
heimdal: update to lorikeet-heimdal rev 801

metze
This commit is contained in:
Stefan Metzmacher 2008-08-01 07:08:51 +02:00
parent 8bd30a7b43
commit d6c54a66fb
233 changed files with 10213 additions and 3600 deletions


@ -1,6 +1,19 @@
This directory contains a copy of portions of a project known as
'lorikeet-heimdal', a branch of the Heimdal Kerberos distribution.
$Id: README 8839 2000-07-27 02:33:54Z assar $
The purpose of these files is to provide kerberos support to Samba4 in
a predicatable manner, without reliance on the system kerberos
libraries.
Heimdal is a Kerberos 5 implementation.
Please see the manual in doc, by default installed in
/usr/heimdal/info/heimdal.info for information on how to install.
There are also briefer man pages for most of the commands.
Bug reports and bugs are appreciated, see more under Bug reports in
the manual on how we prefer them.
For more information see the web-page at
<http://www.pdc.kth.se/heimdal/> or the mailing lists:
heimdal-announce@sics.se low-volume announcement
heimdal-discuss@sics.se high-volume discussion
send a mail to heimdal-announce-request@sics.se and
heimdal-discuss-request@sics.se respectively to subscribe.


@ -1,4 +1,4 @@
dnl $Id: check-var.m4,v 1.12 2005/06/16 18:59:10 lha Exp $
dnl $Id: check-var.m4 15422 2005-06-16 18:59:29Z lha $
dnl
dnl rk_CHECK_VAR(variable, includes)
AC_DEFUN([rk_CHECK_VAR], [
@ -23,4 +23,5 @@ if test "$ac_foo" = yes; then
fi
])
dnl AC_WARNING_ENABLE([obsolete])
AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo])


@ -1,4 +1,4 @@
dnl $Id: find-func-no-libs.m4,v 1.6 2004/02/12 14:20:45 lha Exp $
dnl $Id: find-func-no-libs.m4 13338 2004-02-12 14:21:14Z lha $
dnl
dnl
dnl Look for function in any of the specified libraries


@ -1,4 +1,4 @@
dnl $Id: find-func-no-libs2.m4,v 1.9 2004/08/26 12:35:42 joda Exp $
dnl $Id: find-func-no-libs2.m4 14166 2004-08-26 12:35:42Z joda $
dnl
dnl
dnl Look for function in any of the specified libraries


@ -1,4 +1,4 @@
dnl $Id: find-func.m4,v 1.2 2004/02/12 14:20:47 lha Exp $
dnl $Id: find-func.m4 13338 2004-02-12 14:21:14Z lha $
dnl
dnl AC_FIND_FUNC(func, libraries, includes, arguments)
AC_DEFUN([AC_FIND_FUNC], [


@ -1,6 +1,6 @@
dnl stuff used by DNS resolv code in roken
dnl
dnl $Id: resolv.m4,v 1.1 2005/09/02 10:17:38 lha Exp $
dnl $Id: resolv.m4 16009 2005-09-02 10:17:38Z lha $
dnl
AC_DEFUN([rk_RESOLV],[


@ -36,7 +36,7 @@
#include <getarg.h>
#include <parse_bytes.h>
RCSID("$Id: default_config.c 21405 2007-07-04 10:35:45Z lha $");
RCSID("$Id: default_config.c 23316 2008-06-23 04:32:32Z lha $");
krb5_error_code
krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
@ -45,7 +45,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c = calloc(1, sizeof(*c));
if (c == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}


@ -34,7 +34,7 @@
#include "kdc_locl.h"
#include <hex.h>
RCSID("$Id: digest.c 22374 2007-12-28 18:36:52Z lha $");
RCSID("$Id: digest.c 23316 2008-06-23 04:32:32Z lha $");
#define MS_CHAP_V2 0x20
#define CHAP_MD5 0x10
@ -186,7 +186,7 @@ get_password_entry(krb5_context context,
if (ret || password == NULL) {
if (ret == 0) {
ret = EINVAL;
krb5_set_error_string(context, "password missing");
krb5_set_error_message(context, ret, "password missing");
}
memset(user, 0, sizeof(*user));
}
@ -263,7 +263,7 @@ _kdc_do_digest(krb5_context context,
goto out;
ret = EINVAL;
krb5_set_error_string(context, "Wrong digest server principal used");
krb5_set_error_message(context, ret, "Wrong digest server principal used");
p = krb5_principal_get_comp_string(context, principal, 0);
if (p == NULL) {
krb5_free_principal(context, principal);
@ -323,9 +323,9 @@ _kdc_do_digest(krb5_context context,
"Client %s tried to use digest "
"but is not allowed to",
client_name);
krb5_set_error_string(context,
"Client is not permitted to use digest");
ret = KRB5KDC_ERR_POLICY;
krb5_set_error_message(context, ret,
"Client is not permitted to use digest");
goto out;
}
}
@ -338,8 +338,8 @@ _kdc_do_digest(krb5_context context,
if (ret)
goto out;
if (key == NULL) {
krb5_set_error_string(context, "digest: remote subkey not found");
ret = EINVAL;
krb5_set_error_message(context, ret, "digest: remote subkey not found");
goto out;
}
@ -359,7 +359,7 @@ _kdc_do_digest(krb5_context context,
ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL);
krb5_data_free(&buf);
if (ret) {
krb5_set_error_string(context, "Failed to decode digest inner request");
krb5_set_error_message(context, ret, "Failed to decode digest inner request");
goto out;
}
@ -386,15 +386,15 @@ _kdc_do_digest(krb5_context context,
hex_encode(server_nonce, sizeof(server_nonce), &r.u.initReply.nonce);
if (r.u.initReply.nonce == NULL) {
krb5_set_error_string(context, "Failed to decode server nonce");
ret = ENOMEM;
krb5_set_error_message(context, ret, "Failed to decode server nonce");
goto out;
}
sp = krb5_storage_emem();
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = krb5_store_stringz(sp, ireq.u.init.type);
@ -410,9 +410,9 @@ _kdc_do_digest(krb5_context context,
ireq.u.init.channel->cb_type,
ireq.u.init.channel->cb_binding);
if (s == NULL) {
krb5_set_error_string(context, "Failed to allocate "
"channel binding");
ret = ENOMEM;
krb5_set_error_message(context, ret,
"Failed to allocate channel binding");
goto out;
}
free(r.u.initReply.nonce);
@ -429,15 +429,15 @@ _kdc_do_digest(krb5_context context,
r.u.initReply.identifier =
malloc(sizeof(*r.u.initReply.identifier));
if (r.u.initReply.identifier == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
asprintf(r.u.initReply.identifier, "%02X", identifier & 0xff);
if (*r.u.initReply.identifier == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
@ -478,7 +478,7 @@ _kdc_do_digest(krb5_context context,
ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret);
free_Checksum(&res);
if (ret) {
krb5_set_error_string(context, "Failed to encode "
krb5_set_error_message(context, ret, "Failed to encode "
"checksum in digest request");
goto out;
}
@ -502,7 +502,7 @@ _kdc_do_digest(krb5_context context,
sp = krb5_storage_emem();
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = krb5_store_stringz(sp, ireq.u.digestRequest.type);
@ -524,15 +524,15 @@ _kdc_do_digest(krb5_context context,
buf.length = strlen(ireq.u.digestRequest.opaque);
buf.data = malloc(buf.length);
if (buf.data == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = hex_decode(ireq.u.digestRequest.opaque, buf.data, buf.length);
if (ret <= 0) {
krb5_set_error_string(context, "Failed to decode opaque");
ret = ENOMEM;
krb5_set_error_message(context, ret, "Failed to decode opaque");
goto out;
}
buf.length = ret;
@ -540,7 +540,7 @@ _kdc_do_digest(krb5_context context,
ret = decode_Checksum(buf.data, buf.length, &res, NULL);
free(buf.data);
if (ret) {
krb5_set_error_string(context, "Failed to decode digest Checksum");
krb5_set_error_message(context, ret, "Failed to decode digest Checksum");
goto out;
}
@ -553,8 +553,8 @@ _kdc_do_digest(krb5_context context,
serverNonce.length = strlen(ireq.u.digestRequest.serverNonce);
serverNonce.data = malloc(serverNonce.length);
if (serverNonce.data == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
@ -568,8 +568,8 @@ _kdc_do_digest(krb5_context context,
ssize = hex_decode(ireq.u.digestRequest.serverNonce,
serverNonce.data, serverNonce.length);
if (ssize <= 0) {
krb5_set_error_string(context, "Failed to decode serverNonce");
ret = ENOMEM;
krb5_set_error_message(context, ret, "Failed to decode serverNonce");
goto out;
}
serverNonce.length = ssize;
@ -593,15 +593,15 @@ _kdc_do_digest(krb5_context context,
uint32_t t;
if (serverNonce.length < 4) {
krb5_set_error_string(context, "server nonce too short");
ret = EINVAL;
krb5_set_error_message(context, ret, "server nonce too short");
goto out;
}
t = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
if (abs((kdc_time & 0xffffffff) - t) > context->max_skew) {
krb5_set_error_string(context, "time screw in server nonce ");
ret = EINVAL;
krb5_set_error_message(context, ret, "time screw in server nonce ");
goto out;
}
}
@ -618,15 +618,15 @@ _kdc_do_digest(krb5_context context,
}
if (ireq.u.digestRequest.identifier == NULL) {
krb5_set_error_string(context, "Identifier missing "
"from CHAP request");
ret = EINVAL;
krb5_set_error_message(context, ret, "Identifier missing "
"from CHAP request");
goto out;
}
if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
krb5_set_error_string(context, "failed to decode identifier");
ret = EINVAL;
krb5_set_error_message(context, ret, "failed to decode identifier");
goto out;
}
@ -714,8 +714,8 @@ _kdc_do_digest(krb5_context context,
MD5_Final(md, &ctx);
hex_encode(md, sizeof(md), &A1);
if (A1 == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto failed;
}
@ -733,8 +733,8 @@ _kdc_do_digest(krb5_context context,
MD5_Final(md, &ctx);
hex_encode(md, sizeof(md), &A2);
if (A2 == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
free(A1);
goto failed;
}
@ -795,15 +795,15 @@ _kdc_do_digest(krb5_context context,
}
if (ireq.u.digestRequest.clientNonce == NULL) {
krb5_set_error_string(context,
"MS-CHAP-V2 clientNonce missing");
ret = EINVAL;
krb5_set_error_message(context, ret,
"MS-CHAP-V2 clientNonce missing");
goto failed;
}
if (serverNonce.length != 16) {
krb5_set_error_string(context,
"MS-CHAP-V2 serverNonce wrong length");
ret = EINVAL;
krb5_set_error_message(context, ret,
"MS-CHAP-V2 serverNonce wrong length");
goto failed;
}
@ -824,16 +824,16 @@ _kdc_do_digest(krb5_context context,
clientNonce.data = malloc(clientNonce.length);
if (clientNonce.data == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ssize = hex_decode(*ireq.u.digestRequest.clientNonce,
clientNonce.data, clientNonce.length);
if (ssize != 16) {
krb5_set_error_string(context,
"Failed to decode clientNonce");
ret = ENOMEM;
krb5_set_error_message(context, ret,
"Failed to decode clientNonce");
goto out;
}
SHA1_Update(&ctx, clientNonce.data, ssize);
@ -852,7 +852,7 @@ _kdc_do_digest(krb5_context context,
HDB_F_GET_CLIENT, NULL, &user);
krb5_free_principal(context, clientprincipal);
if (ret) {
krb5_set_error_string(context,
krb5_set_error_message(context, ret,
"MS-CHAP-V2 user %s not in database",
username);
goto failed;
@ -861,7 +861,7 @@ _kdc_do_digest(krb5_context context,
ret = hdb_enctype2key(context, &user->entry,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_string(context,
krb5_set_error_message(context, ret,
"MS-CHAP-V2 missing arcfour key %s",
username);
goto failed;
@ -872,7 +872,7 @@ _kdc_do_digest(krb5_context context,
key->key.keyvalue.length,
challange, &answer);
if (ret) {
krb5_set_error_string(context, "NTLM missing arcfour key");
krb5_set_error_message(context, ret, "NTLM missing arcfour key");
goto failed;
}
@ -967,8 +967,8 @@ _kdc_do_digest(krb5_context context,
asprintf(&r.u.error.reason, "Unsupported digest type %s",
ireq.u.digestRequest.type);
if (r.u.error.reason == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
r.u.error.code = EINVAL;
@ -1021,29 +1021,29 @@ _kdc_do_digest(krb5_context context,
r.u.ntlmInitReply.targetname =
get_ntlm_targetname(context, client);
if (r.u.ntlmInitReply.targetname == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
r.u.ntlmInitReply.challange.data = malloc(8);
if (r.u.ntlmInitReply.challange.data == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
r.u.ntlmInitReply.challange.length = 8;
if (RAND_bytes(r.u.ntlmInitReply.challange.data,
r.u.ntlmInitReply.challange.length) != 1)
{
krb5_set_error_string(context, "out of random error");
ret = ENOMEM;
krb5_set_error_message(context, ret, "out of random error");
goto out;
}
/* XXX fix targetinfo */
ALLOC(r.u.ntlmInitReply.targetinfo);
if (r.u.ntlmInitReply.targetinfo == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
@ -1052,8 +1052,8 @@ _kdc_do_digest(krb5_context context,
client,
r.u.ntlmInitReply.targetinfo);
if (ret) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
@ -1064,14 +1064,14 @@ _kdc_do_digest(krb5_context context,
sp = krb5_storage_emem();
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = krb5_storage_write(sp, r.u.ntlmInitReply.challange.data, 8);
if (ret != 8) {
ret = ENOMEM;
krb5_set_error_string(context, "storage write challange");
krb5_set_error_message(context, ret, "storage write challange");
goto out;
}
ret = krb5_store_uint32(sp, r.u.ntlmInitReply.flags);
@ -1127,7 +1127,7 @@ _kdc_do_digest(krb5_context context,
HDB_F_GET_CLIENT, NULL, &user);
krb5_free_principal(context, clientprincipal);
if (ret) {
krb5_set_error_string(context, "NTLM user %s not in database",
krb5_set_error_message(context, ret, "NTLM user %s not in database",
ireq.u.ntlmRequest.username);
goto failed;
}
@ -1150,33 +1150,33 @@ _kdc_do_digest(krb5_context context,
sp = krb5_storage_from_data(&buf);
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = krb5_storage_read(sp, challange, sizeof(challange));
if (ret != sizeof(challange)) {
krb5_set_error_string(context, "NTLM storage read challange");
ret = ENOMEM;
krb5_set_error_message(context, ret, "NTLM storage read challange");
goto out;
}
ret = krb5_ret_uint32(sp, &flags);
if (ret) {
krb5_set_error_string(context, "NTLM storage read flags");
krb5_set_error_message(context, ret, "NTLM storage read flags");
goto out;
}
krb5_data_free(&buf);
if ((flags & NTLM_NEG_NTLM) == 0) {
ret = EINVAL;
krb5_set_error_string(context, "NTLM not negotiated");
krb5_set_error_message(context, ret, "NTLM not negotiated");
goto out;
}
ret = hdb_enctype2key(context, &user->entry,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_string(context, "NTLM missing arcfour key");
krb5_set_error_message(context, ret, "NTLM missing arcfour key");
goto out;
}
@ -1194,8 +1194,8 @@ _kdc_do_digest(krb5_context context,
targetname = get_ntlm_targetname(context, client);
if (targetname == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
@ -1213,7 +1213,7 @@ _kdc_do_digest(krb5_context context,
sessionkey);
free(targetname);
if (ret) {
krb5_set_error_string(context, "NTLM v2 verify failed");
krb5_set_error_message(context, ret, "NTLM v2 verify failed");
goto failed;
}
@ -1238,9 +1238,9 @@ _kdc_do_digest(krb5_context context,
}
if (ireq.u.ntlmRequest.lm.length != 24) {
krb5_set_error_string(context, "LM hash have wrong length "
"for NTLM session key");
ret = EINVAL;
krb5_set_error_message(context, ret, "LM hash have wrong length "
"for NTLM session key");
goto failed;
}
@ -1260,7 +1260,7 @@ _kdc_do_digest(krb5_context context,
key->key.keyvalue.length,
challange, &answer);
if (ret) {
krb5_set_error_string(context, "NTLM missing arcfour key");
krb5_set_error_message(context, ret, "NTLM missing arcfour key");
goto failed;
}
@ -1269,7 +1269,7 @@ _kdc_do_digest(krb5_context context,
{
free(answer.data);
ret = EINVAL;
krb5_set_error_string(context, "NTLM hash mismatch");
krb5_set_error_message(context, ret, "NTLM hash mismatch");
goto failed;
}
free(answer.data);
@ -1290,16 +1290,17 @@ _kdc_do_digest(krb5_context context,
size_t len;
if ((flags & NTLM_NEG_KEYEX) == 0) {
krb5_set_error_string(context,
ret = EINVAL;
krb5_set_error_message(context, ret,
"NTLM client failed to neg key "
"exchange but still sent key");
ret = EINVAL;
goto failed;
}
len = ireq.u.ntlmRequest.sessionkey->length;
if (len != sizeof(masterkey)){
krb5_set_error_string(context,
ret = EINVAL;
krb5_set_error_message(context, ret,
"NTLM master key wrong length: %lu",
(unsigned long)len);
goto failed;
@ -1315,14 +1316,15 @@ _kdc_do_digest(krb5_context context,
r.u.ntlmResponse.sessionkey =
malloc(sizeof(*r.u.ntlmResponse.sessionkey));
if (r.u.ntlmResponse.sessionkey == NULL) {
krb5_set_error_string(context, "out of memory");
ret = EINVAL;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = krb5_data_copy(r.u.ntlmResponse.sessionkey,
masterkey, sizeof(masterkey));
if (ret) {
krb5_set_error_string(context, "out of memory");
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
}
@ -1354,9 +1356,9 @@ _kdc_do_digest(krb5_context context,
break;
default: {
char *s;
krb5_set_error_string(context, "unknown operation to digest");
const char *s;
ret = EINVAL;
krb5_set_error_message(context, ret, "unknown operation to digest");
failed:
@ -1370,10 +1372,10 @@ _kdc_do_digest(krb5_context context,
r.element = choice_DigestRepInner_error;
r.u.error.reason = strdup("unknown error");
krb5_free_error_string(context, s);
krb5_free_error_message(context, s);
if (r.u.error.reason == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
r.u.error.code = EINVAL;
@ -1383,7 +1385,7 @@ _kdc_do_digest(krb5_context context,
ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret);
if (ret) {
krb5_set_error_string(context, "Failed to encode inner digest reply");
krb5_set_error_message(context, ret, "Failed to encode inner digest reply");
goto out;
}
if (size != buf.length)
@ -1414,14 +1416,14 @@ _kdc_do_digest(krb5_context context,
ASN1_MALLOC_ENCODE(DigestREP, reply->data, reply->length, &rep, &size, ret);
if (ret) {
krb5_set_error_string(context, "Failed to encode digest reply");
krb5_set_error_message(context, ret, "Failed to encode digest reply");
goto out;
}
if (size != reply->length)
krb5_abortx(context, "ASN1 internal error");
out:
out:
if (ac)
krb5_auth_con_free(context, ac);
if (ret)
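Review bot: In the @@ -1315 hunk the allocation-failure branch for r.u.ntlmResponse.sessionkey passes EINVAL as the code to the new krb5_set_error_message call while the message reads "malloc: out of memory"; now that the code is part of the recorded error the mismatch is visible to callers, so the context line should become `ret = ENOMEM;`. The opposite mismatch appears in the @@ -524, @@ -568, @@ -824 and @@ -1021 hunks, where a hex_decode failure ("Failed to decode opaque", "Failed to decode serverNonce", "Failed to decode clientNonce") or a RAND_bytes failure ("out of random error") is recorded as ENOMEM, which misreports a malformed request or RNG fault as memory exhaustion; the "server nonce too short" branch in the same function already uses EINVAL for input errors and is the pattern to follow. _kdc_do_digest begins before and ends after these hunks.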


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: kaserver.c 21654 2007-07-21 17:30:18Z lha $");
RCSID("$Id: kaserver.c 23110 2008-04-27 18:51:17Z lha $");
#include <krb5-v4compat.h>
#include <rx.h>
@ -366,7 +366,7 @@ create_reply_ticket (krb5_context context,
DES_cblock deskey;
memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
DES_pcbc_encrypt (enc_data.data,
enc_data.data,
enc_data.length,
@ -524,7 +524,7 @@ do_authenticate (krb5_context context,
/* try to decode the `request' */
memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
DES_set_key (&key, &schedule);
DES_set_key_unchecked (&key, &schedule);
DES_pcbc_encrypt (request.data,
request.data,
request.length,
@ -801,7 +801,7 @@ do_getticket (krb5_context context,
/* decrypt the times */
memcpy(&session, ad.session.keyvalue.data, sizeof(session));
DES_set_key (&session, &schedule);
DES_set_key_unchecked (&session, &schedule);
DES_ecb_encrypt (times.data,
times.data,
&schedule,
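Review bot: DES_set_key_unchecked at the three replaced call sites (create_reply_ticket, do_authenticate, do_getticket) performs no parity or weak-key check, whereas DES_set_key can reject such keys; since the old return value was discarded at each site the runtime behaviour is presumably unchanged, but the decision to skip the check is now silent. A one-line comment at each call, e.g. `/* parity/weak-key check deliberately skipped: key is taken verbatim from the stored entry / ticket session key */`, would record why the unchecked variant is acceptable for that key source, and if weak keys should instead be refused, DES_is_weak_key() on the cblock before scheduling is the check to add. All three enclosing functions start and end outside their hunks.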


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: kerberos5.c 22071 2007-11-14 20:04:50Z lha $");
RCSID("$Id: kerberos5.c 23316 2008-06-23 04:32:32Z lha $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@ -1648,7 +1648,7 @@ _kdc_as_rep(krb5_context context,
memset(&canon, 0, sizeof(canon));
canon.names.requested_name = *b->cname;
canon.names.real_name = client->entry.principal->name;
canon.names.mapped_name = client->entry.principal->name;
ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
&canon.names, &len, ret);
@ -1807,7 +1807,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
if (tkt->authorization_data == NULL) {
tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
if (tkt->authorization_data == NULL) {
krb5_set_error_string(context, "out of memory");
krb5_set_error_message(context, ENOMEM, "out of memory");
return ENOMEM;
}
}
@ -1822,7 +1822,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
ret = add_AuthorizationData(&ad, &ade);
if (ret) {
krb5_set_error_string(context, "add AuthorizationData failed");
krb5_set_error_message(context, ret, "add AuthorizationData failed");
return ret;
}
@ -1833,7 +1833,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
&ad, &size, ret);
free_AuthorizationData(&ad);
if (ret) {
krb5_set_error_string(context, "ASN.1 encode of "
krb5_set_error_message(context, ret, "ASN.1 encode of "
"AuthorizationData failed");
return ret;
}
@ -1843,7 +1843,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
ret = add_AuthorizationData(tkt->authorization_data, &ade);
der_free_octet_string(&ade.ad_data);
if (ret) {
krb5_set_error_string(context, "add AuthorizationData failed");
krb5_set_error_message(context, ret, "add AuthorizationData failed");
return ret;
}
}


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
* Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: krb5tgs.c 22071 2007-11-14 20:04:50Z lha $");
RCSID("$Id: krb5tgs.c 23316 2008-06-23 04:32:32Z lha $");
/*
* return the realm of a krbtgt-ticket or NULL
@ -80,7 +80,7 @@ find_KRB5SignedPath(krb5_context context,
&child,
NULL);
if (ret) {
krb5_set_error_string(context, "Failed to decode "
krb5_set_error_message(context, ret, "Failed to decode "
"IF_RELEVANT with %d", ret);
return ret;
}
@ -187,12 +187,13 @@ check_KRB5SignedPath(krb5_context context,
hdb_entry_ex *krbtgt,
EncTicketPart *tkt,
KRB5SignedPathPrincipals **delegated,
int require_signedpath)
int *signedpath)
{
krb5_error_code ret;
krb5_data data;
krb5_crypto crypto = NULL;
if (delegated)
*delegated = NULL;
ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
@ -246,7 +247,7 @@ check_KRB5SignedPath(krb5_context context,
return ret;
}
if (sp.delegated) {
if (delegated && sp.delegated) {
*delegated = malloc(sizeof(*sp.delegated));
if (*delegated == NULL) {
@ -264,9 +265,7 @@ check_KRB5SignedPath(krb5_context context,
}
free_KRB5SignedPath(&sp);
} else {
if (require_signedpath)
return KRB5KDC_ERR_BADOPTION;
*signedpath = 1;
}
return 0;
@ -286,7 +285,7 @@ check_PAC(krb5_context context,
const EncryptionKey *krbtgt_key,
EncTicketPart *tkt,
krb5_data *rspac,
int *require_signedpath)
int *signedpath)
{
AuthorizationData *ad = tkt->authorization_data;
unsigned i, j;
@ -306,7 +305,7 @@ check_PAC(krb5_context context,
&child,
NULL);
if (ret) {
krb5_set_error_string(context, "Failed to decode "
krb5_set_error_message(context, ret, "Failed to decode "
"IF_RELEVANT with %d", ret);
return ret;
}
@ -338,7 +337,7 @@ check_PAC(krb5_context context,
krb5_pac_free(context, pac);
return ret;
}
*require_signedpath = 0;
*signedpath = 1;
ret = _krb5_pac_sign(context, pac, tkt->authtime,
client_principal,
@ -554,7 +553,7 @@ fix_transited_encoding(krb5_context context,
{
krb5_error_code ret = 0;
char **realms, **tmp;
int num_realms;
unsigned int num_realms;
int i;
switch (tr->tr_type) {
@ -589,7 +588,7 @@ fix_transited_encoding(krb5_context context,
}
if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
/* not us, so add the previous realm to transited set */
if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
ret = ERANGE;
goto free_realms;
}
@ -670,6 +669,7 @@ tgs_make_reply(krb5_context context,
krb5_enctype krbtgt_etype,
KRB5SignedPathPrincipals *spp,
const krb5_data *rspac,
const METHOD_DATA *enc_pa_data,
const char **e_text,
krb5_data *reply)
{
@ -874,6 +874,17 @@ tgs_make_reply(krb5_context context,
}
}
if (enc_pa_data->len) {
rep.padata = calloc(1, sizeof(*rep.padata));
if (rep.padata == NULL) {
ret = ENOMEM;
goto out;
}
ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
if (ret)
goto out;
}
/* It is somewhat unclear where the etype in the following
encryption should come from. What we have is a session
key in the passed tgt, and a list of preferred etypes
@ -1000,14 +1011,25 @@ find_rpath(krb5_context context, Realm crealm, Realm srealm)
static krb5_boolean
need_referral(krb5_context context, krb5_principal server, krb5_realm **realms)
need_referral(krb5_context context, krb5_kdc_configuration *config,
const KDCOptions * const options, krb5_principal server,
krb5_realm **realms)
{
if(server->name.name_type != KRB5_NT_SRV_INST ||
server->name.name_string.len != 2)
const char *name;
if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
return FALSE;
return _krb5_get_host_realm_int(context, server->name.name_string.val[1],
FALSE, realms) == 0;
if (server->name.name_string.len == 1)
name = server->name.name_string.val[0];
if (server->name.name_string.len > 1)
name = server->name.name_string.val[1];
else
return FALSE;
kdc_log(context, config, 0, "Searching referral for %s", name);
return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
}
static krb5_error_code
@ -1242,6 +1264,84 @@ out:
return ret;
}
static krb5_error_code
build_server_referral(krb5_context context,
krb5_kdc_configuration *config,
krb5_crypto session,
krb5_const_realm referred_realm,
const PrincipalName *true_principal_name,
const PrincipalName *requested_principal,
krb5_data *outdata)
{
PA_ServerReferralData ref;
krb5_error_code ret;
EncryptedData ed;
krb5_data data;
size_t size;
memset(&ref, 0, sizeof(ref));
if (referred_realm) {
ref.referred_realm = malloc(sizeof(ref.referred_realm));
if (ref.referred_realm == NULL)
goto eout;
*ref.referred_realm = strdup(referred_realm);
if (*ref.referred_realm == NULL)
goto eout;
}
if (true_principal_name) {
ref.true_principal_name =
malloc(sizeof(ref.true_principal_name));
if (ref.true_principal_name == NULL)
goto eout;
ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
if (ret)
goto eout;
}
if (requested_principal) {
ref.requested_principal_name =
malloc(sizeof(ref.requested_principal_name));
if (ref.requested_principal_name == NULL)
goto eout;
ret = copy_PrincipalName(requested_principal,
ref.requested_principal_name);
if (ret)
goto eout;
}
ASN1_MALLOC_ENCODE(PA_ServerReferralData,
data.data, data.length,
&ref, &size, ret);
free_PA_ServerReferralData(&ref);
if (ret)
return ret;
if (data.length != size)
krb5_abortx(context, "internal asn.1 encoder error");
ret = krb5_encrypt_EncryptedData(context, session,
KRB5_KU_PA_SERVER_REFERRAL,
data.data, data.length,
0 /* kvno */, &ed);
free(data.data);
if (ret)
return ret;
ASN1_MALLOC_ENCODE(EncryptedData,
outdata->data, outdata->length,
&ed, &size, ret);
free_EncryptedData(&ed);
if (ret)
return ret;
if (outdata->length != size)
krb5_abortx(context, "internal asn.1 encoder error");
return 0;
eout:
free_PA_ServerReferralData(&ref);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
static krb5_error_code
tgs_build_reply(krb5_context context,
krb5_kdc_configuration *config,
@ -1253,7 +1353,7 @@ tgs_build_reply(krb5_context context,
krb5_data *reply,
const char *from,
const char **e_text,
AuthorizationData *auth_data,
AuthorizationData **auth_data,
const struct sockaddr *from_addr,
int datagram_reply)
{
@ -1262,6 +1362,7 @@ tgs_build_reply(krb5_context context,
krb5_principal client_principal = NULL;
char *spn = NULL, *cpn = NULL;
hdb_entry_ex *server = NULL, *client = NULL;
krb5_realm ref_realm = NULL;
EncTicketPart *tgt = &ticket->ticket;
KRB5SignedPathPrincipals *spp = NULL;
const EncryptionKey *ekey;
@ -1270,16 +1371,19 @@ tgs_build_reply(krb5_context context,
krb5_data rspac;
int cross_realm = 0;
METHOD_DATA enc_pa_data;
PrincipalName *s;
Realm r;
int nloop = 0;
EncTicketPart adtkt;
char opt_str[128];
int require_signedpath = 0;
int signedpath = 0;
memset(&sessionkey, 0, sizeof(sessionkey));
memset(&adtkt, 0, sizeof(adtkt));
krb5_data_zero(&rspac);
memset(&enc_pa_data, 0, sizeof(enc_pa_data));
s = b->sname;
r = b->realm;
@ -1379,11 +1483,14 @@ server_lookup:
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
auth_data = NULL; /* ms don't handle AD in referals */
if (ref_realm)
free(ref_realm);
ref_realm = strdup(new_rlm);
goto server_lookup;
}
}
} else if(need_referral(context, sp, &realms)) {
} else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
if (strcmp(realms[0], sp->realm) != 0) {
kdc_log(context, config, 5,
"Returning a referral to realm %s for "
@ -1396,8 +1503,12 @@ server_lookup:
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
if (ref_realm)
free(ref_realm);
ref_realm = strdup(realms[0]);
krb5_free_host_realm(context, realms);
auth_data = NULL; /* ms don't handle AD in referals */
goto server_lookup;
}
krb5_free_host_realm(context, realms);
@ -1438,6 +1549,50 @@ server_lookup:
cross_realm = 1;
}
/*
* Select enctype, return key and kvno.
*/
{
krb5_enctype etype;
if(b->kdc_options.enc_tkt_in_skey) {
int i;
ekey = &adtkt.key;
for(i = 0; i < b->etype.len; i++)
if (b->etype.val[i] == adtkt.key.keytype)
break;
if(i == b->etype.len) {
kdc_log(context, config, 0,
"Addition ticket have not matching etypes", spp);
krb5_clear_error_string(context);
return KRB5KDC_ERR_ETYPE_NOSUPP;
}
etype = b->etype.val[i];
kvno = 0;
} else {
Key *skey;
ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
&skey, &etype);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spn);
return ret;
}
ekey = &skey->key;
kvno = server->entry.kvno;
}
ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
if (ret)
goto out;
}
/*
* Validate authoriation data
*/
/*
* Check that service is in the same realm as the krbtgt. If it's
* not the same, it's someone that is using a uni-directional trust
@ -1459,8 +1614,45 @@ server_lookup:
goto out;
}
/* check PAC if not cross realm and if there is one */
if (!cross_realm) {
Key *tkey;
ret = hdb_enctype2key(context, &krbtgt->entry,
krbtgt_etype, &tkey);
if(ret) {
kdc_log(context, config, 0,
"Failed to find key for krbtgt PAC check");
goto out;
}
ret = check_PAC(context, config, cp,
client, server, ekey, &tkey->key,
tgt, &rspac, &signedpath);
if (ret) {
kdc_log(context, config, 0,
"Verify PAC failed for %s (%s) from %s with %s",
spn, cpn, from, krb5_get_err_text(context, ret));
goto out;
}
}
/* also check the krbtgt for signature */
ret = check_KRB5SignedPath(context,
config,
krbtgt,
tgt,
&spp,
&signedpath);
if (ret) {
kdc_log(context, config, 0,
"KRB5SignedPath check failed for %s (%s) from %s with %s",
spn, cpn, from, krb5_get_err_text(context, ret));
goto out;
}
/*
*
* Process request
*/
client_principal = cp;
@ -1566,10 +1758,23 @@ server_lookup:
&& b->additional_tickets->len != 0
&& b->kdc_options.enc_tkt_in_skey == 0)
{
int ad_signedpath = 0;
Key *clientkey;
Ticket *t;
char *str;
/*
* Require that the KDC have issued the service's krbtgt (not
* self-issued ticket with kimpersonate(1).
*/
if (!signedpath) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 0,
"Constrained delegation done on service ticket %s/%s",
cpn, spn);
goto out;
}
t = &b->additional_tickets->val[0];
ret = hdb_enctype2key(context, &client->entry,
@ -1588,12 +1793,11 @@ server_lookup:
}
/* check that ticket is valid */
if (adtkt.flags.forwardable == 0) {
kdc_log(context, config, 0,
"Missing forwardable flag on ticket for "
"constrained delegation from %s to %s ", spn, cpn);
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
ret = KRB5KDC_ERR_BADOPTION;
goto out;
}
@ -1623,16 +1827,16 @@ server_lookup:
}
/*
* Check KRB5SignedPath in authorization data and add new entry to
* make sure servers can't fake a ticket to us.
* Check that the KDC issued the user's ticket.
*/
ret = check_KRB5SignedPath(context,
config,
krbtgt,
&adtkt,
&spp,
1);
NULL,
&ad_signedpath);
if (ret == 0 && !ad_signedpath)
ret = KRB5KDC_ERR_BADOPTION;
if (ret) {
kdc_log(context, config, 0,
"KRB5SignedPath check from service %s failed "
@ -1646,12 +1850,6 @@ server_lookup:
kdc_log(context, config, 0, "constrained delegation for %s "
"from %s to %s", str, cpn, spn);
free(str);
/*
* Also require that the KDC have issue the service's krbtgt
* used to do the request.
*/
require_signedpath = 1;
}
/*
@ -1682,79 +1880,38 @@ server_lookup:
}
/*
* Select enctype, return key and kvno.
* If this is an referral, add server referral data to the
* auth_data reply .
*/
if (ref_realm) {
PA_DATA pa;
krb5_crypto crypto;
{
krb5_enctype etype;
if(b->kdc_options.enc_tkt_in_skey) {
int i;
ekey = &adtkt.key;
for(i = 0; i < b->etype.len; i++)
if (b->etype.val[i] == adtkt.key.keytype)
break;
if(i == b->etype.len) {
krb5_clear_error_string(context);
return KRB5KDC_ERR_ETYPE_NOSUPP;
}
etype = b->etype.val[i];
kvno = 0;
} else {
Key *skey;
ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
&skey, &etype);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spp);
return ret;
}
ekey = &skey->key;
kvno = server->entry.kvno;
}
"Adding server referral to %s", ref_realm);
ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
if (ret)
goto out;
}
/* check PAC if not cross realm and if there is one */
if (!cross_realm) {
Key *tkey;
ret = hdb_enctype2key(context, &krbtgt->entry,
krbtgt_etype, &tkey);
if(ret) {
kdc_log(context, config, 0,
"Failed to find key for krbtgt PAC check");
goto out;
}
ret = check_PAC(context, config, client_principal,
client, server, ekey, &tkey->key,
tgt, &rspac, &require_signedpath);
ret = build_server_referral(context, config, crypto, ref_realm,
NULL, s, &pa.padata_value);
krb5_crypto_destroy(context, crypto);
if (ret) {
kdc_log(context, config, 0,
"Verify PAC failed for %s (%s) from %s with %s",
spn, cpn, from, krb5_get_err_text(context, ret));
"Failed building server referral");
goto out;
}
}
pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
/* also check the krbtgt for signature */
ret = check_KRB5SignedPath(context,
config,
krbtgt,
tgt,
&spp,
require_signedpath);
ret = add_METHOD_DATA(&enc_pa_data, &pa);
krb5_data_free(&pa.padata_value);
if (ret) {
kdc_log(context, config, 0,
"KRB5SignedPath check failed for %s (%s) from %s with %s",
spn, cpn, from, krb5_get_err_text(context, ret));
"Add server referral METHOD-DATA failed");
goto out;
}
}
/*
*
@ -1768,7 +1925,7 @@ server_lookup:
ekey,
&sessionkey,
kvno,
auth_data,
*auth_data,
server,
spn,
client,
@ -1777,6 +1934,7 @@ server_lookup:
krbtgt_etype,
spp,
&rspac,
&enc_pa_data,
e_text,
reply);
@ -1797,6 +1955,9 @@ out:
krb5_free_principal(context, cp);
if (sp)
krb5_free_principal(context, sp);
if (ref_realm)
free(ref_realm);
free_METHOD_DATA(&enc_pa_data);
free_EncTicketPart(&adtkt);
@ -1870,7 +2031,7 @@ _kdc_tgs_rep(krb5_context context,
data,
from,
&e_text,
auth_data,
&auth_data,
from_addr,
datagram_reply);
if (ret) {


@ -36,7 +36,7 @@
#include <rfc2459_asn1.h>
#include <hx509.h>
RCSID("$Id: kx509.c 21607 2007-07-17 07:04:52Z lha $");
RCSID("$Id: kx509.c 23316 2008-06-23 04:32:32Z lha $");
/*
*
@ -67,7 +67,8 @@ verify_req_hash(krb5_context context,
HMAC_CTX ctx;
if (req->pk_hash.length != sizeof(digest)) {
krb5_set_error_string(context, "pk-hash have wrong length: %lu",
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
"pk-hash have wrong length: %lu",
(unsigned long)req->pk_hash.length);
return KRB5KDC_ERR_PREAUTH_FAILED;
}
@ -84,7 +85,8 @@ verify_req_hash(krb5_context context,
HMAC_CTX_cleanup(&ctx);
if (memcmp(req->pk_hash.data, digest, sizeof(digest)) != 0) {
krb5_set_error_string(context, "pk-hash is not correct");
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
"pk-hash is not correct");
return KRB5KDC_ERR_PREAUTH_FAILED;
}
return 0;
@ -106,7 +108,7 @@ calculate_reply_hash(krb5_context context,
rep->hash->data = malloc(rep->hash->length);
if (rep->hash->data == NULL) {
HMAC_CTX_cleanup(&ctx);
krb5_set_error_string(context, "out of memory");
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
@ -158,11 +160,7 @@ build_certificate(krb5_context context,
if (ret)
goto out;
ret = hx509_env_init(hxctx, &env);
if (ret)
goto out;
ret = hx509_env_add(hxctx, env, "principal-name",
ret = hx509_env_add(hxctx, &env, "principal-name",
krb5_principal_get_comp_string(context, principal, 0));
if (ret)
goto out;
@ -280,7 +278,7 @@ out:
hx509_cert_free(signer);
if (hxctx)
hx509_context_free(&hxctx);
krb5_set_error_string(context, "cert creation failed");
krb5_set_error_message(context, ret, "cert creation failed");
return ret;
}
@ -358,7 +356,7 @@ _kdc_do_kx509(krb5_context context,
krb5_free_principal(context, principal);
if (ret != TRUE) {
ret = KRB5KDC_ERR_SERVER_NOMATCH;
krb5_set_error_string(context,
krb5_set_error_message(context, ret,
"User %s used wrong Kx509 service principal",
cname);
goto out;
@ -366,8 +364,10 @@ _kdc_do_kx509(krb5_context context,
}
ret = krb5_auth_con_getkey(context, ac, &key);
if (ret || key == NULL) {
krb5_set_error_string(context, "Kx509 can't get session key");
if (ret == 0 && key == NULL)
ret = KRB5KDC_ERR_NULL_KEY;
if (ret) {
krb5_set_error_message(context, ret, "Kx509 can't get session key");
goto out;
}
@ -418,7 +418,7 @@ _kdc_do_kx509(krb5_context context,
ASN1_MALLOC_ENCODE(Kx509Response, data.data, data.length, &rep,
&size, ret);
if (ret) {
krb5_set_error_string(context, "Failed to encode kx509 reply");
krb5_set_error_message(context, ret, "Failed to encode kx509 reply");
goto out;
}
if (size != data.length)
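Review bot: With the `hx509_env_init` call removed, `hx509_env_add` at L1289 now receives `&env`, which suggests it allocates the environment on first use; that only works if `env` is NULL-initialised at its declaration, which lies outside this hunk and should be confirmed along with whatever the `out:` path does with `env`. The `out:` label at L1293–L1298 also records `krb5_set_error_message(context, ret, "cert creation failed")` unconditionally; if the success path reaches it too, `ret` is 0 and a misleading error message is attached, so guard it with `if (ret)`. The enclosing functions in these hunks all start outside the visible lines.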


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: misc.c 21106 2007-06-18 10:18:11Z lha $");
RCSID("$Id: misc.c 23316 2008-06-23 04:32:32Z lha $");
struct timeval _kdc_now;
@ -51,7 +51,7 @@ _kdc_db_fetch(krb5_context context,
ent = calloc (1, sizeof (*ent));
if (ent == NULL) {
krb5_set_error_string(context, "out of memory");
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
@ -76,7 +76,7 @@ _kdc_db_fetch(krb5_context context,
}
}
free(ent);
krb5_set_error_string(context, "no such entry found in hdb");
krb5_set_error_message(context, HDB_ERR_NOENTRY, "no such entry found in hdb");
return HDB_ERR_NOENTRY;
}
@ -116,7 +116,8 @@ _kdc_get_preferred_key(krb5_context context,
}
}
krb5_set_error_string(context, "No valid kerberos key found for %s", name);
krb5_set_error_message(context, EINVAL,
"No valid kerberos key found for %s", name);
return EINVAL;
}
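Review bot: The converted call at L1350 runs well past 80 columns while the otherwise identical conversion at L1357–L1358 is wrapped; for consistency wrap it as `krb5_set_error_message(context, HDB_ERR_NOENTRY,` / `"no such entry found in hdb");`. The error code passed now matches the value returned on the next line in both places, which is the right pairing for this API.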


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: pkinit.c 22243 2007-12-08 23:39:30Z lha $");
RCSID("$Id: pkinit.c 23316 2008-06-23 04:32:32Z lha $");
#ifdef PKINIT
@ -45,23 +45,8 @@ RCSID("$Id: pkinit.c 22243 2007-12-08 23:39:30Z lha $");
#include <hx509.h>
#include "crypto-headers.h"
/* XXX copied from lib/krb5/pkinit.c */
struct krb5_pk_identity {
hx509_context hx509ctx;
hx509_verify_ctx verify_ctx;
hx509_certs certs;
hx509_certs anchors;
hx509_certs certpool;
hx509_revoke_ctx revoke;
};
enum pkinit_type {
PKINIT_COMPAT_WIN2K = 1,
PKINIT_COMPAT_27 = 3
};
struct pk_client_params {
enum pkinit_type type;
enum krb5_pk_type type;
BIGNUM *dh_public_key;
hx509_cert cert;
unsigned nonce;
@ -202,13 +187,13 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
memset(&key, 0, sizeof(key));
if (!DH_generate_key(client_params->dh)) {
krb5_set_error_string(context, "Can't generate Diffie-Hellman keys");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "Can't generate Diffie-Hellman keys");
goto out;
}
if (client_params->dh_public_key == NULL) {
krb5_set_error_string(context, "dh_public_key");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "dh_public_key");
goto out;
}
@ -219,8 +204,8 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
memset(dh_gen_key, 0, size - dh_gen_keylen);
@ -229,8 +214,8 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
client_params->dh_public_key,
client_params->dh);
if (dh_gen_keylen == -1) {
krb5_set_error_string(context, "Can't compute Diffie-Hellman key");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "Can't compute Diffie-Hellman key");
goto out;
}
@ -256,7 +241,8 @@ integer_to_BN(krb5_context context, const char *field, heim_integer *f)
bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
if (bn == NULL) {
krb5_set_error_string(context, "PKINIT: parsing BN failed %s", field);
krb5_set_error_message(context, KRB5_BADMSGTYPE,
"PKINIT: parsing BN failed %s", field);
return NULL;
}
BN_set_negative(bn, f->negative);
@ -276,13 +262,14 @@ get_dh_param(krb5_context context,
memset(&dhparam, 0, sizeof(dhparam));
if (der_heim_oid_cmp(&dh_key_info->algorithm.algorithm, oid_id_dhpublicnumber())) {
krb5_set_error_string(context,
krb5_set_error_message(context, KRB5_BADMSGTYPE,
"PKINIT invalid oid in clientPublicValue");
return KRB5_BADMSGTYPE;
}
if (dh_key_info->algorithm.parameters == NULL) {
krb5_set_error_string(context, "PKINIT missing algorithm parameter "
krb5_set_error_message(context, KRB5_BADMSGTYPE,
"PKINIT missing algorithm parameter "
"in clientPublicValue");
return KRB5_BADMSGTYPE;
}
@ -292,14 +279,15 @@ get_dh_param(krb5_context context,
&dhparam,
NULL);
if (ret) {
krb5_set_error_string(context, "Can't decode algorithm "
krb5_set_error_message(context, ret, "Can't decode algorithm "
"parameters in clientPublicValue");
goto out;
}
if ((dh_key_info->subjectPublicKey.length % 8) != 0) {
ret = KRB5_BADMSGTYPE;
krb5_set_error_string(context, "PKINIT: subjectPublicKey not aligned "
krb5_set_error_message(context, ret,
"PKINIT: subjectPublicKey not aligned "
"to 8 bit boundary");
goto out;
}
@ -315,8 +303,8 @@ get_dh_param(krb5_context context,
dh = DH_new();
if (dh == NULL) {
krb5_set_error_string(context, "Cannot create DH structure");
ret = ENOMEM;
krb5_set_error_message(context, ret, "Cannot create DH structure");
goto out;
}
ret = KRB5_BADMSGTYPE;
@ -347,9 +335,11 @@ get_dh_param(krb5_context context,
"subjectPublicKey",
&glue);
der_free_heim_integer(&glue);
if (client_params->dh_public_key == NULL)
if (client_params->dh_public_key == NULL) {
ret = KRB5_BADMSGTYPE;
goto out;
}
}
client_params->dh = dh;
dh = NULL;
@ -385,7 +375,7 @@ _kdc_pk_rd_padata(krb5_context context,
return 0;
}
hx509_verify_set_time(kdc_identity->verify_ctx, _kdc_now.tv_sec);
hx509_verify_set_time(kdc_identity->verify_ctx, kdc_time);
client_params = calloc(1, sizeof(*client_params));
if (client_params == NULL) {
@ -404,7 +394,7 @@ _kdc_pk_rd_padata(krb5_context context,
&r,
NULL);
if (ret) {
krb5_set_error_string(context, "Can't decode "
krb5_set_error_message(context, ret, "Can't decode "
"PK-AS-REQ-Win2k: %d", ret);
goto out;
}
@ -415,7 +405,8 @@ _kdc_pk_rd_padata(krb5_context context,
&have_data);
free_PA_PK_AS_REQ_Win2k(&r);
if (ret) {
krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret);
krb5_set_error_message(context, ret,
"Can't decode PK-AS-REQ: %d", ret);
goto out;
}
@ -429,7 +420,7 @@ _kdc_pk_rd_padata(krb5_context context,
&r,
NULL);
if (ret) {
krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret);
krb5_set_error_message(context, ret, "Can't decode PK-AS-REQ: %d", ret);
goto out;
}
@ -443,7 +434,7 @@ _kdc_pk_rd_padata(krb5_context context,
0, NULL,
&client_params->client_anchors);
if (ret) {
krb5_set_error_string(context, "Can't allocate client anchors: %d", ret);
krb5_set_error_message(context, ret, "Can't allocate client anchors: %d", ret);
goto out;
}
@ -458,7 +449,7 @@ _kdc_pk_rd_padata(krb5_context context,
ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
if (ret) {
krb5_set_error_string(context,
krb5_set_error_message(context, ret,
"Failed to allocate hx509_query");
goto out;
}
@ -495,7 +486,8 @@ _kdc_pk_rd_padata(krb5_context context,
&have_data);
free_PA_PK_AS_REQ(&r);
if (ret) {
krb5_set_error_string(context, "Can't unwrap ContentInfo: %d", ret);
krb5_set_error_message(context, ret,
"Can't unwrap ContentInfo: %d", ret);
goto out;
}
@ -507,16 +499,16 @@ _kdc_pk_rd_padata(krb5_context context,
ret = der_heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData());
if (ret != 0) {
krb5_set_error_string(context, "PK-AS-REQ-Win2k invalid content "
"type oid");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"PK-AS-REQ-Win2k invalid content type oid");
goto out;
}
if (!have_data) {
krb5_set_error_string(context,
"PK-AS-REQ-Win2k no signed auth pack");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"PK-AS-REQ-Win2k no signed auth pack");
goto out;
}
@ -551,8 +543,8 @@ _kdc_pk_rd_padata(krb5_context context,
if (der_heim_oid_cmp(&eContentType, oid_id_pkcs7_data()) != 0 &&
der_heim_oid_cmp(&eContentType, oid_id_pkauthdata()) != 0)
{
krb5_set_error_string(context, "got wrong oid for pkauthdata");
ret = KRB5_BADMSGTYPE;
krb5_set_error_message(context, ret, "got wrong oid for pkauthdata");
goto out;
}
@ -564,7 +556,7 @@ _kdc_pk_rd_padata(krb5_context context,
&ap,
NULL);
if (ret) {
krb5_set_error_string(context, "can't decode AuthPack: %d", ret);
krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret);
goto out;
}
@ -576,12 +568,12 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
client_params->type = PKINIT_COMPAT_WIN2K;
client_params->type = PKINIT_WIN2K;
client_params->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) {
krb5_set_error_string(context, "DH not supported for windows");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "DH not supported for windows");
goto out;
}
free_AuthPack_Win2k(&ap);
@ -594,7 +586,7 @@ _kdc_pk_rd_padata(krb5_context context,
&ap,
NULL);
if (ret) {
krb5_set_error_string(context, "can't decode AuthPack: %d", ret);
krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret);
free_AuthPack(&ap);
goto out;
}
@ -607,7 +599,7 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
client_params->type = PKINIT_COMPAT_27;
client_params->type = PKINIT_27;
client_params->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) {
@ -700,7 +692,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
*/
switch (client_params->type) {
case PKINIT_COMPAT_WIN2K: {
case PKINIT_WIN2K: {
int i = 0;
if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL
&& config->pkinit_require_binding == 0)
@ -709,7 +701,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
}
break;
}
case PKINIT_COMPAT_27:
case PKINIT_27:
break;
default:
krb5_abortx(context, "internal pkinit error");
@ -769,7 +761,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
free_ReplyKeyPack(&kp);
}
if (ret) {
krb5_set_error_string(context, "ASN.1 encoding of ReplyKeyPack "
krb5_set_error_message(context, ret, "ASN.1 encoding of ReplyKeyPack "
"failed (%d)", ret);
goto out;
}
@ -813,7 +805,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
if (ret)
goto out;
if (client_params->type == PKINIT_COMPAT_WIN2K) {
if (client_params->type == PKINIT_WIN2K) {
ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(),
&signed_data,
&buf);
@ -874,9 +866,8 @@ pk_mk_pa_reply_dh(krb5_context context,
ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
if (ret) {
krb5_set_error_string(context, "ASN.1 encoding of "
krb5_set_error_message(context, ret, "ASN.1 encoding of "
"DHPublicKey failed (%d)", ret);
krb5_clear_error_string(context);
return ret;
}
if (buf.length != size)
@ -890,7 +881,7 @@ pk_mk_pa_reply_dh(krb5_context context,
ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size,
ret);
if (ret) {
krb5_set_error_string(context, "ASN.1 encoding of "
krb5_set_error_message(context, ret, "ASN.1 encoding of "
"KdcDHKeyInfo failed (%d)", ret);
goto out;
}
@ -990,7 +981,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
break;
if (req->req_body.etype.len <= i) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_string(context,
krb5_set_error_message(context, ret,
"No valid enctype available from client");
goto out;
}
@ -998,7 +989,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
} else
enctype = ETYPE_DES3_CBC_SHA1;
if (client_params->type == PKINIT_COMPAT_27) {
if (client_params->type == PKINIT_27) {
PA_PK_AS_REP rep;
const char *type, *other = "";
@ -1035,7 +1026,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_string(context, "encoding of Key ContentInfo "
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
@ -1068,7 +1059,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_string(context, "encoding of Key ContentInfo "
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
@ -1085,7 +1076,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP(&rep);
if (ret) {
krb5_set_error_string(context, "encode PA-PK-AS-REP failed %d",
krb5_set_error_message(context, ret, "encode PA-PK-AS-REP failed %d",
ret);
goto out;
}
@ -1094,13 +1085,13 @@ _kdc_pk_mk_pa_reply(krb5_context context,
kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
} else if (client_params->type == PKINIT_COMPAT_WIN2K) {
} else if (client_params->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k rep;
ContentInfo info;
if (client_params->dh) {
krb5_set_error_string(context, "Windows PK-INIT doesn't support DH");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "Windows PK-INIT doesn't support DH");
goto out;
}
@ -1131,7 +1122,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_string(context, "encoding of Key ContentInfo "
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
@ -1142,7 +1133,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP_Win2k(&rep);
if (ret) {
krb5_set_error_string(context,
krb5_set_error_message(context, ret,
"encode PA-PK-AS-REP-Win2k failed %d", ret);
goto out;
}
@ -1155,7 +1146,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = krb5_padata_add(context, md, pa_type, buf, len);
if (ret) {
krb5_set_error_string(context, "failed adding PA-PK-AS-REP %d", ret);
krb5_set_error_message(context, ret, "failed adding PA-PK-AS-REP %d", ret);
free(buf);
goto out;
}
@ -1229,7 +1220,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
KRB5_PADATA_PA_PK_OCSP_RESPONSE,
ocsp.data.data, ocsp.data.length);
if (ret) {
krb5_set_error_string(context,
krb5_set_error_message(context, ret,
"Failed adding OCSP response %d", ret);
goto out;
}
@ -1453,7 +1444,8 @@ _kdc_pk_check_client(krb5_context context,
return 0;
}
krb5_set_error_string(context,
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
krb5_set_error_message(context, ret,
"PKINIT no matching principals for %s",
*subject_name);
@ -1464,7 +1456,7 @@ _kdc_pk_check_client(krb5_context context,
free(*subject_name);
*subject_name = NULL;
return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
return ret;
}
static krb5_error_code
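Review bot: `integer_to_BN` at L1427 records KRB5_BADMSGTYPE in the error message but still returns NULL, so every caller must set `ret` itself; the `dh_public_key` caller at L1478–L1481 now does, but the other `integer_to_BN` calls in `get_dh_param` are outside this hunk and presumably rely on the `ret = KRB5_BADMSGTYPE;` at L1472 staying in place. A one-line comment on `integer_to_BN` such as `/* returns NULL on failure; caller sets ret (KRB5_BADMSGTYPE) */` would make that contract explicit. On style, several converted calls (L1515, L1523, L1712, L1737) run past 80 columns while neighbouring conversions were wrapped (L1506–L1507, L1539–L1540).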


@ -34,7 +34,7 @@
#include "kdc_locl.h"
RCSID("$Id: process.c 20959 2007-06-07 04:46:06Z lha $");
RCSID("$Id: process.c 23316 2008-06-23 04:32:32Z lha $");
/*
*
@ -177,14 +177,15 @@ krb5_kdc_save_request(krb5_context context,
fd = open(fn, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (fd < 0) {
krb5_set_error_string(context, "Failed to open: %s", fn);
return errno;
int saved_errno = errno;
krb5_set_error_message(context, saved_errno, "Failed to open: %s", fn);
return saved_errno;
}
sp = krb5_storage_from_fd(fd);
close(fd);
if (sp == NULL) {
krb5_set_error_string(context, "Storage failed to open fd");
krb5_set_error_message(context, ENOMEM, "Storage failed to open fd");
return ENOMEM;
}


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: windc.c 20559 2007-04-24 16:00:07Z lha $");
RCSID("$Id: windc.c 23316 2008-06-23 04:32:32Z lha $");
static krb5plugin_windc_ftable *windcft;
static void *windcctx;
@ -63,7 +63,7 @@ krb5_kdc_windc_init(krb5_context context)
}
if (e == NULL) {
_krb5_plugin_free(list);
krb5_set_error_string(context, "Did not find any WINDC plugin");
krb5_set_error_message(context, ENOENT, "Did not find any WINDC plugin");
windcft = NULL;
return ENOENT;
}
@ -91,7 +91,7 @@ _kdc_pac_verify(krb5_context context,
krb5_pac *pac)
{
if (windcft == NULL) {
krb5_set_error_string(context, "Can't verify PAC, no function");
krb5_set_error_message(context, EINVAL, "Can't verify PAC, no function");
return EINVAL;
}
return (windcft->pac_verify)(windcctx, context,


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: windc_plugin.h 19798 2007-01-10 15:24:51Z lha $ */
/* $Id: windc_plugin.h 22693 2008-03-19 08:57:49Z lha $ */
#ifndef HEIMDAL_KRB5_PAC_PLUGIN_H
#define HEIMDAL_KRB5_PAC_PLUGIN_H 1
@ -67,7 +67,7 @@ typedef krb5_error_code
void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *, krb5_data *);
#define KRB5_WINDC_PLUGING_MINOR 2
#define KRB5_WINDC_PLUGING_MINOR 3
typedef struct krb5plugin_windc_ftable {
int minor_version;


@ -32,7 +32,7 @@
*/
#include "kuser_locl.h"
RCSID("$Id: kinit.c 22116 2007-12-03 21:22:58Z lha $");
RCSID("$Id: kinit.c 23418 2008-07-26 18:36:48Z lha $");
#include "krb5-v4compat.h"
@ -66,6 +66,8 @@ char *pk_user_id = NULL;
char *pk_x509_anchors = NULL;
int pk_use_enckey = 0;
static int canonicalize_flag = 0;
static int ok_as_delegate_flag = 0;
static int windows_flag = 0;
static char *ntlm_domain;
static char *krb4_cc_name;
@ -161,6 +163,12 @@ static struct getargs args[] = {
{ "ntlm-domain", 0, arg_string, &ntlm_domain,
"NTLM domain", "domain" },
{ "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
"honor ok-as-delegate on tickets" },
{ "windows", 0, arg_flag, &windows_flag,
"get windows behavior" },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
};
@ -330,35 +338,24 @@ out:
static krb5_error_code
store_ntlmkey(krb5_context context, krb5_ccache id,
const char *domain, krb5_const_principal client,
struct ntlm_buf *buf)
const char *domain, struct ntlm_buf *buf)
{
krb5_error_code ret;
krb5_creds cred;
krb5_data data;
char *name;
memset(&cred, 0, sizeof(cred));
asprintf(&name, "ntlm-key-%s", domain);
if (name == NULL) {
krb5_clear_error_string(context);
return ENOMEM;
}
ret = krb5_make_principal(context, &cred.server,
krb5_principal_get_realm(context, client),
"@ntlm-key", domain, NULL);
if (ret)
goto out;
ret = krb5_copy_principal(context, client, &cred.client);
if (ret)
goto out;
data.length = buf->length;
data.data = buf->data;
cred.times.authtime = time(NULL);
cred.times.endtime = time(NULL) + 3600 * 24 * 30; /* XXX */
cred.session.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
ret = krb5_data_copy(&cred.session.keyvalue, buf->data, buf->length);
if (ret)
goto out;
ret = krb5_cc_store_cred(context, id, &cred);
out:
krb5_free_cred_contents (context, &cred);
return 0;
ret = krb5_cc_set_config(context, id, NULL, name, &data);
free(name);
return ret;
}
static krb5_error_code
@ -598,7 +595,17 @@ get_new_tickets(krb5_context context,
krb5_err (context, 1, ret, "krb5_cc_move");
if (ntlm_domain && ntlmkey.data)
store_ntlmkey(context, ccache, ntlm_domain, principal, &ntlmkey);
store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
if (ok_as_delegate_flag || windows_flag) {
krb5_data data;
data.length = 1;
data.data = "\x01";
krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
}
if (enctype)
free(enctype);
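Review bot: The `asprintf` result at L1872 is unchecked; on glibc a failed `asprintf` leaves `name` indeterminate, so the `name == NULL` test on the following line does not reliably detect allocation failure. Use the return value instead: `if (asprintf(&name, "ntlm-key-%s", domain) < 0) {` with the existing `krb5_clear_error_string(context); return ENOMEM;` body. The caller at L1906 discards `store_ntlmkey`'s return value and the `realm-config` write at L1911 discards `krb5_cc_set_config`'s, so a failure to persist either entry passes silently; at minimum report it with `krb5_warn`. Note also that the old credential carried a 30-day endtime whereas the config entry has no lifetime — if that is intended, a short comment on `store_ntlmkey` saying so would avoid the question later.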


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: der.h 18437 2006-10-14 05:16:08Z lha $ */
/* $Id: der.h 23183 2008-05-22 09:56:51Z lha $ */
#ifndef __DER_H__
#define __DER_H__


@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_free.c 19539 2006-12-28 17:15:05Z lha $");
RCSID("$Id: der_free.c 23182 2008-05-22 02:59:04Z lha $");
void
der_free_general_string (heim_general_string *str)


@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen.c 22429 2008-01-13 10:25:50Z lha $");
RCSID("$Id: gen.c 22896 2008-04-07 18:52:24Z lha $");
FILE *headerfile, *codefile, *logfile;
@ -294,13 +294,18 @@ generate_constant (const Symbol *s)
break;
case objectidentifiervalue: {
struct objid *o, **list;
int i, len;
unsigned int i, len;
generate_header_of_codefile(s->gen_name);
len = 0;
for (o = s->value->u.objectidentifiervalue; o != NULL; o = o->next)
len++;
if (len == 0) {
printf("s->gen_name: %s",s->gen_name);
fflush(stdout);
break;
}
list = emalloc(sizeof(*list) * len);
i = 0;
@ -308,8 +313,8 @@ generate_constant (const Symbol *s)
list[i++] = o;
fprintf (headerfile, "/* OBJECT IDENTIFIER %s ::= { ", s->name);
for (i = len - 1 ; i >= 0; i--) {
o = list[i];
for (i = len ; i > 0; i--) {
o = list[i - 1];
fprintf(headerfile, "%s(%d) ",
o->label ? o->label : "label-less", o->value);
}
@ -320,8 +325,8 @@ generate_constant (const Symbol *s)
fprintf (codefile, "static unsigned oid_%s_variable_num[%d] = {",
s->gen_name, len);
for (i = len - 1 ; i >= 0; i--) {
fprintf(codefile, "%d%s ", list[i]->value, i > 0 ? "," : "");
for (i = len ; i > 0; i--) {
fprintf(codefile, "%d%s ", list[i - 1]->value, i > 1 ? "," : "");
}
fprintf(codefile, "};\n");
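Review bot: The `len == 0` branch added at L1952–L1956 looks like leftover debugging: it prints `s->gen_name` to stdout with no newline and then silently skips the constant, so a malformed OID definition produces no header or code entry and no diagnostic on stderr. Report it as an error through the compiler's normal error path instead, e.g. `errx(1, "OBJECT IDENTIFIER %s has no components", s->name);` if that is the convention used elsewhere in gen.c. Separately, `len` became `unsigned int` at L1947 but is still printed with `%d` at L1970–L1971; change that specifier to `%u`.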


@ -1,4 +1,4 @@
-- $Id: k5.asn1 21965 2007-10-18 18:24:36Z lha $
-- $Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $
KERBEROS5 DEFINITIONS ::=
BEGIN
@ -635,7 +635,7 @@ KRB5SignedPath ::= SEQUENCE {
PA-ClientCanonicalizedNames ::= SEQUENCE{
requested-name [0] PrincipalName,
real-name [1] PrincipalName
mapped-name [1] PrincipalName
}
PA-ClientCanonicalized ::= SEQUENCE {
@ -654,6 +654,16 @@ PA-SvrReferralData ::= SEQUENCE {
referred-realm [0] Realm
}
PA-SERVER-REFERRAL-DATA ::= EncryptedData
PA-ServerReferralData ::= SEQUENCE {
referred-realm [0] Realm OPTIONAL,
true-principal-name [1] PrincipalName OPTIONAL,
requested-principal-name [2] PrincipalName OPTIONAL,
referral-valid-until [3] KerberosTime OPTIONAL,
...
}
END
-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
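Review bot: Renaming `real-name` to `mapped-name` at L1989–L1990 keeps tag `[1]` and the type, so the DER encoding is unchanged and this is wire-compatible, but the generated C member changes from `real_name` to `mapped_name`, so any code in the tree referencing the old member must be updated in the same commit. The module now carries both `PA-SvrReferralData` (L1993–L1995) and the new `PA-ServerReferralData`; a comment above the new SEQUENCE stating which specification each one follows and which the KDC emits would save the next reader from guessing.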


@ -1,5 +1,6 @@
#include "config.h"
#line 3 "lex.c"
#line 3 "heimdal/lib/asn1/lex.c"
#define YY_INT_ALIGNED short int
@ -8,7 +9,7 @@
#define FLEX_SCANNER
#define YY_FLEX_MAJOR_VERSION 2
#define YY_FLEX_MINOR_VERSION 5
#define YY_FLEX_SUBMINOR_VERSION 33
#define YY_FLEX_SUBMINOR_VERSION 34
#if YY_FLEX_SUBMINOR_VERSION > 0
#define FLEX_BETA
#endif
@ -30,7 +31,7 @@
/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
#if __STDC_VERSION__ >= 199901L
#if defined (__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
* if you want the limit (max/min) macros for int types.
@ -93,11 +94,12 @@ typedef unsigned int flex_uint32_t;
#else /* ! __cplusplus */
#if __STDC__
/* C99 requires __STDC__ to be defined as 1. */
#if defined (__STDC__)
#define YY_USE_CONST
#endif /* __STDC__ */
#endif /* defined (__STDC__) */
#endif /* ! __cplusplus */
#ifdef YY_USE_CONST
@ -180,11 +182,13 @@ extern FILE *yyin, *yyout;
/* The following is because we cannot portably get our hands on size_t
* (without autoconf's help, which isn't available because we want
* flex-generated scanners to compile on their own).
* Given that the standard has decreed that size_t exists since 1989,
* I guess we can afford to depend on it. Manoj.
*/
#ifndef YY_TYPEDEF_YY_SIZE_T
#define YY_TYPEDEF_YY_SIZE_T
typedef unsigned int yy_size_t;
typedef size_t yy_size_t;
#endif
#ifndef YY_STRUCT_YY_BUFFER_STATE
@ -851,7 +855,7 @@ static unsigned lineno = 1;
static void unterminated(const char *, unsigned);
/* This is for broken old lexes (solaris 10 and hpux) */
#line 855 "lex.c"
#line 858 "heimdal/lib/asn1/lex.c"
#define INITIAL 0
@ -869,35 +873,6 @@ static void unterminated(const char *, unsigned);
static int yy_init_globals (void );
/* Accessor methods to globals.
These are made visible to non-reentrant scanners for convenience. */
int yylex_destroy (void );
int yyget_debug (void );
void yyset_debug (int debug_flag );
YY_EXTRA_TYPE yyget_extra (void );
void yyset_extra (YY_EXTRA_TYPE user_defined );
FILE *yyget_in (void );
void yyset_in (FILE * in_str );
FILE *yyget_out (void );
void yyset_out (FILE * out_str );
int yyget_leng (void );
char *yyget_text (void );
int yyget_lineno (void );
void yyset_lineno (int line_number );
/* Macros after this point can all be overridden by user definitions in
* section 1.
*/
@ -940,7 +915,7 @@ static int input (void );
/* This used to be an fputs(), but since the string might contain NUL's,
* we now use fwrite().
*/
#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
#define ECHO fwrite( yytext, yyleng, 1, yyout )
#endif
/* Gets input and stuffs it into "buf". number of characters read, or YY_NULL,
@ -951,7 +926,7 @@ static int input (void );
if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
{ \
int c = '*'; \
size_t n; \
int n; \
for ( n = 0; n < max_size && \
(c = getc( yyin )) != EOF && c != '\n'; ++n ) \
buf[n] = (char) c; \
@ -1035,7 +1010,7 @@ YY_DECL
#line 68 "lex.l"
#line 1039 "lex.c"
#line 1013 "heimdal/lib/asn1/lex.c"
if ( !(yy_init) )
{
@ -1704,7 +1679,7 @@ YY_RULE_SETUP
#line 274 "lex.l"
ECHO;
YY_BREAK
#line 1708 "lex.c"
#line 1682 "heimdal/lib/asn1/lex.c"
case YY_STATE_EOF(INITIAL):
yyterminate();
@ -1935,7 +1910,7 @@ static int yy_get_next_buffer (void)
/* Read in more data. */
YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
(yy_n_chars), num_to_read );
(yy_n_chars), (size_t) num_to_read );
YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
}
@ -1959,6 +1934,14 @@ static int yy_get_next_buffer (void)
else
ret_val = EOB_ACT_CONTINUE_SCAN;
if ((yy_size_t) ((yy_n_chars) + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
/* Extend the array by 50%, plus the number we really need. */
yy_size_t new_size = (yy_n_chars) + number_to_move + ((yy_n_chars) >> 1);
YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size );
if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
}
(yy_n_chars) += number_to_move;
YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
@ -2374,6 +2357,8 @@ static void yyensure_buffer_stack (void)
(yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
(num_to_alloc * sizeof(struct yy_buffer_state*)
);
if ( ! (yy_buffer_stack) )
YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
@ -2392,6 +2377,8 @@ static void yyensure_buffer_stack (void)
((yy_buffer_stack),
num_to_alloc * sizeof(struct yy_buffer_state*)
);
if ( ! (yy_buffer_stack) )
YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
/* zero only the new slots.*/
memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
@ -2436,7 +2423,7 @@ YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size )
/** Setup the input buffer state to scan a string. The next call to yylex() will
* scan from a @e copy of @a str.
* @param str a NUL-terminated string to scan
* @param yystr a NUL-terminated string to scan
*
* @return the newly allocated buffer state object.
* @note If you want to scan bytes that may contain NUL values, then use


@ -32,7 +32,7 @@
* SUCH DAMAGE.
*/
/* $Id: lex.l,v 1.31 2006/10/21 11:57:22 lha Exp $ */
/* $Id: lex.l 18738 2006-10-21 11:57:22Z lha $ */
#ifdef HAVE_CONFIG_H
#include <config.h>


@ -17,6 +17,11 @@ id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }
id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }
id-pkinit-san OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
x509-sanan(2) }
@ -171,6 +176,14 @@ ReplyKeyPack-Win2k ::= SEQUENCE {
...
}
PkinitSP80056AOtherInfo ::= SEQUENCE {
algorithmID AlgorithmIdentifier,
partyUInfo [0] OCTET STRING,
partyVInfo [1] OCTET STRING,
suppPubInfo [2] OCTET STRING OPTIONAL,
suppPrivInfo [3] OCTET STRING OPTIONAL
}
PkinitSuppPubInfo ::= SEQUENCE {
enctype [0] INTEGER (-2147483648..2147483647),
as-REQ [1] OCTET STRING,


@ -1,4 +1,4 @@
# $Id: test.gen,v 1.2 2005/07/12 06:27:41 lha Exp $
# $Id: test.gen 15617 2005-07-12 06:27:42Z lha $
# Sample for TESTSeq in test.asn1
#


@ -1,5 +1,6 @@
#include "config.h"
#line 3 "lex.c"
#line 3 "heimdal/lib/com_err/lex.c"
#define YY_INT_ALIGNED short int
@ -8,7 +9,7 @@
#define FLEX_SCANNER
#define YY_FLEX_MAJOR_VERSION 2
#define YY_FLEX_MINOR_VERSION 5
#define YY_FLEX_SUBMINOR_VERSION 33
#define YY_FLEX_SUBMINOR_VERSION 34
#if YY_FLEX_SUBMINOR_VERSION > 0
#define FLEX_BETA
#endif
@ -30,7 +31,7 @@
/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
#if __STDC_VERSION__ >= 199901L
#if defined (__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
* if you want the limit (max/min) macros for int types.
@ -93,11 +94,12 @@ typedef unsigned int flex_uint32_t;
#else /* ! __cplusplus */
#if __STDC__
/* C99 requires __STDC__ to be defined as 1. */
#if defined (__STDC__)
#define YY_USE_CONST
#endif /* __STDC__ */
#endif /* defined (__STDC__) */
#endif /* ! __cplusplus */
#ifdef YY_USE_CONST
@ -180,11 +182,13 @@ extern FILE *yyin, *yyout;
/* The following is because we cannot portably get our hands on size_t
* (without autoconf's help, which isn't available because we want
* flex-generated scanners to compile on their own).
* Given that the standard has decreed that size_t exists since 1989,
* I guess we can afford to depend on it. Manoj.
*/
#ifndef YY_TYPEDEF_YY_SIZE_T
#define YY_TYPEDEF_YY_SIZE_T
typedef unsigned int yy_size_t;
typedef size_t yy_size_t;
#endif
#ifndef YY_STRUCT_YY_BUFFER_STATE
@ -532,7 +536,7 @@ static int getstring(void);
#undef ECHO
#line 536 "lex.c"
#line 539 "heimdal/lib/com_err/lex.c"
#define INITIAL 0
@ -550,35 +554,6 @@ static int getstring(void);
static int yy_init_globals (void );
/* Accessor methods to globals.
These are made visible to non-reentrant scanners for convenience. */
int yylex_destroy (void );
int yyget_debug (void );
void yyset_debug (int debug_flag );
YY_EXTRA_TYPE yyget_extra (void );
void yyset_extra (YY_EXTRA_TYPE user_defined );
FILE *yyget_in (void );
void yyset_in (FILE * in_str );
FILE *yyget_out (void );
void yyset_out (FILE * out_str );
int yyget_leng (void );
char *yyget_text (void );
int yyget_lineno (void );
void yyset_lineno (int line_number );
/* Macros after this point can all be overridden by user definitions in
* section 1.
*/
@ -621,7 +596,7 @@ static int input (void );
/* This used to be an fputs(), but since the string might contain NUL's,
* we now use fwrite().
*/
#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
#define ECHO fwrite( yytext, yyleng, 1, yyout )
#endif
/* Gets input and stuffs it into "buf". number of characters read, or YY_NULL,
@ -632,7 +607,7 @@ static int input (void );
if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
{ \
int c = '*'; \
size_t n; \
int n; \
for ( n = 0; n < max_size && \
(c = getc( yyin )) != EOF && c != '\n'; ++n ) \
buf[n] = (char) c; \
@ -716,7 +691,7 @@ YY_DECL
#line 59 "lex.l"
#line 720 "lex.c"
#line 694 "heimdal/lib/com_err/lex.c"
if ( !(yy_init) )
{
@ -880,7 +855,7 @@ YY_RULE_SETUP
#line 75 "lex.l"
ECHO;
YY_BREAK
#line 884 "lex.c"
#line 858 "heimdal/lib/com_err/lex.c"
case YY_STATE_EOF(INITIAL):
yyterminate();
@ -1111,7 +1086,7 @@ static int yy_get_next_buffer (void)
/* Read in more data. */
YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
(yy_n_chars), num_to_read );
(yy_n_chars), (size_t) num_to_read );
YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
}
@ -1135,6 +1110,14 @@ static int yy_get_next_buffer (void)
else
ret_val = EOB_ACT_CONTINUE_SCAN;
if ((yy_size_t) ((yy_n_chars) + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
/* Extend the array by 50%, plus the number we really need. */
yy_size_t new_size = (yy_n_chars) + number_to_move + ((yy_n_chars) >> 1);
YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size );
if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
}
(yy_n_chars) += number_to_move;
YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
@ -1550,6 +1533,8 @@ static void yyensure_buffer_stack (void)
(yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
(num_to_alloc * sizeof(struct yy_buffer_state*)
);
if ( ! (yy_buffer_stack) )
YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
@ -1568,6 +1553,8 @@ static void yyensure_buffer_stack (void)
((yy_buffer_stack),
num_to_alloc * sizeof(struct yy_buffer_state*)
);
if ( ! (yy_buffer_stack) )
YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
/* zero only the new slots.*/
memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
@ -1612,7 +1599,7 @@ YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size )
/** Setup the input buffer state to scan a string. The next call to yylex() will
* scan from a @e copy of @a str.
* @param str a NUL-terminated string to scan
* @param yystr a NUL-terminated string to scan
*
* @return the newly allocated buffer state object.
* @note If you want to scan bytes that may contain NUL values, then use


@ -44,7 +44,7 @@
#include "parse.h"
#include "lex.h"
RCSID("$Id: lex.l,v 1.8 2005/05/16 08:52:54 lha Exp $");
RCSID("$Id: lex.l 15143 2005-05-16 08:52:54Z lha $");
static unsigned lineno = 1;
static int getstring(void);


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gssapi.h 21004 2007-06-08 01:53:10Z lha $ */
/* $Id: gssapi.h 23025 2008-04-17 10:01:57Z lha $ */
#ifndef GSSAPI_GSSAPI_H_
#define GSSAPI_GSSAPI_H_
@ -43,6 +43,16 @@
#include <krb5-types.h>
#ifndef BUILD_GSSAPI_LIB
#if defined(_WIN32)
#define GSSAPI_LIB_FUNCTION _stdcall __declspec(dllimport)
#define GSSAPI_LIB_VARIABLE __declspec(dllimport)
#else
#define GSSAPI_LIB_FUNCTION
#define GSSAPI_LIB_VARIABLE
#endif
#endif
/*
* Now define the three implementation-dependent types.
*/
@ -210,7 +220,7 @@ extern "C" {
* GSS_C_NT_USER_NAME should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_USER_NAME;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_USER_NAME;
/*
* The implementation must reserve static storage for a
@ -223,7 +233,7 @@ extern gss_OID GSS_C_NT_USER_NAME;
* The constant GSS_C_NT_MACHINE_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_MACHINE_UID_NAME;
/*
* The implementation must reserve static storage for a
@ -236,7 +246,7 @@ extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
* The constant GSS_C_NT_STRING_UID_NAME should be
* initialized to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_STRING_UID_NAME;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_STRING_UID_NAME;
/*
* The implementation must reserve static storage for a
@ -255,7 +265,7 @@ extern gss_OID GSS_C_NT_STRING_UID_NAME;
* parameter, but should not be emitted by GSS-API
* implementations
*/
extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
/*
* The implementation must reserve static storage for a
@ -268,7 +278,7 @@ extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
* GSS_C_NT_HOSTBASED_SERVICE should be initialized
* to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_HOSTBASED_SERVICE;
/*
* The implementation must reserve static storage for a
@ -280,7 +290,7 @@ extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
* and GSS_C_NT_ANONYMOUS should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_ANONYMOUS;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_ANONYMOUS;
/*
* The implementation must reserve static storage for a
@ -292,19 +302,19 @@ extern gss_OID GSS_C_NT_ANONYMOUS;
* GSS_C_NT_EXPORT_NAME should be initialized to point
* to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_EXPORT_NAME;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_EXPORT_NAME;
/*
* Digest mechanism
*/
extern gss_OID GSS_SASL_DIGEST_MD5_MECHANISM;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_SASL_DIGEST_MD5_MECHANISM;
/*
* NTLM mechanism
*/
extern gss_OID GSS_NTLM_MECHANISM;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_NTLM_MECHANISM;
/* Major status codes */
@ -387,7 +397,7 @@ extern gss_OID GSS_NTLM_MECHANISM;
* Finally, function prototypes for the GSS-API routines.
*/
OM_uint32 gss_acquire_cred
OM_uint32 GSSAPI_LIB_FUNCTION gss_acquire_cred
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
OM_uint32 /*time_req*/,
@ -398,12 +408,12 @@ OM_uint32 gss_acquire_cred
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_release_cred
OM_uint32 GSSAPI_LIB_FUNCTION gss_release_cred
(OM_uint32 * /*minor_status*/,
gss_cred_id_t * /*cred_handle*/
);
OM_uint32 gss_init_sec_context
OM_uint32 GSSAPI_LIB_FUNCTION gss_init_sec_context
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*initiator_cred_handle*/,
gss_ctx_id_t * /*context_handle*/,
@ -419,7 +429,7 @@ OM_uint32 gss_init_sec_context
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_accept_sec_context
OM_uint32 GSSAPI_LIB_FUNCTION gss_accept_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
const gss_cred_id_t /*acceptor_cred_handle*/,
@ -433,25 +443,25 @@ OM_uint32 gss_accept_sec_context
gss_cred_id_t * /*delegated_cred_handle*/
);
OM_uint32 gss_process_context_token
OM_uint32 GSSAPI_LIB_FUNCTION gss_process_context_token
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*token_buffer*/
);
OM_uint32 gss_delete_sec_context
OM_uint32 GSSAPI_LIB_FUNCTION gss_delete_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*output_token*/
);
OM_uint32 gss_context_time
OM_uint32 GSSAPI_LIB_FUNCTION gss_context_time
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
OM_uint32 * /*time_rec*/
);
OM_uint32 gss_get_mic
OM_uint32 GSSAPI_LIB_FUNCTION gss_get_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_qop_t /*qop_req*/,
@ -459,7 +469,7 @@ OM_uint32 gss_get_mic
gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify_mic
OM_uint32 GSSAPI_LIB_FUNCTION gss_verify_mic
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*message_buffer*/,
@ -467,7 +477,7 @@ OM_uint32 gss_verify_mic
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_wrap
OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
@ -477,7 +487,7 @@ OM_uint32 gss_wrap
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unwrap
OM_uint32 GSSAPI_LIB_FUNCTION gss_unwrap
(OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t /*input_message_buffer*/,
@ -486,7 +496,7 @@ OM_uint32 gss_unwrap
gss_qop_t * /*qop_state*/
);
OM_uint32 gss_display_status
OM_uint32 GSSAPI_LIB_FUNCTION gss_display_status
(OM_uint32 * /*minor_status*/,
OM_uint32 /*status_value*/,
int /*status_type*/,
@ -495,54 +505,54 @@ OM_uint32 gss_display_status
gss_buffer_t /*status_string*/
);
OM_uint32 gss_indicate_mechs
OM_uint32 GSSAPI_LIB_FUNCTION gss_indicate_mechs
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*mech_set*/
);
OM_uint32 gss_compare_name
OM_uint32 GSSAPI_LIB_FUNCTION gss_compare_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*name1*/,
const gss_name_t /*name2*/,
int * /*name_equal*/
);
OM_uint32 gss_display_name
OM_uint32 GSSAPI_LIB_FUNCTION gss_display_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*output_name_buffer*/,
gss_OID * /*output_name_type*/
);
OM_uint32 gss_import_name
OM_uint32 GSSAPI_LIB_FUNCTION gss_import_name
(OM_uint32 * /*minor_status*/,
const gss_buffer_t /*input_name_buffer*/,
const gss_OID /*input_name_type*/,
gss_name_t * /*output_name*/
);
OM_uint32 gss_export_name
OM_uint32 GSSAPI_LIB_FUNCTION gss_export_name
(OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_buffer_t /*exported_name*/
);
OM_uint32 gss_release_name
OM_uint32 GSSAPI_LIB_FUNCTION gss_release_name
(OM_uint32 * /*minor_status*/,
gss_name_t * /*input_name*/
);
OM_uint32 gss_release_buffer
OM_uint32 GSSAPI_LIB_FUNCTION gss_release_buffer
(OM_uint32 * /*minor_status*/,
gss_buffer_t /*buffer*/
);
OM_uint32 gss_release_oid_set
OM_uint32 GSSAPI_LIB_FUNCTION gss_release_oid_set
(OM_uint32 * /*minor_status*/,
gss_OID_set * /*set*/
);
OM_uint32 gss_inquire_cred
OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred
(OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
gss_name_t * /*name*/,
@ -551,7 +561,7 @@ OM_uint32 gss_inquire_cred
gss_OID_set * /*mechanisms*/
);
OM_uint32 gss_inquire_context (
OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_context (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
gss_name_t * /*src_name*/,
@ -563,7 +573,7 @@ OM_uint32 gss_inquire_context (
int * /*open_context*/
);
OM_uint32 gss_wrap_size_limit (
OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap_size_limit (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
@ -572,7 +582,7 @@ OM_uint32 gss_wrap_size_limit (
OM_uint32 * /*max_input_size*/
);
OM_uint32 gss_add_cred (
OM_uint32 GSSAPI_LIB_FUNCTION gss_add_cred (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*input_cred_handle*/,
const gss_name_t /*desired_name*/,
@ -586,7 +596,7 @@ OM_uint32 gss_add_cred (
OM_uint32 * /*acceptor_time_rec*/
);
OM_uint32 gss_inquire_cred_by_mech (
OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred_by_mech (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*cred_handle*/,
const gss_OID /*mech_type*/,
@ -596,80 +606,81 @@ OM_uint32 gss_inquire_cred_by_mech (
gss_cred_usage_t * /*cred_usage*/
);
OM_uint32 gss_export_sec_context (
OM_uint32 GSSAPI_LIB_FUNCTION gss_export_sec_context (
OM_uint32 * /*minor_status*/,
gss_ctx_id_t * /*context_handle*/,
gss_buffer_t /*interprocess_token*/
);
OM_uint32 gss_import_sec_context (
OM_uint32 GSSAPI_LIB_FUNCTION gss_import_sec_context (
OM_uint32 * /*minor_status*/,
const gss_buffer_t /*interprocess_token*/,
gss_ctx_id_t * /*context_handle*/
);
OM_uint32 gss_create_empty_oid_set (
OM_uint32 GSSAPI_LIB_FUNCTION gss_create_empty_oid_set (
OM_uint32 * /*minor_status*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_add_oid_set_member (
OM_uint32 GSSAPI_LIB_FUNCTION gss_add_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member_oid*/,
gss_OID_set * /*oid_set*/
);
OM_uint32 gss_test_oid_set_member (
OM_uint32 GSSAPI_LIB_FUNCTION gss_test_oid_set_member (
OM_uint32 * /*minor_status*/,
const gss_OID /*member*/,
const gss_OID_set /*set*/,
int * /*present*/
);
OM_uint32 gss_inquire_names_for_mech (
OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_names_for_mech (
OM_uint32 * /*minor_status*/,
const gss_OID /*mechanism*/,
gss_OID_set * /*name_types*/
);
OM_uint32 gss_inquire_mechs_for_name (
OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_mechs_for_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
gss_OID_set * /*mech_types*/
);
OM_uint32 gss_canonicalize_name (
OM_uint32 GSSAPI_LIB_FUNCTION gss_canonicalize_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*input_name*/,
const gss_OID /*mech_type*/,
gss_name_t * /*output_name*/
);
OM_uint32 gss_duplicate_name (
OM_uint32 GSSAPI_LIB_FUNCTION gss_duplicate_name (
OM_uint32 * /*minor_status*/,
const gss_name_t /*src_name*/,
gss_name_t * /*dest_name*/
);
OM_uint32 gss_duplicate_oid (
OM_uint32 GSSAPI_LIB_FUNCTION gss_duplicate_oid (
OM_uint32 * /* minor_status */,
gss_OID /* src_oid */,
gss_OID * /* dest_oid */
);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_release_oid
(OM_uint32 * /*minor_status*/,
gss_OID * /* oid */
);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_oid_to_str(
OM_uint32 * /*minor_status*/,
gss_OID /* oid */,
gss_buffer_t /* str */
);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_sec_context_by_oid(
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
@ -677,38 +688,38 @@ gss_inquire_sec_context_by_oid(
gss_buffer_set_t *data_set
);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_set_sec_context_option (OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
const gss_buffer_t value);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_set_cred_option (OM_uint32 *minor_status,
gss_cred_id_t *cred_handle,
const gss_OID object,
const gss_buffer_t value);
int
int GSSAPI_LIB_FUNCTION
gss_oid_equal(const gss_OID a, const gss_OID b);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_create_empty_buffer_set
(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_add_buffer_set_member
(OM_uint32 * minor_status,
const gss_buffer_t member_buffer,
gss_buffer_set_t *buffer_set);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_release_buffer_set
(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_cred_by_oid(OM_uint32 *minor_status,
const gss_cred_id_t cred_handle,
const gss_OID desired_object,
@ -721,7 +732,7 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status,
#define GSS_C_PRF_KEY_FULL 0
#define GSS_C_PRF_KEY_PARTIAL 1
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_pseudo_random
(OM_uint32 *minor_status,
gss_ctx_id_t context,
@ -742,7 +753,7 @@ gss_pseudo_random
* obsolete versions of these routines and their current forms.
*/
OM_uint32 gss_sign
OM_uint32 GSSAPI_LIB_FUNCTION gss_sign
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*qop_req*/,
@ -750,7 +761,7 @@ OM_uint32 gss_sign
gss_buffer_t /*message_token*/
);
OM_uint32 gss_verify
OM_uint32 GSSAPI_LIB_FUNCTION gss_verify
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*message_buffer*/,
@ -758,7 +769,7 @@ OM_uint32 gss_verify
int * /*qop_state*/
);
OM_uint32 gss_seal
OM_uint32 GSSAPI_LIB_FUNCTION gss_seal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
@ -768,7 +779,7 @@ OM_uint32 gss_seal
gss_buffer_t /*output_message_buffer*/
);
OM_uint32 gss_unseal
OM_uint32 GSSAPI_LIB_FUNCTION gss_unseal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/,
@ -781,18 +792,18 @@ OM_uint32 gss_unseal
*
*/
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_encapsulate_token(gss_buffer_t /* input_token */,
gss_OID /* oid */,
gss_buffer_t /* output_token */);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_decapsulate_token(gss_buffer_t /* input_token */,
gss_OID /* oid */,
gss_buffer_t /* output_token */);
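Review bot: The new `#ifndef BUILD_GSSAPI_LIB` block at the top of this section defines only the consumer (import) side of GSSAPI_LIB_FUNCTION / GSSAPI_LIB_VARIABLE; when BUILD_GSSAPI_LIB is set the header silently relies on the library build to have defined both macros before inclusion (presumably an export variant), and nothing says so or fails cleanly if they are missing. I'd add a comment on the block, `/* BUILD_GSSAPI_LIB: the library build must define GSSAPI_LIB_FUNCTION and GSSAPI_LIB_VARIABLE (export side) before including this header */`, or an `#else` branch that errors out when they are undefined. Separately, the _WIN32 definition combines the `_stdcall` calling convention with `__declspec(dllimport)` and every prototype places it after the return type (`OM_uint32 GSSAPI_LIB_FUNCTION gss_acquire_cred`); I'd confirm MSVC accepts `__declspec` in that position, since it is normally written before the return type, and consider separating the calling-convention macro from the linkage macro so the two can be placed independently.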


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gssapi_krb5.h 22655 2008-02-26 12:40:35Z lha $ */
/* $Id: gssapi_krb5.h 23420 2008-07-26 18:37:48Z lha $ */
#ifndef GSSAPI_KRB5_H_
#define GSSAPI_KRB5_H_
@ -46,12 +46,12 @@ extern "C" {
* This is for kerberos5 names.
*/
extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
extern gss_OID GSS_KRB5_NT_USER_NAME;
extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_USER_NAME;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_STRING_UID_NAME;
extern gss_OID GSS_KRB5_MECHANISM;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_MECHANISM;
/* for compatibility with MIT api */
@ -59,28 +59,30 @@ extern gss_OID GSS_KRB5_MECHANISM;
#define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME
/* Extensions set contexts options */
extern gss_OID GSS_KRB5_COPY_CCACHE_X;
extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X;
extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
extern gss_OID GSS_KRB5_SEND_TO_KDC_X;
extern gss_OID GSS_KRB5_SET_DEFAULT_REALM_X;
extern gss_OID GSS_KRB5_CCACHE_NAME_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_COPY_CCACHE_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_COMPAT_DES3_MIC_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SEND_TO_KDC_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_DEFAULT_REALM_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_CCACHE_NAME_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_TIME_OFFSET_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_TIME_OFFSET_X;
/* Extensions inquire context */
extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;
extern gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO;
extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X;
extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X;
extern gss_OID GSS_KRB5_GET_SUBKEY_X;
extern gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X;
extern gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X;
extern gss_OID GSS_KRB5_GET_AUTHTIME_X;
extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_SUBKEY_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_AUTHTIME_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
/* Extensions creds */
extern gss_OID GSS_KRB5_IMPORT_CRED_X;
extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X;
extern gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_IMPORT_CRED_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;
/*
* kerberos mechanism specific functions
@ -90,39 +92,42 @@ struct krb5_keytab_data;
struct krb5_ccache_data;
struct Principal;
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_ccache_name(OM_uint32 * /*minor_status*/,
const char * /*name */,
const char ** /*out_name */);
OM_uint32 gsskrb5_register_acceptor_identity
OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_register_acceptor_identity
(const char */*identity*/);
OM_uint32 gss_krb5_copy_ccache
OM_uint32 GSSAPI_LIB_FUNCTION krb5_gss_register_acceptor_identity
(const char */*identity*/);
OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_copy_ccache
(OM_uint32 */*minor*/,
gss_cred_id_t /*cred*/,
struct krb5_ccache_data */*out*/);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_import_cred(OM_uint32 */*minor*/,
struct krb5_ccache_data * /*in*/,
struct Principal * /*keytab_principal*/,
struct krb5_keytab_data * /*keytab*/,
gss_cred_id_t */*out*/);
OM_uint32 gss_krb5_get_tkt_flags
OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_get_tkt_flags
(OM_uint32 */*minor*/,
gss_ctx_id_t /*context_handle*/,
OM_uint32 */*tkt_flags*/);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_extract_authz_data_from_sec_context
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*ad_type*/,
gss_buffer_t /*ad_data*/);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_set_dns_canonicalize(int);
struct gsskrb5_send_to_kdc {
@ -130,30 +135,36 @@ struct gsskrb5_send_to_kdc {
void *ptr;
};
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_set_default_realm(const char *);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *);
struct EncryptionKey;
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_get_subkey(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_set_time_offset(int);
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_get_time_offset(int *);
/*
* Lucid - NFSv4 interface to GSS-API KRB5 to expose key material to
* do GSS content token handling in-kernel.
@ -196,19 +207,19 @@ typedef struct gss_krb5_lucid_context_version {
* Function declarations
*/
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
OM_uint32 version,
void **kctx);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
void *kctx);
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
gss_cred_id_t cred,
OM_uint32 num_enctypes,
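Review bot: `gsskrb5_set_time_offset(int)` and `gsskrb5_get_time_offset(int *)` are added without any comment on what the offset is (unit? relative to which clock?) or whether it is process-global, while the neighbouring groups of declarations each carry a short comment. A one-line comment above the pair stating the unit and scope, and naming the matching GSS_KRB5_SET_TIME_OFFSET_X / GSS_KRB5_GET_TIME_OFFSET_X context options declared earlier in this section, would make the contract readable from the header alone. Likewise `krb5_gss_register_acceptor_identity` appears to be an alias of `gsskrb5_register_acceptor_identity` (presumably for MIT API compatibility, like the `gss_krb5_nt_general_name` define above); a comment such as `/* MIT-compatible name for gsskrb5_register_acceptor_identity */` would say so.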


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gssapi_spnego.h 18335 2006-10-07 22:26:21Z lha $ */
/* $Id: gssapi_spnego.h 23025 2008-04-17 10:01:57Z lha $ */
#ifndef GSSAPI_SPNEGO_H_
#define GSSAPI_SPNEGO_H_
@ -48,7 +48,7 @@ extern "C" {
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
extern gss_OID GSS_SPNEGO_MECHANISM;
extern GSSAPI_LIB_VARIABLE gss_OID GSS_SPNEGO_MECHANISM;
#define gss_mech_spnego GSS_SPNEGO_MECHANISM
#ifdef __cplusplus


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: accept_sec_context.c 20199 2007-02-07 22:36:39Z lha $");
RCSID("$Id: accept_sec_context.c 23433 2008-07-26 18:44:26Z lha $");
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
@ -250,6 +250,62 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
return GSS_S_COMPLETE;
}
static OM_uint32
send_error_token(OM_uint32 *minor_status,
krb5_context context,
krb5_error_code kret,
krb5_principal server,
krb5_data *indata,
gss_buffer_t output_token)
{
krb5_principal ap_req_server = NULL;
krb5_error_code ret;
krb5_data outbuf;
/* build server from request if the acceptor had not selected one */
if (server == NULL) {
AP_REQ ap_req;
ret = krb5_decode_ap_req(context, indata, &ap_req);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _krb5_principalname2krb5_principal(context,
&ap_req_server,
ap_req.ticket.sname,
ap_req.ticket.realm);
free_AP_REQ(&ap_req);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
server = ap_req_server;
}
ret = krb5_mk_error(context, kret, NULL, NULL, NULL,
server, NULL, NULL, &outbuf);
if (ap_req_server)
krb5_free_principal(context, ap_req_server);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5_encapsulate(minor_status,
&outbuf,
output_token,
"\x03\x00",
GSS_KRB5_MECHANISM);
krb5_data_free (&outbuf);
if (ret)
return ret;
*minor_status = 0;
return GSS_S_CONTINUE_NEEDED;
}
static OM_uint32
gsskrb5_acceptor_start(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
@ -304,6 +360,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
{
krb5_rd_req_in_ctx in = NULL;
krb5_rd_req_out_ctx out = NULL;
krb5_principal server = NULL;
if (acceptor_cred)
server = acceptor_cred->principal;
kret = krb5_rd_req_in_ctx_alloc(context, &in);
if (kret == 0)
@ -319,17 +379,20 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
kret = krb5_rd_req_ctx(context,
&ctx->auth_context,
&indata,
(acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
server,
in, &out);
krb5_rd_req_in_ctx_free(context, in);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
return ret;
/*
* No reply in non-MUTUAL mode, but we don't know that its
* non-MUTUAL mode yet, thats inside the 8003 checksum.
*/
return send_error_token(minor_status, context, kret,
server, &indata, output_token);
}
/*
* We need to remember some data on the context_handle.
* we need to remember some data on the context_handle.
*/
kret = krb5_rd_req_out_get_ap_req_options(context, out,
&ap_options);
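Review bot: send_error_token ends with `*minor_status = 0; return GSS_S_CONTINUE_NEEDED;`, so when krb5_rd_req_ctx rejects an AP-REQ the acceptor-side application sees a normal "send this token and continue" result and never learns that authentication failed — the only copy of `kret` is the KRB-ERROR handed to the peer, and the context stays in the start state waiting for another token. That makes rejected authentication attempts invisible to local error handling and logging while the remote side gets the exact krb5 error code. As I read RFC 2743 an accept call may return an error token together with a failure major status, so I'd consider `*minor_status = kret; return GSS_S_FAILURE;` after filling output_token (or at least keeping `kret` in *minor_status), and a header comment on send_error_token stating that it builds a KRB-ERROR for the peer and what major status the caller should expect. The call site in the `@@ -319,17 +379,20 @@` hunk has the same consequence; gsskrb5_acceptor_start's body continues outside the hunk.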


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: delete_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
RCSID("$Id: delete_sec_context.c 23420 2008-07-26 18:37:48Z lha $");
OM_uint32
_gsskrb5_delete_sec_context(OM_uint32 * minor_status,
@ -61,6 +61,8 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_free (context, ctx->auth_context);
if (ctx->kcred)
krb5_free_creds(context, ctx->kcred);
if(ctx->source)
krb5_free_principal (context, ctx->source);
if(ctx->target)


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: display_status.c 19031 2006-11-13 18:02:57Z lha $");
RCSID("$Id: display_status.c 23316 2008-06-23 04:32:32Z lha $");
static const char *
calling_error(OM_uint32 v)
@ -135,7 +135,7 @@ _gsskrb5_set_status (const char *fmt, ...)
vasprintf(&str, fmt, args);
va_end(args);
if (str) {
krb5_set_error_string(context, str);
krb5_set_error_message(context, 0, str);
free(str);
}
}
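Review bot: `krb5_set_error_message(context, 0, str)` passes the already-formatted message as the printf-style format argument, so any `%` that arrived through the caller's arguments is interpreted a second time with no matching arguments — wrong error text at best, an out-of-bounds read at worst — which the replaced `krb5_set_error_string` call did not have. Either pass it as data, `krb5_set_error_message(context, 0, "%s", str);`, or drop the vasprintf/free round-trip entirely and forward the original list, `krb5_vset_error_message(context, 0, fmt, args);`, if this tree provides it. `_gsskrb5_set_status` starts outside the hunk.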


@ -34,7 +34,7 @@
#include "krb5/gsskrb5_locl.h"
#include <gssapi_mech.h>
RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $");
RCSID("$Id: external.c 23420 2008-07-26 18:37:48Z lha $");
/*
* The implementation must reserve static storage for a
@ -49,9 +49,10 @@ RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $");
*/
static gss_OID_desc gss_c_nt_user_name_oid_desc =
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")};
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")};
gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_USER_NAME =
&gss_c_nt_user_name_oid_desc;
/*
* The implementation must reserve static storage for a
@ -66,9 +67,10 @@ gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
*/
static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc =
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")};
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")};
gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_MACHINE_UID_NAME =
&gss_c_nt_machine_uid_name_oid_desc;
/*
* The implementation must reserve static storage for a
@ -83,9 +85,10 @@ gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
*/
static gss_OID_desc gss_c_nt_string_uid_name_oid_desc =
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")};
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")};
gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_STRING_UID_NAME =
&gss_c_nt_string_uid_name_oid_desc;
/*
* The implementation must reserve static storage for a
@ -106,9 +109,10 @@ gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
*/
static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc =
{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")};
{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")};
gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_HOSTBASED_SERVICE_X =
&gss_c_nt_hostbased_service_x_oid_desc;
/*
* The implementation must reserve static storage for a
@ -122,9 +126,10 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
* to point to that gss_OID_desc.
*/
static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")};
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")};
gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_HOSTBASED_SERVICE =
&gss_c_nt_hostbased_service_oid_desc;
/*
* The implementation must reserve static storage for a
@ -138,9 +143,10 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
*/
static gss_OID_desc gss_c_nt_anonymous_oid_desc =
{6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")};
{6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")};
gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_ANONYMOUS =
&gss_c_nt_anonymous_oid_desc;
/*
* The implementation must reserve static storage for a
@ -154,9 +160,10 @@ gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
*/
static gss_OID_desc gss_c_nt_export_name_oid_desc =
{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") };
{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") };
gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_EXPORT_NAME =
&gss_c_nt_export_name_oid_desc;
/*
* This name form shall be represented by the Object Identifier {iso(1)
@ -166,9 +173,10 @@ gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
*/
static gss_OID_desc gss_krb5_nt_principal_name_oid_desc =
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") };
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") };
gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_PRINCIPAL_NAME =
&gss_krb5_nt_principal_name_oid_desc;
/*
* This name form shall be represented by the Object Identifier {iso(1)
@ -177,7 +185,8 @@ gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
* type is "GSS_KRB5_NT_USER_NAME".
*/
gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_USER_NAME =
&gss_c_nt_user_name_oid_desc;
/*
* This name form shall be represented by the Object Identifier {iso(1)
@ -186,7 +195,8 @@ gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
* this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
*/
gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_MACHINE_UID_NAME =
&gss_c_nt_machine_uid_name_oid_desc;
/*
* This name form shall be represented by the Object Identifier {iso(1)
@ -195,7 +205,8 @@ gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
* this type is "GSS_KRB5_NT_STRING_UID_NAME".
*/
gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_STRING_UID_NAME =
&gss_c_nt_string_uid_name_oid_desc;
/*
* To support ongoing experimentation, testing, and evolution of the
@ -217,14 +228,15 @@ gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
#if 0 /* This is the old OID */
static gss_OID_desc gss_krb5_mechanism_oid_desc =
{5, rk_UNCONST("\x2b\x05\x01\x05\x02")};
{5, rk_UNCONST("\x2b\x05\x01\x05\x02")};
#endif
static gss_OID_desc gss_krb5_mechanism_oid_desc =
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_MECHANISM =
&gss_krb5_mechanism_oid_desc;
/*
* draft-ietf-cat-iakerb-09, IAKERB:
@ -240,23 +252,26 @@ gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
*/
static gss_OID_desc gss_iakerb_proxy_mechanism_oid_desc =
{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")};
{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")};
gss_OID GSS_IAKERB_PROXY_MECHANISM = &gss_iakerb_proxy_mechanism_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_IAKERB_PROXY_MECHANISM =
&gss_iakerb_proxy_mechanism_oid_desc;
static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc =
{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") };
{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") };
gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_IAKERB_MIN_MSG_MECHANISM =
&gss_iakerb_min_msg_mechanism_oid_desc;
/*
*
*/
static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc =
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"};
{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"};
gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_C_PEER_HAS_UPDATED_SPNEGO =
&gss_c_peer_has_updated_spnego_oid_desc;
/*
* 1.2.752.43.13 Heimdal GSS-API Extentions
@ -264,111 +279,143 @@ gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc;
/* 1.2.752.43.13.1 */
static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")};
gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_COPY_CCACHE_X =
&gss_krb5_copy_ccache_x_oid_desc;
/* 1.2.752.43.13.2 */
static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")};
gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_TKT_FLAGS_X =
&gss_krb5_get_tkt_flags_x_oid_desc;
/* 1.2.752.43.13.3 */
static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")};
gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X =
&gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
/* 1.2.752.43.13.4 */
static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")};
gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_COMPAT_DES3_MIC_X =
&gss_krb5_compat_des3_mic_x_oid_desc;
/* 1.2.752.43.13.5 */
static gss_OID_desc gss_krb5_register_acceptor_identity_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = &gss_krb5_register_acceptor_identity_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X =
&gss_krb5_register_acceptor_identity_x_desc;
/* 1.2.752.43.13.6 */
static gss_OID_desc gss_krb5_export_lucid_context_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")};
gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X = &gss_krb5_export_lucid_context_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXPORT_LUCID_CONTEXT_X =
&gss_krb5_export_lucid_context_x_desc;
/* 1.2.752.43.13.6.1 */
static gss_OID_desc gss_krb5_export_lucid_context_v1_x_desc =
{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")};
{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")};
gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = &gss_krb5_export_lucid_context_v1_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X =
&gss_krb5_export_lucid_context_v1_x_desc;
/* 1.2.752.43.13.7 */
static gss_OID_desc gss_krb5_set_dns_canonicalize_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")};
gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X = &gss_krb5_set_dns_canonicalize_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_DNS_CANONICALIZE_X =
&gss_krb5_set_dns_canonicalize_x_desc;
/* 1.2.752.43.13.8 */
static gss_OID_desc gss_krb5_get_subkey_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")};
gss_OID GSS_KRB5_GET_SUBKEY_X = &gss_krb5_get_subkey_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_SUBKEY_X =
&gss_krb5_get_subkey_x_desc;
/* 1.2.752.43.13.9 */
static gss_OID_desc gss_krb5_get_initiator_subkey_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")};
gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X = &gss_krb5_get_initiator_subkey_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_INITIATOR_SUBKEY_X =
&gss_krb5_get_initiator_subkey_x_desc;
/* 1.2.752.43.13.10 */
static gss_OID_desc gss_krb5_get_acceptor_subkey_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")};
gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = &gss_krb5_get_acceptor_subkey_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_ACCEPTOR_SUBKEY_X =
&gss_krb5_get_acceptor_subkey_x_desc;
/* 1.2.752.43.13.11 */
static gss_OID_desc gss_krb5_send_to_kdc_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")};
gss_OID GSS_KRB5_SEND_TO_KDC_X = &gss_krb5_send_to_kdc_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SEND_TO_KDC_X =
&gss_krb5_send_to_kdc_x_desc;
/* 1.2.752.43.13.12 */
static gss_OID_desc gss_krb5_get_authtime_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")};
gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_AUTHTIME_X =
&gss_krb5_get_authtime_x_desc;
/* 1.2.752.43.13.13 */
static gss_OID_desc gss_krb5_get_service_keyblock_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_SERVICE_KEYBLOCK_X =
&gss_krb5_get_service_keyblock_x_desc;
/* 1.2.752.43.13.14 */
static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")};
gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X =
&gss_krb5_set_allowable_enctypes_x_desc;
/* 1.2.752.43.13.15 */
static gss_OID_desc gss_krb5_set_default_realm_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")};
gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_DEFAULT_REALM_X =
&gss_krb5_set_default_realm_x_desc;
/* 1.2.752.43.13.16 */
static gss_OID_desc gss_krb5_ccache_name_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")};
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")};
gss_OID GSS_KRB5_CCACHE_NAME_X = &gss_krb5_ccache_name_x_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_CCACHE_NAME_X =
&gss_krb5_ccache_name_x_desc;
/* 1.2.752.43.13.17 */
static gss_OID_desc gss_krb5_set_time_offset_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")};
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_TIME_OFFSET_X =
&gss_krb5_set_time_offset_x_desc;
/* 1.2.752.43.13.18 */
static gss_OID_desc gss_krb5_get_time_offset_x_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")};
gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_TIME_OFFSET_X =
&gss_krb5_get_time_offset_x_desc;
/* 1.2.752.43.14.1 */
static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc;
gss_OID GSSAPI_LIB_VARIABLE GSS_SASL_DIGEST_MD5_MECHANISM =
&gss_sasl_digest_md5_mechanism_desc;
/*
* Context for krb5 calls.
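Review bot: The new `gss_krb5_set_time_offset_x_desc` takes arc 1.2.752.43.13.17 (`"\x2a\x85\x70\x2b\x0d\x11"`), yet set_cred_option.c in this same commit still labels `gss_krb5_cred_no_ci_flags_x_oid_desc` with `/* 1.2.752.43.13.17 */`; if that OID's encoding matches its comment, two different extensions share an OID and `gss_oid_equal` dispatch in the option setters becomes ambiguous. Either the comment is stale or one of the arcs has to move (the next free one appears to be .13.19); the encoded bytes of the cred option are not visible here, so this needs checking against that file. A registry comment above the `1.2.752.43.13` block listing the allocated sub-arcs and their owners would prevent this class of collision. Minor: `gss_c_peer_has_updated_spnego_oid_desc` keeps a bare `(void *)` cast where every neighbouring definition uses `rk_UNCONST`.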


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: get_mic.c 19031 2006-11-13 18:02:57Z lha $");
RCSID("$Id: get_mic.c 23112 2008-04-27 18:51:26Z lha $");
static OM_uint32
mic_des
@ -88,7 +88,7 @@ mic_des
memset (&zero, 0, sizeof(zero));
memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
&schedule, &zero);
memcpy (p - 8, hash, 8); /* SGN_CKSUM */
@ -108,7 +108,7 @@ mic_des
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
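Review bot: Switching both calls to `DES_set_key_unchecked` drops whatever weak-key/parity validation `DES_set_key` performed (on hcrypto the checked variant, on OpenSSL dependent on a global flag), and nothing here compensates; it is defensible only because the original return value was already ignored, so a rejected key previously left `schedule` uninitialised and was used anyway, which is worse. That reasoning should be recorded next to the first call: `/* unchecked on purpose: the DES session key was validated when derived, and a checked variant's failure was never handled here */`. mic_des starts before this hunk.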


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gsskrb5_locl.h 22655 2008-02-26 12:40:35Z lha $ */
/* $Id: gsskrb5_locl.h 23435 2008-07-26 20:49:35Z lha $ */
#ifndef GSSKRB5_LOCL_H
#define GSSKRB5_LOCL_H
@ -62,11 +62,14 @@ typedef struct {
enum { LOCAL = 1, OPEN = 2,
COMPAT_OLD_DES3 = 4,
COMPAT_OLD_DES3_SELECTED = 8,
ACCEPTOR_SUBKEY = 16
ACCEPTOR_SUBKEY = 16,
RETRIED = 32,
CLOSE_CCACHE = 64
} more_flags;
enum gss_ctx_id_t_state {
/* initiator states */
INITIATOR_START,
INITIATOR_RESTART,
INITIATOR_WAIT_FOR_MUTAL,
INITIATOR_READY,
/* acceptor states */
@ -74,6 +77,8 @@ typedef struct {
ACCEPTOR_WAIT_FOR_DCESTYLE,
ACCEPTOR_READY
} state;
krb5_creds *kcred;
krb5_ccache ccache;
struct krb5_ticket *ticket;
OM_uint32 lifetime;
HEIMDAL_MUTEX ctx_id_mutex;
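Review bot: The new `kcred`/`ccache` members and the `CLOSE_CCACHE`/`RETRIED` flags carry no ownership or lifetime comment, and init_sec_context.c depends on a non-obvious rule: `ccache` is closed only when `CLOSE_CCACHE` is set (it came from `krb5_cc_default`), otherwise it is borrowed from the `gsskrb5_cred`. Suggest `krb5_creds *kcred;   /* owned; released in initiator_ready / delete_sec_context */`, `krb5_ccache ccache;  /* owned iff more_flags & CLOSE_CCACHE, else borrowed from the cred */` and `RETRIED = 32, /* one INITIATOR_RESTART after KRB5KRB_AP_ERR_SKEW already taken */`. Since delete_sec_context now frees `kcred` whenever it is non-NULL, every allocator of a gsskrb5_ctx (import_sec_context included) must zero both pointers; whether import_sec_context does is not visible in its hunk. The struct begins before this hunk.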


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: import_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
RCSID("$Id: import_sec_context.c 22997 2008-04-15 19:36:25Z lha $");
OM_uint32
_gsskrb5_import_sec_context (
@ -52,8 +52,7 @@ _gsskrb5_import_sec_context (
krb5_data data;
gss_buffer_desc buffer;
krb5_keyblock keyblock;
int32_t tmp;
int32_t flags;
int32_t flags, tmp;
gsskrb5_ctx ctx;
gss_name_t name;
@ -96,8 +95,9 @@ _gsskrb5_import_sec_context (
/* retrieve the auth context */
ac = ctx->auth_context;
if (krb5_ret_uint32 (sp, &ac->flags) != 0)
if (krb5_ret_int32 (sp, &tmp) != 0)
goto failure;
ac->flags = tmp;
if (flags & SC_LOCAL_ADDRESS) {
if (krb5_ret_address (sp, localp = &local) != 0)
goto failure;


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: init_sec_context.c 22671 2008-03-09 23:57:54Z lha $");
RCSID("$Id: init_sec_context.c 23422 2008-07-26 18:38:29Z lha $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@ -121,6 +121,8 @@ _gsskrb5_create_ctx(
ctx->auth_context = NULL;
ctx->source = NULL;
ctx->target = NULL;
ctx->kcred = NULL;
ctx->ccache = NULL;
ctx->state = state;
ctx->flags = 0;
ctx->more_flags = 0;
@ -134,9 +136,7 @@ _gsskrb5_create_ctx(
kret = krb5_auth_con_init (context, &ctx->auth_context);
if (kret) {
*minor_status = kret;
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
@ -237,9 +237,14 @@ gsskrb5_initiator_ready(
int is_cfx = 0;
OM_uint32 flags = ctx->flags;
krb5_auth_getremoteseqnumber (context,
ctx->auth_context,
&seq_number);
krb5_free_creds(context, ctx->kcred);
ctx->kcred = NULL;
if (ctx->more_flags & CLOSE_CCACHE)
krb5_cc_close(context, ctx->ccache);
ctx->ccache = NULL;
krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number);
_gsskrb5i_is_cfx(ctx, &is_cfx);
@ -333,7 +338,6 @@ init_auth
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
@ -343,14 +347,7 @@ init_auth
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_error_code kret;
krb5_flags ap_options;
krb5_creds *kcred = NULL;
krb5_data outbuf;
krb5_ccache ccache = NULL;
uint32_t flags;
krb5_data authenticator;
Checksum cksum;
krb5_enctype enctype;
krb5_data fwd_data;
OM_uint32 lifetime_rec;
@ -363,16 +360,17 @@ init_auth
*actual_mech_type = GSS_KRB5_MECHANISM;
if (cred == NULL) {
kret = krb5_cc_default (context, &ccache);
kret = krb5_cc_default (context, &ctx->ccache);
if (kret) {
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
ctx->more_flags |= CLOSE_CCACHE;
} else
ccache = cred->ccache;
ctx->ccache = cred->ccache;
kret = krb5_cc_get_principal (context, ccache, &ctx->source);
kret = krb5_cc_get_principal (context, ctx->ccache, &ctx->source);
if (kret) {
*minor_status = kret;
ret = GSS_S_FAILURE;
@ -407,16 +405,16 @@ init_auth
ret = gsskrb5_get_creds(minor_status,
context,
ccache,
ctx->ccache,
ctx,
ctx->target,
time_req,
time_rec,
&kcred);
&ctx->kcred);
if (ret)
goto failure;
ctx->lifetime = kcred->times.endtime;
ctx->lifetime = ctx->kcred->times.endtime;
ret = _gsskrb5_lifetime_left(minor_status,
context,
@ -434,17 +432,59 @@ init_auth
krb5_auth_con_setkey(context,
ctx->auth_context,
&kcred->session);
&ctx->kcred->session);
kret = krb5_auth_con_generatelocalsubkey(context,
ctx->auth_context,
&kcred->session);
&ctx->kcred->session);
if(kret) {
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
return GSS_S_COMPLETE;
failure:
if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE))
krb5_cc_close(context, ctx->ccache);
ctx->ccache = NULL;
return ret;
}
static OM_uint32
init_auth_restart
(OM_uint32 * minor_status,
gsskrb5_cred cred,
gsskrb5_ctx ctx,
krb5_context context,
OM_uint32 req_flags,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec
)
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_error_code kret;
krb5_flags ap_options;
krb5_data outbuf;
uint32_t flags;
krb5_data authenticator;
Checksum cksum;
krb5_enctype enctype;
krb5_data fwd_data, timedata;
int32_t offset = 0, oldoffset;
krb5_data_zero(&outbuf);
krb5_data_zero(&fwd_data);
*minor_status = 0;
/*
* If the credential doesn't have ok-as-delegate, check what local
* policy say about ok-as-delegate, default is FALSE that makes
@ -452,12 +492,24 @@ init_auth
* requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
* KDC doesn't set ok-as-delegate.
*/
if (!kcred->flags.b.ok_as_delegate) {
krb5_boolean delegate;
if (!ctx->kcred->flags.b.ok_as_delegate) {
krb5_boolean delegate, realm_setting;
krb5_data data;
krb5_appdefault_boolean(context,
"gssapi", name->realm,
"ok-as-delegate", FALSE, &delegate);
realm_setting = FALSE;
ret = krb5_cc_get_config(context, ctx->ccache, NULL,
"realm-config", &data);
if (ret == 0) {
/* XXX 1 is use ok-as-delegate */
if (data.length > 0 && (((unsigned char *)data.data)[0]) & 1)
realm_setting = TRUE;
krb5_data_free(&data);
}
krb5_appdefault_boolean(context, "gssapi", ctx->target->realm,
"ok-as-delegate", realm_setting,
&delegate);
if (delegate)
req_flags &= ~GSS_C_DELEG_FLAG;
}
@ -467,7 +519,8 @@ init_auth
if (req_flags & GSS_C_DELEG_FLAG)
do_delegation (context,
ctx->auth_context,
ccache, kcred, name, &fwd_data, &flags);
ctx->ccache, ctx->kcred, ctx->target,
&fwd_data, &flags);
if (req_flags & GSS_C_MUTUAL_FLAG) {
flags |= GSS_C_MUTUAL_FLAG;
@ -518,16 +571,33 @@ init_auth
enctype = ctx->auth_context->keyblock->keytype;
ret = krb5_cc_get_config(context, ctx->ccache, ctx->target,
"time-offset", &timedata);
if (ret == 0) {
if (timedata.length == 4) {
const u_char *p = timedata.data;
offset = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
}
krb5_data_free(&timedata);
}
if (offset) {
krb5_get_kdc_sec_offset (context, &oldoffset, NULL);
krb5_set_kdc_sec_offset (context, offset, -1);
}
kret = krb5_build_authenticator (context,
ctx->auth_context,
enctype,
kcred,
ctx->kcred,
&cksum,
NULL,
&authenticator,
KRB5_KU_AP_REQ_AUTH);
if (kret) {
if (offset)
krb5_set_kdc_sec_offset (context, oldoffset, -1);
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@ -535,11 +605,12 @@ init_auth
kret = krb5_build_ap_req (context,
enctype,
kcred,
ctx->kcred,
ap_options,
authenticator,
&outbuf);
if (offset)
krb5_set_kdc_sec_offset (context, oldoffset, -1);
if (kret) {
*minor_status = kret;
ret = GSS_S_FAILURE;
@ -552,16 +623,12 @@ init_auth
} else {
ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
(u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
krb5_data_free (&outbuf);
if (ret)
goto failure;
krb5_data_free (&outbuf);
}
krb5_free_creds(context, kcred);
free_Checksum(&cksum);
if (cred == NULL)
krb5_cc_close(context, ccache);
if (flags & GSS_C_MUTUAL_FLAG) {
ctx->state = INITIATOR_WAIT_FOR_MUTAL;
@ -570,15 +637,14 @@ init_auth
return gsskrb5_initiator_ready(minor_status, ctx, context);
failure:
if(kcred)
krb5_free_creds(context, kcred);
if (ccache && cred == NULL)
krb5_cc_close(context, ccache);
if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE))
krb5_cc_close(context, ctx->ccache);
ctx->ccache = NULL;
return ret;
}
static OM_uint32
repl_mutual
(OM_uint32 * minor_status,
@ -617,8 +683,46 @@ repl_mutual
&indata,
"\x02\x00",
GSS_KRB5_MECHANISM);
if (ret) {
/* XXX - Handle AP_ERROR */
if (ret == GSS_S_DEFECTIVE_TOKEN) {
/* check if there is an error token sent instead */
ret = _gsskrb5_decapsulate (minor_status,
input_token,
&indata,
"\x03\x00",
GSS_KRB5_MECHANISM);
if (ret == GSS_S_COMPLETE) {
KRB_ERROR error;
kret = krb5_rd_error(context, &indata, &error);
if (kret == 0) {
kret = krb5_error_from_rd_error(context, &error, NULL);
/* save the time skrew for this host */
if (kret == KRB5KRB_AP_ERR_SKEW) {
krb5_data timedata;
unsigned char p[4];
int32_t t = error.stime - time(NULL);
p[0] = (t >> 24) & 0xFF;
p[1] = (t >> 16) & 0xFF;
p[2] = (t >> 8) & 0xFF;
p[3] = (t >> 0) & 0xFF;
timedata.data = p;
timedata.length = sizeof(p);
krb5_cc_set_config(context, ctx->ccache, ctx->target,
"time-offset", &timedata);
if ((ctx->more_flags & RETRIED) == 0)
ctx->state = INITIATOR_RESTART;
ctx->more_flags |= RETRIED;
}
free_KRB_ERROR (&error);
}
*minor_status = kret;
return GSS_S_FAILURE;
}
return ret;
}
}
@ -661,30 +765,31 @@ repl_mutual
*ret_flags = ctx->flags;
if (req_flags & GSS_C_DCE_STYLE) {
int32_t con_flags;
int32_t local_seq, remote_seq;
krb5_data outbuf;
/* Do don't do sequence number for the mk-rep */
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE,
&con_flags);
/*
* So DCE_STYLE is strange. The client echos the seq number
* that the server used in the server's mk_rep in its own
* mk_rep(). After when done, it resets to it's own seq number
* for the gss_wrap calls.
*/
kret = krb5_mk_rep(context,
ctx->auth_context,
&outbuf);
krb5_auth_getremoteseqnumber(context, ctx->auth_context, &remote_seq);
krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &local_seq);
krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, remote_seq);
kret = krb5_mk_rep(context, ctx->auth_context, &outbuf);
if (kret) {
*minor_status = kret;
return GSS_S_FAILURE;
}
/* reset local seq number */
krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
output_token->length = outbuf.length;
output_token->value = outbuf.data;
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE,
NULL);
}
return gsskrb5_initiator_ready(minor_status, ctx, context);
@ -768,6 +873,7 @@ OM_uint32 _gsskrb5_init_sec_context
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
again:
switch (ctx->state) {
case INITIATOR_START:
ret = init_auth(minor_status,
@ -778,6 +884,20 @@ OM_uint32 _gsskrb5_init_sec_context
mech_type,
req_flags,
time_req,
input_token,
actual_mech_type,
output_token,
ret_flags,
time_rec);
if (ret != GSS_S_COMPLETE)
break;
/* FALL THOUGH */
case INITIATOR_RESTART:
ret = init_auth_restart(minor_status,
cred,
ctx,
context,
req_flags,
input_chan_bindings,
input_token,
actual_mech_type,
@ -798,6 +918,8 @@ OM_uint32 _gsskrb5_init_sec_context
output_token,
ret_flags,
time_rec);
if (ctx->state == INITIATOR_RESTART)
goto again;
break;
case INITIATOR_READY:
/*
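Review bot: In init_auth_restart the stored offset is decoded with `offset = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);`, where `p[0]` is promoted to `int`, so a negative offset (`p[0] >= 0x80`) shifts into the sign bit, which is undefined behaviour the optimiser may exploit; write `offset = (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);`. The offset itself comes from repl_mutual, which takes `stime` from a KRB-ERROR token that is not integrity protected, persists it via `krb5_cc_set_config` (return value ignored) and applies it to every later context for that target with no bound on magnitude; `RETRIED` caps the immediate retry, but a forged AP_ERR_SKEW still steers the authenticator timestamps the client emits from then on, so a sanity bound on `t` is worth considering. `ret`, the GSS major status, is also used to hold the `krb5_error_code` returned by `krb5_cc_get_config` in two places; `kret` keeps the two error domains apart. init_auth_restart, repl_mutual and _gsskrb5_init_sec_context all extend beyond the visible hunks.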


@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: set_cred_option.c 22655 2008-02-26 12:40:35Z lha $");
RCSID("$Id: set_cred_option.c 23331 2008-06-27 12:01:48Z lha $");
/* 1.2.752.43.13.17 */
static gss_OID_desc gss_krb5_cred_no_ci_flags_x_oid_desc =


@ -36,7 +36,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: set_sec_context_option.c 20384 2007-04-18 08:51:06Z lha $");
RCSID("$Id: set_sec_context_option.c 23420 2008-07-26 18:37:48Z lha $");
static OM_uint32
get_bool(OM_uint32 *minor_status,
@ -70,6 +70,36 @@ get_string(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
static OM_uint32
get_int32(OM_uint32 *minor_status,
const gss_buffer_t value,
OM_uint32 *ret)
{
*minor_status = 0;
if (value == NULL || value->length == 0)
*ret = 0;
else if (value->length == sizeof(*ret))
memcpy(ret, value->value, sizeof(*ret));
else
return GSS_S_UNAVAILABLE;
return GSS_S_COMPLETE;
}
static OM_uint32
set_int32(OM_uint32 *minor_status,
const gss_buffer_t value,
OM_uint32 set)
{
*minor_status = 0;
if (value->length == sizeof(set))
memcpy(value->value, &set, sizeof(set));
else
return GSS_S_UNAVAILABLE;
return GSS_S_COMPLETE;
}
OM_uint32
_gsskrb5_set_sec_context_option
(OM_uint32 *minor_status,
@ -185,6 +215,35 @@ _gsskrb5_set_sec_context_option
return GSS_S_FAILURE;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_TIME_OFFSET_X)) {
OM_uint32 offset;
time_t t;
maj_stat = get_int32(minor_status, value, &offset);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
t = time(NULL) + offset;
krb5_set_real_time(context, t, 0);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_TIME_OFFSET_X)) {
krb5_timestamp sec;
int32_t usec;
time_t t;
t = time(NULL);
krb5_us_timeofday (context, &sec, &usec);
maj_stat = set_int32(minor_status, value, sec - t);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
*minor_status = 0;
return GSS_S_COMPLETE;
}
*minor_status = EINVAL;
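Review bot: In the `GSS_KRB5_SET_TIME_OFFSET_X` branch `offset` is `OM_uint32`, so a negative offset from the caller (the normal case when the local clock is ahead) becomes a value near 2^32 in `t = time(NULL) + offset` wherever `time_t` is wider than 32 bits; convert explicitly, `t = time(NULL) + (int32_t)offset;`. set_int32 dereferences `value` without the NULL check that get_int32 performs, so `GSS_KRB5_GET_TIME_OFFSET_X` with `GSS_C_NO_BUFFER` crashes: `if (value == NULL || value->length != sizeof(set)) return GSS_S_UNAVAILABLE;`. Both helpers are named `int32` but move `OM_uint32` bytes with a raw `memcpy`, making the buffer host-endian; that should be documented where the OIDs are declared. _gsskrb5_set_sec_context_option continues outside the hunk.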


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: unwrap.c 19031 2006-11-13 18:02:57Z lha $");
RCSID("$Id: unwrap.c 23112 2008-04-27 18:51:26Z lha $");
static OM_uint32
unwrap_des
@ -93,7 +93,7 @@ unwrap_des
for (i = 0; i < sizeof(deskey); ++i)
deskey[i] ^= 0xf0;
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
memset (&zero, 0, sizeof(zero));
DES_cbc_encrypt ((void *)p,
(void *)p,
@ -119,7 +119,7 @@ unwrap_des
memset (&zero, 0, sizeof(zero));
memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
&schedule, &zero);
if (memcmp (p - 8, hash, 8) != 0)
@ -130,7 +130,7 @@ unwrap_des
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
p -= 16;
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)hash, DES_DECRYPT);


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: verify_mic.c 19031 2006-11-13 18:02:57Z lha $");
RCSID("$Id: verify_mic.c 23112 2008-04-27 18:51:26Z lha $");
static OM_uint32
verify_mic_des
@ -83,7 +83,7 @@ verify_mic_des
memset (&zero, 0, sizeof(zero));
memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
&schedule, &zero);
if (memcmp (p - 8, hash, 8) != 0) {
@ -97,7 +97,7 @@ verify_mic_des
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
p -= 16;
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)hash, DES_DECRYPT);
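Review bot: The checksum test immediately above the changed line, `if (memcmp (p - 8, hash, 8) != 0)`, is an early-exit byte compare on a MAC; since this code is being touched, replacing it with a constant-time compare (`ct_memcmp` if the tree provides one, otherwise an XOR-accumulate loop over the 8 bytes) is the usual hardening. The `DES_set_key_unchecked` switch itself matches get_mic.c/wrap.c/unwrap.c and is safe only because the return value was never examined. verify_mic_des starts before this hunk.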


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: wrap.c 19035 2006-11-14 09:49:56Z lha $");
RCSID("$Id: wrap.c 23316 2008-06-23 04:32:32Z lha $");
/*
* Return initiator subkey, or if that doesn't exists, the subkey.
@ -61,7 +61,7 @@ _gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx,
ctx->auth_context,
key);
if (ret == 0 && *key == NULL) {
krb5_set_error_string(context, "No initiator subkey available");
krb5_set_error_message(context, 0, "No initiator subkey available");
return GSS_KRB5_S_KG_NO_SUBKEY;
}
return ret;
@ -85,7 +85,7 @@ _gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx,
key);
}
if (ret == 0 && *key == NULL) {
krb5_set_error_string(context, "No acceptor subkey available");
krb5_set_error_message(context, 0, "No acceptor subkey available");
return GSS_KRB5_S_KG_NO_SUBKEY;
}
return ret;
@ -106,7 +106,7 @@ _gsskrb5i_get_token_key(const gsskrb5_ctx ctx,
_gsskrb5i_get_initiator_subkey(ctx, context, key);
}
if (*key == NULL) {
krb5_set_error_string(context, "No token key available");
krb5_set_error_message(context, 0, "No token key available");
return GSS_KRB5_S_KG_NO_SUBKEY;
}
return 0;
@ -259,7 +259,7 @@ wrap_des
memset (&zero, 0, sizeof(zero));
memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
&schedule, &zero);
memcpy (p - 8, hash, 8);
@ -279,7 +279,7 @@ wrap_des
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
@ -296,7 +296,7 @@ wrap_des
for (i = 0; i < sizeof(deskey); ++i)
deskey[i] ^= 0xf0;
DES_set_key (&deskey, &schedule);
DES_set_key_unchecked (&deskey, &schedule);
memset (&zero, 0, sizeof(zero));
DES_cbc_encrypt ((void *)p,
(void *)p,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_acquire_cred.c 21478 2007-07-10 16:32:01Z lha $");
RCSID("$Id: gss_acquire_cred.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_acquire_cred(OM_uint32 *minor_status,
const gss_name_t desired_name,
OM_uint32 time_req,


@ -27,7 +27,7 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_add_cred.c 21474 2007-07-10 16:30:23Z lha $");
RCSID("$Id: gss_add_cred.c 23025 2008-04-17 10:01:57Z lha $");
static struct _gss_mechanism_cred *
_gss_copy_cred(struct _gss_mechanism_cred *mc)
@ -71,7 +71,7 @@ _gss_copy_cred(struct _gss_mechanism_cred *mc)
return (new_mc);
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_add_cred(OM_uint32 *minor_status,
const gss_cred_id_t input_cred_handle,
const gss_name_t desired_name,


@ -32,9 +32,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_add_oid_set_member.c 18817 2006-10-22 09:36:13Z lha $");
RCSID("$Id: gss_add_oid_set_member.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_add_oid_set_member (OM_uint32 * minor_status,
const gss_OID member_oid,
gss_OID_set * oid_set)


@ -31,9 +31,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_buffer_set.c 18885 2006-10-24 21:53:02Z lha $");
RCSID("$Id: gss_buffer_set.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_create_empty_buffer_set
(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set)
@ -55,7 +55,7 @@ gss_create_empty_buffer_set
return GSS_S_COMPLETE;
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_add_buffer_set_member
(OM_uint32 * minor_status,
const gss_buffer_t member_buffer,
@ -97,7 +97,7 @@ gss_add_buffer_set_member
return GSS_S_COMPLETE;
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_release_buffer_set(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set)
{


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_canonicalize_name.c 21476 2007-07-10 16:31:27Z lha $");
RCSID("$Id: gss_canonicalize_name.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_canonicalize_name(OM_uint32 *minor_status,
const gss_name_t input_name,
const gss_OID mech_type,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_compare_name.c 21475 2007-07-10 16:31:03Z lha $");
RCSID("$Id: gss_compare_name.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_compare_name(OM_uint32 *minor_status,
const gss_name_t name1_arg,
const gss_name_t name2_arg,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_context_time.c 17700 2006-06-28 09:00:26Z lha $");
RCSID("$Id: gss_context_time.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_context_time(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
OM_uint32 *time_rec)


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_create_empty_oid_set.c 19951 2007-01-17 10:14:58Z lha $");
RCSID("$Id: gss_create_empty_oid_set.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_create_empty_oid_set(OM_uint32 *minor_status,
gss_OID_set *oid_set)
{


@ -32,9 +32,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_decapsulate_token.c 19951 2007-01-17 10:14:58Z lha $");
RCSID("$Id: gss_decapsulate_token.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_decapsulate_token(gss_buffer_t input_token,
gss_OID oid,
gss_buffer_t output_token)


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_delete_sec_context.c 19951 2007-01-17 10:14:58Z lha $");
RCSID("$Id: gss_delete_sec_context.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_delete_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token)


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_display_name.c 21246 2007-06-20 15:25:19Z lha $");
RCSID("$Id: gss_display_name.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_display_name(OM_uint32 *minor_status,
const gss_name_t input_name,
gss_buffer_t output_name_buffer,


@ -59,7 +59,7 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_display_status.c 21247 2007-06-21 00:37:27Z lha $");
RCSID("$Id: gss_display_status.c 23025 2008-04-17 10:01:57Z lha $");
static const char *
calling_error(OM_uint32 v)
@ -136,7 +136,7 @@ supplementary_error(OM_uint32 v)
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_display_status(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,


@ -32,9 +32,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_encapsulate_token.c 19954 2007-01-17 11:50:23Z lha $");
RCSID("$Id: gss_encapsulate_token.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_encapsulate_token(gss_buffer_t input_token,
gss_OID oid,
gss_buffer_t output_token)


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_export_name.c 19954 2007-01-17 11:50:23Z lha $");
RCSID("$Id: gss_export_name.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_export_name(OM_uint32 *minor_status,
const gss_name_t input_name,
gss_buffer_t exported_name)


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_export_sec_context.c 19954 2007-01-17 11:50:23Z lha $");
RCSID("$Id: gss_export_sec_context.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_export_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token)


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_get_mic.c 19954 2007-01-17 11:50:23Z lha $");
RCSID("$Id: gss_get_mic.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_get_mic(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_qop_t qop_req,


@ -27,7 +27,7 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_import_name.c 19954 2007-01-17 11:50:23Z lha $");
RCSID("$Id: gss_import_name.c 23025 2008-04-17 10:01:57Z lha $");
static OM_uint32
_gss_import_export_name(OM_uint32 *minor_status,
@ -139,7 +139,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
return (GSS_S_COMPLETE);
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_import_name(OM_uint32 *minor_status,
const gss_buffer_t input_name_buffer,
const gss_OID input_name_type,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_import_sec_context.c 19956 2007-01-17 12:04:16Z lha $");
RCSID("$Id: gss_import_sec_context.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_import_sec_context(OM_uint32 *minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_indicate_mechs.c 17803 2006-07-05 22:36:49Z lha $");
RCSID("$Id: gss_indicate_mechs.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_indicate_mechs(OM_uint32 *minor_status,
gss_OID_set *mech_set)
{


@ -27,7 +27,7 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_init_sec_context.c 21479 2007-07-10 16:32:19Z lha $");
RCSID("$Id: gss_init_sec_context.c 23025 2008-04-17 10:01:57Z lha $");
static gss_cred_id_t
_gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
@ -45,7 +45,7 @@ _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
return GSS_C_NO_CREDENTIAL;
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_init_sec_context(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_inquire_context.c 21125 2007-06-18 20:11:07Z lha $");
RCSID("$Id: gss_inquire_context.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_context(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
gss_name_t *src_name,


@ -27,7 +27,7 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_inquire_cred.c 20626 2007-05-08 13:56:49Z lha $");
RCSID("$Id: gss_inquire_cred.c 23025 2008-04-17 10:01:57Z lha $");
#define AUSAGE 1
#define IUSAGE 2
@ -43,7 +43,7 @@ updateusage(gss_cred_usage_t usage, int *usagemask)
*usagemask |= IUSAGE;
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_cred(OM_uint32 *minor_status,
const gss_cred_id_t cred_handle,
gss_name_t *name_ret,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_inquire_cred_by_mech.c 21124 2007-06-18 20:08:24Z lha $");
RCSID("$Id: gss_inquire_cred_by_mech.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_cred_by_mech(OM_uint32 *minor_status,
const gss_cred_id_t cred_handle,
const gss_OID mech_type,


@ -31,9 +31,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_inquire_cred_by_oid.c 19960 2007-01-17 15:09:24Z lha $");
RCSID("$Id: gss_inquire_cred_by_oid.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_cred_by_oid (OM_uint32 *minor_status,
const gss_cred_id_t cred_handle,
const gss_OID desired_object,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_inquire_mechs_for_name.c 17844 2006-07-20 02:04:00Z lha $");
RCSID("$Id: gss_inquire_mechs_for_name.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_mechs_for_name(OM_uint32 *minor_status,
const gss_name_t input_name,
gss_OID_set *mech_types)


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_inquire_names_for_mech.c 19960 2007-01-17 15:09:24Z lha $");
RCSID("$Id: gss_inquire_names_for_mech.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_names_for_mech(OM_uint32 *minor_status,
const gss_OID mechanism,
gss_OID_set *name_types)


@ -31,9 +31,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_inquire_sec_context_by_oid.c 19961 2007-01-17 15:57:51Z lha $");
RCSID("$Id: gss_inquire_sec_context_by_oid.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,


@ -27,13 +27,13 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_krb5.c 21889 2007-08-09 07:43:24Z lha $");
RCSID("$Id: gss_krb5.c 23420 2008-07-26 18:37:48Z lha $");
#include <krb5.h>
#include <roken.h>
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_copy_ccache(OM_uint32 *minor_status,
gss_cred_id_t cred,
krb5_ccache out)
@ -91,7 +91,7 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status,
return ret;
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_import_cred(OM_uint32 *minor_status,
krb5_ccache id,
krb5_principal keytab_principal,
@ -186,7 +186,7 @@ out:
return major_status;
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_register_acceptor_identity(const char *identity)
{
struct _gss_mech_switch *m;
@ -208,7 +208,14 @@ gsskrb5_register_acceptor_identity(const char *identity)
return (GSS_S_COMPLETE);
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
krb5_gss_register_acceptor_identity(const char *identity)
{
return gsskrb5_register_acceptor_identity(identity);
}
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_set_dns_canonicalize(int flag)
{
struct _gss_mech_switch *m;
@ -253,7 +260,7 @@ free_key(gss_krb5_lucid_key_t *key)
memset(key, 0, sizeof(*key));
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
OM_uint32 version,
@ -396,7 +403,7 @@ out:
return GSS_S_COMPLETE;
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c)
{
gss_krb5_lucid_context_v1_t *ctx = c;
@ -424,7 +431,7 @@ gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c)
*
*/
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
gss_cred_id_t cred,
OM_uint32 num_enctypes,
@ -478,7 +485,7 @@ out:
*
*/
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c)
{
struct _gss_mech_switch *m;
@ -509,7 +516,7 @@ gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c)
*
*/
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_ccache_name(OM_uint32 *minor_status,
const char *name,
const char **out_name)
@ -541,7 +548,7 @@ gss_krb5_ccache_name(OM_uint32 *minor_status,
*
*/
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
time_t *authtime)
@ -596,7 +603,7 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
*
*/
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int ad_type,
@ -769,7 +776,7 @@ out:
*
*/
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
krb5_keyblock **keyblock)
@ -780,7 +787,7 @@ gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
keyblock);
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
krb5_keyblock **keyblock)
@ -791,7 +798,7 @@ gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
keyblock);
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_get_subkey(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
krb5_keyblock **keyblock)
@ -802,7 +809,7 @@ gsskrb5_get_subkey(OM_uint32 *minor_status,
keyblock);
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_set_default_realm(const char *realm)
{
struct _gss_mech_switch *m;
@ -824,7 +831,7 @@ gsskrb5_set_default_realm(const char *realm)
return (GSS_S_COMPLETE);
}
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_krb5_get_tkt_flags(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
OM_uint32 *tkt_flags)
@ -863,3 +870,53 @@ gss_krb5_get_tkt_flags(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_set_time_offset(int offset)
{
struct _gss_mech_switch *m;
gss_buffer_desc buffer;
OM_uint32 junk;
int32_t o = offset;
_gss_load_mech();
buffer.value = &o;
buffer.length = sizeof(o);
SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (m->gm_mech.gm_set_sec_context_option == NULL)
continue;
m->gm_mech.gm_set_sec_context_option(&junk, NULL,
GSS_KRB5_SET_TIME_OFFSET_X, &buffer);
}
return (GSS_S_COMPLETE);
}
OM_uint32 GSSAPI_LIB_FUNCTION
gsskrb5_get_time_offset(int *offset)
{
struct _gss_mech_switch *m;
gss_buffer_desc buffer;
OM_uint32 maj_stat, junk;
int32_t o;
_gss_load_mech();
buffer.value = &o;
buffer.length = sizeof(o);
SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (m->gm_mech.gm_set_sec_context_option == NULL)
continue;
maj_stat = m->gm_mech.gm_set_sec_context_option(&junk, NULL,
GSS_KRB5_GET_TIME_OFFSET_X, &buffer);
if (maj_stat == GSS_S_COMPLETE) {
*offset = o;
return maj_stat;
}
}
return (GSS_S_UNAVAILABLE);
}
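Review bot: `gsskrb5_set_time_offset` (hunk at -863) discards the status returned by each `gm_set_sec_context_option` call and always returns `GSS_S_COMPLETE`, so a caller cannot tell whether any mechanism actually applied the clock offset; the sibling `gsskrb5_get_time_offset` added in the same hunk does track `maj_stat` and returns `GSS_S_UNAVAILABLE` when no mechanism answers. Suggest the same shape here: capture the result as `maj_stat = m->gm_mech.gm_set_sec_context_option(&junk, NULL, GSS_KRB5_SET_TIME_OFFSET_X, &buffer);`, remember whether any call returned `GSS_S_COMPLETE`, and return `GSS_S_UNAVAILABLE` otherwise. A short comment on `int32_t o = offset;` saying that the option is deliberately passed as a fixed 32-bit value (presumably so the buffer has the same width regardless of the platform's `int`) would also help readers of both functions.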


@ -28,7 +28,7 @@
#include "mech_locl.h"
#include <heim_threads.h>
RCSID("$Id: gss_mech_switch.c 21698 2007-07-26 19:07:11Z lha $");
RCSID("$Id: gss_mech_switch.c 23471 2008-07-27 12:17:49Z lha $");
#ifndef _PATH_GSS_MECH
#define _PATH_GSS_MECH "/etc/gss/mech"
@ -46,7 +46,7 @@ static int
_gss_string_to_oid(const char* s, gss_OID oid)
{
int number_count, i, j;
int byte_count;
size_t byte_count;
const char *p, *q;
char *res;
@ -118,7 +118,7 @@ _gss_string_to_oid(const char* s, gss_OID oid)
* The number is encoded in seven bit chunks.
*/
unsigned int t;
int bytes;
unsigned int bytes;
bytes = 0;
for (t = number; t; t >>= 7)
@ -229,6 +229,7 @@ _gss_load_mech(void)
HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
return;
}
rk_cloexec_file(fp);
while (fgets(buf, sizeof(buf), fp)) {
if (*buf == '#')
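Review bot: In the hunk at -46, `byte_count` becomes `size_t` while `number_count`, `i` and `j` on the line above stay `int`; any comparison or subtraction between them in the rest of `_gss_string_to_oid` (which lies outside this hunk) is now a mixed-signedness operation, and a negative `int` would convert to a very large unsigned value. If such comparisons exist, either widen the counters as well or cast explicitly at the comparison, and build with `-Wsign-compare` to confirm nothing else is affected. The parallel change of `bytes` to `unsigned int` in the hunk at -118 looks safe on its own because `t`, the only value it is visibly paired with, is already unsigned.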


@ -32,9 +32,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_oid_equal.c 17702 2006-06-28 09:07:08Z lha $");
RCSID("$Id: gss_oid_equal.c 23025 2008-04-17 10:01:57Z lha $");
int
int GSSAPI_LIB_FUNCTION
gss_oid_equal(const gss_OID a, const gss_OID b)
{
if (a == b)


@ -32,9 +32,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_oid_to_str.c 21409 2007-07-04 14:19:11Z lha $");
RCSID("$Id: gss_oid_to_str.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
{
int ret;


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_process_context_token.c 17700 2006-06-28 09:00:26Z lha $");
RCSID("$Id: gss_process_context_token.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_process_context_token(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t token_buffer)


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_release_buffer.c 19962 2007-01-17 15:59:04Z lha $");
RCSID("$Id: gss_release_buffer.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_release_buffer(OM_uint32 *minor_status,
gss_buffer_t buffer)
{


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_release_cred.c 19963 2007-01-17 16:01:22Z lha $");
RCSID("$Id: gss_release_cred.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
{
struct _gss_cred *cred = (struct _gss_cred *) *cred_handle;


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_release_name.c 18812 2006-10-22 07:59:06Z lha $");
RCSID("$Id: gss_release_name.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_release_name(OM_uint32 *minor_status,
gss_name_t *input_name)
{


@ -33,9 +33,9 @@
#include "mech_locl.h"
RCSID("$Id: gss_release_oid.c 17747 2006-06-30 09:34:54Z lha $");
RCSID("$Id: gss_release_oid.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_release_oid(OM_uint32 *minor_status, gss_OID *oid)
{
gss_OID o = *oid;


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_release_oid_set.c 22144 2007-12-04 17:31:55Z lha $");
RCSID("$Id: gss_release_oid_set.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_release_oid_set(OM_uint32 *minor_status,
gss_OID_set *set)
{


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_seal.c 17700 2006-06-28 09:00:26Z lha $");
RCSID("$Id: gss_seal.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_seal(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,


@ -31,9 +31,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_set_cred_option.c 21126 2007-06-18 20:19:59Z lha $");
RCSID("$Id: gss_set_cred_option.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_set_cred_option (OM_uint32 *minor_status,
gss_cred_id_t *cred_handle,
const gss_OID object,


@ -31,9 +31,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_set_sec_context_option.c 19928 2007-01-16 10:37:54Z lha $");
RCSID("$Id: gss_set_sec_context_option.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_set_sec_context_option (OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID object,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_sign.c 17700 2006-06-28 09:00:26Z lha $");
RCSID("$Id: gss_sign.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_sign(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int qop_req,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_test_oid_set_member.c 17700 2006-06-28 09:00:26Z lha $");
RCSID("$Id: gss_test_oid_set_member.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_test_oid_set_member(OM_uint32 *minor_status,
const gss_OID member,
const gss_OID_set set,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_unseal.c 17700 2006-06-28 09:00:26Z lha $");
RCSID("$Id: gss_unseal.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_unseal(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t input_message_buffer,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_unwrap.c 17700 2006-06-28 09:00:26Z lha $");
RCSID("$Id: gss_unwrap.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_unwrap(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_verify.c 17700 2006-06-28 09:00:26Z lha $");
RCSID("$Id: gss_verify.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_verify(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
gss_buffer_t message_buffer,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_verify_mic.c 19965 2007-01-17 16:23:47Z lha $");
RCSID("$Id: gss_verify_mic.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_verify_mic(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
const gss_buffer_t message_buffer,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_wrap.c 19965 2007-01-17 16:23:47Z lha $");
RCSID("$Id: gss_wrap.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_wrap(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,


@ -27,9 +27,9 @@
*/
#include "mech_locl.h"
RCSID("$Id: gss_wrap_size_limit.c 19965 2007-01-17 16:23:47Z lha $");
RCSID("$Id: gss_wrap_size_limit.c 23025 2008-04-17 10:01:57Z lha $");
OM_uint32
OM_uint32 GSSAPI_LIB_FUNCTION
gss_wrap_size_limit(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,


@ -33,7 +33,7 @@
#include "spnego/spnego_locl.h"
RCSID("$Id: accept_sec_context.c 22600 2008-02-21 12:46:24Z lha $");
RCSID("$Id: accept_sec_context.c 23158 2008-05-02 09:45:28Z lha $");
static OM_uint32
send_reject (OM_uint32 *minor_status,
@ -376,6 +376,9 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
char mechbuf[64];
size_t mech_len;
gss_OID_desc oid;
gss_OID oidp;
gss_OID_set mechs;
int i;
OM_uint32 ret, junk;
ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
@ -396,27 +399,29 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
*minor_status = 0;
/* Translate broken MS Kebreros OID */
if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc)) {
gssapi_mech_interface mech;
if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc))
oidp = &_gss_spnego_krb5_mechanism_oid_desc;
else
oidp = &oid;
mech = __gss_get_mechanism(&_gss_spnego_krb5_mechanism_oid_desc);
if (mech == NULL)
ret = gss_indicate_mechs(&junk, &mechs);
if (ret)
return (ret);
for (i = 0; i < mechs->count; i++)
if (gss_oid_equal(&mechs->elements[i], oidp))
break;
if (i == mechs->count) {
gss_release_oid_set(&junk, &mechs);
return GSS_S_BAD_MECH;
ret = gss_duplicate_oid(minor_status,
&_gss_spnego_mskrb_mechanism_oid_desc,
mech_p);
} else {
gssapi_mech_interface mech;
mech = __gss_get_mechanism(&oid);
if (mech == NULL)
return GSS_S_BAD_MECH;
ret = gss_duplicate_oid(minor_status,
&mech->gm_mech_oid,
mech_p);
}
gss_release_oid_set(&junk, &mechs);
ret = gss_duplicate_oid(minor_status,
&oid, /* possibly this should be oidp */
mech_p);
if (verify_p) {
gss_name_t name = GSS_C_NO_NAME;
@ -635,9 +640,6 @@ acceptor_start
if (ctx->mech_src_name != GSS_C_NO_NAME)
gss_release_name(&junk, &ctx->mech_src_name);
if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
_gss_spnego_release_cred(&junk, &ctx->delegated_cred_id);
ret = gss_accept_sec_context(minor_status,
&ctx->negotiated_ctx_id,
mech_cred,
@ -649,19 +651,20 @@ acceptor_start
&ctx->mech_flags,
&ctx->mech_time_rec,
&mech_delegated_cred);
if (mech_delegated_cred && delegated_cred_handle) {
_gss_spnego_alloc_cred(&junk,
mech_delegated_cred,
delegated_cred_handle);
} else if (mech_delegated_cred != GSS_C_NO_CREDENTIAL)
gss_release_cred(&junk, &mech_delegated_cred);
if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
ctx->preferred_mech_type = preferred_mech_type;
ctx->negotiated_mech_type = preferred_mech_type;
if (ret == GSS_S_COMPLETE)
ctx->open = 1;
if (mech_delegated_cred && delegated_cred_handle)
ret = _gss_spnego_alloc_cred(&junk,
mech_delegated_cred,
delegated_cred_handle);
else
gss_release_cred(&junk, &mech_delegated_cred);
ret = acceptor_complete(minor_status,
ctx,
&get_mic,
@ -740,10 +743,6 @@ out:
*src_name = (gss_name_t)name;
}
}
if (delegated_cred_handle != NULL) {
*delegated_cred_handle = ctx->delegated_cred_id;
ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
}
}
if (mech_type != NULL)
@ -780,7 +779,7 @@ acceptor_continue
gss_cred_id_t *delegated_cred_handle
)
{
OM_uint32 ret, ret2, minor;
OM_uint32 ret, ret2, minor, junk;
NegotiationToken nt;
size_t nt_len;
NegTokenResp *na;
@ -836,27 +835,16 @@ acceptor_continue
if (mech_input_token != GSS_C_NO_BUFFER) {
gss_cred_id_t mech_cred;
gss_cred_id_t mech_delegated_cred;
gss_cred_id_t *mech_delegated_cred_p;
gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL;
if (acceptor_cred != NULL)
mech_cred = acceptor_cred->negotiated_cred_id;
else
mech_cred = GSS_C_NO_CREDENTIAL;
if (delegated_cred_handle != NULL) {
mech_delegated_cred = GSS_C_NO_CREDENTIAL;
mech_delegated_cred_p = &mech_delegated_cred;
} else {
mech_delegated_cred_p = NULL;
}
if (ctx->mech_src_name != GSS_C_NO_NAME)
gss_release_name(&minor, &ctx->mech_src_name);
if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
_gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
ret = gss_accept_sec_context(&minor,
&ctx->negotiated_ctx_id,
mech_cred,
@ -867,16 +855,16 @@ acceptor_continue
&obuf,
&ctx->mech_flags,
&ctx->mech_time_rec,
mech_delegated_cred_p);
if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
if (mech_delegated_cred_p != NULL &&
mech_delegated_cred != GSS_C_NO_CREDENTIAL) {
ret2 = _gss_spnego_alloc_cred(minor_status,
&mech_delegated_cred);
if (mech_delegated_cred && delegated_cred_handle) {
_gss_spnego_alloc_cred(&junk,
mech_delegated_cred,
&ctx->delegated_cred_id);
if (ret2 != GSS_S_COMPLETE)
ret = ret2;
}
delegated_cred_handle);
} else if (mech_delegated_cred != GSS_C_NO_CREDENTIAL)
gss_release_cred(&junk, &mech_delegated_cred);
if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
mech_output_token = &obuf;
}
if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
@ -958,10 +946,6 @@ acceptor_continue
*src_name = (gss_name_t)name;
}
}
if (delegated_cred_handle != NULL) {
*delegated_cred_handle = ctx->delegated_cred_id;
ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
}
}
if (mech_type != NULL)
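Review bot: The return value of `_gss_spnego_alloc_cred` is discarded at the new call in acceptor_start (hunk at -649) and again in acceptor_continue (hunk at -867), whereas the code the second hunk removes checked `ret2` and propagated the failure into `ret`. If the wrapper allocation fails, `mech_delegated_cred` is presumably neither wrapped nor released and the caller's `*delegated_cred_handle` is left in whatever state the helper put it, so the delegated credential leaks while the acceptor still reports success. Suggest, in both places, `ret2 = _gss_spnego_alloc_cred(&junk, mech_delegated_cred, delegated_cred_handle); if (ret2 != GSS_S_COMPLETE) { gss_release_cred(&junk, &mech_delegated_cred); ret = ret2; }` (acceptor_start needs a local for `ret2`). Separately, select_mech's hunk at -396 ships the open question `/* possibly this should be oidp */` in code; `&oid` and `oidp` differ only on the MS-Kerberos translation path, so the choice should be settled and the comment replaced by a statement of why that OID is the one returned. Both acceptor functions extend beyond the visible hunks.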


@ -32,7 +32,7 @@
#include "spnego/spnego_locl.h"
RCSID("$Id: compat.c 21866 2007-08-08 11:31:29Z lha $");
RCSID("$Id: compat.c 22688 2008-03-16 11:33:58Z lha $");
/*
* Apparently Microsoft got the OID wrong, and used
@ -76,7 +76,6 @@ OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
ctx->mech_flags = 0;
ctx->mech_time_rec = 0;
ctx->mech_src_name = GSS_C_NO_NAME;
ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
ctx->open = 0;
ctx->local = 0;
@ -124,8 +123,6 @@ OM_uint32 _gss_spnego_internal_delete_sec_context
if (ctx->initiator_mech_types.val != NULL)
free_MechTypeList(&ctx->initiator_mech_types);
_gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
gss_release_oid(&minor, &ctx->preferred_mech_type);
ctx->negotiated_mech_type = GSS_C_NO_OID;


@ -32,7 +32,7 @@
#include "spnego/spnego_locl.h"
RCSID("$Id: context_stubs.c 22604 2008-02-21 21:12:48Z lha $");
RCSID("$Id: context_stubs.c 22688 2008-03-16 11:33:58Z lha $");
static OM_uint32
spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
@ -907,7 +907,7 @@ OM_uint32 _gss_spnego_set_sec_context_option
return GSS_S_NO_CONTEXT;
}
ctx = (gssspnego_ctx)context_handle;
ctx = (gssspnego_ctx)*context_handle;
if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
return GSS_S_NO_CONTEXT;
@ -919,3 +919,31 @@ OM_uint32 _gss_spnego_set_sec_context_option
value);
}
OM_uint32
_gss_spnego_pseudo_random(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
int prf_key,
const gss_buffer_t prf_in,
ssize_t desired_output_len,
gss_buffer_t prf_out)
{
gssspnego_ctx ctx;
*minor_status = 0;
if (context_handle == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
ctx = (gssspnego_ctx)context_handle;
if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
return GSS_S_NO_CONTEXT;
return gss_pseudo_random(minor_status,
ctx->negotiated_ctx_id,
prf_key,
prf_in,
desired_output_len,
prf_out);
}


@ -32,7 +32,7 @@
#include "spnego/spnego_locl.h"
RCSID("$Id: cred_stubs.c 20619 2007-05-08 13:43:45Z lha $");
RCSID("$Id: cred_stubs.c 22688 2008-03-16 11:33:58Z lha $");
OM_uint32
_gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
@ -334,3 +334,23 @@ OM_uint32 _gss_spnego_inquire_cred_by_oid
return ret;
}
OM_uint32
_gss_spnego_set_cred_option (OM_uint32 *minor_status,
gss_cred_id_t *cred_handle,
const gss_OID object,
const gss_buffer_t value)
{
gssspnego_cred cred;
if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
*minor_status = 0;
return GSS_S_NO_CRED;
}
cred = (gssspnego_cred)*cred_handle;
return gss_set_cred_option(minor_status,
&cred->negotiated_cred_id,
object,
value);
}
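Review bot: `_gss_spnego_set_cred_option` rejects a NULL or empty `*cred_handle` but then forwards `&cred->negotiated_cred_id` to `gss_set_cred_option` without checking that the negotiated mechanism credential exists; the sibling `_gss_spnego_set_sec_context_option` in context_stubs.c does reject an unset `negotiated_ctx_id` with `GSS_S_NO_CONTEXT`. Because `gss_set_cred_option` takes a `gss_cred_id_t *`, handing it an empty inner handle presumably lets the mech-glue create or populate a credential behind the SPNEGO wrapper's back. Suggest `if (cred->negotiated_cred_id == GSS_C_NO_CREDENTIAL) return GSS_S_NO_CRED;` before the call, or a comment stating why forwarding an empty inner handle is intended.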


@ -33,7 +33,7 @@
#include "spnego/spnego_locl.h"
#include <gssapi_mech.h>
RCSID("$Id: external.c 22600 2008-02-21 12:46:24Z lha $");
RCSID("$Id: external.c 22688 2008-03-16 11:33:58Z lha $");
/*
* RFC2478, SPNEGO:
@ -57,8 +57,8 @@ static gssapi_mech_interface_desc spnego_mech = {
_gss_spnego_verify_mic,
_gss_spnego_wrap,
_gss_spnego_unwrap,
NULL,
NULL,
NULL, /* gm_display_status */
NULL, /* gm_indicate_mechs */
_gss_spnego_compare_name,
_gss_spnego_display_name,
_gss_spnego_import_name,
@ -74,7 +74,12 @@ static gssapi_mech_interface_desc spnego_mech = {
_gss_spnego_inquire_names_for_mech,
_gss_spnego_inquire_mechs_for_name,
_gss_spnego_canonicalize_name,
_gss_spnego_duplicate_name
_gss_spnego_duplicate_name,
_gss_spnego_inquire_sec_context_by_oid,
_gss_spnego_inquire_cred_by_oid,
_gss_spnego_set_sec_context_option,
_gss_spnego_set_cred_option,
_gss_spnego_pseudo_random
};
gssapi_mech_interface
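Review bot: The five entries appended to `spnego_mech` in the hunk at -74 are positional, so a slot added or reordered in the interface struct would silently bind a function to the wrong operation; the hunk at -57 in the same file just introduced `/* gm_display_status */`-style trailing comments for the NULL slots, and the new entries deserve the same labelling, e.g. `_gss_spnego_set_sec_context_option, /* gm_set_sec_context_option */`. If the project's C dialect allows it, designated initializers (`.gm_set_sec_context_option = _gss_spnego_set_sec_context_option,`) would make the binding compiler-checked instead of relying on order.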


@ -224,6 +224,15 @@ _gss_spnego_process_context_token (
const gss_ctx_id_t /*context_handle*/,
const gss_buffer_t token_buffer );
OM_uint32
_gss_spnego_pseudo_random (
OM_uint32 */*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*prf_key*/,
const gss_buffer_t /*prf_in*/,
ssize_t /*desired_output_len*/,
gss_buffer_t /*prf_out*/);
OM_uint32
_gss_spnego_release_cred (
OM_uint32 */*minor_status*/,
@ -250,6 +259,13 @@ _gss_spnego_seal (
int * /*conf_state*/,
gss_buffer_t output_message_buffer );
OM_uint32
_gss_spnego_set_cred_option (
OM_uint32 */*minor_status*/,
gss_cred_id_t */*cred_handle*/,
const gss_OID /*object*/,
const gss_buffer_t /*value*/);
OM_uint32
_gss_spnego_set_sec_context_option (
OM_uint32 * /*minor_status*/,


@ -30,7 +30,7 @@
* SUCH DAMAGE.
*/
/* $Id: spnego_locl.h 19411 2006-12-18 15:42:03Z lha $ */
/* $Id: spnego_locl.h 23161 2008-05-05 09:56:20Z lha $ */
#ifndef SPNEGO_LOCL_H
#define SPNEGO_LOCL_H
@ -86,7 +86,6 @@ typedef struct {
OM_uint32 mech_flags;
OM_uint32 mech_time_rec;
gss_name_t mech_src_name;
gss_cred_id_t delegated_cred_id;
unsigned int open : 1;
unsigned int local : 1;
unsigned int require_mic : 1;

source/heimdal/lib/hcrypto/aes.c Executable file → Normal file
