+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/**/
/* if status_type == GSS_C_GSS_CODE, return up to three error messages,
- for routine errors, call error, and status, in that order.
- message_context == 0 : print the routine error
- message_context == 1 : print the calling error
- message_context > 2 : print supplementary info bit (message_context-2)
+ for routine errors, call error, and status, in that order.
+ message_context == 0 : print the routine error
+ message_context == 1 : print the calling error
+ message_context > 2 : print supplementary info bit (message_context-2)
if status_type == GSS_C_MECH_CODE, return the output from error_message()
- */
+*/
OM_uint32
g_display_com_err_status(minor_status, status_value, status_string)
- OM_uint32 *minor_status;
- OM_uint32 status_value;
- gss_buffer_t status_string;
+ OM_uint32 *minor_status;
+ OM_uint32 status_value;
+ gss_buffer_t status_string;
{
- status_string->length = 0;
- status_string->value = NULL;
+ status_string->length = 0;
+ status_string->value = NULL;
- (void) gssint_initialize_library();
+ (void) gssint_initialize_library();
- if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
- status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ if (! g_make_string_buffer(((status_value == 0)?no_error:
+ error_message(status_value)),
+ status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/**/
static const char * const calling_error_string[] = {
- NULL,
- "A required input parameter could not be read",
- "A required input parameter could not be written",
- "A parameter was malformed",
+ NULL,
+ "A required input parameter could not be read",
+ "A required input parameter could not be written",
+ "A parameter was malformed",
};
-
+
static const char * const calling_error = "calling error";
#define GSS_CALLING_ERROR_STR(x) \
GSS_ERROR_STR((x), calling_error_string, GSS_CALLING_ERROR, \
- GSS_S_CALL_INACCESSIBLE_READ, GSS_S_CALL_BAD_STRUCTURE, \
- GSS_CALLING_ERROR_FIELD)
+ GSS_S_CALL_INACCESSIBLE_READ, GSS_S_CALL_BAD_STRUCTURE, \
+ GSS_CALLING_ERROR_FIELD)
/**/
static const char * const routine_error_string[] = {
- NULL,
- "An unsupported mechanism was requested",
- "An invalid name was supplied",
- "A supplied name was of an unsupported type",
- "Incorrect channel bindings were supplied",
- "An invalid status code was supplied",
- "A token had an invalid signature",
- "No credentials were supplied",
- "No context has been established",
- "A token was invalid",
- "A credential was invalid",
- "The referenced credentials have expired",
- "The context has expired",
- "Miscellaneous failure",
- "The quality-of-protection requested could not be provided",
- "The operation is forbidden by the local security policy",
- "The operation or option is not available",
-};
+ NULL,
+ "An unsupported mechanism was requested",
+ "An invalid name was supplied",
+ "A supplied name was of an unsupported type",
+ "Incorrect channel bindings were supplied",
+ "An invalid status code was supplied",
+ "A token had an invalid signature",
+ "No credentials were supplied",
+ "No context has been established",
+ "A token was invalid",
+ "A credential was invalid",
+ "The referenced credentials have expired",
+ "The context has expired",
+ "Miscellaneous failure",
+ "The quality-of-protection requested could not be provided",
+ "The operation is forbidden by the local security policy",
+ "The operation or option is not available",
+};
static const char * const routine_error = "routine error";
#define GSS_ROUTINE_ERROR_STR(x) \
GSS_ERROR_STR((x), routine_error_string, GSS_ROUTINE_ERROR, \
- GSS_S_BAD_MECH, GSS_S_FAILURE, \
- GSS_ROUTINE_ERROR_FIELD)
+ GSS_S_BAD_MECH, GSS_S_FAILURE, \
+ GSS_ROUTINE_ERROR_FIELD)
/**/
/* this becomes overly gross after about 4 strings */
static const char * const sinfo_string[] = {
- "The routine must be called again to complete its function",
- "The token was a duplicate of an earlier token",
- "The token's validity period has expired",
- "A later token has already been processed",
+ "The routine must be called again to complete its function",
+ "The token was a duplicate of an earlier token",
+ "The token's validity period has expired",
+ "A later token has already been processed",
};
static const char * const sinfo_code = "supplementary info code";
/**/
-static int
+static int
display_unknown(kind, value, buffer)
- const char *kind;
- OM_uint32 value;
- gss_buffer_t buffer;
+ const char *kind;
+ OM_uint32 value;
+ gss_buffer_t buffer;
{
- char *str;
+ char *str;
- if (asprintf(&str, unknown_error, kind, value) < 0)
- return(0);
+ if (asprintf(&str, unknown_error, kind, value) < 0)
+ return(0);
- buffer->length = strlen(str);
- buffer->value = str;
+ buffer->length = strlen(str);
+ buffer->value = str;
- return(1);
+ return(1);
}
/* code should be set to the calling error field */
static OM_uint32 display_calling(minor_status, code, status_string)
- OM_uint32 *minor_status;
- OM_uint32 code;
- gss_buffer_t status_string;
+ OM_uint32 *minor_status;
+ OM_uint32 code;
+ gss_buffer_t status_string;
{
- const char *str;
-
- if ((str = GSS_CALLING_ERROR_STR(code))) {
- if (! g_make_string_buffer(str, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- } else {
- if (! display_unknown(calling_error, GSS_CALLING_ERROR_FIELD(code),
- status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ const char *str;
+
+ if ((str = GSS_CALLING_ERROR_STR(code))) {
+ if (! g_make_string_buffer(str, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ if (! display_unknown(calling_error, GSS_CALLING_ERROR_FIELD(code),
+ status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
/* code should be set to the routine error field */
static OM_uint32 display_routine(minor_status, code, status_string)
- OM_uint32 *minor_status;
- OM_uint32 code;
- gss_buffer_t status_string;
+ OM_uint32 *minor_status;
+ OM_uint32 code;
+ gss_buffer_t status_string;
{
- const char *str;
-
- if ((str = GSS_ROUTINE_ERROR_STR(code))) {
- if (! g_make_string_buffer(str, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- } else {
- if (! display_unknown(routine_error, GSS_ROUTINE_ERROR_FIELD(code),
- status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ const char *str;
+
+ if ((str = GSS_ROUTINE_ERROR_STR(code))) {
+ if (! g_make_string_buffer(str, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ if (! display_unknown(routine_error, GSS_ROUTINE_ERROR_FIELD(code),
+ status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
/* code should be set to the bit offset (log_2) of a supplementary info bit */
static OM_uint32 display_bit(minor_status, code, status_string)
- OM_uint32 *minor_status;
- OM_uint32 code;
- gss_buffer_t status_string;
+ OM_uint32 *minor_status;
+ OM_uint32 code;
+ gss_buffer_t status_string;
{
- const char *str;
-
- if ((str = GSS_SINFO_STR(code))) {
- if (! g_make_string_buffer(str, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- } else {
- if (! display_unknown(sinfo_code, 1<<code, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ const char *str;
+
+ if ((str = GSS_SINFO_STR(code))) {
+ if (! g_make_string_buffer(str, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ if (! display_unknown(sinfo_code, 1<<code, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
/**/
/* return error messages, for routine errors, call error, and status,
in that order.
- message_context == 0 : print the routine error
- message_context == 1 : print the calling error
- message_context > 2 : print supplementary info bit (message_context-2)
- */
-
-OM_uint32 g_display_major_status(minor_status, status_value,
- message_context, status_string)
- OM_uint32 *minor_status;
- OM_uint32 status_value;
- OM_uint32 *message_context;
- gss_buffer_t status_string;
+ message_context == 0 : print the routine error
+ message_context == 1 : print the calling error
+ message_context > 2 : print supplementary info bit (message_context-2)
+*/
+
+OM_uint32 g_display_major_status(minor_status, status_value,
+ message_context, status_string)
+ OM_uint32 *minor_status;
+ OM_uint32 status_value;
+ OM_uint32 *message_context;
+ gss_buffer_t status_string;
{
- OM_uint32 ret, tmp;
- int bit;
-
- /*** deal with no error at all specially */
-
- if (status_value == 0) {
- if (! g_make_string_buffer(no_error, status_string)) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- *message_context = 0;
- *minor_status = 0;
- return(GSS_S_COMPLETE);
- }
-
- /*** do routine error */
-
- if (*message_context == 0) {
- if ((tmp = GSS_ROUTINE_ERROR(status_value))) {
- status_value -= tmp;
- if ((ret = display_routine(minor_status, tmp, status_string)))
- return(ret);
- *minor_status = 0;
- if (status_value) {
- (*message_context)++;
- return(GSS_S_COMPLETE);
- } else {
- *message_context = 0;
- return(GSS_S_COMPLETE);
- }
- } else {
- (*message_context)++;
- }
- } else {
- status_value -= GSS_ROUTINE_ERROR(status_value);
- }
-
- /*** do calling error */
-
- if (*message_context == 1) {
- if ((tmp = GSS_CALLING_ERROR(status_value))) {
- status_value -= tmp;
- if ((ret = display_calling(minor_status, tmp, status_string)))
- return(ret);
- *minor_status = 0;
- if (status_value) {
- (*message_context)++;
- return(GSS_S_COMPLETE);
- } else {
- *message_context = 0;
- return(GSS_S_COMPLETE);
- }
- } else {
- (*message_context)++;
- }
- } else {
- status_value -= GSS_CALLING_ERROR(status_value);
- }
-
- /*** do sinfo bits (*message_context == 2 + number of bits done) */
-
- tmp = GSS_SUPPLEMENTARY_INFO_FIELD(status_value);
- /* mask off the bits which have been done */
- if (*message_context > 2) {
- tmp &= ~LSBMASK(*message_context-3);
- status_value &= ~LSBMASK(*message_context-3);
- }
-
- if (!tmp) {
- /* bogon input - there should be something left */
- *minor_status = (OM_uint32) G_BAD_MSG_CTX;
- return(GSS_S_FAILURE);
- }
-
- /* compute the bit offset */
- /*SUPPRESS 570*/
- for (bit=0; (((OM_uint32) 1)<<bit) != LSBGET(tmp); bit++) ;
-
- /* print it */
- if ((ret = display_bit(minor_status, bit, status_string)))
- return(ret);
-
- /* compute the new status_value/message_context */
- status_value -= ((OM_uint32) 1)<<bit;
-
- if (status_value) {
- *message_context = bit+3;
- return(GSS_S_COMPLETE);
- } else {
- *message_context = 0;
- return(GSS_S_COMPLETE);
- }
+ OM_uint32 ret, tmp;
+ int bit;
+
+ /*** deal with no error at all specially */
+
+ if (status_value == 0) {
+ if (! g_make_string_buffer(no_error, status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ *message_context = 0;
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
+
+ /*** do routine error */
+
+ if (*message_context == 0) {
+ if ((tmp = GSS_ROUTINE_ERROR(status_value))) {
+ status_value -= tmp;
+ if ((ret = display_routine(minor_status, tmp, status_string)))
+ return(ret);
+ *minor_status = 0;
+ if (status_value) {
+ (*message_context)++;
+ return(GSS_S_COMPLETE);
+ } else {
+ *message_context = 0;
+ return(GSS_S_COMPLETE);
+ }
+ } else {
+ (*message_context)++;
+ }
+ } else {
+ status_value -= GSS_ROUTINE_ERROR(status_value);
+ }
+
+ /*** do calling error */
+
+ if (*message_context == 1) {
+ if ((tmp = GSS_CALLING_ERROR(status_value))) {
+ status_value -= tmp;
+ if ((ret = display_calling(minor_status, tmp, status_string)))
+ return(ret);
+ *minor_status = 0;
+ if (status_value) {
+ (*message_context)++;
+ return(GSS_S_COMPLETE);
+ } else {
+ *message_context = 0;
+ return(GSS_S_COMPLETE);
+ }
+ } else {
+ (*message_context)++;
+ }
+ } else {
+ status_value -= GSS_CALLING_ERROR(status_value);
+ }
+
+ /*** do sinfo bits (*message_context == 2 + number of bits done) */
+
+ tmp = GSS_SUPPLEMENTARY_INFO_FIELD(status_value);
+ /* mask off the bits which have been done */
+ if (*message_context > 2) {
+ tmp &= ~LSBMASK(*message_context-3);
+ status_value &= ~LSBMASK(*message_context-3);
+ }
+
+ if (!tmp) {
+ /* bogon input - there should be something left */
+ *minor_status = (OM_uint32) G_BAD_MSG_CTX;
+ return(GSS_S_FAILURE);
+ }
+
+ /* compute the bit offset */
+ /*SUPPRESS 570*/
+ for (bit=0; (((OM_uint32) 1)<<bit) != LSBGET(tmp); bit++) ;
+
+ /* print it */
+ if ((ret = display_bit(minor_status, bit, status_string)))
+ return(ret);
+
+ /* compute the new status_value/message_context */
+ status_value -= ((OM_uint32) 1)<<bit;
+
+ if (status_value) {
+ *message_context = bit+3;
+ return(GSS_S_COMPLETE);
+ } else {
+ *message_context = 0;
+ return(GSS_S_COMPLETE);
+ }
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
*/
#if defined(__MACH__) && defined(__APPLE__)
-# include <TargetConditionals.h>
-# if TARGET_RT_MAC_CFM
-# error "Use KfM 4.0 SDK headers for CFM compilation."
-# endif
+# include <TargetConditionals.h>
+# if TARGET_RT_MAC_CFM
+# error "Use KfM 4.0 SDK headers for CFM compilation."
+# endif
#endif
#ifdef __cplusplus
typedef uint32_t gss_uint32;
typedef int32_t gss_int32;
-#ifdef OM_STRING
+#ifdef OM_STRING
/*
* We have included the xom.h header file. Use the definition for
* OM_object identifier.
*/
-typedef OM_object_identifier gss_OID_desc, *gss_OID;
-#else /* OM_STRING */
+typedef OM_object_identifier gss_OID_desc, *gss_OID;
+#else /* OM_STRING */
/*
* We can't use X/Open definitions, so roll our own.
*/
-typedef gss_uint32 OM_uint32;
+typedef gss_uint32 OM_uint32;
typedef struct gss_OID_desc_struct {
- OM_uint32 length;
- void *elements;
+ OM_uint32 length;
+ void *elements;
} gss_OID_desc, *gss_OID;
-#endif /* OM_STRING */
+#endif /* OM_STRING */
typedef struct gss_OID_set_desc_struct {
- size_t count;
- gss_OID elements;
+ size_t count;
+ gss_OID elements;
} gss_OID_set_desc, *gss_OID_set;
typedef struct gss_buffer_desc_struct {
- size_t length;
- void *value;
+ size_t length;
+ void *value;
} gss_buffer_desc, *gss_buffer_t;
typedef struct gss_channel_bindings_struct {
- OM_uint32 initiator_addrtype;
- gss_buffer_desc initiator_address;
- OM_uint32 acceptor_addrtype;
- gss_buffer_desc acceptor_address;
- gss_buffer_desc application_data;
+ OM_uint32 initiator_addrtype;
+ gss_buffer_desc initiator_address;
+ OM_uint32 acceptor_addrtype;
+ gss_buffer_desc acceptor_address;
+ gss_buffer_desc application_data;
} *gss_channel_bindings_t;
/*
* For now, define a QOP-type as an OM_uint32 (pending resolution of ongoing
* discussions).
*/
-typedef OM_uint32 gss_qop_t;
-typedef int gss_cred_usage_t;
+typedef OM_uint32 gss_qop_t;
+typedef int gss_cred_usage_t;
/*
* Flag bits for context-level services.
*/
-#define GSS_C_DELEG_FLAG 1
-#define GSS_C_MUTUAL_FLAG 2
-#define GSS_C_REPLAY_FLAG 4
-#define GSS_C_SEQUENCE_FLAG 8
-#define GSS_C_CONF_FLAG 16
-#define GSS_C_INTEG_FLAG 32
-#define GSS_C_ANON_FLAG 64
-#define GSS_C_PROT_READY_FLAG 128
-#define GSS_C_TRANS_FLAG 256
+#define GSS_C_DELEG_FLAG 1
+#define GSS_C_MUTUAL_FLAG 2
+#define GSS_C_REPLAY_FLAG 4
+#define GSS_C_SEQUENCE_FLAG 8
+#define GSS_C_CONF_FLAG 16
+#define GSS_C_INTEG_FLAG 32
+#define GSS_C_ANON_FLAG 64
+#define GSS_C_PROT_READY_FLAG 128
+#define GSS_C_TRANS_FLAG 256
/*
* Credential usage options
*/
-#define GSS_C_BOTH 0
-#define GSS_C_INITIATE 1
-#define GSS_C_ACCEPT 2
+#define GSS_C_BOTH 0
+#define GSS_C_INITIATE 1
+#define GSS_C_ACCEPT 2
/*
* Status code types for gss_display_status
*/
-#define GSS_C_GSS_CODE 1
+#define GSS_C_GSS_CODE 1
#define GSS_C_MECH_CODE 2
/*
* Some alternate names for a couple of the above values. These are defined
* for V1 compatibility.
*/
-#define GSS_C_NULL_OID GSS_C_NO_OID
-#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+#define GSS_C_NULL_OID GSS_C_NO_OID
+#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
/*
* Define the default Quality of Protection for per-message services. Note
((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
#define GSS_ERROR(x) \
((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
- (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+ (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
/*
* Now the actual status code definitions
/* Function Prototypes */
-OM_uint32 KRB5_CALLCONV gss_acquire_cred
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* desired_name */
- OM_uint32, /* time_req */
- gss_OID_set, /* desired_mechs */
- gss_cred_usage_t, /* cred_usage */
- gss_cred_id_t *, /* output_cred_handle */
- gss_OID_set *, /* actual_mechs */
- OM_uint32 * /* time_rec */
- );
-
-OM_uint32 KRB5_CALLCONV gss_release_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t * /* cred_handle */
- );
-
-OM_uint32 KRB5_CALLCONV gss_init_sec_context
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* claimant_cred_handle */
- gss_ctx_id_t *, /* context_handle */
- gss_name_t, /* target_name */
- gss_OID, /* mech_type (used to be const) */
- OM_uint32, /* req_flags */
- OM_uint32, /* time_req */
- gss_channel_bindings_t, /* input_chan_bindings */
- gss_buffer_t, /* input_token */
- gss_OID *, /* actual_mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32 *, /* ret_flags */
- OM_uint32 * /* time_rec */
- );
-
-OM_uint32 KRB5_CALLCONV gss_accept_sec_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_cred_id_t, /* acceptor_cred_handle */
- gss_buffer_t, /* input_token_buffer */
- gss_channel_bindings_t, /* input_chan_bindings */
- gss_name_t *, /* src_name */
- gss_OID *, /* mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32 *, /* ret_flags */
- OM_uint32 *, /* time_rec */
- gss_cred_id_t * /* delegated_cred_handle */
- );
-
-OM_uint32 KRB5_CALLCONV gss_process_context_token
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t /* token_buffer */
- );
-
-OM_uint32 KRB5_CALLCONV gss_delete_sec_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_buffer_t /* output_token */
- );
-
-OM_uint32 KRB5_CALLCONV gss_context_time
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- OM_uint32 * /* time_rec */
- );
+OM_uint32 KRB5_CALLCONV
+gss_acquire_cred(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *); /* time_rec */
+
+OM_uint32 KRB5_CALLCONV
+gss_release_cred(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t *); /* cred_handle */
+
+OM_uint32 KRB5_CALLCONV
+gss_init_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* claimant_cred_handle */
+ gss_ctx_id_t *, /* context_handle */
+ gss_name_t, /* target_name */
+ gss_OID, /* mech_type (used to be const) */
+ OM_uint32, /* req_flags */
+ OM_uint32, /* time_req */
+ gss_channel_bindings_t, /* input_chan_bindings */
+ gss_buffer_t, /* input_token */
+ gss_OID *, /* actual_mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 *, /* ret_flags */
+ OM_uint32 *); /* time_rec */
+
+OM_uint32 KRB5_CALLCONV
+gss_accept_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_cred_id_t, /* acceptor_cred_handle */
+ gss_buffer_t, /* input_token_buffer */
+ gss_channel_bindings_t, /* input_chan_bindings */
+ gss_name_t *, /* src_name */
+ gss_OID *, /* mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 *, /* ret_flags */
+ OM_uint32 *, /* time_rec */
+ gss_cred_id_t *); /* delegated_cred_handle */
+
+OM_uint32 KRB5_CALLCONV
+gss_process_context_token(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t); /* token_buffer */
+
+
+OM_uint32 KRB5_CALLCONV
+gss_delete_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t); /* output_token */
+
+
+OM_uint32 KRB5_CALLCONV
+gss_context_time(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ OM_uint32 *); /* time_rec */
+
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_get_mic
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
+OM_uint32 KRB5_CALLCONV
+gss_get_mic(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t); /* message_token */
+
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_verify_mic
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* message_token */
- gss_qop_t * /* qop_state */
- );
+OM_uint32 KRB5_CALLCONV
+gss_verify_mic(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* message_token */
+ gss_qop_t * /* qop_state */
+);
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_wrap
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int *, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
+OM_uint32 KRB5_CALLCONV
+gss_wrap(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int *, /* conf_state */
+ gss_buffer_t); /* output_message_buffer */
+
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_unwrap
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int *, /* conf_state */
- gss_qop_t * /* qop_state */
- );
-
-OM_uint32 KRB5_CALLCONV gss_display_status
-(OM_uint32 *, /* minor_status */
- OM_uint32, /* status_value */
- int, /* status_type */
- gss_OID, /* mech_type (used to be const) */
- OM_uint32 *, /* message_context */
- gss_buffer_t /* status_string */
- );
-
-OM_uint32 KRB5_CALLCONV gss_indicate_mechs
-(OM_uint32 *, /* minor_status */
- gss_OID_set * /* mech_set */
- );
-
-OM_uint32 KRB5_CALLCONV gss_compare_name
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* name1 */
- gss_name_t, /* name2 */
- int * /* name_equal */
- );
-
-OM_uint32 KRB5_CALLCONV gss_display_name
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* input_name */
- gss_buffer_t, /* output_name_buffer */
- gss_OID * /* output_name_type */
- );
-
-OM_uint32 KRB5_CALLCONV gss_import_name
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* input_name_buffer */
- gss_OID, /* input_name_type(used to be const) */
- gss_name_t * /* output_name */
- );
-
-OM_uint32 KRB5_CALLCONV gss_release_name
-(OM_uint32 *, /* minor_status */
- gss_name_t * /* input_name */
- );
-
-OM_uint32 KRB5_CALLCONV gss_release_buffer
-(OM_uint32 *, /* minor_status */
- gss_buffer_t /* buffer */
- );
-
-OM_uint32 KRB5_CALLCONV gss_release_oid_set
-(OM_uint32 *, /* minor_status */
- gss_OID_set * /* set */
- );
-
-OM_uint32 KRB5_CALLCONV gss_inquire_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_name_t *, /* name */
- OM_uint32 *, /* lifetime */
- gss_cred_usage_t *, /* cred_usage */
- gss_OID_set * /* mechanisms */
- );
+OM_uint32 KRB5_CALLCONV
+gss_unwrap(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int *, /* conf_state */
+ gss_qop_t *); /* qop_state */
+
+
+OM_uint32 KRB5_CALLCONV
+gss_display_status(
+ OM_uint32 *, /* minor_status */
+ OM_uint32, /* status_value */
+ int, /* status_type */
+ gss_OID, /* mech_type (used to be const) */
+ OM_uint32 *, /* message_context */
+ gss_buffer_t); /* status_string */
+
+
+OM_uint32 KRB5_CALLCONV
+gss_indicate_mechs(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* mech_set */
+
+
+OM_uint32 KRB5_CALLCONV
+gss_compare_name(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* name1 */
+ gss_name_t, /* name2 */
+ int *); /* name_equal */
+
+
+OM_uint32 KRB5_CALLCONV
+gss_display_name(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_buffer_t, /* output_name_buffer */
+ gss_OID *); /* output_name_type */
+
+
+OM_uint32 KRB5_CALLCONV
+gss_import_name(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* input_name_buffer */
+ gss_OID, /* input_name_type(used to be const) */
+ gss_name_t *); /* output_name */
+
+OM_uint32 KRB5_CALLCONV
+gss_release_name(
+ OM_uint32 *, /* minor_status */
+ gss_name_t *); /* input_name */
+
+OM_uint32 KRB5_CALLCONV
+gss_release_buffer(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t); /* buffer */
+
+OM_uint32 KRB5_CALLCONV
+gss_release_oid_set(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* set */
+
+OM_uint32 KRB5_CALLCONV
+gss_inquire_cred(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* lifetime */
+ gss_cred_usage_t *, /* cred_usage */
+ gss_OID_set *); /* mechanisms */
/* Last argument new for V2 */
-OM_uint32 KRB5_CALLCONV gss_inquire_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_name_t *, /* src_name */
- gss_name_t *, /* targ_name */
- OM_uint32 *, /* lifetime_rec */
- gss_OID *, /* mech_type */
- OM_uint32 *, /* ctx_flags */
- int *, /* locally_initiated */
- int * /* open */
- );
+OM_uint32 KRB5_CALLCONV
+gss_inquire_context(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_name_t *, /* src_name */
+ gss_name_t *, /* targ_name */
+ OM_uint32 *, /* lifetime_rec */
+ gss_OID *, /* mech_type */
+ OM_uint32 *, /* ctx_flags */
+ int *, /* locally_initiated */
+ int *); /* open */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_wrap_size_limit
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- OM_uint32, /* req_output_size */
- OM_uint32 * /* max_input_size */
- );
+OM_uint32 KRB5_CALLCONV
+gss_wrap_size_limit(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ OM_uint32, /* req_output_size */
+ OM_uint32 *); /* max_input_size */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_import_name_object
-(OM_uint32 *, /* minor_status */
- void *, /* input_name */
- gss_OID, /* input_name_type */
- gss_name_t * /* output_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_import_name_object(
+ OM_uint32 *, /* minor_status */
+ void *, /* input_name */
+ gss_OID, /* input_name_type */
+ gss_name_t *); /* output_name */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_export_name_object
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* input_name */
- gss_OID, /* desired_name_type */
- void ** /* output_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_export_name_object(
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_OID, /* desired_name_type */
+ void **); /* output_name */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_add_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* input_cred_handle */
- gss_name_t, /* desired_name */
- gss_OID, /* desired_mech */
- gss_cred_usage_t, /* cred_usage */
- OM_uint32, /* initiator_time_req */
- OM_uint32, /* acceptor_time_req */
- gss_cred_id_t *, /* output_cred_handle */
- gss_OID_set *, /* actual_mechs */
- OM_uint32 *, /* initiator_time_rec */
- OM_uint32 * /* acceptor_time_rec */
- );
+OM_uint32 KRB5_CALLCONV
+gss_add_cred(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* input_cred_handle */
+ gss_name_t, /* desired_name */
+ gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *, /* initiator_time_rec */
+ OM_uint32 *); /* acceptor_time_rec */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_inquire_cred_by_mech
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_OID, /* mech_type */
- gss_name_t *, /* name */
- OM_uint32 *, /* initiator_lifetime */
- OM_uint32 *, /* acceptor_lifetime */
- gss_cred_usage_t * /* cred_usage */
- );
+OM_uint32 KRB5_CALLCONV
+gss_inquire_cred_by_mech(
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_OID, /* mech_type */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* initiator_lifetime */
+ OM_uint32 *, /* acceptor_lifetime */
+ gss_cred_usage_t *); /* cred_usage */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_export_sec_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_buffer_t /* interprocess_token */
- );
+OM_uint32 KRB5_CALLCONV
+gss_export_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t); /* interprocess_token */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_import_sec_context
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* interprocess_token */
- gss_ctx_id_t * /* context_handle */
- );
+OM_uint32 KRB5_CALLCONV
+gss_import_sec_context(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* interprocess_token */
+ gss_ctx_id_t *); /* context_handle */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_release_oid
-(OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
+OM_uint32 KRB5_CALLCONV
+gss_release_oid(
+ OM_uint32 *, /* minor_status */
+ gss_OID *); /* oid */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_create_empty_oid_set
-(OM_uint32 *, /* minor_status */
- gss_OID_set * /* oid_set */
- );
+OM_uint32 KRB5_CALLCONV
+gss_create_empty_oid_set(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* oid_set */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_add_oid_set_member
-(OM_uint32 *, /* minor_status */
- gss_OID, /* member_oid */
- gss_OID_set * /* oid_set */
- );
+OM_uint32 KRB5_CALLCONV
+gss_add_oid_set_member(
+ OM_uint32 *, /* minor_status */
+ gss_OID, /* member_oid */
+ gss_OID_set *); /* oid_set */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_test_oid_set_member
-(OM_uint32 *, /* minor_status */
- gss_OID, /* member */
- gss_OID_set, /* set */
- int * /* present */
- );
+OM_uint32 KRB5_CALLCONV
+gss_test_oid_set_member(
+ OM_uint32 *, /* minor_status */
+ gss_OID, /* member */
+ gss_OID_set, /* set */
+ int *); /* present */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_str_to_oid
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* oid_str */
- gss_OID * /* oid */
- );
+OM_uint32 KRB5_CALLCONV
+gss_str_to_oid(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* oid_str */
+ gss_OID *); /* oid */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_oid_to_str
-(OM_uint32 *, /* minor_status */
- gss_OID, /* oid */
- gss_buffer_t /* oid_str */
- );
+OM_uint32 KRB5_CALLCONV
+gss_oid_to_str(
+ OM_uint32 *, /* minor_status */
+ gss_OID, /* oid */
+ gss_buffer_t); /* oid_str */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_inquire_names_for_mech
-(OM_uint32 *, /* minor_status */
- gss_OID, /* mechanism */
- gss_OID_set * /* name_types */
- );
+OM_uint32 KRB5_CALLCONV
+gss_inquire_names_for_mech(
+ OM_uint32 *, /* minor_status */
+ gss_OID, /* mechanism */
+ gss_OID_set *); /* name_types */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_inquire_mechs_for_name(
- OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_OID_set * /* mech_types */
-);
+OM_uint32 KRB5_CALLCONV
+gss_inquire_mechs_for_name(
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_OID_set *); /* mech_types */
/*
* The following routines are obsolete variants of gss_get_mic, gss_wrap,
* entrypoints (as opposed to #defines) should be provided, to allow GSSAPI
* V1 applications to link against GSSAPI V2 implementations.
*/
-OM_uint32 KRB5_CALLCONV gss_sign
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
-
-OM_uint32 KRB5_CALLCONV gss_verify
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* token_buffer */
- int * /* qop_state */
- );
-
-OM_uint32 KRB5_CALLCONV gss_seal
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- int, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int *, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
-
-OM_uint32 KRB5_CALLCONV gss_unseal
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int *, /* conf_state */
- int * /* qop_state */
- );
+OM_uint32 KRB5_CALLCONV
+gss_sign(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t); /* message_token */
+
+OM_uint32 KRB5_CALLCONV
+gss_verify(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* token_buffer */
+ int *); /* qop_state */
+
+OM_uint32 KRB5_CALLCONV
+gss_seal(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ int, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int *, /* conf_state */
+ gss_buffer_t); /* output_message_buffer */
+
+OM_uint32 KRB5_CALLCONV
+gss_unseal(
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int *, /* conf_state */
+ int *); /* qop_state */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_export_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_buffer_t /* exported_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_export_name(
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_buffer_t); /* exported_name */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_duplicate_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_name_t * /* dest_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_duplicate_name(
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_name_t *); /* dest_name */
/* New for V2 */
-OM_uint32 KRB5_CALLCONV gss_canonicalize_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- const gss_OID, /* mech_type */
- gss_name_t * /* output_name */
- );
+OM_uint32 KRB5_CALLCONV
+gss_canonicalize_name(
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ const gss_OID, /* mech_type */
+ gss_name_t *); /* output_name */
#if TARGET_OS_MAC
# pragma pack(pop)
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/** helper macros **/
-#define g_OID_equal(o1, o2) \
- (((o1)->length == (o2)->length) && \
- (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))
+#define g_OID_equal(o1, o2) \
+ (((o1)->length == (o2)->length) && \
+ (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))
/* this code knows that an int on the wire is 32 bits. The type of
num should be at least this big, or the extra shifts may do weird
things */
-#define TWRITE_INT(ptr, num, bigend) \
- (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \
- (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \
- (ptr)[2] = (char) ((bigend)?(((num)>>8)&0xff):(((num)>>16)&0xff)); \
- (ptr)[3] = (char) ((bigend)?((num)&0xff):((num)>>24)); \
+#define TWRITE_INT(ptr, num, bigend) \
+ (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \
+ (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \
+ (ptr)[2] = (char) ((bigend)?(((num)>>8)&0xff):(((num)>>16)&0xff)); \
+ (ptr)[3] = (char) ((bigend)?((num)&0xff):((num)>>24)); \
(ptr) += 4;
-#define TWRITE_INT16(ptr, num, bigend) \
- (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \
- (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \
+#define TWRITE_INT16(ptr, num, bigend) \
+ (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \
+ (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \
(ptr) += 2;
-#define TREAD_INT(ptr, num, bigend) \
- (num) = (((ptr)[0]<<((bigend)?24: 0)) | \
- ((ptr)[1]<<((bigend)?16: 8)) | \
- ((ptr)[2]<<((bigend)? 8:16)) | \
- ((ptr)[3]<<((bigend)? 0:24))); \
+#define TREAD_INT(ptr, num, bigend) \
+ (num) = (((ptr)[0]<<((bigend)?24: 0)) | \
+ ((ptr)[1]<<((bigend)?16: 8)) | \
+ ((ptr)[2]<<((bigend)? 8:16)) | \
+ ((ptr)[3]<<((bigend)? 0:24))); \
(ptr) += 4;
-#define TREAD_INT16(ptr, num, bigend) \
- (num) = (((ptr)[0]<<((bigend)?24: 0)) | \
- ((ptr)[1]<<((bigend)?16: 8))); \
+#define TREAD_INT16(ptr, num, bigend) \
+ (num) = (((ptr)[0]<<((bigend)?24: 0)) | \
+ ((ptr)[1]<<((bigend)?16: 8))); \
(ptr) += 2;
-#define TWRITE_STR(ptr, str, len) \
- memcpy((ptr), (char *) (str), (len)); \
+#define TWRITE_STR(ptr, str, len) \
+ memcpy((ptr), (char *) (str), (len)); \
(ptr) += (len);
-#define TREAD_STR(ptr, str, len) \
- (str) = (ptr); \
+#define TREAD_STR(ptr, str, len) \
+ (str) = (ptr); \
(ptr) += (len);
-#define TWRITE_BUF(ptr, buf, bigend) \
- TWRITE_INT((ptr), (buf).length, (bigend)); \
+#define TWRITE_BUF(ptr, buf, bigend) \
+ TWRITE_INT((ptr), (buf).length, (bigend)); \
TWRITE_STR((ptr), (buf).value, (buf).length);
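Review bot: TREAD_INT and TREAD_INT16 shift `(ptr)[0]` directly; after integer promotion that operand is an `int`, so a byte of 0x80 or more shifted by 24 is signed overflow (undefined), and if `ptr` is a plain `char *` a negative byte is sign-extended into `num` — cast each byte before shifting, e.g. `((OM_uint32)(unsigned char)(ptr)[0]<<((bigend)?24: 0))`. The TWRITE_*/TREAD_* macros also expand to several statements with no `do { ... } while (0)` wrapper, so a call under an unbraced `if` guards only the first assignment. The `INT16` variants keep the 24/16 shift amounts of the 32-bit versions in the big-endian branch; if `num` is a 16-bit quantity there, that branch writes and reads the wrong bytes (8/0 would be expected), though it may be that no caller uses the big-endian form. The bodies were only reindented by this commit, so these are pre-existing.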
/** malloc wrappers; these may actually do something later */
/** helper functions **/
/* hide names from applications, especially glib applications */
-#define g_set_init gssint_g_set_init
-#define g_set_destroy gssint_g_set_destroy
-#define g_set_entry_add gssint_g_set_entry_add
-#define g_set_entry_delete gssint_g_set_entry_delete
-#define g_set_entry_get gssint_g_set_entry_get
-#define g_save_name gssint_g_save_name
-#define g_save_cred_id gssint_g_save_cred_id
-#define g_save_ctx_id gssint_g_save_ctx_id
-#define g_save_lucidctx_id gssint_g_save_lucidctx_id
-#define g_validate_name gssint_g_validate_name
-#define g_validate_cred_id gssint_g_validate_cred_id
-#define g_validate_ctx_id gssint_g_validate_ctx_id
-#define g_validate_lucidctx_id gssint_g_validate_lucidctx_id
-#define g_delete_name gssint_g_delete_name
-#define g_delete_cred_id gssint_g_delete_cred_id
-#define g_delete_ctx_id gssint_g_delete_ctx_id
-#define g_delete_lucidctx_id gssint_g_delete_lucidctx_id
-#define g_make_string_buffer gssint_g_make_string_buffer
-#define g_token_size gssint_g_token_size
-#define g_make_token_header gssint_g_make_token_header
-#define g_verify_token_header gssint_g_verify_token_header
-#define g_display_major_status gssint_g_display_major_status
-#define g_display_com_err_status gssint_g_display_com_err_status
-#define g_order_init gssint_g_order_init
-#define g_order_check gssint_g_order_check
-#define g_order_free gssint_g_order_free
-#define g_queue_size gssint_g_queue_size
-#define g_queue_externalize gssint_g_queue_externalize
-#define g_queue_internalize gssint_g_queue_internalize
-#define g_canonicalize_host gssint_g_canonicalize_host
-#define g_local_host_name gssint_g_local_host_name
-#define g_strdup gssint_g_strdup
+#define g_set_init gssint_g_set_init
+#define g_set_destroy gssint_g_set_destroy
+#define g_set_entry_add gssint_g_set_entry_add
+#define g_set_entry_delete gssint_g_set_entry_delete
+#define g_set_entry_get gssint_g_set_entry_get
+#define g_save_name gssint_g_save_name
+#define g_save_cred_id gssint_g_save_cred_id
+#define g_save_ctx_id gssint_g_save_ctx_id
+#define g_save_lucidctx_id gssint_g_save_lucidctx_id
+#define g_validate_name gssint_g_validate_name
+#define g_validate_cred_id gssint_g_validate_cred_id
+#define g_validate_ctx_id gssint_g_validate_ctx_id
+#define g_validate_lucidctx_id gssint_g_validate_lucidctx_id
+#define g_delete_name gssint_g_delete_name
+#define g_delete_cred_id gssint_g_delete_cred_id
+#define g_delete_ctx_id gssint_g_delete_ctx_id
+#define g_delete_lucidctx_id gssint_g_delete_lucidctx_id
+#define g_make_string_buffer gssint_g_make_string_buffer
+#define g_token_size gssint_g_token_size
+#define g_make_token_header gssint_g_make_token_header
+#define g_verify_token_header gssint_g_verify_token_header
+#define g_display_major_status gssint_g_display_major_status
+#define g_display_com_err_status gssint_g_display_com_err_status
+#define g_order_init gssint_g_order_init
+#define g_order_check gssint_g_order_check
+#define g_order_free gssint_g_order_free
+#define g_queue_size gssint_g_queue_size
+#define g_queue_externalize gssint_g_queue_externalize
+#define g_queue_internalize gssint_g_queue_internalize
+#define g_canonicalize_host gssint_g_canonicalize_host
+#define g_local_host_name gssint_g_local_host_name
+#define g_strdup gssint_g_strdup
typedef struct _g_set_elt *g_set_elt;
typedef struct {
unsigned int g_token_size (const gss_OID_desc * mech, unsigned int body_size);
void g_make_token_header (const gss_OID_desc * mech, unsigned int body_size,
- unsigned char **buf, int tok_type);
+ unsigned char **buf, int tok_type);
-gss_int32 g_verify_token_header (const gss_OID_desc * mech,
- unsigned int *body_size,
- unsigned char **buf, int tok_type,
- unsigned int toksize_in,
- int wrapper_required);
+gss_int32 g_verify_token_header (const gss_OID_desc * mech,
+ unsigned int *body_size,
+ unsigned char **buf, int tok_type,
+ unsigned int toksize_in,
+ int wrapper_required);
OM_uint32 g_display_major_status (OM_uint32 *minor_status,
- OM_uint32 status_value,
- OM_uint32 *message_context,
- gss_buffer_t status_string);
+ OM_uint32 status_value,
+ OM_uint32 *message_context,
+ gss_buffer_t status_string);
OM_uint32 g_display_com_err_status (OM_uint32 *minor_status,
- OM_uint32 status_value,
- gss_buffer_t status_string);
+ OM_uint32 status_value,
+ gss_buffer_t status_string);
gss_int32 g_order_init (void **queue, gssint_uint64 seqnum,
- int do_replay, int do_sequence, int wide);
+ int do_replay, int do_sequence, int wide);
gss_int32 g_order_check (void **queue, gssint_uint64 seqnum);
gss_uint32 g_queue_size(void *vqueue, size_t *sizep);
gss_uint32 g_queue_externalize(void *vqueue, unsigned char **buf,
- size_t *lenremain);
+ size_t *lenremain);
gss_uint32 g_queue_internalize(void **vqueue, unsigned char **buf,
- size_t *lenremain);
+ size_t *lenremain);
char *g_strdup (char *str);
/** declarations of internal name mechanism functions **/
-OM_uint32 generic_gss_release_buffer
-(OM_uint32*, /* minor_status */
- gss_buffer_t /* buffer */
- );
-
-OM_uint32 generic_gss_release_oid_set
-(OM_uint32*, /* minor_status */
- gss_OID_set* /* set */
- );
-
-OM_uint32 generic_gss_release_oid
-(OM_uint32*, /* minor_status */
- gss_OID* /* set */
- );
-
-OM_uint32 generic_gss_copy_oid
-(OM_uint32 *, /* minor_status */
- const gss_OID_desc * const, /* oid */
- gss_OID * /* new_oid */
- );
-
-OM_uint32 generic_gss_create_empty_oid_set
-(OM_uint32 *, /* minor_status */
- gss_OID_set * /* oid_set */
- );
-
-OM_uint32 generic_gss_add_oid_set_member
-(OM_uint32 *, /* minor_status */
- const gss_OID_desc * const, /* member_oid */
- gss_OID_set * /* oid_set */
- );
-
-OM_uint32 generic_gss_test_oid_set_member
-(OM_uint32 *, /* minor_status */
- const gss_OID_desc * const, /* member */
- gss_OID_set, /* set */
- int * /* present */
- );
-
-OM_uint32 generic_gss_oid_to_str
-(OM_uint32 *, /* minor_status */
- const gss_OID_desc * const, /* oid */
- gss_buffer_t /* oid_str */
- );
-
-OM_uint32 generic_gss_str_to_oid
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* oid_str */
- gss_OID * /* oid */
- );
+OM_uint32
+generic_gss_release_buffer(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t); /* buffer */
+
+OM_uint32
+generic_gss_release_oid_set(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* set */
+
+OM_uint32
+generic_gss_release_oid(
+ OM_uint32 *, /* minor_status */
+ gss_OID *); /* set */
+
+OM_uint32
+generic_gss_copy_oid(
+ OM_uint32 *, /* minor_status */
+ const gss_OID_desc * const, /* oid */
+ gss_OID *); /* new_oid */
+
+OM_uint32
+generic_gss_create_empty_oid_set(
+ OM_uint32 *, /* minor_status */
+ gss_OID_set *); /* oid_set */
+
+OM_uint32
+generic_gss_add_oid_set_member(
+ OM_uint32 *, /* minor_status */
+ const gss_OID_desc * const, /* member_oid */
+ gss_OID_set *); /* oid_set */
+
+OM_uint32
+generic_gss_test_oid_set_member(
+ OM_uint32 *, /* minor_status */
+ const gss_OID_desc * const, /* member */
+ gss_OID_set, /* set */
+ int *); /* present */
+
+OM_uint32
+generic_gss_oid_to_str(
+ OM_uint32 *, /* minor_status */
+ const gss_OID_desc * const, /* oid */
+ gss_buffer_t); /* oid_str */
+
+OM_uint32
+generic_gss_str_to_oid(
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* oid_str */
+ gss_OID *); /* oid */
int gssint_mecherrmap_init(void);
void gssint_mecherrmap_destroy(void);
OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc *oid);
int gssint_mecherrmap_get(OM_uint32 minor, gss_OID mech_oid,
- OM_uint32 *mech_minor);
+ OM_uint32 *mech_minor);
OM_uint32 gssint_mecherrmap_map_errcode(OM_uint32 errcode);
#endif /* _GSSAPIP_GENERIC_H_ */
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
static const gss_OID_desc const_oids[] = {
/*
* The implementation must reserve static storage for a
- * gss_OID_desc object containing the value */
+ * gss_OID_desc object containing the value */
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"},
/* corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
- * GSS_C_NT_USER_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+
/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value */
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"},
/* corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
- * The constant GSS_C_NT_MACHINE_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value */
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"},
/* corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
- * The constant GSS_C_NT_STRING_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value */
* parameter, but should not be emitted by GSS-API
* implementations
*/
-
+
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value */
- {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"},
- /* corresponding to an object-identifier value of
- * {iso(1) member-body(2) Unites States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) service_name(4)}.
- * The constant GSS_C_NT_HOSTBASED_SERVICE should be
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"},
+ /* corresponding to an object-identifier value of
+ * {iso(1) member-body(2) Unites States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) service_name(4)}.
+ * The constant GSS_C_NT_HOSTBASED_SERVICE should be
* initialized to point to that gss_OID_desc.
*/
* and GSS_C_NT_ANONYMOUS should be initialized to point
* to that gss_OID_desc.
*/
-
+
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value */
*
* Constants of the form GSS_C_NT_* are specified by rfc 2744.
*
- * Constants of the form gss_nt_* are the original MIT krb5 names
- * found in gssapi_generic.h. They are provided for compatibility. */
+ * Constants of the form gss_nt_* are the original MIT krb5 names
+ * found in gssapi_generic.h. They are provided for compatibility. */
GSS_DLLIMP gss_OID GSS_C_NT_USER_NAME = oids+0;
GSS_DLLIMP gss_OID gss_nt_user_name = oids+0;
GSS_DLLIMP gss_OID gss_nt_string_uid_name = oids+2;
GSS_DLLIMP gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = oids+3;
-gss_OID gss_nt_service_name_v2 = oids+3;
+gss_OID gss_nt_service_name_v2 = oids+3;
GSS_DLLIMP gss_OID GSS_C_NT_HOSTBASED_SERVICE = oids+4;
GSS_DLLIMP gss_OID gss_nt_service_name = oids+4;
GSS_DLLIMP gss_OID GSS_C_NT_ANONYMOUS = oids+5;
GSS_DLLIMP gss_OID GSS_C_NT_EXPORT_NAME = oids+6;
-gss_OID gss_nt_exported_name = oids+6;
+gss_OID gss_nt_exported_name = oids+6;
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#include <gssapi/gssapi.h>
#if defined(__cplusplus) && !defined(GSSAPIGENERIC_BEGIN_DECLS)
-#define GSSAPIGENERIC_BEGIN_DECLS extern "C" {
-#define GSSAPIGENERIC_END_DECLS }
+#define GSSAPIGENERIC_BEGIN_DECLS extern "C" {
+#define GSSAPIGENERIC_END_DECLS }
#else
#define GSSAPIGENERIC_BEGIN_DECLS
#define GSSAPIGENERIC_END_DECLS
GSSAPIGENERIC_BEGIN_DECLS
/* Deprecated MIT krb5 oid names provided for compatibility.
- * The correct oids (GSS_C_NT_USER_NAME, etc) from rfc 2744
+ * The correct oids (GSS_C_NT_USER_NAME, etc) from rfc 2744
* are defined in gssapi.h. */
GSS_DLLIMP extern gss_OID gss_nt_user_name;
+/* -*- mode: c; indent-tabs-mode: nil -*- */
#include <stdio.h>
#include <stdarg.h>
#include <assert.h>
static int eltcmp(elt left, elt right)
{
if (left.a < right.a)
- return -1;
+ return -1;
if (left.a > right.a)
- return 1;
+ return 1;
if (left.b < right.b)
- return -1;
+ return -1;
if (left.b > right.b)
- return 1;
+ return 1;
return 0;
}
static void eltprt(elt v, FILE *f)
static int intcmp(int left, int right)
{
if (left < right)
- return -1;
+ return -1;
if (left > right)
- return 1;
+ return 1;
return 0;
}
static void intprt(int v, FILE *f)
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/* #ident "@(#)g_rel_buffer.c 1.2 96/02/06 SMI" */
/*
* Copyright 1996 by Sun Microsystems, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. Sun Microsystems makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#endif
OM_uint32
-generic_gss_release_buffer (minor_status,
- buffer)
- OM_uint32 * minor_status;
- gss_buffer_t buffer;
+generic_gss_release_buffer(
+ OM_uint32 *minor_status,
+ gss_buffer_t buffer)
{
if (minor_status)
- *minor_status = 0;
+ *minor_status = 0;
/* if buffer is NULL, return */
if (buffer == GSS_C_NO_BUFFER)
- return(GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
if (buffer->value) {
- free(buffer->value);
- buffer->length = 0;
- buffer->value = NULL;
+ free(buffer->value);
+ buffer->length = 0;
+ buffer->value = NULL;
}
return (GSS_S_COMPLETE);
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/* #ident "@(#)gss_release_oid_set.c 1.12 95/08/23 SMI" */
/*
* Copyright 1996 by Sun Microsystems, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. Sun Microsystems makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#endif
OM_uint32
-generic_gss_release_oid_set (minor_status,
- set)
- OM_uint32 * minor_status;
- gss_OID_set * set;
+generic_gss_release_oid_set(
+ OM_uint32 *minor_status,
+ gss_OID_set *set)
{
size_t i;
if (minor_status)
- *minor_status = 0;
+ *minor_status = 0;
if (set == NULL)
- return(GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
if (*set == GSS_C_NULL_OID_SET)
- return(GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
for (i=0; i<(*set)->count; i++)
- free((*set)->elements[i].elements);
+ free((*set)->elements[i].elements);
free((*set)->elements);
free(*set);
*set = GSS_C_NULL_OID_SET;
-
+
return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
int g_make_string_buffer(const char *str, gss_buffer_t buffer)
{
- buffer->length = strlen(str);
+ buffer->length = strlen(str);
- if ((buffer->value = strdup(str)) == NULL) {
- buffer->length = 0;
- return(0);
- }
+ if ((buffer->value = strdup(str)) == NULL) {
+ buffer->length = 0;
+ return(0);
+ }
- return(1);
+ return(1);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#include <string.h>
char *
-g_canonicalize_host(hostname)
- char *hostname;
+g_canonicalize_host(char *hostname)
{
- struct hostent *hent;
- char *haddr;
- char *canon, *str;
+ struct hostent *hent;
+ char *haddr;
+ char *canon, *str;
- if ((hent = gethostbyname(hostname)) == NULL)
- return(NULL);
+ if ((hent = gethostbyname(hostname)) == NULL)
+ return(NULL);
- if (! (haddr = (char *) xmalloc(hent->h_length))) {
+ if (! (haddr = (char *) xmalloc(hent->h_length))) {
return(NULL);
- }
+ }
- memcpy(haddr, hent->h_addr_list[0], hent->h_length);
+ memcpy(haddr, hent->h_addr_list[0], hent->h_length);
- if (! (hent = gethostbyaddr(haddr, hent->h_length, hent->h_addrtype))) {
+ if (! (hent = gethostbyaddr(haddr, hent->h_length, hent->h_addrtype))) {
return(NULL);
- }
+ }
- xfree(haddr);
+ xfree(haddr);
- if ((canon = (char *) xmalloc(strlen(hent->h_name)+1)) == NULL)
- return(NULL);
+ if ((canon = (char *) xmalloc(strlen(hent->h_name)+1)) == NULL)
+ return(NULL);
- strcpy(canon, hent->h_name);
+ strcpy(canon, hent->h_name);
- for (str = canon; *str; str++)
- if (isupper(*str)) *str = tolower(*str);
+ for (str = canon; *str; str++)
+ if (isupper(*str)) *str = tolower(*str);
- return(canon);
+ return(canon);
}
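Review bot: `haddr` leaks when `gethostbyaddr` fails, because the only `xfree(haddr)` sits after that check; the failure branch should release it too: `if (! (hent = gethostbyaddr(haddr, hent->h_length, hent->h_addrtype))) { xfree(haddr); return(NULL); }`. The lower-casing loop passes a plain `char` to `isupper`/`tolower`, which is undefined for bytes above 0x7f on platforms where `char` is signed; `(unsigned char)*str` fixes both calls. It is also worth a header comment that the returned name is whatever the reverse lookup produces, so callers are trusting DNS for it; the conversion from K&R to a prototype here does not change any of this.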
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2007, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include "gssapiP_generic.h"
cmp_OM_uint32(OM_uint32 m1, OM_uint32 m2)
{
if (m1 < m2)
- return -1;
+ return -1;
else if (m1 > m2)
- return 1;
+ return 1;
else
- return 0;
+ return 0;
}
static inline int
mecherror_cmp(struct mecherror m1, struct mecherror m2)
{
if (m1.code < m2.code)
- return -1;
+ return -1;
if (m1.code > m2.code)
- return 1;
+ return 1;
if (m1.mech.length < m2.mech.length)
- return -1;
+ return -1;
if (m1.mech.length > m2.mech.length)
- return 1;
+ return 1;
if (m1.mech.length == 0)
- return 0;
+ return 0;
return memcmp(m1.mech.elements, m2.mech.elements, m1.mech.length);
}
*dest = src;
dest->mech.elements = malloc(src.mech.length);
if (dest->mech.elements == NULL) {
- if (src.mech.length)
- return ENOMEM;
- else
- return 0;
+ if (src.mech.length)
+ return ENOMEM;
+ else
+ return 0;
}
memcpy(dest->mech.elements, src.mech.elements, src.mech.length);
return 0;
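Review bot: When `src.mech.length` is 0 this still calls `malloc(0)`, which on common allocators returns a non-null pointer that `free_one` further down in this file never releases (it frees only when the length is non-zero), and the following `memcpy` then runs with a possibly null source, which is undefined even for zero bytes. Handle the empty case before allocating: `if (src.mech.length == 0) { dest->mech.elements = NULL; return 0; }`. The function's signature is outside this hunk, and the hunk itself only reindents the existing error branch.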
OM_uint32 minor;
gss_buffer_desc str;
static const struct {
- const char *oidstr, *name;
+ const char *oidstr, *name;
} mechnames[] = {
- { "{ 1 2 840 113554 1 2 2 }", "krb5-new" },
- { "{ 1 3 5 1 5 2 }", "krb5-old" },
- { "{ 1 2 840 48018 1 2 2 }", "krb5-microsoft" },
- { "{ 1 3 6 1 5 5 2 }", "spnego" },
+ { "{ 1 2 840 113554 1 2 2 }", "krb5-new" },
+ { "{ 1 3 5 1 5 2 }", "krb5-old" },
+ { "{ 1 2 840 48018 1 2 2 }", "krb5-microsoft" },
+ { "{ 1 3 6 1 5 5 2 }", "spnego" },
};
unsigned int i;
fprintf(f, "%lu@", (unsigned long) value.code);
if (value.mech.length == 0) {
- fprintf(f, "(com_err)");
- return;
+ fprintf(f, "(com_err)");
+ return;
}
fprintf(f, "%p=", value.mech.elements);
if (generic_gss_oid_to_str(&minor, &value.mech, &str)) {
- fprintf(f, "(error in conversion)");
- return;
+ fprintf(f, "(error in conversion)");
+ return;
}
/* Note: generic_gss_oid_to_str returns a null-terminated string. */
for (i = 0; i < sizeof(mechnames)/sizeof(mechnames[0]); i++) {
- if (!strcmp(str.value, mechnames[i].oidstr) && mechnames[i].name != 0) {
- fprintf(f, "%s", mechnames[i].name);
- break;
- }
+ if (!strcmp(str.value, mechnames[i].oidstr) && mechnames[i].name != 0) {
+ fprintf(f, "%s", mechnames[i].name);
+ break;
+ }
}
if (i == sizeof(mechnames)/sizeof(mechnames[0]))
- fprintf(f, "%s", (char *) str.value);
+ fprintf(f, "%s", (char *) str.value);
generic_gss_release_buffer(&minor, &str);
}
#include "errmap.h"
-#include "krb5.h" /* for KRB5KRB_AP_WRONG_PRINC */
+#include "krb5.h" /* for KRB5KRB_AP_WRONG_PRINC */
static mecherrmap m;
static k5_mutex_t mutex = K5_MUTEX_PARTIAL_INITIALIZER;
err = mecherrmap_init(&m);
if (err)
- return err;
+ return err;
err = k5_mutex_finish_init(&mutex);
if (err) {
- mecherrmap_destroy(&m);
- return err;
+ mecherrmap_destroy(&m);
+ return err;
}
return 0;
static int free_one(OM_uint32 i, struct mecherror value, void *p)
{
if (value.mech.length && value.mech.elements)
- free(value.mech.elements);
+ free(value.mech.elements);
return 0;
}
FILE *f;
f = fopen("/dev/pts/9", "w+");
if (f == NULL)
- f = stderr;
+ f = stderr;
#endif
me.code = minor;
err = k5_mutex_lock(&mutex);
if (err) {
#ifdef DEBUG
- if (f != stderr) fclose(f);
+ if (f != stderr) fclose(f);
#endif
- return 0;
+ return 0;
}
/* Is this status+oid already mapped? */
p = mecherrmap_findright(&m, me);
if (p != NULL) {
- k5_mutex_unlock(&mutex);
+ k5_mutex_unlock(&mutex);
#ifdef DEBUG
- fprintf(f, "%s: found ", __func__);
- mecherror_print(me, f);
- fprintf(f, " in map as %lu\n", (unsigned long) *p);
- if (f != stderr) fclose(f);
+ fprintf(f, "%s: found ", __func__);
+ mecherror_print(me, f);
+ fprintf(f, " in map as %lu\n", (unsigned long) *p);
+ if (f != stderr) fclose(f);
#endif
- return *p;
+ return *p;
}
/* Is this status code already mapped to something else
mech-specific? */
mep = mecherrmap_findleft(&m, minor);
if (mep == NULL) {
- /* Map it to itself plus this mech-oid. */
- new_status = minor;
+ /* Map it to itself plus this mech-oid. */
+ new_status = minor;
} else {
- /* Already assigned. Pick a fake new value and map it. */
- /* There's a theoretical infinite loop risk here, if we fill
- in 2**32 values. Also, returning 0 has a special
- meaning. */
- do {
- next_fake++;
- new_status = next_fake;
- if (new_status == 0)
- /* ??? */;
- } while (mecherrmap_findleft(&m, new_status) != NULL);
+ /* Already assigned. Pick a fake new value and map it. */
+ /* There's a theoretical infinite loop risk here, if we fill
+ in 2**32 values. Also, returning 0 has a special
+ meaning. */
+ do {
+ next_fake++;
+ new_status = next_fake;
+ if (new_status == 0)
+ /* ??? */;
+ } while (mecherrmap_findleft(&m, new_status) != NULL);
}
err = mecherror_copy(&me_copy, me);
if (err) {
- k5_mutex_unlock(&mutex);
- return err;
+ k5_mutex_unlock(&mutex);
+ return err;
}
err = mecherrmap_add(&m, new_status, me_copy);
k5_mutex_unlock(&mutex);
if (err) {
- if (me_copy.mech.length)
- free(me_copy.mech.elements);
+ if (me_copy.mech.length)
+ free(me_copy.mech.elements);
}
#ifdef DEBUG
fprintf(f, "%s: mapping ", __func__);
if (f != stderr) fclose(f);
#endif
if (err)
- return 0;
+ return 0;
else
- return new_status;
+ return new_status;
}
static gss_OID_desc no_oid = { 0, 0 };
}
int gssint_mecherrmap_get(OM_uint32 minor, gss_OID mech_oid,
- OM_uint32 *mech_minor)
+ OM_uint32 *mech_minor)
{
const struct mecherror *p;
int err;
if (minor == 0) {
- return EINVAL;
+ return EINVAL;
}
err = k5_mutex_lock(&mutex);
if (err)
- return err;
+ return err;
p = mecherrmap_findleft(&m, minor);
k5_mutex_unlock(&mutex);
if (!p) {
- return EINVAL;
+ return EINVAL;
}
*mech_oid = p->mech;
*mech_minor = p->code;
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#define MAXHOSTNAMELEN 64
#endif
-char *g_local_host_name()
+char *
+g_local_host_name(void)
{
- char buf[MAXHOSTNAMELEN+1], *ptr;
+ char buf[MAXHOSTNAMELEN+1], *ptr;
- if (gethostname(buf, sizeof(buf)) < 0)
- return 0;
+ if (gethostname(buf, sizeof(buf)) < 0)
+ return 0;
- buf[sizeof(buf)-1] = '\0';
+ buf[sizeof(buf)-1] = '\0';
- if (! (ptr = xmalloc(strlen(buf) + 1)))
- return 0;
+ if (! (ptr = xmalloc(strlen(buf) + 1)))
+ return 0;
- return strcpy(ptr, buf);
+ return strcpy(ptr, buf);
}
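Review bot: g_local_host_name returns a silently truncated host name when the real name is longer than MAXHOSTNAMELEN: gethostname() may fill the buffer without a terminator, the store at `buf[sizeof(buf)-1] = '\0'` makes the later strcpy safe, but nothing tells the caller the name is incomplete. The fallback `#define MAXHOSTNAMELEN 64` just above (presumably under an #ifndef whose guard is outside the hunk) makes that more likely on platforms that do not define the macro themselves. Since the commit is already rewriting the prototype, a contract comment above it would help: `/* Returns a malloc'd copy of the local host name, or NULL on failure; names longer than MAXHOSTNAMELEN are truncated. */`. As a point of style, the two `return 0;` statements return a pointer and would read better as `return NULL;`.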
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#define QUEUE_LENGTH 20
typedef struct _queue {
- int do_replay;
- int do_sequence;
- int start;
- int length;
- gssint_uint64 firstnum;
- /* Stored as deltas from firstnum. This way, the high bit won't
- overflow unless we've actually gone through 2**n messages, or
- gotten something *way* out of sequence. */
- gssint_uint64 elem[QUEUE_LENGTH];
- /* All ones for 64-bit sequence numbers; 32 ones for 32-bit
- sequence numbers. */
- gssint_uint64 mask;
+ int do_replay;
+ int do_sequence;
+ int start;
+ int length;
+ gssint_uint64 firstnum;
+ /* Stored as deltas from firstnum. This way, the high bit won't
+ overflow unless we've actually gone through 2**n messages, or
+ gotten something *way* out of sequence. */
+ gssint_uint64 elem[QUEUE_LENGTH];
+ /* All ones for 64-bit sequence numbers; 32 ones for 32-bit
+ sequence numbers. */
+ gssint_uint64 mask;
} queue;
/* rep invariant:
static void
queue_insert(queue *q, int after, gssint_uint64 seqnum)
{
- /* insert. this is not the fastest way, but it's easy, and it's
- optimized for insert at end, which is the common case */
- int i;
+ /* insert. this is not the fastest way, but it's easy, and it's
+ optimized for insert at end, which is the common case */
+ int i;
- /* common case: at end, after == q->start+q->length-1 */
+ /* common case: at end, after == q->start+q->length-1 */
- /* move all the elements (after,last] up one slot */
+ /* move all the elements (after,last] up one slot */
- for (i=q->start+q->length-1; i>after; i--)
- QELEM(q,i+1) = QELEM(q,i);
+ for (i=q->start+q->length-1; i>after; i--)
+ QELEM(q,i+1) = QELEM(q,i);
- /* fill in slot after+1 */
+ /* fill in slot after+1 */
- QELEM(q,after+1) = seqnum;
+ QELEM(q,after+1) = seqnum;
- /* Either increase the length by one, or move the starting point up
- one (deleting the first element, which got bashed above), as
- appropriate. */
+ /* Either increase the length by one, or move the starting point up
+ one (deleting the first element, which got bashed above), as
+ appropriate. */
- if (q->length == QSIZE(q)) {
- q->start++;
- if (q->start == QSIZE(q))
- q->start = 0;
- } else {
- q->length++;
- }
+ if (q->length == QSIZE(q)) {
+ q->start++;
+ if (q->start == QSIZE(q))
+ q->start = 0;
+ } else {
+ q->length++;
+ }
}
gss_int32
g_order_init(void **vqueue, gssint_uint64 seqnum,
- int do_replay, int do_sequence, int wide_nums)
+ int do_replay, int do_sequence, int wide_nums)
{
- queue *q;
+ queue *q;
- if ((q = (queue *) malloc(sizeof(queue))) == NULL)
- return(ENOMEM);
+ if ((q = (queue *) malloc(sizeof(queue))) == NULL)
+ return(ENOMEM);
- /* This stops valgrind from complaining about writing uninitialized
- data if the caller exports the context and writes it to a file.
- We don't actually use those bytes at all, but valgrind still
- complains. */
- memset(q, 0xfe, sizeof(*q));
+ /* This stops valgrind from complaining about writing uninitialized
+ data if the caller exports the context and writes it to a file.
+ We don't actually use those bytes at all, but valgrind still
+ complains. */
+ memset(q, 0xfe, sizeof(*q));
- q->do_replay = do_replay;
- q->do_sequence = do_sequence;
- q->mask = wide_nums ? ~(gssint_uint64)0 : 0xffffffffUL;
+ q->do_replay = do_replay;
+ q->do_sequence = do_sequence;
+ q->mask = wide_nums ? ~(gssint_uint64)0 : 0xffffffffUL;
- q->start = 0;
- q->length = 1;
- q->firstnum = seqnum;
- q->elem[q->start] = ((gssint_uint64)0 - 1) & q->mask;
+ q->start = 0;
+ q->length = 1;
+ q->firstnum = seqnum;
+ q->elem[q->start] = ((gssint_uint64)0 - 1) & q->mask;
- *vqueue = (void *) q;
- return(0);
+ *vqueue = (void *) q;
+ return(0);
}
gss_int32
g_order_check(void **vqueue, gssint_uint64 seqnum)
{
- queue *q;
- int i;
- gssint_uint64 expected;
-
- q = (queue *) (*vqueue);
-
- if (!q->do_replay && !q->do_sequence)
- return(GSS_S_COMPLETE);
-
- /* All checks are done relative to the initial sequence number, to
- avoid (or at least put off) the pain of wrapping. */
- seqnum -= q->firstnum;
- /* If we're only doing 32-bit values, adjust for that again.
-
- Note that this will probably be the wrong thing to if we get
- 2**32 messages sent with 32-bit sequence numbers. */
- seqnum &= q->mask;
-
- /* rule 1: expected sequence number */
-
- expected = (QELEM(q,q->start+q->length-1)+1) & q->mask;
- if (seqnum == expected) {
- queue_insert(q, q->start+q->length-1, seqnum);
- return(GSS_S_COMPLETE);
- }
-
- /* rule 2: > expected sequence number */
-
- if ((seqnum > expected)) {
- queue_insert(q, q->start+q->length-1, seqnum);
- if (q->do_replay && !q->do_sequence)
- return(GSS_S_COMPLETE);
- else
- return(GSS_S_GAP_TOKEN);
- }
-
- /* rule 3: seqnum < seqnum(first) */
-
- if ((seqnum < QELEM(q,q->start)) &&
- /* Is top bit of whatever width we're using set?
-
- We used to check for greater than or equal to firstnum, but
- (1) we've since switched to compute values relative to
- firstnum, so the lowest we can have is 0, and (2) the effect
- of the original scheme was highly dependent on whether
- firstnum was close to either side of 0. (Consider
- firstnum==0xFFFFFFFE and we miss three packets; the next
- packet is *new* but would look old.)
-
- This check should give us 2**31 or 2**63 messages "new", and
- just as many "old". That's not quite right either. */
- (seqnum & (1 + (q->mask >> 1)))
- ) {
- if (q->do_replay && !q->do_sequence)
- return(GSS_S_OLD_TOKEN);
- else
- return(GSS_S_UNSEQ_TOKEN);
- }
-
- /* rule 4+5: seqnum in [seqnum(first),seqnum(last)] */
-
- else {
- if (seqnum == QELEM(q,q->start+q->length-1))
- return(GSS_S_DUPLICATE_TOKEN);
-
- for (i=q->start; i<q->start+q->length-1; i++) {
- if (seqnum == QELEM(q,i))
- return(GSS_S_DUPLICATE_TOKEN);
- if ((seqnum > QELEM(q,i)) && (seqnum < QELEM(q,i+1))) {
- queue_insert(q, i, seqnum);
- if (q->do_replay && !q->do_sequence)
- return(GSS_S_COMPLETE);
- else
- return(GSS_S_UNSEQ_TOKEN);
- }
- }
- }
-
- /* this should never happen */
- return(GSS_S_FAILURE);
+ queue *q;
+ int i;
+ gssint_uint64 expected;
+
+ q = (queue *) (*vqueue);
+
+ if (!q->do_replay && !q->do_sequence)
+ return(GSS_S_COMPLETE);
+
+ /* All checks are done relative to the initial sequence number, to
+ avoid (or at least put off) the pain of wrapping. */
+ seqnum -= q->firstnum;
+ /* If we're only doing 32-bit values, adjust for that again.
+
+ Note that this will probably be the wrong thing to if we get
+ 2**32 messages sent with 32-bit sequence numbers. */
+ seqnum &= q->mask;
+
+ /* rule 1: expected sequence number */
+
+ expected = (QELEM(q,q->start+q->length-1)+1) & q->mask;
+ if (seqnum == expected) {
+ queue_insert(q, q->start+q->length-1, seqnum);
+ return(GSS_S_COMPLETE);
+ }
+
+ /* rule 2: > expected sequence number */
+
+ if ((seqnum > expected)) {
+ queue_insert(q, q->start+q->length-1, seqnum);
+ if (q->do_replay && !q->do_sequence)
+ return(GSS_S_COMPLETE);
+ else
+ return(GSS_S_GAP_TOKEN);
+ }
+
+ /* rule 3: seqnum < seqnum(first) */
+
+ if ((seqnum < QELEM(q,q->start)) &&
+ /* Is top bit of whatever width we're using set?
+
+ We used to check for greater than or equal to firstnum, but
+ (1) we've since switched to compute values relative to
+ firstnum, so the lowest we can have is 0, and (2) the effect
+ of the original scheme was highly dependent on whether
+ firstnum was close to either side of 0. (Consider
+ firstnum==0xFFFFFFFE and we miss three packets; the next
+ packet is *new* but would look old.)
+
+ This check should give us 2**31 or 2**63 messages "new", and
+ just as many "old". That's not quite right either. */
+ (seqnum & (1 + (q->mask >> 1)))
+ ) {
+ if (q->do_replay && !q->do_sequence)
+ return(GSS_S_OLD_TOKEN);
+ else
+ return(GSS_S_UNSEQ_TOKEN);
+ }
+
+ /* rule 4+5: seqnum in [seqnum(first),seqnum(last)] */
+
+ else {
+ if (seqnum == QELEM(q,q->start+q->length-1))
+ return(GSS_S_DUPLICATE_TOKEN);
+
+ for (i=q->start; i<q->start+q->length-1; i++) {
+ if (seqnum == QELEM(q,i))
+ return(GSS_S_DUPLICATE_TOKEN);
+ if ((seqnum > QELEM(q,i)) && (seqnum < QELEM(q,i+1))) {
+ queue_insert(q, i, seqnum);
+ if (q->do_replay && !q->do_sequence)
+ return(GSS_S_COMPLETE);
+ else
+ return(GSS_S_UNSEQ_TOKEN);
+ }
+ }
+ }
+
+ /* this should never happen */
+ return(GSS_S_FAILURE);
}
void
g_order_free(void **vqueue)
{
- queue *q;
-
- q = (queue *) (*vqueue);
+ queue *q;
- free(q);
+ q = (queue *) (*vqueue);
- *vqueue = NULL;
+ free(q);
+
+ *vqueue = NULL;
}
/*
g_queue_externalize(void *vqueue, unsigned char **buf, size_t *lenremain)
{
if (*lenremain < sizeof(queue))
- return ENOMEM;
+ return ENOMEM;
memcpy(*buf, vqueue, sizeof(queue));
*buf += sizeof(queue);
*lenremain -= sizeof(queue);
-
+
return 0;
}
void *q;
if (*lenremain < sizeof(queue))
- return EINVAL;
+ return EINVAL;
if ((q = malloc(sizeof(queue))) == 0)
- return ENOMEM;
+ return ENOMEM;
memcpy(q, *buf, sizeof(queue));
*buf += sizeof(queue);
*lenremain -= sizeof(queue);
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1995 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#include "gssapiP_generic.h"
struct _g_set_elt {
- void *key;
- void *value;
- struct _g_set_elt *next;
+ void *key;
+ void *value;
+ struct _g_set_elt *next;
};
int g_set_init(g_set_elt *s)
{
- *s = NULL;
+ *s = NULL;
- return(0);
+ return(0);
}
#if 0
int g_set_destroy(g_set_elt *s)
{
- g_set next;
+ g_set next;
- while (*s) {
- next = (*s)->next;
- free(*s);
- *s = next;
- }
+ while (*s) {
+ next = (*s)->next;
+ free(*s);
+ *s = next;
+ }
- return(0);
+ return(0);
}
#endif
int g_set_entry_add(g_set_elt *s, void *key, void *value)
{
- g_set_elt first;
+ g_set_elt first;
- if ((first = (struct _g_set_elt *) malloc(sizeof(struct _g_set_elt))) == NULL)
- return(ENOMEM);
+ if ((first = (struct _g_set_elt *) malloc(sizeof(struct _g_set_elt))) == NULL)
+ return(ENOMEM);
- first->key = key;
- first->value = value;
- first->next = *s;
+ first->key = key;
+ first->value = value;
+ first->next = *s;
- *s = first;
+ *s = first;
- return(0);
+ return(0);
}
int g_set_entry_delete(g_set_elt *s, void *key)
{
- g_set_elt *p;
+ g_set_elt *p;
- for (p=s; *p; p = &((*p)->next)) {
- if ((*p)->key == key) {
- g_set_elt next = (*p)->next;
- free(*p);
- *p = next;
+ for (p=s; *p; p = &((*p)->next)) {
+ if ((*p)->key == key) {
+ g_set_elt next = (*p)->next;
+ free(*p);
+ *p = next;
- return(0);
- }
- }
+ return(0);
+ }
+ }
- return(-1);
+ return(-1);
}
int g_set_entry_get(g_set_elt *s, void *key, void **value)
{
- g_set_elt p;
+ g_set_elt p;
- for (p = *s; p; p = p->next) {
- if (p->key == key) {
- *value = p->value;
+ for (p = *s; p; p = p->next) {
+ if (p->key == key) {
+ *value = p->value;
- return(0);
- }
- }
+ return(0);
+ }
+ }
- *value = NULL;
+ *value = NULL;
- return(-1);
+ return(-1);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
the interfaces, so the code can be fixed if the OSI namespace
balloons unexpectedly. */
-/* Each token looks like this:
-
-0x60 tag for APPLICATION 0, SEQUENCE
- (constructed, definite-length)
- <length> possible multiple bytes, need to parse/generate
- 0x06 tag for OBJECT IDENTIFIER
- <moid_length> compile-time constant string (assume 1 byte)
- <moid_bytes> compile-time constant string
- <inner_bytes> the ANY containing the application token
- bytes 0,1 are the token type
- bytes 2,n are the token data
-
-Note that the token type field is a feature of RFC 1964 mechanisms and
-is not used by other GSSAPI mechanisms. As such, a token type of -1
-is interpreted to mean that no token type should be expected or
-generated.
-
-For the purposes of this abstraction, the token "header" consists of
-the sequence tag and length octets, the mech OID DER encoding, and the
-first two inner bytes, which indicate the token type. The token
-"body" consists of everything else.
-
-*/
-
-static unsigned int der_length_size(length)
- int length;
+/*
+ * Each token looks like this:
+ * 0x60 tag for APPLICATION 0, SEQUENCE
+ * (constructed, definite-length)
+ * <length> possible multiple bytes, need to parse/generate
+ * 0x06 tag for OBJECT IDENTIFIER
+ * <moid_length> compile-time constant string (assume 1 byte)
+ * <moid_bytes> compile-time constant string
+ * <inner_bytes> the ANY containing the application token
+ * bytes 0,1 are the token type
+ * bytes 2,n are the token data
+ *
+ * Note that the token type field is a feature of RFC 1964 mechanisms and
+ * is not used by other GSSAPI mechanisms. As such, a token type of -1
+ * is interpreted to mean that no token type should be expected or
+ * generated.
+ *
+ * For the purposes of this abstraction, the token "header" consists of
+ * the sequence tag and length octets, the mech OID DER encoding, and the
+ * first two inner bytes, which indicate the token type. The token
+ * "body" consists of everything else.
+ */
+static unsigned int
+der_length_size(int length)
{
- if (length < (1<<7))
- return(1);
- else if (length < (1<<8))
- return(2);
+ if (length < (1<<7))
+ return(1);
+ else if (length < (1<<8))
+ return(2);
#if INT_MAX == 0x7fff
- else
- return(3);
+ else
+ return(3);
#else
- else if (length < (1<<16))
- return(3);
- else if (length < (1<<24))
- return(4);
- else
- return(5);
+ else if (length < (1<<16))
+ return(3);
+ else if (length < (1<<24))
+ return(4);
+ else
+ return(5);
#endif
}
-static void der_write_length(buf, length)
- unsigned char **buf;
- int length;
+static void
+der_write_length(unsigned char **buf, int length)
{
- if (length < (1<<7)) {
- *(*buf)++ = (unsigned char) length;
- } else {
- *(*buf)++ = (unsigned char) (der_length_size(length)+127);
+ if (length < (1<<7)) {
+ *(*buf)++ = (unsigned char) length;
+ } else {
+ *(*buf)++ = (unsigned char) (der_length_size(length)+127);
#if INT_MAX > 0x7fff
- if (length >= (1<<24))
- *(*buf)++ = (unsigned char) (length>>24);
- if (length >= (1<<16))
- *(*buf)++ = (unsigned char) ((length>>16)&0xff);
+ if (length >= (1<<24))
+ *(*buf)++ = (unsigned char) (length>>24);
+ if (length >= (1<<16))
+ *(*buf)++ = (unsigned char) ((length>>16)&0xff);
#endif
- if (length >= (1<<8))
- *(*buf)++ = (unsigned char) ((length>>8)&0xff);
- *(*buf)++ = (unsigned char) (length&0xff);
- }
+ if (length >= (1<<8))
+ *(*buf)++ = (unsigned char) ((length>>8)&0xff);
+ *(*buf)++ = (unsigned char) (length&0xff);
+ }
}
/* returns decoded length, or < 0 on failure. Advances buf and
decrements bufsize */
-static int der_read_length(buf, bufsize)
- unsigned char **buf;
- int *bufsize;
+static int
+der_read_length(unsigned char **buf, int *bufsize)
{
- unsigned char sf;
- int ret;
-
- if (*bufsize < 1)
- return(-1);
- sf = *(*buf)++;
- (*bufsize)--;
- if (sf & 0x80) {
- if ((sf &= 0x7f) > ((*bufsize)-1))
- return(-1);
- if (sf > sizeof(int))
- return (-1);
- ret = 0;
- for (; sf; sf--) {
- ret = (ret<<8) + (*(*buf)++);
- (*bufsize)--;
- }
- } else {
- ret = sf;
- }
-
- return(ret);
+ unsigned char sf;
+ int ret;
+
+ if (*bufsize < 1)
+ return(-1);
+ sf = *(*buf)++;
+ (*bufsize)--;
+ if (sf & 0x80) {
+ if ((sf &= 0x7f) > ((*bufsize)-1))
+ return(-1);
+ if (sf > sizeof(int))
+ return (-1);
+ ret = 0;
+ for (; sf; sf--) {
+ ret = (ret<<8) + (*(*buf)++);
+ (*bufsize)--;
+ }
+ } else {
+ ret = sf;
+ }
+
+ return(ret);
}
/* returns the length of a token, given the mech oid and the body size */
-unsigned int g_token_size(mech, body_size)
- const gss_OID_desc * mech;
- unsigned int body_size;
+unsigned int
+g_token_size(const gss_OID_desc * mech, unsigned int body_size)
{
- /* set body_size to sequence contents size */
- body_size += 4 + (int) mech->length; /* NEED overflow check */
- return(1 + der_length_size(body_size) + body_size);
+ /* set body_size to sequence contents size */
+ body_size += 4 + (int) mech->length; /* NEED overflow check */
+ return(1 + der_length_size(body_size) + body_size);
}
/* fills in a buffer with the token header. The buffer is assumed to
be the right size. buf is advanced past the token header */
-void g_make_token_header(mech, body_size, buf, tok_type)
- const gss_OID_desc * mech;
- unsigned int body_size;
- unsigned char **buf;
- int tok_type;
+void
+g_make_token_header(
+ const gss_OID_desc * mech,
+ unsigned int body_size,
+ unsigned char **buf,
+ int tok_type)
{
- *(*buf)++ = 0x60;
- der_write_length(buf, (tok_type == -1) ?2:4 + mech->length + body_size);
- *(*buf)++ = 0x06;
- *(*buf)++ = (unsigned char) mech->length;
- TWRITE_STR(*buf, mech->elements, mech->length);
- if (tok_type != -1) {
- *(*buf)++ = (unsigned char) ((tok_type>>8)&0xff);
- *(*buf)++ = (unsigned char) (tok_type&0xff);
- }
+ *(*buf)++ = 0x60;
+ der_write_length(buf, (tok_type == -1) ?2:4 + mech->length + body_size);
+ *(*buf)++ = 0x06;
+ *(*buf)++ = (unsigned char) mech->length;
+ TWRITE_STR(*buf, mech->elements, mech->length);
+ if (tok_type != -1) {
+ *(*buf)++ = (unsigned char) ((tok_type>>8)&0xff);
+ *(*buf)++ = (unsigned char) (tok_type&0xff);
+ }
}
/*
* *body_size are left unmodified on error.
*/
-gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in,
- wrapper_required)
- const gss_OID_desc * mech;
- unsigned int *body_size;
- unsigned char **buf_in;
- int tok_type;
- unsigned int toksize_in;
- int wrapper_required;
+gss_int32
+g_verify_token_header(
+ const gss_OID_desc * mech,
+ unsigned int *body_size,
+ unsigned char **buf_in,
+ int tok_type,
+ unsigned int toksize_in,
+ int wrapper_required)
{
- unsigned char *buf = *buf_in;
- int seqsize;
- gss_OID_desc toid;
- int toksize = toksize_in;
-
- if ((toksize-=1) < 0)
- return(G_BAD_TOK_HEADER);
- if (*buf++ != 0x60) {
- if (wrapper_required)
- return(G_BAD_TOK_HEADER);
- buf--;
- toksize++;
- goto skip_wrapper;
- }
-
- if ((seqsize = der_read_length(&buf, &toksize)) < 0)
- return(G_BAD_TOK_HEADER);
-
- if (seqsize != toksize)
- return(G_BAD_TOK_HEADER);
-
- if ((toksize-=1) < 0)
- return(G_BAD_TOK_HEADER);
- if (*buf++ != 0x06)
- return(G_BAD_TOK_HEADER);
-
- if ((toksize-=1) < 0)
- return(G_BAD_TOK_HEADER);
- toid.length = *buf++;
-
- if ((toksize-=toid.length) < 0)
- return(G_BAD_TOK_HEADER);
- toid.elements = buf;
- buf+=toid.length;
-
- if (! g_OID_equal(&toid, mech))
- return G_WRONG_MECH;
+ unsigned char *buf = *buf_in;
+ int seqsize;
+ gss_OID_desc toid;
+ int toksize = toksize_in;
+
+ if ((toksize-=1) < 0)
+ return(G_BAD_TOK_HEADER);
+ if (*buf++ != 0x60) {
+ if (wrapper_required)
+ return(G_BAD_TOK_HEADER);
+ buf--;
+ toksize++;
+ goto skip_wrapper;
+ }
+
+ if ((seqsize = der_read_length(&buf, &toksize)) < 0)
+ return(G_BAD_TOK_HEADER);
+
+ if (seqsize != toksize)
+ return(G_BAD_TOK_HEADER);
+
+ if ((toksize-=1) < 0)
+ return(G_BAD_TOK_HEADER);
+ if (*buf++ != 0x06)
+ return(G_BAD_TOK_HEADER);
+
+ if ((toksize-=1) < 0)
+ return(G_BAD_TOK_HEADER);
+ toid.length = *buf++;
+
+ if ((toksize-=toid.length) < 0)
+ return(G_BAD_TOK_HEADER);
+ toid.elements = buf;
+ buf+=toid.length;
+
+ if (! g_OID_equal(&toid, mech))
+ return G_WRONG_MECH;
skip_wrapper:
- if (tok_type != -1) {
- if ((toksize-=2) < 0)
- return(G_BAD_TOK_HEADER);
-
- if ((*buf++ != ((tok_type>>8)&0xff)) ||
- (*buf++ != (tok_type&0xff)))
- return(G_WRONG_TOKID);
- }
- *buf_in = buf;
- *body_size = toksize;
-
- return 0;
+ if (tok_type != -1) {
+ if ((toksize-=2) < 0)
+ return(G_BAD_TOK_HEADER);
+
+ if ((*buf++ != ((tok_type>>8)&0xff)) ||
+ (*buf++ != (tok_type&0xff)))
+ return(G_WRONG_TOKID);
+ }
+ *buf_in = buf;
+ *body_size = toksize;
+
+ return 0;
}
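Review bot: The length written by g_make_token_header is wrong when tok_type == -1: `(tok_type == -1) ?2:4 + mech->length + body_size` binds as `(tok_type == -1) ? 2 : (4 + mech->length + body_size)`, so a token without a type field gets a DER length of 2 that covers neither the OID nor the body, and the `seqsize != toksize` check in g_verify_token_header would reject such a token on the receiving side. The intended expression is `der_write_length(buf, ((tok_type == -1) ? 2 : 4) + mech->length + body_size);`. Separately, der_read_length admits `sf == sizeof(int)` length octets, so a four-octet length whose first octet has the top bit set makes `ret<<8` overflow a signed int (undefined behavior, even if common targets happen to produce the negative value the caller rejects); rejecting `sf >= sizeof(int)`, or accumulating in an unsigned and refusing values above INT_MAX, would keep the parse in defined territory. The `/* NEED overflow check */` in g_token_size is carried over unchanged, and an unsigned wrap of body_size there can hand g_make_token_header a buffer smaller than the header and body it writes.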
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
static const DBT dbtone = { (void *) &one, sizeof(one) };
typedef struct _vkey {
- int type;
- void *ptr;
+ int type;
+ void *ptr;
} vkey;
#endif
-#define V_NAME 1
-#define V_CRED_ID 2
-#define V_CTX_ID 3
-#define V_LCTX_ID 4
+#define V_NAME 1
+#define V_CRED_ID 2
+#define V_CTX_ID 3
+#define V_LCTX_ID 4
/* All these functions return 0 on failure, and non-zero on success */
static int g_save(db, type, ptr)
- g_set *db;
+ g_set *db;
#ifdef HAVE_BSD_DB
- int type;
+ int type;
#else
- void *type;
+ void *type;
#endif
- void *ptr;
+ void *ptr;
{
- int ret;
+ int ret;
#ifdef HAVE_BSD_DB
- DB **vdb;
- vkey vk;
- DBT key;
+ DB **vdb;
+ vkey vk;
+ DBT key;
- ret = gssint_initialize_library();
- if (ret)
- return 0;
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
+ ret = gssint_initialize_library();
+ if (ret)
+ return 0;
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
- vdb = (DB **) &db->data;
+ vdb = (DB **) &db->data;
- if (!*vdb)
- *vdb = dbopen(NULL, O_CREAT|O_RDWR, O_CREAT|O_RDWR, DB_HASH, NULL);
+ if (!*vdb)
+ *vdb = dbopen(NULL, O_CREAT|O_RDWR, O_CREAT|O_RDWR, DB_HASH, NULL);
- vk.type = type;
- vk.ptr = ptr;
+ vk.type = type;
+ vk.ptr = ptr;
- key.data = &vk;
- key.size = sizeof(vk);
+ key.data = &vk;
+ key.size = sizeof(vk);
- ret = ((*((*vdb)->put))(*vdb, &key, &dbtone, 0) == 0);
- k5_mutex_unlock(&db->mutex);
- return ret;
+ ret = ((*((*vdb)->put))(*vdb, &key, &dbtone, 0) == 0);
+ k5_mutex_unlock(&db->mutex);
+ return ret;
#else
- g_set_elt *gs;
-
- ret = gssint_initialize_library();
- if (ret)
- return 0;
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
-
- gs = (g_set_elt *) &db->data;
-
- if (!*gs)
- if (g_set_init(gs)) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
-
- ret = (g_set_entry_add(gs, ptr, type) == 0);
- k5_mutex_unlock(&db->mutex);
- return ret;
+ g_set_elt *gs;
+
+ ret = gssint_initialize_library();
+ if (ret)
+ return 0;
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
+
+ gs = (g_set_elt *) &db->data;
+
+ if (!*gs)
+ if (g_set_init(gs)) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
+
+ ret = (g_set_entry_add(gs, ptr, type) == 0);
+ k5_mutex_unlock(&db->mutex);
+ return ret;
#endif
}
static int g_validate(db, type, ptr)
- g_set *db;
+ g_set *db;
#ifdef HAVE_BSD_DB
- int type;
+ int type;
#else
- void *type;
+ void *type;
#endif
- void *ptr;
+ void *ptr;
{
- int ret;
+ int ret;
#ifdef HAVE_BSD_DB
- DB **vdb;
- vkey vk;
- DBT key, value;
-
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
-
- vdb = (DB **) &db->data;
- if (!*vdb) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
-
- vk.type = type;
- vk.ptr = ptr;
-
- key.data = &vk;
- key.size = sizeof(vk);
-
- if ((*((*vdb)->get))(*vdb, &key, &value, 0)) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
-
- k5_mutex_unlock(&db->mutex);
- return((value.size == sizeof(one)) &&
- (*((int *) value.data) == one));
+ DB **vdb;
+ vkey vk;
+ DBT key, value;
+
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
+
+ vdb = (DB **) &db->data;
+ if (!*vdb) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
+
+ vk.type = type;
+ vk.ptr = ptr;
+
+ key.data = &vk;
+ key.size = sizeof(vk);
+
+ if ((*((*vdb)->get))(*vdb, &key, &value, 0)) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
+
+ k5_mutex_unlock(&db->mutex);
+ return((value.size == sizeof(one)) &&
+ (*((int *) value.data) == one));
#else
- g_set_elt *gs;
- void *value;
-
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
-
- gs = (g_set_elt *) &db->data;
- if (!*gs) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
-
- if (g_set_entry_get(gs, ptr, (void **) &value)) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
- k5_mutex_unlock(&db->mutex);
- return(value == type);
+ g_set_elt *gs;
+ void *value;
+
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
+
+ gs = (g_set_elt *) &db->data;
+ if (!*gs) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
+
+ if (g_set_entry_get(gs, ptr, (void **) &value)) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
+ k5_mutex_unlock(&db->mutex);
+ return(value == type);
#endif
}
static int g_delete(db, type, ptr)
- g_set *db;
+ g_set *db;
#ifdef HAVE_BSD_DB
- int type;
+ int type;
#else
- void *type;
+ void *type;
#endif
- void *ptr;
+ void *ptr;
{
- int ret;
+ int ret;
#ifdef HAVE_BSD_DB
- DB **vdb;
- vkey vk;
- DBT key;
+ DB **vdb;
+ vkey vk;
+ DBT key;
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
- vdb = (DB **) &db->data;
- if (!*vdb) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
+ vdb = (DB **) &db->data;
+ if (!*vdb) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
- vk.type = type;
- vk.ptr = ptr;
+ vk.type = type;
+ vk.ptr = ptr;
- key.data = &vk;
- key.size = sizeof(vk);
+ key.data = &vk;
+ key.size = sizeof(vk);
- ret = ((*((*vdb)->del))(*vdb, &key, 0) == 0);
- k5_mutex_unlock(&db->mutex);
- return ret;
+ ret = ((*((*vdb)->del))(*vdb, &key, 0) == 0);
+ k5_mutex_unlock(&db->mutex);
+ return ret;
#else
- g_set_elt *gs;
-
- ret = k5_mutex_lock(&db->mutex);
- if (ret)
- return 0;
-
- gs = (g_set_elt *) &db->data;
- if (!*gs) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
-
- if (g_set_entry_delete(gs, ptr)) {
- k5_mutex_unlock(&db->mutex);
- return(0);
- }
- k5_mutex_unlock(&db->mutex);
- return(1);
+ g_set_elt *gs;
+
+ ret = k5_mutex_lock(&db->mutex);
+ if (ret)
+ return 0;
+
+ gs = (g_set_elt *) &db->data;
+ if (!*gs) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
+
+ if (g_set_entry_delete(gs, ptr)) {
+ k5_mutex_unlock(&db->mutex);
+ return(0);
+ }
+ k5_mutex_unlock(&db->mutex);
+ return(1);
#endif
}
/* save */
int g_save_name(vdb, name)
- g_set *vdb;
- gss_name_t name;
+ g_set *vdb;
+ gss_name_t name;
{
- return(g_save(vdb, V_NAME, (void *) name));
+ return(g_save(vdb, V_NAME, (void *) name));
}
int g_save_cred_id(vdb, cred)
- g_set *vdb;
- gss_cred_id_t cred;
+ g_set *vdb;
+ gss_cred_id_t cred;
{
- return(g_save(vdb, V_CRED_ID, (void *) cred));
+ return(g_save(vdb, V_CRED_ID, (void *) cred));
}
int g_save_ctx_id(vdb, ctx)
- g_set *vdb;
- gss_ctx_id_t ctx;
+ g_set *vdb;
+ gss_ctx_id_t ctx;
{
- return(g_save(vdb, V_CTX_ID, (void *) ctx));
+ return(g_save(vdb, V_CTX_ID, (void *) ctx));
}
int g_save_lucidctx_id(vdb, lctx)
- g_set *vdb;
- void *lctx;
+ g_set *vdb;
+ void *lctx;
{
- return(g_save(vdb, V_LCTX_ID, (void *) lctx));
+ return(g_save(vdb, V_LCTX_ID, (void *) lctx));
}
/* validate */
int g_validate_name(vdb, name)
- g_set *vdb;
- gss_name_t name;
+ g_set *vdb;
+ gss_name_t name;
{
- return(g_validate(vdb, V_NAME, (void *) name));
+ return(g_validate(vdb, V_NAME, (void *) name));
}
int g_validate_cred_id(vdb, cred)
- g_set *vdb;
- gss_cred_id_t cred;
+ g_set *vdb;
+ gss_cred_id_t cred;
{
- return(g_validate(vdb, V_CRED_ID, (void *) cred));
+ return(g_validate(vdb, V_CRED_ID, (void *) cred));
}
int g_validate_ctx_id(vdb, ctx)
- g_set *vdb;
- gss_ctx_id_t ctx;
+ g_set *vdb;
+ gss_ctx_id_t ctx;
{
- return(g_validate(vdb, V_CTX_ID, (void *) ctx));
+ return(g_validate(vdb, V_CTX_ID, (void *) ctx));
}
int g_validate_lucidctx_id(vdb, lctx)
- g_set *vdb;
- void *lctx;
+ g_set *vdb;
+ void *lctx;
{
- return(g_validate(vdb, V_LCTX_ID, (void *) lctx));
+ return(g_validate(vdb, V_LCTX_ID, (void *) lctx));
}
/* delete */
int g_delete_name(vdb, name)
- g_set *vdb;
- gss_name_t name;
+ g_set *vdb;
+ gss_name_t name;
{
- return(g_delete(vdb, V_NAME, (void *) name));
+ return(g_delete(vdb, V_NAME, (void *) name));
}
int g_delete_cred_id(vdb, cred)
- g_set *vdb;
- gss_cred_id_t cred;
+ g_set *vdb;
+ gss_cred_id_t cred;
{
- return(g_delete(vdb, V_CRED_ID, (void *) cred));
+ return(g_delete(vdb, V_CRED_ID, (void *) cred));
}
int g_delete_ctx_id(vdb, ctx)
- g_set *vdb;
- gss_ctx_id_t ctx;
+ g_set *vdb;
+ gss_ctx_id_t ctx;
{
- return(g_delete(vdb, V_CTX_ID, (void *) ctx));
+ return(g_delete(vdb, V_CTX_ID, (void *) ctx));
}
int g_delete_lucidctx_id(vdb, lctx)
- g_set *vdb;
- void *lctx;
+ g_set *vdb;
+ void *lctx;
{
- return(g_delete(vdb, V_LCTX_ID, (void *) lctx));
+ return(g_delete(vdb, V_LCTX_ID, (void *) lctx));
}
-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1990,1994 by the Massachusetts Institute of Technology.
* All Rights Reserved.
- *
+ *
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
/* save */
int g_save_name(vdb, name)
- void **vdb;
- gss_name_t *name;
+ void **vdb;
+ gss_name_t *name;
{
- return 1;
+ return 1;
}
int g_save_cred_id(vdb, cred)
- void **vdb;
- gss_cred_id_t *cred;
+ void **vdb;
+ gss_cred_id_t *cred;
{
- return 1;
+ return 1;
}
int g_save_ctx_id(vdb, ctx)
- void **vdb;
- gss_ctx_id_t *ctx;
+ void **vdb;
+ gss_ctx_id_t *ctx;
{
- return 1;
+ return 1;
}
int g_save_lucidctx_id(vdb, lctx)
- void **vdb;
- void *lctx;
+ void **vdb;
+ void *lctx;
{
- return 1;
+ return 1;
}
/* validate */
int g_validate_name(vdb, name)
- void **vdb;
- gss_name_t *name;
+ void **vdb;
+ gss_name_t *name;
{
- return 1;
+ return 1;
}
int g_validate_cred_id(vdb, cred)
- void **vdb;
- gss_cred_id_t *cred;
+ void **vdb;
+ gss_cred_id_t *cred;
{
- return 1;
+ return 1;
}
int g_validate_ctx_id(vdb, ctx)
- void **vdb;
- gss_ctx_id_t *ctx;
+ void **vdb;
+ gss_ctx_id_t *ctx;
{
- return 1;
+ return 1;
}
int g_validate_lucidctx_id(vdb, lctx)
- void **vdb;
- void *lctx;
+ void **vdb;
+ void *lctx;
{
- return 1;
+ return 1;
}
/* delete */
int g_delete_name(vdb, name)
- void **vdb;
- gss_name_t *name;
+ void **vdb;
+ gss_name_t *name;
{
- return 1;
+ return 1;
}
int g_delete_cred_id(vdb, cred)
- void **vdb;
- gss_cred_id_t *cred;
+ void **vdb;
+ gss_cred_id_t *cred;
{
- return 1;
+ return 1;
}
int g_delete_ctx_id(vdb, ctx)
- void **vdb;
- gss_ctx_id_t *ctx;
+ void **vdb;
+ gss_ctx_id_t *ctx;
{
- return 1;
+ return 1;
}
int g_delete_lucidctx_id(vdb, lctx)
- void **vdb;
- void *lctx;
+ void **vdb;
+ void *lctx;
{
- return 1;
+ return 1;
}
-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
#include <assert.h>
#include "gssapi_err_generic.h"
err = gssint_mechglue_init();
if (err)
- return err;
+ return err;
#ifndef LEAN_CLIENT
err = k5_mutex_finish_init(&gssint_krb5_keytab_lock);
if (err)
- return err;
+ return err;
#endif /* LEAN_CLIENT */
err = k5_key_register(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, free);
if (err)
- return err;
+ return err;
err = k5_key_register(K5_KEY_GSS_KRB5_CCACHE_NAME, free);
if (err)
- return err;
+ return err;
err = k5_key_register(K5_KEY_GSS_KRB5_ERROR_MESSAGE,
- krb5_gss_delete_error_info);
+ krb5_gss_delete_error_info);
if (err)
- return err;
+ return err;
err = gssint_mecherrmap_init();
if (err)
- return err;
+ return err;
#ifndef _WIN32
err = k5_mutex_finish_init(&kg_kdc_flag_mutex);
if (err)
- return err;
+ return err;
#endif
return k5_mutex_finish_init(&kg_vdb.mutex);
}
{
if (!INITIALIZER_RAN(gssint_lib_init) || PROGRAM_EXITING()) {
#ifdef SHOW_INITFINI_FUNCS
- printf("gssint_lib_fini: skipping\n");
+ printf("gssint_lib_fini: skipping\n");
#endif
- return;
+ return;
}
#ifdef SHOW_INITFINI_FUNCS
printf("gssint_lib_fini\n");
+/* -*- mode: c; indent-tabs-mode: nil -*- */
#ifndef GSSAPI_LIBINIT_H
#define GSSAPI_LIBINIT_H
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2004, 2007, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#define CFX_ACCEPTOR_SUBKEY 1
#endif
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
/* Decode, decrypt and store the forwarded creds in the local ccache. */
static krb5_error_code
krb5_ccache ccache = NULL;
krb5_gss_cred_id_t cred = NULL;
krb5_auth_context new_auth_ctx = NULL;
- krb5_int32 flags_org;
-
- if ((retval = krb5_auth_con_getflags(context, auth_context, &flags_org)))
- return retval;
- krb5_auth_con_setflags(context, auth_context,
- 0);
-
- /*
- * By the time krb5_rd_cred is called here (after krb5_rd_req has been
- * called in krb5_gss_accept_sec_context), the "keyblock" field of
- * auth_context contains a pointer to the session key, and the
- * "recv_subkey" field might contain a session subkey. Either of
- * these (the "recv_subkey" if it isn't NULL, otherwise the
- * "keyblock") might have been used to encrypt the encrypted part of
- * the KRB_CRED message that contains the forwarded credentials. (The
- * Java Crypto and Security Implementation from the DSTC in Australia
- * always uses the session key. But apparently it never negotiates a
- * subkey, so this code works fine against a JCSI client.) Up to the
- * present, though, GSSAPI clients linked against the MIT code (which
- * is almost all GSSAPI clients) don't encrypt the KRB_CRED message at
- * all -- at this level. So if the first call to krb5_rd_cred fails,
- * we should call it a second time with another auth context freshly
- * created by krb5_auth_con_init. All of its keyblock fields will be
- * NULL, so krb5_rd_cred will assume that the KRB_CRED message is
- * unencrypted. (The MIT code doesn't actually send the KRB_CRED
- * message in the clear -- the "authenticator" whose "checksum" ends up
- * containing the KRB_CRED message does get encrypted.)
- */
- if (krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) {
- if ((retval = krb5_auth_con_init(context, &new_auth_ctx)))
- goto cleanup;
- krb5_auth_con_setflags(context, new_auth_ctx, 0);
- if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf,
- &creds, NULL)))
- goto cleanup;
- }
+ krb5_int32 flags_org;
+
+ if ((retval = krb5_auth_con_getflags(context, auth_context, &flags_org)))
+ return retval;
+ krb5_auth_con_setflags(context, auth_context,
+ 0);
+
+ /*
+ * By the time krb5_rd_cred is called here (after krb5_rd_req has been
+ * called in krb5_gss_accept_sec_context), the "keyblock" field of
+ * auth_context contains a pointer to the session key, and the
+ * "recv_subkey" field might contain a session subkey. Either of
+ * these (the "recv_subkey" if it isn't NULL, otherwise the
+ * "keyblock") might have been used to encrypt the encrypted part of
+ * the KRB_CRED message that contains the forwarded credentials. (The
+ * Java Crypto and Security Implementation from the DSTC in Australia
+ * always uses the session key. But apparently it never negotiates a
+ * subkey, so this code works fine against a JCSI client.) Up to the
+ * present, though, GSSAPI clients linked against the MIT code (which
+ * is almost all GSSAPI clients) don't encrypt the KRB_CRED message at
+ * all -- at this level. So if the first call to krb5_rd_cred fails,
+ * we should call it a second time with another auth context freshly
+ * created by krb5_auth_con_init. All of its keyblock fields will be
+ * NULL, so krb5_rd_cred will assume that the KRB_CRED message is
+ * unencrypted. (The MIT code doesn't actually send the KRB_CRED
+ * message in the clear -- the "authenticator" whose "checksum" ends up
+ * containing the KRB_CRED message does get encrypted.)
+ */
+ if (krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) {
+ if ((retval = krb5_auth_con_init(context, &new_auth_ctx)))
+ goto cleanup;
+ krb5_auth_con_setflags(context, new_auth_ctx, 0);
+ if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf,
+ &creds, NULL)))
+ goto cleanup;
+ }
if ((retval = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
- ccache = NULL;
+ ccache = NULL;
goto cleanup;
}
if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client)))
- goto cleanup;
+ goto cleanup;
if ((retval = krb5_cc_store_cred(context, ccache, creds[0])))
- goto cleanup;
+ goto cleanup;
/* generate a delegated credential handle */
if (out_cred) {
- /* allocate memory for a cred_t... */
- if (!(cred =
- (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))) {
- retval = ENOMEM; /* out of memory? */
- goto cleanup;
- }
-
- /* zero it out... */
- memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
-
- retval = k5_mutex_init(&cred->lock);
- if (retval) {
- xfree(cred);
- cred = NULL;
- goto cleanup;
- }
-
- /* copy the client principle into it... */
- if ((retval =
- krb5_copy_principal(context, creds[0]->client, &(cred->princ)))) {
- k5_mutex_destroy(&cred->lock);
- retval = ENOMEM; /* out of memory? */
- xfree(cred); /* clean up memory on failure */
- cred = NULL;
- goto cleanup;
- }
-
- cred->usage = GSS_C_INITIATE; /* we can't accept with this */
- /* cred->princ already set */
- cred->prerfc_mech = 1; /* this cred will work with all three mechs */
- cred->rfc_mech = 1;
- cred->keytab = NULL; /* no keytab associated with this... */
- cred->tgt_expire = creds[0]->times.endtime; /* store the end time */
- cred->ccache = ccache; /* the ccache containing the credential */
- ccache = NULL; /* cred takes ownership so don't destroy */
+ /* allocate memory for a cred_t... */
+ if (!(cred =
+ (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))) {
+ retval = ENOMEM; /* out of memory? */
+ goto cleanup;
+ }
+
+ /* zero it out... */
+ memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
+
+ retval = k5_mutex_init(&cred->lock);
+ if (retval) {
+ xfree(cred);
+ cred = NULL;
+ goto cleanup;
+ }
+
+ /* copy the client principle into it... */
+ if ((retval =
+ krb5_copy_principal(context, creds[0]->client, &(cred->princ)))) {
+ k5_mutex_destroy(&cred->lock);
+ retval = ENOMEM; /* out of memory? */
+ xfree(cred); /* clean up memory on failure */
+ cred = NULL;
+ goto cleanup;
+ }
+
+ cred->usage = GSS_C_INITIATE; /* we can't accept with this */
+ /* cred->princ already set */
+ cred->prerfc_mech = 1; /* this cred will work with all three mechs */
+ cred->rfc_mech = 1;
+ cred->keytab = NULL; /* no keytab associated with this... */
+ cred->tgt_expire = creds[0]->times.endtime; /* store the end time */
+ cred->ccache = ccache; /* the ccache containing the credential */
+ ccache = NULL; /* cred takes ownership so don't destroy */
}
/* If there were errors, there might have been a memory leak
*/
cleanup:
if (creds)
- krb5_free_tgt_creds(context, creds);
+ krb5_free_tgt_creds(context, creds);
if (ccache)
- (void)krb5_cc_destroy(context, ccache);
+ (void)krb5_cc_destroy(context, ccache);
if (out_cred)
- *out_cred = cred; /* return credential */
+ *out_cred = cred; /* return credential */
if (new_auth_ctx)
- krb5_auth_con_free(context, new_auth_ctx);
+ krb5_auth_con_free(context, new_auth_ctx);
krb5_auth_con_setflags(context, auth_context, flags_org);
OM_uint32
-krb5_gss_accept_sec_context(minor_status, context_handle,
- verifier_cred_handle, input_token,
- input_chan_bindings, src_name, mech_type,
- output_token, ret_flags, time_rec,
- delegated_cred_handle)
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_cred_id_t verifier_cred_handle;
- gss_buffer_t input_token;
- gss_channel_bindings_t input_chan_bindings;
- gss_name_t *src_name;
- gss_OID *mech_type;
- gss_buffer_t output_token;
- OM_uint32 *ret_flags;
- OM_uint32 *time_rec;
- gss_cred_id_t *delegated_cred_handle;
+krb5_gss_accept_sec_context(minor_status, context_handle,
+ verifier_cred_handle, input_token,
+ input_chan_bindings, src_name, mech_type,
+ output_token, ret_flags, time_rec,
+ delegated_cred_handle)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_cred_id_t verifier_cred_handle;
+ gss_buffer_t input_token;
+ gss_channel_bindings_t input_chan_bindings;
+ gss_name_t *src_name;
+ gss_OID *mech_type;
+ gss_buffer_t output_token;
+ OM_uint32 *ret_flags;
+ OM_uint32 *time_rec;
+ gss_cred_id_t *delegated_cred_handle;
{
- krb5_context context;
- unsigned char *ptr, *ptr2;
- char *sptr;
- long tmp;
- size_t md5len;
- int bigend;
- krb5_gss_cred_id_t cred = 0;
- krb5_data ap_rep, ap_req;
- unsigned int i;
- krb5_error_code code;
- krb5_address addr, *paddr;
- krb5_authenticator *authdat = 0;
- krb5_checksum reqcksum;
- krb5_principal name = NULL;
- krb5_ui_4 gss_flags = 0;
- int decode_req_message = 0;
- krb5_gss_ctx_id_rec *ctx = 0;
- krb5_timestamp now;
- gss_buffer_desc token;
- krb5_auth_context auth_context = NULL;
- krb5_ticket * ticket = NULL;
- int option_id;
- krb5_data option;
- const gss_OID_desc *mech_used = NULL;
- OM_uint32 major_status = GSS_S_FAILURE;
- OM_uint32 tmp_minor_status;
- krb5_error krb_error_data;
- krb5_data scratch;
- gss_cred_id_t cred_handle = NULL;
- krb5_gss_cred_id_t deleg_cred = NULL;
- krb5int_access kaccess;
- int cred_rcache = 0;
-
- code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (code) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- /* set up returns to be freeable */
-
- if (src_name)
- *src_name = (gss_name_t) NULL;
- output_token->length = 0;
- output_token->value = NULL;
- token.value = 0;
- reqcksum.contents = 0;
- ap_req.data = 0;
- ap_rep.data = 0;
-
- if (mech_type)
- *mech_type = GSS_C_NULL_OID;
- /* return a bogus cred handle */
- if (delegated_cred_handle)
- *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
-
- /*
- * Context handle must be unspecified. Actually, it must be
- * non-established, but currently, accept_sec_context never returns
- * a non-established context handle.
- */
- /*SUPPRESS 29*/
- if (*context_handle != GSS_C_NO_CONTEXT) {
- *minor_status = EINVAL;
- save_error_string(EINVAL, "accept_sec_context called with existing context handle");
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-
- /* handle default cred handle */
- if (verifier_cred_handle == GSS_C_NO_CREDENTIAL) {
- major_status = krb5_gss_acquire_cred(minor_status, GSS_C_NO_NAME,
- GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
- GSS_C_ACCEPT, &cred_handle,
- NULL, NULL);
- if (major_status != GSS_S_COMPLETE) {
- code = *minor_status;
- goto fail;
- }
- } else {
- major_status = krb5_gss_validate_cred(minor_status,
- verifier_cred_handle);
- if (GSS_ERROR(major_status)) {
- code = *minor_status;
- goto fail;
- }
- cred_handle = verifier_cred_handle;
- }
-
- cred = (krb5_gss_cred_id_t) cred_handle;
-
- /* make sure the supplied credentials are valid for accept */
-
- if ((cred->usage != GSS_C_ACCEPT) &&
- (cred->usage != GSS_C_BOTH)) {
- code = 0;
- major_status = GSS_S_NO_CRED;
- goto fail;
- }
-
- /* verify the token's integrity, and leave the token in ap_req.
- figure out which mech oid was used, and save it */
-
- ptr = (unsigned char *) input_token->value;
-
- if (!(code = g_verify_token_header(gss_mech_krb5,
- &(ap_req.length),
- &ptr, KG_TOK_CTX_AP_REQ,
- input_token->length, 1))) {
- mech_used = gss_mech_krb5;
- } else if ((code == G_WRONG_MECH)
- &&!(code = g_verify_token_header((gss_OID) gss_mech_krb5_wrong,
- &(ap_req.length),
- &ptr, KG_TOK_CTX_AP_REQ,
- input_token->length, 1))) {
- mech_used = gss_mech_krb5_wrong;
- } else if ((code == G_WRONG_MECH) &&
- !(code = g_verify_token_header(gss_mech_krb5_old,
- &(ap_req.length),
- &ptr, KG_TOK_CTX_AP_REQ,
- input_token->length, 1))) {
- /*
- * Previous versions of this library used the old mech_id
- * and some broken behavior (wrong IV on checksum
- * encryption). We support the old mech_id for
- * compatibility, and use it to decide when to use the
- * old behavior.
- */
- mech_used = gss_mech_krb5_old;
- } else if (code == G_WRONG_TOKID) {
- major_status = GSS_S_CONTINUE_NEEDED;
- code = KRB5KRB_AP_ERR_MSG_TYPE;
- mech_used = gss_mech_krb5;
- goto fail;
- } else {
- major_status = GSS_S_DEFECTIVE_TOKEN;
- goto fail;
- }
-
- sptr = (char *) ptr;
- TREAD_STR(sptr, ap_req.data, ap_req.length);
- decode_req_message = 1;
-
- /* construct the sender_addr */
-
- if ((input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) &&
- (input_chan_bindings->initiator_addrtype == GSS_C_AF_INET)) {
- /* XXX is this right? */
- addr.addrtype = ADDRTYPE_INET;
- addr.length = input_chan_bindings->initiator_address.length;
- addr.contents = input_chan_bindings->initiator_address.value;
-
- paddr = &addr;
- } else {
- paddr = NULL;
- }
-
- /* decode the AP_REQ message */
-
- /* decode the message */
-
- if ((code = krb5_auth_con_init(context, &auth_context))) {
- major_status = GSS_S_FAILURE;
- save_error_info(code, context);
- goto fail;
- }
- if (cred->rcache) {
- cred_rcache = 1;
- if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
- if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
- cred->keytab, NULL, &ticket))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- krb5_auth_con_setflags(context, auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
-
- krb5_auth_con_getauthenticator(context, auth_context, &authdat);
+ krb5_context context;
+ unsigned char *ptr, *ptr2;
+ char *sptr;
+ long tmp;
+ size_t md5len;
+ int bigend;
+ krb5_gss_cred_id_t cred = 0;
+ krb5_data ap_rep, ap_req;
+ unsigned int i;
+ krb5_error_code code;
+ krb5_address addr, *paddr;
+ krb5_authenticator *authdat = 0;
+ krb5_checksum reqcksum;
+ krb5_principal name = NULL;
+ krb5_ui_4 gss_flags = 0;
+ int decode_req_message = 0;
+ krb5_gss_ctx_id_rec *ctx = 0;
+ krb5_timestamp now;
+ gss_buffer_desc token;
+ krb5_auth_context auth_context = NULL;
+ krb5_ticket * ticket = NULL;
+ int option_id;
+ krb5_data option;
+ const gss_OID_desc *mech_used = NULL;
+ OM_uint32 major_status = GSS_S_FAILURE;
+ OM_uint32 tmp_minor_status;
+ krb5_error krb_error_data;
+ krb5_data scratch;
+ gss_cred_id_t cred_handle = NULL;
+ krb5_gss_cred_id_t deleg_cred = NULL;
+ krb5int_access kaccess;
+ int cred_rcache = 0;
+
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ /* set up returns to be freeable */
+
+ if (src_name)
+ *src_name = (gss_name_t) NULL;
+ output_token->length = 0;
+ output_token->value = NULL;
+ token.value = 0;
+ reqcksum.contents = 0;
+ ap_req.data = 0;
+ ap_rep.data = 0;
+
+ if (mech_type)
+ *mech_type = GSS_C_NULL_OID;
+ /* return a bogus cred handle */
+ if (delegated_cred_handle)
+ *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+
+ /*
+ * Context handle must be unspecified. Actually, it must be
+ * non-established, but currently, accept_sec_context never returns
+ * a non-established context handle.
+ */
+ /*SUPPRESS 29*/
+ if (*context_handle != GSS_C_NO_CONTEXT) {
+ *minor_status = EINVAL;
+ save_error_string(EINVAL, "accept_sec_context called with existing context handle");
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+
+ /* handle default cred handle */
+ if (verifier_cred_handle == GSS_C_NO_CREDENTIAL) {
+ major_status = krb5_gss_acquire_cred(minor_status, GSS_C_NO_NAME,
+ GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
+ GSS_C_ACCEPT, &cred_handle,
+ NULL, NULL);
+ if (major_status != GSS_S_COMPLETE) {
+ code = *minor_status;
+ goto fail;
+ }
+ } else {
+ major_status = krb5_gss_validate_cred(minor_status,
+ verifier_cred_handle);
+ if (GSS_ERROR(major_status)) {
+ code = *minor_status;
+ goto fail;
+ }
+ cred_handle = verifier_cred_handle;
+ }
+
+ cred = (krb5_gss_cred_id_t) cred_handle;
+
+ /* make sure the supplied credentials are valid for accept */
+
+ if ((cred->usage != GSS_C_ACCEPT) &&
+ (cred->usage != GSS_C_BOTH)) {
+ code = 0;
+ major_status = GSS_S_NO_CRED;
+ goto fail;
+ }
+
+ /* verify the token's integrity, and leave the token in ap_req.
+ figure out which mech oid was used, and save it */
+
+ ptr = (unsigned char *) input_token->value;
+
+ if (!(code = g_verify_token_header(gss_mech_krb5,
+ &(ap_req.length),
+ &ptr, KG_TOK_CTX_AP_REQ,
+ input_token->length, 1))) {
+ mech_used = gss_mech_krb5;
+ } else if ((code == G_WRONG_MECH)
+ &&!(code = g_verify_token_header((gss_OID) gss_mech_krb5_wrong,
+ &(ap_req.length),
+ &ptr, KG_TOK_CTX_AP_REQ,
+ input_token->length, 1))) {
+ mech_used = gss_mech_krb5_wrong;
+ } else if ((code == G_WRONG_MECH) &&
+ !(code = g_verify_token_header(gss_mech_krb5_old,
+ &(ap_req.length),
+ &ptr, KG_TOK_CTX_AP_REQ,
+ input_token->length, 1))) {
+ /*
+ * Previous versions of this library used the old mech_id
+ * and some broken behavior (wrong IV on checksum
+ * encryption). We support the old mech_id for
+ * compatibility, and use it to decide when to use the
+ * old behavior.
+ */
+ mech_used = gss_mech_krb5_old;
+ } else if (code == G_WRONG_TOKID) {
+ major_status = GSS_S_CONTINUE_NEEDED;
+ code = KRB5KRB_AP_ERR_MSG_TYPE;
+ mech_used = gss_mech_krb5;
+ goto fail;
+ } else {
+ major_status = GSS_S_DEFECTIVE_TOKEN;
+ goto fail;
+ }
+
+ sptr = (char *) ptr;
+ TREAD_STR(sptr, ap_req.data, ap_req.length);
+ decode_req_message = 1;
+
+ /* construct the sender_addr */
+
+ if ((input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) &&
+ (input_chan_bindings->initiator_addrtype == GSS_C_AF_INET)) {
+ /* XXX is this right? */
+ addr.addrtype = ADDRTYPE_INET;
+ addr.length = input_chan_bindings->initiator_address.length;
+ addr.contents = input_chan_bindings->initiator_address.value;
+
+ paddr = &addr;
+ } else {
+ paddr = NULL;
+ }
+
+ /* decode the AP_REQ message */
+
+ /* decode the message */
+
+ if ((code = krb5_auth_con_init(context, &auth_context))) {
+ major_status = GSS_S_FAILURE;
+ save_error_info(code, context);
+ goto fail;
+ }
+ if (cred->rcache) {
+ cred_rcache = 1;
+ if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+ if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
+ cred->keytab, NULL, &ticket))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ krb5_auth_con_setflags(context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+ krb5_auth_con_getauthenticator(context, auth_context, &authdat);
#if 0
- /* make sure the necessary parts of the authdat are present */
-
- if ((authdat->authenticator->subkey == NULL) ||
- (authdat->ticket->enc_part2 == NULL)) {
- code = KG_NO_SUBKEY;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ /* make sure the necessary parts of the authdat are present */
+
+ if ((authdat->authenticator->subkey == NULL) ||
+ (authdat->ticket->enc_part2 == NULL)) {
+ code = KG_NO_SUBKEY;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
#endif
- {
- /* gss krb5 v1 */
+ {
+ /* gss krb5 v1 */
- /* stash this now, for later. */
- code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &md5len);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ /* stash this now, for later. */
+ code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &md5len);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- /* verify that the checksum is correct */
+ /* verify that the checksum is correct */
- /*
- The checksum may be either exactly 24 bytes, in which case
- no options are specified, or greater than 24 bytes, in which case
- one or more options are specified. Currently, the only valid
- option is KRB5_GSS_FOR_CREDS_OPTION ( = 1 ).
- */
+ /*
+ The checksum may be either exactly 24 bytes, in which case
+ no options are specified, or greater than 24 bytes, in which case
+ one or more options are specified. Currently, the only valid
+ option is KRB5_GSS_FOR_CREDS_OPTION ( = 1 ).
+ */
- if ((authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) ||
- (authdat->checksum->length < 24)) {
- code = 0;
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
+ if ((authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) ||
+ (authdat->checksum->length < 24)) {
+ code = 0;
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
- /*
- "Be liberal in what you accept, and
- conservative in what you send"
- -- rfc1123
+ /*
+ "Be liberal in what you accept, and
+ conservative in what you send"
+ -- rfc1123
- This code will let this acceptor interoperate with an initiator
- using little-endian or big-endian integer encoding.
- */
+ This code will let this acceptor interoperate with an initiator
+ using little-endian or big-endian integer encoding.
+ */
- ptr = (unsigned char *) authdat->checksum->contents;
- bigend = 0;
+ ptr = (unsigned char *) authdat->checksum->contents;
+ bigend = 0;
- TREAD_INT(ptr, tmp, bigend);
+ TREAD_INT(ptr, tmp, bigend);
- if (tmp != md5len) {
- ptr = (unsigned char *) authdat->checksum->contents;
- bigend = 1;
+ if (tmp != md5len) {
+ ptr = (unsigned char *) authdat->checksum->contents;
+ bigend = 1;
- TREAD_INT(ptr, tmp, bigend);
+ TREAD_INT(ptr, tmp, bigend);
- if (tmp != md5len) {
- code = KG_BAD_LENGTH;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
+ if (tmp != md5len) {
+ code = KG_BAD_LENGTH;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
- /* at this point, bigend is set according to the initiator's
- byte order */
+ /* at this point, bigend is set according to the initiator's
+ byte order */
- /*
+ /*
The following section of code attempts to implement the
optional channel binding facility as described in RFC2743.
a checksum and compare against those provided by the
client. */
- if ((code = kg_checksum_channel_bindings(context,
- input_chan_bindings,
- &reqcksum, bigend))) {
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
-
- /* Always read the clients bindings - eventhough we might ignore them */
- TREAD_STR(ptr, ptr2, reqcksum.length);
-
- if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
- if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
- xfree(reqcksum.contents);
- reqcksum.contents = 0;
- code = 0;
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
-
- }
-
- xfree(reqcksum.contents);
- reqcksum.contents = 0;
-
- TREAD_INT(ptr, gss_flags, bigend);
+ if ((code = kg_checksum_channel_bindings(context,
+ input_chan_bindings,
+ &reqcksum, bigend))) {
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+
+ /* Always read the clients bindings - eventhough we might ignore them */
+ TREAD_STR(ptr, ptr2, reqcksum.length);
+
+ if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) {
+ if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
+ xfree(reqcksum.contents);
+ reqcksum.contents = 0;
+ code = 0;
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+
+ }
+
+ xfree(reqcksum.contents);
+ reqcksum.contents = 0;
+
+ TREAD_INT(ptr, gss_flags, bigend);
#if 0
- gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
- there's a delegation, we'll set
- it below */
+ gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
+ there's a delegation, we'll set
+ it below */
#endif
- decode_req_message = 0;
+ decode_req_message = 0;
- /* if the checksum length > 24, there are options to process */
+ /* if the checksum length > 24, there are options to process */
- if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) {
+ if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) {
- i = authdat->checksum->length - 24;
+ i = authdat->checksum->length - 24;
- if (i >= 4) {
+ if (i >= 4) {
- TREAD_INT16(ptr, option_id, bigend);
+ TREAD_INT16(ptr, option_id, bigend);
- TREAD_INT16(ptr, option.length, bigend);
+ TREAD_INT16(ptr, option.length, bigend);
- i -= 4;
+ i -= 4;
- if (i < option.length || option.length < 0) {
- code = KG_BAD_LENGTH;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ if (i < option.length || option.length < 0) {
+ code = KG_BAD_LENGTH;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- /* have to use ptr2, since option.data is wrong type and
- macro uses ptr as both lvalue and rvalue */
+ /* have to use ptr2, since option.data is wrong type and
+ macro uses ptr as both lvalue and rvalue */
- TREAD_STR(ptr, ptr2, option.length);
- option.data = (char *) ptr2;
+ TREAD_STR(ptr, ptr2, option.length);
+ option.data = (char *) ptr2;
- i -= option.length;
+ i -= option.length;
- if (option_id != KRB5_GSS_FOR_CREDS_OPTION) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ if (option_id != KRB5_GSS_FOR_CREDS_OPTION) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- /* store the delegated credential */
+ /* store the delegated credential */
- code = rd_and_store_for_creds(context, auth_context, &option,
- (delegated_cred_handle) ?
- &deleg_cred : NULL);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ code = rd_and_store_for_creds(context, auth_context, &option,
+ (delegated_cred_handle) ?
+ &deleg_cred : NULL);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
- } /* if i >= 4 */
- /* ignore any additional trailing data, for now */
+ } /* if i >= 4 */
+ /* ignore any additional trailing data, for now */
#ifdef CFX_EXERCISE
- {
- FILE *f = fopen("/tmp/gsslog", "a");
- if (f) {
- fprintf(f,
- "initial context token with delegation, %d extra bytes\n",
- i);
- fclose(f);
- }
- }
+ {
+ FILE *f = fopen("/tmp/gsslog", "a");
+ if (f) {
+ fprintf(f,
+ "initial context token with delegation, %d extra bytes\n",
+ i);
+ fclose(f);
+ }
+ }
#endif
- } else {
+ } else {
#ifdef CFX_EXERCISE
- {
- FILE *f = fopen("/tmp/gsslog", "a");
- if (f) {
- if (gss_flags & GSS_C_DELEG_FLAG)
- fprintf(f,
- "initial context token, delegation flag but too small\n");
- else
- /* no deleg flag, length might still be too big */
- fprintf(f,
- "initial context token, %d extra bytes\n",
- authdat->checksum->length - 24);
- fclose(f);
- }
- }
+ {
+ FILE *f = fopen("/tmp/gsslog", "a");
+ if (f) {
+ if (gss_flags & GSS_C_DELEG_FLAG)
+ fprintf(f,
+ "initial context token, delegation flag but too small\n");
+ else
+ /* no deleg flag, length might still be too big */
+ fprintf(f,
+ "initial context token, %d extra bytes\n",
+ authdat->checksum->length - 24);
+ fclose(f);
+ }
+ }
#endif
- }
- }
-
- /* create the ctx struct and start filling it in */
-
- if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
- == NULL) {
- code = ENOMEM;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
- ctx->mech_used = (gss_OID) mech_used;
- ctx->auth_context = auth_context;
- ctx->initiate = 0;
- ctx->gss_flags = (GSS_C_TRANS_FLAG |
- ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
- ctx->seed_init = 0;
- ctx->big_endian = bigend;
- ctx->cred_rcache = cred_rcache;
-
- /* Intern the ctx pointer so that delete_sec_context works */
- if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
- xfree(ctx);
- ctx = 0;
-
- code = G_VALIDATE_FAILED;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- if ((code = krb5_copy_principal(context, authdat->client, &ctx->there))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
- &ctx->subkey))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- /* use the session key if the subkey isn't present */
-
- if (ctx->subkey == NULL) {
- if ((code = krb5_auth_con_getkey(context, auth_context,
- &ctx->subkey))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
-
- if (ctx->subkey == NULL) {
- /* this isn't a very good error, but it's not clear to me this
- can actually happen */
- major_status = GSS_S_FAILURE;
- code = KRB5KDC_ERR_NULL_KEY;
- goto fail;
- }
-
- ctx->proto = 0;
- switch(ctx->subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_CRC:
- ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->signalg = SGN_ALG_DES_MAC_MD5;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_DES;
-
- /* fill in the encryption descriptors */
-
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- for (i=0; i<ctx->enc->length; i++)
- /*SUPPRESS 113*/
- ctx->enc->contents[i] ^= 0xf0;
-
- goto copy_subkey_to_seq;
-
- case ENCTYPE_DES3_CBC_SHA1:
- ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
- ctx->cksum_size = 20;
- ctx->sealalg = SEAL_ALG_DES3KD;
-
- /* fill in the encryption descriptors */
- copy_subkey:
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- copy_subkey_to_seq:
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- break;
-
- case ENCTYPE_ARCFOUR_HMAC:
- ctx->signalg = SGN_ALG_HMAC_MD5 ;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
- goto copy_subkey;
-
- default:
- ctx->signalg = -1;
- ctx->sealalg = -1;
- ctx->proto = 1;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
- &ctx->cksumtype);
- if (code)
- goto fail;
- code = krb5_c_checksum_length(context, ctx->cksumtype,
- &ctx->cksum_size);
- if (code)
- goto fail;
- ctx->have_acceptor_subkey = 0;
- goto copy_subkey;
- }
-
- ctx->endtime = ticket->enc_part2->times.endtime;
- ctx->krb_flags = ticket->enc_part2->flags;
-
- krb5_free_ticket(context, ticket); /* Done with ticket */
-
- {
- krb5_ui_4 seq_temp;
- krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp);
- ctx->seq_recv = seq_temp;
- }
-
- if ((code = krb5_timeofday(context, &now))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- if (ctx->endtime < now) {
- code = 0;
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
-
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
-
- /* at this point, the entire context structure is filled in,
- so it can be released. */
-
- /* generate an AP_REP if necessary */
-
- if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
- unsigned char * ptr3;
- krb5_ui_4 seq_temp;
- int cfx_generate_subkey;
-
- if (ctx->proto == 1)
- cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY;
- else
- cfx_generate_subkey = 0;
-
- if (cfx_generate_subkey) {
- krb5_int32 acflags;
- code = krb5_auth_con_getflags(context, auth_context, &acflags);
- if (code == 0) {
- acflags |= KRB5_AUTH_CONTEXT_USE_SUBKEY;
- code = krb5_auth_con_setflags(context, auth_context, acflags);
- }
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
-
- if ((code = krb5_mk_rep(context, auth_context, &ap_rep))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- krb5_auth_con_getlocalseqnumber(context, auth_context, &seq_temp);
- ctx->seq_send = seq_temp & 0xffffffffL;
-
- if (cfx_generate_subkey) {
- /* Get the new acceptor subkey. With the code above, there
- should always be one if we make it to this point. */
- code = krb5_auth_con_getsendsubkey(context, auth_context,
- &ctx->acceptor_subkey);
- if (code != 0) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
- ctx->acceptor_subkey->enctype,
- &ctx->acceptor_subkey_cksumtype);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- ctx->have_acceptor_subkey = 1;
- }
-
- /* the reply token hasn't been sent yet, but that's ok. */
- ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
- ctx->established = 1;
-
- token.length = g_token_size(mech_used, ap_rep.length);
-
- if ((token.value = (unsigned char *) xmalloc(token.length))
- == NULL) {
- major_status = GSS_S_FAILURE;
- code = ENOMEM;
- goto fail;
- }
- ptr3 = token.value;
- g_make_token_header(mech_used, ap_rep.length,
- &ptr3, KG_TOK_CTX_AP_REP);
-
- TWRITE_STR(ptr3, ap_rep.data, ap_rep.length);
-
- ctx->established = 1;
-
- } else {
- token.length = 0;
- token.value = NULL;
- ctx->seq_send = ctx->seq_recv;
-
- ctx->established = 1;
- }
-
- /* set the return arguments */
-
- if (src_name) {
- if ((code = krb5_copy_principal(context, ctx->there, &name))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- /* intern the src_name */
- if (! kg_save_name((gss_name_t) name)) {
- code = G_VALIDATE_FAILED;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- }
-
- if (mech_type)
- *mech_type = (gss_OID) mech_used;
-
- if (time_rec)
- *time_rec = ctx->endtime - now;
-
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
-
- *context_handle = (gss_ctx_id_t)ctx;
- *output_token = token;
-
- if (src_name)
- *src_name = (gss_name_t) name;
-
- if (delegated_cred_handle && deleg_cred) {
- if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) {
- major_status = GSS_S_FAILURE;
- code = G_VALIDATE_FAILED;
- goto fail;
- }
-
- *delegated_cred_handle = (gss_cred_id_t) deleg_cred;
- }
-
- /* finally! */
-
- *minor_status = 0;
- major_status = GSS_S_COMPLETE;
-
- fail:
- if (authdat)
- krb5_free_authenticator(context, authdat);
- /* The ctx structure has the handle of the auth_context */
- if (auth_context && !ctx) {
- if (cred_rcache)
- (void)krb5_auth_con_setrcache(context, auth_context, NULL);
-
- krb5_auth_con_free(context, auth_context);
- }
- if (reqcksum.contents)
- xfree(reqcksum.contents);
- if (ap_rep.data)
- krb5_free_data_contents(context, &ap_rep);
-
- if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) {
- ctx->k5_context = context;
- context = NULL;
- goto done;
- }
-
- /* from here on is the real "fail" code */
-
- if (ctx)
- (void) krb5_gss_delete_sec_context(&tmp_minor_status,
- (gss_ctx_id_t *) &ctx, NULL);
- if (deleg_cred) { /* free memory associated with the deleg credential */
- if (deleg_cred->ccache)
- (void)krb5_cc_close(context, deleg_cred->ccache);
- if (deleg_cred->princ)
- krb5_free_principal(context, deleg_cred->princ);
- xfree(deleg_cred);
- }
- if (token.value)
- xfree(token.value);
- if (name) {
- (void) kg_delete_name((gss_name_t) name);
- krb5_free_principal(context, name);
- }
-
- *minor_status = code;
-
- /*
- * If decode_req_message is set, then we need to decode the ap_req
- * message to determine whether or not to send a response token.
- * We need to do this because for some errors we won't be able to
- * decode the authenticator to read out the gss_flags field.
- */
- if (decode_req_message) {
- krb5_ap_req * request;
-
- if (decode_krb5_ap_req(&ap_req, &request))
- goto done;
-
- if (request->ap_options & AP_OPTS_MUTUAL_REQUIRED)
- gss_flags |= GSS_C_MUTUAL_FLAG;
- krb5_free_ap_req(context, request);
- }
-
- if (cred
- && ((gss_flags & GSS_C_MUTUAL_FLAG)
- || (major_status == GSS_S_CONTINUE_NEEDED))) {
- unsigned int tmsglen;
- int toktype;
-
- /*
- * The client is expecting a response, so we can send an
- * error token back
- */
- memset(&krb_error_data, 0, sizeof(krb_error_data));
-
- code -= ERROR_TABLE_BASE_krb5;
- if (code < 0 || code > 128)
- code = 60 /* KRB_ERR_GENERIC */;
-
- krb_error_data.error = code;
- (void) krb5_us_timeofday(context, &krb_error_data.stime,
- &krb_error_data.susec);
- krb_error_data.server = cred->princ;
-
- code = krb5_mk_error(context, &krb_error_data, &scratch);
- if (code)
- goto done;
-
- tmsglen = scratch.length;
- toktype = KG_TOK_CTX_ERROR;
-
- token.length = g_token_size(mech_used, tmsglen);
- token.value = (unsigned char *) xmalloc(token.length);
- if (!token.value)
- goto done;
-
- ptr = token.value;
- g_make_token_header(mech_used, tmsglen, &ptr, toktype);
-
- TWRITE_STR(ptr, scratch.data, scratch.length);
- krb5_free_data_contents(context, &scratch);
-
- *output_token = token;
- }
-
- done:
- if (!verifier_cred_handle && cred_handle) {
- krb5_gss_release_cred(&tmp_minor_status, &cred_handle);
- }
- if (context) {
- if (major_status && *minor_status)
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- }
- return (major_status);
+ }
+ }
+
+ /* create the ctx struct and start filling it in */
+
+ if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
+ == NULL) {
+ code = ENOMEM;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
+ ctx->mech_used = (gss_OID) mech_used;
+ ctx->auth_context = auth_context;
+ ctx->initiate = 0;
+ ctx->gss_flags = (GSS_C_TRANS_FLAG |
+ ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
+ ctx->seed_init = 0;
+ ctx->big_endian = bigend;
+ ctx->cred_rcache = cred_rcache;
+
+ /* Intern the ctx pointer so that delete_sec_context works */
+ if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
+ xfree(ctx);
+ ctx = 0;
+
+ code = G_VALIDATE_FAILED;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ if ((code = krb5_copy_principal(context, authdat->client, &ctx->there))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
+ &ctx->subkey))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ /* use the session key if the subkey isn't present */
+
+ if (ctx->subkey == NULL) {
+ if ((code = krb5_auth_con_getkey(context, auth_context,
+ &ctx->subkey))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+
+ if (ctx->subkey == NULL) {
+ /* this isn't a very good error, but it's not clear to me this
+ can actually happen */
+ major_status = GSS_S_FAILURE;
+ code = KRB5KDC_ERR_NULL_KEY;
+ goto fail;
+ }
+
+ ctx->proto = 0;
+ switch(ctx->subkey->enctype) {
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_CRC:
+ ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->signalg = SGN_ALG_DES_MAC_MD5;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_DES;
+
+ /* fill in the encryption descriptors */
+
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ for (i=0; i<ctx->enc->length; i++)
+ /*SUPPRESS 113*/
+ ctx->enc->contents[i] ^= 0xf0;
+
+ goto copy_subkey_to_seq;
+
+ case ENCTYPE_DES3_CBC_SHA1:
+ ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
+ ctx->cksum_size = 20;
+ ctx->sealalg = SEAL_ALG_DES3KD;
+
+ /* fill in the encryption descriptors */
+ copy_subkey:
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ copy_subkey_to_seq:
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ break;
+
+ case ENCTYPE_ARCFOUR_HMAC:
+ ctx->signalg = SGN_ALG_HMAC_MD5 ;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
+ goto copy_subkey;
+
+ default:
+ ctx->signalg = -1;
+ ctx->sealalg = -1;
+ ctx->proto = 1;
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
+ &ctx->cksumtype);
+ if (code)
+ goto fail;
+ code = krb5_c_checksum_length(context, ctx->cksumtype,
+ &ctx->cksum_size);
+ if (code)
+ goto fail;
+ ctx->have_acceptor_subkey = 0;
+ goto copy_subkey;
+ }
+
+ ctx->endtime = ticket->enc_part2->times.endtime;
+ ctx->krb_flags = ticket->enc_part2->flags;
+
+ krb5_free_ticket(context, ticket); /* Done with ticket */
+
+ {
+ krb5_ui_4 seq_temp;
+ krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp);
+ ctx->seq_recv = seq_temp;
+ }
+
+ if ((code = krb5_timeofday(context, &now))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ if (ctx->endtime < now) {
+ code = 0;
+ major_status = GSS_S_CREDENTIALS_EXPIRED;
+ goto fail;
+ }
+
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
+
+ /* at this point, the entire context structure is filled in,
+ so it can be released. */
+
+ /* generate an AP_REP if necessary */
+
+ if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
+ unsigned char * ptr3;
+ krb5_ui_4 seq_temp;
+ int cfx_generate_subkey;
+
+ if (ctx->proto == 1)
+ cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY;
+ else
+ cfx_generate_subkey = 0;
+
+ if (cfx_generate_subkey) {
+ krb5_int32 acflags;
+ code = krb5_auth_con_getflags(context, auth_context, &acflags);
+ if (code == 0) {
+ acflags |= KRB5_AUTH_CONTEXT_USE_SUBKEY;
+ code = krb5_auth_con_setflags(context, auth_context, acflags);
+ }
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+
+ if ((code = krb5_mk_rep(context, auth_context, &ap_rep))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ krb5_auth_con_getlocalseqnumber(context, auth_context, &seq_temp);
+ ctx->seq_send = seq_temp & 0xffffffffL;
+
+ if (cfx_generate_subkey) {
+ /* Get the new acceptor subkey. With the code above, there
+ should always be one if we make it to this point. */
+ code = krb5_auth_con_getsendsubkey(context, auth_context,
+ &ctx->acceptor_subkey);
+ if (code != 0) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
+ ctx->acceptor_subkey->enctype,
+ &ctx->acceptor_subkey_cksumtype);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ ctx->have_acceptor_subkey = 1;
+ }
+
+ /* the reply token hasn't been sent yet, but that's ok. */
+ ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
+ ctx->established = 1;
+
+ token.length = g_token_size(mech_used, ap_rep.length);
+
+ if ((token.value = (unsigned char *) xmalloc(token.length))
+ == NULL) {
+ major_status = GSS_S_FAILURE;
+ code = ENOMEM;
+ goto fail;
+ }
+ ptr3 = token.value;
+ g_make_token_header(mech_used, ap_rep.length,
+ &ptr3, KG_TOK_CTX_AP_REP);
+
+ TWRITE_STR(ptr3, ap_rep.data, ap_rep.length);
+
+ ctx->established = 1;
+
+ } else {
+ token.length = 0;
+ token.value = NULL;
+ ctx->seq_send = ctx->seq_recv;
+
+ ctx->established = 1;
+ }
+
+ /* set the return arguments */
+
+ if (src_name) {
+ if ((code = krb5_copy_principal(context, ctx->there, &name))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ /* intern the src_name */
+ if (! kg_save_name((gss_name_t) name)) {
+ code = G_VALIDATE_FAILED;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+
+ if (mech_type)
+ *mech_type = (gss_OID) mech_used;
+
+ if (time_rec)
+ *time_rec = ctx->endtime - now;
+
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
+
+ *context_handle = (gss_ctx_id_t)ctx;
+ *output_token = token;
+
+ if (src_name)
+ *src_name = (gss_name_t) name;
+
+ if (delegated_cred_handle && deleg_cred) {
+ if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) {
+ major_status = GSS_S_FAILURE;
+ code = G_VALIDATE_FAILED;
+ goto fail;
+ }
+
+ *delegated_cred_handle = (gss_cred_id_t) deleg_cred;
+ }
+
+ /* finally! */
+
+ *minor_status = 0;
+ major_status = GSS_S_COMPLETE;
+
+fail:
+ if (authdat)
+ krb5_free_authenticator(context, authdat);
+ /* The ctx structure has the handle of the auth_context */
+ if (auth_context && !ctx) {
+ if (cred_rcache)
+ (void)krb5_auth_con_setrcache(context, auth_context, NULL);
+
+ krb5_auth_con_free(context, auth_context);
+ }
+ if (reqcksum.contents)
+ xfree(reqcksum.contents);
+ if (ap_rep.data)
+ krb5_free_data_contents(context, &ap_rep);
+
+ if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) {
+ ctx->k5_context = context;
+ context = NULL;
+ goto done;
+ }
+
+ /* from here on is the real "fail" code */
+
+ if (ctx)
+ (void) krb5_gss_delete_sec_context(&tmp_minor_status,
+ (gss_ctx_id_t *) &ctx, NULL);
+ if (deleg_cred) { /* free memory associated with the deleg credential */
+ if (deleg_cred->ccache)
+ (void)krb5_cc_close(context, deleg_cred->ccache);
+ if (deleg_cred->princ)
+ krb5_free_principal(context, deleg_cred->princ);
+ xfree(deleg_cred);
+ }
+ if (token.value)
+ xfree(token.value);
+ if (name) {
+ (void) kg_delete_name((gss_name_t) name);
+ krb5_free_principal(context, name);
+ }
+
+ *minor_status = code;
+
+ /*
+ * If decode_req_message is set, then we need to decode the ap_req
+ * message to determine whether or not to send a response token.
+ * We need to do this because for some errors we won't be able to
+ * decode the authenticator to read out the gss_flags field.
+ */
+ if (decode_req_message) {
+ krb5_ap_req * request;
+
+ if (decode_krb5_ap_req(&ap_req, &request))
+ goto done;
+
+ if (request->ap_options & AP_OPTS_MUTUAL_REQUIRED)
+ gss_flags |= GSS_C_MUTUAL_FLAG;
+ krb5_free_ap_req(context, request);
+ }
+
+ if (cred
+ && ((gss_flags & GSS_C_MUTUAL_FLAG)
+ || (major_status == GSS_S_CONTINUE_NEEDED))) {
+ unsigned int tmsglen;
+ int toktype;
+
+ /*
+ * The client is expecting a response, so we can send an
+ * error token back
+ */
+ memset(&krb_error_data, 0, sizeof(krb_error_data));
+
+ code -= ERROR_TABLE_BASE_krb5;
+ if (code < 0 || code > 128)
+ code = 60 /* KRB_ERR_GENERIC */;
+
+ krb_error_data.error = code;
+ (void) krb5_us_timeofday(context, &krb_error_data.stime,
+ &krb_error_data.susec);
+ krb_error_data.server = cred->princ;
+
+ code = krb5_mk_error(context, &krb_error_data, &scratch);
+ if (code)
+ goto done;
+
+ tmsglen = scratch.length;
+ toktype = KG_TOK_CTX_ERROR;
+
+ token.length = g_token_size(mech_used, tmsglen);
+ token.value = (unsigned char *) xmalloc(token.length);
+ if (!token.value)
+ goto done;
+
+ ptr = token.value;
+ g_make_token_header(mech_used, tmsglen, &ptr, toktype);
+
+ TWRITE_STR(ptr, scratch.data, scratch.length);
+ krb5_free_data_contents(context, &scratch);
+
+ *output_token = token;
+ }
+
+done:
+ if (!verifier_cred_handle && cred_handle) {
+ krb5_gss_release_cred(&tmp_minor_status, &cred_handle);
+ }
+ if (context) {
+ if (major_status && *minor_status)
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ }
+ return (major_status);
}
#endif /* LEAN_CLIENT */
-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2007, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
err = gssint_initialize_library();
if (err != 0)
- return GSS_S_FAILURE;
+ return GSS_S_FAILURE;
if (keytab == NULL)
- return GSS_S_FAILURE;
+ return GSS_S_FAILURE;
new = strdup(keytab);
if (new == NULL)
- return GSS_S_FAILURE;
+ return GSS_S_FAILURE;
err = k5_mutex_lock(&gssint_krb5_keytab_lock);
if (err) {
- free(new);
- return GSS_S_FAILURE;
+ free(new);
+ return GSS_S_FAILURE;
}
old = krb5_gss_keytab;
krb5_gss_keytab = new;
k5_mutex_unlock(&gssint_krb5_keytab_lock);
if (old != NULL)
- free(old);
+ free(old);
return GSS_S_COMPLETE;
}
/* get credentials corresponding to a key in the krb5 keytab.
If the default name is requested, return the name in output_princ.
- If output_princ is non-NULL, the caller will use or free it, regardless
- of the return value.
+ If output_princ is non-NULL, the caller will use or free it, regardless
+ of the return value.
If successful, set the keytab-specific fields in cred
- */
+*/
-static OM_uint32
+static OM_uint32
acquire_accept_cred(context, minor_status, desired_name, output_princ, cred)
- krb5_context context;
- OM_uint32 *minor_status;
- gss_name_t desired_name;
- krb5_principal *output_princ;
- krb5_gss_cred_id_rec *cred;
+ krb5_context context;
+ OM_uint32 *minor_status;
+ gss_name_t desired_name;
+ krb5_principal *output_princ;
+ krb5_gss_cred_id_rec *cred;
{
- krb5_error_code code;
- krb5_principal princ;
- krb5_keytab kt;
- krb5_keytab_entry entry;
-
- *output_princ = NULL;
- cred->keytab = NULL;
-
- /* open the default keytab */
-
- code = gssint_initialize_library();
- if (code != 0) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
- code = k5_mutex_lock(&gssint_krb5_keytab_lock);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
- if (krb5_gss_keytab != NULL) {
- code = krb5_kt_resolve(context, krb5_gss_keytab, &kt);
- k5_mutex_unlock(&gssint_krb5_keytab_lock);
- } else {
- k5_mutex_unlock(&gssint_krb5_keytab_lock);
- code = krb5_kt_default(context, &kt);
- }
-
- if (code) {
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
-
- if (desired_name != GSS_C_NO_NAME) {
- princ = (krb5_principal) desired_name;
- if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
- (void) krb5_kt_close(context, kt);
- if (code == KRB5_KT_NOTFOUND) {
- char *errstr = krb5_get_error_message(context, code);
- krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr);
- krb5_free_error_message(context, errstr);
- *minor_status = KG_KEYTAB_NOMATCH;
- } else
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
- krb5_kt_free_entry(context, &entry);
-
- /* Open the replay cache for this principal. */
- if ((code = krb5_get_server_rcache(context,
- krb5_princ_component(context, princ, 0),
- &cred->rcache))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- }
+ krb5_error_code code;
+ krb5_principal princ;
+ krb5_keytab kt;
+ krb5_keytab_entry entry;
+
+ *output_princ = NULL;
+ cred->keytab = NULL;
+
+ /* open the default keytab */
+
+ code = gssint_initialize_library();
+ if (code != 0) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+ code = k5_mutex_lock(&gssint_krb5_keytab_lock);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+ if (krb5_gss_keytab != NULL) {
+ code = krb5_kt_resolve(context, krb5_gss_keytab, &kt);
+ k5_mutex_unlock(&gssint_krb5_keytab_lock);
+ } else {
+ k5_mutex_unlock(&gssint_krb5_keytab_lock);
+ code = krb5_kt_default(context, &kt);
+ }
+
+ if (code) {
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+
+ if (desired_name != GSS_C_NO_NAME) {
+ princ = (krb5_principal) desired_name;
+ if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
+ (void) krb5_kt_close(context, kt);
+ if (code == KRB5_KT_NOTFOUND) {
+ char *errstr = krb5_get_error_message(context, code);
+ krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr);
+ krb5_free_error_message(context, errstr);
+ *minor_status = KG_KEYTAB_NOMATCH;
+ } else
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ krb5_kt_free_entry(context, &entry);
+
+ /* Open the replay cache for this principal. */
+ if ((code = krb5_get_server_rcache(context,
+ krb5_princ_component(context, princ, 0),
+ &cred->rcache))) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
+ }
/* hooray. we made it */
- cred->keytab = kt;
+ cred->keytab = kt;
- return(GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
}
#endif /* LEAN_CLIENT */
/* get credentials corresponding to the default credential cache.
If the default name is requested, return the name in output_princ.
- If output_princ is non-NULL, the caller will use or free it, regardless
- of the return value.
+ If output_princ is non-NULL, the caller will use or free it, regardless
+ of the return value.
If successful, set the ccache-specific fields in cred.
- */
+*/
-static OM_uint32
+static OM_uint32
acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
- krb5_context context;
- OM_uint32 *minor_status;
- gss_name_t desired_name;
- krb5_principal *output_princ;
- krb5_gss_cred_id_rec *cred;
+ krb5_context context;
+ OM_uint32 *minor_status;
+ gss_name_t desired_name;
+ krb5_principal *output_princ;
+ krb5_gss_cred_id_rec *cred;
{
- krb5_error_code code;
- krb5_ccache ccache;
- krb5_principal princ, tmp_princ;
- krb5_flags flags;
- krb5_cc_cursor cur;
- krb5_creds creds;
- int got_endtime;
- int caller_provided_ccache_name = 0;
-
- cred->ccache = NULL;
-
- /* load the GSS ccache name into the kg_context */
-
- if (GSS_ERROR(kg_sync_ccache_name(context, minor_status)))
- return(GSS_S_FAILURE);
-
- /* check to see if the caller provided a ccache name if so
- * we will just use that and not search the cache collection */
- if (GSS_ERROR(kg_caller_provided_ccache_name (minor_status, &caller_provided_ccache_name))) {
- return(GSS_S_FAILURE);
- }
+ krb5_error_code code;
+ krb5_ccache ccache;
+ krb5_principal princ, tmp_princ;
+ krb5_flags flags;
+ krb5_cc_cursor cur;
+ krb5_creds creds;
+ int got_endtime;
+ int caller_provided_ccache_name = 0;
+
+ cred->ccache = NULL;
+
+ /* load the GSS ccache name into the kg_context */
+
+ if (GSS_ERROR(kg_sync_ccache_name(context, minor_status)))
+ return(GSS_S_FAILURE);
+
+ /* check to see if the caller provided a ccache name if so
+ * we will just use that and not search the cache collection */
+ if (GSS_ERROR(kg_caller_provided_ccache_name (minor_status, &caller_provided_ccache_name))) {
+ return(GSS_S_FAILURE);
+ }
#if defined(USE_KIM) || defined(USE_LEASH)
- if (desired_name && !caller_provided_ccache_name) {
+ if (desired_name && !caller_provided_ccache_name) {
#if defined(USE_KIM)
- kim_error err = KIM_NO_ERROR;
- kim_ccache kimccache = NULL;
- kim_identity identity = NULL;
-
- err = kim_identity_create_from_krb5_principal (&identity,
- context,
- (krb5_principal) desired_name);
-
- if (!err) {
- err = kim_ccache_create_new_if_needed (&kimccache,
- identity,
- KIM_OPTIONS_DEFAULT);
- }
-
- if (!err) {
- err = kim_ccache_get_krb5_ccache (kimccache, context, &ccache);
- }
-
- kim_ccache_free (&kimccache);
- kim_identity_free (&identity);
-
- if (err) {
- *minor_status = err;
- return(GSS_S_CRED_UNAVAIL);
- }
-
+ kim_error err = KIM_NO_ERROR;
+ kim_ccache kimccache = NULL;
+ kim_identity identity = NULL;
+
+ err = kim_identity_create_from_krb5_principal (&identity,
+ context,
+ (krb5_principal) desired_name);
+
+ if (!err) {
+ err = kim_ccache_create_new_if_needed (&kimccache,
+ identity,
+ KIM_OPTIONS_DEFAULT);
+ }
+
+ if (!err) {
+ err = kim_ccache_get_krb5_ccache (kimccache, context, &ccache);
+ }
+
+ kim_ccache_free (&kimccache);
+ kim_identity_free (&identity);
+
+ if (err) {
+ *minor_status = err;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+
#elif defined(USE_LEASH)
- if ( hLeashDLL == INVALID_HANDLE_VALUE ) {
- hLeashDLL = LoadLibrary(LEASH_DLL);
- if ( hLeashDLL != INVALID_HANDLE_VALUE ) {
- (FARPROC) pLeash_AcquireInitialTicketsIfNeeded =
- GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded");
- }
- }
-
- if ( pLeash_AcquireInitialTicketsIfNeeded ) {
- char ccname[256]="";
- pLeash_AcquireInitialTicketsIfNeeded(context, (krb5_principal) desired_name, ccname, sizeof(ccname));
- if (!ccname[0]) {
- *minor_status = KRB5_CC_NOTFOUND;
- return(GSS_S_CRED_UNAVAIL);
- }
-
- if ((code = krb5_cc_resolve (context, ccname, &ccache))) {
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
- } else {
- /* leash dll not available, open the default credential cache */
-
- if ((code = krb5int_cc_default(context, &ccache))) {
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
- }
+ if ( hLeashDLL == INVALID_HANDLE_VALUE ) {
+ hLeashDLL = LoadLibrary(LEASH_DLL);
+ if ( hLeashDLL != INVALID_HANDLE_VALUE ) {
+ (FARPROC) pLeash_AcquireInitialTicketsIfNeeded =
+ GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded");
+ }
+ }
+
+ if ( pLeash_AcquireInitialTicketsIfNeeded ) {
+ char ccname[256]="";
+ pLeash_AcquireInitialTicketsIfNeeded(context, (krb5_principal) desired_name, ccname, sizeof(ccname));
+ if (!ccname[0]) {
+ *minor_status = KRB5_CC_NOTFOUND;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+
+ if ((code = krb5_cc_resolve (context, ccname, &ccache))) {
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ } else {
+ /* leash dll not available, open the default credential cache */
+
+ if ((code = krb5int_cc_default(context, &ccache))) {
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ }
#endif /* USE_LEASH */
- } else
+ } else
#endif /* USE_KIM || USE_LEASH */
- {
- /* open the default credential cache */
-
- if ((code = krb5int_cc_default(context, &ccache))) {
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
- }
-
- /* turn off OPENCLOSE mode while extensive frobbing is going on */
-
- flags = 0; /* turns off OPENCLOSE mode */
- if ((code = krb5_cc_set_flags(context, ccache, flags))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_CRED_UNAVAIL);
- }
-
- /* get out the principal name and see if it matches */
-
- if ((code = krb5_cc_get_principal(context, ccache, &princ))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if (desired_name != (gss_name_t) NULL) {
- if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) {
- (void)krb5_free_principal(context, princ);
- (void)krb5_cc_close(context, ccache);
- *minor_status = KG_CCACHE_NOMATCH;
- return(GSS_S_CRED_UNAVAIL);
- }
- (void)krb5_free_principal(context, princ);
- princ = (krb5_principal) desired_name;
- } else {
- *output_princ = princ;
- }
-
- /* iterate over the ccache, find the tgt */
-
- if ((code = krb5_cc_start_seq_get(context, ccache, &cur))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- /* this is hairy. If there's a tgt for the principal's local realm
- in here, that's what we want for the expire time. But if
- there's not, then we want to use the first key. */
-
- got_endtime = 0;
-
- code = krb5_build_principal_ext(context, &tmp_princ,
- krb5_princ_realm(context, princ)->length,
- krb5_princ_realm(context, princ)->data,
- 6, "krbtgt",
- krb5_princ_realm(context, princ)->length,
- krb5_princ_realm(context, princ)->data,
- 0);
- if (code) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- while (!(code = krb5_cc_next_cred(context, ccache, &cur, &creds))) {
- if (krb5_principal_compare(context, tmp_princ, creds.server)) {
- cred->tgt_expire = creds.times.endtime;
- got_endtime = 1;
- *minor_status = 0;
- code = 0;
- krb5_free_cred_contents(context, &creds);
- break;
- }
- if (got_endtime == 0) {
- cred->tgt_expire = creds.times.endtime;
- got_endtime = 1;
- }
- krb5_free_cred_contents(context, &creds);
- }
- krb5_free_principal(context, tmp_princ);
-
- if (code && code != KRB5_CC_END) {
- /* this means some error occurred reading the ccache */
- (void)krb5_cc_end_seq_get(context, ccache, &cur);
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- } else if (! got_endtime) {
- /* this means the ccache was entirely empty */
- (void)krb5_cc_end_seq_get(context, ccache, &cur);
- (void)krb5_cc_close(context, ccache);
- *minor_status = KG_EMPTY_CCACHE;
- return(GSS_S_FAILURE);
- } else {
- /* this means that we found an endtime to use. */
- if ((code = krb5_cc_end_seq_get(context, ccache, &cur))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */
- if ((code = krb5_cc_set_flags(context, ccache, flags))) {
- (void)krb5_cc_close(context, ccache);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- }
-
- /* the credentials match and are valid */
-
- cred->ccache = ccache;
- /* minor_status is set while we are iterating over the ccache */
- return(GSS_S_COMPLETE);
+ {
+ /* open the default credential cache */
+
+ if ((code = krb5int_cc_default(context, &ccache))) {
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ }
+
+ /* turn off OPENCLOSE mode while extensive frobbing is going on */
+
+ flags = 0; /* turns off OPENCLOSE mode */
+ if ((code = krb5_cc_set_flags(context, ccache, flags))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+
+ /* get out the principal name and see if it matches */
+
+ if ((code = krb5_cc_get_principal(context, ccache, &princ))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
+ if (desired_name != (gss_name_t) NULL) {
+ if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) {
+ (void)krb5_free_principal(context, princ);
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = KG_CCACHE_NOMATCH;
+ return(GSS_S_CRED_UNAVAIL);
+ }
+ (void)krb5_free_principal(context, princ);
+ princ = (krb5_principal) desired_name;
+ } else {
+ *output_princ = princ;
+ }
+
+ /* iterate over the ccache, find the tgt */
+
+ if ((code = krb5_cc_start_seq_get(context, ccache, &cur))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
+ /* this is hairy. If there's a tgt for the principal's local realm
+ in here, that's what we want for the expire time. But if
+ there's not, then we want to use the first key. */
+
+ got_endtime = 0;
+
+ code = krb5_build_principal_ext(context, &tmp_princ,
+ krb5_princ_realm(context, princ)->length,
+ krb5_princ_realm(context, princ)->data,
+ 6, "krbtgt",
+ krb5_princ_realm(context, princ)->length,
+ krb5_princ_realm(context, princ)->data,
+ 0);
+ if (code) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ while (!(code = krb5_cc_next_cred(context, ccache, &cur, &creds))) {
+ if (krb5_principal_compare(context, tmp_princ, creds.server)) {
+ cred->tgt_expire = creds.times.endtime;
+ got_endtime = 1;
+ *minor_status = 0;
+ code = 0;
+ krb5_free_cred_contents(context, &creds);
+ break;
+ }
+ if (got_endtime == 0) {
+ cred->tgt_expire = creds.times.endtime;
+ got_endtime = 1;
+ }
+ krb5_free_cred_contents(context, &creds);
+ }
+ krb5_free_principal(context, tmp_princ);
+
+ if (code && code != KRB5_CC_END) {
+ /* this means some error occurred reading the ccache */
+ (void)krb5_cc_end_seq_get(context, ccache, &cur);
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ } else if (! got_endtime) {
+ /* this means the ccache was entirely empty */
+ (void)krb5_cc_end_seq_get(context, ccache, &cur);
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = KG_EMPTY_CCACHE;
+ return(GSS_S_FAILURE);
+ } else {
+ /* this means that we found an endtime to use. */
+ if ((code = krb5_cc_end_seq_get(context, ccache, &cur))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */
+ if ((code = krb5_cc_set_flags(context, ccache, flags))) {
+ (void)krb5_cc_close(context, ccache);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ }
+
+ /* the credentials match and are valid */
+
+ cred->ccache = ccache;
+ /* minor_status is set while we are iterating over the ccache */
+ return(GSS_S_COMPLETE);
}
-
+
/*ARGSUSED*/
OM_uint32
krb5_gss_acquire_cred(minor_status, desired_name, time_req,
- desired_mechs, cred_usage, output_cred_handle,
- actual_mechs, time_rec)
- OM_uint32 *minor_status;
- gss_name_t desired_name;
- OM_uint32 time_req;
- gss_OID_set desired_mechs;
- gss_cred_usage_t cred_usage;
- gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
- OM_uint32 *time_rec;
+ desired_mechs, cred_usage, output_cred_handle,
+ actual_mechs, time_rec)
+ OM_uint32 *minor_status;
+ gss_name_t desired_name;
+ OM_uint32 time_req;
+ gss_OID_set desired_mechs;
+ gss_cred_usage_t cred_usage;
+ gss_cred_id_t *output_cred_handle;
+ gss_OID_set *actual_mechs;
+ OM_uint32 *time_rec;
{
- krb5_context context;
- size_t i;
- krb5_gss_cred_id_t cred;
- gss_OID_set ret_mechs;
- int req_old, req_new;
- OM_uint32 ret;
- krb5_error_code code;
-
- code = gssint_initialize_library();
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- /* make sure all outputs are valid */
-
- *output_cred_handle = NULL;
- if (actual_mechs)
- *actual_mechs = NULL;
- if (time_rec)
- *time_rec = 0;
-
- /* validate the name */
-
- /*SUPPRESS 29*/
- if ((desired_name != (gss_name_t) NULL) &&
- (! kg_validate_name(desired_name))) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
-
- /* verify that the requested mechanism set is the default, or
- contains krb5 */
-
- if (desired_mechs == GSS_C_NULL_OID_SET) {
- req_old = 1;
- req_new = 1;
- } else {
- req_old = 0;
- req_new = 0;
-
- for (i=0; i<desired_mechs->count; i++) {
- if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i])))
- req_old++;
- if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i])))
- req_new++;
- }
-
- if (!req_old && !req_new) {
- *minor_status = 0;
- krb5_free_context(context);
- return(GSS_S_BAD_MECH);
- }
- }
-
- /* create the gss cred structure */
-
- if ((cred =
- (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) == NULL) {
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
-
- cred->usage = cred_usage;
- cred->princ = NULL;
- cred->prerfc_mech = req_old;
- cred->rfc_mech = req_new;
+ krb5_context context;
+ size_t i;
+ krb5_gss_cred_id_t cred;
+ gss_OID_set ret_mechs;
+ int req_old, req_new;
+ OM_uint32 ret;
+ krb5_error_code code;
+
+ code = gssint_initialize_library();
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ /* make sure all outputs are valid */
+
+ *output_cred_handle = NULL;
+ if (actual_mechs)
+ *actual_mechs = NULL;
+ if (time_rec)
+ *time_rec = 0;
+
+ /* validate the name */
+
+ /*SUPPRESS 29*/
+ if ((desired_name != (gss_name_t) NULL) &&
+ (! kg_validate_name(desired_name))) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
+
+ /* verify that the requested mechanism set is the default, or
+ contains krb5 */
+
+ if (desired_mechs == GSS_C_NULL_OID_SET) {
+ req_old = 1;
+ req_new = 1;
+ } else {
+ req_old = 0;
+ req_new = 0;
+
+ for (i=0; i<desired_mechs->count; i++) {
+ if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i])))
+ req_old++;
+ if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i])))
+ req_new++;
+ }
+
+ if (!req_old && !req_new) {
+ *minor_status = 0;
+ krb5_free_context(context);
+ return(GSS_S_BAD_MECH);
+ }
+ }
+
+ /* create the gss cred structure */
+
+ if ((cred =
+ (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) == NULL) {
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
+
+ cred->usage = cred_usage;
+ cred->princ = NULL;
+ cred->prerfc_mech = req_old;
+ cred->rfc_mech = req_new;
#ifndef LEAN_CLIENT
- cred->keytab = NULL;
+ cred->keytab = NULL;
#endif /* LEAN_CLIENT */
- cred->ccache = NULL;
-
- code = k5_mutex_init(&cred->lock);
- if (code) {
- *minor_status = code;
- krb5_free_context(context);
- return GSS_S_FAILURE;
- }
- /* Note that we don't need to lock this GSSAPI credential record
- here, because no other thread can gain access to it until we
- return it. */
-
- if ((cred_usage != GSS_C_INITIATE) &&
- (cred_usage != GSS_C_ACCEPT) &&
- (cred_usage != GSS_C_BOTH)) {
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- *minor_status = (OM_uint32) G_BAD_USAGE;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-
- /* if requested, acquire credentials for accepting */
- /* this will fill in cred->princ if the desired_name is not specified */
+ cred->ccache = NULL;
+
+ code = k5_mutex_init(&cred->lock);
+ if (code) {
+ *minor_status = code;
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
+ }
+ /* Note that we don't need to lock this GSSAPI credential record
+ here, because no other thread can gain access to it until we
+ return it. */
+
+ if ((cred_usage != GSS_C_INITIATE) &&
+ (cred_usage != GSS_C_ACCEPT) &&
+ (cred_usage != GSS_C_BOTH)) {
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ *minor_status = (OM_uint32) G_BAD_USAGE;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+
+ /* if requested, acquire credentials for accepting */
+ /* this will fill in cred->princ if the desired_name is not specified */
#ifndef LEAN_CLIENT
- if ((cred_usage == GSS_C_ACCEPT) ||
- (cred_usage == GSS_C_BOTH))
- if ((ret = acquire_accept_cred(context, minor_status, desired_name,
- &(cred->princ), cred))
- != GSS_S_COMPLETE) {
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- /* minor_status set by acquire_accept_cred() */
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(ret);
- }
+ if ((cred_usage == GSS_C_ACCEPT) ||
+ (cred_usage == GSS_C_BOTH))
+ if ((ret = acquire_accept_cred(context, minor_status, desired_name,
+ &(cred->princ), cred))
+ != GSS_S_COMPLETE) {
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ /* minor_status set by acquire_accept_cred() */
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(ret);
+ }
#endif /* LEAN_CLIENT */
- /* if requested, acquire credentials for initiation */
- /* this will fill in cred->princ if it wasn't set above, and
- the desired_name is not specified */
-
- if ((cred_usage == GSS_C_INITIATE) ||
- (cred_usage == GSS_C_BOTH))
- if ((ret =
- acquire_init_cred(context, minor_status,
- cred->princ?(gss_name_t)cred->princ:desired_name,
- &(cred->princ), cred))
- != GSS_S_COMPLETE) {
+ /* if requested, acquire credentials for initiation */
+ /* this will fill in cred->princ if it wasn't set above, and
+ the desired_name is not specified */
+
+ if ((cred_usage == GSS_C_INITIATE) ||
+ (cred_usage == GSS_C_BOTH))
+ if ((ret =
+ acquire_init_cred(context, minor_status,
+ cred->princ?(gss_name_t)cred->princ:desired_name,
+ &(cred->princ), cred))
+ != GSS_S_COMPLETE) {
#ifndef LEAN_CLIENT
- if (cred->keytab)
- krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- /* minor_status set by acquire_init_cred() */
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(ret);
- }
-
- /* if the princ wasn't filled in already, fill it in now */
-
- if (!cred->princ && (desired_name != GSS_C_NO_NAME))
- if ((code = krb5_copy_principal(context, (krb5_principal) desired_name,
- &(cred->princ)))) {
- if (cred->ccache)
- (void)krb5_cc_close(context, cred->ccache);
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ /* minor_status set by acquire_init_cred() */
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(ret);
+ }
+
+ /* if the princ wasn't filled in already, fill it in now */
+
+ if (!cred->princ && (desired_name != GSS_C_NO_NAME))
+ if ((code = krb5_copy_principal(context, (krb5_principal) desired_name,
+ &(cred->princ)))) {
+ if (cred->ccache)
+ (void)krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
- if (cred->keytab)
- (void)krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ (void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-
- /*** at this point, the cred structure has been completely created */
-
- /* compute time_rec */
-
- if (cred_usage == GSS_C_ACCEPT) {
- if (time_rec)
- *time_rec = GSS_C_INDEFINITE;
- } else {
- krb5_timestamp now;
-
- if ((code = krb5_timeofday(context, &now))) {
- if (cred->ccache)
- (void)krb5_cc_close(context, cred->ccache);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+
+ /*** at this point, the cred structure has been completely created */
+
+ /* compute time_rec */
+
+ if (cred_usage == GSS_C_ACCEPT) {
+ if (time_rec)
+ *time_rec = GSS_C_INDEFINITE;
+ } else {
+ krb5_timestamp now;
+
+ if ((code = krb5_timeofday(context, &now))) {
+ if (cred->ccache)
+ (void)krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
- if (cred->keytab)
- (void)krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ (void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-
- if (time_rec)
- *time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0;
- }
-
- /* create mechs */
-
- if (actual_mechs) {
- if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
- &ret_mechs)) ||
- (cred->prerfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_old,
- &ret_mechs))) ||
- (cred->rfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5,
- &ret_mechs)))) {
- if (cred->ccache)
- (void)krb5_cc_close(context, cred->ccache);
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+
+ if (time_rec)
+ *time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0;
+ }
+
+ /* create mechs */
+
+ if (actual_mechs) {
+ if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
+ &ret_mechs)) ||
+ (cred->prerfc_mech &&
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5_old,
+ &ret_mechs))) ||
+ (cred->rfc_mech &&
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5,
+ &ret_mechs)))) {
+ if (cred->ccache)
+ (void)krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
- if (cred->keytab)
- (void)krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ (void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- /* *minor_status set above */
- krb5_free_context(context);
- return(ret);
- }
- }
-
- /* intern the credential handle */
-
- if (! kg_save_cred_id((gss_cred_id_t) cred)) {
- free(ret_mechs->elements);
- free(ret_mechs);
- if (cred->ccache)
- (void)krb5_cc_close(context, cred->ccache);
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ /* *minor_status set above */
+ krb5_free_context(context);
+ return(ret);
+ }
+ }
+
+ /* intern the credential handle */
+
+ if (! kg_save_cred_id((gss_cred_id_t) cred)) {
+ free(ret_mechs->elements);
+ free(ret_mechs);
+ if (cred->ccache)
+ (void)krb5_cc_close(context, cred->ccache);
#ifndef LEAN_CLIENT
- if (cred->keytab)
- (void)krb5_kt_close(context, cred->keytab);
+ if (cred->keytab)
+ (void)krb5_kt_close(context, cred->keytab);
#endif /* LEAN_CLIENT */
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- save_error_string(*minor_status, "error saving credentials");
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-
- /* return success */
-
- *minor_status = 0;
- *output_cred_handle = (gss_cred_id_t) cred;
- if (actual_mechs)
- *actual_mechs = ret_mechs;
-
- krb5_free_context(context);
- return(GSS_S_COMPLETE);
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
+ k5_mutex_destroy(&cred->lock);
+ xfree(cred);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ save_error_string(*minor_status, "error saving credentials");
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+
+ /* return success */
+
+ *minor_status = 0;
+ *output_cred_handle = (gss_cred_id_t) cred;
+ if (actual_mechs)
+ *actual_mechs = ret_mechs;
+
+ krb5_free_context(context);
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
/* V2 interface */
OM_uint32
krb5_gss_add_cred(minor_status, input_cred_handle,
- desired_name, desired_mech, cred_usage,
- initiator_time_req, acceptor_time_req,
- output_cred_handle, actual_mechs,
- initiator_time_rec, acceptor_time_rec)
- OM_uint32 *minor_status;
- gss_cred_id_t input_cred_handle;
- gss_name_t desired_name;
- gss_OID desired_mech;
- gss_cred_usage_t cred_usage;
- OM_uint32 initiator_time_req;
- OM_uint32 acceptor_time_req;
- gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
- OM_uint32 *initiator_time_rec;
- OM_uint32 *acceptor_time_rec;
+ desired_name, desired_mech, cred_usage,
+ initiator_time_req, acceptor_time_req,
+ output_cred_handle, actual_mechs,
+ initiator_time_rec, acceptor_time_rec)
+ OM_uint32 *minor_status;
+ gss_cred_id_t input_cred_handle;
+ gss_name_t desired_name;
+ gss_OID desired_mech;
+ gss_cred_usage_t cred_usage;
+ OM_uint32 initiator_time_req;
+ OM_uint32 acceptor_time_req;
+ gss_cred_id_t *output_cred_handle;
+ gss_OID_set *actual_mechs;
+ OM_uint32 *initiator_time_rec;
+ OM_uint32 *acceptor_time_rec;
{
- krb5_context context;
- OM_uint32 major_status, lifetime;
- krb5_gss_cred_id_t cred;
- krb5_error_code code;
+ krb5_context context;
+ OM_uint32 major_status, lifetime;
+ krb5_gss_cred_id_t cred;
+ krb5_error_code code;
/* this is pretty simple, since there's not really any difference
between the underlying mechanisms. The main hair is in copying
/* check if the desired_mech is bogus */
if (!g_OID_equal(desired_mech, gss_mech_krb5) &&
- !g_OID_equal(desired_mech, gss_mech_krb5_old)) {
- *minor_status = 0;
- return(GSS_S_BAD_MECH);
+ !g_OID_equal(desired_mech, gss_mech_krb5_old)) {
+ *minor_status = 0;
+ return(GSS_S_BAD_MECH);
}
/* check if the desired_mech is bogus */
if ((cred_usage != GSS_C_INITIATE) &&
- (cred_usage != GSS_C_ACCEPT) &&
- (cred_usage != GSS_C_BOTH)) {
- *minor_status = (OM_uint32) G_BAD_USAGE;
- return(GSS_S_FAILURE);
+ (cred_usage != GSS_C_ACCEPT) &&
+ (cred_usage != GSS_C_BOTH)) {
+ *minor_status = (OM_uint32) G_BAD_USAGE;
+ return(GSS_S_FAILURE);
}
/* since the default credential includes all the mechanisms,
/*SUPPRESS 29*/
if (input_cred_handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = 0;
- return(GSS_S_DUPLICATE_ELEMENT);
+ *minor_status = 0;
+ return(GSS_S_DUPLICATE_ELEMENT);
}
code = krb5_gss_init_context(&context);
if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
+ *minor_status = code;
+ return GSS_S_FAILURE;
}
major_status = krb5_gss_validate_cred_1(minor_status, input_cred_handle,
- context);
+ context);
if (GSS_ERROR(major_status)) {
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return major_status;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return major_status;
}
cred = (krb5_gss_cred_id_t) input_cred_handle;
if copying */
if (!((cred->usage == cred_usage) ||
- ((cred->usage == GSS_C_BOTH) &&
- (output_cred_handle != NULL)))) {
- *minor_status = (OM_uint32) G_BAD_USAGE;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
+ ((cred->usage == GSS_C_BOTH) &&
+ (output_cred_handle != NULL)))) {
+ *minor_status = (OM_uint32) G_BAD_USAGE;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
}
/* check that desired_mech isn't already in the credential */
if ((g_OID_equal(desired_mech, gss_mech_krb5_old) && cred->prerfc_mech) ||
- (g_OID_equal(desired_mech, gss_mech_krb5) && cred->rfc_mech)) {
- *minor_status = 0;
- krb5_free_context(context);
- return(GSS_S_DUPLICATE_ELEMENT);
+ (g_OID_equal(desired_mech, gss_mech_krb5) && cred->rfc_mech)) {
+ *minor_status = 0;
+ krb5_free_context(context);
+ return(GSS_S_DUPLICATE_ELEMENT);
}
if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) {
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return GSS_S_FAILURE;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
}
/* verify the desired_name */
/*SUPPRESS 29*/
if ((desired_name != (gss_name_t) NULL) &&
- (! kg_validate_name(desired_name))) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ (! kg_validate_name(desired_name))) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
}
/* make sure the desired_name is the same as the existing one */
if (desired_name &&
- !krb5_principal_compare(context, (krb5_principal) desired_name,
- cred->princ)) {
- *minor_status = 0;
- krb5_free_context(context);
- return(GSS_S_BAD_NAME);
+ !krb5_principal_compare(context, (krb5_principal) desired_name,
+ cred->princ)) {
+ *minor_status = 0;
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAME);
}
/* copy the cred if necessary */
if (output_cred_handle) {
- /* make a copy */
- krb5_gss_cred_id_t new_cred;
- char ktboth[1024];
- const char *kttype, *cctype, *ccname;
- char ccboth[1024];
-
- if ((new_cred =
- (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))
- == NULL) {
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- memset(new_cred, 0, sizeof(krb5_gss_cred_id_rec));
-
- new_cred->usage = cred_usage;
- new_cred->prerfc_mech = cred->prerfc_mech;
- new_cred->rfc_mech = cred->rfc_mech;
- new_cred->tgt_expire = cred->tgt_expire;
-
- if (cred->princ)
- code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
- if (code) {
- xfree(new_cred);
-
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-#ifndef LEAN_CLIENT
- if (cred->keytab) {
- kttype = krb5_kt_get_type(context, cred->keytab);
- if ((strlen(kttype)+2) > sizeof(ktboth)) {
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
-
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-
- strncpy(ktboth, kttype, sizeof(ktboth) - 1);
- ktboth[sizeof(ktboth) - 1] = '\0';
- strncat(ktboth, ":", sizeof(ktboth) - 1 - strlen(ktboth));
-
- code = krb5_kt_get_name(context, cred->keytab,
- ktboth+strlen(ktboth),
- sizeof(ktboth)-strlen(ktboth));
- if (code) {
- if(new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
-
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-
- code = krb5_kt_resolve(context, ktboth, &new_cred->keytab);
- if (code) {
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
-
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- } else {
+ /* make a copy */
+ krb5_gss_cred_id_t new_cred;
+ char ktboth[1024];
+ const char *kttype, *cctype, *ccname;
+ char ccboth[1024];
+
+ if ((new_cred =
+ (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))
+ == NULL) {
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ memset(new_cred, 0, sizeof(krb5_gss_cred_id_rec));
+
+ new_cred->usage = cred_usage;
+ new_cred->prerfc_mech = cred->prerfc_mech;
+ new_cred->rfc_mech = cred->rfc_mech;
+ new_cred->tgt_expire = cred->tgt_expire;
+
+ if (cred->princ)
+ code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
+ if (code) {
+ xfree(new_cred);
+
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+#ifndef LEAN_CLIENT
+ if (cred->keytab) {
+ kttype = krb5_kt_get_type(context, cred->keytab);
+ if ((strlen(kttype)+2) > sizeof(ktboth)) {
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
+
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+
+ strncpy(ktboth, kttype, sizeof(ktboth) - 1);
+ ktboth[sizeof(ktboth) - 1] = '\0';
+ strncat(ktboth, ":", sizeof(ktboth) - 1 - strlen(ktboth));
+
+ code = krb5_kt_get_name(context, cred->keytab,
+ ktboth+strlen(ktboth),
+ sizeof(ktboth)-strlen(ktboth));
+ if (code) {
+ if(new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
+
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+
+ code = krb5_kt_resolve(context, ktboth, &new_cred->keytab);
+ if (code) {
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
+
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ } else {
#endif /* LEAN_CLIENT */
- new_cred->keytab = NULL;
-#ifndef LEAN_CLIENT
- }
+ new_cred->keytab = NULL;
+#ifndef LEAN_CLIENT
+ }
#endif /* LEAN_CLIENT */
-
- if (cred->rcache) {
- /* Open the replay cache for this principal. */
- if ((code = krb5_get_server_rcache(context,
- krb5_princ_component(context, cred->princ, 0),
- &new_cred->rcache))) {
-#ifndef LEAN_CLIENT
- if (new_cred->keytab)
- krb5_kt_close(context, new_cred->keytab);
+
+ if (cred->rcache) {
+ /* Open the replay cache for this principal. */
+ if ((code = krb5_get_server_rcache(context,
+ krb5_princ_component(context, cred->princ, 0),
+ &new_cred->rcache))) {
+#ifndef LEAN_CLIENT
+ if (new_cred->keytab)
+ krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
-
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- } else {
- new_cred->rcache = NULL;
- }
-
- if (cred->ccache) {
- cctype = krb5_cc_get_type(context, cred->ccache);
- ccname = krb5_cc_get_name(context, cred->ccache);
-
- if ((strlen(cctype)+strlen(ccname)+2) > sizeof(ccboth)) {
- if (new_cred->rcache)
- krb5_rc_close(context, new_cred->rcache);
-#ifndef LEAN_CLIENT
- if (new_cred->keytab)
- krb5_kt_close(context, new_cred->keytab);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
+
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ new_cred->rcache = NULL;
+ }
+
+ if (cred->ccache) {
+ cctype = krb5_cc_get_type(context, cred->ccache);
+ ccname = krb5_cc_get_name(context, cred->ccache);
+
+ if ((strlen(cctype)+strlen(ccname)+2) > sizeof(ccboth)) {
+ if (new_cred->rcache)
+ krb5_rc_close(context, new_cred->rcache);
+#ifndef LEAN_CLIENT
+ if (new_cred->keytab)
+ krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
-
- krb5_free_context(context);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
-
- strncpy(ccboth, cctype, sizeof(ccboth) - 1);
- ccboth[sizeof(ccboth) - 1] = '\0';
- strncat(ccboth, ":", sizeof(ccboth) - 1 - strlen(ccboth));
- strncat(ccboth, ccname, sizeof(ccboth) - 1 - strlen(ccboth));
-
- code = krb5_cc_resolve(context, ccboth, &new_cred->ccache);
- if (code) {
- if (new_cred->rcache)
- krb5_rc_close(context, new_cred->rcache);
-#ifndef LEAN_CLIENT
- if (new_cred->keytab)
- krb5_kt_close(context, new_cred->keytab);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
+
+ krb5_free_context(context);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+
+ strncpy(ccboth, cctype, sizeof(ccboth) - 1);
+ ccboth[sizeof(ccboth) - 1] = '\0';
+ strncat(ccboth, ":", sizeof(ccboth) - 1 - strlen(ccboth));
+ strncat(ccboth, ccname, sizeof(ccboth) - 1 - strlen(ccboth));
+
+ code = krb5_cc_resolve(context, ccboth, &new_cred->ccache);
+ if (code) {
+ if (new_cred->rcache)
+ krb5_rc_close(context, new_cred->rcache);
+#ifndef LEAN_CLIENT
+ if (new_cred->keytab)
+ krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
-
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- } else {
- new_cred->ccache = NULL;
- }
-
- /* intern the credential handle */
-
- if (! kg_save_cred_id((gss_cred_id_t) new_cred)) {
- if (new_cred->ccache)
- krb5_cc_close(context, new_cred->ccache);
- if (new_cred->rcache)
- krb5_rc_close(context, new_cred->rcache);
-#ifndef LEAN_CLIENT
- if (new_cred->keytab)
- krb5_kt_close(context, new_cred->keytab);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
+
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ new_cred->ccache = NULL;
+ }
+
+ /* intern the credential handle */
+
+ if (! kg_save_cred_id((gss_cred_id_t) new_cred)) {
+ if (new_cred->ccache)
+ krb5_cc_close(context, new_cred->ccache);
+ if (new_cred->rcache)
+ krb5_rc_close(context, new_cred->rcache);
+#ifndef LEAN_CLIENT
+ if (new_cred->keytab)
+ krb5_kt_close(context, new_cred->keytab);
#endif /* LEAN_CLIENT */
- if (new_cred->princ)
- krb5_free_principal(context, new_cred->princ);
- xfree(new_cred);
- krb5_free_context(context);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
+ xfree(new_cred);
+ krb5_free_context(context);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
- /* modify new_cred */
+ /* modify new_cred */
- cred = new_cred;
+ cred = new_cred;
}
-
+
/* set the flag for the new mechanism */
if (g_OID_equal(desired_mech, gss_mech_krb5_old))
- cred->prerfc_mech = 1;
+ cred->prerfc_mech = 1;
else if (g_OID_equal(desired_mech, gss_mech_krb5))
- cred->rfc_mech = 1;
+ cred->rfc_mech = 1;
/* set the outputs */
- if (GSS_ERROR(major_status = krb5_gss_inquire_cred(minor_status,
- (gss_cred_id_t)cred,
- NULL, &lifetime,
- NULL, actual_mechs))) {
- OM_uint32 dummy;
-
- if (output_cred_handle)
- (void) krb5_gss_release_cred(&dummy, (gss_cred_id_t *) &cred);
- krb5_free_context(context);
-
- return(major_status);
+ if (GSS_ERROR(major_status = krb5_gss_inquire_cred(minor_status,
+ (gss_cred_id_t)cred,
+ NULL, &lifetime,
+ NULL, actual_mechs))) {
+ OM_uint32 dummy;
+
+ if (output_cred_handle)
+ (void) krb5_gss_release_cred(&dummy, (gss_cred_id_t *) &cred);
+ krb5_free_context(context);
+
+ return(major_status);
}
if (initiator_time_rec)
- *initiator_time_rec = lifetime;
+ *initiator_time_rec = lifetime;
if (acceptor_time_rec)
- *acceptor_time_rec = lifetime;
+ *acceptor_time_rec = lifetime;
if (output_cred_handle)
- *output_cred_handle = (gss_cred_id_t)cred;
+ *output_cred_handle = (gss_cred_id_t)cred;
krb5_free_context(context);
*minor_status = 0;
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/canon_name.c
*
/* This is trivial since we're a single mechanism implementation */
OM_uint32 krb5_gss_canonicalize_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
- const gss_OID mech_type,
- gss_name_t *output_name)
+ const gss_name_t input_name,
+ const gss_OID mech_type,
+ gss_name_t *output_name)
{
if ((mech_type != GSS_C_NULL_OID) &&
- !g_OID_equal(gss_mech_krb5, mech_type) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
- *minor_status = 0;
- return(GSS_S_BAD_MECH);
+ !g_OID_equal(gss_mech_krb5, mech_type) &&
+ !g_OID_equal(gss_mech_krb5_old, mech_type)) {
+ *minor_status = 0;
+ return(GSS_S_BAD_MECH);
}
return(gss_duplicate_name(minor_status, input_name, output_name));
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
OM_uint32
krb5_gss_compare_name(minor_status, name1, name2, name_equal)
- OM_uint32 *minor_status;
- gss_name_t name1;
- gss_name_t name2;
- int *name_equal;
-{
- krb5_context context;
- krb5_error_code code;
+ OM_uint32 *minor_status;
+ gss_name_t name1;
+ gss_name_t name2;
+ int *name_equal;
+{
+ krb5_context context;
+ krb5_error_code code;
- if (! kg_validate_name(name1)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(name1)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- if (! kg_validate_name(name2)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(name2)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- *minor_status = 0;
- *name_equal = krb5_principal_compare(context, (krb5_principal) name1,
- (krb5_principal) name2);
- krb5_free_context(context);
- return(GSS_S_COMPLETE);
+ *minor_status = 0;
+ *name_equal = krb5_principal_compare(context, (krb5_principal) name1,
+ (krb5_principal) name2);
+ krb5_free_context(context);
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
OM_uint32
krb5_gss_context_time(minor_status, context_handle, time_rec)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- OM_uint32 *time_rec;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ OM_uint32 *time_rec;
{
- krb5_error_code code;
- krb5_gss_ctx_id_rec *ctx;
- krb5_timestamp now;
- krb5_deltat lifetime;
+ krb5_error_code code;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_timestamp now;
+ krb5_deltat lifetime;
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
+ if (! ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
+ }
- if ((code = krb5_timeofday(ctx->k5_context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, ctx->k5_context);
- return(GSS_S_FAILURE);
- }
+ if ((code = krb5_timeofday(ctx->k5_context, &now))) {
+ *minor_status = code;
+ save_error_info(*minor_status, ctx->k5_context);
+ return(GSS_S_FAILURE);
+ }
- if ((lifetime = ctx->endtime - now) <= 0) {
- *time_rec = 0;
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- } else {
- *time_rec = lifetime;
- *minor_status = 0;
- return(GSS_S_COMPLETE);
- }
+ if ((lifetime = ctx->endtime - now) <= 0) {
+ *time_rec = 0;
+ *minor_status = 0;
+ return(GSS_S_CONTEXT_EXPIRED);
+ } else {
+ *time_rec = lifetime;
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
#include "gssapiP_krb5.h"
-OM_uint32 KRB5_CALLCONV
+OM_uint32 KRB5_CALLCONV
gss_krb5int_copy_ccache(minor_status, cred_handle, out_ccache)
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- krb5_ccache out_ccache;
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
+ krb5_ccache out_ccache;
{
- OM_uint32 major_status;
- krb5_gss_cred_id_t k5creds;
- krb5_cc_cursor cursor;
- krb5_creds creds;
- krb5_error_code code;
- krb5_context context;
+ OM_uint32 major_status;
+ krb5_gss_cred_id_t k5creds;
+ krb5_cc_cursor cursor;
+ krb5_creds creds;
+ krb5_error_code code;
+ krb5_context context;
- /* validate the cred handle */
- major_status = krb5_gss_validate_cred(minor_status, cred_handle);
- if (major_status)
- return(major_status);
-
- k5creds = (krb5_gss_cred_id_t) cred_handle;
- code = k5_mutex_lock(&k5creds->lock);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
- if (k5creds->usage == GSS_C_ACCEPT) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = (OM_uint32) G_BAD_USAGE;
- return(GSS_S_FAILURE);
- }
+ /* validate the cred handle */
+ major_status = krb5_gss_validate_cred(minor_status, cred_handle);
+ if (major_status)
+ return(major_status);
- code = krb5_gss_init_context(&context);
- if (code) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ k5creds = (krb5_gss_cred_id_t) cred_handle;
+ code = k5_mutex_lock(&k5creds->lock);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+ if (k5creds->usage == GSS_C_ACCEPT) {
+ k5_mutex_unlock(&k5creds->lock);
+ *minor_status = (OM_uint32) G_BAD_USAGE;
+ return(GSS_S_FAILURE);
+ }
- code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor);
- if (code) {
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor, &creds))
- code = krb5_cc_store_cred(context, out_ccache, &creds);
- krb5_cc_end_seq_get(context, k5creds->ccache, &cursor);
- k5_mutex_unlock(&k5creds->lock);
- *minor_status = code;
- if (code)
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return code ? GSS_S_FAILURE : GSS_S_COMPLETE;
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ k5_mutex_unlock(&k5creds->lock);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor);
+ if (code) {
+ k5_mutex_unlock(&k5creds->lock);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor, &creds))
+ code = krb5_cc_store_cred(context, out_ccache, &creds);
+ krb5_cc_end_seq_get(context, k5creds->ccache, &cursor);
+ k5_mutex_unlock(&k5creds->lock);
+ *minor_status = code;
+ if (code)
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return code ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
OM_uint32
krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_buffer_t output_token;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_buffer_t output_token;
{
- krb5_context context;
- krb5_gss_ctx_id_rec *ctx;
+ krb5_context context;
+ krb5_gss_ctx_id_rec *ctx;
- if (output_token) {
- output_token->length = 0;
- output_token->value = NULL;
- }
+ if (output_token) {
+ output_token->length = 0;
+ output_token->value = NULL;
+ }
- /*SUPPRESS 29*/
- if (*context_handle == GSS_C_NO_CONTEXT) {
- *minor_status = 0;
- return(GSS_S_COMPLETE);
- }
+ /*SUPPRESS 29*/
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
- /*SUPPRESS 29*/
- /* validate the context handle */
- if (! kg_validate_ctx_id(*context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /*SUPPRESS 29*/
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(*context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- ctx = (krb5_gss_ctx_id_t) *context_handle;
- context = ctx->k5_context;
+ ctx = (krb5_gss_ctx_id_t) *context_handle;
+ context = ctx->k5_context;
- /* construct a delete context token if necessary */
+ /* construct a delete context token if necessary */
- if (output_token) {
- OM_uint32 major;
- gss_buffer_desc empty;
- empty.length = 0; empty.value = NULL;
+ if (output_token) {
+ OM_uint32 major;
+ gss_buffer_desc empty;
+ empty.length = 0; empty.value = NULL;
- if ((major = kg_seal(minor_status, *context_handle, 0,
- GSS_C_QOP_DEFAULT,
- &empty, NULL, output_token, KG_TOK_DEL_CTX))) {
- save_error_info(*minor_status, context);
- return(major);
- }
- }
+ if ((major = kg_seal(minor_status, *context_handle, 0,
+ GSS_C_QOP_DEFAULT,
+ &empty, NULL, output_token, KG_TOK_DEL_CTX))) {
+ save_error_info(*minor_status, context);
+ return(major);
+ }
+ }
- /* invalidate the context handle */
+ /* invalidate the context handle */
- (void)kg_delete_ctx_id(*context_handle);
+ (void)kg_delete_ctx_id(*context_handle);
- /* free all the context state */
+ /* free all the context state */
- if (ctx->seqstate)
- g_order_free(&(ctx->seqstate));
+ if (ctx->seqstate)
+ g_order_free(&(ctx->seqstate));
- if (ctx->enc)
- krb5_free_keyblock(context, ctx->enc);
+ if (ctx->enc)
+ krb5_free_keyblock(context, ctx->enc);
- if (ctx->seq)
- krb5_free_keyblock(context, ctx->seq);
+ if (ctx->seq)
+ krb5_free_keyblock(context, ctx->seq);
- if (ctx->here)
- krb5_free_principal(context, ctx->here);
- if (ctx->there)
- krb5_free_principal(context, ctx->there);
- if (ctx->subkey)
- krb5_free_keyblock(context, ctx->subkey);
- if (ctx->acceptor_subkey)
- krb5_free_keyblock(context, ctx->acceptor_subkey);
+ if (ctx->here)
+ krb5_free_principal(context, ctx->here);
+ if (ctx->there)
+ krb5_free_principal(context, ctx->there);
+ if (ctx->subkey)
+ krb5_free_keyblock(context, ctx->subkey);
+ if (ctx->acceptor_subkey)
+ krb5_free_keyblock(context, ctx->acceptor_subkey);
- if (ctx->auth_context) {
- if (ctx->cred_rcache)
- (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
+ if (ctx->auth_context) {
+ if (ctx->cred_rcache)
+ (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
- krb5_auth_con_free(context, ctx->auth_context);
- }
+ krb5_auth_con_free(context, ctx->auth_context);
+ }
- if (ctx->mech_used)
- gss_release_oid(minor_status, &ctx->mech_used);
-
- if (ctx->k5_context)
- krb5_free_context(ctx->k5_context);
+ if (ctx->mech_used)
+ gss_release_oid(minor_status, &ctx->mech_used);
- /* Zero out context */
- memset(ctx, 0, sizeof(*ctx));
- xfree(ctx);
+ if (ctx->k5_context)
+ krb5_free_context(ctx->k5_context);
- /* zero the handle itself */
+ /* Zero out context */
+ memset(ctx, 0, sizeof(*ctx));
+ xfree(ctx);
- *context_handle = GSS_C_NO_CONTEXT;
+ /* zero the handle itself */
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ *context_handle = GSS_C_NO_CONTEXT;
+
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#include "gssapiP_krb5.h"
OM_uint32
-krb5_gss_display_name(minor_status, input_name, output_name_buffer,
- output_name_type)
- OM_uint32 *minor_status;
- gss_name_t input_name;
- gss_buffer_t output_name_buffer;
- gss_OID *output_name_type;
+krb5_gss_display_name(minor_status, input_name, output_name_buffer,
+ output_name_type)
+ OM_uint32 *minor_status;
+ gss_name_t input_name;
+ gss_buffer_t output_name_buffer;
+ gss_OID *output_name_type;
{
- krb5_context context;
- krb5_error_code code;
- char *str;
+ krb5_context context;
+ krb5_error_code code;
+ char *str;
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- output_name_buffer->length = 0;
- output_name_buffer->value = NULL;
+ output_name_buffer->length = 0;
+ output_name_buffer->value = NULL;
- if (! kg_validate_name(input_name)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(input_name)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- if ((code = krb5_unparse_name(context,
- (krb5_principal) input_name, &str))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ if ((code = krb5_unparse_name(context,
+ (krb5_principal) input_name, &str))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- if (! g_make_string_buffer(str, output_name_buffer)) {
- krb5_free_unparsed_name(context, str);
- krb5_free_context(context);
+ if (! g_make_string_buffer(str, output_name_buffer)) {
+ krb5_free_unparsed_name(context, str);
+ krb5_free_context(context);
- *minor_status = (OM_uint32) G_BUFFER_ALLOC;
- return(GSS_S_FAILURE);
- }
+ *minor_status = (OM_uint32) G_BUFFER_ALLOC;
+ return(GSS_S_FAILURE);
+ }
- krb5_free_unparsed_name(context, str);
- krb5_free_context(context);
+ krb5_free_unparsed_name(context, str);
+ krb5_free_context(context);
- *minor_status = 0;
- if (output_name_type)
- *output_name_type = (gss_OID) gss_nt_krb5_name;
- return(GSS_S_COMPLETE);
+ *minor_status = 0;
+ if (output_name_type)
+ *output_name_type = (gss_OID) gss_nt_krb5_name;
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
compare_OM_uint32 (OM_uint32 a, OM_uint32 b)
{
if (a < b)
- return -1;
+ return -1;
else if (a == b)
- return 0;
+ return 0;
else
- return 1;
+ return 1;
}
static inline void
free_string (char *s)
char *msg = 0;
#ifdef DEBUG
fprintf(stderr, "%s(%lu, p=%p)", __func__, (unsigned long) minor_code,
- (void *) p);
+ (void *) p);
#endif
if (p) {
- char **v = gsserrmap_find(p, minor_code);
- if (v) {
- msg = *v;
+ char **v = gsserrmap_find(p, minor_code);
+ if (v) {
+ msg = *v;
#ifdef DEBUG
- fprintf(stderr, " FOUND!");
+ fprintf(stderr, " FOUND!");
#endif
- }
+ }
}
if (msg == 0)
- msg = error_message(minor_code);
+ msg = error_message(minor_code);
#ifdef DEBUG
fprintf(stderr, " -> %p/%s\n", (void *) msg, msg);
#endif
#endif
p = k5_getspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE);
if (!p) {
- p = malloc(sizeof(*p));
- if (p == NULL) {
- ret = 1;
- goto fail;
- }
- if (gsserrmap_init(p) != 0) {
- free(p);
- p = NULL;
- ret = 1;
- goto fail;
- }
- if (k5_setspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE, p) != 0) {
- gsserrmap_destroy(p);
- free(p);
- p = NULL;
- ret = 1;
- goto fail;
- }
+ p = malloc(sizeof(*p));
+ if (p == NULL) {
+ ret = 1;
+ goto fail;
+ }
+ if (gsserrmap_init(p) != 0) {
+ free(p);
+ p = NULL;
+ ret = 1;
+ goto fail;
+ }
+ if (k5_setspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE, p) != 0) {
+ gsserrmap_destroy(p);
+ free(p);
+ p = NULL;
+ ret = 1;
+ goto fail;
+ }
}
ret = gsserrmap_replace_or_insert(p, minor_code, msg);
fail:
{
char *s = strdup(msg);
if (s) {
- if (save_error_string_nocopy(minor_code, s) != 0)
- free(s);
+ if (save_error_string_nocopy(minor_code, s) != 0)
+ free(s);
}
}
void save_error_message(OM_uint32 minor_code, const char *format, ...)
n = vasprintf(&s, format, ap);
va_end(ap);
if (n >= 0) {
- if (save_error_string_nocopy(minor_code, s) != 0)
- free(s);
+ if (save_error_string_nocopy(minor_code, s) != 0)
+ free(s);
}
}
void krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx)
#ifdef DEBUG
fprintf(stderr, "%s(%lu, ctx=%p)\n", __func__,
- (unsigned long) minor_code, (void *)ctx);
+ (unsigned long) minor_code, (void *)ctx);
#endif
s = krb5_get_error_message(ctx, minor_code);
#ifdef DEBUG
fprintf(stderr, "%s(%lu, ctx=%p) saving: %s\n", __func__,
- (unsigned long) minor_code, (void *)ctx, s);
+ (unsigned long) minor_code, (void *)ctx, s);
#endif
save_error_string(minor_code, s);
/* The get_error_message call above resets the error message in
OM_uint32
krb5_gss_display_status(minor_status, status_value, status_type,
- mech_type, message_context, status_string)
- OM_uint32 *minor_status;
- OM_uint32 status_value;
- int status_type;
- gss_OID mech_type;
- OM_uint32 *message_context;
- gss_buffer_t status_string;
+ mech_type, message_context, status_string)
+ OM_uint32 *minor_status;
+ OM_uint32 status_value;
+ int status_type;
+ gss_OID mech_type;
+ OM_uint32 *message_context;
+ gss_buffer_t status_string;
{
- status_string->length = 0;
- status_string->value = NULL;
+ status_string->length = 0;
+ status_string->value = NULL;
- if ((mech_type != GSS_C_NULL_OID) &&
- !g_OID_equal(gss_mech_krb5, mech_type) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
- *minor_status = 0;
- return(GSS_S_BAD_MECH);
+ if ((mech_type != GSS_C_NULL_OID) &&
+ !g_OID_equal(gss_mech_krb5, mech_type) &&
+ !g_OID_equal(gss_mech_krb5_old, mech_type)) {
+ *minor_status = 0;
+ return(GSS_S_BAD_MECH);
}
- if (status_type == GSS_C_GSS_CODE) {
- return(g_display_major_status(minor_status, status_value,
- message_context, status_string));
- } else if (status_type == GSS_C_MECH_CODE) {
- (void) gssint_initialize_library();
+ if (status_type == GSS_C_GSS_CODE) {
+ return(g_display_major_status(minor_status, status_value,
+ message_context, status_string));
+ } else if (status_type == GSS_C_MECH_CODE) {
+ (void) gssint_initialize_library();
- if (*message_context) {
- *minor_status = (OM_uint32) G_BAD_MSG_CTX;
- return(GSS_S_FAILURE);
- }
+ if (*message_context) {
+ *minor_status = (OM_uint32) G_BAD_MSG_CTX;
+ return(GSS_S_FAILURE);
+ }
- /* If this fails, there's not much we can do... */
- if (g_make_string_buffer(krb5_gss_get_error_message(status_value),
- status_string) != 0)
- *minor_status = ENOMEM;
- else
- *minor_status = 0;
- return 0;
- } else {
- *minor_status = 0;
- return(GSS_S_BAD_STATUS);
- }
+ /* If this fails, there's not much we can do... */
+ if (g_make_string_buffer(krb5_gss_get_error_message(status_value),
+ status_string) != 0)
+ *minor_status = ENOMEM;
+ else
+ *minor_status = 0;
+ return 0;
+ } else {
+ *minor_status = 0;
+ return(GSS_S_BAD_STATUS);
+ }
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/duplicate_name.c
*
#include "gssapiP_krb5.h"
OM_uint32 krb5_gss_duplicate_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
- gss_name_t *dest_name)
+ const gss_name_t input_name,
+ gss_name_t *dest_name)
{
- krb5_context context;
- krb5_error_code code;
- krb5_principal princ, outprinc;
+ krb5_context context;
+ krb5_error_code code;
+ krb5_principal princ, outprinc;
- if (minor_status)
- *minor_status = 0;
-
- code = krb5_gss_init_context(&context);
- if (code) {
- if (minor_status)
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- if (! kg_validate_name(input_name)) {
- if (minor_status)
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
-
- princ = (krb5_principal)input_name;
- if ((code = krb5_copy_principal(context, princ, &outprinc))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-
- if (! kg_save_name((gss_name_t) outprinc)) {
- krb5_free_principal(context, outprinc);
- krb5_free_context(context);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
-
- krb5_free_context(context);
- *dest_name = (gss_name_t) outprinc;
- return(GSS_S_COMPLETE);
-
-}
+ if (minor_status)
+ *minor_status = 0;
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ if (minor_status)
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+ if (! kg_validate_name(input_name)) {
+ if (minor_status)
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
+ princ = (krb5_principal)input_name;
+ if ((code = krb5_copy_principal(context, princ, &outprinc))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ if (! kg_save_name((gss_name_t) outprinc)) {
+ krb5_free_principal(context, outprinc);
+ krb5_free_context(context);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
+ krb5_free_context(context);
+ *dest_name = (gss_name_t) outprinc;
+ return(GSS_S_COMPLETE);
+}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/export_name.c
*
#include "gssapiP_krb5.h"
OM_uint32 krb5_gss_export_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
- gss_buffer_t exported_name)
+ const gss_name_t input_name,
+ gss_buffer_t exported_name)
{
- krb5_context context;
- krb5_error_code code;
- size_t length;
- char *str, *cp;
+ krb5_context context;
+ krb5_error_code code;
+ size_t length;
+ char *str, *cp;
- if (minor_status)
- *minor_status = 0;
+ if (minor_status)
+ *minor_status = 0;
- code = krb5_gss_init_context(&context);
- if (code) {
- if (minor_status)
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ if (minor_status)
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- exported_name->length = 0;
- exported_name->value = NULL;
-
- if (! kg_validate_name(input_name)) {
- if (minor_status)
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ exported_name->length = 0;
+ exported_name->value = NULL;
- if ((code = krb5_unparse_name(context, (krb5_principal) input_name,
- &str))) {
- if (minor_status)
- *minor_status = code;
- save_error_info(code, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
+ if (! kg_validate_name(input_name)) {
+ if (minor_status)
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- krb5_free_context(context);
- length = strlen(str);
- exported_name->length = 10 + length + gss_mech_krb5->length;
- exported_name->value = malloc(exported_name->length);
- if (!exported_name->value) {
- free(str);
- if (minor_status)
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- cp = exported_name->value;
+ if ((code = krb5_unparse_name(context, (krb5_principal) input_name,
+ &str))) {
+ if (minor_status)
+ *minor_status = code;
+ save_error_info(code, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
- /* Note: we assume the OID will be less than 128 bytes... */
- *cp++ = 0x04; *cp++ = 0x01;
- store_16_be(gss_mech_krb5->length+2, cp);
- cp += 2;
- *cp++ = 0x06;
- *cp++ = (gss_mech_krb5->length) & 0xFF;
- memcpy(cp, gss_mech_krb5->elements, gss_mech_krb5->length);
- cp += gss_mech_krb5->length;
- store_32_be(length, cp);
- cp += 4;
- memcpy(cp, str, length);
+ krb5_free_context(context);
+ length = strlen(str);
+ exported_name->length = 10 + length + gss_mech_krb5->length;
+ exported_name->value = malloc(exported_name->length);
+ if (!exported_name->value) {
+ free(str);
+ if (minor_status)
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ cp = exported_name->value;
- free(str);
+ /* Note: we assume the OID will be less than 128 bytes... */
+ *cp++ = 0x04; *cp++ = 0x01;
+ store_16_be(gss_mech_krb5->length+2, cp);
+ cp += 2;
+ *cp++ = 0x06;
+ *cp++ = (gss_mech_krb5->length) & 0xFF;
+ memcpy(cp, gss_mech_krb5->elements, gss_mech_krb5->length);
+ cp += gss_mech_krb5->length;
+ store_32_be(length, cp);
+ cp += 4;
+ memcpy(cp, str, length);
- return(GSS_S_COMPLETE);
+ free(str);
+
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/export_sec_context.c
*
*/
/*
- * export_sec_context.c - Externalize the security context.
+ * export_sec_context.c - Externalize the security context.
*/
#include "gssapiP_krb5.h"
#ifndef LEAN_CLIENT
OM_uint32
krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token)
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_buffer_t interprocess_token;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_buffer_t interprocess_token;
{
- krb5_context context = NULL;
- krb5_error_code kret;
- OM_uint32 retval;
- size_t bufsize, blen;
- krb5_gss_ctx_id_t ctx;
- krb5_octet *obuffer, *obp;
+ krb5_context context = NULL;
+ krb5_error_code kret;
+ OM_uint32 retval;
+ size_t bufsize, blen;
+ krb5_gss_ctx_id_t ctx;
+ krb5_octet *obuffer, *obp;
/* Assume a tragic failure */
obuffer = (krb5_octet *) NULL;
*minor_status = 0;
if (!kg_validate_ctx_id(*context_handle)) {
- kret = (OM_uint32) G_VALIDATE_FAILED;
- retval = GSS_S_NO_CONTEXT;
- goto error_out;
+ kret = (OM_uint32) G_VALIDATE_FAILED;
+ retval = GSS_S_NO_CONTEXT;
+ goto error_out;
}
ctx = (krb5_gss_ctx_id_t) *context_handle;
context = ctx->k5_context;
kret = krb5_gss_ser_init(context);
if (kret)
- goto error_out;
+ goto error_out;
/* Determine size needed for externalization of context */
bufsize = 0;
if ((kret = kg_ctx_size(context, (krb5_pointer) ctx,
- &bufsize)))
- goto error_out;
+ &bufsize)))
+ goto error_out;
/* Allocate the buffer */
if ((obuffer = (krb5_octet *) xmalloc(bufsize)) == NULL) {
- kret = ENOMEM;
- goto error_out;
+ kret = ENOMEM;
+ goto error_out;
}
obp = obuffer;
blen = bufsize;
/* Externalize the context */
if ((kret = kg_ctx_externalize(context,
- (krb5_pointer) ctx, &obp, &blen)))
- goto error_out;
+ (krb5_pointer) ctx, &obp, &blen)))
+ goto error_out;
/* Success! Return the buffer */
interprocess_token->length = bufsize - blen;
error_out:
if (retval != GSS_S_COMPLETE)
- if (kret != 0 && context != 0)
- save_error_info(kret, context);
+ if (kret != 0 && context != 0)
+ save_error_info(kret, context);
if (obuffer && bufsize) {
- memset(obuffer, 0, bufsize);
- xfree(obuffer);
+ memset(obuffer, 0, bufsize);
+ xfree(obuffer);
}
- if (*minor_status == 0)
- *minor_status = (OM_uint32) kret;
+ if (*minor_status == 0)
+ *minor_status = (OM_uint32) kret;
return(retval);
}
#endif /* LEAN_CLIENT */
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
* $Id$
*/
-OM_uint32 KRB5_CALLCONV
+OM_uint32 KRB5_CALLCONV
gss_krb5int_get_tkt_flags(minor_status, context_handle, ticket_flags)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- krb5_flags *ticket_flags;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ krb5_flags *ticket_flags;
{
- krb5_gss_ctx_id_rec *ctx;
+ krb5_gss_ctx_id_rec *ctx;
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
+ if (! ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
+ }
- if (ticket_flags)
- *ticket_flags = ctx->krb_flags;
+ if (ticket_flags)
+ *ticket_flags = ctx->krb_flags;
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002"
-#define CKSUMTYPE_KG_CB 0x8003
+#define CKSUMTYPE_KG_CB 0x8003
-#define KG_TOK_CTX_AP_REQ 0x0100
-#define KG_TOK_CTX_AP_REP 0x0200
-#define KG_TOK_CTX_ERROR 0x0300
-#define KG_TOK_SIGN_MSG 0x0101
-#define KG_TOK_SEAL_MSG 0x0201
-#define KG_TOK_MIC_MSG 0x0101
-#define KG_TOK_WRAP_MSG 0x0201
-#define KG_TOK_DEL_CTX 0x0102
+#define KG_TOK_CTX_AP_REQ 0x0100
+#define KG_TOK_CTX_AP_REP 0x0200
+#define KG_TOK_CTX_ERROR 0x0300
+#define KG_TOK_SIGN_MSG 0x0101
+#define KG_TOK_SEAL_MSG 0x0201
+#define KG_TOK_MIC_MSG 0x0101
+#define KG_TOK_WRAP_MSG 0x0201
+#define KG_TOK_DEL_CTX 0x0102
-#define KG2_TOK_INITIAL 0x0101
-#define KG2_TOK_RESPONSE 0x0202
-#define KG2_TOK_MIC 0x0303
-#define KG2_TOK_WRAP_INTEG 0x0404
-#define KG2_TOK_WRAP_PRIV 0x0505
+#define KG2_TOK_INITIAL 0x0101
+#define KG2_TOK_RESPONSE 0x0202
+#define KG2_TOK_MIC 0x0303
+#define KG2_TOK_WRAP_INTEG 0x0404
+#define KG2_TOK_WRAP_PRIV 0x0505
#define KRB5_GSS_FOR_CREDS_OPTION 1
-#define KG2_RESP_FLAG_ERROR 0x0001
-#define KG2_RESP_FLAG_DELEG_OK 0x0002
+#define KG2_RESP_FLAG_ERROR 0x0001
+#define KG2_RESP_FLAG_DELEG_OK 0x0002
/* These are to be stored in little-endian order, i.e., des-mac is
stored as 02 00. */
enum sgn_alg {
- SGN_ALG_DES_MAC_MD5 = 0x0000,
- SGN_ALG_MD2_5 = 0x0001,
- SGN_ALG_DES_MAC = 0x0002,
- SGN_ALG_3 = 0x0003, /* not published */
- SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */
- SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
+ SGN_ALG_DES_MAC_MD5 = 0x0000,
+ SGN_ALG_MD2_5 = 0x0001,
+ SGN_ALG_DES_MAC = 0x0002,
+ SGN_ALG_3 = 0x0003, /* not published */
+ SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */
+ SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
};
enum seal_alg {
- SEAL_ALG_NONE = 0xffff,
- SEAL_ALG_DES = 0x0000,
- SEAL_ALG_1 = 0x0001, /* not published */
- SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
- SEAL_ALG_DES3KD = 0x0002
+ SEAL_ALG_NONE = 0xffff,
+ SEAL_ALG_DES = 0x0000,
+ SEAL_ALG_1 = 0x0001, /* not published */
+ SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
+ SEAL_ALG_DES3KD = 0x0002
};
/* for 3DES */
#define KG_USAGE_SEQ 24
/* for draft-ietf-krb-wg-gssapi-cfx-01 */
-#define KG_USAGE_ACCEPTOR_SEAL 22
-#define KG_USAGE_ACCEPTOR_SIGN 23
-#define KG_USAGE_INITIATOR_SEAL 24
-#define KG_USAGE_INITIATOR_SIGN 25
+#define KG_USAGE_ACCEPTOR_SEAL 22
+#define KG_USAGE_ACCEPTOR_SIGN 23
+#define KG_USAGE_INITIATOR_SEAL 24
+#define KG_USAGE_INITIATOR_SIGN 25
enum qop {
- GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
- GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
- GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
- GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
- GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
- GSS_KRB5_CONF_C_QOP_DES = 0x0100,
- GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
- GSS_KRB5_CONF_C_QOP_MASK = 0xff00
+ GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
+ GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
+ GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
+ GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
+ GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
+ GSS_KRB5_CONF_C_QOP_DES = 0x0100,
+ GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
+ GSS_KRB5_CONF_C_QOP_MASK = 0xff00
};
/** internal types **/
typedef krb5_principal krb5_gss_name_t;
typedef struct _krb5_gss_cred_id_rec {
- /* protect against simultaneous accesses */
- k5_mutex_t lock;
+ /* protect against simultaneous accesses */
+ k5_mutex_t lock;
- /* name/type of credential */
- gss_cred_usage_t usage;
- krb5_principal princ; /* this is not interned as a gss_name_t */
- int prerfc_mech;
- int rfc_mech;
+ /* name/type of credential */
+ gss_cred_usage_t usage;
+ krb5_principal princ; /* this is not interned as a gss_name_t */
+ int prerfc_mech;
+ int rfc_mech;
- /* keytab (accept) data */
- krb5_keytab keytab;
- krb5_rcache rcache;
+ /* keytab (accept) data */
+ krb5_keytab keytab;
+ krb5_rcache rcache;
- /* ccache (init) data */
- krb5_ccache ccache;
- krb5_timestamp tgt_expire;
- krb5_enctype *req_enctypes; /* limit negotiated enctypes to this list */
-} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
+ /* ccache (init) data */
+ krb5_ccache ccache;
+ krb5_timestamp tgt_expire;
+ krb5_enctype *req_enctypes; /* limit negotiated enctypes to this list */
+} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
typedef struct _krb5_gss_ctx_id_rec {
- unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
- unsigned int established : 1;
- unsigned int big_endian : 1;
- unsigned int have_acceptor_subkey : 1;
- unsigned int seed_init : 1; /* XXX tested but never actually set */
- OM_uint32 gss_flags;
- unsigned char seed[16];
- krb5_principal here;
- krb5_principal there;
- krb5_keyblock *subkey;
- int signalg;
- size_t cksum_size;
- int sealalg;
- krb5_keyblock *enc;
- krb5_keyblock *seq;
- krb5_timestamp endtime;
- krb5_flags krb_flags;
- /* XXX these used to be signed. the old spec is inspecific, and
- the new spec specifies unsigned. I don't believe that the change
- affects the wire encoding. */
- gssint_uint64 seq_send;
- gssint_uint64 seq_recv;
- void *seqstate;
- krb5_context k5_context;
- krb5_auth_context auth_context;
- gss_OID_desc *mech_used;
+ unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
+ unsigned int established : 1;
+ unsigned int big_endian : 1;
+ unsigned int have_acceptor_subkey : 1;
+ unsigned int seed_init : 1; /* XXX tested but never actually set */
+ OM_uint32 gss_flags;
+ unsigned char seed[16];
+ krb5_principal here;
+ krb5_principal there;
+ krb5_keyblock *subkey;
+ int signalg;
+ size_t cksum_size;
+ int sealalg;
+ krb5_keyblock *enc;
+ krb5_keyblock *seq;
+ krb5_timestamp endtime;
+ krb5_flags krb_flags;
+ /* XXX these used to be signed. the old spec is inspecific, and
+ the new spec specifies unsigned. I don't believe that the change
+ affects the wire encoding. */
+ gssint_uint64 seq_send;
+ gssint_uint64 seq_recv;
+ void *seqstate;
+ krb5_context k5_context;
+ krb5_auth_context auth_context;
+ gss_OID_desc *mech_used;
/* Protocol spec revision
0 => RFC 1964 with 3DES and RC4 enhancements
1 => draft-ietf-krb-wg-gssapi-cfx-01
No others defined so far. */
- int proto;
- krb5_cksumtype cksumtype; /* for "main" subkey */
- krb5_keyblock *acceptor_subkey; /* CFX only */
- krb5_cksumtype acceptor_subkey_cksumtype;
- int cred_rcache; /* did we get rcache from creds? */
+ int proto;
+ krb5_cksumtype cksumtype; /* for "main" subkey */
+ krb5_keyblock *acceptor_subkey; /* CFX only */
+ krb5_cksumtype acceptor_subkey_cksumtype;
+ int cred_rcache; /* did we get rcache from creds? */
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
extern g_set kg_vdb;
/* helper macros */
-#define kg_save_name(name) g_save_name(&kg_vdb,name)
-#define kg_save_cred_id(cred) g_save_cred_id(&kg_vdb,cred)
-#define kg_save_ctx_id(ctx) g_save_ctx_id(&kg_vdb,ctx)
-#define kg_save_lucidctx_id(lctx) g_save_lucidctx_id(&kg_vdb,lctx)
+#define kg_save_name(name) g_save_name(&kg_vdb,name)
+#define kg_save_cred_id(cred) g_save_cred_id(&kg_vdb,cred)
+#define kg_save_ctx_id(ctx) g_save_ctx_id(&kg_vdb,ctx)
+#define kg_save_lucidctx_id(lctx) g_save_lucidctx_id(&kg_vdb,lctx)
-#define kg_validate_name(name) g_validate_name(&kg_vdb,name)
-#define kg_validate_cred_id(cred) g_validate_cred_id(&kg_vdb,cred)
-#define kg_validate_ctx_id(ctx) g_validate_ctx_id(&kg_vdb,ctx)
-#define kg_validate_lucidctx_id(lctx) g_validate_lucidctx_id(&kg_vdb,lctx)
+#define kg_validate_name(name) g_validate_name(&kg_vdb,name)
+#define kg_validate_cred_id(cred) g_validate_cred_id(&kg_vdb,cred)
+#define kg_validate_ctx_id(ctx) g_validate_ctx_id(&kg_vdb,ctx)
+#define kg_validate_lucidctx_id(lctx) g_validate_lucidctx_id(&kg_vdb,lctx)
-#define kg_delete_name(name) g_delete_name(&kg_vdb,name)
-#define kg_delete_cred_id(cred) g_delete_cred_id(&kg_vdb,cred)
-#define kg_delete_ctx_id(ctx) g_delete_ctx_id(&kg_vdb,ctx)
-#define kg_delete_lucidctx_id(lctx) g_delete_lucidctx_id(&kg_vdb,lctx)
+#define kg_delete_name(name) g_delete_name(&kg_vdb,name)
+#define kg_delete_cred_id(cred) g_delete_cred_id(&kg_vdb,cred)
+#define kg_delete_ctx_id(ctx) g_delete_ctx_id(&kg_vdb,ctx)
+#define kg_delete_lucidctx_id(lctx) g_delete_lucidctx_id(&kg_vdb,lctx)
/** helper functions **/
-OM_uint32 kg_get_defcred
- (OM_uint32 *minor_status,
- gss_cred_id_t *cred);
+OM_uint32 kg_get_defcred
+(OM_uint32 *minor_status,
+ gss_cred_id_t *cred);
krb5_error_code kg_checksum_channel_bindings
- (krb5_context context, gss_channel_bindings_t cb,
- krb5_checksum *cksum,
- int bigend);
+(krb5_context context, gss_channel_bindings_t cb,
+ krb5_checksum *cksum,
+ int bigend);
krb5_error_code kg_make_seq_num (krb5_context context,
- krb5_keyblock *key,
- int direction, krb5_ui_4 seqnum, unsigned char *cksum,
- unsigned char *buf);
+ krb5_keyblock *key,
+ int direction, krb5_ui_4 seqnum, unsigned char *cksum,
+ unsigned char *buf);
krb5_error_code kg_get_seq_num (krb5_context context,
- krb5_keyblock *key,
- unsigned char *cksum, unsigned char *buf, int *direction,
- krb5_ui_4 *seqnum);
+ krb5_keyblock *key,
+ unsigned char *cksum, unsigned char *buf, int *direction,
+ krb5_ui_4 *seqnum);
krb5_error_code kg_make_seed (krb5_context context,
- krb5_keyblock *key,
- unsigned char *seed);
+ krb5_keyblock *key,
+ unsigned char *seed);
int kg_confounder_size (krb5_context context, krb5_keyblock *key);
-krb5_error_code kg_make_confounder (krb5_context context,
- krb5_keyblock *key, unsigned char *buf);
+krb5_error_code kg_make_confounder (krb5_context context,
+ krb5_keyblock *key, unsigned char *buf);
-krb5_error_code kg_encrypt (krb5_context context,
- krb5_keyblock *key, int usage,
- krb5_pointer iv,
- krb5_const_pointer in,
- krb5_pointer out,
- unsigned int length);
+krb5_error_code kg_encrypt (krb5_context context,
+ krb5_keyblock *key, int usage,
+ krb5_pointer iv,
+ krb5_const_pointer in,
+ krb5_pointer out,
+ unsigned int length);
krb5_error_code
kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage,
- const unsigned char *kd_data, size_t kd_data_len,
- const unsigned char *input_buf, size_t input_len,
- unsigned char *output_buf);
+ const unsigned char *kd_data, size_t kd_data_len,
+ const unsigned char *input_buf, size_t input_len,
+ unsigned char *output_buf);
krb5_error_code kg_decrypt (krb5_context context,
- krb5_keyblock *key, int usage,
- krb5_pointer iv,
- krb5_const_pointer in,
- krb5_pointer out,
- unsigned int length);
+ krb5_keyblock *key, int usage,
+ krb5_pointer iv,
+ krb5_const_pointer in,
+ krb5_pointer out,
+ unsigned int length);
OM_uint32 kg_seal (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- int conf_req_flag,
- int qop_req,
- gss_buffer_t input_message_buffer,
- int *conf_state,
- gss_buffer_t output_message_buffer,
- int toktype);
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ int qop_req,
+ gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer,
+ int toktype);
OM_uint32 kg_unseal (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t input_token_buffer,
- gss_buffer_t message_buffer,
- int *conf_state,
- int *qop_state,
- int toktype);
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_token_buffer,
+ gss_buffer_t message_buffer,
+ int *conf_state,
+ int *qop_state,
+ int toktype);
OM_uint32 kg_seal_size (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- int conf_req_flag,
- gss_qop_t qop_req,
- OM_uint32 output_size,
- OM_uint32 *input_size);
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 output_size,
+ OM_uint32 *input_size);
krb5_error_code kg_ctx_size (krb5_context kcontext,
- krb5_pointer arg,
- size_t *sizep);
+ krb5_pointer arg,
+ size_t *sizep);
krb5_error_code kg_ctx_externalize (krb5_context kcontext,
- krb5_pointer arg,
- krb5_octet **buffer,
- size_t *lenremain);
+ krb5_pointer arg,
+ krb5_octet **buffer,
+ size_t *lenremain);
krb5_error_code kg_ctx_internalize (krb5_context kcontext,
- krb5_pointer *argp,
- krb5_octet **buffer,
- size_t *lenremain);
+ krb5_pointer *argp,
+ krb5_octet **buffer,
+ size_t *lenremain);
OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status);
-OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status,
+OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status,
int *out_caller_provided_name);
-OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status,
+OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status,
const char **out_name);
-OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status,
+OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status,
const char *name);
/** declarations of internal name mechanism functions **/
OM_uint32 krb5_gss_acquire_cred
(OM_uint32*, /* minor_status */
- gss_name_t, /* desired_name */
- OM_uint32, /* time_req */
- gss_OID_set, /* desired_mechs */
- gss_cred_usage_t, /* cred_usage */
- gss_cred_id_t*, /* output_cred_handle */
- gss_OID_set*, /* actual_mechs */
- OM_uint32* /* time_rec */
- );
+ gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t*, /* output_cred_handle */
+ gss_OID_set*, /* actual_mechs */
+ OM_uint32* /* time_rec */
+);
OM_uint32 krb5_gss_release_cred
(OM_uint32*, /* minor_status */
- gss_cred_id_t* /* cred_handle */
- );
+ gss_cred_id_t* /* cred_handle */
+);
OM_uint32 krb5_gss_init_sec_context
(OM_uint32*, /* minor_status */
- gss_cred_id_t, /* claimant_cred_handle */
- gss_ctx_id_t*, /* context_handle */
- gss_name_t, /* target_name */
- gss_OID, /* mech_type */
- OM_uint32, /* req_flags */
- OM_uint32, /* time_req */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_buffer_t, /* input_token */
- gss_OID*, /* actual_mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32*, /* ret_flags */
- OM_uint32* /* time_rec */
- );
+ gss_cred_id_t, /* claimant_cred_handle */
+ gss_ctx_id_t*, /* context_handle */
+ gss_name_t, /* target_name */
+ gss_OID, /* mech_type */
+ OM_uint32, /* req_flags */
+ OM_uint32, /* time_req */
+ gss_channel_bindings_t,
+ /* input_chan_bindings */
+ gss_buffer_t, /* input_token */
+ gss_OID*, /* actual_mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32*, /* ret_flags */
+ OM_uint32* /* time_rec */
+);
#ifndef LEAN_CLIENT
OM_uint32 krb5_gss_accept_sec_context
(OM_uint32*, /* minor_status */
- gss_ctx_id_t*, /* context_handle */
- gss_cred_id_t, /* verifier_cred_handle */
- gss_buffer_t, /* input_token_buffer */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_name_t*, /* src_name */
- gss_OID*, /* mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32*, /* ret_flags */
- OM_uint32*, /* time_rec */
- gss_cred_id_t* /* delegated_cred_handle */
- );
+ gss_ctx_id_t*, /* context_handle */
+ gss_cred_id_t, /* verifier_cred_handle */
+ gss_buffer_t, /* input_token_buffer */
+ gss_channel_bindings_t,
+ /* input_chan_bindings */
+ gss_name_t*, /* src_name */
+ gss_OID*, /* mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32*, /* ret_flags */
+ OM_uint32*, /* time_rec */
+ gss_cred_id_t* /* delegated_cred_handle */
+);
#endif /* LEAN_CLIENT */
OM_uint32 krb5_gss_process_context_token
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t /* token_buffer */
- );
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t /* token_buffer */
+);
OM_uint32 krb5_gss_delete_sec_context
(OM_uint32*, /* minor_status */
- gss_ctx_id_t*, /* context_handle */
- gss_buffer_t /* output_token */
- );
+ gss_ctx_id_t*, /* context_handle */
+ gss_buffer_t /* output_token */
+);
OM_uint32 krb5_gss_context_time
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- OM_uint32* /* time_rec */
- );
+ gss_ctx_id_t, /* context_handle */
+ OM_uint32* /* time_rec */
+);
OM_uint32 krb5_gss_sign
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
+ gss_ctx_id_t, /* context_handle */
+ int, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t /* message_token */
+);
OM_uint32 krb5_gss_verify
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* token_buffer */
- int* /* qop_state */
- );
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* token_buffer */
+ int* /* qop_state */
+);
OM_uint32 krb5_gss_seal
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- int, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int*, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ int, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int*, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+);
OM_uint32 krb5_gss_unseal
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int*, /* conf_state */
- int* /* qop_state */
- );
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int*, /* conf_state */
+ int* /* qop_state */
+);
OM_uint32 krb5_gss_display_status
(OM_uint32*, /* minor_status */
- OM_uint32, /* status_value */
- int, /* status_type */
- gss_OID, /* mech_type */
- OM_uint32*, /* message_context */
- gss_buffer_t /* status_string */
- );
+ OM_uint32, /* status_value */
+ int, /* status_type */
+ gss_OID, /* mech_type */
+ OM_uint32*, /* message_context */
+ gss_buffer_t /* status_string */
+);
OM_uint32 krb5_gss_indicate_mechs
(OM_uint32*, /* minor_status */
- gss_OID_set* /* mech_set */
- );
+ gss_OID_set* /* mech_set */
+);
OM_uint32 krb5_gss_compare_name
(OM_uint32*, /* minor_status */
- gss_name_t, /* name1 */
- gss_name_t, /* name2 */
- int* /* name_equal */
- );
+ gss_name_t, /* name1 */
+ gss_name_t, /* name2 */
+ int* /* name_equal */
+);
OM_uint32 krb5_gss_display_name
(OM_uint32*, /* minor_status */
- gss_name_t, /* input_name */
- gss_buffer_t, /* output_name_buffer */
- gss_OID* /* output_name_type */
- );
+ gss_name_t, /* input_name */
+ gss_buffer_t, /* output_name_buffer */
+ gss_OID* /* output_name_type */
+);
OM_uint32 krb5_gss_import_name
(OM_uint32*, /* minor_status */
- gss_buffer_t, /* input_name_buffer */
- gss_OID, /* input_name_type */
- gss_name_t* /* output_name */
- );
+ gss_buffer_t, /* input_name_buffer */
+ gss_OID, /* input_name_type */
+ gss_name_t* /* output_name */
+);
OM_uint32 krb5_gss_release_name
(OM_uint32*, /* minor_status */
- gss_name_t* /* input_name */
- );
+ gss_name_t* /* input_name */
+);
OM_uint32 krb5_gss_inquire_cred
(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_name_t *, /* name */
- OM_uint32 *, /* lifetime */
- gss_cred_usage_t*,/* cred_usage */
- gss_OID_set * /* mechanisms */
- );
+ gss_cred_id_t, /* cred_handle */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* lifetime */
+ gss_cred_usage_t*,/* cred_usage */
+ gss_OID_set * /* mechanisms */
+);
OM_uint32 krb5_gss_inquire_context
(OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_name_t*, /* initiator_name */
- gss_name_t*, /* acceptor_name */
- OM_uint32*, /* lifetime_rec */
- gss_OID*, /* mech_type */
- OM_uint32*, /* ret_flags */
- int*, /* locally_initiated */
- int* /* open */
- );
+ gss_ctx_id_t, /* context_handle */
+ gss_name_t*, /* initiator_name */
+ gss_name_t*, /* acceptor_name */
+ OM_uint32*, /* lifetime_rec */
+ gss_OID*, /* mech_type */
+ OM_uint32*, /* ret_flags */
+ int*, /* locally_initiated */
+ int* /* open */
+);
/* New V2 entry points */
OM_uint32 krb5_gss_get_mic
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t /* message_token */
+);
OM_uint32 krb5_gss_verify_mic
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* message_token */
- gss_qop_t * /* qop_state */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* message_token */
+ gss_qop_t * /* qop_state */
+);
OM_uint32 krb5_gss_wrap
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int *, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int *, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+);
OM_uint32 krb5_gss_unwrap
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int *, /* conf_state */
- gss_qop_t * /* qop_state */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int *, /* conf_state */
+ gss_qop_t * /* qop_state */
+);
OM_uint32 krb5_gss_wrap_size_limit
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- OM_uint32, /* req_output_size */
- OM_uint32 * /* max_input_size */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ OM_uint32, /* req_output_size */
+ OM_uint32 * /* max_input_size */
+);
OM_uint32 krb5_gss_import_name_object
-(OM_uint32 *, /* minor_status */
- void *, /* input_name */
- gss_OID, /* input_name_type */
- gss_name_t * /* output_name */
- );
+(OM_uint32 *, /* minor_status */
+ void *, /* input_name */
+ gss_OID, /* input_name_type */
+ gss_name_t * /* output_name */
+);
OM_uint32 krb5_gss_export_name_object
-(OM_uint32 *, /* minor_status */
- gss_name_t, /* input_name */
- gss_OID, /* desired_name_type */
- void * * /* output_name */
- );
+(OM_uint32 *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_OID, /* desired_name_type */
+ void * * /* output_name */
+);
OM_uint32 krb5_gss_add_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* input_cred_handle */
- gss_name_t, /* desired_name */
- gss_OID, /* desired_mech */
- gss_cred_usage_t, /* cred_usage */
- OM_uint32, /* initiator_time_req */
- OM_uint32, /* acceptor_time_req */
- gss_cred_id_t *, /* output_cred_handle */
- gss_OID_set *, /* actual_mechs */
- OM_uint32 *, /* initiator_time_rec */
- OM_uint32 * /* acceptor_time_rec */
- );
+(OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* input_cred_handle */
+ gss_name_t, /* desired_name */
+ gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *, /* initiator_time_rec */
+ OM_uint32 * /* acceptor_time_rec */
+);
OM_uint32 krb5_gss_inquire_cred_by_mech
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_OID, /* mech_type */
- gss_name_t *, /* name */
- OM_uint32 *, /* initiator_lifetime */
- OM_uint32 *, /* acceptor_lifetime */
- gss_cred_usage_t * /* cred_usage */
- );
+(OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_OID, /* mech_type */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* initiator_lifetime */
+ OM_uint32 *, /* acceptor_lifetime */
+ gss_cred_usage_t * /* cred_usage */
+);
#ifndef LEAN_CLIENT
OM_uint32 krb5_gss_export_sec_context
-(OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_buffer_t /* interprocess_token */
- );
+(OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t /* interprocess_token */
+);
OM_uint32 krb5_gss_import_sec_context
-(OM_uint32 *, /* minor_status */
- gss_buffer_t, /* interprocess_token */
- gss_ctx_id_t * /* context_handle */
- );
+(OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* interprocess_token */
+ gss_ctx_id_t * /* context_handle */
+);
#endif /* LEAN_CLIENT */
krb5_error_code krb5_gss_ser_init(krb5_context);
OM_uint32 krb5_gss_release_oid
-(OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
+(OM_uint32 *, /* minor_status */
+ gss_OID * /* oid */
+);
OM_uint32 krb5_gss_internal_release_oid
-(OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
+(OM_uint32 *, /* minor_status */
+ gss_OID * /* oid */
+);
OM_uint32 krb5_gss_inquire_names_for_mech
-(OM_uint32 *, /* minor_status */
- gss_OID, /* mechanism */
- gss_OID_set * /* name_types */
- );
+(OM_uint32 *, /* minor_status */
+ gss_OID, /* mechanism */
+ gss_OID_set * /* name_types */
+);
OM_uint32 krb5_gss_canonicalize_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- const gss_OID, /* mech_type */
- gss_name_t * /* output_name */
- );
-
+(OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ const gss_OID, /* mech_type */
+ gss_name_t * /* output_name */
+);
+
OM_uint32 krb5_gss_export_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_buffer_t /* exported_name */
- );
+(OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_buffer_t /* exported_name */
+);
OM_uint32 krb5_gss_duplicate_name
-(OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_name_t * /* dest_name */
- );
+(OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_name_t * /* dest_name */
+);
OM_uint32 krb5_gss_validate_cred
-(OM_uint32 *, /* minor_status */
- gss_cred_id_t /* cred */
- );
+(OM_uint32 *, /* minor_status */
+ gss_cred_id_t /* cred */
+);
OM_uint32
krb5_gss_validate_cred_1(OM_uint32 * /* minor_status */,
- gss_cred_id_t /* cred_handle */,
- krb5_context /* context */);
+ gss_cred_id_t /* cred_handle */,
+ krb5_context /* context */);
gss_OID krb5_gss_convert_static_mech_oid(gss_OID oid);
-
+
krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context,
- krb5_gss_ctx_id_rec *,
- const gss_buffer_desc *,
- gss_buffer_t,
- int, int);
+ krb5_gss_ctx_id_rec *,
+ const gss_buffer_desc *,
+ gss_buffer_t,
+ int, int);
OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr,
- OM_uint32 *minor_status,
- krb5_gss_ctx_id_rec *ctx,
- unsigned char *ptr,
- unsigned int bodysize,
- gss_buffer_t message_buffer,
- int *conf_state, int *qop_state,
- int toktype);
+ OM_uint32 *minor_status,
+ krb5_gss_ctx_id_rec *ctx,
+ unsigned char *ptr,
+ unsigned int bodysize,
+ gss_buffer_t message_buffer,
+ int *conf_state, int *qop_state,
+ int toktype);
/*
* These take unglued krb5-mech-specific contexts.
*/
-OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags
- (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- krb5_flags *ticket_flags);
+OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags
+(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ krb5_flags *ticket_flags);
OM_uint32 KRB5_CALLCONV gss_krb5int_copy_ccache
- (OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- krb5_ccache out_ccache);
+(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ krb5_ccache out_ccache);
OM_uint32 KRB5_CALLCONV
-gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
- gss_cred_id_t cred,
- OM_uint32 num_ktypes,
- krb5_enctype *ktypes);
+gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ OM_uint32 num_ktypes,
+ krb5_enctype *ktypes);
OM_uint32 KRB5_CALLCONV
gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- OM_uint32 version,
- void **kctx);
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx);
extern k5_mutex_t kg_kdc_flag_mutex;
__attribute__((__format__(__printf__, 2, 3)))
#endif
;
-extern void
-krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx);
+ extern void
+ krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx);
#define get_error_message krb5_gss_get_error_message
#define save_error_string krb5_gss_save_error_string
#define save_error_message krb5_gss_save_error_message
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
/*
* The OID of the draft krb5 mechanism, assigned by IETF, is:
- * iso(1) org(3) dod(5) internet(1) security(5)
- * kerberosv5(2) = 1.3.5.1.5.2
+ * iso(1) org(3) dod(5) internet(1) security(5)
+ * kerberosv5(2) = 1.3.5.1.5.2
* The OID of the krb5_name type is:
- * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
- * krb5(2) krb5_name(1) = 1.2.840.113554.1.2.2.1
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_name(1) = 1.2.840.113554.1.2.2.1
* The OID of the krb5_principal type is:
- * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
- * krb5(2) krb5_principal(2) = 1.2.840.113554.1.2.2.2
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_principal(2) = 1.2.840.113554.1.2.2.2
* The OID of the proposed standard krb5 mechanism is:
- * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
- * krb5(2) = 1.2.840.113554.1.2.2
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) = 1.2.840.113554.1.2.2
* The OID of the proposed standard krb5 v2 mechanism is:
- * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
- * krb5v2(3) = 1.2.840.113554.1.2.3
- *
+ * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ * krb5v2(3) = 1.2.840.113554.1.2.3
+ *
*/
/*
*/
const gss_OID_desc krb5_gss_oid_array[] = {
- /* this is the official, rfc-specified OID */
- {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID},
- /* this pre-RFC mech OID */
- {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID},
- /* this is the unofficial, incorrect mech OID emitted by MS */
- {GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID},
- /* this is the v2 assigned OID */
- {9, "\052\206\110\206\367\022\001\002\003"},
- /* these two are name type OID's */
+ /* this is the official, rfc-specified OID */
+ {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID},
+ /* this pre-RFC mech OID */
+ {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID},
+ /* this is the unofficial, incorrect mech OID emitted by MS */
+ {GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID},
+ /* this is the v2 assigned OID */
+ {9, "\052\206\110\206\367\022\001\002\003"},
+ /* these two are name type OID's */
/* 2.1.1. Kerberos Principal Name Form: (rfc 1964)
* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* krb5(2) krb5_name(1)}. The recommended symbolic name for this type
* is "GSS_KRB5_NT_PRINCIPAL_NAME". */
- {10, "\052\206\110\206\367\022\001\002\002\001"},
+ {10, "\052\206\110\206\367\022\001\002\002\001"},
- /* gss_nt_krb5_principal. Object identifier for a krb5_principal. Do not use. */
- {10, "\052\206\110\206\367\022\001\002\002\002"},
- { 0, 0 }
+ /* gss_nt_krb5_principal. Object identifier for a krb5_principal. Do not use. */
+ {10, "\052\206\110\206\367\022\001\002\002\002"},
+ { 0, 0 }
};
const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0;
const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+4;
static const gss_OID_set_desc oidsets[] = {
- {1, (gss_OID) krb5_gss_oid_array+0},
- {1, (gss_OID) krb5_gss_oid_array+1},
- {3, (gss_OID) krb5_gss_oid_array+0},
- {1, (gss_OID) krb5_gss_oid_array+2},
- {3, (gss_OID) krb5_gss_oid_array+0},
+ {1, (gss_OID) krb5_gss_oid_array+0},
+ {1, (gss_OID) krb5_gss_oid_array+1},
+ {3, (gss_OID) krb5_gss_oid_array+0},
+ {1, (gss_OID) krb5_gss_oid_array+2},
+ {3, (gss_OID) krb5_gss_oid_array+0},
};
const gss_OID_set_desc * const gss_mech_set_krb5 = oidsets+0;
*/
OM_uint32
kg_get_defcred(minor_status, cred)
- OM_uint32 *minor_status;
- gss_cred_id_t *cred;
+ OM_uint32 *minor_status;
+ gss_cred_id_t *cred;
{
OM_uint32 major;
-
- if ((major = krb5_gss_acquire_cred(minor_status,
- (gss_name_t) NULL, GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET, GSS_C_INITIATE,
- cred, NULL, NULL)) && GSS_ERROR(major)) {
- return(major);
- }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+
+ if ((major = krb5_gss_acquire_cred(minor_status,
+ (gss_name_t) NULL, GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET, GSS_C_INITIATE,
+ cred, NULL, NULL)) && GSS_ERROR(major)) {
+ return(major);
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
OM_uint32
kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status)
{
OM_uint32 err = 0;
-
- /*
+
+ /*
* Sync up the context ccache name with the GSSAPI ccache name.
- * If kg_ccache_name is NULL -- normal unless someone has called
- * gss_krb5_ccache_name() -- then the system default ccache will
+ * If kg_ccache_name is NULL -- normal unless someone has called
+ * gss_krb5_ccache_name() -- then the system default ccache will
* be picked up and used by resetting the context default ccache.
* This is needed for platforms which support multiple ccaches.
*/
-
+
if (!err) {
/* if NULL, resets the context default ccache */
err = krb5_cc_set_default_name(context,
- (char *) k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME));
+ (char *) k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME));
}
-
+
*minor_status = err;
return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
/* This function returns whether or not the caller set a cccache name. Used by
- * gss_acquire_cred to figure out if the caller wants to only look at this
+ * gss_acquire_cred to figure out if the caller wants to only look at this
* ccache or search the cache collection for the desired name */
OM_uint32
-kg_caller_provided_ccache_name (OM_uint32 *minor_status,
-int *out_caller_provided_name)
+kg_caller_provided_ccache_name (OM_uint32 *minor_status,
+ int *out_caller_provided_name)
{
if (out_caller_provided_name) {
- *out_caller_provided_name =
- (k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME) != NULL);
+ *out_caller_provided_name =
+ (k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME) != NULL);
}
*minor_status = 0;
char *kg_ccache_name;
kg_ccache_name = k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME);
-
+
if (kg_ccache_name != NULL) {
- name = strdup(kg_ccache_name);
- if (name == NULL)
- err = ENOMEM;
+ name = strdup(kg_ccache_name);
+ if (name == NULL)
+ err = ENOMEM;
} else {
- krb5_context context = NULL;
-
- /* Reset the context default ccache (see text above), and then
- retrieve it. */
- err = krb5_gss_init_context(&context);
- if (!err)
- err = krb5_cc_set_default_name (context, NULL);
- if (!err) {
- name = krb5_cc_default_name(context);
- if (name) {
- name = strdup(name);
- if (name == NULL)
- err = ENOMEM;
- }
- }
- if (err && context)
- save_error_info(err, context);
- if (context)
- krb5_free_context(context);
+ krb5_context context = NULL;
+
+ /* Reset the context default ccache (see text above), and then
+ retrieve it. */
+ err = krb5_gss_init_context(&context);
+ if (!err)
+ err = krb5_cc_set_default_name (context, NULL);
+ if (!err) {
+ name = krb5_cc_default_name(context);
+ if (name) {
+ name = strdup(name);
+ if (name == NULL)
+ err = ENOMEM;
+ }
+ }
+ if (err && context)
+ save_error_info(err, context);
+ if (context)
+ krb5_free_context(context);
}
if (!err) {
*out_name = name;
}
}
-
+
*minor_status = err;
return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
krb5_error_code kerr;
if (name) {
- new_name = malloc(strlen(name) + 1);
- if (new_name == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- strcpy(new_name, name);
+ new_name = malloc(strlen(name) + 1);
+ if (new_name == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ strcpy(new_name, name);
}
kg_ccache_name = k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME);
new_name = swap;
kerr = k5_setspecific(K5_KEY_GSS_KRB5_CCACHE_NAME, kg_ccache_name);
if (kerr != 0) {
- /* Can't store, so free up the storage. */
- free(kg_ccache_name);
- /* ??? free(new_name); */
- *minor_status = kerr;
- return GSS_S_FAILURE;
+ /* Can't store, so free up the storage. */
+ free(kg_ccache_name);
+ /* ??? free(new_name); */
+ *minor_status = kerr;
+ return GSS_S_FAILURE;
}
free (new_name);
-/* -*- c -*-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
+/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
* "GSS_C_NT_HOSTBASED_SERVICE". */
/* 2.2.1. User Name Form */
-#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
+#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) user_name(1)}. The recommended symbolic name for this
/* This name form shall be represented by the Object Identifier {iso(1)
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* generic(1) string_uid_name(3)}. The recommended symbolic name for
- * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
+ * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
-#define gss_krb5_nt_general_name gss_nt_krb5_name
-#define gss_krb5_nt_principal gss_nt_krb5_principal
-#define gss_krb5_nt_service_name gss_nt_service_name
-#define gss_krb5_nt_user_name gss_nt_user_name
-#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name
-#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name
+#define gss_krb5_nt_general_name gss_nt_krb5_name
+#define gss_krb5_nt_principal gss_nt_krb5_principal
+#define gss_krb5_nt_service_name gss_nt_service_name
+#define gss_krb5_nt_user_name gss_nt_user_name
+#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name
+#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name
#if defined(_WIN32)
typedef struct gss_krb5_lucid_key {
- OM_uint32 type; /* key encryption type */
- OM_uint32 length; /* length of key data */
- void * data; /* actual key data */
+ OM_uint32 type; /* key encryption type */
+ OM_uint32 length; /* length of key data */
+ void * data; /* actual key data */
} gss_krb5_lucid_key_t;
typedef struct gss_krb5_rfc1964_keydata {
- OM_uint32 sign_alg; /* signing algorthm */
- OM_uint32 seal_alg; /* seal/encrypt algorthm */
- gss_krb5_lucid_key_t ctx_key;
- /* Context key
- (Kerberos session key or subkey) */
+ OM_uint32 sign_alg; /* signing algorthm */
+ OM_uint32 seal_alg; /* seal/encrypt algorthm */
+ gss_krb5_lucid_key_t ctx_key;
+ /* Context key
+ (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;
typedef struct gss_krb5_cfx_keydata {
- OM_uint32 have_acceptor_subkey;
- /* 1 if there is an acceptor_subkey
- present, 0 otherwise */
- gss_krb5_lucid_key_t ctx_key;
- /* Context key
- (Kerberos session key or subkey) */
- gss_krb5_lucid_key_t acceptor_subkey;
- /* acceptor-asserted subkey or
- 0's if no acceptor subkey */
+ OM_uint32 have_acceptor_subkey;
+ /* 1 if there is an acceptor_subkey
+ present, 0 otherwise */
+ gss_krb5_lucid_key_t ctx_key;
+ /* Context key
+ (Kerberos session key or subkey) */
+ gss_krb5_lucid_key_t acceptor_subkey;
+ /* acceptor-asserted subkey or
+ 0's if no acceptor subkey */
} gss_krb5_cfx_keydata_t;
typedef struct gss_krb5_lucid_context_v1 {
- OM_uint32 version; /* Structure version number (1)
- MUST be at beginning of struct! */
- OM_uint32 initiate; /* Are we the initiator? */
- OM_uint32 endtime; /* expiration time of context */
- gss_uint64 send_seq; /* sender sequence number */
- gss_uint64 recv_seq; /* receive sequence number */
- OM_uint32 protocol; /* 0: rfc1964,
- 1: draft-ietf-krb-wg-gssapi-cfx-07 */
- /*
- * if (protocol == 0) rfc1964_kd should be used
- * and cfx_kd contents are invalid and should be zero
- * if (protocol == 1) cfx_kd should be used
- * and rfc1964_kd contents are invalid and should be zero
- */
- gss_krb5_rfc1964_keydata_t rfc1964_kd;
- gss_krb5_cfx_keydata_t cfx_kd;
+ OM_uint32 version; /* Structure version number (1)
+ MUST be at beginning of struct! */
+ OM_uint32 initiate; /* Are we the initiator? */
+ OM_uint32 endtime; /* expiration time of context */
+ gss_uint64 send_seq; /* sender sequence number */
+ gss_uint64 recv_seq; /* receive sequence number */
+ OM_uint32 protocol; /* 0: rfc1964,
+ 1: draft-ietf-krb-wg-gssapi-cfx-07 */
+ /*
+ * if (protocol == 0) rfc1964_kd should be used
+ * and cfx_kd contents are invalid and should be zero
+ * if (protocol == 1) cfx_kd should be used
+ * and rfc1964_kd contents are invalid and should be zero
+ */
+ gss_krb5_rfc1964_keydata_t rfc1964_kd;
+ gss_krb5_cfx_keydata_t cfx_kd;
} gss_krb5_lucid_context_v1_t;
/*
* See example below for usage.
*/
typedef struct gss_krb5_lucid_context_version {
- OM_uint32 version; /* Structure version number */
+ OM_uint32 version; /* Structure version number */
} gss_krb5_lucid_context_version_t;
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
-OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags
- (OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- krb5_flags *ticket_flags);
+OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ krb5_flags *ticket_flags);
-OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache
- (OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- krb5_ccache out_ccache);
+OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ krb5_ccache out_ccache);
-OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name
- (OM_uint32 *minor_status, const char *name,
- const char **out_name);
+OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(
+ OM_uint32 *minor_status, const char *name,
+ const char **out_name);
/*
* gss_krb5_set_allowable_enctypes
*
*/
OM_uint32 KRB5_CALLCONV
-gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
- gss_cred_id_t cred,
- OM_uint32 num_ktypes,
- krb5_enctype *ktypes);
+gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ OM_uint32 num_ktypes,
+ krb5_enctype *ktypes);
/*
* Returns a non-opaque (lucid) version of the internal context
- * information.
+ * information.
*
* Note that context_handle must not be used again by the caller
* after this call. The GSS implementation is free to release any
* GSS implementation whether it returns pointers to existing data,
* or copies of the data. The caller should treat the returned
* lucid context as read-only.
- *
+ *
* The caller must call gss_krb5_free_lucid_context() to free
* the context and allocated resources when it is finished with it.
*
* (XXX Need error definition(s))
*
* For example:
- * void *return_ctx;
- * gss_krb5_lucid_context_v1_t *ctx;
- * OM_uint32 min_stat, maj_stat;
- * OM_uint32 vers;
- * gss_ctx_id_t *ctx_handle;
+ * void *return_ctx;
+ * gss_krb5_lucid_context_v1_t *ctx;
+ * OM_uint32 min_stat, maj_stat;
+ * OM_uint32 vers;
+ * gss_ctx_id_t *ctx_handle;
*
- * maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
- * ctx_handle, 1, &return_ctx);
- * // Verify success
+ * maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
+ * ctx_handle, 1, &return_ctx);
+ * // Verify success
*
- * vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
- * switch (vers) {
- * case 1:
- * ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
- * break;
- * default:
- * // Error, unknown version returned
- * break;
- * }
+ * vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
+ * switch (vers) {
+ * case 1:
+ * ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
+ * break;
+ * default:
+ * // Error, unknown version returned
+ * break;
+ * }
*
*/
OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- OM_uint32 version,
- void **kctx);
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx);
/*
* Frees the allocated storage associated with an
*/
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
- void *kctx);
+ void *kctx);
#ifdef __cplusplus
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/*
* errors:
- * GSS_S_BAD_NAMETYPE if the type is bogus
- * GSS_S_BAD_NAME if the type is good but the name is bogus
- * GSS_S_FAILURE if memory allocation fails
+ * GSS_S_BAD_NAMETYPE if the type is bogus
+ * GSS_S_BAD_NAME if the type is good but the name is bogus
+ * GSS_S_FAILURE if memory allocation fails
*/
OM_uint32
-krb5_gss_import_name(minor_status, input_name_buffer,
- input_name_type, output_name)
- OM_uint32 *minor_status;
- gss_buffer_t input_name_buffer;
- gss_OID input_name_type;
- gss_name_t *output_name;
+krb5_gss_import_name(minor_status, input_name_buffer,
+ input_name_type, output_name)
+ OM_uint32 *minor_status;
+ gss_buffer_t input_name_buffer;
+ gss_OID input_name_type;
+ gss_name_t *output_name;
{
- krb5_context context;
- krb5_principal princ;
- krb5_error_code code;
- char *stringrep, *tmp, *tmp2, *cp;
- OM_uint32 length;
+ krb5_context context;
+ krb5_principal princ;
+ krb5_error_code code;
+ char *stringrep, *tmp, *tmp2, *cp;
+ OM_uint32 length;
#ifndef NO_PASSWORD
- struct passwd *pw;
+ struct passwd *pw;
#endif
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- /* set up default returns */
-
- *output_name = NULL;
- *minor_status = 0;
-
- /* Go find the appropriate string rep to pass into parse_name */
-
- if ((input_name_type != GSS_C_NULL_OID) &&
- (g_OID_equal(input_name_type, gss_nt_service_name) ||
- g_OID_equal(input_name_type, gss_nt_service_name_v2))) {
- char *service, *host;
-
- if ((tmp =
- (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
-
- memcpy(tmp, input_name_buffer->value, input_name_buffer->length);
- tmp[input_name_buffer->length] = 0;
-
- service = tmp;
- if ((host = strchr(tmp, '@'))) {
- *host = '\0';
- host++;
- }
-
- code = krb5_sname_to_principal(context, host, service, KRB5_NT_SRV_HST,
- &princ);
-
- xfree(tmp);
- } else if ((input_name_type != GSS_C_NULL_OID) &&
- (g_OID_equal(input_name_type, gss_nt_krb5_principal))) {
- krb5_principal input;
-
- if (input_name_buffer->length != sizeof(krb5_principal)) {
- *minor_status = (OM_uint32) G_WRONG_SIZE;
- krb5_free_context(context);
- return(GSS_S_BAD_NAME);
- }
-
- input = *((krb5_principal *) input_name_buffer->value);
-
- if ((code = krb5_copy_principal(context, input, &princ))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- } else {
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ /* set up default returns */
+
+ *output_name = NULL;
+ *minor_status = 0;
+
+ /* Go find the appropriate string rep to pass into parse_name */
+
+ if ((input_name_type != GSS_C_NULL_OID) &&
+ (g_OID_equal(input_name_type, gss_nt_service_name) ||
+ g_OID_equal(input_name_type, gss_nt_service_name_v2))) {
+ char *service, *host;
+
+ if ((tmp =
+ (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+
+ memcpy(tmp, input_name_buffer->value, input_name_buffer->length);
+ tmp[input_name_buffer->length] = 0;
+
+ service = tmp;
+ if ((host = strchr(tmp, '@'))) {
+ *host = '\0';
+ host++;
+ }
+
+ code = krb5_sname_to_principal(context, host, service, KRB5_NT_SRV_HST,
+ &princ);
+
+ xfree(tmp);
+ } else if ((input_name_type != GSS_C_NULL_OID) &&
+ (g_OID_equal(input_name_type, gss_nt_krb5_principal))) {
+ krb5_principal input;
+
+ if (input_name_buffer->length != sizeof(krb5_principal)) {
+ *minor_status = (OM_uint32) G_WRONG_SIZE;
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAME);
+ }
+
+ input = *((krb5_principal *) input_name_buffer->value);
+
+ if ((code = krb5_copy_principal(context, input, &princ))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ } else {
#ifndef NO_PASSWORD
- uid_t uid;
- struct passwd pwx;
- char pwbuf[BUFSIZ];
+ uid_t uid;
+ struct passwd pwx;
+ char pwbuf[BUFSIZ];
#endif
- stringrep = NULL;
+ stringrep = NULL;
- if ((tmp =
- (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- tmp2 = 0;
+ if ((tmp =
+ (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ tmp2 = 0;
- memcpy(tmp, input_name_buffer->value, input_name_buffer->length);
- tmp[input_name_buffer->length] = 0;
+ memcpy(tmp, input_name_buffer->value, input_name_buffer->length);
+ tmp[input_name_buffer->length] = 0;
- if ((input_name_type == GSS_C_NULL_OID) ||
- g_OID_equal(input_name_type, gss_nt_krb5_name) ||
- g_OID_equal(input_name_type, gss_nt_user_name)) {
- stringrep = (char *) tmp;
+ if ((input_name_type == GSS_C_NULL_OID) ||
+ g_OID_equal(input_name_type, gss_nt_krb5_name) ||
+ g_OID_equal(input_name_type, gss_nt_user_name)) {
+ stringrep = (char *) tmp;
#ifndef NO_PASSWORD
- } else if (g_OID_equal(input_name_type, gss_nt_machine_uid_name)) {
- uid = *(uid_t *) input_name_buffer->value;
- do_getpwuid:
- if (k5_getpwuid_r(uid, &pwx, pwbuf, sizeof(pwbuf), &pw) == 0)
- stringrep = pw->pw_name;
- else
- *minor_status = (OM_uint32) G_NOUSER;
- } else if (g_OID_equal(input_name_type, gss_nt_string_uid_name)) {
- uid = atoi(tmp);
- goto do_getpwuid;
+ } else if (g_OID_equal(input_name_type, gss_nt_machine_uid_name)) {
+ uid = *(uid_t *) input_name_buffer->value;
+ do_getpwuid:
+ if (k5_getpwuid_r(uid, &pwx, pwbuf, sizeof(pwbuf), &pw) == 0)
+ stringrep = pw->pw_name;
+ else
+ *minor_status = (OM_uint32) G_NOUSER;
+ } else if (g_OID_equal(input_name_type, gss_nt_string_uid_name)) {
+ uid = atoi(tmp);
+ goto do_getpwuid;
#endif
- } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
- cp = tmp;
- if (*cp++ != 0x04)
- goto fail_name;
- if (*cp++ != 0x01)
- goto fail_name;
- if (*cp++ != 0x00)
- goto fail_name;
- length = *cp++;
- if (length != gss_mech_krb5->length+2)
- goto fail_name;
- if (*cp++ != 0x06)
- goto fail_name;
- length = *cp++;
- if (length != gss_mech_krb5->length)
- goto fail_name;
- if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
- goto fail_name;
- cp += length;
- length = *cp++;
- length = (length << 8) | *cp++;
- length = (length << 8) | *cp++;
- length = (length << 8) | *cp++;
- tmp2 = malloc(length+1);
- if (tmp2 == NULL) {
- xfree(tmp);
- *minor_status = ENOMEM;
- krb5_free_context(context);
- return GSS_S_FAILURE;
- }
- strncpy(tmp2, cp, length);
- tmp2[length] = 0;
-
- stringrep = tmp2;
- } else {
- xfree(tmp);
- krb5_free_context(context);
- return(GSS_S_BAD_NAMETYPE);
- }
-
- /* at this point, stringrep is set, or if not, *minor_status is. */
-
- if (stringrep)
- code = krb5_parse_name(context, (char *) stringrep, &princ);
- else {
- fail_name:
- xfree(tmp);
- if (tmp2)
- xfree(tmp2);
- krb5_free_context(context);
- return(GSS_S_BAD_NAME);
- }
-
- if (tmp2)
- xfree(tmp2);
- xfree(tmp);
- }
-
- /* at this point, a krb5 function has been called to set princ. code
- contains the return status */
-
- if (code) {
- *minor_status = (OM_uint32) code;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(GSS_S_BAD_NAME);
- }
-
- /* save the name in the validation database */
-
- if (! kg_save_name((gss_name_t) princ)) {
- krb5_free_principal(context, princ);
- krb5_free_context(context);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
-
- krb5_free_context(context);
-
- /* return it */
-
- *output_name = (gss_name_t) princ;
- return(GSS_S_COMPLETE);
+ } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
+ cp = tmp;
+ if (*cp++ != 0x04)
+ goto fail_name;
+ if (*cp++ != 0x01)
+ goto fail_name;
+ if (*cp++ != 0x00)
+ goto fail_name;
+ length = *cp++;
+ if (length != gss_mech_krb5->length+2)
+ goto fail_name;
+ if (*cp++ != 0x06)
+ goto fail_name;
+ length = *cp++;
+ if (length != gss_mech_krb5->length)
+ goto fail_name;
+ if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
+ goto fail_name;
+ cp += length;
+ length = *cp++;
+ length = (length << 8) | *cp++;
+ length = (length << 8) | *cp++;
+ length = (length << 8) | *cp++;
+ tmp2 = malloc(length+1);
+ if (tmp2 == NULL) {
+ xfree(tmp);
+ *minor_status = ENOMEM;
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
+ }
+ strncpy(tmp2, cp, length);
+ tmp2[length] = 0;
+
+ stringrep = tmp2;
+ } else {
+ xfree(tmp);
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAMETYPE);
+ }
+
+ /* at this point, stringrep is set, or if not, *minor_status is. */
+
+ if (stringrep)
+ code = krb5_parse_name(context, (char *) stringrep, &princ);
+ else {
+ fail_name:
+ xfree(tmp);
+ if (tmp2)
+ xfree(tmp2);
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAME);
+ }
+
+ if (tmp2)
+ xfree(tmp2);
+ xfree(tmp);
+ }
+
+ /* at this point, a krb5 function has been called to set princ. code
+ contains the return status */
+
+ if (code) {
+ *minor_status = (OM_uint32) code;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(GSS_S_BAD_NAME);
+ }
+
+ /* save the name in the validation database */
+
+ if (! kg_save_name((gss_name_t) princ)) {
+ krb5_free_principal(context, princ);
+ krb5_free_context(context);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
+
+ krb5_free_context(context);
+
+ /* return it */
+
+ *output_name = (gss_name_t) princ;
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/import_sec_context.c
*
*/
/*
- * import_sec_context.c - Internalize the security context.
+ * import_sec_context.c - Internalize the security context.
*/
#include "gssapiP_krb5.h"
/* for serialization initialization functions */
* the OID if possible.
*/
gss_OID krb5_gss_convert_static_mech_oid(oid)
- gss_OID oid;
+ gss_OID oid;
{
- const gss_OID_desc *p;
- OM_uint32 minor_status;
-
- for (p = krb5_gss_oid_array; p->length; p++) {
- if ((oid->length == p->length) &&
- (memcmp(oid->elements, p->elements, p->length) == 0)) {
- gss_release_oid(&minor_status, &oid);
- return (gss_OID) p;
- }
- }
- return oid;
+ const gss_OID_desc *p;
+ OM_uint32 minor_status;
+
+ for (p = krb5_gss_oid_array; p->length; p++) {
+ if ((oid->length == p->length) &&
+ (memcmp(oid->elements, p->elements, p->length) == 0)) {
+ gss_release_oid(&minor_status, &oid);
+ return (gss_OID) p;
+ }
+ }
+ return oid;
}
krb5_error_code
{
krb5_error_code code;
static krb5_error_code (KRB5_CALLCONV *const fns[])(krb5_context) = {
- krb5_ser_context_init, krb5_ser_auth_context_init,
- krb5_ser_ccache_init, krb5_ser_rcache_init, krb5_ser_keytab_init,
+ krb5_ser_context_init, krb5_ser_auth_context_init,
+ krb5_ser_ccache_init, krb5_ser_rcache_init, krb5_ser_keytab_init,
};
unsigned int i;
for (i = 0; i < sizeof(fns)/sizeof(fns[0]); i++)
- if ((code = (fns[i])(context)) != 0)
- return code;
+ if ((code = (fns[i])(context)) != 0)
+ return code;
return 0;
}
OM_uint32
krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle)
- OM_uint32 *minor_status;
- gss_buffer_t interprocess_token;
- gss_ctx_id_t *context_handle;
+ OM_uint32 *minor_status;
+ gss_buffer_t interprocess_token;
+ gss_ctx_id_t *context_handle;
{
- krb5_context context;
- krb5_error_code kret = 0;
- size_t blen;
- krb5_gss_ctx_id_t ctx;
- krb5_octet *ibp;
+ krb5_context context;
+ krb5_error_code kret = 0;
+ size_t blen;
+ krb5_gss_ctx_id_t ctx;
+ krb5_octet *ibp;
/* This is a bit screwy. We create a krb5 context because we need
one when calling the serialization code. However, one of the
we can throw this one away. */
kret = krb5_gss_init_context(&context);
if (kret) {
- *minor_status = kret;
- return GSS_S_FAILURE;
+ *minor_status = kret;
+ return GSS_S_FAILURE;
}
kret = krb5_gss_ser_init(context);
if (kret) {
- *minor_status = kret;
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return GSS_S_FAILURE;
+ *minor_status = kret;
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
}
/* Assume a tragic failure */
kret = kg_ctx_internalize(context, (krb5_pointer *) &ctx, &ibp, &blen);
krb5_free_context(context);
if (kret) {
- *minor_status = (OM_uint32) kret;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
+ *minor_status = (OM_uint32) kret;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
}
/* intern the context handle */
if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
- (void)krb5_gss_delete_sec_context(minor_status,
- (gss_ctx_id_t *) &ctx, NULL);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
+ (void)krb5_gss_delete_sec_context(minor_status,
+ (gss_ctx_id_t *) &ctx, NULL);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
}
ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
-
+
*context_handle = (gss_ctx_id_t) ctx;
*minor_status = 0;
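Review bot: The failure branch after kg_ctx_internalize uses `context` after it has been freed: `krb5_free_context(context);` runs unconditionally on the line following the call, and the `if (kret)` branch then hands that freed handle to `save_error_info(*minor_status, context);`. Moving the free below the error check fixes it — keep `save_error_info(*minor_status, context);` in the branch, add `krb5_free_context(context);` just before its `return(GSS_S_FAILURE);`, and put the unconditional `krb5_free_context(context);` after the branch's closing brace. krb5_gss_import_sec_context's final return lies outside the shown lines.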
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
OM_uint32
krb5_gss_indicate_mechs(minor_status, mech_set)
- OM_uint32 *minor_status;
- gss_OID_set *mech_set;
+ OM_uint32 *minor_status;
+ gss_OID_set *mech_set;
{
- *minor_status = 0;
+ *minor_status = 0;
- if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
- *mech_set = GSS_C_NO_OID_SET;
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
+ if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
+ *mech_set = GSS_C_NO_OID_SET;
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
- return(GSS_S_COMPLETE);
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000,2002, 2003, 2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
* ccache.
*/
static krb5_error_code get_credentials(context, cred, server, now,
- endtime, out_creds)
+ endtime, out_creds)
krb5_context context;
krb5_gss_cred_id_t cred;
krb5_principal server;
krb5_timestamp endtime;
krb5_creds **out_creds;
{
- krb5_error_code code;
- krb5_creds in_creds;
+ krb5_error_code code;
+ krb5_creds in_creds;
k5_mutex_assert_locked(&cred->lock);
memset((char *) &in_creds, 0, sizeof(krb5_creds));
if ((code = krb5_copy_principal(context, cred->princ, &in_creds.client)))
- goto cleanup;
+ goto cleanup;
if ((code = krb5_copy_principal(context, server, &in_creds.server)))
- goto cleanup;
+ goto cleanup;
in_creds.times.endtime = endtime;
in_creds.keyblock.enctype = 0;
code = krb5_get_credentials(context, 0, cred->ccache,
- &in_creds, out_creds);
+ &in_creds, out_creds);
if (code)
- goto cleanup;
+ goto cleanup;
/*
* Enforce a stricter limit (without timeskew forgiveness at the
* non-forgiving.
*/
if (!krb5_gss_dbg_client_expcreds && *out_creds != NULL &&
- (*out_creds)->times.endtime < now) {
- code = KRB5KRB_AP_ERR_TKT_EXPIRED;
- goto cleanup;
+ (*out_creds)->times.endtime < now) {
+ code = KRB5KRB_AP_ERR_TKT_EXPIRED;
+ goto cleanup;
}
-
+
cleanup:
if (in_creds.client)
- krb5_free_principal(context, in_creds.client);
+ krb5_free_principal(context, in_creds.client);
if (in_creds.server)
- krb5_free_principal(context, in_creds.server);
+ krb5_free_principal(context, in_creds.server);
return code;
}
struct gss_checksum_data {
#endif
static krb5_error_code KRB5_CALLCONV
make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
- void *cksum_data, krb5_data **out)
+ void *cksum_data, krb5_data **out)
{
krb5_error_code code;
krb5_int32 con_flags;
/* build the checksum field */
if (data->ctx->gss_flags & GSS_C_DELEG_FLAG) {
- /* first get KRB_CRED message, so we know its length */
+ /* first get KRB_CRED message, so we know its length */
- /* clear the time check flag that was set in krb5_auth_con_init() */
- krb5_auth_con_getflags(context, auth_context, &con_flags);
- krb5_auth_con_setflags(context, auth_context,
- con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
+ /* clear the time check flag that was set in krb5_auth_con_init() */
+ krb5_auth_con_getflags(context, auth_context, &con_flags);
+ krb5_auth_con_setflags(context, auth_context,
+ con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
- code = krb5_fwd_tgt_creds(context, auth_context, 0,
- data->cred->princ, data->ctx->there,
- data->cred->ccache, 1,
- &credmsg);
+ code = krb5_fwd_tgt_creds(context, auth_context, 0,
+ data->cred->princ, data->ctx->there,
+ data->cred->ccache, 1,
+ &credmsg);
- /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
- krb5_auth_con_setflags(context, auth_context, con_flags);
+ /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
+ krb5_auth_con_setflags(context, auth_context, con_flags);
- if (code) {
- /* don't fail here; just don't accept/do the delegation
+ if (code) {
+ /* don't fail here; just don't accept/do the delegation
request */
- data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
+ data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
- data->checksum_data.length = 24;
- } else {
- if (credmsg.length+28 > KRB5_INT16_MAX) {
- krb5_free_data_contents(context, &credmsg);
- return(KRB5KRB_ERR_FIELD_TOOLONG);
- }
+ data->checksum_data.length = 24;
+ } else {
+ if (credmsg.length+28 > KRB5_INT16_MAX) {
+ krb5_free_data_contents(context, &credmsg);
+ return(KRB5KRB_ERR_FIELD_TOOLONG);
+ }
- data->checksum_data.length = 28+credmsg.length;
- }
+ data->checksum_data.length = 28+credmsg.length;
+ }
} else {
- data->checksum_data.length = 24;
+ data->checksum_data.length = 24;
}
#ifdef CFX_EXERCISE
if (data->ctx->auth_context->keyblock != NULL
- && data->ctx->auth_context->keyblock->enctype == 18) {
- srand(time(0) ^ getpid());
- /* Our ftp client code stupidly assumes a base64-encoded
- version of the token will fit in 10K, so don't make this
- too big. */
- junk = rand() & 0xff;
+ && data->ctx->auth_context->keyblock->enctype == 18) {
+ srand(time(0) ^ getpid());
+ /* Our ftp client code stupidly assumes a base64-encoded
+ version of the token will fit in 10K, so don't make this
+ too big. */
+ junk = rand() & 0xff;
} else
- junk = 0;
+ junk = 0;
#else
junk = 0;
#endif
(maybe) KRB_CRED msg */
if ((data->checksum_data.data =
- (char *) xmalloc(data->checksum_data.length)) == NULL) {
- if (credmsg.data)
- krb5_free_data_contents(context, &credmsg);
- return(ENOMEM);
+ (char *) xmalloc(data->checksum_data.length)) == NULL) {
+ if (credmsg.data)
+ krb5_free_data_contents(context, &credmsg);
+ return(ENOMEM);
}
ptr = data->checksum_data.data;
xfree(data->md5.contents);
if (credmsg.data) {
- TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0);
- TWRITE_INT16(ptr, credmsg.length, 0);
- TWRITE_STR(ptr, (unsigned char *) credmsg.data, credmsg.length);
+ TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0);
+ TWRITE_INT16(ptr, credmsg.length, 0);
+ TWRITE_STR(ptr, (unsigned char *) credmsg.data, credmsg.length);
- /* free credmsg data */
- krb5_free_data_contents(context, &credmsg);
+ /* free credmsg data */
+ krb5_free_data_contents(context, &credmsg);
}
if (junk)
- memset(ptr, 'i', junk);
+ memset(ptr, 'i', junk);
*out = &data->checksum_data;
return 0;
}
-
+
static krb5_error_code
make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token)
krb5_context context;
return(code);
krb5_auth_con_set_req_cksumtype(context, ctx->auth_context,
- CKSUMTYPE_KG_CB);
+ CKSUMTYPE_KG_CB);
cksum_struct.md5 = md5;
cksum_struct.ctx = ctx;
cksum_struct.cred = cred;
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_DES3_CBC_SHA1:
- code = make_gss_checksum(context, ctx->auth_context, &cksum_struct,
- &checksum_data);
- if (code)
- goto cleanup;
- break;
+ code = make_gss_checksum(context, ctx->auth_context, &cksum_struct,
+ &checksum_data);
+ if (code)
+ goto cleanup;
+ break;
default:
- krb5_auth_con_set_checksum_func(context, ctx->auth_context,
- make_gss_checksum, &cksum_struct);
- break;
+ krb5_auth_con_set_checksum_func(context, ctx->auth_context,
+ make_gss_checksum, &cksum_struct);
+ break;
}
mk_req_flags = AP_OPTS_USE_SUBKEY;
if (ctx->gss_flags & GSS_C_MUTUAL_FLAG)
- mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED;
+ mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED;
code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags,
- checksum_data, k_cred, &ap_req);
+ checksum_data, k_cred, &ap_req);
krb5_free_data_contents(context, &cksum_struct.checksum_data);
if (code)
- goto cleanup;
+ goto cleanup;
+
+ /* store the interesting stuff from creds and authent */
+ ctx->endtime = k_cred->times.endtime;
+ ctx->krb_flags = k_cred->ticket_flags;
- /* store the interesting stuff from creds and authent */
- ctx->endtime = k_cred->times.endtime;
- ctx->krb_flags = k_cred->ticket_flags;
+ /* build up the token */
- /* build up the token */
+ /* allocate space for the token */
+ tlen = g_token_size((gss_OID) mech_type, ap_req.length);
- /* allocate space for the token */
- tlen = g_token_size((gss_OID) mech_type, ap_req.length);
+ if ((t = (unsigned char *) xmalloc(tlen)) == NULL) {
+ code = ENOMEM;
+ goto cleanup;
+ }
- if ((t = (unsigned char *) xmalloc(tlen)) == NULL) {
- code = ENOMEM;
- goto cleanup;
- }
+ /* fill in the buffer */
- /* fill in the buffer */
+ ptr = t;
- ptr = t;
+ g_make_token_header(mech_type, ap_req.length,
+ &ptr, KG_TOK_CTX_AP_REQ);
- g_make_token_header(mech_type, ap_req.length,
- &ptr, KG_TOK_CTX_AP_REQ);
+ TWRITE_STR(ptr, (unsigned char *) ap_req.data, ap_req.length);
- TWRITE_STR(ptr, (unsigned char *) ap_req.data, ap_req.length);
+ /* pass it back */
- /* pass it back */
+ token->length = tlen;
+ token->value = (void *) t;
- token->length = tlen;
- token->value = (void *) t;
+ code = 0;
- code = 0;
-
- cleanup:
- if (checksum_data && checksum_data->data)
- krb5_free_data_contents(context, checksum_data);
- if (ap_req.data)
- krb5_free_data_contents(context, &ap_req);
+cleanup:
+ if (checksum_data && checksum_data->data)
+ krb5_free_data_contents(context, checksum_data);
+ if (ap_req.data)
+ krb5_free_data_contents(context, &ap_req);
- return (code);
+ return (code);
}
/*
*/
static OM_uint32
setup_enc(
- OM_uint32 *minor_status,
- krb5_gss_ctx_id_rec *ctx,
- krb5_context context)
+ OM_uint32 *minor_status,
+ krb5_gss_ctx_id_rec *ctx,
+ krb5_context context)
{
- krb5_error_code code;
- unsigned int i;
- krb5int_access kaccess;
-
- code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (code)
- goto fail;
-
- ctx->have_acceptor_subkey = 0;
- ctx->proto = 0;
- ctx->cksumtype = 0;
- switch(ctx->subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_CRC:
- ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->signalg = SGN_ALG_DES_MAC_MD5;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_DES;
-
- /* The encryption key is the session key XOR
- 0xf0f0f0f0f0f0f0f0. */
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
- goto fail;
-
- for (i=0; i<ctx->enc->length; i++)
- ctx->enc->contents[i] ^= 0xf0;
-
- goto copy_subkey_to_seq;
-
- case ENCTYPE_DES3_CBC_SHA1:
- /* MIT extension */
- ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
- ctx->cksum_size = 20;
- ctx->sealalg = SEAL_ALG_DES3KD;
-
- copy_subkey:
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
- if (code)
- goto fail;
- copy_subkey_to_seq:
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
- if (code) {
- krb5_free_keyblock (context, ctx->enc);
- goto fail;
- }
- break;
-
- case ENCTYPE_ARCFOUR_HMAC:
- /* Microsoft extension */
- ctx->signalg = SGN_ALG_HMAC_MD5 ;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
-
- goto copy_subkey;
-
- default:
- /* Fill some fields we shouldn't be using on this path
- with garbage. */
- ctx->signalg = -10;
- ctx->sealalg = -10;
-
- ctx->proto = 1;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
- &ctx->cksumtype);
- if (code)
- goto fail;
- code = krb5_c_checksum_length(context, ctx->cksumtype,
- &ctx->cksum_size);
- if (code)
- goto fail;
- goto copy_subkey;
- }
+ krb5_error_code code;
+ unsigned int i;
+ krb5int_access kaccess;
+
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code)
+ goto fail;
+
+ ctx->have_acceptor_subkey = 0;
+ ctx->proto = 0;
+ ctx->cksumtype = 0;
+ switch(ctx->subkey->enctype) {
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_CRC:
+ ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->signalg = SGN_ALG_DES_MAC_MD5;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_DES;
+
+ /* The encryption key is the session key XOR
+ 0xf0f0f0f0f0f0f0f0. */
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
+ goto fail;
+
+ for (i=0; i<ctx->enc->length; i++)
+ ctx->enc->contents[i] ^= 0xf0;
+
+ goto copy_subkey_to_seq;
+
+ case ENCTYPE_DES3_CBC_SHA1:
+ /* MIT extension */
+ ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
+ ctx->cksum_size = 20;
+ ctx->sealalg = SEAL_ALG_DES3KD;
+
+ copy_subkey:
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
+ if (code)
+ goto fail;
+ copy_subkey_to_seq:
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
+ if (code) {
+ krb5_free_keyblock (context, ctx->enc);
+ goto fail;
+ }
+ break;
+
+ case ENCTYPE_ARCFOUR_HMAC:
+ /* Microsoft extension */
+ ctx->signalg = SGN_ALG_HMAC_MD5 ;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
+
+ goto copy_subkey;
+
+ default:
+ /* Fill some fields we shouldn't be using on this path
+ with garbage. */
+ ctx->signalg = -10;
+ ctx->sealalg = -10;
+
+ ctx->proto = 1;
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
+ &ctx->cksumtype);
+ if (code)
+ goto fail;
+ code = krb5_c_checksum_length(context, ctx->cksumtype,
+ &ctx->cksum_size);
+ if (code)
+ goto fail;
+ goto copy_subkey;
+ }
fail:
- *minor_status = code;
- return GSS_S_FAILURE;
+ *minor_status = code;
+ return GSS_S_FAILURE;
}
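Review bot: Every path through setup_enc ends at `fail:`, including the successful `break` out of the switch, because nothing between the switch's closing brace and the `fail:` label returns — so the function reports GSS_S_FAILURE with `*minor_status = 0` even when the keys were set up, unless a line has been trimmed from this rendering. A success exit placed before the label, `*minor_status = 0;` followed by `return GSS_S_COMPLETE;`, lets the caller tell a failed `krb5_copy_keyblock` or mandatory-checksum lookup apart from success. In the same hunk, the `krb5_free_keyblock(context, ctx->enc);` on the seq-copy failure leaves `ctx->enc` dangling; adding `ctx->enc = NULL;` there avoids a use or double free of the released key if the context is torn down afterwards by code that frees `ctx->enc` (not visible here).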
/*
*/
static OM_uint32
new_connection(
- OM_uint32 *minor_status,
- krb5_gss_cred_id_t cred,
- gss_ctx_id_t *context_handle,
- gss_name_t target_name,
- gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- gss_channel_bindings_t input_chan_bindings,
- gss_buffer_t input_token,
- gss_OID *actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 *ret_flags,
- OM_uint32 *time_rec,
- krb5_context context,
- int default_mech)
+ OM_uint32 *minor_status,
+ krb5_gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ krb5_context context,
+ int default_mech)
{
- OM_uint32 major_status;
- krb5_error_code code;
- krb5_creds *k_cred;
- krb5_gss_ctx_id_rec *ctx, *ctx_free;
- krb5_timestamp now;
- gss_buffer_desc token;
-
- k5_mutex_assert_locked(&cred->lock);
- major_status = GSS_S_FAILURE;
- token.length = 0;
- token.value = NULL;
-
- /* make sure the cred is usable for init */
-
- if ((cred->usage != GSS_C_INITIATE) &&
- (cred->usage != GSS_C_BOTH)) {
- *minor_status = 0;
- return(GSS_S_NO_CRED);
- }
-
- /* complain if the input token is non-null */
-
- if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
-
- /* create the ctx */
-
- if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
- == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
-
- /* fill in the ctx */
- memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
- ctx_free = ctx;
- if ((code = krb5_auth_con_init(context, &ctx->auth_context)))
- goto fail;
- krb5_auth_con_setflags(context, ctx->auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
-
- /* limit the encryption types negotiated (if requested) */
- if (cred->req_enctypes) {
- if ((code = krb5_set_default_tgs_enctypes(context,
- cred->req_enctypes))) {
- goto fail;
- }
- }
-
- ctx->initiate = 1;
- ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
- GSS_C_TRANS_FLAG |
- ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
- ctx->seed_init = 0;
- ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
- ctx->seqstate = 0;
-
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
-
- if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
- ctx->endtime = 0;
- } else {
- ctx->endtime = now + time_req;
- }
-
- if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
- goto fail;
-
- if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
- &ctx->there)))
- goto fail;
-
- code = get_credentials(context, cred, ctx->there, now,
- ctx->endtime, &k_cred);
- if (code)
- goto fail;
-
- if (default_mech) {
- mech_type = (gss_OID) gss_mech_krb5;
- }
-
- if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
- != GSS_S_COMPLETE) {
- code = *minor_status;
- goto fail;
- }
- /*
- * Now try to make it static if at all possible....
- */
- ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
-
- {
- /* gsskrb5 v1 */
- krb5_ui_4 seq_temp;
- if ((code = make_ap_req_v1(context, ctx,
- cred, k_cred, input_chan_bindings,
- mech_type, &token))) {
- if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
- (code == KG_EMPTY_CCACHE))
- major_status = GSS_S_NO_CRED;
- if (code == KRB5KRB_AP_ERR_TKT_EXPIRED)
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
-
- krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp);
- ctx->seq_send = seq_temp;
- krb5_auth_con_getsendsubkey(context, ctx->auth_context,
- &ctx->subkey);
- }
-
- major_status = setup_enc(minor_status, ctx, context);
-
- if (k_cred) {
- krb5_free_creds(context, k_cred);
- k_cred = 0;
- }
-
- /* at this point, the context is constructed and valid,
- hence, releaseable */
-
- /* intern the context handle */
-
- if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
- code = G_VALIDATE_FAILED;
- goto fail;
- }
- *context_handle = (gss_ctx_id_t) ctx;
- ctx_free = 0;
-
- /* compute time_rec */
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
- *time_rec = ctx->endtime - now;
- }
-
- /* set the other returns */
- *output_token = token;
-
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
-
- if (actual_mech_type)
- *actual_mech_type = mech_type;
-
- /* return successfully */
-
- *minor_status = 0;
- if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
- ctx->established = 0;
- return(GSS_S_CONTINUE_NEEDED);
- } else {
- ctx->seq_recv = ctx->seq_send;
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
- ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
- ctx->established = 1;
- return(GSS_S_COMPLETE);
- }
+ OM_uint32 major_status;
+ krb5_error_code code;
+ krb5_creds *k_cred;
+ krb5_gss_ctx_id_rec *ctx, *ctx_free;
+ krb5_timestamp now;
+ gss_buffer_desc token;
+
+ k5_mutex_assert_locked(&cred->lock);
+ major_status = GSS_S_FAILURE;
+ token.length = 0;
+ token.value = NULL;
+
+ /* make sure the cred is usable for init */
+
+ if ((cred->usage != GSS_C_INITIATE) &&
+ (cred->usage != GSS_C_BOTH)) {
+ *minor_status = 0;
+ return(GSS_S_NO_CRED);
+ }
+
+ /* complain if the input token is non-null */
+
+ if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
+
+ /* create the ctx */
+
+ if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
+ == NULL) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+
+ /* fill in the ctx */
+ memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
+ ctx_free = ctx;
+ if ((code = krb5_auth_con_init(context, &ctx->auth_context)))
+ goto fail;
+ krb5_auth_con_setflags(context, ctx->auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+ /* limit the encryption types negotiated (if requested) */
+ if (cred->req_enctypes) {
+ if ((code = krb5_set_default_tgs_enctypes(context,
+ cred->req_enctypes))) {
+ goto fail;
+ }
+ }
+
+ ctx->initiate = 1;
+ ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_TRANS_FLAG |
+ ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));
+ ctx->seed_init = 0;
+ ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
+ ctx->seqstate = 0;
+
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+
+ if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
+ ctx->endtime = 0;
+ } else {
+ ctx->endtime = now + time_req;
+ }
+
+ if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
+ goto fail;
+
+ if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
+ &ctx->there)))
+ goto fail;
+
+ code = get_credentials(context, cred, ctx->there, now,
+ ctx->endtime, &k_cred);
+ if (code)
+ goto fail;
+
+ if (default_mech) {
+ mech_type = (gss_OID) gss_mech_krb5;
+ }
+
+ if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
+ != GSS_S_COMPLETE) {
+ code = *minor_status;
+ goto fail;
+ }
+ /*
+ * Now try to make it static if at all possible....
+ */
+ ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
+
+ {
+ /* gsskrb5 v1 */
+ krb5_ui_4 seq_temp;
+ if ((code = make_ap_req_v1(context, ctx,
+ cred, k_cred, input_chan_bindings,
+ mech_type, &token))) {
+ if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
+ (code == KG_EMPTY_CCACHE))
+ major_status = GSS_S_NO_CRED;
+ if (code == KRB5KRB_AP_ERR_TKT_EXPIRED)
+ major_status = GSS_S_CREDENTIALS_EXPIRED;
+ goto fail;
+ }
+
+ krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp);
+ ctx->seq_send = seq_temp;
+ krb5_auth_con_getsendsubkey(context, ctx->auth_context,
+ &ctx->subkey);
+ }
+
+ major_status = setup_enc(minor_status, ctx, context);
+
+ if (k_cred) {
+ krb5_free_creds(context, k_cred);
+ k_cred = 0;
+ }
+
+ /* at this point, the context is constructed and valid,
+ hence, releaseable */
+
+ /* intern the context handle */
+
+ if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
+ code = G_VALIDATE_FAILED;
+ goto fail;
+ }
+ *context_handle = (gss_ctx_id_t) ctx;
+ ctx_free = 0;
+
+ /* compute time_rec */
+ if (time_rec) {
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+ *time_rec = ctx->endtime - now;
+ }
+
+ /* set the other returns */
+ *output_token = token;
+
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
+
+ if (actual_mech_type)
+ *actual_mech_type = mech_type;
+
+ /* return successfully */
+
+ *minor_status = 0;
+ if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
+ ctx->established = 0;
+ return(GSS_S_CONTINUE_NEEDED);
+ } else {
+ ctx->seq_recv = ctx->seq_send;
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
+ ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
+ ctx->established = 1;
+ return(GSS_S_COMPLETE);
+ }
fail:
- if (ctx_free) {
- if (ctx_free->auth_context)
- krb5_auth_con_free(context, ctx_free->auth_context);
- if (ctx_free->here)
- krb5_free_principal(context, ctx_free->here);
- if (ctx_free->there)
- krb5_free_principal(context, ctx_free->there);
- if (ctx_free->subkey)
- krb5_free_keyblock(context, ctx_free->subkey);
- xfree(ctx_free);
- } else
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
-
- *minor_status = code;
- return (major_status);
+ if (ctx_free) {
+ if (ctx_free->auth_context)
+ krb5_auth_con_free(context, ctx_free->auth_context);
+ if (ctx_free->here)
+ krb5_free_principal(context, ctx_free->here);
+ if (ctx_free->there)
+ krb5_free_principal(context, ctx_free->there);
+ if (ctx_free->subkey)
+ krb5_free_keyblock(context, ctx_free->subkey);
+ xfree(ctx_free);
+ } else
+ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+
+ *minor_status = code;
+ return (major_status);
}
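Review bot: new_connection stores setup_enc's result in `major_status` but never tests it, then overwrites `*minor_status = 0` and returns GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE regardless, so a context whose `ctx->enc`/`ctx->seq` were never populated is interned and handed back as valid. Testing it after the k_cred release (so the creds are not leaked on the error path) — `if (major_status != GSS_S_COMPLETE) { code = *minor_status; goto fail; }` — is the fix, but it only works once setup_enc actually returns GSS_S_COMPLETE on success (as written in this diff it falls into its `fail:` label on every path), so the two must change together. The unchecked `krb5_auth_con_getsendsubkey` just above is worth a look as well: if it leaves `ctx->subkey` NULL, setup_enc dereferences it on `ctx->subkey->enctype`.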
/*
*/
static OM_uint32
mutual_auth(
- OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_name_t target_name,
- gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- gss_channel_bindings_t input_chan_bindings,
- gss_buffer_t input_token,
- gss_OID *actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 *ret_flags,
- OM_uint32 *time_rec,
- krb5_context context)
+ OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ krb5_context context)
{
- OM_uint32 major_status;
- unsigned char *ptr;
- char *sptr;
- krb5_data ap_rep;
- krb5_ap_rep_enc_part *ap_rep_data;
- krb5_timestamp now;
- krb5_gss_ctx_id_rec *ctx;
- krb5_error *krb_error;
- krb5_error_code code;
- krb5int_access kaccess;
-
- major_status = GSS_S_FAILURE;
-
- code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (code)
- goto fail;
-
- /* validate the context handle */
- /*SUPPRESS 29*/
- if (! kg_validate_ctx_id(*context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
-
- ctx = (krb5_gss_ctx_id_t) *context_handle;
-
- /* make sure the context is non-established, and that certain
- arguments are unchanged */
-
- if ((ctx->established) ||
- ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) {
- code = KG_CONTEXT_ESTABLISHED;
- goto fail;
- }
-
- if (! krb5_principal_compare(context, ctx->there,
- (krb5_principal) target_name)) {
- (void)krb5_gss_delete_sec_context(minor_status,
- context_handle, NULL);
- code = 0;
- major_status = GSS_S_BAD_NAME;
- goto fail;
- }
-
- /* verify the token and leave the AP_REP message in ap_rep */
-
- if (input_token == GSS_C_NO_BUFFER) {
- (void)krb5_gss_delete_sec_context(minor_status,
- context_handle, NULL);
- code = 0;
- major_status = GSS_S_DEFECTIVE_TOKEN;
- goto fail;
- }
-
- ptr = (unsigned char *) input_token->value;
-
- if (g_verify_token_header(ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_AP_REP,
- input_token->length, 1)) {
- if (g_verify_token_header((gss_OID) ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_ERROR,
- input_token->length, 1) == 0) {
-
- /* Handle a KRB_ERROR message from the server */
-
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
-
- code = krb5_rd_error(context, &ap_rep, &krb_error);
- if (code)
- goto fail;
- if (krb_error->error)
- code = krb_error->error + ERROR_TABLE_BASE_krb5;
- else
- code = 0;
- krb5_free_error(context, krb_error);
- goto fail;
- } else {
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
- }
-
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
-
- /* decode the ap_rep */
- if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
- &ap_rep_data))) {
- /*
- * XXX A hack for backwards compatiblity.
- * To be removed in 1999 -- proven
- */
- krb5_auth_con_setuseruserkey(context, ctx->auth_context,
- ctx->subkey);
- if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep,
- &ap_rep_data)))
- goto fail;
- }
-
- /* store away the sequence number */
- ctx->seq_recv = ap_rep_data->seq_number;
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto);
-
- if (ctx->proto == 1 && ap_rep_data->subkey) {
- /* Keep acceptor's subkey. */
- ctx->have_acceptor_subkey = 1;
- code = krb5_copy_keyblock(context, ap_rep_data->subkey,
- &ctx->acceptor_subkey);
- if (code)
- goto fail;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
- ctx->acceptor_subkey->enctype,
- &ctx->acceptor_subkey_cksumtype);
- if (code)
- goto fail;
- }
-
- /* free the ap_rep_data */
- krb5_free_ap_rep_enc_part(context, ap_rep_data);
-
- /* set established */
- ctx->established = 1;
-
- /* set returns */
-
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
- *time_rec = ctx->endtime - now;
- }
-
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
-
- if (actual_mech_type)
- *actual_mech_type = mech_type;
-
- /* success */
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
+ OM_uint32 major_status;
+ unsigned char *ptr;
+ char *sptr;
+ krb5_data ap_rep;
+ krb5_ap_rep_enc_part *ap_rep_data;
+ krb5_timestamp now;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_error *krb_error;
+ krb5_error_code code;
+ krb5int_access kaccess;
+
+ major_status = GSS_S_FAILURE;
+
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code)
+ goto fail;
+
+ /* validate the context handle */
+ /*SUPPRESS 29*/
+ if (! kg_validate_ctx_id(*context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
+
+ ctx = (krb5_gss_ctx_id_t) *context_handle;
+
+ /* make sure the context is non-established, and that certain
+ arguments are unchanged */
+
+ if ((ctx->established) ||
+ ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) {
+ code = KG_CONTEXT_ESTABLISHED;
+ goto fail;
+ }
+
+ if (! krb5_principal_compare(context, ctx->there,
+ (krb5_principal) target_name)) {
+ (void)krb5_gss_delete_sec_context(minor_status,
+ context_handle, NULL);
+ code = 0;
+ major_status = GSS_S_BAD_NAME;
+ goto fail;
+ }
+
+ /* verify the token and leave the AP_REP message in ap_rep */
+
+ if (input_token == GSS_C_NO_BUFFER) {
+ (void)krb5_gss_delete_sec_context(minor_status,
+ context_handle, NULL);
+ code = 0;
+ major_status = GSS_S_DEFECTIVE_TOKEN;
+ goto fail;
+ }
+
+ ptr = (unsigned char *) input_token->value;
+
+ if (g_verify_token_header(ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_AP_REP,
+ input_token->length, 1)) {
+ if (g_verify_token_header((gss_OID) ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_ERROR,
+ input_token->length, 1) == 0) {
+
+ /* Handle a KRB_ERROR message from the server */
+
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
+
+ code = krb5_rd_error(context, &ap_rep, &krb_error);
+ if (code)
+ goto fail;
+ if (krb_error->error)
+ code = krb_error->error + ERROR_TABLE_BASE_krb5;
+ else
+ code = 0;
+ krb5_free_error(context, krb_error);
+ goto fail;
+ } else {
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
+ }
+
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
+
+ /* decode the ap_rep */
+ if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
+ &ap_rep_data))) {
+ /*
+ * XXX A hack for backwards compatiblity.
+ * To be removed in 1999 -- proven
+ */
+ krb5_auth_con_setuseruserkey(context, ctx->auth_context,
+ ctx->subkey);
+ if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep,
+ &ap_rep_data)))
+ goto fail;
+ }
+
+ /* store away the sequence number */
+ ctx->seq_recv = ap_rep_data->seq_number;
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto);
+
+ if (ctx->proto == 1 && ap_rep_data->subkey) {
+ /* Keep acceptor's subkey. */
+ ctx->have_acceptor_subkey = 1;
+ code = krb5_copy_keyblock(context, ap_rep_data->subkey,
+ &ctx->acceptor_subkey);
+ if (code)
+ goto fail;
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
+ ctx->acceptor_subkey->enctype,
+ &ctx->acceptor_subkey_cksumtype);
+ if (code)
+ goto fail;
+ }
+
+ /* free the ap_rep_data */
+ krb5_free_ap_rep_enc_part(context, ap_rep_data);
+
+ /* set established */
+ ctx->established = 1;
+
+ /* set returns */
+
+ if (time_rec) {
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+ *time_rec = ctx->endtime - now;
+ }
+
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
+
+ if (actual_mech_type)
+ *actual_mech_type = mech_type;
+
+ /* success */
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
fail:
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
- *minor_status = code;
- return (major_status);
+ *minor_status = code;
+ return (major_status);
}
OM_uint32
krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
- context_handle, target_name, mech_type,
- req_flags, time_req, input_chan_bindings,
- input_token, actual_mech_type, output_token,
- ret_flags, time_rec)
+ context_handle, target_name, mech_type,
+ req_flags, time_req, input_chan_bindings,
+ input_token, actual_mech_type, output_token,
+ ret_flags, time_rec)
OM_uint32 *minor_status;
gss_cred_id_t claimant_cred_handle;
gss_ctx_id_t *context_handle;
OM_uint32 *ret_flags;
OM_uint32 *time_rec;
{
- krb5_context context;
- krb5_gss_cred_id_t cred;
- int err;
- krb5_error_code kerr;
- int default_mech = 0;
- OM_uint32 major_status;
- OM_uint32 tmp_min_stat;
-
- if (*context_handle == GSS_C_NO_CONTEXT) {
- kerr = krb5_gss_init_context(&context);
- if (kerr) {
- *minor_status = kerr;
- return GSS_S_FAILURE;
- }
- if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) {
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return GSS_S_FAILURE;
- }
- } else {
- context = ((krb5_gss_ctx_id_rec *)*context_handle)->k5_context;
- }
-
- /* set up return values so they can be "freed" successfully */
-
- major_status = GSS_S_FAILURE; /* Default major code */
- output_token->length = 0;
- output_token->value = NULL;
- if (actual_mech_type)
- *actual_mech_type = NULL;
-
- /* verify that the target_name is valid and usable */
-
- if (! kg_validate_name(target_name)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- save_error_info(*minor_status, context);
- if (*context_handle == GSS_C_NO_CONTEXT)
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
-
- /* verify the credential, or use the default */
- /*SUPPRESS 29*/
- if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
- major_status = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred);
- if (major_status && GSS_ERROR(major_status)) {
- if (*context_handle == GSS_C_NO_CONTEXT)
- krb5_free_context(context);
- return(major_status);
- }
- } else {
- major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle);
- if (GSS_ERROR(major_status)) {
- save_error_info(*minor_status, context);
- if (*context_handle == GSS_C_NO_CONTEXT)
- krb5_free_context(context);
- return(major_status);
- }
- cred = (krb5_gss_cred_id_t) claimant_cred_handle;
- }
- kerr = k5_mutex_lock(&cred->lock);
- if (kerr) {
- krb5_free_context(context);
- *minor_status = kerr;
- return GSS_S_FAILURE;
- }
-
- /* verify the mech_type */
-
- err = 0;
- if (mech_type == GSS_C_NULL_OID) {
- default_mech = 1;
- if (cred->rfc_mech) {
- mech_type = (gss_OID) gss_mech_krb5;
- } else if (cred->prerfc_mech) {
- mech_type = (gss_OID) gss_mech_krb5_old;
- } else {
- err = 1;
- }
- } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
- if (!cred->rfc_mech)
- err = 1;
- } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
- if (!cred->prerfc_mech)
- err = 1;
- } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) {
- if (!cred->rfc_mech)
- err = 1;
- } else {
- err = 1;
- }
-
- if (err) {
- k5_mutex_unlock(&cred->lock);
- if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
- *minor_status = 0;
- if (*context_handle == GSS_C_NO_CONTEXT)
- krb5_free_context(context);
- return(GSS_S_BAD_MECH);
- }
-
- /* is this a new connection or not? */
-
- /*SUPPRESS 29*/
- if (*context_handle == GSS_C_NO_CONTEXT) {
- major_status = new_connection(minor_status, cred, context_handle,
- target_name, mech_type, req_flags,
- time_req, input_chan_bindings,
- input_token, actual_mech_type,
- output_token, ret_flags, time_rec,
- context, default_mech);
- k5_mutex_unlock(&cred->lock);
- if (*context_handle == GSS_C_NO_CONTEXT) {
- save_error_info (*minor_status, context);
- krb5_free_context(context);
- } else
- ((krb5_gss_ctx_id_rec *) *context_handle)->k5_context = context;
- } else {
- /* mutual_auth doesn't care about the credentials */
- k5_mutex_unlock(&cred->lock);
- major_status = mutual_auth(minor_status, context_handle,
- target_name, mech_type, req_flags,
- time_req, input_chan_bindings,
- input_token, actual_mech_type,
- output_token, ret_flags, time_rec,
- context);
- /* If context_handle is now NO_CONTEXT, mutual_auth called
- delete_sec_context, which would've zapped the krb5 context
- too. */
- }
-
- if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
-
- return(major_status);
+ krb5_context context;
+ krb5_gss_cred_id_t cred;
+ int err;
+ krb5_error_code kerr;
+ int default_mech = 0;
+ OM_uint32 major_status;
+ OM_uint32 tmp_min_stat;
+
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ kerr = krb5_gss_init_context(&context);
+ if (kerr) {
+ *minor_status = kerr;
+ return GSS_S_FAILURE;
+ }
+ if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) {
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return GSS_S_FAILURE;
+ }
+ } else {
+ context = ((krb5_gss_ctx_id_rec *)*context_handle)->k5_context;
+ }
+
+ /* set up return values so they can be "freed" successfully */
+
+ major_status = GSS_S_FAILURE; /* Default major code */
+ output_token->length = 0;
+ output_token->value = NULL;
+ if (actual_mech_type)
+ *actual_mech_type = NULL;
+
+ /* verify that the target_name is valid and usable */
+
+ if (! kg_validate_name(target_name)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ save_error_info(*minor_status, context);
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
+
+ /* verify the credential, or use the default */
+ /*SUPPRESS 29*/
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
+ major_status = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred);
+ if (major_status && GSS_ERROR(major_status)) {
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ krb5_free_context(context);
+ return(major_status);
+ }
+ } else {
+ major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle);
+ if (GSS_ERROR(major_status)) {
+ save_error_info(*minor_status, context);
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ krb5_free_context(context);
+ return(major_status);
+ }
+ cred = (krb5_gss_cred_id_t) claimant_cred_handle;
+ }
+ kerr = k5_mutex_lock(&cred->lock);
+ if (kerr) {
+ krb5_free_context(context);
+ *minor_status = kerr;
+ return GSS_S_FAILURE;
+ }
+
+ /* verify the mech_type */
+
+ err = 0;
+ if (mech_type == GSS_C_NULL_OID) {
+ default_mech = 1;
+ if (cred->rfc_mech) {
+ mech_type = (gss_OID) gss_mech_krb5;
+ } else if (cred->prerfc_mech) {
+ mech_type = (gss_OID) gss_mech_krb5_old;
+ } else {
+ err = 1;
+ }
+ } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
+ if (!cred->rfc_mech)
+ err = 1;
+ } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
+ if (!cred->prerfc_mech)
+ err = 1;
+ } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) {
+ if (!cred->rfc_mech)
+ err = 1;
+ } else {
+ err = 1;
+ }
+
+ if (err) {
+ k5_mutex_unlock(&cred->lock);
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+ *minor_status = 0;
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ krb5_free_context(context);
+ return(GSS_S_BAD_MECH);
+ }
+
+ /* is this a new connection or not? */
+
+ /*SUPPRESS 29*/
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ major_status = new_connection(minor_status, cred, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings,
+ input_token, actual_mech_type,
+ output_token, ret_flags, time_rec,
+ context, default_mech);
+ k5_mutex_unlock(&cred->lock);
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ save_error_info (*minor_status, context);
+ krb5_free_context(context);
+ } else
+ ((krb5_gss_ctx_id_rec *) *context_handle)->k5_context = context;
+ } else {
+ /* mutual_auth doesn't care about the credentials */
+ k5_mutex_unlock(&cred->lock);
+ major_status = mutual_auth(minor_status, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings,
+ input_token, actual_mech_type,
+ output_token, ret_flags, time_rec,
+ context);
+ /* If context_handle is now NO_CONTEXT, mutual_auth called
+ delete_sec_context, which would've zapped the krb5 context
+ too. */
+ }
+
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
+
+ return(major_status);
}
#ifndef _WIN32
err = gssint_initialize_library();
if (err)
- return err;
+ return err;
#ifndef _WIN32
err = k5_mutex_lock(&kg_kdc_flag_mutex);
if (err)
- return err;
+ return err;
is_kdc = kdc_flag;
k5_mutex_unlock(&kg_kdc_flag_mutex);
if (is_kdc)
- return krb5int_init_context_kdc(ctxp);
+ return krb5int_init_context_kdc(ctxp);
#endif
return krb5_init_context(ctxp);
err = gssint_initialize_library();
if (err)
- return err;
+ return err;
err = k5_mutex_lock(&kg_kdc_flag_mutex);
if (err)
- return err;
+ return err;
kdc_flag = 1;
k5_mutex_unlock(&kg_kdc_flag_mutex);
return 0;
}
#endif
-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#include "gssapiP_krb5.h"
OM_uint32
-krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
- acceptor_name, lifetime_rec, mech_type, ret_flags,
- locally_initiated, opened)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_name_t *initiator_name;
- gss_name_t *acceptor_name;
- OM_uint32 *lifetime_rec;
- gss_OID *mech_type;
- OM_uint32 *ret_flags;
- int *locally_initiated;
- int *opened;
+krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
+ acceptor_name, lifetime_rec, mech_type, ret_flags,
+ locally_initiated, opened)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_name_t *initiator_name;
+ gss_name_t *acceptor_name;
+ OM_uint32 *lifetime_rec;
+ gss_OID *mech_type;
+ OM_uint32 *ret_flags;
+ int *locally_initiated;
+ int *opened;
{
- krb5_context context;
- krb5_error_code code;
- krb5_gss_ctx_id_rec *ctx;
- krb5_principal initiator, acceptor;
- krb5_timestamp now;
- krb5_deltat lifetime;
-
- if (initiator_name)
- *initiator_name = (gss_name_t) NULL;
- if (acceptor_name)
- *acceptor_name = (gss_name_t) NULL;
-
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
-
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
-
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
-
- initiator = NULL;
- acceptor = NULL;
- context = ctx->k5_context;
-
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
-
- if ((lifetime = ctx->endtime - now) < 0)
- lifetime = 0;
-
- if (initiator_name) {
- if ((code = krb5_copy_principal(context,
- ctx->initiate?ctx->here:ctx->there,
- &initiator))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
- if (! kg_save_name((gss_name_t) initiator)) {
- krb5_free_principal(context, initiator);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
- }
-
- if (acceptor_name) {
- if ((code = krb5_copy_principal(context,
- ctx->initiate?ctx->there:ctx->here,
- &acceptor))) {
- if (initiator) krb5_free_principal(context, initiator);
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
- if (! kg_save_name((gss_name_t) acceptor)) {
- krb5_free_principal(context, acceptor);
- if (initiator) {
- kg_delete_name((gss_name_t) initiator);
- krb5_free_principal(context, initiator);
- }
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_FAILURE);
- }
- }
-
- if (initiator_name)
- *initiator_name = (gss_name_t) initiator;
-
- if (acceptor_name)
- *acceptor_name = (gss_name_t) acceptor;
-
- if (lifetime_rec)
- *lifetime_rec = lifetime;
-
- if (mech_type)
- *mech_type = (gss_OID) ctx->mech_used;
-
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
-
- if (locally_initiated)
- *locally_initiated = ctx->initiate;
-
- if (opened)
- *opened = ctx->established;
-
- *minor_status = 0;
- return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ krb5_context context;
+ krb5_error_code code;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_principal initiator, acceptor;
+ krb5_timestamp now;
+ krb5_deltat lifetime;
+
+ if (initiator_name)
+ *initiator_name = (gss_name_t) NULL;
+ if (acceptor_name)
+ *acceptor_name = (gss_name_t) NULL;
+
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
+
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
+
+ if (! ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
+ }
+
+ initiator = NULL;
+ acceptor = NULL;
+ context = ctx->k5_context;
+
+ if ((code = krb5_timeofday(context, &now))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
+ }
+
+ if ((lifetime = ctx->endtime - now) < 0)
+ lifetime = 0;
+
+ if (initiator_name) {
+ if ((code = krb5_copy_principal(context,
+ ctx->initiate?ctx->here:ctx->there,
+ &initiator))) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
+ }
+ if (! kg_save_name((gss_name_t) initiator)) {
+ krb5_free_principal(context, initiator);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
+ }
+
+ if (acceptor_name) {
+ if ((code = krb5_copy_principal(context,
+ ctx->initiate?ctx->there:ctx->here,
+ &acceptor))) {
+ if (initiator) krb5_free_principal(context, initiator);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
+ }
+ if (! kg_save_name((gss_name_t) acceptor)) {
+ krb5_free_principal(context, acceptor);
+ if (initiator) {
+ kg_delete_name((gss_name_t) initiator);
+ krb5_free_principal(context, initiator);
+ }
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_FAILURE);
+ }
+ }
+
+ if (initiator_name)
+ *initiator_name = (gss_name_t) initiator;
+
+ if (acceptor_name)
+ *acceptor_name = (gss_name_t) acceptor;
+
+ if (lifetime_rec)
+ *lifetime_rec = lifetime;
+
+ if (mech_type)
+ *mech_type = (gss_OID) ctx->mech_used;
+
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
+
+ if (locally_initiated)
+ *locally_initiated = ctx->initiate;
+
+ if (opened)
+ *opened = ctx->established;
+
+ *minor_status = 0;
+ return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000, 2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
OM_uint32
krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
- cred_usage, mechanisms)
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- gss_name_t *name;
- OM_uint32 *lifetime_ret;
- gss_cred_usage_t *cred_usage;
- gss_OID_set *mechanisms;
+ cred_usage, mechanisms)
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
+ gss_name_t *name;
+ OM_uint32 *lifetime_ret;
+ gss_cred_usage_t *cred_usage;
+ gss_OID_set *mechanisms;
{
- krb5_context context;
- krb5_gss_cred_id_t cred;
- krb5_error_code code;
- krb5_timestamp now;
- krb5_deltat lifetime;
- krb5_principal ret_name;
- gss_OID_set mechs;
- OM_uint32 ret;
+ krb5_context context;
+ krb5_gss_cred_id_t cred;
+ krb5_error_code code;
+ krb5_timestamp now;
+ krb5_deltat lifetime;
+ krb5_principal ret_name;
+ gss_OID_set mechs;
+ OM_uint32 ret;
+
+ ret = GSS_S_FAILURE;
+ ret_name = NULL;
- ret = GSS_S_FAILURE;
- ret_name = NULL;
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ if (name) *name = NULL;
+ if (mechanisms) *mechanisms = NULL;
- if (name) *name = NULL;
- if (mechanisms) *mechanisms = NULL;
+ /* check for default credential */
+ /*SUPPRESS 29*/
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ OM_uint32 major;
- /* check for default credential */
- /*SUPPRESS 29*/
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- OM_uint32 major;
+ if ((major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred)) &&
+ GSS_ERROR(major)) {
+ krb5_free_context(context);
+ return(major);
+ }
+ } else {
+ OM_uint32 major;
- if ((major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred)) &&
- GSS_ERROR(major)) {
- krb5_free_context(context);
- return(major);
- }
- } else {
- OM_uint32 major;
-
- major = krb5_gss_validate_cred(minor_status, cred_handle);
- if (GSS_ERROR(major)) {
- krb5_free_context(context);
- return(major);
- }
- cred = (krb5_gss_cred_id_t) cred_handle;
- }
+ major = krb5_gss_validate_cred(minor_status, cred_handle);
+ if (GSS_ERROR(major)) {
+ krb5_free_context(context);
+ return(major);
+ }
+ cred = (krb5_gss_cred_id_t) cred_handle;
+ }
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- ret = GSS_S_FAILURE;
- goto fail;
- }
+ if ((code = krb5_timeofday(context, &now))) {
+ *minor_status = code;
+ ret = GSS_S_FAILURE;
+ goto fail;
+ }
- code = k5_mutex_lock(&cred->lock);
- if (code != 0) {
- *minor_status = code;
- ret = GSS_S_FAILURE;
- goto fail;
- }
- if (cred->tgt_expire > 0) {
- if ((lifetime = cred->tgt_expire - now) < 0)
- lifetime = 0;
- }
- else
- lifetime = GSS_C_INDEFINITE;
+ code = k5_mutex_lock(&cred->lock);
+ if (code != 0) {
+ *minor_status = code;
+ ret = GSS_S_FAILURE;
+ goto fail;
+ }
+ if (cred->tgt_expire > 0) {
+ if ((lifetime = cred->tgt_expire - now) < 0)
+ lifetime = 0;
+ }
+ else
+ lifetime = GSS_C_INDEFINITE;
- if (name) {
- if (cred->princ &&
- (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
- k5_mutex_unlock(&cred->lock);
- *minor_status = code;
- save_error_info(*minor_status, context);
- ret = GSS_S_FAILURE;
- goto fail;
- }
- }
+ if (name) {
+ if (cred->princ &&
+ (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+ k5_mutex_unlock(&cred->lock);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ ret = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
- if (mechanisms) {
- if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
- &mechs)) ||
- (cred->prerfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_old,
- &mechs))) ||
- (cred->rfc_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5,
- &mechs)))) {
- k5_mutex_unlock(&cred->lock);
- if (ret_name)
- krb5_free_principal(context, ret_name);
- /* *minor_status set above */
- goto fail;
- }
- }
+ if (mechanisms) {
+ if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
+ &mechs)) ||
+ (cred->prerfc_mech &&
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5_old,
+ &mechs))) ||
+ (cred->rfc_mech &&
+ GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+ gss_mech_krb5,
+ &mechs)))) {
+ k5_mutex_unlock(&cred->lock);
+ if (ret_name)
+ krb5_free_principal(context, ret_name);
+ /* *minor_status set above */
+ goto fail;
+ }
+ }
- if (name) {
- if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) {
- k5_mutex_unlock(&cred->lock);
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+ if (name) {
+ if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) {
+ k5_mutex_unlock(&cred->lock);
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
- (void) gss_release_oid_set(minor_status, &mechs);
- krb5_free_principal(context, ret_name);
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_FAILURE);
- }
- if (ret_name != NULL)
- *name = (gss_name_t) ret_name;
- else
- *name = GSS_C_NO_NAME;
- }
+ (void) gss_release_oid_set(minor_status, &mechs);
+ krb5_free_principal(context, ret_name);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_FAILURE);
+ }
+ if (ret_name != NULL)
+ *name = (gss_name_t) ret_name;
+ else
+ *name = GSS_C_NO_NAME;
+ }
- if (lifetime_ret)
- *lifetime_ret = lifetime;
+ if (lifetime_ret)
+ *lifetime_ret = lifetime;
- if (cred_usage)
- *cred_usage = cred->usage;
- k5_mutex_unlock(&cred->lock);
+ if (cred_usage)
+ *cred_usage = cred->usage;
+ k5_mutex_unlock(&cred->lock);
- if (mechanisms)
- *mechanisms = mechs;
+ if (mechanisms)
+ *mechanisms = mechs;
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
- krb5_free_context(context);
- *minor_status = 0;
- return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
+ krb5_free_context(context);
+ *minor_status = 0;
+ return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
fail:
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- OM_uint32 tmp_min_stat;
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ OM_uint32 tmp_min_stat;
- krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
- }
- krb5_free_context(context);
- return ret;
+ krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
+ }
+ krb5_free_context(context);
+ return ret;
}
/* V2 interface */
OM_uint32
krb5_gss_inquire_cred_by_mech(minor_status, cred_handle,
- mech_type, name, initiator_lifetime,
- acceptor_lifetime, cred_usage)
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- gss_OID mech_type;
- gss_name_t *name;
- OM_uint32 *initiator_lifetime;
- OM_uint32 *acceptor_lifetime;
+ mech_type, name, initiator_lifetime,
+ acceptor_lifetime, cred_usage)
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
+ gss_OID mech_type;
+ gss_name_t *name;
+ OM_uint32 *initiator_lifetime;
+ OM_uint32 *acceptor_lifetime;
gss_cred_usage_t *cred_usage;
{
- krb5_gss_cred_id_t cred;
- OM_uint32 lifetime;
- OM_uint32 mstat;
+ krb5_gss_cred_id_t cred;
+ OM_uint32 lifetime;
+ OM_uint32 mstat;
/*
* We only know how to handle our own creds.
*/
if ((mech_type != GSS_C_NULL_OID) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type) &&
- !g_OID_equal(gss_mech_krb5, mech_type)) {
- *minor_status = 0;
- return(GSS_S_NO_CRED);
+ !g_OID_equal(gss_mech_krb5_old, mech_type) &&
+ !g_OID_equal(gss_mech_krb5, mech_type)) {
+ *minor_status = 0;
+ return(GSS_S_NO_CRED);
}
cred = (krb5_gss_cred_id_t) cred_handle;
mstat = krb5_gss_inquire_cred(minor_status,
- cred_handle,
- name,
- &lifetime,
- cred_usage,
- (gss_OID_set *) NULL);
+ cred_handle,
+ name,
+ &lifetime,
+ cred_usage,
+ (gss_OID_set *) NULL);
if (mstat == GSS_S_COMPLETE) {
- if (cred &&
- ((cred->usage == GSS_C_INITIATE) ||
- (cred->usage == GSS_C_BOTH)) &&
- initiator_lifetime)
- *initiator_lifetime = lifetime;
- if (cred &&
- ((cred->usage == GSS_C_ACCEPT) ||
- (cred->usage == GSS_C_BOTH)) &&
- acceptor_lifetime)
- *acceptor_lifetime = lifetime;
+ if (cred &&
+ ((cred->usage == GSS_C_INITIATE) ||
+ (cred->usage == GSS_C_BOTH)) &&
+ initiator_lifetime)
+ *initiator_lifetime = lifetime;
+ if (cred &&
+ ((cred->usage == GSS_C_ACCEPT) ||
+ (cred->usage == GSS_C_BOTH)) &&
+ acceptor_lifetime)
+ *acceptor_lifetime = lifetime;
}
return(mstat);
}
-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/inq_names.c
*
OM_uint32
krb5_gss_inquire_names_for_mech(minor_status, mechanism, name_types)
- OM_uint32 *minor_status;
- gss_OID mechanism;
- gss_OID_set *name_types;
+ OM_uint32 *minor_status;
+ gss_OID mechanism;
+ gss_OID_set *name_types;
{
- OM_uint32 major, minor;
+ OM_uint32 major, minor;
/*
* We only know how to handle our own mechanism.
*/
if ((mechanism != GSS_C_NULL_OID) &&
- !g_OID_equal(gss_mech_krb5, mechanism) &&
- !g_OID_equal(gss_mech_krb5_old, mechanism)) {
- *minor_status = 0;
- return(GSS_S_BAD_MECH);
+ !g_OID_equal(gss_mech_krb5, mechanism) &&
+ !g_OID_equal(gss_mech_krb5_old, mechanism)) {
+ *minor_status = 0;
+ return(GSS_S_BAD_MECH);
}
/* We're okay. Create an empty OID set */
major = gss_create_empty_oid_set(minor_status, name_types);
if (major == GSS_S_COMPLETE) {
- /* Now add our members. */
- if (
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_user_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_machine_uid_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_string_uid_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_service_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_service_name_v2,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_exported_name,
- name_types)
- ) == GSS_S_COMPLETE) &&
- ((major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_krb5_name,
- name_types)
- ) == GSS_S_COMPLETE)
- ) {
- major = generic_gss_add_oid_set_member(minor_status,
- gss_nt_krb5_principal,
- name_types);
- }
+ /* Now add our members. */
+ if (
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_user_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_machine_uid_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_string_uid_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_service_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_service_name_v2,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_exported_name,
+ name_types)
+ ) == GSS_S_COMPLETE) &&
+ ((major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_krb5_name,
+ name_types)
+ ) == GSS_S_COMPLETE)
+ ) {
+ major = generic_gss_add_oid_set_member(minor_status,
+ gss_nt_krb5_principal,
+ name_types);
+ }
- /*
- * If we choked, then release the set, but don't overwrite the minor
- * status with the release call.
- */
- if (major != GSS_S_COMPLETE)
- (void) gss_release_oid_set(&minor,
- name_types);
+ /*
+ * If we choked, then release the set, but don't overwrite the minor
+ * status with the release call.
+ */
+ if (major != GSS_S_COMPLETE)
+ (void) gss_release_oid_set(&minor,
+ name_types);
}
return(major);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
*
static krb5_error_code
make_seal_token_v1 (krb5_context context,
- krb5_keyblock *enc,
- krb5_keyblock *seq,
- gssint_uint64 *seqnum,
- int direction,
- gss_buffer_t text,
- gss_buffer_t token,
- int signalg,
- size_t cksum_size,
- int sealalg,
- int do_encrypt,
- int toktype,
- int bigend,
- gss_OID oid)
+ krb5_keyblock *enc,
+ krb5_keyblock *seq,
+ gssint_uint64 *seqnum,
+ int direction,
+ gss_buffer_t text,
+ gss_buffer_t token,
+ int signalg,
+ size_t cksum_size,
+ int sealalg,
+ int do_encrypt,
+ int toktype,
+ int bigend,
+ gss_OID oid)
{
krb5_error_code code;
size_t sumlen;
krb5_data plaind;
krb5_checksum md5cksum;
krb5_checksum cksum;
- /* msglen contains the message length
- * we are signing/encrypting. tmsglen
- * contains the length of the message
- * we plan to write out to the token.
- * tlen is the length of the token
- * including header. */
+ /* msglen contains the message length
+ * we are signing/encrypting. tmsglen
+ * contains the length of the message
+ * we plan to write out to the token.
+ * tlen is the length of the token
+ * including header. */
unsigned conflen=0, tmsglen, tlen, msglen;
unsigned char *t, *ptr;
unsigned char *plain;
/* create the token buffer */
/* Do we need confounder? */
if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
- conflen = kg_confounder_size(context, enc);
+ conflen = kg_confounder_size(context, enc);
else conflen = 0;
if (toktype == KG_TOK_SEAL_MSG) {
- switch (sealalg) {
- case SEAL_ALG_MICROSOFT_RC4:
- msglen = conflen + text->length+1;
- pad = 1;
- break;
- default:
- /* XXX knows that des block size is 8 */
- msglen = (conflen+text->length+8)&(~7);
- pad = 8-(text->length%8);
- }
- tmsglen = msglen;
+ switch (sealalg) {
+ case SEAL_ALG_MICROSOFT_RC4:
+ msglen = conflen + text->length+1;
+ pad = 1;
+ break;
+ default:
+ /* XXX knows that des block size is 8 */
+ msglen = (conflen+text->length+8)&(~7);
+ pad = 8-(text->length%8);
+ }
+ tmsglen = msglen;
} else {
- tmsglen = 0;
- msglen = text->length;
- pad = 0;
+ tmsglen = 0;
+ msglen = text->length;
+ pad = 0;
}
tlen = g_token_size((gss_OID) oid, 14+cksum_size+tmsglen);
if ((t = (unsigned char *) xmalloc(tlen)) == NULL)
- return(ENOMEM);
+ return(ENOMEM);
/*** fill in the token */
/* 2..3 SEAL_ALG or Filler */
if ((toktype == KG_TOK_SEAL_MSG) && do_encrypt) {
- ptr[2] = sealalg & 0xff;
- ptr[3] = (sealalg >> 8) & 0xff;
+ ptr[2] = sealalg & 0xff;
+ ptr[3] = (sealalg >> 8) & 0xff;
} else {
- /* No seal */
- ptr[2] = 0xff;
- ptr[3] = 0xff;
+ /* No seal */
+ ptr[2] = 0xff;
+ ptr[3] = 0xff;
}
/* 4..5 Filler */
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
+ break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
- md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+ break;
case SGN_ALG_HMAC_MD5:
- md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
- if (toktype != KG_TOK_SEAL_MSG)
- sign_usage = 15;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+ if (toktype != KG_TOK_SEAL_MSG)
+ sign_usage = 15;
+ break;
default:
case SGN_ALG_DES_MAC:
- abort ();
+ abort ();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code) {
- xfree(t);
- return(code);
+ xfree(t);
+ return(code);
}
md5cksum.length = sumlen;
if ((plain = (unsigned char *) xmalloc(msglen ? msglen : 1)) == NULL) {
- xfree(t);
- return(ENOMEM);
+ xfree(t);
+ return(ENOMEM);
}
if (conflen) {
- if ((code = kg_make_confounder(context, enc, plain))) {
- xfree(plain);
- xfree(t);
- return(code);
- }
+ if ((code = kg_make_confounder(context, enc, plain))) {
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
}
memcpy(plain+conflen, text->value, text->length);
/* 8 = head of token body as specified by mech spec */
if (! (data_ptr =
- (char *) xmalloc(8 + (bigend ? text->length : msglen)))) {
- xfree(plain);
- xfree(t);
- return(ENOMEM);
+ (char *) xmalloc(8 + (bigend ? text->length : msglen)))) {
+ xfree(plain);
+ xfree(t);
+ return(ENOMEM);
}
(void) memcpy(data_ptr, ptr-2, 8);
if (bigend)
- (void) memcpy(data_ptr+8, text->value, text->length);
+ (void) memcpy(data_ptr+8, text->value, text->length);
else
- (void) memcpy(data_ptr+8, plain, msglen);
+ (void) memcpy(data_ptr+8, plain, msglen);
plaind.length = 8 + (bigend ? text->length : msglen);
plaind.data = data_ptr;
code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq,
- sign_usage, &plaind, &md5cksum);
+ sign_usage, &plaind, &md5cksum);
xfree(data_ptr);
if (code) {
- xfree(plain);
- xfree(t);
- return(code);
+ xfree(plain);
+ xfree(t);
+ return(code);
}
switch(signalg) {
case SGN_ALG_DES_MAC_MD5:
case 3:
- if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL,
- (g_OID_equal(oid, gss_mech_krb5_old) ?
- seq->contents : NULL),
- md5cksum.contents, md5cksum.contents, 16))) {
- krb5_free_checksum_contents(context, &md5cksum);
- xfree (plain);
- xfree(t);
- return code;
- }
+ if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL,
+ (g_OID_equal(oid, gss_mech_krb5_old) ?
+ seq->contents : NULL),
+ md5cksum.contents, md5cksum.contents, 16))) {
+ krb5_free_checksum_contents(context, &md5cksum);
+ xfree (plain);
+ xfree(t);
+ return code;
+ }
- cksum.length = cksum_size;
- cksum.contents = md5cksum.contents + 16 - cksum.length;
+ cksum.length = cksum_size;
+ cksum.contents = md5cksum.contents + 16 - cksum.length;
- memcpy(ptr+14, cksum.contents, cksum.length);
- break;
+ memcpy(ptr+14, cksum.contents, cksum.length);
+ break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
- /*
- * Using key derivation, the call to krb5_c_make_checksum
- * already dealt with encrypting.
- */
- if (md5cksum.length != cksum_size)
- abort ();
- memcpy (ptr+14, md5cksum.contents, md5cksum.length);
- break;
+ /*
+ * Using key derivation, the call to krb5_c_make_checksum
+ * already dealt with encrypting.
+ */
+ if (md5cksum.length != cksum_size)
+ abort ();
+ memcpy (ptr+14, md5cksum.contents, md5cksum.length);
+ break;
case SGN_ALG_HMAC_MD5:
- memcpy (ptr+14, md5cksum.contents, cksum_size);
- break;
+ memcpy (ptr+14, md5cksum.contents, cksum_size);
+ break;
}
krb5_free_checksum_contents(context, &md5cksum);
/* create the seq_num */
if ((code = kg_make_seq_num(context, seq, direction?0:0xff, *seqnum,
- ptr+14, ptr+6))) {
- xfree (plain);
- xfree(t);
- return(code);
+ ptr+14, ptr+6))) {
+ xfree (plain);
+ xfree(t);
+ return(code);
}
if (do_encrypt) {
- switch(sealalg) {
- case SEAL_ALG_MICROSOFT_RC4:
- {
- unsigned char bigend_seqnum[4];
- krb5_keyblock *enc_key;
- int i;
- bigend_seqnum[0] = (*seqnum>>24) & 0xff;
- bigend_seqnum[1] = (*seqnum>>16) & 0xff;
- bigend_seqnum[2] = (*seqnum>>8) & 0xff;
- bigend_seqnum[3] = *seqnum & 0xff;
- code = krb5_copy_keyblock (context, enc, &enc_key);
- if (code)
- {
- xfree(plain);
- xfree(t);
- return(code);
- }
- assert (enc_key->length == 16);
- for (i = 0; i <= 15; i++)
- ((char *) enc_key->contents)[i] ^=0xf0;
- code = kg_arcfour_docrypt (enc_key, 0,
- bigend_seqnum, 4,
- plain, tmsglen,
- ptr+14+cksum_size);
- krb5_free_keyblock (context, enc_key);
- if (code)
- {
- xfree(plain);
- xfree(t);
- return(code);
- }
- }
- break;
- default:
- if ((code = kg_encrypt(context, enc, KG_USAGE_SEAL, NULL,
- (krb5_pointer) plain,
- (krb5_pointer) (ptr+cksum_size+14),
- tmsglen))) {
- xfree(plain);
- xfree(t);
- return(code);
- }
- }
+ switch(sealalg) {
+ case SEAL_ALG_MICROSOFT_RC4:
+ {
+ unsigned char bigend_seqnum[4];
+ krb5_keyblock *enc_key;
+ int i;
+ bigend_seqnum[0] = (*seqnum>>24) & 0xff;
+ bigend_seqnum[1] = (*seqnum>>16) & 0xff;
+ bigend_seqnum[2] = (*seqnum>>8) & 0xff;
+ bigend_seqnum[3] = *seqnum & 0xff;
+ code = krb5_copy_keyblock (context, enc, &enc_key);
+ if (code)
+ {
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
+ assert (enc_key->length == 16);
+ for (i = 0; i <= 15; i++)
+ ((char *) enc_key->contents)[i] ^=0xf0;
+ code = kg_arcfour_docrypt (enc_key, 0,
+ bigend_seqnum, 4,
+ plain, tmsglen,
+ ptr+14+cksum_size);
+ krb5_free_keyblock (context, enc_key);
+ if (code)
+ {
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
+ }
+ break;
+ default:
+ if ((code = kg_encrypt(context, enc, KG_USAGE_SEAL, NULL,
+ (krb5_pointer) plain,
+ (krb5_pointer) (ptr+cksum_size+14),
+ tmsglen))) {
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
+ }
}else {
- if (tmsglen)
- memcpy(ptr+14+cksum_size, plain, tmsglen);
+ if (tmsglen)
+ memcpy(ptr+14+cksum_size, plain, tmsglen);
}
- xfree(plain);
+ xfree(plain);
/* that's it. return the token */
OM_uint32
kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
- input_message_buffer, conf_state, output_message_buffer, toktype)
+ input_message_buffer, conf_state, output_message_buffer, toktype)
OM_uint32 *minor_status;
gss_ctx_id_t context_handle;
int conf_req_flag;
/* Only default qop or matching established cryptosystem is allowed.
- There are NO EXTENSIONS to this set for AES and friends! The
- new spec says "just use 0". The old spec plus extensions would
- actually allow for certain non-zero values. Fix this to handle
- them later. */
+ There are NO EXTENSIONS to this set for AES and friends! The
+ new spec says "just use 0". The old spec plus extensions would
+ actually allow for certain non-zero values. Fix this to handle
+ them later. */
if (qop_req != 0) {
- *minor_status = (OM_uint32) G_UNKNOWN_QOP;
- return GSS_S_FAILURE;
+ *minor_status = (OM_uint32) G_UNKNOWN_QOP;
+ return GSS_S_FAILURE;
}
/* validate the context handle */
if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
}
ctx = (krb5_gss_ctx_id_rec *) context_handle;
if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
}
context = ctx->k5_context;
if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
}
switch (ctx->proto)
{
case 0:
- code = make_seal_token_v1(context, ctx->enc, ctx->seq,
- &ctx->seq_send, ctx->initiate,
- input_message_buffer, output_message_buffer,
- ctx->signalg, ctx->cksum_size, ctx->sealalg,
- conf_req_flag, toktype, ctx->big_endian,
- ctx->mech_used);
- break;
+ code = make_seal_token_v1(context, ctx->enc, ctx->seq,
+ &ctx->seq_send, ctx->initiate,
+ input_message_buffer, output_message_buffer,
+ ctx->signalg, ctx->cksum_size, ctx->sealalg,
+ conf_req_flag, toktype, ctx->big_endian,
+ ctx->mech_used);
+ break;
case 1:
- code = gss_krb5int_make_seal_token_v3(context, ctx,
- input_message_buffer,
- output_message_buffer,
- conf_req_flag, toktype);
- break;
+ code = gss_krb5int_make_seal_token_v3(context, ctx,
+ input_message_buffer,
+ output_message_buffer,
+ conf_req_flag, toktype);
+ break;
default:
- code = G_UNKNOWN_QOP; /* XXX */
- break;
+ code = G_UNKNOWN_QOP; /* XXX */
+ break;
}
if (code) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
}
if (conf_state)
- *conf_state = conf_req_flag;
+ *conf_state = conf_req_flag;
*minor_status = 0;
return((ctx->endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/k5sealv3.c
*
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
*/
/* draft-ietf-krb-wg-gssapi-cfx-05 */
#include <assert.h>
-#include "k5-platform.h" /* for 64-bit support */
-#include "k5-int.h" /* for zap() */
+#include "k5-platform.h" /* for 64-bit support */
+#include "k5-int.h" /* for zap() */
#include "gssapiP_krb5.h"
#include <stdarg.h>
void *tbuf;
if (bufsiz == 0)
- return 1;
+ return 1;
rc = rc % bufsiz;
if (rc == 0)
- return 1;
+ return 1;
tbuf = malloc(rc);
if (tbuf == 0)
- return 0;
+ return 0;
memcpy(tbuf, ptr, rc);
memmove(ptr, (char *)ptr + rc, bufsiz - rc);
memcpy((char *)ptr + bufsiz - rc, tbuf, rc);
static const gss_buffer_desc empty_message = { 0, 0 };
-#define FLAG_SENDER_IS_ACCEPTOR 0x01
-#define FLAG_WRAP_CONFIDENTIAL 0x02
-#define FLAG_ACCEPTOR_SUBKEY 0x04
+#define FLAG_SENDER_IS_ACCEPTOR 0x01
+#define FLAG_WRAP_CONFIDENTIAL 0x02
+#define FLAG_ACCEPTOR_SUBKEY 0x04
krb5_error_code
gss_krb5int_make_seal_token_v3 (krb5_context context,
- krb5_gss_ctx_id_rec *ctx,
- const gss_buffer_desc * message,
- gss_buffer_t token,
- int conf_req_flag, int toktype)
+ krb5_gss_ctx_id_rec *ctx,
+ const gss_buffer_desc * message,
+ gss_buffer_t token,
+ int conf_req_flag, int toktype)
{
size_t bufsize = 16;
unsigned char *outbuf = 0;
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
- ? (ctx->initiate
- ? KG_USAGE_INITIATOR_SEAL
- : KG_USAGE_ACCEPTOR_SEAL)
- : (ctx->initiate
- ? KG_USAGE_INITIATOR_SIGN
- : KG_USAGE_ACCEPTOR_SIGN));
+ ? (ctx->initiate
+ ? KG_USAGE_INITIATOR_SEAL
+ : KG_USAGE_ACCEPTOR_SEAL)
+ : (ctx->initiate
+ ? KG_USAGE_INITIATOR_SIGN
+ : KG_USAGE_ACCEPTOR_SIGN));
if (ctx->have_acceptor_subkey) {
- key = ctx->acceptor_subkey;
+ key = ctx->acceptor_subkey;
} else {
- key = ctx->enc;
+ key = ctx->enc;
}
#ifdef CFX_EXERCISE
{
- static int initialized = 0;
- if (!initialized) {
- srand(time(0));
- initialized = 1;
- }
+ static int initialized = 0;
+ if (!initialized) {
+ srand(time(0));
+ initialized = 1;
+ }
}
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
- krb5_data plain;
- krb5_enc_data cipher;
- size_t ec_max;
-
- /* 300: Adds some slop. */
- if (SIZE_MAX - 300 < message->length)
- return ENOMEM;
- ec_max = SIZE_MAX - message->length - 300;
- if (ec_max > 0xffff)
- ec_max = 0xffff;
+ krb5_data plain;
+ krb5_enc_data cipher;
+ size_t ec_max;
+
+ /* 300: Adds some slop. */
+ if (SIZE_MAX - 300 < message->length)
+ return ENOMEM;
+ ec_max = SIZE_MAX - message->length - 300;
+ if (ec_max > 0xffff)
+ ec_max = 0xffff;
#ifdef CFX_EXERCISE
- /* For testing only. For performance, always set ec = 0. */
- ec = ec_max & rand();
+ /* For testing only. For performance, always set ec = 0. */
+ ec = ec_max & rand();
#else
- ec = 0;
+ ec = 0;
#endif
- plain.length = message->length + 16 + ec;
- plain.data = malloc(message->length + 16 + ec);
- if (plain.data == NULL)
- return ENOMEM;
-
- /* Get size of ciphertext. */
- bufsize = 16 + krb5_encrypt_size (plain.length, ctx->enc->enctype);
- /* Allocate space for header plus encrypted data. */
- outbuf = malloc(bufsize);
- if (outbuf == NULL) {
- free(plain.data);
- return ENOMEM;
- }
-
- /* TOK_ID */
- store_16_be(0x0504, outbuf);
- /* flags */
- outbuf[2] = (acceptor_flag
- | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
- /* filler */
- outbuf[3] = 0xff;
- /* EC */
- store_16_be(ec, outbuf+4);
- /* RRC */
- store_16_be(0, outbuf+6);
- store_64_be(ctx->seq_send, outbuf+8);
-
- memcpy(plain.data, message->value, message->length);
- memset(plain.data + message->length, 'x', ec);
- memcpy(plain.data + message->length + ec, outbuf, 16);
-
- cipher.ciphertext.data = outbuf + 16;
- cipher.ciphertext.length = bufsize - 16;
- cipher.enctype = key->enctype;
- err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
- if (err)
- goto error;
-
- /* Now that we know we're returning a valid token.... */
- ctx->seq_send++;
+ plain.length = message->length + 16 + ec;
+ plain.data = malloc(message->length + 16 + ec);
+ if (plain.data == NULL)
+ return ENOMEM;
+
+ /* Get size of ciphertext. */
+ bufsize = 16 + krb5_encrypt_size (plain.length, ctx->enc->enctype);
+ /* Allocate space for header plus encrypted data. */
+ outbuf = malloc(bufsize);
+ if (outbuf == NULL) {
+ free(plain.data);
+ return ENOMEM;
+ }
+
+ /* TOK_ID */
+ store_16_be(0x0504, outbuf);
+ /* flags */
+ outbuf[2] = (acceptor_flag
+ | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
+ | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ /* filler */
+ outbuf[3] = 0xff;
+ /* EC */
+ store_16_be(ec, outbuf+4);
+ /* RRC */
+ store_16_be(0, outbuf+6);
+ store_64_be(ctx->seq_send, outbuf+8);
+
+ memcpy(plain.data, message->value, message->length);
+ memset(plain.data + message->length, 'x', ec);
+ memcpy(plain.data + message->length + ec, outbuf, 16);
+
+ cipher.ciphertext.data = outbuf + 16;
+ cipher.ciphertext.length = bufsize - 16;
+ cipher.enctype = key->enctype;
+ err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher);
+ zap(plain.data, plain.length);
+ free(plain.data);
+ plain.data = 0;
+ if (err)
+ goto error;
+
+ /* Now that we know we're returning a valid token.... */
+ ctx->seq_send++;
#ifdef CFX_EXERCISE
- rrc = rand() & 0xffff;
- if (rotate_left(outbuf+16, bufsize-16,
- (bufsize-16) - (rrc % (bufsize - 16))))
- store_16_be(rrc, outbuf+6);
- /* If the rotate fails, don't worry about it. */
+ rrc = rand() & 0xffff;
+ if (rotate_left(outbuf+16, bufsize-16,
+ (bufsize-16) - (rrc % (bufsize - 16))))
+ store_16_be(rrc, outbuf+6);
+ /* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
- krb5_data plain;
+ krb5_data plain;
- /* Here, message is the application-supplied data; message2 is
- what goes into the output token. They may be the same, or
- message2 may be empty (for MIC). */
+ /* Here, message is the application-supplied data; message2 is
+ what goes into the output token. They may be the same, or
+ message2 may be empty (for MIC). */
- tok_id = 0x0504;
+ tok_id = 0x0504;
wrap_with_checksum:
- plain.length = message->length + 16;
- plain.data = malloc(message->length + 16);
- if (plain.data == NULL)
- return ENOMEM;
-
- if (ctx->cksum_size > 0xffff)
- abort();
-
- bufsize = 16 + message2->length + ctx->cksum_size;
- outbuf = malloc(bufsize);
- if (outbuf == NULL) {
- free(plain.data);
- plain.data = 0;
- err = ENOMEM;
- goto error;
- }
-
- /* TOK_ID */
- store_16_be(tok_id, outbuf);
- /* flags */
- outbuf[2] = (acceptor_flag
- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
- /* filler */
- outbuf[3] = 0xff;
- if (toktype == KG_TOK_WRAP_MSG) {
- /* Use 0 for checksum calculation, substitute
- checksum length later. */
- /* EC */
- store_16_be(0, outbuf+4);
- /* RRC */
- store_16_be(0, outbuf+6);
- } else {
- /* MIC and DEL store 0xFF in EC and RRC. */
- store_16_be(0xffff, outbuf+4);
- store_16_be(0xffff, outbuf+6);
- }
- store_64_be(ctx->seq_send, outbuf+8);
-
- memcpy(plain.data, message->value, message->length);
- memcpy(plain.data + message->length, outbuf, 16);
-
- /* Fill in the output token -- data contents, if any, and
- space for the checksum. */
- if (message2->length)
- memcpy(outbuf + 16, message2->value, message2->length);
-
- sum.contents = outbuf + 16 + message2->length;
- sum.length = ctx->cksum_size;
-
- err = krb5_c_make_checksum(context, ctx->cksumtype, key,
- key_usage, &plain, &sum);
- zap(plain.data, plain.length);
- free(plain.data);
- plain.data = 0;
- if (err) {
- zap(outbuf,bufsize);
- goto error;
- }
- if (sum.length != ctx->cksum_size)
- abort();
- memcpy(outbuf + 16 + message2->length, sum.contents, ctx->cksum_size);
- krb5_free_checksum_contents(context, &sum);
- sum.contents = 0;
- /* Now that we know we're actually generating the token... */
- ctx->seq_send++;
-
- if (toktype == KG_TOK_WRAP_MSG) {
+ plain.length = message->length + 16;
+ plain.data = malloc(message->length + 16);
+ if (plain.data == NULL)
+ return ENOMEM;
+
+ if (ctx->cksum_size > 0xffff)
+ abort();
+
+ bufsize = 16 + message2->length + ctx->cksum_size;
+ outbuf = malloc(bufsize);
+ if (outbuf == NULL) {
+ free(plain.data);
+ plain.data = 0;
+ err = ENOMEM;
+ goto error;
+ }
+
+ /* TOK_ID */
+ store_16_be(tok_id, outbuf);
+ /* flags */
+ outbuf[2] = (acceptor_flag
+ | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ /* filler */
+ outbuf[3] = 0xff;
+ if (toktype == KG_TOK_WRAP_MSG) {
+ /* Use 0 for checksum calculation, substitute
+ checksum length later. */
+ /* EC */
+ store_16_be(0, outbuf+4);
+ /* RRC */
+ store_16_be(0, outbuf+6);
+ } else {
+ /* MIC and DEL store 0xFF in EC and RRC. */
+ store_16_be(0xffff, outbuf+4);
+ store_16_be(0xffff, outbuf+6);
+ }
+ store_64_be(ctx->seq_send, outbuf+8);
+
+ memcpy(plain.data, message->value, message->length);
+ memcpy(plain.data + message->length, outbuf, 16);
+
+ /* Fill in the output token -- data contents, if any, and
+ space for the checksum. */
+ if (message2->length)
+ memcpy(outbuf + 16, message2->value, message2->length);
+
+ sum.contents = outbuf + 16 + message2->length;
+ sum.length = ctx->cksum_size;
+
+ err = krb5_c_make_checksum(context, ctx->cksumtype, key,
+ key_usage, &plain, &sum);
+ zap(plain.data, plain.length);
+ free(plain.data);
+ plain.data = 0;
+ if (err) {
+ zap(outbuf,bufsize);
+ goto error;
+ }
+ if (sum.length != ctx->cksum_size)
+ abort();
+ memcpy(outbuf + 16 + message2->length, sum.contents, ctx->cksum_size);
+ krb5_free_checksum_contents(context, &sum);
+ sum.contents = 0;
+ /* Now that we know we're actually generating the token... */
+ ctx->seq_send++;
+
+ if (toktype == KG_TOK_WRAP_MSG) {
#ifdef CFX_EXERCISE
- rrc = rand() & 0xffff;
- /* If the rotate fails, don't worry about it. */
- if (rotate_left(outbuf+16, bufsize-16,
- (bufsize-16) - (rrc % (bufsize - 16))))
- store_16_be(rrc, outbuf+6);
+ rrc = rand() & 0xffff;
+ /* If the rotate fails, don't worry about it. */
+ if (rotate_left(outbuf+16, bufsize-16,
+ (bufsize-16) - (rrc % (bufsize - 16))))
+ store_16_be(rrc, outbuf+6);
#endif
- /* Fix up EC field. */
- store_16_be(ctx->cksum_size, outbuf+4);
- } else {
- store_16_be(0xffff, outbuf+6);
- }
+ /* Fix up EC field. */
+ store_16_be(ctx->cksum_size, outbuf+4);
+ } else {
+ store_16_be(0xffff, outbuf+6);
+ }
} else if (toktype == KG_TOK_MIC_MSG) {
- tok_id = 0x0404;
- message2 = &empty_message;
- goto wrap_with_checksum;
+ tok_id = 0x0404;
+ message2 = &empty_message;
+ goto wrap_with_checksum;
} else if (toktype == KG_TOK_DEL_CTX) {
- tok_id = 0x0405;
- message = message2 = &empty_message;
- goto wrap_with_checksum;
+ tok_id = 0x0405;
+ message = message2 = &empty_message;
+ goto wrap_with_checksum;
} else
- abort();
+ abort();
token->value = outbuf;
token->length = bufsize;
OM_uint32
gss_krb5int_unseal_token_v3(krb5_context *contextptr,
- OM_uint32 *minor_status,
- krb5_gss_ctx_id_rec *ctx,
- unsigned char *ptr, unsigned int bodysize,
- gss_buffer_t message_buffer,
- int *conf_state, int *qop_state, int toktype)
+ OM_uint32 *minor_status,
+ krb5_gss_ctx_id_rec *ctx,
+ unsigned char *ptr, unsigned int bodysize,
+ gss_buffer_t message_buffer,
+ int *conf_state, int *qop_state, int toktype)
{
krb5_context context = *contextptr;
krb5_data plain;
assert(ctx->proto == 1);
if (qop_state)
- *qop_state = GSS_C_QOP_DEFAULT;
+ *qop_state = GSS_C_QOP_DEFAULT;
acceptor_flag = ctx->initiate ? FLAG_SENDER_IS_ACCEPTOR : 0;
key_usage = (toktype == KG_TOK_WRAP_MSG
- ? (!ctx->initiate
- ? KG_USAGE_INITIATOR_SEAL
- : KG_USAGE_ACCEPTOR_SEAL)
- : (!ctx->initiate
- ? KG_USAGE_INITIATOR_SIGN
- : KG_USAGE_ACCEPTOR_SIGN));
+ ? (!ctx->initiate
+ ? KG_USAGE_INITIATOR_SEAL
+ : KG_USAGE_ACCEPTOR_SEAL)
+ : (!ctx->initiate
+ ? KG_USAGE_INITIATOR_SIGN
+ : KG_USAGE_ACCEPTOR_SIGN));
/* Oops. I wrote this code assuming ptr would be at the start of
the token header. */
if (bodysize < 16) {
defective:
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) {
- *minor_status = G_BAD_DIRECTION;
- return GSS_S_BAD_SIG;
+ *minor_status = G_BAD_DIRECTION;
+ return GSS_S_BAD_SIG;
}
/* Two things to note here.
- First, we can't really enforce the use of the acceptor's subkey,
- if we're the acceptor; the initiator may have sent messages
- before getting the subkey. We could probably enforce it if
- we're the initiator.
-
- Second, if someone tweaks the code to not set the flag telling
- the krb5 library to generate a new subkey in the AP-REP
- message, the MIT library may include a subkey anyways --
- namely, a copy of the AP-REQ subkey, if it was provided. So
- the initiator may think we wanted a subkey, and set the flag,
- even though we weren't trying to set the subkey. The "other"
- key, the one not asserted by the acceptor, will have the same
- value in that case, though, so we can just ignore the flag. */
+ First, we can't really enforce the use of the acceptor's subkey,
+ if we're the acceptor; the initiator may have sent messages
+ before getting the subkey. We could probably enforce it if
+ we're the initiator.
+
+ Second, if someone tweaks the code to not set the flag telling
+ the krb5 library to generate a new subkey in the AP-REP
+ message, the MIT library may include a subkey anyways --
+ namely, a copy of the AP-REQ subkey, if it was provided. So
+ the initiator may think we wanted a subkey, and set the flag,
+ even though we weren't trying to set the subkey. The "other"
+ key, the one not asserted by the acceptor, will have the same
+ value in that case, though, so we can just ignore the flag. */
if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) {
- key = ctx->acceptor_subkey;
+ key = ctx->acceptor_subkey;
} else {
- key = ctx->enc;
+ key = ctx->enc;
}
if (toktype == KG_TOK_WRAP_MSG) {
- if (load_16_be(ptr) != 0x0504)
- goto defective;
- if (ptr[3] != 0xff)
- goto defective;
- ec = load_16_be(ptr+4);
- rrc = load_16_be(ptr+6);
- seqnum = load_64_be(ptr+8);
- if (!rotate_left(ptr+16, bodysize-16, rrc)) {
- no_mem:
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) {
- /* confidentiality */
- krb5_enc_data cipher;
- unsigned char *althdr;
-
- if (conf_state)
- *conf_state = 1;
- /* Do we have no decrypt_size function?
-
- For all current cryptosystems, the ciphertext size will
- be larger than the plaintext size. */
- cipher.enctype = key->enctype;
- cipher.ciphertext.length = bodysize - 16;
- cipher.ciphertext.data = ptr + 16;
- plain.length = bodysize - 16;
- plain.data = malloc(plain.length);
- if (plain.data == NULL)
- goto no_mem;
- err = krb5_c_decrypt(context, key, key_usage, 0,
- &cipher, &plain);
- if (err) {
- free(plain.data);
- goto error;
- }
- /* Don't use bodysize here! Use the fact that
- cipher.ciphertext.length has been adjusted to the
- correct length. */
- althdr = plain.data + plain.length - 16;
- if (load_16_be(althdr) != 0x0504
- || althdr[2] != ptr[2]
- || althdr[3] != ptr[3]
- || memcmp(althdr+8, ptr+8, 8)) {
- free(plain.data);
- goto defective;
- }
- message_buffer->value = plain.data;
- message_buffer->length = plain.length - ec - 16;
- if(message_buffer->length == 0) {
- free(message_buffer->value);
- message_buffer->value = NULL;
- }
- } else {
- /* no confidentiality */
- if (conf_state)
- *conf_state = 0;
- if (ec + 16 < ec)
- /* overflow check */
- goto defective;
- if (ec + 16 > bodysize)
- goto defective;
- /* We have: header | msg | cksum.
- We need cksum(msg | header).
- Rotate the first two. */
- store_16_be(0, ptr+4);
- store_16_be(0, ptr+6);
- plain.length = bodysize-ec;
- plain.data = ptr;
- if (!rotate_left(ptr, bodysize-ec, 16))
- goto no_mem;
- sum.length = ec;
- if (sum.length != ctx->cksum_size) {
- *minor_status = 0;
- return GSS_S_BAD_SIG;
- }
- sum.contents = ptr+bodysize-ec;
- sum.checksum_type = ctx->cksumtype;
- err = krb5_c_verify_checksum(context, key, key_usage,
- &plain, &sum, &valid);
- if (err)
- goto error;
- if (!valid) {
- *minor_status = 0;
- return GSS_S_BAD_SIG;
- }
- message_buffer->length = plain.length - 16;
- message_buffer->value = malloc(message_buffer->length);
- if (message_buffer->value == NULL)
- goto no_mem;
- memcpy(message_buffer->value, plain.data, message_buffer->length);
- }
- err = g_order_check(&ctx->seqstate, seqnum);
- *minor_status = 0;
- return err;
+ if (load_16_be(ptr) != 0x0504)
+ goto defective;
+ if (ptr[3] != 0xff)
+ goto defective;
+ ec = load_16_be(ptr+4);
+ rrc = load_16_be(ptr+6);
+ seqnum = load_64_be(ptr+8);
+ if (!rotate_left(ptr+16, bodysize-16, rrc)) {
+ no_mem:
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) {
+ /* confidentiality */
+ krb5_enc_data cipher;
+ unsigned char *althdr;
+
+ if (conf_state)
+ *conf_state = 1;
+ /* Do we have no decrypt_size function?
+
+ For all current cryptosystems, the ciphertext size will
+ be larger than the plaintext size. */
+ cipher.enctype = key->enctype;
+ cipher.ciphertext.length = bodysize - 16;
+ cipher.ciphertext.data = ptr + 16;
+ plain.length = bodysize - 16;
+ plain.data = malloc(plain.length);
+ if (plain.data == NULL)
+ goto no_mem;
+ err = krb5_c_decrypt(context, key, key_usage, 0,
+ &cipher, &plain);
+ if (err) {
+ free(plain.data);
+ goto error;
+ }
+ /* Don't use bodysize here! Use the fact that
+ cipher.ciphertext.length has been adjusted to the
+ correct length. */
+ althdr = plain.data + plain.length - 16;
+ if (load_16_be(althdr) != 0x0504
+ || althdr[2] != ptr[2]
+ || althdr[3] != ptr[3]
+ || memcmp(althdr+8, ptr+8, 8)) {
+ free(plain.data);
+ goto defective;
+ }
+ message_buffer->value = plain.data;
+ message_buffer->length = plain.length - ec - 16;
+ if(message_buffer->length == 0) {
+ free(message_buffer->value);
+ message_buffer->value = NULL;
+ }
+ } else {
+ /* no confidentiality */
+ if (conf_state)
+ *conf_state = 0;
+ if (ec + 16 < ec)
+ /* overflow check */
+ goto defective;
+ if (ec + 16 > bodysize)
+ goto defective;
+ /* We have: header | msg | cksum.
+ We need cksum(msg | header).
+ Rotate the first two. */
+ store_16_be(0, ptr+4);
+ store_16_be(0, ptr+6);
+ plain.length = bodysize-ec;
+ plain.data = ptr;
+ if (!rotate_left(ptr, bodysize-ec, 16))
+ goto no_mem;
+ sum.length = ec;
+ if (sum.length != ctx->cksum_size) {
+ *minor_status = 0;
+ return GSS_S_BAD_SIG;
+ }
+ sum.contents = ptr+bodysize-ec;
+ sum.checksum_type = ctx->cksumtype;
+ err = krb5_c_verify_checksum(context, key, key_usage,
+ &plain, &sum, &valid);
+ if (err)
+ goto error;
+ if (!valid) {
+ *minor_status = 0;
+ return GSS_S_BAD_SIG;
+ }
+ message_buffer->length = plain.length - 16;
+ message_buffer->value = malloc(message_buffer->length);
+ if (message_buffer->value == NULL)
+ goto no_mem;
+ memcpy(message_buffer->value, plain.data, message_buffer->length);
+ }
+ err = g_order_check(&ctx->seqstate, seqnum);
+ *minor_status = 0;
+ return err;
} else if (toktype == KG_TOK_MIC_MSG) {
- /* wrap token, no confidentiality */
- if (load_16_be(ptr) != 0x0404)
- goto defective;
+ /* wrap token, no confidentiality */
+ if (load_16_be(ptr) != 0x0404)
+ goto defective;
verify_mic_1:
- if (ptr[3] != 0xff)
- goto defective;
- if (load_32_be(ptr+4) != 0xffffffffL)
- goto defective;
- seqnum = load_64_be(ptr+8);
- plain.length = message_buffer->length + 16;
- plain.data = malloc(plain.length);
- if (plain.data == NULL)
- goto no_mem;
- if (message_buffer->length)
- memcpy(plain.data, message_buffer->value, message_buffer->length);
- memcpy(plain.data + message_buffer->length, ptr, 16);
- sum.length = bodysize - 16;
- sum.contents = ptr + 16;
- sum.checksum_type = ctx->cksumtype;
- err = krb5_c_verify_checksum(context, key, key_usage,
- &plain, &sum, &valid);
- free(plain.data);
- plain.data = NULL;
- if (err) {
- error:
- *minor_status = err;
- save_error_info(*minor_status, context);
- return GSS_S_BAD_SIG; /* XXX */
- }
- if (!valid) {
- *minor_status = 0;
- return GSS_S_BAD_SIG;
- }
- err = g_order_check(&ctx->seqstate, seqnum);
- *minor_status = 0;
- return err;
+ if (ptr[3] != 0xff)
+ goto defective;
+ if (load_32_be(ptr+4) != 0xffffffffL)
+ goto defective;
+ seqnum = load_64_be(ptr+8);
+ plain.length = message_buffer->length + 16;
+ plain.data = malloc(plain.length);
+ if (plain.data == NULL)
+ goto no_mem;
+ if (message_buffer->length)
+ memcpy(plain.data, message_buffer->value, message_buffer->length);
+ memcpy(plain.data + message_buffer->length, ptr, 16);
+ sum.length = bodysize - 16;
+ sum.contents = ptr + 16;
+ sum.checksum_type = ctx->cksumtype;
+ err = krb5_c_verify_checksum(context, key, key_usage,
+ &plain, &sum, &valid);
+ free(plain.data);
+ plain.data = NULL;
+ if (err) {
+ error:
+ *minor_status = err;
+ save_error_info(*minor_status, context);
+ return GSS_S_BAD_SIG; /* XXX */
+ }
+ if (!valid) {
+ *minor_status = 0;
+ return GSS_S_BAD_SIG;
+ }
+ err = g_order_check(&ctx->seqstate, seqnum);
+ *minor_status = 0;
+ return err;
} else if (toktype == KG_TOK_DEL_CTX) {
- if (load_16_be(ptr) != 0x0405)
- goto defective;
- message_buffer = &empty_message;
- goto verify_mic_1;
+ if (load_16_be(ptr) != 0x0405)
+ goto defective;
+ message_buffer = &empty_message;
+ goto verify_mic_1;
} else {
- goto defective;
+ goto defective;
}
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2001, 2007 by the Massachusetts Institute of Technology.
* Copyright 1993 by OpenVision Technologies, Inc.
static OM_uint32
kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
- conf_state, qop_state, toktype)
+ conf_state, qop_state, toktype)
krb5_context context;
OM_uint32 *minor_status;
krb5_gss_ctx_id_rec *ctx;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
if (toktype == KG_TOK_SEAL_MSG) {
- message_buffer->length = 0;
- message_buffer->value = NULL;
+ message_buffer->length = 0;
+ message_buffer->value = NULL;
}
/* get the sign and seal algorithms */
/* Sanity checks */
if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
if ((toktype != KG_TOK_SEAL_MSG) &&
- (sealalg != 0xffff)) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ (sealalg != 0xffff)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
/* in the current spec, there is only one valid seal algorithm per
key type, so a simple comparison is ok */
if ((toktype == KG_TOK_SEAL_MSG) &&
- !((sealalg == 0xffff) ||
- (sealalg == ctx->sealalg))) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ !((sealalg == 0xffff) ||
+ (sealalg == ctx->sealalg))) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
/* there are several mappings of seal algorithms to sign algorithms,
but few enough that we can try them all. */
if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
- (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
- (ctx->sealalg == SEAL_ALG_DES3KD &&
- signalg != SGN_ALG_HMAC_SHA1_DES3_KD)||
- (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 &&
- signalg != SGN_ALG_HMAC_MD5)) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
+ (ctx->sealalg == SEAL_ALG_DES3KD &&
+ signalg != SGN_ALG_HMAC_SHA1_DES3_KD)||
+ (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 &&
+ signalg != SGN_ALG_HMAC_MD5)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
case SGN_ALG_HMAC_MD5:
- cksum_len = 8;
- if (toktype != KG_TOK_SEAL_MSG)
- sign_usage = 15;
- break;
+ cksum_len = 8;
+ if (toktype != KG_TOK_SEAL_MSG)
+ sign_usage = 15;
+ break;
case SGN_ALG_3:
- cksum_len = 16;
- break;
+ cksum_len = 16;
+ break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
- cksum_len = 20;
- break;
+ cksum_len = 20;
+ break;
default:
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
/* get the token parameters */
if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
- &seqnum))) {
- *minor_status = code;
- return(GSS_S_BAD_SIG);
+ &seqnum))) {
+ *minor_status = code;
+ return(GSS_S_BAD_SIG);
}
/* decode the message, if SEAL */
if (toktype == KG_TOK_SEAL_MSG) {
- int tmsglen = bodysize-(14+cksum_len);
- if (sealalg != 0xffff) {
- if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- if (ctx->enc->enctype == ENCTYPE_ARCFOUR_HMAC) {
- unsigned char bigend_seqnum[4];
- krb5_keyblock *enc_key;
- int i;
- bigend_seqnum[0] = (seqnum>>24) & 0xff;
- bigend_seqnum[1] = (seqnum>>16) & 0xff;
- bigend_seqnum[2] = (seqnum>>8) & 0xff;
- bigend_seqnum[3] = seqnum & 0xff;
- code = krb5_copy_keyblock (context, ctx->enc, &enc_key);
- if (code)
- {
- xfree(plain);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- assert (enc_key->length == 16);
- for (i = 0; i <= 15; i++)
- ((char *) enc_key->contents)[i] ^=0xf0;
- code = kg_arcfour_docrypt (enc_key, 0,
- &bigend_seqnum[0], 4,
- ptr+14+cksum_len, tmsglen,
- plain);
- krb5_free_keyblock (context, enc_key);
- } else {
- code = kg_decrypt(context, ctx->enc, KG_USAGE_SEAL, NULL,
- ptr+14+cksum_len, plain, tmsglen);
- }
- if (code) {
- xfree(plain);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- } else {
- plain = ptr+14+cksum_len;
- }
-
- plainlen = tmsglen;
-
- if ((sealalg == 0xffff) && ctx->big_endian) {
- token.length = tmsglen;
- } else {
- conflen = kg_confounder_size(context, ctx->enc);
- token.length = tmsglen - conflen - plain[tmsglen-1];
- }
-
- if (token.length) {
- if ((token.value = (void *) xmalloc(token.length)) == NULL) {
- if (sealalg != 0xffff)
- xfree(plain);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- memcpy(token.value, plain+conflen, token.length);
- } else {
- token.value = NULL;
- }
+ int tmsglen = bodysize-(14+cksum_len);
+ if (sealalg != 0xffff) {
+ if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ if (ctx->enc->enctype == ENCTYPE_ARCFOUR_HMAC) {
+ unsigned char bigend_seqnum[4];
+ krb5_keyblock *enc_key;
+ int i;
+ bigend_seqnum[0] = (seqnum>>24) & 0xff;
+ bigend_seqnum[1] = (seqnum>>16) & 0xff;
+ bigend_seqnum[2] = (seqnum>>8) & 0xff;
+ bigend_seqnum[3] = seqnum & 0xff;
+ code = krb5_copy_keyblock (context, ctx->enc, &enc_key);
+ if (code)
+ {
+ xfree(plain);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
+ assert (enc_key->length == 16);
+ for (i = 0; i <= 15; i++)
+ ((char *) enc_key->contents)[i] ^=0xf0;
+ code = kg_arcfour_docrypt (enc_key, 0,
+ &bigend_seqnum[0], 4,
+ ptr+14+cksum_len, tmsglen,
+ plain);
+ krb5_free_keyblock (context, enc_key);
+ } else {
+ code = kg_decrypt(context, ctx->enc, KG_USAGE_SEAL, NULL,
+ ptr+14+cksum_len, plain, tmsglen);
+ }
+ if (code) {
+ xfree(plain);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ plain = ptr+14+cksum_len;
+ }
+
+ plainlen = tmsglen;
+
+ if ((sealalg == 0xffff) && ctx->big_endian) {
+ token.length = tmsglen;
+ } else {
+ conflen = kg_confounder_size(context, ctx->enc);
+ token.length = tmsglen - conflen - plain[tmsglen-1];
+ }
+
+ if (token.length) {
+ if ((token.value = (void *) xmalloc(token.length)) == NULL) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ memcpy(token.value, plain+conflen, token.length);
+ } else {
+ token.value = NULL;
+ }
} else if (toktype == KG_TOK_SIGN_MSG) {
- token = *message_buffer;
- plain = token.value;
- plainlen = token.length;
+ token = *message_buffer;
+ plain = token.value;
+ plainlen = token.length;
} else {
- token.length = 0;
- token.value = NULL;
- plain = token.value;
- plainlen = token.length;
+ token.length = 0;
+ token.value = NULL;
+ plain = token.value;
+ plainlen = token.length;
}
/* compute the checksum of the message */
case SGN_ALG_MD2_5:
case SGN_ALG_DES_MAC:
case SGN_ALG_3:
- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
+ break;
case SGN_ALG_HMAC_MD5:
- md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+ break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
- md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
- break;
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+ break;
default:
- abort ();
+ abort ();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code)
- return(code);
+ return(code);
md5cksum.length = sumlen;
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_3:
- /* compute the checksum of the message */
-
- /* 8 = bytes of token body to be checksummed according to spec */
-
- if (! (data_ptr = (void *)
- xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
- if (sealalg != 0xffff)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
-
- (void) memcpy(data_ptr, ptr-2, 8);
-
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8, token.value, token.length);
- else
- (void) memcpy(data_ptr+8, plain, plainlen);
-
- plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
- plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
- ctx->seq, sign_usage,
- &plaind, &md5cksum);
- xfree(data_ptr);
-
- if (code) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if ((code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
- (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
- ctx->seq->contents : NULL),
- md5cksum.contents, md5cksum.contents, 16))) {
- krb5_free_checksum_contents(context, &md5cksum);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- if (signalg == 0)
- cksum.length = 8;
- else
- cksum.length = 16;
- cksum.contents = md5cksum.contents + 16 - cksum.length;
-
- code = memcmp(cksum.contents, ptr+14, cksum.length);
- break;
+ /* compute the checksum of the message */
+
+ /* 8 = bytes of token body to be checksummed according to spec */
+
+ if (! (data_ptr = (void *)
+ xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+
+ (void) memcpy(data_ptr, ptr-2, 8);
+
+ if (ctx->big_endian)
+ (void) memcpy(data_ptr+8, token.value, token.length);
+ else
+ (void) memcpy(data_ptr+8, plain, plainlen);
+
+ plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
+ plaind.data = data_ptr;
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ ctx->seq, sign_usage,
+ &plaind, &md5cksum);
+ xfree(data_ptr);
+
+ if (code) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
+ if ((code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
+ (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
+ ctx->seq->contents : NULL),
+ md5cksum.contents, md5cksum.contents, 16))) {
+ krb5_free_checksum_contents(context, &md5cksum);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ if (signalg == 0)
+ cksum.length = 8;
+ else
+ cksum.length = 16;
+ cksum.contents = md5cksum.contents + 16 - cksum.length;
+
+ code = memcmp(cksum.contents, ptr+14, cksum.length);
+ break;
case SGN_ALG_MD2_5:
- if (!ctx->seed_init &&
- (code = kg_make_seed(context, ctx->subkey, ctx->seed))) {
- krb5_free_checksum_contents(context, &md5cksum);
- if (sealalg != 0xffff)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- if (! (data_ptr = (void *)
- xmalloc(sizeof(ctx->seed) + 8 +
- (ctx->big_endian ? token.length : plainlen)))) {
- krb5_free_checksum_contents(context, &md5cksum);
- if (sealalg == 0)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- (void) memcpy(data_ptr, ptr-2, 8);
- (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed));
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8+sizeof(ctx->seed),
- token.value, token.length);
- else
- (void) memcpy(data_ptr+8+sizeof(ctx->seed),
- plain, plainlen);
- plaind.length = 8 + sizeof(ctx->seed) +
- (ctx->big_endian ? token.length : plainlen);
- plaind.data = data_ptr;
- krb5_free_checksum_contents(context, &md5cksum);
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
- ctx->seq, sign_usage,
- &plaind, &md5cksum);
- xfree(data_ptr);
-
- if (code) {
- if (sealalg == 0)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- code = memcmp(md5cksum.contents, ptr+14, 8);
- /* Falls through to defective-token?? */
+ if (!ctx->seed_init &&
+ (code = kg_make_seed(context, ctx->subkey, ctx->seed))) {
+ krb5_free_checksum_contents(context, &md5cksum);
+ if (sealalg != 0xffff)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+
+ if (! (data_ptr = (void *)
+ xmalloc(sizeof(ctx->seed) + 8 +
+ (ctx->big_endian ? token.length : plainlen)))) {
+ krb5_free_checksum_contents(context, &md5cksum);
+ if (sealalg == 0)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ (void) memcpy(data_ptr, ptr-2, 8);
+ (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed));
+ if (ctx->big_endian)
+ (void) memcpy(data_ptr+8+sizeof(ctx->seed),
+ token.value, token.length);
+ else
+ (void) memcpy(data_ptr+8+sizeof(ctx->seed),
+ plain, plainlen);
+ plaind.length = 8 + sizeof(ctx->seed) +
+ (ctx->big_endian ? token.length : plainlen);
+ plaind.data = data_ptr;
+ krb5_free_checksum_contents(context, &md5cksum);
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ ctx->seq, sign_usage,
+ &plaind, &md5cksum);
+ xfree(data_ptr);
+
+ if (code) {
+ if (sealalg == 0)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
+ code = memcmp(md5cksum.contents, ptr+14, 8);
+ /* Falls through to defective-token?? */
default:
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
case SGN_ALG_HMAC_SHA1_DES3_KD:
case SGN_ALG_HMAC_MD5:
- /* compute the checksum of the message */
-
- /* 8 = bytes of token body to be checksummed according to spec */
-
- if (! (data_ptr = (void *)
- xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
- if (sealalg != 0xffff)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
-
- (void) memcpy(data_ptr, ptr-2, 8);
-
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8, token.value, token.length);
- else
- (void) memcpy(data_ptr+8, plain, plainlen);
-
- plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
- plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
- ctx->seq, sign_usage,
- &plaind, &md5cksum);
- xfree(data_ptr);
-
- if (code) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- code = memcmp(md5cksum.contents, ptr+14, cksum_len);
- break;
+ /* compute the checksum of the message */
+
+ /* 8 = bytes of token body to be checksummed according to spec */
+
+ if (! (data_ptr = (void *)
+ xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+
+ (void) memcpy(data_ptr, ptr-2, 8);
+
+ if (ctx->big_endian)
+ (void) memcpy(data_ptr+8, token.value, token.length);
+ else
+ (void) memcpy(data_ptr+8, plain, plainlen);
+
+ plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
+ plaind.data = data_ptr;
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ ctx->seq, sign_usage,
+ &plaind, &md5cksum);
+ xfree(data_ptr);
+
+ if (code) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
+ code = memcmp(md5cksum.contents, ptr+14, cksum_len);
+ break;
}
krb5_free_checksum_contents(context, &md5cksum);
if (sealalg != 0xffff)
- xfree(plain);
+ xfree(plain);
/* compare the computed checksum against the transmitted checksum */
if (code) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = 0;
- return(GSS_S_BAD_SIG);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = 0;
+ return(GSS_S_BAD_SIG);
}
/* it got through unscathed. Make sure the context is unexpired */
if (toktype == KG_TOK_SEAL_MSG)
- *message_buffer = token;
+ *message_buffer = token;
if (conf_state)
- *conf_state = (sealalg != 0xffff);
+ *conf_state = (sealalg != 0xffff);
if (qop_state)
- *qop_state = GSS_C_QOP_DEFAULT;
+ *qop_state = GSS_C_QOP_DEFAULT;
if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
}
if (now > ctx->endtime) {
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
+ *minor_status = 0;
+ return(GSS_S_CONTEXT_EXPIRED);
}
/* do sequencing checks */
if ((ctx->initiate && direction != 0xff) ||
- (!ctx->initiate && direction != 0)) {
- if (toktype == KG_TOK_SEAL_MSG) {
- xfree(token.value);
- message_buffer->value = NULL;
- message_buffer->length = 0;
- }
- *minor_status = G_BAD_DIRECTION;
- return(GSS_S_BAD_SIG);
+ (!ctx->initiate && direction != 0)) {
+ if (toktype == KG_TOK_SEAL_MSG) {
+ xfree(token.value);
+ message_buffer->value = NULL;
+ message_buffer->length = 0;
+ }
+ *minor_status = G_BAD_DIRECTION;
+ return(GSS_S_BAD_SIG);
}
retval = g_order_check(&(ctx->seqstate), seqnum);
OM_uint32
kg_unseal(minor_status, context_handle, input_token_buffer,
- message_buffer, conf_state, qop_state, toktype)
+ message_buffer, conf_state, qop_state, toktype)
OM_uint32 *minor_status;
gss_ctx_id_t context_handle;
gss_buffer_t input_token_buffer;
/* validate the context handle */
if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
}
ctx = (krb5_gss_ctx_id_rec *) context_handle;
if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
}
/* parse the token, leave the data in message_buffer, setting conf_state */
ptr = (unsigned char *) input_token_buffer->value;
if (ctx->proto)
- switch (toktype) {
- case KG_TOK_SIGN_MSG:
- toktype2 = 0x0404;
- break;
- case KG_TOK_SEAL_MSG:
- toktype2 = 0x0504;
- break;
- case KG_TOK_DEL_CTX:
- toktype2 = 0x0405;
- break;
- default:
- toktype2 = toktype;
- break;
- }
+ switch (toktype) {
+ case KG_TOK_SIGN_MSG:
+ toktype2 = 0x0404;
+ break;
+ case KG_TOK_SEAL_MSG:
+ toktype2 = 0x0504;
+ break;
+ case KG_TOK_DEL_CTX:
+ toktype2 = 0x0405;
+ break;
+ default:
+ toktype2 = toktype;
+ break;
+ }
else
- toktype2 = toktype;
+ toktype2 = toktype;
err = g_verify_token_header(ctx->mech_used,
- &bodysize, &ptr, toktype2,
- input_token_buffer->length,
- !ctx->proto);
+ &bodysize, &ptr, toktype2,
+ input_token_buffer->length,
+ !ctx->proto);
if (err) {
- *minor_status = err;
- return GSS_S_DEFECTIVE_TOKEN;
+ *minor_status = err;
+ return GSS_S_DEFECTIVE_TOKEN;
}
if (ctx->proto == 0)
- ret = kg_unseal_v1(ctx->k5_context, minor_status, ctx, ptr, bodysize,
- message_buffer, conf_state, qop_state,
- toktype);
+ ret = kg_unseal_v1(ctx->k5_context, minor_status, ctx, ptr, bodysize,
+ message_buffer, conf_state, qop_state,
+ toktype);
else
- ret = gss_krb5int_unseal_token_v3(&ctx->k5_context, minor_status, ctx,
- ptr, bodysize, message_buffer,
- conf_state, qop_state, toktype);
+ ret = gss_krb5int_unseal_token_v3(&ctx->k5_context, minor_status, ctx,
+ ptr, bodysize, message_buffer,
+ conf_state, qop_state, toktype);
if (ret != 0)
- save_error_info (*minor_status, ctx->k5_context);
+ save_error_info (*minor_status, ctx->k5_context);
return ret;
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/** mechglue wrappers **/
-static OM_uint32 k5glue_acquire_cred
-(void *, OM_uint32*, /* minor_status */
- gss_name_t, /* desired_name */
- OM_uint32, /* time_req */
- gss_OID_set, /* desired_mechs */
- gss_cred_usage_t, /* cred_usage */
- gss_cred_id_t*, /* output_cred_handle */
- gss_OID_set*, /* actual_mechs */
- OM_uint32* /* time_rec */
- );
-
-static OM_uint32 k5glue_release_cred
-(void *, OM_uint32*, /* minor_status */
- gss_cred_id_t* /* cred_handle */
- );
-
-static OM_uint32 k5glue_init_sec_context
-(void *, OM_uint32*, /* minor_status */
- gss_cred_id_t, /* claimant_cred_handle */
- gss_ctx_id_t*, /* context_handle */
- gss_name_t, /* target_name */
- gss_OID, /* mech_type */
- OM_uint32, /* req_flags */
- OM_uint32, /* time_req */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_buffer_t, /* input_token */
- gss_OID*, /* actual_mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32*, /* ret_flags */
- OM_uint32* /* time_rec */
- );
-
+static OM_uint32 k5glue_acquire_cred(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t*, /* output_cred_handle */
+ gss_OID_set*, /* actual_mechs */
+ OM_uint32* /* time_rec */
+);
+
+static OM_uint32 k5glue_release_cred(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_cred_id_t* /* cred_handle */
+);
+
+static OM_uint32 k5glue_init_sec_context(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_cred_id_t, /* claimant_cred_handle */
+ gss_ctx_id_t*, /* context_handle */
+ gss_name_t, /* target_name */
+ gss_OID, /* mech_type */
+ OM_uint32, /* req_flags */
+ OM_uint32, /* time_req */
+ gss_channel_bindings_t,
+ /* input_chan_bindings */
+ gss_buffer_t, /* input_token */
+ gss_OID*, /* actual_mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32*, /* ret_flags */
+ OM_uint32* /* time_rec */
+);
+
#ifndef LEAN_CLIENT
-static OM_uint32 k5glue_accept_sec_context
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t*, /* context_handle */
- gss_cred_id_t, /* verifier_cred_handle */
- gss_buffer_t, /* input_token_buffer */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_name_t*, /* src_name */
- gss_OID*, /* mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32*, /* ret_flags */
- OM_uint32*, /* time_rec */
- gss_cred_id_t* /* delegated_cred_handle */
- );
+static OM_uint32 k5glue_accept_sec_context(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_ctx_id_t*, /* context_handle */
+ gss_cred_id_t, /* verifier_cred_handle */
+ gss_buffer_t, /* input_token_buffer */
+ gss_channel_bindings_t,
+ /* input_chan_bindings */
+ gss_name_t*, /* src_name */
+ gss_OID*, /* mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32*, /* ret_flags */
+ OM_uint32*, /* time_rec */
+ gss_cred_id_t* /* delegated_cred_handle */
+);
#endif /* LEAN_CLIENT */
-static OM_uint32 k5glue_process_context_token
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t /* token_buffer */
- );
-
-static OM_uint32 k5glue_delete_sec_context
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t*, /* context_handle */
- gss_buffer_t /* output_token */
- );
-
-static OM_uint32 k5glue_context_time
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- OM_uint32* /* time_rec */
- );
-
-static OM_uint32 k5glue_sign
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
-
-static OM_uint32 k5glue_verify
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* token_buffer */
- int* /* qop_state */
- );
-
-static OM_uint32 k5glue_seal
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- int, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int*, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
-
-static OM_uint32 k5glue_unseal
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int*, /* conf_state */
- int* /* qop_state */
- );
-
-static OM_uint32 k5glue_display_status
-(void *, OM_uint32*, /* minor_status */
- OM_uint32, /* status_value */
- int, /* status_type */
- gss_OID, /* mech_type */
- OM_uint32*, /* message_context */
- gss_buffer_t /* status_string */
- );
-
-static OM_uint32 k5glue_indicate_mechs
-(void *, OM_uint32*, /* minor_status */
- gss_OID_set* /* mech_set */
- );
-
-static OM_uint32 k5glue_compare_name
-(void *, OM_uint32*, /* minor_status */
- gss_name_t, /* name1 */
- gss_name_t, /* name2 */
- int* /* name_equal */
- );
-
-static OM_uint32 k5glue_display_name
-(void *, OM_uint32*, /* minor_status */
- gss_name_t, /* input_name */
- gss_buffer_t, /* output_name_buffer */
- gss_OID* /* output_name_type */
- );
-
-static OM_uint32 k5glue_import_name
-(void *, OM_uint32*, /* minor_status */
- gss_buffer_t, /* input_name_buffer */
- gss_OID, /* input_name_type */
- gss_name_t* /* output_name */
- );
-
-static OM_uint32 k5glue_release_name
-(void *, OM_uint32*, /* minor_status */
- gss_name_t* /* input_name */
- );
-
-static OM_uint32 k5glue_inquire_cred
-(void *, OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_name_t *, /* name */
- OM_uint32 *, /* lifetime */
- gss_cred_usage_t*,/* cred_usage */
- gss_OID_set * /* mechanisms */
- );
-
-static OM_uint32 k5glue_inquire_context
-(void *, OM_uint32*, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_name_t*, /* initiator_name */
- gss_name_t*, /* acceptor_name */
- OM_uint32*, /* lifetime_rec */
- gss_OID*, /* mech_type */
- OM_uint32*, /* ret_flags */
- int*, /* locally_initiated */
- int* /* open */
- );
+static OM_uint32 k5glue_process_context_token(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t /* token_buffer */
+);
+
+static OM_uint32 k5glue_delete_sec_context(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_ctx_id_t*, /* context_handle */
+ gss_buffer_t /* output_token */
+);
+
+static OM_uint32 k5glue_context_time(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ OM_uint32* /* time_rec */
+);
+
+static OM_uint32 k5glue_sign(
+ void *, OM_uint32*, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t /* message_token */
+);
+
+static OM_uint32 k5glue_verify(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* token_buffer */
+ int* /* qop_state */
+);
+
+static OM_uint32 k5glue_seal(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ int, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int*, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+);
+
+static OM_uint32 k5glue_unseal(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int*, /* conf_state */
+ int* /* qop_state */
+);
+
+static OM_uint32 k5glue_display_status(
+ void *,
+ OM_uint32*, /* minor_status */
+ OM_uint32, /* status_value */
+ int, /* status_type */
+ gss_OID, /* mech_type */
+ OM_uint32*, /* message_context */
+ gss_buffer_t /* status_string */
+);
+
+static OM_uint32 k5glue_indicate_mechs(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_OID_set* /* mech_set */
+);
+
+static OM_uint32 k5glue_compare_name(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_name_t, /* name1 */
+ gss_name_t, /* name2 */
+ int* /* name_equal */
+);
+
+static OM_uint32 k5glue_display_name(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_buffer_t, /* output_name_buffer */
+ gss_OID* /* output_name_type */
+);
+
+static OM_uint32 k5glue_import_name(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_buffer_t, /* input_name_buffer */
+ gss_OID, /* input_name_type */
+ gss_name_t* /* output_name */
+);
+
+static OM_uint32 k5glue_release_name(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_name_t* /* input_name */
+);
+
+static OM_uint32 k5glue_inquire_cred(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* lifetime */
+ gss_cred_usage_t*,/* cred_usage */
+ gss_OID_set * /* mechanisms */
+);
+
+static OM_uint32 k5glue_inquire_context(
+ void *,
+ OM_uint32*, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_name_t*, /* initiator_name */
+ gss_name_t*, /* acceptor_name */
+ OM_uint32*, /* lifetime_rec */
+ gss_OID*, /* mech_type */
+ OM_uint32*, /* ret_flags */
+ int*, /* locally_initiated */
+ int* /* open */
+);
#if 0
/* New V2 entry points */
-static OM_uint32 k5glue_get_mic
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- );
-
-static OM_uint32 k5glue_verify_mic
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* message_token */
- gss_qop_t * /* qop_state */
- );
-
-static OM_uint32 k5glue_wrap
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int *, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- );
-
-static OM_uint32 k5glue_unwrap
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int *, /* conf_state */
- gss_qop_t * /* qop_state */
- );
+static OM_uint32 k5glue_get_mic(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t /* message_token */
+);
+
+static OM_uint32 k5glue_verify_mic(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* message_token */
+ gss_qop_t * /* qop_state */
+);
+
+static OM_uint32 k5glue_wrap(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int *, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+);
+
+static OM_uint32 k5glue_unwrap(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int *, /* conf_state */
+ gss_qop_t * /* qop_state */
+);
#endif
-static OM_uint32 k5glue_wrap_size_limit
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- gss_qop_t, /* qop_req */
- OM_uint32, /* req_output_size */
- OM_uint32 * /* max_input_size */
- );
+static OM_uint32 k5glue_wrap_size_limit(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ OM_uint32, /* req_output_size */
+ OM_uint32 * /* max_input_size */
+);
#if 0
-static OM_uint32 k5glue_import_name_object
-(void *, OM_uint32 *, /* minor_status */
- void *, /* input_name */
- gss_OID, /* input_name_type */
- gss_name_t * /* output_name */
- );
-
-static OM_uint32 k5glue_export_name_object
-(void *, OM_uint32 *, /* minor_status */
- gss_name_t, /* input_name */
- gss_OID, /* desired_name_type */
- void * * /* output_name */
- );
+static OM_uint32 k5glue_import_name_object(
+ void *,
+ OM_uint32 *, /* minor_status */
+ void *, /* input_name */
+ gss_OID, /* input_name_type */
+ gss_name_t * /* output_name */
+);
+
+static OM_uint32 k5glue_export_name_object(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_OID, /* desired_name_type */
+ void * * /* output_name */
+);
#endif
-static OM_uint32 k5glue_add_cred
-(void *, OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* input_cred_handle */
- gss_name_t, /* desired_name */
- gss_OID, /* desired_mech */
- gss_cred_usage_t, /* cred_usage */
- OM_uint32, /* initiator_time_req */
- OM_uint32, /* acceptor_time_req */
- gss_cred_id_t *, /* output_cred_handle */
- gss_OID_set *, /* actual_mechs */
- OM_uint32 *, /* initiator_time_rec */
- OM_uint32 * /* acceptor_time_rec */
- );
-
-static OM_uint32 k5glue_inquire_cred_by_mech
-(void *, OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_OID, /* mech_type */
- gss_name_t *, /* name */
- OM_uint32 *, /* initiator_lifetime */
- OM_uint32 *, /* acceptor_lifetime */
- gss_cred_usage_t * /* cred_usage */
- );
+static OM_uint32 k5glue_add_cred(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* input_cred_handle */
+ gss_name_t, /* desired_name */
+ gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *, /* initiator_time_rec */
+ OM_uint32 * /* acceptor_time_rec */
+);
+
+static OM_uint32 k5glue_inquire_cred_by_mech(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_OID, /* mech_type */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* initiator_lifetime */
+ OM_uint32 *, /* acceptor_lifetime */
+ gss_cred_usage_t * /* cred_usage */
+);
#ifndef LEAN_CLIENT
-static OM_uint32 k5glue_export_sec_context
-(void *, OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- gss_buffer_t /* interprocess_token */
- );
-
-static OM_uint32 k5glue_import_sec_context
-(void *, OM_uint32 *, /* minor_status */
- gss_buffer_t, /* interprocess_token */
- gss_ctx_id_t * /* context_handle */
- );
+static OM_uint32 k5glue_export_sec_context(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t /* interprocess_token */
+);
+
+static OM_uint32 k5glue_import_sec_context(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* interprocess_token */
+ gss_ctx_id_t * /* context_handle */
+);
#endif /* LEAN_CLIENT */
krb5_error_code k5glue_ser_init(krb5_context);
-static OM_uint32 k5glue_internal_release_oid
-(void *, OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
+static OM_uint32 k5glue_internal_release_oid(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_OID * /* oid */
+);
-static OM_uint32 k5glue_inquire_names_for_mech
-(void *, OM_uint32 *, /* minor_status */
- gss_OID, /* mechanism */
- gss_OID_set * /* name_types */
- );
+static OM_uint32 k5glue_inquire_names_for_mech(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_OID, /* mechanism */
+ gss_OID_set * /* name_types */
+);
#if 0
-static OM_uint32 k5glue_canonicalize_name
-(void *, OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- const gss_OID, /* mech_type */
- gss_name_t * /* output_name */
- );
+static OM_uint32 k5glue_canonicalize_name(
+ void *,
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ const gss_OID, /* mech_type */
+ gss_name_t * /* output_name */
+);
#endif
-static OM_uint32 k5glue_export_name
-(void *, OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_buffer_t /* exported_name */
- );
+static OM_uint32 k5glue_export_name(
+ void *,
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_buffer_t /* exported_name */
+);
#if 0
-static OM_uint32 k5glue_duplicate_name
-(void *, OM_uint32 *, /* minor_status */
- const gss_name_t, /* input_name */
- gss_name_t * /* dest_name */
- );
+static OM_uint32 k5glue_duplicate_name(
+ void *,
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_name_t * /* dest_name */
+);
#endif
#if 0
-static OM_uint32 k5glue_validate_cred
-(void *, OM_uint32 *, /* minor_status */
- gss_cred_id_t /* cred */
- );
+static OM_uint32 k5glue_validate_cred(
+ void *,
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t /* cred */
+);
#endif
/*
* ensure that both dispatch tables contain identical function
* pointers.
*/
-#ifndef LEAN_CLIENT
-#define KRB5_GSS_CONFIG_INIT \
- NULL, \
- k5glue_acquire_cred, \
- k5glue_release_cred, \
- k5glue_init_sec_context, \
- k5glue_accept_sec_context, \
- k5glue_process_context_token, \
- k5glue_delete_sec_context, \
- k5glue_context_time, \
- k5glue_sign, \
- k5glue_verify, \
- k5glue_seal, \
- k5glue_unseal, \
- k5glue_display_status, \
- k5glue_indicate_mechs, \
- k5glue_compare_name, \
- k5glue_display_name, \
- k5glue_import_name, \
- k5glue_release_name, \
- k5glue_inquire_cred, \
- k5glue_add_cred, \
- k5glue_export_sec_context, \
- k5glue_import_sec_context, \
- k5glue_inquire_cred_by_mech, \
- k5glue_inquire_names_for_mech, \
- k5glue_inquire_context, \
- k5glue_internal_release_oid, \
- k5glue_wrap_size_limit, \
- k5glue_export_name, \
- NULL /* store_cred */
-
-#else /* LEAN_CLIENT */
-
-#define KRB5_GSS_CONFIG_INIT \
- NULL, \
- k5glue_acquire_cred, \
- k5glue_release_cred, \
- k5glue_init_sec_context, \
- NULL, \
- k5glue_process_context_token, \
- k5glue_delete_sec_context, \
- k5glue_context_time, \
- k5glue_sign, \
- k5glue_verify, \
- k5glue_seal, \
- k5glue_unseal, \
- k5glue_display_status, \
- k5glue_indicate_mechs, \
- k5glue_compare_name, \
- k5glue_display_name, \
- k5glue_import_name, \
- k5glue_release_name, \
- k5glue_inquire_cred, \
- k5glue_add_cred, \
- NULL, \
- NULL, \
- k5glue_inquire_cred_by_mech, \
- k5glue_inquire_names_for_mech, \
- k5glue_inquire_context, \
- k5glue_internal_release_oid, \
- k5glue_wrap_size_limit, \
- k5glue_export_name, \
- NULL /* store_cred */
-
-#endif /* LEAN_CLIENT */
+#ifndef LEAN_CLIENT
+#define KRB5_GSS_CONFIG_INIT \
+ NULL, \
+ k5glue_acquire_cred, \
+ k5glue_release_cred, \
+ k5glue_init_sec_context, \
+ k5glue_accept_sec_context, \
+ k5glue_process_context_token, \
+ k5glue_delete_sec_context, \
+ k5glue_context_time, \
+ k5glue_sign, \
+ k5glue_verify, \
+ k5glue_seal, \
+ k5glue_unseal, \
+ k5glue_display_status, \
+ k5glue_indicate_mechs, \
+ k5glue_compare_name, \
+ k5glue_display_name, \
+ k5glue_import_name, \
+ k5glue_release_name, \
+ k5glue_inquire_cred, \
+ k5glue_add_cred, \
+ k5glue_export_sec_context, \
+ k5glue_import_sec_context, \
+ k5glue_inquire_cred_by_mech, \
+ k5glue_inquire_names_for_mech, \
+ k5glue_inquire_context, \
+ k5glue_internal_release_oid, \
+ k5glue_wrap_size_limit, \
+ k5glue_export_name, \
+ NULL /* store_cred */
+
+#else /* LEAN_CLIENT */
+
+#define KRB5_GSS_CONFIG_INIT \
+ NULL, \
+ k5glue_acquire_cred, \
+ k5glue_release_cred, \
+ k5glue_init_sec_context, \
+ NULL, \
+ k5glue_process_context_token, \
+ k5glue_delete_sec_context, \
+ k5glue_context_time, \
+ k5glue_sign, \
+ k5glue_verify, \
+ k5glue_seal, \
+ k5glue_unseal, \
+ k5glue_display_status, \
+ k5glue_indicate_mechs, \
+ k5glue_compare_name, \
+ k5glue_display_name, \
+ k5glue_import_name, \
+ k5glue_release_name, \
+ k5glue_inquire_cred, \
+ k5glue_add_cred, \
+ NULL, \
+ NULL, \
+ k5glue_inquire_cred_by_mech, \
+ k5glue_inquire_names_for_mech, \
+ k5glue_inquire_context, \
+ k5glue_internal_release_oid, \
+ k5glue_wrap_size_limit, \
+ k5glue_export_name, \
+ NULL /* store_cred */
+
+#endif /* LEAN_CLIENT */
static struct gss_config krb5_mechanism = {
char *envstr = getenv("MS_FORCE_NO_MSOID");
if (envstr != NULL && strcmp(envstr, "1") == 0) {
- return krb5_mech_configs_hack;
+ return krb5_mech_configs_hack;
}
#endif
return krb5_mech_configs;
#ifndef LEAN_CLIENT
static OM_uint32
k5glue_accept_sec_context(ctx, minor_status, context_handle, verifier_cred_handle,
- input_token, input_chan_bindings, src_name, mech_type,
- output_token, ret_flags, time_rec, delegated_cred_handle)
+ input_token, input_chan_bindings, src_name, mech_type,
+ output_token, ret_flags, time_rec, delegated_cred_handle)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_cred_id_t verifier_cred_handle;
- gss_buffer_t input_token;
- gss_channel_bindings_t input_chan_bindings;
- gss_name_t *src_name;
- gss_OID *mech_type;
- gss_buffer_t output_token;
- OM_uint32 *ret_flags;
- OM_uint32 *time_rec;
- gss_cred_id_t *delegated_cred_handle;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_cred_id_t verifier_cred_handle;
+ gss_buffer_t input_token;
+ gss_channel_bindings_t input_chan_bindings;
+ gss_name_t *src_name;
+ gss_OID *mech_type;
+ gss_buffer_t output_token;
+ OM_uint32 *ret_flags;
+ OM_uint32 *time_rec;
+ gss_cred_id_t *delegated_cred_handle;
{
- return(krb5_gss_accept_sec_context(minor_status,
- context_handle,
- verifier_cred_handle,
- input_token,
- input_chan_bindings,
- src_name,
- mech_type,
- output_token,
- ret_flags,
- time_rec,
- delegated_cred_handle));
+ return(krb5_gss_accept_sec_context(minor_status,
+ context_handle,
+ verifier_cred_handle,
+ input_token,
+ input_chan_bindings,
+ src_name,
+ mech_type,
+ output_token,
+ ret_flags,
+ time_rec,
+ delegated_cred_handle));
}
#endif /* LEAN_CLIENT */
static OM_uint32
k5glue_acquire_cred(ctx, minor_status, desired_name, time_req, desired_mechs,
- cred_usage, output_cred_handle, actual_mechs, time_rec)
+ cred_usage, output_cred_handle, actual_mechs, time_rec)
void *ctx;
- OM_uint32 *minor_status;
- gss_name_t desired_name;
- OM_uint32 time_req;
- gss_OID_set desired_mechs;
- gss_cred_usage_t cred_usage;
- gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
- OM_uint32 *time_rec;
+ OM_uint32 *minor_status;
+ gss_name_t desired_name;
+ OM_uint32 time_req;
+ gss_OID_set desired_mechs;
+ gss_cred_usage_t cred_usage;
+ gss_cred_id_t *output_cred_handle;
+ gss_OID_set *actual_mechs;
+ OM_uint32 *time_rec;
{
- return(krb5_gss_acquire_cred(minor_status,
- desired_name,
- time_req,
- desired_mechs,
- cred_usage,
- output_cred_handle,
- actual_mechs,
- time_rec));
+ return(krb5_gss_acquire_cred(minor_status,
+ desired_name,
+ time_req,
+ desired_mechs,
+ cred_usage,
+ output_cred_handle,
+ actual_mechs,
+ time_rec));
}
/* V2 */
static OM_uint32
k5glue_add_cred(ctx, minor_status, input_cred_handle, desired_name, desired_mech,
- cred_usage, initiator_time_req, acceptor_time_req,
- output_cred_handle, actual_mechs, initiator_time_rec,
- acceptor_time_rec)
+ cred_usage, initiator_time_req, acceptor_time_req,
+ output_cred_handle, actual_mechs, initiator_time_rec,
+ acceptor_time_rec)
void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t input_cred_handle;
- gss_name_t desired_name;
- gss_OID desired_mech;
- gss_cred_usage_t cred_usage;
- OM_uint32 initiator_time_req;
- OM_uint32 acceptor_time_req;
- gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
- OM_uint32 *initiator_time_rec;
- OM_uint32 *acceptor_time_rec;
+ OM_uint32 *minor_status;
+ gss_cred_id_t input_cred_handle;
+ gss_name_t desired_name;
+ gss_OID desired_mech;
+ gss_cred_usage_t cred_usage;
+ OM_uint32 initiator_time_req;
+ OM_uint32 acceptor_time_req;
+ gss_cred_id_t *output_cred_handle;
+ gss_OID_set *actual_mechs;
+ OM_uint32 *initiator_time_rec;
+ OM_uint32 *acceptor_time_rec;
{
return(krb5_gss_add_cred(minor_status, input_cred_handle, desired_name,
- desired_mech, cred_usage, initiator_time_req,
- acceptor_time_req, output_cred_handle,
- actual_mechs, initiator_time_rec,
- acceptor_time_rec));
+ desired_mech, cred_usage, initiator_time_req,
+ acceptor_time_req, output_cred_handle,
+ actual_mechs, initiator_time_rec,
+ acceptor_time_rec));
}
#if 0
static OM_uint32
k5glue_add_oid_set_member(ctx, minor_status, member_oid, oid_set)
void *ctx;
- OM_uint32 *minor_status;
- gss_OID member_oid;
- gss_OID_set *oid_set;
+ OM_uint32 *minor_status;
+ gss_OID member_oid;
+ gss_OID_set *oid_set;
{
return(generic_gss_add_oid_set_member(minor_status, member_oid, oid_set));
}
static OM_uint32
k5glue_compare_name(ctx, minor_status, name1, name2, name_equal)
void *ctx;
- OM_uint32 *minor_status;
- gss_name_t name1;
- gss_name_t name2;
- int *name_equal;
+ OM_uint32 *minor_status;
+ gss_name_t name1;
+ gss_name_t name2;
+ int *name_equal;
{
- return(krb5_gss_compare_name(minor_status, name1,
- name2, name_equal));
+ return(krb5_gss_compare_name(minor_status, name1,
+ name2, name_equal));
}
static OM_uint32
k5glue_context_time(ctx, minor_status, context_handle, time_rec)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- OM_uint32 *time_rec;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ OM_uint32 *time_rec;
{
- return(krb5_gss_context_time(minor_status, context_handle,
- time_rec));
+ return(krb5_gss_context_time(minor_status, context_handle,
+ time_rec));
}
#if 0
static OM_uint32
k5glue_create_empty_oid_set(ctx, minor_status, oid_set)
void *ctx;
- OM_uint32 *minor_status;
- gss_OID_set *oid_set;
+ OM_uint32 *minor_status;
+ gss_OID_set *oid_set;
{
return(generic_gss_create_empty_oid_set(minor_status, oid_set));
}
static OM_uint32
k5glue_delete_sec_context(ctx, minor_status, context_handle, output_token)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_buffer_t output_token;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_buffer_t output_token;
{
- return(krb5_gss_delete_sec_context(minor_status,
- context_handle, output_token));
+ return(krb5_gss_delete_sec_context(minor_status,
+ context_handle, output_token));
}
static OM_uint32
k5glue_display_name(ctx, minor_status, input_name, output_name_buffer, output_name_type)
void *ctx;
- OM_uint32 *minor_status;
- gss_name_t input_name;
- gss_buffer_t output_name_buffer;
- gss_OID *output_name_type;
+ OM_uint32 *minor_status;
+ gss_name_t input_name;
+ gss_buffer_t output_name_buffer;
+ gss_OID *output_name_type;
{
- return(krb5_gss_display_name(minor_status, input_name,
- output_name_buffer, output_name_type));
+ return(krb5_gss_display_name(minor_status, input_name,
+ output_name_buffer, output_name_type));
}
static OM_uint32
k5glue_display_status(ctx, minor_status, status_value, status_type,
- mech_type, message_context, status_string)
+ mech_type, message_context, status_string)
void *ctx;
- OM_uint32 *minor_status;
- OM_uint32 status_value;
- int status_type;
- gss_OID mech_type;
- OM_uint32 *message_context;
- gss_buffer_t status_string;
+ OM_uint32 *minor_status;
+ OM_uint32 status_value;
+ int status_type;
+ gss_OID mech_type;
+ OM_uint32 *message_context;
+ gss_buffer_t status_string;
{
- return(krb5_gss_display_status(minor_status, status_value,
- status_type, mech_type, message_context,
- status_string));
+ return(krb5_gss_display_status(minor_status, status_value,
+ status_type, mech_type, message_context,
+ status_string));
}
#ifndef LEAN_CLIENT
/* V2 */
static OM_uint32
k5glue_export_sec_context(ctx, minor_status, context_handle, interprocess_token)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_buffer_t interprocess_token;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t *context_handle;
+ gss_buffer_t interprocess_token;
{
- return(krb5_gss_export_sec_context(minor_status,
- context_handle,
- interprocess_token));
+ return(krb5_gss_export_sec_context(minor_status,
+ context_handle,
+ interprocess_token));
}
#endif /* LEAN_CLIENT */
#if 0
/* V2 */
static OM_uint32
k5glue_get_mic(ctx, minor_status, context_handle, qop_req,
- message_buffer, message_token)
+ message_buffer, message_token)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_qop_t qop_req;
- gss_buffer_t message_buffer;
- gss_buffer_t message_token;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_qop_t qop_req;
+ gss_buffer_t message_buffer;
+ gss_buffer_t message_token;
{
return(krb5_gss_get_mic(minor_status, context_handle,
- qop_req, message_buffer, message_token));
+ qop_req, message_buffer, message_token));
}
#endif
static OM_uint32
k5glue_import_name(ctx, minor_status, input_name_buffer, input_name_type, output_name)
void *ctx;
- OM_uint32 *minor_status;
- gss_buffer_t input_name_buffer;
- gss_OID input_name_type;
- gss_name_t *output_name;
+ OM_uint32 *minor_status;
+ gss_buffer_t input_name_buffer;
+ gss_OID input_name_type;
+ gss_name_t *output_name;
{
#if 0
OM_uint32 err;
err = gssint_initialize_library();
if (err) {
- *minor_status = err;
- return GSS_S_FAILURE;
+ *minor_status = err;
+ return GSS_S_FAILURE;
}
#endif
return(krb5_gss_import_name(minor_status, input_name_buffer,
- input_name_type, output_name));
+ input_name_type, output_name));
}
#ifndef LEAN_CLIENT
static OM_uint32
k5glue_import_sec_context(ctx, minor_status, interprocess_token, context_handle)
void *ctx;
- OM_uint32 *minor_status;
- gss_buffer_t interprocess_token;
- gss_ctx_id_t *context_handle;
+ OM_uint32 *minor_status;
+ gss_buffer_t interprocess_token;
+ gss_ctx_id_t *context_handle;
{
- return(krb5_gss_import_sec_context(minor_status,
- interprocess_token,
- context_handle));
+ return(krb5_gss_import_sec_context(minor_status,
+ interprocess_token,
+ context_handle));
}
#endif /* LEAN_CLIENT */
static OM_uint32
k5glue_indicate_mechs(ctx, minor_status, mech_set)
void *ctx;
- OM_uint32 *minor_status;
- gss_OID_set *mech_set;
+ OM_uint32 *minor_status;
+ gss_OID_set *mech_set;
{
- return(krb5_gss_indicate_mechs(minor_status, mech_set));
+ return(krb5_gss_indicate_mechs(minor_status, mech_set));
}
static OM_uint32
k5glue_init_sec_context(ctx, minor_status, claimant_cred_handle, context_handle,
- target_name, mech_type, req_flags, time_req,
- input_chan_bindings, input_token, actual_mech_type,
- output_token, ret_flags, time_rec)
+ target_name, mech_type, req_flags, time_req,
+ input_chan_bindings, input_token, actual_mech_type,
+ output_token, ret_flags, time_rec)
void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t claimant_cred_handle;
- gss_ctx_id_t *context_handle;
- gss_name_t target_name;
- gss_OID mech_type;
- OM_uint32 req_flags;
- OM_uint32 time_req;
- gss_channel_bindings_t input_chan_bindings;
- gss_buffer_t input_token;
- gss_OID *actual_mech_type;
- gss_buffer_t output_token;
- OM_uint32 *ret_flags;
- OM_uint32 *time_rec;
+ OM_uint32 *minor_status;
+ gss_cred_id_t claimant_cred_handle;
+ gss_ctx_id_t *context_handle;
+ gss_name_t target_name;
+ gss_OID mech_type;
+ OM_uint32 req_flags;
+ OM_uint32 time_req;
+ gss_channel_bindings_t input_chan_bindings;
+ gss_buffer_t input_token;
+ gss_OID *actual_mech_type;
+ gss_buffer_t output_token;
+ OM_uint32 *ret_flags;
+ OM_uint32 *time_rec;
{
- return(krb5_gss_init_sec_context(minor_status,
- claimant_cred_handle, context_handle,
- target_name, mech_type, req_flags,
- time_req, input_chan_bindings, input_token,
- actual_mech_type, output_token, ret_flags,
- time_rec));
+ return(krb5_gss_init_sec_context(minor_status,
+ claimant_cred_handle, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings, input_token,
+ actual_mech_type, output_token, ret_flags,
+ time_rec));
}
static OM_uint32
k5glue_inquire_context(ctx, minor_status, context_handle, initiator_name, acceptor_name,
- lifetime_rec, mech_type, ret_flags,
- locally_initiated, opened)
+ lifetime_rec, mech_type, ret_flags,
+ locally_initiated, opened)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_name_t *initiator_name;
- gss_name_t *acceptor_name;
- OM_uint32 *lifetime_rec;
- gss_OID *mech_type;
- OM_uint32 *ret_flags;
- int *locally_initiated;
- int *opened;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_name_t *initiator_name;
+ gss_name_t *acceptor_name;
+ OM_uint32 *lifetime_rec;
+ gss_OID *mech_type;
+ OM_uint32 *ret_flags;
+ int *locally_initiated;
+ int *opened;
{
- return(krb5_gss_inquire_context(minor_status, context_handle,
- initiator_name, acceptor_name, lifetime_rec,
- mech_type, ret_flags, locally_initiated,
- opened));
+ return(krb5_gss_inquire_context(minor_status, context_handle,
+ initiator_name, acceptor_name, lifetime_rec,
+ mech_type, ret_flags, locally_initiated,
+ opened));
}
static OM_uint32
k5glue_inquire_cred(ctx, minor_status, cred_handle, name, lifetime_ret,
- cred_usage, mechanisms)
+ cred_usage, mechanisms)
void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- gss_name_t *name;
- OM_uint32 *lifetime_ret;
- gss_cred_usage_t *cred_usage;
- gss_OID_set *mechanisms;
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
+ gss_name_t *name;
+ OM_uint32 *lifetime_ret;
+ gss_cred_usage_t *cred_usage;
+ gss_OID_set *mechanisms;
{
- return(krb5_gss_inquire_cred(minor_status, cred_handle,
- name, lifetime_ret, cred_usage, mechanisms));
+ return(krb5_gss_inquire_cred(minor_status, cred_handle,
+ name, lifetime_ret, cred_usage, mechanisms));
}
/* V2 */
static OM_uint32
k5glue_inquire_cred_by_mech(ctx, minor_status, cred_handle, mech_type, name,
- initiator_lifetime, acceptor_lifetime, cred_usage)
+ initiator_lifetime, acceptor_lifetime, cred_usage)
void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
- gss_OID mech_type;
- gss_name_t *name;
- OM_uint32 *initiator_lifetime;
- OM_uint32 *acceptor_lifetime;
- gss_cred_usage_t *cred_usage;
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
+ gss_OID mech_type;
+ gss_name_t *name;
+ OM_uint32 *initiator_lifetime;
+ OM_uint32 *acceptor_lifetime;
+ gss_cred_usage_t *cred_usage;
{
- return(krb5_gss_inquire_cred_by_mech(minor_status, cred_handle,
- mech_type, name, initiator_lifetime,
- acceptor_lifetime, cred_usage));
+ return(krb5_gss_inquire_cred_by_mech(minor_status, cred_handle,
+ mech_type, name, initiator_lifetime,
+ acceptor_lifetime, cred_usage));
}
/* V2 */
static OM_uint32
k5glue_inquire_names_for_mech(ctx, minor_status, mechanism, name_types)
void *ctx;
- OM_uint32 *minor_status;
- gss_OID mechanism;
- gss_OID_set *name_types;
+ OM_uint32 *minor_status;
+ gss_OID mechanism;
+ gss_OID_set *name_types;
{
return(krb5_gss_inquire_names_for_mech(minor_status,
- mechanism,
- name_types));
+ mechanism,
+ name_types));
}
#if 0
static OM_uint32
k5glue_oid_to_str(ctx, minor_status, oid, oid_str)
void *ctx;
- OM_uint32 *minor_status;
- gss_OID oid;
- gss_buffer_t oid_str;
+ OM_uint32 *minor_status;
+ gss_OID oid;
+ gss_buffer_t oid_str;
{
return(generic_gss_oid_to_str(minor_status, oid, oid_str));
}
static OM_uint32
k5glue_process_context_token(ctx, minor_status, context_handle, token_buffer)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t token_buffer;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t token_buffer;
{
- return(krb5_gss_process_context_token(minor_status,
- context_handle, token_buffer));
+ return(krb5_gss_process_context_token(minor_status,
+ context_handle, token_buffer));
}
static OM_uint32
k5glue_release_cred(ctx, minor_status, cred_handle)
void *ctx;
- OM_uint32 *minor_status;
- gss_cred_id_t *cred_handle;
+ OM_uint32 *minor_status;
+ gss_cred_id_t *cred_handle;
{
- return(krb5_gss_release_cred(minor_status, cred_handle));
+ return(krb5_gss_release_cred(minor_status, cred_handle));
}
static OM_uint32
k5glue_release_name(ctx, minor_status, input_name)
void *ctx;
- OM_uint32 *minor_status;
- gss_name_t *input_name;
+ OM_uint32 *minor_status;
+ gss_name_t *input_name;
{
- return(krb5_gss_release_name(minor_status, input_name));
+ return(krb5_gss_release_name(minor_status, input_name));
}
#if 0
static OM_uint32
k5glue_release_buffer(ctx, minor_status, buffer)
void *ctx;
- OM_uint32 *minor_status;
- gss_buffer_t buffer;
+ OM_uint32 *minor_status;
+ gss_buffer_t buffer;
{
- return(generic_gss_release_buffer(minor_status,
- buffer));
+ return(generic_gss_release_buffer(minor_status,
+ buffer));
}
#endif
static OM_uint32
k5glue_internal_release_oid(ctx, minor_status, oid)
void *ctx;
- OM_uint32 *minor_status;
- gss_OID *oid;
+ OM_uint32 *minor_status;
+ gss_OID *oid;
{
return(krb5_gss_internal_release_oid(minor_status, oid));
}
static OM_uint32
k5glue_release_oid_set(ctx, minor_status, set)
void *ctx;
- OM_uint32 * minor_status;
- gss_OID_set *set;
+ OM_uint32 * minor_status;
+ gss_OID_set *set;
{
- return(generic_gss_release_oid_set(minor_status, set));
+ return(generic_gss_release_oid_set(minor_status, set));
}
#endif
/* V1 only */
static OM_uint32
k5glue_seal(ctx, minor_status, context_handle, conf_req_flag, qop_req,
- input_message_buffer, conf_state, output_message_buffer)
+ input_message_buffer, conf_state, output_message_buffer)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- int qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int conf_req_flag;
+ int qop_req;
+ gss_buffer_t input_message_buffer;
+ int *conf_state;
+ gss_buffer_t output_message_buffer;
{
- return(krb5_gss_seal(minor_status, context_handle,
- conf_req_flag, qop_req, input_message_buffer,
- conf_state, output_message_buffer));
+ return(krb5_gss_seal(minor_status, context_handle,
+ conf_req_flag, qop_req, input_message_buffer,
+ conf_state, output_message_buffer));
}
static OM_uint32
k5glue_sign(ctx, minor_status, context_handle,
- qop_req, message_buffer,
- message_token)
+ qop_req, message_buffer,
+ message_token)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int qop_req;
- gss_buffer_t message_buffer;
- gss_buffer_t message_token;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int qop_req;
+ gss_buffer_t message_buffer;
+ gss_buffer_t message_token;
{
- return(krb5_gss_sign(minor_status, context_handle,
- qop_req, message_buffer, message_token));
+ return(krb5_gss_sign(minor_status, context_handle,
+ qop_req, message_buffer, message_token));
}
#if 0
/* V2 */
static OM_uint32
k5glue_verify_mic(ctx, minor_status, context_handle,
- message_buffer, token_buffer, qop_state)
+ message_buffer, token_buffer, qop_state)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- gss_qop_t *qop_state;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t message_buffer;
+ gss_buffer_t token_buffer;
+ gss_qop_t *qop_state;
{
return(krb5_gss_verify_mic(minor_status, context_handle,
- message_buffer, token_buffer, qop_state));
+ message_buffer, token_buffer, qop_state));
}
/* V2 */
static OM_uint32
k5glue_wrap(ctx, minor_status, context_handle, conf_req_flag, qop_req,
- input_message_buffer, conf_state, output_message_buffer)
+ input_message_buffer, conf_state, output_message_buffer)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- gss_qop_t qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int conf_req_flag;
+ gss_qop_t qop_req;
+ gss_buffer_t input_message_buffer;
+ int *conf_state;
+ gss_buffer_t output_message_buffer;
{
return(krb5_gss_wrap(minor_status, context_handle, conf_req_flag, qop_req,
- input_message_buffer, conf_state,
- output_message_buffer));
+ input_message_buffer, conf_state,
+ output_message_buffer));
}
/* V2 */
static OM_uint32
k5glue_str_to_oid(ctx, minor_status, oid_str, oid)
void *ctx;
- OM_uint32 *minor_status;
- gss_buffer_t oid_str;
- gss_OID *oid;
+ OM_uint32 *minor_status;
+ gss_buffer_t oid_str;
+ gss_OID *oid;
{
return(generic_gss_str_to_oid(minor_status, oid_str, oid));
}
static OM_uint32
k5glue_test_oid_set_member(ctx, minor_status, member, set, present)
void *ctx;
- OM_uint32 *minor_status;
- gss_OID member;
- gss_OID_set set;
- int *present;
+ OM_uint32 *minor_status;
+ gss_OID member;
+ gss_OID_set set;
+ int *present;
{
return(generic_gss_test_oid_set_member(minor_status, member, set,
- present));
+ present));
}
#endif
/* V1 only */
static OM_uint32
k5glue_unseal(ctx, minor_status, context_handle, input_message_buffer,
- output_message_buffer, conf_state, qop_state)
+ output_message_buffer, conf_state, qop_state)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- int *qop_state;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t input_message_buffer;
+ gss_buffer_t output_message_buffer;
+ int *conf_state;
+ int *qop_state;
{
- return(krb5_gss_unseal(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state));
+ return(krb5_gss_unseal(minor_status, context_handle,
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state));
}
#if 0
/* V2 */
static OM_uint32
-k5glue_unwrap(ctx, minor_status, context_handle, input_message_buffer,
- output_message_buffer, conf_state, qop_state)
+k5glue_unwrap(ctx, minor_status, context_handle, input_message_buffer,
+ output_message_buffer, conf_state, qop_state)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- gss_qop_t *qop_state;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t input_message_buffer;
+ gss_buffer_t output_message_buffer;
+ int *conf_state;
+ gss_qop_t *qop_state;
{
return(krb5_gss_unwrap(minor_status, context_handle, input_message_buffer,
- output_message_buffer, conf_state, qop_state));
+ output_message_buffer, conf_state, qop_state));
}
#endif
/* V1 only */
static OM_uint32
k5glue_verify(ctx, minor_status, context_handle, message_buffer,
- token_buffer, qop_state)
+ token_buffer, qop_state)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- int *qop_state;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t message_buffer;
+ gss_buffer_t token_buffer;
+ int *qop_state;
{
- return(krb5_gss_verify(minor_status,
- context_handle,
- message_buffer,
- token_buffer,
- qop_state));
+ return(krb5_gss_verify(minor_status,
+ context_handle,
+ message_buffer,
+ token_buffer,
+ qop_state));
}
/* V2 interface */
static OM_uint32
k5glue_wrap_size_limit(ctx, minor_status, context_handle, conf_req_flag,
- qop_req, req_output_size, max_input_size)
+ qop_req, req_output_size, max_input_size)
void *ctx;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- gss_qop_t qop_req;
- OM_uint32 req_output_size;
- OM_uint32 *max_input_size;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int conf_req_flag;
+ gss_qop_t qop_req;
+ OM_uint32 req_output_size;
+ OM_uint32 *max_input_size;
{
- return(krb5_gss_wrap_size_limit(minor_status, context_handle,
- conf_req_flag, qop_req,
- req_output_size, max_input_size));
+ return(krb5_gss_wrap_size_limit(minor_status, context_handle,
+ conf_req_flag, qop_req,
+ req_output_size, max_input_size));
}
#if 0
static OM_uint32
k5glue_canonicalize_name(ctx, minor_status, input_name, mech_type, output_name)
void *ctx;
- OM_uint32 *minor_status;
- const gss_name_t input_name;
- const gss_OID mech_type;
- gss_name_t *output_name;
+ OM_uint32 *minor_status;
+ const gss_name_t input_name;
+ const gss_OID mech_type;
+ gss_name_t *output_name;
{
- return krb5_gss_canonicalize_name(minor_status, input_name,
- mech_type, output_name);
+ return krb5_gss_canonicalize_name(minor_status, input_name,
+ mech_type, output_name);
}
#endif
static OM_uint32
k5glue_export_name(ctx, minor_status, input_name, exported_name)
void *ctx;
- OM_uint32 *minor_status;
- const gss_name_t input_name;
- gss_buffer_t exported_name;
+ OM_uint32 *minor_status;
+ const gss_name_t input_name;
+ gss_buffer_t exported_name;
{
- return krb5_gss_export_name(minor_status, input_name, exported_name);
+ return krb5_gss_export_name(minor_status, input_name, exported_name);
}
#if 0
static OM_uint32
k5glue_duplicate_name(ctx, minor_status, input_name, dest_name)
void *ctx;
- OM_uint32 *minor_status;
- const gss_name_t input_name;
- gss_name_t *dest_name;
+ OM_uint32 *minor_status;
+ const gss_name_t input_name;
+ gss_name_t *dest_name;
{
- return krb5_gss_duplicate_name(minor_status, input_name, dest_name);
+ return krb5_gss_duplicate_name(minor_status, input_name, dest_name);
}
#endif
uctx = (gss_union_ctx_id_t)context_handle;
if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) &&
- !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
- return GSS_S_BAD_MECH;
+ !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
+ return GSS_S_BAD_MECH;
return gss_krb5int_get_tkt_flags(minor_status, uctx->internal_ctx_id,
- ticket_flags);
+ ticket_flags);
}
-OM_uint32 KRB5_CALLCONV
+OM_uint32 KRB5_CALLCONV
gss_krb5_copy_ccache(
OM_uint32 *minor_status,
gss_cred_id_t cred_handle,
mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type);
if (mcred != GSS_C_NO_CREDENTIAL)
- return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
+ return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type);
if (mcred != GSS_C_NO_CREDENTIAL)
- return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
+ return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
return GSS_S_DEFECTIVE_CREDENTIAL;
}
uctx = (gss_union_ctx_id_t)*context_handle;
if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) &&
- !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
- return GSS_S_BAD_MECH;
+ !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
+ return GSS_S_BAD_MECH;
return gss_krb5int_export_lucid_sec_context(minor_status,
- &uctx->internal_ctx_id,
- version, kctx);
+ &uctx->internal_ctx_id,
+ version, kctx);
}
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(
- OM_uint32 *minor_status,
+ OM_uint32 *minor_status,
gss_cred_id_t cred,
OM_uint32 num_ktypes,
krb5_enctype *ktypes)
ucred = (gss_union_cred_t)cred;
mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type);
if (mcred != GSS_C_NO_CREDENTIAL)
- return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
- num_ktypes, ktypes);
+ return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
+ num_ktypes, ktypes);
mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type);
if (mcred != GSS_C_NO_CREDENTIAL)
- return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
- num_ktypes, ktypes);
+ return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
+ num_ktypes, ktypes);
return GSS_S_DEFECTIVE_CREDENTIAL;
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/lucid_context.c
*
OM_uint32 KRB5_CALLCONV
gss_krb5int_export_lucid_sec_context(
- OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- OM_uint32 version,
- void **kctx)
+ OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx)
{
- krb5_error_code kret = 0;
- OM_uint32 retval;
- krb5_gss_ctx_id_t ctx;
- void *lctx = NULL;
+ krb5_error_code kret = 0;
+ OM_uint32 retval;
+ krb5_gss_ctx_id_t ctx;
+ void *lctx = NULL;
/* Assume failure */
retval = GSS_S_FAILURE;
*minor_status = 0;
if (kctx)
- *kctx = NULL;
+ *kctx = NULL;
else {
- kret = EINVAL;
- goto error_out;
+ kret = EINVAL;
+ goto error_out;
}
if (!kg_validate_ctx_id(*context_handle)) {
- kret = (OM_uint32) G_VALIDATE_FAILED;
- retval = GSS_S_NO_CONTEXT;
- goto error_out;
+ kret = (OM_uint32) G_VALIDATE_FAILED;
+ retval = GSS_S_NO_CONTEXT;
+ goto error_out;
}
ctx = (krb5_gss_ctx_id_t) *context_handle;
/* Externalize a structure of the right version */
switch (version) {
case 1:
- kret = make_external_lucid_ctx_v1((krb5_pointer)ctx,
- version, &lctx);
+ kret = make_external_lucid_ctx_v1((krb5_pointer)ctx,
+ version, &lctx);
break;
default:
- kret = (OM_uint32) KG_LUCID_VERSION;
- break;
+ kret = (OM_uint32) KG_LUCID_VERSION;
+ break;
}
if (kret)
- goto error_out;
+ goto error_out;
/* Success! Record the context and return the buffer */
if (! kg_save_lucidctx_id((void *)lctx)) {
- kret = G_VALIDATE_FAILED;
- goto error_out;
+ kret = G_VALIDATE_FAILED;
+ goto error_out;
}
*kctx = lctx;
return (retval);
error_out:
- if (*minor_status == 0)
- *minor_status = (OM_uint32) kret;
+ if (*minor_status == 0)
+ *minor_status = (OM_uint32) kret;
return(retval);
}
OM_uint32 *minor_status,
void *kctx)
{
- OM_uint32 retval;
- krb5_error_code kret = 0;
- int version;
+ OM_uint32 retval;
+ krb5_error_code kret = 0;
+ int version;
/* Assume failure */
retval = GSS_S_FAILURE;
*minor_status = 0;
if (!kctx) {
- kret = EINVAL;
- goto error_out;
+ kret = EINVAL;
+ goto error_out;
}
/* Verify pointer is valid lucid context */
if (! kg_validate_lucidctx_id(kctx)) {
- kret = G_VALIDATE_FAILED;
- goto error_out;
+ kret = G_VALIDATE_FAILED;
+ goto error_out;
}
/* Determine version and call correct free routine */
version = ((gss_krb5_lucid_context_version_t *)kctx)->version;
switch (version) {
case 1:
- (void)kg_delete_lucidctx_id(kctx);
- free_external_lucid_ctx_v1((gss_krb5_lucid_context_v1_t*) kctx);
- break;
+ (void)kg_delete_lucidctx_id(kctx);
+ free_external_lucid_ctx_v1((gss_krb5_lucid_context_v1_t*) kctx);
+ break;
default:
- kret = EINVAL;
- break;
+ kret = EINVAL;
+ break;
}
if (kret)
- goto error_out;
+ goto error_out;
/* Success! */
*minor_status = 0;
return (retval);
error_out:
- if (*minor_status == 0)
- *minor_status = (OM_uint32) kret;
+ if (*minor_status == 0)
+ *minor_status = (OM_uint32) kret;
return(retval);
}
/* Allocate the structure */
if ((lctx = xmalloc(bufsize)) == NULL) {
- retval = ENOMEM;
- goto error_out;
+ retval = ENOMEM;
+ goto error_out;
}
memset(lctx, 0, bufsize);
/* gctx->proto == 0 ==> rfc1964-style key information
gctx->proto == 1 ==> cfx-style (draft-ietf-krb-wg-gssapi-cfx-07) keys */
if (gctx->proto == 0) {
- lctx->rfc1964_kd.sign_alg = gctx->signalg;
- lctx->rfc1964_kd.seal_alg = gctx->sealalg;
- /* Copy key */
- if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
- &lctx->rfc1964_kd.ctx_key)))
- goto error_out;
+ lctx->rfc1964_kd.sign_alg = gctx->signalg;
+ lctx->rfc1964_kd.seal_alg = gctx->sealalg;
+ /* Copy key */
+ if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
+ &lctx->rfc1964_kd.ctx_key)))
+ goto error_out;
}
else if (gctx->proto == 1) {
- /* Copy keys */
- /* (subkey is always present, either a copy of the kerberos
- session key or a subkey) */
- if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
- &lctx->cfx_kd.ctx_key)))
- goto error_out;
- if (gctx->have_acceptor_subkey) {
- if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
- &lctx->cfx_kd.acceptor_subkey)))
- goto error_out;
- lctx->cfx_kd.have_acceptor_subkey = 1;
- }
+ /* Copy keys */
+ /* (subkey is always present, either a copy of the kerberos
+ session key or a subkey) */
+ if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
+ &lctx->cfx_kd.ctx_key)))
+ goto error_out;
+ if (gctx->have_acceptor_subkey) {
+ if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
+ &lctx->cfx_kd.acceptor_subkey)))
+ goto error_out;
+ lctx->cfx_kd.have_acceptor_subkey = 1;
+ }
}
else {
- return EINVAL; /* XXX better error code? */
+ return EINVAL; /* XXX better error code? */
}
/* Success! */
error_out:
if (lctx) {
- free_external_lucid_ctx_v1(lctx);
+ free_external_lucid_ctx_v1(lctx);
}
return retval;
gss_krb5_lucid_key_t *lkey)
{
if (!k5key || !k5key->contents || k5key->length == 0)
- return EINVAL;
+ return EINVAL;
memset(lkey, 0, sizeof(gss_krb5_lucid_key_t));
/* Allocate storage for the key data */
if ((lkey->data = xmalloc(k5key->length)) == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
memcpy(lkey->data, k5key->contents, k5key->length);
lkey->length = k5key->length;
gss_krb5_lucid_key_t *key)
{
if (key) {
- if (key->data && key->length) {
- memset(key->data, 0, key->length);
- xfree(key->data);
- memset(key, 0, sizeof(gss_krb5_lucid_key_t));
- }
+ if (key->data && key->length) {
+ memset(key->data, 0, key->length);
+ xfree(key->data);
+ memset(key, 0, sizeof(gss_krb5_lucid_key_t));
+ }
}
}
/* Free any storage associated with a gss_krb5_lucid_context_v1 structure */
gss_krb5_lucid_context_v1_t *ctx)
{
if (ctx) {
- if (ctx->protocol == 0) {
- free_lucid_key_data(&ctx->rfc1964_kd.ctx_key);
- }
- if (ctx->protocol == 1) {
- free_lucid_key_data(&ctx->cfx_kd.ctx_key);
- if (ctx->cfx_kd.have_acceptor_subkey)
- free_lucid_key_data(&ctx->cfx_kd.acceptor_subkey);
- }
- xfree(ctx);
- ctx = NULL;
+ if (ctx->protocol == 0) {
+ free_lucid_key_data(&ctx->rfc1964_kd.ctx_key);
+ }
+ if (ctx->protocol == 1) {
+ free_lucid_key_data(&ctx->cfx_kd.ctx_key);
+ if (ctx->cfx_kd.have_acceptor_subkey)
+ free_lucid_key_data(&ctx->cfx_kd.acceptor_subkey);
+ }
+ xfree(ctx);
+ ctx = NULL;
}
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
*/
OM_uint32
-krb5_gss_process_context_token(minor_status, context_handle,
- token_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t token_buffer;
+krb5_gss_process_context_token(minor_status, context_handle,
+ token_buffer)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t token_buffer;
{
- krb5_gss_ctx_id_rec *ctx;
- OM_uint32 majerr;
+ krb5_gss_ctx_id_rec *ctx;
+ OM_uint32 majerr;
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- ctx = (krb5_gss_ctx_id_t) context_handle;
+ ctx = (krb5_gss_ctx_id_t) context_handle;
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
+ if (! ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
+ }
- /* "unseal" the token */
+ /* "unseal" the token */
- if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle,
- token_buffer,
- GSS_C_NO_BUFFER, NULL, NULL,
- KG_TOK_DEL_CTX)))
- return(majerr);
+ if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle,
+ token_buffer,
+ GSS_C_NO_BUFFER, NULL, NULL,
+ KG_TOK_DEL_CTX)))
+ return(majerr);
- /* that's it. delete the context */
+ /* that's it. delete the context */
- return(krb5_gss_delete_sec_context(minor_status, &context_handle,
- GSS_C_NO_BUFFER));
+ return(krb5_gss_delete_sec_context(minor_status, &context_handle,
+ GSS_C_NO_BUFFER));
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
#include "gssapiP_krb5.h"
-OM_uint32
+OM_uint32
krb5_gss_release_cred(minor_status, cred_handle)
- OM_uint32 *minor_status;
- gss_cred_id_t *cred_handle;
+ OM_uint32 *minor_status;
+ gss_cred_id_t *cred_handle;
{
- krb5_context context;
- krb5_gss_cred_id_t cred;
- krb5_error_code code1, code2, code3;
+ krb5_context context;
+ krb5_gss_cred_id_t cred;
+ krb5_error_code code1, code2, code3;
- code1 = krb5_gss_init_context(&context);
- if (code1) {
- *minor_status = code1;
- return GSS_S_FAILURE;
- }
+ code1 = krb5_gss_init_context(&context);
+ if (code1) {
+ *minor_status = code1;
+ return GSS_S_FAILURE;
+ }
- if (*cred_handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = 0;
- krb5_free_context(context);
- return(GSS_S_COMPLETE);
- }
+ if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = 0;
+ krb5_free_context(context);
+ return(GSS_S_COMPLETE);
+ }
- if (! kg_delete_cred_id(*cred_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_NO_CRED);
- }
+ if (! kg_delete_cred_id(*cred_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_NO_CRED);
+ }
- cred = (krb5_gss_cred_id_t)*cred_handle;
+ cred = (krb5_gss_cred_id_t)*cred_handle;
- k5_mutex_destroy(&cred->lock);
- /* ignore error destroying mutex */
+ k5_mutex_destroy(&cred->lock);
+ /* ignore error destroying mutex */
- if (cred->ccache)
- code1 = krb5_cc_close(context, cred->ccache);
- else
- code1 = 0;
+ if (cred->ccache)
+ code1 = krb5_cc_close(context, cred->ccache);
+ else
+ code1 = 0;
-#ifndef LEAN_CLIENT
- if (cred->keytab)
- code2 = krb5_kt_close(context, cred->keytab);
- else
+#ifndef LEAN_CLIENT
+ if (cred->keytab)
+ code2 = krb5_kt_close(context, cred->keytab);
+ else
#endif /* LEAN_CLIENT */
- code2 = 0;
+ code2 = 0;
- if (cred->rcache)
- code3 = krb5_rc_close(context, cred->rcache);
- else
- code3 = 0;
- if (cred->princ)
- krb5_free_principal(context, cred->princ);
+ if (cred->rcache)
+ code3 = krb5_rc_close(context, cred->rcache);
+ else
+ code3 = 0;
+ if (cred->princ)
+ krb5_free_principal(context, cred->princ);
- if (cred->req_enctypes)
- free(cred->req_enctypes);
+ if (cred->req_enctypes)
+ free(cred->req_enctypes);
- xfree(cred);
+ xfree(cred);
- *cred_handle = NULL;
+ *cred_handle = NULL;
- *minor_status = 0;
- if (code1)
- *minor_status = code1;
- if (code2)
- *minor_status = code2;
- if (code3)
- *minor_status = code3;
+ *minor_status = 0;
+ if (code1)
+ *minor_status = code1;
+ if (code2)
+ *minor_status = code2;
+ if (code3)
+ *minor_status = code3;
- if (*minor_status)
- save_error_info(*minor_status, context);
- krb5_free_context(context);
- return(*minor_status?GSS_S_FAILURE:GSS_S_COMPLETE);
+ if (*minor_status)
+ save_error_info(*minor_status, context);
+ krb5_free_context(context);
+ return(*minor_status?GSS_S_FAILURE:GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
OM_uint32
krb5_gss_release_name(minor_status, input_name)
- OM_uint32 *minor_status;
- gss_name_t *input_name;
+ OM_uint32 *minor_status;
+ gss_name_t *input_name;
{
- krb5_context context;
- krb5_error_code code;
+ krb5_context context;
+ krb5_error_code code;
- code = krb5_gss_init_context(&context);
- if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
- }
+ code = krb5_gss_init_context(&context);
+ if (code) {
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- if (! kg_validate_name(*input_name)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- krb5_free_context(context);
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
+ if (! kg_validate_name(*input_name)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ krb5_free_context(context);
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
- (void)kg_delete_name(*input_name);
+ (void)kg_delete_name(*input_name);
- krb5_free_principal(context, (krb5_principal) *input_name);
- krb5_free_context(context);
+ krb5_free_principal(context, (krb5_principal) *input_name);
+ krb5_free_context(context);
- *input_name = (gss_name_t) NULL;
+ *input_name = (gss_name_t) NULL;
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/rel_oid.c
*
#include "gssapiP_krb5.h"
OM_uint32 krb5_gss_internal_release_oid (OM_uint32 *, /* minor_status */
- gss_OID * /* oid */
- );
+ gss_OID * /* oid */
+);
OM_uint32
krb5_gss_release_oid(minor_status, oid)
- OM_uint32 *minor_status;
- gss_OID *oid;
+ OM_uint32 *minor_status;
+ gss_OID *oid;
{
/*
* The V2 API says the following!
* allocated OID values with OIDs returned by GSS-API.
*/
if (krb5_gss_internal_release_oid(minor_status, oid) != GSS_S_COMPLETE) {
- /* Pawn it off on the generic routine */
- return(generic_gss_release_oid(minor_status, oid));
+ /* Pawn it off on the generic routine */
+ return(generic_gss_release_oid(minor_status, oid));
}
else {
- *oid = GSS_C_NO_OID;
- *minor_status = 0;
- return(GSS_S_COMPLETE);
+ *oid = GSS_C_NO_OID;
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
}
}
OM_uint32
krb5_gss_internal_release_oid(minor_status, oid)
- OM_uint32 *minor_status;
- gss_OID *oid;
+ OM_uint32 *minor_status;
+ gss_OID *oid;
{
/*
* This function only knows how to release internal OIDs. It will
* return GSS_S_CONTINUE_NEEDED for any OIDs it does not recognize.
*/
-
+
*minor_status = 0;
if ((*oid != gss_mech_krb5) &&
- (*oid != gss_mech_krb5_old) &&
- (*oid != gss_mech_krb5_wrong) &&
- (*oid != gss_nt_krb5_name) &&
- (*oid != gss_nt_krb5_principal)) {
- /* We don't know about this OID */
- return(GSS_S_CONTINUE_NEEDED);
+ (*oid != gss_mech_krb5_old) &&
+ (*oid != gss_mech_krb5_wrong) &&
+ (*oid != gss_nt_krb5_name) &&
+ (*oid != gss_nt_krb5_principal)) {
+ /* We don't know about this OID */
+ return(GSS_S_CONTINUE_NEEDED);
}
else {
- *oid = GSS_C_NO_OID;
- return(GSS_S_COMPLETE);
+ *oid = GSS_C_NO_OID;
+ return(GSS_S_COMPLETE);
}
}
-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
OM_uint32
krb5_gss_seal(minor_status, context_handle, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- int qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
+ qop_req, input_message_buffer, conf_state,
+ output_message_buffer)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int conf_req_flag;
+ int qop_req;
+ gss_buffer_t input_message_buffer;
+ int *conf_state;
+ gss_buffer_t output_message_buffer;
{
- return(kg_seal(minor_status, context_handle, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer, KG_TOK_SEAL_MSG));
+ return(kg_seal(minor_status, context_handle, conf_req_flag,
+ qop_req, input_message_buffer, conf_state,
+ output_message_buffer, KG_TOK_SEAL_MSG));
}
/* V2 interface */
OM_uint32
krb5_gss_wrap(minor_status, context_handle, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- gss_qop_t qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
+ qop_req, input_message_buffer, conf_state,
+ output_message_buffer)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int conf_req_flag;
+ gss_qop_t qop_req;
+ gss_buffer_t input_message_buffer;
+ int *conf_state;
+ gss_buffer_t output_message_buffer;
{
return(kg_seal(minor_status, context_handle, conf_req_flag,
- (int) qop_req, input_message_buffer, conf_state,
- output_message_buffer, KG_TOK_WRAP_MSG));
+ (int) qop_req, input_message_buffer, conf_state,
+ output_message_buffer, KG_TOK_WRAP_MSG));
}
-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/ser_sctx.c
*
#include "gssapiP_krb5.h"
/*
- * This module contains routines to [de]serialize
- * krb5_gss_enc_desc and krb5_gss_ctx_id_t.
+ * This module contains routines to [de]serialize
+ * krb5_gss_enc_desc and krb5_gss_ctx_id_t.
* XXX This whole serialization abstraction is unnecessary in a
* non-messaging environment, which krb5 is. Someday, this should
* all get redone without the extra level of indirection. I've done
static krb5_error_code
kg_oid_externalize(kcontext, arg, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer arg;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- gss_OID oid = (gss_OID) arg;
- krb5_error_code err;
-
- err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain);
- if (err)
- return err;
- err = krb5_ser_pack_int32((krb5_int32) oid->length,
- buffer, lenremain);
- if (err)
- return err;
- err = krb5_ser_pack_bytes((krb5_octet *) oid->elements,
- oid->length, buffer, lenremain);
- if (err)
- return err;
- err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain);
- return err;
+ gss_OID oid = (gss_OID) arg;
+ krb5_error_code err;
+
+ err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain);
+ if (err)
+ return err;
+ err = krb5_ser_pack_int32((krb5_int32) oid->length,
+ buffer, lenremain);
+ if (err)
+ return err;
+ err = krb5_ser_pack_bytes((krb5_octet *) oid->elements,
+ oid->length, buffer, lenremain);
+ if (err)
+ return err;
+ err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain);
+ return err;
}
static krb5_error_code
kg_oid_internalize(kcontext, argp, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer *argp;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer *argp;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- gss_OID oid;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
-
- bp = *buffer;
- remain = *lenremain;
-
- /* Read in and check our magic number */
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- return (EINVAL);
-
- if (ibuf != KV5M_GSS_OID)
- return (EINVAL);
-
- oid = (gss_OID) malloc(sizeof(gss_OID_desc));
- if (oid == NULL)
- return ENOMEM;
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
- free(oid);
- return EINVAL;
- }
- oid->length = ibuf;
- oid->elements = malloc(ibuf);
- if (oid->elements == 0) {
- free(oid);
- return ENOMEM;
- }
- if (krb5_ser_unpack_bytes((krb5_octet *) oid->elements,
- oid->length, &bp, &remain)) {
- free(oid->elements);
- free(oid);
- return EINVAL;
- }
-
- /* Read in and check our trailing magic number */
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
- free(oid->elements);
- free(oid);
- return (EINVAL);
- }
-
- if (ibuf != KV5M_GSS_OID) {
- free(oid->elements);
- free(oid);
- return (EINVAL);
- }
-
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) oid;
- return 0;
+ gss_OID oid;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+
+ bp = *buffer;
+ remain = *lenremain;
+
+ /* Read in and check our magic number */
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
+ return (EINVAL);
+
+ if (ibuf != KV5M_GSS_OID)
+ return (EINVAL);
+
+ oid = (gss_OID) malloc(sizeof(gss_OID_desc));
+ if (oid == NULL)
+ return ENOMEM;
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
+ free(oid);
+ return EINVAL;
+ }
+ oid->length = ibuf;
+ oid->elements = malloc(ibuf);
+ if (oid->elements == 0) {
+ free(oid);
+ return ENOMEM;
+ }
+ if (krb5_ser_unpack_bytes((krb5_octet *) oid->elements,
+ oid->length, &bp, &remain)) {
+ free(oid->elements);
+ free(oid);
+ return EINVAL;
+ }
+
+ /* Read in and check our trailing magic number */
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
+ free(oid->elements);
+ free(oid);
+ return (EINVAL);
+ }
+
+ if (ibuf != KV5M_GSS_OID) {
+ free(oid->elements);
+ free(oid);
+ return (EINVAL);
+ }
+
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) oid;
+ return 0;
}
static krb5_error_code
kg_oid_size(kcontext, arg, sizep)
- krb5_context kcontext;
- krb5_pointer arg;
- size_t *sizep;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ size_t *sizep;
{
- krb5_error_code kret;
- gss_OID oid;
- size_t required;
+ krb5_error_code kret;
+ gss_OID oid;
+ size_t required;
- kret = EINVAL;
- if ((oid = (gss_OID) arg)) {
- required = 2*sizeof(krb5_int32); /* For the header and trailer */
- required += sizeof(krb5_int32);
- required += oid->length;
+ kret = EINVAL;
+ if ((oid = (gss_OID) arg)) {
+ required = 2*sizeof(krb5_int32); /* For the header and trailer */
+ required += sizeof(krb5_int32);
+ required += oid->length;
- kret = 0;
+ kret = 0;
- *sizep += required;
- }
+ *sizep += required;
+ }
- return(kret);
+ return(kret);
}
static krb5_error_code
kg_queue_externalize(kcontext, arg, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer arg;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
krb5_error_code err;
err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain);
if (err == 0)
- err = g_queue_externalize(arg, buffer, lenremain);
+ err = g_queue_externalize(arg, buffer, lenremain);
if (err == 0)
- err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain);
+ err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain);
return err;
}
static krb5_error_code
kg_queue_internalize(kcontext, argp, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer *argp;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer *argp;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- krb5_error_code err;
-
- bp = *buffer;
- remain = *lenremain;
-
- /* Read in and check our magic number */
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- return (EINVAL);
-
- if (ibuf != KV5M_GSS_QUEUE)
- return (EINVAL);
-
- err = g_queue_internalize(argp, &bp, &remain);
- if (err)
- return err;
-
- /* Read in and check our trailing magic number */
- if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
- g_order_free(argp);
- return (EINVAL);
- }
-
- if (ibuf != KV5M_GSS_QUEUE) {
- g_order_free(argp);
- return (EINVAL);
- }
-
- *buffer = bp;
- *lenremain = remain;
- return 0;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ krb5_error_code err;
+
+ bp = *buffer;
+ remain = *lenremain;
+
+ /* Read in and check our magic number */
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
+ return (EINVAL);
+
+ if (ibuf != KV5M_GSS_QUEUE)
+ return (EINVAL);
+
+ err = g_queue_internalize(argp, &bp, &remain);
+ if (err)
+ return err;
+
+ /* Read in and check our trailing magic number */
+ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
+ g_order_free(argp);
+ return (EINVAL);
+ }
+
+ if (ibuf != KV5M_GSS_QUEUE) {
+ g_order_free(argp);
+ return (EINVAL);
+ }
+
+ *buffer = bp;
+ *lenremain = remain;
+ return 0;
}
static krb5_error_code
kg_queue_size(kcontext, arg, sizep)
- krb5_context kcontext;
- krb5_pointer arg;
- size_t *sizep;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ size_t *sizep;
{
- krb5_error_code kret;
- size_t required;
-
- kret = EINVAL;
- if (arg) {
- required = 2*sizeof(krb5_int32); /* For the header and trailer */
- g_queue_size(arg, &required);
-
- kret = 0;
- *sizep += required;
- }
- return(kret);
+ krb5_error_code kret;
+ size_t required;
+
+ kret = EINVAL;
+ if (arg) {
+ required = 2*sizeof(krb5_int32); /* For the header and trailer */
+ g_queue_size(arg, &required);
+
+ kret = 0;
+ *sizep += required;
+ }
+ return(kret);
}
/*
*/
krb5_error_code
kg_ctx_size(kcontext, arg, sizep)
- krb5_context kcontext;
- krb5_pointer arg;
- size_t *sizep;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ size_t *sizep;
{
- krb5_error_code kret;
- krb5_gss_ctx_id_rec *ctx;
- size_t required;
+ krb5_error_code kret;
+ krb5_gss_ctx_id_rec *ctx;
+ size_t required;
/*
* krb5_gss_ctx_id_rec requires:
- * krb5_int32 for KG_CONTEXT
- * krb5_int32 for initiate.
- * krb5_int32 for established.
- * krb5_int32 for big_endian.
- * krb5_int32 for have_acceptor_subkey.
- * krb5_int32 for seed_init.
- * krb5_int32 for gss_flags.
- * sizeof(seed) for seed
- * ... for here
- * ... for there
- * ... for subkey
- * krb5_int32 for signalg.
- * krb5_int32 for cksum_size.
- * krb5_int32 for sealalg.
- * ... for enc
- * ... for seq
- * krb5_int32 for endtime.
- * krb5_int32 for flags.
- * krb5_int64 for seq_send.
- * krb5_int64 for seq_recv.
- * ... for seqstate
- * ... for auth_context
- * ... for mech_used
- * krb5_int32 for proto
- * krb5_int32 for cksumtype
- * ... for acceptor_subkey
- * krb5_int32 for acceptor_key_cksumtype
- * krb5_int32 for cred_rcache
- * krb5_int32 for trailer.
+ * krb5_int32 for KG_CONTEXT
+ * krb5_int32 for initiate.
+ * krb5_int32 for established.
+ * krb5_int32 for big_endian.
+ * krb5_int32 for have_acceptor_subkey.
+ * krb5_int32 for seed_init.
+ * krb5_int32 for gss_flags.
+ * sizeof(seed) for seed
+ * ... for here
+ * ... for there
+ * ... for subkey
+ * krb5_int32 for signalg.
+ * krb5_int32 for cksum_size.
+ * krb5_int32 for sealalg.
+ * ... for enc
+ * ... for seq
+ * krb5_int32 for endtime.
+ * krb5_int32 for flags.
+ * krb5_int64 for seq_send.
+ * krb5_int64 for seq_recv.
+ * ... for seqstate
+ * ... for auth_context
+ * ... for mech_used
+ * krb5_int32 for proto
+ * krb5_int32 for cksumtype
+ * ... for acceptor_subkey
+ * krb5_int32 for acceptor_key_cksumtype
+ * krb5_int32 for cred_rcache
+ * krb5_int32 for trailer.
*/
kret = EINVAL;
if ((ctx = (krb5_gss_ctx_id_rec *) arg)) {
- required = 17*sizeof(krb5_int32);
- required += 2*sizeof(krb5_int64);
- required += sizeof(ctx->seed);
-
- kret = 0;
- if (!kret && ctx->here)
- kret = krb5_size_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) ctx->here,
- &required);
-
- if (!kret && ctx->there)
- kret = krb5_size_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) ctx->there,
- &required);
-
- if (!kret && ctx->subkey)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->subkey,
- &required);
-
- if (!kret && ctx->enc)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->enc,
- &required);
-
- if (!kret && ctx->seq)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->seq,
- &required);
-
- if (!kret)
- kret = kg_oid_size(kcontext,
- (krb5_pointer) ctx->mech_used,
- &required);
-
- if (!kret && ctx->seqstate)
- kret = kg_queue_size(kcontext, ctx->seqstate, &required);
-
- if (!kret)
- kret = krb5_size_opaque(kcontext,
- KV5M_CONTEXT,
- (krb5_pointer) ctx->k5_context,
- &required);
- if (!kret)
- kret = krb5_size_opaque(kcontext,
- KV5M_AUTH_CONTEXT,
- (krb5_pointer) ctx->auth_context,
- &required);
- if (!kret && ctx->acceptor_subkey)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->acceptor_subkey,
- &required);
- if (!kret)
- *sizep += required;
+ required = 17*sizeof(krb5_int32);
+ required += 2*sizeof(krb5_int64);
+ required += sizeof(ctx->seed);
+
+ kret = 0;
+ if (!kret && ctx->here)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) ctx->here,
+ &required);
+
+ if (!kret && ctx->there)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) ctx->there,
+ &required);
+
+ if (!kret && ctx->subkey)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->subkey,
+ &required);
+
+ if (!kret && ctx->enc)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->enc,
+ &required);
+
+ if (!kret && ctx->seq)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->seq,
+ &required);
+
+ if (!kret)
+ kret = kg_oid_size(kcontext,
+ (krb5_pointer) ctx->mech_used,
+ &required);
+
+ if (!kret && ctx->seqstate)
+ kret = kg_queue_size(kcontext, ctx->seqstate, &required);
+
+ if (!kret)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_CONTEXT,
+ (krb5_pointer) ctx->k5_context,
+ &required);
+ if (!kret)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_AUTH_CONTEXT,
+ (krb5_pointer) ctx->auth_context,
+ &required);
+ if (!kret && ctx->acceptor_subkey)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->acceptor_subkey,
+ &required);
+ if (!kret)
+ *sizep += required;
}
return(kret);
}
*/
krb5_error_code
kg_ctx_externalize(kcontext, arg, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer arg;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_error_code kret;
- krb5_gss_ctx_id_rec *ctx;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_gss_ctx_id_rec *ctx;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
krb5int_access kaccess;
kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (kret)
+ if (kret)
return(kret);
required = 0;
remain = *lenremain;
kret = EINVAL;
if ((ctx = (krb5_gss_ctx_id_rec *) arg)) {
- kret = ENOMEM;
- if (!kg_ctx_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
-
- /* Now static data */
- (void) krb5_ser_pack_int32((krb5_int32) ctx->initiate,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->established,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->gss_flags,
- &bp, &remain);
- (void) krb5_ser_pack_bytes((krb5_octet *) ctx->seed,
- sizeof(ctx->seed),
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->signalg,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->cksum_size,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->sealalg,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->endtime,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags,
- &bp, &remain);
- (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_send,
- &bp, &remain);
- (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_recv,
- &bp, &remain);
-
- /* Now dynamic data */
- kret = 0;
-
- if (!kret && ctx->mech_used)
- kret = kg_oid_externalize(kcontext, ctx->mech_used,
- &bp, &remain);
-
- if (!kret && ctx->here)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) ctx->here,
- &bp, &remain);
-
- if (!kret && ctx->there)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) ctx->there,
- &bp, &remain);
-
- if (!kret && ctx->subkey)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->subkey,
- &bp, &remain);
-
- if (!kret && ctx->enc)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->enc,
- &bp, &remain);
-
- if (!kret && ctx->seq)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->seq,
- &bp, &remain);
-
- if (!kret && ctx->seqstate)
- kret = kg_queue_externalize(kcontext,
- ctx->seqstate, &bp, &remain);
-
- if (!kret)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_CONTEXT,
- (krb5_pointer) ctx->k5_context,
- &bp, &remain);
-
- if (!kret)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_AUTH_CONTEXT,
- (krb5_pointer) ctx->auth_context,
- &bp, &remain);
-
- if (!kret)
- kret = krb5_ser_pack_int32((krb5_int32) ctx->proto,
- &bp, &remain);
- if (!kret)
- kret = krb5_ser_pack_int32((krb5_int32) ctx->cksumtype,
- &bp, &remain);
- if (!kret && ctx->acceptor_subkey)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->acceptor_subkey,
- &bp, &remain);
- if (!kret)
- kret = krb5_ser_pack_int32((krb5_int32) ctx->acceptor_subkey_cksumtype,
- &bp, &remain);
-
- if (!kret)
- kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache,
- &bp, &remain);
- /* trailer */
- if (!kret)
- kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
- if (!kret) {
- *buffer = bp;
- *lenremain = remain;
- }
- }
+ kret = ENOMEM;
+ if (!kg_ctx_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
+
+ /* Now static data */
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->initiate,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->established,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->gss_flags,
+ &bp, &remain);
+ (void) krb5_ser_pack_bytes((krb5_octet *) ctx->seed,
+ sizeof(ctx->seed),
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->signalg,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->cksum_size,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->sealalg,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->endtime,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags,
+ &bp, &remain);
+ (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_send,
+ &bp, &remain);
+ (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_recv,
+ &bp, &remain);
+
+ /* Now dynamic data */
+ kret = 0;
+
+ if (!kret && ctx->mech_used)
+ kret = kg_oid_externalize(kcontext, ctx->mech_used,
+ &bp, &remain);
+
+ if (!kret && ctx->here)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) ctx->here,
+ &bp, &remain);
+
+ if (!kret && ctx->there)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) ctx->there,
+ &bp, &remain);
+
+ if (!kret && ctx->subkey)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->subkey,
+ &bp, &remain);
+
+ if (!kret && ctx->enc)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->enc,
+ &bp, &remain);
+
+ if (!kret && ctx->seq)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->seq,
+ &bp, &remain);
+
+ if (!kret && ctx->seqstate)
+ kret = kg_queue_externalize(kcontext,
+ ctx->seqstate, &bp, &remain);
+
+ if (!kret)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_CONTEXT,
+ (krb5_pointer) ctx->k5_context,
+ &bp, &remain);
+
+ if (!kret)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_AUTH_CONTEXT,
+ (krb5_pointer) ctx->auth_context,
+ &bp, &remain);
+
+ if (!kret)
+ kret = krb5_ser_pack_int32((krb5_int32) ctx->proto,
+ &bp, &remain);
+ if (!kret)
+ kret = krb5_ser_pack_int32((krb5_int32) ctx->cksumtype,
+ &bp, &remain);
+ if (!kret && ctx->acceptor_subkey)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) ctx->acceptor_subkey,
+ &bp, &remain);
+ if (!kret)
+ kret = krb5_ser_pack_int32((krb5_int32) ctx->acceptor_subkey_cksumtype,
+ &bp, &remain);
+
+ if (!kret)
+ kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache,
+ &bp, &remain);
+ /* trailer */
+ if (!kret)
+ kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
+ if (!kret) {
+ *buffer = bp;
+ *lenremain = remain;
+ }
+ }
}
return(kret);
}
*/
krb5_error_code
kg_ctx_internalize(kcontext, argp, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer *argp;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer *argp;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_error_code kret;
- krb5_gss_ctx_id_rec *ctx;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
krb5int_access kaccess;
kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KG_CONTEXT) {
- kret = ENOMEM;
-
- /* Get a context */
- if ((remain >= (17*sizeof(krb5_int32)
- + 2*sizeof(krb5_int64)
- + sizeof(ctx->seed))) &&
- (ctx = (krb5_gss_ctx_id_rec *)
- xmalloc(sizeof(krb5_gss_ctx_id_rec)))) {
- memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
-
- ctx->k5_context = kcontext;
-
- /* Get static data */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->initiate = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->established = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->big_endian = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->have_acceptor_subkey = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->seed_init = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->gss_flags = (int) ibuf;
- (void) krb5_ser_unpack_bytes((krb5_octet *) ctx->seed,
- sizeof(ctx->seed),
- &bp, &remain);
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->signalg = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->cksum_size = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->sealalg = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->endtime = (krb5_timestamp) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->krb_flags = (krb5_flags) ibuf;
- (void) (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_send, &bp, &remain);
- kret = (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_recv, &bp, &remain);
- if (kret) {
- free(ctx);
- return kret;
- }
-
- {
- krb5_pointer tmp;
- kret = kg_oid_internalize(kcontext, &tmp, &bp,
- &remain);
- if (kret == 0)
- ctx->mech_used = tmp;
- else if (kret == EINVAL)
- kret = 0;
- }
- /* Now get substructure data */
- if ((kret = krb5_internalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer *) &ctx->here,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer *) &ctx->there,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->subkey,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->enc,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->seq,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
-
- if (!kret) {
- kret = kg_queue_internalize(kcontext, &ctx->seqstate,
- &bp, &remain);
- if (kret == EINVAL)
- kret = 0;
- }
-
- if (!kret)
- kret = krb5_internalize_opaque(kcontext,
- KV5M_CONTEXT,
- (krb5_pointer *) &ctx->k5_context,
- &bp, &remain);
-
- if (!kret)
- kret = krb5_internalize_opaque(kcontext,
- KV5M_AUTH_CONTEXT,
- (krb5_pointer *) &ctx->auth_context,
- &bp, &remain);
-
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->proto = ibuf;
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->cksumtype = ibuf;
- if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->acceptor_subkey,
- &bp, &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->cred_rcache = ibuf;
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->acceptor_subkey_cksumtype = ibuf;
-
- /* Get trailer */
- if (!kret)
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && ibuf != KG_CONTEXT)
- kret = EINVAL;
-
- if (!kret) {
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) ctx;
- } else {
- if (ctx->seq)
- krb5_free_keyblock(kcontext, ctx->seq);
- if (ctx->enc)
- krb5_free_keyblock(kcontext, ctx->enc);
- if (ctx->subkey)
- krb5_free_keyblock(kcontext, ctx->subkey);
- if (ctx->there)
- krb5_free_principal(kcontext, ctx->there);
- if (ctx->here)
- krb5_free_principal(kcontext, ctx->here);
- xfree(ctx);
- }
- }
+ kret = ENOMEM;
+
+ /* Get a context */
+ if ((remain >= (17*sizeof(krb5_int32)
+ + 2*sizeof(krb5_int64)
+ + sizeof(ctx->seed))) &&
+ (ctx = (krb5_gss_ctx_id_rec *)
+ xmalloc(sizeof(krb5_gss_ctx_id_rec)))) {
+ memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
+
+ ctx->k5_context = kcontext;
+
+ /* Get static data */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->initiate = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->established = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->big_endian = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->have_acceptor_subkey = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->seed_init = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->gss_flags = (int) ibuf;
+ (void) krb5_ser_unpack_bytes((krb5_octet *) ctx->seed,
+ sizeof(ctx->seed),
+ &bp, &remain);
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->signalg = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->cksum_size = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->sealalg = (int) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->endtime = (krb5_timestamp) ibuf;
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->krb_flags = (krb5_flags) ibuf;
+ (void) (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_send, &bp, &remain);
+ kret = (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_recv, &bp, &remain);
+ if (kret) {
+ free(ctx);
+ return kret;
+ }
+
+ {
+ krb5_pointer tmp;
+ kret = kg_oid_internalize(kcontext, &tmp, &bp,
+ &remain);
+ if (kret == 0)
+ ctx->mech_used = tmp;
+ else if (kret == EINVAL)
+ kret = 0;
+ }
+ /* Now get substructure data */
+ if ((kret = krb5_internalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer *) &ctx->here,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer *) &ctx->there,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *) &ctx->subkey,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *) &ctx->enc,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *) &ctx->seq,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+
+ if (!kret) {
+ kret = kg_queue_internalize(kcontext, &ctx->seqstate,
+ &bp, &remain);
+ if (kret == EINVAL)
+ kret = 0;
+ }
+
+ if (!kret)
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_CONTEXT,
+ (krb5_pointer *) &ctx->k5_context,
+ &bp, &remain);
+
+ if (!kret)
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_AUTH_CONTEXT,
+ (krb5_pointer *) &ctx->auth_context,
+ &bp, &remain);
+
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->proto = ibuf;
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->cksumtype = ibuf;
+ if (!kret &&
+ (kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *) &ctx->acceptor_subkey,
+ &bp, &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->cred_rcache = ibuf;
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ctx->acceptor_subkey_cksumtype = ibuf;
+
+ /* Get trailer */
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && ibuf != KG_CONTEXT)
+ kret = EINVAL;
+
+ if (!kret) {
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) ctx;
+ } else {
+ if (ctx->seq)
+ krb5_free_keyblock(kcontext, ctx->seq);
+ if (ctx->enc)
+ krb5_free_keyblock(kcontext, ctx->enc);
+ if (ctx->subkey)
+ krb5_free_keyblock(kcontext, ctx->subkey);
+ if (ctx->there)
+ krb5_free_principal(kcontext, ctx->there);
+ if (ctx->here)
+ krb5_free_principal(kcontext, ctx->here);
+ xfree(ctx);
+ }
+ }
}
return(kret);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/set_allowable_enctypes.c
*
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
#include "gssapi_krb5.h"
OM_uint32 KRB5_CALLCONV
-gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- OM_uint32 num_ktypes,
- krb5_enctype *ktypes)
+gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ OM_uint32 num_ktypes,
+ krb5_enctype *ktypes)
{
unsigned int i;
krb5_enctype * new_ktypes;
/* verify and valildate cred handle */
if (cred_handle == GSS_C_NO_CREDENTIAL) {
- kerr = KRB5_NOCREDS_SUPPLIED;
- goto error_out;
+ kerr = KRB5_NOCREDS_SUPPLIED;
+ goto error_out;
}
major_status = krb5_gss_validate_cred(&temp_status, cred_handle);
if (GSS_ERROR(major_status)) {
- kerr = temp_status;
- goto error_out;
+ kerr = temp_status;
+ goto error_out;
}
cred = (krb5_gss_cred_id_t) cred_handle;
if (ktypes) {
- for (i = 0; i < num_ktypes && ktypes[i]; i++) {
- if (!krb5_c_valid_enctype(ktypes[i])) {
- kerr = KRB5_PROG_ETYPE_NOSUPP;
- goto error_out;
- }
- }
+ for (i = 0; i < num_ktypes && ktypes[i]; i++) {
+ if (!krb5_c_valid_enctype(ktypes[i])) {
+ kerr = KRB5_PROG_ETYPE_NOSUPP;
+ goto error_out;
+ }
+ }
} else {
- kerr = k5_mutex_lock(&cred->lock);
- if (kerr)
- goto error_out;
- if (cred->req_enctypes)
- free(cred->req_enctypes);
- cred->req_enctypes = NULL;
- k5_mutex_unlock(&cred->lock);
- return GSS_S_COMPLETE;
+ kerr = k5_mutex_lock(&cred->lock);
+ if (kerr)
+ goto error_out;
+ if (cred->req_enctypes)
+ free(cred->req_enctypes);
+ cred->req_enctypes = NULL;
+ k5_mutex_unlock(&cred->lock);
+ return GSS_S_COMPLETE;
}
/* Copy the requested ktypes into the cred structure */
if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * (i + 1)))) {
- memcpy(new_ktypes, ktypes, sizeof(krb5_enctype) * i);
- new_ktypes[i] = 0; /* "null-terminate" the list */
+ memcpy(new_ktypes, ktypes, sizeof(krb5_enctype) * i);
+ new_ktypes[i] = 0; /* "null-terminate" the list */
}
else {
- kerr = ENOMEM;
- goto error_out;
+ kerr = ENOMEM;
+ goto error_out;
}
kerr = k5_mutex_lock(&cred->lock);
if (kerr) {
- free(new_ktypes);
- goto error_out;
+ free(new_ktypes);
+ goto error_out;
}
if (cred->req_enctypes)
- free(cred->req_enctypes);
+ free(cred->req_enctypes);
cred->req_enctypes = new_ktypes;
k5_mutex_unlock(&cred->lock);
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* lib/gssapi/krb5/set_ccache.c
*
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
#include "gssapiP_krb5.h"
#include "gss_libinit.h"
-OM_uint32 KRB5_CALLCONV
+OM_uint32 KRB5_CALLCONV
gss_krb5_ccache_name(minor_status, name, out_name)
- OM_uint32 *minor_status;
- const char *name;
- const char **out_name;
+ OM_uint32 *minor_status;
+ const char *name;
+ const char **out_name;
{
char *old_name = NULL;
OM_uint32 err = 0;
err = gssint_initialize_library();
if (err) {
- *minor_status = err;
- return GSS_S_FAILURE;
+ *minor_status = err;
+ return GSS_S_FAILURE;
}
gss_out_name = k5_getspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME);
if (!err) {
old_name = gss_out_name;
gss_out_name = tmp_name;
- }
+ }
}
/* If out_name was NULL, we keep the same gss_out_name value, and
don't free up any storage (leave old_name NULL). */
minor = k5_setspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, gss_out_name);
if (minor) {
- /* Um. Now what? */
- if (err == 0) {
- err = minor;
- }
- free(gss_out_name);
- gss_out_name = NULL;
+ /* Um. Now what? */
+ if (err == 0) {
+ err = minor;
+ }
+ free(gss_out_name);
+ gss_out_name = NULL;
}
if (!err) {
*out_name = gss_out_name;
}
}
-
+
if (old_name != NULL) {
free (old_name);
}
-
+
*minor_status = err;
return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
OM_uint32
krb5_gss_sign(minor_status, context_handle,
- qop_req, message_buffer,
- message_token)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int qop_req;
- gss_buffer_t message_buffer;
- gss_buffer_t message_token;
+ qop_req, message_buffer,
+ message_token)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int qop_req;
+ gss_buffer_t message_buffer;
+ gss_buffer_t message_token;
{
- return(kg_seal(minor_status, context_handle, 0,
- qop_req, message_buffer, NULL,
- message_token, KG_TOK_SIGN_MSG));
+ return(kg_seal(minor_status, context_handle, 0,
+ qop_req, message_buffer, NULL,
+ message_token, KG_TOK_SIGN_MSG));
}
/* V2 interface */
OM_uint32
krb5_gss_get_mic(minor_status, context_handle, qop_req,
- message_buffer, message_token)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_qop_t qop_req;
- gss_buffer_t message_buffer;
- gss_buffer_t message_token;
+ message_buffer, message_token)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_qop_t qop_req;
+ gss_buffer_t message_buffer;
+ gss_buffer_t message_token;
{
return(kg_seal(minor_status, context_handle, 0,
- (int) qop_req, message_buffer, NULL,
- message_token, KG_TOK_MIC_MSG));
+ (int) qop_req, message_buffer, NULL,
+ message_token, KG_TOK_MIC_MSG));
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
OM_uint32
krb5_gss_unseal(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- int *qop_state;
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t input_message_buffer;
+ gss_buffer_t output_message_buffer;
+ int *conf_state;
+ int *qop_state;
{
- return(kg_unseal(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state, KG_TOK_SEAL_MSG));
+ return(kg_unseal(minor_status, context_handle,
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state, KG_TOK_SEAL_MSG));
}
/* V2 interface */
OM_uint32
krb5_gss_unwrap(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- gss_qop_t *qop_state;
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t input_message_buffer;
+ gss_buffer_t output_message_buffer;
+ int *conf_state;
+ gss_qop_t *qop_state;
{
- OM_uint32 rstat;
- int qstate;
+ OM_uint32 rstat;
+ int qstate;
rstat = kg_unseal(minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, &qstate, KG_TOK_WRAP_MSG);
+ input_message_buffer, output_message_buffer,
+ conf_state, &qstate, KG_TOK_WRAP_MSG);
if (!rstat && qop_state)
- *qop_state = (gss_qop_t) qstate;
+ *qop_state = (gss_qop_t) qstate;
return(rstat);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/* Checksumming the channel bindings always uses plain MD5. */
krb5_error_code
kg_checksum_channel_bindings(context, cb, cksum, bigend)
- krb5_context context;
- gss_channel_bindings_t cb;
- krb5_checksum *cksum;
- int bigend;
+ krb5_context context;
+ gss_channel_bindings_t cb;
+ krb5_checksum *cksum;
+ int bigend;
{
- size_t len;
- char *buf = 0;
- char *ptr;
- size_t sumlen;
- krb5_data plaind;
- krb5_error_code code;
- void *temp;
-
- /* initialize the the cksum */
- code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen);
- if (code)
- return(code);
-
- cksum->checksum_type = CKSUMTYPE_RSA_MD5;
- cksum->length = sumlen;
-
- /* generate a buffer full of zeros if no cb specified */
-
- if (cb == GSS_C_NO_CHANNEL_BINDINGS) {
- if ((cksum->contents = (krb5_octet *) xmalloc(cksum->length)) == NULL) {
- return(ENOMEM);
- }
- memset(cksum->contents, '\0', cksum->length);
- return(0);
- }
-
- /* create the buffer to checksum into */
-
- len = (sizeof(krb5_int32)*5+
- cb->initiator_address.length+
- cb->acceptor_address.length+
- cb->application_data.length);
-
- if ((buf = (char *) xmalloc(len)) == NULL)
- return(ENOMEM);
-
- /* helper macros. This code currently depends on a long being 32
- bits, and htonl dtrt. */
-
- ptr = buf;
-
- TWRITE_INT(ptr, cb->initiator_addrtype, bigend);
- TWRITE_BUF(ptr, cb->initiator_address, bigend);
- TWRITE_INT(ptr, cb->acceptor_addrtype, bigend);
- TWRITE_BUF(ptr, cb->acceptor_address, bigend);
- TWRITE_BUF(ptr, cb->application_data, bigend);
-
- /* checksum the data */
-
- plaind.length = len;
- plaind.data = buf;
-
- code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0,
- &plaind, cksum);
- if (code)
- goto cleanup;
-
- if ((temp = xmalloc(cksum->length)) == NULL) {
- krb5_free_checksum_contents(context, cksum);
- code = ENOMEM;
- goto cleanup;
- }
-
- memcpy(temp, cksum->contents, cksum->length);
- krb5_free_checksum_contents(context, cksum);
- cksum->contents = (krb5_octet *)temp;
-
- /* success */
- cleanup:
- if (buf)
- xfree(buf);
- return code;
+ size_t len;
+ char *buf = 0;
+ char *ptr;
+ size_t sumlen;
+ krb5_data plaind;
+ krb5_error_code code;
+ void *temp;
+
+ /* initialize the the cksum */
+ code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen);
+ if (code)
+ return(code);
+
+ cksum->checksum_type = CKSUMTYPE_RSA_MD5;
+ cksum->length = sumlen;
+
+ /* generate a buffer full of zeros if no cb specified */
+
+ if (cb == GSS_C_NO_CHANNEL_BINDINGS) {
+ if ((cksum->contents = (krb5_octet *) xmalloc(cksum->length)) == NULL) {
+ return(ENOMEM);
+ }
+ memset(cksum->contents, '\0', cksum->length);
+ return(0);
+ }
+
+ /* create the buffer to checksum into */
+
+ len = (sizeof(krb5_int32)*5+
+ cb->initiator_address.length+
+ cb->acceptor_address.length+
+ cb->application_data.length);
+
+ if ((buf = (char *) xmalloc(len)) == NULL)
+ return(ENOMEM);
+
+ /* helper macros. This code currently depends on a long being 32
+ bits, and htonl dtrt. */
+
+ ptr = buf;
+
+ TWRITE_INT(ptr, cb->initiator_addrtype, bigend);
+ TWRITE_BUF(ptr, cb->initiator_address, bigend);
+ TWRITE_INT(ptr, cb->acceptor_addrtype, bigend);
+ TWRITE_BUF(ptr, cb->acceptor_address, bigend);
+ TWRITE_BUF(ptr, cb->application_data, bigend);
+
+ /* checksum the data */
+
+ plaind.length = len;
+ plaind.data = buf;
+
+ code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0,
+ &plaind, cksum);
+ if (code)
+ goto cleanup;
+
+ if ((temp = xmalloc(cksum->length)) == NULL) {
+ krb5_free_checksum_contents(context, cksum);
+ code = ENOMEM;
+ goto cleanup;
+ }
+
+ memcpy(temp, cksum->contents, cksum->length);
+ krb5_free_checksum_contents(context, cksum);
+ cksum->contents = (krb5_octet *)temp;
+
+ /* success */
+cleanup:
+ if (buf)
+ xfree(buf);
+ return code;
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
- * Copyright2001 by the Massachusetts Institute of Technology.
+ * Copyright2001 by the Massachusetts Institute of Technology.
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
int
kg_confounder_size(context, key)
- krb5_context context;
- krb5_keyblock *key;
+ krb5_context context;
+ krb5_keyblock *key;
{
- krb5_error_code code;
- size_t blocksize;
- /* We special case rc4*/
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC)
- return 8;
- code = krb5_c_block_size(context, key->enctype, &blocksize);
- if (code)
- return(-1); /* XXX */
-
- return(blocksize);
+ krb5_error_code code;
+ size_t blocksize;
+ /* We special case rc4*/
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC)
+ return 8;
+ code = krb5_c_block_size(context, key->enctype, &blocksize);
+ if (code)
+ return(-1); /* XXX */
+
+ return(blocksize);
}
krb5_error_code
kg_make_confounder(context, key, buf)
- krb5_context context;
- krb5_keyblock *key;
- unsigned char *buf;
+ krb5_context context;
+ krb5_keyblock *key;
+ unsigned char *buf;
{
- krb5_error_code code;
- size_t blocksize;
- krb5_data lrandom;
+ krb5_error_code code;
+ size_t blocksize;
+ krb5_data lrandom;
- code = krb5_c_block_size(context, key->enctype, &blocksize);
- if (code)
- return(code);
+ code = krb5_c_block_size(context, key->enctype, &blocksize);
+ if (code)
+ return(code);
- lrandom.length = blocksize;
- lrandom.data = buf;
+ lrandom.length = blocksize;
+ lrandom.data = buf;
- return(krb5_c_random_make_octets(context, &lrandom));
+ return(krb5_c_random_make_octets(context, &lrandom));
}
krb5_error_code
kg_encrypt(context, key, usage, iv, in, out, length)
- krb5_context context;
- krb5_keyblock *key;
- int usage;
- krb5_pointer iv;
- krb5_const_pointer in;
- krb5_pointer out;
- unsigned int length;
+ krb5_context context;
+ krb5_keyblock *key;
+ int usage;
+ krb5_pointer iv;
+ krb5_const_pointer in;
+ krb5_pointer out;
+ unsigned int length;
{
- krb5_error_code code;
- size_t blocksize;
- krb5_data ivd, *pivd, inputd;
- krb5_enc_data outputd;
-
- if (iv) {
- code = krb5_c_block_size(context, key->enctype, &blocksize);
- if (code)
- return(code);
-
- ivd.length = blocksize;
- ivd.data = malloc(ivd.length);
- if (ivd.data == NULL)
- return ENOMEM;
- memcpy(ivd.data, iv, ivd.length);
- pivd = &ivd;
- } else {
- pivd = NULL;
- }
-
- inputd.length = length;
- inputd.data = in;
-
- outputd.ciphertext.length = length;
- outputd.ciphertext.data = out;
-
- code = krb5_c_encrypt(context, key, usage, pivd, &inputd, &outputd);
- if (pivd != NULL)
- free(pivd->data);
- return code;
+ krb5_error_code code;
+ size_t blocksize;
+ krb5_data ivd, *pivd, inputd;
+ krb5_enc_data outputd;
+
+ if (iv) {
+ code = krb5_c_block_size(context, key->enctype, &blocksize);
+ if (code)
+ return(code);
+
+ ivd.length = blocksize;
+ ivd.data = malloc(ivd.length);
+ if (ivd.data == NULL)
+ return ENOMEM;
+ memcpy(ivd.data, iv, ivd.length);
+ pivd = &ivd;
+ } else {
+ pivd = NULL;
+ }
+
+ inputd.length = length;
+ inputd.data = in;
+
+ outputd.ciphertext.length = length;
+ outputd.ciphertext.data = out;
+
+ code = krb5_c_encrypt(context, key, usage, pivd, &inputd, &outputd);
+ if (pivd != NULL)
+ free(pivd->data);
+ return code;
}
/* length is the length of the cleartext. */
krb5_error_code
kg_decrypt(context, key, usage, iv, in, out, length)
- krb5_context context;
- krb5_keyblock *key;
- int usage;
- krb5_pointer iv;
- krb5_const_pointer in;
- krb5_pointer out;
- unsigned int length;
+ krb5_context context;
+ krb5_keyblock *key;
+ int usage;
+ krb5_pointer iv;
+ krb5_const_pointer in;
+ krb5_pointer out;
+ unsigned int length;
{
- krb5_error_code code;
- size_t blocksize;
- krb5_data ivd, *pivd, outputd;
- krb5_enc_data inputd;
-
- if (iv) {
- code = krb5_c_block_size(context, key->enctype, &blocksize);
- if (code)
- return(code);
-
- ivd.length = blocksize;
- ivd.data = malloc(ivd.length);
- if (ivd.data == NULL)
- return ENOMEM;
- memcpy(ivd.data, iv, ivd.length);
- pivd = &ivd;
- } else {
- pivd = NULL;
- }
-
- inputd.enctype = ENCTYPE_UNKNOWN;
- inputd.ciphertext.length = length;
- inputd.ciphertext.data = in;
-
- outputd.length = length;
- outputd.data = out;
-
- code = krb5_c_decrypt(context, key, usage, pivd, &inputd, &outputd);
- if (pivd != NULL)
- free(pivd->data);
- return code;
+ krb5_error_code code;
+ size_t blocksize;
+ krb5_data ivd, *pivd, outputd;
+ krb5_enc_data inputd;
+
+ if (iv) {
+ code = krb5_c_block_size(context, key->enctype, &blocksize);
+ if (code)
+ return(code);
+
+ ivd.length = blocksize;
+ ivd.data = malloc(ivd.length);
+ if (ivd.data == NULL)
+ return ENOMEM;
+ memcpy(ivd.data, iv, ivd.length);
+ pivd = &ivd;
+ } else {
+ pivd = NULL;
+ }
+
+ inputd.enctype = ENCTYPE_UNKNOWN;
+ inputd.ciphertext.length = length;
+ inputd.ciphertext.data = in;
+
+ outputd.length = length;
+ outputd.data = out;
+
+ code = krb5_c_decrypt(context, key, usage, pivd, &inputd, &outputd);
+ if (pivd != NULL)
+ free(pivd->data);
+ return code;
}
krb5_error_code
kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage,
- const unsigned char *kd_data, size_t kd_data_len,
- const unsigned char *input_buf, size_t input_len,
- unsigned char *output_buf)
+ const unsigned char *kd_data, size_t kd_data_len,
+ const unsigned char *input_buf, size_t input_len,
+ unsigned char *output_buf)
{
- krb5_error_code code;
- krb5_data input, output;
- krb5int_access kaccess;
- krb5_keyblock seq_enc_key, usage_key;
- unsigned char t[4];
-
- usage_key.length = longterm_key->length;
- usage_key.contents = malloc(usage_key.length);
- if (usage_key.contents == NULL)
- return (ENOMEM);
- seq_enc_key.length = longterm_key->length;
- seq_enc_key.contents = malloc(seq_enc_key.length);
- if (seq_enc_key.contents == NULL) {
+ krb5_error_code code;
+ krb5_data input, output;
+ krb5int_access kaccess;
+ krb5_keyblock seq_enc_key, usage_key;
+ unsigned char t[4];
+
+ usage_key.length = longterm_key->length;
+ usage_key.contents = malloc(usage_key.length);
+ if (usage_key.contents == NULL)
+ return (ENOMEM);
+ seq_enc_key.length = longterm_key->length;
+ seq_enc_key.contents = malloc(seq_enc_key.length);
+ if (seq_enc_key.contents == NULL) {
+ free ((void *) usage_key.contents);
+ return (ENOMEM);
+ }
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code)
+ goto cleanup_arcfour;
+
+ t[0] = ms_usage &0xff;
+ t[1] = (ms_usage>>8) & 0xff;
+ t[2] = (ms_usage>>16) & 0xff;
+ t[3] = (ms_usage>>24) & 0xff;
+ input.data = (void *) &t;
+ input.length = 4;
+ output.data = (void *) usage_key.contents;
+ output.length = usage_key.length;
+ code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
+ longterm_key, 1, &input, &output);
+ if (code)
+ goto cleanup_arcfour;
+
+ input.data = ( void *) kd_data;
+ input.length = kd_data_len;
+ output.data = (void *) seq_enc_key.contents;
+ code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
+ &usage_key, 1, &input, &output);
+ if (code)
+ goto cleanup_arcfour;
+ input.data = ( void * ) input_buf;
+ input.length = input_len;
+ output.data = (void * ) output_buf;
+ output.length = input_len;
+ code = ((*kaccess.arcfour_enc_provider->encrypt)(
+ &seq_enc_key, 0,
+ &input, &output));
+cleanup_arcfour:
+ memset ((void *) seq_enc_key.contents, 0, seq_enc_key.length);
+ memset ((void *) usage_key.contents, 0, usage_key.length);
free ((void *) usage_key.contents);
- return (ENOMEM);
- }
- code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (code)
- goto cleanup_arcfour;
-
- t[0] = ms_usage &0xff;
- t[1] = (ms_usage>>8) & 0xff;
- t[2] = (ms_usage>>16) & 0xff;
- t[3] = (ms_usage>>24) & 0xff;
- input.data = (void *) &t;
- input.length = 4;
- output.data = (void *) usage_key.contents;
- output.length = usage_key.length;
- code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
- longterm_key, 1, &input, &output);
- if (code)
- goto cleanup_arcfour;
-
- input.data = ( void *) kd_data;
- input.length = kd_data_len;
- output.data = (void *) seq_enc_key.contents;
- code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider,
- &usage_key, 1, &input, &output);
- if (code)
- goto cleanup_arcfour;
- input.data = ( void * ) input_buf;
- input.length = input_len;
- output.data = (void * ) output_buf;
- output.length = input_len;
- code = ((*kaccess.arcfour_enc_provider->encrypt)(
- &seq_enc_key, 0,
- &input, &output));
- cleanup_arcfour:
- memset ((void *) seq_enc_key.contents, 0, seq_enc_key.length);
- memset ((void *) usage_key.contents, 0, usage_key.length);
- free ((void *) usage_key.contents);
- free ((void *) seq_enc_key.contents);
- return (code);
+ free ((void *) seq_enc_key.contents);
+ return (code);
}
-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
krb5_error_code
kg_make_seed(context, key, seed)
- krb5_context context;
- krb5_keyblock *key;
- unsigned char *seed;
+ krb5_context context;
+ krb5_keyblock *key;
+ unsigned char *seed;
{
- krb5_error_code code;
- krb5_keyblock *tmpkey;
- unsigned int i;
+ krb5_error_code code;
+ krb5_keyblock *tmpkey;
+ unsigned int i;
- code = krb5_copy_keyblock(context, key, &tmpkey);
- if (code)
- return(code);
+ code = krb5_copy_keyblock(context, key, &tmpkey);
+ if (code)
+ return(code);
- /* reverse the key bytes, as per spec */
+ /* reverse the key bytes, as per spec */
- for (i=0; i<tmpkey->length; i++)
- tmpkey->contents[i] = key->contents[key->length - 1 - i];
+ for (i=0; i<tmpkey->length; i++)
+ tmpkey->contents[i] = key->contents[key->length - 1 - i];
- code = kg_encrypt(context, tmpkey, KG_USAGE_SEAL, NULL, zeros, seed, 16);
+ code = kg_encrypt(context, tmpkey, KG_USAGE_SEAL, NULL, zeros, seed, 16);
- krb5_free_keyblock(context, tmpkey);
+ krb5_free_keyblock(context, tmpkey);
- return(code);
+ return(code);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
- * Copyright2001 by the Massachusetts Institute of Technology.
+ * Copyright2001 by the Massachusetts Institute of Technology.
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
krb5_error_code
kg_make_seq_num(context, key, direction, seqnum, cksum, buf)
- krb5_context context;
- krb5_keyblock *key;
- int direction;
- krb5_ui_4 seqnum;
- unsigned char *cksum;
- unsigned char *buf;
+ krb5_context context;
+ krb5_keyblock *key;
+ int direction;
+ krb5_ui_4 seqnum;
+ unsigned char *cksum;
+ unsigned char *buf;
{
- unsigned char plain[8];
+ unsigned char plain[8];
- plain[4] = direction;
- plain[5] = direction;
- plain[6] = direction;
- plain[7] = direction;
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC ) {
- /* Yes, Microsoft used big-endian sequence number.*/
- plain[0] = (seqnum>>24) & 0xff;
- plain[1] = (seqnum>>16) & 0xff;
- plain[2] = (seqnum>>8) & 0xff;
- plain[3] = seqnum & 0xff;
- return kg_arcfour_docrypt (key, 0,
- cksum, 8,
- &plain[0], 8,
- buf);
-
- }
-
- plain[0] = (unsigned char) (seqnum&0xff);
- plain[1] = (unsigned char) ((seqnum>>8)&0xff);
- plain[2] = (unsigned char) ((seqnum>>16)&0xff);
- plain[3] = (unsigned char) ((seqnum>>24)&0xff);
+ plain[4] = direction;
+ plain[5] = direction;
+ plain[6] = direction;
+ plain[7] = direction;
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC ) {
+ /* Yes, Microsoft used big-endian sequence number.*/
+ plain[0] = (seqnum>>24) & 0xff;
+ plain[1] = (seqnum>>16) & 0xff;
+ plain[2] = (seqnum>>8) & 0xff;
+ plain[3] = seqnum & 0xff;
+ return kg_arcfour_docrypt (key, 0,
+ cksum, 8,
+ &plain[0], 8,
+ buf);
- return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, plain, buf, 8));
+ }
+
+ plain[0] = (unsigned char) (seqnum&0xff);
+ plain[1] = (unsigned char) ((seqnum>>8)&0xff);
+ plain[2] = (unsigned char) ((seqnum>>16)&0xff);
+ plain[3] = (unsigned char) ((seqnum>>24)&0xff);
+
+ return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, plain, buf, 8));
}
krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum)
- krb5_context context;
- krb5_keyblock *key;
- unsigned char *cksum;
- unsigned char *buf;
- int *direction;
- krb5_ui_4 *seqnum;
+ krb5_context context;
+ krb5_keyblock *key;
+ unsigned char *cksum;
+ unsigned char *buf;
+ int *direction;
+ krb5_ui_4 *seqnum;
{
- krb5_error_code code;
- unsigned char plain[8];
+ krb5_error_code code;
+ unsigned char plain[8];
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC) {
- code = kg_arcfour_docrypt (key, 0,
- cksum, 8,
- buf, 8,
- plain);
- } else {
- code = kg_decrypt(context, key, KG_USAGE_SEQ, cksum, buf, plain, 8);
- }
- if (code)
- return(code);
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC) {
+ code = kg_arcfour_docrypt (key, 0,
+ cksum, 8,
+ buf, 8,
+ plain);
+ } else {
+ code = kg_decrypt(context, key, KG_USAGE_SEQ, cksum, buf, plain, 8);
+ }
+ if (code)
+ return(code);
- if ((plain[4] != plain[5]) ||
- (plain[4] != plain[6]) ||
- (plain[4] != plain[7]))
- return((krb5_error_code) KG_BAD_SEQ);
+ if ((plain[4] != plain[5]) ||
+ (plain[4] != plain[6]) ||
+ (plain[4] != plain[7]))
+ return((krb5_error_code) KG_BAD_SEQ);
- *direction = plain[4];
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC) {
- *seqnum = (plain[3]|(plain[2]<<8) | (plain[1]<<16)| (plain[0]<<24));
- } else {
- *seqnum = ((plain[0]) |
- (plain[1]<<8) |
- (plain[2]<<16) |
- (plain[3]<<24));
- }
+ *direction = plain[4];
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC) {
+ *seqnum = (plain[3]|(plain[2]<<8) | (plain[1]<<16)| (plain[0]<<24));
+ } else {
+ *seqnum = ((plain[0]) |
+ (plain[1]<<8) |
+ (plain[2]<<16) |
+ (plain[3]<<24));
+ }
- return(0);
+ return(0);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1997, 2007 by Massachusetts Institute of Technology
* All Rights Reserved.
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include "gssapiP_krb5.h"
OM_uint32
krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
- krb5_context context)
+ krb5_context context)
{
krb5_gss_cred_id_t cred;
krb5_error_code code;
krb5_principal princ;
if (!kg_validate_cred_id(cred_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL);
}
cred = (krb5_gss_cred_id_t) cred_handle;
code = k5_mutex_lock(&cred->lock);
if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
+ *minor_status = code;
+ return GSS_S_FAILURE;
}
if (cred->ccache) {
- if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) {
- k5_mutex_unlock(&cred->lock);
- *minor_status = code;
- return(GSS_S_DEFECTIVE_CREDENTIAL);
- }
- if (!krb5_principal_compare(context, princ, cred->princ)) {
- k5_mutex_unlock(&cred->lock);
- *minor_status = KG_CCACHE_NOMATCH;
- return(GSS_S_DEFECTIVE_CREDENTIAL);
- }
- (void)krb5_free_principal(context, princ);
+ if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) {
+ k5_mutex_unlock(&cred->lock);
+ *minor_status = code;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+ if (!krb5_principal_compare(context, princ, cred->princ)) {
+ k5_mutex_unlock(&cred->lock);
+ *minor_status = KG_CCACHE_NOMATCH;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+ (void)krb5_free_principal(context, princ);
}
*minor_status = 0;
return GSS_S_COMPLETE;
OM_uint32
krb5_gss_validate_cred(minor_status, cred_handle)
- OM_uint32 *minor_status;
- gss_cred_id_t cred_handle;
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
{
krb5_context context;
krb5_error_code code;
code = krb5_gss_init_context(&context);
if (code) {
- *minor_status = code;
- return GSS_S_FAILURE;
+ *minor_status = code;
+ return GSS_S_FAILURE;
}
maj = krb5_gss_validate_cred_1(minor_status, cred_handle, context);
if (maj == 0) {
- krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t) cred_handle;
- k5_mutex_assert_locked(&cred->lock);
- k5_mutex_unlock(&cred->lock);
+ krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t) cred_handle;
+ k5_mutex_assert_locked(&cred->lock);
+ k5_mutex_unlock(&cred->lock);
}
save_error_info(*minor_status, context);
krb5_free_context(context);
return maj;
}
-
-
-
-
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
OM_uint32
krb5_gss_verify(minor_status, context_handle,
- message_buffer, token_buffer,
- qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- int *qop_state;
+ message_buffer, token_buffer,
+ qop_state)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t message_buffer;
+ gss_buffer_t token_buffer;
+ int *qop_state;
{
- return(kg_unseal(minor_status, context_handle,
- token_buffer, message_buffer,
- NULL, qop_state, KG_TOK_SIGN_MSG));
+ return(kg_unseal(minor_status, context_handle,
+ token_buffer, message_buffer,
+ NULL, qop_state, KG_TOK_SIGN_MSG));
}
/* V2 interface */
OM_uint32
krb5_gss_verify_mic(minor_status, context_handle,
- message_buffer, token_buffer,
- qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- gss_qop_t *qop_state;
+ message_buffer, token_buffer,
+ qop_state)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t message_buffer;
+ gss_buffer_t token_buffer;
+ gss_qop_t *qop_state;
{
- OM_uint32 rstat;
- int qstate;
+ OM_uint32 rstat;
+ int qstate;
rstat = kg_unseal(minor_status, context_handle,
- token_buffer, message_buffer,
- NULL, &qstate, KG_TOK_MIC_MSG);
+ token_buffer, message_buffer,
+ NULL, &qstate, KG_TOK_MIC_MSG);
if (!rstat && qop_state)
- *qop_state = (gss_qop_t) qstate;
+ *qop_state = (gss_qop_t) qstate;
return(rstat);
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 2000 by the Massachusetts Institute of Technology.
* All Rights Reserved.
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
/* V2 interface */
OM_uint32
krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
- qop_req, req_output_size, max_input_size)
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- gss_qop_t qop_req;
- OM_uint32 req_output_size;
- OM_uint32 *max_input_size;
+ qop_req, req_output_size, max_input_size)
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int conf_req_flag;
+ gss_qop_t qop_req;
+ OM_uint32 req_output_size;
+ OM_uint32 *max_input_size;
{
- krb5_gss_ctx_id_rec *ctx;
- OM_uint32 data_size, conflen;
- OM_uint32 ohlen;
- int overhead;
+ krb5_gss_ctx_id_rec *ctx;
+ OM_uint32 data_size, conflen;
+ OM_uint32 ohlen;
+ int overhead;
/* only default qop is allowed */
if (qop_req != GSS_C_QOP_DEFAULT) {
- *minor_status = (OM_uint32) G_UNKNOWN_QOP;
- return(GSS_S_FAILURE);
+ *minor_status = (OM_uint32) G_UNKNOWN_QOP;
+ return(GSS_S_FAILURE);
}
-
+
/* validate the context handle */
if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
}
-
+
ctx = (krb5_gss_ctx_id_rec *) context_handle;
if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
}
if (ctx->proto == 1) {
- /* No pseudo-ASN.1 wrapper overhead, so no sequence length and
- OID. */
- OM_uint32 sz = req_output_size;
- /* Token header: 16 octets. */
- if (conf_req_flag) {
- while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size)
- sz--;
- /* Allow for encrypted copy of header. */
- if (sz > 16)
- sz -= 16;
- else
- sz = 0;
+ /* No pseudo-ASN.1 wrapper overhead, so no sequence length and
+ OID. */
+ OM_uint32 sz = req_output_size;
+ /* Token header: 16 octets. */
+ if (conf_req_flag) {
+ while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size)
+ sz--;
+ /* Allow for encrypted copy of header. */
+ if (sz > 16)
+ sz -= 16;
+ else
+ sz = 0;
#ifdef CFX_EXERCISE
- /* Allow for EC padding. In the MIT implementation, only
- added while testing. */
- if (sz > 65535)
- sz -= 65535;
- else
- sz = 0;
+ /* Allow for EC padding. In the MIT implementation, only
+ added while testing. */
+ if (sz > 65535)
+ sz -= 65535;
+ else
+ sz = 0;
#endif
- } else {
- /* Allow for token header and checksum. */
- if (sz < 16 + ctx->cksum_size)
- sz = 0;
- else
- sz -= (16 + ctx->cksum_size);
- }
+ } else {
+ /* Allow for token header and checksum. */
+ if (sz < 16 + ctx->cksum_size)
+ sz = 0;
+ else
+ sz -= (16 + ctx->cksum_size);
+ }
- *max_input_size = sz;
- *minor_status = 0;
- return GSS_S_COMPLETE;
+ *max_input_size = sz;
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
}
/* Calculate the token size and subtract that from the output size */
conflen = kg_confounder_size(ctx->k5_context, ctx->enc);
data_size = (conflen + data_size + 8) & (~(OM_uint32)7);
ohlen = g_token_size(ctx->mech_used,
- (unsigned int) (data_size + ctx->cksum_size + 14))
- - req_output_size;
+ (unsigned int) (data_size + ctx->cksum_size + 14))
+ - req_output_size;
if (ohlen+overhead < req_output_size)
- /*
- * Cannot have trailer length that will cause us to pad over our
- * length.
- */
- *max_input_size = (req_output_size - ohlen - overhead) & (~(OM_uint32)7);
+ /*
+ * Cannot have trailer length that will cause us to pad over our
+ * length.
+ */
+ *max_input_size = (req_output_size - ohlen - overhead) & (~(OM_uint32)7);
else
- *max_input_size = 0;
+ *max_input_size = 0;
*minor_status = 0;
return(GSS_S_COMPLETE);