authorAndrew Bartlett <abartlet@samba.org>2005-08-09 03:04:47 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:31:33 -0500
commitc0e8144c5d1e402b36ebe04b843eba62e7ab9958 (patch)
tree1b885ceee1a88e8cb2822051690b023c8f8acb78 /source4/heimdal/lib/gssapi
parent4b93e377cd9809199487e20fa53d8a2c98ad32ea (diff)
r9221: Try to merge Heimdal across from lorikeet-heimdal to samba4.
This is my first attempt at this, so there may be a few rough edges. Andrew Bartlett (This used to be commit 9a1d2f2fec67930975da856a2d365345cec46216)
Diffstat (limited to 'source4/heimdal/lib/gssapi')
-rw-r--r--source4/heimdal/lib/gssapi/accept_sec_context.c49
-rw-r--r--source4/heimdal/lib/gssapi/init_sec_context.c270
2 files changed, 141 insertions, 178 deletions
diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c
index 6672f3fc67..2ba2415112 100644
--- a/source4/heimdal/lib/gssapi/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/accept_sec_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -1051,28 +1051,27 @@ spnego_accept_sec_context
}
OM_uint32
-gss_accept_sec_context(
- OM_uint32 * minor_status,
- gss_ctx_id_t * context_handle,
- const gss_cred_id_t acceptor_cred_handle,
- const gss_buffer_t input_token,
- const gss_channel_bindings_t input_chan_bindings,
- gss_name_t * src_name,
- gss_OID * actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec,
- gss_cred_id_t * delegated_cred_handle)
+gss_accept_sec_context
+ (OM_uint32 * minor_status,
+ gss_ctx_id_t * context_handle,
+ const gss_cred_id_t acceptor_cred_handle,
+ const gss_buffer_t input_token_buffer,
+ const gss_channel_bindings_t input_chan_bindings,
+ gss_name_t * src_name,
+ gss_OID * mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec,
+ gss_cred_id_t * delegated_cred_handle
+ )
{
- ssize_t mech_len;
- const u_char *p;
-
- GSSAPI_KRB5_INIT ();
+ ssize_t mech_len;
+ const u_char *p;
- *minor_status = 0;
+ *minor_status = 0;
if (src_name) *src_name = GSS_C_NO_NAME;
- if (actual_mech_type) *actual_mech_type = GSS_C_NO_OID;
+ if (mech_type) *mech_type = GSS_C_NO_OID;
output_token->length = 0;
output_token->value = NULL;
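Review bot: The `GSSAPI_KRB5_INIT ();` call is dropped from gss_accept_sec_context (the removed line between the local declarations and `*minor_status = 0;`) while the matching initiator entry point in init_sec_context.c keeps it, so `gssapi_krb5_get_mech` and the "dce style" handling just past this hunk now run before any per-mechanism accept function has had a chance to initialise the library context. If those helpers only parse the token and never touch gssapi_krb5_context this is harmless, but that cannot be confirmed from this hunk. Either restore `GSSAPI_KRB5_INIT ();` ahead of the `gssapi_krb5_get_mech` call, or add a comment there such as `/* library init is done by gsskrb5_accept_sec_context / spnego_accept_sec_context */` so the asymmetry with gss_init_sec_context is documented. gss_accept_sec_context's body continues beyond the end of this hunk.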
@@ -1081,8 +1080,8 @@ gss_accept_sec_context(
if (time_rec) *time_rec = 0;
if (delegated_cred_handle) *delegated_cred_handle = NULL;
- mech_len = gssapi_krb5_get_mech(input_token->value,
- input_token->length,
+ mech_len = gssapi_krb5_get_mech(input_token_buffer->value,
+ input_token_buffer->length,
&p);
/* This could be 'dce style' kerberos, where the OID is missing :-( */
@@ -1091,10 +1090,10 @@ gss_accept_sec_context(
return gsskrb5_accept_sec_context(minor_status,
context_handle,
acceptor_cred_handle,
- input_token,
+ input_token_buffer,
input_chan_bindings,
src_name,
- actual_mech_type,
+ mech_type,
output_token,
ret_flags,
time_rec,
@@ -1104,10 +1103,10 @@ gss_accept_sec_context(
return spnego_accept_sec_context(minor_status,
context_handle,
acceptor_cred_handle,
- input_token,
+ input_token_buffer,
input_chan_bindings,
src_name,
- actual_mech_type,
+ mech_type,
output_token,
ret_flags,
time_rec,
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index c7e4aa50d6..0376ca30bf 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.57 2005/05/30 20:58:29 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.58 2005/07/13 07:00:15 lha Exp $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@@ -41,9 +41,8 @@ RCSID("$Id: init_sec_context.c,v 1.57 2005/05/30 20:58:29 lha Exp $");
*/
static OM_uint32
-gsskrb5_set_addresses(
- krb5_auth_context ac,
- const gss_channel_bindings_t input_chan_bindings)
+set_addresses (krb5_auth_context ac,
+ const gss_channel_bindings_t input_chan_bindings)
{
/* Port numbers are expected to be in application_data.value,
* initator's port first */
@@ -136,8 +135,8 @@ _gsskrb5_create_ctx(
return GSS_S_FAILURE;
}
- kret = gsskrb5_set_addresses((*context_handle)->auth_context,
- input_chan_bindings);
+ kret = set_addresses((*context_handle)->auth_context,
+ input_chan_bindings);
if (kret) {
*minor_status = kret;
@@ -278,13 +277,12 @@ gsskrb5_initiator_ready(
*/
static void
-gsskrb5_do_delegation(
- krb5_auth_context ac,
- krb5_ccache ccache,
- krb5_creds *cred,
- const gss_name_t target_name,
- krb5_data *fwd_data,
- int *flags)
+do_delegation (krb5_auth_context ac,
+ krb5_ccache ccache,
+ krb5_creds *cred,
+ const gss_name_t target_name,
+ krb5_data *fwd_data,
+ int *flags)
{
krb5_creds creds;
krb5_kdc_flags fwd_flags;
@@ -292,7 +290,7 @@ gsskrb5_do_delegation(
memset (&creds, 0, sizeof(creds));
krb5_data_zero (fwd_data);
-
+
kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client);
if (kret)
goto out;
@@ -342,34 +340,35 @@ gsskrb5_do_delegation(
*/
static OM_uint32
-gsskrb5_initiator_start(
- OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
- gss_ctx_id_t * context_handle,
- const gss_name_t target_name,
- const gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
- const gss_buffer_t input_token,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec)
+gsskrb5_initiator_start
+(OM_uint32 * minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t * context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+ )
{
- OM_uint32 ret = GSS_S_FAILURE;
- krb5_error_code kret;
- krb5_flags ap_options;
- krb5_creds *cred = NULL;
- krb5_data outbuf;
- krb5_ccache ccache = NULL;
- u_int32_t flags;
- krb5_data authenticator;
- Checksum cksum;
- krb5_enctype enctype;
- krb5_data fwd_data;
-
- krb5_data_zero(&outbuf);
- krb5_data_zero(&fwd_data);
+ OM_uint32 ret = GSS_S_FAILURE;
+ krb5_error_code kret;
+ krb5_flags ap_options;
+ krb5_creds *cred = NULL;
+ krb5_data outbuf;
+ krb5_ccache ccache = NULL;
+ u_int32_t flags;
+ krb5_data authenticator;
+ Checksum cksum;
+ krb5_enctype enctype;
+ krb5_data fwd_data;
+
+ krb5_data_zero(&outbuf);
+ krb5_data_zero(&fwd_data);
(*context_handle)->more_flags |= LOCAL;
@@ -425,7 +424,7 @@ gsskrb5_initiator_start(
ap_options = 0;
if (req_flags & GSS_C_DELEG_FLAG) {
- gsskrb5_do_delegation((*context_handle)->auth_context,
+ do_delegation((*context_handle)->auth_context,
ccache, cred, target_name, &fwd_data, &flags);
}
@@ -681,20 +680,21 @@ gsskrb5_initiator_wait_for_mutual(
}
static OM_uint32
-gsskrb5_init_sec_context(
- OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
- gss_ctx_id_t * context_handle,
- const gss_name_t target_name,
- const gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
- const gss_buffer_t input_token,
- gss_OID * actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec)
+gsskrb5_init_sec_context
+ (OM_uint32 * minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t * context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+ )
{
OM_uint32 ret;
@@ -1076,9 +1076,7 @@ spnego_initial
ni.mechListMIC = NULL;
-#if 0
{
- int ret;
NegotiationToken nt;
nt.element = choice_NegotiationToken_negTokenInit;
@@ -1086,47 +1084,10 @@ spnego_initial
ASN1_MALLOC_ENCODE(NegotiationToken, buf, buf_size,
&nt, &buf_len, ret);
- if (buf_size != buf_len)
+ if (ret == 0 && buf_size != buf_len)
abort();
}
-#else
- ni_len = length_NegTokenInit(&ni);
- buf_size = 1 + length_len(ni_len) + ni_len;
- buf = malloc(buf_size);
- if (buf == NULL) {
- free_NegTokenInit(&ni);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- ret = encode_NegTokenInit(buf + buf_size - 1,
- ni_len,
- &ni, &buf_len);
- if (ret == 0 && ni_len != buf_len)
- abort();
-
- if (ret == 0) {
- size_t tmp;
-
- ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
- buf_size - buf_len,
- buf_len,
- ASN1_C_CONTEXT,
- CONS,
- 0,
- &tmp);
- if (ret == 0 && tmp + buf_len != buf_size)
- abort();
- }
- if (ret) {
- *minor_status = ret;
- free(buf);
- free_NegTokenInit(&ni);
- return GSS_S_FAILURE;
- }
-
-#endif
data.data = buf;
data.length = buf_size;
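Review bot: The error return for a failed encode is lost: after `ASN1_MALLOC_ENCODE(NegotiationToken, buf, buf_size, &nt, &buf_len, ret);` the new code only aborts on a length mismatch when `ret == 0`, then falls through to `data.data = buf; data.length = buf_size;` with whatever `buf` and `buf_size` hold when `ret != 0`, whereas the deleted `#else` branch set `*minor_status`, freed `ni` and returned GSS_S_FAILURE at this point. Unless that is handled further down in spnego_initial, which starts and ends outside this hunk, re-add the check after the abort: `if (ret) { *minor_status = ret; free_NegTokenInit(&ni); return GSS_S_FAILURE; }`. Note also that `int ret;` was removed from the inner block, so the macro now writes the function-level `ret`; that is fine only if nothing after this block relies on its earlier value.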
@@ -1197,65 +1158,68 @@ spnego_init_sec_context
* gss_init_sec_context
*/
-OM_uint32 gss_init_sec_context(
- OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
- gss_ctx_id_t * context_handle,
- const gss_name_t target_name,
- const gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
- const gss_buffer_t input_token,
- gss_OID * actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec)
+OM_uint32 gss_init_sec_context
+ (OM_uint32 * minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t * context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+ )
{
- GSSAPI_KRB5_INIT ();
+ GSSAPI_KRB5_INIT ();
- *minor_status = 0;
+ output_token->length = 0;
+ output_token->value = NULL;
- if (actual_mech_type) *actual_mech_type = GSS_C_NO_OID;
-
- output_token->length = 0;
- output_token->value = NULL;
-
- if (ret_flags) *ret_flags = 0;
- if (time_rec) *time_rec = 0;
-
- if (target_name == GSS_C_NO_NAME) return GSS_S_BAD_NAME;
-
- if (mech_type == GSS_C_NO_OID ||
- gss_oid_equal(mech_type, GSS_KRB5_MECHANISM)) {
- return gsskrb5_init_sec_context(minor_status,
- initiator_cred_handle,
- context_handle,
- target_name,
- mech_type,
- req_flags,
- time_req,
- input_chan_bindings,
- input_token,
- actual_mech_type,
- output_token,
- ret_flags,
- time_rec);
- } else if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM)) {
- return spnego_init_sec_context (minor_status,
- initiator_cred_handle,
- context_handle,
- target_name,
- mech_type,
- req_flags,
- time_req,
- input_chan_bindings,
- input_token,
- actual_mech_type,
- output_token,
- ret_flags,
- time_rec);
- }
+ if (ret_flags)
+ *ret_flags = 0;
+ if (time_rec)
+ *time_rec = 0;
+ if (target_name == GSS_C_NO_NAME) {
+ if (actual_mech_type)
+ *actual_mech_type = GSS_C_NO_OID;
+ *minor_status = 0;
+ return GSS_S_BAD_NAME;
+ }
+
+ if (mech_type == GSS_C_NO_OID ||
+ gss_oid_equal(mech_type, GSS_KRB5_MECHANISM))
+ return gsskrb5_init_sec_context(minor_status,
+ initiator_cred_handle,
+ context_handle,
+ target_name,
+ mech_type,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec);
+ else if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM))
+ return spnego_init_sec_context (minor_status,
+ initiator_cred_handle,
+ context_handle,
+ target_name,
+ mech_type,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec);
+ else
return GSS_S_BAD_MECH;
}
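Review bot: `*minor_status` is no longer initialised on the GSS_S_BAD_MECH path: the previously unconditional `*minor_status = 0;` and `*actual_mech_type = GSS_C_NO_OID;` now live only inside the `target_name == GSS_C_NO_NAME` branch, so a caller passing an unknown mech_type gets GSS_S_BAD_MECH with an indeterminate minor code and an untouched `*actual_mech_type`. The Kerberos and SPNEGO branches presumably set both in the callee, but the final `else` does not. Either move the two assignments back above the target_name check, or make the last branch `else { if (actual_mech_type) *actual_mech_type = GSS_C_NO_OID; *minor_status = 0; return GSS_S_BAD_MECH; }`.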