,
&ctx->fwd_data);
if (kret)
_gsskrb5_set_error_string();
krb5_auth_con_setflags(_gsskrb5_context,
krb5_auth_con_setflags(context,
ctx->auth_context,
ac_flags);
if (kret) {
@@ -181,16 +181,16 @@ gsskrb5_accept_delegated_token
handle = (gsskrb5_cred) *delegated_cred_handle;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
ccache = NULL;
}
out:
if (ccache) {
if (delegated_cred_handle == NULL)
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
else
krb5_cc_destroy(_gsskrb5_context, ccache);
krb5_cc_destroy(context, ccache);
}
return ret;
}
@@ -198,13 +198,14 @@ out:
static OM_uint32
gsskrb5_acceptor_ready(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
gss_cred_id_t *delegated_cred_handle)
{
OM_uint32 ret;
int32_t seq_number;
int is_cfx = 0;
krb5_auth_getremoteseqnumber (_gsskrb5_context,
krb5_auth_getremoteseqnumber (context,
ctx->auth_context,
&seq_number);
@@ -222,7 +223,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
* isn't a mutual authentication context
*/
if (!(ctx->flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(ctx->flags)) {
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
krb5_auth_con_setlocalseqnumber(context,
ctx->auth_context,
seq_number);
}
@@ -233,6 +234,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
if (ctx->fwd_data.length > 0 && (ctx->flags & GSS_C_DELEG_FLAG)) {
ret = gsskrb5_accept_delegated_token(minor_status,
ctx,
context,
delegated_cred_handle);
if (ret)
return ret;
@@ -250,6 +252,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
static OM_uint32
gsskrb5_acceptor_start(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
const gss_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token_buffer,
const gss_channel_bindings_t input_chan_bindings,
@@ -301,49 +304,46 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
krb5_rd_req_in_ctx in = NULL;
krb5_rd_req_out_ctx out = NULL;
kret = krb5_rd_req_in_ctx_alloc(_gsskrb5_context, &in);
kret = krb5_rd_req_in_ctx_alloc(context, &in);
if (kret == 0)
kret = krb5_rd_req_in_set_keytab(_gsskrb5_context, in, keytab);
kret = krb5_rd_req_in_set_keytab(context, in, keytab);
if (kret) {
if (in)
krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
krb5_rd_req_in_ctx_free(context, in);
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
kret = krb5_rd_req_ctx(_gsskrb5_context,
kret = krb5_rd_req_ctx(context,
&ctx->auth_context,
&indata,
(acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
in, &out);
krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
krb5_rd_req_in_ctx_free(context, in);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
/*
* We need to remember some data on the context_handle.
*/
kret = krb5_rd_req_out_get_ap_req_options(_gsskrb5_context, out,
kret = krb5_rd_req_out_get_ap_req_options(context, out,
&ap_options);
if (kret == 0)
kret = krb5_rd_req_out_get_ticket(_gsskrb5_context, out,
kret = krb5_rd_req_out_get_ticket(context, out,
&ctx->ticket);
if (kret == 0)
kret = krb5_rd_req_out_get_keyblock(_gsskrb5_context, out,
kret = krb5_rd_req_out_get_keyblock(context, out,
&ctx->service_keyblock);
ctx->lifetime = ctx->ticket->ticket.endtime;
krb5_rd_req_out_ctx_free(_gsskrb5_context, out);
krb5_rd_req_out_ctx_free(context, out);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
}
@@ -353,22 +353,20 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
* We need to copy the principal names to the context and the
* calling layer.
*/
kret = krb5_copy_principal(_gsskrb5_context,
kret = krb5_copy_principal(context,
ctx->ticket->client,
&ctx->source);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
}
kret = krb5_copy_principal(_gsskrb5_context,
kret = krb5_copy_principal(context,
ctx->ticket->server,
&ctx->target);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
@@ -376,18 +374,17 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
* We need to setup some compat stuff, this assumes that
* context_handle->target is already set.
*/
ret = _gss_DES3_get_mic_compat(minor_status, ctx);
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
return ret;
if (src_name != NULL) {
kret = krb5_copy_principal (_gsskrb5_context,
kret = krb5_copy_principal (context,
ctx->ticket->client,
(gsskrb5_name*)src_name);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
}
@@ -398,13 +395,12 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
{
krb5_authenticator authenticator;
kret = krb5_auth_con_getauthenticator(_gsskrb5_context,
kret = krb5_auth_con_getauthenticator(context,
ctx->auth_context,
&authenticator);
if(kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
@@ -415,22 +411,21 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
&ctx->flags,
&ctx->fwd_data);
krb5_free_authenticator(_gsskrb5_context, &authenticator);
krb5_free_authenticator(context, &authenticator);
if (ret) {
return ret;
}
} else {
krb5_crypto crypto;
kret = krb5_crypto_init(_gsskrb5_context,
kret = krb5_crypto_init(context,
ctx->auth_context->keyblock,
0, &crypto);
if(kret) {
krb5_free_authenticator(_gsskrb5_context, &authenticator);
krb5_free_authenticator(context, &authenticator);
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
@@ -439,16 +434,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
* GSSAPI checksum here
*/
kret = krb5_verify_checksum(_gsskrb5_context,
kret = krb5_verify_checksum(context,
crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
authenticator->cksum);
krb5_free_authenticator(_gsskrb5_context, &authenticator);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_free_authenticator(context, &authenticator);
krb5_crypto_destroy(context, crypto);
if(kret) {
ret = GSS_S_BAD_SIG;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
@@ -467,23 +461,22 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if (is_cfx != 0
|| (ap_options & AP_OPTS_USE_SUBKEY)) {
kret = krb5_auth_con_addflags(_gsskrb5_context,
kret = krb5_auth_con_addflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_USE_SUBKEY,
NULL);
ctx->more_flags |= ACCEPTOR_SUBKEY;
}
kret = krb5_mk_rep(_gsskrb5_context,
kret = krb5_mk_rep(context,
ctx->auth_context,
&outbuf);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
if (ctx->flags & GSS_C_DCE_STYLE) {
if (IS_DCE_STYLE(ctx)) {
output_token->length = outbuf.length;
output_token->value = outbuf.data;
} else {
@@ -510,6 +503,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
time_rec);
if (ret) {
@@ -521,7 +515,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
* When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from
* the client.
*/
if (ctx->flags & GSS_C_DCE_STYLE) {
if (IS_DCE_STYLE(ctx)) {
/*
* Return flags to caller, but we haven't processed
* delgations yet
@@ -533,7 +527,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
return GSS_S_CONTINUE_NEEDED;
}
ret = gsskrb5_acceptor_ready(minor_status, ctx, delegated_cred_handle);
ret = gsskrb5_acceptor_ready(minor_status, ctx, context,
delegated_cred_handle);
if (ret_flags)
*ret_flags = ctx->flags;
@@ -544,6 +539,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
static OM_uint32
acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
const gss_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token_buffer,
const gss_channel_bindings_t input_chan_bindings,
@@ -572,29 +568,26 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
* the remote seq_number to the old value
*/
{
kret = krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
kret = krb5_auth_con_getlocalseqnumber(context,
ctx->auth_context,
&l_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_auth_getremoteseqnumber(_gsskrb5_context,
kret = krb5_auth_getremoteseqnumber(context,
ctx->auth_context,
&r_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_auth_con_setremoteseqnumber(_gsskrb5_context,
kret = krb5_auth_con_setremoteseqnumber(context,
ctx->auth_context,
l_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -609,19 +602,18 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
krb5_ap_rep_enc_part *repl;
int32_t auth_flags;
krb5_auth_con_removeflags(_gsskrb5_context,
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
&auth_flags);
kret = krb5_rd_rep(_gsskrb5_context, ctx->auth_context, &inbuf, &repl);
kret = krb5_rd_rep(context, ctx->auth_context, &inbuf, &repl);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
krb5_free_ap_rep_enc_part(_gsskrb5_context, repl);
krb5_auth_con_setflags(_gsskrb5_context, ctx->auth_context, auth_flags);
krb5_free_ap_rep_enc_part(context, repl);
krb5_auth_con_setflags(context, ctx->auth_context, auth_flags);
}
/* We need to check the liftime */
@@ -629,6 +621,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
OM_uint32 lifetime_rec;
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
&lifetime_rec);
if (ret) {
@@ -645,12 +638,11 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
if (ret_flags) *ret_flags = ctx->flags;
if (src_name) {
kret = krb5_copy_principal(_gsskrb5_context,
kret = krb5_copy_principal(context,
ctx->source,
(gsskrb5_name*)src_name);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
}
@@ -664,20 +656,19 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
{
int32_t tmp_r_seq_number, tmp_l_seq_number;
kret = krb5_auth_getremoteseqnumber(_gsskrb5_context,
kret = krb5_auth_getremoteseqnumber(context,
ctx->auth_context,
&tmp_r_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
kret = krb5_auth_con_getlocalseqnumber(context,
ctx->auth_context,
&tmp_l_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -695,17 +686,17 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
* the old one for the GSS_wrap() calls
*/
{
kret = krb5_auth_con_setremoteseqnumber(_gsskrb5_context,
kret = krb5_auth_con_setremoteseqnumber(context,
ctx->auth_context,
r_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
}
return gsskrb5_acceptor_ready(minor_status, ctx, delegated_cred_handle);
return gsskrb5_acceptor_ready(minor_status, ctx, context,
delegated_cred_handle);
}
@@ -722,10 +713,11 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
OM_uint32 * time_rec,
gss_cred_id_t * delegated_cred_handle)
{
krb5_context context;
OM_uint32 ret;
gsskrb5_ctx ctx;
GSSAPI_KRB5_INIT();
GSSAPI_KRB5_INIT(&context);
output_token->length = 0;
output_token->value = NULL;
@@ -738,6 +730,7 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
if (*context_handle == GSS_C_NO_CONTEXT) {
ret = _gsskrb5_create_ctx(minor_status,
context_handle,
context,
input_chan_bindings,
ACCEPTOR_START);
if (ret)
@@ -758,6 +751,7 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
case ACCEPTOR_START:
ret = gsskrb5_acceptor_start(minor_status,
ctx,
context,
acceptor_cred_handle,
input_token_buffer,
input_chan_bindings,
@@ -771,6 +765,7 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
case ACCEPTOR_WAIT_FOR_DCESTYLE:
ret = acceptor_wait_for_dcestyle(minor_status,
ctx,
context,
acceptor_cred_handle,
input_token_buffer,
input_chan_bindings,

112
source/heimdal/lib/gssapi/krb5/acquire_cred.c
View File

@@ -33,13 +33,14 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: acquire_cred.c,v 1.31 2006/10/07 22:13:55 lha Exp $");
RCSID("$Id: acquire_cred.c,v 1.33 2006/11/20 18:09:30 lha Exp $");
OM_uint32
__gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
krb5_ccache id,
krb5_principal principal,
OM_uint32 *lifetime)
krb5_context context,
krb5_ccache id,
krb5_principal principal,
OM_uint32 *lifetime)
{
krb5_creds in_cred, *out_cred;
krb5_const_realm realm;
@@ -48,32 +49,30 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
memset(&in_cred, 0, sizeof(in_cred));
in_cred.client = principal;
realm = krb5_principal_get_realm(_gsskrb5_context, principal);
realm = krb5_principal_get_realm(context, principal);
if (realm == NULL) {
_gsskrb5_clear_status ();
*minor_status = KRB5_PRINC_NOMATCH; /* XXX */
return GSS_S_FAILURE;
}
kret = krb5_make_principal(_gsskrb5_context, &in_cred.server,
kret = krb5_make_principal(context, &in_cred.server,
realm, KRB5_TGS_NAME, realm, NULL);
if (kret) {
_gsskrb5_set_error_string();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_get_credentials(_gsskrb5_context, 0,
kret = krb5_get_credentials(context, 0,
id, &in_cred, &out_cred);
krb5_free_principal(_gsskrb5_context, in_cred.server);
krb5_free_principal(context, in_cred.server);
if (kret) {
_gsskrb5_set_error_string();
*minor_status = kret;
return GSS_S_FAILURE;
}
*lifetime = out_cred->times.endtime;
krb5_free_creds(_gsskrb5_context, out_cred);
krb5_free_creds(context, out_cred);
return GSS_S_COMPLETE;
}
@@ -82,7 +81,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
static krb5_error_code
get_keytab(krb5_keytab *keytab)
get_keytab(krb5_context context, krb5_keytab *keytab)
{
char kt_name[256];
krb5_error_code kret;
@@ -90,13 +89,13 @@ get_keytab(krb5_keytab *keytab)
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if (_gsskrb5_keytab != NULL) {
kret = krb5_kt_get_name(_gsskrb5_context,
kret = krb5_kt_get_name(context,
_gsskrb5_keytab,
kt_name, sizeof(kt_name));
if (kret == 0)
kret = krb5_kt_resolve(_gsskrb5_context, kt_name, keytab);
kret = krb5_kt_resolve(context, kt_name, keytab);
} else
kret = krb5_kt_default(_gsskrb5_context, keytab);
kret = krb5_kt_default(context, keytab);
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
@@ -105,6 +104,7 @@ get_keytab(krb5_keytab *keytab)
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -132,33 +132,33 @@ static OM_uint32 acquire_initiator_cred
* caches, otherwise, fall back to default cache. Ignore
* errors. */
if (handle->principal)
kret = krb5_cc_cache_match (_gsskrb5_context,
kret = krb5_cc_cache_match (context,
handle->principal,
NULL,
&ccache);
if (ccache == NULL) {
kret = krb5_cc_default(_gsskrb5_context, &ccache);
kret = krb5_cc_default(context, &ccache);
if (kret)
goto end;
}
kret = krb5_cc_get_principal(_gsskrb5_context, ccache,
kret = krb5_cc_get_principal(context, ccache,
&def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
krb5_cc_destroy(_gsskrb5_context, ccache);
krb5_cc_destroy(context, ccache);
ccache = NULL;
kret = 0;
} else if (handle->principal == NULL) {
kret = krb5_copy_principal(_gsskrb5_context, def_princ,
kret = krb5_copy_principal(context, def_princ,
&handle->principal);
if (kret)
goto end;
} else if (handle->principal != NULL &&
krb5_principal_compare(_gsskrb5_context, handle->principal,
krb5_principal_compare(context, handle->principal,
def_princ) == FALSE) {
/* Before failing, lets check the keytab */
krb5_free_principal(_gsskrb5_context, def_princ);
krb5_free_principal(context, def_princ);
def_princ = NULL;
}
if (def_princ == NULL) {
@@ -166,30 +166,30 @@ static OM_uint32 acquire_initiator_cred
* so attempt to get a TGT using a keytab.
*/
if (handle->principal == NULL) {
kret = krb5_get_default_principal(_gsskrb5_context,
kret = krb5_get_default_principal(context,
&handle->principal);
if (kret)
goto end;
}
kret = get_keytab(&keytab);
kret = get_keytab(context, &keytab);
if (kret)
goto end;
kret = krb5_get_init_creds_opt_alloc(_gsskrb5_context, &opt);
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
kret = krb5_get_init_creds_keytab(_gsskrb5_context, &cred,
kret = krb5_get_init_creds_keytab(context, &cred,
handle->principal, keytab, 0, NULL, opt);
krb5_get_init_creds_opt_free(opt);
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
kret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops,
kret = krb5_cc_gen_new(context, &krb5_mcc_ops,
&ccache);
if (kret)
goto end;
kret = krb5_cc_initialize(_gsskrb5_context, ccache, cred.client);
kret = krb5_cc_initialize(context, ccache, cred.client);
if (kret)
goto end;
kret = krb5_cc_store_cred(_gsskrb5_context, ccache, &cred);
kret = krb5_cc_store_cred(context, ccache, &cred);
if (kret)
goto end;
handle->lifetime = cred.times.endtime;
@@ -197,9 +197,10 @@ static OM_uint32 acquire_initiator_cred
} else {
ret = __gsskrb5_ccache_lifetime(minor_status,
ccache,
handle->principal,
&handle->lifetime);
context,
ccache,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE)
goto end;
kret = 0;
@@ -210,17 +211,16 @@ static OM_uint32 acquire_initiator_cred
end:
if (cred.client != NULL)
krb5_free_cred_contents(_gsskrb5_context, &cred);
krb5_free_cred_contents(context, &cred);
if (def_princ != NULL)
krb5_free_principal(_gsskrb5_context, def_princ);
krb5_free_principal(context, def_princ);
if (keytab != NULL)
krb5_kt_close(_gsskrb5_context, keytab);
krb5_kt_close(context, keytab);
if (ret != GSS_S_COMPLETE) {
if (ccache != NULL)
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
if (kret != 0) {
*minor_status = kret;
_gsskrb5_set_error_string ();
}
}
return (ret);
@@ -228,6 +228,7 @@ end:
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -242,7 +243,7 @@ static OM_uint32 acquire_acceptor_cred
kret = 0;
ret = GSS_S_FAILURE;
kret = get_keytab(&handle->keytab);
kret = get_keytab(context, &handle->keytab);
if (kret)
goto end;
@@ -250,21 +251,20 @@ static OM_uint32 acquire_acceptor_cred
if (handle->principal) {
krb5_keytab_entry entry;
kret = krb5_kt_get_entry(_gsskrb5_context, handle->keytab,
kret = krb5_kt_get_entry(context, handle->keytab,
handle->principal, 0, 0, &entry);
if (kret)
goto end;
krb5_kt_free_entry(_gsskrb5_context, &entry);
krb5_kt_free_entry(context, &entry);
}
ret = GSS_S_COMPLETE;
end:
if (ret != GSS_S_COMPLETE) {
if (handle->keytab != NULL)
krb5_kt_close(_gsskrb5_context, handle->keytab);
krb5_kt_close(context, handle->keytab);
if (kret != 0) {
*minor_status = kret;
_gsskrb5_set_error_string ();
}
}
return (ret);
@@ -281,6 +281,7 @@ OM_uint32 _gsskrb5_acquire_cred
OM_uint32 * time_rec
)
{
krb5_context context;
gsskrb5_cred handle;
OM_uint32 ret;
@@ -289,7 +290,7 @@ OM_uint32 _gsskrb5_acquire_cred
return GSS_S_FAILURE;
}
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT(&context);
*output_cred_handle = NULL;
if (time_rec)
@@ -320,31 +321,33 @@ OM_uint32 _gsskrb5_acquire_cred
if (desired_name != GSS_C_NO_NAME) {
krb5_principal name = (krb5_principal)desired_name;
ret = krb5_copy_principal(_gsskrb5_context, name, &handle->principal);
ret = krb5_copy_principal(context, name, &handle->principal);
if (ret) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
_gsskrb5_set_error_string();
*minor_status = ret;
free(handle);
return GSS_S_FAILURE;
}
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
ret = acquire_initiator_cred(minor_status, context,
desired_name, time_req,
desired_mechs, cred_usage, handle,
actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
return (ret);
}
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
ret = acquire_acceptor_cred(minor_status, context,
desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
return (ret);
}
@@ -360,15 +363,16 @@ OM_uint32 _gsskrb5_acquire_cred
if (handle->mechanisms != NULL)
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
return (ret);
}
*minor_status = 0;
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
handle->lifetime,
time_rec);
context,
handle->lifetime,
time_rec);
if (ret)
return ret;

31
source/heimdal/lib/gssapi/krb5/add_cred.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: add_cred.c,v 1.9 2006/10/07 22:13:58 lha Exp $");
RCSID("$Id: add_cred.c,v 1.10 2006/11/13 18:01:01 lha Exp $");
OM_uint32 _gsskrb5_add_cred (
OM_uint32 *minor_status,
@@ -48,6 +48,7 @@ OM_uint32 _gsskrb5_add_cred (
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
krb5_context context;
OM_uint32 ret, lifetime;
gsskrb5_cred cred, handle;
krb5_const_principal dname;
@@ -56,6 +57,8 @@ OM_uint32 _gsskrb5_add_cred (
cred = (gsskrb5_cred)input_cred_handle;
dname = (krb5_const_principal)desired_name;
GSSAPI_KRB5_INIT (&context);
if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_S_BAD_MECH;
@@ -83,7 +86,7 @@ OM_uint32 _gsskrb5_add_cred (
/* check that we have the same name */
if (dname != NULL &&
krb5_principal_compare(_gsskrb5_context, dname,
krb5_principal_compare(context, dname,
cred->principal) != FALSE) {
if (output_cred_handle)
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
@@ -112,7 +115,7 @@ OM_uint32 _gsskrb5_add_cred (
ret = GSS_S_FAILURE;
kret = krb5_copy_principal(_gsskrb5_context, cred->principal,
kret = krb5_copy_principal(context, cred->principal,
&handle->principal);
if (kret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
@@ -127,7 +130,7 @@ OM_uint32 _gsskrb5_add_cred (
ret = GSS_S_FAILURE;
kret = krb5_kt_get_type(_gsskrb5_context, cred->keytab,
kret = krb5_kt_get_type(context, cred->keytab,
name, KRB5_KT_PREFIX_MAX_LEN);
if (kret) {
*minor_status = kret;
@@ -136,7 +139,7 @@ OM_uint32 _gsskrb5_add_cred (
len = strlen(name);
name[len++] = ':';
kret = krb5_kt_get_name(_gsskrb5_context, cred->keytab,
kret = krb5_kt_get_name(context, cred->keytab,
name + len,
sizeof(name) - len);
if (kret) {
@@ -144,7 +147,7 @@ OM_uint32 _gsskrb5_add_cred (
goto failure;
}
kret = krb5_kt_resolve(_gsskrb5_context, name,
kret = krb5_kt_resolve(context, name,
&handle->keytab);
if (kret){
*minor_status = kret;
@@ -158,21 +161,21 @@ OM_uint32 _gsskrb5_add_cred (
ret = GSS_S_FAILURE;
type = krb5_cc_get_type(_gsskrb5_context, cred->ccache);
type = krb5_cc_get_type(context, cred->ccache);
if (type == NULL){
*minor_status = ENOMEM;
goto failure;
}
if (strcmp(type, "MEMORY") == 0) {
ret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops,
ret = krb5_cc_gen_new(context, &krb5_mcc_ops,
&handle->ccache);
if (ret) {
*minor_status = ret;
goto failure;
}
ret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache,
ret = krb5_cc_copy_cache(context, cred->ccache,
handle->ccache);
if (ret) {
*minor_status = ret;
@@ -180,7 +183,7 @@ OM_uint32 _gsskrb5_add_cred (
}
} else {
name = krb5_cc_get_name(_gsskrb5_context, cred->ccache);
name = krb5_cc_get_name(context, cred->ccache);
if (name == NULL) {
*minor_status = ENOMEM;
goto failure;
@@ -192,7 +195,7 @@ OM_uint32 _gsskrb5_add_cred (
goto failure;
}
kret = krb5_cc_resolve(_gsskrb5_context, type_name,
kret = krb5_cc_resolve(context, type_name,
&handle->ccache);
free(type_name);
if (kret) {
@@ -234,11 +237,11 @@ OM_uint32 _gsskrb5_add_cred (
if (handle) {
if (handle->principal)
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
if (handle->keytab)
krb5_kt_close(_gsskrb5_context, handle->keytab);
krb5_kt_close(context, handle->keytab);
if (handle->ccache)
krb5_cc_destroy(_gsskrb5_context, handle->ccache);
krb5_cc_destroy(context, handle->ccache);
if (handle->mechanisms)
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
free(handle);

7
source/heimdal/lib/gssapi/krb5/address_to_krb5addr.c
View File

@@ -36,7 +36,8 @@
#include <roken.h>
krb5_error_code
_gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type,
_gsskrb5i_address_to_krb5addr(krb5_context context,
OM_uint32 gss_addr_type,
gss_buffer_desc *gss_addr,
int16_t port,
krb5_address *address)
@@ -61,7 +62,7 @@ _gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type,
return GSS_S_FAILURE;
}
problem = krb5_h_addr2sockaddr (_gsskrb5_context,
problem = krb5_h_addr2sockaddr (context,
addr_type,
gss_addr->value,
&sa,
@@ -70,7 +71,7 @@ _gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type,
if (problem)
return GSS_S_FAILURE;
problem = krb5_sockaddr2address (_gsskrb5_context, &sa, address);
problem = krb5_sockaddr2address (context, &sa, address);
return problem;
}

56
source/heimdal/lib/gssapi/krb5/arcfour.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: arcfour.c,v 1.30 2006/11/07 19:05:16 lha Exp $");
RCSID("$Id: arcfour.c,v 1.31 2006/11/13 18:01:08 lha Exp $");
/*
* Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
@@ -114,7 +114,8 @@ arcfour_mic_key(krb5_context context, krb5_keyblock *key,
static krb5_error_code
arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
arcfour_mic_cksum(krb5_context context,
krb5_keyblock *key, unsigned usage,
u_char *sgn_cksum, size_t sgn_cksum_sz,
const u_char *v1, size_t l1,
const void *v2, size_t l2,
@@ -138,13 +139,13 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
memcpy(ptr + l1, v2, l2);
memcpy(ptr + l1 + l2, v3, l3);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
free(ptr);
return ret;
}
ret = krb5_create_checksum(_gsskrb5_context,
ret = krb5_create_checksum(context,
crypto,
usage,
0,
@@ -155,7 +156,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
free_Checksum(&CKSUM);
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return ret;
}
@@ -164,6 +165,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
OM_uint32
_gssapi_get_mic_arcfour(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -200,7 +202,8 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
p = NULL;
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
ret = arcfour_mic_cksum(context,
key, KRB5_KU_USAGE_SIGN,
p0 + 16, 8, /* SGN_CKSUM */
p0, 8, /* TOK_ID, SGN_ALG, Filer */
message_buffer->value, message_buffer->length,
@@ -211,7 +214,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_FAILURE;
}
ret = arcfour_mic_key(_gsskrb5_context, key,
ret = arcfour_mic_key(context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
@@ -221,13 +224,13 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
}
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
context_handle->auth_context,
&seq_number);
p = p0 + 8; /* SND_SEQ */
_gsskrb5_encode_be_om_uint32(seq_number, p);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -248,6 +251,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
OM_uint32
_gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -279,7 +283,8 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_BAD_MIC;
p += 4;
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
ret = arcfour_mic_cksum(context,
key, KRB5_KU_USAGE_SIGN,
cksum_data, sizeof(cksum_data),
p - 8, 8,
message_buffer->value, message_buffer->length,
@@ -289,7 +294,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_FAILURE;
}
ret = arcfour_mic_key(_gsskrb5_context, key,
ret = arcfour_mic_key(context, key,
cksum_data, sizeof(cksum_data),
k6_data, sizeof(k6_data));
if (ret) {
@@ -339,6 +344,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
OM_uint32
_gssapi_wrap_arcfour(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -396,13 +402,13 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
p = NULL;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
context_handle->auth_context,
&seq_number);
_gsskrb5_encode_be_om_uint32(seq_number, p0 + 8);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -420,7 +426,8 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
if (!IS_DCE_STYLE(context_handle))
p[input_message_buffer->length] = 1; /* padding */
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
ret = arcfour_mic_cksum(context,
key, KRB5_KU_USAGE_SEAL,
p0 + 16, 8, /* SGN_CKSUM */
p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
p0 + 24, 8, /* Confounder */
@@ -442,7 +449,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
for (i = 0; i < 16; i++)
Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
}
ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
ret = arcfour_mic_key(context, &Klocal,
p0 + 8, 4, /* SND_SEQ */
k6_data, sizeof(k6_data));
memset(Klocaldata, 0, sizeof(Klocaldata));
@@ -463,7 +470,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
}
memset(k6_data, 0, sizeof(k6_data));
ret = arcfour_mic_key(_gsskrb5_context, key,
ret = arcfour_mic_key(context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
@@ -490,6 +497,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
@@ -562,7 +570,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
return GSS_S_BAD_MIC;
p = NULL;
ret = arcfour_mic_key(_gsskrb5_context, key,
ret = arcfour_mic_key(context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
@@ -601,7 +609,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
for (i = 0; i < 16; i++)
Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
}
ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
ret = arcfour_mic_key(context, &Klocal,
SND_SEQ, 4,
k6_data, sizeof(k6_data));
memset(Klocaldata, 0, sizeof(Klocaldata));
@@ -643,7 +651,8 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
output_message_buffer->length -= padlen;
}
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
ret = arcfour_mic_cksum(context,
key, KRB5_KU_USAGE_SEAL,
cksum_data, sizeof(cksum_data),
p0, 8,
Confounder, sizeof(Confounder),
@@ -721,6 +730,7 @@ max_wrap_length_arcfour(const gsskrb5_ctx ctx,
OM_uint32
_gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
@@ -730,9 +740,8 @@ _gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
krb5_error_code ret;
krb5_crypto crypto;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -740,13 +749,12 @@ _gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
ret = max_wrap_length_arcfour(ctx, crypto,
req_output_size, max_input_size);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_COMPLETE;
}

133
source/heimdal/lib/gssapi/krb5/cfx.c
View File

@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: cfx.c,v 1.24 2006/10/24 21:13:22 lha Exp $");
RCSID("$Id: cfx.c,v 1.25 2006/11/13 18:01:14 lha Exp $");
/*
* Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
@@ -43,7 +43,8 @@ RCSID("$Id: cfx.c,v 1.24 2006/10/24 21:13:22 lha Exp $");
#define CFXAcceptorSubkey (1 << 2)
krb5_error_code
_gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
_gsskrb5cfx_wrap_length_cfx(krb5_context context,
krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
size_t *output_length,
@@ -57,11 +58,11 @@ _gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
*output_length = sizeof(gss_cfx_wrap_token_desc);
*padlength = 0;
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type);
ret = krb5_crypto_get_checksum_type(context, crypto, &type);
if (ret)
return ret;
ret = krb5_checksumsize(_gsskrb5_context, type, cksumsize);
ret = krb5_checksumsize(context, type, cksumsize);
if (ret)
return ret;
@@ -71,7 +72,7 @@ _gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
/* Header is concatenated with data before encryption */
input_length += sizeof(gss_cfx_wrap_token_desc);
ret = krb5_crypto_getpadsize(_gsskrb5_context, crypto, &padsize);
ret = krb5_crypto_getpadsize(context, crypto, &padsize);
if (ret) {
return ret;
}
@@ -83,7 +84,7 @@ _gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
input_length += *padlength;
}
*output_length += krb5_get_wrapped_length(_gsskrb5_context,
*output_length += krb5_get_wrapped_length(context,
crypto, input_length);
} else {
/* Checksum is concatenated with data */
@@ -96,7 +97,8 @@ _gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
}
krb5_error_code
_gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
_gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
OM_uint32 *output_length)
@@ -116,7 +118,7 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
wrapped_size = input_length + 1;
do {
wrapped_size--;
sz = krb5_get_wrapped_length(_gsskrb5_context,
sz = krb5_get_wrapped_length(context,
crypto, wrapped_size);
} while (wrapped_size && sz > input_length);
if (wrapped_size == 0) {
@@ -136,11 +138,11 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
krb5_cksumtype type;
size_t cksumsize;
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type);
ret = krb5_crypto_get_checksum_type(context, crypto, &type);
if (ret)
return ret;
ret = krb5_checksumsize(_gsskrb5_context, type, &cksumsize);
ret = krb5_checksumsize(context, type, &cksumsize);
if (ret)
return ret;
@@ -157,6 +159,7 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
@@ -166,23 +169,21 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
krb5_error_code ret;
krb5_crypto crypto;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5cfx_max_wrap_length_cfx(crypto, conf_req_flag,
ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag,
req_output_size, max_input_size);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_COMPLETE;
}
@@ -233,6 +234,7 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -250,20 +252,19 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
int32_t seq_number;
u_char *p;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5cfx_wrap_length_cfx(crypto, conf_req_flag,
ret = _gsskrb5cfx_wrap_length_cfx(context,
crypto, conf_req_flag,
input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -274,7 +275,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(output_message_buffer->length);
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -324,12 +325,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
token->RRC[1] = 0;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
krb5_auth_con_getlocalseqnumber(context,
context_handle->auth_context,
&seq_number);
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
krb5_auth_con_setlocalseqnumber(context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -364,15 +365,14 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
memcpy(p + input_message_buffer->length + padlength,
token, sizeof(*token));
ret = krb5_encrypt(_gsskrb5_context, crypto,
ret = krb5_encrypt(context, crypto,
usage, p,
input_message_buffer->length + padlength +
sizeof(*token),
&cipher);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
@@ -382,9 +382,8 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
@@ -397,22 +396,21 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
buf = malloc(input_message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
memcpy(buf, input_message_buffer->value, input_message_buffer->length);
memcpy(buf + input_message_buffer->length, token, sizeof(*token));
ret = krb5_create_checksum(_gsskrb5_context, crypto,
ret = krb5_create_checksum(context, crypto,
usage, 0, buf,
input_message_buffer->length +
sizeof(*token),
&cksum);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free(buf);
return GSS_S_FAILURE;
@@ -434,9 +432,8 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(p,
input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free_Checksum(&cksum);
return GSS_S_FAILURE;
@@ -444,7 +441,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
free_Checksum(&cksum);
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (conf_state != NULL) {
*conf_state = conf_req_flag;
@@ -456,6 +453,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
@@ -539,9 +537,8 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/*
* Decrypt and/or verify checksum
*/
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -559,23 +556,22 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Rotate by RRC; bogus to do this in-place XXX */
*minor_status = rrc_rotate(p, len, rrc, TRUE);
if (*minor_status != 0) {
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
if (token_flags & CFXSealed) {
ret = krb5_decrypt(_gsskrb5_context, crypto, usage,
ret = krb5_decrypt(context, crypto, usage,
p, len, &data);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_BAD_MIC;
}
/* Check that there is room for the pad and token header */
if (data.length < ec + sizeof(*token)) {
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
return GSS_S_DEFECTIVE_TOKEN;
}
@@ -588,7 +584,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check the integrity of the header */
if (memcmp(p, token, sizeof(*token)) != 0) {
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
return GSS_S_BAD_MIC;
}
@@ -599,12 +595,11 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
Checksum cksum;
/* Determine checksum type */
ret = krb5_crypto_get_checksum_type(_gsskrb5_context,
ret = krb5_crypto_get_checksum_type(context,
crypto, &cksum.cksumtype);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -613,7 +608,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check we have at least as much data as the checksum */
if (len < cksum.checksum.length) {
*minor_status = ERANGE;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_BAD_MIC;
}
@@ -625,7 +620,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(len + sizeof(*token));
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -642,21 +637,20 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
token->RRC[0] = 0;
token->RRC[1] = 0;
ret = krb5_verify_checksum(_gsskrb5_context, crypto,
ret = krb5_verify_checksum(context, crypto,
usage,
output_message_buffer->value,
len + sizeof(*token),
&cksum);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_BAD_MIC;
}
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (qop_state != NULL) {
*qop_state = GSS_C_QOP_DEFAULT;
@@ -668,6 +662,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -682,9 +677,8 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
size_t len;
int32_t seq_number;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -693,7 +687,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
buf = malloc(len);
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -710,12 +704,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
memset(token->Filler, 0xFF, 5);
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
krb5_auth_con_getlocalseqnumber(context,
context_handle->auth_context,
&seq_number);
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
krb5_auth_con_setlocalseqnumber(context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -726,16 +720,15 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
}
ret = krb5_create_checksum(_gsskrb5_context, crypto,
ret = krb5_create_checksum(context, crypto,
usage, 0, buf, len, &cksum);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
free(buf);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
/* Determine MIC length */
message_token->length = sizeof(*token) + cksum.checksum.length;
@@ -761,6 +754,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state,
@@ -830,19 +824,17 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
/*
* Verify checksum
*/
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto,
ret = krb5_crypto_get_checksum_type(context, crypto,
&cksum.cksumtype);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -858,20 +850,19 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
buf = malloc(message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
memcpy(buf, message_buffer->value, message_buffer->length);
memcpy(buf + message_buffer->length, token, sizeof(*token));
ret = krb5_verify_checksum(_gsskrb5_context, crypto,
ret = krb5_verify_checksum(context, crypto,
usage,
buf,
sizeof(*token) + message_buffer->length,
&cksum);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
free(buf);
return GSS_S_BAD_MIC;

17
source/heimdal/lib/gssapi/krb5/cfx.h
View File

@@ -30,7 +30,7 @@
* SUCH DAMAGE.
*/
/* $Id: cfx.h,v 1.7 2006/07/19 14:16:33 lha Exp $ */
/* $Id: cfx.h,v 1.8 2006/11/13 18:01:17 lha Exp $ */
#ifndef GSSAPI_CFX_H_
#define GSSAPI_CFX_H_ 1
@@ -62,19 +62,4 @@ typedef struct gss_cfx_delete_token_desc_struct {
u_char SND_SEQ[8];
} gss_cfx_delete_token_desc, *gss_cfx_delete_token;
krb5_error_code
_gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
size_t *output_length,
size_t *cksumsize,
uint16_t *padlength);
krb5_error_code
_gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
OM_uint32 *output_length);
#endif /* GSSAPI_CFX_H_ */

7
source/heimdal/lib/gssapi/krb5/compare_name.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: compare_name.c,v 1.7 2006/10/07 22:14:15 lha Exp $");
RCSID("$Id: compare_name.c,v 1.8 2006/11/13 18:01:20 lha Exp $");
OM_uint32 _gsskrb5_compare_name
(OM_uint32 * minor_status,
@@ -44,10 +44,11 @@ OM_uint32 _gsskrb5_compare_name
{
krb5_const_principal princ1 = (krb5_const_principal)name1;
krb5_const_principal princ2 = (krb5_const_principal)name2;
krb5_context context;
GSSAPI_KRB5_INIT();
GSSAPI_KRB5_INIT(&context);
*name_equal = krb5_principal_compare (_gsskrb5_context,
*name_equal = krb5_principal_compare (context,
princ1, princ2);
*minor_status = 0;
return GSS_S_COMPLETE;

23
source/heimdal/lib/gssapi/krb5/compat.c
View File

@@ -33,11 +33,12 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: compat.c,v 1.13 2006/10/07 22:14:17 lha Exp $");
RCSID("$Id: compat.c,v 1.14 2006/11/13 18:01:23 lha Exp $");
static krb5_error_code
check_compat(OM_uint32 *minor_status, krb5_const_principal name,
check_compat(OM_uint32 *minor_status,
krb5_context context, krb5_const_principal name,
const char *option, krb5_boolean *compat,
krb5_boolean match_val)
{
@@ -46,27 +47,27 @@ check_compat(OM_uint32 *minor_status, krb5_const_principal name,
krb5_principal match;
p = krb5_config_get_strings(_gsskrb5_context, NULL, "gssapi",
p = krb5_config_get_strings(context, NULL, "gssapi",
option, NULL);
if(p == NULL)
return 0;
match = NULL;
for(q = p; *q; q++) {
ret = krb5_parse_name(_gsskrb5_context, *q, &match);
ret = krb5_parse_name(context, *q, &match);
if (ret)
break;
if (krb5_principal_match(_gsskrb5_context, name, match)) {
if (krb5_principal_match(context, name, match)) {
*compat = match_val;
break;
}
krb5_free_principal(_gsskrb5_context, match);
krb5_free_principal(context, match);
match = NULL;
}
if (match)
krb5_free_principal(_gsskrb5_context, match);
krb5_free_principal(context, match);
krb5_config_free_strings(p);
if (ret) {
@@ -83,17 +84,19 @@ check_compat(OM_uint32 *minor_status, krb5_const_principal name,
*/
OM_uint32
_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gsskrb5_ctx ctx)
_gss_DES3_get_mic_compat(OM_uint32 *minor_status,
gsskrb5_ctx ctx,
krb5_context context)
{
krb5_boolean use_compat = FALSE;
OM_uint32 ret;
if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) {
ret = check_compat(minor_status, ctx->target,
ret = check_compat(minor_status, context, ctx->target,
"broken_des3_mic", &use_compat, TRUE);
if (ret)
return ret;
ret = check_compat(minor_status, ctx->target,
ret = check_compat(minor_status, context, ctx->target,
"correct_des3_mic", &use_compat, FALSE);
if (ret)
return ret;

16
source/heimdal/lib/gssapi/krb5/context_time.c
View File

@@ -33,12 +33,13 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: context_time.c,v 1.13 2006/10/07 22:14:19 lha Exp $");
RCSID("$Id: context_time.c,v 1.14 2006/11/13 18:01:26 lha Exp $");
OM_uint32
_gsskrb5_lifetime_left(OM_uint32 *minor_status,
OM_uint32 lifetime,
OM_uint32 *lifetime_rec)
krb5_context context,
OM_uint32 lifetime,
OM_uint32 *lifetime_rec)
{
krb5_timestamp timeret;
krb5_error_code kret;
@@ -48,10 +49,9 @@ _gsskrb5_lifetime_left(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
kret = krb5_timeofday(_gsskrb5_context, &timeret);
kret = krb5_timeofday(context, &timeret);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
@@ -70,17 +70,19 @@ OM_uint32 _gsskrb5_context_time
OM_uint32 * time_rec
)
{
krb5_context context;
OM_uint32 lifetime;
OM_uint32 major_status;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
lifetime = ctx->lifetime;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
major_status = _gsskrb5_lifetime_left(minor_status, lifetime, time_rec);
major_status = _gsskrb5_lifetime_left(minor_status, context,
lifetime, time_rec);
if (major_status != GSS_S_COMPLETE)
return major_status;

38
source/heimdal/lib/gssapi/krb5/copy_ccache.c
View File

@@ -33,11 +33,12 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: copy_ccache.c,v 1.16 2006/11/08 02:42:50 lha Exp $");
RCSID("$Id: copy_ccache.c,v 1.17 2006/11/13 18:01:29 lha Exp $");
#if 0
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
krb5_context context,
gss_cred_id_t cred,
krb5_ccache out)
{
@@ -51,11 +52,10 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
kret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, out);
kret = krb5_cc_copy_cache(context, cred->ccache, out);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
*minor_status = 0;
@@ -71,13 +71,14 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
krb5_keytab keytab,
gss_cred_id_t *cred)
{
krb5_context context;
krb5_error_code kret;
gsskrb5_cred handle;
OM_uint32 ret;
*cred = NULL;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
@@ -94,11 +95,10 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
handle->usage |= GSS_C_INITIATE;
kret = krb5_cc_get_principal(_gsskrb5_context, id,
kret = krb5_cc_get_principal(context, id,
&handle->principal);
if (kret) {
free(handle);
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -106,11 +106,11 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
if (keytab_principal) {
krb5_boolean match;
match = krb5_principal_compare(_gsskrb5_context,
match = krb5_principal_compare(context,
handle->principal,
keytab_principal);
if (match == FALSE) {
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
_gsskrb5_clear_status ();
*minor_status = EINVAL;
@@ -119,21 +119,22 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
}
ret = __gsskrb5_ccache_lifetime(minor_status,
id,
handle->principal,
&handle->lifetime);
context,
id,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE) {
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
return ret;
}
kret = krb5_cc_get_full_name(_gsskrb5_context, id, &str);
kret = krb5_cc_get_full_name(context, id, &str);
if (kret)
goto out;
kret = krb5_cc_resolve(_gsskrb5_context, str, &handle->ccache);
kret = krb5_cc_resolve(context, str, &handle->ccache);
free(str);
if (kret)
goto out;
@@ -146,18 +147,18 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
handle->usage |= GSS_C_ACCEPT;
if (keytab_principal && handle->principal == NULL) {
kret = krb5_copy_principal(_gsskrb5_context,
kret = krb5_copy_principal(context,
keytab_principal,
&handle->principal);
if (kret)
goto out;
}
kret = krb5_kt_get_full_name(_gsskrb5_context, keytab, &str);
kret = krb5_kt_get_full_name(context, keytab, &str);
if (kret)
goto out;
kret = krb5_kt_resolve(_gsskrb5_context, str, &handle->keytab);
kret = krb5_kt_resolve(context, str, &handle->keytab);
free(str);
if (kret)
goto out;
@@ -180,9 +181,8 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
out:
_gsskrb5_set_error_string ();
if (handle->principal)
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = kret;

15
source/heimdal/lib/gssapi/krb5/delete_sec_context.c
View File

@@ -33,16 +33,17 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: delete_sec_context.c,v 1.19 2006/10/07 22:14:28 lha Exp $");
RCSID("$Id: delete_sec_context.c,v 1.20 2006/11/13 18:01:32 lha Exp $");
OM_uint32
_gsskrb5_delete_sec_context(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
gss_buffer_t output_token)
{
krb5_context context;
gsskrb5_ctx ctx;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
*minor_status = 0;
@@ -59,17 +60,17 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_free (_gsskrb5_context, ctx->auth_context);
krb5_auth_con_free (context, ctx->auth_context);
if(ctx->source)
krb5_free_principal (_gsskrb5_context, ctx->source);
krb5_free_principal (context, ctx->source);
if(ctx->target)
krb5_free_principal (_gsskrb5_context, ctx->target);
krb5_free_principal (context, ctx->target);
if (ctx->ticket)
krb5_free_ticket (_gsskrb5_context, ctx->ticket);
krb5_free_ticket (context, ctx->ticket);
if(ctx->order)
_gssapi_msg_order_destroy(&ctx->order);
if (ctx->service_keyblock)
krb5_free_keyblock (_gsskrb5_context, ctx->service_keyblock);
krb5_free_keyblock (context, ctx->service_keyblock);
krb5_data_free(&ctx->fwd_data);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

9
source/heimdal/lib/gssapi/krb5/display_name.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: display_name.c,v 1.12 2006/10/07 22:14:31 lha Exp $");
RCSID("$Id: display_name.c,v 1.13 2006/11/13 18:01:36 lha Exp $");
OM_uint32 _gsskrb5_display_name
(OM_uint32 * minor_status,
@@ -42,16 +42,17 @@ OM_uint32 _gsskrb5_display_name
gss_OID * output_name_type
)
{
krb5_context context;
krb5_const_principal name = (krb5_const_principal)input_name;
krb5_error_code kret;
char *buf;
size_t len;
GSSAPI_KRB5_INIT ();
kret = krb5_unparse_name (_gsskrb5_context, name, &buf);
GSSAPI_KRB5_INIT (&context);
kret = krb5_unparse_name (context, name, &buf);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
len = strlen (buf);

154
source/heimdal/lib/gssapi/krb5/display_status.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1998 - 2005 Kungliga Tekniska H<>gskolan
* Copyright (c) 1998 - 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: display_status.c,v 1.16 2006/10/07 22:14:33 lha Exp $");
RCSID("$Id: display_status.c,v 1.17 2006/11/13 18:01:38 lha Exp $");
static const char *
calling_error(OM_uint32 v)
@@ -114,117 +114,87 @@ supplementary_error(OM_uint32 v)
void
_gsskrb5_clear_status (void)
{
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1);
if (ctx == NULL)
krb5_context context;
if (_gsskrb5_init (&context) != 0)
return;
HEIMDAL_MUTEX_lock(&ctx->mutex);
if (ctx->error_string)
free(ctx->error_string);
ctx->error_string = NULL;
HEIMDAL_MUTEX_unlock(&ctx->mutex);
krb5_clear_error_string(context);
}
void
_gsskrb5_set_status (const char *fmt, ...)
{
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1);
krb5_context context;
va_list args;
char *str;
if (ctx == NULL)
if (_gsskrb5_init (&context) != 0)
return;
HEIMDAL_MUTEX_lock(&ctx->mutex);
va_start(args, fmt);
if (ctx->error_string)
free(ctx->error_string);
/* ignore failures, will use status code instead */
vasprintf(&ctx->error_string, fmt, args);
vasprintf(&str, fmt, args);
va_end(args);
HEIMDAL_MUTEX_unlock(&ctx->mutex);
}
void
_gsskrb5_set_error_string (void)
{
char *e;
e = krb5_get_error_string(_gsskrb5_context);
if (e) {
_gsskrb5_set_status("%s", e);
krb5_free_error_string(_gsskrb5_context, e);
} else
_gsskrb5_clear_status();
}
char *
_gsskrb5_get_error_string (void)
{
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(0);
char *ret;
if (ctx == NULL)
return NULL;
HEIMDAL_MUTEX_lock(&ctx->mutex);
ret = ctx->error_string;
ctx->error_string = NULL;
HEIMDAL_MUTEX_unlock(&ctx->mutex);
return ret;
if (str) {
krb5_set_error_string(context, str);
free(str);
}
}
OM_uint32 _gsskrb5_display_status
(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
OM_uint32 *message_context,
gss_buffer_t status_string)
(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
OM_uint32 *message_context,
gss_buffer_t status_string)
{
char *buf;
krb5_context context;
char *buf;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
status_string->length = 0;
status_string->value = NULL;
status_string->length = 0;
status_string->value = NULL;
if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_C_GSS_CODE;
}
if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_C_GSS_CODE;
}
if (status_type == GSS_C_GSS_CODE) {
if (GSS_SUPPLEMENTARY_INFO(status_value))
asprintf(&buf, "%s",
supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
else
asprintf (&buf, "%s %s",
calling_error(GSS_CALLING_ERROR(status_value)),
routine_error(GSS_ROUTINE_ERROR(status_value)));
} else if (status_type == GSS_C_MECH_CODE) {
buf = _gsskrb5_get_error_string ();
if (buf == NULL) {
const char *tmp = krb5_get_err_text (_gsskrb5_context,
status_value);
if (tmp == NULL)
asprintf(&buf, "unknown mech error-code %u",
(unsigned)status_value);
else
buf = strdup(tmp);
}
} else {
*minor_status = EINVAL;
return GSS_S_BAD_STATUS;
}
if (status_type == GSS_C_GSS_CODE) {
if (GSS_SUPPLEMENTARY_INFO(status_value))
asprintf(&buf, "%s",
supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
else
asprintf (&buf, "%s %s",
calling_error(GSS_CALLING_ERROR(status_value)),
routine_error(GSS_ROUTINE_ERROR(status_value)));
} else if (status_type == GSS_C_MECH_CODE) {
buf = krb5_get_error_string(context);
if (buf == NULL) {
const char *tmp = krb5_get_err_text (context, status_value);
if (tmp == NULL)
asprintf(&buf, "unknown mech error-code %u",
(unsigned)status_value);
else
buf = strdup(tmp);
}
} else {
*minor_status = EINVAL;
return GSS_S_BAD_STATUS;
}
if (buf == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
if (buf == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
*message_context = 0;
*minor_status = 0;
*message_context = 0;
*minor_status = 0;
status_string->length = strlen(buf);
status_string->value = buf;
status_string->length = strlen(buf);
status_string->value = buf;
return GSS_S_COMPLETE;
return GSS_S_COMPLETE;
}

8
source/heimdal/lib/gssapi/krb5/duplicate_name.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: duplicate_name.c,v 1.10 2006/10/07 22:14:35 lha Exp $");
RCSID("$Id: duplicate_name.c,v 1.11 2006/11/13 18:01:42 lha Exp $");
OM_uint32 _gsskrb5_duplicate_name (
OM_uint32 * minor_status,
@@ -41,16 +41,16 @@ OM_uint32 _gsskrb5_duplicate_name (
gss_name_t * dest_name
)
{
krb5_context context;
krb5_const_principal src = (krb5_const_principal)src_name;
krb5_principal *dest = (krb5_principal *)dest_name;
krb5_error_code kret;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
kret = krb5_copy_principal (_gsskrb5_context, src, dest);
kret = krb5_copy_principal (context, src, dest);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
} else {
*minor_status = 0;

9
source/heimdal/lib/gssapi/krb5/export_name.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: export_name.c,v 1.8 2006/10/07 22:14:40 lha Exp $");
RCSID("$Id: export_name.c,v 1.9 2006/11/13 18:01:50 lha Exp $");
OM_uint32 _gsskrb5_export_name
(OM_uint32 * minor_status,
@@ -41,16 +41,17 @@ OM_uint32 _gsskrb5_export_name
gss_buffer_t exported_name
)
{
krb5_context context;
krb5_const_principal princ = (krb5_const_principal)input_name;
krb5_error_code kret;
char *buf, *name;
size_t len;
GSSAPI_KRB5_INIT ();
kret = krb5_unparse_name (_gsskrb5_context, princ, &name);
GSSAPI_KRB5_INIT (&context);
kret = krb5_unparse_name (context, princ, &name);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
len = strlen (name);

5
source/heimdal/lib/gssapi/krb5/export_sec_context.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: export_sec_context.c,v 1.11 2006/10/07 22:14:42 lha Exp $");
RCSID("$Id: export_sec_context.c,v 1.12 2006/11/13 18:01:55 lha Exp $");
OM_uint32
_gsskrb5_export_sec_context (
@@ -42,6 +42,7 @@ _gsskrb5_export_sec_context (
gss_buffer_t interprocess_token
)
{
krb5_context context;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) *context_handle;
krb5_storage *sp;
krb5_auth_context ac;
@@ -52,7 +53,7 @@ _gsskrb5_export_sec_context (
OM_uint32 minor;
krb5_error_code kret;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);

4
source/heimdal/lib/gssapi/krb5/external.c
View File

@@ -34,7 +34,7 @@
#include "krb5/gsskrb5_locl.h"
#include <gssapi_mech.h>
RCSID("$Id: external.c,v 1.22 2006/11/08 23:00:20 lha Exp $");
RCSID("$Id: external.c,v 1.23 2006/11/13 18:01:57 lha Exp $");
/*
* The implementation must reserve static storage for a
@@ -369,7 +369,7 @@ gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc;
* Context for krb5 calls.
*/
krb5_context _gsskrb5_context;
krb5_context context;
/*
*

50
source/heimdal/lib/gssapi/krb5/get_mic.c
View File

@@ -33,12 +33,13 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: get_mic.c,v 1.34 2006/10/18 15:59:23 lha Exp $");
RCSID("$Id: get_mic.c,v 1.35 2006/11/13 18:02:00 lha Exp $");
static OM_uint32
mic_des
(OM_uint32 * minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -94,9 +95,9 @@ mic_des
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
krb5_auth_con_getlocalseqnumber (context,
ctx->auth_context,
&seq_number);
p -= 16; /* SND_SEQ */
p[0] = (seq_number >> 0) & 0xFF;
@@ -111,7 +112,7 @@ mic_des
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -127,6 +128,7 @@ static OM_uint32
mic_des3
(OM_uint32 * minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -180,18 +182,17 @@ mic_des3
memcpy (tmp, p - 8, 8);
memcpy (tmp + 8, message_buffer->value, message_buffer->length);
kret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
kret = krb5_crypto_init(context, key, 0, &crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
free (tmp);
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_create_checksum (_gsskrb5_context,
kret = krb5_create_checksum (context,
crypto,
KRB5_KU_USAGE_SIGN,
0,
@@ -199,12 +200,11 @@ mic_des3
message_buffer->length + 8,
&cksum);
free (tmp);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -213,7 +213,7 @@ mic_des3
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
ctx->auth_context,
&seq_number);
@@ -225,13 +225,12 @@ mic_des3
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
kret = krb5_crypto_init(_gsskrb5_context, key,
kret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -241,16 +240,15 @@ mic_des3
else
memcpy(ivec, p + 8, 8);
kret = krb5_encrypt_ivec (_gsskrb5_context,
kret = krb5_encrypt_ivec (context,
crypto,
KRB5_KU_USAGE_SEQ,
seq, 8, &encdata, ivec);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -260,7 +258,7 @@ mic_des3
memcpy (p, encdata.data, encdata.length);
krb5_data_free (&encdata);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -278,40 +276,42 @@ OM_uint32 _gsskrb5_get_mic
gss_buffer_t message_token
)
{
krb5_context context;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, &key);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = mic_des (minor_status, ctx, qop_req,
ret = mic_des (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
case KEYTYPE_DES3 :
ret = mic_des3 (minor_status, ctx, qop_req,
ret = mic_des3 (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_get_mic_arcfour (minor_status, ctx, qop_req,
ret = _gssapi_get_mic_arcfour (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
default :
ret = _gssapi_mic_cfx (minor_status, ctx, qop_req,
ret = _gssapi_mic_cfx (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
return ret;
}

34
source/heimdal/lib/gssapi/krb5/gsskrb5-private.h
View File

@@ -10,6 +10,7 @@ __gss_krb5_initialize (void);
OM_uint32
__gsskrb5_ccache_lifetime (
OM_uint32 */*minor_status*/,
krb5_context /*context*/,
krb5_ccache /*id*/,
krb5_principal /*principal*/,
OM_uint32 */*lifetime*/);
@@ -17,7 +18,8 @@ __gsskrb5_ccache_lifetime (
OM_uint32
_gss_DES3_get_mic_compat (
OM_uint32 */*minor_status*/,
gsskrb5_ctx /*ctx*/);
gsskrb5_ctx /*ctx*/,
krb5_context /*context*/);
OM_uint32
_gssapi_decapsulate (
@@ -44,6 +46,7 @@ OM_uint32
_gssapi_get_mic_arcfour (
OM_uint32 * /*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/,
@@ -59,6 +62,7 @@ OM_uint32
_gssapi_mic_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/,
@@ -99,6 +103,7 @@ OM_uint32
_gssapi_unwrap_arcfour (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int */*conf_state*/,
@@ -109,6 +114,7 @@ OM_uint32
_gssapi_unwrap_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int */*conf_state*/,
@@ -125,6 +131,7 @@ OM_uint32
_gssapi_verify_mic_arcfour (
OM_uint32 * /*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t * /*qop_state*/,
@@ -135,6 +142,7 @@ OM_uint32
_gssapi_verify_mic_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t */*qop_state*/,
@@ -150,6 +158,7 @@ OM_uint32
_gssapi_wrap_arcfour (
OM_uint32 * /*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*input_message_buffer*/,
@@ -161,6 +170,7 @@ OM_uint32
_gssapi_wrap_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*input_message_buffer*/,
@@ -172,6 +182,7 @@ OM_uint32
_gssapi_wrap_size_arcfour (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*ctx*/,
krb5_context /*context*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_output_size*/,
@@ -182,6 +193,7 @@ OM_uint32
_gssapi_wrap_size_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_output_size*/,
@@ -268,6 +280,7 @@ OM_uint32
_gsskrb5_create_ctx (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
krb5_context /*context*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
enum gss_ctx_id_t_state /*state*/);
@@ -359,9 +372,6 @@ _gsskrb5_export_sec_context (
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t interprocess_token );
char *
_gsskrb5_get_error_string (void);
ssize_t
_gsskrb5_get_mech (
const u_char */*ptr*/,
@@ -376,9 +386,6 @@ _gsskrb5_get_mic (
const gss_buffer_t /*message_buffer*/,
gss_buffer_t message_token );
struct gssapi_thr_context *
_gsskrb5_get_thread_context (int /*createp*/);
OM_uint32
_gsskrb5_get_tkt_flags (
OM_uint32 */*minor_status*/,
@@ -412,7 +419,7 @@ _gsskrb5_indicate_mechs (
gss_OID_set * mech_set );
krb5_error_code
_gsskrb5_init (void);
_gsskrb5_init (krb5_context */*context*/);
OM_uint32
_gsskrb5_init_sec_context (
@@ -496,6 +503,7 @@ _gsskrb5_krb5_ccache_name (
OM_uint32
_gsskrb5_lifetime_left (
OM_uint32 */*minor_status*/,
krb5_context /*context*/,
OM_uint32 /*lifetime*/,
OM_uint32 */*lifetime_rec*/);
@@ -552,9 +560,6 @@ _gsskrb5_set_cred_option (
const gss_OID /*desired_object*/,
const gss_buffer_t /*value*/);
void
_gsskrb5_set_error_string (void);
OM_uint32
_gsskrb5_set_sec_context_option (
OM_uint32 */*minor_status*/,
@@ -635,6 +640,7 @@ OM_uint32
_gsskrb5_verify_mic_internal (
OM_uint32 * /*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t * /*qop_state*/,
@@ -661,6 +667,7 @@ _gsskrb5_wrap_size_limit (
krb5_error_code
_gsskrb5cfx_max_wrap_length_cfx (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
int /*conf_req_flag*/,
size_t /*input_length*/,
@@ -668,6 +675,7 @@ _gsskrb5cfx_max_wrap_length_cfx (
krb5_error_code
_gsskrb5cfx_wrap_length_cfx (
krb5_context /*context*/,
krb5_crypto /*crypto*/,
int /*conf_req_flag*/,
size_t /*input_length*/,
@@ -677,6 +685,7 @@ _gsskrb5cfx_wrap_length_cfx (
krb5_error_code
_gsskrb5i_address_to_krb5addr (
krb5_context /*context*/,
OM_uint32 /*gss_addr_type*/,
gss_buffer_desc */*gss_addr*/,
int16_t /*port*/,
@@ -685,16 +694,19 @@ _gsskrb5i_address_to_krb5addr (
krb5_error_code
_gsskrb5i_get_acceptor_subkey (
const gsskrb5_ctx /*ctx*/,
krb5_context /*context*/,
krb5_keyblock **/*key*/);
krb5_error_code
_gsskrb5i_get_initiator_subkey (
const gsskrb5_ctx /*ctx*/,
krb5_context /*context*/,
krb5_keyblock **/*key*/);
OM_uint32
_gsskrb5i_get_token_key (
const gsskrb5_ctx /*ctx*/,
krb5_context /*context*/,
krb5_keyblock **/*key*/);
void

8
source/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
View File

@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gsskrb5_locl.h,v 1.8 2006/11/10 00:36:40 lha Exp $ */
/* $Id: gsskrb5_locl.h,v 1.9 2006/11/13 18:02:03 lha Exp $ */
#ifndef GSSKRB5_LOCL_H
#define GSSKRB5_LOCL_H
@@ -100,8 +100,6 @@ typedef struct Principal *gsskrb5_name;
*
*/
extern krb5_context _gsskrb5_context;
extern krb5_keytab _gsskrb5_keytab;
extern HEIMDAL_MUTEX gssapi_keytab_mutex;
@@ -116,9 +114,9 @@ struct gssapi_thr_context {
#include <krb5/gsskrb5-private.h>
#define GSSAPI_KRB5_INIT() do { \
#define GSSAPI_KRB5_INIT(ctx) do { \
krb5_error_code kret_gss_init; \
if((kret_gss_init = _gsskrb5_init ()) != 0) { \
if((kret_gss_init = _gsskrb5_init (ctx)) != 0) { \
*minor_status = kret_gss_init; \
return GSS_S_FAILURE; \
} \

24
source/heimdal/lib/gssapi/krb5/import_name.c
View File

@@ -33,23 +33,23 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: import_name.c,v 1.17 2006/10/07 22:14:51 lha Exp $");
RCSID("$Id: import_name.c,v 1.18 2006/11/13 18:02:06 lha Exp $");
static OM_uint32
parse_krb5_name (OM_uint32 *minor_status,
krb5_context context,
const char *name,
gss_name_t *output_name)
{
krb5_principal princ;
krb5_error_code kerr;
kerr = krb5_parse_name (_gsskrb5_context, name, &princ);
kerr = krb5_parse_name (context, name, &princ);
if (kerr == 0) {
*output_name = (gss_name_t)princ;
return GSS_S_COMPLETE;
}
_gsskrb5_set_error_string ();
*minor_status = kerr;
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
@@ -60,6 +60,7 @@ parse_krb5_name (OM_uint32 *minor_status,
static OM_uint32
import_krb5_name (OM_uint32 *minor_status,
krb5_context context,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
@@ -76,7 +77,7 @@ import_krb5_name (OM_uint32 *minor_status,
input_name_buffer->length);
tmp[input_name_buffer->length] = '\0';
ret = parse_krb5_name(minor_status, tmp, output_name);
ret = parse_krb5_name(minor_status, context, tmp, output_name);
free(tmp);
return ret;
@@ -84,6 +85,7 @@ import_krb5_name (OM_uint32 *minor_status,
static OM_uint32
import_hostbased_name (OM_uint32 *minor_status,
krb5_context context,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
@@ -117,7 +119,7 @@ import_hostbased_name (OM_uint32 *minor_status,
host = local_hostname;
}
kerr = krb5_sname_to_principal (_gsskrb5_context,
kerr = krb5_sname_to_principal (context,
host,
tmp,
KRB5_NT_SRV_HST,
@@ -128,8 +130,6 @@ import_hostbased_name (OM_uint32 *minor_status,
*output_name = (gss_name_t)princ;
return GSS_S_COMPLETE;
}
_gsskrb5_set_error_string ();
*minor_status = kerr;
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
return GSS_S_BAD_NAME;
@@ -139,6 +139,7 @@ import_hostbased_name (OM_uint32 *minor_status,
static OM_uint32
import_export_name (OM_uint32 *minor_status,
krb5_context context,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
@@ -178,7 +179,7 @@ import_export_name (OM_uint32 *minor_status,
memcpy(name, p, length);
name[length] = '\0';
ret = parse_krb5_name(minor_status, name, output_name);
ret = parse_krb5_name(minor_status, context, name, output_name);
free(name);
return ret;
@@ -191,14 +192,17 @@ OM_uint32 _gsskrb5_import_name
gss_name_t * output_name
)
{
GSSAPI_KRB5_INIT ();
krb5_context context;
*minor_status = 0;
*output_name = GSS_C_NO_NAME;
GSSAPI_KRB5_INIT (&context);
if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE) ||
gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE_X))
return import_hostbased_name (minor_status,
context,
input_name_buffer,
output_name);
else if (gss_oid_equal(input_name_type, GSS_C_NO_OID)
@@ -206,10 +210,12 @@ OM_uint32 _gsskrb5_import_name
|| gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME))
/* default printable syntax */
return import_krb5_name (minor_status,
context,
input_name_buffer,
output_name);
else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) {
return import_export_name(minor_status,
context,
input_name_buffer,
output_name);
} else {

36
source/heimdal/lib/gssapi/krb5/import_sec_context.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: import_sec_context.c,v 1.17 2006/10/07 22:14:53 lha Exp $");
RCSID("$Id: import_sec_context.c,v 1.18 2006/11/13 18:02:09 lha Exp $");
OM_uint32
_gsskrb5_import_sec_context (
@@ -43,6 +43,7 @@ _gsskrb5_import_sec_context (
)
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_context context;
krb5_error_code kret;
krb5_storage *sp;
krb5_auth_context ac;
@@ -56,7 +57,7 @@ _gsskrb5_import_sec_context (
gsskrb5_ctx ctx;
gss_name_t name;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
*context_handle = GSS_C_NO_CONTEXT;
@@ -77,10 +78,9 @@ _gsskrb5_import_sec_context (
}
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (_gsskrb5_context,
kret = krb5_auth_con_init (context,
&ctx->auth_context);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@@ -108,11 +108,11 @@ _gsskrb5_import_sec_context (
goto failure;
}
krb5_auth_con_setaddrs (_gsskrb5_context, ac, localp, remotep);
krb5_auth_con_setaddrs (context, ac, localp, remotep);
if (localp)
krb5_free_address (_gsskrb5_context, localp);
krb5_free_address (context, localp);
if (remotep)
krb5_free_address (_gsskrb5_context, remotep);
krb5_free_address (context, remotep);
localp = remotep = NULL;
if (krb5_ret_int16 (sp, &ac->local_port) != 0)
@@ -123,20 +123,20 @@ _gsskrb5_import_sec_context (
if (flags & SC_KEYBLOCK) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
krb5_auth_con_setkey (context, ac, &keyblock);
krb5_free_keyblock_contents (context, &keyblock);
}
if (flags & SC_LOCAL_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setlocalsubkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
krb5_auth_con_setlocalsubkey (context, ac, &keyblock);
krb5_free_keyblock_contents (context, &keyblock);
}
if (flags & SC_REMOTE_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setremotesubkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
krb5_auth_con_setremotesubkey (context, ac, &keyblock);
krb5_free_keyblock_contents (context, &keyblock);
}
if (krb5_ret_uint32 (sp, &ac->local_seqnumber))
goto failure;
@@ -209,16 +209,16 @@ _gsskrb5_import_sec_context (
return GSS_S_COMPLETE;
failure:
krb5_auth_con_free (_gsskrb5_context,
krb5_auth_con_free (context,
ctx->auth_context);
if (ctx->source != NULL)
krb5_free_principal(_gsskrb5_context, ctx->source);
krb5_free_principal(context, ctx->source);
if (ctx->target != NULL)
krb5_free_principal(_gsskrb5_context, ctx->target);
krb5_free_principal(context, ctx->target);
if (localp)
krb5_free_address (_gsskrb5_context, localp);
krb5_free_address (context, localp);
if (remotep)
krb5_free_address (_gsskrb5_context, remotep);
krb5_free_address (context, remotep);
if(ctx->order)
_gssapi_msg_order_destroy(&ctx->order);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);

86
source/heimdal/lib/gssapi/krb5/init.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997 - 2001, 2003, 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,79 +33,51 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: init.c,v 1.9 2006/10/07 22:14:58 lha Exp $");
RCSID("$Id: init.c,v 1.10 2006/11/13 18:02:12 lha Exp $");
static HEIMDAL_MUTEX _gsskrb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER;
static HEIMDAL_MUTEX context_mutex = HEIMDAL_MUTEX_INITIALIZER;
static int created_key;
static HEIMDAL_thread_key gssapi_context_key;
static HEIMDAL_thread_key context_key;
static void
gssapi_destroy_thread_context(void *ptr)
destroy_context(void *ptr)
{
struct gssapi_thr_context *ctx = ptr;
krb5_context context = ptr;
if (ctx == NULL)
if (context == NULL)
return;
if (ctx->error_string)
free(ctx->error_string);
HEIMDAL_MUTEX_destroy(&ctx->mutex);
free(ctx);
}
struct gssapi_thr_context *
_gsskrb5_get_thread_context(int createp)
{
struct gssapi_thr_context *ctx;
int ret;
HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex);
if (!created_key)
abort();
ctx = HEIMDAL_getspecific(gssapi_context_key);
if (ctx == NULL) {
if (!createp)
goto fail;
ctx = malloc(sizeof(*ctx));
if (ctx == NULL)
goto fail;
ctx->error_string = NULL;
HEIMDAL_MUTEX_init(&ctx->mutex);
HEIMDAL_setspecific(gssapi_context_key, ctx, ret);
if (ret)
goto fail;
}
HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex);
return ctx;
fail:
HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex);
if (ctx)
free(ctx);
return NULL;
krb5_free_context(context);
}
krb5_error_code
_gsskrb5_init (void)
_gsskrb5_init (krb5_context *context)
{
krb5_error_code ret = 0;
HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex);
HEIMDAL_MUTEX_lock(&context_mutex);
if(_gsskrb5_context == NULL)
ret = krb5_init_context (&_gsskrb5_context);
if (ret == 0 && !created_key) {
HEIMDAL_key_create(&gssapi_context_key,
gssapi_destroy_thread_context,
ret);
if (!created_key) {
HEIMDAL_key_create(&context_key, destroy_context, ret);
if (ret) {
krb5_free_context(_gsskrb5_context);
_gsskrb5_context = NULL;
} else
created_key = 1;
HEIMDAL_MUTEX_unlock(&context_mutex);
return ret;
}
created_key = 1;
}
HEIMDAL_MUTEX_unlock(&context_mutex);
HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex);
*context = HEIMDAL_getspecific(context_key);
if (*context == NULL) {
ret = krb5_init_context(context);
if (ret == 0) {
HEIMDAL_setspecific(context_key, *context, ret);
if (ret) {
krb5_free_context(*context);
*context = NULL;
}
}
}
return ret;
}

130
source/heimdal/lib/gssapi/krb5/init_sec_context.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: init_sec_context.c,v 1.73 2006/11/07 17:40:01 lha Exp $");
RCSID("$Id: init_sec_context.c,v 1.75 2006/12/13 10:33:20 lha Exp $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@@ -41,7 +41,8 @@ RCSID("$Id: init_sec_context.c,v 1.73 2006/11/07 17:40:01 lha Exp $");
*/
static OM_uint32
set_addresses (krb5_auth_context ac,
set_addresses (krb5_context context,
krb5_auth_context ac,
const gss_channel_bindings_t input_chan_bindings)
{
/* Port numbers are expected to be in application_data.value,
@@ -64,29 +65,31 @@ set_addresses (krb5_auth_context ac,
ac->remote_port =
*((int16_t *) input_chan_bindings->application_data.value + 1);
kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
kret = _gsskrb5i_address_to_krb5addr(context,
input_chan_bindings->acceptor_addrtype,
&input_chan_bindings->acceptor_address,
ac->remote_port,
&acceptor_addr);
if (kret)
return kret;
kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
kret = _gsskrb5i_address_to_krb5addr(context,
input_chan_bindings->initiator_addrtype,
&input_chan_bindings->initiator_address,
ac->local_port,
&initiator_addr);
if (kret) {
krb5_free_address (_gsskrb5_context, &acceptor_addr);
krb5_free_address (context, &acceptor_addr);
return kret;
}
kret = krb5_auth_con_setaddrs(_gsskrb5_context,
kret = krb5_auth_con_setaddrs(context,
ac,
&initiator_addr, /* local address */
&acceptor_addr); /* remote address */
krb5_free_address (_gsskrb5_context, &initiator_addr);
krb5_free_address (_gsskrb5_context, &acceptor_addr);
krb5_free_address (context, &initiator_addr);
krb5_free_address (context, &acceptor_addr);
#if 0
free(input_chan_bindings->application_data.value);
@@ -101,6 +104,7 @@ OM_uint32
_gsskrb5_create_ctx(
OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
krb5_context context,
const gss_channel_bindings_t input_chan_bindings,
enum gss_ctx_id_t_state state)
{
@@ -127,23 +131,22 @@ _gsskrb5_create_ctx(
ctx->order = NULL;
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (_gsskrb5_context, &ctx->auth_context);
kret = krb5_auth_con_init (context, &ctx->auth_context);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
kret = set_addresses(ctx->auth_context, input_chan_bindings);
kret = set_addresses(context, ctx->auth_context, input_chan_bindings);
if (kret) {
*minor_status = kret;
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
krb5_auth_con_free(_gsskrb5_context, ctx->auth_context);
krb5_auth_con_free(context, ctx->auth_context);
return GSS_S_BAD_BINDINGS;
}
@@ -152,7 +155,7 @@ _gsskrb5_create_ctx(
* We need a sequence number
*/
krb5_auth_con_addflags(_gsskrb5_context,
krb5_auth_con_addflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE |
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
@@ -167,6 +170,7 @@ _gsskrb5_create_ctx(
static OM_uint32
gsskrb5_get_creds(
OM_uint32 * minor_status,
krb5_context context,
krb5_ccache ccache,
gsskrb5_ctx ctx,
krb5_const_principal target_name,
@@ -188,7 +192,7 @@ gsskrb5_get_creds(
if (time_req && time_req != GSS_C_INDEFINITE) {
krb5_timestamp ts;
krb5_timeofday (_gsskrb5_context, &ts);
krb5_timeofday (context, &ts);
this_cred.times.endtime = ts + time_req;
} else {
this_cred.times.endtime = 0;
@@ -196,20 +200,20 @@ gsskrb5_get_creds(
this_cred.session.keytype = KEYTYPE_NULL;
kret = krb5_get_credentials(_gsskrb5_context,
kret = krb5_get_credentials(context,
0,
ccache,
&this_cred,
cred);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
ctx->lifetime = (*cred)->times.endtime;
ret = _gsskrb5_lifetime_left(minor_status, ctx->lifetime, &lifetime_rec);
ret = _gsskrb5_lifetime_left(minor_status, context,
ctx->lifetime, &lifetime_rec);
if (ret) return ret;
if (lifetime_rec == 0) {
@@ -225,14 +229,15 @@ gsskrb5_get_creds(
static OM_uint32
gsskrb5_initiator_ready(
OM_uint32 * minor_status,
gsskrb5_ctx ctx)
gsskrb5_ctx ctx,
krb5_context context)
{
OM_uint32 ret;
int32_t seq_number;
int is_cfx = 0;
OM_uint32 flags = ctx->flags;
krb5_auth_getremoteseqnumber (_gsskrb5_context,
krb5_auth_getremoteseqnumber (context,
ctx->auth_context,
&seq_number);
@@ -255,7 +260,8 @@ gsskrb5_initiator_ready(
*/
static void
do_delegation (krb5_auth_context ac,
do_delegation (krb5_context context,
krb5_auth_context ac,
krb5_ccache ccache,
krb5_creds *cred,
krb5_const_principal name,
@@ -269,11 +275,11 @@ do_delegation (krb5_auth_context ac,
memset (&creds, 0, sizeof(creds));
krb5_data_zero (fwd_data);
kret = krb5_cc_get_principal(_gsskrb5_context, ccache, &creds.client);
kret = krb5_cc_get_principal(context, ccache, &creds.client);
if (kret)
goto out;
kret = krb5_build_principal(_gsskrb5_context,
kret = krb5_build_principal(context,
&creds.server,
strlen(creds.client->realm),
creds.client->realm,
@@ -293,7 +299,7 @@ do_delegation (krb5_auth_context ac,
name->name.name_string.len < 2)
goto out;
kret = krb5_get_forwarded_creds(_gsskrb5_context,
kret = krb5_get_forwarded_creds(context,
ac,
ccache,
KDCOptions2int(fwd_flags),
@@ -308,9 +314,9 @@ do_delegation (krb5_auth_context ac,
*flags |= GSS_C_DELEG_FLAG;
if (creds.client)
krb5_free_principal(_gsskrb5_context, creds.client);
krb5_free_principal(context, creds.client);
if (creds.server)
krb5_free_principal(_gsskrb5_context, creds.server);
krb5_free_principal(context, creds.server);
}
/*
@@ -322,6 +328,7 @@ init_auth
(OM_uint32 * minor_status,
gsskrb5_cred initiator_cred_handle,
gsskrb5_ctx ctx,
krb5_context context,
krb5_const_principal name,
const gss_OID mech_type,
OM_uint32 req_flags,
@@ -356,9 +363,8 @@ init_auth
*actual_mech_type = GSS_KRB5_MECHANISM;
if (initiator_cred_handle == NULL) {
kret = krb5_cc_default (_gsskrb5_context, &ccache);
kret = krb5_cc_default (context, &ccache);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@@ -366,28 +372,27 @@ init_auth
} else
ccache = initiator_cred_handle->ccache;
kret = krb5_cc_get_principal (_gsskrb5_context, ccache, &ctx->source);
kret = krb5_cc_get_principal (context, ccache, &ctx->source);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
kret = krb5_copy_principal (_gsskrb5_context, name, &ctx->target);
kret = krb5_copy_principal (context, name, &ctx->target);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
ret = _gss_DES3_get_mic_compat(minor_status, ctx);
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
goto failure;
ret = gsskrb5_get_creds(minor_status,
context,
ccache,
ctx,
ctx->target,
@@ -400,8 +405,9 @@ init_auth
ctx->lifetime = cred->times.endtime;
ret = _gsskrb5_lifetime_left(minor_status,
ctx->lifetime,
&lifetime_rec);
context,
ctx->lifetime,
&lifetime_rec);
if (ret) {
goto failure;
}
@@ -412,15 +418,14 @@ init_auth
goto failure;
}
krb5_auth_con_setkey(_gsskrb5_context,
krb5_auth_con_setkey(context,
ctx->auth_context,
&cred->session);
kret = krb5_auth_con_generatelocalsubkey(_gsskrb5_context,
kret = krb5_auth_con_generatelocalsubkey(context,
ctx->auth_context,
&cred->session);
if(kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@@ -436,7 +441,7 @@ init_auth
if (!cred->flags.b.ok_as_delegate) {
krb5_boolean delegate;
krb5_appdefault_boolean(_gsskrb5_context,
krb5_appdefault_boolean(context,
"gssapi", name->realm,
"ok-as-delegate", FALSE, &delegate);
if (delegate)
@@ -446,7 +451,8 @@ init_auth
flags = 0;
ap_options = 0;
if (req_flags & GSS_C_DELEG_FLAG)
do_delegation (ctx->auth_context,
do_delegation (context,
ctx->auth_context,
ccache, cred, name, &fwd_data, &flags);
if (req_flags & GSS_C_MUTUAL_FLAG) {
@@ -471,9 +477,9 @@ init_auth
flags |= GSS_C_EXTENDED_ERROR_FLAG;
if (req_flags & GSS_C_CONF_FLAG)
flags |= GSS_C_CONF_FLAG;
flags |= GSS_C_CONF_FLAG;
if (req_flags & GSS_C_INTEG_FLAG)
flags |= GSS_C_INTEG_FLAG;
flags |= GSS_C_INTEG_FLAG;
flags |= GSS_C_TRANS_FLAG;
@@ -493,7 +499,7 @@ init_auth
enctype = ctx->auth_context->keyblock->keytype;
kret = krb5_build_authenticator (_gsskrb5_context,
kret = krb5_build_authenticator (context,
ctx->auth_context,
enctype,
cred,
@@ -503,13 +509,12 @@ init_auth
KRB5_KU_AP_REQ_AUTH);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
kret = krb5_build_ap_req (_gsskrb5_context,
kret = krb5_build_ap_req (context,
enctype,
cred,
ap_options,
@@ -517,7 +522,6 @@ init_auth
&outbuf);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@@ -529,22 +533,22 @@ init_auth
goto failure;
krb5_data_free (&outbuf);
krb5_free_creds(_gsskrb5_context, cred);
krb5_free_creds(context, cred);
free_Checksum(&cksum);
if (initiator_cred_handle == NULL)
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
if (flags & GSS_C_MUTUAL_FLAG) {
ctx->state = INITIATOR_WAIT_FOR_MUTAL;
return GSS_S_CONTINUE_NEEDED;
}
return gsskrb5_initiator_ready(minor_status, ctx);
return gsskrb5_initiator_ready(minor_status, ctx, context);
failure:
if(cred)
krb5_free_creds(_gsskrb5_context, cred);
krb5_free_creds(context, cred);
if (ccache && initiator_cred_handle == NULL)
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
return ret;
@@ -554,6 +558,7 @@ static OM_uint32
repl_mutual
(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
@@ -593,28 +598,27 @@ repl_mutual
}
}
kret = krb5_rd_rep (_gsskrb5_context,
kret = krb5_rd_rep (context,
ctx->auth_context,
&indata,
&repl);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
krb5_free_ap_rep_enc_part (_gsskrb5_context,
krb5_free_ap_rep_enc_part (context,
repl);
_gsskrb5i_is_cfx(ctx, &is_cfx);
if (is_cfx) {
krb5_keyblock *key = NULL;
kret = krb5_auth_con_getremotesubkey(_gsskrb5_context,
kret = krb5_auth_con_getremotesubkey(context,
ctx->auth_context,
&key);
if (kret == 0 && key != NULL) {
ctx->more_flags |= ACCEPTOR_SUBKEY;
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
}
}
@@ -622,6 +626,7 @@ repl_mutual
*minor_status = 0;
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
time_rec);
} else {
@@ -635,16 +640,15 @@ repl_mutual
krb5_data outbuf;
/* Do don't do sequence number for the mk-rep */
krb5_auth_con_removeflags(_gsskrb5_context,
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE,
&con_flags);
kret = krb5_mk_rep(_gsskrb5_context,
kret = krb5_mk_rep(context,
ctx->auth_context,
&outbuf);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -652,13 +656,13 @@ repl_mutual
output_token->length = outbuf.length;
output_token->value = outbuf.data;
krb5_auth_con_removeflags(_gsskrb5_context,
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE,
NULL);
}
return gsskrb5_initiator_ready(minor_status, ctx);
return gsskrb5_initiator_ready(minor_status, ctx, context);
}
/*
@@ -681,12 +685,13 @@ OM_uint32 _gsskrb5_init_sec_context
OM_uint32 * time_rec
)
{
krb5_context context;
gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle;
krb5_const_principal name = (krb5_const_principal)target_name;
gsskrb5_ctx ctx;
OM_uint32 ret;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
output_token->length = 0;
output_token->value = NULL;
@@ -722,6 +727,7 @@ OM_uint32 _gsskrb5_init_sec_context
ret = _gsskrb5_create_ctx(minor_status,
context_handle,
context,
input_chan_bindings,
INITIATOR_START);
if (ret)
@@ -742,6 +748,7 @@ OM_uint32 _gsskrb5_init_sec_context
ret = init_auth(minor_status,
cred,
ctx,
context,
name,
mech_type,
req_flags,
@@ -756,6 +763,7 @@ OM_uint32 _gsskrb5_init_sec_context
case INITIATOR_WAIT_FOR_MUTAL:
ret = repl_mutual(minor_status,
ctx,
context,
mech_type,
req_flags,
time_req,

6
source/heimdal/lib/gssapi/krb5/inquire_context.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: inquire_context.c,v 1.10 2006/10/07 22:15:03 lha Exp $");
RCSID("$Id: inquire_context.c,v 1.11 2006/11/13 18:02:18 lha Exp $");
OM_uint32 _gsskrb5_inquire_context (
OM_uint32 * minor_status,
@@ -47,6 +47,7 @@ OM_uint32 _gsskrb5_inquire_context (
int * open_context
)
{
krb5_context context;
OM_uint32 ret;
gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle;
gss_name_t name;
@@ -56,6 +57,8 @@ OM_uint32 _gsskrb5_inquire_context (
if (targ_name)
*targ_name = GSS_C_NO_NAME;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (src_name) {
@@ -74,6 +77,7 @@ OM_uint32 _gsskrb5_inquire_context (
if (lifetime_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
lifetime_rec);
if (ret)

10
source/heimdal/lib/gssapi/krb5/inquire_cred.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: inquire_cred.c,v 1.12 2006/10/07 22:15:06 lha Exp $");
RCSID("$Id: inquire_cred.c,v 1.13 2006/11/13 18:02:21 lha Exp $");
OM_uint32 _gsskrb5_inquire_cred
(OM_uint32 * minor_status,
@@ -44,6 +44,7 @@ OM_uint32 _gsskrb5_inquire_cred
gss_OID_set * mechanisms
)
{
krb5_context context;
gss_cred_id_t aqcred_init = GSS_C_NO_CREDENTIAL;
gss_cred_id_t aqcred_accept = GSS_C_NO_CREDENTIAL;
gsskrb5_cred acred = NULL, icred = NULL;
@@ -56,6 +57,8 @@ OM_uint32 _gsskrb5_inquire_cred
if (mechanisms)
*mechanisms = GSS_C_NO_OID_SET;
GSSAPI_KRB5_INIT (&context);
if (cred_handle == GSS_C_NO_CREDENTIAL) {
ret = _gsskrb5_acquire_cred(minor_status,
GSS_C_NO_NAME,
@@ -105,7 +108,7 @@ OM_uint32 _gsskrb5_inquire_cred
goto out;
} else if (acred && acred->usage == GSS_C_ACCEPT) {
krb5_principal princ;
*minor_status = krb5_sname_to_principal(_gsskrb5_context, NULL,
*minor_status = krb5_sname_to_principal(context, NULL,
NULL, KRB5_NT_SRV_HST,
&princ);
if (*minor_status) {
@@ -115,7 +118,7 @@ OM_uint32 _gsskrb5_inquire_cred
*output_name = (gss_name_t)princ;
} else {
krb5_principal princ;
*minor_status = krb5_get_default_principal(_gsskrb5_context,
*minor_status = krb5_get_default_principal(context,
&princ);
if (*minor_status) {
ret = GSS_S_FAILURE;
@@ -131,6 +134,7 @@ OM_uint32 _gsskrb5_inquire_cred
if (icred) ilife = icred->lifetime;
ret = _gsskrb5_lifetime_left(minor_status,
context,
min(alife,ilife),
lifetime);
if (ret)

8
source/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c
View File

@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: inquire_cred_by_oid.c,v 1.4 2006/10/07 22:15:10 lha Exp $");
RCSID("$Id: inquire_cred_by_oid.c,v 1.5 2006/11/13 18:02:24 lha Exp $");
OM_uint32 _gsskrb5_inquire_cred_by_oid
(OM_uint32 * minor_status,
@@ -40,11 +40,14 @@ OM_uint32 _gsskrb5_inquire_cred_by_oid
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
krb5_context context;
gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
krb5_error_code ret;
gss_buffer_desc buffer;
char *str;
GSSAPI_KRB5_INIT (&context);
if (gss_oid_equal(desired_object, GSS_KRB5_COPY_CCACHE_X) == 0) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
@@ -58,11 +61,10 @@ OM_uint32 _gsskrb5_inquire_cred_by_oid
return GSS_S_FAILURE;
}
ret = krb5_cc_get_full_name(_gsskrb5_context, cred->ccache, &str);
ret = krb5_cc_get_full_name(context, cred->ccache, &str);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
if (ret) {
*minor_status = ret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}

49
source/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
View File

@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: inquire_sec_context_by_oid.c,v 1.11 2006/11/07 14:34:35 lha Exp $");
RCSID("$Id: inquire_sec_context_by_oid.c,v 1.12 2006/11/13 18:02:27 lha Exp $");
static int
oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
@@ -106,6 +106,7 @@ enum keytype { ACCEPTOR_KEY, INITIATOR_KEY, TOKEN_KEY };
static OM_uint32 inquire_sec_context_get_subkey
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
enum keytype keytype,
gss_buffer_set_t *data_set)
{
@@ -127,19 +128,13 @@ static OM_uint32 inquire_sec_context_get_subkey
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
switch(keytype) {
case ACCEPTOR_KEY:
ret = _gsskrb5i_get_acceptor_subkey(context_handle, &key);
if (ret)
_gsskrb5_set_error_string ();
ret = _gsskrb5i_get_acceptor_subkey(context_handle, context, &key);
break;
case INITIATOR_KEY:
ret = _gsskrb5i_get_initiator_subkey(context_handle, &key);
if (ret)
_gsskrb5_set_error_string ();
ret = _gsskrb5i_get_initiator_subkey(context_handle, context, &key);
break;
case TOKEN_KEY:
ret = _gsskrb5i_get_token_key(context_handle, &key);
if (ret)
_gsskrb5_set_error_string ();
ret = _gsskrb5i_get_token_key(context_handle, context, &key);
break;
default:
_gsskrb5_set_status("%d is not a valid subkey type", keytype);
@@ -156,17 +151,13 @@ static OM_uint32 inquire_sec_context_get_subkey
}
ret = krb5_store_keyblock(sp, *key);
krb5_free_keyblock (_gsskrb5_context, key);
if (ret) {
_gsskrb5_set_error_string ();
krb5_free_keyblock (context, key);
if (ret)
goto out;
}
ret = krb5_storage_to_data(sp, &data);
if (ret) {
_gsskrb5_set_error_string ();
if (ret)
goto out;
}
{
gss_buffer_desc value;
@@ -193,6 +184,7 @@ out:
static OM_uint32 inquire_sec_context_authz_data
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
unsigned ad_type,
gss_buffer_set_t *data_set)
{
@@ -211,13 +203,12 @@ static OM_uint32 inquire_sec_context_authz_data
return GSS_S_NO_CONTEXT;
}
ret = krb5_ticket_get_authorization_data_type(_gsskrb5_context,
ret = krb5_ticket_get_authorization_data_type(context,
context_handle->ticket,
ad_type,
&data);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -276,6 +267,7 @@ static OM_uint32 inquire_sec_context_has_updated_spnego
static OM_uint32
export_lucid_sec_context_v1(OM_uint32 *minor_status,
gsskrb5_ctx context_handle,
krb5_context context,
gss_buffer_set_t *data_set)
{
krb5_storage *sp = NULL;
@@ -288,8 +280,6 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
*minor_status = 0;
GSSAPI_KRB5_INIT ();
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
_gsskrb5i_is_cfx(context_handle, &is_cfx);
@@ -307,12 +297,12 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
if (ret) goto out;
ret = krb5_store_int32(sp, context_handle->lifetime);
if (ret) goto out;
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
context_handle->auth_context,
&number);
ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
ret = krb5_store_uint32(sp, (uint32_t)number);
krb5_auth_getremoteseqnumber (_gsskrb5_context,
krb5_auth_getremoteseqnumber (context,
context_handle->auth_context,
&number);
ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
@@ -320,7 +310,7 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
ret = krb5_store_int32(sp, (is_cfx) ? 1 : 0);
if (ret) goto out;
ret = _gsskrb5i_get_token_key(context_handle, &key);
ret = _gsskrb5i_get_token_key(context_handle, context, &key);
if (ret) goto out;
if (is_cfx == 0) {
@@ -387,7 +377,7 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
out:
if (key)
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
if (sp)
krb5_storage_free(sp);
if (ret) {
@@ -485,7 +475,6 @@ out:
if (sp)
krb5_storage_free(sp);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
maj_stat = GSS_S_FAILURE;
}
@@ -501,6 +490,7 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
krb5_context context;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
unsigned suffix;
@@ -509,6 +499,8 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
return GSS_S_NO_CONTEXT;
}
GSSAPI_KRB5_INIT (&context);
if (gss_oid_equal(desired_object, GSS_KRB5_GET_TKT_FLAGS_X)) {
return inquire_sec_context_tkt_flags(minor_status,
ctx,
@@ -520,16 +512,19 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SUBKEY_X)) {
return inquire_sec_context_get_subkey(minor_status,
ctx,
context,
TOKEN_KEY,
data_set);
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_INITIATOR_SUBKEY_X)) {
return inquire_sec_context_get_subkey(minor_status,
ctx,
context,
INITIATOR_KEY,
data_set);
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X)) {
return inquire_sec_context_get_subkey(minor_status,
ctx,
context,
ACCEPTOR_KEY,
data_set);
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
@@ -539,6 +534,7 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
&suffix)) {
return inquire_sec_context_authz_data(minor_status,
ctx,
context,
suffix,
data_set);
} else if (oid_prefix_equal(desired_object,
@@ -547,6 +543,7 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
if (suffix == 1)
return export_lucid_sec_context_v1(minor_status,
ctx,
context,
data_set);
*minor_status = 0;
return GSS_S_FAILURE;

6
source/heimdal/lib/gssapi/krb5/process_context_token.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: process_context_token.c,v 1.4 2006/10/07 22:15:19 lha Exp $");
RCSID("$Id: process_context_token.c,v 1.5 2006/11/13 18:02:30 lha Exp $");
OM_uint32 _gsskrb5_process_context_token (
OM_uint32 *minor_status,
@@ -41,6 +41,7 @@ OM_uint32 _gsskrb5_process_context_token (
const gss_buffer_t token_buffer
)
{
krb5_context context;
OM_uint32 ret = GSS_S_FAILURE;
gss_buffer_desc empty_buffer;
gss_qop_t qop_state;
@@ -48,10 +49,13 @@ OM_uint32 _gsskrb5_process_context_token (
empty_buffer.length = 0;
empty_buffer.value = NULL;
GSSAPI_KRB5_INIT (&context);
qop_state = GSS_C_QOP_DEFAULT;
ret = _gsskrb5_verify_mic_internal(minor_status,
(gsskrb5_ctx)context_handle,
context,
token_buffer, &empty_buffer,
GSS_C_QOP_DEFAULT, "\x01\x02");

15
source/heimdal/lib/gssapi/krb5/release_cred.c
View File

@@ -33,13 +33,14 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: release_cred.c,v 1.13 2006/10/07 22:15:24 lha Exp $");
RCSID("$Id: release_cred.c,v 1.14 2006/11/13 18:02:34 lha Exp $");
OM_uint32 _gsskrb5_release_cred
(OM_uint32 * minor_status,
gss_cred_id_t * cred_handle
)
{
krb5_context context;
gsskrb5_cred cred;
*minor_status = 0;
@@ -50,21 +51,21 @@ OM_uint32 _gsskrb5_release_cred
cred = (gsskrb5_cred)*cred_handle;
*cred_handle = GSS_C_NO_CREDENTIAL;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (cred->principal != NULL)
krb5_free_principal(_gsskrb5_context, cred->principal);
krb5_free_principal(context, cred->principal);
if (cred->keytab != NULL)
krb5_kt_close(_gsskrb5_context, cred->keytab);
krb5_kt_close(context, cred->keytab);
if (cred->ccache != NULL) {
const krb5_cc_ops *ops;
ops = krb5_cc_get_ops(_gsskrb5_context, cred->ccache);
ops = krb5_cc_get_ops(context, cred->ccache);
if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
krb5_cc_destroy(_gsskrb5_context, cred->ccache);
krb5_cc_destroy(context, cred->ccache);
else
krb5_cc_close(_gsskrb5_context, cred->ccache);
krb5_cc_close(context, cred->ccache);
}
_gsskrb5_release_oid_set(NULL, &cred->mechanisms);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);

9
source/heimdal/lib/gssapi/krb5/release_name.c
View File

@@ -33,23 +33,24 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: release_name.c,v 1.10 2006/10/07 22:15:26 lha Exp $");
RCSID("$Id: release_name.c,v 1.11 2006/11/13 18:02:37 lha Exp $");
OM_uint32 _gsskrb5_release_name
(OM_uint32 * minor_status,
gss_name_t * input_name
)
{
krb5_context context;
krb5_principal name = (krb5_principal)*input_name;
GSSAPI_KRB5_INIT ();
if (minor_status)
*minor_status = 0;
GSSAPI_KRB5_INIT (&context);
*input_name = GSS_C_NO_NAME;
krb5_free_principal(_gsskrb5_context, name);
krb5_free_principal(context, name);
return GSS_S_COMPLETE;
}

21
source/heimdal/lib/gssapi/krb5/set_cred_option.c
View File

@@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: set_cred_option.c,v 1.4 2006/10/24 20:14:13 lha Exp $");
RCSID("$Id: set_cred_option.c,v 1.5 2006/11/13 18:02:39 lha Exp $");
static gss_OID_desc gss_krb5_import_cred_x_oid_desc =
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */
@@ -41,6 +41,7 @@ gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc;
static OM_uint32
import_cred(OM_uint32 *minor_status,
krb5_context context,
gss_cred_id_t *cred_handle,
const gss_buffer_t value)
{
@@ -71,7 +72,7 @@ import_cred(OM_uint32 *minor_status,
goto out;
}
if (str[0]) {
ret = krb5_cc_resolve(_gsskrb5_context, str, &id);
ret = krb5_cc_resolve(context, str, &id);
if (ret) {
*minor_status = ret;
major_stat = GSS_S_FAILURE;
@@ -84,7 +85,7 @@ import_cred(OM_uint32 *minor_status,
/* keytab principal name */
ret = krb5_ret_string(sp, &str);
if (ret == 0 && str[0])
ret = krb5_parse_name(_gsskrb5_context, str, &keytab_principal);
ret = krb5_parse_name(context, str, &keytab_principal);
if (ret) {
*minor_status = ret;
major_stat = GSS_S_FAILURE;
@@ -101,7 +102,7 @@ import_cred(OM_uint32 *minor_status,
goto out;
}
if (str[0]) {
ret = krb5_kt_resolve(_gsskrb5_context, str, &keytab);
ret = krb5_kt_resolve(context, str, &keytab);
if (ret) {
*minor_status = ret;
major_stat = GSS_S_FAILURE;
@@ -115,11 +116,11 @@ import_cred(OM_uint32 *minor_status,
keytab, cred_handle);
out:
if (id)
krb5_cc_close(_gsskrb5_context, id);
krb5_cc_close(context, id);
if (keytab_principal)
krb5_free_principal(_gsskrb5_context, keytab_principal);
krb5_free_principal(context, keytab_principal);
if (keytab)
krb5_kt_close(_gsskrb5_context, keytab);
krb5_kt_close(context, keytab);
if (str)
free(str);
if (sp)
@@ -136,7 +137,9 @@ _gsskrb5_set_cred_option
const gss_OID desired_object,
const gss_buffer_t value)
{
GSSAPI_KRB5_INIT ();
krb5_context context;
GSSAPI_KRB5_INIT (&context);
if (value == GSS_C_NO_BUFFER) {
*minor_status = EINVAL;
@@ -144,7 +147,7 @@ _gsskrb5_set_cred_option
}
if (gss_oid_equal(desired_object, GSS_KRB5_IMPORT_CRED_X)) {
return import_cred(minor_status, cred_handle, value);
return import_cred(minor_status, context, cred_handle, value);
}
*minor_status = EINVAL;

15
source/heimdal/lib/gssapi/krb5/set_sec_context_option.c
View File

@@ -36,7 +36,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: set_sec_context_option.c,v 1.8 2006/11/08 23:06:42 lha Exp $");
RCSID("$Id: set_sec_context_option.c,v 1.10 2006/12/14 11:02:16 lha Exp $");
static OM_uint32
get_bool(OM_uint32 *minor_status,
@@ -58,9 +58,10 @@ _gsskrb5_set_sec_context_option
const gss_OID desired_object,
const gss_buffer_t value)
{
krb5_context context;
OM_uint32 maj_stat;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
if (value == GSS_C_NO_BUFFER) {
*minor_status = EINVAL;
@@ -96,7 +97,7 @@ _gsskrb5_set_sec_context_option
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
krb5_set_dns_canonicalize_hostname(_gsskrb5_context, flag);
krb5_set_dns_canonicalize_hostname(context, flag);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) {
@@ -128,14 +129,14 @@ _gsskrb5_set_sec_context_option
return GSS_S_CALL_INACCESSIBLE_READ;
}
str = malloc(value->length + 1);
if (str) {
if (str == NULL) {
*minor_status = 0;
return GSS_S_UNAVAILABLE;
}
memcpy(str, value->value, value->length);
str[value->length] = '\0';
krb5_set_default_realm(_gsskrb5_context, str);
krb5_set_default_realm(context, str);
free(str);
*minor_status = 0;
@@ -144,7 +145,7 @@ _gsskrb5_set_sec_context_option
} else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
if (value == NULL || value->length == 0) {
krb5_set_send_to_kdc_func(_gsskrb5_context, NULL, NULL);
krb5_set_send_to_kdc_func(context, NULL, NULL);
} else {
struct gsskrb5_send_to_kdc c;
@@ -153,7 +154,7 @@ _gsskrb5_set_sec_context_option
return GSS_S_FAILURE;
}
memcpy(&c, value->value, sizeof(c));
krb5_set_send_to_kdc_func(_gsskrb5_context,
krb5_set_send_to_kdc_func(context,
(krb5_send_to_kdc_func)c.func,
c.ptr);
}

43
source/heimdal/lib/gssapi/krb5/unwrap.c
View File

@@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: unwrap.c,v 1.38 2006/10/18 15:59:28 lha Exp $");
RCSID("$Id: unwrap.c,v 1.39 2006/11/13 18:02:51 lha Exp $");
static OM_uint32
unwrap_des
@@ -175,6 +175,7 @@ static OM_uint32
unwrap_des3
(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int * conf_state,
@@ -226,18 +227,16 @@ unwrap_des3
/* decrypt data */
krb5_data tmp;
ret = krb5_crypto_init(_gsskrb5_context, key,
ret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_decrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL,
ret = krb5_decrypt(context, crypto, KRB5_KU_USAGE_SEAL,
p, input_message_buffer->length - len, &tmp);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -259,10 +258,9 @@ unwrap_des3
p -= 28;
ret = krb5_crypto_init(_gsskrb5_context, key,
ret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_FAILURE;
@@ -271,15 +269,14 @@ unwrap_des3
DES_cblock ivec;
memcpy(&ivec, p + 8, 8);
ret = krb5_decrypt_ivec (_gsskrb5_context,
ret = krb5_decrypt_ivec (context,
crypto,
KRB5_KU_USAGE_SEQ,
p, 8, &seq_data,
&ivec);
}
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_FAILURE;
@@ -325,21 +322,19 @@ unwrap_des3
csum.checksum.length = 20;
csum.checksum.data = cksum;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_verify_checksum (_gsskrb5_context, crypto,
ret = krb5_verify_checksum (context, crypto,
KRB5_KU_USAGE_SIGN,
p + 20,
input_message_buffer->length - len + 8,
&csum);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -367,6 +362,7 @@ OM_uint32 _gsskrb5_unwrap
)
{
krb5_keyblock *key;
krb5_context context;
OM_uint32 ret;
krb5_keytype keytype;
gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;
@@ -374,17 +370,18 @@ OM_uint32 _gsskrb5_unwrap
output_message_buffer->value = NULL;
output_message_buffer->length = 0;
GSSAPI_KRB5_INIT (&context);
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, &key);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
*minor_status = 0;
@@ -395,22 +392,22 @@ OM_uint32 _gsskrb5_unwrap
conf_state, qop_state, key);
break;
case KEYTYPE_DES3 :
ret = unwrap_des3 (minor_status, ctx,
ret = unwrap_des3 (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_unwrap_arcfour (minor_status, ctx,
ret = _gssapi_unwrap_arcfour (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
default :
ret = _gssapi_unwrap_cfx (minor_status, ctx,
ret = _gssapi_unwrap_cfx (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
return ret;
}

45
source/heimdal/lib/gssapi/krb5/verify_mic.c
View File

@@ -33,12 +33,13 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: verify_mic.c,v 1.36 2006/10/18 15:59:30 lha Exp $");
RCSID("$Id: verify_mic.c,v 1.37 2006/11/13 18:02:54 lha Exp $");
static OM_uint32
verify_mic_des
(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -131,6 +132,7 @@ static OM_uint32
verify_mic_des3
(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -164,10 +166,9 @@ verify_mic_des3
return GSS_S_BAD_MIC;
p += 4;
ret = krb5_crypto_init(_gsskrb5_context, key,
ret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret){
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -180,14 +181,13 @@ retry:
else
memcpy(ivec, p + 8, 8);
ret = krb5_decrypt_ivec (_gsskrb5_context,
ret = krb5_decrypt_ivec (context,
crypto,
KRB5_KU_USAGE_SEQ,
p, 8, &seq_data, ivec);
if (ret) {
if (docompat++) {
_gsskrb5_set_error_string ();
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
*minor_status = ret;
return GSS_S_FAILURE;
} else
@@ -197,7 +197,7 @@ retry:
if (seq_data.length != 8) {
krb5_data_free (&seq_data);
if (docompat++) {
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
return GSS_S_BAD_MIC;
} else
goto retry;
@@ -215,7 +215,7 @@ retry:
krb5_data_free (&seq_data);
if (cmp != 0) {
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_BAD_MIC;
@@ -223,7 +223,7 @@ retry:
ret = _gssapi_msg_order_check(context_handle->order, seq_number);
if (ret) {
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return ret;
@@ -233,7 +233,7 @@ retry:
tmp = malloc (message_buffer->length + 8);
if (tmp == NULL) {
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
@@ -246,21 +246,20 @@ retry:
csum.checksum.length = 20;
csum.checksum.data = p + 8;
ret = krb5_verify_checksum (_gsskrb5_context, crypto,
ret = krb5_verify_checksum (context, crypto,
KRB5_KU_USAGE_SIGN,
tmp, message_buffer->length + 8,
&csum);
free (tmp);
if (ret) {
_gsskrb5_set_error_string ();
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
*minor_status = ret;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_BAD_MIC;
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
return GSS_S_COMPLETE;
}
@@ -268,6 +267,7 @@ OM_uint32
_gsskrb5_verify_mic_internal
(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -279,39 +279,40 @@ _gsskrb5_verify_mic_internal
krb5_keytype keytype;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(context_handle, &key);
ret = _gsskrb5i_get_token_key(context_handle, context, &key);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
*minor_status = 0;
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = verify_mic_des (minor_status, context_handle,
ret = verify_mic_des (minor_status, context_handle, context,
message_buffer, token_buffer, qop_state, key,
type);
break;
case KEYTYPE_DES3 :
ret = verify_mic_des3 (minor_status, context_handle,
ret = verify_mic_des3 (minor_status, context_handle, context,
message_buffer, token_buffer, qop_state, key,
type);
break;
case KEYTYPE_ARCFOUR :
case KEYTYPE_ARCFOUR_56 :
ret = _gssapi_verify_mic_arcfour (minor_status, context_handle,
context,
message_buffer, token_buffer,
qop_state, key, type);
break;
default :
ret = _gssapi_verify_mic_cfx (minor_status, context_handle,
context,
message_buffer, token_buffer, qop_state,
key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
return ret;
}
@@ -325,13 +326,17 @@ _gsskrb5_verify_mic
gss_qop_t * qop_state
)
{
krb5_context context;
OM_uint32 ret;
GSSAPI_KRB5_INIT (&context);
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
ret = _gsskrb5_verify_mic_internal(minor_status,
(gsskrb5_ctx)context_handle,
context,
message_buffer, token_buffer,
qop_state, "\x01\x01");

109
source/heimdal/lib/gssapi/krb5/wrap.c
View File

@@ -33,74 +33,80 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: wrap.c,v 1.37 2006/10/18 15:59:33 lha Exp $");
RCSID("$Id: wrap.c,v 1.39 2006/11/14 09:49:56 lha Exp $");
/*
* Return initiator subkey, or if that doesn't exists, the subkey.
*/
krb5_error_code
_gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx, krb5_keyblock **key)
_gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx,
krb5_context context,
krb5_keyblock **key)
{
krb5_error_code ret;
*key = NULL;
if (ctx->more_flags & LOCAL) {
ret = krb5_auth_con_getlocalsubkey(_gsskrb5_context,
ret = krb5_auth_con_getlocalsubkey(context,
ctx->auth_context,
key);
} else {
ret = krb5_auth_con_getremotesubkey(_gsskrb5_context,
ret = krb5_auth_con_getremotesubkey(context,
ctx->auth_context,
key);
}
if (*key == NULL)
ret = krb5_auth_con_getkey(_gsskrb5_context,
if (ret == 0 && *key == NULL)
ret = krb5_auth_con_getkey(context,
ctx->auth_context,
key);
if (*key == NULL) {
_gsskrb5_set_status("No initiator subkey available");
if (ret == 0 && *key == NULL) {
krb5_set_error_string(context, "No initiator subkey available");
return GSS_KRB5_S_KG_NO_SUBKEY;
}
return ret;
}
krb5_error_code
_gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx, krb5_keyblock **key)
_gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx,
krb5_context context,
krb5_keyblock **key)
{
krb5_error_code ret;
*key = NULL;
if (ctx->more_flags & LOCAL) {
ret = krb5_auth_con_getremotesubkey(_gsskrb5_context,
ret = krb5_auth_con_getremotesubkey(context,
ctx->auth_context,
key);
} else {
ret = krb5_auth_con_getlocalsubkey(_gsskrb5_context,
ret = krb5_auth_con_getlocalsubkey(context,
ctx->auth_context,
key);
}
if (*key == NULL) {
_gsskrb5_set_status("No acceptor subkey available");
if (ret == 0 && *key == NULL) {
krb5_set_error_string(context, "No acceptor subkey available");
return GSS_KRB5_S_KG_NO_SUBKEY;
}
return ret;
}
OM_uint32
_gsskrb5i_get_token_key(const gsskrb5_ctx ctx, krb5_keyblock **key)
_gsskrb5i_get_token_key(const gsskrb5_ctx ctx,
krb5_context context,
krb5_keyblock **key)
{
_gsskrb5i_get_acceptor_subkey(ctx, key);
_gsskrb5i_get_acceptor_subkey(ctx, context, key);
if(*key == NULL) {
/*
* Only use the initiator subkey or ticket session key if an
* acceptor subkey was not required.
*/
if ((ctx->more_flags & ACCEPTOR_SUBKEY) == 0)
_gsskrb5i_get_initiator_subkey(ctx, key);
_gsskrb5i_get_initiator_subkey(ctx, context, key);
}
if (*key == NULL) {
_gsskrb5_set_status("No token key available");
krb5_set_error_string(context, "No token key available");
return GSS_KRB5_S_KG_NO_SUBKEY;
}
return 0;
@@ -140,20 +146,22 @@ _gsskrb5_wrap_size_limit (
OM_uint32 * max_input_size
)
{
krb5_context context;
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, &key);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
@@ -161,7 +169,7 @@ _gsskrb5_wrap_size_limit (
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_wrap_size_arcfour(minor_status, ctx,
ret = _gssapi_wrap_size_arcfour(minor_status, ctx, context,
conf_req_flag, qop_req,
req_output_size, max_input_size, key);
break;
@@ -169,12 +177,12 @@ _gsskrb5_wrap_size_limit (
ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
break;
default :
ret = _gssapi_wrap_size_cfx(minor_status, ctx,
ret = _gssapi_wrap_size_cfx(minor_status, ctx, context,
conf_req_flag, qop_req,
req_output_size, max_input_size, key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
*minor_status = 0;
return ret;
}
@@ -183,6 +191,7 @@ static OM_uint32
wrap_des
(OM_uint32 * minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -257,9 +266,9 @@ wrap_des
/* sequence number */
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
krb5_auth_con_getlocalseqnumber (context,
ctx->auth_context,
&seq_number);
p -= 16;
p[0] = (seq_number >> 0) & 0xFF;
@@ -274,7 +283,7 @@ wrap_des
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -309,6 +318,7 @@ static OM_uint32
wrap_des3
(OM_uint32 * minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -365,9 +375,8 @@ wrap_des3
input_message_buffer->length);
memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -375,16 +384,15 @@ wrap_des3
return GSS_S_FAILURE;
}
ret = krb5_create_checksum (_gsskrb5_context,
ret = krb5_create_checksum (context,
crypto,
KRB5_KU_USAGE_SIGN,
0,
p + 20,
datalen + 8,
&cksum);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -400,7 +408,7 @@ wrap_des3
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
ctx->auth_context,
&seq_number);
@@ -413,7 +421,7 @@ wrap_des3
4);
ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE,
ret = krb5_crypto_init(context, key, ETYPE_DES3_CBC_NONE,
&crypto);
if (ret) {
free (output_message_buffer->value);
@@ -427,15 +435,14 @@ wrap_des3
DES_cblock ivec;
memcpy (&ivec, p + 8, 8);
ret = krb5_encrypt_ivec (_gsskrb5_context,
ret = krb5_encrypt_ivec (context,
crypto,
KRB5_KU_USAGE_SEQ,
seq, 8, &encdata,
&ivec);
}
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -448,7 +455,7 @@ wrap_des3
memcpy (p, encdata.data, encdata.length);
krb5_data_free (&encdata);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -459,21 +466,19 @@ wrap_des3
if(conf_req_flag) {
krb5_data tmp;
ret = krb5_crypto_init(_gsskrb5_context, key,
ret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_encrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL,
ret = krb5_encrypt(context, crypto, KRB5_KU_USAGE_SEAL,
p, datalen, &tmp);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -501,44 +506,46 @@ OM_uint32 _gsskrb5_wrap
gss_buffer_t output_message_buffer
)
{
krb5_context context;
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, &key);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = wrap_des (minor_status, ctx, conf_req_flag,
ret = wrap_des (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
case KEYTYPE_DES3 :
ret = wrap_des3 (minor_status, ctx, conf_req_flag,
ret = wrap_des3 (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_wrap_arcfour (minor_status, ctx, conf_req_flag,
ret = _gssapi_wrap_arcfour (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
default :
ret = _gssapi_wrap_cfx (minor_status, ctx, conf_req_flag,
ret = _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
return ret;
}

13
source/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
View File

@@ -27,7 +27,7 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_accept_sec_context.c,v 1.7 2006/11/10 03:30:12 lha Exp $");
RCSID("$Id: gss_accept_sec_context.c,v 1.9 2006/12/15 20:12:20 lha Exp $");
static OM_uint32
parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
@@ -91,6 +91,8 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
static gss_OID_desc krb5_mechanism =
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
static gss_OID_desc ntlm_mechanism =
{10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")};
static gss_OID_desc spnego_mechanism =
{6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02")};
@@ -112,7 +114,14 @@ choose_mech(const gss_buffer_t input, gss_OID mech_oid)
* Lets guess what mech is really is, callback function to mech ??
*/
if (input->length != 0 && ((const char *)input->value)[0] == 0x6E) {
if (input->length > 8 &&
memcmp((const char *)input->value, "NTLMSSP\x00", 8) == 0)
{
*mech_oid = ntlm_mechanism;
return GSS_S_COMPLETE;
} else if (input->length != 0 &&
((const char *)input->value)[0] == 0x6E)
{
/* Could be a raw AP-REQ (check for APPLICATION tag) */
*mech_oid = krb5_mechanism;
return GSS_S_COMPLETE;

30
source/heimdal/lib/gssapi/mech/gss_init_sec_context.c
View File

@@ -27,7 +27,23 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_init_sec_context.c,v 1.3 2006/07/06 22:30:09 lha Exp $");
RCSID("$Id: gss_init_sec_context.c,v 1.4 2006/11/14 12:33:11 lha Exp $");
static gss_cred_id_t
_gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
{
struct _gss_cred *cred = (struct _gss_cred *)cred_handle;
struct _gss_mechanism_cred *mc;
if (cred == NULL)
return GSS_C_NO_CREDENTIAL;
SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
if (gss_oid_equal(mech_type, mc->gmc_mech_oid))
return mc->gmc_cred;
}
return GSS_C_NO_CREDENTIAL;
}
OM_uint32
gss_init_sec_context(OM_uint32 * minor_status,
@@ -49,8 +65,6 @@ gss_init_sec_context(OM_uint32 * minor_status,
struct _gss_name *name = (struct _gss_name *) target_name;
struct _gss_mechanism_name *mn;
struct _gss_context *ctx = (struct _gss_context *) *context_handle;
struct _gss_cred *cred = (struct _gss_cred *) initiator_cred_handle;
struct _gss_mechanism_cred *mc;
gss_cred_id_t cred_handle;
int allocated_ctx;
gss_OID mech_type = input_mech_type;
@@ -97,15 +111,7 @@ gss_init_sec_context(OM_uint32 * minor_status,
/*
* If we have a cred, find the cred for this mechanism.
*/
cred_handle = GSS_C_NO_CREDENTIAL;
if (cred) {
SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
if (gss_oid_equal(mech_type, mc->gmc_mech_oid)) {
cred_handle = mc->gmc_cred;
break;
}
}
}
cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
major_status = m->gm_init_sec_context(minor_status,
cred_handle,

5
source/heimdal/lib/gssapi/mech/gss_mech_switch.c
View File

@@ -28,7 +28,7 @@
#include "mech_locl.h"
#include <heim_threads.h>
RCSID("$Id: gss_mech_switch.c,v 1.7 2006/10/09 11:13:30 lha Exp $");
RCSID("$Id: gss_mech_switch.c,v 1.8 2006/12/15 20:05:43 lha Exp $");
#ifndef _PATH_GSS_MECH
#define _PATH_GSS_MECH "/etc/gss/mech"
@@ -169,6 +169,8 @@ add_builtin(gssapi_mech_interface mech)
{
struct _gss_mech_switch *m;
OM_uint32 minor_status;
if (!mech)
return 0;
m = malloc(sizeof(*m));
if (m == NULL)
@@ -214,6 +216,7 @@ _gss_load_mech(void)
add_builtin(__gss_krb5_initialize());
add_builtin(__gss_spnego_initialize());
add_builtin(__gss_ntlm_initialize());
fp = fopen(_PATH_GSS_MECH, "r");
if (!fp) {

4
source/heimdal/lib/gssapi/mech/gss_set_cred_option.c
View File

@@ -31,7 +31,7 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_set_cred_option.c,v 1.7 2006/07/01 08:50:49 lha Exp $");
RCSID("$Id: gss_set_cred_option.c,v 1.8 2006/11/13 08:59:43 lha Exp $");
OM_uint32
gss_set_cred_option (OM_uint32 *minor_status,
@@ -102,7 +102,7 @@ gss_set_cred_option (OM_uint32 *minor_status,
major_status = m->gm_set_cred_option(minor_status,
&mc->gmc_cred, object, value);
if (major_status == GSS_S_BAD_MECH)
if (major_status == GSS_S_COMPLETE)
one_ok = 1;
}
}

13
source/heimdal/lib/gssapi/mech/gss_utils.c
View File

@@ -27,7 +27,7 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_utils.c,v 1.2 2006/06/28 09:00:25 lha Exp $");
RCSID("$Id: gss_utils.c,v 1.3 2006/12/18 13:01:25 lha Exp $");
OM_uint32
_gss_copy_oid(OM_uint32 *minor_status,
@@ -46,6 +46,17 @@ _gss_copy_oid(OM_uint32 *minor_status,
return (GSS_S_COMPLETE);
}
OM_uint32
_gss_free_oid(OM_uint32 *minor_status, gss_OID oid)
{
*minor_status = 0;
if (oid->elements) {
free(oid->elements);
oid->elements = NULL;
oid->length = 0;
}
return (GSS_S_COMPLETE);
}
OM_uint32
_gss_copy_buffer(OM_uint32 *minor_status,

3
source/heimdal/lib/gssapi/mech/utils.h
View File

@@ -24,9 +24,10 @@
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/utils.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
* $Id: utils.h,v 1.3 2006/07/20 01:48:25 lha Exp $
* $Id: utils.h,v 1.4 2006/12/18 13:01:40 lha Exp $
*/
OM_uint32 _gss_free_oid(OM_uint32 *, gss_OID);
OM_uint32 _gss_copy_oid(OM_uint32 *, const gss_OID, gss_OID);
OM_uint32 _gss_copy_buffer(OM_uint32 *minor_status,
const gss_buffer_t from_buf, gss_buffer_t to_buf);

992
source/heimdal/lib/gssapi/spnego/accept_sec_context.c
View File

File diff suppressed because it is too large Load Diff

180
source/heimdal/lib/gssapi/spnego/compat.c
View File

@@ -32,7 +32,7 @@
#include "spnego/spnego_locl.h"
RCSID("$Id: compat.c,v 1.6 2006/10/07 22:26:59 lha Exp $");
RCSID("$Id: compat.c,v 1.9 2006/12/18 17:52:26 lha Exp $");
/*
* Apparently Microsoft got the OID wrong, and used
@@ -42,10 +42,10 @@ RCSID("$Id: compat.c,v 1.6 2006/10/07 22:26:59 lha Exp $");
* prefer to deal with this here rather than inside the
* Kerberos mechanism.
*/
static gss_OID_desc gss_mskrb_mechanism_oid_desc =
gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc =
{9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"};
static gss_OID_desc gss_krb5_mechanism_oid_desc =
gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc =
{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
/*
@@ -191,8 +191,8 @@ _gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
if (*require_mic) {
if (gss_oid_equal(ctx->negotiated_mech_type, ctx->preferred_mech_type)) {
*require_mic = 0;
} else if (gss_oid_equal(ctx->negotiated_mech_type, &gss_krb5_mechanism_oid_desc) &&
gss_oid_equal(ctx->preferred_mech_type, &gss_mskrb_mechanism_oid_desc)) {
} else if (gss_oid_equal(ctx->negotiated_mech_type, &_gss_spnego_krb5_mechanism_oid_desc) &&
gss_oid_equal(ctx->preferred_mech_type, &_gss_spnego_mskrb_mechanism_oid_desc)) {
*require_mic = 0;
}
}
@@ -200,86 +200,122 @@ _gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
int _gss_spnego_add_mech_type(gss_OID mech_type,
int includeMSCompatOID,
MechTypeList *mechtypelist)
static int
add_mech_type(gss_OID mech_type,
int includeMSCompatOID,
MechTypeList *mechtypelist)
{
MechType mech;
int ret;
if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM))
return 0;
if (includeMSCompatOID &&
gss_oid_equal(mech_type, &gss_krb5_mechanism_oid_desc)) {
ret = der_get_oid(gss_mskrb_mechanism_oid_desc.elements,
gss_mskrb_mechanism_oid_desc.length,
&mechtypelist->val[mechtypelist->len],
gss_oid_equal(mech_type, &_gss_spnego_krb5_mechanism_oid_desc)) {
ret = der_get_oid(_gss_spnego_mskrb_mechanism_oid_desc.elements,
_gss_spnego_mskrb_mechanism_oid_desc.length,
&mech,
NULL);
if (ret)
return ret;
mechtypelist->len++;
ret = add_MechTypeList(mechtypelist, &mech);
free_MechType(&mech);
if (ret)
return ret;
}
ret = der_get_oid(mech_type->elements,
mech_type->length,
&mechtypelist->val[mechtypelist->len],
NULL);
ret = der_get_oid(mech_type->elements, mech_type->length, &mech, NULL);
if (ret)
return ret;
mechtypelist->len++;
return 0;
}
OM_uint32
_gss_spnego_select_mech(OM_uint32 *minor_status,
MechType *mechType,
gss_OID *mech_p)
{
char mechbuf[64];
size_t mech_len;
gss_OID_desc oid;
OM_uint32 ret;
ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
sizeof(mechbuf),
mechType,
&mech_len);
if (ret) {
return GSS_S_DEFECTIVE_TOKEN;
}
oid.length = mech_len;
oid.elements = mechbuf + sizeof(mechbuf) - mech_len;
if (gss_oid_equal(&oid, GSS_SPNEGO_MECHANISM)) {
return GSS_S_BAD_MECH;
}
*minor_status = 0;
/* Translate broken MS Kebreros OID */
if (gss_oid_equal(&oid, &gss_mskrb_mechanism_oid_desc)) {
gssapi_mech_interface mech;
mech = __gss_get_mechanism(&gss_krb5_mechanism_oid_desc);
if (mech == NULL)
return GSS_S_BAD_MECH;
ret = gss_duplicate_oid(minor_status,
&gss_mskrb_mechanism_oid_desc,
mech_p);
} else {
gssapi_mech_interface mech;
mech = __gss_get_mechanism(&oid);
if (mech == NULL)
return GSS_S_BAD_MECH;
ret = gss_duplicate_oid(minor_status,
&mech->gm_mech_oid,
mech_p);
}
ret = add_MechTypeList(mechtypelist, &mech);
free_MechType(&mech);
return ret;
}
OM_uint32
_gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
gss_name_t target_name,
OM_uint32 (*func)(gss_name_t, gss_OID),
int includeMSCompatOID,
const gssspnego_cred cred_handle,
MechTypeList *mechtypelist,
gss_OID *preferred_mech)
{
gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
gss_OID first_mech = GSS_C_NO_OID;
OM_uint32 ret;
int i;
mechtypelist->len = 0;
mechtypelist->val = NULL;
if (cred_handle != NULL) {
ret = gss_inquire_cred(minor_status,
cred_handle->negotiated_cred_id,
NULL,
NULL,
NULL,
&supported_mechs);
} else {
ret = gss_indicate_mechs(minor_status, &supported_mechs);
}
if (ret != GSS_S_COMPLETE) {
return ret;
}
if (supported_mechs->count == 0) {
*minor_status = ENOENT;
gss_release_oid_set(minor_status, &supported_mechs);
return GSS_S_FAILURE;
}
ret = (*func)(target_name, GSS_KRB5_MECHANISM);
if (ret == GSS_S_COMPLETE) {
ret = add_mech_type(GSS_KRB5_MECHANISM,
includeMSCompatOID,
mechtypelist);
if (!GSS_ERROR(ret))
first_mech = GSS_KRB5_MECHANISM;
}
ret = GSS_S_COMPLETE;
for (i = 0; i < supported_mechs->count; i++) {
OM_uint32 subret;
if (gss_oid_equal(&supported_mechs->elements[i], GSS_SPNEGO_MECHANISM))
continue;
if (gss_oid_equal(&supported_mechs->elements[i], GSS_KRB5_MECHANISM))
continue;
subret = (*func)(target_name, &supported_mechs->elements[i]);
if (subret != GSS_S_COMPLETE)
continue;
ret = add_mech_type(&supported_mechs->elements[i],
includeMSCompatOID,
mechtypelist);
if (ret != 0) {
*minor_status = ret;
ret = GSS_S_FAILURE;
break;
}
if (first_mech == GSS_C_NO_OID)
first_mech = &supported_mechs->elements[i];
}
if (mechtypelist->len == 0) {
gss_release_oid_set(minor_status, &supported_mechs);
*minor_status = 0;
return GSS_S_BAD_MECH;
}
if (preferred_mech != NULL) {
ret = gss_duplicate_oid(minor_status, first_mech, preferred_mech);
if (ret != GSS_S_COMPLETE)
free_MechTypeList(mechtypelist);
}
gss_release_oid_set(minor_status, &supported_mechs);
return ret;
}

Some files were not shown because too many files have changed in this diff Show More