sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-22 05:57:43 +03:00
Code

r19604: This is a massive commit, and I appologise in advance for it's size.

Browse Source 
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.

This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted:  we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code.  We have adapted to upstream's choice of API in these cases.

In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC.  This matches windows behavour.  We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).

This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.

Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
This commit is contained in:
Andrew Bartlett 2006-11-07 06:59:56 +00:00 committed by Gerald (Jerry) Carter
parent 8b91594e09
commit 3c1e780ec7
264 changed files with 25834 additions and 10896 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
source4/auth/credentials/credentials_krb5.h
View File

@ -21,9 +21,7 @@
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
struct EncryptionKey;
#include "heimdal/lib/gssapi/gssapi.h"
#include "heimdal/lib/gssapi/gssapi/gssapi.h"
struct ccache_container;

127
source4/auth/gensec/gensec_gssapi.c
View File

@ -24,7 +24,7 @@
#include "includes.h"
#include "system/kerberos.h"
#include "heimdal/lib/gssapi/gssapi.h"
#include "heimdal/lib/gssapi/gssapi/gssapi.h"
#include "auth/kerberos/kerberos.h"
#include "librpc/gen_ndr/krb5pac.h"
#include "auth/auth.h"
@ -73,6 +73,7 @@ struct gensec_gssapi_state {
* layer... */
size_t max_wrap_buf_size;
int gss_exchange_count;
};
static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
@ -133,12 +134,14 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
{
struct gensec_gssapi_state *gensec_gssapi_state;
krb5_error_code ret;
struct gsskrb5_send_to_kdc send_to_kdc;
gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
if (!gensec_gssapi_state) {
return NT_STATUS_NO_MEMORY;
}
gensec_gssapi_state->gss_exchange_count = 0;
gensec_gssapi_state->max_wrap_buf_size
= lp_parm_int(-1, "gensec_gssapi", "max wrap buf size", 65536);
@ -186,10 +189,18 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->gss_oid = gss_mech_krb5;
send_to_kdc.func = smb_krb5_send_and_recv_func;
send_to_kdc.ptr = gensec_security->event_ctx;
ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
return NT_STATUS_INTERNAL_ERROR;
}
ret = smb_krb5_init_context(gensec_gssapi_state,
&gensec_gssapi_state->smb_krb5_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
error_message(ret)));
return NT_STATUS_INTERNAL_ERROR;
}
@ -431,6 +442,8 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
}
gensec_gssapi_state->gss_exchange_count++;
if (maj_stat == GSS_S_COMPLETE) {
*out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
gss_release_buffer(&min_stat2, &output_token);
@ -493,12 +506,14 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
/* garbage input, possibly from the auto-mech detection */
return NT_STATUS_INVALID_PARAMETER;
default:
DEBUG(1, ("GSS(krb5) Update failed: %s\n",
DEBUG(1, ("GSS Update(krb5)(%d) Update failed: %s\n",
gensec_gssapi_state->gss_exchange_count,
gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
return nt_status;
}
} else {
DEBUG(1, ("GSS Update failed: %s\n",
DEBUG(1, ("GSS Update(%d) failed: %s\n",
gensec_gssapi_state->gss_exchange_count,
gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
return nt_status;
}
@ -583,7 +598,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
&conf_state,
&output_token);
if (GSS_ERROR(maj_stat)) {
DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n",
DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
return NT_STATUS_ACCESS_DENIED;
}
@ -648,7 +663,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
&conf_state,
&output_token);
if (GSS_ERROR(maj_stat)) {
DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n",
DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
return NT_STATUS_ACCESS_DENIED;
}
@ -1185,38 +1200,57 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
return NT_STATUS_NO_MEMORY;
}
maj_stat = gss_krb5_copy_service_keyblock(&min_stat,
gensec_gssapi_state->gssapi_context,
&keyblock);
if (maj_stat == 0) {
maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
gensec_gssapi_state->gssapi_context,
&authtime);
}
if (maj_stat == 0) {
maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
gensec_gssapi_state->gssapi_context,
KRB5_AUTHDATA_WIN2K_PAC,
&pac);
}
maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
gensec_gssapi_state->gssapi_context,
KRB5_AUTHDATA_WIN2K_PAC,
&pac);
if (maj_stat == 0) {
pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
gss_release_buffer(&min_stat, &pac);
} else {
pac_blob = data_blob(NULL, 0);
}
/* IF we have the PAC - otherwise we need to get this
* data from elsewere - local ldb, or (TODO) lookup of some
* kind...
*/
if (maj_stat == 0) {
if (pac_blob.length) {
krb5_error_code ret;
union netr_Validation validation;
ret = krb5_parse_name(gensec_gssapi_state->smb_krb5_context->krb5_context,
principal_string, &principal);
maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
gensec_gssapi_state->gssapi_context,
&authtime);
if (GSS_ERROR(maj_stat)) {
DEBUG(1, ("gsskrb5_extract_authtime_from_sec_context: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
talloc_free(mem_ctx);
return NT_STATUS_FOOBAR;
}
maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
gensec_gssapi_state->gssapi_context,
&keyblock);
if (GSS_ERROR(maj_stat)) {
DEBUG(1, ("gsskrb5_copy_service_keyblock failed: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
talloc_free(mem_ctx);
return NT_STATUS_FOOBAR;
}
ret = krb5_parse_name_flags(gensec_gssapi_state->smb_krb5_context->krb5_context,
principal_string,
KRB5_PRINCIPAL_PARSE_MUST_REALM,
&principal);
if (ret) {
krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context,
keyblock);
talloc_free(mem_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
@ -1226,25 +1260,25 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
gensec_gssapi_state->smb_krb5_context->krb5_context,
NULL, keyblock, principal, authtime, NULL);
krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context,
keyblock);
if (NT_STATUS_IS_OK(nt_status)) {
union netr_Validation validation;
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(gensec_gssapi_state,
NULL,
3, &validation,
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
} else {
maj_stat = 1;
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
}
if (maj_stat) {
DEBUG(1, ("Unable to use PAC, resorting to local user lookup!\n"));
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(gensec_gssapi_state,
NULL,
3, &validation,
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
} else if (!lp_parm_bool(-1, "gensec", "require_pac", False)) {
DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
&server_info);
@ -1252,6 +1286,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
talloc_free(mem_ctx);
return nt_status;
}
} else {
DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n",
principal_string,
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
return NT_STATUS_ACCESS_DENIED;
}
/* references the server_info into the session_info */

98
source4/auth/gensec/gensec_krb5.c
View File

@ -527,6 +527,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
struct PAC_LOGON_INFO *logon_info;
krb5_principal client_principal;
char *principal_string;
DATA_BLOB pac;
krb5_data pac_data;
@ -538,30 +539,63 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
return NT_STATUS_NO_MEMORY;
}
ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
if (ret) {
DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
client_principal, &principal_string);
if (ret) {
DEBUG(1, ("Unable to parse client principal: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket,
KRB5_AUTHDATA_WIN2K_PAC,
&pac_data);
if (ret) {
if (ret && lp_parm_bool(-1, "gensec", "require_pac", False)) {
DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
principal_string,
smb_get_krb5_error_message(context,
ret, mem_ctx)));
krb5_free_principal(context, client_principal);
free(principal_string);
return NT_STATUS_ACCESS_DENIED;
} else if (ret) {
/* NO pac */
DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
&server_info);
krb5_free_principal(context, client_principal);
free(principal_string);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
} else {
/* Found pac */
union netr_Validation validation;
free(principal_string);
pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
if (!pac.data) {
krb5_free_principal(context, client_principal);
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
if (ret) {
DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
/* decode and verify the pac */
nt_status = kerberos_pac_logon_info(gensec_krb5_state, &logon_info, pac,
gensec_krb5_state->smb_krb5_context->krb5_context,
@ -570,46 +604,16 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
gensec_krb5_state->ticket->ticket.authtime, NULL);
krb5_free_principal(context, client_principal);
if (NT_STATUS_IS_OK(nt_status)) {
union netr_Validation validation;
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(mem_ctx,
NULL,
3, &validation,
&server_info);
}
}
/* IF we have the PAC - otherwise we need to get this
* data from elsewere - local ldb, or (TODO) lookup of some
* kind...
*/
if (!NT_STATUS_IS_OK(nt_status)) {
/* NO pac, or can't parse or verify it */
char *principal_string;
ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
if (ret) {
DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
client_principal, &principal_string);
krb5_free_principal(context, client_principal);
if (ret) {
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
return nt_status;
}
nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
&server_info);
free(principal_string);
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(mem_ctx,
NULL,
3, &validation,
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;

4
source4/auth/kerberos/kerberos.c
View File

@ -45,6 +45,8 @@
krb5_get_init_creds_opt_init(&options);
krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options);
if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
0, NULL, &options))) {
return code;
@ -87,6 +89,8 @@
krb5_get_init_creds_opt_init(&options);
krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options);
if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password,
NULL,
NULL, 0, NULL, &options))) {

6
source4/auth/kerberos/kerberos_pac.c
View File

@ -280,7 +280,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
return NT_STATUS_ACCESS_DENIED;
}
ret = krb5_parse_name_norealm(context, logon_name->account_name, &client_principal_pac);
ret = krb5_parse_name_flags(context, logon_name->account_name, KRB5_PRINCIPAL_PARSE_NO_REALM,
&client_principal_pac);
if (ret) {
DEBUG(2, ("Could not parse name from incoming PAC: [%s]: %s\n",
logon_name->account_name,
@ -591,7 +592,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
u_LOGON_INFO->logon_info.info = LOGON_INFO;
LOGON_INFO->info3 = *sam3;
ret = krb5_unparse_name_norealm(context, client_principal, &name);
ret = krb5_unparse_name_flags(context, client_principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret) {
return ret;
}

32
source4/auth/kerberos/krb5_init_context.c
View File

@ -23,6 +23,7 @@
#include "includes.h"
#include "system/kerberos.h"
#include "heimdal/lib/krb5/krb5_locl.h"
#include "auth/kerberos/kerberos.h"
#include "lib/socket/socket.h"
#include "system/network.h"
@ -69,7 +70,7 @@ static void smb_krb5_debug_close(void *private) {
static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private)
{
DEBUG(3, ("Kerberos: %s\n", msg));
DEBUG(2, ("Kerberos: %s\n", msg));
}
/*
@ -224,11 +225,11 @@ static void smb_krb5_socket_handler(struct event_context *ev, struct fd_event *f
}
static krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
void *data,
krb5_krbhst_info *hi,
const krb5_data *send_buf,
krb5_data *recv_buf)
krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
void *data,
krb5_krbhst_info *hi,
const krb5_data *send_buf,
krb5_data *recv_buf)
{
krb5_error_code ret;
NTSTATUS status;
@ -363,13 +364,6 @@ static krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
return KRB5_KDC_UNREACH;
}
/* NO internal data, so nothing to free */
static void smb_krb5_send_and_recv_close_func(krb5_context context, void *data)
{
return;
}
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct smb_krb5_context **smb_krb5_context)
{
@ -437,9 +431,9 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
ev = event_context_find(*smb_krb5_context);
/* Set use of our socket lib */
ret = krb5_set_send_recv_func((*smb_krb5_context)->krb5_context,
smb_krb5_send_and_recv_func,
smb_krb5_send_and_recv_close_func, ev);
ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context,
smb_krb5_send_and_recv_func,
ev);
if (ret) {
DEBUG(1,("krb5_set_send_recv_func failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
@ -454,12 +448,8 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
/* Set options in kerberos */
(*smb_krb5_context)->krb5_context->fdns = FALSE;
krb5_set_dns_canonicalize_hostname((*smb_krb5_context)->krb5_context, FALSE);
return 0;
}
void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context)
{
talloc_free(smb_krb5_context);
}

5
source4/auth/kerberos/krb5_init_context.h
View File

@ -27,3 +27,8 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct smb_krb5_context **smb_krb5_context);
void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context);
krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
void *data,
krb5_krbhst_info *hi,
const krb5_data *send_buf,
krb5_data *recv_buf);

22
source4/dsdb/samdb/cracknames.c
View File

@ -154,8 +154,8 @@ static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_c
enum drsuapi_DsNameStatus namestatus;
/* parse principal */
ret = krb5_parse_name_norealm(smb_krb5_context->krb5_context,
name, &principal);
ret = krb5_parse_name_flags(smb_krb5_context->krb5_context,
name, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
if (ret) {
DEBUG(2, ("Could not parse principal: %s: %s",
name, smb_get_krb5_error_message(smb_krb5_context->krb5_context,
@ -196,7 +196,8 @@ static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_c
}
/* reform principal */
ret = krb5_unparse_name_norealm(smb_krb5_context->krb5_context, principal, &new_princ);
ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &new_princ);
krb5_free_principal(smb_krb5_context->krb5_context, principal);
@ -231,7 +232,8 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
return WERR_OK;
}
ret = krb5_parse_name_mustrealm(smb_krb5_context->krb5_context, name, &principal);
ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal);
if (ret) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
return WERR_OK;
@ -243,7 +245,8 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
"(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))",
ldb_binary_encode_string(mem_ctx, *realm),
ldb_binary_encode_string(mem_ctx, *realm));
ret = krb5_unparse_name_norealm(smb_krb5_context->krb5_context, principal, &unparsed_name_short);
ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short);
krb5_free_principal(smb_krb5_context->krb5_context, principal);
if (ret) {
@ -445,11 +448,13 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
krb5_principal principal;
char *unparsed_name_short;
char *service;
ret = krb5_parse_name_norealm(smb_krb5_context->krb5_context, name, &principal);
ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
if (ret) {
/* perhaps it's a principal with a realm, so return the right 'domain only' response */
char **realm;
ret = krb5_parse_name_mustrealm(smb_krb5_context->krb5_context, name, &principal);
ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal);
if (ret) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
return WERR_OK;
@ -473,7 +478,8 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
domain_filter = NULL;
ret = krb5_unparse_name_norealm(smb_krb5_context->krb5_context, principal, &unparsed_name_short);
ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short);
if (ret) {
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return WERR_NOMEM;

11
source4/heimdal/kdc/524.c
View File

@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: 524.c,v 1.37 2006/04/27 11:33:20 lha Exp $");
RCSID("$Id: 524.c,v 1.40 2006/10/06 17:06:30 lha Exp $");
#include <krb5-v4compat.h>
@ -53,7 +53,8 @@ fetch_server (krb5_context context,
krb5_error_code ret;
krb5_principal sprinc;
ret = _krb5_principalname2krb5_principal(context, &sprinc, t->sname, t->realm);
ret = _krb5_principalname2krb5_principal(context, &sprinc,
t->sname, t->realm);
if (ret) {
kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text(context, ret));
@ -66,7 +67,8 @@ fetch_server (krb5_context context,
krb5_get_err_text(context, ret));
return ret;
}
ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, server);
ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER,
NULL, server);
krb5_free_principal(context, sprinc);
if (ret) {
kdc_log(context, config, 0,
@ -90,7 +92,8 @@ log_524 (krb5_context context,
char *cpn;
krb5_error_code ret;
ret = _krb5_principalname2krb5_principal(context, &client, et->cname, et->crealm);
ret = _krb5_principalname2krb5_principal(context, &client,
et->cname, et->crealm);
if (ret) {
kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text (context, ret));

3
source4/heimdal/kdc/default_config.c
View File

@ -42,8 +42,9 @@
void
krb5_kdc_default_config(krb5_kdc_configuration *config)
{
memset(config, 0, sizeof(*config));
config->require_preauth = TRUE;
config->kdc_warn_pwexpire = -1;
config->kdc_warn_pwexpire = 0;
config->encode_as_rep_as_tgs_rep = FALSE; /* bug compatibility */
config->check_ticket_addresses = TRUE;
config->allow_null_ticket_addresses = TRUE;

712
source4/heimdal/kdc/digest.c Normal file
View File

@ -0,0 +1,712 @@
/*
* Copyright (c) 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
#include <digest_asn1.h>
#include <hex.h>
RCSID("$Id: digest.c,v 1.7 2006/10/22 20:11:44 lha Exp $");
krb5_error_code
_kdc_do_digest(krb5_context context,
krb5_kdc_configuration *config,
const DigestREQ *req, krb5_data *reply,
const char *from, struct sockaddr *addr)
{
krb5_error_code ret = 0;
krb5_ticket *ticket = NULL;
krb5_auth_context ac = NULL;
krb5_keytab id = NULL;
krb5_crypto crypto = NULL;
DigestReqInner ireq;
DigestRepInner r;
DigestREP rep;
krb5_flags ap_req_options;
krb5_data buf;
size_t size;
krb5_storage *sp = NULL;
Checksum res;
hdb_entry_ex *server = NULL, *user = NULL;
char *password = NULL;
krb5_data serverNonce;
if(!config->enable_digest) {
kdc_log(context, config, 0, "Rejected digest request from %s", from);
return KRB5KDC_ERR_POLICY;
}
krb5_data_zero(&buf);
krb5_data_zero(reply);
krb5_data_zero(&serverNonce);
memset(&ireq, 0, sizeof(ireq));
memset(&r, 0, sizeof(r));
memset(&rep, 0, sizeof(rep));
kdc_log(context, config, 0, "Digest request from %s", from);
ret = krb5_kt_resolve(context, "HDB:", &id);
if (ret) {
kdc_log(context, config, 0, "Can't open database for digest");
goto out;
}
ret = krb5_rd_req(context,
&ac,
&req->apReq,
NULL,
id,
&ap_req_options,
&ticket);
if (ret)
goto out;
/* check the server principal in the ticket matches digest/R@R */
{
krb5_principal principal = NULL;
const char *p, *r;
ret = krb5_ticket_get_server(context, ticket, &principal);
if (ret)
goto out;
ret = EINVAL;
krb5_set_error_string(context, "Wrong digest server principal used");
p = krb5_principal_get_comp_string(context, principal, 0);
if (p == NULL) {
krb5_free_principal(context, principal);
goto out;
}
if (strcmp(p, KRB5_DIGEST_NAME) != 0) {
krb5_free_principal(context, principal);
goto out;
}
p = krb5_principal_get_comp_string(context, principal, 1);
if (p == NULL) {
krb5_free_principal(context, principal);
goto out;
}
r = krb5_principal_get_realm(context, principal);
if (r == NULL) {
krb5_free_principal(context, principal);
goto out;
}
if (strcmp(p, r) != 0) {
krb5_free_principal(context, principal);
goto out;
}
ret = _kdc_db_fetch(context, config, principal,
HDB_F_GET_SERVER, NULL, &server);
if (ret)
goto out;
krb5_free_principal(context, principal);
}
/* check the client is allowed to do digest auth */
{
krb5_principal principal = NULL;
hdb_entry_ex *client;
ret = krb5_ticket_get_client(context, ticket, &principal);
if (ret)
goto out;
ret = _kdc_db_fetch(context, config, principal,
HDB_F_GET_CLIENT, NULL, &client);
krb5_free_principal(context, principal);
if (ret)
goto out;
if (client->entry.flags.allow_digest == 0) {
krb5_set_error_string(context,
"Client is not permitted to use digest");
ret = KRB5KDC_ERR_POLICY;
_kdc_free_ent (context, client);
goto out;
}
_kdc_free_ent (context, client);
}
/* unpack request */
{
krb5_keyblock *key;
ret = krb5_auth_con_getremotesubkey(context, ac, &key);
if (ret)
goto out;
if (key == NULL) {
krb5_set_error_string(context, "digest: remote subkey not found");
ret = EINVAL;
goto out;
}
ret = krb5_crypto_init(context, key, 0, &crypto);
krb5_free_keyblock (context, key);
if (ret)
goto out;
}
ret = krb5_decrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT,
&req->innerReq, &buf);
krb5_crypto_destroy(context, crypto);
crypto = NULL;
if (ret)
goto out;
ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL);
krb5_data_free(&buf);
if (ret) {
krb5_set_error_string(context, "Failed to decode digest inner request");
goto out;
}
/*
* Process the inner request
*/
switch (ireq.element) {
case choice_DigestReqInner_init: {
unsigned char server_nonce[16], identifier;
RAND_pseudo_bytes(&identifier, sizeof(identifier));
RAND_pseudo_bytes(server_nonce, sizeof(server_nonce));
server_nonce[0] = kdc_time & 0xff;
server_nonce[1] = (kdc_time >> 8) & 0xff;
server_nonce[2] = (kdc_time >> 16) & 0xff;
server_nonce[3] = (kdc_time >> 24) & 0xff;
r.element = choice_DigestRepInner_initReply;
hex_encode(server_nonce, sizeof(server_nonce), &r.u.initReply.nonce);
if (r.u.initReply.nonce == NULL) {
krb5_set_error_string(context, "Failed to decode server nonce");
ret = ENOMEM;
goto out;
}
sp = krb5_storage_emem();
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
goto out;
}
ret = krb5_store_stringz(sp, ireq.u.init.type);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
if (ireq.u.init.channel) {
char *s;
asprintf(&s, "%s-%s:%s", r.u.initReply.nonce,
ireq.u.init.channel->cb_type,
ireq.u.init.channel->cb_binding);
if (s == NULL) {
krb5_set_error_string(context, "Failed to allocate "
"channel binding");
ret = ENOMEM;
goto out;
}
free(r.u.initReply.nonce);
r.u.initReply.nonce = s;
}
ret = krb5_store_stringz(sp, r.u.initReply.nonce);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
if (strcasecmp(ireq.u.init.type, "CHAP") == 0) {
r.u.initReply.identifier =
malloc(sizeof(*r.u.initReply.identifier));
if (r.u.initReply.identifier == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
asprintf(r.u.initReply.identifier, "%02X", identifier & 0xff);
if (*r.u.initReply.identifier == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
ret = krb5_store_stringz(sp, *r.u.initReply.identifier);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
} else
r.u.initReply.identifier = NULL;
if (ireq.u.init.hostname) {
ret = krb5_store_stringz(sp, *ireq.u.init.hostname);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
}
ret = krb5_storage_to_data(sp, &buf);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
{
Key *key;
krb5_enctype enctype;
ret = _kdc_get_preferred_key(context,
config,
server,
"digest-service",
&enctype,
&key);
if (ret)
goto out;
ret = krb5_crypto_init(context, &key->key, 0, &crypto);
if (ret)
goto out;
}
ret = krb5_create_checksum(context,
crypto,
KRB5_KU_DIGEST_OPAQUE,
0,
buf.data,
buf.length,
&res);
krb5_crypto_destroy(context, crypto);
crypto = NULL;
krb5_data_free(&buf);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret);
free_Checksum(&res);
if (ret) {
krb5_set_error_string(context, "Failed to encode "
"checksum in digest request");
goto out;
}
if (size != buf.length)
krb5_abortx(context, "ASN1 internal error");
hex_encode(buf.data, buf.length, &r.u.initReply.opaque);
free(buf.data);
if (r.u.initReply.opaque == NULL) {
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
break;
}
case choice_DigestReqInner_digestRequest: {
krb5_principal clientprincipal;
HDB *db;
sp = krb5_storage_emem();
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
goto out;
}
krb5_store_stringz(sp, ireq.u.digestRequest.type);
krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce);
if (ireq.u.digestRequest.identifier) {
ret = krb5_store_stringz(sp, *ireq.u.digestRequest.identifier);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
}
if (ireq.u.digestRequest.hostname) {
ret = krb5_store_stringz(sp, *ireq.u.digestRequest.hostname);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
}
buf.length = strlen(ireq.u.digestRequest.opaque);
buf.data = malloc(buf.length);
if (buf.data == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
ret = hex_decode(ireq.u.digestRequest.opaque, buf.data, buf.length);
if (ret <= 0) {
krb5_set_error_string(context, "Failed to decode opaque");
ret = ENOMEM;
goto out;
}
buf.length = ret;
ret = decode_Checksum(buf.data, buf.length, &res, NULL);
free(buf.data);
if (ret) {
krb5_set_error_string(context, "Failed to decode digest Checksum");
goto out;
}
ret = krb5_storage_to_data(sp, &buf);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
serverNonce.length = strlen(ireq.u.digestRequest.serverNonce);
serverNonce.data = malloc(serverNonce.length);
if (serverNonce.data == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
/*
* CHAP does the checksum of the raw nonce, but do it for all
* types, since we need to check the timestamp.
*/
{
ssize_t ssize;
ssize = hex_decode(ireq.u.digestRequest.serverNonce,
serverNonce.data, serverNonce.length);
if (ssize <= 0) {
krb5_set_error_string(context, "Failed to decode serverNonce");
ret = ENOMEM;
goto out;
}
serverNonce.length = ssize;
}
{
Key *key;
krb5_enctype enctype;
ret = _kdc_get_preferred_key(context,
config,
server,
"digest-service",
&enctype,
&key);
if (ret)
goto out;
ret = krb5_crypto_init(context, &key->key, 0, &crypto);
if (ret)
goto out;
}
ret = krb5_verify_checksum(context, crypto,
KRB5_KU_DIGEST_OPAQUE,
buf.data, buf.length, &res);
krb5_crypto_destroy(context, crypto);
crypto = NULL;
if (ret)
goto out;
/* verify time */
{
unsigned char *p = serverNonce.data;
uint32_t t;
if (serverNonce.length < 4) {
krb5_set_error_string(context, "server nonce too short");
ret = EINVAL;
goto out;
}
t = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
if (abs((kdc_time & 0xffffffff) - t) > context->max_skew) {
krb5_set_error_string(context, "time screw in server nonce ");
ret = EINVAL;
goto out;
}
}
/* get username */
ret = krb5_parse_name(context,
ireq.u.digestRequest.username,
&clientprincipal);
if (ret)
goto out;
ret = _kdc_db_fetch(context, config, clientprincipal,
HDB_F_GET_CLIENT, &db, &user);
krb5_free_principal(context, clientprincipal);
if (ret)
goto out;
ret = hdb_entry_get_password(context, db, &user->entry, &password);
if (ret || password == NULL) {
if (ret == 0) {
ret = EINVAL;
krb5_set_error_string(context, "password missing");
}
goto out;
}
if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
MD5_CTX ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char id;
if (ireq.u.digestRequest.identifier == NULL) {
krb5_set_error_string(context, "Identifier missing "
"from CHAP request");
ret = EINVAL;
goto out;
}
if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
krb5_set_error_string(context, "failed to decode identifier");
ret = EINVAL;
goto out;
}
MD5_Init(&ctx);
MD5_Update(&ctx, &id, 1);
MD5_Update(&ctx, password, strlen(password));
MD5_Update(&ctx, serverNonce.data, serverNonce.length);
MD5_Final(md, &ctx);
r.element = choice_DigestRepInner_response;
hex_encode(md, sizeof(md), &r.u.response.responseData);
if (r.u.response.responseData == NULL) {
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
MD5_CTX ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *A1, *A2;
if (ireq.u.digestRequest.nonceCount == NULL)
goto out;
if (ireq.u.digestRequest.clientNonce == NULL)
goto out;
if (ireq.u.digestRequest.qop == NULL)
goto out;
if (ireq.u.digestRequest.realm == NULL)
goto out;
MD5_Init(&ctx);
MD5_Update(&ctx, ireq.u.digestRequest.username,
strlen(ireq.u.digestRequest.username));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.realm,
strlen(*ireq.u.digestRequest.realm));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, password, strlen(password));
MD5_Final(md, &ctx);
MD5_Init(&ctx);
MD5_Update(&ctx, md, sizeof(md));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
strlen(ireq.u.digestRequest.serverNonce));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
strlen(*ireq.u.digestRequest.nonceCount));
if (ireq.u.digestRequest.authid) {
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.authid,
strlen(*ireq.u.digestRequest.authid));
}
MD5_Final(md, &ctx);
hex_encode(md, sizeof(md), &A1);
if (A1 == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
MD5_Init(&ctx);
MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
MD5_Update(&ctx, *ireq.u.digestRequest.uri,
strlen(*ireq.u.digestRequest.uri));
/* conf|int */
if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
static char conf_zeros[] = ":00000000000000000000000000000000";
MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1);
}
MD5_Final(md, &ctx);
hex_encode(md, sizeof(md), &A2);
if (A2 == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
free(A1);
goto out;
}
MD5_Init(&ctx);
MD5_Update(&ctx, A1, strlen(A2));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
strlen(ireq.u.digestRequest.serverNonce));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
strlen(*ireq.u.digestRequest.nonceCount));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce,
strlen(*ireq.u.digestRequest.clientNonce));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.qop,
strlen(*ireq.u.digestRequest.qop));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, A2, strlen(A2));
MD5_Final(md, &ctx);
r.element = choice_DigestRepInner_response;
hex_encode(md, sizeof(md), &r.u.response.responseData);
free(A1);
free(A2);
if (r.u.response.responseData == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
} else {
r.element = choice_DigestRepInner_error;
asprintf(&r.u.error.reason, "unsupported digest type %s",
ireq.u.digestRequest.type);
if (r.u.error.reason == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
r.u.error.code = EINVAL;
}
break;
}
default:
r.element = choice_DigestRepInner_error;
r.u.error.reason = strdup("unknown operation");
if (r.u.error.reason == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
r.u.error.code = EINVAL;
break;
}
ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret);
if (ret) {
krb5_set_error_string(context, "Failed to encode inner digest reply");
goto out;
}
if (size != buf.length)
krb5_abortx(context, "ASN1 internal error");
krb5_auth_con_addflags(context, ac, KRB5_AUTH_CONTEXT_USE_SUBKEY, NULL);
ret = krb5_mk_rep (context, ac, &rep.apRep);
if (ret)
goto out;
{
krb5_keyblock *key;
ret = krb5_auth_con_getlocalsubkey(context, ac, &key);
if (ret)
goto out;
ret = krb5_crypto_init(context, key, 0, &crypto);
krb5_free_keyblock (context, key);
if (ret)
goto out;
}
ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT,
buf.data, buf.length, 0,
&rep.innerRep);
ASN1_MALLOC_ENCODE(DigestREP, reply->data, reply->length, &rep, &size, ret);
if (ret) {
krb5_set_error_string(context, "Failed to encode digest reply");
goto out;
}
if (size != reply->length)
krb5_abortx(context, "ASN1 internal error");
out:
if (ac)
krb5_auth_con_free(context, ac);
if (ret)
krb5_warn(context, ret, "Digest request from %s failed", from);
if (ticket)
krb5_free_ticket(context, ticket);
if (id)
krb5_kt_close(context, id);
if (crypto)
krb5_crypto_destroy(context, crypto);
if (sp)
krb5_storage_free(sp);
if (user)
_kdc_free_ent (context, user);
if (server)
_kdc_free_ent (context, server);
if (password) {
memset(password, 0, strlen(password));
free (password);
}
krb5_data_free(&buf);
krb5_data_free(&serverNonce);
free_DigestREP(&rep);
free_DigestRepInner(&r);
free_DigestReqInner(&ireq);
return ret;
}

7
source4/heimdal/kdc/headers.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -32,7 +32,7 @@
*/
/*
* $Id: headers.h,v 1.16 2005/04/24 13:49:00 lha Exp $
* $Id: headers.h,v 1.18 2006/10/17 02:22:17 lha Exp $
*/
#ifndef __HEADERS_H__
@ -88,9 +88,10 @@
#include <parse_units.h>
#include <krb5.h>
#include <krb5_locl.h>
#include <digest_asn1.h>
#include <hdb.h>
#include <hdb_err.h>
#include <der.h> /* copy_octet_string */
#include <der.h>
#undef ALLOC
#define ALLOC(X) ((X) = malloc(sizeof(*(X))))

5
source4/heimdal/kdc/kaserver.c
View File

@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: kaserver.c,v 1.35 2006/05/05 10:49:50 lha Exp $");
RCSID("$Id: kaserver.c,v 1.36 2006/08/23 11:43:44 lha Exp $");
#include <krb5-v4compat.h>
#include <rx.h>
@ -465,7 +465,8 @@ do_authenticate (krb5_context context,
client_name, from, server_name);
ret = _kdc_db_fetch4 (context, config, name, instance,
config->v4_realm, HDB_F_GET_CLIENT, &client_entry);
config->v4_realm, HDB_F_GET_CLIENT,
&client_entry);
if (ret) {
kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret));

87
source4/heimdal/kdc/kdc-private.h
View File

@ -4,6 +4,16 @@
#include <stdarg.h>
krb5_error_code
_kdc_add_KRB5SignedPath (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
hdb_entry_ex */*krbtgt*/,
krb5_enctype /*enctype*/,
krb5_const_principal /*server*/,
KRB5SignedPathPrincipals */*principals*/,
EncTicketPart */*tkt*/);
krb5_error_code
_kdc_as_rep (
krb5_context /*context*/,
@ -12,7 +22,15 @@ _kdc_as_rep (
const krb5_data */*req_buffer*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr */*from_addr*/);
struct sockaddr */*from_addr*/,
int /*datagram_reply*/);
krb5_boolean
_kdc_check_addresses (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
HostAddresses */*addresses*/,
const struct sockaddr */*from*/);
krb5_error_code
_kdc_check_flags (
@ -30,6 +48,7 @@ _kdc_db_fetch (
krb5_kdc_configuration */*config*/,
krb5_const_principal /*principal*/,
unsigned /*flags*/,
HDB **/*db*/,
hdb_entry_ex **/*h*/);
krb5_error_code
@ -51,6 +70,15 @@ _kdc_do_524 (
const char */*from*/,
struct sockaddr */*addr*/);
krb5_error_code
_kdc_do_digest (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
const DigestREQ */*req*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr */*addr*/);
krb5_error_code
_kdc_do_kaserver (
krb5_context /*context*/,
@ -71,6 +99,21 @@ _kdc_do_version4 (
const char */*from*/,
struct sockaddr_in */*addr*/);
krb5_error_code
_kdc_encode_reply (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
KDC_REP */*rep*/,
const EncTicketPart */*et*/,
EncKDCRepPart */*ek*/,
krb5_enctype /*etype*/,
int /*skvno*/,
const EncryptionKey */*skey*/,
int /*ckvno*/,
const EncryptionKey */*ckey*/,
const char **/*e_text*/,
krb5_data */*reply*/);
krb5_error_code
_kdc_encode_v4_ticket (
krb5_context /*context*/,
@ -81,6 +124,24 @@ _kdc_encode_v4_ticket (
const PrincipalName */*service*/,
size_t */*size*/);
krb5_error_code
_kdc_find_etype (
krb5_context /*context*/,
const hdb_entry_ex */*princ*/,
krb5_enctype */*etypes*/,
unsigned /*len*/,
Key **/*ret_key*/,
krb5_enctype */*ret_etype*/);
PA_DATA*
_kdc_find_padata (
KDC_REQ */*req*/,
int */*start*/,
int /*type*/);
void
_kdc_fix_time (time_t **/*t*/);
void
_kdc_free_ent (
krb5_context /*context*/,
@ -94,6 +155,28 @@ _kdc_get_des_key (
krb5_boolean /*prefer_afs_key*/,
Key **/*ret_key*/);
krb5_error_code
_kdc_get_preferred_key (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
hdb_entry_ex */*h*/,
const char */*name*/,
krb5_enctype */*enctype*/,
Key **/*key*/);
void
_kdc_log_timestamp (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
const char */*type*/,
KerberosTime /*authtime*/,
KerberosTime */*starttime*/,
KerberosTime /*endtime*/,
KerberosTime */*renew_till*/);
krb5_error_code
_kdc_make_anonymous_principalname (PrincipalName */*pn*/);
int
_kdc_maybe_version4 (
unsigned char */*buf*/,
@ -120,7 +203,7 @@ _kdc_pk_initialize (
const char */*user_id*/,
const char */*anchors*/,
char **/*pool*/,
char **/*revoke*/);
char **/*revoke_list*/);
krb5_error_code
_kdc_pk_mk_pa_reply (

26
source4/heimdal/kdc/kdc-protos.h
View File

@ -40,17 +40,6 @@ kdc_openlog (
void
krb5_kdc_default_config (krb5_kdc_configuration */*config*/);
int
krb5_kdc_process_generic_request (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
unsigned char */*buf*/,
size_t /*len*/,
krb5_data */*reply*/,
krb5_boolean */*prependlength*/,
const char */*from*/,
struct sockaddr */*addr*/);
int
krb5_kdc_process_krb5_request (
krb5_context /*context*/,
@ -59,7 +48,20 @@ krb5_kdc_process_krb5_request (
size_t /*len*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr */*addr*/);
struct sockaddr */*addr*/,
int /*datagram_reply*/);
int
krb5_kdc_process_request (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
unsigned char */*buf*/,
size_t /*len*/,
krb5_data */*reply*/,
krb5_boolean */*prependlength*/,
const char */*from*/,
struct sockaddr */*addr*/,
int /*datagram_reply*/);
#ifdef __cplusplus
}

13
source4/heimdal/kdc/kdc.h
View File

@ -35,7 +35,7 @@
*/
/*
* $Id: kdc.h,v 1.6 2006/05/03 12:03:29 lha Exp $
* $Id: kdc.h,v 1.9 2006/10/09 15:34:07 lha Exp $
*/
#ifndef __KDC_H__
@ -65,10 +65,12 @@ typedef struct krb5_kdc_configuration {
char *v4_realm;
krb5_boolean enable_v4;
krb5_boolean enable_kaserver;
krb5_boolean enable_524;
krb5_boolean enable_v4_cross_realm;
krb5_boolean enable_v4_per_principal;
krb5_boolean enable_kaserver;
krb5_boolean enable_524;
krb5_boolean enable_pkinit;
krb5_boolean enable_pkinit_princ_in_cert;
@ -78,6 +80,9 @@ typedef struct krb5_kdc_configuration {
int pkinit_dh_min_bits;
int enable_digest;
size_t max_datagram_reply_length;
} krb5_kdc_configuration;
#include <kdc-protos.h>

23
source4/heimdal/kdc/kerberos4.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -35,7 +35,7 @@
#include <krb5-v4compat.h>
RCSID("$Id: kerberos4.c,v 1.60 2006/05/05 10:50:44 lha Exp $");
RCSID("$Id: kerberos4.c,v 1.63 2006/10/08 13:43:27 lha Exp $");
#ifndef swap32
static uint32_t
@ -80,7 +80,7 @@ valid_princ(krb5_context context,
ret = krb5_unparse_name(context, princ, &s);
if (ret)
return FALSE;
ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, &ent);
ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent);
if (ret) {
kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
krb5_get_err_text (context, ret));
@ -111,7 +111,7 @@ _kdc_db_fetch4(krb5_context context,
valid_princ, &ctx, 0, &p);
if(ret)
return ret;
ret = _kdc_db_fetch(context, config, p, flags, ent);
ret = _kdc_db_fetch(context, config, p, flags, NULL, ent);
krb5_free_principal(context, p);
return ret;
}
@ -221,6 +221,17 @@ _kdc_do_version4(krb5_context context,
goto out1;
}
if (config->enable_v4_per_principal &&
client->entry.flags.allow_kerberos4 == 0)
{
kdc_log(context, config, 0,
"Per principal Kerberos 4 flag not turned on for %s",
client_name);
make_err_reply(context, reply, KERB_ERR_NULL_KEY,
"allow kerberos4 flag required");
goto out1;
}
/*
* There's no way to do pre-authentication in v4 and thus no
* good error code to return if preauthentication is required.
@ -372,7 +383,7 @@ _kdc_do_version4(krb5_context context,
}
ret = _kdc_db_fetch(context, config, tgt_princ,
HDB_F_GET_KRBTGT, &tgt);
HDB_F_GET_KRBTGT, NULL, &tgt);
if(ret){
char *s;
s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
@ -668,7 +679,7 @@ _kdc_encode_v4_ticket(krb5_context context,
if(ret)
return ret;
_krb5_principalname2krb5_principal(context,
_krb5_principalname2krb5_principal(context,
&princ,
et->cname,
et->crealm);

1337
source4/heimdal/kdc/kerberos5.c
View File

File diff suppressed because it is too large Load Diff

1781
source4/heimdal/kdc/krb5tgs.c Normal file
View File

File diff suppressed because it is too large Load Diff

38
source4/heimdal/kdc/misc.c
View File

@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: misc.c,v 1.29 2006/04/27 11:33:21 lha Exp $");
RCSID("$Id: misc.c,v 1.32 2006/08/28 14:41:49 lha Exp $");
struct timeval _kdc_now;
@ -42,6 +42,7 @@ _kdc_db_fetch(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_principal principal,
unsigned flags,
HDB **db,
hdb_entry_ex **h)
{
hdb_entry_ex *ent;
@ -66,6 +67,8 @@ _kdc_db_fetch(krb5_context context,
ent);
config->db[i]->hdb_close(context, config->db[i]);
if(ret == 0) {
if (db)
*db = config->db[i];
*h = ent;
return 0;
}
@ -81,3 +84,36 @@ _kdc_free_ent(krb5_context context, hdb_entry_ex *ent)
free (ent);
}
/*
* Use the order list of preferred encryption types and sort the
* available keys and return the most preferred key.
*/
krb5_error_code
_kdc_get_preferred_key(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *h,
const char *name,
krb5_enctype *enctype,
Key **key)
{
const krb5_enctype *p;
krb5_error_code ret;
int i;
p = krb5_kerberos_enctypes(context);
for (i = 0; p[i] != ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
ret = hdb_enctype2key(context, &h->entry, p[i], key);
if (ret == 0) {
*enctype = p[i];
return 0;
}
}
krb5_set_error_string(context, "No valid kerberos key found for %s", name);
return EINVAL;
}

105
source4/heimdal/kdc/pkinit.c
View File

@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: pkinit.c,v 1.65 2006/05/06 13:22:33 lha Exp $");
RCSID("$Id: pkinit.c,v 1.72 2006/10/24 17:51:33 lha Exp $");
#ifdef PKINIT
@ -156,7 +156,7 @@ pk_check_pkauthenticator(krb5_context context,
goto out;
}
if (heim_octet_string_cmp(a->paChecksum, &checksum.checksum) != 0) {
if (der_heim_octet_string_cmp(a->paChecksum, &checksum.checksum) != 0) {
krb5_clear_error_string(context);
ret = KRB5KRB_ERR_GENERIC;
}
@ -269,7 +269,7 @@ get_dh_param(krb5_context context,
memset(&dhparam, 0, sizeof(dhparam));
if (heim_oid_cmp(&dh_key_info->algorithm.algorithm, oid_id_dhpublicnumber())) {
if (der_heim_oid_cmp(&dh_key_info->algorithm.algorithm, oid_id_dhpublicnumber())) {
krb5_set_error_string(context,
"PKINIT invalid oid in clientPublicValue");
return KRB5_BADMSGTYPE;
@ -338,7 +338,7 @@ get_dh_param(krb5_context context,
client_params->dh_public_key = integer_to_BN(context,
"subjectPublicKey",
&glue);
free_heim_integer(&glue);
der_free_heim_integer(&glue);
if (client_params->dh_public_key == NULL)
goto out;
}
@ -426,7 +426,7 @@ _kdc_pk_rd_padata(krb5_context context,
krb5_data signed_content = { 0, NULL };
const char *type = "unknown type";
const heim_oid *pa_contentType;
int have_data;
int have_data = 0;
*ret_params = NULL;
@ -444,7 +444,6 @@ _kdc_pk_rd_padata(krb5_context context,
if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) {
PA_PK_AS_REQ_Win2k r;
int have_data;
type = "PK-INIT-Win2k";
pa_contentType = oid_id_pkcs7_data();
@ -502,7 +501,7 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
ret = heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData());
ret = der_heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData());
if (ret != 0) {
krb5_set_error_string(context, "PK-AS-REQ-Win2k invalid content "
"type oid");
@ -542,7 +541,7 @@ _kdc_pk_rd_padata(krb5_context context,
}
/* Signature is correct, now verify the signed message */
if (heim_oid_cmp(&eContentType, pa_contentType)) {
if (der_heim_oid_cmp(&eContentType, pa_contentType)) {
krb5_set_error_string(context, "got wrong oid for pkauthdata");
ret = KRB5_BADMSGTYPE;
goto out;
@ -621,8 +620,8 @@ out:
if (signed_content.data)
free(signed_content.data);
krb5_data_free(&eContent);
free_oid(&eContentType);
free_oid(&contentInfoOid);
der_free_oid(&eContentType);
der_free_oid(&contentInfoOid);
if (ret)
_kdc_pk_free_client_param(context, client_params);
else
@ -657,10 +656,11 @@ pk_mk_pa_reply_enckey(krb5_context context,
ContentInfo *content_info)
{
krb5_error_code ret;
krb5_data buf, o;
krb5_data buf, signed_data;
size_t size;
krb5_data_zero(&buf);
krb5_data_zero(&signed_data);
switch (client_params->type) {
case PKINIT_COMPAT_WIN2K: {
@ -678,6 +678,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
buf.data, buf.length,
&kp, &size,ret);
free_ReplyKeyPack_Win2k(&kp);
break;
}
case PKINIT_COMPAT_27: {
krb5_crypto ascrypto;
@ -724,21 +725,55 @@ pk_mk_pa_reply_enckey(krb5_context context,
if (buf.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
{
hx509_query *q;
hx509_cert cert;
ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
if (ret)
goto out;
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
ret = hx509_certs_find(kdc_identity->hx509ctx,
kdc_identity->certs,
q,
&cert);
hx509_query_free(kdc_identity->hx509ctx, q);
if (ret)
goto out;
ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
oid_id_pkrkeydata(),
buf.data,
buf.length,
NULL,
cert,
kdc_identity->anchors,
kdc_identity->certpool,
&signed_data);
hx509_cert_free(cert);
}
krb5_data_free(&buf);
if (ret)
goto out;
ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
client_params->cert,
buf.data, buf.length, NULL,
oid_id_pkcs7_signedData(), &o);
signed_data.data, signed_data.length, NULL,
oid_id_pkcs7_signedData(), &buf);
if (ret)
goto out;
ret = _krb5_pk_mk_ContentInfo(context,
&o,
&buf,
oid_id_pkcs7_envelopedData(),
content_info);
free_octet_string(&o);
out:
out:
krb5_data_free(&buf);
krb5_data_free(&signed_data);
return ret;
}
@ -1195,6 +1230,7 @@ _kdc_pk_check_client(krb5_context context,
pk_client_params *client_params,
char **subject_name)
{
const HDB_Ext_PKINIT_acl *acl;
krb5_error_code ret;
hx509_name name;
int i;
@ -1210,8 +1246,8 @@ _kdc_pk_check_client(krb5_context context,
if (ret)
return ret;
kdc_log(context, config, 5,
"Trying to authorize subject DN %s",
kdc_log(context, config, 0,
"Trying to authorize PK-INIT subject DN %s",
*subject_name);
if (config->enable_pkinit_princ_in_cert) {
@ -1225,6 +1261,28 @@ _kdc_pk_check_client(krb5_context context,
}
}
ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
if (ret == 0 && acl != NULL) {
/*
* Cheat here and compare the generated name with the string
* and not the reverse.
*/
for (i = 0; i < acl->len; i++) {
if (strcmp(*subject_name, acl->val[0].subject) != 0)
continue;
/* Don't support isser and anchor checking right now */
if (acl->val[0].issuer)
continue;
if (acl->val[0].anchor)
continue;
kdc_log(context, config, 5,
"Found matching PK-INIT database ACL");
return 0;
}
}
for (i = 0; i < principal_mappings.len; i++) {
krb5_boolean b;
@ -1235,11 +1293,14 @@ _kdc_pk_check_client(krb5_context context,
continue;
if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0)
continue;
kdc_log(context, config, 5,
"Found matching PK-INIT FILE ACL");
return 0;
}
free(*subject_name);
free(*subject_name);
*subject_name = NULL;
krb5_set_error_string(context, "PKINIT no matching principals");
return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
}
@ -1282,7 +1343,7 @@ _kdc_pk_initialize(krb5_context context,
const char *user_id,
const char *anchors,
char **pool,
char **revoke)
char **revoke_list)
{
const char *file;
krb5_error_code ret;
@ -1305,7 +1366,7 @@ _kdc_pk_initialize(krb5_context context,
user_id,
anchors,
pool,
revoke,
revoke_list,
NULL,
NULL,
NULL);

31
source4/heimdal/kdc/process.c
View File

@ -34,7 +34,7 @@
#include "kdc_locl.h"
RCSID("$Id: process.c,v 1.3 2005/08/12 08:25:48 lha Exp $");
RCSID("$Id: process.c,v 1.5 2006/10/09 15:37:39 lha Exp $");
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
@ -42,17 +42,19 @@ RCSID("$Id: process.c,v 1.3 2005/08/12 08:25:48 lha Exp $");
*/
int
krb5_kdc_process_generic_request(krb5_context context,
krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr)
krb5_kdc_process_request(krb5_context context,
krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr,
int datagram_reply)
{
KDC_REQ req;
Ticket ticket;
DigestREQ digestreq;
krb5_error_code ret;
size_t i;
@ -64,7 +66,7 @@ krb5_kdc_process_generic_request(krb5_context context,
req_buffer.length = len;
ret = _kdc_as_rep(context, config, &req, &req_buffer,
reply, from, addr);
reply, from, addr, datagram_reply);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
@ -75,6 +77,10 @@ krb5_kdc_process_generic_request(krb5_context context,
ret = _kdc_do_524(context, config, &ticket, reply, from, addr);
free_Ticket(&ticket);
return ret;
}else if(decode_DigestREQ(buf, len, &digestreq, &i) == 0){
ret = _kdc_do_digest(context, config, &digestreq, reply, from, addr);
free_DigestREQ(&digestreq);
return ret;
} else if(_kdc_maybe_version4(buf, len)){
*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
_kdc_do_version4(context, config, buf, len, reply, from,
@ -103,7 +109,8 @@ krb5_kdc_process_krb5_request(krb5_context context,
size_t len,
krb5_data *reply,
const char *from,
struct sockaddr *addr)
struct sockaddr *addr,
int datagram_reply)
{
KDC_REQ req;
krb5_error_code ret;
@ -117,7 +124,7 @@ krb5_kdc_process_krb5_request(krb5_context context,
req_buffer.length = len;
ret = _kdc_as_rep(context, config, &req, &req_buffer,
reply, from, addr);
reply, from, addr, datagram_reply);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){

10
source4/heimdal/lib/asn1/CMS.asn1
View File

@ -1,5 +1,5 @@
-- From RFC 3369 --
-- $Id: CMS.asn1,v 1.4 2006/04/15 10:53:25 lha Exp $ --
-- $Id: CMS.asn1,v 1.5 2006/09/07 12:20:42 lha Exp $ --
CMS DEFINITIONS ::= BEGIN
@ -17,7 +17,13 @@ id-pkcs7-signedAndEnvelopedData OBJECT IDENTIFIER ::= { id-pkcs7 4 }
id-pkcs7-digestedData OBJECT IDENTIFIER ::= { id-pkcs7 5 }
id-pkcs7-encryptedData OBJECT IDENTIFIER ::= { id-pkcs7 6 }
CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
CMSVersion ::= INTEGER {
CMSVersion_v0(0),
CMSVersion_v1(1),
CMSVersion_v2(2),
CMSVersion_v3(3),
CMSVersion_v4(4)
}
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier

5
source4/heimdal/lib/asn1/asn1-common.h
View File

@ -1,4 +1,4 @@
/* $Id: asn1-common.h,v 1.5 2005/07/12 06:27:14 lha Exp $ */
/* $Id: asn1-common.h,v 1.6 2006/10/14 05:09:47 lha Exp $ */
#include <stddef.h>
#include <time.h>
@ -43,6 +43,9 @@ typedef struct heim_bit_string {
void *data;
} heim_bit_string;
typedef struct heim_octet_string heim_any;
typedef struct heim_octet_string heim_any_set;
#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R) \
do { \
(BL) = length_##T((S)); \

542
source4/heimdal/lib/asn1/der-protos.h Normal file
View File

@ -0,0 +1,542 @@
/* This is a generated file */
#ifndef __der_protos_h__
#define __der_protos_h__
#include <stdarg.h>
#ifdef __cplusplus
extern "C" {
#endif
int
copy_heim_any (
const heim_any */*from*/,
heim_any */*to*/);
int
copy_heim_any_set (
const heim_any_set */*from*/,
heim_any_set */*to*/);
int
decode_heim_any (
const unsigned char */*p*/,
size_t /*len*/,
heim_any */*data*/,
size_t */*size*/);
int
decode_heim_any_set (
const unsigned char */*p*/,
size_t /*len*/,
heim_any_set */*data*/,
size_t */*size*/);
int
der_copy_bit_string (
const heim_bit_string */*from*/,
heim_bit_string */*to*/);
int
der_copy_bmp_string (
const heim_bmp_string */*from*/,
heim_bmp_string */*to*/);
int
der_copy_general_string (
const heim_general_string */*from*/,
heim_general_string */*to*/);
int
der_copy_heim_integer (
const heim_integer */*from*/,
heim_integer */*to*/);
int
der_copy_ia5_string (
const heim_printable_string */*from*/,
heim_printable_string */*to*/);
int
der_copy_octet_string (
const heim_octet_string */*from*/,
heim_octet_string */*to*/);
int
der_copy_oid (
const heim_oid */*from*/,
heim_oid */*to*/);
int
der_copy_printable_string (
const heim_printable_string */*from*/,
heim_printable_string */*to*/);
int
der_copy_universal_string (
const heim_universal_string */*from*/,
heim_universal_string */*to*/);
int
der_copy_utf8string (
const heim_utf8_string */*from*/,
heim_utf8_string */*to*/);
void
der_free_bit_string (heim_bit_string */*k*/);
void
der_free_bmp_string (heim_bmp_string */*k*/);
void
der_free_general_string (heim_general_string */*str*/);
void
der_free_heim_integer (heim_integer */*k*/);
void
der_free_ia5_string (heim_ia5_string */*str*/);
void
der_free_octet_string (heim_octet_string */*k*/);
void
der_free_oid (heim_oid */*k*/);
void
der_free_printable_string (heim_printable_string */*str*/);
void
der_free_universal_string (heim_universal_string */*k*/);
void
der_free_utf8string (heim_utf8_string */*str*/);
int
der_get_bit_string (
const unsigned char */*p*/,
size_t /*len*/,
heim_bit_string */*data*/,
size_t */*size*/);
int
der_get_bmp_string (
const unsigned char */*p*/,
size_t /*len*/,
heim_bmp_string */*data*/,
size_t */*size*/);
int
der_get_boolean (
const unsigned char */*p*/,
size_t /*len*/,
int */*data*/,
size_t */*size*/);
const char *
der_get_class_name (unsigned /*num*/);
int
der_get_class_num (const char */*name*/);
int
der_get_general_string (
const unsigned char */*p*/,
size_t /*len*/,
heim_general_string */*str*/,
size_t */*size*/);
int
der_get_generalized_time (
const unsigned char */*p*/,
size_t /*len*/,
time_t */*data*/,
size_t */*size*/);
int
der_get_heim_integer (
const unsigned char */*p*/,
size_t /*len*/,
heim_integer */*data*/,
size_t */*size*/);
int
der_get_ia5_string (
const unsigned char */*p*/,
size_t /*len*/,
heim_ia5_string */*str*/,
size_t */*size*/);
int
der_get_integer (
const unsigned char */*p*/,
size_t /*len*/,
int */*ret*/,
size_t */*size*/);
int
der_get_length (
const unsigned char */*p*/,
size_t /*len*/,
size_t */*val*/,
size_t */*size*/);
int
der_get_octet_string (
const unsigned char */*p*/,
size_t /*len*/,
heim_octet_string */*data*/,
size_t */*size*/);
int
der_get_oid (
const unsigned char */*p*/,
size_t /*len*/,
heim_oid */*data*/,
size_t */*size*/);
int
der_get_printable_string (
const unsigned char */*p*/,
size_t /*len*/,
heim_printable_string */*str*/,
size_t */*size*/);
int
der_get_tag (
const unsigned char */*p*/,
size_t /*len*/,
Der_class */*class*/,
Der_type */*type*/,
unsigned int */*tag*/,
size_t */*size*/);
const char *
der_get_tag_name (unsigned /*num*/);
int
der_get_tag_num (const char */*name*/);
const char *
der_get_type_name (unsigned /*num*/);
int
der_get_type_num (const char */*name*/);
int
der_get_universal_string (
const unsigned char */*p*/,
size_t /*len*/,
heim_universal_string */*data*/,
size_t */*size*/);
int
der_get_unsigned (
const unsigned char */*p*/,
size_t /*len*/,
unsigned */*ret*/,
size_t */*size*/);
int
der_get_utctime (
const unsigned char */*p*/,
size_t /*len*/,
time_t */*data*/,
size_t */*size*/);
int
der_get_utf8string (
const unsigned char */*p*/,
size_t /*len*/,
heim_utf8_string */*str*/,
size_t */*size*/);
int
der_heim_bit_string_cmp (
const heim_bit_string */*p*/,
const heim_bit_string */*q*/);
int
der_heim_bmp_string_cmp (
const heim_bmp_string */*p*/,
const heim_bmp_string */*q*/);
int
der_heim_integer_cmp (
const heim_integer */*p*/,
const heim_integer */*q*/);
int
der_heim_octet_string_cmp (
const heim_octet_string */*p*/,
const heim_octet_string */*q*/);
int
der_heim_oid_cmp (
const heim_oid */*p*/,
const heim_oid */*q*/);
int
der_heim_universal_string_cmp (
const heim_universal_string */*p*/,
const heim_universal_string */*q*/);
size_t
der_length_bit_string (const heim_bit_string */*k*/);
size_t
der_length_bmp_string (const heim_bmp_string */*data*/);
size_t
der_length_boolean (const int */*k*/);
size_t
der_length_enumerated (const unsigned */*data*/);
size_t
der_length_general_string (const heim_general_string */*data*/);
size_t
der_length_generalized_time (const time_t */*t*/);
size_t
der_length_heim_integer (const heim_integer */*k*/);
size_t
der_length_ia5_string (const heim_ia5_string */*data*/);
size_t
der_length_integer (const int */*data*/);
size_t
der_length_len (size_t /*len*/);
size_t
der_length_octet_string (const heim_octet_string */*k*/);
size_t
der_length_oid (const heim_oid */*k*/);
size_t
der_length_printable_string (const heim_printable_string */*data*/);
size_t
der_length_universal_string (const heim_universal_string */*data*/);
size_t
der_length_unsigned (const unsigned */*data*/);
size_t
der_length_utctime (const time_t */*t*/);
size_t
der_length_utf8string (const heim_utf8_string */*data*/);
int
der_match_tag (
const unsigned char */*p*/,
size_t /*len*/,
Der_class /*class*/,
Der_type /*type*/,
unsigned int /*tag*/,
size_t */*size*/);
int
der_match_tag_and_length (
const unsigned char */*p*/,
size_t /*len*/,
Der_class /*class*/,
Der_type /*type*/,
unsigned int /*tag*/,
size_t */*length_ret*/,
size_t */*size*/);
int
der_parse_heim_oid (
const char */*str*/,
const char */*sep*/,
heim_oid */*data*/);
int
der_parse_hex_heim_integer (
const char */*p*/,
heim_integer */*data*/);
int
der_print_heim_oid (
const heim_oid */*oid*/,
char /*delim*/,
char **/*str*/);
int
der_print_hex_heim_integer (
const heim_integer */*data*/,
char **/*p*/);
int
der_put_bit_string (
unsigned char */*p*/,
size_t /*len*/,
const heim_bit_string */*data*/,
size_t */*size*/);
int
der_put_bmp_string (
unsigned char */*p*/,
size_t /*len*/,
const heim_bmp_string */*data*/,
size_t */*size*/);
int
der_put_boolean (
unsigned char */*p*/,
size_t /*len*/,
const int */*data*/,
size_t */*size*/);
int
der_put_general_string (
unsigned char */*p*/,
size_t /*len*/,
const heim_general_string */*str*/,
size_t */*size*/);
int
der_put_generalized_time (
unsigned char */*p*/,
size_t /*len*/,
const time_t */*data*/,
size_t */*size*/);
int
der_put_heim_integer (
unsigned char */*p*/,
size_t /*len*/,
const heim_integer */*data*/,
size_t */*size*/);
int
der_put_ia5_string (
unsigned char */*p*/,
size_t /*len*/,
const heim_ia5_string */*str*/,
size_t */*size*/);
int
der_put_integer (
unsigned char */*p*/,
size_t /*len*/,
const int */*v*/,
size_t */*size*/);
int
der_put_length (
unsigned char */*p*/,
size_t /*len*/,
size_t /*val*/,
size_t */*size*/);
int
der_put_length_and_tag (
unsigned char */*p*/,
size_t /*len*/,
size_t /*len_val*/,
Der_class /*class*/,
Der_type /*type*/,
unsigned int /*tag*/,
size_t */*size*/);
int
der_put_octet_string (
unsigned char */*p*/,
size_t /*len*/,
const heim_octet_string */*data*/,
size_t */*size*/);
int
der_put_oid (
unsigned char */*p*/,
size_t /*len*/,
const heim_oid */*data*/,
size_t */*size*/);
int
der_put_printable_string (
unsigned char */*p*/,
size_t /*len*/,
const heim_printable_string */*str*/,
size_t */*size*/);
int
der_put_tag (
unsigned char */*p*/,
size_t /*len*/,
Der_class /*class*/,
Der_type /*type*/,
unsigned int /*tag*/,
size_t */*size*/);
int
der_put_universal_string (
unsigned char */*p*/,
size_t /*len*/,
const heim_universal_string */*data*/,
size_t */*size*/);
int
der_put_unsigned (
unsigned char */*p*/,
size_t /*len*/,
const unsigned */*v*/,
size_t */*size*/);
int
der_put_utctime (
unsigned char */*p*/,
size_t /*len*/,
const time_t */*data*/,
size_t */*size*/);
int
der_put_utf8string (
unsigned char */*p*/,
size_t /*len*/,
const heim_utf8_string */*str*/,
size_t */*size*/);
int
encode_heim_any (
unsigned char */*p*/,
size_t /*len*/,
const heim_any */*data*/,
size_t */*size*/);
int
encode_heim_any_set (
unsigned char */*p*/,
size_t /*len*/,
const heim_any_set */*data*/,
size_t */*size*/);
void
free_heim_any (heim_any */*data*/);
void
free_heim_any_set (heim_any_set */*data*/);
int
heim_any_cmp (
const heim_any_set */*p*/,
const heim_any_set */*q*/);
size_t
length_heim_any (const heim_any */*data*/);
size_t
length_heim_any_set (const heim_any */*data*/);
#ifdef __cplusplus
}
#endif
#endif /* __der_protos_h__ */

157
source4/heimdal/lib/asn1/der.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: der.h,v 1.32 2006/01/30 15:25:25 lha Exp $ */
/* $Id: der.h,v 1.36 2006/10/14 05:16:08 lha Exp $ */
#ifndef __DER_H__
#define __DER_H__
@ -83,164 +83,21 @@ enum {
#define ASN1_INDEFINITE 0xdce0deed
typedef struct asn1_der_time_t {
typedef struct heim_der_time_t {
time_t dt_sec;
unsigned long dt_nsec;
} asn1_der_time_t;
} heim_der_time_t;
typedef struct asn1_ber_time_t {
typedef struct heim_ber_time_t {
time_t bt_sec;
unsigned bt_nsec;
int bt_zone;
} asn1_ber_time_t;
} heim_ber_time_t;
int der_get_unsigned (const unsigned char *p, size_t len,
unsigned *ret, size_t *size);
int der_get_integer (const unsigned char *p, size_t len,
int *ret, size_t *size);
int der_get_heim_integer (const unsigned char *p, size_t len,
heim_integer *ret, size_t *size);
int der_get_boolean(const unsigned char *p, size_t len,
int *data, size_t *size);
int der_get_length (const unsigned char *p, size_t len,
size_t *val, size_t *size);
int der_get_general_string (const unsigned char *p, size_t len,
heim_general_string *str, size_t *size);
int der_get_utf8string (const unsigned char *p, size_t len,
heim_utf8_string *str, size_t *size);
int der_get_universal_string (const unsigned char *p, size_t len,
heim_universal_string *str, size_t *size);
int der_get_bmp_string (const unsigned char *p, size_t len,
heim_bmp_string *str, size_t *size);
int der_get_printable_string (const unsigned char *p, size_t len,
heim_printable_string *str, size_t *size);
int der_get_ia5_string (const unsigned char *p, size_t len,
heim_ia5_string *str, size_t *size);
int der_get_octet_string (const unsigned char *p, size_t len,
heim_octet_string *data, size_t *size);
int der_get_generalized_time (const unsigned char *p, size_t len,
time_t *data, size_t *size);
int der_get_generalized_time_der (const unsigned char *p, size_t len,
asn1_der_time_t *data, size_t *size);
int der_get_generalized_time_ber (const unsigned char *p, size_t len,
asn1_ber_time_t *data, size_t *size);
int der_get_utctime (const unsigned char *p, size_t len,
time_t *data, size_t *size);
int der_get_oid (const unsigned char *p, size_t len,
heim_oid *data, size_t *size);
int der_get_bit_string (const unsigned char *p, size_t len,
heim_bit_string *data, size_t *size);
int der_get_tag (const unsigned char *p, size_t len,
Der_class *class, Der_type *type,
unsigned int *tag, size_t *size);
int der_match_tag (const unsigned char *p, size_t len,
Der_class class, Der_type type,
unsigned int tag, size_t *size);
int der_match_tag_and_length (const unsigned char *p, size_t len,
Der_class class, Der_type type, unsigned int tag,
size_t *length_ret, size_t *size);
int der_put_unsigned (unsigned char *p, size_t len, const unsigned *val, size_t*);
int der_put_integer (unsigned char *p, size_t len, const int *val, size_t*);
int der_put_heim_integer (unsigned char *p, size_t len,
const heim_integer *val, size_t*);
int der_put_boolean (unsigned char *p, size_t len, const int *val, size_t*);
int der_put_length (unsigned char *p, size_t len, size_t val, size_t*);
int der_put_general_string (unsigned char *p, size_t len,
const heim_general_string *str, size_t*);
int der_put_utf8string (unsigned char *p, size_t len,
const heim_utf8_string *str, size_t*);
int der_put_universal_string (unsigned char *p, size_t len,
const heim_universal_string *str, size_t*);
int der_put_bmp_string (unsigned char *p, size_t len,
const heim_bmp_string *str, size_t*);
int der_put_printable_string (unsigned char *p, size_t len,
const heim_printable_string *str, size_t*);
int der_put_ia5_string (unsigned char *p, size_t len,
const heim_ia5_string *str, size_t*);
int der_put_octet_string (unsigned char *p, size_t len,
const heim_octet_string *data, size_t*);
int der_put_generalized_time (unsigned char *p, size_t len,
const time_t *data, size_t *size);
int der_put_utctime (unsigned char *p, size_t len,
const time_t *data, size_t *size);
int der_put_oid (unsigned char *p, size_t len,
const heim_oid *data, size_t *size);
int der_put_bit_string (unsigned char *p, size_t len,
const heim_bit_string *data, size_t *size);
int der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
unsigned int tag, size_t*);
int der_put_length_and_tag (unsigned char*, size_t, size_t,
Der_class, Der_type, unsigned int, size_t*);
void free_integer (int *num);
void free_heim_integer (heim_integer *num);
void free_octet_string (heim_octet_string *k);
void free_general_string (heim_general_string *str);
void free_octet_string (heim_octet_string *k);
void free_oid (heim_oid *k);
void free_bit_string (heim_bit_string *k);
void free_generalized_time (time_t *t);
void free_utctime (time_t *t);
void free_utf8string (heim_utf8_string*);
void free_printable_string (heim_printable_string*);
void free_ia5_string (heim_ia5_string*);
void free_universal_string (heim_universal_string*);
void free_bmp_string (heim_bmp_string*);
size_t length_len (size_t len);
size_t length_integer (const int *data);
size_t length_heim_integer (const heim_integer *data);
size_t length_unsigned (const unsigned *data);
size_t length_enumerated (const unsigned *data);
size_t length_general_string (const heim_general_string *data);
size_t length_octet_string (const heim_octet_string *k);
size_t length_oid (const heim_oid *k);
size_t length_bit_string (const heim_bit_string *k);
size_t length_generalized_time (const time_t *t);
size_t length_utctime (const time_t *t);
size_t length_utf8string (const heim_utf8_string*);
size_t length_printable_string (const heim_printable_string*);
size_t length_ia5_string (const heim_ia5_string*);
size_t length_bmp_string (const heim_bmp_string*);
size_t length_universal_string (const heim_universal_string*);
size_t length_boolean (const int*);
int copy_heim_integer (const heim_integer *, heim_integer *);
int copy_general_string (const heim_general_string *, heim_general_string *);
int copy_octet_string (const heim_octet_string *, heim_octet_string *);
int copy_oid (const heim_oid *from, heim_oid *to);
int copy_bit_string (const heim_bit_string *from, heim_bit_string *to);
int copy_utf8string (const heim_utf8_string*, heim_utf8_string*);
int copy_printable_string (const heim_printable_string*,heim_printable_string*);
int copy_ia5_string (const heim_ia5_string*,heim_ia5_string*);
int copy_universal_string(const heim_universal_string*,heim_universal_string*);
int copy_bmp_string (const heim_bmp_string*,heim_bmp_string*);
int heim_oid_cmp(const heim_oid *, const heim_oid *);
int heim_octet_string_cmp(const heim_octet_string *,const heim_octet_string *);
int heim_bit_string_cmp(const heim_bit_string *, const heim_bit_string *);
int heim_integer_cmp(const heim_integer *, const heim_integer *);
int heim_bmp_string_cmp(const heim_bmp_string *, const heim_bmp_string *);
int heim_universal_string_cmp(const heim_universal_string *,
const heim_universal_string *);
int der_parse_oid(const char *, heim_oid *);
#include <der-protos.h>
int _heim_fix_dce(size_t reallen, size_t *len);
int _heim_der_set_sort(const void *, const void *);
int _heim_time2generalizedtime (time_t, heim_octet_string *, int);
const char * der_get_class_name(unsigned);
int der_get_class_num(const char *);
const char * der_get_type_name(unsigned);
int der_get_type_num(const char *);
const char * der_get_tag_name(unsigned);
int der_get_tag_num(const char *);
int der_parse_hex_heim_integer(const char *, heim_integer *);
int der_print_hex_heim_integer(const heim_integer *, char **);
#endif /* __DER_H__ */

17
source4/heimdal/lib/asn1/der_cmp.c
View File

@ -34,7 +34,7 @@
#include "der_locl.h"
int
heim_oid_cmp(const heim_oid *p, const heim_oid *q)
der_heim_oid_cmp(const heim_oid *p, const heim_oid *q)
{
if (p->length != q->length)
return p->length - q->length;
@ -44,7 +44,8 @@ heim_oid_cmp(const heim_oid *p, const heim_oid *q)
}
int
heim_octet_string_cmp(const heim_octet_string *p, const heim_octet_string *q)
der_heim_octet_string_cmp(const heim_octet_string *p,
const heim_octet_string *q)
{
if (p->length != q->length)
return p->length - q->length;
@ -52,7 +53,8 @@ heim_octet_string_cmp(const heim_octet_string *p, const heim_octet_string *q)
}
int
heim_bit_string_cmp(const heim_bit_string *p, const heim_bit_string *q)
der_heim_bit_string_cmp(const heim_bit_string *p,
const heim_bit_string *q)
{
int i, r1, r2;
if (p->length != q->length)
@ -72,7 +74,8 @@ heim_bit_string_cmp(const heim_bit_string *p, const heim_bit_string *q)
}
int
heim_integer_cmp(const heim_integer *p, const heim_integer *q)
der_heim_integer_cmp(const heim_integer *p,
const heim_integer *q)
{
if (p->negative != q->negative)
return q->negative - p->negative;
@ -82,7 +85,7 @@ heim_integer_cmp(const heim_integer *p, const heim_integer *q)
}
int
heim_bmp_string_cmp(const heim_bmp_string *p, const heim_bmp_string *q)
der_heim_bmp_string_cmp(const heim_bmp_string *p, const heim_bmp_string *q)
{
if (p->length != q->length)
return p->length - q->length;
@ -90,8 +93,8 @@ heim_bmp_string_cmp(const heim_bmp_string *p, const heim_bmp_string *q)
}
int
heim_universal_string_cmp(const heim_universal_string *p,
const heim_universal_string *q)
der_heim_universal_string_cmp(const heim_universal_string *p,
const heim_universal_string *q)
{
if (p->length != q->length)
return p->length - q->length;

35
source4/heimdal/lib/asn1/der_copy.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -33,10 +33,11 @@
#include "der_locl.h"
RCSID("$Id: der_copy.c,v 1.14 2006/01/04 23:41:29 lha Exp $");
RCSID("$Id: der_copy.c,v 1.16 2006/10/14 05:30:02 lha Exp $");
int
copy_general_string (const heim_general_string *from, heim_general_string *to)
der_copy_general_string (const heim_general_string *from,
heim_general_string *to)
{
*to = strdup(*from);
if(*to == NULL)
@ -45,27 +46,27 @@ copy_general_string (const heim_general_string *from, heim_general_string *to)
}
int
copy_utf8string (const heim_utf8_string *from, heim_utf8_string *to)
der_copy_utf8string (const heim_utf8_string *from, heim_utf8_string *to)
{
return copy_general_string(from, to);
return der_copy_general_string(from, to);
}
int
copy_printable_string (const heim_printable_string *from,
der_copy_printable_string (const heim_printable_string *from,
heim_printable_string *to)
{
return copy_general_string(from, to);
return der_copy_general_string(from, to);
}
int
copy_ia5_string (const heim_printable_string *from,
heim_printable_string *to)
der_copy_ia5_string (const heim_printable_string *from,
heim_printable_string *to)
{
return copy_general_string(from, to);
return der_copy_general_string(from, to);
}
int
copy_bmp_string (const heim_bmp_string *from, heim_bmp_string *to)
der_copy_bmp_string (const heim_bmp_string *from, heim_bmp_string *to)
{
to->length = from->length;
to->data = malloc(to->length * sizeof(to->data[0]));
@ -76,8 +77,8 @@ copy_bmp_string (const heim_bmp_string *from, heim_bmp_string *to)
}
int
copy_universal_string (const heim_universal_string *from,
heim_universal_string *to)
der_copy_universal_string (const heim_universal_string *from,
heim_universal_string *to)
{
to->length = from->length;
to->data = malloc(to->length * sizeof(to->data[0]));
@ -88,7 +89,7 @@ copy_universal_string (const heim_universal_string *from,
}
int
copy_octet_string (const heim_octet_string *from, heim_octet_string *to)
der_copy_octet_string (const heim_octet_string *from, heim_octet_string *to)
{
to->length = from->length;
to->data = malloc(to->length);
@ -99,7 +100,7 @@ copy_octet_string (const heim_octet_string *from, heim_octet_string *to)
}
int
copy_heim_integer (const heim_integer *from, heim_integer *to)
der_copy_heim_integer (const heim_integer *from, heim_integer *to)
{
to->length = from->length;
to->data = malloc(to->length);
@ -111,7 +112,7 @@ copy_heim_integer (const heim_integer *from, heim_integer *to)
}
int
copy_oid (const heim_oid *from, heim_oid *to)
der_copy_oid (const heim_oid *from, heim_oid *to)
{
to->length = from->length;
to->components = malloc(to->length * sizeof(*to->components));
@ -123,7 +124,7 @@ copy_oid (const heim_oid *from, heim_oid *to)
}
int
copy_bit_string (const heim_bit_string *from, heim_bit_string *to)
der_copy_bit_string (const heim_bit_string *from, heim_bit_string *to)
{
size_t len;

72
source4/heimdal/lib/asn1/der_format.c
View File

@ -34,7 +34,7 @@
#include "der_locl.h"
#include <hex.h>
RCSID("$Id: der_format.c,v 1.2 2006/01/16 23:01:11 lha Exp $");
RCSID("$Id: der_format.c,v 1.6 2006/10/21 18:24:15 lha Exp $");
int
der_parse_hex_heim_integer (const char *p, heim_integer *data)
@ -73,13 +73,13 @@ der_parse_hex_heim_integer (const char *p, heim_integer *data)
}
{
unsigned char *p = data->data;
while(*p == 0 && len > 0) {
p++;
unsigned char *q = data->data;
while(*q == 0 && len > 0) {
q++;
len--;
}
data->length = len;
memmove(data->data, p, len);
memmove(data->data, q, len);
}
return 0;
}
@ -103,3 +103,65 @@ der_print_hex_heim_integer (const heim_integer *data, char **p)
}
return 0;
}
int
der_print_heim_oid (const heim_oid *oid, char delim, char **str)
{
struct rk_strpool *p = NULL;
int i;
for (i = 0; i < oid->length ; i++) {
p = rk_strpoolprintf(p, "%d%s",
oid->components[i],
i < oid->length - 1 ? " " : "");
if (p == NULL) {
*str = NULL;
return ENOMEM;
}
}
*str = rk_strpoolcollect(p);
if (*str == NULL)
return ENOMEM;
return 0;
}
int
der_parse_heim_oid (const char *str, const char *sep, heim_oid *data)
{
char *s, *w, *brkt, *endptr;
unsigned int *c;
long l;
data->length = 0;
data->components = NULL;
if (sep == NULL)
sep = ".";
s = strdup(str);
for (w = strtok_r(s, sep, &brkt);
w != NULL;
w = strtok_r(NULL, sep, &brkt)) {
c = realloc(data->components,
(data->length + 1) * sizeof(data->components[0]));
if (c == NULL) {
der_free_oid(data);
free(s);
return ENOMEM;
}
data->components = c;
l = strtol(w, &endptr, 10);
if (*endptr != '\0' || l < 0 || l > INT_MAX) {
der_free_oid(data);
free(s);
return EINVAL;
}
data->components[data->length++] = l;
}
free(s);
return 0;
}

25
source4/heimdal/lib/asn1/der_free.c
View File

@ -33,37 +33,38 @@
#include "der_locl.h"
RCSID("$Id: der_free.c,v 1.11 2005/07/12 06:27:21 lha Exp $");
RCSID("$Id: der_free.c,v 1.13 2006/10/14 05:30:47 lha Exp $");
void
free_general_string (heim_general_string *str)
der_free_general_string (heim_general_string *str)
{
free(*str);
*str = NULL;
}
void
free_utf8string (heim_utf8_string *str)
der_free_utf8string (heim_utf8_string *str)
{
free(*str);
*str = NULL;
}
void
free_printable_string (heim_printable_string *str)
der_free_printable_string (heim_printable_string *str)
{
free(*str);
*str = NULL;
}
void
free_ia5_string (heim_ia5_string *str)
der_free_ia5_string (heim_ia5_string *str)
{
free_general_string(str);
free(*str);
*str = NULL;
}
void
free_bmp_string (heim_bmp_string *k)
der_free_bmp_string (heim_bmp_string *k)
{
free(k->data);
k->data = NULL;
@ -71,7 +72,7 @@ free_bmp_string (heim_bmp_string *k)
}
void
free_universal_string (heim_universal_string *k)
der_free_universal_string (heim_universal_string *k)
{
free(k->data);
k->data = NULL;
@ -79,7 +80,7 @@ free_universal_string (heim_universal_string *k)
}
void
free_octet_string (heim_octet_string *k)
der_free_octet_string (heim_octet_string *k)
{
free(k->data);
k->data = NULL;
@ -87,7 +88,7 @@ free_octet_string (heim_octet_string *k)
}
void
free_heim_integer (heim_integer *k)
der_free_heim_integer (heim_integer *k)
{
free(k->data);
k->data = NULL;
@ -95,7 +96,7 @@ free_heim_integer (heim_integer *k)
}
void
free_oid (heim_oid *k)
der_free_oid (heim_oid *k)
{
free(k->components);
k->components = NULL;
@ -103,7 +104,7 @@ free_oid (heim_oid *k)
}
void
free_bit_string (heim_bit_string *k)
der_free_bit_string (heim_bit_string *k)
{
free(k->data);
k->data = NULL;

13
source4/heimdal/lib/asn1/der_get.c
View File

@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_get.c,v 1.45 2006/01/20 10:03:50 lha Exp $");
RCSID("$Id: der_get.c,v 1.50 2006/10/19 16:27:44 lha Exp $");
#include <version.h>
@ -254,6 +254,8 @@ der_get_heim_integer (const unsigned char *p, size_t len,
data->data = malloc(data->length);
if (data->data == NULL) {
data->length = 0;
if (size)
*size = 0;
return ENOMEM;
}
q = &((unsigned char*)data->data)[data->length - 1];
@ -276,6 +278,8 @@ der_get_heim_integer (const unsigned char *p, size_t len,
data->data = malloc(data->length);
if (data->data == NULL && data->length != 0) {
data->length = 0;
if (size)
*size = 0;
return ENOMEM;
}
memcpy(data->data, p, data->length);
@ -305,9 +309,10 @@ generalizedtime2time (const char *s, time_t *t)
}
tm.tm_year -= 1900;
tm.tm_mon -= 1;
*t = timegm (&tm);
*t = _der_timegm (&tm);
return 0;
}
#undef timegm
static int
der_get_time (const unsigned char *p, size_t len,
@ -378,7 +383,7 @@ der_get_oid (const unsigned char *p, size_t len,
u1 = u * 128 + (*p++ % 128);
/* check that we don't overflow the element */
if (u1 < u) {
free_oid(data);
der_free_oid(data);
return ASN1_OVERRUN;
}
u = u1;
@ -386,7 +391,7 @@ der_get_oid (const unsigned char *p, size_t len,
data->components[n] = u;
}
if (n > 2 && p[-1] & 0x80) {
free_oid (data);
der_free_oid (data);
return ASN1_OVERRUN;
}
data->length = n;

36
source4/heimdal/lib/asn1/der_length.c
View File

@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_length.c,v 1.18 2006/01/20 10:04:46 lha Exp $");
RCSID("$Id: der_length.c,v 1.19 2006/10/14 05:26:06 lha Exp $");
size_t
_heim_len_unsigned (unsigned val)
@ -98,7 +98,7 @@ len_oid (const heim_oid *oid)
}
size_t
length_len (size_t len)
der_length_len (size_t len)
{
if (len < 128)
return 1;
@ -113,67 +113,67 @@ length_len (size_t len)
}
size_t
length_integer (const int *data)
der_length_integer (const int *data)
{
return _heim_len_int (*data);
}
size_t
length_unsigned (const unsigned *data)
der_length_unsigned (const unsigned *data)
{
return _heim_len_unsigned(*data);
}
size_t
length_enumerated (const unsigned *data)
der_length_enumerated (const unsigned *data)
{
return _heim_len_int (*data);
}
size_t
length_general_string (const heim_general_string *data)
der_length_general_string (const heim_general_string *data)
{
return strlen(*data);
}
size_t
length_utf8string (const heim_utf8_string *data)
der_length_utf8string (const heim_utf8_string *data)
{
return strlen(*data);
}
size_t
length_printable_string (const heim_printable_string *data)
der_length_printable_string (const heim_printable_string *data)
{
return strlen(*data);
}
size_t
length_ia5_string (const heim_ia5_string *data)
der_length_ia5_string (const heim_ia5_string *data)
{
return strlen(*data);
}
size_t
length_bmp_string (const heim_bmp_string *data)
der_length_bmp_string (const heim_bmp_string *data)
{
return data->length * 2;
}
size_t
length_universal_string (const heim_universal_string *data)
der_length_universal_string (const heim_universal_string *data)
{
return data->length * 4;
}
size_t
length_octet_string (const heim_octet_string *k)
der_length_octet_string (const heim_octet_string *k)
{
return k->length;
}
size_t
length_heim_integer (const heim_integer *k)
der_length_heim_integer (const heim_integer *k)
{
if (k->length == 0)
return 1;
@ -184,13 +184,13 @@ length_heim_integer (const heim_integer *k)
}
size_t
length_oid (const heim_oid *k)
der_length_oid (const heim_oid *k)
{
return len_oid (k);
}
size_t
length_generalized_time (const time_t *t)
der_length_generalized_time (const time_t *t)
{
heim_octet_string k;
size_t ret;
@ -202,7 +202,7 @@ length_generalized_time (const time_t *t)
}
size_t
length_utctime (const time_t *t)
der_length_utctime (const time_t *t)
{
heim_octet_string k;
size_t ret;
@ -214,13 +214,13 @@ length_utctime (const time_t *t)
}
size_t
length_boolean (const int *k)
der_length_boolean (const int *k)
{
return 1;
}
size_t
length_bit_string (const heim_bit_string *k)
der_length_bit_string (const heim_bit_string *k)
{
return (k->length + 7) / 8 + 1;
}

7
source4/heimdal/lib/asn1/der_locl.h
View File

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: der_locl.h,v 1.6 2005/07/12 06:27:22 lha Exp $ */
/* $Id: der_locl.h,v 1.8 2006/10/19 16:24:02 lha Exp $ */
#ifndef __DER_LOCL_H__
#define __DER_LOCL_H__
@ -53,10 +53,7 @@
#include <asn1_err.h>
#include <der.h>
#ifndef HAVE_TIMEGM
time_t timegm (struct tm *);
#endif
time_t _der_timegm (struct tm *);
size_t _heim_len_unsigned (unsigned);
size_t _heim_len_int (int);

3
source4/heimdal/lib/asn1/der_put.c
View File

@ -335,6 +335,9 @@ der_put_utctime (unsigned char *p, size_t len,
return 0;
}
/* This API is not what you might expect. p is a pointer to the *end*
* (last byte) of the buffer, of length len */
int
der_put_oid (unsigned char *p, size_t len,
const heim_oid *data, size_t *size)

115
source4/heimdal/lib/asn1/digest.asn1 Normal file
View File

@ -0,0 +1,115 @@
-- $Id: digest.asn1,v 1.9 2006/08/25 11:57:54 lha Exp $
DIGEST DEFINITIONS ::=
BEGIN
IMPORTS EncryptedData, Principal FROM krb5;
DigestInit ::= SEQUENCE {
type UTF8String, -- http, sasl, chap, cram-md5 --
channel [0] SEQUENCE {
cb-type UTF8String,
cb-binding UTF8String
} OPTIONAL,
hostname [1] UTF8String OPTIONAL -- for chap/cram-md5
}
DigestInitReply ::= SEQUENCE {
nonce UTF8String, -- service nonce/challange
opaque UTF8String, -- server state
identifier [0] UTF8String OPTIONAL
}
DigestRequest ::= SEQUENCE {
type UTF8String, -- http, sasl-md5, chap, cram-md5 --
digest UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
username UTF8String, -- username user used
authid [0] UTF8String OPTIONAL,
authentication-user [1] Principal OPTIONAL, -- principal to get key from
realm [2] UTF8String OPTIONAL,
method [3] UTF8String OPTIONAL,
uri [4] UTF8String OPTIONAL,
serverNonce UTF8String, -- same as "DigestInitReply.nonce"
clientNonce [5] UTF8String OPTIONAL,
nonceCount [6] UTF8String OPTIONAL,
qop [7] UTF8String OPTIONAL,
identifier [8] UTF8String OPTIONAL,
hostname [9] UTF8String OPTIONAL,
opaque UTF8String -- same as "DigestInitReply.opaque"
}
-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key))
-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding)
DigestError ::= SEQUENCE {
reason UTF8String,
code INTEGER (-2147483648..2147483647)
}
DigestResponse ::= SEQUENCE {
responseData UTF8String,
rsp [0] UTF8String OPTIONAL,
tickets [1] SEQUENCE OF OCTET STRING OPTIONAL,
channel [2] SEQUENCE {
cb-type UTF8String,
cb-binding UTF8String
} OPTIONAL,
hash-a1 [3] OCTET STRING OPTIONAL
}
DigestReqInner ::= CHOICE {
init [0] DigestInit,
digestRequest [1] DigestRequest
}
DigestREQ ::= [APPLICATION 128] SEQUENCE {
apReq [0] OCTET STRING,
innerReq [1] EncryptedData
}
DigestRepInner ::= CHOICE {
error [0] DigestError,
initReply [1] DigestInitReply,
response [2] DigestResponse
}
DigestREP ::= [APPLICATION 129] SEQUENCE {
apRep [0] OCTET STRING,
innerRep [1] EncryptedData
}
-- HTTP
-- md5
-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd
-- md5-sess
-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value))
-- qop == auth
-- A2 = Method ":" digest-uri-value
-- qop == auth-int
-- A2 = Method ":" digest-uri-value ":" H(entity-body)
-- request-digest = HEX(KD(HEX(H(A1)),
-- unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2))))
-- no "qop"
-- request-digest = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2))))
-- SASL:
-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } )
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) }
-- A2 = "AUTHENTICATE:", ":", digest-uri-value
-- qop == auth-int,auth-conf
-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000"
-- response-value = HEX( KD ( HEX(H(A1)),
-- { unq(nonce-value), ":" nc-value, ":",
-- unq(cnonce-value), ":", qop-value, ":",
-- HEX(H(A2)) }))
END

6
source4/heimdal/lib/asn1/gen.c
View File

@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen.c,v 1.67 2006/03/31 02:52:21 lha Exp $");
RCSID("$Id: gen.c,v 1.69 2006/10/14 05:11:52 lha Exp $");
FILE *headerfile, *codefile, *logfile;
@ -145,6 +145,9 @@ init_generate (const char *filename, const char *base)
" size_t length;\n"
" void *data;\n"
"} heim_bit_string;\n\n");
fprintf (headerfile,
"typedef struct heim_octet_string heim_any;\n"
"typedef struct heim_octet_string heim_any_set;\n\n");
fputs("#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R) \\\n"
" do { \\\n"
" (BL) = length_##T((S)); \\\n"
@ -774,6 +777,7 @@ generate_type (const Symbol *s)
generate_type_free (s);
generate_type_length (s);
generate_type_copy (s);
generate_type_seq (s);
generate_glue (s->type, s->gen_name);
fprintf(headerfile, "\n\n");
close_codefile();

8
source4/heimdal/lib/asn1/gen_copy.c
View File

@ -33,14 +33,14 @@
#include "gen_locl.h"
RCSID("$Id: gen_copy.c,v 1.16 2005/07/12 06:27:26 lha Exp $");
RCSID("$Id: gen_copy.c,v 1.18 2006/10/14 05:34:19 lha Exp $");
static int used_fail;
static void
copy_primitive (const char *typename, const char *from, const char *to)
{
fprintf (codefile, "if(copy_%s(%s, %s)) goto fail;\n",
fprintf (codefile, "if(der_copy_%s(%s, %s)) goto fail;\n",
typename, from, to);
used_fail++;
}
@ -86,7 +86,7 @@ copy_type (const char *from, const char *to, const Type *t, int preserve)
if ((t->type == TSequence || t->type == TChoice) && preserve) {
fprintf(codefile,
"{ int ret;\n"
"ret = copy_octet_string(&(%s)->_save, &(%s)->_save);\n"
"ret = der_copy_octet_string(&(%s)->_save, &(%s)->_save);\n"
"if (ret) goto fail;\n"
"}\n",
from, to);
@ -140,7 +140,7 @@ copy_type (const char *from, const char *to, const Type *t, int preserve)
if (have_ellipsis) {
fprintf(codefile, "case %s: {\n"
"int ret;\n"
"ret = copy_octet_string(&(%s)->u.%s, &(%s)->u.%s);\n"
"ret=der_copy_octet_string(&(%s)->u.%s, &(%s)->u.%s);\n"
"if (ret) goto fail;\n"
"break;\n"
"}\n",

7
source4/heimdal/lib/asn1/gen_decode.c
View File

@ -34,7 +34,7 @@
#include "gen_locl.h"
#include "lex.h"
RCSID("$Id: gen_decode.c,v 1.29 2005/09/21 00:30:37 lha Exp $");
RCSID("$Id: gen_decode.c,v 1.30 2006/09/24 09:13:12 lha Exp $");
static void
decode_primitive (const char *typename, const char *name, const char *forwstr)
@ -307,7 +307,7 @@ decode_type (const char *name, const Type *t, int optional,
decode_type (s, m->type, m->optional, forwstr, m->gen_name);
free (s);
}
break;
}
case TSet: {
@ -632,7 +632,7 @@ generate_type_decode (const Symbol *s)
case TType:
case TChoice:
fprintf (codefile,
"size_t ret = 0, reallen;\n"
"size_t ret = 0;\n"
"size_t l;\n"
"int e;\n");
if (preserve)
@ -640,7 +640,6 @@ generate_type_decode (const Symbol *s)
fprintf (codefile, "\n");
fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */
fprintf (codefile, "reallen = 0;\n");
decode_type ("data", s->type, 0, "goto fail", "Top");
if (preserve)

8
source4/heimdal/lib/asn1/gen_free.c
View File

@ -33,12 +33,12 @@
#include "gen_locl.h"
RCSID("$Id: gen_free.c,v 1.14 2005/07/25 21:28:29 lha Exp $");
RCSID("$Id: gen_free.c,v 1.16 2006/10/14 05:33:58 lha Exp $");
static void
free_primitive (const char *typename, const char *name)
{
fprintf (codefile, "free_%s(%s);\n", typename, name);
fprintf (codefile, "der_free_%s(%s);\n", typename, name);
}
static void
@ -78,7 +78,7 @@ free_type (const char *name, const Type *t, int preserve)
break;
if ((t->type == TSequence || t->type == TChoice) && preserve)
fprintf(codefile, "free_octet_string(&data->_save);\n");
fprintf(codefile, "der_free_octet_string(&data->_save);\n");
if(t->type == TChoice)
fprintf(codefile, "switch((%s)->element) {\n", name);
@ -115,7 +115,7 @@ free_type (const char *name, const Type *t, int preserve)
if (have_ellipsis)
fprintf(codefile,
"case %s:\n"
"free_octet_string(&(%s)->u.%s);\n"
"der_free_octet_string(&(%s)->u.%s);\n"
"break;",
have_ellipsis->label,
name, have_ellipsis->gen_name);

6
source4/heimdal/lib/asn1/gen_length.c
View File

@ -33,14 +33,14 @@
#include "gen_locl.h"
RCSID("$Id: gen_length.c,v 1.19 2005/08/23 11:51:41 lha Exp $");
RCSID("$Id: gen_length.c,v 1.21 2006/10/14 05:28:28 lha Exp $");
static void
length_primitive (const char *typename,
const char *name,
const char *variable)
{
fprintf (codefile, "%s += length_%s(%s);\n", variable, typename, name);
fprintf (codefile, "%s += der_length_%s(%s);\n", variable, typename, name);
}
static size_t
@ -247,7 +247,7 @@ length_type (const char *name, const Type *t,
if (tname == NULL)
errx(1, "malloc");
length_type (name, t->subtype, variable, tname);
fprintf (codefile, "ret += %lu + length_len (ret);\n",
fprintf (codefile, "ret += %lu + der_length_len (ret);\n",
(unsigned long)length_tag(t->tag.tagvalue));
free(tname);
break;

6
source4/heimdal/lib/asn1/gen_locl.h
View File

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gen_locl.h,v 1.13 2005/08/23 10:48:15 lha Exp $ */
/* $Id: gen_locl.h,v 1.14 2006/09/05 12:29:18 lha Exp $ */
#ifndef __GEN_LOCL_H__
#define __GEN_LOCL_H__
@ -58,11 +58,10 @@ void generate_type (const Symbol *);
void generate_constant (const Symbol *);
void generate_type_encode (const Symbol *);
void generate_type_decode (const Symbol *);
void generate_seq_type_decode (const Symbol *);
void generate_type_free (const Symbol *);
void generate_type_length (const Symbol *);
void generate_type_copy (const Symbol *);
void generate_type_maybe (const Symbol *);
void generate_type_seq (const Symbol *);
void generate_glue (const Type *, const char*);
const char *classname(Der_class);
@ -79,6 +78,7 @@ void add_import(const char *);
int yyparse(void);
int preserve_type(const char *);
int seq_type(const char *);
extern FILE *headerfile, *codefile, *logfile;
extern int dce_fix;

119
source4/heimdal/lib/asn1/gen_seq.c Normal file
View File

@ -0,0 +1,119 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "gen_locl.h"
RCSID("$Id: gen_seq.c,v 1.4 2006/10/04 10:18:10 lha Exp $");
void
generate_type_seq (const Symbol *s)
{
char *subname;
Type *type;
if (!seq_type(s->name))
return;
type = s->type;
while(type->type == TTag)
type = type->subtype;
if (type->type != TSequenceOf) {
printf("%s not seq of %d\n", s->name, (int)type->type);
return;
}
/*
* Require the subtype to be a type so we can name it and use
* copy_/free_
*/
if (type->subtype->type != TType) {
fprintf(stderr, "%s subtype is not a type, can't generate "
"sequence code for this case: %d\n",
s->name, (int)type->subtype->type);
exit(1);
}
subname = type->subtype->symbol->gen_name;
fprintf (headerfile,
"int add_%s (%s *, const %s *);\n"
"int remove_%s (%s *, unsigned int);\n",
s->gen_name, s->gen_name, subname,
s->gen_name, s->gen_name);
fprintf (codefile, "int\n"
"add_%s(%s *data, const %s *element)\n"
"{\n",
s->gen_name, s->gen_name, subname);
fprintf (codefile,
"int ret;\n"
"void *ptr;\n"
"\n"
"ptr = realloc(data->val, \n"
"\t(data->len + 1) * sizeof(data->val[0]));\n"
"if (ptr == NULL) return ENOMEM;\n"
"data->val = ptr;\n\n"
"ret = copy_%s(element, &data->val[data->len]);\n"
"if (ret) return ret;\n"
"data->len++;\n"
"return 0;\n",
subname);
fprintf (codefile, "}\n\n");
fprintf (codefile, "int\n"
"remove_%s(%s *data, unsigned int element)\n"
"{\n",
s->gen_name, s->gen_name);
fprintf (codefile,
"void *ptr;\n"
"\n"
"if (data->len == 0 || element >= data->len)\n"
"\treturn ASN1_OVERRUN;\n"
"free_%s(&data->val[element]);\n"
"data->len--;\n"
/* don't move if its the last element */
"if (element < data->len)\n"
"\tmemmove(&data->val[element], &data->val[element + 1], \n"
"\t\tsizeof(data->val[0]) * data->len);\n"
/* resize but don't care about failures since it doesn't matter */
"ptr = realloc(data->val, data->len * sizeof(data->val[0]));\n"
"if (ptr) data->val = ptr;\n"
"return 0;\n",
subname);
fprintf (codefile, "}\n\n");
}

3
source4/heimdal/lib/asn1/heim_asn1.h
View File

@ -34,9 +34,6 @@
#ifndef __HEIM_ANY_H__
#define __HEIM_ANY_H__ 1
typedef struct heim_octet_string heim_any;
typedef struct heim_octet_string heim_any_set;
int encode_heim_any(unsigned char *, size_t, const heim_any *, size_t *);
int decode_heim_any(const unsigned char *, size_t, heim_any *, size_t *);
void free_heim_any(heim_any *);

48
source4/heimdal/lib/asn1/k5.asn1
View File

@ -1,4 +1,4 @@
-- $Id: k5.asn1,v 1.47 2006/03/27 22:52:11 lha Exp $
-- $Id: k5.asn1,v 1.50 2006/09/11 13:28:59 lha Exp $
KERBEROS5 DEFINITIONS ::=
BEGIN
@ -70,10 +70,11 @@ PADATA-TYPE ::= INTEGER {
KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
KRB5-PADATA-PK-AS-09-BINDING(132) -- client send this to
KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
-- tell KDC that is supports
-- the asCheckSum in the
-- PK-AS-REP
KRB5-PADATA-S4U2SELF(-17)
}
AUTHDATA-TYPE ::= INTEGER {
@ -89,7 +90,8 @@ AUTHDATA-TYPE ::= INTEGER {
KRB5-AUTHDATA-SESAME(65),
KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
KRB5-AUTHDATA-WIN2K-PAC(128),
KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129) -- Authenticator only
KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
KRB5-AUTHDATA-SIGNTICKET(-17)
}
-- checksumtypes
@ -138,12 +140,7 @@ ENCTYPE ::= INTEGER {
ETYPE_DES_CFB64_NONE(-0x1002),
ETYPE_DES_PCBC_NONE(-0x1003),
ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
ETYPE_CRAM_MD5_NONE(-0x1005), -- private use, lukeh@padl.com
ETYPE_RC2_CBC_NONE(-0x1006),
ETYPE_AES128_CBC_NONE(-0x1007),
ETYPE_AES192_CBC_NONE(-0x1008),
ETYPE_AES256_CBC_NONE(-0x1009),
ETYPE_DES3_CBC_NONE_CMS(-0x100a)
ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
}
@ -186,11 +183,13 @@ HostAddresses ::= SEQUENCE OF HostAddress
KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
AuthorizationData ::= SEQUENCE OF SEQUENCE {
AuthorizationDataElement ::= SEQUENCE {
ad-type[0] krb5int32,
ad-data[1] OCTET STRING
}
AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
APOptions ::= BIT STRING {
reserved(0),
use-session-key(1),
@ -307,7 +306,7 @@ Authenticator ::= [APPLICATION 2] SEQUENCE {
subkey[6] EncryptionKey OPTIONAL,
seq-number[7] krb5uint32 OPTIONAL,
authorization-data[8] AuthorizationData OPTIONAL
}
}
PA-DATA ::= SEQUENCE {
-- might be encoded AP-REQ
@ -601,16 +600,29 @@ PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
...
}
-- This is really part of CMS, but its here because KCRYPTO provides
-- the crypto framework for CMS glue in heimdal.
RC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion krb5int32,
iv OCTET STRING -- exactly 8 octets
PA-S4U2Self ::= SEQUENCE {
name[0] PrincipalName,
realm[1] Realm,
cksum[2] Checksum,
auth[3] GeneralString
}
CBCParameter ::= OCTET STRING
KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
-- never encoded on the wire, just used to checksum over
KRB5SignedPathData ::= SEQUENCE {
encticket[0] EncTicketPart,
delegated[1] KRB5SignedPathPrincipals OPTIONAL
}
KRB5SignedPath ::= SEQUENCE {
-- DERcoded KRB5SignedPathData
-- krbtgt key (etype), KeyUsage = XXX
etype[0] ENCTYPE,
cksum[1] Checksum,
-- srvs delegated though
delegated[2] KRB5SignedPathPrincipals OPTIONAL
}
END

1576
source4/heimdal/lib/asn1/lex.c
View File

File diff suppressed because it is too large Load Diff

14
source4/heimdal/lib/asn1/main.c
View File

@ -35,11 +35,12 @@
#include <getarg.h>
#include "lex.h"
RCSID("$Id: main.c,v 1.15 2005/08/23 10:50:12 lha Exp $");
RCSID("$Id: main.c,v 1.16 2006/09/05 12:27:29 lha Exp $");
extern FILE *yyin;
static getarg_strings preserve;
static getarg_strings seq;
int
preserve_type(const char *p)
@ -51,6 +52,16 @@ preserve_type(const char *p)
return 0;
}
int
seq_type(const char *p)
{
int i;
for (i = 0; i < seq.num_strings; i++)
if (strcmp(seq.strings[i], p) == 0)
return 1;
return 0;
}
int dce_fix;
int rfc1510_bitstring;
int version_flag;
@ -59,6 +70,7 @@ struct getargs args[] = {
{ "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring },
{ "decode-dce-ber", 0, arg_flag, &dce_fix },
{ "preserve-binary", 0, arg_strings, &preserve },
{ "sequence", 0, arg_strings, &seq },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
};

356
source4/heimdal/lib/asn1/parse.c
View File

@ -1,7 +1,7 @@
/* A Bison parser, made by GNU Bison 2.0. */
/* A Bison parser, made by GNU Bison 2.1. */
/* Skeleton parser for Yacc-like parsing with Bison,
Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -15,8 +15,8 @@
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA. */
Foundation, Inc., 51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301, USA. */
/* As a special exception, when this file is copied by Bison into a
Bison output file, you may use that output file without restriction.
@ -36,6 +36,9 @@
/* Identify Bison output. */
#define YYBISON 1
/* Bison version. */
#define YYBISON_VERSION "2.1"
/* Skeleton name. */
#define YYSKELETON_NAME "yacc.c"
@ -142,6 +145,7 @@
NUMBER = 344
};
#endif
/* Tokens. */
#define kw_ABSENT 258
#define kw_ABSTRACT_SYNTAX 259
#define kw_ALL 260
@ -277,6 +281,11 @@ struct string_list {
# define YYERROR_VERBOSE 0
#endif
/* Enabling the token table. */
#ifndef YYTOKEN_TABLE
# define YYTOKEN_TABLE 0
#endif
#if ! defined (YYSTYPE) && ! defined (YYSTYPE_IS_DECLARED)
#line 65 "parse.y"
typedef union YYSTYPE {
@ -293,8 +302,8 @@ typedef union YYSTYPE {
struct memhead *members;
struct constraint_spec *constraint_spec;
} YYSTYPE;
/* Line 190 of yacc.c. */
#line 298 "parse.c"
/* Line 196 of yacc.c. */
#line 307 "parse.c"
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
# define YYSTYPE_IS_TRIVIAL 1
@ -305,18 +314,37 @@ typedef union YYSTYPE {
/* Copy the second part of user declarations. */
/* Line 213 of yacc.c. */
#line 310 "parse.c"
/* Line 219 of yacc.c. */
#line 319 "parse.c"
#if ! defined (YYSIZE_T) && defined (__SIZE_TYPE__)
# define YYSIZE_T __SIZE_TYPE__
#endif
#if ! defined (YYSIZE_T) && defined (size_t)
# define YYSIZE_T size_t
#endif
#if ! defined (YYSIZE_T) && (defined (__STDC__) || defined (__cplusplus))
# include <stddef.h> /* INFRINGES ON USER NAME SPACE */
# define YYSIZE_T size_t
#endif
#if ! defined (YYSIZE_T)
# define YYSIZE_T unsigned int
#endif
#ifndef YY_
# if YYENABLE_NLS
# if ENABLE_NLS
# include <libintl.h> /* INFRINGES ON USER NAME SPACE */
# define YY_(msgid) dgettext ("bison-runtime", msgid)
# endif
# endif
# ifndef YY_
# define YY_(msgid) msgid
# endif
#endif
#if ! defined (yyoverflow) || YYERROR_VERBOSE
# ifndef YYFREE
# define YYFREE free
# endif
# ifndef YYMALLOC
# define YYMALLOC malloc
# endif
/* The parser invokes alloca or malloc; define the necessary symbols. */
# ifdef YYSTACK_USE_ALLOCA
@ -325,6 +353,10 @@ typedef union YYSTYPE {
# define YYSTACK_ALLOC __builtin_alloca
# else
# define YYSTACK_ALLOC alloca
# if defined (__STDC__) || defined (__cplusplus)
# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
# define YYINCLUDED_STDLIB_H
# endif
# endif
# endif
# endif
@ -332,13 +364,39 @@ typedef union YYSTYPE {
# ifdef YYSTACK_ALLOC
/* Pacify GCC's `empty if-body' warning. */
# define YYSTACK_FREE(Ptr) do { /* empty */; } while (0)
# else
# if defined (__STDC__) || defined (__cplusplus)
# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
# define YYSIZE_T size_t
# ifndef YYSTACK_ALLOC_MAXIMUM
/* The OS might guarantee only one guard page at the bottom of the stack,
and a page size can be as small as 4096 bytes. So we cannot safely
invoke alloca (N) if N exceeds 4096. Use a slightly smaller number
to allow for a few compiler-allocated temporary stack slots. */
# define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2005 */
# endif
# else
# define YYSTACK_ALLOC YYMALLOC
# define YYSTACK_FREE YYFREE
# ifndef YYSTACK_ALLOC_MAXIMUM
# define YYSTACK_ALLOC_MAXIMUM ((YYSIZE_T) -1)
# endif
# ifdef __cplusplus
extern "C" {
# endif
# ifndef YYMALLOC
# define YYMALLOC malloc
# if (! defined (malloc) && ! defined (YYINCLUDED_STDLIB_H) \
&& (defined (__STDC__) || defined (__cplusplus)))
void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
# endif
# endif
# ifndef YYFREE
# define YYFREE free
# if (! defined (free) && ! defined (YYINCLUDED_STDLIB_H) \
&& (defined (__STDC__) || defined (__cplusplus)))
void free (void *); /* INFRINGES ON USER NAME SPACE */
# endif
# endif
# ifdef __cplusplus
}
# endif
# endif
#endif /* ! defined (yyoverflow) || YYERROR_VERBOSE */
@ -373,7 +431,7 @@ union yyalloc
# define YYCOPY(To, From, Count) \
do \
{ \
register YYSIZE_T yyi; \
YYSIZE_T yyi; \
for (yyi = 0; yyi < (Count); yyi++) \
(To)[yyi] = (From)[yyi]; \
} \
@ -423,7 +481,7 @@ union yyalloc
#define YYUNDEFTOK 2
#define YYMAXUTOK 344
#define YYTRANSLATE(YYX) \
#define YYTRANSLATE(YYX) \
((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX. */
@ -548,8 +606,8 @@ static const unsigned short int yyrline[] =
};
#endif
#if YYDEBUG || YYERROR_VERBOSE
/* YYTNME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE
/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
First, the terminals, then, starting at YYNTOKENS, nonterminals. */
static const char *const yytname[] =
{
@ -804,22 +862,6 @@ static const unsigned char yystos[] =
154
};
#if ! defined (YYSIZE_T) && defined (__SIZE_TYPE__)
# define YYSIZE_T __SIZE_TYPE__
#endif
#if ! defined (YYSIZE_T) && defined (size_t)
# define YYSIZE_T size_t
#endif
#if ! defined (YYSIZE_T)
# if defined (__STDC__) || defined (__cplusplus)
# include <stddef.h> /* INFRINGES ON USER NAME SPACE */
# define YYSIZE_T size_t
# endif
#endif
#if ! defined (YYSIZE_T)
# define YYSIZE_T unsigned int
#endif
#define yyerrok (yyerrstatus = 0)
#define yyclearin (yychar = YYEMPTY)
#define YYEMPTY (-2)
@ -849,8 +891,8 @@ do \
goto yybackup; \
} \
else \
{ \
yyerror ("syntax error: cannot back up");\
{ \
yyerror (YY_("syntax error: cannot back up")); \
YYERROR; \
} \
while (0)
@ -929,7 +971,7 @@ do { \
if (yydebug) \
{ \
YYFPRINTF (stderr, "%s ", Title); \
yysymprint (stderr, \
yysymprint (stderr, \
Type, Value); \
YYFPRINTF (stderr, "\n"); \
} \
@ -977,13 +1019,13 @@ yy_reduce_print (yyrule)
#endif
{
int yyi;
unsigned int yylno = yyrline[yyrule];
YYFPRINTF (stderr, "Reducing stack by rule %d (line %u), ",
unsigned long int yylno = yyrline[yyrule];
YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu), ",
yyrule - 1, yylno);
/* Print the symbols being reduced, and their result. */
for (yyi = yyprhs[yyrule]; 0 <= yyrhs[yyi]; yyi++)
YYFPRINTF (stderr, "%s ", yytname [yyrhs[yyi]]);
YYFPRINTF (stderr, "-> %s\n", yytname [yyr1[yyrule]]);
YYFPRINTF (stderr, "%s ", yytname[yyrhs[yyi]]);
YYFPRINTF (stderr, "-> %s\n", yytname[yyr1[yyrule]]);
}
# define YY_REDUCE_PRINT(Rule) \
@ -1012,7 +1054,7 @@ int yydebug;
if the built-in stack extension method is used).
Do not make this value too large; the results are undefined if
SIZE_MAX < YYSTACK_BYTES (YYMAXDEPTH)
YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH)
evaluated with infinite-precision integer arithmetic. */
#ifndef YYMAXDEPTH
@ -1036,7 +1078,7 @@ yystrlen (yystr)
const char *yystr;
# endif
{
register const char *yys = yystr;
const char *yys = yystr;
while (*yys++ != '\0')
continue;
@ -1061,8 +1103,8 @@ yystpcpy (yydest, yysrc)
const char *yysrc;
# endif
{
register char *yyd = yydest;
register const char *yys = yysrc;
char *yyd = yydest;
const char *yys = yysrc;
while ((*yyd++ = *yys++) != '\0')
continue;
@ -1072,7 +1114,55 @@ yystpcpy (yydest, yysrc)
# endif
# endif
#endif /* !YYERROR_VERBOSE */
# ifndef yytnamerr
/* Copy to YYRES the contents of YYSTR after stripping away unnecessary
quotes and backslashes, so that it's suitable for yyerror. The
heuristic is that double-quoting is unnecessary unless the string
contains an apostrophe, a comma, or backslash (other than
backslash-backslash). YYSTR is taken from yytname. If YYRES is
null, do not copy; instead, return the length of what the result
would have been. */
static YYSIZE_T
yytnamerr (char *yyres, const char *yystr)
{
if (*yystr == '"')
{
size_t yyn = 0;
char const *yyp = yystr;
for (;;)
switch (*++yyp)
{
case '\'':
case ',':
goto do_not_strip_quotes;
case '\\':
if (*++yyp != '\\')
goto do_not_strip_quotes;
/* Fall through. */
default:
if (yyres)
yyres[yyn] = *yyp;
yyn++;
break;
case '"':
if (yyres)
yyres[yyn] = '\0';
return yyn;
}
do_not_strip_quotes: ;
}
if (! yyres)
return yystrlen (yystr);
return yystpcpy (yyres, yystr) - yyres;
}
# endif
#endif /* YYERROR_VERBOSE */
@ -1197,8 +1287,8 @@ yyparse ()
#endif
{
register int yystate;
register int yyn;
int yystate;
int yyn;
int yyresult;
/* Number of tokens to shift before error messages enabled. */
int yyerrstatus;
@ -1216,12 +1306,12 @@ yyparse ()
/* The state stack. */
short int yyssa[YYINITDEPTH];
short int *yyss = yyssa;
register short int *yyssp;
short int *yyssp;
/* The semantic value stack. */
YYSTYPE yyvsa[YYINITDEPTH];
YYSTYPE *yyvs = yyvsa;
register YYSTYPE *yyvsp;
YYSTYPE *yyvsp;
@ -1253,9 +1343,6 @@ yyparse ()
yyssp = yyss;
yyvsp = yyvs;
yyvsp[0] = yylval;
goto yysetstate;
/*------------------------------------------------------------.
@ -1288,7 +1375,7 @@ yyparse ()
data in use in that stack, in bytes. This used to be a
conditional around just the two extra args, but that might
be undefined if yyoverflow is a macro. */
yyoverflow ("parser stack overflow",
yyoverflow (YY_("memory exhausted"),
&yyss1, yysize * sizeof (*yyssp),
&yyvs1, yysize * sizeof (*yyvsp),
@ -1299,11 +1386,11 @@ yyparse ()
}
#else /* no yyoverflow */
# ifndef YYSTACK_RELOCATE
goto yyoverflowlab;
goto yyexhaustedlab;
# else
/* Extend the stack our own way. */
if (YYMAXDEPTH <= yystacksize)
goto yyoverflowlab;
goto yyexhaustedlab;
yystacksize *= 2;
if (YYMAXDEPTH < yystacksize)
yystacksize = YYMAXDEPTH;
@ -1313,7 +1400,7 @@ yyparse ()
union yyalloc *yyptr =
(union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
if (! yyptr)
goto yyoverflowlab;
goto yyexhaustedlab;
YYSTACK_RELOCATE (yyss);
YYSTACK_RELOCATE (yyvs);
@ -2143,10 +2230,11 @@ yyreduce:
break;
default: break;
}
/* Line 1037 of yacc.c. */
#line 2150 "parse.c"
/* Line 1126 of yacc.c. */
#line 2238 "parse.c"
yyvsp -= yylen;
yyssp -= yylen;
@ -2185,12 +2273,36 @@ yyerrlab:
if (YYPACT_NINF < yyn && yyn < YYLAST)
{
YYSIZE_T yysize = 0;
int yytype = YYTRANSLATE (yychar);
const char* yyprefix;
char *yymsg;
YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
YYSIZE_T yysize = yysize0;
YYSIZE_T yysize1;
int yysize_overflow = 0;
char *yymsg = 0;
# define YYERROR_VERBOSE_ARGS_MAXIMUM 5
char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
int yyx;
#if 0
/* This is so xgettext sees the translatable formats that are
constructed on the fly. */
YY_("syntax error, unexpected %s");
YY_("syntax error, unexpected %s, expecting %s");
YY_("syntax error, unexpected %s, expecting %s or %s");
YY_("syntax error, unexpected %s, expecting %s or %s or %s");
YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
#endif
char *yyfmt;
char const *yyf;
static char const yyunexpected[] = "syntax error, unexpected %s";
static char const yyexpecting[] = ", expecting %s";
static char const yyor[] = " or %s";
char yyformat[sizeof yyunexpected
+ sizeof yyexpecting - 1
+ ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
* (sizeof yyor - 1))];
char const *yyprefix = yyexpecting;
/* Start YYX at -YYN if negative to avoid negative indexes in
YYCHECK. */
int yyxbegin = yyn < 0 ? -yyn : 0;
@ -2198,48 +2310,68 @@ yyerrlab:
/* Stay within bounds of both yycheck and yytname. */
int yychecklim = YYLAST - yyn;
int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
int yycount = 0;
int yycount = 1;
yyarg[0] = yytname[yytype];
yyfmt = yystpcpy (yyformat, yyunexpected);
yyprefix = ", expecting ";
for (yyx = yyxbegin; yyx < yyxend; ++yyx)
if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
{
yysize += yystrlen (yyprefix) + yystrlen (yytname [yyx]);
yycount += 1;
if (yycount == 5)
if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
{
yysize = 0;
yycount = 1;
yysize = yysize0;
yyformat[sizeof yyunexpected - 1] = '\0';
break;
}
yyarg[yycount++] = yytname[yyx];
yysize1 = yysize + yytnamerr (0, yytname[yyx]);
yysize_overflow |= yysize1 < yysize;
yysize = yysize1;
yyfmt = yystpcpy (yyfmt, yyprefix);
yyprefix = yyor;
}
yysize += (sizeof ("syntax error, unexpected ")
+ yystrlen (yytname[yytype]));
yymsg = (char *) YYSTACK_ALLOC (yysize);
if (yymsg != 0)
{
char *yyp = yystpcpy (yymsg, "syntax error, unexpected ");
yyp = yystpcpy (yyp, yytname[yytype]);
if (yycount < 5)
yyf = YY_(yyformat);
yysize1 = yysize + yystrlen (yyf);
yysize_overflow |= yysize1 < yysize;
yysize = yysize1;
if (!yysize_overflow && yysize <= YYSTACK_ALLOC_MAXIMUM)
yymsg = (char *) YYSTACK_ALLOC (yysize);
if (yymsg)
{
/* Avoid sprintf, as that infringes on the user's name space.
Don't have undefined behavior even if the translation
produced a string with the wrong number of "%s"s. */
char *yyp = yymsg;
int yyi = 0;
while ((*yyp = *yyf))
{
yyprefix = ", expecting ";
for (yyx = yyxbegin; yyx < yyxend; ++yyx)
if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
{
yyp = yystpcpy (yyp, yyprefix);
yyp = yystpcpy (yyp, yytname[yyx]);
yyprefix = " or ";
}
if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
{
yyp += yytnamerr (yyp, yyarg[yyi++]);
yyf += 2;
}
else
{
yyp++;
yyf++;
}
}
yyerror (yymsg);
YYSTACK_FREE (yymsg);
}
else
yyerror ("syntax error; also virtual memory exhausted");
{
yyerror (YY_("syntax error"));
goto yyexhaustedlab;
}
}
else
#endif /* YYERROR_VERBOSE */
yyerror ("syntax error");
yyerror (YY_("syntax error"));
}
@ -2251,18 +2383,9 @@ yyerrlab:
if (yychar <= YYEOF)
{
/* If at end of input, pop the error token,
then the rest of the stack, then return failure. */
/* Return failure if at end of input. */
if (yychar == YYEOF)
for (;;)
{
YYPOPSTACK;
if (yyssp == yyss)
YYABORT;
yydestruct ("Error: popping",
yystos[*yyssp], yyvsp);
}
YYABORT;
}
else
{
@ -2281,12 +2404,11 @@ yyerrlab:
`---------------------------------------------------*/
yyerrorlab:
#ifdef __GNUC__
/* Pacify GCC when the user code never invokes YYERROR and the label
yyerrorlab therefore never appears in user code. */
/* Pacify compilers like GCC when the user code never invokes
YYERROR and the label yyerrorlab therefore never appears in user
code. */
if (0)
goto yyerrorlab;
#endif
yyvsp -= yylen;
yyssp -= yylen;
@ -2349,23 +2471,29 @@ yyacceptlab:
| yyabortlab -- YYABORT comes here. |
`-----------------------------------*/
yyabortlab:
yydestruct ("Error: discarding lookahead",
yytoken, &yylval);
yychar = YYEMPTY;
yyresult = 1;
goto yyreturn;
#ifndef yyoverflow
/*----------------------------------------------.
| yyoverflowlab -- parser overflow comes here. |
`----------------------------------------------*/
yyoverflowlab:
yyerror ("parser stack overflow");
/*-------------------------------------------------.
| yyexhaustedlab -- memory exhaustion comes here. |
`-------------------------------------------------*/
yyexhaustedlab:
yyerror (YY_("memory exhausted"));
yyresult = 2;
/* Fall through. */
#endif
yyreturn:
if (yychar != YYEOF && yychar != YYEMPTY)
yydestruct ("Cleanup: discarding lookahead",
yytoken, &yylval);
while (yyssp != yyss)
{
yydestruct ("Cleanup: popping",
yystos[*yyssp], yyvsp);
YYPOPSTACK;
}
#ifndef yyoverflow
if (yyss != yyssa)
YYSTACK_FREE (yyss);

13
source4/heimdal/lib/asn1/parse.h
View File

@ -1,7 +1,7 @@
/* A Bison parser, made by GNU Bison 2.0. */
/* A Bison parser, made by GNU Bison 2.1. */
/* Skeleton parser for Yacc-like parsing with Bison,
Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -15,8 +15,8 @@
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA. */
Foundation, Inc., 51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301, USA. */
/* As a special exception, when this file is copied by Bison into a
Bison output file, you may use that output file without restriction.
@ -118,6 +118,7 @@
NUMBER = 344
};
#endif
/* Tokens. */
#define kw_ABSENT 258
#define kw_ABSTRACT_SYNTAX 259
#define kw_ALL 260
@ -225,8 +226,8 @@ typedef union YYSTYPE {
struct memhead *members;
struct constraint_spec *constraint_spec;
} YYSTYPE;
/* Line 1318 of yacc.c. */
#line 230 "parse.h"
/* Line 1447 of yacc.c. */
#line 231 "parse.h"
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
# define YYSTYPE_IS_TRIVIAL 1

161
source4/heimdal/lib/asn1/pkinit.asn1 Normal file
View File

@ -0,0 +1,161 @@
-- $Id$ --
PKINIT DEFINITIONS ::= BEGIN
IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum FROM krb5
IssuerAndSerialNumber, ContentInfo FROM cms
SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
heim_any FROM heim;
id-pkinit OBJECT IDENTIFIER ::=
{ iso (1) org (3) dod (6) internet (1) security (5)
kerberosv5 (2) pkinit (3) }
id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }
id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }
id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }
id-pkinit-san OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
x509-sanan(2) }
id-pkinit-ms-san OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) foo1(4)
foo2(1) foo3(311) foo4(20) foo5(2) foo6(3) }
pa-pk-as-req INTEGER ::= 16
pa-pk-as-rep INTEGER ::= 17
ad-initial-verified-cas INTEGER ::= 9
td-trusted-certifiers INTEGER ::= 104
td-invalid-certificates INTEGER ::= 105
td-dh-parameters INTEGER ::= 109
DHNonce ::= OCTET STRING
TrustedCA ::= SEQUENCE {
caName [0] IMPLICIT OCTET STRING,
certificateSerialNumber [1] INTEGER OPTIONAL,
subjectKeyIdentifier [2] OCTET STRING OPTIONAL,
...
}
ExternalPrincipalIdentifier ::= SEQUENCE {
subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
...
}
ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier
PA-PK-AS-REQ ::= SEQUENCE {
signedAuthPack [0] IMPLICIT OCTET STRING,
trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL,
kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL,
...
}
PKAuthenticator ::= SEQUENCE {
cusec [0] INTEGER -- (0..999999) --,
ctime [1] KerberosTime,
nonce [2] INTEGER (0..4294967295),
paChecksum [3] OCTET STRING OPTIONAL,
...
}
AuthPack ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator,
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
clientDHNonce [3] DHNonce OPTIONAL,
...
}
TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers
KRB5PrincipalName ::= SEQUENCE {
realm [0] Realm,
principalName [1] PrincipalName
}
AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier
DHRepInfo ::= SEQUENCE {
dhSignedData [0] IMPLICIT OCTET STRING,
serverDHNonce [1] DHNonce OPTIONAL
}
PA-PK-AS-REP ::= CHOICE {
dhInfo [0] DHRepInfo,
encKeyPack [1] IMPLICIT OCTET STRING,
...
}
KDCDHKeyInfo ::= SEQUENCE {
subjectPublicKey [0] BIT STRING,
nonce [1] INTEGER (0..4294967295),
dhKeyExpiration [2] KerberosTime OPTIONAL,
...
}
ReplyKeyPack ::= SEQUENCE {
replyKey [0] EncryptionKey,
asChecksum [1] Checksum,
...
}
TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
-- Windows compat glue --
PKAuthenticator-Win2k ::= SEQUENCE {
kdcName [0] PrincipalName,
kdcRealm [1] Realm,
cusec [2] INTEGER (0..4294967295),
ctime [3] KerberosTime,
nonce [4] INTEGER (-2147483648..2147483647)
}
AuthPack-Win2k ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator-Win2k,
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
}
TrustedCA-Win2k ::= CHOICE {
caName [1] heim_any,
issuerAndSerial [2] IssuerAndSerialNumber
}
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
signed-auth-pack [0] IMPLICIT OCTET STRING,
trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
}
PA-PK-AS-REP-Win2k ::= CHOICE {
dhSignedData [0] IMPLICIT OCTET STRING,
encKeyPack [1] IMPLICIT OCTET STRING
}
KDCDHKeyInfo-Win2k ::= SEQUENCE {
nonce [0] INTEGER (-2147483648..2147483647),
subjectPublicKey [2] BIT STRING
}
ReplyKeyPack-Win2k ::= SEQUENCE {
replyKey [0] EncryptionKey,
nonce [1] INTEGER (0..4294967295),
...
}
END

426
source4/heimdal/lib/asn1/rfc2459.asn1 Normal file
View File

@ -0,0 +1,426 @@
-- $Id$ --
-- Definitions from rfc2459/rfc3280
RFC2459 DEFINITIONS ::= BEGIN
IMPORTS heim_any FROM heim;
Version ::= INTEGER {
rfc3280_version_1(0),
rfc3280_version_2(1),
rfc3280_version_3(2)
}
id-pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) 1 }
id-pkcs1-rsaEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 1 }
id-pkcs1-md2WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 2 }
id-pkcs1-md5WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 4 }
id-pkcs1-sha1WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 5 }
id-pkcs1-sha256WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 11 }
id-pkcs1-sha384WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 12 }
id-pkcs1-sha512WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 13 }
id-pkcs-2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) 2 }
id-pkcs2-md2 OBJECT IDENTIFIER ::= { id-pkcs-2 2 }
id-pkcs2-md4 OBJECT IDENTIFIER ::= { id-pkcs-2 4 }
id-pkcs2-md5 OBJECT IDENTIFIER ::= { id-pkcs-2 5 }
id-rsa-digestAlgorithm OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) 2 }
id-rsa-digest-md2 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 2 }
id-rsa-digest-md4 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 4 }
id-rsa-digest-md5 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 5 }
id-pkcs-3 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) 3 }
id-pkcs3-rc2-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 2 }
id-pkcs3-rc4 OBJECT IDENTIFIER ::= { id-pkcs-3 4 }
id-pkcs3-des-ede3-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 7 }
id-rsadsi-encalg OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) 3 }
id-rsadsi-rc2-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 2 }
id-rsadsi-des-ede3-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 7 }
id-secsig-sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
oiw(14) secsig(3) algorithm(2) 26 }
id-nistAlgorithm OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 }
id-nist-aes-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 1 }
id-aes-128-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 2 }
id-aes-192-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 22 }
id-aes-256-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 42 }
id-nist-sha-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 2 }
id-sha256 OBJECT IDENTIFIER ::= { id-nist-sha-algs 1 }
id-sha224 OBJECT IDENTIFIER ::= { id-nist-sha-algs 4 }
id-sha384 OBJECT IDENTIFIER ::= { id-nist-sha-algs 2 }
id-sha512 OBJECT IDENTIFIER ::= { id-nist-sha-algs 3 }
id-dhpublicnumber OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-x942(10046)
number-type(2) 1 }
id-x9-57 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-x942(10046)
4 }
id-dsa OBJECT IDENTIFIER ::= { id-x9-57 1 }
id-dsa-with-sha1 OBJECT IDENTIFIER ::= { id-x9-57 3 }
-- x.520 names types
id-x520-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
id-at-commonName OBJECT IDENTIFIER ::= { id-x520-at 3 }
id-at-surname OBJECT IDENTIFIER ::= { id-x520-at 4 }
id-at-serialNumber OBJECT IDENTIFIER ::= { id-x520-at 5 }
id-at-countryName OBJECT IDENTIFIER ::= { id-x520-at 6 }
id-at-localityName OBJECT IDENTIFIER ::= { id-x520-at 7 }
id-at-stateOrProvinceName OBJECT IDENTIFIER ::= { id-x520-at 8 }
id-at-organizationName OBJECT IDENTIFIER ::= { id-x520-at 10 }
id-at-organizationalUnitName OBJECT IDENTIFIER ::= { id-x520-at 11 }
id-at-name OBJECT IDENTIFIER ::= { id-x520-at 41 }
id-at-givenName OBJECT IDENTIFIER ::= { id-x520-at 42 }
id-at-initials OBJECT IDENTIFIER ::= { id-x520-at 43 }
id-at-generationQualifier OBJECT IDENTIFIER ::= { id-x520-at 44 }
id-at-pseudonym OBJECT IDENTIFIER ::= { id-x520-at 65 }
-- RFC 2247
id-Userid OBJECT IDENTIFIER ::=
{ 0 9 2342 19200300 100 1 1 }
id-domainComponent OBJECT IDENTIFIER ::=
{ 0 9 2342 19200300 100 1 25 }
-- rfc3280
id-x509-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters heim_any OPTIONAL
}
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= heim_any
TeletexStringx ::= [UNIVERSAL 20] IMPLICIT OCTET STRING
DirectoryString ::= CHOICE {
ia5String IA5String,
teletexString TeletexStringx,
printableString PrintableString,
universalString UniversalString,
utf8String UTF8String,
bmpString BMPString
}
Attribute ::= SEQUENCE {
type AttributeType,
value SET OF -- AttributeValue -- heim_any
}
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value DirectoryString
}
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
Name ::= CHOICE {
rdnSequence RDNSequence
}
CertificateSerialNumber ::= INTEGER
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime
}
Validity ::= SEQUENCE {
notBefore Time,
notAfter Time
}
UniqueIdentifier ::= BIT STRING
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING
}
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN OPTIONAL, -- DEFAULT FALSE XXX
extnValue OCTET STRING
}
Extensions ::= SEQUENCE OF Extension -- SIZE (1..MAX)
TBSCertificate ::= SEQUENCE {
version [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
-- If present, version shall be v2 or v3
subjectUniqueID [2] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
-- If present, version shall be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version shall be v3
}
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
Certificates ::= SEQUENCE OF Certificate
ValidationParms ::= SEQUENCE {
seed BIT STRING,
pgenCounter INTEGER
}
DomainParameters ::= SEQUENCE {
p INTEGER, -- odd prime, p=jq +1
g INTEGER, -- generator, g
q INTEGER, -- factor of p-1
j INTEGER OPTIONAL, -- subgroup factor
validationParms ValidationParms OPTIONAL -- ValidationParms
}
DHPublicKey ::= INTEGER
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT heim_any
}
GeneralName ::= CHOICE {
otherName [0] IMPLICIT -- OtherName -- SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT heim_any
},
rfc822Name [1] IMPLICIT IA5String,
dNSName [2] IMPLICIT IA5String,
-- x400Address [3] IMPLICIT ORAddress,--
directoryName [4] IMPLICIT -- Name -- CHOICE {
rdnSequence RDNSequence
},
-- ediPartyName [5] IMPLICIT EDIPartyName, --
uniformResourceIdentifier [6] IMPLICIT IA5String,
iPAddress [7] IMPLICIT OCTET STRING,
registeredID [8] IMPLICIT OBJECT IDENTIFIER
}
GeneralNames ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralName
id-x509-ce-keyUsage OBJECT IDENTIFIER ::= { id-x509-ce 15 }
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8)
}
id-x509-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 35 }
KeyIdentifier ::= OCTET STRING
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL,
authorityCertIssuer [1] IMPLICIT -- GeneralName --
SEQUENCE -- SIZE (1..MAX) -- OF GeneralName OPTIONAL,
authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL
}
id-x509-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 14 }
SubjectKeyIdentifier ::= KeyIdentifier
id-x509-ce-basicConstraints OBJECT IDENTIFIER ::= { id-x509-ce 19 }
BasicConstraints ::= SEQUENCE {
cA BOOLEAN OPTIONAL -- DEFAULT FALSE --,
pathLenConstraint INTEGER (0..4294967295) OPTIONAL
}
id-x509-ce-nameConstraints OBJECT IDENTIFIER ::= { id-x509-ce 30 }
BaseDistance ::= INTEGER -- (0..MAX) --
GeneralSubtree ::= SEQUENCE {
base GeneralName,
minimum [0] IMPLICIT -- BaseDistance -- INTEGER OPTIONAL -- DEFAULT 0 --,
maximum [1] IMPLICIT -- BaseDistance -- INTEGER OPTIONAL
}
GeneralSubtrees ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralSubtree
NameConstraints ::= SEQUENCE {
permittedSubtrees [0] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL,
excludedSubtrees [1] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL
}
id-x509-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-x509-ce 16 }
id-x509-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-x509-ce 32 }
id-x509-ce-policyMappings OBJECT IDENTIFIER ::= { id-x509-ce 33 }
id-x509-ce-subjectAltName OBJECT IDENTIFIER ::= { id-x509-ce 17 }
id-x509-ce-issuerAltName OBJECT IDENTIFIER ::= { id-x509-ce 18 }
id-x509-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-x509-ce 9 }
id-x509-ce-policyConstraints OBJECT IDENTIFIER ::= { id-x509-ce 36 }
id-x509-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-x509-ce 37}
ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER
id-x509-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-x509-ce 31 }
id-x509-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-x509-ce 27 }
id-x509-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-x509-ce 28 }
id-x509-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-x509-ce 23 }
id-x509-ce-invalidityDate OBJECT IDENTIFIER ::= { id-x509-ce 24 }
id-x509-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-x509-ce 29 }
id-x509-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-x509-ce 54 }
-- rfc3279
DSASigValue ::= SEQUENCE {
r INTEGER,
s INTEGER
}
DSAPublicKey ::= INTEGER
DSAParams ::= SEQUENCE {
p INTEGER,
q INTEGER,
g INTEGER
}
-- really pkcs1
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER -- e
}
RSAPrivateKey ::= SEQUENCE {
version INTEGER (0..4294967295),
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER -- (inverse of q) mod p
}
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}
-- some ms ext
-- szOID_ENROLL_CERTTYPE_EXTENSION "1.3.6.1.4.1.311.20.2" is Encoded as a
-- UNICODESTRING (0x1E tag)
-- szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" is Encoded as:
-- TemplateVersion ::= INTEGER (0..4294967295)
-- CertificateTemplate ::= SEQUENCE {
-- templateID OBJECT IDENTIFIER,
-- templateMajorVersion TemplateVersion,
-- templateMinorVersion TemplateVersion OPTIONAL
-- }
--
-- CRL
--
TBSCRLCertList ::= SEQUENCE {
version Version OPTIONAL, -- if present, MUST be v2
signature AlgorithmIdentifier,
issuer Name,
thisUpdate Time,
nextUpdate Time OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate Time,
crlEntryExtensions Extensions OPTIONAL
-- if present, MUST be v2
} OPTIONAL,
crlExtensions [0] EXPLICIT Extensions OPTIONAL
-- if present, MUST be v2
}
CRLCertificateList ::= SEQUENCE {
tbsCertList TBSCRLCertList,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
id-x509-ce-cRLNumber OBJECT IDENTIFIER ::= { id-x509-ce 20 }
id-x509-ce-freshestCRL OBJECT IDENTIFIER ::= { id-x509-ce 46 }
id-x509-ce-cRLReason OBJECT IDENTIFIER ::= { id-x509-ce 21 }
CRLReason ::= ENUMERATED {
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
removeFromCRL (8),
privilegeWithdrawn (9),
aACompromise (10)
}
-- RFC 3820 Proxy Certificate Profile
id-pkix-pe OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 1 }
id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
ProxyPolicy ::= SEQUENCE {
policyLanguage OBJECT IDENTIFIER,
policy OCTET STRING OPTIONAL
}
ProxyCertInfo ::= SEQUENCE {
pCPathLenConstraint INTEGER (0..4294967295) OPTIONAL, -- really MAX
proxyPolicy ProxyPolicy
}
END

4
source4/heimdal/lib/asn1/test.asn1
View File

@ -1,4 +1,4 @@
-- $Id: test.asn1,v 1.8 2006/01/31 09:42:04 lha Exp $ --
-- $Id: test.asn1,v 1.9 2006/09/05 14:00:44 lha Exp $ --
TEST DEFINITIONS ::=
@ -83,4 +83,6 @@ TESTUSERCONSTRAINED ::= OCTET STRING (CONSTRAINED BY { -- meh -- })
-- TESTUSERCONSTRAINED3 ::= OCTET STRING (CONSTRAINED BY { INTEGER })
-- TESTUSERCONSTRAINED4 ::= OCTET STRING (CONSTRAINED BY { INTEGER : 1 })
TESTSeqOf ::= SEQUENCE OF TESTInteger
END

86
source4/heimdal/lib/asn1/timegm.c Normal file
View File

@ -0,0 +1,86 @@
/*
* Copyright (c) 1997 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "der_locl.h"
RCSID("$Id: timegm.c,v 1.11 2006/10/19 16:19:32 lha Exp $");
static int
is_leap(unsigned y)
{
y += 1900;
return (y % 4) == 0 && ((y % 100) != 0 || (y % 400) == 0);
}
/*
* This is a simplifed version of _der_timegm that doesn't accept out
* of bound values that timegm(3) normally accepts but those are not
* valid in asn1 encodings.
*/
time_t
_der_timegm (struct tm *tm)
{
static const unsigned ndays[2][12] ={
{31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
{31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}};
time_t res = 0;
unsigned i;
if (tm->tm_year < 0)
return -1;
if (tm->tm_mon < 0 || tm->tm_mon > 11)
return -1;
if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon])
return -1;
if (tm->tm_hour < 0 || tm->tm_hour > 23)
return -1;
if (tm->tm_min < 0 || tm->tm_min > 59)
return -1;
if (tm->tm_sec < 0 || tm->tm_sec > 59)
return -1;
for (i = 70; i < tm->tm_year; ++i)
res += is_leap(i) ? 366 : 365;
for (i = 0; i < tm->tm_mon; ++i)
res += ndays[is_leap(tm->tm_year)][i];
res += tm->tm_mday - 1;
res *= 24;
res += tm->tm_hour;
res *= 60;
res += tm->tm_min;
res *= 60;
res += tm->tm_sec;
return res;
}

1416
source4/heimdal/lib/com_err/lex.c
View File

File diff suppressed because it is too large Load Diff

1810
source4/heimdal/lib/com_err/parse.c
View File

File diff suppressed because it is too large Load Diff

75
source4/heimdal/lib/com_err/parse.h
View File

@ -1,70 +1,15 @@
/* A Bison parser, made by GNU Bison 2.0. */
/* Skeleton parser for Yacc-like parsing with Bison,
Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA. */
/* As a special exception, when this file is copied by Bison into a
Bison output file, you may use that output file without restriction.
This special exception was added by the Free Software Foundation
in version 1.24 of Bison. */
/* Tokens. */
#ifndef YYTOKENTYPE
# define YYTOKENTYPE
/* Put the tokens into the symbol table, so that GDB and other debuggers
know about them. */
enum yytokentype {
ET = 258,
INDEX = 259,
PREFIX = 260,
EC = 261,
ID = 262,
END = 263,
STRING = 264,
NUMBER = 265
};
#endif
#define ET 258
#define INDEX 259
#define PREFIX 260
#define EC 261
#define ID 262
#define END 263
#define STRING 264
#define NUMBER 265
#if ! defined (YYSTYPE) && ! defined (YYSTYPE_IS_DECLARED)
#line 53 "parse.y"
typedef union YYSTYPE {
typedef union {
char *string;
int number;
} YYSTYPE;
/* Line 1318 of yacc.c. */
#line 62 "parse.h"
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
# define YYSTYPE_IS_TRIVIAL 1
#endif
#define ET 257
#define INDEX 258
#define PREFIX 259
#define EC 260
#define ID 261
#define END 262
#define STRING 263
#define NUMBER 264
extern YYSTYPE yylval;

83
source4/heimdal/lib/des/evp.c
View File

@ -17,14 +17,19 @@
#include <md4.h>
#include <md5.h>
typedef int (*evp_md_init)(EVP_MD_CTX *);
typedef int (*evp_md_update)(EVP_MD_CTX *,const void *, size_t);
typedef int (*evp_md_final)(void *, EVP_MD_CTX *);
typedef int (*evp_md_cleanup)(EVP_MD_CTX *);
struct hc_evp_md {
int hash_size;
int block_size;
int ctx_size;
int (*init)(EVP_MD_CTX *);
int (*update)(EVP_MD_CTX *,const void *, size_t );
int (*final)(void *, EVP_MD_CTX *);
int (*cleanup)(EVP_MD_CTX *);
evp_md_init init;
evp_md_update update;
evp_md_final final;
evp_md_cleanup cleanup;
};
/*
@ -151,19 +156,18 @@ EVP_Digest(const void *data, size_t dsize, void *hash, unsigned int *hsize,
*
*/
static const struct hc_evp_md sha256 = {
32,
64,
sizeof(SHA256_CTX),
(void *)SHA256_Init,
(void *)SHA256_Update,
(void *)SHA256_Final,
NULL
};
const EVP_MD *
EVP_sha256(void)
{
static const struct hc_evp_md sha256 = {
32,
64,
sizeof(SHA256_CTX),
(evp_md_init)SHA256_Init,
(evp_md_update)SHA256_Update,
(evp_md_final)SHA256_Final,
NULL
};
return &sha256;
}
@ -171,9 +175,9 @@ static const struct hc_evp_md sha1 = {
20,
64,
sizeof(SHA_CTX),
(void *)SHA1_Init,
(void *)SHA1_Update,
(void *)SHA1_Final,
(evp_md_init)SHA1_Init,
(evp_md_update)SHA1_Update,
(evp_md_final)SHA1_Final,
NULL
};
@ -196,9 +200,9 @@ EVP_md5(void)
16,
64,
sizeof(MD5_CTX),
(void *)MD5_Init,
(void *)MD5_Update,
(void *)MD5_Final,
(evp_md_init)MD5_Init,
(evp_md_update)MD5_Update,
(evp_md_final)MD5_Final,
NULL
};
return &md5;
@ -211,9 +215,9 @@ EVP_md4(void)
16,
64,
sizeof(MD4_CTX),
(void *)MD4_Init,
(void *)MD4_Update,
(void *)MD4_Final,
(evp_md_init)MD4_Init,
(evp_md_update)MD4_Update,
(evp_md_final)MD4_Final,
NULL
};
return &md4;
@ -226,9 +230,9 @@ EVP_md2(void)
16,
16,
sizeof(MD2_CTX),
(void *)MD2_Init,
(void *)MD2_Update,
(void *)MD2_Final,
(evp_md_init)MD2_Init,
(evp_md_update)MD2_Update,
(evp_md_final)MD2_Final,
NULL
};
return &md2;
@ -258,9 +262,9 @@ EVP_md_null(void)
0,
0,
0,
(void *)null_Init,
(void *)null_Update,
(void *)null_Final,
(evp_md_init)null_Init,
(evp_md_update)null_Update,
(evp_md_final)null_Final,
NULL
};
return &null;
@ -878,3 +882,24 @@ EVP_BytesToKey(const EVP_CIPHER *type,
return EVP_CIPHER_key_length(type);
}
/*
*
*/
void
OpenSSL_add_all_algorithms(void)
{
return;
}
void
OpenSSL_add_all_algorithms_conf(void)
{
return;
}
void
OpenSSL_add_all_algorithms_noconf(void)
{
return;
}

13
source4/heimdal/lib/des/evp.h
View File

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: evp.h,v 1.8 2006/04/21 15:00:54 lha Exp $ */
/* $Id: evp.h,v 1.11 2006/10/07 17:21:24 lha Exp $ */
#ifndef HEIM_EVP_H
#define HEIM_EVP_H 1
@ -89,6 +89,9 @@
#define PKCS5_PBKDF2_HMAC_SHA1 hc_PKCS5_PBKDF2_HMAC_SHA1
#define EVP_BytesToKey hc_EVP_BytesToKey
#define EVP_get_cipherbyname hc_EVP_get_cipherbyname
#define OpenSSL_add_all_algorithms hc_OpenSSL_add_all_algorithms
#define OpenSSL_add_all_algorithms_conf hc_OpenSSL_add_all_algorithms_conf
#define OpenSSL_add_all_algorithms_noconf hc_OpenSSL_add_all_algorithms_noconf
/*
*
@ -241,4 +244,12 @@ int EVP_BytesToKey(const EVP_CIPHER *, const EVP_MD *,
unsigned int, void *, void *);
/*
*
*/
void OpenSSL_add_all_algorithms(void);
void OpenSSL_add_all_algorithms_conf(void);
void OpenSSL_add_all_algorithms_noconf(void);
#endif /* HEIM_EVP_H */

4
source4/heimdal/lib/des/hmac.c
View File

@ -29,8 +29,8 @@ HMAC_CTX_cleanup(HMAC_CTX *ctx)
ctx->ipad = NULL;
}
if (ctx->ctx) {
EVP_MD_CTX_destroy(ctx->ctx);
ctx->ctx = NULL;
EVP_MD_CTX_destroy(ctx->ctx);
ctx->ctx = NULL;
}
}

153
source4/heimdal/lib/des/rand-unix.c Normal file
View File

@ -0,0 +1,153 @@
/*
* Copyright (c) 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id: rand-unix.c,v 1.2 2006/10/21 21:09:14 lha Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <rand.h>
#include <roken.h>
/*
* Unix /dev/random
*/
static int
get_device_fd(int flags)
{
static const char *rnd_devices[] = {
"/dev/urandom",
"/dev/random",
"/dev/srandom",
"/dev/arandom",
NULL
};
const char **p;
for(p = rnd_devices; *p; p++) {
int fd = open(*p, flags | O_NDELAY);
if(fd >= 0)
return fd;
}
return -1;
}
static void
unix_seed(const void *indata, int size)
{
int fd;
if (size <= 0)
return;
fd = get_device_fd(O_WRONLY);
if (fd < 0)
return;
write(fd, indata, size);
close(fd);
}
static int
unix_bytes(unsigned char *outdata, int size)
{
ssize_t count;
int fd;
if (size <= 0)
return 0;
fd = get_device_fd(O_RDONLY);
if (fd < 0)
return 0;
while (size > 0) {
count = read (fd, outdata, size);
if (count < 0 && errno == EINTR)
continue;
else if (count <= 0) {
close(fd);
return 0;
}
outdata += count;
size -= count;
}
close(fd);
return 1;
}
static void
unix_cleanup(void)
{
}
static void
unix_add(const void *indata, int size, double entropi)
{
unix_seed(indata, size);
}
static int
unix_pseudorand(unsigned char *outdata, int size)
{
return unix_bytes(outdata, size);
}
static int
unix_status(void)
{
int fd;
fd = get_device_fd(O_RDONLY);
if (fd < 0)
return 0;
close(fd);
return 1;
}
const RAND_METHOD hc_rand_unix_method = {
unix_seed,
unix_bytes,
unix_cleanup,
unix_add,
unix_pseudorand,
unix_status
};

120
source4/heimdal/lib/des/rand.c Normal file
View File

@ -0,0 +1,120 @@
/*
* Copyright (c) 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id: rand.c,v 1.7 2006/10/16 10:23:01 lha Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <rand.h>
#include <roken.h>
extern RAND_METHOD hc_rand_unix_method;
static const RAND_METHOD *selected_meth = &hc_rand_unix_method;
void
RAND_seed(const void *indata, size_t size)
{
(*selected_meth->seed)(indata, size);
}
int
RAND_bytes(void *outdata, size_t size)
{
return (*selected_meth->bytes)(outdata, size);
}
void
RAND_cleanup(void)
{
(*selected_meth->cleanup)();
}
void
RAND_add(const void *indata, size_t size, double entropi)
{
(*selected_meth->add)(indata, size, entropi);
}
int
RAND_pseudo_bytes(void *outdata, size_t size)
{
return (*selected_meth->pseudorand)(outdata, size);
}
int
RAND_status(void)
{
return (*selected_meth->status)();
}
int
RAND_set_rand_method(const RAND_METHOD *meth)
{
selected_meth = meth;
return 1;
}
const RAND_METHOD *
RAND_get_rand_method(void)
{
return selected_meth;
}
int
RAND_set_rand_engine(ENGINE *engine)
{
return 1;
}
int
RAND_load_file(const char *filename, size_t size)
{
return 1;
}
int
RAND_write_file(const char *filename)
{
return 1;
}
int
RAND_egd(const char *filename)
{
return 1;
}

22
source4/heimdal/lib/des/ui.c
View File

@ -33,7 +33,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
RCSID("$Id: ui.c,v 1.5 2006/01/08 21:47:29 lha Exp $");
RCSID("$Id: ui.c,v 1.6 2006/09/22 15:45:57 lha Exp $");
#endif
#include <stdio.h>
@ -53,11 +53,16 @@ intr(int sig)
intr_flag++;
}
#ifndef NSIG
#define NSIG 47
#endif
static int
read_string(const char *preprompt, const char *prompt,
char *buf, size_t len, int echo)
{
struct sigaction sigs[47];
struct sigaction sigs[NSIG];
int oksigs[NSIG];
struct sigaction sa;
FILE *tty;
int ret = 0;
@ -68,12 +73,16 @@ read_string(const char *preprompt, const char *prompt,
struct termios t_new, t_old;
memset(&oksigs, 0, sizeof(oksigs));
memset(&sa, 0, sizeof(sa));
sa.sa_handler = intr;
sigemptyset(&sa.sa_mask);
sa.sa_flags = 0;
for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
if (i != SIGALRM) sigaction(i, &sa, &sigs[i]);
for(i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
if (i != SIGALRM)
if (sigaction(i, &sa, &sigs[i]) == 0)
oksigs[i] = 1;
if((tty = fopen("/dev/tty", "r")) == NULL)
tty = stdin;
@ -114,8 +123,9 @@ read_string(const char *preprompt, const char *prompt,
if(tty != stdin)
fclose(tty);
for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
if (i != SIGALRM) sigaction(i, &sigs[i], NULL);
for(i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
if (oksigs[i])
sigaction(i, &sigs[i], NULL);
if(ret)
return -3;

1176
source4/heimdal/lib/gssapi/accept_sec_context.c
View File

File diff suppressed because it is too large Load Diff

797
source4/heimdal/lib/gssapi/gssapi.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* Copyright (c) 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -31,802 +31,11 @@
* SUCH DAMAGE.
*/
/* $Id: gssapi.h,v 1.40 2006/05/05 11:08:29 lha Exp $ */
/* $Id: gssapi.h,v 1.50 2006/10/07 20:57:15 lha Exp $ */
#ifndef GSSAPI_H_
#define GSSAPI_H_
/*
* First, include stddef.h to get size_t defined.
*/
#include <stddef.h>
#include <gssapi/gssapi.h>
#include <krb5-types.h>
/*
* Now define the three implementation-dependent types.
*/
typedef uint32_t OM_uint32;
typedef uint32_t gss_uint32;
/*
* This is to avoid having to include <krb5.h>
*/
struct krb5_auth_context_data;
struct Principal;
/* typedef void *gss_name_t; */
typedef struct Principal *gss_name_t;
struct gss_ctx_id_t_desc_struct;
typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t;
typedef struct gss_OID_desc_struct {
OM_uint32 length;
void *elements;
} gss_OID_desc, *gss_OID;
typedef struct gss_OID_set_desc_struct {
size_t count;
gss_OID elements;
} gss_OID_set_desc, *gss_OID_set;
struct krb5_keytab_data;
struct krb5_ccache_data;
typedef int gss_cred_usage_t;
struct gss_cred_id_t_desc_struct;
typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t;
typedef struct gss_buffer_desc_struct {
size_t length;
void *value;
} gss_buffer_desc, *gss_buffer_t;
typedef struct gss_channel_bindings_struct {
OM_uint32 initiator_addrtype;
gss_buffer_desc initiator_address;
OM_uint32 acceptor_addrtype;
gss_buffer_desc acceptor_address;
gss_buffer_desc application_data;
} *gss_channel_bindings_t;
/*
* For now, define a QOP-type as an OM_uint32
*/
typedef OM_uint32 gss_qop_t;
/*
* Flag bits for context-level services.
*/
#define GSS_C_DELEG_FLAG 1 /* 0x00000001 */
#define GSS_C_MUTUAL_FLAG 2 /* 0x00000002 */
#define GSS_C_REPLAY_FLAG 4 /* 0x00000004 */
#define GSS_C_SEQUENCE_FLAG 8 /* 0x00000008 */
#define GSS_C_CONF_FLAG 16 /* 0x00000010 */
#define GSS_C_INTEG_FLAG 32 /* 0x00000020 */
#define GSS_C_ANON_FLAG 64 /* 0x00000040 */
#define GSS_C_PROT_READY_FLAG 128 /* 0x00000080 */
#define GSS_C_TRANS_FLAG 256 /* 0x00000100 */
/* these are from draft-brezak-win2k-krb-rc4-hmac-04.txt */
#define GSS_C_DCE_STYLE 4096 /* 0x00001000 */
#define GSS_C_IDENTIFY_FLAG 8192 /* 0x00002000 */
#define GSS_C_EXTENDED_ERROR_FLAG 16384 /* 0x00004000 */
/*
* Credential usage options
*/
#define GSS_C_BOTH 0
#define GSS_C_INITIATE 1
#define GSS_C_ACCEPT 2
/*
* Status code types for gss_display_status
*/
#define GSS_C_GSS_CODE 1
#define GSS_C_MECH_CODE 2
/*
* The constant definitions for channel-bindings address families
*/
#define GSS_C_AF_UNSPEC 0
#define GSS_C_AF_LOCAL 1
#define GSS_C_AF_INET 2
#define GSS_C_AF_IMPLINK 3
#define GSS_C_AF_PUP 4
#define GSS_C_AF_CHAOS 5
#define GSS_C_AF_NS 6
#define GSS_C_AF_NBS 7
#define GSS_C_AF_ECMA 8
#define GSS_C_AF_DATAKIT 9
#define GSS_C_AF_CCITT 10
#define GSS_C_AF_SNA 11
#define GSS_C_AF_DECnet 12
#define GSS_C_AF_DLI 13
#define GSS_C_AF_LAT 14
#define GSS_C_AF_HYLINK 15
#define GSS_C_AF_APPLETALK 16
#define GSS_C_AF_BSC 17
#define GSS_C_AF_DSS 18
#define GSS_C_AF_OSI 19
#define GSS_C_AF_X25 21
#define GSS_C_AF_INET6 24
#define GSS_C_AF_NULLADDR 255
/*
* Various Null values
*/
#define GSS_C_NO_NAME ((gss_name_t) 0)
#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
#define GSS_C_NO_OID ((gss_OID) 0)
#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
#define GSS_C_EMPTY_BUFFER {0, NULL}
/*
* Some alternate names for a couple of the above
* values. These are defined for V1 compatibility.
*/
#define GSS_C_NULL_OID GSS_C_NO_OID
#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
/*
* Define the default Quality of Protection for per-message
* services. Note that an implementation that offers multiple
* levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
* (as done here) to mean "default protection", or to a specific
* explicit QOP value. However, a value of 0 should always be
* interpreted by a GSSAPI implementation as a request for the
* default protection level.
*/
#define GSS_C_QOP_DEFAULT 0
#define GSS_KRB5_CONF_C_QOP_DES 0x0100
#define GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200
/*
* Expiration time of 2^32-1 seconds means infinite lifetime for a
* credential or security context
*/
#define GSS_C_INDEFINITE 0xfffffffful
#ifdef __cplusplus
extern "C" {
#endif
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x01"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
* GSS_C_NT_USER_NAME should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_USER_NAME;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x02"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
* The constant GSS_C_NT_MACHINE_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x03"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
* The constant GSS_C_NT_STRING_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_STRING_UID_NAME;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
* corresponding to an object-identifier value of
* {iso(1) org(3) dod(6) internet(1) security(5)
* nametypes(6) gss-host-based-services(2)). The constant
* GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
* to that gss_OID_desc. This is a deprecated OID value, and
* implementations wishing to support hostbased-service names
* should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
* defined below, to identify such names;
* GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
* for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
* parameter, but should not be emitted by GSS-API
* implementations
*/
extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x04"}, corresponding to an
* object-identifier value of {iso(1) member-body(2)
* Unites States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) service_name(4)}. The constant
* GSS_C_NT_HOSTBASED_SERVICE should be initialized
* to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\01\x05\x06\x03"},
* corresponding to an object identifier value of
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
* 6(nametypes), 3(gss-anonymous-name)}. The constant
* and GSS_C_NT_ANONYMOUS should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_ANONYMOUS;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
* corresponding to an object-identifier value of
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
* 6(nametypes), 4(gss-api-exported-name)}. The constant
* GSS_C_NT_EXPORT_NAME should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_EXPORT_NAME;
/*
* RFC2478, SPNEGO:
* The security mechanism of the initial
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
extern gss_OID GSS_SPNEGO_MECHANISM;
/*
* This if for kerberos5 names.
*/
extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
extern gss_OID GSS_KRB5_NT_USER_NAME;
extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
extern gss_OID GSS_KRB5_MECHANISM;
/* for compatibility with MIT api */
#define gss_mech_krb5 GSS_KRB5_MECHANISM
#define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME
/* Major status codes */
#define GSS_S_COMPLETE 0
/*
* Some "helper" definitions to make the status code macros obvious.
*/
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_SUPPLEMENTARY_OFFSET 0
#define GSS_C_CALLING_ERROR_MASK 0377ul
#define GSS_C_ROUTINE_ERROR_MASK 0377ul
#define GSS_C_SUPPLEMENTARY_MASK 0177777ul
/*
* The macros that test status codes for error conditions.
* Note that the GSS_ERROR() macro has changed slightly from
* the V1 GSSAPI so that it now evaluates its argument
* only once.
*/
#define GSS_CALLING_ERROR(x) \
(x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x) \
(x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) \
(x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
#define GSS_ERROR(x) \
(x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
(GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
/*
* Now the actual status code definitions
*/
/*
* Calling errors:
*/
#define GSS_S_CALL_INACCESSIBLE_READ \
(1ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_CALL_INACCESSIBLE_WRITE \
(2ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_CALL_BAD_STRUCTURE \
(3ul << GSS_C_CALLING_ERROR_OFFSET)
/*
* Routine errors:
*/
#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_MIC GSS_S_BAD_SIG
#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
/*
* Supplementary info bits:
*/
#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
/*
* From RFC1964:
*
* 4.1.1. Non-Kerberos-specific codes
*/
#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1
/* "No @ in SERVICE-NAME name string" */
#define GSS_KRB5_S_G_BAD_STRING_UID 2
/* "STRING-UID-NAME contains nondigits" */
#define GSS_KRB5_S_G_NOUSER 3
/* "UID does not resolve to username" */
#define GSS_KRB5_S_G_VALIDATE_FAILED 4
/* "Validation error" */
#define GSS_KRB5_S_G_BUFFER_ALLOC 5
/* "Couldn't allocate gss_buffer_t data" */
#define GSS_KRB5_S_G_BAD_MSG_CTX 6
/* "Message context invalid" */
#define GSS_KRB5_S_G_WRONG_SIZE 7
/* "Buffer is the wrong size" */
#define GSS_KRB5_S_G_BAD_USAGE 8
/* "Credential usage type is unknown" */
#define GSS_KRB5_S_G_UNKNOWN_QOP 9
/* "Unknown quality of protection specified" */
/*
* 4.1.2. Kerberos-specific-codes
*/
#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10
/* "Principal in credential cache does not match desired name" */
#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11
/* "No principal in keytab matches desired name" */
#define GSS_KRB5_S_KG_TGT_MISSING 12
/* "Credential cache has no TGT" */
#define GSS_KRB5_S_KG_NO_SUBKEY 13
/* "Authenticator has no subkey" */
#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14
/* "Context is already fully established" */
#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15
/* "Unknown signature type in token" */
#define GSS_KRB5_S_KG_BAD_LENGTH 16
/* "Invalid field length in token" */
#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17
/* "Attempt to use incomplete security context" */
/*
* Finally, function prototypes for the GSS-API routines.
*/
OM_uint32 gss_acquire_cred
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
OM_uint32 /*time_req*/,
const gss_OID_set /*desired_mechs*/,
gss_cred_usage_t /*cred_usage*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_release_cred
(OM_uint32 * /*minor_status*/,
gss_cred_id_t * /*cred_handle*/
);
OM_uint32 gss_init_sec_context
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*initiator_cred_handle*/,
gss_ctx_id_t * /*context_handle*/,
const gss_name_t /*target_name*/,
const gss_OID /*mech_type*/,
OM_uint32 /*req_flags*/,
OM_uint32 /*time_req*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
const gss_buffer_t /*input_token*/,
gss_OID * /*actual_mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_accept_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
const gss_cred_id_t /*acceptor_cred_handle*/,
const gss_buffer_t /*input_token_buffer*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
gss_name_t * /*src_name*/,
gss_OID * /*mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * /*time_rec*/,
gss_cred_id_t * /*delegated_cred_handle*/
);
OM_uint32 gss_process_context_token
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*token_buffer*/
);
OM_uint32 gss_delete_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*output_token*/
);
OM_uint32 gss_context_time
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_get_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_wrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unwrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_display_status
(OM_uint32 * /*minor_status*/,
OM_uint32 /*status_value*/,
int /*status_type*/,
const gss_OID /*mech_type*/,
OM_uint32 * /*message_context*/,
gss_buffer_t /*status_string*/
);
OM_uint32 gss_indicate_mechs
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*mech_set*/
);
OM_uint32 gss_compare_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*name1*/,
const gss_name_t /*name2*/,
int * /*name_equal*/
);
OM_uint32 gss_display_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*output_name_buffer*/,
gss_OID * /*output_name_type*/
);
OM_uint32 gss_import_name
(OM_uint32 * /*minor_status*/,
const gss_buffer_t /*input_name_buffer*/,
const gss_OID /*input_name_type*/,
gss_name_t * /*output_name*/
);
OM_uint32 gss_export_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*exported_name*/
);
OM_uint32 gss_release_name
(OM_uint32 * /*minor_status*/,
gss_name_t * /*input_name*/
);
OM_uint32 gss_release_buffer
(OM_uint32 * /*minor_status*/,
gss_buffer_t /*buffer*/
);
OM_uint32 gss_release_oid_set
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*set*/
);
OM_uint32 gss_inquire_cred
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
gss_name_t * /*name*/,
OM_uint32 * /*lifetime*/,
gss_cred_usage_t * /*cred_usage*/,
gss_OID_set * /*mechanisms*/
);
OM_uint32 gss_inquire_context (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_name_t * /*src_name*/,
gss_name_t * /*targ_name*/,
OM_uint32 * /*lifetime_rec*/,
gss_OID * /*mech_type*/,
OM_uint32 * /*ctx_flags*/,
int * /*locally_initiated*/,
int * /*open_context*/
);
OM_uint32 gsskrb5_wrap_size (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_input_size*/,
OM_uint32 * /*output_size*/
);
OM_uint32 gss_wrap_size_limit (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_output_size*/,
OM_uint32 * /*max_input_size*/
);
OM_uint32 gss_add_cred (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*input_cred_handle*/,
const gss_name_t /*desired_name*/,
const gss_OID /*desired_mech*/,
gss_cred_usage_t /*cred_usage*/,
OM_uint32 /*initiator_time_req*/,
OM_uint32 /*acceptor_time_req*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*initiator_time_rec*/,
OM_uint32 * /*acceptor_time_rec*/
);
OM_uint32 gss_inquire_cred_by_mech (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
const gss_OID /*mech_type*/,
gss_name_t * /*name*/,
OM_uint32 * /*initiator_lifetime*/,
OM_uint32 * /*acceptor_lifetime*/,
gss_cred_usage_t * /*cred_usage*/
);
OM_uint32 gss_export_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*interprocess_token*/
);
OM_uint32 gss_import_sec_context (
OM_uint32 * /*minor_status*/,
const gss_buffer_t /*interprocess_token*/,
gss_ctx_id_t * /*context_handle*/
);
OM_uint32 gss_create_empty_oid_set (
OM_uint32 * /*minor_status*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_add_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member_oid*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_test_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member*/,
const gss_OID_set /*set*/,
int * /*present*/
);
OM_uint32 gss_inquire_names_for_mech (
OM_uint32 * /*minor_status*/,
const gss_OID /*mechanism*/,
gss_OID_set * /*name_types*/
);
OM_uint32 gss_inquire_mechs_for_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_OID_set * /*mech_types*/
);
OM_uint32 gss_canonicalize_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
const gss_OID /*mech_type*/,
gss_name_t * /*output_name*/
);
OM_uint32 gss_duplicate_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*src_name*/,
gss_name_t * /*dest_name*/
);
/*
* The following routines are obsolete variants of gss_get_mic,
* gss_verify_mic, gss_wrap and gss_unwrap. They should be
* provided by GSSAPI V2 implementations for backwards
* compatibility with V1 applications. Distinct entrypoints
* (as opposed to #defines) should be provided, both to allow
* GSSAPI V1 applications to link against GSSAPI V2 implementations,
* and to retain the slight parameter type differences between the
* obsolete versions of these routines and their current forms.
*/
OM_uint32 gss_sign
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*qop_req*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*token_buffer*/,
int * /*qop_state*/
);
OM_uint32 gss_seal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
int /*qop_req*/,
gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unseal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
int * /*qop_state*/
);
/*
* kerberos mechanism specific functions
*/
OM_uint32
gss_krb5_ccache_name(OM_uint32 * /*minor_status*/,
const char * /*name */,
const char ** /*out_name */);
OM_uint32 gsskrb5_register_acceptor_identity
(const char */*identity*/);
OM_uint32 gss_krb5_copy_ccache
(OM_uint32 */*minor*/,
gss_cred_id_t /*cred*/,
struct krb5_ccache_data */*out*/);
OM_uint32 gss_krb5_copy_service_keyblock
(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
OM_uint32 gss_krb5_import_cred(OM_uint32 *minor_status,
struct krb5_ccache_data * /* id */,
struct Principal * /* keytab_principal */,
struct krb5_keytab_data * /* keytab */,
gss_cred_id_t */* cred */);
OM_uint32 gss_krb5_get_tkt_flags
(OM_uint32 */*minor*/,
gss_ctx_id_t /*context_handle*/,
OM_uint32 */*tkt_flags*/);
OM_uint32
gsskrb5_extract_authz_data_from_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*ad_type*/,
gss_buffer_t /*ad_data*/);
OM_uint32
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
time_t *authtime);
OM_uint32
gsskrb5_get_initiator_subkey
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t context_handle,
gss_buffer_t /* subkey */);
#define GSS_C_KRB5_COMPAT_DES3_MIC 1
OM_uint32
gss_krb5_compat_des3_mic(OM_uint32 *, gss_ctx_id_t, int);
#ifdef __cplusplus
}
#endif
#endif /* GSSAPI_H_ */

837
source4/heimdal/lib/gssapi/gssapi/gssapi.h Normal file
View File

@ -0,0 +1,837 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id: gssapi.h,v 1.5 2006/10/19 07:11:14 lha Exp $ */
#ifndef GSSAPI_GSSAPI_H_
#define GSSAPI_GSSAPI_H_
/*
* First, include stddef.h to get size_t defined.
*/
#include <stddef.h>
#include <krb5-types.h>
/*
* Now define the three implementation-dependent types.
*/
typedef uint32_t OM_uint32;
typedef uint64_t OM_uint64;
typedef uint32_t gss_uint32;
struct gss_name_t_desc_struct;
typedef struct gss_name_t_desc_struct *gss_name_t;
struct gss_ctx_id_t_desc_struct;
typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t;
typedef struct gss_OID_desc_struct {
OM_uint32 length;
void *elements;
} gss_OID_desc, *gss_OID;
typedef struct gss_OID_set_desc_struct {
size_t count;
gss_OID elements;
} gss_OID_set_desc, *gss_OID_set;
typedef int gss_cred_usage_t;
struct gss_cred_id_t_desc_struct;
typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t;
typedef struct gss_buffer_desc_struct {
size_t length;
void *value;
} gss_buffer_desc, *gss_buffer_t;
typedef struct gss_channel_bindings_struct {
OM_uint32 initiator_addrtype;
gss_buffer_desc initiator_address;
OM_uint32 acceptor_addrtype;
gss_buffer_desc acceptor_address;
gss_buffer_desc application_data;
} *gss_channel_bindings_t;
/* GGF extension data types */
typedef struct gss_buffer_set_desc_struct {
size_t count;
gss_buffer_desc *elements;
} gss_buffer_set_desc, *gss_buffer_set_t;
/*
* For now, define a QOP-type as an OM_uint32
*/
typedef OM_uint32 gss_qop_t;
/*
* Flag bits for context-level services.
*/
#define GSS_C_DELEG_FLAG 1
#define GSS_C_MUTUAL_FLAG 2
#define GSS_C_REPLAY_FLAG 4
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG 16
#define GSS_C_INTEG_FLAG 32
#define GSS_C_ANON_FLAG 64
#define GSS_C_PROT_READY_FLAG 128
#define GSS_C_TRANS_FLAG 256
#define GSS_C_DCE_STYLE 4096
#define GSS_C_IDENTIFY_FLAG 8192
#define GSS_C_EXTENDED_ERROR_FLAG 16384
/*
* Credential usage options
*/
#define GSS_C_BOTH 0
#define GSS_C_INITIATE 1
#define GSS_C_ACCEPT 2
/*
* Status code types for gss_display_status
*/
#define GSS_C_GSS_CODE 1
#define GSS_C_MECH_CODE 2
/*
* The constant definitions for channel-bindings address families
*/
#define GSS_C_AF_UNSPEC 0
#define GSS_C_AF_LOCAL 1
#define GSS_C_AF_INET 2
#define GSS_C_AF_IMPLINK 3
#define GSS_C_AF_PUP 4
#define GSS_C_AF_CHAOS 5
#define GSS_C_AF_NS 6
#define GSS_C_AF_NBS 7
#define GSS_C_AF_ECMA 8
#define GSS_C_AF_DATAKIT 9
#define GSS_C_AF_CCITT 10
#define GSS_C_AF_SNA 11
#define GSS_C_AF_DECnet 12
#define GSS_C_AF_DLI 13
#define GSS_C_AF_LAT 14
#define GSS_C_AF_HYLINK 15
#define GSS_C_AF_APPLETALK 16
#define GSS_C_AF_BSC 17
#define GSS_C_AF_DSS 18
#define GSS_C_AF_OSI 19
#define GSS_C_AF_X25 21
#define GSS_C_AF_INET6 24
#define GSS_C_AF_NULLADDR 255
/*
* Various Null values
*/
#define GSS_C_NO_NAME ((gss_name_t) 0)
#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
#define GSS_C_NO_BUFFER_SET ((gss_buffer_set_t) 0)
#define GSS_C_NO_OID ((gss_OID) 0)
#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
#define GSS_C_EMPTY_BUFFER {0, NULL}
/*
* Some alternate names for a couple of the above
* values. These are defined for V1 compatibility.
*/
#define GSS_C_NULL_OID GSS_C_NO_OID
#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
/*
* Define the default Quality of Protection for per-message
* services. Note that an implementation that offers multiple
* levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
* (as done here) to mean "default protection", or to a specific
* explicit QOP value. However, a value of 0 should always be
* interpreted by a GSSAPI implementation as a request for the
* default protection level.
*/
#define GSS_C_QOP_DEFAULT 0
#define GSS_KRB5_CONF_C_QOP_DES 0x0100
#define GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200
/*
* Expiration time of 2^32-1 seconds means infinite lifetime for a
* credential or security context
*/
#define GSS_C_INDEFINITE 0xfffffffful
#ifdef __cplusplus
extern "C" {
#endif
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x01"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
* GSS_C_NT_USER_NAME should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_USER_NAME;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x02"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
* The constant GSS_C_NT_MACHINE_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x03"},
* corresponding to an object-identifier value of
* {iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
* The constant GSS_C_NT_STRING_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_STRING_UID_NAME;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
* corresponding to an object-identifier value of
* {iso(1) org(3) dod(6) internet(1) security(5)
* nametypes(6) gss-host-based-services(2)). The constant
* GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
* to that gss_OID_desc. This is a deprecated OID value, and
* implementations wishing to support hostbased-service names
* should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
* defined below, to identify such names;
* GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
* for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
* parameter, but should not be emitted by GSS-API
* implementations
*/
extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
* "\x01\x02\x01\x04"}, corresponding to an
* object-identifier value of {iso(1) member-body(2)
* Unites States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) service_name(4)}. The constant
* GSS_C_NT_HOSTBASED_SERVICE should be initialized
* to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\01\x05\x06\x03"},
* corresponding to an object identifier value of
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
* 6(nametypes), 3(gss-anonymous-name)}. The constant
* and GSS_C_NT_ANONYMOUS should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_ANONYMOUS;
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
* corresponding to an object-identifier value of
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
* 6(nametypes), 4(gss-api-exported-name)}. The constant
* GSS_C_NT_EXPORT_NAME should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_EXPORT_NAME;
/*
* Digest mechanism
*/
extern gss_OID GSS_SASL_DIGEST_MD5_MECHANISM;
/* Major status codes */
#define GSS_S_COMPLETE 0
/*
* Some "helper" definitions to make the status code macros obvious.
*/
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_SUPPLEMENTARY_OFFSET 0
#define GSS_C_CALLING_ERROR_MASK 0377ul
#define GSS_C_ROUTINE_ERROR_MASK 0377ul
#define GSS_C_SUPPLEMENTARY_MASK 0177777ul
/*
* The macros that test status codes for error conditions.
* Note that the GSS_ERROR() macro has changed slightly from
* the V1 GSSAPI so that it now evaluates its argument
* only once.
*/
#define GSS_CALLING_ERROR(x) \
(x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x) \
(x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) \
(x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
#define GSS_ERROR(x) \
(x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
(GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
/*
* Now the actual status code definitions
*/
/*
* Calling errors:
*/
#define GSS_S_CALL_INACCESSIBLE_READ \
(1ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_CALL_INACCESSIBLE_WRITE \
(2ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_CALL_BAD_STRUCTURE \
(3ul << GSS_C_CALLING_ERROR_OFFSET)
/*
* Routine errors:
*/
#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_MIC GSS_S_BAD_SIG
#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
/*
* Supplementary info bits:
*/
#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
/*
* From RFC1964:
*
* 4.1.1. Non-Kerberos-specific codes
*/
#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1
/* "No @ in SERVICE-NAME name string" */
#define GSS_KRB5_S_G_BAD_STRING_UID 2
/* "STRING-UID-NAME contains nondigits" */
#define GSS_KRB5_S_G_NOUSER 3
/* "UID does not resolve to username" */
#define GSS_KRB5_S_G_VALIDATE_FAILED 4
/* "Validation error" */
#define GSS_KRB5_S_G_BUFFER_ALLOC 5
/* "Couldn't allocate gss_buffer_t data" */
#define GSS_KRB5_S_G_BAD_MSG_CTX 6
/* "Message context invalid" */
#define GSS_KRB5_S_G_WRONG_SIZE 7
/* "Buffer is the wrong size" */
#define GSS_KRB5_S_G_BAD_USAGE 8
/* "Credential usage type is unknown" */
#define GSS_KRB5_S_G_UNKNOWN_QOP 9
/* "Unknown quality of protection specified" */
/*
* 4.1.2. Kerberos-specific-codes
*/
#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10
/* "Principal in credential cache does not match desired name" */
#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11
/* "No principal in keytab matches desired name" */
#define GSS_KRB5_S_KG_TGT_MISSING 12
/* "Credential cache has no TGT" */
#define GSS_KRB5_S_KG_NO_SUBKEY 13
/* "Authenticator has no subkey" */
#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14
/* "Context is already fully established" */
#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15
/* "Unknown signature type in token" */
#define GSS_KRB5_S_KG_BAD_LENGTH 16
/* "Invalid field length in token" */
#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17
/* "Attempt to use incomplete security context" */
/*
* This is used to make sure mechs that don't want to have external
* references don't get any prototypes, and thus can get warnings.
*/
/*
* Finally, function prototypes for the GSS-API routines.
*/
OM_uint32 gss_acquire_cred
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
OM_uint32 /*time_req*/,
const gss_OID_set /*desired_mechs*/,
gss_cred_usage_t /*cred_usage*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_release_cred
(OM_uint32 * /*minor_status*/,
gss_cred_id_t * /*cred_handle*/
);
OM_uint32 gss_init_sec_context
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*initiator_cred_handle*/,
gss_ctx_id_t * /*context_handle*/,
const gss_name_t /*target_name*/,
const gss_OID /*mech_type*/,
OM_uint32 /*req_flags*/,
OM_uint32 /*time_req*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
const gss_buffer_t /*input_token*/,
gss_OID * /*actual_mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_accept_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
const gss_cred_id_t /*acceptor_cred_handle*/,
const gss_buffer_t /*input_token_buffer*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
gss_name_t * /*src_name*/,
gss_OID * /*mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * /*time_rec*/,
gss_cred_id_t * /*delegated_cred_handle*/
);
OM_uint32 gss_process_context_token
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*token_buffer*/
);
OM_uint32 gss_delete_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*output_token*/
);
OM_uint32 gss_context_time
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_get_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_wrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unwrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_display_status
(OM_uint32 * /*minor_status*/,
OM_uint32 /*status_value*/,
int /*status_type*/,
const gss_OID /*mech_type*/,
OM_uint32 * /*message_context*/,
gss_buffer_t /*status_string*/
);
OM_uint32 gss_indicate_mechs
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*mech_set*/
);
OM_uint32 gss_compare_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*name1*/,
const gss_name_t /*name2*/,
int * /*name_equal*/
);
OM_uint32 gss_display_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*output_name_buffer*/,
gss_OID * /*output_name_type*/
);
OM_uint32 gss_import_name
(OM_uint32 * /*minor_status*/,
const gss_buffer_t /*input_name_buffer*/,
const gss_OID /*input_name_type*/,
gss_name_t * /*output_name*/
);
OM_uint32 gss_export_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*exported_name*/
);
OM_uint32 gss_release_name
(OM_uint32 * /*minor_status*/,
gss_name_t * /*input_name*/
);
OM_uint32 gss_release_buffer
(OM_uint32 * /*minor_status*/,
gss_buffer_t /*buffer*/
);
OM_uint32 gss_release_oid_set
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*set*/
);
OM_uint32 gss_inquire_cred
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
gss_name_t * /*name*/,
OM_uint32 * /*lifetime*/,
gss_cred_usage_t * /*cred_usage*/,
gss_OID_set * /*mechanisms*/
);
OM_uint32 gss_inquire_context (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_name_t * /*src_name*/,
gss_name_t * /*targ_name*/,
OM_uint32 * /*lifetime_rec*/,
gss_OID * /*mech_type*/,
OM_uint32 * /*ctx_flags*/,
int * /*locally_initiated*/,
int * /*open_context*/
);
OM_uint32 gss_wrap_size_limit (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_output_size*/,
OM_uint32 * /*max_input_size*/
);
OM_uint32 gss_add_cred (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*input_cred_handle*/,
const gss_name_t /*desired_name*/,
const gss_OID /*desired_mech*/,
gss_cred_usage_t /*cred_usage*/,
OM_uint32 /*initiator_time_req*/,
OM_uint32 /*acceptor_time_req*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*initiator_time_rec*/,
OM_uint32 * /*acceptor_time_rec*/
);
OM_uint32 gss_inquire_cred_by_mech (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
const gss_OID /*mech_type*/,
gss_name_t * /*name*/,
OM_uint32 * /*initiator_lifetime*/,
OM_uint32 * /*acceptor_lifetime*/,
gss_cred_usage_t * /*cred_usage*/
);
OM_uint32 gss_export_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*interprocess_token*/
);
OM_uint32 gss_import_sec_context (
OM_uint32 * /*minor_status*/,
const gss_buffer_t /*interprocess_token*/,
gss_ctx_id_t * /*context_handle*/
);
OM_uint32 gss_create_empty_oid_set (
OM_uint32 * /*minor_status*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_add_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member_oid*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_test_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member*/,
const gss_OID_set /*set*/,
int * /*present*/
);
OM_uint32 gss_inquire_names_for_mech (
OM_uint32 * /*minor_status*/,
const gss_OID /*mechanism*/,
gss_OID_set * /*name_types*/
);
OM_uint32 gss_inquire_mechs_for_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_OID_set * /*mech_types*/
);
OM_uint32 gss_canonicalize_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
const gss_OID /*mech_type*/,
gss_name_t * /*output_name*/
);
OM_uint32 gss_duplicate_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*src_name*/,
gss_name_t * /*dest_name*/
);
OM_uint32 gss_duplicate_oid (
OM_uint32 * /* minor_status */,
gss_OID /* src_oid */,
gss_OID * /* dest_oid */
);
OM_uint32
gss_release_oid
(OM_uint32 * /*minor_status*/,
gss_OID * /* oid */
);
OM_uint32
gss_oid_to_str(
OM_uint32 * /*minor_status*/,
gss_OID /* oid */,
gss_buffer_t /* str */
);
OM_uint32
gss_inquire_sec_context_by_oid(
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set
);
OM_uint32
gss_set_sec_context_option (OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
const gss_buffer_t value);
OM_uint32
gss_set_cred_option (OM_uint32 *minor_status,
gss_cred_id_t *cred_handle,
const gss_OID object,
const gss_buffer_t value);
int
gss_oid_equal(const gss_OID a, const gss_OID b);
OM_uint32
gss_create_empty_buffer_set
(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set);
OM_uint32
gss_add_buffer_set_member
(OM_uint32 * minor_status,
const gss_buffer_t member_buffer,
gss_buffer_set_t *buffer_set);
OM_uint32
gss_release_buffer_set
(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set);
OM_uint32
gss_inquire_cred_by_oid(OM_uint32 *minor_status,
const gss_cred_id_t cred_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set);
/*
* The following routines are obsolete variants of gss_get_mic,
* gss_verify_mic, gss_wrap and gss_unwrap. They should be
* provided by GSSAPI V2 implementations for backwards
* compatibility with V1 applications. Distinct entrypoints
* (as opposed to #defines) should be provided, both to allow
* GSSAPI V1 applications to link against GSSAPI V2 implementations,
* and to retain the slight parameter type differences between the
* obsolete versions of these routines and their current forms.
*/
OM_uint32 gss_sign
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*qop_req*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*token_buffer*/,
int * /*qop_state*/
);
OM_uint32 gss_seal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
int /*qop_req*/,
gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unseal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
int * /*qop_state*/
);
/*
*
*/
OM_uint32
gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set);
OM_uint32
gss_encapsulate_token(gss_buffer_t /* input_token */,
gss_OID /* oid */,
gss_buffer_t /* output_token */);
OM_uint32
gss_decapsulate_token(gss_buffer_t /* input_token */,
gss_OID /* oid */,
gss_buffer_t /* output_token */);
#ifdef __cplusplus
}
#endif
#include <gssapi/gssapi_krb5.h>
#include <gssapi/gssapi_spnego.h>
#endif /* GSSAPI_GSSAPI_H_ */

209
source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h Normal file
View File

@ -0,0 +1,209 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id: gssapi_krb5.h,v 1.10 2006/10/20 22:04:03 lha Exp $ */
#ifndef GSSAPI_KRB5_H_
#define GSSAPI_KRB5_H_
#include <gssapi/gssapi.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* This is for kerberos5 names.
*/
extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
extern gss_OID GSS_KRB5_NT_USER_NAME;
extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
extern gss_OID GSS_KRB5_MECHANISM;
/* for compatibility with MIT api */
#define gss_mech_krb5 GSS_KRB5_MECHANISM
#define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME
/* Extensions set contexts options */
extern gss_OID GSS_KRB5_COPY_CCACHE_X;
extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X;
extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
extern gss_OID GSS_KRB5_SEND_TO_KDC_X;
/* Extensions inquire context */
extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;
extern gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO;
extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X;
extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X;
extern gss_OID GSS_KRB5_GET_SUBKEY_X;
extern gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X;
extern gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X;
extern gss_OID GSS_KRB5_GET_AUTHTIME_X;
extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
/* Extensions creds */
extern gss_OID GSS_KRB5_IMPORT_CRED_X;
/*
* kerberos mechanism specific functions
*/
struct krb5_keytab_data;
struct krb5_ccache_data;
struct Principal;
OM_uint32
gss_krb5_ccache_name(OM_uint32 * /*minor_status*/,
const char * /*name */,
const char ** /*out_name */);
OM_uint32 gsskrb5_register_acceptor_identity
(const char */*identity*/);
OM_uint32 gss_krb5_copy_ccache
(OM_uint32 */*minor*/,
gss_cred_id_t /*cred*/,
struct krb5_ccache_data */*out*/);
OM_uint32
gss_krb5_import_cred(OM_uint32 */*minor*/,
struct krb5_ccache_data * /*in*/,
struct Principal * /*keytab_principal*/,
struct krb5_keytab_data * /*keytab*/,
gss_cred_id_t */*out*/);
OM_uint32 gss_krb5_get_tkt_flags
(OM_uint32 */*minor*/,
gss_ctx_id_t /*context_handle*/,
OM_uint32 */*tkt_flags*/);
OM_uint32
gsskrb5_extract_authz_data_from_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*ad_type*/,
gss_buffer_t /*ad_data*/);
OM_uint32
gsskrb5_set_dns_canonicalize(int);
struct gsskrb5_send_to_kdc {
void *func;
void *ptr;
};
OM_uint32
gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *);
OM_uint32
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *);
struct EncryptionKey;
OM_uint32
gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
OM_uint32
gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
OM_uint32
gsskrb5_get_subkey(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
/*
* Lucid - NFSv4 interface to GSS-API KRB5 to expose key material to
* do GSS content token handling in-kernel.
*/
typedef struct gss_krb5_lucid_key {
OM_uint32 type;
OM_uint32 length;
void * data;
} gss_krb5_lucid_key_t;
typedef struct gss_krb5_rfc1964_keydata {
OM_uint32 sign_alg;
OM_uint32 seal_alg;
gss_krb5_lucid_key_t ctx_key;
} gss_krb5_rfc1964_keydata_t;
typedef struct gss_krb5_cfx_keydata {
OM_uint32 have_acceptor_subkey;
gss_krb5_lucid_key_t ctx_key;
gss_krb5_lucid_key_t acceptor_subkey;
} gss_krb5_cfx_keydata_t;
typedef struct gss_krb5_lucid_context_v1 {
OM_uint32 version;
OM_uint32 initiate;
OM_uint32 endtime;
OM_uint64 send_seq;
OM_uint64 recv_seq;
OM_uint32 protocol;
gss_krb5_rfc1964_keydata_t rfc1964_kd;
gss_krb5_cfx_keydata_t cfx_kd;
} gss_krb5_lucid_context_v1_t;
typedef struct gss_krb5_lucid_context_version {
OM_uint32 version; /* Structure version number */
} gss_krb5_lucid_context_version_t;
/*
* Function declarations
*/
OM_uint32
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
OM_uint32 version,
void **kctx);
OM_uint32
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
void *kctx);
#ifdef __cplusplus
}
#endif
#endif /* GSSAPI_SPNEGO_H_ */

58
source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h Normal file
View File

@ -0,0 +1,58 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id: gssapi_spnego.h,v 1.1 2006/10/07 22:26:21 lha Exp $ */
#ifndef GSSAPI_SPNEGO_H_
#define GSSAPI_SPNEGO_H_
#include <gssapi.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* RFC2478, SPNEGO:
* The security mechanism of the initial
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
extern gss_OID GSS_SPNEGO_MECHANISM;
#define gss_mech_spnego GSS_SPNEGO_MECHANISM
#ifdef __cplusplus
}
#endif
#endif /* GSSAPI_SPNEGO_H_ */

315
source4/heimdal/lib/gssapi/gssapi_locl.h
View File

@ -1,315 +0,0 @@
/*
* Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id: gssapi_locl.h,v 1.45 2006/05/04 11:56:14 lha Exp $ */
#ifndef GSSAPI_LOCL_H
#define GSSAPI_LOCL_H
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <krb5_locl.h>
#include <gssapi.h>
#include <assert.h>
#include "cfx.h"
#include "arcfour.h"
#include "spnego_asn1.h"
/*
*
*/
struct gss_msg_order;
typedef struct gss_ctx_id_t_desc_struct {
struct krb5_auth_context_data *auth_context;
gss_name_t source, target;
enum gss_ctx_id_t_state {
INITIATOR_START = 1, INITIATOR_WAIT_FOR_MUTAL = 2, INITIATOR_READY= 3,
ACCEPTOR_START = 11, ACCEPTOR_WAIT_FOR_DCESTYLE = 12, ACCEPTOR_READY = 13
} state;
OM_uint32 flags;
enum {LOCAL = 1,
OPEN = 2,
COMPAT_OLD_DES3 = 4,
COMPAT_OLD_DES3_SELECTED = 8,
ACCEPTOR_SUBKEY = 16
} more_flags;
struct krb5_ticket *ticket;
krb5_keyblock *service_keyblock;
krb5_data fwd_data;
OM_uint32 lifetime;
HEIMDAL_MUTEX ctx_id_mutex;
struct gss_msg_order *order;
} gss_ctx_id_t_desc;
typedef struct gss_cred_id_t_desc_struct {
gss_name_t principal;
int cred_flags;
#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
struct krb5_keytab_data *keytab;
OM_uint32 lifetime;
gss_cred_usage_t usage;
gss_OID_set mechanisms;
struct krb5_ccache_data *ccache;
HEIMDAL_MUTEX cred_id_mutex;
} gss_cred_id_t_desc;
/*
*
*/
extern krb5_context gssapi_krb5_context;
extern krb5_keytab gssapi_krb5_keytab;
extern HEIMDAL_MUTEX gssapi_keytab_mutex;
struct gssapi_thr_context {
HEIMDAL_MUTEX mutex;
char *error_string;
};
/*
* Prototypes
*/
krb5_error_code gssapi_krb5_init (void);
krb5_error_code gssapi_krb5_init_ev (void *);
#define GSSAPI_KRB5_INIT() do { \
krb5_error_code kret_gss_init; \
if((kret_gss_init = gssapi_krb5_init ()) != 0) { \
*minor_status = kret_gss_init; \
return GSS_S_FAILURE; \
} \
} while (0)
struct gssapi_thr_context *
gssapi_get_thread_context(int);
OM_uint32
_gsskrb5_create_ctx(
OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
const gss_channel_bindings_t input_chan_bindings,
enum gss_ctx_id_t_state state);
void
gsskrb5_is_cfx(gss_ctx_id_t, int *);
OM_uint32
gssapi_krb5_create_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
OM_uint32 flags,
const krb5_data *fwd_data,
Checksum *result);
OM_uint32
gssapi_krb5_verify_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
const Checksum *cksum,
OM_uint32 *flags,
krb5_data *fwd_data);
void
_gssapi_encap_length (size_t data_len,
size_t *len,
size_t *total_len,
const gss_OID mech);
void
gssapi_krb5_encap_length (size_t data_len,
size_t *len,
size_t *total_len,
const gss_OID mech);
OM_uint32
_gssapi_encapsulate(OM_uint32 *minor_status,
const krb5_data *in_data,
gss_buffer_t output_token,
const gss_OID mech);
OM_uint32
gssapi_krb5_encapsulate(OM_uint32 *minor_status,
const krb5_data *in_data,
gss_buffer_t output_token,
const u_char *type,
const gss_OID mech);
OM_uint32
gssapi_krb5_decapsulate(OM_uint32 *minor_status,
gss_buffer_t input_token_buffer,
krb5_data *out_data,
const char *type,
gss_OID oid);
u_char *
gssapi_krb5_make_header (u_char *p,
size_t len,
const u_char *type,
const gss_OID mech);
u_char *
_gssapi_make_mech_header(u_char *p,
size_t len,
const gss_OID mech);
OM_uint32
_gssapi_verify_mech_header(u_char **str,
size_t total_len,
gss_OID oid);
OM_uint32
gssapi_krb5_verify_header(u_char **str,
size_t total_len,
const u_char *type,
gss_OID oid);
OM_uint32
_gssapi_decapsulate(OM_uint32 *minor_status,
gss_buffer_t input_token_buffer,
krb5_data *out_data,
const gss_OID mech);
ssize_t
gssapi_krb5_get_mech (const u_char *, size_t, const u_char **);
OM_uint32
_gssapi_verify_pad(gss_buffer_t, size_t, size_t *);
OM_uint32
gss_verify_mic_internal(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
char * type);
OM_uint32
gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
krb5_keyblock **key);
krb5_error_code
gss_address_to_krb5addr(OM_uint32 gss_addr_type,
gss_buffer_desc *gss_addr,
int16_t port,
krb5_address *address);
/* sec_context flags */
#define SC_LOCAL_ADDRESS 0x01
#define SC_REMOTE_ADDRESS 0x02
#define SC_KEYBLOCK 0x04
#define SC_LOCAL_SUBKEY 0x08
#define SC_REMOTE_SUBKEY 0x10
int
gss_oid_equal(const gss_OID a, const gss_OID b);
void
gssapi_krb5_clear_status (void);
void
gssapi_krb5_set_status (const char *fmt, ...);
void
gssapi_krb5_set_error_string (void);
char *
gssapi_krb5_get_error_string (void);
OM_uint32
_gss_DES3_get_mic_compat(OM_uint32 *, gss_ctx_id_t);
OM_uint32
_gss_spnego_require_mechlist_mic(OM_uint32 *, gss_ctx_id_t, krb5_boolean *);
krb5_error_code
_gss_check_compat(OM_uint32 *, gss_name_t, const char *,
krb5_boolean *, krb5_boolean);
OM_uint32
gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *);
OM_uint32
_gssapi_krb5_ccache_lifetime(OM_uint32 *, krb5_ccache,
krb5_principal, OM_uint32 *);
/* sequence */
OM_uint32
_gssapi_msg_order_create(OM_uint32 *, struct gss_msg_order **,
OM_uint32, OM_uint32, OM_uint32, int);
OM_uint32
_gssapi_msg_order_destroy(struct gss_msg_order **);
OM_uint32
_gssapi_msg_order_check(struct gss_msg_order *, OM_uint32);
OM_uint32
_gssapi_msg_order_f(OM_uint32);
OM_uint32
_gssapi_msg_order_import(OM_uint32 *, krb5_storage *,
struct gss_msg_order **);
krb5_error_code
_gssapi_msg_order_export(krb5_storage *, struct gss_msg_order *);
/* 8003 */
krb5_error_code
gssapi_encode_om_uint32(OM_uint32, u_char *);
krb5_error_code
gssapi_encode_be_om_uint32(OM_uint32, u_char *);
krb5_error_code
gssapi_decode_om_uint32(const void *, OM_uint32 *);
krb5_error_code
gssapi_decode_be_om_uint32(const void *, OM_uint32 *);
#endif

348
source4/heimdal/lib/gssapi/gssapi_mech.h Normal file
View File

@ -0,0 +1,348 @@
/*-
* Copyright (c) 2005 Doug Rabson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/lib/libgssapi/mech_switch.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
*/
#ifndef GSSAPI_MECH_H
#define GSSAPI_MECH_H 1
#include <gssapi.h>
typedef OM_uint32 _gss_acquire_cred_t
(OM_uint32 *, /* minor_status */
const gss_name_t, /* desired_name */
OM_uint32, /* time_req */
const gss_OID_set, /* desired_mechs */
gss_cred_usage_t, /* cred_usage */
gss_cred_id_t *, /* output_cred_handle */
gss_OID_set *, /* actual_mechs */
OM_uint32 * /* time_rec */
);
typedef OM_uint32 _gss_release_cred_t
(OM_uint32 *, /* minor_status */
gss_cred_id_t * /* cred_handle */
);
typedef OM_uint32 _gss_init_sec_context_t
(OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* initiator_cred_handle */
gss_ctx_id_t *, /* context_handle */
const gss_name_t, /* target_name */
const gss_OID, /* mech_type */
OM_uint32, /* req_flags */
OM_uint32, /* time_req */
const gss_channel_bindings_t,
/* input_chan_bindings */
const gss_buffer_t, /* input_token */
gss_OID *, /* actual_mech_type */
gss_buffer_t, /* output_token */
OM_uint32 *, /* ret_flags */
OM_uint32 * /* time_rec */
);
typedef OM_uint32 _gss_accept_sec_context_t
(OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
const gss_cred_id_t, /* acceptor_cred_handle */
const gss_buffer_t, /* input_token_buffer */
const gss_channel_bindings_t,
/* input_chan_bindings */
gss_name_t *, /* src_name */
gss_OID *, /* mech_type */
gss_buffer_t, /* output_token */
OM_uint32 *, /* ret_flags */
OM_uint32 *, /* time_rec */
gss_cred_id_t * /* delegated_cred_handle */
);
typedef OM_uint32 _gss_process_context_token_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
const gss_buffer_t /* token_buffer */
);
typedef OM_uint32 _gss_delete_sec_context_t
(OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
gss_buffer_t /* output_token */
);
typedef OM_uint32 _gss_context_time_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
OM_uint32 * /* time_rec */
);
typedef OM_uint32 _gss_get_mic_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
gss_qop_t, /* qop_req */
const gss_buffer_t, /* message_buffer */
gss_buffer_t /* message_token */
);
typedef OM_uint32 _gss_verify_mic_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
const gss_buffer_t, /* message_buffer */
const gss_buffer_t, /* token_buffer */
gss_qop_t * /* qop_state */
);
typedef OM_uint32 _gss_wrap_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
int, /* conf_req_flag */
gss_qop_t, /* qop_req */
const gss_buffer_t, /* input_message_buffer */
int *, /* conf_state */
gss_buffer_t /* output_message_buffer */
);
typedef OM_uint32 _gss_unwrap_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
const gss_buffer_t, /* input_message_buffer */
gss_buffer_t, /* output_message_buffer */
int *, /* conf_state */
gss_qop_t * /* qop_state */
);
typedef OM_uint32 _gss_display_status_t
(OM_uint32 *, /* minor_status */
OM_uint32, /* status_value */
int, /* status_type */
const gss_OID, /* mech_type */
OM_uint32 *, /* message_context */
gss_buffer_t /* status_string */
);
typedef OM_uint32 _gss_indicate_mechs_t
(OM_uint32 *, /* minor_status */
gss_OID_set * /* mech_set */
);
typedef OM_uint32 _gss_compare_name_t
(OM_uint32 *, /* minor_status */
const gss_name_t, /* name1 */
const gss_name_t, /* name2 */
int * /* name_equal */
);
typedef OM_uint32 _gss_display_name_t
(OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
gss_buffer_t, /* output_name_buffer */
gss_OID * /* output_name_type */
);
typedef OM_uint32 _gss_import_name_t
(OM_uint32 *, /* minor_status */
const gss_buffer_t, /* input_name_buffer */
const gss_OID, /* input_name_type */
gss_name_t * /* output_name */
);
typedef OM_uint32 _gss_export_name_t
(OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
gss_buffer_t /* exported_name */
);
typedef OM_uint32 _gss_release_name_t
(OM_uint32 *, /* minor_status */
gss_name_t * /* input_name */
);
typedef OM_uint32 _gss_inquire_cred_t
(OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* cred_handle */
gss_name_t *, /* name */
OM_uint32 *, /* lifetime */
gss_cred_usage_t *, /* cred_usage */
gss_OID_set * /* mechanisms */
);
typedef OM_uint32 _gss_inquire_context_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
gss_name_t *, /* src_name */
gss_name_t *, /* targ_name */
OM_uint32 *, /* lifetime_rec */
gss_OID *, /* mech_type */
OM_uint32 *, /* ctx_flags */
int *, /* locally_initiated */
int * /* open */
);
typedef OM_uint32 _gss_wrap_size_limit_t
(OM_uint32 *, /* minor_status */
const gss_ctx_id_t, /* context_handle */
int, /* conf_req_flag */
gss_qop_t, /* qop_req */
OM_uint32, /* req_output_size */
OM_uint32 * /* max_input_size */
);
typedef OM_uint32 _gss_add_cred_t (
OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* input_cred_handle */
const gss_name_t, /* desired_name */
const gss_OID, /* desired_mech */
gss_cred_usage_t, /* cred_usage */
OM_uint32, /* initiator_time_req */
OM_uint32, /* acceptor_time_req */
gss_cred_id_t *, /* output_cred_handle */
gss_OID_set *, /* actual_mechs */
OM_uint32 *, /* initiator_time_rec */
OM_uint32 * /* acceptor_time_rec */
);
typedef OM_uint32 _gss_inquire_cred_by_mech_t (
OM_uint32 *, /* minor_status */
const gss_cred_id_t, /* cred_handle */
const gss_OID, /* mech_type */
gss_name_t *, /* name */
OM_uint32 *, /* initiator_lifetime */
OM_uint32 *, /* acceptor_lifetime */
gss_cred_usage_t * /* cred_usage */
);
typedef OM_uint32 _gss_export_sec_context_t (
OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
gss_buffer_t /* interprocess_token */
);
typedef OM_uint32 _gss_import_sec_context_t (
OM_uint32 *, /* minor_status */
const gss_buffer_t, /* interprocess_token */
gss_ctx_id_t * /* context_handle */
);
typedef OM_uint32 _gss_inquire_names_for_mech_t (
OM_uint32 *, /* minor_status */
const gss_OID, /* mechanism */
gss_OID_set * /* name_types */
);
typedef OM_uint32 _gss_inquire_mechs_for_name_t (
OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
gss_OID_set * /* mech_types */
);
typedef OM_uint32 _gss_canonicalize_name_t (
OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
const gss_OID, /* mech_type */
gss_name_t * /* output_name */
);
typedef OM_uint32 _gss_duplicate_name_t (
OM_uint32 *, /* minor_status */
const gss_name_t, /* src_name */
gss_name_t * /* dest_name */
);
typedef OM_uint32 _gss_inquire_sec_context_by_oid (
OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set
);
typedef OM_uint32 _gss_inquire_cred_by_oid (
OM_uint32 *minor_status,
const gss_cred_id_t cred,
const gss_OID desired_object,
gss_buffer_set_t *data_set
);
typedef OM_uint32 _gss_set_sec_context_option (
OM_uint32 *minor_status,
gss_ctx_id_t *cred_handle,
const gss_OID desired_object,
const gss_buffer_t value
);
typedef OM_uint32 _gss_set_cred_option (
OM_uint32 *minor_status,
gss_cred_id_t *cred_handle,
const gss_OID desired_object,
const gss_buffer_t value
);
#define GMI_VERSION 1
typedef struct gssapi_mech_interface_desc {
unsigned gm_version;
const char *gm_name;
gss_OID_desc gm_mech_oid;
_gss_acquire_cred_t *gm_acquire_cred;
_gss_release_cred_t *gm_release_cred;
_gss_init_sec_context_t *gm_init_sec_context;
_gss_accept_sec_context_t *gm_accept_sec_context;
_gss_process_context_token_t *gm_process_context_token;
_gss_delete_sec_context_t *gm_delete_sec_context;
_gss_context_time_t *gm_context_time;
_gss_get_mic_t *gm_get_mic;
_gss_verify_mic_t *gm_verify_mic;
_gss_wrap_t *gm_wrap;
_gss_unwrap_t *gm_unwrap;
_gss_display_status_t *gm_display_status;
_gss_indicate_mechs_t *gm_indicate_mechs;
_gss_compare_name_t *gm_compare_name;
_gss_display_name_t *gm_display_name;
_gss_import_name_t *gm_import_name;
_gss_export_name_t *gm_export_name;
_gss_release_name_t *gm_release_name;
_gss_inquire_cred_t *gm_inquire_cred;
_gss_inquire_context_t *gm_inquire_context;
_gss_wrap_size_limit_t *gm_wrap_size_limit;
_gss_add_cred_t *gm_add_cred;
_gss_inquire_cred_by_mech_t *gm_inquire_cred_by_mech;
_gss_export_sec_context_t *gm_export_sec_context;
_gss_import_sec_context_t *gm_import_sec_context;
_gss_inquire_names_for_mech_t *gm_inquire_names_for_mech;
_gss_inquire_mechs_for_name_t *gm_inquire_mechs_for_name;
_gss_canonicalize_name_t *gm_canonicalize_name;
_gss_duplicate_name_t *gm_duplicate_name;
_gss_inquire_sec_context_by_oid *gm_inquire_sec_context_by_oid;
_gss_inquire_cred_by_oid *gm_inquire_cred_by_oid;
_gss_set_sec_context_option *gm_set_sec_context_option;
_gss_set_cred_option *gm_set_cred_option;
} gssapi_mech_interface_desc, *gssapi_mech_interface;
gssapi_mech_interface
__gss_get_mechanism(gss_OID /* oid */);
gssapi_mech_interface __gss_spnego_initialize(void);
gssapi_mech_interface __gss_krb5_initialize(void);
#endif /* GSSAPI_MECH_H */

1261
source4/heimdal/lib/gssapi/init_sec_context.c
View File

File diff suppressed because it is too large Load Diff

123
source4/heimdal/lib/gssapi/inquire_cred.c
View File

@ -1,123 +0,0 @@
/*
* Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
RCSID("$Id: inquire_cred.c,v 1.7 2004/11/30 19:27:11 lha Exp $");
OM_uint32 gss_inquire_cred
(OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
gss_name_t * name,
OM_uint32 * lifetime,
gss_cred_usage_t * cred_usage,
gss_OID_set * mechanisms
)
{
gss_cred_id_t cred;
OM_uint32 ret;
*minor_status = 0;
if (name)
*name = NULL;
if (mechanisms)
*mechanisms = GSS_C_NO_OID_SET;
if (cred_handle == GSS_C_NO_CREDENTIAL) {
ret = gss_acquire_cred(minor_status,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
&cred,
NULL,
NULL);
if (ret)
return ret;
} else
cred = (gss_cred_id_t)cred_handle;
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (name != NULL) {
if (cred->principal != NULL) {
ret = gss_duplicate_name(minor_status, cred->principal,
name);
if (ret)
goto out;
} else if (cred->usage == GSS_C_ACCEPT) {
*minor_status = krb5_sname_to_principal(gssapi_krb5_context, NULL,
NULL, KRB5_NT_SRV_HST, name);
if (*minor_status) {
ret = GSS_S_FAILURE;
goto out;
}
} else {
*minor_status = krb5_get_default_principal(gssapi_krb5_context,
name);
if (*minor_status) {
ret = GSS_S_FAILURE;
goto out;
}
}
}
if (lifetime != NULL) {
ret = gssapi_lifetime_left(minor_status,
cred->lifetime,
lifetime);
if (ret)
goto out;
}
if (cred_usage != NULL)
*cred_usage = cred->usage;
if (mechanisms != NULL) {
ret = gss_create_empty_oid_set(minor_status, mechanisms);
if (ret)
goto out;
ret = gss_add_oid_set_member(minor_status,
&cred->mechanisms->elements[0],
mechanisms);
if (ret)
goto out;
}
ret = GSS_S_COMPLETE;
out:
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
if (cred_handle == GSS_C_NO_CREDENTIAL)
ret = gss_release_cred(minor_status, &cred);
return ret;
}

34
source4/heimdal/lib/gssapi/8003.c → source4/heimdal/lib/gssapi/krb5/8003.c
View File

@ -31,12 +31,12 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: 8003.c,v 1.18 2006/05/04 11:55:40 lha Exp $");
RCSID("$Id: 8003.c,v 1.20 2006/10/07 22:13:51 lha Exp $");
krb5_error_code
gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
_gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p)
{
p[0] = (n >> 0) & 0xFF;
p[1] = (n >> 8) & 0xFF;
@ -46,7 +46,7 @@ gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
}
krb5_error_code
gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
_gsskrb5_encode_be_om_uint32(OM_uint32 n, u_char *p)
{
p[0] = (n >> 24) & 0xFF;
p[1] = (n >> 16) & 0xFF;
@ -56,7 +56,7 @@ gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
}
krb5_error_code
gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n)
_gsskrb5_decode_om_uint32(const void *ptr, OM_uint32 *n)
{
const u_char *p = ptr;
*n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
@ -64,7 +64,7 @@ gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n)
}
krb5_error_code
gssapi_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
_gsskrb5_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
{
const u_char *p = ptr;
*n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
@ -79,23 +79,23 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
MD5_CTX md5;
MD5_Init(&md5);
gssapi_encode_om_uint32 (b->initiator_addrtype, num);
_gsskrb5_encode_om_uint32 (b->initiator_addrtype, num);
MD5_Update (&md5, num, sizeof(num));
gssapi_encode_om_uint32 (b->initiator_address.length, num);
_gsskrb5_encode_om_uint32 (b->initiator_address.length, num);
MD5_Update (&md5, num, sizeof(num));
if (b->initiator_address.length)
MD5_Update (&md5,
b->initiator_address.value,
b->initiator_address.length);
gssapi_encode_om_uint32 (b->acceptor_addrtype, num);
_gsskrb5_encode_om_uint32 (b->acceptor_addrtype, num);
MD5_Update (&md5, num, sizeof(num));
gssapi_encode_om_uint32 (b->acceptor_address.length, num);
_gsskrb5_encode_om_uint32 (b->acceptor_address.length, num);
MD5_Update (&md5, num, sizeof(num));
if (b->acceptor_address.length)
MD5_Update (&md5,
b->acceptor_address.value,
b->acceptor_address.length);
gssapi_encode_om_uint32 (b->application_data.length, num);
_gsskrb5_encode_om_uint32 (b->application_data.length, num);
MD5_Update (&md5, num, sizeof(num));
if (b->application_data.length)
MD5_Update (&md5,
@ -112,7 +112,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
*/
OM_uint32
gssapi_krb5_create_8003_checksum (
_gsskrb5_create_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
OM_uint32 flags,
@ -136,7 +136,7 @@ gssapi_krb5_create_8003_checksum (
}
p = result->checksum.data;
gssapi_encode_om_uint32 (16, p);
_gsskrb5_encode_om_uint32 (16, p);
p += 4;
if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
memset (p, 0, 16);
@ -144,7 +144,7 @@ gssapi_krb5_create_8003_checksum (
hash_input_chan_bindings (input_chan_bindings, p);
}
p += 16;
gssapi_encode_om_uint32 (flags, p);
_gsskrb5_encode_om_uint32 (flags, p);
p += 4;
if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
@ -167,7 +167,7 @@ gssapi_krb5_create_8003_checksum (
*/
OM_uint32
gssapi_krb5_verify_8003_checksum(
_gsskrb5_verify_8003_checksum(
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
const Checksum *cksum,
@ -192,7 +192,7 @@ gssapi_krb5_verify_8003_checksum(
}
p = cksum->checksum.data;
gssapi_decode_om_uint32(p, &length);
_gsskrb5_decode_om_uint32(p, &length);
if(length != sizeof(hash)) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
@ -214,7 +214,7 @@ gssapi_krb5_verify_8003_checksum(
p += sizeof(hash);
gssapi_decode_om_uint32(p, flags);
_gsskrb5_decode_om_uint32(p, flags);
p += 4;
if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {

774
source4/heimdal/lib/gssapi/krb5/accept_sec_context.c Normal file
View File

@ -0,0 +1,774 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: accept_sec_context.c,v 1.64 2006/10/25 04:19:45 lha Exp $");
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
OM_uint32
_gsskrb5_register_acceptor_identity (const char *identity)
{
krb5_error_code ret;
ret = _gsskrb5_init();
if(ret)
return GSS_S_FAILURE;
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if(_gsskrb5_keytab != NULL) {
krb5_kt_close(_gsskrb5_context, _gsskrb5_keytab);
_gsskrb5_keytab = NULL;
}
if (identity == NULL) {
ret = krb5_kt_default(_gsskrb5_context, &_gsskrb5_keytab);
} else {
char *p;
asprintf(&p, "FILE:%s", identity);
if(p == NULL) {
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
return GSS_S_FAILURE;
}
ret = krb5_kt_resolve(_gsskrb5_context, p, &_gsskrb5_keytab);
free(p);
}
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
if(ret)
return GSS_S_FAILURE;
return GSS_S_COMPLETE;
}
void
_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx)
{
krb5_keyblock *key;
int acceptor = (ctx->more_flags & LOCAL) == 0;
*is_cfx = 0;
if (acceptor) {
if (ctx->auth_context->local_subkey)
key = ctx->auth_context->local_subkey;
else
key = ctx->auth_context->remote_subkey;
} else {
if (ctx->auth_context->remote_subkey)
key = ctx->auth_context->remote_subkey;
else
key = ctx->auth_context->local_subkey;
}
if (key == NULL)
key = ctx->auth_context->keyblock;
if (key == NULL)
return;
switch (key->keytype) {
case ETYPE_DES_CBC_CRC:
case ETYPE_DES_CBC_MD4:
case ETYPE_DES_CBC_MD5:
case ETYPE_DES3_CBC_MD5:
case ETYPE_DES3_CBC_SHA1:
case ETYPE_ARCFOUR_HMAC_MD5:
case ETYPE_ARCFOUR_HMAC_MD5_56:
break;
default :
*is_cfx = 1;
if ((acceptor && ctx->auth_context->local_subkey) ||
(!acceptor && ctx->auth_context->remote_subkey))
ctx->more_flags |= ACCEPTOR_SUBKEY;
break;
}
}
static OM_uint32
gsskrb5_accept_delegated_token
(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
gss_cred_id_t * delegated_cred_handle
)
{
krb5_ccache ccache = NULL;
krb5_error_code kret;
int32_t ac_flags, ret = GSS_S_COMPLETE;
*minor_status = 0;
/* XXX Create a new delegated_cred_handle? */
if (delegated_cred_handle == NULL) {
kret = krb5_cc_default (_gsskrb5_context, &ccache);
} else {
*delegated_cred_handle = NULL;
kret = krb5_cc_gen_new (_gsskrb5_context, &krb5_mcc_ops, &ccache);
}
if (kret) {
ctx->flags &= ~GSS_C_DELEG_FLAG;
goto out;
}
kret = krb5_cc_initialize(_gsskrb5_context, ccache, ctx->source);
if (kret) {
ctx->flags &= ~GSS_C_DELEG_FLAG;
goto out;
}
krb5_auth_con_removeflags(_gsskrb5_context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
&ac_flags);
kret = krb5_rd_cred2(_gsskrb5_context,
ctx->auth_context,
ccache,
&ctx->fwd_data);
if (kret)
_gsskrb5_set_error_string();
krb5_auth_con_setflags(_gsskrb5_context,
ctx->auth_context,
ac_flags);
if (kret) {
ctx->flags &= ~GSS_C_DELEG_FLAG;
ret = GSS_S_FAILURE;
*minor_status = kret;
goto out;
}
if (delegated_cred_handle) {
gsskrb5_cred handle;
ret = _gsskrb5_import_cred(minor_status,
ccache,
NULL,
NULL,
delegated_cred_handle);
if (ret != GSS_S_COMPLETE)
goto out;
handle = (gsskrb5_cred) *delegated_cred_handle;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
krb5_cc_close(_gsskrb5_context, ccache);
ccache = NULL;
}
out:
if (ccache) {
if (delegated_cred_handle == NULL)
krb5_cc_close(_gsskrb5_context, ccache);
else
krb5_cc_destroy(_gsskrb5_context, ccache);
}
return ret;
}
static OM_uint32
gsskrb5_acceptor_ready(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
gss_cred_id_t *delegated_cred_handle)
{
OM_uint32 ret;
int32_t seq_number;
int is_cfx = 0;
krb5_auth_getremoteseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
_gsskrb5i_is_cfx(ctx, &is_cfx);
ret = _gssapi_msg_order_create(minor_status,
&ctx->order,
_gssapi_msg_order_f(ctx->flags),
seq_number, 0, is_cfx);
if (ret)
return ret;
/*
* If requested, set local sequence num to remote sequence if this
* isn't a mutual authentication context
*/
if (!(ctx->flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(ctx->flags)) {
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
ctx->auth_context,
seq_number);
}
/*
* We should handle the delegation ticket, in case it's there
*/
if (ctx->fwd_data.length > 0 && (ctx->flags & GSS_C_DELEG_FLAG)) {
ret = gsskrb5_accept_delegated_token(minor_status,
ctx,
delegated_cred_handle);
if (ret)
return ret;
} else {
/* Well, looks like it wasn't there after all */
ctx->flags &= ~GSS_C_DELEG_FLAG;
}
ctx->state = ACCEPTOR_READY;
ctx->more_flags |= OPEN;
return GSS_S_COMPLETE;
}
static OM_uint32
gsskrb5_acceptor_start(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
const gss_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token_buffer,
const gss_channel_bindings_t input_chan_bindings,
gss_name_t * src_name,
gss_OID * mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec,
gss_cred_id_t * delegated_cred_handle)
{
krb5_error_code kret;
OM_uint32 ret = GSS_S_COMPLETE;
krb5_data indata;
krb5_flags ap_options;
krb5_ticket *ticket = NULL;
krb5_keytab keytab = NULL;
krb5_keyblock *keyblock = NULL;
int is_cfx = 0;
const gsskrb5_cred acceptor_cred = (gsskrb5_cred)acceptor_cred_handle;
/*
* We may, or may not, have an escapsulation.
*/
ret = _gsskrb5_decapsulate (minor_status,
input_token_buffer,
&indata,
"\x01\x00",
GSS_KRB5_MECHANISM);
if (ret) {
/* Assume that there is no OID wrapping. */
indata.length = input_token_buffer->length;
indata.data = input_token_buffer->value;
}
/*
* We need to get our keytab
*/
if (acceptor_cred == NULL) {
if (_gsskrb5_keytab != NULL)
keytab = _gsskrb5_keytab;
} else if (acceptor_cred->keytab != NULL) {
keytab = acceptor_cred->keytab;
}
/*
* We need to check the ticket and create the AP-REP packet
*/
kret = krb5_rd_req_return_keyblock(_gsskrb5_context,
&ctx->auth_context,
&indata,
(acceptor_cred == NULL) ? NULL : acceptor_cred->principal,
keytab,
&ap_options,
&ticket,
&keyblock);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
/*
* We need to remember some data on the context_handle.
*/
ctx->ticket = ticket;
ctx->service_keyblock = keyblock;
ctx->lifetime = ticket->ticket.endtime;
/*
* We need to copy the principal names to the context and the
* calling layer.
*/
kret = krb5_copy_principal(_gsskrb5_context,
ticket->client,
&ctx->source);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
}
kret = krb5_copy_principal(_gsskrb5_context, ticket->server, &ctx->target);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
/*
* We need to setup some compat stuff, this assumes that
* context_handle->target is already set.
*/
ret = _gss_DES3_get_mic_compat(minor_status, ctx);
if (ret)
return ret;
if (src_name != NULL) {
kret = krb5_copy_principal (_gsskrb5_context,
ticket->client,
(gsskrb5_name*)src_name);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
}
/*
* We need to get the flags out of the 8003 checksum.
*/
{
krb5_authenticator authenticator;
kret = krb5_auth_con_getauthenticator(_gsskrb5_context,
ctx->auth_context,
&authenticator);
if(kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
ret = _gsskrb5_verify_8003_checksum(minor_status,
input_chan_bindings,
authenticator->cksum,
&ctx->flags,
&ctx->fwd_data);
krb5_free_authenticator(_gsskrb5_context, &authenticator);
if (ret) {
return ret;
}
} else {
krb5_crypto crypto;
kret = krb5_crypto_init(_gsskrb5_context,
ctx->auth_context->keyblock,
0, &crypto);
if(kret) {
krb5_free_authenticator(_gsskrb5_context, &authenticator);
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
/*
* Windows accepts Samba3's use of a kerberos, rather than
* GSSAPI checksum here
*/
kret = krb5_verify_checksum(_gsskrb5_context,
crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
authenticator->cksum);
krb5_free_authenticator(_gsskrb5_context, &authenticator);
krb5_crypto_destroy(_gsskrb5_context, crypto);
if(kret) {
ret = GSS_S_BAD_SIG;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
/*
* Samba style get some flags (but not DCE-STYLE)
*/
ctx->flags =
GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
}
}
if(ctx->flags & GSS_C_MUTUAL_FLAG) {
krb5_data outbuf;
_gsskrb5i_is_cfx(ctx, &is_cfx);
if (is_cfx != 0
|| (ap_options & AP_OPTS_USE_SUBKEY)) {
kret = krb5_auth_con_addflags(_gsskrb5_context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_USE_SUBKEY,
NULL);
ctx->more_flags |= ACCEPTOR_SUBKEY;
}
kret = krb5_mk_rep(_gsskrb5_context,
ctx->auth_context,
&outbuf);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
if (ctx->flags & GSS_C_DCE_STYLE) {
output_token->length = outbuf.length;
output_token->value = outbuf.data;
} else {
ret = _gsskrb5_encapsulate(minor_status,
&outbuf,
output_token,
"\x02\x00",
GSS_KRB5_MECHANISM);
krb5_data_free (&outbuf);
if (ret)
return ret;
}
}
ctx->flags |= GSS_C_TRANS_FLAG;
/* Remember the flags */
ctx->lifetime = ticket->ticket.endtime;
ctx->more_flags |= OPEN;
if (mech_type)
*mech_type = GSS_KRB5_MECHANISM;
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
ctx->lifetime,
time_rec);
if (ret) {
return ret;
}
}
/*
* When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from
* the client.
*/
if (ctx->flags & GSS_C_DCE_STYLE) {
/*
* Return flags to caller, but we haven't processed
* delgations yet
*/
if (ret_flags)
*ret_flags = (ctx->flags & ~GSS_C_DELEG_FLAG);
ctx->state = ACCEPTOR_WAIT_FOR_DCESTYLE;
return GSS_S_CONTINUE_NEEDED;
}
ret = gsskrb5_acceptor_ready(minor_status, ctx, delegated_cred_handle);
if (ret_flags)
*ret_flags = ctx->flags;
return ret;
}
static OM_uint32
acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
const gss_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token_buffer,
const gss_channel_bindings_t input_chan_bindings,
gss_name_t * src_name,
gss_OID * mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec,
gss_cred_id_t * delegated_cred_handle)
{
OM_uint32 ret;
krb5_error_code kret;
krb5_data inbuf;
int32_t r_seq_number, l_seq_number;
/*
* We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP
*/
inbuf.length = input_token_buffer->length;
inbuf.data = input_token_buffer->value;
/*
* We need to remeber the old remote seq_number, then check if the
* client has replied with our local seq_number, and then reset
* the remote seq_number to the old value
*/
{
kret = krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
ctx->auth_context,
&l_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_auth_getremoteseqnumber(_gsskrb5_context,
ctx->auth_context,
&r_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_auth_con_setremoteseqnumber(_gsskrb5_context,
ctx->auth_context,
l_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
}
/*
* We need to verify the AP_REP, but we need to flag that this is
* DCE_STYLE, so don't check the timestamps this time, but put the
* flag DO_TIME back afterward.
*/
{
krb5_ap_rep_enc_part *repl;
int32_t auth_flags;
krb5_auth_con_removeflags(_gsskrb5_context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
&auth_flags);
kret = krb5_rd_rep(_gsskrb5_context, ctx->auth_context, &inbuf, &repl);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
krb5_free_ap_rep_enc_part(_gsskrb5_context, repl);
krb5_auth_con_setflags(_gsskrb5_context, ctx->auth_context, auth_flags);
}
/* We need to check the liftime */
{
OM_uint32 lifetime_rec;
ret = _gsskrb5_lifetime_left(minor_status,
ctx->lifetime,
&lifetime_rec);
if (ret) {
return ret;
}
if (lifetime_rec == 0) {
return GSS_S_CONTEXT_EXPIRED;
}
if (time_rec) *time_rec = lifetime_rec;
}
/* We need to give the caller the flags which are in use */
if (ret_flags) *ret_flags = ctx->flags;
if (src_name) {
kret = krb5_copy_principal(_gsskrb5_context,
ctx->source,
(gsskrb5_name*)src_name);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
}
/*
* After the krb5_rd_rep() the remote and local seq_number should
* be the same, because the client just replies the seq_number
* from our AP-REP in its AP-REP, but then the client uses the
* seq_number from its AP-REQ for GSS_wrap()
*/
{
int32_t tmp_r_seq_number, tmp_l_seq_number;
kret = krb5_auth_getremoteseqnumber(_gsskrb5_context,
ctx->auth_context,
&tmp_r_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
ctx->auth_context,
&tmp_l_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
/*
* Here we check if the client has responsed with our local seq_number,
*/
if (tmp_r_seq_number != tmp_l_seq_number) {
return GSS_S_UNSEQ_TOKEN;
}
}
/*
* We need to reset the remote seq_number, because the client will use,
* the old one for the GSS_wrap() calls
*/
{
kret = krb5_auth_con_setremoteseqnumber(_gsskrb5_context,
ctx->auth_context,
r_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
}
return gsskrb5_acceptor_ready(minor_status, ctx, delegated_cred_handle);
}
OM_uint32
_gsskrb5_accept_sec_context(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
const gss_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token_buffer,
const gss_channel_bindings_t input_chan_bindings,
gss_name_t * src_name,
gss_OID * mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec,
gss_cred_id_t * delegated_cred_handle)
{
OM_uint32 ret;
gsskrb5_ctx ctx;
GSSAPI_KRB5_INIT();
output_token->length = 0;
output_token->value = NULL;
if (src_name != NULL)
*src_name = NULL;
if (mech_type)
*mech_type = GSS_KRB5_MECHANISM;
if (*context_handle == GSS_C_NO_CONTEXT) {
ret = _gsskrb5_create_ctx(minor_status,
context_handle,
input_chan_bindings,
ACCEPTOR_START);
if (ret)
return ret;
}
ctx = (gsskrb5_ctx)*context_handle;
/*
* TODO: check the channel_bindings
* (above just sets them to krb5 layer)
*/
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
switch (ctx->state) {
case ACCEPTOR_START:
ret = gsskrb5_acceptor_start(minor_status,
ctx,
acceptor_cred_handle,
input_token_buffer,
input_chan_bindings,
src_name,
mech_type,
output_token,
ret_flags,
time_rec,
delegated_cred_handle);
break;
case ACCEPTOR_WAIT_FOR_DCESTYLE:
ret = acceptor_wait_for_dcestyle(minor_status,
ctx,
acceptor_cred_handle,
input_token_buffer,
input_chan_bindings,
src_name,
mech_type,
output_token,
ret_flags,
time_rec,
delegated_cred_handle);
break;
case ACCEPTOR_READY:
/*
* If we get there, the caller have called
* gss_accept_sec_context() one time too many.
*/
ret = GSS_S_BAD_STATUS;
break;
default:
/* TODO: is this correct here? --metze */
ret = GSS_S_BAD_STATUS;
break;
}
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (GSS_ERROR(ret)) {
OM_uint32 min2;
_gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER);
}
return ret;
}

174
source4/heimdal/lib/gssapi/acquire_cred.c → source4/heimdal/lib/gssapi/krb5/acquire_cred.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -31,12 +31,12 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: acquire_cred.c,v 1.27 2005/12/01 16:26:02 lha Exp $");
RCSID("$Id: acquire_cred.c,v 1.31 2006/10/07 22:13:55 lha Exp $");
OM_uint32
_gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
__gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
krb5_ccache id,
krb5_principal principal,
OM_uint32 *lifetime)
@ -48,32 +48,32 @@ _gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
memset(&in_cred, 0, sizeof(in_cred));
in_cred.client = principal;
realm = krb5_principal_get_realm(gssapi_krb5_context, principal);
realm = krb5_principal_get_realm(_gsskrb5_context, principal);
if (realm == NULL) {
gssapi_krb5_clear_status ();
_gsskrb5_clear_status ();
*minor_status = KRB5_PRINC_NOMATCH; /* XXX */
return GSS_S_FAILURE;
}
kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server,
kret = krb5_make_principal(_gsskrb5_context, &in_cred.server,
realm, KRB5_TGS_NAME, realm, NULL);
if (kret) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_get_credentials(gssapi_krb5_context, 0,
kret = krb5_get_credentials(_gsskrb5_context, 0,
id, &in_cred, &out_cred);
krb5_free_principal(gssapi_krb5_context, in_cred.server);
krb5_free_principal(_gsskrb5_context, in_cred.server);
if (kret) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = kret;
return GSS_S_FAILURE;
}
*lifetime = out_cred->times.endtime;
krb5_free_creds(gssapi_krb5_context, out_cred);
krb5_free_creds(_gsskrb5_context, out_cred);
return GSS_S_COMPLETE;
}
@ -82,21 +82,21 @@ _gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
static krb5_error_code
get_keytab(krb5_context context, krb5_keytab *keytab)
get_keytab(krb5_keytab *keytab)
{
char kt_name[256];
krb5_error_code kret;
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if (gssapi_krb5_keytab != NULL) {
kret = krb5_kt_get_name(context,
gssapi_krb5_keytab,
if (_gsskrb5_keytab != NULL) {
kret = krb5_kt_get_name(_gsskrb5_context,
_gsskrb5_keytab,
kt_name, sizeof(kt_name));
if (kret == 0)
kret = krb5_kt_resolve(context, kt_name, keytab);
kret = krb5_kt_resolve(_gsskrb5_context, kt_name, keytab);
} else
kret = krb5_kt_default(context, keytab);
kret = krb5_kt_default(_gsskrb5_context, keytab);
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
@ -105,12 +105,11 @@ get_keytab(krb5_context context, krb5_keytab *keytab)
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t handle,
gsskrb5_cred handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
@ -120,9 +119,10 @@ static OM_uint32 acquire_initiator_cred
krb5_principal def_princ;
krb5_get_init_creds_opt *opt;
krb5_ccache ccache;
krb5_error_code kret;
krb5_keytab keytab;
krb5_error_code kret;
keytab = NULL;
ccache = NULL;
def_princ = NULL;
ret = GSS_S_FAILURE;
@ -132,33 +132,33 @@ static OM_uint32 acquire_initiator_cred
* caches, otherwise, fall back to default cache. Ignore
* errors. */
if (handle->principal)
kret = krb5_cc_cache_match (gssapi_krb5_context,
kret = krb5_cc_cache_match (_gsskrb5_context,
handle->principal,
NULL,
&ccache);
if (ccache == NULL) {
kret = krb5_cc_default(gssapi_krb5_context, &ccache);
kret = krb5_cc_default(_gsskrb5_context, &ccache);
if (kret)
goto end;
}
kret = krb5_cc_get_principal(context, ccache,
kret = krb5_cc_get_principal(_gsskrb5_context, ccache,
&def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
krb5_cc_destroy(context, ccache);
krb5_cc_destroy(_gsskrb5_context, ccache);
ccache = NULL;
kret = 0;
} else if (handle->principal == NULL) {
kret = krb5_copy_principal(context, def_princ,
kret = krb5_copy_principal(_gsskrb5_context, def_princ,
&handle->principal);
if (kret)
goto end;
} else if (handle->principal != NULL &&
krb5_principal_compare(context, handle->principal,
krb5_principal_compare(_gsskrb5_context, handle->principal,
def_princ) == FALSE) {
/* Before failing, lets check the keytab */
krb5_free_principal(context, def_princ);
krb5_free_principal(_gsskrb5_context, def_princ);
def_princ = NULL;
}
if (def_princ == NULL) {
@ -166,37 +166,37 @@ static OM_uint32 acquire_initiator_cred
* so attempt to get a TGT using a keytab.
*/
if (handle->principal == NULL) {
kret = krb5_get_default_principal(context,
kret = krb5_get_default_principal(_gsskrb5_context,
&handle->principal);
if (kret)
goto end;
}
kret = get_keytab(context, &keytab);
kret = get_keytab(&keytab);
if (kret)
goto end;
kret = krb5_get_init_creds_opt_alloc(gssapi_krb5_context, &opt);
kret = krb5_get_init_creds_opt_alloc(_gsskrb5_context, &opt);
if (kret)
goto end;
kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
kret = krb5_get_init_creds_keytab(_gsskrb5_context, &cred,
handle->principal, keytab, 0, NULL, opt);
krb5_get_init_creds_opt_free(opt);
if (kret)
goto end;
kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
kret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops,
&ccache);
if (kret)
goto end;
kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
kret = krb5_cc_initialize(_gsskrb5_context, ccache, cred.client);
if (kret)
goto end;
kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
kret = krb5_cc_store_cred(_gsskrb5_context, ccache, &cred);
if (kret)
goto end;
handle->lifetime = cred.times.endtime;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
} else {
ret = _gssapi_krb5_ccache_lifetime(minor_status,
ret = __gsskrb5_ccache_lifetime(minor_status,
ccache,
handle->principal,
&handle->lifetime);
@ -210,17 +210,17 @@ static OM_uint32 acquire_initiator_cred
end:
if (cred.client != NULL)
krb5_free_cred_contents(context, &cred);
krb5_free_cred_contents(_gsskrb5_context, &cred);
if (def_princ != NULL)
krb5_free_principal(context, def_princ);
krb5_free_principal(_gsskrb5_context, def_princ);
if (keytab != NULL)
krb5_kt_close(context, keytab);
krb5_kt_close(_gsskrb5_context, keytab);
if (ret != GSS_S_COMPLETE) {
if (ccache != NULL)
krb5_cc_close(gssapi_krb5_context, ccache);
krb5_cc_close(_gsskrb5_context, ccache);
if (kret != 0) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
}
}
return (ret);
@ -228,11 +228,11 @@ end:
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t handle,
gsskrb5_cred handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
@ -242,7 +242,7 @@ static OM_uint32 acquire_acceptor_cred
kret = 0;
ret = GSS_S_FAILURE;
kret = get_keytab(context, &handle->keytab);
kret = get_keytab(&handle->keytab);
if (kret)
goto end;
@ -250,37 +250,38 @@ static OM_uint32 acquire_acceptor_cred
if (handle->principal) {
krb5_keytab_entry entry;
kret = krb5_kt_get_entry(gssapi_krb5_context, handle->keytab,
kret = krb5_kt_get_entry(_gsskrb5_context, handle->keytab,
handle->principal, 0, 0, &entry);
if (kret)
goto end;
krb5_kt_free_entry(gssapi_krb5_context, &entry);
krb5_kt_free_entry(_gsskrb5_context, &entry);
}
ret = GSS_S_COMPLETE;
end:
if (ret != GSS_S_COMPLETE) {
krb5_kt_close(context, handle->keytab);
if (handle->keytab != NULL)
krb5_kt_close(_gsskrb5_context, handle->keytab);
if (kret != 0) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
}
}
return (ret);
}
OM_uint32 gss_acquire_cred
(OM_uint32 * minor_status,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
OM_uint32 _gsskrb5_acquire_cred
(OM_uint32 * minor_status,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
{
gss_cred_id_t handle;
gsskrb5_cred handle;
OM_uint32 ret;
if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
@ -299,8 +300,8 @@ OM_uint32 gss_acquire_cred
if (desired_mechs) {
int present = 0;
ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
desired_mechs, &present);
ret = _gsskrb5_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
desired_mechs, &present);
if (ret)
return ret;
if (!present) {
@ -309,66 +310,63 @@ OM_uint32 gss_acquire_cred
}
}
handle = (gss_cred_id_t)malloc(sizeof(*handle));
if (handle == GSS_C_NO_CREDENTIAL) {
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
memset(handle, 0, sizeof (*handle));
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
if (desired_name != GSS_C_NO_NAME) {
ret = gss_duplicate_name(minor_status, desired_name,
&handle->principal);
if (ret != GSS_S_COMPLETE) {
krb5_principal name = (krb5_principal)desired_name;
ret = krb5_copy_principal(_gsskrb5_context, name, &handle->principal);
if (ret) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
_gsskrb5_set_error_string();
*minor_status = ret;
free(handle);
return (ret);
return GSS_S_FAILURE;
}
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, gssapi_krb5_context,
desired_name, time_req,
desired_mechs, cred_usage,
handle, actual_mechs, time_rec);
ret = acquire_initiator_cred(minor_status, desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
return (ret);
}
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, gssapi_krb5_context,
time_req,
desired_mechs, cred_usage,
handle, actual_mechs, time_rec);
ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
return (ret);
}
}
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
actual_mechs);
ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
NULL, time_rec, NULL, actual_mechs);
if (ret != GSS_S_COMPLETE) {
if (handle->mechanisms != NULL)
gss_release_oid_set(NULL, &handle->mechanisms);
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
return (ret);
}
*minor_status = 0;
if (time_rec) {
ret = gssapi_lifetime_left(minor_status,
ret = _gsskrb5_lifetime_left(minor_status,
handle->lifetime,
time_rec);
@ -376,8 +374,6 @@ OM_uint32 gss_acquire_cred
return ret;
}
handle->usage = cred_usage;
*output_cred_handle = handle;
*output_cred_handle = (gss_cred_id_t)handle;
return (GSS_S_COMPLETE);
}

249
source4/heimdal/lib/gssapi/krb5/add_cred.c Normal file
View File

@ -0,0 +1,249 @@
/*
* Copyright (c) 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: add_cred.c,v 1.9 2006/10/07 22:13:58 lha Exp $");
OM_uint32 _gsskrb5_add_cred (
OM_uint32 *minor_status,
const gss_cred_id_t input_cred_handle,
const gss_name_t desired_name,
const gss_OID desired_mech,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
OM_uint32 ret, lifetime;
gsskrb5_cred cred, handle;
krb5_const_principal dname;
handle = NULL;
cred = (gsskrb5_cred)input_cred_handle;
dname = (krb5_const_principal)desired_name;
if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_S_BAD_MECH;
}
if (cred == NULL && output_cred_handle == NULL) {
*minor_status = 0;
return GSS_S_NO_CRED;
}
if (cred == NULL) { /* XXX standard conformance failure */
*minor_status = 0;
return GSS_S_NO_CRED;
}
/* check if requested output usage is compatible with output usage */
if (output_cred_handle != NULL) {
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return(GSS_S_FAILURE);
}
}
/* check that we have the same name */
if (dname != NULL &&
krb5_principal_compare(_gsskrb5_context, dname,
cred->principal) != FALSE) {
if (output_cred_handle)
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_BAD_NAME;
}
/* make a copy */
if (output_cred_handle) {
krb5_error_code kret;
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
handle->usage = cred_usage;
handle->lifetime = cred->lifetime;
handle->principal = NULL;
handle->keytab = NULL;
handle->ccache = NULL;
handle->mechanisms = NULL;
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
ret = GSS_S_FAILURE;
kret = krb5_copy_principal(_gsskrb5_context, cred->principal,
&handle->principal);
if (kret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
free(handle);
*minor_status = kret;
return GSS_S_FAILURE;
}
if (cred->keytab) {
char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
int len;
ret = GSS_S_FAILURE;
kret = krb5_kt_get_type(_gsskrb5_context, cred->keytab,
name, KRB5_KT_PREFIX_MAX_LEN);
if (kret) {
*minor_status = kret;
goto failure;
}
len = strlen(name);
name[len++] = ':';
kret = krb5_kt_get_name(_gsskrb5_context, cred->keytab,
name + len,
sizeof(name) - len);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_kt_resolve(_gsskrb5_context, name,
&handle->keytab);
if (kret){
*minor_status = kret;
goto failure;
}
}
if (cred->ccache) {
const char *type, *name;
char *type_name;
ret = GSS_S_FAILURE;
type = krb5_cc_get_type(_gsskrb5_context, cred->ccache);
if (type == NULL){
*minor_status = ENOMEM;
goto failure;
}
if (strcmp(type, "MEMORY") == 0) {
ret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops,
&handle->ccache);
if (ret) {
*minor_status = ret;
goto failure;
}
ret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache,
handle->ccache);
if (ret) {
*minor_status = ret;
goto failure;
}
} else {
name = krb5_cc_get_name(_gsskrb5_context, cred->ccache);
if (name == NULL) {
*minor_status = ENOMEM;
goto failure;
}
asprintf(&type_name, "%s:%s", type, name);
if (type_name == NULL) {
*minor_status = ENOMEM;
goto failure;
}
kret = krb5_cc_resolve(_gsskrb5_context, type_name,
&handle->ccache);
free(type_name);
if (kret) {
*minor_status = kret;
goto failure;
}
}
}
ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret)
goto failure;
ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret)
goto failure;
}
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred,
NULL, &lifetime, NULL, actual_mechs);
if (ret)
goto failure;
if (initiator_time_rec)
*initiator_time_rec = lifetime;
if (acceptor_time_rec)
*acceptor_time_rec = lifetime;
if (output_cred_handle) {
*output_cred_handle = (gss_cred_id_t)handle;
}
*minor_status = 0;
return ret;
failure:
if (handle) {
if (handle->principal)
krb5_free_principal(_gsskrb5_context, handle->principal);
if (handle->keytab)
krb5_kt_close(_gsskrb5_context, handle->keytab);
if (handle->ccache)
krb5_cc_destroy(_gsskrb5_context, handle->ccache);
if (handle->mechanisms)
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
free(handle);
}
if (output_cred_handle)
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
return ret;
}

9
source4/heimdal/lib/gssapi/add_oid_set_member.c → source4/heimdal/lib/gssapi/krb5/add_oid_set_member.c
View File

@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: add_oid_set_member.c,v 1.8 2003/03/16 17:50:49 lha Exp $");
RCSID("$Id: add_oid_set_member.c,v 1.10 2006/10/07 22:14:00 lha Exp $");
OM_uint32 gss_add_oid_set_member (
OM_uint32 _gsskrb5_add_oid_set_member (
OM_uint32 * minor_status,
const gss_OID member_oid,
gss_OID_set * oid_set
@ -46,7 +46,8 @@ OM_uint32 gss_add_oid_set_member (
OM_uint32 res;
int present;
res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present);
res = _gsskrb5_test_oid_set_member(minor_status, member_oid,
*oid_set, &present);
if (res != GSS_S_COMPLETE)
return res;

14
source4/heimdal/lib/gssapi/address_to_krb5addr.c → source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c
View File

@ -31,15 +31,15 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
#include <roken.h>
krb5_error_code
gss_address_to_krb5addr(OM_uint32 gss_addr_type,
gss_buffer_desc *gss_addr,
int16_t port,
krb5_address *address)
_gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type,
gss_buffer_desc *gss_addr,
int16_t port,
krb5_address *address)
{
int addr_type;
struct sockaddr sa;
@ -61,7 +61,7 @@ gss_address_to_krb5addr(OM_uint32 gss_addr_type,
return GSS_S_FAILURE;
}
problem = krb5_h_addr2sockaddr (gssapi_krb5_context,
problem = krb5_h_addr2sockaddr (_gsskrb5_context,
addr_type,
gss_addr->value,
&sa,
@ -70,7 +70,7 @@ gss_address_to_krb5addr(OM_uint32 gss_addr_type,
if (problem)
return GSS_S_FAILURE;
problem = krb5_sockaddr2address (gssapi_krb5_context, &sa, address);
problem = krb5_sockaddr2address (_gsskrb5_context, &sa, address);
return problem;
}

263
source4/heimdal/lib/gssapi/arcfour.c → source4/heimdal/lib/gssapi/krb5/arcfour.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
* Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -31,9 +31,9 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: arcfour.c,v 1.19 2006/05/04 11:56:50 lha Exp $");
RCSID("$Id: arcfour.c,v 1.29 2006/10/07 22:14:05 lha Exp $");
/*
* Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
@ -57,6 +57,17 @@ RCSID("$Id: arcfour.c,v 1.19 2006/05/04 11:56:50 lha Exp $");
* Confounder[8]
*/
/*
* WRAP in DCE-style have a fixed size header, the oid and length over
* the WRAP header is a total of
* GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE +
* GSS_ARCFOUR_WRAP_TOKEN_SIZE byte (ie total of 45 bytes overhead,
* remember the 2 bytes from APPL [0] SEQ).
*/
#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
#define GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE 13
static krb5_error_code
arcfour_mic_key(krb5_context context, krb5_keyblock *key,
@ -127,13 +138,13 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
memcpy(ptr + l1, v2, l2);
memcpy(ptr + l1 + l2, v3, l3);
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret) {
free(ptr);
return ret;
}
ret = krb5_create_checksum(gssapi_krb5_context,
ret = krb5_create_checksum(_gsskrb5_context,
crypto,
usage,
0,
@ -144,7 +155,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
free_Checksum(&CKSUM);
}
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return ret;
}
@ -152,7 +163,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
OM_uint32
_gssapi_get_mic_arcfour(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@ -164,7 +175,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
u_char k6_data[16], *p0, *p;
RC4_KEY rc4_key;
gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
_gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
message_token->length = total_len;
message_token->value = malloc (total_len);
@ -195,28 +206,28 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
message_buffer->value, message_buffer->length,
NULL, 0);
if (ret) {
gss_release_buffer(minor_status, message_token);
_gsskrb5_release_buffer(minor_status, message_token);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = arcfour_mic_key(gssapi_krb5_context, key,
ret = arcfour_mic_key(_gsskrb5_context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
gss_release_buffer(minor_status, message_token);
_gsskrb5_release_buffer(minor_status, message_token);
*minor_status = ret;
return GSS_S_FAILURE;
}
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
context_handle->auth_context,
&seq_number);
p = p0 + 8; /* SND_SEQ */
gssapi_encode_be_om_uint32(seq_number, p);
_gsskrb5_encode_be_om_uint32(seq_number, p);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@ -236,7 +247,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
OM_uint32
_gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@ -244,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
char *type)
{
krb5_error_code ret;
int32_t seq_number;
uint32_t seq_number;
OM_uint32 omret;
u_char SND_SEQ[8], cksum_data[8], *p;
char k6_data[16];
@ -254,7 +265,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
*qop_state = 0;
p = token_buffer->value;
omret = gssapi_krb5_verify_header (&p,
omret = _gsskrb5_verify_header (&p,
token_buffer->length,
(u_char *)type,
GSS_KRB5_MECHANISM);
@ -278,7 +289,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_FAILURE;
}
ret = arcfour_mic_key(gssapi_krb5_context, key,
ret = arcfour_mic_key(_gsskrb5_context, key,
cksum_data, sizeof(cksum_data),
k6_data, sizeof(k6_data));
if (ret) {
@ -302,7 +313,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
memset(k6_data, 0, sizeof(k6_data));
}
gssapi_decode_be_om_uint32(SND_SEQ, &seq_number);
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
@ -325,40 +336,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_COMPLETE;
}
OM_uint32
_gssapi_wrap_size_arcfour(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_input_size,
OM_uint32 * output_size,
OM_uint32 * padlen,
krb5_keyblock *key)
{
size_t len, total_len, datalen;
*padlen = 0;
datalen = req_input_size;
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
/* if GSS_C_DCE_STYLE is in use:
* - we only need to encapsulate the WRAP token
* - we should not add padding
*/
if (!(context_handle->flags & GSS_C_DCE_STYLE)) {
datalen += 1 /* padding */;
len += datalen;
}
_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
if (context_handle->flags & GSS_C_DCE_STYLE) {
total_len += datalen;
}
*output_size = total_len;
return GSS_S_COMPLETE;
}
OM_uint32
_gssapi_wrap_arcfour(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@ -375,19 +355,17 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
if (conf_state)
*conf_state = 0;
datalen = input_message_buffer->length;
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
/* if GSS_C_DCE_STYLE is in use:
* - we only need to encapsulate the WRAP token
* - we should not add padding
*/
if (!(context_handle->flags & GSS_C_DCE_STYLE)) {
datalen += 1 /* padding */;
len += datalen;
}
_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
if (context_handle->flags & GSS_C_DCE_STYLE) {
total_len += datalen;
if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
datalen = input_message_buffer->length + 1 /* padding */;
len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
} else {
datalen = input_message_buffer->length;
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
total_len += datalen;
}
output_message_buffer->length = total_len;
@ -419,13 +397,13 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
p = NULL;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
context_handle->auth_context,
&seq_number);
gssapi_encode_be_om_uint32(seq_number, p0 + 8);
_gsskrb5_encode_be_om_uint32(seq_number, p0 + 8);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@ -439,9 +417,9 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
/* p points to data */
p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
memcpy(p, input_message_buffer->value, input_message_buffer->length);
/* only add padding when GSS_C_DCE_STYLE is not in use */
if (!(context_handle->flags & GSS_C_DCE_STYLE)) {
p[input_message_buffer->length] = 1; /* PADDING */
if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
p[input_message_buffer->length] = 1; /* PADDING */
}
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
@ -452,7 +430,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
datalen);
if (ret) {
*minor_status = ret;
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
@ -466,12 +444,12 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
for (i = 0; i < 16; i++)
Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
}
ret = arcfour_mic_key(gssapi_krb5_context, &Klocal,
ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
p0 + 8, 4, /* SND_SEQ */
k6_data, sizeof(k6_data));
memset(Klocaldata, 0, sizeof(Klocaldata));
if (ret) {
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = ret;
return GSS_S_FAILURE;
}
@ -487,11 +465,11 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
}
memset(k6_data, 0, sizeof(k6_data));
ret = arcfour_mic_key(gssapi_krb5_context, key,
ret = arcfour_mic_key(_gsskrb5_context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = ret;
return GSS_S_FAILURE;
}
@ -513,7 +491,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
}
OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
@ -523,15 +501,15 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
u_char Klocaldata[16];
krb5_keyblock Klocal;
krb5_error_code ret;
int32_t seq_number;
size_t len, datalen;
uint32_t seq_number;
size_t datalen;
OM_uint32 omret;
u_char k6_data[16], SND_SEQ[8], Confounder[8];
u_char cksum_data[8];
u_char *p, *p0;
int cmp;
int conf_flag;
size_t padlen = 0;
size_t padlen = 0, len;
if (conf_state)
*conf_state = 0;
@ -539,25 +517,34 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
*qop_state = 0;
p0 = input_message_buffer->value;
len = input_message_buffer->length;
/* if we have GSS_C_DCE_STYLE in use, we only need to decapsulate the WRAP token */
if (context_handle->flags & GSS_C_DCE_STYLE) {
if (input_message_buffer->length < (GSS_ARCFOUR_WRAP_TOKEN_OFFSET+GSS_ARCFOUR_WRAP_TOKEN_SIZE)) {
return GSS_S_BAD_MECH;
}
len = GSS_ARCFOUR_WRAP_TOKEN_OFFSET+GSS_ARCFOUR_WRAP_TOKEN_SIZE;
if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
len = input_message_buffer->length;
} else {
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE +
GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
if (input_message_buffer->length < len)
return GSS_S_BAD_MECH;
}
omret = _gssapi_verify_mech_header(&p0,
len,
GSS_KRB5_MECHANISM);
if (omret)
return omret;
p = p0;
datalen = input_message_buffer->length -
(p - ((u_char *)input_message_buffer->value)) -
/* length of mech header */
len = (p0 - (u_char *)input_message_buffer->value) +
GSS_ARCFOUR_WRAP_TOKEN_SIZE;
if (len > input_message_buffer->length)
return GSS_S_BAD_MECH;
/* length of data */
datalen = input_message_buffer->length - len;
p = p0;
if (memcmp(p, "\x02\x01", 2) != 0)
return GSS_S_BAD_SIG;
p += 2;
@ -577,7 +564,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
return GSS_S_BAD_MIC;
p = NULL;
ret = arcfour_mic_key(gssapi_krb5_context, key,
ret = arcfour_mic_key(_gsskrb5_context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
@ -594,7 +581,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
memset(k6_data, 0, sizeof(k6_data));
}
gssapi_decode_be_om_uint32(SND_SEQ, &seq_number);
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
@ -616,7 +603,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
for (i = 0; i < 16; i++)
Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
}
ret = arcfour_mic_key(gssapi_krb5_context, &Klocal,
ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
SND_SEQ, 4,
k6_data, sizeof(k6_data));
memset(Klocaldata, 0, sizeof(Klocaldata));
@ -648,14 +635,14 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
}
memset(k6_data, 0, sizeof(k6_data));
if (!(context_handle->flags & GSS_C_DCE_STYLE)) {
ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
if (ret) {
gss_release_buffer(minor_status, output_message_buffer);
if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
if (ret) {
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = 0;
return ret;
}
output_message_buffer->length -= padlen;
}
output_message_buffer->length -= padlen;
}
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
@ -665,14 +652,14 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
output_message_buffer->value,
output_message_buffer->length + padlen);
if (ret) {
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = ret;
return GSS_S_FAILURE;
}
cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
if (cmp) {
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = 0;
return GSS_S_BAD_MIC;
}
@ -689,3 +676,79 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
*minor_status = 0;
return GSS_S_COMPLETE;
}
static OM_uint32
max_wrap_length_arcfour(const gsskrb5_ctx ctx,
krb5_crypto crypto,
size_t input_length,
OM_uint32 *max_input_size)
{
/*
* if GSS_C_DCE_STYLE is in use:
* - we only need to encapsulate the WRAP token
* However, since this is a fixed since, we just
*/
if (ctx->flags & GSS_C_DCE_STYLE) {
size_t len, total_len;
len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
if (input_length < len)
*max_input_size = 0;
else
*max_input_size = input_length - len;
} else {
size_t extrasize = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
size_t blocksize = 8;
size_t len, total_len;
len = 8 + input_length + blocksize + extrasize;
_gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
total_len -= input_length; /* token length */
if (total_len < input_length) {
*max_input_size = (input_length - total_len);
(*max_input_size) &= (~(OM_uint32)(blocksize - 1));
} else {
*max_input_size = 0;
}
}
return GSS_S_COMPLETE;
}
OM_uint32
_gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
const gsskrb5_ctx ctx,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
OM_uint32 *max_input_size,
krb5_keyblock *key)
{
krb5_error_code ret;
krb5_crypto crypto;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = max_wrap_length_arcfour(ctx, crypto,
req_output_size, max_input_size);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_COMPLETE;
}

46
source4/heimdal/lib/gssapi/krb5/canonicalize_name.c Normal file
View File

@ -0,0 +1,46 @@
/*
* Copyright (c) 1997 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: canonicalize_name.c,v 1.4 2006/10/07 22:14:08 lha Exp $");
OM_uint32 _gsskrb5_canonicalize_name (
OM_uint32 * minor_status,
const gss_name_t input_name,
const gss_OID mech_type,
gss_name_t * output_name
)
{
return _gsskrb5_duplicate_name (minor_status, input_name, output_name);
}

286
source4/heimdal/lib/gssapi/cfx.c → source4/heimdal/lib/gssapi/krb5/cfx.c
View File

@ -30,9 +30,9 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: cfx.c,v 1.19 2006/05/05 10:26:43 lha Exp $");
RCSID("$Id: cfx.c,v 1.24 2006/10/24 21:13:22 lha Exp $");
/*
* Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
@ -42,14 +42,13 @@ RCSID("$Id: cfx.c,v 1.19 2006/05/05 10:26:43 lha Exp $");
#define CFXSealed (1 << 1)
#define CFXAcceptorSubkey (1 << 2)
static krb5_error_code
wrap_length_cfx(krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
size_t *output_length,
size_t *cksumsize,
uint16_t *padlength,
size_t *padsize)
krb5_error_code
_gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
size_t *output_length,
size_t *cksumsize,
uint16_t *padlength)
{
krb5_error_code ret;
krb5_cksumtype type;
@ -58,39 +57,37 @@ wrap_length_cfx(krb5_crypto crypto,
*output_length = sizeof(gss_cfx_wrap_token_desc);
*padlength = 0;
ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto, &type);
if (ret) {
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type);
if (ret)
return ret;
}
ret = krb5_checksumsize(gssapi_krb5_context, type, cksumsize);
if (ret) {
ret = krb5_checksumsize(_gsskrb5_context, type, cksumsize);
if (ret)
return ret;
}
if (conf_req_flag) {
size_t padsize;
/* Header is concatenated with data before encryption */
input_length += sizeof(gss_cfx_wrap_token_desc);
ret = krb5_crypto_getpadsize(gssapi_krb5_context, crypto, padsize);
ret = krb5_crypto_getpadsize(_gsskrb5_context, crypto, &padsize);
if (ret) {
return ret;
}
if (*padsize > 1) {
if (padsize > 1) {
/* XXX check this */
*padlength = *padsize - (input_length % *padsize);
*padlength = padsize - (input_length % padsize);
/* We add the pad ourselves (noted here for completeness only) */
input_length += *padlength;
}
/* We add the pad ourselves (noted here for completeness only) */
input_length += *padlength;
*output_length += krb5_get_wrapped_length(gssapi_krb5_context,
*output_length += krb5_get_wrapped_length(_gsskrb5_context,
crypto, input_length);
} else {
/* Checksum is concatenated with data */
*output_length += input_length + *cksumsize;
*padsize = 0;
}
assert(*output_length > input_length);
@ -98,42 +95,94 @@ wrap_length_cfx(krb5_crypto crypto,
return 0;
}
krb5_error_code
_gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
OM_uint32 *output_length)
{
krb5_error_code ret;
*output_length = 0;
/* 16-byte header is always first */
if (input_length < 16)
return 0;
input_length -= 16;
if (conf_req_flag) {
size_t wrapped_size, sz;
wrapped_size = input_length + 1;
do {
wrapped_size--;
sz = krb5_get_wrapped_length(_gsskrb5_context,
crypto, wrapped_size);
} while (wrapped_size && sz > input_length);
if (wrapped_size == 0) {
*output_length = 0;
return 0;
}
/* inner header */
if (wrapped_size < 16) {
*output_length = 0;
return 0;
}
wrapped_size -= 16;
*output_length = wrapped_size;
} else {
krb5_cksumtype type;
size_t cksumsize;
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type);
if (ret)
return ret;
ret = krb5_checksumsize(_gsskrb5_context, type, &cksumsize);
if (ret)
return ret;
if (input_length < cksumsize)
return 0;
/* Checksum is concatenated with data */
*output_length = input_length - cksumsize;
}
return 0;
}
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_input_size,
OM_uint32 *output_len,
OM_uint32 *padsize,
OM_uint32 req_output_size,
OM_uint32 *max_input_size,
krb5_keyblock *key)
{
krb5_error_code ret;
krb5_crypto crypto;
uint16_t pad_length;
size_t pad_size;
size_t output_length, cksumsize;
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = wrap_length_cfx(crypto, conf_req_flag,
req_input_size,
&output_length, &cksumsize, &pad_length, &pad_size);
ret = _gsskrb5cfx_max_wrap_length_cfx(crypto, conf_req_flag,
req_output_size, max_input_size);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
*output_len = output_length;
*padsize = pad_size;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_COMPLETE;
}
@ -183,7 +232,7 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
}
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@ -199,23 +248,22 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
size_t wrapped_len, cksumsize;
uint16_t padlength, rrc = 0;
int32_t seq_number;
size_t padsize;
u_char *p;
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = wrap_length_cfx(crypto, conf_req_flag,
input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength, &padsize);
ret = _gsskrb5cfx_wrap_length_cfx(crypto, conf_req_flag,
input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@ -226,7 +274,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(output_message_buffer->length);
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@ -276,12 +324,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
token->RRC[1] = 0;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(gssapi_krb5_context,
krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
context_handle->auth_context,
&seq_number);
gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]);
gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(gssapi_krb5_context,
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@ -316,16 +364,16 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
memcpy(p + input_message_buffer->length + padlength,
token, sizeof(*token));
ret = krb5_encrypt(gssapi_krb5_context, crypto,
ret = krb5_encrypt(_gsskrb5_context, crypto,
usage, p,
input_message_buffer->length + padlength +
sizeof(*token),
&cipher);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
assert(sizeof(*token) + cipher.length == wrapped_len);
@ -334,10 +382,10 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
memcpy(p, cipher.data, cipher.length);
@ -349,23 +397,23 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
buf = malloc(input_message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
memcpy(buf, input_message_buffer->value, input_message_buffer->length);
memcpy(buf + input_message_buffer->length, token, sizeof(*token));
ret = krb5_create_checksum(gssapi_krb5_context, crypto,
ret = krb5_create_checksum(_gsskrb5_context, crypto,
usage, 0, buf,
input_message_buffer->length +
sizeof(*token),
&cksum);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free(buf);
return GSS_S_FAILURE;
}
@ -386,17 +434,17 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(p,
input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free_Checksum(&cksum);
return GSS_S_FAILURE;
}
free_Checksum(&cksum);
}
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
if (conf_state != NULL) {
*conf_state = conf_req_flag;
@ -407,7 +455,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
}
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
@ -470,8 +518,8 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/*
* Check sequence number
*/
gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
if (seq_number_hi) {
/* no support for 64-bit sequence numbers */
*minor_status = ERANGE;
@ -483,7 +531,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
if (ret != 0) {
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
gss_release_buffer(minor_status, output_message_buffer);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return ret;
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@ -491,9 +539,9 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/*
* Decrypt and/or verify checksum
*/
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@ -511,23 +559,23 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Rotate by RRC; bogus to do this in-place XXX */
*minor_status = rrc_rotate(p, len, rrc, TRUE);
if (*minor_status != 0) {
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
if (token_flags & CFXSealed) {
ret = krb5_decrypt(gssapi_krb5_context, crypto, usage,
ret = krb5_decrypt(_gsskrb5_context, crypto, usage,
p, len, &data);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_BAD_MIC;
}
/* Check that there is room for the pad and token header */
if (data.length < ec + sizeof(*token)) {
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_data_free(&data);
return GSS_S_DEFECTIVE_TOKEN;
}
@ -540,7 +588,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check the integrity of the header */
if (memcmp(p, token, sizeof(*token)) != 0) {
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_data_free(&data);
return GSS_S_BAD_MIC;
}
@ -551,12 +599,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
Checksum cksum;
/* Determine checksum type */
ret = krb5_crypto_get_checksum_type(gssapi_krb5_context,
ret = krb5_crypto_get_checksum_type(_gsskrb5_context,
crypto, &cksum.cksumtype);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@ -565,7 +613,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check we have at least as much data as the checksum */
if (len < cksum.checksum.length) {
*minor_status = ERANGE;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_BAD_MIC;
}
@ -577,7 +625,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(len + sizeof(*token));
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@ -594,21 +642,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
token->RRC[0] = 0;
token->RRC[1] = 0;
ret = krb5_verify_checksum(gssapi_krb5_context, crypto,
ret = krb5_verify_checksum(_gsskrb5_context, crypto,
usage,
output_message_buffer->value,
len + sizeof(*token),
&cksum);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
gss_release_buffer(minor_status, output_message_buffer);
krb5_crypto_destroy(_gsskrb5_context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_BAD_MIC;
}
}
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
if (qop_state != NULL) {
*qop_state = GSS_C_QOP_DEFAULT;
@ -619,7 +667,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
}
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@ -634,9 +682,9 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
size_t len;
int32_t seq_number;
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@ -645,7 +693,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
buf = malloc(len);
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@ -662,12 +710,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
memset(token->Filler, 0xFF, 5);
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(gssapi_krb5_context,
krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
context_handle->auth_context,
&seq_number);
gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]);
gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(gssapi_krb5_context,
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@ -678,16 +726,16 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
}
ret = krb5_create_checksum(gssapi_krb5_context, crypto,
ret = krb5_create_checksum(_gsskrb5_context, crypto,
usage, 0, buf, len, &cksum);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
free(buf);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
/* Determine MIC length */
message_token->length = sizeof(*token) + cksum.checksum.length;
@ -712,7 +760,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
}
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state,
@ -763,8 +811,8 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
/*
* Check sequence number
*/
gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
if (seq_number_hi) {
*minor_status = ERANGE;
return GSS_S_UNSEQ_TOKEN;
@ -782,19 +830,19 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
/*
* Verify checksum
*/
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto,
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto,
&cksum.cksumtype);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
@ -810,21 +858,21 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
buf = malloc(message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
krb5_crypto_destroy(_gsskrb5_context, crypto);
return GSS_S_FAILURE;
}
memcpy(buf, message_buffer->value, message_buffer->length);
memcpy(buf + message_buffer->length, token, sizeof(*token));
ret = krb5_verify_checksum(gssapi_krb5_context, crypto,
ret = krb5_verify_checksum(_gsskrb5_context, crypto,
usage,
buf,
sizeof(*token) + message_buffer->length,
&cksum);
krb5_crypto_destroy(_gsskrb5_context, crypto);
if (ret != 0) {
gssapi_krb5_set_error_string();
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
free(buf);
return GSS_S_BAD_MIC;
}

51
source4/heimdal/lib/gssapi/cfx.h → source4/heimdal/lib/gssapi/krb5/cfx.h
View File

@ -30,7 +30,7 @@
* SUCH DAMAGE.
*/
/* $Id: cfx.h,v 1.5 2003/09/22 21:48:35 lha Exp $ */
/* $Id: cfx.h,v 1.7 2006/07/19 14:16:33 lha Exp $ */
#ifndef GSSAPI_CFX_H_
#define GSSAPI_CFX_H_ 1
@ -62,44 +62,19 @@ typedef struct gss_cfx_delete_token_desc_struct {
u_char SND_SEQ[8];
} gss_cfx_delete_token_desc, *gss_cfx_delete_token;
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
krb5_error_code
_gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
size_t *output_length,
size_t *cksumsize,
uint16_t *padlength);
krb5_error_code
_gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_input_size,
OM_uint32 *output_len,
OM_uint32 *padlen,
krb5_keyblock *key);
size_t input_length,
OM_uint32 *output_length);
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
int *conf_state,
gss_buffer_t output_message_buffer,
krb5_keyblock *key);
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
gss_qop_t *qop_state,
krb5_keyblock *key);
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
krb5_keyblock *key);
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state,
krb5_keyblock *key);
#endif /* GSSAPI_CFX_H_ */

54
source4/heimdal/lib/gssapi/krb5/compare_name.c Normal file
View File

@ -0,0 +1,54 @@
/*
* Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: compare_name.c,v 1.7 2006/10/07 22:14:15 lha Exp $");
OM_uint32 _gsskrb5_compare_name
(OM_uint32 * minor_status,
const gss_name_t name1,
const gss_name_t name2,
int * name_equal
)
{
krb5_const_principal princ1 = (krb5_const_principal)name1;
krb5_const_principal princ2 = (krb5_const_principal)name2;
GSSAPI_KRB5_INIT();
*name_equal = krb5_principal_compare (_gsskrb5_context,
princ1, princ2);
*minor_status = 0;
return GSS_S_COMPLETE;
}

65
source4/heimdal/lib/gssapi/compat.c → source4/heimdal/lib/gssapi/krb5/compat.c
View File

@ -31,42 +31,42 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: compat.c,v 1.10 2005/05/30 20:51:51 lha Exp $");
RCSID("$Id: compat.c,v 1.13 2006/10/07 22:14:17 lha Exp $");
krb5_error_code
_gss_check_compat(OM_uint32 *minor_status, gss_name_t name,
const char *option, krb5_boolean *compat,
krb5_boolean match_val)
static krb5_error_code
check_compat(OM_uint32 *minor_status, krb5_const_principal name,
const char *option, krb5_boolean *compat,
krb5_boolean match_val)
{
krb5_error_code ret = 0;
char **p, **q;
krb5_principal match;
p = krb5_config_get_strings(gssapi_krb5_context, NULL, "gssapi",
p = krb5_config_get_strings(_gsskrb5_context, NULL, "gssapi",
option, NULL);
if(p == NULL)
return 0;
match = NULL;
for(q = p; *q; q++) {
ret = krb5_parse_name(gssapi_krb5_context, *q, &match);
ret = krb5_parse_name(_gsskrb5_context, *q, &match);
if (ret)
break;
if (krb5_principal_match(gssapi_krb5_context, name, match)) {
if (krb5_principal_match(_gsskrb5_context, name, match)) {
*compat = match_val;
break;
}
krb5_free_principal(gssapi_krb5_context, match);
krb5_free_principal(_gsskrb5_context, match);
match = NULL;
}
if (match)
krb5_free_principal(gssapi_krb5_context, match);
krb5_free_principal(_gsskrb5_context, match);
krb5_config_free_strings(p);
if (ret) {
@ -83,18 +83,18 @@ _gss_check_compat(OM_uint32 *minor_status, gss_name_t name,
*/
OM_uint32
_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx)
_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gsskrb5_ctx ctx)
{
krb5_boolean use_compat = FALSE;
OM_uint32 ret;
if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) {
ret = _gss_check_compat(minor_status, ctx->target,
"broken_des3_mic", &use_compat, TRUE);
ret = check_compat(minor_status, ctx->target,
"broken_des3_mic", &use_compat, TRUE);
if (ret)
return ret;
ret = _gss_check_compat(minor_status, ctx->target,
"correct_des3_mic", &use_compat, FALSE);
ret = check_compat(minor_status, ctx->target,
"correct_des3_mic", &use_compat, FALSE);
if (ret)
return ret;
@ -105,6 +105,7 @@ _gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx)
return 0;
}
#if 0
OM_uint32
gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)
{
@ -121,34 +122,4 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)
return 0;
}
/*
* For compatability with the Windows SPNEGO implementation, the
* default is to ignore the mechListMIC unless the initiator specified
* CFX or configured in krb5.conf with the option
* [gssapi]require_mechlist_mic=target-principal-pattern.
* The option is valid for both initiator and acceptor.
*/
OM_uint32
_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
gss_ctx_id_t ctx,
krb5_boolean *require_mic)
{
OM_uint32 ret;
int is_cfx = 0;
gsskrb5_is_cfx(ctx, &is_cfx);
if (is_cfx) {
/* CFX session key was used */
*require_mic = TRUE;
} else {
*require_mic = FALSE;
ret = _gss_check_compat(minor_status, ctx->target,
"require_mechlist_mic",
require_mic, TRUE);
if (ret)
return ret;
}
*minor_status = 0;
return GSS_S_COMPLETE;
}
#endif

21
source4/heimdal/lib/gssapi/context_time.c → source4/heimdal/lib/gssapi/krb5/context_time.c
View File

@ -31,12 +31,12 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: context_time.c,v 1.11 2005/12/05 09:19:52 lha Exp $");
RCSID("$Id: context_time.c,v 1.13 2006/10/07 22:14:19 lha Exp $");
OM_uint32
gssapi_lifetime_left(OM_uint32 *minor_status,
_gsskrb5_lifetime_left(OM_uint32 *minor_status,
OM_uint32 lifetime,
OM_uint32 *lifetime_rec)
{
@ -48,10 +48,10 @@ gssapi_lifetime_left(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
kret = krb5_timeofday(gssapi_krb5_context, &timeret);
kret = krb5_timeofday(_gsskrb5_context, &timeret);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
@ -64,7 +64,7 @@ gssapi_lifetime_left(OM_uint32 *minor_status,
}
OM_uint32 gss_context_time
OM_uint32 _gsskrb5_context_time
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
OM_uint32 * time_rec
@ -72,14 +72,15 @@ OM_uint32 gss_context_time
{
OM_uint32 lifetime;
OM_uint32 major_status;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
GSSAPI_KRB5_INIT ();
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
lifetime = context_handle->lifetime;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
lifetime = ctx->lifetime;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec);
major_status = _gsskrb5_lifetime_left(minor_status, lifetime, time_rec);
if (major_status != GSS_S_COMPLETE)
return major_status;

147
source4/heimdal/lib/gssapi/copy_ccache.c → source4/heimdal/lib/gssapi/krb5/copy_ccache.c
View File

@ -31,10 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: copy_ccache.c,v 1.13 2005/11/28 23:05:44 lha Exp $");
RCSID("$Id: copy_ccache.c,v 1.15 2006/10/07 22:14:22 lha Exp $");
#if 0
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
gss_cred_id_t cred,
@ -50,36 +51,37 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out);
kret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, out);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
*minor_status = 0;
return GSS_S_COMPLETE;
}
#endif
OM_uint32
gss_krb5_import_cred(OM_uint32 *minor_status,
_gsskrb5_import_cred(OM_uint32 *minor_status,
krb5_ccache id,
krb5_principal keytab_principal,
krb5_keytab keytab,
gss_cred_id_t *cred)
{
krb5_error_code kret;
gss_cred_id_t handle;
gsskrb5_cred handle;
OM_uint32 ret;
*cred = NULL;
GSSAPI_KRB5_INIT ();
handle = (gss_cred_id_t)calloc(1, sizeof(*handle));
if (handle == GSS_C_NO_CREDENTIAL) {
gssapi_krb5_clear_status ();
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
_gsskrb5_clear_status ();
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
@ -92,11 +94,11 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
handle->usage |= GSS_C_INITIATE;
kret = krb5_cc_get_principal(gssapi_krb5_context, id,
kret = krb5_cc_get_principal(_gsskrb5_context, id,
&handle->principal);
if (kret) {
free(handle);
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@ -104,34 +106,34 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
if (keytab_principal) {
krb5_boolean match;
match = krb5_principal_compare(gssapi_krb5_context,
match = krb5_principal_compare(_gsskrb5_context,
handle->principal,
keytab_principal);
if (match == FALSE) {
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
gssapi_krb5_clear_status ();
_gsskrb5_clear_status ();
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
}
ret = _gssapi_krb5_ccache_lifetime(minor_status,
ret = __gsskrb5_ccache_lifetime(minor_status,
id,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE) {
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
free(handle);
return ret;
}
kret = krb5_cc_get_full_name(gssapi_krb5_context, id, &str);
kret = krb5_cc_get_full_name(_gsskrb5_context, id, &str);
if (kret)
goto out;
kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache);
kret = krb5_cc_resolve(_gsskrb5_context, str, &handle->ccache);
free(str);
if (kret)
goto out;
@ -144,18 +146,18 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
handle->usage |= GSS_C_ACCEPT;
if (keytab_principal && handle->principal == NULL) {
kret = krb5_copy_principal(gssapi_krb5_context,
kret = krb5_copy_principal(_gsskrb5_context,
keytab_principal,
&handle->principal);
if (kret)
goto out;
}
kret = krb5_kt_get_full_name(gssapi_krb5_context, keytab, &str);
kret = krb5_kt_get_full_name(_gsskrb5_context, keytab, &str);
if (kret)
goto out;
kret = krb5_kt_resolve(gssapi_krb5_context, str, &handle->keytab);
kret = krb5_kt_resolve(_gsskrb5_context, str, &handle->keytab);
free(str);
if (kret)
goto out;
@ -163,10 +165,10 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
if (id || keytab) {
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret != GSS_S_COMPLETE) {
kret = *minor_status;
goto out;
@ -174,107 +176,16 @@ gss_krb5_import_cred(OM_uint32 *minor_status,
}
*minor_status = 0;
*cred = handle;
*cred = (gss_cred_id_t)handle;
return GSS_S_COMPLETE;
out:
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
if (handle->principal)
krb5_free_principal(gssapi_krb5_context, handle->principal);
krb5_free_principal(_gsskrb5_context, handle->principal);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = kret;
return GSS_S_FAILURE;
}
OM_uint32
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int ad_type,
gss_buffer_t ad_data)
{
krb5_error_code ret;
krb5_data data;
ad_data->value = NULL;
ad_data->length = 0;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
if (context_handle->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = krb5_ticket_get_authorization_data_type(gssapi_krb5_context,
context_handle->ticket,
ad_type,
&data);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ad_data->value = malloc(data.length);
if (ad_data->value == NULL) {
krb5_data_free(&data);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ad_data->length = data.length;
memcpy(ad_data->value, data.data, ad_data->length);
krb5_data_free(&data);
*minor_status = 0;
return GSS_S_COMPLETE;
}
OM_uint32
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
time_t *authtime)
{
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
if (context_handle->ticket == NULL) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
*authtime = context_handle->ticket->ticket.authtime;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = 0;
return GSS_S_COMPLETE;
}
OM_uint32 gss_krb5_copy_service_keyblock
(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
struct EncryptionKey **out)
{
krb5_error_code ret;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
if (context_handle->service_keyblock == NULL) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = krb5_copy_keyblock(gssapi_krb5_context,
context_handle->service_keyblock,
out);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
*minor_status = 0;
return GSS_S_COMPLETE;
}

6
source4/heimdal/lib/gssapi/create_emtpy_oid_set.c → source4/heimdal/lib/gssapi/krb5/create_emtpy_oid_set.c
View File

@ -31,11 +31,11 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: create_emtpy_oid_set.c,v 1.5 2003/03/16 17:47:07 lha Exp $");
RCSID("$Id: create_emtpy_oid_set.c,v 1.7 2006/10/07 22:14:24 lha Exp $");
OM_uint32 gss_create_empty_oid_set (
OM_uint32 _gsskrb5_create_empty_oid_set (
OM_uint32 * minor_status,
gss_OID_set * oid_set
)

20
source4/heimdal/lib/gssapi/decapsulate.c → source4/heimdal/lib/gssapi/krb5/decapsulate.c
View File

@ -31,9 +31,9 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: decapsulate.c,v 1.12 2005/06/16 20:40:49 lha Exp $");
RCSID("$Id: decapsulate.c,v 1.16 2006/10/07 22:14:26 lha Exp $");
/*
* return the length of the mechanism in token or -1
@ -41,7 +41,7 @@ RCSID("$Id: decapsulate.c,v 1.12 2005/06/16 20:40:49 lha Exp $");
*/
ssize_t
gssapi_krb5_get_mech (const u_char *ptr,
_gsskrb5_get_mech (const u_char *ptr,
size_t total_len,
const u_char **mech_ret)
{
@ -76,7 +76,7 @@ _gssapi_verify_mech_header(u_char **str,
const u_char *p;
ssize_t mech_len;
mech_len = gssapi_krb5_get_mech (*str, total_len, &p);
mech_len = _gsskrb5_get_mech (*str, total_len, &p);
if (mech_len < 0)
return GSS_S_DEFECTIVE_TOKEN;
@ -92,9 +92,9 @@ _gssapi_verify_mech_header(u_char **str,
}
OM_uint32
gssapi_krb5_verify_header(u_char **str,
_gsskrb5_verify_header(u_char **str,
size_t total_len,
const u_char *type,
const void *type,
gss_OID oid)
{
OM_uint32 ret;
@ -110,7 +110,7 @@ gssapi_krb5_verify_header(u_char **str,
if (len < 2)
return GSS_S_DEFECTIVE_TOKEN;
if ((*str)[0] != type[0] || (*str)[1] != type[1])
if (memcmp (*str, type, 2) != 0)
return GSS_S_DEFECTIVE_TOKEN;
*str += 2;
@ -154,17 +154,17 @@ _gssapi_decapsulate(
*/
OM_uint32
gssapi_krb5_decapsulate(OM_uint32 *minor_status,
_gsskrb5_decapsulate(OM_uint32 *minor_status,
gss_buffer_t input_token_buffer,
krb5_data *out_data,
const char *type,
const void *type,
gss_OID oid)
{
u_char *p;
OM_uint32 ret;
p = input_token_buffer->value;
ret = gssapi_krb5_verify_header(&p,
ret = _gsskrb5_verify_header(&p,
input_token_buffer->length,
type,
oid);

61
source4/heimdal/lib/gssapi/delete_sec_context.c → source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
View File

@ -31,16 +31,17 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: delete_sec_context.c,v 1.16 2006/01/16 13:12:29 lha Exp $");
RCSID("$Id: delete_sec_context.c,v 1.19 2006/10/07 22:14:28 lha Exp $");
OM_uint32 gss_delete_sec_context
(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
gss_buffer_t output_token
)
OM_uint32
_gsskrb5_delete_sec_context(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
gss_buffer_t output_token)
{
gsskrb5_ctx ctx;
GSSAPI_KRB5_INIT ();
*minor_status = 0;
@ -53,31 +54,27 @@ OM_uint32 gss_delete_sec_context
if (*context_handle == GSS_C_NO_CONTEXT)
return GSS_S_COMPLETE;
HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex);
krb5_auth_con_free (gssapi_krb5_context,
(*context_handle)->auth_context);
if((*context_handle)->source)
krb5_free_principal (gssapi_krb5_context,
(*context_handle)->source);
if((*context_handle)->target)
krb5_free_principal (gssapi_krb5_context,
(*context_handle)->target);
if ((*context_handle)->ticket)
krb5_free_ticket (gssapi_krb5_context,
(*context_handle)->ticket);
if ((*context_handle)->service_keyblock)
krb5_free_keyblock (gssapi_krb5_context,
(*context_handle)->service_keyblock);
if((*context_handle)->order)
_gssapi_msg_order_destroy(&(*context_handle)->order);
if ((*context_handle)->fwd_data.length > 0)
free((*context_handle)->fwd_data.data);
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex);
memset(*context_handle, 0, sizeof(**context_handle));
free (*context_handle);
ctx = (gsskrb5_ctx) *context_handle;
*context_handle = GSS_C_NO_CONTEXT;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_free (_gsskrb5_context, ctx->auth_context);
if(ctx->source)
krb5_free_principal (_gsskrb5_context, ctx->source);
if(ctx->target)
krb5_free_principal (_gsskrb5_context, ctx->target);
if (ctx->ticket)
krb5_free_ticket (_gsskrb5_context, ctx->ticket);
if(ctx->order)
_gssapi_msg_order_destroy(&ctx->order);
if (ctx->service_keyblock)
krb5_free_keyblock (_gsskrb5_context, ctx->service_keyblock);
krb5_data_free(&ctx->fwd_data);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
memset(ctx, 0, sizeof(*ctx));
free (ctx);
return GSS_S_COMPLETE;
}

13
source4/heimdal/lib/gssapi/display_name.c → source4/heimdal/lib/gssapi/krb5/display_name.c
View File

@ -31,28 +31,27 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: display_name.c,v 1.9 2003/03/16 17:46:11 lha Exp $");
RCSID("$Id: display_name.c,v 1.12 2006/10/07 22:14:31 lha Exp $");
OM_uint32 gss_display_name
OM_uint32 _gsskrb5_display_name
(OM_uint32 * minor_status,
const gss_name_t input_name,
gss_buffer_t output_name_buffer,
gss_OID * output_name_type
)
{
krb5_const_principal name = (krb5_const_principal)input_name;
krb5_error_code kret;
char *buf;
size_t len;
GSSAPI_KRB5_INIT ();
kret = krb5_unparse_name (gssapi_krb5_context,
input_name,
&buf);
kret = krb5_unparse_name (_gsskrb5_context, name, &buf);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
len = strlen (buf);

32
source4/heimdal/lib/gssapi/display_status.c → source4/heimdal/lib/gssapi/krb5/display_status.c
View File

@ -31,9 +31,9 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: display_status.c,v 1.14 2005/10/12 07:23:03 lha Exp $");
RCSID("$Id: display_status.c,v 1.16 2006/10/07 22:14:33 lha Exp $");
static const char *
calling_error(OM_uint32 v)
@ -112,9 +112,9 @@ supplementary_error(OM_uint32 v)
}
void
gssapi_krb5_clear_status (void)
_gsskrb5_clear_status (void)
{
struct gssapi_thr_context *ctx = gssapi_get_thread_context(1);
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1);
if (ctx == NULL)
return;
HEIMDAL_MUTEX_lock(&ctx->mutex);
@ -125,9 +125,9 @@ gssapi_krb5_clear_status (void)
}
void
gssapi_krb5_set_status (const char *fmt, ...)
_gsskrb5_set_status (const char *fmt, ...)
{
struct gssapi_thr_context *ctx = gssapi_get_thread_context(1);
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1);
va_list args;
if (ctx == NULL)
@ -143,22 +143,22 @@ gssapi_krb5_set_status (const char *fmt, ...)
}
void
gssapi_krb5_set_error_string (void)
_gsskrb5_set_error_string (void)
{
char *e;
e = krb5_get_error_string(gssapi_krb5_context);
e = krb5_get_error_string(_gsskrb5_context);
if (e) {
gssapi_krb5_set_status("%s", e);
krb5_free_error_string(gssapi_krb5_context, e);
_gsskrb5_set_status("%s", e);
krb5_free_error_string(_gsskrb5_context, e);
} else
gssapi_krb5_clear_status();
_gsskrb5_clear_status();
}
char *
gssapi_krb5_get_error_string (void)
_gsskrb5_get_error_string (void)
{
struct gssapi_thr_context *ctx = gssapi_get_thread_context(0);
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(0);
char *ret;
if (ctx == NULL)
@ -170,7 +170,7 @@ gssapi_krb5_get_error_string (void)
return ret;
}
OM_uint32 gss_display_status
OM_uint32 _gsskrb5_display_status
(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
@ -200,9 +200,9 @@ OM_uint32 gss_display_status
calling_error(GSS_CALLING_ERROR(status_value)),
routine_error(GSS_ROUTINE_ERROR(status_value)));
} else if (status_type == GSS_C_MECH_CODE) {
buf = gssapi_krb5_get_error_string ();
buf = _gsskrb5_get_error_string ();
if (buf == NULL) {
const char *tmp = krb5_get_err_text (gssapi_krb5_context,
const char *tmp = krb5_get_err_text (_gsskrb5_context,
status_value);
if (tmp == NULL)
asprintf(&buf, "unknown mech error-code %u",

14
source4/heimdal/lib/gssapi/duplicate_name.c → source4/heimdal/lib/gssapi/krb5/duplicate_name.c
View File

@ -31,26 +31,26 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: duplicate_name.c,v 1.7 2003/03/16 17:44:26 lha Exp $");
RCSID("$Id: duplicate_name.c,v 1.10 2006/10/07 22:14:35 lha Exp $");
OM_uint32 gss_duplicate_name (
OM_uint32 _gsskrb5_duplicate_name (
OM_uint32 * minor_status,
const gss_name_t src_name,
gss_name_t * dest_name
)
{
krb5_const_principal src = (krb5_const_principal)src_name;
krb5_principal *dest = (krb5_principal *)dest_name;
krb5_error_code kret;
GSSAPI_KRB5_INIT ();
kret = krb5_copy_principal (gssapi_krb5_context,
src_name,
dest_name);
kret = krb5_copy_principal (_gsskrb5_context, src, dest);
if (kret) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
} else {
*minor_status = 0;

32
source4/heimdal/lib/gssapi/encapsulate.c → source4/heimdal/lib/gssapi/krb5/encapsulate.c
View File

@ -31,9 +31,9 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: encapsulate.c,v 1.8 2003/09/04 18:08:55 lha Exp $");
RCSID("$Id: encapsulate.c,v 1.12 2006/10/14 10:02:56 lha Exp $");
void
_gssapi_encap_length (size_t data_len,
@ -45,13 +45,13 @@ _gssapi_encap_length (size_t data_len,
*len = 1 + 1 + mech->length + data_len;
len_len = length_len(*len);
len_len = der_length_len(*len);
*total_len = 1 + len_len + *len;
}
void
gssapi_krb5_encap_length (size_t data_len,
_gsskrb5_encap_length (size_t data_len,
size_t *len,
size_t *total_len,
const gss_OID mech)
@ -59,28 +59,30 @@ gssapi_krb5_encap_length (size_t data_len,
_gssapi_encap_length(data_len + 2, len, total_len, mech);
}
u_char *
gssapi_krb5_make_header (u_char *p,
void *
_gsskrb5_make_header (void *ptr,
size_t len,
const u_char *type,
const void *type,
const gss_OID mech)
{
u_char *p = ptr;
p = _gssapi_make_mech_header(p, len, mech);
memcpy (p, type, 2);
p += 2;
return p;
}
u_char *
_gssapi_make_mech_header(u_char *p,
void *
_gssapi_make_mech_header(void *ptr,
size_t len,
const gss_OID mech)
{
u_char *p = ptr;
int e;
size_t len_len, foo;
*p++ = 0x60;
len_len = length_len(len);
len_len = der_length_len(len);
e = der_put_length (p + len_len - 1, len_len, len, &foo);
if(e || foo != len_len)
abort ();
@ -105,7 +107,7 @@ _gssapi_encapsulate(
)
{
size_t len, outer_len;
u_char *p;
void *p;
_gssapi_encap_length (in_data->length, &len, &outer_len, mech);
@ -127,18 +129,18 @@ _gssapi_encapsulate(
*/
OM_uint32
gssapi_krb5_encapsulate(
_gsskrb5_encapsulate(
OM_uint32 *minor_status,
const krb5_data *in_data,
gss_buffer_t output_token,
const u_char *type,
const void *type,
const gss_OID mech
)
{
size_t len, outer_len;
u_char *p;
gssapi_krb5_encap_length (in_data->length, &len, &outer_len, mech);
_gsskrb5_encap_length (in_data->length, &len, &outer_len, mech);
output_token->length = outer_len;
output_token->value = malloc (outer_len);
@ -147,7 +149,7 @@ gssapi_krb5_encapsulate(
return GSS_S_FAILURE;
}
p = gssapi_krb5_make_header (output_token->value, len, type, mech);
p = _gsskrb5_make_header (output_token->value, len, type, mech);
memcpy (p, in_data->data, in_data->length);
return GSS_S_COMPLETE;
}

93
source4/heimdal/lib/gssapi/krb5/export_name.c Normal file
View File

@ -0,0 +1,93 @@
/*
* Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: export_name.c,v 1.8 2006/10/07 22:14:40 lha Exp $");
OM_uint32 _gsskrb5_export_name
(OM_uint32 * minor_status,
const gss_name_t input_name,
gss_buffer_t exported_name
)
{
krb5_const_principal princ = (krb5_const_principal)input_name;
krb5_error_code kret;
char *buf, *name;
size_t len;
GSSAPI_KRB5_INIT ();
kret = krb5_unparse_name (_gsskrb5_context, princ, &name);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
len = strlen (name);
exported_name->length = 10 + len + GSS_KRB5_MECHANISM->length;
exported_name->value = malloc(exported_name->length);
if (exported_name->value == NULL) {
free (name);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
/* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */
buf = exported_name->value;
memcpy(buf, "\x04\x01", 2);
buf += 2;
buf[0] = ((GSS_KRB5_MECHANISM->length + 2) >> 8) & 0xff;
buf[1] = (GSS_KRB5_MECHANISM->length + 2) & 0xff;
buf+= 2;
buf[0] = 0x06;
buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF;
buf+= 2;
memcpy(buf, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
buf += GSS_KRB5_MECHANISM->length;
buf[0] = (len >> 24) & 0xff;
buf[1] = (len >> 16) & 0xff;
buf[2] = (len >> 8) & 0xff;
buf[3] = (len) & 0xff;
buf += 4;
memcpy (buf, name, len);
free (name);
*minor_status = 0;
return GSS_S_COMPLETE;
}

239
source4/heimdal/lib/gssapi/krb5/export_sec_context.c Normal file
View File

@ -0,0 +1,239 @@
/*
* Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: export_sec_context.c,v 1.11 2006/10/07 22:14:42 lha Exp $");
OM_uint32
_gsskrb5_export_sec_context (
OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
gss_buffer_t interprocess_token
)
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) *context_handle;
krb5_storage *sp;
krb5_auth_context ac;
OM_uint32 ret = GSS_S_COMPLETE;
krb5_data data;
gss_buffer_desc buffer;
int flags;
OM_uint32 minor;
krb5_error_code kret;
GSSAPI_KRB5_INIT ();
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (!(ctx->flags & GSS_C_TRANS_FLAG)) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*minor_status = 0;
return GSS_S_UNAVAILABLE;
}
sp = krb5_storage_emem ();
if (sp == NULL) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ac = ctx->auth_context;
/* flagging included fields */
flags = 0;
if (ac->local_address)
flags |= SC_LOCAL_ADDRESS;
if (ac->remote_address)
flags |= SC_REMOTE_ADDRESS;
if (ac->keyblock)
flags |= SC_KEYBLOCK;
if (ac->local_subkey)
flags |= SC_LOCAL_SUBKEY;
if (ac->remote_subkey)
flags |= SC_REMOTE_SUBKEY;
kret = krb5_store_int32 (sp, flags);
if (kret) {
*minor_status = kret;
goto failure;
}
/* marshall auth context */
kret = krb5_store_int32 (sp, ac->flags);
if (kret) {
*minor_status = kret;
goto failure;
}
if (ac->local_address) {
kret = krb5_store_address (sp, *ac->local_address);
if (kret) {
*minor_status = kret;
goto failure;
}
}
if (ac->remote_address) {
kret = krb5_store_address (sp, *ac->remote_address);
if (kret) {
*minor_status = kret;
goto failure;
}
}
kret = krb5_store_int16 (sp, ac->local_port);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int16 (sp, ac->remote_port);
if (kret) {
*minor_status = kret;
goto failure;
}
if (ac->keyblock) {
kret = krb5_store_keyblock (sp, *ac->keyblock);
if (kret) {
*minor_status = kret;
goto failure;
}
}
if (ac->local_subkey) {
kret = krb5_store_keyblock (sp, *ac->local_subkey);
if (kret) {
*minor_status = kret;
goto failure;
}
}
if (ac->remote_subkey) {
kret = krb5_store_keyblock (sp, *ac->remote_subkey);
if (kret) {
*minor_status = kret;
goto failure;
}
}
kret = krb5_store_int32 (sp, ac->local_seqnumber);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, ac->remote_seqnumber);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, ac->keytype);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, ac->cksumtype);
if (kret) {
*minor_status = kret;
goto failure;
}
/* names */
ret = _gsskrb5_export_name (minor_status,
(gss_name_t)ctx->source, &buffer);
if (ret)
goto failure;
data.data = buffer.value;
data.length = buffer.length;
kret = krb5_store_data (sp, data);
_gsskrb5_release_buffer (&minor, &buffer);
if (kret) {
*minor_status = kret;
goto failure;
}
ret = _gsskrb5_export_name (minor_status,
(gss_name_t)ctx->target, &buffer);
if (ret)
goto failure;
data.data = buffer.value;
data.length = buffer.length;
ret = GSS_S_FAILURE;
kret = krb5_store_data (sp, data);
_gsskrb5_release_buffer (&minor, &buffer);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, ctx->flags);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, ctx->more_flags);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_store_int32 (sp, ctx->lifetime);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = _gssapi_msg_order_export(sp, ctx->order);
if (kret ) {
*minor_status = kret;
goto failure;
}
kret = krb5_storage_to_data (sp, &data);
krb5_storage_free (sp);
if (kret) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*minor_status = kret;
return GSS_S_FAILURE;
}
interprocess_token->length = data.length;
interprocess_token->value = data.data;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
ret = _gsskrb5_delete_sec_context (minor_status, context_handle,
GSS_C_NO_BUFFER);
if (ret != GSS_S_COMPLETE)
_gsskrb5_release_buffer (NULL, interprocess_token);
*minor_status = 0;
return ret;
failure:
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
krb5_storage_free (sp);
return ret;
}

171
source4/heimdal/lib/gssapi/external.c → source4/heimdal/lib/gssapi/krb5/external.c
View File

@ -31,9 +31,10 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
#include <gssapi_mech.h>
RCSID("$Id: external.c,v 1.7 2005/08/23 11:59:47 lha Exp $");
RCSID("$Id: external.c,v 1.18 2006/10/20 21:50:24 lha Exp $");
/*
* The implementation must reserve static storage for a
@ -225,18 +226,6 @@ static gss_OID_desc gss_krb5_mechanism_oid_desc =
gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
/*
* RFC2478, SPNEGO:
* The security mechanism of the initial
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
static gss_OID_desc gss_spnego_mechanism_oid_desc =
{6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02")};
gss_OID GSS_SPNEGO_MECHANISM = &gss_spnego_mechanism_oid_desc;
/*
* draft-ietf-cat-iakerb-09, IAKERB:
* The mechanism ID for IAKERB proxy GSS-API Kerberos, in accordance
@ -260,8 +249,160 @@ static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc =
gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc;
/*
*
*/
static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc =
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"};
gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc;
/*
* 1.2.752.43.13 Heimdal GSS-API Extentions
*/
/* 1.2.752.43.13.1 */
static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")};
gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc;
/* 1.2.752.43.13.2 */
static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")};
gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc;
/* 1.2.752.43.13.3 */
static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")};
gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
/* 1.2.752.43.13.4 */
static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")};
gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc;
/* 1.2.752.43.13.5 */
static gss_OID_desc gss_krb5_register_acceptor_identity_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = &gss_krb5_register_acceptor_identity_x_desc;
/* 1.2.752.43.13.6 */
static gss_OID_desc gss_krb5_export_lucid_context_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")};
gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X = &gss_krb5_export_lucid_context_x_desc;
/* 1.2.752.43.13.6.1 */
static gss_OID_desc gss_krb5_export_lucid_context_v1_x_desc =
{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")};
gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = &gss_krb5_export_lucid_context_v1_x_desc;
/* 1.2.752.43.13.7 */
static gss_OID_desc gss_krb5_set_dns_canonicalize_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")};
gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X = &gss_krb5_set_dns_canonicalize_x_desc;
/* 1.2.752.43.13.8 */
static gss_OID_desc gss_krb5_get_subkey_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")};
gss_OID GSS_KRB5_GET_SUBKEY_X = &gss_krb5_get_subkey_x_desc;
/* 1.2.752.43.13.9 */
static gss_OID_desc gss_krb5_get_initiator_subkey_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")};
gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X = &gss_krb5_get_initiator_subkey_x_desc;
/* 1.2.752.43.13.10 */
static gss_OID_desc gss_krb5_get_acceptor_subkey_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")};
gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = &gss_krb5_get_acceptor_subkey_x_desc;
/* 1.2.752.43.13.11 */
static gss_OID_desc gss_krb5_send_to_kdc_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")};
gss_OID GSS_KRB5_SEND_TO_KDC_X = &gss_krb5_send_to_kdc_x_desc;
/* 1.2.752.43.13.12 */
static gss_OID_desc gss_krb5_get_authtime_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")};
gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc;
/* 1.2.752.43.13.14 */
static gss_OID_desc gss_krb5_get_service_keyblock_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc;
/* 1.2.752.43.14.1 */
static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc;
/*
* Context for krb5 calls.
*/
krb5_context gssapi_krb5_context;
krb5_context _gsskrb5_context;
/*
*
*/
static gssapi_mech_interface_desc krb5_mech = {
GMI_VERSION,
"kerberos 5",
{9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
_gsskrb5_acquire_cred,
_gsskrb5_release_cred,
_gsskrb5_init_sec_context,
_gsskrb5_accept_sec_context,
_gsskrb5_process_context_token,
_gsskrb5_delete_sec_context,
_gsskrb5_context_time,
_gsskrb5_get_mic,
_gsskrb5_verify_mic,
_gsskrb5_wrap,
_gsskrb5_unwrap,
_gsskrb5_display_status,
_gsskrb5_indicate_mechs,
_gsskrb5_compare_name,
_gsskrb5_display_name,
_gsskrb5_import_name,
_gsskrb5_export_name,
_gsskrb5_release_name,
_gsskrb5_inquire_cred,
_gsskrb5_inquire_context,
_gsskrb5_wrap_size_limit,
_gsskrb5_add_cred,
_gsskrb5_inquire_cred_by_mech,
_gsskrb5_export_sec_context,
_gsskrb5_import_sec_context,
_gsskrb5_inquire_names_for_mech,
_gsskrb5_inquire_mechs_for_name,
_gsskrb5_canonicalize_name,
_gsskrb5_duplicate_name,
_gsskrb5_inquire_sec_context_by_oid,
_gsskrb5_inquire_cred_by_oid,
_gsskrb5_set_sec_context_option,
_gsskrb5_set_cred_option
};
gssapi_mech_interface
__gss_krb5_initialize(void)
{
return &krb5_mech;
}

87
source4/heimdal/lib/gssapi/get_mic.c → source4/heimdal/lib/gssapi/krb5/get_mic.c
View File

@ -31,14 +31,14 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: get_mic.c,v 1.31 2006/05/08 09:55:37 lha Exp $");
RCSID("$Id: get_mic.c,v 1.34 2006/10/18 15:59:23 lha Exp $");
static OM_uint32
mic_des
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx ctx,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@ -54,7 +54,7 @@ mic_des
int32_t seq_number;
size_t len, total_len;
gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
_gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
message_token->length = total_len;
message_token->value = malloc (total_len);
@ -64,7 +64,7 @@ mic_des
return GSS_S_FAILURE;
}
p = gssapi_krb5_make_header(message_token->value,
p = _gsskrb5_make_header(message_token->value,
len,
"\x01\x01", /* TOK_ID */
GSS_KRB5_MECHANISM);
@ -92,10 +92,10 @@ mic_des
&schedule, &zero);
memcpy (p - 8, hash, 8); /* SGN_CKSUM */
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
p -= 16; /* SND_SEQ */
@ -104,17 +104,17 @@ mic_des
p[2] = (seq_number >> 16) & 0xFF;
p[3] = (seq_number >> 24) & 0xFF;
memset (p + 4,
(context_handle->more_flags & LOCAL) ? 0 : 0xFF,
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
DES_set_key (&deskey, &schedule);
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
memset (deskey, 0, sizeof(deskey));
memset (&schedule, 0, sizeof(schedule));
@ -126,7 +126,7 @@ mic_des
static OM_uint32
mic_des3
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gsskrb5_ctx ctx,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@ -146,7 +146,7 @@ mic_des3
char *tmp;
char ivec[8];
gssapi_krb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM);
_gsskrb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM);
message_token->length = total_len;
message_token->value = malloc (total_len);
@ -156,7 +156,7 @@ mic_des3
return GSS_S_FAILURE;
}
p = gssapi_krb5_make_header(message_token->value,
p = _gsskrb5_make_header(message_token->value,
len,
"\x01\x01", /* TOK-ID */
GSS_KRB5_MECHANISM);
@ -180,18 +180,18 @@ mic_des3
memcpy (tmp, p - 8, 8);
memcpy (tmp + 8, message_buffer->value, message_buffer->length);
kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
kret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
free (tmp);
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_create_checksum (gssapi_krb5_context,
kret = krb5_create_checksum (_gsskrb5_context,
crypto,
KRB5_KU_USAGE_SIGN,
0,
@ -199,22 +199,22 @@ mic_des3
message_buffer->length + 8,
&cksum);
free (tmp);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
seq[0] = (seq_number >> 0) & 0xFF;
@ -222,35 +222,35 @@ mic_des3
seq[2] = (seq_number >> 16) & 0xFF;
seq[3] = (seq_number >> 24) & 0xFF;
memset (seq + 4,
(context_handle->more_flags & LOCAL) ? 0 : 0xFF,
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
kret = krb5_crypto_init(gssapi_krb5_context, key,
kret = krb5_crypto_init(_gsskrb5_context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
if (context_handle->more_flags & COMPAT_OLD_DES3)
if (ctx->more_flags & COMPAT_OLD_DES3)
memset(ivec, 0, 8);
else
memcpy(ivec, p + 8, 8);
kret = krb5_encrypt_ivec (gssapi_krb5_context,
kret = krb5_encrypt_ivec (_gsskrb5_context,
crypto,
KRB5_KU_USAGE_SEQ,
seq, 8, &encdata, ivec);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
krb5_crypto_destroy (_gsskrb5_context, crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@ -260,17 +260,17 @@ mic_des3
memcpy (p, encdata.data, encdata.length);
krb5_data_free (&encdata);
krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
context_handle->auth_context,
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_Checksum (&cksum);
*minor_status = 0;
return GSS_S_COMPLETE;
}
OM_uint32 gss_get_mic
OM_uint32 _gsskrb5_get_mic
(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
gss_qop_t qop_req,
@ -278,37 +278,40 @@ OM_uint32 gss_get_mic
gss_buffer_t message_token
)
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
ret = gss_krb5_get_subkey(context_handle, &key);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
gssapi_krb5_set_error_string ();
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = mic_des (minor_status, context_handle, qop_req,
ret = mic_des (minor_status, ctx, qop_req,
message_buffer, message_token, key);
break;
case KEYTYPE_DES3 :
ret = mic_des3 (minor_status, context_handle, qop_req,
ret = mic_des3 (minor_status, ctx, qop_req,
message_buffer, message_token, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req,
ret = _gssapi_get_mic_arcfour (minor_status, ctx, qop_req,
message_buffer, message_token, key);
break;
default :
ret = _gssapi_mic_cfx (minor_status, context_handle, qop_req,
ret = _gssapi_mic_cfx (minor_status, ctx, qop_req,
message_buffer, message_token, key);
break;
}
krb5_free_keyblock (gssapi_krb5_context, key);
krb5_free_keyblock (_gsskrb5_context, key);
return ret;
}

705
source4/heimdal/lib/gssapi/krb5/gsskrb5-private.h Normal file
View File

@ -0,0 +1,705 @@
/* This is a generated file */
#ifndef __gsskrb5_private_h__
#define __gsskrb5_private_h__
#include <stdarg.h>
gssapi_mech_interface
__gss_krb5_initialize (void);
OM_uint32
__gsskrb5_ccache_lifetime (
OM_uint32 */*minor_status*/,
krb5_ccache /*id*/,
krb5_principal /*principal*/,
OM_uint32 */*lifetime*/);
OM_uint32
_gss_DES3_get_mic_compat (
OM_uint32 */*minor_status*/,
gsskrb5_ctx /*ctx*/);
OM_uint32
_gssapi_decapsulate (
OM_uint32 */*minor_status*/,
gss_buffer_t /*input_token_buffer*/,
krb5_data */*out_data*/,
const gss_OID mech );
void
_gssapi_encap_length (
size_t /*data_len*/,
size_t */*len*/,
size_t */*total_len*/,
const gss_OID /*mech*/);
OM_uint32
_gssapi_encapsulate (
OM_uint32 */*minor_status*/,
const krb5_data */*in_data*/,
gss_buffer_t /*output_token*/,
const gss_OID mech );
OM_uint32
_gssapi_get_mic_arcfour (
OM_uint32 * /*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/,
krb5_keyblock */*key*/);
void *
_gssapi_make_mech_header (
void */*ptr*/,
size_t /*len*/,
const gss_OID /*mech*/);
OM_uint32
_gssapi_mic_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/,
krb5_keyblock */*key*/);
OM_uint32
_gssapi_msg_order_check (
struct gss_msg_order */*o*/,
OM_uint32 /*seq_num*/);
OM_uint32
_gssapi_msg_order_create (
OM_uint32 */*minor_status*/,
struct gss_msg_order **/*o*/,
OM_uint32 /*flags*/,
OM_uint32 /*seq_num*/,
OM_uint32 /*jitter_window*/,
int /*use_64*/);
OM_uint32
_gssapi_msg_order_destroy (struct gss_msg_order **/*m*/);
krb5_error_code
_gssapi_msg_order_export (
krb5_storage */*sp*/,
struct gss_msg_order */*o*/);
OM_uint32
_gssapi_msg_order_f (OM_uint32 /*flags*/);
OM_uint32
_gssapi_msg_order_import (
OM_uint32 */*minor_status*/,
krb5_storage */*sp*/,
struct gss_msg_order **/*o*/);
OM_uint32
_gssapi_unwrap_arcfour (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int */*conf_state*/,
gss_qop_t */*qop_state*/,
krb5_keyblock */*key*/);
OM_uint32
_gssapi_unwrap_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int */*conf_state*/,
gss_qop_t */*qop_state*/,
krb5_keyblock */*key*/);
OM_uint32
_gssapi_verify_mech_header (
u_char **/*str*/,
size_t /*total_len*/,
gss_OID /*mech*/);
OM_uint32
_gssapi_verify_mic_arcfour (
OM_uint32 * /*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t * /*qop_state*/,
krb5_keyblock */*key*/,
char */*type*/);
OM_uint32
_gssapi_verify_mic_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t */*qop_state*/,
krb5_keyblock */*key*/);
OM_uint32
_gssapi_verify_pad (
gss_buffer_t /*wrapped_token*/,
size_t /*datalen*/,
size_t */*padlen*/);
OM_uint32
_gssapi_wrap_arcfour (
OM_uint32 * /*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/,
krb5_keyblock */*key*/);
OM_uint32
_gssapi_wrap_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*input_message_buffer*/,
int */*conf_state*/,
gss_buffer_t /*output_message_buffer*/,
krb5_keyblock */*key*/);
OM_uint32
_gssapi_wrap_size_arcfour (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*ctx*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_output_size*/,
OM_uint32 */*max_input_size*/,
krb5_keyblock */*key*/);
OM_uint32
_gssapi_wrap_size_cfx (
OM_uint32 */*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_output_size*/,
OM_uint32 */*max_input_size*/,
krb5_keyblock */*key*/);
OM_uint32
_gsskrb5_accept_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
const gss_cred_id_t /*acceptor_cred_handle*/,
const gss_buffer_t /*input_token_buffer*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
gss_name_t * /*src_name*/,
gss_OID * /*mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * /*time_rec*/,
gss_cred_id_t * /*delegated_cred_handle*/);
OM_uint32
_gsskrb5_acquire_cred (
OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
OM_uint32 /*time_req*/,
const gss_OID_set /*desired_mechs*/,
gss_cred_usage_t /*cred_usage*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * time_rec );
OM_uint32
_gsskrb5_add_cred (
OM_uint32 */*minor_status*/,
const gss_cred_id_t /*input_cred_handle*/,
const gss_name_t /*desired_name*/,
const gss_OID /*desired_mech*/,
gss_cred_usage_t /*cred_usage*/,
OM_uint32 /*initiator_time_req*/,
OM_uint32 /*acceptor_time_req*/,
gss_cred_id_t */*output_cred_handle*/,
gss_OID_set */*actual_mechs*/,
OM_uint32 */*initiator_time_rec*/,
OM_uint32 */*acceptor_time_rec*/);
OM_uint32
_gsskrb5_add_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member_oid*/,
gss_OID_set * oid_set );
OM_uint32
_gsskrb5_canonicalize_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
const gss_OID /*mech_type*/,
gss_name_t * output_name );
void
_gsskrb5_clear_status (void);
OM_uint32
_gsskrb5_compare_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*name1*/,
const gss_name_t /*name2*/,
int * name_equal );
OM_uint32
_gsskrb5_context_time (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
OM_uint32 * time_rec );
OM_uint32
_gsskrb5_create_8003_checksum (
OM_uint32 */*minor_status*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
OM_uint32 /*flags*/,
const krb5_data */*fwd_data*/,
Checksum */*result*/);
OM_uint32
_gsskrb5_create_ctx (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
enum gss_ctx_id_t_state /*state*/);
OM_uint32
_gsskrb5_create_empty_oid_set (
OM_uint32 * /*minor_status*/,
gss_OID_set * oid_set );
OM_uint32
_gsskrb5_decapsulate (
OM_uint32 */*minor_status*/,
gss_buffer_t /*input_token_buffer*/,
krb5_data */*out_data*/,
const void */*type*/,
gss_OID /*oid*/);
krb5_error_code
_gsskrb5_decode_be_om_uint32 (
const void */*ptr*/,
OM_uint32 */*n*/);
krb5_error_code
_gsskrb5_decode_om_uint32 (
const void */*ptr*/,
OM_uint32 */*n*/);
OM_uint32
_gsskrb5_delete_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*output_token*/);
OM_uint32
_gsskrb5_display_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*output_name_buffer*/,
gss_OID * output_name_type );
OM_uint32
_gsskrb5_display_status (
OM_uint32 */*minor_status*/,
OM_uint32 /*status_value*/,
int /*status_type*/,
const gss_OID /*mech_type*/,
OM_uint32 */*message_context*/,
gss_buffer_t /*status_string*/);
OM_uint32
_gsskrb5_duplicate_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*src_name*/,
gss_name_t * dest_name );
void
_gsskrb5_encap_length (
size_t /*data_len*/,
size_t */*len*/,
size_t */*total_len*/,
const gss_OID /*mech*/);
OM_uint32
_gsskrb5_encapsulate (
OM_uint32 */*minor_status*/,
const krb5_data */*in_data*/,
gss_buffer_t /*output_token*/,
const void */*type*/,
const gss_OID mech );
krb5_error_code
_gsskrb5_encode_be_om_uint32 (
OM_uint32 /*n*/,
u_char */*p*/);
krb5_error_code
_gsskrb5_encode_om_uint32 (
OM_uint32 /*n*/,
u_char */*p*/);
OM_uint32
_gsskrb5_export_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t exported_name );
OM_uint32
_gsskrb5_export_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t interprocess_token );
char *
_gsskrb5_get_error_string (void);
ssize_t
_gsskrb5_get_mech (
const u_char */*ptr*/,
size_t /*total_len*/,
const u_char **/*mech_ret*/);
OM_uint32
_gsskrb5_get_mic (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*message_buffer*/,
gss_buffer_t message_token );
struct gssapi_thr_context *
_gsskrb5_get_thread_context (int /*createp*/);
OM_uint32
_gsskrb5_get_tkt_flags (
OM_uint32 */*minor_status*/,
gsskrb5_ctx /*ctx*/,
OM_uint32 */*tkt_flags*/);
OM_uint32
_gsskrb5_import_cred (
OM_uint32 */*minor_status*/,
krb5_ccache /*id*/,
krb5_principal /*keytab_principal*/,
krb5_keytab /*keytab*/,
gss_cred_id_t */*cred*/);
OM_uint32
_gsskrb5_import_name (
OM_uint32 * /*minor_status*/,
const gss_buffer_t /*input_name_buffer*/,
const gss_OID /*input_name_type*/,
gss_name_t * output_name );
OM_uint32
_gsskrb5_import_sec_context (
OM_uint32 * /*minor_status*/,
const gss_buffer_t /*interprocess_token*/,
gss_ctx_id_t * context_handle );
OM_uint32
_gsskrb5_indicate_mechs (
OM_uint32 * /*minor_status*/,
gss_OID_set * mech_set );
krb5_error_code
_gsskrb5_init (void);
OM_uint32
_gsskrb5_init_sec_context (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*initiator_cred_handle*/,
gss_ctx_id_t * /*context_handle*/,
const gss_name_t /*target_name*/,
const gss_OID /*mech_type*/,
OM_uint32 /*req_flags*/,
OM_uint32 /*time_req*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
const gss_buffer_t /*input_token*/,
gss_OID * /*actual_mech_type*/,
gss_buffer_t /*output_token*/,
OM_uint32 * /*ret_flags*/,
OM_uint32 * time_rec );
OM_uint32
_gsskrb5_inquire_context (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_name_t * /*src_name*/,
gss_name_t * /*targ_name*/,
OM_uint32 * /*lifetime_rec*/,
gss_OID * /*mech_type*/,
OM_uint32 * /*ctx_flags*/,
int * /*locally_initiated*/,
int * open_context );
OM_uint32
_gsskrb5_inquire_cred (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
gss_name_t * /*output_name*/,
OM_uint32 * /*lifetime*/,
gss_cred_usage_t * /*cred_usage*/,
gss_OID_set * mechanisms );
OM_uint32
_gsskrb5_inquire_cred_by_mech (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
const gss_OID /*mech_type*/,
gss_name_t * /*name*/,
OM_uint32 * /*initiator_lifetime*/,
OM_uint32 * /*acceptor_lifetime*/,
gss_cred_usage_t * cred_usage );
OM_uint32
_gsskrb5_inquire_cred_by_oid (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
const gss_OID /*desired_object*/,
gss_buffer_set_t */*data_set*/);
OM_uint32
_gsskrb5_inquire_mechs_for_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_OID_set * mech_types );
OM_uint32
_gsskrb5_inquire_names_for_mech (
OM_uint32 * /*minor_status*/,
const gss_OID /*mechanism*/,
gss_OID_set * name_types );
OM_uint32
_gsskrb5_inquire_sec_context_by_oid (
OM_uint32 */*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_OID /*desired_object*/,
gss_buffer_set_t */*data_set*/);
OM_uint32
_gsskrb5_krb5_ccache_name (
OM_uint32 */*minor_status*/,
const char */*name*/,
const char **/*out_name*/);
OM_uint32
_gsskrb5_lifetime_left (
OM_uint32 */*minor_status*/,
OM_uint32 /*lifetime*/,
OM_uint32 */*lifetime_rec*/);
void *
_gsskrb5_make_header (
void */*ptr*/,
size_t /*len*/,
const void */*type*/,
const gss_OID /*mech*/);
OM_uint32
_gsskrb5_process_context_token (
OM_uint32 */*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t token_buffer );
OM_uint32
_gsskrb5_register_acceptor_identity (const char */*identity*/);
OM_uint32
_gsskrb5_release_buffer (
OM_uint32 * /*minor_status*/,
gss_buffer_t buffer );
OM_uint32
_gsskrb5_release_cred (
OM_uint32 * /*minor_status*/,
gss_cred_id_t * cred_handle );
OM_uint32
_gsskrb5_release_name (
OM_uint32 * /*minor_status*/,
gss_name_t * input_name );
OM_uint32
_gsskrb5_release_oid_set (
OM_uint32 * /*minor_status*/,
gss_OID_set * set );
OM_uint32
_gsskrb5_seal (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
int /*qop_req*/,
gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t output_message_buffer );
OM_uint32
_gsskrb5_set_cred_option (
OM_uint32 */*minor_status*/,
gss_cred_id_t */*cred_handle*/,
const gss_OID /*desired_object*/,
const gss_buffer_t /*value*/);
void
_gsskrb5_set_error_string (void);
OM_uint32
_gsskrb5_set_sec_context_option (
OM_uint32 */*minor_status*/,
gss_ctx_id_t */*context_handle*/,
const gss_OID /*desired_object*/,
const gss_buffer_t /*value*/);
void
_gsskrb5_set_status (
const char */*fmt*/,
...);
OM_uint32
_gsskrb5_sign (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*qop_req*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t message_token );
OM_uint32
_gsskrb5_test_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member*/,
const gss_OID_set /*set*/,
int * present );
OM_uint32
_gsskrb5_unseal (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
int * qop_state );
OM_uint32
_gsskrb5_unwrap (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
gss_qop_t * qop_state );
OM_uint32
_gsskrb5_verify (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*token_buffer*/,
int * qop_state );
OM_uint32
_gsskrb5_verify_8003_checksum (
OM_uint32 */*minor_status*/,
const gss_channel_bindings_t /*input_chan_bindings*/,
const Checksum */*cksum*/,
OM_uint32 */*flags*/,
krb5_data */*fwd_data*/);
OM_uint32
_gsskrb5_verify_header (
u_char **/*str*/,
size_t /*total_len*/,
const void */*type*/,
gss_OID /*oid*/);
OM_uint32
_gsskrb5_verify_mic (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t * qop_state );
OM_uint32
_gsskrb5_verify_mic_internal (
OM_uint32 * /*minor_status*/,
const gsskrb5_ctx /*context_handle*/,
const gss_buffer_t /*message_buffer*/,
const gss_buffer_t /*token_buffer*/,
gss_qop_t * /*qop_state*/,
char * type );
OM_uint32
_gsskrb5_wrap (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
const gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t output_message_buffer );
OM_uint32
_gsskrb5_wrap_size_limit (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_qop_t /*qop_req*/,
OM_uint32 /*req_output_size*/,
OM_uint32 * max_input_size );
krb5_error_code
_gsskrb5cfx_max_wrap_length_cfx (
krb5_crypto /*crypto*/,
int /*conf_req_flag*/,
size_t /*input_length*/,
OM_uint32 */*output_length*/);
krb5_error_code
_gsskrb5cfx_wrap_length_cfx (
krb5_crypto /*crypto*/,
int /*conf_req_flag*/,
size_t /*input_length*/,
size_t */*output_length*/,
size_t */*cksumsize*/,
uint16_t */*padlength*/);
krb5_error_code
_gsskrb5i_address_to_krb5addr (
OM_uint32 /*gss_addr_type*/,
gss_buffer_desc */*gss_addr*/,
int16_t /*port*/,
krb5_address */*address*/);
krb5_error_code
_gsskrb5i_get_acceptor_subkey (
const gsskrb5_ctx /*ctx*/,
krb5_keyblock **/*key*/);
krb5_error_code
_gsskrb5i_get_initiator_subkey (
const gsskrb5_ctx /*ctx*/,
krb5_keyblock **/*key*/);
OM_uint32
_gsskrb5i_get_token_key (
const gsskrb5_ctx /*ctx*/,
krb5_keyblock **/*key*/);
void
_gsskrb5i_is_cfx (
gsskrb5_ctx /*ctx*/,
int */*is_cfx*/);
#endif /* __gsskrb5_private_h__ */

133
source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h Normal file
View File

@ -0,0 +1,133 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id: gsskrb5_locl.h,v 1.6 2006/10/07 22:14:49 lha Exp $ */
#ifndef GSSKRB5_LOCL_H
#define GSSKRB5_LOCL_H
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <krb5_locl.h>
#include <gssapi.h>
#include <gssapi_mech.h>
#include <assert.h>
#include "cfx.h"
/*
*
*/
struct gss_msg_order;
typedef struct {
struct krb5_auth_context_data *auth_context;
krb5_principal source, target;
OM_uint32 flags;
enum { LOCAL = 1, OPEN = 2,
COMPAT_OLD_DES3 = 4,
COMPAT_OLD_DES3_SELECTED = 8,
ACCEPTOR_SUBKEY = 16
} more_flags;
enum gss_ctx_id_t_state {
/* initiator states */
INITIATOR_START,
INITIATOR_WAIT_FOR_MUTAL,
INITIATOR_READY,
/* acceptor states */
ACCEPTOR_START,
ACCEPTOR_WAIT_FOR_DCESTYLE,
ACCEPTOR_READY
} state;
struct krb5_ticket *ticket;
OM_uint32 lifetime;
HEIMDAL_MUTEX ctx_id_mutex;
struct gss_msg_order *order;
krb5_keyblock *service_keyblock;
krb5_data fwd_data;
} *gsskrb5_ctx;
typedef struct {
krb5_principal principal;
int cred_flags;
#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
struct krb5_keytab_data *keytab;
OM_uint32 lifetime;
gss_cred_usage_t usage;
gss_OID_set mechanisms;
struct krb5_ccache_data *ccache;
HEIMDAL_MUTEX cred_id_mutex;
} *gsskrb5_cred;
typedef struct Principal *gsskrb5_name;
/*
*
*/
extern krb5_context _gsskrb5_context;
extern krb5_keytab _gsskrb5_keytab;
extern HEIMDAL_MUTEX gssapi_keytab_mutex;
struct gssapi_thr_context {
HEIMDAL_MUTEX mutex;
char *error_string;
};
/*
* Prototypes
*/
#include <krb5/gsskrb5-private.h>
#define GSSAPI_KRB5_INIT() do { \
krb5_error_code kret_gss_init; \
if((kret_gss_init = _gsskrb5_init ()) != 0) { \
*minor_status = kret_gss_init; \
return GSS_S_FAILURE; \
} \
} while (0)
/* sec_context flags */
#define SC_LOCAL_ADDRESS 0x01
#define SC_REMOTE_ADDRESS 0x02
#define SC_KEYBLOCK 0x04
#define SC_LOCAL_SUBKEY 0x08
#define SC_REMOTE_SUBKEY 0x10
#endif

63
source4/heimdal/lib/gssapi/import_name.c → source4/heimdal/lib/gssapi/krb5/import_name.c
View File

@ -31,30 +31,31 @@
* SUCH DAMAGE.
*/
#include "gssapi_locl.h"
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: import_name.c,v 1.14 2006/02/15 11:59:10 lha Exp $");
RCSID("$Id: import_name.c,v 1.17 2006/10/07 22:14:51 lha Exp $");
static OM_uint32
parse_krb5_name (OM_uint32 *minor_status,
const char *name,
gss_name_t *output_name)
{
krb5_principal princ;
krb5_error_code kerr;
kerr = krb5_parse_name (gssapi_krb5_context, name, output_name);
kerr = krb5_parse_name (_gsskrb5_context, name, &princ);
if (kerr == 0)
if (kerr == 0) {
*output_name = (gss_name_t)princ;
return GSS_S_COMPLETE;
else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
gssapi_krb5_set_error_string ();
*minor_status = kerr;
return GSS_S_BAD_NAME;
} else {
gssapi_krb5_set_error_string ();
*minor_status = kerr;
return GSS_S_FAILURE;
}
_gsskrb5_set_error_string ();
*minor_status = kerr;
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
return GSS_S_BAD_NAME;
return GSS_S_FAILURE;
}
static OM_uint32
@ -91,8 +92,7 @@ import_hostbased_name (OM_uint32 *minor_status,
char *p;
char *host;
char local_hostname[MAXHOSTNAMELEN];
*output_name = NULL;
krb5_principal princ = NULL;
tmp = malloc (input_name_buffer->length + 1);
if (tmp == NULL) {
@ -117,24 +117,24 @@ import_hostbased_name (OM_uint32 *minor_status,
host = local_hostname;
}
kerr = krb5_sname_to_principal (gssapi_krb5_context,
kerr = krb5_sname_to_principal (_gsskrb5_context,
host,
tmp,
KRB5_NT_SRV_HST,
output_name);
&princ);
free (tmp);
*minor_status = kerr;
if (kerr == 0)
if (kerr == 0) {
*output_name = (gss_name_t)princ;
return GSS_S_COMPLETE;
else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
gssapi_krb5_set_error_string ();
*minor_status = kerr;
return GSS_S_BAD_NAME;
} else {
gssapi_krb5_set_error_string ();
*minor_status = kerr;
return GSS_S_FAILURE;
}
_gsskrb5_set_error_string ();
*minor_status = kerr;
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
return GSS_S_BAD_NAME;
return GSS_S_FAILURE;
}
static OM_uint32
@ -184,18 +184,7 @@ import_export_name (OM_uint32 *minor_status,
return ret;
}
int
gss_oid_equal(const gss_OID a, const gss_OID b)
{
if (a == b)
return 1;
else if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length)
return 0;
else
return memcmp(a->elements, b->elements, a->length) == 0;
}
OM_uint32 gss_import_name
OM_uint32 _gsskrb5_import_name
(OM_uint32 * minor_status,
const gss_buffer_t input_name_buffer,
const gss_OID input_name_type,

229
source4/heimdal/lib/gssapi/krb5/import_sec_context.c Normal file
View File

@ -0,0 +1,229 @@
/*
* Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: import_sec_context.c,v 1.17 2006/10/07 22:14:53 lha Exp $");
OM_uint32
_gsskrb5_import_sec_context (
OM_uint32 * minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t * context_handle
)
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_error_code kret;
krb5_storage *sp;
krb5_auth_context ac;
krb5_address local, remote;
krb5_address *localp, *remotep;
krb5_data data;
gss_buffer_desc buffer;
krb5_keyblock keyblock;
int32_t tmp;
int32_t flags;
gsskrb5_ctx ctx;
gss_name_t name;
GSSAPI_KRB5_INIT ();
*context_handle = GSS_C_NO_CONTEXT;
localp = remotep = NULL;
sp = krb5_storage_from_mem (interprocess_token->value,
interprocess_token->length);
if (sp == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ctx = calloc(1, sizeof(*ctx));
if (ctx == NULL) {
*minor_status = ENOMEM;
krb5_storage_free (sp);
return GSS_S_FAILURE;
}
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (_gsskrb5_context,
&ctx->auth_context);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
/* flags */
*minor_status = 0;
if (krb5_ret_int32 (sp, &flags) != 0)
goto failure;
/* retrieve the auth context */
ac = ctx->auth_context;
if (krb5_ret_uint32 (sp, &ac->flags) != 0)
goto failure;
if (flags & SC_LOCAL_ADDRESS) {
if (krb5_ret_address (sp, localp = &local) != 0)
goto failure;
}
if (flags & SC_REMOTE_ADDRESS) {
if (krb5_ret_address (sp, remotep = &remote) != 0)
goto failure;
}
krb5_auth_con_setaddrs (_gsskrb5_context, ac, localp, remotep);
if (localp)
krb5_free_address (_gsskrb5_context, localp);
if (remotep)
krb5_free_address (_gsskrb5_context, remotep);
localp = remotep = NULL;
if (krb5_ret_int16 (sp, &ac->local_port) != 0)
goto failure;
if (krb5_ret_int16 (sp, &ac->remote_port) != 0)
goto failure;
if (flags & SC_KEYBLOCK) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
}
if (flags & SC_LOCAL_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setlocalsubkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
}
if (flags & SC_REMOTE_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setremotesubkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
}
if (krb5_ret_uint32 (sp, &ac->local_seqnumber))
goto failure;
if (krb5_ret_uint32 (sp, &ac->remote_seqnumber))
goto failure;
if (krb5_ret_int32 (sp, &tmp) != 0)
goto failure;
ac->keytype = tmp;
if (krb5_ret_int32 (sp, &tmp) != 0)
goto failure;
ac->cksumtype = tmp;
/* names */
if (krb5_ret_data (sp, &data))
goto failure;
buffer.value = data.data;
buffer.length = data.length;
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&name);
if (ret) {
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
&name);
if (ret) {
krb5_data_free (&data);
goto failure;
}
}
ctx->source = (krb5_principal)name;
krb5_data_free (&data);
if (krb5_ret_data (sp, &data) != 0)
goto failure;
buffer.value = data.data;
buffer.length = data.length;
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&name);
if (ret) {
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
&name);
if (ret) {
krb5_data_free (&data);
goto failure;
}
}
ctx->target = (krb5_principal)name;
krb5_data_free (&data);
if (krb5_ret_int32 (sp, &tmp))
goto failure;
ctx->flags = tmp;
if (krb5_ret_int32 (sp, &tmp))
goto failure;
ctx->more_flags = tmp;
if (krb5_ret_int32 (sp, &tmp))
goto failure;
ctx->lifetime = tmp;
ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
if (ret)
goto failure;
krb5_storage_free (sp);
*context_handle = (gss_ctx_id_t)ctx;
return GSS_S_COMPLETE;
failure:
krb5_auth_con_free (_gsskrb5_context,
ctx->auth_context);
if (ctx->source != NULL)
krb5_free_principal(_gsskrb5_context, ctx->source);
if (ctx->target != NULL)
krb5_free_principal(_gsskrb5_context, ctx->target);
if (localp)
krb5_free_address (_gsskrb5_context, localp);
if (remotep)
krb5_free_address (_gsskrb5_context, remotep);
if(ctx->order)
_gssapi_msg_order_destroy(&ctx->order);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
krb5_storage_free (sp);
free (ctx);
*context_handle = GSS_C_NO_CONTEXT;
return ret;
}

58
source4/heimdal/lib/gssapi/krb5/indicate_mechs.c Normal file
View File

@ -0,0 +1,58 @@
/*
* Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: indicate_mechs.c,v 1.9 2006/10/07 22:14:56 lha Exp $");
OM_uint32 _gsskrb5_indicate_mechs
(OM_uint32 * minor_status,
gss_OID_set * mech_set
)
{
OM_uint32 ret, junk;
ret = _gsskrb5_create_empty_oid_set(minor_status, mech_set);
if (ret)
return ret;
ret = _gsskrb5_add_oid_set_member(minor_status,
GSS_KRB5_MECHANISM, mech_set);
if (ret) {
_gsskrb5_release_oid_set(&junk, mech_set);
return ret;
}
*minor_status = 0;
return GSS_S_COMPLETE;
}

Some files were not shown because too many files have changed in this diff Show More