From a631ed069736a1dce90636b63a46dca6763d59b1 Mon Sep 17 00:00:00 2001 From: Paul Park Date: Thu, 31 Aug 1995 17:33:55 +0000 Subject: [PATCH] Update to GSSAPI-V2 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6638 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/gssapi/generic/.Sanitize | 1 + src/lib/gssapi/generic/ChangeLog | 14 + src/lib/gssapi/generic/Makefile.in | 4 +- src/lib/gssapi/generic/disp_major_status.c | 7 +- src/lib/gssapi/generic/gssapi.h | 620 ++++++++++++++------- src/lib/gssapi/generic/gssapiP_generic.h | 43 +- src/lib/gssapi/generic/gssapi_generic.c | 8 +- src/lib/gssapi/generic/oid_ops.c | 351 ++++++++++++ src/lib/gssapi/generic/rel_oid_set.c | 4 + src/lib/gssapi/generic/util_token.c | 6 +- src/lib/gssapi/krb5/.Sanitize | 2 + src/lib/gssapi/krb5/ChangeLog | 15 + src/lib/gssapi/krb5/Makefile.in | 6 +- src/lib/gssapi/krb5/accept_sec_context.c | 10 +- src/lib/gssapi/krb5/acquire_cred.c | 37 +- src/lib/gssapi/krb5/disp_status.c | 4 +- src/lib/gssapi/krb5/gssapiP_krb5.h | 148 ++++- src/lib/gssapi/krb5/gssapi_krb5.c | 8 +- src/lib/gssapi/krb5/import_name.c | 2 +- src/lib/gssapi/krb5/init_sec_context.c | 12 +- src/lib/gssapi/krb5/inq_context.c | 12 +- src/lib/gssapi/krb5/inq_cred.c | 53 +- src/lib/gssapi/krb5/inq_names.c | 87 +++ src/lib/gssapi/krb5/k5seal.c | 59 +- src/lib/gssapi/krb5/k5unseal.c | 24 +- src/lib/gssapi/krb5/krb5_gss_glue.c | 224 +++++++- src/lib/gssapi/krb5/rel_name.c | 2 +- src/lib/gssapi/krb5/rel_oid.c | 55 ++ src/lib/gssapi/krb5/seal.c | 36 ++ src/lib/gssapi/krb5/sign.c | 16 + src/lib/gssapi/krb5/unseal.c | 24 + src/lib/gssapi/krb5/verify.c | 23 + 32 files changed, 1622 insertions(+), 295 deletions(-) create mode 100644 src/lib/gssapi/generic/oid_ops.c create mode 100644 src/lib/gssapi/krb5/inq_names.c create mode 100644 src/lib/gssapi/krb5/rel_oid.c diff --git a/src/lib/gssapi/generic/.Sanitize b/src/lib/gssapi/generic/.Sanitize index dc4d5312f..c76c457d2 100644 --- a/src/lib/gssapi/generic/.Sanitize 
+++ b/src/lib/gssapi/generic/.Sanitize @@ -36,6 +36,7 @@ gssapiP_generic.h gssapi_err_generic.et gssapi_generic.c gssapi_generic.h +oid_ops.c rel_buffer.c rel_oid_set.c util_buffer.c diff --git a/src/lib/gssapi/generic/ChangeLog b/src/lib/gssapi/generic/ChangeLog index 3d8a7ea5c..89f798626 100644 --- a/src/lib/gssapi/generic/ChangeLog +++ b/src/lib/gssapi/generic/ChangeLog @@ -1,4 +1,18 @@ +Thu Aug 31 11:43:59 EDT 1995 Paul Park (pjpark@mit.edu) + * gssapi.h - Update to V2 API. Also use autoconf.h if USE_AUTOCONF_H + is defined, otherwise resort to brute force. Remove const_ + gss_OID, as it's not defined in the API. + * gssapiP_generic.h - Add new V2 dispatch prototypes. Update + arguments to be compatible with V2 API. + * disp_major_status.c - Describe new failure codes. Update argument. + * gssapi_generic.c - Replace const_gss_OID. + * rel_oid_set.c - Free individual OID data also. + * util_token.c - Replace const_gss_OID. + * oid_ops.c - New V2 OID set manipulation routines. + * Makefile.in, .Sanitize - Add oid_ops.c. + + Tue Aug 29 13:30:29 EDT 1995 Paul Park (pjpark@mit.edu) * gssapi.h - Add prototypes for gss_{im,ex}port_sec_context. diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in index 626512d9b..2db4458d9 100644 --- a/src/lib/gssapi/generic/Makefile.in +++ b/src/lib/gssapi/generic/Makefile.in @@ -1,4 +1,4 @@ -CFLAGS = $(CCOPTS) $(DEFS) -I. -I$(srcdir) +CFLAGS = $(CCOPTS) $(DEFS) -I. -I$(srcdir) -DUSE_AUTOCONF_H ##DOSBUILDTOP = ..\..\.. ##DOSLIBNAME=..\gssapi.$(LIBEXT) @@ -29,6 +29,7 @@ CCSRCS = \ $(srcdir)/disp_major_status.c \ $(srcdir)/disp_com_err_status.c \ $(srcdir)/gssapi_generic.c \ + $(srcdir)/oid_ops.c \ $(srcdir)/rel_buffer.c \ $(srcdir)/rel_oid_set.c \ $(srcdir)/util_buffer.c \ @@ -42,6 +43,7 @@ CCOBJS = \ disp_major_status.$(OBJEXT) \ disp_com_err_status.$(OBJEXT) \ gssapi_generic.$(OBJEXT) \ + oid_ops.$(OBJEXT) \ rel_buffer.$(OBJEXT) \ rel_oid_set.$(OBJEXT) \ util_buffer.$(OBJEXT) \ 
diff --git a/src/lib/gssapi/generic/disp_major_status.c b/src/lib/gssapi/generic/disp_major_status.c
index c6f82789d..ad0b17f20 100644
--- a/src/lib/gssapi/generic/disp_major_status.c
+++ b/src/lib/gssapi/generic/disp_major_status.c
@@ -62,7 +62,10 @@ static const char * const routine_error_string[] = {
    "A credential was invalid",
    "The referenced credentials have expired",
    "The context has expired",
-   "Miscellaneous failure",
+   "Miscellaneous failure",
+   "The quality-of-protection requested could not be provided",
+   "The operation is forbidden by the local security policy",
+   "The operation or option is not available",
 };
 
 static const char * const routine_error = "routine error";
@@ -206,7 +209,7 @@ OM_uint32 g_display_major_status(minor_status, status_value,
 				 message_context, status_string)
      OM_uint32 *minor_status;
      OM_uint32 status_value;
-     int *message_context;
+     OM_uint32 *message_context;
      gss_buffer_t status_string;
 {
    OM_uint32 ret, tmp;
diff --git a/src/lib/gssapi/generic/gssapi.h b/src/lib/gssapi/generic/gssapi.h
index 7d4174444..7f79ca1bb 100644
--- a/src/lib/gssapi/generic/gssapi.h
+++ b/src/lib/gssapi/generic/gssapi.h
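Review bot: The three strings appended to routine_error_string[] are only safe if the code that indexes this table bounds-checks against the array length rather than a hard-coded count of the thirteen V1 routine errors; otherwise GSS_S_BAD_QOP, GSS_S_UNAUTHORIZED and GSS_S_UNAVAILABLE either fall through to the generic message or index past the old end of the table. That lookup lives in g_display_major_status, whose body continues outside the second hunk, so I cannot see which form it takes. I would add above the table `/* Indexed by routine-error number; keep in step with the GSS_S_* routine errors in gssapi.h */` and have the lookup use `sizeof(routine_error_string) / sizeof(routine_error_string[0])` as its bound.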
@@ -23,21 +23,40 @@ #ifndef _GSSAPI_H_ #define _GSSAPI_H_ -/* for general config: */ -#ifndef NO_STDLIB_H -#include -#endif -#include - /* - * First, define the platform-dependent types. + * Determine platform-dependent configuration. + */ +#ifdef USE_AUTOCONF_H +/* + * Use autoconf generated header. + */ +#include "autoconf.h" +#define GSS_SIZEOF_INT SIZEOF_INT +#define GSS_SIZEOF_LONG SIZEOF_LONG +#define GSS_SIZEOF_SHORT SIZEOF_SHORT +#else /* USE_AUTOCONF_H */ +/* + * Do it brute force. */ - #ifdef _MSDOS #define GSS_SIZEOF_INT 2 #define GSS_SIZEOF_SHORT 2 #define GSS_SIZEOF_LONG 4 +/* #define HAVE_STDDEF_H 1 */ +/* #define HAVE_XOM_H 1 */ +#else /* _MSDOS */ +#define GSS_SIZEOF_INT 4 +#define GSS_SIZEOF_LONG 4 +#define GSS_SIZEOF_SHORT 2 +/* #define HAVE_STDDEF_H 1 */ +/* #define HAVE_XOM_H 1 */ +#endif /* _MSDOS */ +#endif /* USE_AUTOCONF_H */ +/* + * Define INTERFACE, INTERFACE_C and FAR. + */ +#ifdef _MSDOS #ifndef INTERFACE #define INTERFACE __far __export __pascal #define INTERFACE_C __far __export __cdecl 
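Review bot: In the brute-force branch `HAVE_STDDEF_H` is left commented out, yet the header goes on (later in this patch) to declare `size_t count` in gss_OID_set_desc while the guarded include that used to be here (apparently <stdlib.h>, going by the NO_STDLIB_H guard) is removed; a translation unit that includes gssapi.h first without USE_AUTOCONF_H will no longer compile. Either enable `#define HAVE_STDDEF_H 1` in the non-MSDOS arm, since <stddef.h> is part of ANSI C, or include it unconditionally. Separately, `#include "autoconf.h"` makes an installable public header depend on a build-tree file, and an application built with -DUSE_AUTOCONF_H picks up whichever autoconf.h is on its include path; a comment stating that USE_AUTOCONF_H is for building the library itself would prevent that misuse.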
@@ -47,53 +66,80 @@ #define FAR _far #endif /* FAR */ #else /* _MSDOS */ -/* - * XXX we need to fix this to be modified by autoconf... - */ -#define GSS_SIZEOF_INT 4 -#define GSS_SIZEOF_LONG 4 -#define GSS_SIZEOF_SHORT 2 #ifndef FAR #define FAR #define INTERFACE #endif /* FAR */ #endif -#if (GSS_SIZEOF_INT == 4) -typedef unsigned int OM_uint32; -#elif (GSS_SIZEOF_LONG == 4) -typedef unsigned long OM_uint32; -#elif (GSS_SIZEOF_SHORT == 4) -typedef unsigned short OM_uint32; +/* + * Make sure we have a definition for PROTOTYPE. + */ +#if !defined(PROTOTYPE) +#if defined(__STDC__) || defined(_WINDOWS) +#define PROTOTYPE(x) x +#else +#define PROTOTYPE(x) () #endif +#endif + +/* + * First, include stddef.h to get size_t defined. + */ +#if HAVE_STDDEF_H +#include +#endif /* HAVE_STDDEF_H */ + +/* + * If the platform supports the xom.h header file, it should be included here. + */ +#if HAVE_XOM_H +#include +#endif /* HAVE_XOM_H */ +/* + * First, define the three platform-dependent pointer types. + */ typedef void FAR * gss_name_t; typedef void FAR * gss_cred_id_t; typedef void FAR * gss_ctx_id_t; -#if !defined(PROTOTYPE) -#if defined(__STDC__) || defined(_WINDOWS) -#define PROTOTYPE(x) x -#else -#define PROTOTYPE(x) () +/* + * The following type must be defined as the smallest natural unsigned integer + * supported by the platform that has at least 32 bits of precision. + */ +#if (GSS_SIZEOF_SHORT == 4) +typedef unsigned short gss_uint32; +#elif (GSS_SIZEOF_INT == 4) +typedef unsigned int gss_uint32; +#elif (GSS_SIZEOF_LONG == 4) +typedef unsigned long gss_uint32; #endif + +#ifdef OM_STRING +/* + * We have included the xom.h header file. Verify that OM_uint32 is defined + * correctly. 
+ */ +#if sizeof(gss_uint32) != sizeof(OM_uint32) +#error Incompatible definition of OM_uint32 from xom.h #endif +typedef OM_object_identifier gss_OID_desc, *gss_OID; +#else /* OM_STRING */ /* - * Note that a platform supporting the xom.h X/Open header file - * may make use of that header for the definitions of OM_uint32 - * and the structure to which gss_OID_desc equates. + * We can't use X/Open definitions, so roll our own. */ +typedef gss_uint32 OM_uint32; typedef struct gss_OID_desc_struct { OM_uint32 length; void FAR *elements; } gss_OID_desc, FAR *gss_OID; - -typedef const gss_OID_desc FAR * const const_gss_OID; +#endif /* OM_STRING */ typedef struct gss_OID_set_desc_struct { - int count; + size_t count; gss_OID elements; } gss_OID_set_desc, FAR *gss_OID_set; @@ -110,10 +156,15 @@ typedef struct gss_channel_bindings_struct { gss_buffer_desc application_data; } FAR *gss_channel_bindings_t; +/* + * For now, define a QOP-type as an OM_uint32 (pending resolution of ongoing + * discussions). + */ +typedef OM_uint32 gss_qop_t; +typedef int gss_cred_usage_t; /* - * Six independent flags each of which indicates that a context - * supports a specific service option. + * Flag bits for context-level services. */ #define GSS_C_DELEG_FLAG 1 #define GSS_C_MUTUAL_FLAG 2 @@ -121,7 +172,7 @@ typedef struct gss_channel_bindings_struct { #define GSS_C_SEQUENCE_FLAG 8 #define GSS_C_CONF_FLAG 16 #define GSS_C_INTEG_FLAG 32 - +#define GSS_C_ANON_FLAG 64 /* * Credential usage options 
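Review bot: `#if sizeof(gss_uint32) != sizeof(OM_uint32)` is not a valid preprocessor conditional: the preprocessor treats `sizeof` as an ordinary identifier and replaces it with 0, so the first platform that defines OM_STRING via xom.h gets a preprocessor syntax error instead of the intended check. A C89 compile-time size check needs the negative-array trick placed after the typedefs, e.g. `typedef char gss_om_uint32_check[(sizeof(gss_uint32) == sizeof(OM_uint32)) ? 1 : -1];`. The gss_uint32 selection chain also has no `#else` arm, so a platform where none of short/int/long is 4 bytes gets an opaque "unknown type" error at the first use rather than an `#error` naming the problem. Note too that the xom.h branch declares `*gss_OID` without FAR while the home-grown branch declares `FAR *gss_OID`, so the two branches would not agree on pointer width on a FAR-using build.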
@@ -163,22 +214,31 @@ typedef struct gss_channel_bindings_struct { #define GSS_C_AF_NULLADDR 255 +/* + * Various Null values. + */ #define GSS_C_NO_BUFFER ((gss_buffer_t) 0) -#define GSS_C_NULL_OID ((gss_OID) 0) -#define GSS_C_NULL_OID_SET ((gss_OID_set) 0) -#define GSS_C_NO_NAME ((gss_name_t) 0) +#define GSS_C_NO_OID ((gss_OID) 0) +#define GSS_C_NO_OID_SET ((gss_OID_set) 0) #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) #define GSS_C_EMPTY_BUFFER {0, NULL} /* - * Define the default Quality of Protection for per-message - * services. Note that an implementation that offers multiple - * levels of QOP may either reserve a value (for example zero, - * as assumed here) to mean "default protection", or alternatively - * may simply equate GSS_C_QOP_DEFAULT to a specific explicit QOP - * value. + * Some alternate names for a couple of the above values. These are defined + * for V1 compatibility. + */ +#define GSS_C_NULL_OID GSS_C_NO_OID +#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET + +/* + * Define the default Quality of Protection for per-message services. Note + * that an implementation that offers multiple levels of QOP may either reserve + * a value (for example zero, as assumed here) to mean "default protection", or + * alternatively may simply equate GSS_C_QOP_DEFAULT to a specific explicit + * QOP value. However a value of 0 should always be interpreted by a GSSAPI + * implementation as a request for the default protection level. */ #define GSS_C_QOP_DEFAULT 0 @@ -186,7 +246,7 @@ typedef struct gss_channel_bindings_struct { * Expiration time of 2^32-1 seconds means infinite lifetime for a * credential or security context */ -#define GSS_C_INDEFINITE 0xffffffff +#define GSS_C_INDEFINITE 0xfffffffful /* Major status codes */ 
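Review bot: `GSS_C_NO_NAME` is deleted in this hunk and nothing on the new side re-adds it, even though the hunk deliberately keeps V1 aliases for the other renamed null values; existing callers that pass GSS_C_NO_NAME as desired_name to gss_acquire_cred to request the default credential will stop compiling. It belongs with the other null values: `#define GSS_C_NO_NAME ((gss_name_t) 0)`. Since the `ul` suffix now makes GSS_C_INDEFINITE an unsigned long, a short comment that it is meant to be compared only with OM_uint32 values would head off sign-comparison surprises on hosts where long is wider than 32 bits.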
@@ -199,12 +259,14 @@ typedef struct gss_channel_bindings_struct { #define GSS_C_CALLING_ERROR_OFFSET 24 #define GSS_C_ROUTINE_ERROR_OFFSET 16 #define GSS_C_SUPPLEMENTARY_OFFSET 0 -#define GSS_C_CALLING_ERROR_MASK 0377 -#define GSS_C_ROUTINE_ERROR_MASK 0377 -#define GSS_C_SUPPLEMENTARY_MASK 0177777 +#define GSS_C_CALLING_ERROR_MASK 0377ul +#define GSS_C_ROUTINE_ERROR_MASK 0377ul +#define GSS_C_SUPPLEMENTARY_MASK 0177777ul /* - * The macros that test status codes for error conditions + * The macros that test status codes for error conditions. Note that the + * GSS_ERROR() macro has changed slightly from the V1 GSSAPI so that it now + * evaluates its argument only once. */ #define GSS_CALLING_ERROR(x) \ ((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) @@ -213,16 +275,8 @@ typedef struct gss_channel_bindings_struct { #define GSS_SUPPLEMENTARY_INFO(x) \ ((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) #define GSS_ERROR(x) \ - ((GSS_CALLING_ERROR(x) != 0) || (GSS_ROUTINE_ERROR(x) != 0)) - -/* XXXX these are not part of the GSSAPI C bindings! (but should be) */ - -#define GSS_CALLING_ERROR_FIELD(x) \ - (((x) >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK) -#define GSS_ROUTINE_ERROR_FIELD(x) \ - (((x) >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK) -#define GSS_SUPPLEMENTARY_INFO_FIELD(x) \ - (((x) >> GSS_C_SUPPLEMENTARY_OFFSET) & GSS_C_SUPPLEMENTARY_MASK) + ((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ + (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) /* * Now the actual status code definitions 
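Review bot: The new comment on GSS_ERROR() says the argument is now evaluated once but not that the result changed: the V1 form yielded 0 or 1, while the new form yields the masked calling/routine bits (an unsigned long, up to 0xffff0000), so V1 code that wrote `if (GSS_ERROR(maj) == 1)` or stored the result in a `char`/`short` and tested it (the low 16 bits are always zero) silently breaks. I would extend the comment: ` * ... and now yields the nonzero error bits rather than 0/1; test it only for zero/nonzero.` The `ul` suffixes on the masks also make every status expression unsigned long rather than OM_uint32, which is harmless for the bit tests here but worth a line next to the mask definitions.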
@@ -232,38 +286,39 @@ typedef struct gss_channel_bindings_struct { * Calling errors: */ #define GSS_S_CALL_INACCESSIBLE_READ \ - (1 << GSS_C_CALLING_ERROR_OFFSET) + (1ul << GSS_C_CALLING_ERROR_OFFSET) #define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2 << GSS_C_CALLING_ERROR_OFFSET) + (2ul << GSS_C_CALLING_ERROR_OFFSET) #define GSS_S_CALL_BAD_STRUCTURE \ - (3 << GSS_C_CALLING_ERROR_OFFSET) + (3ul << GSS_C_CALLING_ERROR_OFFSET) /* * Routine errors: */ -#define GSS_S_BAD_MECH (1 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAME (2 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAMETYPE (3 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_BINDINGS (4 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_STATUS (5 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_SIG (6 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NO_CRED (7 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NO_CONTEXT (8 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_TOKEN (9 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_CREDENTIAL (10 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CREDENTIALS_EXPIRED (11 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CONTEXT_EXPIRED (12 << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_FAILURE (13 << GSS_C_ROUTINE_ERROR_OFFSET) -/* XXXX This is a necessary evil until the spec is fixed */ -#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE +#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define 
GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET) /* * Supplementary info bits: */ -#define GSS_S_CONTINUE_NEEDED (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) -#define GSS_S_DUPLICATE_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) -#define GSS_S_OLD_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) -#define GSS_S_UNSEQ_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) +#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) +#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) +#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) +#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) /* 
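Review bot: The three new routine errors (14, 15, 16) must line up position-for-position with routine_error_string[] in disp_major_status.c, which this same patch extends, and neither file states that coupling. A comment above GSS_S_BAD_MECH such as `/* Routine-error numbers index routine_error_string[] in disp_major_status.c; add entries there too */` would keep the next addition consistent. The removal of `GSS_S_CRED_UNAVAIL` from this spot is fine only because the alias is re-created at the end of the header later in the same patch.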
@@ -271,185 +326,346 @@ typedef struct gss_channel_bindings_struct { */ OM_uint32 INTERFACE gss_acquire_cred -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_name_t, /* desired_name */ - OM_uint32, /* time_req */ - gss_OID_set, /* desired_mechs */ - int, /* cred_usage */ - gss_cred_id_t FAR *,/* output_cred_handle */ - gss_OID_set FAR *, /* actual_mechs */ - OM_uint32 FAR * /* time_rec */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_name_t, /* desired_name */ + OM_uint32, /* time_req */ + gss_OID_set, /* desired_mechs */ + gss_cred_usage_t, /* cred_usage */ + gss_cred_id_t FAR *, /* output_cred_handle */ + gss_OID_set FAR *, /* actual_mechs */ + OM_uint32 FAR * /* time_rec */ )); OM_uint32 INTERFACE gss_release_cred -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_cred_id_t FAR * /* cred_handle */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_cred_id_t FAR * /* cred_handle */ )); OM_uint32 INTERFACE gss_init_sec_context -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_cred_id_t, /* claimant_cred_handle */ - gss_ctx_id_t FAR *, /* context_handle */ - gss_name_t, /* target_name */ - const_gss_OID, /* mech_type */ - int, /* req_flags */ - OM_uint32, /* time_req */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_buffer_t, /* input_token */ - gss_OID FAR *, /* actual_mech_type */ - gss_buffer_t, /* output_token */ - int FAR *, /* ret_flags */ - OM_uint32 FAR * /* time_rec */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_cred_id_t, /* claimant_cred_handle */ + gss_ctx_id_t FAR *, /* context_handle */ + gss_name_t, /* target_name */ + gss_OID, /* mech_type (used to be const) */ + OM_uint32, /* req_flags */ + OM_uint32, /* time_req */ + gss_channel_bindings_t, /* input_chan_bindings */ + gss_buffer_t, /* input_token */ + gss_OID FAR *, /* actual_mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32 FAR *, /* ret_flags */ + OM_uint32 FAR * /* time_rec */ )); OM_uint32 INTERFACE gss_accept_sec_context 
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t FAR *, /* context_handle */ - gss_cred_id_t, /* verifier_cred_handle */ - gss_buffer_t, /* input_token_buffer */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_name_t FAR *, /* src_name */ - gss_OID FAR *, /* mech_type */ - gss_buffer_t, /* output_token */ - int FAR *, /* ret_flags */ - OM_uint32 FAR *, /* time_rec */ - gss_cred_id_t FAR * /* delegated_cred_handle */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t FAR *, /* context_handle */ + gss_cred_id_t, /* acceptor_cred_handle */ + gss_buffer_t, /* input_token_buffer */ + gss_channel_bindings_t, /* input_chan_bindings */ + gss_name_t FAR *, /* src_name */ + gss_OID FAR *, /* mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32 FAR *, /* ret_flags */ + OM_uint32 FAR *, /* time_rec */ + gss_cred_id_t FAR * /* delegated_cred_handle */ )); OM_uint32 INTERFACE gss_process_context_token -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t /* token_buffer */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t /* token_buffer */ )); OM_uint32 INTERFACE gss_delete_sec_context -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t FAR *, /* context_handle */ - gss_buffer_t /* output_token */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t FAR *, /* context_handle */ + gss_buffer_t /* output_token */ )); OM_uint32 INTERFACE gss_context_time -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - OM_uint32 FAR * /* time_rec */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + OM_uint32 FAR * /* time_rec */ )); -OM_uint32 INTERFACE gss_sign -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - )); +/* New for V2 
*/ +OM_uint32 INTERFACE gss_get_mic +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ + )); -OM_uint32 INTERFACE gss_verify -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* token_buffer */ - int FAR * /* qop_state */ - )); +/* New for V2 */ +OM_uint32 INTERFACE gss_verify_mic +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* message_token */ + gss_qop_t * /* qop_state */ + )); -OM_uint32 INTERFACE gss_seal -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - int, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int FAR *, /* conf_state */ - gss_buffer_t /* output_message_buffer */ - )); +/* New for V2 */ +OM_uint32 INTERFACE gss_wrap +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int FAR *, /* conf_state */ + gss_buffer_t /* output_message_buffer */ + )); -OM_uint32 INTERFACE gss_unseal -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int FAR *, /* conf_state */ - int FAR * /* qop_state */ - )); +/* New for V2 */ +OM_uint32 INTERFACE gss_unwrap +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int FAR *, /* conf_state */ + gss_qop_t FAR * /* qop_state */ + )); OM_uint32 INTERFACE gss_display_status -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - OM_uint32, /* status_value */ - int, /* status_type 
*/ - const_gss_OID, /* mech_type */ - int FAR *, /* message_context */ - gss_buffer_t /* status_string */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + OM_uint32, /* status_value */ + int, /* status_type */ + gss_OID, /* mech_type (used to be const) */ + OM_uint32 FAR *, /* message_context */ + gss_buffer_t /* status_string */ )); OM_uint32 INTERFACE gss_indicate_mechs -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_OID_set FAR * /* mech_set */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_OID_set FAR * /* mech_set */ )); OM_uint32 INTERFACE gss_compare_name -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_name_t, /* name1 */ - gss_name_t, /* name2 */ - int FAR * /* name_equal */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_name_t, /* name1 */ + gss_name_t, /* name2 */ + int FAR * /* name_equal */ )); OM_uint32 INTERFACE gss_display_name -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_name_t, /* input_name */ - gss_buffer_t, /* output_name_buffer */ - gss_OID FAR * /* output_name_type */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_name_t, /* input_name */ + gss_buffer_t, /* output_name_buffer */ + gss_OID FAR * /* output_name_type */ )); OM_uint32 INTERFACE gss_import_name -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_buffer_t, /* input_name_buffer */ - const_gss_OID, /* input_name_type */ - gss_name_t FAR * /* output_name */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_buffer_t, /* input_name_buffer */ + gss_OID, /* input_name_type(used to be const) */ + gss_name_t FAR * /* output_name */ )); OM_uint32 INTERFACE gss_release_name -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_name_t FAR * /* input_name */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_name_t FAR * /* input_name */ )); OM_uint32 INTERFACE gss_release_buffer -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_buffer_t /* buffer */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_buffer_t /* buffer */ 
)); OM_uint32 INTERFACE gss_release_oid_set -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_OID_set FAR * /* set */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_OID_set FAR * /* set */ )); OM_uint32 INTERFACE gss_inquire_cred -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_cred_id_t, /* cred_handle */ - gss_name_t FAR *, /* name */ - OM_uint32 FAR *, /* lifetime */ - int FAR *, /* cred_usage */ - gss_OID_set FAR * /* mechanisms */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_cred_id_t, /* cred_handle */ + gss_name_t FAR *, /* name */ + OM_uint32 FAR *, /* lifetime */ + gss_cred_usage_t FAR *, /* cred_usage */ + gss_OID_set FAR * /* mechanisms */ )); +/* Last argument new for V2 */ OM_uint32 INTERFACE gss_inquire_context -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_name_t FAR *, /* initiator_name */ - gss_name_t FAR *, /* acceptor_name */ - OM_uint32 FAR *, /* lifetime_rec */ - gss_OID FAR *, /* mech_type */ - int FAR *, /* ret_flags */ - int FAR * /* locally_initiated */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_name_t FAR *, /* src_name */ + gss_name_t FAR *, /* targ_name */ + OM_uint32 FAR *, /* lifetime_rec */ + gss_OID FAR *, /* mech_type */ + OM_uint32 FAR *, /* ctx_flags */ + int FAR *, /* locally_initiated */ + int FAR * /* open */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_wrap_size_limit +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + OM_uint32, /* req_output_size */ + OM_uint32 * /* max_input_size */ )); +/* New for V2 */ +OM_uint32 INTERFACE gss_import_name_object +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + void FAR *, /* input_name */ + gss_OID, /* input_name_type */ + gss_name_t FAR * /* output_name */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_export_name_object +PROTOTYPE( (OM_uint32 FAR *, /* minor_status 
*/ + gss_name_t, /* input_name */ + gss_OID, /* desired_name_type */ + void FAR * FAR * /* output_name */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_add_cred +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_cred_id_t, /* input_cred_handle */ + gss_name_t, /* desired_name */ + gss_OID, /* desired_mech */ + gss_cred_usage_t, /* cred_usage */ + OM_uint32, /* initiator_time_req */ + OM_uint32, /* acceptor_time_req */ + gss_cred_id_t FAR *, /* output_cred_handle */ + gss_OID_set FAR *, /* actual_mechs */ + OM_uint32 FAR *, /* initiator_time_rec */ + OM_uint32 FAR * /* acceptor_time_rec */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_inquire_cred_by_mech +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_cred_id_t, /* cred_handle */ + gss_OID, /* mech_type */ + gss_name_t FAR *, /* name */ + OM_uint32 FAR *, /* initiator_lifetime */ + OM_uint32 FAR *, /* acceptor_lifetime */ + gss_cred_usage_t FAR * /* cred_usage */ + )); + +/* New for V2 */ OM_uint32 INTERFACE gss_export_sec_context -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_ctx_id_t FAR *, /* context_handle */ - gss_buffer_t /* interprocess_token */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t FAR *, /* context_handle */ + gss_buffer_t /* interprocess_token */ )); +/* New for V2 */ OM_uint32 INTERFACE gss_import_sec_context -PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ - gss_buffer_t, /* interprocess_token */ - gss_ctx_id_t FAR * /* context_handle */ +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_buffer_t, /* interprocess_token */ + gss_ctx_id_t FAR * /* context_handle */ )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_release_oid +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_OID FAR * /* oid */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_create_empty_oid_set +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_OID_set FAR * /* oid_set */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_add_oid_set_member +PROTOTYPE( (OM_uint32 FAR 
*, /* minor_status */ + gss_OID, /* member_oid */ + gss_OID_set FAR * /* oid_set */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_test_oid_set_member +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_OID, /* member */ + gss_OID_set, /* set */ + int FAR * /* present */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_str_to_oid +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_buffer_t, /* oid_str */ + gss_OID FAR * /* oid */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_oid_to_str +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_OID, /* oid */ + gss_buffer_t /* oid_str */ + )); + +/* New for V2 */ +OM_uint32 INTERFACE gss_inquire_names_for_mech +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_OID, /* mechanism */ + gss_OID_set FAR * /* name_types */ + )); + +/* + * The following routines are obsolete variants of gss_get_mic, gss_wrap, + * gss_verify_mic and gss_unwrap. They should be provided by GSSAPI V2 + * implementations for backwards compatibility with V1 applications. Distinct + * entrypoints (as opposed to #defines) should be provided, to allow GSSAPI + * V1 applications to link against GSSAPI V2 implementations. 
+ */ +OM_uint32 INTERFACE gss_sign +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ + )); + +OM_uint32 INTERFACE gss_verify +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* token_buffer */ + int FAR * /* qop_state */ + )); + +OM_uint32 INTERFACE gss_seal +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + int, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int FAR *, /* conf_state */ + gss_buffer_t /* output_message_buffer */ + )); + +OM_uint32 INTERFACE gss_unseal +PROTOTYPE( (OM_uint32 FAR *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int FAR *, /* conf_state */ + int FAR * /* qop_state */ + )); + +/* XXXX these are not part of the GSSAPI C bindings! (but should be) */ + +#define GSS_CALLING_ERROR_FIELD(x) \ + (((x) >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK) +#define GSS_ROUTINE_ERROR_FIELD(x) \ + (((x) >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK) +#define GSS_SUPPLEMENTARY_INFO_FIELD(x) \ + (((x) >> GSS_C_SUPPLEMENTARY_OFFSET) & GSS_C_SUPPLEMENTARY_MASK) + +/* XXXX This is a necessary evil until the spec is fixed */ +#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE + #endif /* _GSSAPI_H_ */ diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h index 21ac01c89..ab7eddf97 100644 --- a/src/lib/gssapi/generic/gssapiP_generic.h +++ b/src/lib/gssapi/generic/gssapiP_generic.h 
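Review bot: Two of the new out-parameters omit the FAR qualifier that every other pointer in these prototypes carries: `gss_qop_t * /* qop_state */` in gss_verify_mic and `OM_uint32 * /* max_input_size */` in gss_wrap_size_limit. On the MSDOS builds this header caters for, FAR selects a different pointer width, so a caller compiled against this header would pass a near pointer where the implementation expects a far one; they should read `gss_qop_t FAR *` and `OM_uint32 FAR *`. The gss_inquire_context comment rename from initiator_name/acceptor_name to src_name/targ_name is harmless here, but the krb5 implementation's argument order is not visible in this hunk and is worth confirming against inq_context.c.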
@@ -93,17 +93,17 @@ int g_make_string_buffer PROTOTYPE((const char *str, gss_buffer_t buffer)); int g_copy_OID_set PROTOTYPE((const gss_OID_set_desc * const in, gss_OID_set *out)); -int g_token_size PROTOTYPE((const_gss_OID mech, unsigned int body_size)); +int g_token_size PROTOTYPE((gss_OID mech, unsigned int body_size)); -void g_make_token_header PROTOTYPE((const_gss_OID mech, int body_size, +void g_make_token_header PROTOTYPE((gss_OID mech, int body_size, unsigned char **buf, int tok_type)); -int g_verify_token_header PROTOTYPE((const_gss_OID mech, int *body_size, +int g_verify_token_header PROTOTYPE((gss_OID mech, int *body_size, unsigned char **buf, int tok_type, int toksize)); OM_uint32 g_display_major_status PROTOTYPE((OM_uint32 *minor_status, OM_uint32 status_value, - int *message_context, + OM_uint32 *message_context, gss_buffer_t status_string)); OM_uint32 g_display_com_err_status PROTOTYPE((OM_uint32 *minor_status, @@ -126,4 +126,39 @@ PROTOTYPE( (OM_uint32*, /* minor_status */ gss_OID_set* /* set */ )); +OM_uint32 generic_gss_release_oid +PROTOTYPE( (OM_uint32 *, /* minor_status */ + gss_OID * /* oid */ + )); + +OM_uint32 generic_gss_create_empty_oid_set +PROTOTYPE( (OM_uint32 *, /* minor_status */ + gss_OID_set * /* oid_set */ + )); + +OM_uint32 generic_gss_add_oid_set_member +PROTOTYPE( (OM_uint32 *, /* minor_status */ + gss_OID, /* member_oid */ + gss_OID_set * /* oid_set */ + )); + +OM_uint32 generic_gss_test_oid_set_member +PROTOTYPE( (OM_uint32 *, /* minor_status */ + gss_OID, /* member */ + gss_OID_set, /* set */ + int * /* present */ + )); + +OM_uint32 generic_gss_oid_to_str +PROTOTYPE( (OM_uint32 *, /* minor_status */ + gss_OID, /* oid */ + gss_buffer_t /* oid_str */ + )); + +OM_uint32 generic_gss_str_to_oid +PROTOTYPE( (OM_uint32 *, /* minor_status */ + gss_buffer_t, /* oid_str */ + gss_OID * /* oid */ + )); + #endif /* _GSSAPIP_GENERIC_H_ */ 
diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c index 8f88a8c21..f94e424cf 100644 --- a/src/lib/gssapi/generic/gssapi_generic.c +++ b/src/lib/gssapi/generic/gssapi_generic.c @@ -49,7 +49,7 @@ static const gss_OID_desc oids[] = { {10, "\052\206\110\206\367\022\001\002\001\004"}, }; -const_gss_OID gss_nt_user_name = oids+0; -const_gss_OID gss_nt_machine_uid_name = oids+1; -const_gss_OID gss_nt_string_uid_name = oids+2; -const_gss_OID gss_nt_service_name = oids+3; +const gss_OID_desc * const gss_nt_user_name = oids+0; +const gss_OID_desc * const gss_nt_machine_uid_name = oids+1; +const gss_OID_desc * const gss_nt_string_uid_name = oids+2; +const gss_OID_desc * const gss_nt_service_name = oids+3; diff --git a/src/lib/gssapi/generic/oid_ops.c b/src/lib/gssapi/generic/oid_ops.c new file mode 100644 index 000000000..d7af94d53 --- /dev/null +++ b/src/lib/gssapi/generic/oid_ops.c 
@@ -0,0 +1,351 @@ +/* + * lib/gssapi/generic/oid_ops.c + * + * Copyright 1995 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ + +/* + * oid_ops.c - GSS-API V2 interfaces to manipulate OIDs + */ + +#include "gssapiP_generic.h" +#include "gssapi_generic.h" + +OM_uint32 +generic_gss_release_oid(minor_status, oid) + OM_uint32 *minor_status; + gss_OID *oid; +{ + *minor_status = 0; + + if (*oid == GSS_C_NO_OID) + return(GSS_S_COMPLETE); + + /* + * The V2 API says the following! + * + * gss_release_oid[()] will recognize any of the GSSAPI's own OID values, + * and will silently ignore attempts to free these OIDs; for other OIDs + * it will call the C free() routine for both the OID data and the + * descriptor. This allows applications to freely mix their own heap- + * allocated OID values with OIDs returned by GSS-API. 
+ */ + if ((*oid != gss_nt_user_name) && + (*oid != gss_nt_machine_uid_name) && + (*oid != gss_nt_string_uid_name) && + (*oid != gss_nt_service_name)) { + xfree((*oid)->elements); + xfree(*oid); + } + *oid = GSS_C_NO_OID; + return(GSS_S_COMPLETE); +} + +OM_uint32 +generic_gss_create_empty_oid_set(minor_status, oid_set) + OM_uint32 *minor_status; + gss_OID_set *oid_set; +{ + if ((*oid_set = (gss_OID_set) xmalloc(sizeof(gss_OID_set_desc)))) { + memset(*oid_set, 0, sizeof(gss_OID_set_desc)); + *minor_status = 0; + return(GSS_S_COMPLETE); + } + else { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } +} + +OM_uint32 +generic_gss_add_oid_set_member(minor_status, member_oid, oid_set) + OM_uint32 *minor_status; + gss_OID member_oid; + gss_OID_set *oid_set; +{ + gss_OID elist; + gss_OID lastel; + + elist = (*oid_set)->elements; + /* Get an enlarged copy of the array */ + if (((*oid_set)->elements = (gss_OID) xmalloc(((*oid_set)->count+1) * + sizeof(gss_OID_desc)))) { + /* Copy in the old junk */ + if (elist) + memcpy((*oid_set)->elements, + elist, + ((*oid_set)->count * sizeof(gss_OID_desc))); + + /* Duplicate the input element */ + lastel = &(*oid_set)->elements[(*oid_set)->count]; + if ((lastel->elements = + (void *) xmalloc((size_t) member_oid->length))) { + /* Success - copy elements */ + memcpy(lastel->elements, member_oid->elements, + (size_t) member_oid->length); + /* Set length */ + lastel->length = member_oid->length; + + /* Update count */ + (*oid_set)->count++; + if (elist) + xfree(elist); + *minor_status = 0; + return(GSS_S_COMPLETE); + } + else + xfree((*oid_set)->elements); + } + /* Failure - restore old contents of list */ + (*oid_set)->elements = elist; + *minor_status = ENOMEM; + return(GSS_S_FAILURE); +} + +OM_uint32 +generic_gss_test_oid_set_member(minor_status, member, set, present) + OM_uint32 *minor_status; + gss_OID member; + gss_OID_set set; + int *present; +{ + size_t i; + int result; + + result = 0; + for (i=0; icount; i++) { + if 
((set->elements[i].length == member->length) && + !memcmp(set->elements[i].elements, + member->elements, + member->length)) { + result = 1; + break; + } + } + *present = result; + *minor_status = 0; + return(GSS_S_COMPLETE); +} + +/* + * OID<->string routines. These are uuuuugly. + */ +OM_uint32 +generic_gss_oid_to_str(minor_status, oid, oid_str) + OM_uint32 *minor_status; + gss_OID oid; + gss_buffer_t oid_str; +{ + char numstr[128]; + unsigned long number; + int numshift; + size_t string_length; + size_t i; + unsigned char *cp; + char *bp; + + /* Decoded according to krb5/gssapi_krb5.c */ + + /* First determine the size of the string */ + string_length = 0; + number = 0; + numshift = 0; + cp = (unsigned char *) oid->elements; + number = (unsigned long) cp[0]; + sprintf(numstr, "%d ", number/40); + string_length += strlen(numstr); + sprintf(numstr, "%d ", number%40); + string_length += strlen(numstr); + for (i=1; ilength; i++) { + if ((numshift+7) < (sizeof(unsigned long)*8)) { + number = (number << 7) | (cp[i] & 0x7f); + numshift += 7; + } + else { + *minor_status = EINVAL; + return(GSS_S_FAILURE); + } + if ((cp[i] & 0x80) == 0) { + sprintf(numstr, "%d ", number); + string_length += strlen(numstr); + number = 0; + numshift = 0; + } + } + /* + * If we get here, we've calculated the length of "n n n ... n ". Add 4 + * here for "{ " and "}\0". 
+ */ + string_length += 4; + if ((bp = (char *) xmalloc(string_length))) { + strcpy(bp, "{ "); + number = (unsigned long) cp[0]; + sprintf(numstr, "%d ", number/40); + strcat(bp, numstr); + sprintf(numstr, "%d ", number%40); + strcat(bp, numstr); + number = 0; + cp = (unsigned char *) oid->elements; + for (i=1; ilength; i++) { + number = (number << 7) | (cp[i] & 0x7f); + if ((cp[i] & 0x80) == 0) { + sprintf(numstr, "%d ", number); + strcat(bp, numstr); + number = 0; + } + } + strcat(bp, "}"); + oid_str->length = strlen(bp)+1; + oid_str->value = (void *) bp; + *minor_status = 0; + return(GSS_S_COMPLETE); + } + *minor_status = ENOMEM; + return(GSS_S_FAILURE); +} + +OM_uint32 +generic_gss_str_to_oid(minor_status, oid_str, oid) + OM_uint32 *minor_status; + gss_buffer_t oid_str; + gss_OID *oid; +{ + size_t i; + char *cp, *bp, *startp; + int brace; + long numbuf; + long onumbuf; + OM_uint32 nbytes; + int index; + unsigned char *op; + + brace = 0; + bp = (char *) oid_str->value; + cp = bp; + /* Skip over leading space */ + while ((bp < &cp[oid_str->length]) && isspace(*bp)) + bp++; + if (*bp == '{') { + brace = 1; + bp++; + } + while ((bp < &cp[oid_str->length]) && isspace(*bp)) + bp++; + startp = bp; + nbytes = 0; + + /* + * The first two numbers are chewed up by the first octet. 
+ */ + if (sscanf(bp, "%ld", &numbuf) != 1) { + *minor_status = EINVAL; + return(GSS_S_FAILURE); + } + while ((bp < &cp[oid_str->length]) && isdigit(*bp)) + bp++; + while ((bp < &cp[oid_str->length]) && isspace(*bp)) + bp++; + if (sscanf(bp, "%ld", &numbuf) != 1) { + *minor_status = EINVAL; + return(GSS_S_FAILURE); + } + while ((bp < &cp[oid_str->length]) && isdigit(*bp)) + bp++; + while ((bp < &cp[oid_str->length]) && isspace(*bp)) + bp++; + nbytes++; + while (isdigit(*bp)) { + if (sscanf(bp, "%ld", &numbuf) != 1) { + *minor_status = EINVAL; + return(GSS_S_FAILURE); + } + while (numbuf) { + nbytes++; + numbuf >>= 7; + } + while ((bp < &cp[oid_str->length]) && isdigit(*bp)) + bp++; + while ((bp < &cp[oid_str->length]) && isspace(*bp)) + bp++; + } + if (brace && (*bp != '}')) { + *minor_status = EINVAL; + return(GSS_S_FAILURE); + } + + /* + * Phew! We've come this far, so the syntax is good. + */ + if ((*oid = (gss_OID) malloc(sizeof(gss_OID_desc)))) { + if ((*oid)->elements = (void *) malloc(nbytes)) { + (*oid)->length = nbytes; + op = (unsigned char *) (*oid)->elements; + bp = startp; + sscanf(bp, "%ld", &numbuf); + while (isdigit(*bp)) + bp++; + while (isspace(*bp)) + bp++; + onumbuf = 40*numbuf; + sscanf(bp, "%ld", &numbuf); + onumbuf += numbuf; + *op = (unsigned char) onumbuf; + op++; + while (isdigit(*bp)) + bp++; + while (isspace(*bp)) + bp++; + while (isdigit(*bp)) { + sscanf(bp, "%ld", &numbuf); + nbytes = 0; + /* Have to fill in the bytes msb-first */ + onumbuf = numbuf; + while (numbuf) { + nbytes++; + numbuf >>= 7; + } + numbuf = onumbuf; + op += nbytes; + index = -1; + while (numbuf) { + op[index] = numbuf & 0x7f; + if (index != -1) + op[index] |= 0x80; + index--; + numbuf >>= 7; + } + while (isdigit(*bp)) + bp++; + while (isspace(*bp)) + bp++; + } + *minor_status = 0; + return(GSS_S_COMPLETE); + } + else { + xfree(*oid); + *oid = GSS_C_NO_OID; + } + } + *minor_status = ENOMEM; + return(GSS_S_FAILURE); +} + 
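Review bot: generic_gss_str_to_oid scans beyond the caller's buffer: `oid_str` is a length-counted gss_buffer_t with no guaranteed NUL terminator, yet the `*bp == '{'` test, every `sscanf(bp, "%ld", &numbuf)` call and the entire second (encoding) pass use unbounded `isdigit(*bp)`/`isspace(*bp)` instead of the `bp < &cp[oid_str->length]` guard the first pass applies to its skip loops, so input that ends on a digit keeps reading past `length`. The same routine drops zero-valued arcs, because `while (numbuf) { nbytes++; numbuf >>= 7; }` reserves no octet for an arc of 0 and the encoder's `while (numbuf)` then emits nothing, so `{ 1 2 0 3 }` silently becomes 1.2.3; a `do { ... } while (numbuf);` in both places gives every arc at least one octet. In generic_gss_oid_to_str, `sprintf(numstr, "%d ", number/40)` and the other `%d` conversions receive an `unsigned long`, which is undefined and prints wrong values on LP64 targets; `%lu` is the matching conversion. oid_to_str also reads `cp[0]` without checking `oid->length > 0` and accepts an encoding whose final octet still has the 0x80 continuation bit set, discarding the partial arc instead of returning EINVAL as the shift-overflow branch does, which matters because OIDs are taken from peer-supplied tokens. Minor: `isdigit`/`isspace` should receive `(unsigned char)*bp`, the local `index` shadows the libc function of that name, and str_to_oid allocates with `malloc` but releases with `xfree` unlike the rest of the file.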
diff --git a/src/lib/gssapi/generic/rel_oid_set.c b/src/lib/gssapi/generic/rel_oid_set.c index 2edfe9a39..96f6f8d15 100644 --- a/src/lib/gssapi/generic/rel_oid_set.c +++ b/src/lib/gssapi/generic/rel_oid_set.c @@ -26,11 +26,15 @@ OM_uint32 generic_gss_release_oid_set(minor_status, set) OM_uint32 *minor_status; gss_OID_set *set; { + size_t index; + *minor_status = 0; if (*set == GSS_C_NULL_OID_SET) return(GSS_S_COMPLETE); + for (index=0; index<(*set)->count; index++) + xfree((*set)->elements[index].elements); xfree((*set)->elements); xfree(*set); diff --git a/src/lib/gssapi/generic/util_token.c b/src/lib/gssapi/generic/util_token.c index eadfad82a..d8e5e91ae 100644 --- a/src/lib/gssapi/generic/util_token.c +++ b/src/lib/gssapi/generic/util_token.c @@ -118,7 +118,7 @@ static int der_read_length(buf, bufsize) /* returns the length of a token, given the mech oid and the body size */ int g_token_size(mech, body_size) - const_gss_OID mech; + gss_OID mech; unsigned int body_size; { /* set body_size to sequence contents size */ @@ -130,7 +130,7 @@ int g_token_size(mech, body_size) be the right size. buf is advanced past the token header */ void g_make_token_header(mech, body_size, buf, tok_type) - const_gss_OID mech; + gss_OID mech; int body_size; unsigned char **buf; int tok_type; @@ -149,7 +149,7 @@ void g_make_token_header(mech, body_size, buf, tok_type) to the number of remaining bytes */ int g_verify_token_header(mech, body_size, buf, tok_type, toksize) - const_gss_OID mech; + gss_OID mech; int *body_size; unsigned char **buf; int tok_type; diff --git a/src/lib/gssapi/krb5/.Sanitize b/src/lib/gssapi/krb5/.Sanitize index 9fe1b32f8..bd133d778 100644 --- a/src/lib/gssapi/krb5/.Sanitize +++ b/src/lib/gssapi/krb5/.Sanitize @@ -48,12 +48,14 @@ indicate_mechs.c init_sec_context.c inq_context.c inq_cred.c +inq_names.c k5seal.c k5unseal.c krb5_gss_glue.c process_context_token.c rel_cred.c rel_name.c +rel_oid.c seal.c ser_sctx.c sign.c 
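Review bot: generic_gss_release_oid_set now passes every member's `elements` pointer to xfree(), which is only correct when each member's data is separately heap-owned the way generic_gss_add_oid_set_member builds it. Sets that reference static tables, such as the `oidsets[]` in gssapi_krb5.c whose single member points at the const `oids[]` array, or any set produced by g_copy_OID_set (declared in gssapiP_generic.h; whether it deep-copies member data is not visible in this diff), would hand static or shared memory to free(). A comment above the loop stating the ownership rule, e.g. `/* each member's element data is owned by the set (see generic_gss_add_oid_set_member) */`, plus an audit that no caller releases a statically built set, would make the new contract explicit.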
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 4074450e7..6f5c30ddb 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,18 @@ + +Thu Aug 31 11:50:34 EDT 1995 Paul Park (pjpark@mit.edu) + * gssapiP_krb5.h - Add new V2 dispatch prototypes. Update arguments + to be compatible with V2 API. Add tokens for V2 integrity + and confidentiality services. + * k5seal.c - Add support for V2 tokens and add kg_seal_size() to + support gss_wrap_size_limit(). + * k5unseal.c - Add support for V2 tokens. + * accept_sec_context,disp_status,gssapi_krb5,init_sec_context, + inq_context,rel_name.c - Update arguments to V2. + * acquire_cred,import_name,inq_cred,krb5_gss_glue,seal,sign,unseal, + verify.c - Update arguments to V2 and add new V2 functions. + * rel_oid.c, inq_names.c - New V2 modules. + * Makefile.in, .Sanitize - Add rel_oid.c and inq_names.c + Tue Aug 29 22:38:54 1995 Ezra Peisach * init_sec_context.c (krb5_gss_init_sec_context): Remove diff --git a/src/lib/gssapi/krb5/Makefile.in b/src/lib/gssapi/krb5/Makefile.in index 0c9fbe167..cc5e1f101 100644 --- a/src/lib/gssapi/krb5/Makefile.in +++ b/src/lib/gssapi/krb5/Makefile.in @@ -1,4 +1,4 @@ -CFLAGS = $(CCOPTS) $(DEFS) -I. -I$(srcdir) -I../generic -I$(srcdir)/../generic -I$(srcdir)/../../crypto/md5 +CFLAGS = $(CCOPTS) $(DEFS) -I. -I$(srcdir) -I../generic -I$(srcdir)/../generic -I$(srcdir)/../../crypto/md5 -DUSE_AUTOCONF_H ##DOSBUILDTOP = ..\..\.. ##DOSLIBNAME=..\gssapi.$(LIBEXT) @@ -34,12 +34,14 @@ CCSRCS = \ $(srcdir)/init_sec_context.c \ $(srcdir)/inq_context.c \ $(srcdir)/inq_cred.c \ + $(srcdir)/inq_names.c \ $(srcdir)/k5seal.c \ $(srcdir)/k5unseal.c \ $(srcdir)/krb5_gss_glue.c \ $(srcdir)/process_context_token.c \ $(srcdir)/rel_cred.c \ $(srcdir)/rel_name.c \ + $(srcdir)/rel_oid.c \ $(srcdir)/seal.c \ $(srcdir)/ser_sctx.c \ $(srcdir)/sign.c \ 
@@ -67,12 +69,14 @@ CCOBJS = \ init_sec_context.$(OBJEXT) \ inq_context.$(OBJEXT) \ inq_cred.$(OBJEXT) \ + inq_names.$(OBJEXT) \ k5seal.$(OBJEXT) \ k5unseal.$(OBJEXT) \ krb5_gss_glue.$(OBJEXT) \ process_context_token.$(OBJEXT) \ rel_cred.$(OBJEXT) \ rel_name.$(OBJEXT) \ + rel_oid.$(OBJEXT) \ seal.$(OBJEXT) \ ser_sctx.$(OBJEXT) \ sign.$(OBJEXT) \ diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index ba62cbb20..e4e089eaa 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -39,7 +39,7 @@ krb5_gss_accept_sec_context(context, minor_status, context_handle, gss_name_t *src_name; gss_OID *mech_type; gss_buffer_t output_token; - int *ret_flags; + OM_uint32 *ret_flags; OM_uint32 *time_rec; gss_cred_id_t *delegated_cred_handle; { @@ -65,7 +65,7 @@ krb5_gss_accept_sec_context(context, minor_status, context_handle, /* set up returns to be freeable */ if (src_name) - *src_name = GSS_C_NO_NAME; + *src_name = (gss_name_t) NULL; output_token->length = 0; output_token->value = NULL; if (mech_type) @@ -109,7 +109,7 @@ krb5_gss_accept_sec_context(context, minor_status, context_handle, ptr = (unsigned char *) input_token->value; - if (! g_verify_token_header(gss_mech_krb5, &(ap_req.length), + if (! g_verify_token_header((gss_OID) gss_mech_krb5, &(ap_req.length), &ptr, KG_TOK_CTX_AP_REQ, input_token->length)) { *minor_status = 0; return(GSS_S_DEFECTIVE_TOKEN); @@ -281,7 +281,7 @@ krb5_gss_accept_sec_context(context, minor_status, context_handle, return(GSS_S_FAILURE); } krb5_auth_con_getlocalseqnumber(context, auth_context, &ctx->seq_send); - token.length = g_token_size(gss_mech_krb5, ap_rep.length); + token.length = g_token_size((gss_OID) gss_mech_krb5, ap_rep.length); if ((token.value = (unsigned char *) xmalloc(token.length)) == NULL) { (void)krb5_gss_delete_sec_context(context, minor_status, 
@@ -290,7 +290,7 @@ krb5_gss_accept_sec_context(context, minor_status, context_handle, return(GSS_S_FAILURE); } ptr = token.value; - g_make_token_header(gss_mech_krb5, ap_rep.length, + g_make_token_header((gss_OID) gss_mech_krb5, ap_rep.length, &ptr, KG_TOK_CTX_AP_REP); TWRITE_STR(ptr, ap_rep.data, ap_rep.length); diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index 10563d694..6ffbe49fa 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -61,7 +61,7 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred) /* figure out what principal to use. If the default name is requested, use the default sn2princ output */ - if (desired_name == GSS_C_NO_NAME) { + if (desired_name == (gss_name_t) NULL) { if (code = krb5_sname_to_principal(context, NULL, NULL, KRB5_NT_SRV_HST, &princ)) { *minor_status = code; @@ -160,7 +160,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) return(GSS_S_FAILURE); } - if (desired_name != GSS_C_NO_NAME) { + if (desired_name != (gss_name_t) NULL) { if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) { (void)krb5_free_principal(context, princ); (void)krb5_cc_close(context, ccache); @@ -246,7 +246,7 @@ krb5_gss_acquire_cred(context, minor_status, desired_name, time_req, gss_name_t desired_name; OM_uint32 time_req; gss_OID_set desired_mechs; - int cred_usage; + gss_cred_usage_t cred_usage; gss_cred_id_t *output_cred_handle; gss_OID_set *actual_mechs; OM_uint32 *time_rec; @@ -268,7 +268,7 @@ krb5_gss_acquire_cred(context, minor_status, desired_name, time_req, /* validate the name */ /*SUPPRESS 29*/ - if ((desired_name != GSS_C_NO_NAME) && + if ((desired_name != (gss_name_t) NULL) && (! kg_validate_name(desired_name))) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); 
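Review bot: The `(gss_OID) gss_mech_krb5` casts added here and in the other accept_sec_context.c hunks, and again in the init_sec_context.c hunks, discard the `const` that gssapi_krb5.c now attaches to the object (`const gss_OID_desc * const gss_mech_krb5`), so any write through the pointer inside g_token_size, g_make_token_header or g_verify_token_header would be undefined behavior that the compiler can no longer flag. If those helpers only read the OID, as their former `const_gss_OID` signatures suggested, keeping a const-qualified internal prototype and casting only at the public V2 boundary would preserve that check. The enclosing function, krb5_gss_accept_sec_context, begins and ends outside this hunk.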
@@ -425,3 +425,32 @@ krb5_gss_acquire_cred(context, minor_status, desired_name, time_req, return(GSS_S_COMPLETE); } + +/* V2 interface */ +OM_uint32 +krb5_gss_add_cred(context, minor_status, input_cred_handle, + desired_name, desired_mech, cred_usage, + initiator_time_req, acceptor_time_req, + output_cred_handle, actual_mechs, + initiator_time_rec, acceptor_time_rec) + krb5_context context; + OM_uint32 *minor_status; + gss_cred_id_t input_cred_handle; + gss_name_t desired_name; + gss_OID desired_mech; + gss_cred_usage_t cred_usage; + OM_uint32 initiator_time_req; + OM_uint32 acceptor_time_req; + gss_cred_id_t *output_cred_handle; + gss_OID_set *actual_mechs; + OM_uint32 *initiator_time_rec; + OM_uint32 *acceptor_time_rec; +{ + /* + * This does not apply to our single-mechanism implementation. Until we + * come up with a better error code, return failure. + */ + *minor_status = 0; + return(GSS_S_FAILURE); +} + diff --git a/src/lib/gssapi/krb5/disp_status.c b/src/lib/gssapi/krb5/disp_status.c index 4e04d9b6b..97775147c 100644 --- a/src/lib/gssapi/krb5/disp_status.c +++ b/src/lib/gssapi/krb5/disp_status.c @@ -38,8 +38,8 @@ krb5_gss_display_status(context, minor_status, status_value, status_type, OM_uint32 *minor_status; OM_uint32 status_value; int status_type; - const_gss_OID mech_type; - int *message_context; + gss_OID mech_type; + OM_uint32 *message_context; gss_buffer_t status_string; { status_string->length = 0; diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index f0f42fbd4..dc109f158 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -48,7 +48,9 @@ #define KG_TOK_CTX_ERROR 0x0300 #define KG_TOK_SIGN_MSG 0x0101 #define KG_TOK_SEAL_MSG 0x0201 -#define KG_TOK_DEL_CTX 0x0102 +#define KG_TOK_MIC_MSG 0x0102 +#define KG_TOK_WRAP_MSG 0x0202 +#define KG_TOK_DEL_CTX 0x0103 /** internal types **/ 
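Review bot: krb5_gss_add_cred returns GSS_S_FAILURE unconditionally but leaves `output_cred_handle`, `actual_mechs`, `initiator_time_rec` and `acceptor_time_rec` untouched, so a caller that releases its outputs on the error path works on uninitialized values. Setting `*output_cred_handle = GSS_C_NO_CREDENTIAL;` and `*actual_mechs = GSS_C_NULL_OID_SET;` (each guarded for a NULL pointer) before the return makes the stub safe to call. GSS_S_UNAVAILABLE is the V2 routine-error code for an operation the mechanism does not support and would be a better fit than the placeholder the comment apologizes for, if this gssapi.h defines it.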
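Review bot: Renumbering KG_TOK_DEL_CTX from 0x0102 to 0x0103 while assigning 0x0102 to the new KG_TOK_MIC_MSG changes the wire meaning of an existing token type: a delete-context token emitted by a peer built from the previous revision now carries the MIC token id and would be routed to MIC verification rather than context deletion, and this implementation's delete tokens would be unrecognized by such a peer. If cross-revision interoperability matters, 0x0102 should stay reserved for its old meaning and the new V2 tokens take fresh values. At minimum the header should record the reassignment so later readers do not assume the values were stable, e.g. `/* 0x0102 was KG_TOK_DEL_CTX before the V2 update */`.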
@@ -56,7 +58,7 @@ typedef krb5_principal krb5_gss_name_t; typedef struct _krb5_gss_cred_id_rec { /* name/type of credential */ - int usage; + gss_cred_usage_t usage; krb5_principal princ; /* this is not interned as a gss_name_t */ /* keytab (accept) data */ @@ -75,7 +77,7 @@ typedef struct _krb5_gss_enc_desc { typedef struct _krb5_gss_ctx_id_rec { int initiate; /* nonzero if initiating, zero if accepting */ - int mutual; + OM_uint32 mutual; int seed_init; unsigned char seed[16]; krb5_gss_cred_id_t cred; @@ -173,7 +175,7 @@ PROTOTYPE( (krb5_context, gss_name_t, /* desired_name */ OM_uint32, /* time_req */ gss_OID_set, /* desired_mechs */ - int, /* cred_usage */ + gss_cred_usage_t, /* cred_usage */ gss_cred_id_t*, /* output_cred_handle */ gss_OID_set*, /* actual_mechs */ OM_uint32* /* time_rec */ @@ -191,15 +193,15 @@ PROTOTYPE( (krb5_context, gss_cred_id_t, /* claimant_cred_handle */ gss_ctx_id_t*, /* context_handle */ gss_name_t, /* target_name */ - const_gss_OID, /* mech_type */ - int, /* req_flags */ + gss_OID, /* mech_type */ + OM_uint32, /* req_flags */ OM_uint32, /* time_req */ gss_channel_bindings_t, /* input_chan_bindings */ gss_buffer_t, /* input_token */ gss_OID*, /* actual_mech_type */ gss_buffer_t, /* output_token */ - int*, /* ret_flags */ + OM_uint32*, /* ret_flags */ OM_uint32* /* time_rec */ )); @@ -214,7 +216,7 @@ PROTOTYPE( (krb5_context, gss_name_t*, /* src_name */ gss_OID*, /* mech_type */ gss_buffer_t, /* output_token */ - int*, /* ret_flags */ + OM_uint32*, /* ret_flags */ OM_uint32*, /* time_rec */ gss_cred_id_t* /* delegated_cred_handle */ )); @@ -284,8 +286,8 @@ PROTOTYPE( (krb5_context, OM_uint32*, /* minor_status */ OM_uint32, /* status_value */ int, /* status_type */ - const_gss_OID, /* mech_type */ - int*, /* message_context */ + gss_OID, /* mech_type */ + OM_uint32*, /* message_context */ gss_buffer_t /* status_string */ )); 
@@ -307,7 +309,7 @@ OM_uint32 krb5_gss_display_name PROTOTYPE( (krb5_context, OM_uint32*, /* minor_status */ gss_name_t, /* input_name */ - gss_buffer_t, /* output_name_buffer */ + gss_buffer_t, /* output_name_buffer */ gss_OID* /* output_name_type */ )); @@ -315,7 +317,7 @@ OM_uint32 krb5_gss_import_name PROTOTYPE( (krb5_context, OM_uint32*, /* minor_status */ gss_buffer_t, /* input_name_buffer */ - const_gss_OID, /* input_name_type */ + gss_OID, /* input_name_type */ gss_name_t* /* output_name */ )); @@ -331,7 +333,7 @@ PROTOTYPE( (krb5_context, gss_cred_id_t, /* cred_handle */ gss_name_t *, /* name */ OM_uint32 *, /* lifetime */ - int *, /* cred_usage */ + gss_cred_usage_t*,/* cred_usage */ gss_OID_set * /* mechanisms */ )); 
@@ -343,24 +345,128 @@ PROTOTYPE( (krb5_context, gss_name_t*, /* acceptor_name */ OM_uint32*, /* lifetime_rec */ gss_OID*, /* mech_type */ - int*, /* ret_flags */ - int* /* locally_initiated */ + OM_uint32*, /* ret_flags */ + int*, /* locally_initiated */ + int* /* open */ + )); + +/* New V2 entry points */ +OM_uint32 krb5_gss_get_mic +PROTOTYPE( (krb5_context, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ + )); + +OM_uint32 krb5_gss_verify_mic +PROTOTYPE( (krb5_context, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* message_token */ + gss_qop_t * /* qop_state */ + )); + +OM_uint32 krb5_gss_wrap +PROTOTYPE( (krb5_context, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int *, /* conf_state */ + gss_buffer_t /* output_message_buffer */ + )); + +OM_uint32 krb5_gss_unwrap +PROTOTYPE( (krb5_context, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int *, /* conf_state */ + gss_qop_t * /* qop_state */ + )); + +OM_uint32 krb5_gss_wrap_size_limit +PROTOTYPE( (krb5_context, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + OM_uint32, /* req_output_size */ + OM_uint32 * /* max_input_size */ + )); + +OM_uint32 krb5_gss_import_name_object +PROTOTYPE( (krb5_context, + OM_uint32 *, /* minor_status */ + void *, /* input_name */ + gss_OID, /* input_name_type */ + gss_name_t * /* output_name */ + )); + +OM_uint32 krb5_gss_export_name_object +PROTOTYPE( (krb5_context, + OM_uint32 *, /* minor_status */ + gss_name_t, /* input_name */ + gss_OID, /* desired_name_type */ + void * * 
/* output_name */ + )); + +OM_uint32 krb5_gss_add_cred +PROTOTYPE( (krb5_context, + OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* input_cred_handle */ + gss_name_t, /* desired_name */ + gss_OID, /* desired_mech */ + gss_cred_usage_t, /* cred_usage */ + OM_uint32, /* initiator_time_req */ + OM_uint32, /* acceptor_time_req */ + gss_cred_id_t *, /* output_cred_handle */ + gss_OID_set *, /* actual_mechs */ + OM_uint32 *, /* initiator_time_rec */ + OM_uint32 * /* acceptor_time_rec */ + )); + +OM_uint32 krb5_gss_inquire_cred_by_mech +PROTOTYPE( (krb5_context, + OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* cred_handle */ + gss_OID, /* mech_type */ + gss_name_t *, /* name */ + OM_uint32 *, /* initiator_lifetime */ + OM_uint32 *, /* acceptor_lifetime */ + gss_cred_usage_t * /* cred_usage */ )); OM_uint32 krb5_gss_export_sec_context PROTOTYPE( (krb5_context, - OM_uint32 *, /* minor_status */ - gss_ctx_id_t *, /* context_handle */ - gss_buffer_t /* interprocess_token */ + OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + gss_buffer_t /* interprocess_token */ )); OM_uint32 krb5_gss_import_sec_context PROTOTYPE( (krb5_context, - OM_uint32 *, /* minor_status */ - gss_buffer_t, /* interprocess_token */ - gss_ctx_id_t * /* context_handle */ + OM_uint32 *, /* minor_status */ + gss_buffer_t, /* interprocess_token */ + gss_ctx_id_t * /* context_handle */ )); +OM_uint32 krb5_gss_release_oid +PROTOTYPE( (OM_uint32 *, /* minor_status */ + gss_OID * /* oid */ + )); + +OM_uint32 krb5_gss_inquire_names_for_mech +PROTOTYPE( (OM_uint32 *, /* minor_status */ + gss_OID, /* mechanism */ + gss_OID_set * /* name_types */ + )); + OM_uint32 kg_get_context(); #endif /* _GSSAPIP_KRB5_H_ */ diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index 4b23217fa..6e86eb97a 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c 
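Review bot: krb5_gss_release_oid and krb5_gss_inquire_names_for_mech are declared without the leading `krb5_context` argument that every other krb5_gss_* entry point in this header takes, and the inq_names.c definition in this commit follows the shorter form. If that is deliberate because they touch no per-context state, a one-line comment above the two prototypes saying so would stop the next maintainer from "fixing" it, e.g. `/* These two take no krb5_context: they touch only static OID tables */`; otherwise they should take the context for consistency with the rest of the dispatch layer. This hunk's opening lines lie on the previous physical line of the diff.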
@@ -51,9 +51,9 @@ static const gss_OID_desc oids[] = { {10, "\052\206\110\206\367\022\001\002\002\002"}, }; -const_gss_OID gss_mech_krb5 = oids+0; -const_gss_OID gss_nt_krb5_name = oids+1; -const_gss_OID gss_nt_krb5_principal = oids+2; +const gss_OID_desc * const gss_mech_krb5 = oids+0; +const gss_OID_desc * const gss_nt_krb5_name = oids+1; +const gss_OID_desc * const gss_nt_krb5_principal = oids+2; static const gss_OID_set_desc oidsets[] = { {1, (gss_OID) oids}, @@ -85,7 +85,7 @@ kg_get_defcred(minor_status, cred) return GSS_S_FAILURE; if ((major = krb5_gss_acquire_cred(kg_context, minor_status, - GSS_C_NO_NAME, GSS_C_INDEFINITE, + (gss_name_t) NULL, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, GSS_C_INITIATE, &defcred, NULL, NULL)) && GSS_ERROR(major)) { diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c index d5dcd20f9..c038392dc 100644 --- a/src/lib/gssapi/krb5/import_name.c +++ b/src/lib/gssapi/krb5/import_name.c @@ -44,7 +44,7 @@ krb5_gss_import_name(context, minor_status, input_name_buffer, krb5_context context; OM_uint32 *minor_status; gss_buffer_t input_name_buffer; - const_gss_OID input_name_type; + gss_OID input_name_type; gss_name_t *output_name; { krb5_principal princ; diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 74ae24412..c258c4c7d 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -120,7 +120,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, /* build up the token */ /* allocate space for the token */ - tlen = g_token_size(gss_mech_krb5, ap_req.length); + tlen = g_token_size((gss_OID) gss_mech_krb5, ap_req.length); if ((t = (unsigned char *) xmalloc(tlen)) == NULL) { krb5_auth_con_free(context, *auth_context); 
@@ -132,7 +132,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, ptr = t; - g_make_token_header(gss_mech_krb5, ap_req.length, + g_make_token_header((gss_OID) gss_mech_krb5, ap_req.length, &ptr, KG_TOK_CTX_AP_REQ); TWRITE_STR(ptr, (unsigned char *) ap_req.data, ap_req.length); @@ -158,14 +158,14 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle, gss_cred_id_t claimant_cred_handle; gss_ctx_id_t *context_handle; gss_name_t target_name; - const_gss_OID mech_type; - int req_flags; + gss_OID mech_type; + OM_uint32 req_flags; OM_uint32 time_req; gss_channel_bindings_t input_chan_bindings; gss_buffer_t input_token; gss_OID *actual_mech_type; gss_buffer_t output_token; - int *ret_flags; + OM_uint32 *ret_flags; OM_uint32 *time_rec; { krb5_gss_cred_id_t cred; @@ -402,7 +402,7 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle, ptr = (unsigned char *) input_token->value; - if (! g_verify_token_header(gss_mech_krb5, &(ap_rep.length), + if (! g_verify_token_header((gss_OID) gss_mech_krb5, &(ap_rep.length), &ptr, KG_TOK_CTX_AP_REP, input_token->length)) { *minor_status = 0; diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c index 371f3cbe7..ac54a423b 100644 --- a/src/lib/gssapi/krb5/inq_context.c +++ b/src/lib/gssapi/krb5/inq_context.c @@ -25,7 +25,7 @@ OM_uint32 krb5_gss_inquire_context(context, minor_status, context_handle, initiator_name, acceptor_name, lifetime_rec, mech_type, ret_flags, - locally_initiated) + locally_initiated, open) krb5_context context; OM_uint32 *minor_status; gss_ctx_id_t context_handle; @@ -33,8 +33,9 @@ krb5_gss_inquire_context(context, minor_status, context_handle, initiator_name, gss_name_t *acceptor_name; OM_uint32 *lifetime_rec; gss_OID *mech_type; - int *ret_flags; + OM_uint32 *ret_flags; int *locally_initiated; + int *open; { krb5_error_code code; krb5_gss_ctx_id_rec *ctx; 
@@ -43,9 +44,9 @@ krb5_gss_inquire_context(context, minor_status, context_handle, initiator_name, krb5_deltat lifetime; if (initiator_name) - *initiator_name = GSS_C_NO_NAME; + *initiator_name = (gss_name_t) NULL; if (acceptor_name) - *acceptor_name = GSS_C_NO_NAME; + *acceptor_name = (gss_name_t) NULL; /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { @@ -122,6 +123,9 @@ krb5_gss_inquire_context(context, minor_status, context_handle, initiator_name, if (locally_initiated) *locally_initiated = ctx->initiate; + if (open) + *open = ctx->established; + *minor_status = 0; return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c index 9fa00b54a..e56467507 100644 --- a/src/lib/gssapi/krb5/inq_cred.c +++ b/src/lib/gssapi/krb5/inq_cred.c @@ -30,7 +30,7 @@ krb5_gss_inquire_cred(context, minor_status, cred_handle, name, lifetime_ret, gss_cred_id_t cred_handle; gss_name_t *name; OM_uint32 *lifetime_ret; - int *cred_usage; + gss_cred_usage_t *cred_usage; gss_OID_set *mechanisms; { krb5_gss_cred_id_t cred; 
@@ -109,3 +109,54 @@ krb5_gss_inquire_cred(context, minor_status, cred_handle, name, lifetime_ret, *minor_status = 0; return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE); } + +/* V2 interface */ +OM_uint32 +krb5_gss_inquire_cred_by_mech(context, minor_status, cred_handle, + mech_type, name, initiator_lifetime, + acceptor_lifetime, cred_usage) + krb5_context context; + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; + gss_OID mech_type; + gss_name_t *name; + OM_uint32 *initiator_lifetime; + OM_uint32 *acceptor_lifetime; + gss_cred_usage_t *cred_usage; +{ + krb5_gss_cred_id_t cred; + OM_uint32 lifetime; + OM_uint32 mstat; + + /* + * We only know how to handle our own creds. + */ + if ((mech_type != GSS_C_NULL_OID) && + !g_OID_equal(gss_mech_krb5, mech_type)) { + *minor_status = 0; + return(GSS_S_NO_CRED); + } + + cred = (krb5_gss_cred_id_t) cred_handle; + mstat = krb5_gss_inquire_cred(context, + minor_status, + cred_handle, + name, + &lifetime, + cred_usage, + (gss_OID_set *) NULL); + if (mstat == GSS_S_COMPLETE) { + if (cred && + ((cred->usage == GSS_C_INITIATE) || + (cred->usage == GSS_C_BOTH)) && + initiator_lifetime) + *initiator_lifetime = lifetime; + if (cred && + ((cred->usage == GSS_C_ACCEPT) || + (cred->usage == GSS_C_BOTH)) && + acceptor_lifetime) + *acceptor_lifetime = lifetime; + } + return(mstat); +} + diff --git a/src/lib/gssapi/krb5/inq_names.c b/src/lib/gssapi/krb5/inq_names.c new file mode 100644 index 000000000..7c5ffd3c8 --- /dev/null +++ b/src/lib/gssapi/krb5/inq_names.c 
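Review bot: krb5_gss_inquire_cred_by_mech leaves `*initiator_lifetime` or `*acceptor_lifetime` untouched whenever the credential is not usable in that role, so a caller that asks about an initiate-only credential reads whatever happened to be in its acceptor_lifetime variable and has no way to tell that from a real lifetime. Initialise both outputs before the inquire call, e.g. `if (initiator_lifetime) *initiator_lifetime = 0;` and `if (acceptor_lifetime) *acceptor_lifetime = 0;`, so that only the applicable one is overwritten afterwards. The mismatched-mechanism early return already sets `*minor_status`, so nothing else in the new function needs to change. The tail of krb5_gss_inquire_cred at the top of the hunk starts outside this view.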
@@ -0,0 +1,87 @@ +/* + * lib/gssapi/krb5/inq_names.c + * + * Copyright 1995 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ + +/* + * inq_names.c - Return set of nametypes supported by the KRB5 mechanism. + */ +#include "gssapiP_krb5.h" + +OM_uint32 +krb5_gss_inquire_names_for_mech(minor_status, mechanism, name_types) + OM_uint32 *minor_status; + gss_OID mechanism; + gss_OID_set *name_types; +{ + OM_uint32 major, minor; + + /* + * We only know how to handle our own mechanism. + */ + if ((mechanism != GSS_C_NULL_OID) && + !g_OID_equal(gss_mech_krb5, mechanism)) { + *minor_status = 0; + return(GSS_S_FAILURE); + } + + /* We're okay. Create an empty OID set */ + major = gss_create_empty_oid_set(minor_status, name_types); + if (major == GSS_S_COMPLETE) { + /* Now add our members. 
*/ + if ( + ((major = gss_add_oid_set_member(minor_status, + (gss_OID) gss_nt_user_name, + name_types) + ) == GSS_S_COMPLETE) && + ((major = gss_add_oid_set_member(minor_status, + (gss_OID) gss_nt_machine_uid_name, + name_types) + ) == GSS_S_COMPLETE) && + ((major = gss_add_oid_set_member(minor_status, + (gss_OID) gss_nt_string_uid_name, + name_types) + ) == GSS_S_COMPLETE) && + ((major = gss_add_oid_set_member(minor_status, + (gss_OID) gss_nt_service_name, + name_types) + ) == GSS_S_COMPLETE) && + ((major = gss_add_oid_set_member(minor_status, + (gss_OID) gss_nt_krb5_name, + name_types) + ) == GSS_S_COMPLETE) + ) { + major = gss_add_oid_set_member(minor_status, + (gss_OID) gss_nt_krb5_principal, + name_types); + } + + /* + * If we choked, then release the set, but don't overwrite the minor + * status with the release call. + */ + if (major != GSS_S_COMPLETE) + (void) gss_release_oid_set(&minor, + name_types); + } + return(major); +} diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index 17d93b251..38770173e 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -45,7 +45,7 @@ make_seal_token(context, enc_ed, seq_ed, seqnum, direction, text, token, /* create the token buffer */ - if (toktype == KG_TOK_SEAL_MSG) { + if ((toktype == KG_TOK_SEAL_MSG) || (toktype == KG_TOK_WRAP_MSG)) { if (bigend && !encrypt) tmsglen = text->length; else @@ -54,7 +54,7 @@ make_seal_token(context, enc_ed, seq_ed, seqnum, direction, text, token, tmsglen = 0; } - tlen = g_token_size(gss_mech_krb5, 22+tmsglen); + tlen = g_token_size((gss_OID) gss_mech_krb5, 22+tmsglen); if ((t = (unsigned char *) xmalloc(tlen)) == NULL) return(ENOMEM); @@ -63,7 +63,7 @@ make_seal_token(context, enc_ed, seq_ed, seqnum, direction, text, token, ptr = t; - g_make_token_header(gss_mech_krb5, 22+tmsglen, &ptr, toktype); + g_make_token_header((gss_OID) gss_mech_krb5, 22+tmsglen, &ptr, toktype); /* for now, only generate DES integrity */ 
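Review bot: on a mechanism mismatch krb5_gss_inquire_names_for_mech returns GSS_S_FAILURE without touching `*name_types`, so a caller that releases the set unconditionally on return hands an uninitialised pointer to gss_release_oid_set; set `*name_types = (gss_OID_set) NULL;` before that `return(GSS_S_FAILURE);`, matching how the rest of this patch clears output handles with `(gss_name_t) NULL`. As a point of style, the six nested assignment-in-condition calls to gss_add_oid_set_member are hard to audit; a short loop over a local array of the six OIDs that stops at the first status other than GSS_S_COMPLETE would read more clearly and would leave the release-on-failure path below it unchanged. The release call correctly uses a scratch `minor` so the original failure's minor status survives, which is worth a one-line comment at that point since it is easy to "fix" later.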
@@ -72,7 +72,8 @@ make_seal_token(context, enc_ed, seq_ed, seqnum, direction, text, token, /* SEAL_ALG, or filler */ - if ((toktype == KG_TOK_SEAL_MSG) && encrypt) { + if (((toktype == KG_TOK_SEAL_MSG) || + (toktype == KG_TOK_WRAP_MSG)) && encrypt) { ptr[2] = 0; ptr[3] = 0; } else { @@ -87,7 +88,7 @@ make_seal_token(context, enc_ed, seq_ed, seqnum, direction, text, token, /* pad the plaintext, encrypt if needed, and stick it in the token */ - if (toktype == KG_TOK_SEAL_MSG) { + if ((toktype == KG_TOK_SEAL_MSG) || (toktype == KG_TOK_WRAP_MSG)) { unsigned char *plain; unsigned char pad; 
@@ -230,9 +231,55 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, return(GSS_S_FAILURE); } - if ((toktype == KG_TOK_SEAL_MSG) && conf_state) + if (((toktype == KG_TOK_SEAL_MSG) || + (toktype == KG_TOK_WRAP_MSG)) && conf_state) { *conf_state = conf_req_flag; + } *minor_status = 0; return((ctx->endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE); } + +OM_uint32 +kg_seal_size(minor_status, context_handle, conf_req_flag, qop_req, + output_size, input_size) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + OM_uint32 output_size; + OM_uint32 *input_size; +{ + krb5_gss_ctx_id_rec *ctx; + krb5_error_code code; + OM_uint32 cfsize; + OM_uint32 ohlen; + + /* only default qop is allowed */ + if (qop_req != GSS_C_QOP_DEFAULT) { + *minor_status = (OM_uint32) G_UNKNOWN_QOP; + return(GSS_S_FAILURE); + } + + /* validate the context handle */ + if (! kg_validate_ctx_id(context_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); + } + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + if (! ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } + + /* Calculate the token size and subtract that from the output size */ + cfsize = (conf_req_flag) ? kg_confounder_size(&ctx->enc) : 0; + ohlen = g_token_size((gss_OID) gss_mech_krb5, cfsize + 22); + + /* Cannot have trailer length that will cause us to pad over our length */ + *input_size = (output_size - ohlen) & (~7); + *minor_status = 0; + return(GSS_S_COMPLETE); +} + diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index 40fe9eed1..a50c4cb21 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c 
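Review bot: kg_seal_size can return an enormous maximum input size because `output_size - ohlen` is unsigned arithmetic; a requested output smaller than the fixed token overhead wraps to nearly 2^32 before the `& (~7)`. It also reserves no room for the padding that make_seal_token appends (the "pad the plaintext" step earlier in this diff), so for an input that is already a multiple of 8 the padded token presumably exceeds output_size, which is exactly what the comment above the assignment says must not happen; the 1..8-byte pad size is inferred, not shown here. Suggest `*input_size = (output_size > ohlen + 8) ? ((output_size - ohlen - 8) & ~7) : 0;` and a comment stating that 8 covers the mandatory pad. kg_seal's body begins before this hunk.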
@@ -54,7 +54,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, unsigned char *plain; int plainlen; - if (toktype == KG_TOK_SEAL_MSG) { + if ((toktype == KG_TOK_SEAL_MSG) || (toktype == KG_TOK_WRAP_MSG)) { message_buffer->length = 0; message_buffer->value = NULL; } @@ -78,13 +78,13 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, ptr = (unsigned char *) input_token_buffer->value; - if (! g_verify_token_header(gss_mech_krb5, &bodysize, + if (! g_verify_token_header((gss_OID) gss_mech_krb5, &bodysize, &ptr, toktype, input_token_buffer->length)) { *minor_status = 0; return(GSS_S_DEFECTIVE_TOKEN); } - if (toktype == KG_TOK_SEAL_MSG) + if ((toktype == KG_TOK_SEAL_MSG) || (toktype == KG_TOK_WRAP_MSG)) tmsglen = bodysize-22; /* get the sign and seal algorithms */ @@ -93,8 +93,10 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, sealalg = ptr[2] + (ptr[3]<<8); if (((signalg != 0) && (signalg != 1)) || - ((toktype != KG_TOK_SEAL_MSG) && (sealalg != 0xffff)) || - ((toktype == KG_TOK_SEAL_MSG) && + (((toktype != KG_TOK_SEAL_MSG) && + (toktype != KG_TOK_WRAP_MSG)) && (sealalg != 0xffff)) || + (((toktype == KG_TOK_SEAL_MSG) || + (toktype == KG_TOK_WRAP_MSG)) && ((sealalg != 0xffff) && (sealalg != 0))) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) { @@ -106,7 +108,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, /* decode the message, if SEAL */ - if (toktype == KG_TOK_SEAL_MSG) { + if ((toktype == KG_TOK_SEAL_MSG) || (toktype == KG_TOK_WRAP_MSG)) { if (sealalg == 0) { if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) { *minor_status = ENOMEM; 
@@ -142,7 +144,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, else memcpy(token.value, plain+8, token.length); } - } else if (toktype == KG_TOK_SIGN_MSG) { + } else if ((toktype == KG_TOK_SIGN_MSG) || (toktype == KG_TOK_MIC_MSG)) { token = *message_buffer; plain = token.value; plainlen = token.length; @@ -176,7 +178,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, 16, ctx->seq.key->contents, ctx->seq.key->length, &desmac)) { - if (toktype == KG_TOK_SEAL_MSG) + if ((toktype == KG_TOK_SEAL_MSG) || (toktype == KG_TOK_WRAP_MSG)) xfree(token.value); *minor_status = code; return(GSS_S_FAILURE); @@ -188,7 +190,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, if (code = kg_make_seed(ctx->subkey, ctx->seed)) { if (sealalg == 0) xfree(plain); - if (toktype == KG_TOK_SEAL_MSG) + if ((toktype == KG_TOK_SEAL_MSG) || (toktype == KG_TOK_WRAP_MSG)) xfree(token.value); *minor_status = code; return(GSS_S_FAILURE); @@ -216,7 +218,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, if (memcmp(cksum, ptr+14, 8) != 0) { if (signalg == 0) xfree(desmac.contents); - if (toktype == KG_TOK_SEAL_MSG) + if ((toktype == KG_TOK_SEAL_MSG) || (toktype == KG_TOK_WRAP_MSG)) xfree(token.value); *minor_status = 0; return(GSS_S_BAD_SIG); @@ -229,7 +231,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, /* it got through unscathed. Make sure the context is unexpired */ - if (toktype == KG_TOK_SEAL_MSG) + if ((toktype == KG_TOK_SEAL_MSG) || (toktype = KG_TOK_WRAP_MSG)) *message_buffer = token; if (conf_state) diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c index abb57131f..f6271afa7 100644 --- a/src/lib/gssapi/krb5/krb5_gss_glue.c +++ b/src/lib/gssapi/krb5/krb5_gss_glue.c 
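Review bot: the last added condition in kg_unseal uses assignment instead of comparison, `(toktype = KG_TOK_WRAP_MSG)`, so the test is always true for any non-zero KG_TOK_WRAP_MSG and `toktype` is clobbered for whatever code after this hunk still consults it. For SIGN/MIC tokens `*message_buffer = token;` then runs as well, which is only harmless because `token` was copied from `*message_buffer` earlier in this function. It should read `if ((toktype == KG_TOK_SEAL_MSG) || (toktype == KG_TOK_WRAP_MSG))`; compiling with `-Wparentheses` would have flagged this. kg_unseal starts and ends outside this hunk.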
@@ -34,7 +34,7 @@ gss_accept_sec_context(minor_status, context_handle, verifier_cred_handle, gss_name_t *src_name; gss_OID *mech_type; gss_buffer_t output_token; - int *ret_flags; + OM_uint32 *ret_flags; OM_uint32 *time_rec; gss_cred_id_t *delegated_cred_handle; { @@ -71,7 +71,7 @@ gss_acquire_cred(minor_status, desired_name, time_req, desired_mechs, gss_name_t desired_name; OM_uint32 time_req; gss_OID_set desired_mechs; - int cred_usage; + gss_cred_usage_t cred_usage; gss_cred_id_t *output_cred_handle; gss_OID_set *actual_mechs; OM_uint32 *time_rec; @@ -89,6 +89,45 @@ gss_acquire_cred(minor_status, desired_name, time_req, desired_mechs, time_rec)); } +/* V2 */ +OM_uint32 INTERFACE +gss_add_cred(minor_status, input_cred_handle, desired_name, desired_mech, + cred_usage, initiator_time_req, acceptor_time_req, + output_cred_handle, actual_mechs, initiator_time_rec, + acceptor_time_rec) + OM_uint32 *minor_status; + gss_cred_id_t input_cred_handle; + gss_name_t desired_name; + gss_OID desired_mech; + gss_cred_usage_t cred_usage; + OM_uint32 initiator_time_req; + OM_uint32 acceptor_time_req; + gss_cred_id_t *output_cred_handle; + gss_OID_set *actual_mechs; + OM_uint32 *initiator_time_rec; + OM_uint32 *acceptor_time_rec; +{ + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + + return(krb5_gss_add_cred(kg_context, + minor_status, input_cred_handle, desired_name, + desired_mech, cred_usage, initiator_time_req, + acceptor_time_req, output_cred_handle, + actual_mechs, initiator_time_rec, + acceptor_time_rec)); +} + +/* V2 */ +OM_uint32 INTERFACE +gss_add_oid_set_member(minor_status, member_oid, oid_set) + OM_uint32 *minor_status; + gss_OID member_oid; + gss_OID_set *oid_set; +{ + return(generic_gss_add_oid_set_member(minor_status, member_oid, oid_set)); +} + OM_uint32 INTERFACE gss_compare_name(minor_status, name1, name2, name_equal) OM_uint32 *minor_status; 
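Review bot: the new gss_add_cred wrapper returns GSS_S_FAILURE when `kg_get_context()` fails without storing anything in `*minor_status`, so a caller that feeds that value to gss_display_status reads an uninitialised OM_uint32; the same pattern is repeated in every new V2 wrapper in this file. Set the minor status on that path, e.g. `if (!kg_context && kg_get_context()) { *minor_status = 0; return GSS_S_FAILURE; }`, or store the krb5 error code if kg_get_context returns one (its return type is not visible in this diff). Since this is a pre-existing idiom copied from the V1 wrappers, a small `kg_ensure_context(minor_status)` helper would fix all of them in one place.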
@@ -123,6 +162,15 @@ gss_context_time(minor_status, context_handle, time_rec) time_rec)); } +/* V2 */ +OM_uint32 INTERFACE +gss_create_empty_oid_set(minor_status, oid_set) + OM_uint32 *minor_status; + gss_OID_set *oid_set; +{ + return(generic_gss_create_empty_oid_set(minor_status, oid_set)); +} + OM_uint32 INTERFACE gss_delete_sec_context(minor_status, context_handle, output_token) OM_uint32 *minor_status; @@ -163,8 +211,8 @@ gss_display_status(minor_status, status_value, status_type, OM_uint32 *minor_status; OM_uint32 status_value; int status_type; - const_gss_OID mech_type; - int *message_context; + gss_OID mech_type; + OM_uint32 *message_context; gss_buffer_t status_string; { if (!kg_context && kg_get_context()) @@ -175,6 +223,7 @@ gss_display_status(minor_status, status_value, status_type, status_string)); } +/* V2 */ OM_uint32 INTERFACE gss_export_sec_context(minor_status, context_handle, interprocess_token) OM_uint32 *minor_status; @@ -190,11 +239,27 @@ gss_export_sec_context(minor_status, context_handle, interprocess_token) interprocess_token)); } +/* V2 */ +OM_uint32 INTERFACE +gss_get_mic(minor_status, context_handle, qop_req, + message_buffer, message_token) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_qop_t qop_req; + gss_buffer_t message_buffer; + gss_buffer_t message_token; +{ + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + return(krb5_gss_get_mic(kg_context, minor_status, context_handle, + qop_req, message_buffer, message_token)); +} + OM_uint32 INTERFACE gss_import_name(minor_status, input_name_buffer, input_name_type, output_name) OM_uint32 *minor_status; gss_buffer_t input_name_buffer; - const_gss_OID input_name_type; + gss_OID input_name_type; gss_name_t *output_name; { if (!kg_context && kg_get_context()) 
@@ -204,6 +269,7 @@ gss_import_name(minor_status, input_name_buffer, input_name_type, output_name) input_name_type, output_name)); } +/* V2 */ OM_uint32 INTERFACE gss_import_sec_context(minor_status, interprocess_token, context_handle) OM_uint32 *minor_status; @@ -239,14 +305,14 @@ gss_init_sec_context(minor_status, claimant_cred_handle, context_handle, gss_cred_id_t claimant_cred_handle; gss_ctx_id_t *context_handle; gss_name_t target_name; - const_gss_OID mech_type; - int req_flags; + gss_OID mech_type; + OM_uint32 req_flags; OM_uint32 time_req; gss_channel_bindings_t input_chan_bindings; gss_buffer_t input_token; gss_OID *actual_mech_type; gss_buffer_t output_token; - int *ret_flags; + OM_uint32 *ret_flags; OM_uint32 *time_rec; { if (!kg_context && kg_get_context()) @@ -263,15 +329,16 @@ gss_init_sec_context(minor_status, claimant_cred_handle, context_handle, OM_uint32 INTERFACE gss_inquire_context(minor_status, context_handle, initiator_name, acceptor_name, lifetime_rec, mech_type, ret_flags, - locally_initiated) + locally_initiated, open) OM_uint32 *minor_status; gss_ctx_id_t context_handle; gss_name_t *initiator_name; gss_name_t *acceptor_name; OM_uint32 *lifetime_rec; gss_OID *mech_type; - int *ret_flags; + OM_uint32 *ret_flags; int *locally_initiated; + int *open; { krb5_gss_ctx_id_t * ctx; @@ -285,7 +352,8 @@ gss_inquire_context(minor_status, context_handle, initiator_name, acceptor_name, return(krb5_gss_inquire_context(ctx->context, minor_status, context_handle, initiator_name, acceptor_name, lifetime_rec, - mech_type, ret_flags, locally_initiated)); + mech_type, ret_flags, locally_initiated, + open)); } OM_uint32 INTERFACE @@ -295,7 +363,7 @@ gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, gss_cred_id_t cred_handle; gss_name_t *name; OM_uint32 *lifetime_ret; - int *cred_usage; + gss_cred_usage_t *cred_usage; gss_OID_set *mechanisms; { if (!kg_context && kg_get_context()) 
@@ -305,6 +373,48 @@ gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, name, lifetime_ret, cred_usage, mechanisms)); } +/* V2 */ +OM_uint32 INTERFACE +gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name, + initiator_lifetime, acceptor_lifetime, cred_usage) + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; + gss_OID mech_type; + gss_name_t *name; + OM_uint32 *initiator_lifetime; + OM_uint32 *acceptor_lifetime; + gss_cred_usage_t *cred_usage; +{ + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + + return(krb5_gss_inquire_cred_by_mech(kg_context, minor_status, cred_handle, + mech_type, name, initiator_lifetime, + acceptor_lifetime, cred_usage)); +} + +/* V2 */ +OM_uint32 INTERFACE +gss_inquire_names_for_mech(minor_status, mechanism, name_types) + OM_uint32 *minor_status; + gss_OID mechanism; + gss_OID_set *name_types; +{ + return(krb5_gss_inquire_names_for_mech(minor_status, + mechanism, + name_types)); +} + +/* V2 */ +OM_uint32 INTERFACE +gss_oid_to_str(minor_status, oid, oid_str) + OM_uint32 *minor_status; + gss_OID oid; + gss_buffer_t oid_str; +{ + return(generic_gss_oid_to_str(minor_status, oid, oid_str)); +} + OM_uint32 INTERFACE gss_process_context_token(minor_status, context_handle, token_buffer) OM_uint32 *minor_status; @@ -356,6 +466,15 @@ gss_release_buffer(minor_status, buffer) buffer)); } +/* V2 */ +OM_uint32 INTERFACE +gss_release_oid(minor_status, oid) + OM_uint32 *minor_status; + gss_OID *oid; +{ + return(krb5_gss_release_oid(minor_status, oid)); +} + OM_uint32 INTERFACE gss_release_oid_set(minor_status, set) OM_uint32* minor_status; @@ -364,6 +483,7 @@ gss_release_oid_set(minor_status, set) return(generic_gss_release_oid_set(minor_status, set)); } +/* V1 only */ OM_uint32 INTERFACE gss_seal(minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer) 
@@ -390,6 +510,7 @@ gss_seal(minor_status, context_handle, conf_req_flag, qop_req, conf_state, output_message_buffer)); } +/* V1 only */ OM_uint32 INTERFACE gss_sign(minor_status, context_handle, qop_req, message_buffer, message_token) OM_uint32 *minor_status; @@ -412,6 +533,29 @@ gss_sign(minor_status, context_handle, qop_req, message_buffer, message_token) qop_req, message_buffer, message_token)); } +/* V2 */ +OM_uint32 INTERFACE +gss_str_to_oid(minor_status, oid_str, oid) + OM_uint32 *minor_status; + gss_buffer_t oid_str; + gss_OID *oid; +{ + return(generic_gss_str_to_oid(minor_status, oid_str, oid)); +} + +/* V2 */ +OM_uint32 INTERFACE +gss_test_oid_set_member(minor_status, member, set, present) + OM_uint32 *minor_status; + gss_OID member; + gss_OID_set set; + int *present; +{ + return(generic_gss_test_oid_set_member(minor_status, member, set, + present)); +} + +/* V1 only */ OM_uint32 INTERFACE gss_unseal(minor_status, context_handle, input_message_buffer, output_message_buffer, conf_state, qop_state) @@ -437,6 +581,25 @@ gss_unseal(minor_status, context_handle, input_message_buffer, conf_state, qop_state)); } +/* V2 */ +OM_uint32 INTERFACE +gss_unwrap(minor_status, context_handle, input_message_buffer, + output_message_buffer, conf_state, qop_state) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t input_message_buffer; + gss_buffer_t output_message_buffer; + int *conf_state; + gss_qop_t *qop_state; +{ + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + return(krb5_gss_unwrap(kg_context, + minor_status, context_handle, input_message_buffer, + output_message_buffer, conf_state, qop_state)); +} + +/* V1 only */ OM_uint32 INTERFACE gss_verify(minor_status, context_handle, message_buffer, token_buffer, qop_state) 
@@ -459,3 +622,40 @@ gss_verify(minor_status, context_handle, message_buffer, return(krb5_gss_verify(ctx->context, minor_status, context_handle, message_buffer, token_buffer, qop_state)); } + +/* V2 */ +OM_uint32 INTERFACE +gss_verify_mic(minor_status, context_handle, + message_buffer, token_buffer, qop_state) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t message_buffer; + gss_buffer_t token_buffer; + gss_qop_t *qop_state; +{ + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + return(krb5_gss_verify_mic(kg_context, minor_status, context_handle, + message_buffer, token_buffer, qop_state)); +} + +/* V2 */ +OM_uint32 INTERFACE +gss_wrap(minor_status, context_handle, conf_req_flag, qop_req, + input_message_buffer, conf_state, output_message_buffer) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + gss_buffer_t input_message_buffer; + int *conf_state; + gss_buffer_t output_message_buffer; +{ + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + return(krb5_gss_wrap(kg_context, + minor_status, context_handle, conf_req_flag, qop_req, + input_message_buffer, conf_state, + output_message_buffer)); +} + diff --git a/src/lib/gssapi/krb5/rel_name.c b/src/lib/gssapi/krb5/rel_name.c index 3e41bf43e..11e62355f 100644 --- a/src/lib/gssapi/krb5/rel_name.c +++ b/src/lib/gssapi/krb5/rel_name.c @@ -37,7 +37,7 @@ krb5_gss_release_name(context, minor_status, input_name) krb5_free_principal(context, (krb5_principal) *input_name); - *input_name = GSS_C_NO_NAME; + *input_name = (gss_name_t) NULL; *minor_status = 0; return(GSS_S_COMPLETE); diff --git a/src/lib/gssapi/krb5/rel_oid.c b/src/lib/gssapi/krb5/rel_oid.c new file mode 100644 index 000000000..c311d2fe1 --- /dev/null +++ b/src/lib/gssapi/krb5/rel_oid.c 
@@ -0,0 +1,55 @@
+/*
+ * lib/gssapi/krb5/rel_oid.c
+ *
+ * Copyright 1995 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+/*
+ * rel_oid.c - Release an OID.
+ */
+#include "gssapiP_krb5.h"
+
+OM_uint32
+krb5_gss_release_oid(minor_status, oid)
+ OM_uint32 *minor_status;
+ gss_OID *oid;
+{
+ /*
+ * The V2 API says the following!
+ *
+ * gss_release_oid[()] will recognize any of the GSSAPI's own OID values,
+ * and will silently ignore attempts to free these OIDs; for other OIDs
+ * it will call the C free() routine for both the OID data and the
+ * descriptor. This allows applications to freely mix their own heap-
+ * allocated OID values with OIDs returned by GSS-API.
+ */
+ if ((*oid != gss_mech_krb5) &&
+ (*oid != gss_nt_krb5_name) &&
+ (*oid != gss_nt_krb5_principal)) {
+ /* Pawn it off on the generic routine */
+ return(generic_gss_release_oid(minor_status, oid));
+ }
+ else {
+ *oid = GSS_C_NO_OID;
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
+}
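Review bot: krb5_gss_release_oid screens only the three krb5-specific OIDs before handing everything else to generic_gss_release_oid, which the comment above says calls free() on both the OID data and the descriptor. The generic name-type OIDs this mechanism also advertises in inq_names.c (gss_nt_user_name, gss_nt_machine_uid_name, gss_nt_string_uid_name, gss_nt_service_name) are not in the list, so unless generic_gss_release_oid in oid_ops.c screens them itself (not visible in this diff), an application releasing one of those library constants frees static storage and corrupts the heap. Either add those four pointers to the comparison or, if the generic routine does handle them, say so in the comment, e.g. `/* generic_gss_release_oid ignores the generic gss_nt_* constants; only the krb5 ones are checked here */`. A `*oid == GSS_C_NO_OID` input should also be a silent no-op here rather than reach the generic routine, which this diff does not show handling NULL.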
diff --git a/src/lib/gssapi/krb5/seal.c b/src/lib/gssapi/krb5/seal.c index a0e06ebde..15e7a8bb1 100644 --- a/src/lib/gssapi/krb5/seal.c +++ b/src/lib/gssapi/krb5/seal.c @@ -39,3 +39,39 @@ krb5_gss_seal(context, minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, KG_TOK_SEAL_MSG)); } + +/* V2 interface */ +OM_uint32 +krb5_gss_wrap(context, minor_status, context_handle, conf_req_flag, + qop_req, input_message_buffer, conf_state, + output_message_buffer) + krb5_context context; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + gss_buffer_t input_message_buffer; + int *conf_state; + gss_buffer_t output_message_buffer; +{ + return(kg_seal(minor_status, context_handle, conf_req_flag, + qop_req, input_message_buffer, conf_state, + output_message_buffer, KG_TOK_WRAP_MSG)); +} + +/* V2 interface */ +OM_uint32 +krb5_gss_wrap_size_limit(context, minor_status, context_handle, conf_req_flag, + qop_req, req_output_size, max_input_size) + krb5_context context; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + OM_uint32 req_output_size; + OM_uint32 *max_input_size; +{ + /* XXX - should just put this in k5seal.c */ + return(kg_seal_size(minor_status, context_handle, conf_req_flag, + qop_req, req_output_size, max_input_size)); +} diff --git a/src/lib/gssapi/krb5/sign.c b/src/lib/gssapi/krb5/sign.c index bafc0837d..3f8b43619 100644 --- a/src/lib/gssapi/krb5/sign.c +++ b/src/lib/gssapi/krb5/sign.c 
@@ -37,3 +37,19 @@ krb5_gss_sign(context, minor_status, context_handle, qop_req, message_buffer, NULL, message_token, KG_TOK_SIGN_MSG)); } + +/* V2 interface */ +OM_uint32 +krb5_gss_get_mic(context, minor_status, context_handle, qop_req, + message_buffer, message_token) + krb5_context context; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_qop_t qop_req; + gss_buffer_t message_buffer; + gss_buffer_t message_token; +{ + return(kg_seal(minor_status, context_handle, 0, + qop_req, message_buffer, NULL, + message_token, KG_TOK_MIC_MSG)); +} diff --git a/src/lib/gssapi/krb5/unseal.c b/src/lib/gssapi/krb5/unseal.c index 3449951af..7871352d1 100644 --- a/src/lib/gssapi/krb5/unseal.c +++ b/src/lib/gssapi/krb5/unseal.c @@ -38,3 +38,27 @@ krb5_gss_unseal(context, minor_status, context_handle, input_message_buffer, output_message_buffer, conf_state, qop_state, KG_TOK_SEAL_MSG)); } + +/* V2 interface */ +OM_uint32 +krb5_gss_unwrap(context, minor_status, context_handle, + input_message_buffer, output_message_buffer, + conf_state, qop_state) + krb5_context context; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t input_message_buffer; + gss_buffer_t output_message_buffer; + int *conf_state; + gss_qop_t *qop_state; +{ + OM_uint32 rstat; + int qstate; + + rstat = kg_unseal(minor_status, context_handle, + input_message_buffer, output_message_buffer, + conf_state, &qstate, KG_TOK_WRAP_MSG); + if (!rstat && qop_state) + *qop_state = (gss_qop_t) qstate; + return(rstat); +} diff --git a/src/lib/gssapi/krb5/verify.c b/src/lib/gssapi/krb5/verify.c index 398b1d771..69fa967b7 100644 --- a/src/lib/gssapi/krb5/verify.c +++ b/src/lib/gssapi/krb5/verify.c 
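Review bot: krb5_gss_unwrap copies the qop back only when `rstat` is exactly zero, but kg_seal in k5seal.c returns GSS_S_CONTEXT_EXPIRED for a message it processed successfully on an expired context, and kg_unseal's closing comment ("it got through unscathed. Make sure the context is unexpired") suggests it does the same; on that path the unwrapped message is returned while `*qop_state` is silently left unset. Test for an error status instead of success-only, `if (!GSS_ERROR(rstat) && qop_state)`, or check explicitly for GSS_S_COMPLETE and GSS_S_CONTEXT_EXPIRED if this revision of gssapi.h lacks the GSS_ERROR macro. The same applies to krb5_gss_verify_mic in verify.c.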
@@ -37,3 +37,26 @@ krb5_gss_verify(context, minor_status, context_handle, token_buffer, message_buffer, NULL, qop_state, KG_TOK_SIGN_MSG)); } + +/* V2 interface */ +OM_uint32 +krb5_gss_verify_mic(context, minor_status, context_handle, + message_buffer, token_buffer, + qop_state) + krb5_context context; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t message_buffer; + gss_buffer_t token_buffer; + gss_qop_t *qop_state; +{ + OM_uint32 rstat; + int qstate; + + rstat = kg_unseal(minor_status, context_handle, + token_buffer, message_buffer, + NULL, &qstate, KG_TOK_MIC_MSG); + if (!rstat && qop_state) + *qop_state = (gss_qop_t) qstate; + return(rstat); +} -- 2.26.2
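Review bot: krb5_gss_verify_mic drops the qop whenever `rstat` is non-zero, which by the kg_seal pattern visible in k5seal.c includes GSS_S_CONTEXT_EXPIRED returned for a MIC that verified correctly; the caller then sees a non-error major status but an unset `*qop_state`. Use `if (!GSS_ERROR(rstat) && qop_state)` so that only calling and routine errors suppress the copy. A brief comment noting that `qstate` is only read after kg_unseal reports non-error, since it is otherwise uninitialised, would help the next reader.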