diff options
264 files changed, 25771 insertions, 10833 deletions
diff --git a/source4/auth/credentials/credentials_krb5.h b/source4/auth/credentials/credentials_krb5.h index 2bd38af5c7..22c0f5abfe 100644 --- a/source4/auth/credentials/credentials_krb5.h +++ b/source4/auth/credentials/credentials_krb5.h @@ -21,9 +21,7 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -struct EncryptionKey; - -#include "heimdal/lib/gssapi/gssapi.h" +#include "heimdal/lib/gssapi/gssapi/gssapi.h" struct ccache_container; diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index ed407b623b..136962d892 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -24,7 +24,7 @@ #include "includes.h" #include "system/kerberos.h" -#include "heimdal/lib/gssapi/gssapi.h" +#include "heimdal/lib/gssapi/gssapi/gssapi.h" #include "auth/kerberos/kerberos.h" #include "librpc/gen_ndr/krb5pac.h" #include "auth/auth.h" @@ -73,6 +73,7 @@ struct gensec_gssapi_state { * layer... */ size_t max_wrap_buf_size; + int gss_exchange_count; }; static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security); @@ -133,12 +134,14 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) { struct gensec_gssapi_state *gensec_gssapi_state; krb5_error_code ret; - + struct gsskrb5_send_to_kdc send_to_kdc; + gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state); if (!gensec_gssapi_state) { return NT_STATUS_NO_MEMORY; } + gensec_gssapi_state->gss_exchange_count = 0; gensec_gssapi_state->max_wrap_buf_size = lp_parm_int(-1, "gensec_gssapi", "max wrap buf size", 65536); @@ -186,10 +189,18 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->gss_oid = gss_mech_krb5; + send_to_kdc.func = smb_krb5_send_and_recv_func; + send_to_kdc.ptr = gensec_security->event_ctx; + + ret = gsskrb5_set_send_to_kdc(&send_to_kdc); + if (ret) { + DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n")); + return NT_STATUS_INTERNAL_ERROR; + } ret = smb_krb5_init_context(gensec_gssapi_state, &gensec_gssapi_state->smb_krb5_context); if (ret) { - DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", + DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", error_message(ret))); return NT_STATUS_INTERNAL_ERROR; } @@ -431,6 +442,8 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, } + gensec_gssapi_state->gss_exchange_count++; + if (maj_stat == GSS_S_COMPLETE) { *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length); gss_release_buffer(&min_stat2, &output_token); @@ -493,12 +506,14 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, /* garbage input, possibly from the auto-mech detection */ return NT_STATUS_INVALID_PARAMETER; default: - DEBUG(1, ("GSS(krb5) Update failed: %s\n", + DEBUG(1, ("GSS Update(krb5)(%d) Update failed: %s\n", + gensec_gssapi_state->gss_exchange_count, gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); return nt_status; } } else { - DEBUG(1, ("GSS Update failed: %s\n", + DEBUG(1, ("GSS Update(%d) failed: %s\n", + gensec_gssapi_state->gss_exchange_count, gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); return nt_status; } @@ -583,7 +598,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, &conf_state, &output_token); if (GSS_ERROR(maj_stat)) { - DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n", + DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); return NT_STATUS_ACCESS_DENIED; } @@ -648,7 +663,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, &conf_state, &output_token); if (GSS_ERROR(maj_stat)) { - DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n", + DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); return NT_STATUS_ACCESS_DENIED; } @@ -1185,38 +1200,57 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return NT_STATUS_NO_MEMORY; } - maj_stat = gss_krb5_copy_service_keyblock(&min_stat, - gensec_gssapi_state->gssapi_context, - &keyblock); - - if (maj_stat == 0) { - maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat, - gensec_gssapi_state->gssapi_context, - &authtime); - } - - if (maj_stat == 0) { - maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat, - gensec_gssapi_state->gssapi_context, - KRB5_AUTHDATA_WIN2K_PAC, - &pac); - } - + maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat, + gensec_gssapi_state->gssapi_context, + KRB5_AUTHDATA_WIN2K_PAC, + &pac); + + if (maj_stat == 0) { pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length); gss_release_buffer(&min_stat, &pac); + + } else { + pac_blob = data_blob(NULL, 0); } /* IF we have the PAC - otherwise we need to get this * data from elsewere - local ldb, or (TODO) lookup of some * kind... */ - if (maj_stat == 0) { + if (pac_blob.length) { krb5_error_code ret; + union netr_Validation validation; - ret = krb5_parse_name(gensec_gssapi_state->smb_krb5_context->krb5_context, - principal_string, &principal); + maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat, + gensec_gssapi_state->gssapi_context, + &authtime); + + if (GSS_ERROR(maj_stat)) { + DEBUG(1, ("gsskrb5_extract_authtime_from_sec_context: %s\n", + gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); + talloc_free(mem_ctx); + return NT_STATUS_FOOBAR; + } + + maj_stat = gsskrb5_extract_service_keyblock(&min_stat, + gensec_gssapi_state->gssapi_context, + &keyblock); + + if (GSS_ERROR(maj_stat)) { + DEBUG(1, ("gsskrb5_copy_service_keyblock failed: %s\n", + gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); + talloc_free(mem_ctx); + return NT_STATUS_FOOBAR; + } + + ret = krb5_parse_name_flags(gensec_gssapi_state->smb_krb5_context->krb5_context, + principal_string, + KRB5_PRINCIPAL_PARSE_MUST_REALM, + &principal); if (ret) { + krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, + keyblock); talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } @@ -1226,25 +1260,25 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi gensec_gssapi_state->smb_krb5_context->krb5_context, NULL, keyblock, principal, authtime, NULL); krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal); + krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, + keyblock); - if (NT_STATUS_IS_OK(nt_status)) { - union netr_Validation validation; - validation.sam3 = &logon_info->info3; - nt_status = make_server_info_netlogon_validation(gensec_gssapi_state, - NULL, - 3, &validation, - &server_info); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - } else { - maj_stat = 1; + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; } - } - - if (maj_stat) { - DEBUG(1, ("Unable to use PAC, resorting to local user lookup!\n")); + validation.sam3 = &logon_info->info3; + nt_status = make_server_info_netlogon_validation(gensec_gssapi_state, + NULL, + 3, &validation, + &server_info); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + } else if (!lp_parm_bool(-1, "gensec", "require_pac", False)) { + DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n", + gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); nt_status = sam_get_server_info_principal(mem_ctx, principal_string, &server_info); @@ -1252,6 +1286,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi talloc_free(mem_ctx); return nt_status; } + } else { + DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n", + principal_string, + gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); + return NT_STATUS_ACCESS_DENIED; } /* references the server_info into the session_info */ diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index d84f3dedf5..66d2801520 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -527,6 +527,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security struct PAC_LOGON_INFO *logon_info; krb5_principal client_principal; + char *principal_string; DATA_BLOB pac; krb5_data pac_data; @@ -538,30 +539,63 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security return NT_STATUS_NO_MEMORY; } + ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal); + if (ret) { + DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n", + smb_get_krb5_error_message(context, + ret, mem_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context, + client_principal, &principal_string); + if (ret) { + DEBUG(1, ("Unable to parse client principal: %s\n", + smb_get_krb5_error_message(context, + ret, mem_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket, KRB5_AUTHDATA_WIN2K_PAC, &pac_data); - if (ret) { + if (ret && lp_parm_bool(-1, "gensec", "require_pac", False)) { + DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n", + principal_string, + smb_get_krb5_error_message(context, + ret, mem_ctx))); + krb5_free_principal(context, client_principal); + free(principal_string); + return NT_STATUS_ACCESS_DENIED; + } else if (ret) { + /* NO pac */ DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); + nt_status = sam_get_server_info_principal(mem_ctx, principal_string, + &server_info); + krb5_free_principal(context, client_principal); + free(principal_string); + + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } } else { + /* Found pac */ + union netr_Validation validation; + free(principal_string); + pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length); if (!pac.data) { + krb5_free_principal(context, client_principal); talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; } - ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal); - if (ret) { - DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n", - smb_get_krb5_error_message(context, - ret, mem_ctx))); - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - /* decode and verify the pac */ nt_status = kerberos_pac_logon_info(gensec_krb5_state, &logon_info, pac, gensec_krb5_state->smb_krb5_context->krb5_context, @@ -570,46 +604,16 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security gensec_krb5_state->ticket->ticket.authtime, NULL); krb5_free_principal(context, client_principal); - if (NT_STATUS_IS_OK(nt_status)) { - union netr_Validation validation; - validation.sam3 = &logon_info->info3; - nt_status = make_server_info_netlogon_validation(mem_ctx, - NULL, - 3, &validation, - &server_info); - } - } - - - - /* IF we have the PAC - otherwise we need to get this - * data from elsewere - local ldb, or (TODO) lookup of some - * kind... - */ - if (!NT_STATUS_IS_OK(nt_status)) { - /* NO pac, or can't parse or verify it */ - char *principal_string; - ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal); - if (ret) { - DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n", - smb_get_krb5_error_message(context, - ret, mem_ctx))); - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context, - client_principal, &principal_string); - krb5_free_principal(context, client_principal); - if (ret) { + if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; + return nt_status; } - nt_status = sam_get_server_info_principal(mem_ctx, principal_string, - &server_info); - free(principal_string); - + validation.sam3 = &logon_info->info3; + nt_status = make_server_info_netlogon_validation(mem_ctx, + NULL, + 3, &validation, + &server_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index 06f0c186a3..2b4c5d4cb0 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c @@ -45,6 +45,8 @@ krb5_get_init_creds_opt_init(&options); + krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options); + if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock, 0, NULL, &options))) { return code; @@ -87,6 +89,8 @@ krb5_get_init_creds_opt_init(&options); + krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options); + if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, NULL, NULL, 0, NULL, &options))) { diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index dcfe16c896..8e1801f745 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -280,7 +280,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx, return NT_STATUS_ACCESS_DENIED; } - ret = krb5_parse_name_norealm(context, logon_name->account_name, &client_principal_pac); + ret = krb5_parse_name_flags(context, logon_name->account_name, KRB5_PRINCIPAL_PARSE_NO_REALM, + &client_principal_pac); if (ret) { DEBUG(2, ("Could not parse name from incoming PAC: [%s]: %s\n", logon_name->account_name, @@ -591,7 +592,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, u_LOGON_INFO->logon_info.info = LOGON_INFO; LOGON_INFO->info3 = *sam3; - ret = krb5_unparse_name_norealm(context, client_principal, &name); + ret = krb5_unparse_name_flags(context, client_principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name); if (ret) { return ret; } diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c index d895d7a336..a3ef895b16 100644 --- a/source4/auth/kerberos/krb5_init_context.c +++ b/source4/auth/kerberos/krb5_init_context.c @@ -23,6 +23,7 @@ #include "includes.h" #include "system/kerberos.h" +#include "heimdal/lib/krb5/krb5_locl.h" #include "auth/kerberos/kerberos.h" #include "lib/socket/socket.h" #include "system/network.h" @@ -69,7 +70,7 @@ static void smb_krb5_debug_close(void *private) { static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private) { - DEBUG(3, ("Kerberos: %s\n", msg)); + DEBUG(2, ("Kerberos: %s\n", msg)); } /* @@ -224,11 +225,11 @@ static void smb_krb5_socket_handler(struct event_context *ev, struct fd_event *f } -static krb5_error_code smb_krb5_send_and_recv_func(krb5_context context, - void *data, - krb5_krbhst_info *hi, - const krb5_data *send_buf, - krb5_data *recv_buf) +krb5_error_code smb_krb5_send_and_recv_func(krb5_context context, + void *data, + krb5_krbhst_info *hi, + const krb5_data *send_buf, + krb5_data *recv_buf) { krb5_error_code ret; NTSTATUS status; @@ -363,13 +364,6 @@ static krb5_error_code smb_krb5_send_and_recv_func(krb5_context context, return KRB5_KDC_UNREACH; } -/* NO internal data, so nothing to free */ -static void smb_krb5_send_and_recv_close_func(krb5_context context, void *data) -{ - return; -} - - krb5_error_code smb_krb5_init_context(void *parent_ctx, struct smb_krb5_context **smb_krb5_context) { @@ -437,9 +431,9 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx, ev = event_context_find(*smb_krb5_context); /* Set use of our socket lib */ - ret = krb5_set_send_recv_func((*smb_krb5_context)->krb5_context, - smb_krb5_send_and_recv_func, - smb_krb5_send_and_recv_close_func, ev); + ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context, + smb_krb5_send_and_recv_func, + ev); if (ret) { DEBUG(1,("krb5_set_send_recv_func failed (%s)\n", smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx))); @@ -454,12 +448,8 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx, /* Set options in kerberos */ - (*smb_krb5_context)->krb5_context->fdns = FALSE; + krb5_set_dns_canonicalize_hostname((*smb_krb5_context)->krb5_context, FALSE); return 0; } - void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context) -{ - talloc_free(smb_krb5_context); -} diff --git a/source4/auth/kerberos/krb5_init_context.h b/source4/auth/kerberos/krb5_init_context.h index f3ffc067fa..7aad97e2ca 100644 --- a/source4/auth/kerberos/krb5_init_context.h +++ b/source4/auth/kerberos/krb5_init_context.h @@ -27,3 +27,8 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx, struct smb_krb5_context **smb_krb5_context); void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context); +krb5_error_code smb_krb5_send_and_recv_func(krb5_context context, + void *data, + krb5_krbhst_info *hi, + const krb5_data *send_buf, + krb5_data *recv_buf); diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c index f92cf949b1..eb051a0fb2 100644 --- a/source4/dsdb/samdb/cracknames.c +++ b/source4/dsdb/samdb/cracknames.c @@ -154,8 +154,8 @@ static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_c enum drsuapi_DsNameStatus namestatus; /* parse principal */ - ret = krb5_parse_name_norealm(smb_krb5_context->krb5_context, - name, &principal); + ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, + name, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal); if (ret) { DEBUG(2, ("Could not parse principal: %s: %s", name, smb_get_krb5_error_message(smb_krb5_context->krb5_context, @@ -196,7 +196,8 @@ static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_c } /* reform principal */ - ret = krb5_unparse_name_norealm(smb_krb5_context->krb5_context, principal, &new_princ); + ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &new_princ); krb5_free_principal(smb_krb5_context->krb5_context, principal); @@ -231,7 +232,8 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, return WERR_OK; } - ret = krb5_parse_name_mustrealm(smb_krb5_context->krb5_context, name, &principal); + ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name, + KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal); if (ret) { info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND; return WERR_OK; @@ -243,7 +245,8 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))", ldb_binary_encode_string(mem_ctx, *realm), ldb_binary_encode_string(mem_ctx, *realm)); - ret = krb5_unparse_name_norealm(smb_krb5_context->krb5_context, principal, &unparsed_name_short); + ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short); krb5_free_principal(smb_krb5_context->krb5_context, principal); if (ret) { @@ -445,11 +448,13 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, krb5_principal principal; char *unparsed_name_short; char *service; - ret = krb5_parse_name_norealm(smb_krb5_context->krb5_context, name, &principal); + ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name, + KRB5_PRINCIPAL_PARSE_NO_REALM, &principal); if (ret) { /* perhaps it's a principal with a realm, so return the right 'domain only' response */ char **realm; - ret = krb5_parse_name_mustrealm(smb_krb5_context->krb5_context, name, &principal); + ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name, + KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal); if (ret) { info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND; return WERR_OK; @@ -473,7 +478,8 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, domain_filter = NULL; - ret = krb5_unparse_name_norealm(smb_krb5_context->krb5_context, principal, &unparsed_name_short); + ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short); if (ret) { krb5_free_principal(smb_krb5_context->krb5_context, principal); return WERR_NOMEM; diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c index d61b78d9b6..56c12efd60 100644 --- a/source4/heimdal/kdc/524.c +++ b/source4/heimdal/kdc/524.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: 524.c,v 1.37 2006/04/27 11:33:20 lha Exp $"); +RCSID("$Id: 524.c,v 1.40 2006/10/06 17:06:30 lha Exp $"); #include <krb5-v4compat.h> @@ -53,7 +53,8 @@ fetch_server (krb5_context context, krb5_error_code ret; krb5_principal sprinc; - ret = _krb5_principalname2krb5_principal(context, &sprinc, t->sname, t->realm); + ret = _krb5_principalname2krb5_principal(context, &sprinc, + t->sname, t->realm); if (ret) { kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s", krb5_get_err_text(context, ret)); @@ -66,7 +67,8 @@ fetch_server (krb5_context context, krb5_get_err_text(context, ret)); return ret; } - ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, server); + ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, + NULL, server); krb5_free_principal(context, sprinc); if (ret) { kdc_log(context, config, 0, @@ -90,7 +92,8 @@ log_524 (krb5_context context, char *cpn; krb5_error_code ret; - ret = _krb5_principalname2krb5_principal(context, &client, et->cname, et->crealm); + ret = _krb5_principalname2krb5_principal(context, &client, + et->cname, et->crealm); if (ret) { kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s", krb5_get_err_text (context, ret)); diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c index 5152fe9ab1..c4d9f51fd0 100644 --- a/source4/heimdal/kdc/default_config.c +++ b/source4/heimdal/kdc/default_config.c @@ -42,8 +42,9 @@ void krb5_kdc_default_config(krb5_kdc_configuration *config) { + memset(config, 0, sizeof(*config)); config->require_preauth = TRUE; - config->kdc_warn_pwexpire = -1; + config->kdc_warn_pwexpire = 0; config->encode_as_rep_as_tgs_rep = FALSE; /* bug compatibility */ config->check_ticket_addresses = TRUE; config->allow_null_ticket_addresses = TRUE; diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c new file mode 100644 index 0000000000..a5517fb896 --- /dev/null +++ b/source4/heimdal/kdc/digest.c @@ -0,0 +1,712 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kdc_locl.h" +#include <digest_asn1.h> +#include <hex.h> + +RCSID("$Id: digest.c,v 1.7 2006/10/22 20:11:44 lha Exp $"); + +krb5_error_code +_kdc_do_digest(krb5_context context, + krb5_kdc_configuration *config, + const DigestREQ *req, krb5_data *reply, + const char *from, struct sockaddr *addr) +{ + krb5_error_code ret = 0; + krb5_ticket *ticket = NULL; + krb5_auth_context ac = NULL; + krb5_keytab id = NULL; + krb5_crypto crypto = NULL; + DigestReqInner ireq; + DigestRepInner r; + DigestREP rep; + krb5_flags ap_req_options; + krb5_data buf; + size_t size; + krb5_storage *sp = NULL; + Checksum res; + hdb_entry_ex *server = NULL, *user = NULL; + char *password = NULL; + krb5_data serverNonce; + + if(!config->enable_digest) { + kdc_log(context, config, 0, "Rejected digest request from %s", from); + return KRB5KDC_ERR_POLICY; + } + + krb5_data_zero(&buf); + krb5_data_zero(reply); + krb5_data_zero(&serverNonce); + memset(&ireq, 0, sizeof(ireq)); + memset(&r, 0, sizeof(r)); + memset(&rep, 0, sizeof(rep)); + + kdc_log(context, config, 0, "Digest request from %s", from); + + ret = krb5_kt_resolve(context, "HDB:", &id); + if (ret) { + kdc_log(context, config, 0, "Can't open database for digest"); + goto out; + } + + ret = krb5_rd_req(context, + &ac, + &req->apReq, + NULL, + id, + &ap_req_options, + &ticket); + if (ret) + goto out; + + /* check the server principal in the ticket matches digest/R@R */ + { + krb5_principal principal = NULL; + const char *p, *r; + + ret = krb5_ticket_get_server(context, ticket, &principal); + if (ret) + goto out; + + ret = EINVAL; + krb5_set_error_string(context, "Wrong digest server principal used"); + p = krb5_principal_get_comp_string(context, principal, 0); + if (p == NULL) { + krb5_free_principal(context, principal); + goto out; + } + if (strcmp(p, KRB5_DIGEST_NAME) != 0) { + krb5_free_principal(context, principal); + goto out; + } + + p = krb5_principal_get_comp_string(context, principal, 1); + if (p == NULL) { + krb5_free_principal(context, principal); + goto out; + } + r = krb5_principal_get_realm(context, principal); + if (r == NULL) { + krb5_free_principal(context, principal); + goto out; + } + if (strcmp(p, r) != 0) { + krb5_free_principal(context, principal); + goto out; + } + + ret = _kdc_db_fetch(context, config, principal, + HDB_F_GET_SERVER, NULL, &server); + if (ret) + goto out; + + krb5_free_principal(context, principal); + } + + /* check the client is allowed to do digest auth */ + { + krb5_principal principal = NULL; + hdb_entry_ex *client; + + ret = krb5_ticket_get_client(context, ticket, &principal); + if (ret) + goto out; + + ret = _kdc_db_fetch(context, config, principal, + HDB_F_GET_CLIENT, NULL, &client); + krb5_free_principal(context, principal); + if (ret) + goto out; + + if (client->entry.flags.allow_digest == 0) { + krb5_set_error_string(context, + "Client is not permitted to use digest"); + ret = KRB5KDC_ERR_POLICY; + _kdc_free_ent (context, client); + goto out; + } + _kdc_free_ent (context, client); + } + + /* unpack request */ + { + krb5_keyblock *key; + + ret = krb5_auth_con_getremotesubkey(context, ac, &key); + if (ret) + goto out; + if (key == NULL) { + krb5_set_error_string(context, "digest: remote subkey not found"); + ret = EINVAL; + goto out; + } + + ret = krb5_crypto_init(context, key, 0, &crypto); + krb5_free_keyblock (context, key); + if (ret) + goto out; + } + + ret = krb5_decrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT, + &req->innerReq, &buf); + krb5_crypto_destroy(context, crypto); + crypto = NULL; + if (ret) + goto out; + + ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL); + krb5_data_free(&buf); + if (ret) { + krb5_set_error_string(context, "Failed to decode digest inner request"); + goto out; + } + + /* + * Process the inner request + */ + + switch (ireq.element) { + case choice_DigestReqInner_init: { + unsigned char server_nonce[16], identifier; + + RAND_pseudo_bytes(&identifier, sizeof(identifier)); + RAND_pseudo_bytes(server_nonce, sizeof(server_nonce)); + + server_nonce[0] = kdc_time & 0xff; + server_nonce[1] = (kdc_time >> 8) & 0xff; + server_nonce[2] = (kdc_time >> 16) & 0xff; + server_nonce[3] = (kdc_time >> 24) & 0xff; + + r.element = choice_DigestRepInner_initReply; + + hex_encode(server_nonce, sizeof(server_nonce), &r.u.initReply.nonce); + if (r.u.initReply.nonce == NULL) { + krb5_set_error_string(context, "Failed to decode server nonce"); + ret = ENOMEM; + goto out; + } + + sp = krb5_storage_emem(); + if (sp == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "out of memory"); + goto out; + } + ret = krb5_store_stringz(sp, ireq.u.init.type); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + + if (ireq.u.init.channel) { + char *s; + + asprintf(&s, "%s-%s:%s", r.u.initReply.nonce, + ireq.u.init.channel->cb_type, + ireq.u.init.channel->cb_binding); + if (s == NULL) { + krb5_set_error_string(context, "Failed to allocate " + "channel binding"); + ret = ENOMEM; + goto out; + } + free(r.u.initReply.nonce); + r.u.initReply.nonce = s; + } + + ret = krb5_store_stringz(sp, r.u.initReply.nonce); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + + if (strcasecmp(ireq.u.init.type, "CHAP") == 0) { + r.u.initReply.identifier = + malloc(sizeof(*r.u.initReply.identifier)); + if (r.u.initReply.identifier == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + + asprintf(r.u.initReply.identifier, "%02X", identifier & 0xff); + if (*r.u.initReply.identifier == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + + ret = krb5_store_stringz(sp, *r.u.initReply.identifier); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + } else + r.u.initReply.identifier = NULL; + + if (ireq.u.init.hostname) { + ret = krb5_store_stringz(sp, *ireq.u.init.hostname); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + } + + ret = krb5_storage_to_data(sp, &buf); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + + { + Key *key; + krb5_enctype enctype; + + ret = _kdc_get_preferred_key(context, + config, + server, + "digest-service", + &enctype, + &key); + if (ret) + goto out; + ret = krb5_crypto_init(context, &key->key, 0, &crypto); + if (ret) + goto out; + } + + ret = krb5_create_checksum(context, + crypto, + KRB5_KU_DIGEST_OPAQUE, + 0, + buf.data, + buf.length, + &res); + krb5_crypto_destroy(context, crypto); + crypto = NULL; + krb5_data_free(&buf); + if (ret) + goto out; + + ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret); + free_Checksum(&res); + if (ret) { + krb5_set_error_string(context, "Failed to encode " + "checksum in digest request"); + goto out; + } + if (size != buf.length) + krb5_abortx(context, "ASN1 internal error"); + + hex_encode(buf.data, buf.length, &r.u.initReply.opaque); + free(buf.data); + if (r.u.initReply.opaque == NULL) { + krb5_clear_error_string(context); + ret = ENOMEM; + goto out; + } + + break; + } + case choice_DigestReqInner_digestRequest: { + krb5_principal clientprincipal; + HDB *db; + + sp = krb5_storage_emem(); + if (sp == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "out of memory"); + goto out; + } + krb5_store_stringz(sp, ireq.u.digestRequest.type); + + krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce); + if (ireq.u.digestRequest.identifier) { + ret = krb5_store_stringz(sp, *ireq.u.digestRequest.identifier); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + } + if (ireq.u.digestRequest.hostname) { + ret = krb5_store_stringz(sp, *ireq.u.digestRequest.hostname); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + } + + buf.length = strlen(ireq.u.digestRequest.opaque); + buf.data = malloc(buf.length); + if (buf.data == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + + ret = hex_decode(ireq.u.digestRequest.opaque, buf.data, buf.length); + if (ret <= 0) { + krb5_set_error_string(context, "Failed to decode opaque"); + ret = ENOMEM; + goto out; + } + buf.length = ret; + + ret = decode_Checksum(buf.data, buf.length, &res, NULL); + free(buf.data); + if (ret) { + krb5_set_error_string(context, "Failed to decode digest Checksum"); + goto out; + } + + ret = krb5_storage_to_data(sp, &buf); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + + serverNonce.length = strlen(ireq.u.digestRequest.serverNonce); + serverNonce.data = malloc(serverNonce.length); + if (serverNonce.data == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + + /* + * CHAP does the checksum of the raw nonce, but do it for all + * types, since we need to check the timestamp. + */ + { + ssize_t ssize; + + ssize = hex_decode(ireq.u.digestRequest.serverNonce, + serverNonce.data, serverNonce.length); + if (ssize <= 0) { + krb5_set_error_string(context, "Failed to decode serverNonce"); + ret = ENOMEM; + goto out; + } + serverNonce.length = ssize; + } + + { + Key *key; + krb5_enctype enctype; + + ret = _kdc_get_preferred_key(context, + config, + server, + "digest-service", + &enctype, + &key); + if (ret) + goto out; + ret = krb5_crypto_init(context, &key->key, 0, &crypto); + if (ret) + goto out; + } + + ret = krb5_verify_checksum(context, crypto, + KRB5_KU_DIGEST_OPAQUE, + buf.data, buf.length, &res); + krb5_crypto_destroy(context, crypto); + crypto = NULL; + if (ret) + goto out; + + /* verify time */ + { + unsigned char *p = serverNonce.data; + uint32_t t; + + if (serverNonce.length < 4) { + krb5_set_error_string(context, "server nonce too short"); + ret = EINVAL; + goto out; + } + t = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); + + if (abs((kdc_time & 0xffffffff) - t) > context->max_skew) { + krb5_set_error_string(context, "time screw in server nonce "); + ret = EINVAL; + goto out; + } + } + + /* get username */ + ret = krb5_parse_name(context, + ireq.u.digestRequest.username, + &clientprincipal); + if (ret) + goto out; + + ret = _kdc_db_fetch(context, config, clientprincipal, + HDB_F_GET_CLIENT, &db, &user); + + krb5_free_principal(context, clientprincipal); + if (ret) + goto out; + + ret = hdb_entry_get_password(context, db, &user->entry, &password); + if (ret || password == NULL) { + if (ret == 0) { + ret = EINVAL; + krb5_set_error_string(context, "password missing"); + } + goto out; + } + + if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) { + MD5_CTX ctx; + unsigned char md[MD5_DIGEST_LENGTH]; + char id; + + if (ireq.u.digestRequest.identifier == NULL) { + krb5_set_error_string(context, "Identifier missing " + "from CHAP request"); + ret = EINVAL; + goto out; + } + + if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) { + krb5_set_error_string(context, "failed to decode identifier"); + ret = EINVAL; + goto out; + } + + MD5_Init(&ctx); + MD5_Update(&ctx, &id, 1); + MD5_Update(&ctx, password, strlen(password)); + MD5_Update(&ctx, serverNonce.data, serverNonce.length); + MD5_Final(md, &ctx); + + r.element = choice_DigestRepInner_response; + hex_encode(md, sizeof(md), &r.u.response.responseData); + if (r.u.response.responseData == NULL) { + krb5_clear_error_string(context); + ret = ENOMEM; + goto out; + } + } else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) { + MD5_CTX ctx; + unsigned char md[MD5_DIGEST_LENGTH]; + char *A1, *A2; + + if (ireq.u.digestRequest.nonceCount == NULL) + goto out; + if (ireq.u.digestRequest.clientNonce == NULL) + goto out; + if (ireq.u.digestRequest.qop == NULL) + goto out; + if (ireq.u.digestRequest.realm == NULL) + goto out; + + MD5_Init(&ctx); + MD5_Update(&ctx, ireq.u.digestRequest.username, + strlen(ireq.u.digestRequest.username)); + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, *ireq.u.digestRequest.realm, + strlen(*ireq.u.digestRequest.realm)); + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, password, strlen(password)); + MD5_Final(md, &ctx); + + MD5_Init(&ctx); + MD5_Update(&ctx, md, sizeof(md)); + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, ireq.u.digestRequest.serverNonce, + strlen(ireq.u.digestRequest.serverNonce)); + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount, + strlen(*ireq.u.digestRequest.nonceCount)); + if (ireq.u.digestRequest.authid) { + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, *ireq.u.digestRequest.authid, + strlen(*ireq.u.digestRequest.authid)); + } + MD5_Final(md, &ctx); + hex_encode(md, sizeof(md), &A1); + if (A1 == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + + MD5_Init(&ctx); + MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); + MD5_Update(&ctx, *ireq.u.digestRequest.uri, + strlen(*ireq.u.digestRequest.uri)); + + /* conf|int */ + if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) { + static char conf_zeros[] = ":00000000000000000000000000000000"; + MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1); + } + + MD5_Final(md, &ctx); + hex_encode(md, sizeof(md), &A2); + if (A2 == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + free(A1); + goto out; + } + + MD5_Init(&ctx); + MD5_Update(&ctx, A1, strlen(A2)); + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, ireq.u.digestRequest.serverNonce, + strlen(ireq.u.digestRequest.serverNonce)); + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount, + strlen(*ireq.u.digestRequest.nonceCount)); + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce, + strlen(*ireq.u.digestRequest.clientNonce)); + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, *ireq.u.digestRequest.qop, + strlen(*ireq.u.digestRequest.qop)); + MD5_Update(&ctx, ":", 1); + MD5_Update(&ctx, A2, strlen(A2)); + + MD5_Final(md, &ctx); + + r.element = choice_DigestRepInner_response; + hex_encode(md, sizeof(md), &r.u.response.responseData); + + free(A1); + free(A2); + + if (r.u.response.responseData == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + + } else { + r.element = choice_DigestRepInner_error; + asprintf(&r.u.error.reason, "unsupported digest type %s", + ireq.u.digestRequest.type); + if (r.u.error.reason == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + r.u.error.code = EINVAL; + } + + break; + } + default: + r.element = choice_DigestRepInner_error; + r.u.error.reason = strdup("unknown operation"); + if (r.u.error.reason == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + r.u.error.code = EINVAL; + break; + } + + ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret); + if (ret) { + krb5_set_error_string(context, "Failed to encode inner digest reply"); + goto out; + } + if (size != buf.length) + krb5_abortx(context, "ASN1 internal error"); + + krb5_auth_con_addflags(context, ac, KRB5_AUTH_CONTEXT_USE_SUBKEY, NULL); + + ret = krb5_mk_rep (context, ac, &rep.apRep); + if (ret) + goto out; + + { + krb5_keyblock *key; + + ret = krb5_auth_con_getlocalsubkey(context, ac, &key); + if (ret) + goto out; + + ret = krb5_crypto_init(context, key, 0, &crypto); + krb5_free_keyblock (context, key); + if (ret) + goto out; + } + + ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT, + buf.data, buf.length, 0, + &rep.innerRep); + + ASN1_MALLOC_ENCODE(DigestREP, reply->data, reply->length, &rep, &size, ret); + if (ret) { + krb5_set_error_string(context, "Failed to encode digest reply"); + goto out; + } + if (size != reply->length) + krb5_abortx(context, "ASN1 internal error"); + + +out: + if (ac) + krb5_auth_con_free(context, ac); + if (ret) + krb5_warn(context, ret, "Digest request from %s failed", from); + if (ticket) + krb5_free_ticket(context, ticket); + if (id) + krb5_kt_close(context, id); + if (crypto) + krb5_crypto_destroy(context, crypto); + if (sp) + krb5_storage_free(sp); + if (user) + _kdc_free_ent (context, user); + if (server) + _kdc_free_ent (context, server); + if (password) { + memset(password, 0, strlen(password)); + free (password); + } + krb5_data_free(&buf); + krb5_data_free(&serverNonce); + free_DigestREP(&rep); + free_DigestRepInner(&r); + free_DigestReqInner(&ireq); + + return ret; +} diff --git a/source4/heimdal/kdc/headers.h b/source4/heimdal/kdc/headers.h index 86f162aa94..87d713b076 100644 --- a/source4/heimdal/kdc/headers.h +++ b/source4/heimdal/kdc/headers.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ /* - * $Id: headers.h,v 1.16 2005/04/24 13:49:00 lha Exp $ + * $Id: headers.h,v 1.18 2006/10/17 02:22:17 lha Exp $ */ #ifndef __HEADERS_H__ @@ -88,9 +88,10 @@ #include <parse_units.h> #include <krb5.h> #include <krb5_locl.h> +#include <digest_asn1.h> #include <hdb.h> #include <hdb_err.h> -#include <der.h> /* copy_octet_string */ +#include <der.h> #undef ALLOC #define ALLOC(X) ((X) = malloc(sizeof(*(X)))) diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c index c08a51b9cc..ac282717ed 100644 --- a/source4/heimdal/kdc/kaserver.c +++ b/source4/heimdal/kdc/kaserver.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kaserver.c,v 1.35 2006/05/05 10:49:50 lha Exp $"); +RCSID("$Id: kaserver.c,v 1.36 2006/08/23 11:43:44 lha Exp $"); #include <krb5-v4compat.h> #include <rx.h> @@ -465,7 +465,8 @@ do_authenticate (krb5_context context, client_name, from, server_name); ret = _kdc_db_fetch4 (context, config, name, instance, - config->v4_realm, HDB_F_GET_CLIENT, &client_entry); + config->v4_realm, HDB_F_GET_CLIENT, + &client_entry); if (ret) { kdc_log(context, config, 0, "Client not found in database: %s: %s", client_name, krb5_get_err_text(context, ret)); diff --git a/source4/heimdal/kdc/kdc-private.h b/source4/heimdal/kdc/kdc-private.h index 251e06b14a..8c2f56002d 100644 --- a/source4/heimdal/kdc/kdc-private.h +++ b/source4/heimdal/kdc/kdc-private.h @@ -5,6 +5,16 @@ #include <stdarg.h> krb5_error_code +_kdc_add_KRB5SignedPath ( + krb5_context /*context*/, + krb5_kdc_configuration */*config*/, + hdb_entry_ex */*krbtgt*/, + krb5_enctype /*enctype*/, + krb5_const_principal /*server*/, + KRB5SignedPathPrincipals */*principals*/, + EncTicketPart */*tkt*/); + +krb5_error_code _kdc_as_rep ( krb5_context /*context*/, krb5_kdc_configuration */*config*/, @@ -12,7 +22,15 @@ _kdc_as_rep ( const krb5_data */*req_buffer*/, krb5_data */*reply*/, const char */*from*/, - struct sockaddr */*from_addr*/); + struct sockaddr */*from_addr*/, + int /*datagram_reply*/); + +krb5_boolean +_kdc_check_addresses ( + krb5_context /*context*/, + krb5_kdc_configuration */*config*/, + HostAddresses */*addresses*/, + const struct sockaddr */*from*/); krb5_error_code _kdc_check_flags ( @@ -30,6 +48,7 @@ _kdc_db_fetch ( krb5_kdc_configuration */*config*/, krb5_const_principal /*principal*/, unsigned /*flags*/, + HDB **/*db*/, hdb_entry_ex **/*h*/); krb5_error_code @@ -52,6 +71,15 @@ _kdc_do_524 ( struct sockaddr */*addr*/); krb5_error_code +_kdc_do_digest ( + krb5_context /*context*/, + krb5_kdc_configuration */*config*/, + const DigestREQ */*req*/, + krb5_data */*reply*/, + const char */*from*/, + struct sockaddr */*addr*/); + +krb5_error_code _kdc_do_kaserver ( krb5_context /*context*/, krb5_kdc_configuration */*config*/, @@ -72,6 +100,21 @@ _kdc_do_version4 ( struct sockaddr_in */*addr*/); krb5_error_code +_kdc_encode_reply ( + krb5_context /*context*/, + krb5_kdc_configuration */*config*/, + KDC_REP */*rep*/, + const EncTicketPart */*et*/, + EncKDCRepPart */*ek*/, + krb5_enctype /*etype*/, + int /*skvno*/, + const EncryptionKey */*skey*/, + int /*ckvno*/, + const EncryptionKey */*ckey*/, + const char **/*e_text*/, + krb5_data */*reply*/); + +krb5_error_code _kdc_encode_v4_ticket ( krb5_context /*context*/, krb5_kdc_configuration */*config*/, @@ -81,6 +124,24 @@ _kdc_encode_v4_ticket ( const PrincipalName */*service*/, size_t */*size*/); +krb5_error_code +_kdc_find_etype ( + krb5_context /*context*/, + const hdb_entry_ex */*princ*/, + krb5_enctype */*etypes*/, + unsigned /*len*/, + Key **/*ret_key*/, + krb5_enctype */*ret_etype*/); + +PA_DATA* +_kdc_find_padata ( + KDC_REQ */*req*/, + int */*start*/, + int /*type*/); + +void +_kdc_fix_time (time_t **/*t*/); + void _kdc_free_ent ( krb5_context /*context*/, @@ -94,6 +155,28 @@ _kdc_get_des_key ( krb5_boolean /*prefer_afs_key*/, Key **/*ret_key*/); +krb5_error_code +_kdc_get_preferred_key ( + krb5_context /*context*/, + krb5_kdc_configuration */*config*/, + hdb_entry_ex */*h*/, + const char */*name*/, + krb5_enctype */*enctype*/, + Key **/*key*/); + +void +_kdc_log_timestamp ( + krb5_context /*context*/, + krb5_kdc_configuration */*config*/, + const char */*type*/, + KerberosTime /*authtime*/, + KerberosTime */*starttime*/, + KerberosTime /*endtime*/, + KerberosTime */*renew_till*/); + +krb5_error_code +_kdc_make_anonymous_principalname (PrincipalName */*pn*/); + int _kdc_maybe_version4 ( unsigned char */*buf*/, @@ -120,7 +203,7 @@ _kdc_pk_initialize ( const char */*user_id*/, const char */*anchors*/, char **/*pool*/, - char **/*revoke*/); + char **/*revoke_list*/); krb5_error_code _kdc_pk_mk_pa_reply ( diff --git a/source4/heimdal/kdc/kdc-protos.h b/source4/heimdal/kdc/kdc-protos.h index 5967f933f3..69bc871b01 100644 --- a/source4/heimdal/kdc/kdc-protos.h +++ b/source4/heimdal/kdc/kdc-protos.h @@ -41,25 +41,27 @@ void krb5_kdc_default_config (krb5_kdc_configuration */*config*/); int -krb5_kdc_process_generic_request ( +krb5_kdc_process_krb5_request ( krb5_context /*context*/, krb5_kdc_configuration */*config*/, unsigned char */*buf*/, size_t /*len*/, krb5_data */*reply*/, - krb5_boolean */*prependlength*/, const char */*from*/, - struct sockaddr */*addr*/); + struct sockaddr */*addr*/, + int /*datagram_reply*/); int -krb5_kdc_process_krb5_request ( +krb5_kdc_process_request ( krb5_context /*context*/, krb5_kdc_configuration */*config*/, unsigned char */*buf*/, size_t /*len*/, krb5_data */*reply*/, + krb5_boolean */*prependlength*/, const char */*from*/, - struct sockaddr */*addr*/); + struct sockaddr */*addr*/, + int /*datagram_reply*/); #ifdef __cplusplus } diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h index 2948570e3a..043b6de47d 100644 --- a/source4/heimdal/kdc/kdc.h +++ b/source4/heimdal/kdc/kdc.h @@ -35,7 +35,7 @@ */ /* - * $Id: kdc.h,v 1.6 2006/05/03 12:03:29 lha Exp $ + * $Id: kdc.h,v 1.9 2006/10/09 15:34:07 lha Exp $ */ #ifndef __KDC_H__ @@ -65,10 +65,12 @@ typedef struct krb5_kdc_configuration { char *v4_realm; krb5_boolean enable_v4; + krb5_boolean enable_v4_cross_realm; + krb5_boolean enable_v4_per_principal; + krb5_boolean enable_kaserver; - + krb5_boolean enable_524; - krb5_boolean enable_v4_cross_realm; krb5_boolean enable_pkinit; krb5_boolean enable_pkinit_princ_in_cert; @@ -78,6 +80,9 @@ typedef struct krb5_kdc_configuration { int pkinit_dh_min_bits; + int enable_digest; + size_t max_datagram_reply_length; + } krb5_kdc_configuration; #include <kdc-protos.h> diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c index d7a3a9cb69..97e98d86ad 100644 --- a/source4/heimdal/kdc/kerberos4.c +++ b/source4/heimdal/kdc/kerberos4.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,7 +35,7 @@ #include <krb5-v4compat.h> -RCSID("$Id: kerberos4.c,v 1.60 2006/05/05 10:50:44 lha Exp $"); +RCSID("$Id: kerberos4.c,v 1.63 2006/10/08 13:43:27 lha Exp $"); #ifndef swap32 static uint32_t @@ -80,7 +80,7 @@ valid_princ(krb5_context context, ret = krb5_unparse_name(context, princ, &s); if (ret) return FALSE; - ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, &ent); + ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent); if (ret) { kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s, krb5_get_err_text (context, ret)); @@ -111,7 +111,7 @@ _kdc_db_fetch4(krb5_context context, valid_princ, &ctx, 0, &p); if(ret) return ret; - ret = _kdc_db_fetch(context, config, p, flags, ent); + ret = _kdc_db_fetch(context, config, p, flags, NULL, ent); krb5_free_principal(context, p); return ret; } @@ -221,6 +221,17 @@ _kdc_do_version4(krb5_context context, goto out1; } + if (config->enable_v4_per_principal && + client->entry.flags.allow_kerberos4 == 0) + { + kdc_log(context, config, 0, + "Per principal Kerberos 4 flag not turned on for %s", + client_name); + make_err_reply(context, reply, KERB_ERR_NULL_KEY, + "allow kerberos4 flag required"); + goto out1; + } + /* * There's no way to do pre-authentication in v4 and thus no * good error code to return if preauthentication is required. @@ -372,7 +383,7 @@ _kdc_do_version4(krb5_context context, } ret = _kdc_db_fetch(context, config, tgt_princ, - HDB_F_GET_KRBTGT, &tgt); + HDB_F_GET_KRBTGT, NULL, &tgt); if(ret){ char *s; s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not " @@ -668,7 +679,7 @@ _kdc_encode_v4_ticket(krb5_context context, if(ret) return ret; - _krb5_principalname2krb5_principal(context, + _krb5_principalname2krb5_principal(context, &princ, et->cname, et->crealm); diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index a73c2c10b3..19287b31cc 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -33,12 +33,12 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c,v 1.211 2006/04/27 12:01:09 lha Exp $"); +RCSID("$Id: kerberos5.c,v 1.223 2006/10/17 02:16:29 lha Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) -static void -fix_time(time_t **t) +void +_kdc_fix_time(time_t **t) { if(*t == NULL){ ALLOC(*t); @@ -65,13 +65,13 @@ set_salt_padata (METHOD_DATA *md, Salt *salt) if (salt) { realloc_method_data(md); md->val[md->len - 1].padata_type = salt->type; - copy_octet_string(&salt->salt, - &md->val[md->len - 1].padata_value); + der_copy_octet_string(&salt->salt, + &md->val[md->len - 1].padata_value); } } -static PA_DATA* -find_padata(KDC_REQ *req, int *start, int type) +PA_DATA* +_kdc_find_padata(KDC_REQ *req, int *start, int type) { while(*start < req->padata->len){ (*start)++; @@ -87,10 +87,10 @@ find_padata(KDC_REQ *req, int *start, int type) * one, but preferring one that has default salt */ -static krb5_error_code -find_etype(krb5_context context, const hdb_entry_ex *princ, - krb5_enctype *etypes, unsigned len, - Key **ret_key, krb5_enctype *ret_etype) +krb5_error_code +_kdc_find_etype(krb5_context context, const hdb_entry_ex *princ, + krb5_enctype *etypes, unsigned len, + Key **ret_key, krb5_enctype *ret_etype) { int i; krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP; @@ -116,46 +116,8 @@ find_etype(krb5_context context, const hdb_entry_ex *princ, return ret; } -static krb5_error_code -find_keys(krb5_context context, - krb5_kdc_configuration *config, - const hdb_entry_ex *client, - const char *client_name, - const hdb_entry_ex *server, - const char *server_name, - Key **ckey, - krb5_enctype *cetype, - Key **skey, - krb5_enctype *setype, - krb5_enctype *etypes, - unsigned num_etypes) -{ - krb5_error_code ret; - - if(client){ - /* find client key */ - ret = find_etype(context, client, etypes, num_etypes, ckey, cetype); - if (ret) { - kdc_log(context, config, 0, - "Client (%s) has no support for etypes", client_name); - return ret; - } - } - - if(server){ - /* find server key */ - ret = find_etype(context, server, etypes, num_etypes, skey, setype); - if (ret) { - kdc_log(context, config, 0, - "Server (%s) has no support for etypes", server_name); - return ret; - } - } - return 0; -} - -static krb5_error_code -make_anonymous_principalname (PrincipalName *pn) +krb5_error_code +_kdc_make_anonymous_principalname (PrincipalName *pn) { pn->name_type = KRB5_NT_PRINCIPAL; pn->name_string.len = 1; @@ -171,12 +133,12 @@ make_anonymous_principalname (PrincipalName *pn) return 0; } -static void -log_timestamp(krb5_context context, - krb5_kdc_configuration *config, - const char *type, - KerberosTime authtime, KerberosTime *starttime, - KerberosTime endtime, KerberosTime *renew_till) +void +_kdc_log_timestamp(krb5_context context, + krb5_kdc_configuration *config, + const char *type, + KerberosTime authtime, KerberosTime *starttime, + KerberosTime endtime, KerberosTime *renew_till) { char authtime_str[100], starttime_str[100], endtime_str[100], renewtime_str[100]; @@ -248,15 +210,15 @@ log_patypes(krb5_context context, */ -static krb5_error_code -encode_reply(krb5_context context, - krb5_kdc_configuration *config, - KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, - krb5_enctype etype, - int skvno, EncryptionKey *skey, - int ckvno, EncryptionKey *ckey, - const char **e_text, - krb5_data *reply) +krb5_error_code +_kdc_encode_reply(krb5_context context, + krb5_kdc_configuration *config, + KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek, + krb5_enctype etype, + int skvno, const EncryptionKey *skey, + int ckvno, const EncryptionKey *ckey, + const char **e_text, + krb5_data *reply) { unsigned char *buf; size_t buf_size; @@ -795,10 +757,10 @@ _kdc_check_flags(krb5_context context, * these checks */ -static krb5_boolean -check_addresses(krb5_context context, - krb5_kdc_configuration *config, - HostAddresses *addresses, const struct sockaddr *from) +krb5_boolean +_kdc_check_addresses(krb5_context context, + krb5_kdc_configuration *config, + HostAddresses *addresses, const struct sockaddr *from) { krb5_error_code ret; krb5_address addr; @@ -843,13 +805,14 @@ _kdc_as_rep(krb5_context context, const krb5_data *req_buffer, krb5_data *reply, const char *from, - struct sockaddr *from_addr) + struct sockaddr *from_addr, + int datagram_reply) { KDC_REQ_BODY *b = &req->req_body; AS_REP rep; KDCOptions f = b->kdc_options; hdb_entry_ex *client = NULL, *server = NULL; - krb5_enctype cetype, setype; + krb5_enctype cetype, setype, sessionetype; EncTicketPart et; EncKDCRepPart ek; krb5_principal client_princ = NULL, server_princ = NULL; @@ -869,12 +832,15 @@ _kdc_as_rep(krb5_context context, ret = KRB5KRB_ERR_GENERIC; e_text = "No server in request"; } else{ - _krb5_principalname2krb5_principal (context, &server_princ, - *(b->sname), b->realm); + _krb5_principalname2krb5_principal (context, + &server_princ, + *(b->sname), + b->realm); ret = krb5_unparse_name(context, server_princ, &server_name); } if (ret) { - kdc_log(context, config, 0, "AS-REQ malformed server name from %s", from); + kdc_log(context, config, 0, + "AS-REQ malformed server name from %s", from); goto out; } @@ -882,12 +848,15 @@ _kdc_as_rep(krb5_context context, ret = KRB5KRB_ERR_GENERIC; e_text = "No client in request"; } else { - _krb5_principalname2krb5_principal (context, &client_princ, - *(b->cname), b->realm); + _krb5_principalname2krb5_principal (context, + &client_princ, + *(b->cname), + b->realm); ret = krb5_unparse_name(context, client_princ, &client_name); } if (ret) { - kdc_log(context, config, 0, "AS-REQ malformed client name from %s", from); + kdc_log(context, config, 0, + "AS-REQ malformed client name from %s", from); goto out; } @@ -895,7 +864,7 @@ _kdc_as_rep(krb5_context context, client_name, from, server_name); ret = _kdc_db_fetch(context, config, client_princ, - HDB_F_GET_CLIENT, &client); + HDB_F_GET_CLIENT, NULL, &client); if(ret){ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, krb5_get_err_text(context, ret)); @@ -904,7 +873,8 @@ _kdc_as_rep(krb5_context context, } ret = _kdc_db_fetch(context, config, server_princ, - HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, &server); + HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, + NULL, &server); if(ret){ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, krb5_get_err_text(context, ret)); @@ -943,11 +913,11 @@ _kdc_as_rep(krb5_context context, e_text = "No PKINIT PA found"; i = 0; - if ((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ))) + if ((pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ))) ; if (pa == NULL) { i = 0; - if((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN))) + if((pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN))) ; } if (pa) { @@ -995,7 +965,7 @@ _kdc_as_rep(krb5_context context, i = 0; e_text = "No ENC-TS found"; - while((pa = find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){ + while((pa = _kdc_find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){ krb5_data ts_data; PA_ENC_TS_ENC p; size_t len; @@ -1056,7 +1026,7 @@ _kdc_as_rep(krb5_context context, if(ret){ krb5_error_code ret2; ret2 = krb5_enctype_to_string(context, - pa_key->key.keytype, &str); + pa_key->key.keytype, &str); if (ret2) str = NULL; kdc_log(context, config, 5, @@ -1092,9 +1062,18 @@ _kdc_as_rep(krb5_context context, } free_PA_ENC_TS_ENC(&p); if (abs(kdc_time - p.patimestamp) > context->max_skew) { + char client_time[100]; + + krb5_format_time(context, p.patimestamp, + client_time, sizeof(client_time), TRUE); + ret = KRB5KRB_AP_ERR_SKEW; kdc_log(context, config, 0, - "Too large time skew -- %s", client_name); + "Too large time skew, client time %s is out by %u > %u seconds -- %s", + client_time, + (unsigned)abs(kdc_time - p.patimestamp), + context->max_skew, + client_name); /* * the following is needed to make windows clients * to retry using the timestamp in the error message @@ -1162,7 +1141,7 @@ _kdc_as_rep(krb5_context context, * both info replies (we send 'info' first in the list). * - If the client is 'modern', because it knows about 'new' * enctype types, then only send the 'info2' reply. - */ + */ /* XXX check ret */ if (only_older_enctype_p(req)) @@ -1197,14 +1176,54 @@ _kdc_as_rep(krb5_context context, goto out2; } - ret = find_keys(context, config, - client, client_name, - server, server_name, - &ckey, &cetype, &skey, &setype, - b->etype.val, b->etype.len); - if(ret) + /* + * Find the client key (for preauth ENC-TS verification and reply + * encryption). Then the best encryption type for the KDC and + * last the best session key that shared between the client and + * KDC runtime enctypes. + */ + + ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len, + &ckey, &cetype); + if (ret) { + kdc_log(context, config, 0, + "Client (%s) has no support for etypes", client_name); goto out; + } + ret = _kdc_get_preferred_key(context, config, + server, server_name, + &setype, &skey); + if(ret) + goto out; + + { + const krb5_enctype *p; + int i, j; + + p = krb5_kerberos_enctypes(context); + + sessionetype = ETYPE_NULL; + + for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) { + if (krb5_enctype_valid(context, p[i]) != 0) + continue; + for (j = 0; j < b->etype.len; j++) { + if (p[i] == b->etype.val[j]) { + sessionetype = p[i]; + break; + } + } + } + if (sessionetype == ETYPE_NULL) { + kdc_log(context, config, 0, + "Client (%s) from %s has no common enctypes with KDC" + "to use for the session key", + client_name, from); + goto out; + } + } + { struct rk_strpool *p = NULL; char *str; @@ -1268,9 +1287,9 @@ _kdc_as_rep(krb5_context context, rep.msg_type = krb_as_rep; copy_Realm(&client->entry.principal->realm, &rep.crealm); if (f.request_anonymous) - make_anonymous_principalname (&rep.cname); + _kdc_make_anonymous_principalname (&rep.cname); else - _krb5_principal2principalname(&rep.cname, + _krb5_principal2principalname(&rep.cname, client->entry.principal); rep.ticket.tkt_vno = 5; copy_Realm(&server->entry.principal->realm, &rep.ticket.realm); @@ -1304,14 +1323,14 @@ _kdc_as_rep(krb5_context context, } /* check for valid set of addresses */ - if(!check_addresses(context, config, b->addresses, from_addr)) { + if(!_kdc_check_addresses(context, config, b->addresses, from_addr)) { ret = KRB5KRB_AP_ERR_BADADDR; kdc_log(context, config, 0, "Bad address list requested -- %s", client_name); goto out; } - krb5_generate_random_keyblock(context, setype, &et.key); + krb5_generate_random_keyblock(context, sessionetype, &et.key); copy_PrincipalName(&rep.cname, &et.cname); copy_Realm(&rep.crealm, &et.crealm); @@ -1327,7 +1346,7 @@ _kdc_as_rep(krb5_context context, et.flags.invalid = 1; et.flags.postdated = 1; /* XXX ??? */ } - fix_time(&b->till); + _kdc_fix_time(&b->till); t = *b->till; /* be careful not overflowing */ @@ -1392,7 +1411,7 @@ _kdc_as_rep(krb5_context context, ek.last_req.len = 0; if (client->entry.pw_end && (config->kdc_warn_pwexpire == 0 - || kdc_time + config->kdc_warn_pwexpire <= *client->entry.pw_end)) { + || kdc_time + config->kdc_warn_pwexpire >= *client->entry.pw_end)) { ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME; ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end; ++ek.last_req.len; @@ -1472,15 +1491,37 @@ _kdc_as_rep(krb5_context context, goto out; } - log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime, - et.endtime, et.renew_till); + _kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime, + et.endtime, et.renew_till); + + /* do this as the last thing since this signs the EncTicketPart */ + ret = _kdc_add_KRB5SignedPath(context, + config, + server, + setype, + NULL, + NULL, + &et); + if (ret) + goto out; - ret = encode_reply(context, config, - &rep, &et, &ek, setype, server->entry.kvno, &skey->key, - client->entry.kvno, reply_key, &e_text, reply); + ret = _kdc_encode_reply(context, config, + &rep, &et, &ek, setype, server->entry.kvno, + &skey->key, client->entry.kvno, + reply_key, &e_text, reply); free_EncTicketPart(&et); free_EncKDCRepPart(&ek); - out: + if (ret) + goto out; + + /* */ + if (datagram_reply && reply->length > config->max_datagram_reply_length) { + krb5_data_free(reply); + ret = KRB5KRB_ERR_RESPONSE_TOO_BIG; + e_text = "Reply packet too large"; + } + +out: free_AS_REP(&rep); if(ret){ krb5_mk_error(context, @@ -1494,7 +1535,7 @@ _kdc_as_rep(krb5_context context, reply); ret = 0; } - out2: +out2: #ifdef PKINIT if (pkp) _kdc_pk_free_client_param(context, pkp); @@ -1511,1089 +1552,3 @@ _kdc_as_rep(krb5_context context, _kdc_free_ent(context, server); return ret; } - - -static krb5_error_code -check_tgs_flags(krb5_context context, - krb5_kdc_configuration *config, - KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et) -{ - KDCOptions f = b->kdc_options; - - if(f.validate){ - if(!tgt->flags.invalid || tgt->starttime == NULL){ - kdc_log(context, config, 0, - "Bad request to validate ticket"); - return KRB5KDC_ERR_BADOPTION; - } - if(*tgt->starttime > kdc_time){ - kdc_log(context, config, 0, - "Early request to validate ticket"); - return KRB5KRB_AP_ERR_TKT_NYV; - } - /* XXX tkt = tgt */ - et->flags.invalid = 0; - }else if(tgt->flags.invalid){ - kdc_log(context, config, 0, - "Ticket-granting ticket has INVALID flag set"); - return KRB5KRB_AP_ERR_TKT_INVALID; - } - - if(f.forwardable){ - if(!tgt->flags.forwardable){ - kdc_log(context, config, 0, - "Bad request for forwardable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.forwardable = 1; - } - if(f.forwarded){ - if(!tgt->flags.forwardable){ - kdc_log(context, config, 0, - "Request to forward non-forwardable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.forwarded = 1; - et->caddr = b->addresses; - } - if(tgt->flags.forwarded) - et->flags.forwarded = 1; - - if(f.proxiable){ - if(!tgt->flags.proxiable){ - kdc_log(context, config, 0, - "Bad request for proxiable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.proxiable = 1; - } - if(f.proxy){ - if(!tgt->flags.proxiable){ - kdc_log(context, config, 0, - "Request to proxy non-proxiable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.proxy = 1; - et->caddr = b->addresses; - } - if(tgt->flags.proxy) - et->flags.proxy = 1; - - if(f.allow_postdate){ - if(!tgt->flags.may_postdate){ - kdc_log(context, config, 0, - "Bad request for post-datable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.may_postdate = 1; - } - if(f.postdated){ - if(!tgt->flags.may_postdate){ - kdc_log(context, config, 0, - "Bad request for postdated ticket"); - return KRB5KDC_ERR_BADOPTION; - } - if(b->from) - *et->starttime = *b->from; - et->flags.postdated = 1; - et->flags.invalid = 1; - }else if(b->from && *b->from > kdc_time + context->max_skew){ - kdc_log(context, config, 0, "Ticket cannot be postdated"); - return KRB5KDC_ERR_CANNOT_POSTDATE; - } - - if(f.renewable){ - if(!tgt->flags.renewable){ - kdc_log(context, config, 0, - "Bad request for renewable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.renewable = 1; - ALLOC(et->renew_till); - fix_time(&b->rtime); - *et->renew_till = *b->rtime; - } - if(f.renew){ - time_t old_life; - if(!tgt->flags.renewable || tgt->renew_till == NULL){ - kdc_log(context, config, 0, - "Request to renew non-renewable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - old_life = tgt->endtime; - if(tgt->starttime) - old_life -= *tgt->starttime; - else - old_life -= tgt->authtime; - et->endtime = *et->starttime + old_life; - if (et->renew_till != NULL) - et->endtime = min(*et->renew_till, et->endtime); - } - - /* checks for excess flags */ - if(f.request_anonymous && !config->allow_anonymous){ - kdc_log(context, config, 0, - "Request for anonymous ticket"); - return KRB5KDC_ERR_BADOPTION; - } - return 0; -} - -static krb5_error_code -fix_transited_encoding(krb5_context context, - krb5_kdc_configuration *config, - krb5_boolean check_policy, - TransitedEncoding *tr, - EncTicketPart *et, - const char *client_realm, - const char *server_realm, - const char *tgt_realm) -{ - krb5_error_code ret = 0; - char **realms, **tmp; - int num_realms; - int i; - - switch (tr->tr_type) { - case DOMAIN_X500_COMPRESS: - break; - case 0: - /* - * Allow empty content of type 0 because that is was Microsoft - * generates in their TGT. - */ - if (tr->contents.length == 0) - break; - kdc_log(context, config, 0, - "Transited type 0 with non empty content"); - return KRB5KDC_ERR_TRTYPE_NOSUPP; - default: - kdc_log(context, config, 0, - "Unknown transited type: %u", tr->tr_type); - return KRB5KDC_ERR_TRTYPE_NOSUPP; - } - - ret = krb5_domain_x500_decode(context, - tr->contents, - &realms, - &num_realms, - client_realm, - server_realm); - if(ret){ - krb5_warn(context, ret, - "Decoding transited encoding"); - return ret; - } - if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { - /* not us, so add the previous realm to transited set */ - if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) { - ret = ERANGE; - goto free_realms; - } - tmp = realloc(realms, (num_realms + 1) * sizeof(*realms)); - if(tmp == NULL){ - ret = ENOMEM; - goto free_realms; - } - realms = tmp; - realms[num_realms] = strdup(tgt_realm); - if(realms[num_realms] == NULL){ - ret = ENOMEM; - goto free_realms; - } - num_realms++; - } - if(num_realms == 0) { - if(strcmp(client_realm, server_realm)) - kdc_log(context, config, 0, - "cross-realm %s -> %s", client_realm, server_realm); - } else { - size_t l = 0; - char *rs; - for(i = 0; i < num_realms; i++) - l += strlen(realms[i]) + 2; - rs = malloc(l); - if(rs != NULL) { - *rs = '\0'; - for(i = 0; i < num_realms; i++) { - if(i > 0) - strlcat(rs, ", ", l); - strlcat(rs, realms[i], l); - } - kdc_log(context, config, 0, - "cross-realm %s -> %s via [%s]", - client_realm, server_realm, rs); - free(rs); - } - } - if(check_policy) { - ret = krb5_check_transited(context, client_realm, - server_realm, - realms, num_realms, NULL); - if(ret) { - krb5_warn(context, ret, "cross-realm %s -> %s", - client_realm, server_realm); - goto free_realms; - } - et->flags.transited_policy_checked = 1; - } - et->transited.tr_type = DOMAIN_X500_COMPRESS; - ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents); - if(ret) - krb5_warn(context, ret, "Encoding transited encoding"); - free_realms: - for(i = 0; i < num_realms; i++) - free(realms[i]); - free(realms); - return ret; -} - - -static krb5_error_code -tgs_make_reply(krb5_context context, - krb5_kdc_configuration *config, - KDC_REQ_BODY *b, - EncTicketPart *tgt, - EncTicketPart *adtkt, - AuthorizationData *auth_data, - krb5_ticket *tgs_ticket, - hdb_entry_ex *server, - const char *server_name, - hdb_entry_ex *client, - krb5_principal client_principal, - hdb_entry_ex *krbtgt, - EncryptionKey *tgtkey, - krb5_enctype cetype, - const char **e_text, - krb5_data *reply) -{ - KDC_REP rep; - EncKDCRepPart ek; - EncTicketPart et; - KDCOptions f = b->kdc_options; - krb5_error_code ret; - krb5_enctype etype; - Key *skey; - EncryptionKey *ekey; - AuthorizationData *new_auth_data = NULL; - - if(adtkt) { - int i; - ekey = &adtkt->key; - for(i = 0; i < b->etype.len; i++) - if (b->etype.val[i] == adtkt->key.keytype) - break; - if(i == b->etype.len) { - krb5_clear_error_string(context); - return KRB5KDC_ERR_ETYPE_NOSUPP; - } - etype = b->etype.val[i]; - }else{ - ret = find_keys(context, config, - NULL, NULL, server, server_name, - NULL, NULL, &skey, &etype, - b->etype.val, b->etype.len); - if(ret) - return ret; - ekey = &skey->key; - } - - memset(&rep, 0, sizeof(rep)); - memset(&et, 0, sizeof(et)); - memset(&ek, 0, sizeof(ek)); - - rep.pvno = 5; - rep.msg_type = krb_tgs_rep; - - et.authtime = tgt->authtime; - fix_time(&b->till); - et.endtime = min(tgt->endtime, *b->till); - ALLOC(et.starttime); - *et.starttime = kdc_time; - - ret = check_tgs_flags(context, config, b, tgt, &et); - if(ret) - goto out; - - /* We should check the transited encoding if: - 1) the request doesn't ask not to be checked - 2) globally enforcing a check - 3) principal requires checking - 4) we allow non-check per-principal, but principal isn't marked as allowing this - 5) we don't globally allow this - */ - -#define GLOBAL_FORCE_TRANSITED_CHECK \ - (config->trpolicy == TRPOLICY_ALWAYS_CHECK) -#define GLOBAL_ALLOW_PER_PRINCIPAL \ - (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL) -#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \ - (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST) - -/* these will consult the database in future release */ -#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0 -#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0 - - ret = fix_transited_encoding(context, config, - !f.disable_transited_check || - GLOBAL_FORCE_TRANSITED_CHECK || - PRINCIPAL_FORCE_TRANSITED_CHECK(server) || - !((GLOBAL_ALLOW_PER_PRINCIPAL && - PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) || - GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), - &tgt->transited, &et, - *krb5_princ_realm(context, client_principal), - *krb5_princ_realm(context, server->entry.principal), - *krb5_princ_realm(context, krbtgt->entry.principal)); - if(ret) - goto out; - - copy_Realm(krb5_princ_realm(context, server->entry.principal), - &rep.ticket.realm); - _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal); - copy_Realm(&tgt->crealm, &rep.crealm); - if (f.request_anonymous) - make_anonymous_principalname (&tgt->cname); - else - copy_PrincipalName(&tgt->cname, &rep.cname); - rep.ticket.tkt_vno = 5; - - ek.caddr = et.caddr; - if(et.caddr == NULL) - et.caddr = tgt->caddr; - - { - time_t life; - life = et.endtime - *et.starttime; - if(client && client->entry.max_life) - life = min(life, *client->entry.max_life); - if(server->entry.max_life) - life = min(life, *server->entry.max_life); - et.endtime = *et.starttime + life; - } - if(f.renewable_ok && tgt->flags.renewable && - et.renew_till == NULL && et.endtime < *b->till){ - et.flags.renewable = 1; - ALLOC(et.renew_till); - *et.renew_till = *b->till; - } - if(et.renew_till){ - time_t renew; - renew = *et.renew_till - et.authtime; - if(client && client->entry.max_renew) - renew = min(renew, *client->entry.max_renew); - if(server->entry.max_renew) - renew = min(renew, *server->entry.max_renew); - *et.renew_till = et.authtime + renew; - } - - if(et.renew_till){ - *et.renew_till = min(*et.renew_till, *tgt->renew_till); - *et.starttime = min(*et.starttime, *et.renew_till); - et.endtime = min(et.endtime, *et.renew_till); - } - - *et.starttime = min(*et.starttime, et.endtime); - - if(*et.starttime == et.endtime){ - ret = KRB5KDC_ERR_NEVER_VALID; - goto out; - } - if(et.renew_till && et.endtime == *et.renew_till){ - free(et.renew_till); - et.renew_till = NULL; - et.flags.renewable = 0; - } - - et.flags.pre_authent = tgt->flags.pre_authent; - et.flags.hw_authent = tgt->flags.hw_authent; - et.flags.anonymous = tgt->flags.anonymous; - et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; - - - krb5_generate_random_keyblock(context, etype, &et.key); - - if (server->authz_data_tgs_req) { - ret = server->authz_data_tgs_req(context, server, - client_principal, - tgs_ticket->ticket.authorization_data, - tgs_ticket->ticket.authtime, - tgtkey, - ekey, - &et.key, - &new_auth_data); - if (ret) { - new_auth_data = NULL; - } - } - - /* XXX Check enc-authorization-data */ - et.authorization_data = new_auth_data; - - et.crealm = tgt->crealm; - et.cname = tgt->cname; - - ek.key = et.key; - /* MIT must have at least one last_req */ - ek.last_req.len = 1; - ek.last_req.val = calloc(1, sizeof(*ek.last_req.val)); - ek.nonce = b->nonce; - ek.flags = et.flags; - ek.authtime = et.authtime; - ek.starttime = et.starttime; - ek.endtime = et.endtime; - ek.renew_till = et.renew_till; - ek.srealm = rep.ticket.realm; - ek.sname = rep.ticket.sname; - - log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime, - et.endtime, et.renew_till); - - /* It is somewhat unclear where the etype in the following - encryption should come from. What we have is a session - key in the passed tgt, and a list of preferred etypes - *for the new ticket*. Should we pick the best possible - etype, given the keytype in the tgt, or should we look - at the etype list here as well? What if the tgt - session key is DES3 and we want a ticket with a (say) - CAST session key. Should the DES3 etype be added to the - etype list, even if we don't want a session key with - DES3? */ - ret = encode_reply(context, config, - &rep, &et, &ek, etype, adtkt ? 0 : server->entry.kvno, - ekey, 0, &tgt->key, e_text, reply); - out: - free_TGS_REP(&rep); - free_TransitedEncoding(&et.transited); - if(et.starttime) - free(et.starttime); - if(et.renew_till) - free(et.renew_till); - free_LastReq(&ek.last_req); - memset(et.key.keyvalue.data, 0, et.key.keyvalue.length); - free_EncryptionKey(&et.key); - return ret; -} - -static krb5_error_code -tgs_check_authenticator(krb5_context context, - krb5_kdc_configuration *config, - krb5_auth_context ac, - KDC_REQ_BODY *b, - const char **e_text, - krb5_keyblock *key) -{ - krb5_authenticator auth; - size_t len; - unsigned char *buf; - size_t buf_size; - krb5_error_code ret; - krb5_crypto crypto; - - krb5_auth_con_getauthenticator(context, ac, &auth); - if(auth->cksum == NULL){ - kdc_log(context, config, 0, "No authenticator in request"); - ret = KRB5KRB_AP_ERR_INAPP_CKSUM; - goto out; - } - /* - * according to RFC1510 it doesn't need to be keyed, - * but according to the latest draft it needs to. - */ - if ( -#if 0 -!krb5_checksum_is_keyed(context, auth->cksum->cksumtype) - || -#endif - !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) { - kdc_log(context, config, 0, "Bad checksum type in authenticator: %d", - auth->cksum->cksumtype); - ret = KRB5KRB_AP_ERR_INAPP_CKSUM; - goto out; - } - - /* XXX should not re-encode this */ - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); - if(ret){ - kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", - krb5_get_err_text(context, ret)); - goto out; - } - if(buf_size != len) { - free(buf); - kdc_log(context, config, 0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - ret = KRB5KRB_ERR_GENERIC; - goto out; - } - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free(buf); - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - goto out; - } - ret = krb5_verify_checksum(context, - crypto, - KRB5_KU_TGS_REQ_AUTH_CKSUM, - buf, - len, - auth->cksum); - free(buf); - krb5_crypto_destroy(context, crypto); - if(ret){ - kdc_log(context, config, 0, - "Failed to verify authenticator checksum: %s", - krb5_get_err_text(context, ret)); - } -out: - free_Authenticator(auth); - free(auth); - return ret; -} - -/* - * return the realm of a krbtgt-ticket or NULL - */ - -static Realm -get_krbtgt_realm(const PrincipalName *p) -{ - if(p->name_string.len == 2 - && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0) - return p->name_string.val[1]; - else - return NULL; -} - -static const char * -find_rpath(krb5_context context, Realm crealm, Realm srealm) -{ - const char *new_realm = krb5_config_get_string(context, - NULL, - "capaths", - crealm, - srealm, - NULL); - return new_realm; -} - - -static krb5_boolean -need_referral(krb5_context context, krb5_principal server, krb5_realm **realms) -{ - if(server->name.name_type != KRB5_NT_SRV_INST || - server->name.name_string.len != 2) - return FALSE; - - return _krb5_get_host_realm_int(context, server->name.name_string.val[1], - FALSE, realms) == 0; -} - -static krb5_error_code -tgs_rep2(krb5_context context, - krb5_kdc_configuration *config, - KDC_REQ_BODY *b, - PA_DATA *tgs_req, - krb5_data *reply, - const char *from, - const struct sockaddr *from_addr, - time_t **csec, - int **cusec) -{ - krb5_ap_req ap_req; - krb5_error_code ret; - krb5_principal princ; - krb5_auth_context ac = NULL; - krb5_ticket *ticket = NULL; - krb5_flags ap_req_options; - krb5_flags verify_ap_req_flags; - const char *e_text = NULL; - krb5_crypto crypto; - - hdb_entry_ex *krbtgt = NULL; - EncTicketPart *tgt; - Key *tkey; - krb5_enctype cetype; - krb5_principal cp = NULL; - krb5_principal sp = NULL; - AuthorizationData *auth_data = NULL; - - *csec = NULL; - *cusec = NULL; - - memset(&ap_req, 0, sizeof(ap_req)); - ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); - if(ret){ - kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - - if(!get_krbtgt_realm(&ap_req.ticket.sname)){ - /* XXX check for ticket.sname == req.sname */ - kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket"); - ret = KRB5KDC_ERR_POLICY; /* ? */ - goto out2; - } - - _krb5_principalname2krb5_principal(context, &princ, - ap_req.ticket.sname, - ap_req.ticket.realm); - - ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, &krbtgt); - - if(ret) { - char *p; - ret = krb5_unparse_name(context, princ, &p); - if (ret != 0) - p = "<unparse_name failed>"; - krb5_free_principal(context, princ); - kdc_log(context, config, 0, - "Ticket-granting ticket not found in database: %s: %s", - p, krb5_get_err_text(context, ret)); - if (ret == 0) - free(p); - ret = KRB5KRB_AP_ERR_NOT_US; - goto out2; - } - - if(ap_req.ticket.enc_part.kvno && - *ap_req.ticket.enc_part.kvno != krbtgt->entry.kvno){ - char *p; - - ret = krb5_unparse_name (context, princ, &p); - krb5_free_principal(context, princ); - if (ret != 0) - p = "<unparse_name failed>"; - kdc_log(context, config, 0, - "Ticket kvno = %d, DB kvno = %d (%s)", - *ap_req.ticket.enc_part.kvno, - krbtgt->entry.kvno, - p); - if (ret == 0) - free (p); - ret = KRB5KRB_AP_ERR_BADKEYVER; - goto out2; - } - - ret = hdb_enctype2key(context, &krbtgt->entry, - ap_req.ticket.enc_part.etype, &tkey); - if(ret){ - char *str, *p; - krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); - krb5_unparse_name(context, princ, &p); - kdc_log(context, config, 0, - "No server key with enctype %s found for %s", str, p); - free(str); - free(p); - ret = KRB5KRB_AP_ERR_BADKEYVER; - goto out2; - } - - if (b->kdc_options.validate) - verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID; - else - verify_ap_req_flags = 0; - - ret = krb5_verify_ap_req2(context, - &ac, - &ap_req, - princ, - &tkey->key, - verify_ap_req_flags, - &ap_req_options, - &ticket, - KRB5_KU_TGS_REQ_AUTH); - - krb5_free_principal(context, princ); - if(ret) { - kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - - { - krb5_authenticator auth; - - ret = krb5_auth_con_getauthenticator(context, ac, &auth); - if (ret == 0) { - *csec = malloc(sizeof(**csec)); - if (*csec == NULL) { - krb5_free_authenticator(context, &auth); - kdc_log(context, config, 0, "malloc failed"); - goto out2; - } - **csec = auth->ctime; - *cusec = malloc(sizeof(**cusec)); - if (*cusec == NULL) { - krb5_free_authenticator(context, &auth); - kdc_log(context, config, 0, "malloc failed"); - goto out2; - } - **csec = auth->cusec; - krb5_free_authenticator(context, &auth); - } - } - - cetype = ap_req.authenticator.etype; - - tgt = &ticket->ticket; - - ret = tgs_check_authenticator(context, config, - ac, b, &e_text, &tgt->key); - if (ret) { - krb5_auth_con_free(context, ac); - goto out2; - } - - if (b->enc_authorization_data) { - krb5_keyblock *subkey; - krb5_data ad; - ret = krb5_auth_con_getremotesubkey(context, - ac, - &subkey); - if(ret){ - krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, "Failed to get remote subkey: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - if(subkey == NULL){ - ret = krb5_auth_con_getkey(context, ac, &subkey); - if(ret) { - krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, "Failed to get session key: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - } - if(subkey == NULL){ - krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, - "Failed to get key for enc-authorization-data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out2; - } - ret = krb5_crypto_init(context, subkey, 0, &crypto); - if (ret) { - krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, - b->enc_authorization_data, - &ad); - krb5_crypto_destroy(context, crypto); - if(ret){ - krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, "Failed to decrypt enc-authorization-data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out2; - } - krb5_free_keyblock(context, subkey); - ALLOC(auth_data); - ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL); - if(ret){ - krb5_auth_con_free(context, ac); - free(auth_data); - auth_data = NULL; - kdc_log(context, config, 0, "Failed to decode authorization data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out2; - } - } - - krb5_auth_con_free(context, ac); - - { - PrincipalName *s; - Realm r; - char *spn = NULL, *cpn = NULL; - hdb_entry_ex *server = NULL, *client = NULL; - int nloop = 0; - EncTicketPart adtkt; - char opt_str[128]; - - s = b->sname; - r = b->realm; - if(b->kdc_options.enc_tkt_in_skey){ - Ticket *t; - hdb_entry_ex *uu; - krb5_principal p; - Key *uukey; - - if(b->additional_tickets == NULL || - b->additional_tickets->len == 0){ - ret = KRB5KDC_ERR_BADOPTION; /* ? */ - kdc_log(context, config, 0, - "No second ticket present in request"); - goto out; - } - t = &b->additional_tickets->val[0]; - if(!get_krbtgt_realm(&t->sname)){ - kdc_log(context, config, 0, - "Additional ticket is not a ticket-granting ticket"); - ret = KRB5KDC_ERR_POLICY; - goto out2; - } - _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm); - ret = _kdc_db_fetch(context, config, p, - HDB_F_GET_CLIENT|HDB_F_GET_SERVER, &uu); - krb5_free_principal(context, p); - if(ret){ - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto out; - } - ret = hdb_enctype2key(context, &uu->entry, - t->enc_part.etype, &uukey); - if(ret){ - _kdc_free_ent(context, uu); - ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ - goto out; - } - ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0); - _kdc_free_ent(context, uu); - if(ret) - goto out; - s = &adtkt.cname; - r = adtkt.crealm; - } - - _krb5_principalname2krb5_principal(context, &sp, *s, r); - ret = krb5_unparse_name(context, sp, &spn); - if (ret) - goto out; - _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm); - ret = krb5_unparse_name(context, cp, &cpn); - if (ret) - goto out; - unparse_flags (KDCOptions2int(b->kdc_options), - asn1_KDCOptions_units(), - opt_str, sizeof(opt_str)); - if(*opt_str) - kdc_log(context, config, 0, - "TGS-REQ %s from %s for %s [%s]", - cpn, from, spn, opt_str); - else - kdc_log(context, config, 0, - "TGS-REQ %s from %s for %s", cpn, from, spn); - server_lookup: - ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, &server); - - if(ret){ - const char *new_rlm; - Realm req_rlm; - krb5_realm *realms; - - if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { - if(nloop++ < 2) { - new_rlm = find_rpath(context, tgt->crealm, req_rlm); - if(new_rlm) { - kdc_log(context, config, 5, "krbtgt for realm %s not found, trying %s", - req_rlm, new_rlm); - krb5_free_principal(context, sp); - free(spn); - krb5_make_principal(context, &sp, r, - KRB5_TGS_NAME, new_rlm, NULL); - ret = krb5_unparse_name(context, sp, &spn); - if (ret) - goto out; - goto server_lookup; - } - } - } else if(need_referral(context, sp, &realms)) { - if (strcmp(realms[0], sp->realm) != 0) { - kdc_log(context, config, 5, - "Returning a referral to realm %s for " - "server %s that was not found", - realms[0], spn); - krb5_free_principal(context, sp); - free(spn); - krb5_make_principal(context, &sp, r, KRB5_TGS_NAME, - realms[0], NULL); - ret = krb5_unparse_name(context, sp, &spn); - if (ret) - goto out; - krb5_free_host_realm(context, realms); - goto server_lookup; - } - krb5_free_host_realm(context, realms); - } - kdc_log(context, config, 0, - "Server not found in database: %s: %s", spn, - krb5_get_err_text(context, ret)); - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto out; - } - - ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, &client); - if(ret) - kdc_log(context, config, 1, "Client not found in database: %s: %s", - cpn, krb5_get_err_text(context, ret)); - - /* - * If the client belongs to the same realm as our krbtgt, it - * should exist in the local database. - * - * If its not the same, check the "direction" on the krbtgt, - * so its not a backward uni-directional trust. - */ - - if(strcmp(krb5_principal_get_realm(context, sp), - krb5_principal_get_comp_string(context, - krbtgt->entry.principal, 1)) == 0) { - if(ret) { - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto out; - } - } else { - char *tpn; - ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); - kdc_log(context, config, 0, - "Request with wrong krbtgt: %s", - (ret == 0) ? tpn : "<unknown>"); - if(ret == 0) - free(tpn); - ret = KRB5KRB_AP_ERR_NOT_US; - goto out; - - } - - ret = _kdc_check_flags(context, config, - client, cpn, - server, spn, - FALSE); - if(ret) - goto out; - - if((b->kdc_options.validate || b->kdc_options.renew) && - !krb5_principal_compare(context, - krbtgt->entry.principal, - server->entry.principal)){ - kdc_log(context, config, 0, "Inconsistent request."); - ret = KRB5KDC_ERR_SERVER_NOMATCH; - goto out; - } - - /* check for valid set of addresses */ - if(!check_addresses(context, config, tgt->caddr, from_addr)) { - ret = KRB5KRB_AP_ERR_BADADDR; - kdc_log(context, config, 0, "Request from wrong address"); - goto out; - } - - ret = tgs_make_reply(context, - config, - b, - tgt, - b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, - auth_data, - ticket, - server, - spn, - client, - cp, - krbtgt, - &tkey->key, - cetype, - &e_text, - reply); - - out: - free(spn); - free(cpn); - - if(server) - _kdc_free_ent(context, server); - if(client) - _kdc_free_ent(context, client); - } - out2: - if(ret) { - krb5_mk_error(context, - ret, - e_text, - NULL, - cp, - sp, - NULL, - NULL, - reply); - free(*csec); - free(*cusec); - *csec = NULL; - *cusec = NULL; - } - krb5_free_principal(context, cp); - krb5_free_principal(context, sp); - if (ticket) - krb5_free_ticket(context, ticket); - free_AP_REQ(&ap_req); - if(auth_data){ - free_AuthorizationData(auth_data); - free(auth_data); - } - - if(krbtgt) - _kdc_free_ent(context, krbtgt); - - return ret; -} - - -krb5_error_code -_kdc_tgs_rep(krb5_context context, - krb5_kdc_configuration *config, - KDC_REQ *req, - krb5_data *data, - const char *from, - struct sockaddr *from_addr) -{ - krb5_error_code ret; - int i = 0; - PA_DATA *tgs_req = NULL; - time_t *csec = NULL; - int *cusec = NULL; - - if(req->padata == NULL){ - ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */ - kdc_log(context, config, 0, - "TGS-REQ from %s without PA-DATA", from); - goto out; - } - - tgs_req = find_padata(req, &i, KRB5_PADATA_TGS_REQ); - - if(tgs_req == NULL){ - ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - - kdc_log(context, config, 0, - "TGS-REQ from %s without PA-TGS-REQ", from); - goto out; - } - ret = tgs_rep2(context, config, - &req->req_body, tgs_req, data, from, from_addr, - &csec, &cusec); -out: - if(ret && data->data == NULL){ - krb5_mk_error(context, - ret, - NULL, - NULL, - NULL, - NULL, - csec, - cusec, - data); - } - free(csec); - free(cusec); - return 0; -} diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c new file mode 100644 index 0000000000..dcf29eb6e9 --- /dev/null +++ b/source4/heimdal/kdc/krb5tgs.c @@ -0,0 +1,1781 @@ +/* + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kdc_locl.h" + +RCSID("$Id: krb5tgs.c,v 1.16 2006/10/22 15:54:37 lha Exp $"); + +/* + * return the realm of a krbtgt-ticket or NULL + */ + +static Realm +get_krbtgt_realm(const PrincipalName *p) +{ + if(p->name_string.len == 2 + && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0) + return p->name_string.val[1]; + else + return NULL; +} + +/* + * The KDC might add a signed path to the ticket authorization data + * field. This is to avoid server impersonating clients and the + * request constrained delegation. + * + * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single + * entry of type KRB5SignedPath. + */ + +static krb5_error_code +find_KRB5SignedPath(krb5_context context, + const AuthorizationData *ad, + krb5_data *data) +{ + AuthorizationData child; + krb5_error_code ret; + int pos; + + if (ad == NULL || ad->len == 0) + return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; + + pos = ad->len - 1; + + if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT) + return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; + + ret = decode_AuthorizationData(ad->val[pos].ad_data.data, + ad->val[pos].ad_data.length, + &child, + NULL); + if (ret) { + krb5_set_error_string(context, "Failed to decode " + "IF_RELEVANT with %d", ret); + return ret; + } + + if (child.len != 1) { + free_AuthorizationData(&child); + return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; + } + + if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) { + free_AuthorizationData(&child); + return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; + } + + if (data) + ret = der_copy_octet_string(&child.val[0].ad_data, data); + free_AuthorizationData(&child); + return ret; +} + +krb5_error_code +_kdc_add_KRB5SignedPath(krb5_context context, + krb5_kdc_configuration *config, + hdb_entry_ex *krbtgt, + krb5_enctype enctype, + krb5_const_principal server, + KRB5SignedPathPrincipals *principals, + EncTicketPart *tkt) +{ + krb5_error_code ret; + KRB5SignedPath sp; + krb5_data data; + krb5_crypto crypto = NULL; + size_t size; + + if (server && principals) { + ret = add_KRB5SignedPathPrincipals(principals, server); + if (ret) + goto out; + } + + { + KRB5SignedPathData spd; + + spd.encticket = *tkt; + spd.delegated = principals; + + ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length, + &spd, &size, ret); + if (ret) + goto out; + if (data.length != size) + krb5_abortx(context, "internal asn.1 encoder error"); + } + + { + Key *key; + ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key); + if (ret == 0) + ret = krb5_crypto_init(context, &key->key, 0, &crypto); + if (ret) { + free(data.data); + return ret; + } + } + + /* + * Fill in KRB5SignedPath + */ + + sp.etype = enctype; + sp.delegated = principals; + + ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0, + data.data, data.length, &sp.cksum); + krb5_crypto_destroy(context, crypto); + free(data.data); + if (ret) + goto out; + + ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret); + free_Checksum(&sp.cksum); + if (ret) + goto out; + if (data.length != size) + krb5_abortx(context, "internal asn.1 encoder error"); + + + /* + * Add IF-RELEVANT(KRB5SignedPath) to the last slot in + * authorization data field. + */ + + if (tkt->authorization_data == NULL) { + tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data)); + if (tkt->authorization_data == NULL) { + ret = ENOMEM; + goto out; + } + } + + /* add the entry to the last element */ + { + AuthorizationData ad = { 0, NULL }; + AuthorizationDataElement ade; + + ade.ad_type = KRB5_AUTHDATA_SIGNTICKET; + ade.ad_data = data; + + ret = add_AuthorizationData(&ad, &ade); + krb5_data_free(&data); + if (ret) + return ret; + + ASN1_MALLOC_ENCODE(AuthorizationData, data.data, data.length, + &ad, &size, ret); + free_AuthorizationData(&ad); + if (ret) + return ret; + if (data.length != size) + krb5_abortx(context, "internal asn.1 encoder error"); + + ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT; + ade.ad_data = data; + + ret = add_AuthorizationData(tkt->authorization_data, &ade); + krb5_data_free(&data); + if (ret) + return ret; + } + +out: + return 0; +} + +static krb5_error_code +check_KRB5SignedPath(krb5_context context, + krb5_kdc_configuration *config, + hdb_entry_ex *krbtgt, + EncTicketPart *tkt, + KRB5SignedPathPrincipals **delegated, + int require_signedpath) +{ + krb5_error_code ret; + krb5_data data; + krb5_crypto crypto = NULL; + + *delegated = NULL; + + ret = find_KRB5SignedPath(context, tkt->authorization_data, &data); + if (ret == 0) { + KRB5SignedPathData spd; + KRB5SignedPath sp; + AuthorizationData *ad; + size_t size; + + ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL); + krb5_data_free(&data); + if (ret) + return ret; + + spd.encticket = *tkt; + /* the KRB5SignedPath is the last entry */ + ad = spd.encticket.authorization_data; + if (--ad->len == 0) + spd.encticket.authorization_data = NULL; + spd.delegated = sp.delegated; + + ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length, + &spd, &size, ret); + ad->len++; + spd.encticket.authorization_data = ad; + if (ret) { + free_KRB5SignedPath(&sp); + return ret; + } + if (data.length != size) + krb5_abortx(context, "internal asn.1 encoder error"); + + { + Key *key; + ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key); + if (ret == 0) + ret = krb5_crypto_init(context, &key->key, 0, &crypto); + if (ret) { + free(data.data); + free_KRB5SignedPath(&sp); + return ret; + } + } + ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, + data.data, data.length, + &sp.cksum); + krb5_crypto_destroy(context, crypto); + free(data.data); + if (ret) { + free_KRB5SignedPath(&sp); + return ret; + } + + if (sp.delegated) { + + *delegated = malloc(sizeof(*sp.delegated)); + if (*delegated == NULL) { + free_KRB5SignedPath(&sp); + return ENOMEM; + } + + ret = copy_KRB5SignedPathPrincipals(*delegated, sp.delegated); + if (ret) { + free_KRB5SignedPath(&sp); + free(*delegated); + *delegated = NULL; + return ret; + } + } + free_KRB5SignedPath(&sp); + + } else { + if (require_signedpath) + return KRB5KDC_ERR_BADOPTION; + } + + return 0; +} + + +/* + * + */ + +static krb5_error_code +check_tgs_flags(krb5_context context, + krb5_kdc_configuration *config, + KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et) +{ + KDCOptions f = b->kdc_options; + + if(f.validate){ + if(!tgt->flags.invalid || tgt->starttime == NULL){ + kdc_log(context, config, 0, + "Bad request to validate ticket"); + return KRB5KDC_ERR_BADOPTION; + } + if(*tgt->starttime > kdc_time){ + kdc_log(context, config, 0, + "Early request to validate ticket"); + return KRB5KRB_AP_ERR_TKT_NYV; + } + /* XXX tkt = tgt */ + et->flags.invalid = 0; + }else if(tgt->flags.invalid){ + kdc_log(context, config, 0, + "Ticket-granting ticket has INVALID flag set"); + return KRB5KRB_AP_ERR_TKT_INVALID; + } + + if(f.forwardable){ + if(!tgt->flags.forwardable){ + kdc_log(context, config, 0, + "Bad request for forwardable ticket"); + return KRB5KDC_ERR_BADOPTION; + } + et->flags.forwardable = 1; + } + if(f.forwarded){ + if(!tgt->flags.forwardable){ + kdc_log(context, config, 0, + "Request to forward non-forwardable ticket"); + return KRB5KDC_ERR_BADOPTION; + } + et->flags.forwarded = 1; + et->caddr = b->addresses; + } + if(tgt->flags.forwarded) + et->flags.forwarded = 1; + + if(f.proxiable){ + if(!tgt->flags.proxiable){ + kdc_log(context, config, 0, + "Bad request for proxiable ticket"); + return KRB5KDC_ERR_BADOPTION; + } + et->flags.proxiable = 1; + } + if(f.proxy){ + if(!tgt->flags.proxiable){ + kdc_log(context, config, 0, + "Request to proxy non-proxiable ticket"); + return KRB5KDC_ERR_BADOPTION; + } + et->flags.proxy = 1; + et->caddr = b->addresses; + } + if(tgt->flags.proxy) + et->flags.proxy = 1; + + if(f.allow_postdate){ + if(!tgt->flags.may_postdate){ + kdc_log(context, config, 0, + "Bad request for post-datable ticket"); + return KRB5KDC_ERR_BADOPTION; + } + et->flags.may_postdate = 1; + } + if(f.postdated){ + if(!tgt->flags.may_postdate){ + kdc_log(context, config, 0, + "Bad request for postdated ticket"); + return KRB5KDC_ERR_BADOPTION; + } + if(b->from) + *et->starttime = *b->from; + et->flags.postdated = 1; + et->flags.invalid = 1; + }else if(b->from && *b->from > kdc_time + context->max_skew){ + kdc_log(context, config, 0, "Ticket cannot be postdated"); + return KRB5KDC_ERR_CANNOT_POSTDATE; + } + + if(f.renewable){ + if(!tgt->flags.renewable){ + kdc_log(context, config, 0, + "Bad request for renewable ticket"); + return KRB5KDC_ERR_BADOPTION; + } + et->flags.renewable = 1; + ALLOC(et->renew_till); + _kdc_fix_time(&b->rtime); + *et->renew_till = *b->rtime; + } + if(f.renew){ + time_t old_life; + if(!tgt->flags.renewable || tgt->renew_till == NULL){ + kdc_log(context, config, 0, + "Request to renew non-renewable ticket"); + return KRB5KDC_ERR_BADOPTION; + } + old_life = tgt->endtime; + if(tgt->starttime) + old_life -= *tgt->starttime; + else + old_life -= tgt->authtime; + et->endtime = *et->starttime + old_life; + if (et->renew_till != NULL) + et->endtime = min(*et->renew_till, et->endtime); + } + + /* checks for excess flags */ + if(f.request_anonymous && !config->allow_anonymous){ + kdc_log(context, config, 0, + "Request for anonymous ticket"); + return KRB5KDC_ERR_BADOPTION; + } + return 0; +} + +/* + * + */ + +static krb5_error_code +check_constrained_delegation(krb5_context context, + krb5_kdc_configuration *config, + hdb_entry_ex *client, + krb5_const_principal server) +{ + const HDB_Ext_Constrained_delegation_acl *acl; + krb5_error_code ret; + int i; + + ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl); + if (ret) { + krb5_clear_error_string(context); + return ret; + } + + if (acl) { + for (i = 0; i < acl->len; i++) { + if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE) + return 0; + } + } + kdc_log(context, config, 0, + "Bad request for constrained delegation"); + return KRB5KDC_ERR_BADOPTION; +} + +/* + * + */ + +static krb5_error_code +verify_flags (krb5_context context, + krb5_kdc_configuration *config, + const EncTicketPart *et, + const char *pstr) +{ + if(et->endtime < kdc_time){ + kdc_log(context, config, 0, "Ticket expired (%s)", pstr); + return KRB5KRB_AP_ERR_TKT_EXPIRED; + } + if(et->flags.invalid){ + kdc_log(context, config, 0, "Ticket not valid (%s)", pstr); + return KRB5KRB_AP_ERR_TKT_NYV; + } + return 0; +} + +/* + * + */ + +static krb5_error_code +fix_transited_encoding(krb5_context context, + krb5_kdc_configuration *config, + krb5_boolean check_policy, + const TransitedEncoding *tr, + EncTicketPart *et, + const char *client_realm, + const char *server_realm, + const char *tgt_realm) +{ + krb5_error_code ret = 0; + char **realms, **tmp; + int num_realms; + int i; + + switch (tr->tr_type) { + case DOMAIN_X500_COMPRESS: + break; + case 0: + /* + * Allow empty content of type 0 because that is was Microsoft + * generates in their TGT. + */ + if (tr->contents.length == 0) + break; + kdc_log(context, config, 0, + "Transited type 0 with non empty content"); + return KRB5KDC_ERR_TRTYPE_NOSUPP; + default: + kdc_log(context, config, 0, + "Unknown transited type: %u", tr->tr_type); + return KRB5KDC_ERR_TRTYPE_NOSUPP; + } + + ret = krb5_domain_x500_decode(context, + tr->contents, + &realms, + &num_realms, + client_realm, + server_realm); + if(ret){ + krb5_warn(context, ret, + "Decoding transited encoding"); + return ret; + } + if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { + /* not us, so add the previous realm to transited set */ + if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) { + ret = ERANGE; + goto free_realms; + } + tmp = realloc(realms, (num_realms + 1) * sizeof(*realms)); + if(tmp == NULL){ + ret = ENOMEM; + goto free_realms; + } + realms = tmp; + realms[num_realms] = strdup(tgt_realm); + if(realms[num_realms] == NULL){ + ret = ENOMEM; + goto free_realms; + } + num_realms++; + } + if(num_realms == 0) { + if(strcmp(client_realm, server_realm)) + kdc_log(context, config, 0, + "cross-realm %s -> %s", client_realm, server_realm); + } else { + size_t l = 0; + char *rs; + for(i = 0; i < num_realms; i++) + l += strlen(realms[i]) + 2; + rs = malloc(l); + if(rs != NULL) { + *rs = '\0'; + for(i = 0; i < num_realms; i++) { + if(i > 0) + strlcat(rs, ", ", l); + strlcat(rs, realms[i], l); + } + kdc_log(context, config, 0, + "cross-realm %s -> %s via [%s]", + client_realm, server_realm, rs); + free(rs); + } + } + if(check_policy) { + ret = krb5_check_transited(context, client_realm, + server_realm, + realms, num_realms, NULL); + if(ret) { + krb5_warn(context, ret, "cross-realm %s -> %s", + client_realm, server_realm); + goto free_realms; + } + et->flags.transited_policy_checked = 1; + } + et->transited.tr_type = DOMAIN_X500_COMPRESS; + ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents); + if(ret) + krb5_warn(context, ret, "Encoding transited encoding"); + free_realms: + for(i = 0; i < num_realms; i++) + free(realms[i]); + free(realms); + return ret; +} + + +static krb5_error_code +tgs_make_reply(krb5_context context, + krb5_kdc_configuration *config, + KDC_REQ_BODY *b, + krb5_const_principal tgt_name, + const EncTicketPart *tgt, + const EncTicketPart *adtkt, + AuthorizationData *auth_data, + krb5_ticket *tgs_ticket, + hdb_entry_ex *server, + const char *server_name, + hdb_entry_ex *client, + krb5_principal client_principal, + hdb_entry_ex *krbtgt, + krb5_enctype krbtgt_etype, + KRB5SignedPathPrincipals *spp, + EncryptionKey *tgtkey, + const char **e_text, + krb5_data *reply) +{ + KDC_REP rep; + EncKDCRepPart ek; + EncTicketPart et; + KDCOptions f = b->kdc_options; + krb5_error_code ret; + krb5_enctype etype; + Key *skey; + const EncryptionKey *ekey; + AuthorizationData *new_auth_data = NULL; + + if(adtkt) { + int i; + ekey = &adtkt->key; + for(i = 0; i < b->etype.len; i++) + if (b->etype.val[i] == adtkt->key.keytype) + break; + if(i == b->etype.len) { + krb5_clear_error_string(context); + return KRB5KDC_ERR_ETYPE_NOSUPP; + } + etype = b->etype.val[i]; + }else{ + ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len, + &skey, &etype); + if(ret) { + kdc_log(context, config, 0, + "Server (%s) has no support for etypes", server_name); + return ret; + } + ekey = &skey->key; + } + + memset(&rep, 0, sizeof(rep)); + memset(&et, 0, sizeof(et)); + memset(&ek, 0, sizeof(ek)); + + rep.pvno = 5; + rep.msg_type = krb_tgs_rep; + + et.authtime = tgt->authtime; + _kdc_fix_time(&b->till); + et.endtime = min(tgt->endtime, *b->till); + ALLOC(et.starttime); + *et.starttime = kdc_time; + + ret = check_tgs_flags(context, config, b, tgt, &et); + if(ret) + goto out; + + /* We should check the transited encoding if: + 1) the request doesn't ask not to be checked + 2) globally enforcing a check + 3) principal requires checking + 4) we allow non-check per-principal, but principal isn't marked as allowing this + 5) we don't globally allow this + */ + +#define GLOBAL_FORCE_TRANSITED_CHECK \ + (config->trpolicy == TRPOLICY_ALWAYS_CHECK) +#define GLOBAL_ALLOW_PER_PRINCIPAL \ + (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL) +#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \ + (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST) + +/* these will consult the database in future release */ +#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0 +#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0 + + ret = fix_transited_encoding(context, config, + !f.disable_transited_check || + GLOBAL_FORCE_TRANSITED_CHECK || + PRINCIPAL_FORCE_TRANSITED_CHECK(server) || + !((GLOBAL_ALLOW_PER_PRINCIPAL && + PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) || + GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), + &tgt->transited, &et, + *krb5_princ_realm(context, client_principal), + *krb5_princ_realm(context, server->entry.principal), + *krb5_princ_realm(context, krbtgt->entry.principal)); + if(ret) + goto out; + + copy_Realm(krb5_princ_realm(context, server->entry.principal), + &rep.ticket.realm); + _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal); + copy_Realm(&tgt_name->realm, &rep.crealm); + if (f.request_anonymous) + _kdc_make_anonymous_principalname (&rep.cname); + else + copy_PrincipalName(&tgt_name->name, &rep.cname); + rep.ticket.tkt_vno = 5; + + ek.caddr = et.caddr; + if(et.caddr == NULL) + et.caddr = tgt->caddr; + + { + time_t life; + life = et.endtime - *et.starttime; + if(client && client->entry.max_life) + life = min(life, *client->entry.max_life); + if(server->entry.max_life) + life = min(life, *server->entry.max_life); + et.endtime = *et.starttime + life; + } + if(f.renewable_ok && tgt->flags.renewable && + et.renew_till == NULL && et.endtime < *b->till){ + et.flags.renewable = 1; + ALLOC(et.renew_till); + *et.renew_till = *b->till; + } + if(et.renew_till){ + time_t renew; + renew = *et.renew_till - et.authtime; + if(client && client->entry.max_renew) + renew = min(renew, *client->entry.max_renew); + if(server->entry.max_renew) + renew = min(renew, *server->entry.max_renew); + *et.renew_till = et.authtime + renew; + } + + if(et.renew_till){ + *et.renew_till = min(*et.renew_till, *tgt->renew_till); + *et.starttime = min(*et.starttime, *et.renew_till); + et.endtime = min(et.endtime, *et.renew_till); + } + + *et.starttime = min(*et.starttime, et.endtime); + + if(*et.starttime == et.endtime){ + ret = KRB5KDC_ERR_NEVER_VALID; + goto out; + } + if(et.renew_till && et.endtime == *et.renew_till){ + free(et.renew_till); + et.renew_till = NULL; + et.flags.renewable = 0; + } + + et.flags.pre_authent = tgt->flags.pre_authent; + et.flags.hw_authent = tgt->flags.hw_authent; + et.flags.anonymous = tgt->flags.anonymous; + et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; + + + krb5_generate_random_keyblock(context, etype, &et.key); + + if (server->authz_data_tgs_req) { + ret = server->authz_data_tgs_req(context, server, + client_principal, + tgs_ticket->ticket.authorization_data, + tgs_ticket->ticket.authtime, + tgtkey, + ekey, + &et.key, + &new_auth_data); + if (ret) { + new_auth_data = NULL; + } + } + + /* XXX Check enc-authorization-data */ + et.authorization_data = new_auth_data; + + et.crealm = tgt->crealm; + et.cname = tgt_name->name; + + ek.key = et.key; + /* MIT must have at least one last_req */ + ek.last_req.len = 1; + ek.last_req.val = calloc(1, sizeof(*ek.last_req.val)); + ek.nonce = b->nonce; + ek.flags = et.flags; + ek.authtime = et.authtime; + ek.starttime = et.starttime; + ek.endtime = et.endtime; + ek.renew_till = et.renew_till; + ek.srealm = rep.ticket.realm; + ek.sname = rep.ticket.sname; + + _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime, + et.endtime, et.renew_till); + + /* Don't sign cross realm tickets, they can't be checked anyway */ + { + char *r = get_krbtgt_realm(&ek.sname); + + if (r == NULL || strcmp(r, ek.srealm) == 0) { + ret = _kdc_add_KRB5SignedPath(context, + config, + krbtgt, + krbtgt_etype, + NULL, + NULL, + &et); + if (ret) + goto out; + } + } + + /* It is somewhat unclear where the etype in the following + encryption should come from. What we have is a session + key in the passed tgt, and a list of preferred etypes + *for the new ticket*. Should we pick the best possible + etype, given the keytype in the tgt, or should we look + at the etype list here as well? What if the tgt + session key is DES3 and we want a ticket with a (say) + CAST session key. Should the DES3 etype be added to the + etype list, even if we don't want a session key with + DES3? */ + ret = _kdc_encode_reply(context, config, + &rep, &et, &ek, etype, + adtkt ? 0 : server->entry.kvno, + ekey, 0, &tgt->key, e_text, reply); +out: + free_TGS_REP(&rep); + free_TransitedEncoding(&et.transited); + if(et.starttime) + free(et.starttime); + if(et.renew_till) + free(et.renew_till); + if(et.authorization_data) { + free_AuthorizationData(et.authorization_data); + free(et.authorization_data); + } + free_LastReq(&ek.last_req); + memset(et.key.keyvalue.data, 0, et.key.keyvalue.length); + free_EncryptionKey(&et.key); + return ret; +} + +static krb5_error_code +tgs_check_authenticator(krb5_context context, + krb5_kdc_configuration *config, + krb5_auth_context ac, + KDC_REQ_BODY *b, + const char **e_text, + krb5_keyblock *key) +{ + krb5_authenticator auth; + size_t len; + unsigned char *buf; + size_t buf_size; + krb5_error_code ret; + krb5_crypto crypto; + + krb5_auth_con_getauthenticator(context, ac, &auth); + if(auth->cksum == NULL){ + kdc_log(context, config, 0, "No authenticator in request"); + ret = KRB5KRB_AP_ERR_INAPP_CKSUM; + goto out; + } + /* + * according to RFC1510 it doesn't need to be keyed, + * but according to the latest draft it needs to. + */ + if ( +#if 0 +!krb5_checksum_is_keyed(context, auth->cksum->cksumtype) + || +#endif + !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) { + kdc_log(context, config, 0, "Bad checksum type in authenticator: %d", + auth->cksum->cksumtype); + ret = KRB5KRB_AP_ERR_INAPP_CKSUM; + goto out; + } + + /* XXX should not re-encode this */ + ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); + if(ret){ + kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", + krb5_get_err_text(context, ret)); + goto out; + } + if(buf_size != len) { + free(buf); + kdc_log(context, config, 0, "Internal error in ASN.1 encoder"); + *e_text = "KDC internal error"; + ret = KRB5KRB_ERR_GENERIC; + goto out; + } + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) { + free(buf); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", + krb5_get_err_text(context, ret)); + goto out; + } + ret = krb5_verify_checksum(context, + crypto, + KRB5_KU_TGS_REQ_AUTH_CKSUM, + buf, + len, + auth->cksum); + free(buf); + krb5_crypto_destroy(context, crypto); + if(ret){ + kdc_log(context, config, 0, + "Failed to verify authenticator checksum: %s", + krb5_get_err_text(context, ret)); + } +out: + free_Authenticator(auth); + free(auth); + return ret; +} + +/* + * + */ + +static const char * +find_rpath(krb5_context context, Realm crealm, Realm srealm) +{ + const char *new_realm = krb5_config_get_string(context, + NULL, + "capaths", + crealm, + srealm, + NULL); + return new_realm; +} + + +static krb5_boolean +need_referral(krb5_context context, krb5_principal server, krb5_realm **realms) +{ + if(server->name.name_type != KRB5_NT_SRV_INST || + server->name.name_string.len != 2) + return FALSE; + + return _krb5_get_host_realm_int(context, server->name.name_string.val[1], + FALSE, realms) == 0; +} + +static krb5_error_code +tgs_parse_request(krb5_context context, + krb5_kdc_configuration *config, + KDC_REQ_BODY *b, + PA_DATA *tgs_req, + hdb_entry_ex **krbtgt, + krb5_enctype *krbtgt_etype, + krb5_ticket **ticket, + const char **e_text, + const char *from, + const struct sockaddr *from_addr, + time_t **csec, + int **cusec, + AuthorizationData **auth_data, + EncryptionKey **tgtkey) +{ + krb5_ap_req ap_req; + krb5_error_code ret; + krb5_principal princ; + krb5_auth_context ac = NULL; + krb5_flags ap_req_options; + krb5_flags verify_ap_req_flags; + krb5_crypto crypto; + Key *tkey; + + *auth_data = NULL; + *csec = NULL; + *cusec = NULL; + + memset(&ap_req, 0, sizeof(ap_req)); + ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); + if(ret){ + kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", + krb5_get_err_text(context, ret)); + goto out; + } + + if(!get_krbtgt_realm(&ap_req.ticket.sname)){ + /* XXX check for ticket.sname == req.sname */ + kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket"); + ret = KRB5KDC_ERR_POLICY; /* ? */ + goto out; + } + + _krb5_principalname2krb5_principal(context, + &princ, + ap_req.ticket.sname, + ap_req.ticket.realm); + + ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt); + + if(ret) { + char *p; + ret = krb5_unparse_name(context, princ, &p); + if (ret != 0) + p = "<unparse_name failed>"; + krb5_free_principal(context, princ); + kdc_log(context, config, 0, + "Ticket-granting ticket not found in database: %s: %s", + p, krb5_get_err_text(context, ret)); + if (ret == 0) + free(p); + ret = KRB5KRB_AP_ERR_NOT_US; + goto out; + } + + if(ap_req.ticket.enc_part.kvno && + *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){ + char *p; + + ret = krb5_unparse_name (context, princ, &p); + krb5_free_principal(context, princ); + if (ret != 0) + p = "<unparse_name failed>"; + kdc_log(context, config, 0, + "Ticket kvno = %d, DB kvno = %d (%s)", + *ap_req.ticket.enc_part.kvno, + (*krbtgt)->entry.kvno, + p); + if (ret == 0) + free (p); + ret = KRB5KRB_AP_ERR_BADKEYVER; + goto out; + } + + *krbtgt_etype = ap_req.ticket.enc_part.etype; + + ret = hdb_enctype2key(context, &(*krbtgt)->entry, + ap_req.ticket.enc_part.etype, &tkey); + if(ret){ + char *str, *p; + krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); + krb5_unparse_name(context, princ, &p); + kdc_log(context, config, 0, + "No server key with enctype %s found for %s", str, p); + free(str); + free(p); + ret = KRB5KRB_AP_ERR_BADKEYVER; + goto out; + } + + *tgtkey = &tkey->key; + + if (b->kdc_options.validate) + verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID; + else + verify_ap_req_flags = 0; + + ret = krb5_verify_ap_req2(context, + &ac, + &ap_req, + princ, + &tkey->key, + verify_ap_req_flags, + &ap_req_options, + ticket, + KRB5_KU_TGS_REQ_AUTH); + + krb5_free_principal(context, princ); + if(ret) { + kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", + krb5_get_err_text(context, ret)); + goto out; + } + + { + krb5_authenticator auth; + + ret = krb5_auth_con_getauthenticator(context, ac, &auth); + if (ret == 0) { + *csec = malloc(sizeof(**csec)); + if (*csec == NULL) { + krb5_free_authenticator(context, &auth); + kdc_log(context, config, 0, "malloc failed"); + goto out; + } + **csec = auth->ctime; + *cusec = malloc(sizeof(**cusec)); + if (*cusec == NULL) { + krb5_free_authenticator(context, &auth); + kdc_log(context, config, 0, "malloc failed"); + goto out; + } + **cusec = auth->cusec; + krb5_free_authenticator(context, &auth); + } + } + + ret = tgs_check_authenticator(context, config, + ac, b, e_text, &(*ticket)->ticket.key); + if (ret) { + krb5_auth_con_free(context, ac); + goto out; + } + + if (b->enc_authorization_data) { + krb5_keyblock *subkey; + krb5_data ad; + ret = krb5_auth_con_getremotesubkey(context, + ac, + &subkey); + if(ret){ + krb5_auth_con_free(context, ac); + kdc_log(context, config, 0, "Failed to get remote subkey: %s", + krb5_get_err_text(context, ret)); + goto out; + } + if(subkey == NULL){ + ret = krb5_auth_con_getkey(context, ac, &subkey); + if(ret) { + krb5_auth_con_free(context, ac); + kdc_log(context, config, 0, "Failed to get session key: %s", + krb5_get_err_text(context, ret)); + goto out; + } + } + if(subkey == NULL){ + krb5_auth_con_free(context, ac); + kdc_log(context, config, 0, + "Failed to get key for enc-authorization-data"); + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ + goto out; + } + ret = krb5_crypto_init(context, subkey, 0, &crypto); + if (ret) { + krb5_auth_con_free(context, ac); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", + krb5_get_err_text(context, ret)); + goto out; + } + ret = krb5_decrypt_EncryptedData (context, + crypto, + KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, + b->enc_authorization_data, + &ad); + krb5_crypto_destroy(context, crypto); + if(ret){ + krb5_auth_con_free(context, ac); + kdc_log(context, config, 0, + "Failed to decrypt enc-authorization-data"); + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ + goto out; + } + krb5_free_keyblock(context, subkey); + ALLOC(*auth_data); + if (*auth_data == NULL) { + krb5_auth_con_free(context, ac); + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ + goto out; + } + ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL); + if(ret){ + krb5_auth_con_free(context, ac); + free(*auth_data); + *auth_data = NULL; + kdc_log(context, config, 0, "Failed to decode authorization data"); + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ + goto out; + } + } + + krb5_auth_con_free(context, ac); + +out: + free_AP_REQ(&ap_req); + + return ret; +} + +static krb5_error_code +tgs_build_reply(krb5_context context, + krb5_kdc_configuration *config, + KDC_REQ *req, + KDC_REQ_BODY *b, + hdb_entry_ex *krbtgt, + krb5_enctype krbtgt_etype, + krb5_ticket *ticket, + krb5_data *reply, + const char *from, + const char **e_text, + AuthorizationData *auth_data, + EncryptionKey *tgtkey, + const struct sockaddr *from_addr) +{ + krb5_error_code ret; + krb5_principal cp = NULL, sp = NULL; + krb5_principal client_principal = NULL; + char *spn = NULL, *cpn = NULL; + hdb_entry_ex *server = NULL, *client = NULL; + EncTicketPart *tgt = &ticket->ticket; + KRB5SignedPathPrincipals *spp = NULL; + + PrincipalName *s; + Realm r; + int nloop = 0; + EncTicketPart adtkt; + char opt_str[128]; + int require_signedpath = 0; + + memset(&adtkt, 0, sizeof(adtkt)); + + s = b->sname; + r = b->realm; + + if(b->kdc_options.enc_tkt_in_skey){ + Ticket *t; + hdb_entry_ex *uu; + krb5_principal p; + Key *uukey; + + if(b->additional_tickets == NULL || + b->additional_tickets->len == 0){ + ret = KRB5KDC_ERR_BADOPTION; /* ? */ + kdc_log(context, config, 0, + "No second ticket present in request"); + goto out; + } + t = &b->additional_tickets->val[0]; + if(!get_krbtgt_realm(&t->sname)){ + kdc_log(context, config, 0, + "Additional ticket is not a ticket-granting ticket"); + ret = KRB5KDC_ERR_POLICY; + goto out; + } + _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm); + ret = _kdc_db_fetch(context, config, p, + HDB_F_GET_CLIENT|HDB_F_GET_SERVER, + NULL, &uu); + krb5_free_principal(context, p); + if(ret){ + if (ret == HDB_ERR_NOENTRY) + ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto out; + } + ret = hdb_enctype2key(context, &uu->entry, + t->enc_part.etype, &uukey); + if(ret){ + _kdc_free_ent(context, uu); + ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ + goto out; + } + ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0); + _kdc_free_ent(context, uu); + if(ret) + goto out; + + ret = verify_flags(context, config, &adtkt, spn); + if (ret) + goto out; + + s = &adtkt.cname; + r = adtkt.crealm; + } + + _krb5_principalname2krb5_principal(context, &sp, *s, r); + ret = krb5_unparse_name(context, sp, &spn); + if (ret) + goto out; + _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm); + ret = krb5_unparse_name(context, cp, &cpn); + if (ret) + goto out; + unparse_flags (KDCOptions2int(b->kdc_options), + asn1_KDCOptions_units(), + opt_str, sizeof(opt_str)); + if(*opt_str) + kdc_log(context, config, 0, + "TGS-REQ %s from %s for %s [%s]", + cpn, from, spn, opt_str); + else + kdc_log(context, config, 0, + "TGS-REQ %s from %s for %s", cpn, from, spn); + + /* + * Fetch server + */ + +server_lookup: + ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, NULL, &server); + + if(ret){ + const char *new_rlm; + Realm req_rlm; + krb5_realm *realms; + + if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { + if(nloop++ < 2) { + new_rlm = find_rpath(context, tgt->crealm, req_rlm); + if(new_rlm) { + kdc_log(context, config, 5, "krbtgt for realm %s " + "not found, trying %s", + req_rlm, new_rlm); + krb5_free_principal(context, sp); + free(spn); + krb5_make_principal(context, &sp, r, + KRB5_TGS_NAME, new_rlm, NULL); + ret = krb5_unparse_name(context, sp, &spn); + if (ret) + goto out; + goto server_lookup; + } + } + } else if(need_referral(context, sp, &realms)) { + if (strcmp(realms[0], sp->realm) != 0) { + kdc_log(context, config, 5, + "Returning a referral to realm %s for " + "server %s that was not found", + realms[0], spn); + krb5_free_principal(context, sp); + free(spn); + krb5_make_principal(context, &sp, r, KRB5_TGS_NAME, + realms[0], NULL); + ret = krb5_unparse_name(context, sp, &spn); + if (ret) + goto out; + krb5_free_host_realm(context, realms); + goto server_lookup; + } + krb5_free_host_realm(context, realms); + } + kdc_log(context, config, 0, + "Server not found in database: %s: %s", spn, + krb5_get_err_text(context, ret)); + if (ret == HDB_ERR_NOENTRY) + ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto out; + } + + ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client); + if(ret) { + const char *krbtgt_realm; + + /* + * If the client belongs to the same realm as our krbtgt, it + * should exist in the local database. + * + */ + + krbtgt_realm = + krb5_principal_get_comp_string(context, + krbtgt->entry.principal, 1); + + if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) { + if (ret == HDB_ERR_NOENTRY) + ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + kdc_log(context, config, 1, "Client no longer in database: %s", + cpn); + goto out; + } + + kdc_log(context, config, 1, "Client not found in database: %s: %s", + cpn, krb5_get_err_text(context, ret)); + } + + /* + * Check that service is in the same realm as the krbtgt. If its + * not the same, its someone that is using a uni-directional trust + * backward. + */ + + if (strcmp(krb5_principal_get_realm(context, sp), + krb5_principal_get_comp_string(context, + krbtgt->entry.principal, + 1)) != 0) { + char *tpn; + ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); + kdc_log(context, config, 0, + "Request with wrong krbtgt: %s", + (ret == 0) ? tpn : "<unknown>"); + if(ret == 0) + free(tpn); + ret = KRB5KRB_AP_ERR_NOT_US; + goto out; + } + + /* + * + */ + + client_principal = cp; + + if (client) { + const PA_DATA *sdata; + int i = 0; + + sdata = _kdc_find_padata(req, &i, KRB5_PADATA_S4U2SELF); + if (sdata) { + krb5_crypto crypto; + krb5_data datack; + PA_S4U2Self self; + char *selfcpn = NULL; + const char *str; + + ret = decode_PA_S4U2Self(sdata->padata_value.data, + sdata->padata_value.length, + &self, NULL); + if (ret) { + kdc_log(context, config, 0, "Failed to decode PA-S4U2Self"); + goto out; + } + + ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack); + if (ret) + goto out; + + ret = krb5_crypto_init(context, &tgt->key, 0, &crypto); + if (ret) { + free_PA_S4U2Self(&self); + krb5_data_free(&datack); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", + krb5_get_err_text(context, ret)); + goto out; + } + + ret = krb5_verify_checksum(context, + crypto, + KRB5_KU_TGS_IMPERSONATE, + datack.data, + datack.length, + &self.cksum); + krb5_data_free(&datack); + krb5_crypto_destroy(context, crypto); + if (ret) { + free_PA_S4U2Self(&self); + kdc_log(context, config, 0, + "krb5_verify_checksum failed for S4U2Self: %s", + krb5_get_err_text(context, ret)); + goto out; + } + + ret = _krb5_principalname2krb5_principal(context, + &client_principal, + self.name, + self.realm); + free_PA_S4U2Self(&self); + if (ret) + goto out; + + ret = krb5_unparse_name(context, client_principal, &selfcpn); + if (ret) + goto out; + + /* + * Check that service doing the impersonating is + * requesting a ticket to it-self. + */ + if (krb5_principal_compare(context, cp, sp) != TRUE) { + kdc_log(context, config, 0, "S4U2Self: %s is not allowed " + "to impersonate some other user " + "(tried for user %s to service %s)", + cpn, selfcpn, spn); + free(selfcpn); + ret = KRB5KDC_ERR_BADOPTION; /* ? */ + goto out; + } + + /* + * If the service isn't trusted for authentication to + * delegation, remove the forward flag. + */ + + if (client->entry.flags.trusted_for_delegation) { + str = "[forwardable]"; + } else { + b->kdc_options.forwardable = 0; + str = ""; + } + kdc_log(context, config, 0, "s4u2self %s impersonating %s to " + "service %s %s", cpn, selfcpn, spn, str); + free(selfcpn); + } + } + + /* + * Constrained delegation + */ + + if (client != NULL + && b->additional_tickets != NULL + && b->additional_tickets->len != 0 + && b->kdc_options.enc_tkt_in_skey == 0) + { + Key *clientkey; + Ticket *t; + char *str; + + t = &b->additional_tickets->val[0]; + + ret = hdb_enctype2key(context, &client->entry, + t->enc_part.etype, &clientkey); + if(ret){ + ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ + goto out; + } + + ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0); + if (ret) { + kdc_log(context, config, 0, + "failed to decrypt ticket for " + "constrained delegation from %s to %s ", spn, cpn); + goto out; + } + + /* check that ticket is valid */ + + if (adtkt.flags.forwardable == 0) { + kdc_log(context, config, 0, + "Missing forwardable flag on ticket for " + "constrained delegation from %s to %s ", spn, cpn); + ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ + goto out; + } + + ret = check_constrained_delegation(context, config, client, sp); + if (ret) { + kdc_log(context, config, 0, + "constrained delegation from %s to %s not allowed", + spn, cpn); + goto out; + } + + ret = _krb5_principalname2krb5_principal(context, + &client_principal, + adtkt.cname, + adtkt.crealm); + if (ret) + goto out; + + ret = krb5_unparse_name(context, client_principal, &str); + if (ret) + goto out; + + ret = verify_flags(context, config, &adtkt, str); + if (ret) { + free(str); + goto out; + } + + /* + * Check KRB5SignedPath in authorization data and add new entry to + * make sure servers can't fake a ticket to us. + */ + + ret = check_KRB5SignedPath(context, + config, + krbtgt, + &adtkt, + &spp, + 1); + if (ret) { + kdc_log(context, config, 0, + "KRB5SignedPath check from service %s failed " + "for delegation to %s for client %s " + "from %s failed with %s", + spn, str, cpn, from, krb5_get_err_text(context, ret)); + free(str); + goto out; + } + + kdc_log(context, config, 0, "constrained delegation for %s " + "from %s to %s", str, cpn, spn); + free(str); + + /* + * Also require that the KDC have issue the service's krbtgt + * used to do the request. + */ + require_signedpath = 1; + } + + /* + * Check flags + */ + + ret = _kdc_check_flags(context, config, + client, cpn, + server, spn, + FALSE); + if(ret) + goto out; + + if((b->kdc_options.validate || b->kdc_options.renew) && + !krb5_principal_compare(context, + krbtgt->entry.principal, + server->entry.principal)){ + kdc_log(context, config, 0, "Inconsistent request."); + ret = KRB5KDC_ERR_SERVER_NOMATCH; + goto out; + } + + /* check for valid set of addresses */ + if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) { + ret = KRB5KRB_AP_ERR_BADADDR; + kdc_log(context, config, 0, "Request from wrong address"); + goto out; + } + + /* also check the krbtgt for signature */ + ret = check_KRB5SignedPath(context, + config, + krbtgt, + tgt, + &spp, + require_signedpath); + if (ret) { + kdc_log(context, config, 0, + "KRB5SignedPath check failed for %s (%s) from %s with %s", + spn, cpn, from, krb5_get_err_text(context, ret)); + goto out; + } + + /* + * + */ + + ret = tgs_make_reply(context, + config, + b, + client_principal, + tgt, + b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, + auth_data, + ticket, + server, + spn, + client, + cp, + krbtgt, + krbtgt_etype, + spp, + tgtkey, + e_text, + reply); + +out: + free(spn); + free(cpn); + + if(server) + _kdc_free_ent(context, server); + if(client) + _kdc_free_ent(context, client); + + if (client_principal && client_principal != cp) + krb5_free_principal(context, client_principal); + if (cp) + krb5_free_principal(context, cp); + if (sp) + krb5_free_principal(context, sp); + + free_EncTicketPart(&adtkt); + + return ret; +} + +/* + * + */ + +krb5_error_code +_kdc_tgs_rep(krb5_context context, + krb5_kdc_configuration *config, + KDC_REQ *req, + krb5_data *data, + const char *from, + struct sockaddr *from_addr) +{ + AuthorizationData *auth_data = NULL; + krb5_error_code ret; + int i = 0; + PA_DATA *tgs_req = NULL; + + hdb_entry_ex *krbtgt = NULL; + krb5_ticket *ticket = NULL; + const char *e_text = NULL; + krb5_enctype krbtgt_etype = ETYPE_NULL; + EncryptionKey *tgtkey = NULL; + + + time_t *csec = NULL; + int *cusec = NULL; + + if(req->padata == NULL){ + ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */ + kdc_log(context, config, 0, + "TGS-REQ from %s without PA-DATA", from); + goto out; + } + + tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ); + + if(tgs_req == NULL){ + ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; + + kdc_log(context, config, 0, + "TGS-REQ from %s without PA-TGS-REQ", from); + goto out; + } + ret = tgs_parse_request(context, config, + &req->req_body, tgs_req, + &krbtgt, + &krbtgt_etype, + &ticket, + &e_text, + from, from_addr, + &csec, &cusec, + &auth_data, + &tgtkey); + if (ret) { + kdc_log(context, config, 0, + "Failed parsing TGS-REQ from %s", from); + goto out; + } + + ret = tgs_build_reply(context, + config, + req, + &req->req_body, + krbtgt, + krbtgt_etype, + ticket, + data, + from, + &e_text, + auth_data, + tgtkey, + from_addr); + if (ret) { + kdc_log(context, config, 0, + "Failed building TGS-REP to %s", from); + goto out; + } + +out: + if(ret && data->data == NULL){ + krb5_mk_error(context, + ret, + NULL, + NULL, + NULL, + NULL, + csec, + cusec, + data); + } + free(csec); + free(cusec); + if (ticket) + krb5_free_ticket(context, ticket); + if(krbtgt) + _kdc_free_ent(context, krbtgt); + + if (auth_data) { + free_AuthorizationData(auth_data); + free(auth_data); + } + + return 0; +} diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index a61c647f71..b511e1a7a8 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: misc.c,v 1.29 2006/04/27 11:33:21 lha Exp $"); +RCSID("$Id: misc.c,v 1.32 2006/08/28 14:41:49 lha Exp $"); struct timeval _kdc_now; @@ -42,6 +42,7 @@ _kdc_db_fetch(krb5_context context, krb5_kdc_configuration *config, krb5_const_principal principal, unsigned flags, + HDB **db, hdb_entry_ex **h) { hdb_entry_ex *ent; @@ -66,6 +67,8 @@ _kdc_db_fetch(krb5_context context, ent); config->db[i]->hdb_close(context, config->db[i]); if(ret == 0) { + if (db) + *db = config->db[i]; *h = ent; return 0; } @@ -81,3 +84,36 @@ _kdc_free_ent(krb5_context context, hdb_entry_ex *ent) free (ent); } +/* + * Use the order list of preferred encryption types and sort the + * available keys and return the most preferred key. + */ + +krb5_error_code +_kdc_get_preferred_key(krb5_context context, + krb5_kdc_configuration *config, + hdb_entry_ex *h, + const char *name, + krb5_enctype *enctype, + Key **key) +{ + const krb5_enctype *p; + krb5_error_code ret; + int i; + + p = krb5_kerberos_enctypes(context); + + for (i = 0; p[i] != ETYPE_NULL; i++) { + if (krb5_enctype_valid(context, p[i]) != 0) + continue; + ret = hdb_enctype2key(context, &h->entry, p[i], key); + if (ret == 0) { + *enctype = p[i]; + return 0; + } + } + + krb5_set_error_string(context, "No valid kerberos key found for %s", name); + return EINVAL; +} + diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index c220e70ddd..e3d77c0621 100755 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: pkinit.c,v 1.65 2006/05/06 13:22:33 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.72 2006/10/24 17:51:33 lha Exp $"); #ifdef PKINIT @@ -156,7 +156,7 @@ pk_check_pkauthenticator(krb5_context context, goto out; } - if (heim_octet_string_cmp(a->paChecksum, &checksum.checksum) != 0) { + if (der_heim_octet_string_cmp(a->paChecksum, &checksum.checksum) != 0) { krb5_clear_error_string(context); ret = KRB5KRB_ERR_GENERIC; } @@ -269,7 +269,7 @@ get_dh_param(krb5_context context, memset(&dhparam, 0, sizeof(dhparam)); - if (heim_oid_cmp(&dh_key_info->algorithm.algorithm, oid_id_dhpublicnumber())) { + if (der_heim_oid_cmp(&dh_key_info->algorithm.algorithm, oid_id_dhpublicnumber())) { krb5_set_error_string(context, "PKINIT invalid oid in clientPublicValue"); return KRB5_BADMSGTYPE; @@ -338,7 +338,7 @@ get_dh_param(krb5_context context, client_params->dh_public_key = integer_to_BN(context, "subjectPublicKey", &glue); - free_heim_integer(&glue); + der_free_heim_integer(&glue); if (client_params->dh_public_key == NULL) goto out; } @@ -426,7 +426,7 @@ _kdc_pk_rd_padata(krb5_context context, krb5_data signed_content = { 0, NULL }; const char *type = "unknown type"; const heim_oid *pa_contentType; - int have_data; + int have_data = 0; *ret_params = NULL; @@ -444,7 +444,6 @@ _kdc_pk_rd_padata(krb5_context context, if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) { PA_PK_AS_REQ_Win2k r; - int have_data; type = "PK-INIT-Win2k"; pa_contentType = oid_id_pkcs7_data(); @@ -502,7 +501,7 @@ _kdc_pk_rd_padata(krb5_context context, goto out; } - ret = heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData()); + ret = der_heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData()); if (ret != 0) { krb5_set_error_string(context, "PK-AS-REQ-Win2k invalid content " "type oid"); @@ -542,7 +541,7 @@ _kdc_pk_rd_padata(krb5_context context, } /* Signature is correct, now verify the signed message */ - if (heim_oid_cmp(&eContentType, pa_contentType)) { + if (der_heim_oid_cmp(&eContentType, pa_contentType)) { krb5_set_error_string(context, "got wrong oid for pkauthdata"); ret = KRB5_BADMSGTYPE; goto out; @@ -621,8 +620,8 @@ out: if (signed_content.data) free(signed_content.data); krb5_data_free(&eContent); - free_oid(&eContentType); - free_oid(&contentInfoOid); + der_free_oid(&eContentType); + der_free_oid(&contentInfoOid); if (ret) _kdc_pk_free_client_param(context, client_params); else @@ -657,10 +656,11 @@ pk_mk_pa_reply_enckey(krb5_context context, ContentInfo *content_info) { krb5_error_code ret; - krb5_data buf, o; + krb5_data buf, signed_data; size_t size; krb5_data_zero(&buf); + krb5_data_zero(&signed_data); switch (client_params->type) { case PKINIT_COMPAT_WIN2K: { @@ -678,6 +678,7 @@ pk_mk_pa_reply_enckey(krb5_context context, buf.data, buf.length, &kp, &size,ret); free_ReplyKeyPack_Win2k(&kp); + break; } case PKINIT_COMPAT_27: { krb5_crypto ascrypto; @@ -724,21 +725,55 @@ pk_mk_pa_reply_enckey(krb5_context context, if (buf.length != size) krb5_abortx(context, "Internal ASN.1 encoder error"); + { + hx509_query *q; + hx509_cert cert; + + ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); + if (ret) + goto out; + + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); + + ret = hx509_certs_find(kdc_identity->hx509ctx, + kdc_identity->certs, + q, + &cert); + hx509_query_free(kdc_identity->hx509ctx, q); + if (ret) + goto out; + + ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx, + oid_id_pkrkeydata(), + buf.data, + buf.length, + NULL, + cert, + kdc_identity->anchors, + kdc_identity->certpool, + &signed_data); + hx509_cert_free(cert); + } + + krb5_data_free(&buf); + if (ret) + goto out; + ret = hx509_cms_envelope_1(kdc_identity->hx509ctx, client_params->cert, - buf.data, buf.length, NULL, - oid_id_pkcs7_signedData(), &o); + signed_data.data, signed_data.length, NULL, + oid_id_pkcs7_signedData(), &buf); if (ret) goto out; ret = _krb5_pk_mk_ContentInfo(context, - &o, + &buf, oid_id_pkcs7_envelopedData(), content_info); - free_octet_string(&o); - - out: +out: krb5_data_free(&buf); + krb5_data_free(&signed_data); return ret; } @@ -1195,6 +1230,7 @@ _kdc_pk_check_client(krb5_context context, pk_client_params *client_params, char **subject_name) { + const HDB_Ext_PKINIT_acl *acl; krb5_error_code ret; hx509_name name; int i; @@ -1210,8 +1246,8 @@ _kdc_pk_check_client(krb5_context context, if (ret) return ret; - kdc_log(context, config, 5, - "Trying to authorize subject DN %s", + kdc_log(context, config, 0, + "Trying to authorize PK-INIT subject DN %s", *subject_name); if (config->enable_pkinit_princ_in_cert) { @@ -1225,6 +1261,28 @@ _kdc_pk_check_client(krb5_context context, } } + ret = hdb_entry_get_pkinit_acl(&client->entry, &acl); + if (ret == 0 && acl != NULL) { + /* + * Cheat here and compare the generated name with the string + * and not the reverse. + */ + for (i = 0; i < acl->len; i++) { + if (strcmp(*subject_name, acl->val[0].subject) != 0) + continue; + + /* Don't support isser and anchor checking right now */ + if (acl->val[0].issuer) + continue; + if (acl->val[0].anchor) + continue; + + kdc_log(context, config, 5, + "Found matching PK-INIT database ACL"); + return 0; + } + } + for (i = 0; i < principal_mappings.len; i++) { krb5_boolean b; @@ -1235,11 +1293,14 @@ _kdc_pk_check_client(krb5_context context, continue; if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0) continue; + kdc_log(context, config, 5, + "Found matching PK-INIT FILE ACL"); return 0; } - free(*subject_name); + free(*subject_name); *subject_name = NULL; + krb5_set_error_string(context, "PKINIT no matching principals"); return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; } @@ -1282,7 +1343,7 @@ _kdc_pk_initialize(krb5_context context, const char *user_id, const char *anchors, char **pool, - char **revoke) + char **revoke_list) { const char *file; krb5_error_code ret; @@ -1305,7 +1366,7 @@ _kdc_pk_initialize(krb5_context context, user_id, anchors, pool, - revoke, + revoke_list, NULL, NULL, NULL); diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c index d0f8245bf9..ed5cb3d651 100644 --- a/source4/heimdal/kdc/process.c +++ b/source4/heimdal/kdc/process.c @@ -34,7 +34,7 @@ #include "kdc_locl.h" -RCSID("$Id: process.c,v 1.3 2005/08/12 08:25:48 lha Exp $"); +RCSID("$Id: process.c,v 1.5 2006/10/09 15:37:39 lha Exp $"); /* * handle the request in `buf, len', from `addr' (or `from' as a string), @@ -42,17 +42,19 @@ RCSID("$Id: process.c,v 1.3 2005/08/12 08:25:48 lha Exp $"); */ int -krb5_kdc_process_generic_request(krb5_context context, - krb5_kdc_configuration *config, - unsigned char *buf, - size_t len, - krb5_data *reply, - krb5_boolean *prependlength, - const char *from, - struct sockaddr *addr) +krb5_kdc_process_request(krb5_context context, + krb5_kdc_configuration *config, + unsigned char *buf, + size_t len, + krb5_data *reply, + krb5_boolean *prependlength, + const char *from, + struct sockaddr *addr, + int datagram_reply) { KDC_REQ req; Ticket ticket; + DigestREQ digestreq; krb5_error_code ret; size_t i; @@ -64,7 +66,7 @@ krb5_kdc_process_generic_request(krb5_context context, req_buffer.length = len; ret = _kdc_as_rep(context, config, &req, &req_buffer, - reply, from, addr); + reply, from, addr, datagram_reply); free_AS_REQ(&req); return ret; }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){ @@ -75,6 +77,10 @@ krb5_kdc_process_generic_request(krb5_context context, ret = _kdc_do_524(context, config, &ticket, reply, from, addr); free_Ticket(&ticket); return ret; + }else if(decode_DigestREQ(buf, len, &digestreq, &i) == 0){ + ret = _kdc_do_digest(context, config, &digestreq, reply, from, addr); + free_DigestREQ(&digestreq); + return ret; } else if(_kdc_maybe_version4(buf, len)){ *prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */ _kdc_do_version4(context, config, buf, len, reply, from, @@ -103,7 +109,8 @@ krb5_kdc_process_krb5_request(krb5_context context, size_t len, krb5_data *reply, const char *from, - struct sockaddr *addr) + struct sockaddr *addr, + int datagram_reply) { KDC_REQ req; krb5_error_code ret; @@ -117,7 +124,7 @@ krb5_kdc_process_krb5_request(krb5_context context, req_buffer.length = len; ret = _kdc_as_rep(context, config, &req, &req_buffer, - reply, from, addr); + reply, from, addr, datagram_reply); free_AS_REQ(&req); return ret; }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){ diff --git a/source4/heimdal/lib/asn1/CMS.asn1 b/source4/heimdal/lib/asn1/CMS.asn1 index 78873761b6..ce43c2cd02 100644 --- a/source4/heimdal/lib/asn1/CMS.asn1 +++ b/source4/heimdal/lib/asn1/CMS.asn1 @@ -1,5 +1,5 @@ -- From RFC 3369 -- --- $Id: CMS.asn1,v 1.4 2006/04/15 10:53:25 lha Exp $ -- +-- $Id: CMS.asn1,v 1.5 2006/09/07 12:20:42 lha Exp $ -- CMS DEFINITIONS ::= BEGIN @@ -17,7 +17,13 @@ id-pkcs7-signedAndEnvelopedData OBJECT IDENTIFIER ::= { id-pkcs7 4 } id-pkcs7-digestedData OBJECT IDENTIFIER ::= { id-pkcs7 5 } id-pkcs7-encryptedData OBJECT IDENTIFIER ::= { id-pkcs7 6 } -CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) } +CMSVersion ::= INTEGER { + CMSVersion_v0(0), + CMSVersion_v1(1), + CMSVersion_v2(2), + CMSVersion_v3(3), + CMSVersion_v4(4) +} DigestAlgorithmIdentifier ::= AlgorithmIdentifier DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier diff --git a/source4/heimdal/lib/asn1/asn1-common.h b/source4/heimdal/lib/asn1/asn1-common.h index 01411b384a..ab06ae79dd 100644 --- a/source4/heimdal/lib/asn1/asn1-common.h +++ b/source4/heimdal/lib/asn1/asn1-common.h @@ -1,4 +1,4 @@ -/* $Id: asn1-common.h,v 1.5 2005/07/12 06:27:14 lha Exp $ */ +/* $Id: asn1-common.h,v 1.6 2006/10/14 05:09:47 lha Exp $ */ #include <stddef.h> #include <time.h> @@ -43,6 +43,9 @@ typedef struct heim_bit_string { void *data; } heim_bit_string; +typedef struct heim_octet_string heim_any; +typedef struct heim_octet_string heim_any_set; + #define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R) \ do { \ (BL) = length_##T((S)); \ diff --git a/source4/heimdal/lib/asn1/der-protos.h b/source4/heimdal/lib/asn1/der-protos.h new file mode 100644 index 0000000000..3aee392c96 --- /dev/null +++ b/source4/heimdal/lib/asn1/der-protos.h @@ -0,0 +1,542 @@ +/* This is a generated file */ +#ifndef __der_protos_h__ +#define __der_protos_h__ + +#include <stdarg.h> + +#ifdef __cplusplus +extern "C" { +#endif + +int +copy_heim_any ( + const heim_any */*from*/, + heim_any */*to*/); + +int +copy_heim_any_set ( + const heim_any_set */*from*/, + heim_any_set */*to*/); + +int +decode_heim_any ( + const unsigned char */*p*/, + size_t /*len*/, + heim_any */*data*/, + size_t */*size*/); + +int +decode_heim_any_set ( + const unsigned char */*p*/, + size_t /*len*/, + heim_any_set */*data*/, + size_t */*size*/); + +int +der_copy_bit_string ( + const heim_bit_string */*from*/, + heim_bit_string */*to*/); + +int +der_copy_bmp_string ( + const heim_bmp_string */*from*/, + heim_bmp_string */*to*/); + +int +der_copy_general_string ( + const heim_general_string */*from*/, + heim_general_string */*to*/); + +int +der_copy_heim_integer ( + const heim_integer */*from*/, + heim_integer */*to*/); + +int +der_copy_ia5_string ( + const heim_printable_string */*from*/, + heim_printable_string */*to*/); + +int +der_copy_octet_string ( + const heim_octet_string */*from*/, + heim_octet_string */*to*/); + +int +der_copy_oid ( + const heim_oid */*from*/, + heim_oid */*to*/); + +int +der_copy_printable_string ( + const heim_printable_string */*from*/, + heim_printable_string */*to*/); + +int +der_copy_universal_string ( + const heim_universal_string */*from*/, + heim_universal_string */*to*/); + +int +der_copy_utf8string ( + const heim_utf8_string */*from*/, + heim_utf8_string */*to*/); + +void +der_free_bit_string (heim_bit_string */*k*/); + +void +der_free_bmp_string (heim_bmp_string */*k*/); + +void +der_free_general_string (heim_general_string */*str*/); + +void +der_free_heim_integer (heim_integer */*k*/); + +void +der_free_ia5_string (heim_ia5_string */*str*/); + +void +der_free_octet_string (heim_octet_string */*k*/); + +void +der_free_oid (heim_oid */*k*/); + +void +der_free_printable_string (heim_printable_string */*str*/); + +void +der_free_universal_string (heim_universal_string */*k*/); + +void +der_free_utf8string (heim_utf8_string */*str*/); + +int +der_get_bit_string ( + const unsigned char */*p*/, + size_t /*len*/, + heim_bit_string */*data*/, + size_t */*size*/); + +int +der_get_bmp_string ( + const unsigned char */*p*/, + size_t /*len*/, + heim_bmp_string */*data*/, + size_t */*size*/); + +int +der_get_boolean ( + const unsigned char */*p*/, + size_t /*len*/, + int */*data*/, + size_t */*size*/); + +const char * +der_get_class_name (unsigned /*num*/); + +int +der_get_class_num (const char */*name*/); + +int +der_get_general_string ( + const unsigned char */*p*/, + size_t /*len*/, + heim_general_string */*str*/, + size_t */*size*/); + +int +der_get_generalized_time ( + const unsigned char */*p*/, + size_t /*len*/, + time_t */*data*/, + size_t */*size*/); + +int +der_get_heim_integer ( + const unsigned char */*p*/, + size_t /*len*/, + heim_integer */*data*/, + size_t */*size*/); + +int +der_get_ia5_string ( + const unsigned char */*p*/, + size_t /*len*/, + heim_ia5_string */*str*/, + size_t */*size*/); + +int +der_get_integer ( + const unsigned char */*p*/, + size_t /*len*/, + int */*ret*/, + size_t */*size*/); + +int +der_get_length ( + const unsigned char */*p*/, + size_t /*len*/, + size_t */*val*/, + size_t */*size*/); + +int +der_get_octet_string ( + const unsigned char */*p*/, + size_t /*len*/, + heim_octet_string */*data*/, + size_t */*size*/); + +int +der_get_oid ( + const unsigned char */*p*/, + size_t /*len*/, + heim_oid */*data*/, + size_t */*size*/); + +int +der_get_printable_string ( + const unsigned char */*p*/, + size_t /*len*/, + heim_printable_string */*str*/, + size_t */*size*/); + +int +der_get_tag ( + const unsigned char */*p*/, + size_t /*len*/, + Der_class */*class*/, + Der_type */*type*/, + unsigned int */*tag*/, + size_t */*size*/); + +const char * +der_get_tag_name (unsigned /*num*/); + +int +der_get_tag_num (const char */*name*/); + +const char * +der_get_type_name (unsigned /*num*/); + +int +der_get_type_num (const char */*name*/); + +int +der_get_universal_string ( + const unsigned char */*p*/, + size_t /*len*/, + heim_universal_string */*data*/, + size_t */*size*/); + +int +der_get_unsigned ( + const unsigned char */*p*/, + size_t /*len*/, + unsigned */*ret*/, + size_t */*size*/); + +int +der_get_utctime ( + const unsigned char */*p*/, + size_t /*len*/, + time_t */*data*/, + size_t */*size*/); + +int +der_get_utf8string ( + const unsigned char */*p*/, + size_t /*len*/, + heim_utf8_string */*str*/, + size_t */*size*/); + +int +der_heim_bit_string_cmp ( + const heim_bit_string */*p*/, + const heim_bit_string */*q*/); + +int +der_heim_bmp_string_cmp ( + const heim_bmp_string */*p*/, + const heim_bmp_string */*q*/); + +int +der_heim_integer_cmp ( + const heim_integer */*p*/, + const heim_integer */*q*/); + +int +der_heim_octet_string_cmp ( + const heim_octet_string */*p*/, + const heim_octet_string */*q*/); + +int +der_heim_oid_cmp ( + const heim_oid */*p*/, + const heim_oid */*q*/); + +int +der_heim_universal_string_cmp ( + const heim_universal_string */*p*/, + const heim_universal_string */*q*/); + +size_t +der_length_bit_string (const heim_bit_string */*k*/); + +size_t +der_length_bmp_string (const heim_bmp_string */*data*/); + +size_t +der_length_boolean (const int */*k*/); + +size_t +der_length_enumerated (const unsigned */*data*/); + +size_t +der_length_general_string (const heim_general_string */*data*/); + +size_t +der_length_generalized_time (const time_t */*t*/); + +size_t +der_length_heim_integer (const heim_integer */*k*/); + +size_t +der_length_ia5_string (const heim_ia5_string */*data*/); + +size_t +der_length_integer (const int */*data*/); + +size_t +der_length_len (size_t /*len*/); + +size_t +der_length_octet_string (const heim_octet_string */*k*/); + +size_t +der_length_oid (const heim_oid */*k*/); + +size_t +der_length_printable_string (const heim_printable_string */*data*/); + +size_t +der_length_universal_string (const heim_universal_string */*data*/); + +size_t +der_length_unsigned (const unsigned */*data*/); + +size_t +der_length_utctime (const time_t */*t*/); + +size_t +der_length_utf8string (const heim_utf8_string */*data*/); + +int +der_match_tag ( + const unsigned char */*p*/, + size_t /*len*/, + Der_class /*class*/, + Der_type /*type*/, + unsigned int /*tag*/, + size_t */*size*/); + +int +der_match_tag_and_length ( + const unsigned char */*p*/, + size_t /*len*/, + Der_class /*class*/, + Der_type /*type*/, + unsigned int /*tag*/, + size_t */*length_ret*/, + size_t */*size*/); + +int +der_parse_heim_oid ( + const char */*str*/, + const char */*sep*/, + heim_oid */*data*/); + +int +der_parse_hex_heim_integer ( + const char */*p*/, + heim_integer */*data*/); + +int +der_print_heim_oid ( + const heim_oid */*oid*/, + char /*delim*/, + char **/*str*/); + +int +der_print_hex_heim_integer ( + const heim_integer */*data*/, + char **/*p*/); + +int +der_put_bit_string ( + unsigned char */*p*/, + size_t /*len*/, + const heim_bit_string */*data*/, + size_t */*size*/); + +int +der_put_bmp_string ( + unsigned char */*p*/, + size_t /*len*/, + const heim_bmp_string */*data*/, + size_t */*size*/); + +int +der_put_boolean ( + unsigned char */*p*/, + size_t /*len*/, + const int */*data*/, + size_t */*size*/); + +int +der_put_general_string ( + unsigned char */*p*/, + size_t /*len*/, + const heim_general_string */*str*/, + size_t */*size*/); + +int +der_put_generalized_time ( + unsigned char */*p*/, + size_t /*len*/, + const time_t */*data*/, + size_t */*size*/); + +int +der_put_heim_integer ( + unsigned char */*p*/, + size_t /*len*/, + const heim_integer */*data*/, + size_t */*size*/); + +int +der_put_ia5_string ( + unsigned char */*p*/, + size_t /*len*/, + const heim_ia5_string */*str*/, + size_t */*size*/); + +int +der_put_integer ( + unsigned char */*p*/, + size_t /*len*/, + const int */*v*/, + size_t */*size*/); + +int +der_put_length ( + unsigned char */*p*/, + size_t /*len*/, + size_t /*val*/, + size_t */*size*/); + +int +der_put_length_and_tag ( + unsigned char */*p*/, + size_t /*len*/, + size_t /*len_val*/, + Der_class /*class*/, + Der_type /*type*/, + unsigned int /*tag*/, + size_t */*size*/); + +int +der_put_octet_string ( + unsigned char */*p*/, + size_t /*len*/, + const heim_octet_string */*data*/, + size_t */*size*/); + +int +der_put_oid ( + unsigned char */*p*/, + size_t /*len*/, + const heim_oid */*data*/, + size_t */*size*/); + +int +der_put_printable_string ( + unsigned char */*p*/, + size_t /*len*/, + const heim_printable_string */*str*/, + size_t */*size*/); + +int +der_put_tag ( + unsigned char */*p*/, + size_t /*len*/, + Der_class /*class*/, + Der_type /*type*/, + unsigned int /*tag*/, + size_t */*size*/); + +int +der_put_universal_string ( + unsigned char */*p*/, + size_t /*len*/, + const heim_universal_string */*data*/, + size_t */*size*/); + +int +der_put_unsigned ( + unsigned char */*p*/, + size_t /*len*/, + const unsigned */*v*/, + size_t */*size*/); + +int +der_put_utctime ( + unsigned char */*p*/, + size_t /*len*/, + const time_t */*data*/, + size_t */*size*/); + +int +der_put_utf8string ( + unsigned char */*p*/, + size_t /*len*/, + const heim_utf8_string */*str*/, + size_t */*size*/); + +int +encode_heim_any ( + unsigned char */*p*/, + size_t /*len*/, + const heim_any */*data*/, + size_t */*size*/); + +int +encode_heim_any_set ( + unsigned char */*p*/, + size_t /*len*/, + const heim_any_set */*data*/, + size_t */*size*/); + +void +free_heim_any (heim_any */*data*/); + +void +free_heim_any_set (heim_any_set */*data*/); + +int +heim_any_cmp ( + const heim_any_set */*p*/, + const heim_any_set */*q*/); + +size_t +length_heim_any (const heim_any */*data*/); + +size_t +length_heim_any_set (const heim_any */*data*/); + +#ifdef __cplusplus +} +#endif + +#endif /* __der_protos_h__ */ diff --git a/source4/heimdal/lib/asn1/der.h b/source4/heimdal/lib/asn1/der.h index b9c2b47079..b0170e35fe 100644 --- a/source4/heimdal/lib/asn1/der.h +++ b/source4/heimdal/lib/asn1/der.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: der.h,v 1.32 2006/01/30 15:25:25 lha Exp $ */ +/* $Id: der.h,v 1.36 2006/10/14 05:16:08 lha Exp $ */ #ifndef __DER_H__ #define __DER_H__ @@ -83,164 +83,21 @@ enum { #define ASN1_INDEFINITE 0xdce0deed -typedef struct asn1_der_time_t { +typedef struct heim_der_time_t { time_t dt_sec; unsigned long dt_nsec; -} asn1_der_time_t; +} heim_der_time_t; -typedef struct asn1_ber_time_t { +typedef struct heim_ber_time_t { time_t bt_sec; unsigned bt_nsec; int bt_zone; -} asn1_ber_time_t; +} heim_ber_time_t; -int der_get_unsigned (const unsigned char *p, size_t len, - unsigned *ret, size_t *size); -int der_get_integer (const unsigned char *p, size_t len, - int *ret, size_t *size); -int der_get_heim_integer (const unsigned char *p, size_t len, - heim_integer *ret, size_t *size); -int der_get_boolean(const unsigned char *p, size_t len, - int *data, size_t *size); -int der_get_length (const unsigned char *p, size_t len, - size_t *val, size_t *size); -int der_get_general_string (const unsigned char *p, size_t len, - heim_general_string *str, size_t *size); -int der_get_utf8string (const unsigned char *p, size_t len, - heim_utf8_string *str, size_t *size); -int der_get_universal_string (const unsigned char *p, size_t len, - heim_universal_string *str, size_t *size); -int der_get_bmp_string (const unsigned char *p, size_t len, - heim_bmp_string *str, size_t *size); -int der_get_printable_string (const unsigned char *p, size_t len, - heim_printable_string *str, size_t *size); -int der_get_ia5_string (const unsigned char *p, size_t len, - heim_ia5_string *str, size_t *size); -int der_get_octet_string (const unsigned char *p, size_t len, - heim_octet_string *data, size_t *size); -int der_get_generalized_time (const unsigned char *p, size_t len, - time_t *data, size_t *size); -int der_get_generalized_time_der (const unsigned char *p, size_t len, - asn1_der_time_t *data, size_t *size); -int der_get_generalized_time_ber (const unsigned char *p, size_t len, - asn1_ber_time_t *data, size_t *size); -int der_get_utctime (const unsigned char *p, size_t len, - time_t *data, size_t *size); -int der_get_oid (const unsigned char *p, size_t len, - heim_oid *data, size_t *size); -int der_get_bit_string (const unsigned char *p, size_t len, - heim_bit_string *data, size_t *size); -int der_get_tag (const unsigned char *p, size_t len, - Der_class *class, Der_type *type, - unsigned int *tag, size_t *size); - -int der_match_tag (const unsigned char *p, size_t len, - Der_class class, Der_type type, - unsigned int tag, size_t *size); -int der_match_tag_and_length (const unsigned char *p, size_t len, - Der_class class, Der_type type, unsigned int tag, - size_t *length_ret, size_t *size); - -int der_put_unsigned (unsigned char *p, size_t len, const unsigned *val, size_t*); -int der_put_integer (unsigned char *p, size_t len, const int *val, size_t*); -int der_put_heim_integer (unsigned char *p, size_t len, - const heim_integer *val, size_t*); -int der_put_boolean (unsigned char *p, size_t len, const int *val, size_t*); - -int der_put_length (unsigned char *p, size_t len, size_t val, size_t*); -int der_put_general_string (unsigned char *p, size_t len, - const heim_general_string *str, size_t*); -int der_put_utf8string (unsigned char *p, size_t len, - const heim_utf8_string *str, size_t*); -int der_put_universal_string (unsigned char *p, size_t len, - const heim_universal_string *str, size_t*); -int der_put_bmp_string (unsigned char *p, size_t len, - const heim_bmp_string *str, size_t*); -int der_put_printable_string (unsigned char *p, size_t len, - const heim_printable_string *str, size_t*); -int der_put_ia5_string (unsigned char *p, size_t len, - const heim_ia5_string *str, size_t*); -int der_put_octet_string (unsigned char *p, size_t len, - const heim_octet_string *data, size_t*); -int der_put_generalized_time (unsigned char *p, size_t len, - const time_t *data, size_t *size); -int der_put_utctime (unsigned char *p, size_t len, - const time_t *data, size_t *size); -int der_put_oid (unsigned char *p, size_t len, - const heim_oid *data, size_t *size); -int der_put_bit_string (unsigned char *p, size_t len, - const heim_bit_string *data, size_t *size); -int der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type, - unsigned int tag, size_t*); -int der_put_length_and_tag (unsigned char*, size_t, size_t, - Der_class, Der_type, unsigned int, size_t*); - -void free_integer (int *num); -void free_heim_integer (heim_integer *num); -void free_octet_string (heim_octet_string *k); -void free_general_string (heim_general_string *str); -void free_octet_string (heim_octet_string *k); -void free_oid (heim_oid *k); -void free_bit_string (heim_bit_string *k); -void free_generalized_time (time_t *t); -void free_utctime (time_t *t); -void free_utf8string (heim_utf8_string*); -void free_printable_string (heim_printable_string*); -void free_ia5_string (heim_ia5_string*); -void free_universal_string (heim_universal_string*); -void free_bmp_string (heim_bmp_string*); - -size_t length_len (size_t len); -size_t length_integer (const int *data); -size_t length_heim_integer (const heim_integer *data); -size_t length_unsigned (const unsigned *data); -size_t length_enumerated (const unsigned *data); -size_t length_general_string (const heim_general_string *data); -size_t length_octet_string (const heim_octet_string *k); -size_t length_oid (const heim_oid *k); -size_t length_bit_string (const heim_bit_string *k); -size_t length_generalized_time (const time_t *t); -size_t length_utctime (const time_t *t); -size_t length_utf8string (const heim_utf8_string*); -size_t length_printable_string (const heim_printable_string*); -size_t length_ia5_string (const heim_ia5_string*); -size_t length_bmp_string (const heim_bmp_string*); -size_t length_universal_string (const heim_universal_string*); -size_t length_boolean (const int*); - -int copy_heim_integer (const heim_integer *, heim_integer *); -int copy_general_string (const heim_general_string *, heim_general_string *); -int copy_octet_string (const heim_octet_string *, heim_octet_string *); -int copy_oid (const heim_oid *from, heim_oid *to); -int copy_bit_string (const heim_bit_string *from, heim_bit_string *to); -int copy_utf8string (const heim_utf8_string*, heim_utf8_string*); -int copy_printable_string (const heim_printable_string*,heim_printable_string*); -int copy_ia5_string (const heim_ia5_string*,heim_ia5_string*); -int copy_universal_string(const heim_universal_string*,heim_universal_string*); -int copy_bmp_string (const heim_bmp_string*,heim_bmp_string*); - -int heim_oid_cmp(const heim_oid *, const heim_oid *); -int heim_octet_string_cmp(const heim_octet_string *,const heim_octet_string *); -int heim_bit_string_cmp(const heim_bit_string *, const heim_bit_string *); -int heim_integer_cmp(const heim_integer *, const heim_integer *); -int heim_bmp_string_cmp(const heim_bmp_string *, const heim_bmp_string *); -int heim_universal_string_cmp(const heim_universal_string *, - const heim_universal_string *); - -int der_parse_oid(const char *, heim_oid *); +#include <der-protos.h> int _heim_fix_dce(size_t reallen, size_t *len); int _heim_der_set_sort(const void *, const void *); int _heim_time2generalizedtime (time_t, heim_octet_string *, int); -const char * der_get_class_name(unsigned); -int der_get_class_num(const char *); -const char * der_get_type_name(unsigned); -int der_get_type_num(const char *); -const char * der_get_tag_name(unsigned); -int der_get_tag_num(const char *); - -int der_parse_hex_heim_integer(const char *, heim_integer *); -int der_print_hex_heim_integer(const heim_integer *, char **); - #endif /* __DER_H__ */ diff --git a/source4/heimdal/lib/asn1/der_cmp.c b/source4/heimdal/lib/asn1/der_cmp.c index 2471312ba8..f27f03c02b 100755 --- a/source4/heimdal/lib/asn1/der_cmp.c +++ b/source4/heimdal/lib/asn1/der_cmp.c @@ -34,7 +34,7 @@ #include "der_locl.h" int -heim_oid_cmp(const heim_oid *p, const heim_oid *q) +der_heim_oid_cmp(const heim_oid *p, const heim_oid *q) { if (p->length != q->length) return p->length - q->length; @@ -44,7 +44,8 @@ heim_oid_cmp(const heim_oid *p, const heim_oid *q) } int -heim_octet_string_cmp(const heim_octet_string *p, const heim_octet_string *q) +der_heim_octet_string_cmp(const heim_octet_string *p, + const heim_octet_string *q) { if (p->length != q->length) return p->length - q->length; @@ -52,7 +53,8 @@ heim_octet_string_cmp(const heim_octet_string *p, const heim_octet_string *q) } int -heim_bit_string_cmp(const heim_bit_string *p, const heim_bit_string *q) +der_heim_bit_string_cmp(const heim_bit_string *p, + const heim_bit_string *q) { int i, r1, r2; if (p->length != q->length) @@ -72,7 +74,8 @@ heim_bit_string_cmp(const heim_bit_string *p, const heim_bit_string *q) } int -heim_integer_cmp(const heim_integer *p, const heim_integer *q) +der_heim_integer_cmp(const heim_integer *p, + const heim_integer *q) { if (p->negative != q->negative) return q->negative - p->negative; @@ -82,7 +85,7 @@ heim_integer_cmp(const heim_integer *p, const heim_integer *q) } int -heim_bmp_string_cmp(const heim_bmp_string *p, const heim_bmp_string *q) +der_heim_bmp_string_cmp(const heim_bmp_string *p, const heim_bmp_string *q) { if (p->length != q->length) return p->length - q->length; @@ -90,8 +93,8 @@ heim_bmp_string_cmp(const heim_bmp_string *p, const heim_bmp_string *q) } int -heim_universal_string_cmp(const heim_universal_string *p, - const heim_universal_string *q) +der_heim_universal_string_cmp(const heim_universal_string *p, + const heim_universal_string *q) { if (p->length != q->length) return p->length - q->length; diff --git a/source4/heimdal/lib/asn1/der_copy.c b/source4/heimdal/lib/asn1/der_copy.c index e0443eed39..96eea9c6d7 100644 --- a/source4/heimdal/lib/asn1/der_copy.c +++ b/source4/heimdal/lib/asn1/der_copy.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,10 +33,11 @@ #include "der_locl.h" -RCSID("$Id: der_copy.c,v 1.14 2006/01/04 23:41:29 lha Exp $"); +RCSID("$Id: der_copy.c,v 1.16 2006/10/14 05:30:02 lha Exp $"); int -copy_general_string (const heim_general_string *from, heim_general_string *to) +der_copy_general_string (const heim_general_string *from, + heim_general_string *to) { *to = strdup(*from); if(*to == NULL) @@ -45,27 +46,27 @@ copy_general_string (const heim_general_string *from, heim_general_string *to) } int -copy_utf8string (const heim_utf8_string *from, heim_utf8_string *to) +der_copy_utf8string (const heim_utf8_string *from, heim_utf8_string *to) { - return copy_general_string(from, to); + return der_copy_general_string(from, to); } int -copy_printable_string (const heim_printable_string *from, +der_copy_printable_string (const heim_printable_string *from, heim_printable_string *to) { - return copy_general_string(from, to); + return der_copy_general_string(from, to); } int -copy_ia5_string (const heim_printable_string *from, - heim_printable_string *to) +der_copy_ia5_string (const heim_printable_string *from, + heim_printable_string *to) { - return copy_general_string(from, to); + return der_copy_general_string(from, to); } int -copy_bmp_string (const heim_bmp_string *from, heim_bmp_string *to) +der_copy_bmp_string (const heim_bmp_string *from, heim_bmp_string *to) { to->length = from->length; to->data = malloc(to->length * sizeof(to->data[0])); @@ -76,8 +77,8 @@ copy_bmp_string (const heim_bmp_string *from, heim_bmp_string *to) } int -copy_universal_string (const heim_universal_string *from, - heim_universal_string *to) +der_copy_universal_string (const heim_universal_string *from, + heim_universal_string *to) { to->length = from->length; to->data = malloc(to->length * sizeof(to->data[0])); @@ -88,7 +89,7 @@ copy_universal_string (const heim_universal_string *from, } int -copy_octet_string (const heim_octet_string *from, heim_octet_string *to) +der_copy_octet_string (const heim_octet_string *from, heim_octet_string *to) { to->length = from->length; to->data = malloc(to->length); @@ -99,7 +100,7 @@ copy_octet_string (const heim_octet_string *from, heim_octet_string *to) } int -copy_heim_integer (const heim_integer *from, heim_integer *to) +der_copy_heim_integer (const heim_integer *from, heim_integer *to) { to->length = from->length; to->data = malloc(to->length); @@ -111,7 +112,7 @@ copy_heim_integer (const heim_integer *from, heim_integer *to) } int -copy_oid (const heim_oid *from, heim_oid *to) +der_copy_oid (const heim_oid *from, heim_oid *to) { to->length = from->length; to->components = malloc(to->length * sizeof(*to->components)); @@ -123,7 +124,7 @@ copy_oid (const heim_oid *from, heim_oid *to) } int -copy_bit_string (const heim_bit_string *from, heim_bit_string *to) +der_copy_bit_string (const heim_bit_string *from, heim_bit_string *to) { size_t len; diff --git a/source4/heimdal/lib/asn1/der_format.c b/source4/heimdal/lib/asn1/der_format.c index 44e39b46c5..9655269356 100644 --- a/source4/heimdal/lib/asn1/der_format.c +++ b/source4/heimdal/lib/asn1/der_format.c @@ -34,7 +34,7 @@ #include "der_locl.h" #include <hex.h> -RCSID("$Id: der_format.c,v 1.2 2006/01/16 23:01:11 lha Exp $"); +RCSID("$Id: der_format.c,v 1.6 2006/10/21 18:24:15 lha Exp $"); int der_parse_hex_heim_integer (const char *p, heim_integer *data) @@ -73,13 +73,13 @@ der_parse_hex_heim_integer (const char *p, heim_integer *data) } { - unsigned char *p = data->data; - while(*p == 0 && len > 0) { - p++; + unsigned char *q = data->data; + while(*q == 0 && len > 0) { + q++; len--; } data->length = len; - memmove(data->data, p, len); + memmove(data->data, q, len); } return 0; } @@ -103,3 +103,65 @@ der_print_hex_heim_integer (const heim_integer *data, char **p) } return 0; } + +int +der_print_heim_oid (const heim_oid *oid, char delim, char **str) +{ + struct rk_strpool *p = NULL; + int i; + + for (i = 0; i < oid->length ; i++) { + p = rk_strpoolprintf(p, "%d%s", + oid->components[i], + i < oid->length - 1 ? " " : ""); + if (p == NULL) { + *str = NULL; + return ENOMEM; + } + } + + *str = rk_strpoolcollect(p); + if (*str == NULL) + return ENOMEM; + return 0; +} + +int +der_parse_heim_oid (const char *str, const char *sep, heim_oid *data) +{ + char *s, *w, *brkt, *endptr; + unsigned int *c; + long l; + + data->length = 0; + data->components = NULL; + + if (sep == NULL) + sep = "."; + + s = strdup(str); + + for (w = strtok_r(s, sep, &brkt); + w != NULL; + w = strtok_r(NULL, sep, &brkt)) { + + c = realloc(data->components, + (data->length + 1) * sizeof(data->components[0])); + if (c == NULL) { + der_free_oid(data); + free(s); + return ENOMEM; + } + data->components = c; + + l = strtol(w, &endptr, 10); + if (*endptr != '\0' || l < 0 || l > INT_MAX) { + der_free_oid(data); + free(s); + return EINVAL; + } + data->components[data->length++] = l; + } + free(s); + return 0; +} diff --git a/source4/heimdal/lib/asn1/der_free.c b/source4/heimdal/lib/asn1/der_free.c index 8959c3b1c3..c3a6a17fff 100644 --- a/source4/heimdal/lib/asn1/der_free.c +++ b/source4/heimdal/lib/asn1/der_free.c @@ -33,37 +33,38 @@ #include "der_locl.h" -RCSID("$Id: der_free.c,v 1.11 2005/07/12 06:27:21 lha Exp $"); +RCSID("$Id: der_free.c,v 1.13 2006/10/14 05:30:47 lha Exp $"); void -free_general_string (heim_general_string *str) +der_free_general_string (heim_general_string *str) { free(*str); *str = NULL; } void -free_utf8string (heim_utf8_string *str) +der_free_utf8string (heim_utf8_string *str) { free(*str); *str = NULL; } void -free_printable_string (heim_printable_string *str) +der_free_printable_string (heim_printable_string *str) { free(*str); *str = NULL; } void -free_ia5_string (heim_ia5_string *str) +der_free_ia5_string (heim_ia5_string *str) { - free_general_string(str); + free(*str); + *str = NULL; } void -free_bmp_string (heim_bmp_string *k) +der_free_bmp_string (heim_bmp_string *k) { free(k->data); k->data = NULL; @@ -71,7 +72,7 @@ free_bmp_string (heim_bmp_string *k) } void -free_universal_string (heim_universal_string *k) +der_free_universal_string (heim_universal_string *k) { free(k->data); k->data = NULL; @@ -79,7 +80,7 @@ free_universal_string (heim_universal_string *k) } void -free_octet_string (heim_octet_string *k) +der_free_octet_string (heim_octet_string *k) { free(k->data); k->data = NULL; @@ -87,7 +88,7 @@ free_octet_string (heim_octet_string *k) } void -free_heim_integer (heim_integer *k) +der_free_heim_integer (heim_integer *k) { free(k->data); k->data = NULL; @@ -95,7 +96,7 @@ free_heim_integer (heim_integer *k) } void -free_oid (heim_oid *k) +der_free_oid (heim_oid *k) { free(k->components); k->components = NULL; @@ -103,7 +104,7 @@ free_oid (heim_oid *k) } void -free_bit_string (heim_bit_string *k) +der_free_bit_string (heim_bit_string *k) { free(k->data); k->data = NULL; diff --git a/source4/heimdal/lib/asn1/der_get.c b/source4/heimdal/lib/asn1/der_get.c index a75ab15c09..7808fa8165 100644 --- a/source4/heimdal/lib/asn1/der_get.c +++ b/source4/heimdal/lib/asn1/der_get.c @@ -33,7 +33,7 @@ #include "der_locl.h" -RCSID("$Id: der_get.c,v 1.45 2006/01/20 10:03:50 lha Exp $"); +RCSID("$Id: der_get.c,v 1.50 2006/10/19 16:27:44 lha Exp $"); #include <version.h> @@ -254,6 +254,8 @@ der_get_heim_integer (const unsigned char *p, size_t len, data->data = malloc(data->length); if (data->data == NULL) { data->length = 0; + if (size) + *size = 0; return ENOMEM; } q = &((unsigned char*)data->data)[data->length - 1]; @@ -276,6 +278,8 @@ der_get_heim_integer (const unsigned char *p, size_t len, data->data = malloc(data->length); if (data->data == NULL && data->length != 0) { data->length = 0; + if (size) + *size = 0; return ENOMEM; } memcpy(data->data, p, data->length); @@ -305,9 +309,10 @@ generalizedtime2time (const char *s, time_t *t) } tm.tm_year -= 1900; tm.tm_mon -= 1; - *t = timegm (&tm); + *t = _der_timegm (&tm); return 0; } +#undef timegm static int der_get_time (const unsigned char *p, size_t len, @@ -378,7 +383,7 @@ der_get_oid (const unsigned char *p, size_t len, u1 = u * 128 + (*p++ % 128); /* check that we don't overflow the element */ if (u1 < u) { - free_oid(data); + der_free_oid(data); return ASN1_OVERRUN; } u = u1; @@ -386,7 +391,7 @@ der_get_oid (const unsigned char *p, size_t len, data->components[n] = u; } if (n > 2 && p[-1] & 0x80) { - free_oid (data); + der_free_oid (data); return ASN1_OVERRUN; } data->length = n; diff --git a/source4/heimdal/lib/asn1/der_length.c b/source4/heimdal/lib/asn1/der_length.c index 2c017ad84e..9b2e9f0998 100644 --- a/source4/heimdal/lib/asn1/der_length.c +++ b/source4/heimdal/lib/asn1/der_length.c @@ -33,7 +33,7 @@ #include "der_locl.h" -RCSID("$Id: der_length.c,v 1.18 2006/01/20 10:04:46 lha Exp $"); +RCSID("$Id: der_length.c,v 1.19 2006/10/14 05:26:06 lha Exp $"); size_t _heim_len_unsigned (unsigned val) @@ -98,7 +98,7 @@ len_oid (const heim_oid *oid) } size_t -length_len (size_t len) +der_length_len (size_t len) { if (len < 128) return 1; @@ -113,67 +113,67 @@ length_len (size_t len) } size_t -length_integer (const int *data) +der_length_integer (const int *data) { return _heim_len_int (*data); } size_t -length_unsigned (const unsigned *data) +der_length_unsigned (const unsigned *data) { return _heim_len_unsigned(*data); } size_t -length_enumerated (const unsigned *data) +der_length_enumerated (const unsigned *data) { return _heim_len_int (*data); } size_t -length_general_string (const heim_general_string *data) +der_length_general_string (const heim_general_string *data) { return strlen(*data); } size_t -length_utf8string (const heim_utf8_string *data) +der_length_utf8string (const heim_utf8_string *data) { return strlen(*data); } size_t -length_printable_string (const heim_printable_string *data) +der_length_printable_string (const heim_printable_string *data) { return strlen(*data); } size_t -length_ia5_string (const heim_ia5_string *data) +der_length_ia5_string (const heim_ia5_string *data) { return strlen(*data); } size_t -length_bmp_string (const heim_bmp_string *data) +der_length_bmp_string (const heim_bmp_string *data) { return data->length * 2; } size_t -length_universal_string (const heim_universal_string *data) +der_length_universal_string (const heim_universal_string *data) { return data->length * 4; } size_t -length_octet_string (const heim_octet_string *k) +der_length_octet_string (const heim_octet_string *k) { return k->length; } size_t -length_heim_integer (const heim_integer *k) +der_length_heim_integer (const heim_integer *k) { if (k->length == 0) return 1; @@ -184,13 +184,13 @@ length_heim_integer (const heim_integer *k) } size_t -length_oid (const heim_oid *k) +der_length_oid (const heim_oid *k) { return len_oid (k); } size_t -length_generalized_time (const time_t *t) +der_length_generalized_time (const time_t *t) { heim_octet_string k; size_t ret; @@ -202,7 +202,7 @@ length_generalized_time (const time_t *t) } size_t -length_utctime (const time_t *t) +der_length_utctime (const time_t *t) { heim_octet_string k; size_t ret; @@ -214,13 +214,13 @@ length_utctime (const time_t *t) } size_t -length_boolean (const int *k) +der_length_boolean (const int *k) { return 1; } size_t -length_bit_string (const heim_bit_string *k) +der_length_bit_string (const heim_bit_string *k) { return (k->length + 7) / 8 + 1; } diff --git a/source4/heimdal/lib/asn1/der_locl.h b/source4/heimdal/lib/asn1/der_locl.h index 1127383e6c..1a87aaaee9 100644 --- a/source4/heimdal/lib/asn1/der_locl.h +++ b/source4/heimdal/lib/asn1/der_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: der_locl.h,v 1.6 2005/07/12 06:27:22 lha Exp $ */ +/* $Id: der_locl.h,v 1.8 2006/10/19 16:24:02 lha Exp $ */ #ifndef __DER_LOCL_H__ #define __DER_LOCL_H__ @@ -53,10 +53,7 @@ #include <asn1_err.h> #include <der.h> -#ifndef HAVE_TIMEGM -time_t timegm (struct tm *); -#endif - +time_t _der_timegm (struct tm *); size_t _heim_len_unsigned (unsigned); size_t _heim_len_int (int); diff --git a/source4/heimdal/lib/asn1/der_put.c b/source4/heimdal/lib/asn1/der_put.c index b006f233ca..2fe90df9a9 100644 --- a/source4/heimdal/lib/asn1/der_put.c +++ b/source4/heimdal/lib/asn1/der_put.c @@ -335,6 +335,9 @@ der_put_utctime (unsigned char *p, size_t len, return 0; } +/* This API is not what you might expect. p is a pointer to the *end* + * (last byte) of the buffer, of length len */ + int der_put_oid (unsigned char *p, size_t len, const heim_oid *data, size_t *size) diff --git a/source4/heimdal/lib/asn1/digest.asn1 b/source4/heimdal/lib/asn1/digest.asn1 new file mode 100644 index 0000000000..1f8f18b5cd --- /dev/null +++ b/source4/heimdal/lib/asn1/digest.asn1 @@ -0,0 +1,115 @@ +-- $Id: digest.asn1,v 1.9 2006/08/25 11:57:54 lha Exp $ + +DIGEST DEFINITIONS ::= +BEGIN + +IMPORTS EncryptedData, Principal FROM krb5; + +DigestInit ::= SEQUENCE { + type UTF8String, -- http, sasl, chap, cram-md5 -- + channel [0] SEQUENCE { + cb-type UTF8String, + cb-binding UTF8String + } OPTIONAL, + hostname [1] UTF8String OPTIONAL -- for chap/cram-md5 +} + +DigestInitReply ::= SEQUENCE { + nonce UTF8String, -- service nonce/challange + opaque UTF8String, -- server state + identifier [0] UTF8String OPTIONAL +} + + +DigestRequest ::= SEQUENCE { + type UTF8String, -- http, sasl-md5, chap, cram-md5 -- + digest UTF8String, -- http:md5/md5-sess sasl:clear/int/conf -- + username UTF8String, -- username user used + authid [0] UTF8String OPTIONAL, + authentication-user [1] Principal OPTIONAL, -- principal to get key from + realm [2] UTF8String OPTIONAL, + method [3] UTF8String OPTIONAL, + uri [4] UTF8String OPTIONAL, + serverNonce UTF8String, -- same as "DigestInitReply.nonce" + clientNonce [5] UTF8String OPTIONAL, + nonceCount [6] UTF8String OPTIONAL, + qop [7] UTF8String OPTIONAL, + identifier [8] UTF8String OPTIONAL, + hostname [9] UTF8String OPTIONAL, + opaque UTF8String -- same as "DigestInitReply.opaque" +} +-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key)) +-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding) + + +DigestError ::= SEQUENCE { + reason UTF8String, + code INTEGER (-2147483648..2147483647) +} + +DigestResponse ::= SEQUENCE { + responseData UTF8String, + rsp [0] UTF8String OPTIONAL, + tickets [1] SEQUENCE OF OCTET STRING OPTIONAL, + channel [2] SEQUENCE { + cb-type UTF8String, + cb-binding UTF8String + } OPTIONAL, + hash-a1 [3] OCTET STRING OPTIONAL +} + +DigestReqInner ::= CHOICE { + init [0] DigestInit, + digestRequest [1] DigestRequest +} + +DigestREQ ::= [APPLICATION 128] SEQUENCE { + apReq [0] OCTET STRING, + innerReq [1] EncryptedData +} + +DigestRepInner ::= CHOICE { + error [0] DigestError, + initReply [1] DigestInitReply, + response [2] DigestResponse +} + +DigestREP ::= [APPLICATION 129] SEQUENCE { + apRep [0] OCTET STRING, + innerRep [1] EncryptedData +} + + +-- HTTP + +-- md5 +-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd +-- md5-sess +-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value)) + +-- qop == auth +-- A2 = Method ":" digest-uri-value +-- qop == auth-int +-- A2 = Method ":" digest-uri-value ":" H(entity-body) + +-- request-digest = HEX(KD(HEX(H(A1)), +-- unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2)))) +-- no "qop" +-- request-digest = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2)))) + + +-- SASL: +-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } ) +-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) } +-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) } + +-- A2 = "AUTHENTICATE:", ":", digest-uri-value +-- qop == auth-int,auth-conf +-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000" + +-- response-value = HEX( KD ( HEX(H(A1)), +-- { unq(nonce-value), ":" nc-value, ":", +-- unq(cnonce-value), ":", qop-value, ":", +-- HEX(H(A2)) })) + +END diff --git a/source4/heimdal/lib/asn1/gen.c b/source4/heimdal/lib/asn1/gen.c index 3d7c3983ac..c3af316c88 100644 --- a/source4/heimdal/lib/asn1/gen.c +++ b/source4/heimdal/lib/asn1/gen.c @@ -33,7 +33,7 @@ #include "gen_locl.h" -RCSID("$Id: gen.c,v 1.67 2006/03/31 02:52:21 lha Exp $"); +RCSID("$Id: gen.c,v 1.69 2006/10/14 05:11:52 lha Exp $"); FILE *headerfile, *codefile, *logfile; @@ -145,6 +145,9 @@ init_generate (const char *filename, const char *base) " size_t length;\n" " void *data;\n" "} heim_bit_string;\n\n"); + fprintf (headerfile, + "typedef struct heim_octet_string heim_any;\n" + "typedef struct heim_octet_string heim_any_set;\n\n"); fputs("#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R) \\\n" " do { \\\n" " (BL) = length_##T((S)); \\\n" @@ -774,6 +777,7 @@ generate_type (const Symbol *s) generate_type_free (s); generate_type_length (s); generate_type_copy (s); + generate_type_seq (s); generate_glue (s->type, s->gen_name); fprintf(headerfile, "\n\n"); close_codefile(); diff --git a/source4/heimdal/lib/asn1/gen_copy.c b/source4/heimdal/lib/asn1/gen_copy.c index 07b7efba2c..9455f33c6f 100644 --- a/source4/heimdal/lib/asn1/gen_copy.c +++ b/source4/heimdal/lib/asn1/gen_copy.c @@ -33,14 +33,14 @@ #include "gen_locl.h" -RCSID("$Id: gen_copy.c,v 1.16 2005/07/12 06:27:26 lha Exp $"); +RCSID("$Id: gen_copy.c,v 1.18 2006/10/14 05:34:19 lha Exp $"); static int used_fail; static void copy_primitive (const char *typename, const char *from, const char *to) { - fprintf (codefile, "if(copy_%s(%s, %s)) goto fail;\n", + fprintf (codefile, "if(der_copy_%s(%s, %s)) goto fail;\n", typename, from, to); used_fail++; } @@ -86,7 +86,7 @@ copy_type (const char *from, const char *to, const Type *t, int preserve) if ((t->type == TSequence || t->type == TChoice) && preserve) { fprintf(codefile, "{ int ret;\n" - "ret = copy_octet_string(&(%s)->_save, &(%s)->_save);\n" + "ret = der_copy_octet_string(&(%s)->_save, &(%s)->_save);\n" "if (ret) goto fail;\n" "}\n", from, to); @@ -140,7 +140,7 @@ copy_type (const char *from, const char *to, const Type *t, int preserve) if (have_ellipsis) { fprintf(codefile, "case %s: {\n" "int ret;\n" - "ret = copy_octet_string(&(%s)->u.%s, &(%s)->u.%s);\n" + "ret=der_copy_octet_string(&(%s)->u.%s, &(%s)->u.%s);\n" "if (ret) goto fail;\n" "break;\n" "}\n", diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c index 6461a0ada9..193dab40e1 100644 --- a/source4/heimdal/lib/asn1/gen_decode.c +++ b/source4/heimdal/lib/asn1/gen_decode.c @@ -34,7 +34,7 @@ #include "gen_locl.h" #include "lex.h" -RCSID("$Id: gen_decode.c,v 1.29 2005/09/21 00:30:37 lha Exp $"); +RCSID("$Id: gen_decode.c,v 1.30 2006/09/24 09:13:12 lha Exp $"); static void decode_primitive (const char *typename, const char *name, const char *forwstr) @@ -307,7 +307,7 @@ decode_type (const char *name, const Type *t, int optional, decode_type (s, m->type, m->optional, forwstr, m->gen_name); free (s); } - + break; } case TSet: { @@ -632,7 +632,7 @@ generate_type_decode (const Symbol *s) case TType: case TChoice: fprintf (codefile, - "size_t ret = 0, reallen;\n" + "size_t ret = 0;\n" "size_t l;\n" "int e;\n"); if (preserve) @@ -640,7 +640,6 @@ generate_type_decode (const Symbol *s) fprintf (codefile, "\n"); fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */ - fprintf (codefile, "reallen = 0;\n"); decode_type ("data", s->type, 0, "goto fail", "Top"); if (preserve) diff --git a/source4/heimdal/lib/asn1/gen_free.c b/source4/heimdal/lib/asn1/gen_free.c index 36c7474a03..2b143bf818 100644 --- a/source4/heimdal/lib/asn1/gen_free.c +++ b/source4/heimdal/lib/asn1/gen_free.c @@ -33,12 +33,12 @@ #include "gen_locl.h" -RCSID("$Id: gen_free.c,v 1.14 2005/07/25 21:28:29 lha Exp $"); +RCSID("$Id: gen_free.c,v 1.16 2006/10/14 05:33:58 lha Exp $"); static void free_primitive (const char *typename, const char *name) { - fprintf (codefile, "free_%s(%s);\n", typename, name); + fprintf (codefile, "der_free_%s(%s);\n", typename, name); } static void @@ -78,7 +78,7 @@ free_type (const char *name, const Type *t, int preserve) break; if ((t->type == TSequence || t->type == TChoice) && preserve) - fprintf(codefile, "free_octet_string(&data->_save);\n"); + fprintf(codefile, "der_free_octet_string(&data->_save);\n"); if(t->type == TChoice) fprintf(codefile, "switch((%s)->element) {\n", name); @@ -115,7 +115,7 @@ free_type (const char *name, const Type *t, int preserve) if (have_ellipsis) fprintf(codefile, "case %s:\n" - "free_octet_string(&(%s)->u.%s);\n" + "der_free_octet_string(&(%s)->u.%s);\n" "break;", have_ellipsis->label, name, have_ellipsis->gen_name); diff --git a/source4/heimdal/lib/asn1/gen_length.c b/source4/heimdal/lib/asn1/gen_length.c index f3869fa5f2..0c92225b92 100644 --- a/source4/heimdal/lib/asn1/gen_length.c +++ b/source4/heimdal/lib/asn1/gen_length.c @@ -33,14 +33,14 @@ #include "gen_locl.h" -RCSID("$Id: gen_length.c,v 1.19 2005/08/23 11:51:41 lha Exp $"); +RCSID("$Id: gen_length.c,v 1.21 2006/10/14 05:28:28 lha Exp $"); static void length_primitive (const char *typename, const char *name, const char *variable) { - fprintf (codefile, "%s += length_%s(%s);\n", variable, typename, name); + fprintf (codefile, "%s += der_length_%s(%s);\n", variable, typename, name); } static size_t @@ -247,7 +247,7 @@ length_type (const char *name, const Type *t, if (tname == NULL) errx(1, "malloc"); length_type (name, t->subtype, variable, tname); - fprintf (codefile, "ret += %lu + length_len (ret);\n", + fprintf (codefile, "ret += %lu + der_length_len (ret);\n", (unsigned long)length_tag(t->tag.tagvalue)); free(tname); break; diff --git a/source4/heimdal/lib/asn1/gen_locl.h b/source4/heimdal/lib/asn1/gen_locl.h index 5a2ba85c7a..c9ea714c5f 100644 --- a/source4/heimdal/lib/asn1/gen_locl.h +++ b/source4/heimdal/lib/asn1/gen_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gen_locl.h,v 1.13 2005/08/23 10:48:15 lha Exp $ */ +/* $Id: gen_locl.h,v 1.14 2006/09/05 12:29:18 lha Exp $ */ #ifndef __GEN_LOCL_H__ #define __GEN_LOCL_H__ @@ -58,11 +58,10 @@ void generate_type (const Symbol *); void generate_constant (const Symbol *); void generate_type_encode (const Symbol *); void generate_type_decode (const Symbol *); -void generate_seq_type_decode (const Symbol *); void generate_type_free (const Symbol *); void generate_type_length (const Symbol *); void generate_type_copy (const Symbol *); -void generate_type_maybe (const Symbol *); +void generate_type_seq (const Symbol *); void generate_glue (const Type *, const char*); const char *classname(Der_class); @@ -79,6 +78,7 @@ void add_import(const char *); int yyparse(void); int preserve_type(const char *); +int seq_type(const char *); extern FILE *headerfile, *codefile, *logfile; extern int dce_fix; diff --git a/source4/heimdal/lib/asn1/gen_seq.c b/source4/heimdal/lib/asn1/gen_seq.c new file mode 100644 index 0000000000..fa3813fd61 --- /dev/null +++ b/source4/heimdal/lib/asn1/gen_seq.c @@ -0,0 +1,119 @@ +/* + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "gen_locl.h" + +RCSID("$Id: gen_seq.c,v 1.4 2006/10/04 10:18:10 lha Exp $"); + +void +generate_type_seq (const Symbol *s) +{ + char *subname; + Type *type; + + if (!seq_type(s->name)) + return; + type = s->type; + while(type->type == TTag) + type = type->subtype; + + if (type->type != TSequenceOf) { + printf("%s not seq of %d\n", s->name, (int)type->type); + return; + } + + /* + * Require the subtype to be a type so we can name it and use + * copy_/free_ + */ + + if (type->subtype->type != TType) { + fprintf(stderr, "%s subtype is not a type, can't generate " + "sequence code for this case: %d\n", + s->name, (int)type->subtype->type); + exit(1); + } + + subname = type->subtype->symbol->gen_name; + + fprintf (headerfile, + "int add_%s (%s *, const %s *);\n" + "int remove_%s (%s *, unsigned int);\n", + s->gen_name, s->gen_name, subname, + s->gen_name, s->gen_name); + + fprintf (codefile, "int\n" + "add_%s(%s *data, const %s *element)\n" + "{\n", + s->gen_name, s->gen_name, subname); + + fprintf (codefile, + "int ret;\n" + "void *ptr;\n" + "\n" + "ptr = realloc(data->val, \n" + "\t(data->len + 1) * sizeof(data->val[0]));\n" + "if (ptr == NULL) return ENOMEM;\n" + "data->val = ptr;\n\n" + "ret = copy_%s(element, &data->val[data->len]);\n" + "if (ret) return ret;\n" + "data->len++;\n" + "return 0;\n", + subname); + + fprintf (codefile, "}\n\n"); + + fprintf (codefile, "int\n" + "remove_%s(%s *data, unsigned int element)\n" + "{\n", + s->gen_name, s->gen_name); + + fprintf (codefile, + "void *ptr;\n" + "\n" + "if (data->len == 0 || element >= data->len)\n" + "\treturn ASN1_OVERRUN;\n" + "free_%s(&data->val[element]);\n" + "data->len--;\n" + /* don't move if its the last element */ + "if (element < data->len)\n" + "\tmemmove(&data->val[element], &data->val[element + 1], \n" + "\t\tsizeof(data->val[0]) * data->len);\n" + /* resize but don't care about failures since it doesn't matter */ + "ptr = realloc(data->val, data->len * sizeof(data->val[0]));\n" + "if (ptr) data->val = ptr;\n" + "return 0;\n", + subname); + + fprintf (codefile, "}\n\n"); +} diff --git a/source4/heimdal/lib/asn1/heim_asn1.h b/source4/heimdal/lib/asn1/heim_asn1.h index 99f8e9514a..afee6f4218 100644 --- a/source4/heimdal/lib/asn1/heim_asn1.h +++ b/source4/heimdal/lib/asn1/heim_asn1.h @@ -34,9 +34,6 @@ #ifndef __HEIM_ANY_H__ #define __HEIM_ANY_H__ 1 -typedef struct heim_octet_string heim_any; -typedef struct heim_octet_string heim_any_set; - int encode_heim_any(unsigned char *, size_t, const heim_any *, size_t *); int decode_heim_any(const unsigned char *, size_t, heim_any *, size_t *); void free_heim_any(heim_any *); diff --git a/source4/heimdal/lib/asn1/k5.asn1 b/source4/heimdal/lib/asn1/k5.asn1 index e314adee0e..3f501f0592 100644 --- a/source4/heimdal/lib/asn1/k5.asn1 +++ b/source4/heimdal/lib/asn1/k5.asn1 @@ -1,4 +1,4 @@ --- $Id: k5.asn1,v 1.47 2006/03/27 22:52:11 lha Exp $ +-- $Id: k5.asn1,v 1.50 2006/09/11 13:28:59 lha Exp $ KERBEROS5 DEFINITIONS ::= BEGIN @@ -70,10 +70,11 @@ PADATA-TYPE ::= INTEGER { KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com - KRB5-PADATA-PK-AS-09-BINDING(132) -- client send this to + KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to -- tell KDC that is supports -- the asCheckSum in the -- PK-AS-REP + KRB5-PADATA-S4U2SELF(-17) } AUTHDATA-TYPE ::= INTEGER { @@ -89,7 +90,8 @@ AUTHDATA-TYPE ::= INTEGER { KRB5-AUTHDATA-SESAME(65), KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), KRB5-AUTHDATA-WIN2K-PAC(128), - KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129) -- Authenticator only + KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only + KRB5-AUTHDATA-SIGNTICKET(-17) } -- checksumtypes @@ -138,12 +140,7 @@ ENCTYPE ::= INTEGER { ETYPE_DES_CFB64_NONE(-0x1002), ETYPE_DES_PCBC_NONE(-0x1003), ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com - ETYPE_CRAM_MD5_NONE(-0x1005), -- private use, lukeh@padl.com - ETYPE_RC2_CBC_NONE(-0x1006), - ETYPE_AES128_CBC_NONE(-0x1007), - ETYPE_AES192_CBC_NONE(-0x1008), - ETYPE_AES256_CBC_NONE(-0x1009), - ETYPE_DES3_CBC_NONE_CMS(-0x100a) + ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com } @@ -186,11 +183,13 @@ HostAddresses ::= SEQUENCE OF HostAddress KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z) -AuthorizationData ::= SEQUENCE OF SEQUENCE { +AuthorizationDataElement ::= SEQUENCE { ad-type[0] krb5int32, ad-data[1] OCTET STRING } +AuthorizationData ::= SEQUENCE OF AuthorizationDataElement + APOptions ::= BIT STRING { reserved(0), use-session-key(1), @@ -307,7 +306,7 @@ Authenticator ::= [APPLICATION 2] SEQUENCE { subkey[6] EncryptionKey OPTIONAL, seq-number[7] krb5uint32 OPTIONAL, authorization-data[8] AuthorizationData OPTIONAL - } +} PA-DATA ::= SEQUENCE { -- might be encoded AP-REQ @@ -601,16 +600,29 @@ PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE { ... } --- This is really part of CMS, but its here because KCRYPTO provides --- the crypto framework for CMS glue in heimdal. - -RC2CBCParameter ::= SEQUENCE { - rc2ParameterVersion krb5int32, - iv OCTET STRING -- exactly 8 octets +PA-S4U2Self ::= SEQUENCE { + name[0] PrincipalName, + realm[1] Realm, + cksum[2] Checksum, + auth[3] GeneralString } -CBCParameter ::= OCTET STRING +KRB5SignedPathPrincipals ::= SEQUENCE OF Principal +-- never encoded on the wire, just used to checksum over +KRB5SignedPathData ::= SEQUENCE { + encticket[0] EncTicketPart, + delegated[1] KRB5SignedPathPrincipals OPTIONAL +} + +KRB5SignedPath ::= SEQUENCE { + -- DERcoded KRB5SignedPathData + -- krbtgt key (etype), KeyUsage = XXX + etype[0] ENCTYPE, + cksum[1] Checksum, + -- srvs delegated though + delegated[2] KRB5SignedPathPrincipals OPTIONAL +} END diff --git a/source4/heimdal/lib/asn1/lex.c b/source4/heimdal/lib/asn1/lex.c index 70e893197d..10b4d65a7e 100644 --- a/source4/heimdal/lib/asn1/lex.c +++ b/source4/heimdal/lib/asn1/lex.c @@ -1,94 +1,32 @@ -#include "config.h" +/* A lexical scanner generated by flex*/ -#line 3 "lex.yy.c" - -#define YY_INT_ALIGNED short int - -/* A lexical scanner generated by flex */ +/* Scanner skeleton version: + * $Header: /home/daffy/u0/vern/flex/RCS/flex.skl,v 2.91 96/09/10 16:58:48 vern Exp $ + */ #define FLEX_SCANNER #define YY_FLEX_MAJOR_VERSION 2 #define YY_FLEX_MINOR_VERSION 5 -#define YY_FLEX_SUBMINOR_VERSION 33 -#if YY_FLEX_SUBMINOR_VERSION > 0 -#define FLEX_BETA -#endif - -/* First, we deal with platform-specific or compiler-specific issues. */ -/* begin standard C headers. */ #include <stdio.h> -#include <string.h> -#include <errno.h> -#include <stdlib.h> - -/* end standard C headers. */ - -/* flex integer type definitions */ - -#ifndef FLEXINT_H -#define FLEXINT_H - -/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */ - -#if __STDC_VERSION__ >= 199901L - -/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h, - * if you want the limit (max/min) macros for int types. - */ -#ifndef __STDC_LIMIT_MACROS -#define __STDC_LIMIT_MACROS 1 -#endif +#include <unistd.h> -#include <inttypes.h> -typedef int8_t flex_int8_t; -typedef uint8_t flex_uint8_t; -typedef int16_t flex_int16_t; -typedef uint16_t flex_uint16_t; -typedef int32_t flex_int32_t; -typedef uint32_t flex_uint32_t; -#else -typedef signed char flex_int8_t; -typedef short int flex_int16_t; -typedef int flex_int32_t; -typedef unsigned char flex_uint8_t; -typedef unsigned short int flex_uint16_t; -typedef unsigned int flex_uint32_t; -#endif /* ! C99 */ -/* Limits of integral types. */ -#ifndef INT8_MIN -#define INT8_MIN (-128) -#endif -#ifndef INT16_MIN -#define INT16_MIN (-32767-1) -#endif -#ifndef INT32_MIN -#define INT32_MIN (-2147483647-1) -#endif -#ifndef INT8_MAX -#define INT8_MAX (127) -#endif -#ifndef INT16_MAX -#define INT16_MAX (32767) -#endif -#ifndef INT32_MAX -#define INT32_MAX (2147483647) -#endif -#ifndef UINT8_MAX -#define UINT8_MAX (255U) -#endif -#ifndef UINT16_MAX -#define UINT16_MAX (65535U) +/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */ +#ifdef c_plusplus +#ifndef __cplusplus +#define __cplusplus #endif -#ifndef UINT32_MAX -#define UINT32_MAX (4294967295U) #endif -#endif /* ! FLEXINT_H */ #ifdef __cplusplus +#include <stdlib.h> + +/* Use prototypes in function declarations. */ +#define YY_USE_PROTOS + /* The "const" storage-class-modifier is valid. */ #define YY_USE_CONST @@ -96,17 +34,34 @@ typedef unsigned int flex_uint32_t; #if __STDC__ +#define YY_USE_PROTOS #define YY_USE_CONST #endif /* __STDC__ */ #endif /* ! __cplusplus */ +#ifdef __TURBOC__ + #pragma warn -rch + #pragma warn -use +#include <io.h> +#include <stdlib.h> +#define YY_USE_CONST +#define YY_USE_PROTOS +#endif + #ifdef YY_USE_CONST #define yyconst const #else #define yyconst #endif + +#ifdef YY_USE_PROTOS +#define YY_PROTO(proto) proto +#else +#define YY_PROTO(proto) () +#endif + /* Returned upon end-of-file. */ #define YY_NULL 0 @@ -121,75 +76,80 @@ typedef unsigned int flex_uint32_t; * but we do it the disgusting crufty way forced on us by the ()-less * definition of BEGIN. */ -#define BEGIN (yy_start) = 1 + 2 * +#define BEGIN yy_start = 1 + 2 * /* Translate the current start state into a value that can be later handed * to BEGIN to return to the state. The YYSTATE alias is for lex * compatibility. */ -#define YY_START (((yy_start) - 1) / 2) +#define YY_START ((yy_start - 1) / 2) #define YYSTATE YY_START /* Action number for EOF rule of a given start state. */ #define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1) /* Special action meaning "start processing a new file". */ -#define YY_NEW_FILE yyrestart(yyin ) +#define YY_NEW_FILE yyrestart( yyin ) #define YY_END_OF_BUFFER_CHAR 0 /* Size of default input buffer. */ -#ifndef YY_BUF_SIZE #define YY_BUF_SIZE 16384 -#endif -/* The state buf must be large enough to hold one state per character in the main buffer. - */ -#define YY_STATE_BUF_SIZE ((YY_BUF_SIZE + 2) * sizeof(yy_state_type)) - -#ifndef YY_TYPEDEF_YY_BUFFER_STATE -#define YY_TYPEDEF_YY_BUFFER_STATE typedef struct yy_buffer_state *YY_BUFFER_STATE; -#endif extern int yyleng; - extern FILE *yyin, *yyout; #define EOB_ACT_CONTINUE_SCAN 0 #define EOB_ACT_END_OF_FILE 1 #define EOB_ACT_LAST_MATCH 2 - #define YY_LESS_LINENO(n) - -/* Return all but the first "n" matched characters back to the input stream. */ +/* The funky do-while in the following #define is used to turn the definition + * int a single C statement (which needs a semi-colon terminator). This + * avoids problems with code like: + * + * if ( condition_holds ) + * yyless( 5 ); + * else + * do_something_else(); + * + * Prior to using the do-while the compiler would get upset at the + * "else" because it interpreted the "if" statement as being all + * done when it reached the ';' after the yyless() call. + */ + +/* Return all but the first 'n' matched characters back to the input stream. */ + #define yyless(n) \ do \ { \ /* Undo effects of setting up yytext. */ \ - int yyless_macro_arg = (n); \ - YY_LESS_LINENO(yyless_macro_arg);\ - *yy_cp = (yy_hold_char); \ + *yy_cp = yy_hold_char; \ YY_RESTORE_YY_MORE_OFFSET \ - (yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \ + yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \ YY_DO_BEFORE_ACTION; /* set up yytext again */ \ } \ while ( 0 ) -#define unput(c) yyunput( c, (yytext_ptr) ) +#define unput(c) yyunput( c, yytext_ptr ) + +/* Some routines like yy_flex_realloc() are emitted as static but are + not called by all lexers. This generates warnings in some compilers, + notably GCC. Arrange to suppress these. */ +#ifdef __GNUC__ +#define YY_MAY_BE_UNUSED __attribute__((unused)) +#else +#define YY_MAY_BE_UNUSED +#endif /* The following is because we cannot portably get our hands on size_t * (without autoconf's help, which isn't available because we want * flex-generated scanners to compile on their own). */ - -#ifndef YY_TYPEDEF_YY_SIZE_T -#define YY_TYPEDEF_YY_SIZE_T typedef unsigned int yy_size_t; -#endif -#ifndef YY_STRUCT_YY_BUFFER_STATE -#define YY_STRUCT_YY_BUFFER_STATE + struct yy_buffer_state { FILE *yy_input_file; @@ -226,16 +186,12 @@ struct yy_buffer_state */ int yy_at_bol; - int yy_bs_lineno; /**< The line count. */ - int yy_bs_column; /**< The column count. */ - /* Whether to try to fill the input buffer when we reach the * end of it. */ int yy_fill_buffer; int yy_buffer_status; - #define YY_BUFFER_NEW 0 #define YY_BUFFER_NORMAL 1 /* When an EOF's been seen but there's still some text to process @@ -249,38 +205,28 @@ struct yy_buffer_state * just pointing yyin at a new input file. */ #define YY_BUFFER_EOF_PENDING 2 - }; -#endif /* !YY_STRUCT_YY_BUFFER_STATE */ -/* Stack of input buffers. */ -static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */ -static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */ -static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */ +static YY_BUFFER_STATE yy_current_buffer = 0; /* We provide macros for accessing buffer states in case in the * future we want to put the buffer states in a more general * "scanner state". - * - * Returns the top of the stack, or NULL. */ -#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \ - ? (yy_buffer_stack)[(yy_buffer_stack_top)] \ - : NULL) +#define YY_CURRENT_BUFFER yy_current_buffer -/* Same as previous macro, but useful when we know that the buffer stack is not - * NULL or when we need an lvalue. For internal use only. - */ -#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] /* yy_hold_char holds the character lost when yytext is formed. */ static char yy_hold_char; + static int yy_n_chars; /* number of characters read into yy_ch_buf */ + + int yyleng; /* Points to current character in buffer. */ static char *yy_c_buf_p = (char *) 0; -static int yy_init = 0; /* whether we need to initialize */ +static int yy_init = 1; /* whether we need to initialize */ static int yy_start = 0; /* start state number */ /* Flag which is used to allow yywrap()'s to do buffer switches @@ -288,92 +234,66 @@ static int yy_start = 0; /* start state number */ */ static int yy_did_buffer_switch_on_eof; -void yyrestart (FILE *input_file ); -void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer ); -YY_BUFFER_STATE yy_create_buffer (FILE *file,int size ); -void yy_delete_buffer (YY_BUFFER_STATE b ); -void yy_flush_buffer (YY_BUFFER_STATE b ); -void yypush_buffer_state (YY_BUFFER_STATE new_buffer ); -void yypop_buffer_state (void ); +void yyrestart YY_PROTO(( FILE *input_file )); -static void yyensure_buffer_stack (void ); -static void yy_load_buffer_state (void ); -static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file ); +void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer )); +void yy_load_buffer_state YY_PROTO(( void )); +YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size )); +void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b )); +void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file )); +void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b )); +#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer ) -#define YY_FLUSH_BUFFER yy_flush_buffer(YY_CURRENT_BUFFER ) +YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size )); +YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str )); +YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len )); -YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size ); -YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str ); -YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len ); - -void *yyalloc (yy_size_t ); -void *yyrealloc (void *,yy_size_t ); -void yyfree (void * ); +static void *yy_flex_alloc YY_PROTO(( yy_size_t )); +static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t )) YY_MAY_BE_UNUSED; +static void yy_flex_free YY_PROTO(( void * )); #define yy_new_buffer yy_create_buffer #define yy_set_interactive(is_interactive) \ { \ - if ( ! YY_CURRENT_BUFFER ){ \ - yyensure_buffer_stack (); \ - YY_CURRENT_BUFFER_LVALUE = \ - yy_create_buffer(yyin,YY_BUF_SIZE ); \ - } \ - YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \ + if ( ! yy_current_buffer ) \ + yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \ + yy_current_buffer->yy_is_interactive = is_interactive; \ } #define yy_set_bol(at_bol) \ { \ - if ( ! YY_CURRENT_BUFFER ){\ - yyensure_buffer_stack (); \ - YY_CURRENT_BUFFER_LVALUE = \ - yy_create_buffer(yyin,YY_BUF_SIZE ); \ - } \ - YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \ + if ( ! yy_current_buffer ) \ + yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \ + yy_current_buffer->yy_at_bol = at_bol; \ } -#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol) - -/* Begin user sect3 */ +#define YY_AT_BOL() (yy_current_buffer->yy_at_bol) typedef unsigned char YY_CHAR; - FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0; - typedef int yy_state_type; - -extern int yylineno; - -int yylineno = 1; - extern char *yytext; #define yytext_ptr yytext -static yy_state_type yy_get_previous_state (void ); -static yy_state_type yy_try_NUL_trans (yy_state_type current_state ); -static int yy_get_next_buffer (void ); -static void yy_fatal_error (yyconst char msg[] ); +static yy_state_type yy_get_previous_state YY_PROTO(( void )); +static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state )); +static int yy_get_next_buffer YY_PROTO(( void )); +static void yy_fatal_error YY_PROTO(( yyconst char msg[] )); /* Done after the current pattern has been matched and before the * corresponding action - sets up yytext. */ #define YY_DO_BEFORE_ACTION \ - (yytext_ptr) = yy_bp; \ - yyleng = (size_t) (yy_cp - yy_bp); \ - (yy_hold_char) = *yy_cp; \ + yytext_ptr = yy_bp; \ + yyleng = (int) (yy_cp - yy_bp); \ + yy_hold_char = *yy_cp; \ *yy_cp = '\0'; \ - (yy_c_buf_p) = yy_cp; + yy_c_buf_p = yy_cp; #define YY_NUM_RULES 95 #define YY_END_OF_BUFFER 96 -/* This struct is not used in this scanner, - but its presence is necessary. */ -struct yy_trans_info - { - flex_int32_t yy_verify; - flex_int32_t yy_nxt; - }; -static yyconst flex_int16_t yy_accept[568] = +static yyconst short int yy_accept[568] = { 0, 0, 0, 96, 94, 90, 91, 87, 81, 81, 94, 94, 88, 88, 94, 89, 89, 89, 89, 89, 89, @@ -439,7 +359,7 @@ static yyconst flex_int16_t yy_accept[568] = 32, 89, 59, 70, 77, 53, 0 } ; -static yyconst flex_int32_t yy_ec[256] = +static yyconst int yy_ec[256] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 2, 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, @@ -471,7 +391,7 @@ static yyconst flex_int32_t yy_ec[256] = 1, 1, 1, 1, 1 } ; -static yyconst flex_int32_t yy_meta[70] = +static yyconst int yy_meta[70] = { 0, 1, 1, 1, 1, 1, 1, 2, 1, 1, 3, 3, 3, 3, 3, 3, 3, 1, 1, 3, 3, @@ -482,7 +402,7 @@ static yyconst flex_int32_t yy_meta[70] = 2, 2, 2, 2, 2, 2, 2, 2, 2 } ; -static yyconst flex_int16_t yy_base[570] = +static yyconst short int yy_base[570] = { 0, 0, 0, 636, 637, 637, 637, 637, 637, 63, 627, 628, 70, 77, 616, 74, 72, 76, 609, 65, 81, @@ -548,7 +468,7 @@ static yyconst flex_int16_t yy_base[570] = 0, 101, 0, 0, 0, 0, 637, 223, 69 } ; -static yyconst flex_int16_t yy_def[570] = +static yyconst short int yy_def[570] = { 0, 567, 1, 567, 567, 567, 567, 567, 567, 567, 567, 567, 567, 567, 567, 568, 568, 568, 568, 568, 568, @@ -614,7 +534,7 @@ static yyconst flex_int16_t yy_def[570] = 568, 568, 568, 568, 568, 568, 0, 567, 567 } ; -static yyconst flex_int16_t yy_nxt[707] = +static yyconst short int yy_nxt[707] = { 0, 4, 5, 6, 7, 8, 4, 9, 10, 11, 12, 13, 13, 13, 13, 13, 13, 14, 4, 15, 16, @@ -696,7 +616,7 @@ static yyconst flex_int16_t yy_nxt[707] = 567, 567, 567, 567, 567, 567 } ; -static yyconst flex_int16_t yy_chk[707] = +static yyconst short int yy_chk[707] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, @@ -781,9 +701,6 @@ static yyconst flex_int16_t yy_chk[707] = static yy_state_type yy_last_accepting_state; static char *yy_last_accepting_cpos; -extern int yy_flex_debug; -int yy_flex_debug = 0; - /* The intent behind this definition is that it'll catch * any uses of REJECT which flex missed. */ @@ -793,6 +710,7 @@ int yy_flex_debug = 0; #define YY_RESTORE_YY_MORE_OFFSET char *yytext; #line 1 "lex.l" +#define INITIAL 0 #line 2 "lex.l" /* * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan @@ -827,7 +745,7 @@ char *yytext; * SUCH DAMAGE. */ -/* $Id: lex.l,v 1.27 2005/09/13 18:17:16 lha Exp $ */ +/* $Id: lex.l,v 1.31 2006/10/21 11:57:22 lha Exp $ */ #ifdef HAVE_CONFIG_H #include <config.h> @@ -851,23 +769,8 @@ static unsigned lineno = 1; static void unterminated(const char *, unsigned); -#line 854 "lex.yy.c" - -#define INITIAL 0 - -#ifndef YY_NO_UNISTD_H -/* Special case for "unistd.h", since it is non-ANSI. We include it way - * down here because we want the user's section 1 to have been scanned first. - * The user has a chance to override it with an option. - */ -#include <unistd.h> -#endif - -#ifndef YY_EXTRA_TYPE -#define YY_EXTRA_TYPE void * -#endif - -static int yy_init_globals (void ); +/* This is for broken old lexes (solaris 10 and hpux) */ +#line 774 "lex.c" /* Macros after this point can all be overridden by user definitions in * section 1. @@ -875,30 +778,65 @@ static int yy_init_globals (void ); #ifndef YY_SKIP_YYWRAP #ifdef __cplusplus -extern "C" int yywrap (void ); +extern "C" int yywrap YY_PROTO(( void )); #else -extern int yywrap (void ); +extern int yywrap YY_PROTO(( void )); +#endif #endif + +#ifndef YY_NO_UNPUT +static void yyunput YY_PROTO(( int c, char *buf_ptr )); #endif - static void yyunput (int c,char *buf_ptr ); - #ifndef yytext_ptr -static void yy_flex_strncpy (char *,yyconst char *,int ); +static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int )); #endif #ifdef YY_NEED_STRLEN -static int yy_flex_strlen (yyconst char * ); +static int yy_flex_strlen YY_PROTO(( yyconst char * )); #endif #ifndef YY_NO_INPUT - #ifdef __cplusplus -static int yyinput (void ); +static int yyinput YY_PROTO(( void )); #else -static int input (void ); +static int input YY_PROTO(( void )); +#endif #endif +#if YY_STACK_USED +static int yy_start_stack_ptr = 0; +static int yy_start_stack_depth = 0; +static int *yy_start_stack = 0; +#ifndef YY_NO_PUSH_STATE +static void yy_push_state YY_PROTO(( int new_state )); +#endif +#ifndef YY_NO_POP_STATE +static void yy_pop_state YY_PROTO(( void )); +#endif +#ifndef YY_NO_TOP_STATE +static int yy_top_state YY_PROTO(( void )); +#endif + +#else +#define YY_NO_PUSH_STATE 1 +#define YY_NO_POP_STATE 1 +#define YY_NO_TOP_STATE 1 +#endif + +#ifdef YY_MALLOC_DECL +YY_MALLOC_DECL +#else +#if __STDC__ +#ifndef __cplusplus +#include <stdlib.h> +#endif +#else +/* Just try to get by without declaring the routines. This will fail + * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int) + * or sizeof(void*) != sizeof(int). + */ +#endif #endif /* Amount of stuff to slurp up with each read. */ @@ -907,6 +845,7 @@ static int input (void ); #endif /* Copy whatever the last rule matched to the standard output. */ + #ifndef ECHO /* This used to be an fputs(), but since the string might contain NUL's, * we now use fwrite(). @@ -919,10 +858,9 @@ static int input (void ); */ #ifndef YY_INPUT #define YY_INPUT(buf,result,max_size) \ - if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \ + if ( yy_current_buffer->yy_is_interactive ) \ { \ - int c = '*'; \ - size_t n; \ + int c = '*', n; \ for ( n = 0; n < max_size && \ (c = getc( yyin )) != EOF && c != '\n'; ++n ) \ buf[n] = (char) c; \ @@ -932,22 +870,9 @@ static int input (void ); YY_FATAL_ERROR( "input in flex scanner failed" ); \ result = n; \ } \ - else \ - { \ - errno=0; \ - while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \ - { \ - if( errno != EINTR) \ - { \ - YY_FATAL_ERROR( "input in flex scanner failed" ); \ - break; \ - } \ - errno=0; \ - clearerr(yyin); \ - } \ - }\ -\ - + else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \ + && ferror( yyin ) ) \ + YY_FATAL_ERROR( "input in flex scanner failed" ); #endif /* No semi-colon after return; correct usage is to write "yyterminate();" - @@ -968,18 +893,12 @@ static int input (void ); #define YY_FATAL_ERROR(msg) yy_fatal_error( msg ) #endif -/* end tables serialization structures and prototypes */ - /* Default declaration of generated scanner - a define so the user can * easily add parameters. */ #ifndef YY_DECL -#define YY_DECL_IS_OURS 1 - -extern int yylex (void); - -#define YY_DECL int yylex (void) -#endif /* !YY_DECL */ +#define YY_DECL int yylex YY_PROTO(( void )) +#endif /* Code executed at the beginning of each rule, after yytext and yyleng * have been set up. @@ -996,28 +915,26 @@ extern int yylex (void); #define YY_RULE_SETUP \ YY_USER_ACTION -/** The main scanner function which does all the work. - */ YY_DECL -{ + { register yy_state_type yy_current_state; - register char *yy_cp, *yy_bp; + register char *yy_cp = NULL, *yy_bp = NULL; register int yy_act; - -#line 62 "lex.l" -#line 1009 "lex.yy.c" +#line 68 "lex.l" - if ( !(yy_init) ) +#line 927 "lex.c" + + if ( yy_init ) { - (yy_init) = 1; + yy_init = 0; #ifdef YY_USER_INIT YY_USER_INIT; #endif - if ( ! (yy_start) ) - (yy_start) = 1; /* first start state */ + if ( ! yy_start ) + yy_start = 1; /* first start state */ if ( ! yyin ) yyin = stdin; @@ -1025,36 +942,34 @@ YY_DECL if ( ! yyout ) yyout = stdout; - if ( ! YY_CURRENT_BUFFER ) { - yyensure_buffer_stack (); - YY_CURRENT_BUFFER_LVALUE = - yy_create_buffer(yyin,YY_BUF_SIZE ); - } + if ( ! yy_current_buffer ) + yy_current_buffer = + yy_create_buffer( yyin, YY_BUF_SIZE ); - yy_load_buffer_state( ); + yy_load_buffer_state(); } while ( 1 ) /* loops until end-of-file is reached */ { - yy_cp = (yy_c_buf_p); + yy_cp = yy_c_buf_p; /* Support of yytext. */ - *yy_cp = (yy_hold_char); + *yy_cp = yy_hold_char; /* yy_bp points to the position in yy_ch_buf of the start of * the current run. */ yy_bp = yy_cp; - yy_current_state = (yy_start); + yy_current_state = yy_start; yy_match: do { register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)]; if ( yy_accept[yy_current_state] ) { - (yy_last_accepting_state) = yy_current_state; - (yy_last_accepting_cpos) = yy_cp; + yy_last_accepting_state = yy_current_state; + yy_last_accepting_cpos = yy_cp; } while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { @@ -1071,447 +986,449 @@ yy_find_action: yy_act = yy_accept[yy_current_state]; if ( yy_act == 0 ) { /* have to back up */ - yy_cp = (yy_last_accepting_cpos); - yy_current_state = (yy_last_accepting_state); + yy_cp = yy_last_accepting_cpos; + yy_current_state = yy_last_accepting_state; yy_act = yy_accept[yy_current_state]; } YY_DO_BEFORE_ACTION; + do_action: /* This label is used only to access EOF actions. */ + switch ( yy_act ) { /* beginning of action switch */ case 0: /* must back up */ /* undo the effects of YY_DO_BEFORE_ACTION */ - *yy_cp = (yy_hold_char); - yy_cp = (yy_last_accepting_cpos); - yy_current_state = (yy_last_accepting_state); + *yy_cp = yy_hold_char; + yy_cp = yy_last_accepting_cpos; + yy_current_state = yy_last_accepting_state; goto yy_find_action; case 1: YY_RULE_SETUP -#line 63 "lex.l" +#line 69 "lex.l" { return kw_ABSENT; } YY_BREAK case 2: YY_RULE_SETUP -#line 64 "lex.l" +#line 70 "lex.l" { return kw_ABSTRACT_SYNTAX; } YY_BREAK case 3: YY_RULE_SETUP -#line 65 "lex.l" +#line 71 "lex.l" { return kw_ALL; } YY_BREAK case 4: YY_RULE_SETUP -#line 66 "lex.l" +#line 72 "lex.l" { return kw_APPLICATION; } YY_BREAK case 5: YY_RULE_SETUP -#line 67 "lex.l" +#line 73 "lex.l" { return kw_AUTOMATIC; } YY_BREAK case 6: YY_RULE_SETUP -#line 68 "lex.l" +#line 74 "lex.l" { return kw_BEGIN; } YY_BREAK case 7: YY_RULE_SETUP -#line 69 "lex.l" +#line 75 "lex.l" { return kw_BIT; } YY_BREAK case 8: YY_RULE_SETUP -#line 70 "lex.l" +#line 76 "lex.l" { return kw_BMPString; } YY_BREAK case 9: YY_RULE_SETUP -#line 71 "lex.l" +#line 77 "lex.l" { return kw_BOOLEAN; } YY_BREAK case 10: YY_RULE_SETUP -#line 72 "lex.l" +#line 78 "lex.l" { return kw_BY; } YY_BREAK case 11: YY_RULE_SETUP -#line 73 "lex.l" +#line 79 "lex.l" { return kw_CHARACTER; } YY_BREAK case 12: YY_RULE_SETUP -#line 74 "lex.l" +#line 80 "lex.l" { return kw_CHOICE; } YY_BREAK case 13: YY_RULE_SETUP -#line 75 "lex.l" +#line 81 "lex.l" { return kw_CLASS; } YY_BREAK case 14: YY_RULE_SETUP -#line 76 "lex.l" +#line 82 "lex.l" { return kw_COMPONENT; } YY_BREAK case 15: YY_RULE_SETUP -#line 77 "lex.l" +#line 83 "lex.l" { return kw_COMPONENTS; } YY_BREAK case 16: YY_RULE_SETUP -#line 78 "lex.l" +#line 84 "lex.l" { return kw_CONSTRAINED; } YY_BREAK case 17: YY_RULE_SETUP -#line 79 "lex.l" +#line 85 "lex.l" { return kw_CONTAINING; } YY_BREAK case 18: YY_RULE_SETUP -#line 80 "lex.l" +#line 86 "lex.l" { return kw_DEFAULT; } YY_BREAK case 19: YY_RULE_SETUP -#line 81 "lex.l" +#line 87 "lex.l" { return kw_DEFINITIONS; } YY_BREAK case 20: YY_RULE_SETUP -#line 82 "lex.l" +#line 88 "lex.l" { return kw_EMBEDDED; } YY_BREAK case 21: YY_RULE_SETUP -#line 83 "lex.l" +#line 89 "lex.l" { return kw_ENCODED; } YY_BREAK case 22: YY_RULE_SETUP -#line 84 "lex.l" +#line 90 "lex.l" { return kw_END; } YY_BREAK case 23: YY_RULE_SETUP -#line 85 "lex.l" +#line 91 "lex.l" { return kw_ENUMERATED; } YY_BREAK case 24: YY_RULE_SETUP -#line 86 "lex.l" +#line 92 "lex.l" { return kw_EXCEPT; } YY_BREAK case 25: YY_RULE_SETUP -#line 87 "lex.l" +#line 93 "lex.l" { return kw_EXPLICIT; } YY_BREAK case 26: YY_RULE_SETUP -#line 88 "lex.l" +#line 94 "lex.l" { return kw_EXPORTS; } YY_BREAK case 27: YY_RULE_SETUP -#line 89 "lex.l" +#line 95 "lex.l" { return kw_EXTENSIBILITY; } YY_BREAK case 28: YY_RULE_SETUP -#line 90 "lex.l" +#line 96 "lex.l" { return kw_EXTERNAL; } YY_BREAK case 29: YY_RULE_SETUP -#line 91 "lex.l" +#line 97 "lex.l" { return kw_FALSE; } YY_BREAK case 30: YY_RULE_SETUP -#line 92 "lex.l" +#line 98 "lex.l" { return kw_FROM; } YY_BREAK case 31: YY_RULE_SETUP -#line 93 "lex.l" +#line 99 "lex.l" { return kw_GeneralString; } YY_BREAK case 32: YY_RULE_SETUP -#line 94 "lex.l" +#line 100 "lex.l" { return kw_GeneralizedTime; } YY_BREAK case 33: YY_RULE_SETUP -#line 95 "lex.l" +#line 101 "lex.l" { return kw_GraphicString; } YY_BREAK case 34: YY_RULE_SETUP -#line 96 "lex.l" +#line 102 "lex.l" { return kw_IA5String; } YY_BREAK case 35: YY_RULE_SETUP -#line 97 "lex.l" +#line 103 "lex.l" { return kw_IDENTIFIER; } YY_BREAK case 36: YY_RULE_SETUP -#line 98 "lex.l" +#line 104 "lex.l" { return kw_IMPLICIT; } YY_BREAK case 37: YY_RULE_SETUP -#line 99 "lex.l" +#line 105 "lex.l" { return kw_IMPLIED; } YY_BREAK case 38: YY_RULE_SETUP -#line 100 "lex.l" +#line 106 "lex.l" { return kw_IMPORTS; } YY_BREAK case 39: YY_RULE_SETUP -#line 101 "lex.l" +#line 107 "lex.l" { return kw_INCLUDES; } YY_BREAK case 40: YY_RULE_SETUP -#line 102 "lex.l" +#line 108 "lex.l" { return kw_INSTANCE; } YY_BREAK case 41: YY_RULE_SETUP -#line 103 "lex.l" +#line 109 "lex.l" { return kw_INTEGER; } YY_BREAK case 42: YY_RULE_SETUP -#line 104 "lex.l" +#line 110 "lex.l" { return kw_INTERSECTION; } YY_BREAK case 43: YY_RULE_SETUP -#line 105 "lex.l" +#line 111 "lex.l" { return kw_ISO646String; } YY_BREAK case 44: YY_RULE_SETUP -#line 106 "lex.l" +#line 112 "lex.l" { return kw_MAX; } YY_BREAK case 45: YY_RULE_SETUP -#line 107 "lex.l" +#line 113 "lex.l" { return kw_MIN; } YY_BREAK case 46: YY_RULE_SETUP -#line 108 "lex.l" +#line 114 "lex.l" { return kw_MINUS_INFINITY; } YY_BREAK case 47: YY_RULE_SETUP -#line 109 "lex.l" +#line 115 "lex.l" { return kw_NULL; } YY_BREAK case 48: YY_RULE_SETUP -#line 110 "lex.l" +#line 116 "lex.l" { return kw_NumericString; } YY_BREAK case 49: YY_RULE_SETUP -#line 111 "lex.l" +#line 117 "lex.l" { return kw_OBJECT; } YY_BREAK case 50: YY_RULE_SETUP -#line 112 "lex.l" +#line 118 "lex.l" { return kw_OCTET; } YY_BREAK case 51: YY_RULE_SETUP -#line 113 "lex.l" +#line 119 "lex.l" { return kw_OF; } YY_BREAK case 52: YY_RULE_SETUP -#line 114 "lex.l" +#line 120 "lex.l" { return kw_OPTIONAL; } YY_BREAK case 53: YY_RULE_SETUP -#line 115 "lex.l" +#line 121 "lex.l" { return kw_ObjectDescriptor; } YY_BREAK case 54: YY_RULE_SETUP -#line 116 "lex.l" +#line 122 "lex.l" { return kw_PATTERN; } YY_BREAK case 55: YY_RULE_SETUP -#line 117 "lex.l" +#line 123 "lex.l" { return kw_PDV; } YY_BREAK case 56: YY_RULE_SETUP -#line 118 "lex.l" +#line 124 "lex.l" { return kw_PLUS_INFINITY; } YY_BREAK case 57: YY_RULE_SETUP -#line 119 "lex.l" +#line 125 "lex.l" { return kw_PRESENT; } YY_BREAK case 58: YY_RULE_SETUP -#line 120 "lex.l" +#line 126 "lex.l" { return kw_PRIVATE; } YY_BREAK case 59: YY_RULE_SETUP -#line 121 "lex.l" +#line 127 "lex.l" { return kw_PrintableString; } YY_BREAK case 60: YY_RULE_SETUP -#line 122 "lex.l" +#line 128 "lex.l" { return kw_REAL; } YY_BREAK case 61: YY_RULE_SETUP -#line 123 "lex.l" +#line 129 "lex.l" { return kw_RELATIVE_OID; } YY_BREAK case 62: YY_RULE_SETUP -#line 124 "lex.l" +#line 130 "lex.l" { return kw_SEQUENCE; } YY_BREAK case 63: YY_RULE_SETUP -#line 125 "lex.l" +#line 131 "lex.l" { return kw_SET; } YY_BREAK case 64: YY_RULE_SETUP -#line 126 "lex.l" +#line 132 "lex.l" { return kw_SIZE; } YY_BREAK case 65: YY_RULE_SETUP -#line 127 "lex.l" +#line 133 "lex.l" { return kw_STRING; } YY_BREAK case 66: YY_RULE_SETUP -#line 128 "lex.l" +#line 134 "lex.l" { return kw_SYNTAX; } YY_BREAK case 67: YY_RULE_SETUP -#line 129 "lex.l" +#line 135 "lex.l" { return kw_T61String; } YY_BREAK case 68: YY_RULE_SETUP -#line 130 "lex.l" +#line 136 "lex.l" { return kw_TAGS; } YY_BREAK case 69: YY_RULE_SETUP -#line 131 "lex.l" +#line 137 "lex.l" { return kw_TRUE; } YY_BREAK case 70: YY_RULE_SETUP -#line 132 "lex.l" +#line 138 "lex.l" { return kw_TYPE_IDENTIFIER; } YY_BREAK case 71: YY_RULE_SETUP -#line 133 "lex.l" +#line 139 "lex.l" { return kw_TeletexString; } YY_BREAK case 72: YY_RULE_SETUP -#line 134 "lex.l" +#line 140 "lex.l" { return kw_UNION; } YY_BREAK case 73: YY_RULE_SETUP -#line 135 "lex.l" +#line 141 "lex.l" { return kw_UNIQUE; } YY_BREAK case 74: YY_RULE_SETUP -#line 136 "lex.l" +#line 142 "lex.l" { return kw_UNIVERSAL; } YY_BREAK case 75: YY_RULE_SETUP -#line 137 "lex.l" +#line 143 "lex.l" { return kw_UTCTime; } YY_BREAK case 76: YY_RULE_SETUP -#line 138 "lex.l" +#line 144 "lex.l" { return kw_UTF8String; } YY_BREAK case 77: YY_RULE_SETUP -#line 139 "lex.l" +#line 145 "lex.l" { return kw_UniversalString; } YY_BREAK case 78: YY_RULE_SETUP -#line 140 "lex.l" +#line 146 "lex.l" { return kw_VideotexString; } YY_BREAK case 79: YY_RULE_SETUP -#line 141 "lex.l" +#line 147 "lex.l" { return kw_VisibleString; } YY_BREAK case 80: YY_RULE_SETUP -#line 142 "lex.l" +#line 148 "lex.l" { return kw_WITH; } YY_BREAK case 81: YY_RULE_SETUP -#line 143 "lex.l" +#line 149 "lex.l" { return *yytext; } YY_BREAK case 82: YY_RULE_SETUP -#line 144 "lex.l" +#line 150 "lex.l" { return *yytext; } YY_BREAK case 83: YY_RULE_SETUP -#line 145 "lex.l" +#line 151 "lex.l" { return *yytext; } YY_BREAK case 84: YY_RULE_SETUP -#line 146 "lex.l" +#line 152 "lex.l" { return EEQUAL; } YY_BREAK case 85: YY_RULE_SETUP -#line 147 "lex.l" +#line 153 "lex.l" { int c, start_lineno = lineno; int f = 0; @@ -1534,7 +1451,7 @@ YY_RULE_SETUP YY_BREAK case 86: YY_RULE_SETUP -#line 166 "lex.l" +#line 172 "lex.l" { int c, start_lineno = lineno; int level = 1; @@ -1578,7 +1495,7 @@ YY_RULE_SETUP YY_BREAK case 87: YY_RULE_SETUP -#line 206 "lex.l" +#line 212 "lex.l" { int start_lineno = lineno; int c; @@ -1626,7 +1543,7 @@ YY_RULE_SETUP YY_BREAK case 88: YY_RULE_SETUP -#line 251 "lex.l" +#line 257 "lex.l" { char *e, *y = yytext; yylval.constant = strtol((const char *)yytext, &e, 0); @@ -1638,7 +1555,7 @@ YY_RULE_SETUP YY_BREAK case 89: YY_RULE_SETUP -#line 259 "lex.l" +#line 265 "lex.l" { yylval.name = estrdup ((const char *)yytext); return IDENTIFIER; @@ -1646,62 +1563,61 @@ YY_RULE_SETUP YY_BREAK case 90: YY_RULE_SETUP -#line 263 "lex.l" +#line 269 "lex.l" ; YY_BREAK case 91: -/* rule 91 can match eol */ YY_RULE_SETUP -#line 264 "lex.l" +#line 270 "lex.l" { ++lineno; } YY_BREAK case 92: YY_RULE_SETUP -#line 265 "lex.l" +#line 271 "lex.l" { return ELLIPSIS; } YY_BREAK case 93: YY_RULE_SETUP -#line 266 "lex.l" +#line 272 "lex.l" { return RANGE; } YY_BREAK case 94: YY_RULE_SETUP -#line 267 "lex.l" +#line 273 "lex.l" { error_message("Ignoring char(%c)\n", *yytext); } YY_BREAK case 95: YY_RULE_SETUP -#line 268 "lex.l" +#line 274 "lex.l" ECHO; YY_BREAK -#line 1678 "lex.yy.c" +#line 1595 "lex.c" case YY_STATE_EOF(INITIAL): yyterminate(); case YY_END_OF_BUFFER: { /* Amount of text matched not including the EOB char. */ - int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1; + int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1; /* Undo the effects of YY_DO_BEFORE_ACTION. */ - *yy_cp = (yy_hold_char); + *yy_cp = yy_hold_char; YY_RESTORE_YY_MORE_OFFSET - if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW ) + if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW ) { /* We're scanning a new file or input source. It's * possible that this happened because the user * just pointed yyin at a new source and called * yylex(). If so, then we have to assure - * consistency between YY_CURRENT_BUFFER and our + * consistency between yy_current_buffer and our * globals. Here is the right place to do so, because * this is the first action (other than possibly a * back-up) that will match for the new input source. */ - (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars; - YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin; - YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL; + yy_n_chars = yy_current_buffer->yy_n_chars; + yy_current_buffer->yy_input_file = yyin; + yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL; } /* Note that here we test for yy_c_buf_p "<=" to the position @@ -1711,13 +1627,13 @@ case YY_STATE_EOF(INITIAL): * end-of-buffer state). Contrast this with the test * in input(). */ - if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] ) + if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] ) { /* This was really a NUL. */ yy_state_type yy_next_state; - (yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text; + yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text; - yy_current_state = yy_get_previous_state( ); + yy_current_state = yy_get_previous_state(); /* Okay, we're now positioned to make the NUL * transition. We couldn't have @@ -1730,30 +1646,30 @@ case YY_STATE_EOF(INITIAL): yy_next_state = yy_try_NUL_trans( yy_current_state ); - yy_bp = (yytext_ptr) + YY_MORE_ADJ; + yy_bp = yytext_ptr + YY_MORE_ADJ; if ( yy_next_state ) { /* Consume the NUL. */ - yy_cp = ++(yy_c_buf_p); + yy_cp = ++yy_c_buf_p; yy_current_state = yy_next_state; goto yy_match; } else { - yy_cp = (yy_c_buf_p); + yy_cp = yy_c_buf_p; goto yy_find_action; } } - else switch ( yy_get_next_buffer( ) ) + else switch ( yy_get_next_buffer() ) { case EOB_ACT_END_OF_FILE: { - (yy_did_buffer_switch_on_eof) = 0; + yy_did_buffer_switch_on_eof = 0; - if ( yywrap( ) ) + if ( yywrap() ) { /* Note: because we've taken care in * yy_get_next_buffer() to have set up @@ -1764,7 +1680,7 @@ case YY_STATE_EOF(INITIAL): * YY_NULL, it'll still work - another * YY_NULL will get returned. */ - (yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ; + yy_c_buf_p = yytext_ptr + YY_MORE_ADJ; yy_act = YY_STATE_EOF(YY_START); goto do_action; @@ -1772,30 +1688,30 @@ case YY_STATE_EOF(INITIAL): else { - if ( ! (yy_did_buffer_switch_on_eof) ) + if ( ! yy_did_buffer_switch_on_eof ) YY_NEW_FILE; } break; } case EOB_ACT_CONTINUE_SCAN: - (yy_c_buf_p) = - (yytext_ptr) + yy_amount_of_matched_text; + yy_c_buf_p = + yytext_ptr + yy_amount_of_matched_text; - yy_current_state = yy_get_previous_state( ); + yy_current_state = yy_get_previous_state(); - yy_cp = (yy_c_buf_p); - yy_bp = (yytext_ptr) + YY_MORE_ADJ; + yy_cp = yy_c_buf_p; + yy_bp = yytext_ptr + YY_MORE_ADJ; goto yy_match; case EOB_ACT_LAST_MATCH: - (yy_c_buf_p) = - &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)]; + yy_c_buf_p = + &yy_current_buffer->yy_ch_buf[yy_n_chars]; - yy_current_state = yy_get_previous_state( ); + yy_current_state = yy_get_previous_state(); - yy_cp = (yy_c_buf_p); - yy_bp = (yytext_ptr) + YY_MORE_ADJ; + yy_cp = yy_c_buf_p; + yy_bp = yytext_ptr + YY_MORE_ADJ; goto yy_find_action; } break; @@ -1806,7 +1722,8 @@ case YY_STATE_EOF(INITIAL): "fatal flex scanner internal error--no action found" ); } /* end of action switch */ } /* end of scanning one token */ -} /* end of yylex */ + } /* end of yylex */ + /* yy_get_next_buffer - try to read in a new buffer * @@ -1815,20 +1732,21 @@ case YY_STATE_EOF(INITIAL): * EOB_ACT_CONTINUE_SCAN - continue scanning from current position * EOB_ACT_END_OF_FILE - end of file */ -static int yy_get_next_buffer (void) -{ - register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf; - register char *source = (yytext_ptr); + +static int yy_get_next_buffer() + { + register char *dest = yy_current_buffer->yy_ch_buf; + register char *source = yytext_ptr; register int number_to_move, i; int ret_val; - if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] ) + if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] ) YY_FATAL_ERROR( "fatal flex scanner internal error--end of buffer missed" ); - if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 ) + if ( yy_current_buffer->yy_fill_buffer == 0 ) { /* Don't try to fill the buffer, so this is an EOF. */ - if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 ) + if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 ) { /* We matched a single character, the EOB, so * treat this as a final EOF. @@ -1848,30 +1766,34 @@ static int yy_get_next_buffer (void) /* Try to read more data. */ /* First move last chars to start of buffer. */ - number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1; + number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1; for ( i = 0; i < number_to_move; ++i ) *(dest++) = *(source++); - if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) + if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING ) /* don't do the read, it's not guaranteed to return an EOF, * just force an EOF */ - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0; + yy_current_buffer->yy_n_chars = yy_n_chars = 0; else { - int num_to_read = - YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; + int num_to_read = + yy_current_buffer->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) { /* Not enough room in the buffer - grow it. */ +#ifdef YY_USES_REJECT + YY_FATAL_ERROR( +"input buffer overflow, can't enlarge buffer because scanner uses REJECT" ); +#else /* just a shorter name for the current buffer */ - YY_BUFFER_STATE b = YY_CURRENT_BUFFER; + YY_BUFFER_STATE b = yy_current_buffer; int yy_c_buf_p_offset = - (int) ((yy_c_buf_p) - b->yy_ch_buf); + (int) (yy_c_buf_p - b->yy_ch_buf); if ( b->yy_is_our_buffer ) { @@ -1884,7 +1806,8 @@ static int yy_get_next_buffer (void) b->yy_ch_buf = (char *) /* Include room in for 2 EOB chars. */ - yyrealloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ); + yy_flex_realloc( (void *) b->yy_ch_buf, + b->yy_buf_size + 2 ); } else /* Can't grow it, we don't own it. */ @@ -1894,35 +1817,35 @@ static int yy_get_next_buffer (void) YY_FATAL_ERROR( "fatal error - scanner input buffer overflow" ); - (yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset]; + yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset]; - num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - + num_to_read = yy_current_buffer->yy_buf_size - number_to_move - 1; - +#endif } if ( num_to_read > YY_READ_BUF_SIZE ) num_to_read = YY_READ_BUF_SIZE; /* Read in more data. */ - YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]), - (yy_n_chars), (size_t) num_to_read ); + YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]), + yy_n_chars, num_to_read ); - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars); + yy_current_buffer->yy_n_chars = yy_n_chars; } - if ( (yy_n_chars) == 0 ) + if ( yy_n_chars == 0 ) { if ( number_to_move == YY_MORE_ADJ ) { ret_val = EOB_ACT_END_OF_FILE; - yyrestart(yyin ); + yyrestart( yyin ); } else { ret_val = EOB_ACT_LAST_MATCH; - YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = + yy_current_buffer->yy_buffer_status = YY_BUFFER_EOF_PENDING; } } @@ -1930,31 +1853,32 @@ static int yy_get_next_buffer (void) else ret_val = EOB_ACT_CONTINUE_SCAN; - (yy_n_chars) += number_to_move; - YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR; - YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR; + yy_n_chars += number_to_move; + yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR; + yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR; - (yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0]; + yytext_ptr = &yy_current_buffer->yy_ch_buf[0]; return ret_val; -} + } + /* yy_get_previous_state - get the state just before the EOB char was reached */ - static yy_state_type yy_get_previous_state (void) -{ +static yy_state_type yy_get_previous_state() + { register yy_state_type yy_current_state; register char *yy_cp; - - yy_current_state = (yy_start); - for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp ) + yy_current_state = yy_start; + + for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp ) { register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1); if ( yy_accept[yy_current_state] ) { - (yy_last_accepting_state) = yy_current_state; - (yy_last_accepting_cpos) = yy_cp; + yy_last_accepting_state = yy_current_state; + yy_last_accepting_cpos = yy_cp; } while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { @@ -1966,23 +1890,30 @@ static int yy_get_next_buffer (void) } return yy_current_state; -} + } + /* yy_try_NUL_trans - try to make a transition on the NUL character * * synopsis * next_state = yy_try_NUL_trans( current_state ); */ - static yy_state_type yy_try_NUL_trans (yy_state_type yy_current_state ) -{ + +#ifdef YY_USE_PROTOS +static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state ) +#else +static yy_state_type yy_try_NUL_trans( yy_current_state ) +yy_state_type yy_current_state; +#endif + { register int yy_is_jam; - register char *yy_cp = (yy_c_buf_p); + register char *yy_cp = yy_c_buf_p; register YY_CHAR yy_c = 1; if ( yy_accept[yy_current_state] ) { - (yy_last_accepting_state) = yy_current_state; - (yy_last_accepting_cpos) = yy_cp; + yy_last_accepting_state = yy_current_state; + yy_last_accepting_cpos = yy_cp; } while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { @@ -1994,73 +1925,81 @@ static int yy_get_next_buffer (void) yy_is_jam = (yy_current_state == 567); return yy_is_jam ? 0 : yy_current_state; -} + } - static void yyunput (int c, register char * yy_bp ) -{ - register char *yy_cp; - - yy_cp = (yy_c_buf_p); + +#ifndef YY_NO_UNPUT +#ifdef YY_USE_PROTOS +static void yyunput( int c, register char *yy_bp ) +#else +static void yyunput( c, yy_bp ) +int c; +register char *yy_bp; +#endif + { + register char *yy_cp = yy_c_buf_p; /* undo effects of setting up yytext */ - *yy_cp = (yy_hold_char); + *yy_cp = yy_hold_char; - if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 ) + if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 ) { /* need to shift things up to make room */ /* +2 for EOB chars. */ - register int number_to_move = (yy_n_chars) + 2; - register char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[ - YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2]; + register int number_to_move = yy_n_chars + 2; + register char *dest = &yy_current_buffer->yy_ch_buf[ + yy_current_buffer->yy_buf_size + 2]; register char *source = - &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]; + &yy_current_buffer->yy_ch_buf[number_to_move]; - while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf ) + while ( source > yy_current_buffer->yy_ch_buf ) *--dest = *--source; yy_cp += (int) (dest - source); yy_bp += (int) (dest - source); - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = - (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_buf_size; + yy_current_buffer->yy_n_chars = + yy_n_chars = yy_current_buffer->yy_buf_size; - if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 ) + if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 ) YY_FATAL_ERROR( "flex scanner push-back overflow" ); } *--yy_cp = (char) c; - (yytext_ptr) = yy_bp; - (yy_hold_char) = *yy_cp; - (yy_c_buf_p) = yy_cp; -} + + yytext_ptr = yy_bp; + yy_hold_char = *yy_cp; + yy_c_buf_p = yy_cp; + } +#endif /* ifndef YY_NO_UNPUT */ + #ifndef YY_NO_INPUT #ifdef __cplusplus - static int yyinput (void) +static int yyinput() #else - static int input (void) +static int input() #endif - -{ + { int c; - - *(yy_c_buf_p) = (yy_hold_char); - if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR ) + *yy_c_buf_p = yy_hold_char; + + if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR ) { /* yy_c_buf_p now points to the character we want to return. * If this occurs *before* the EOB characters, then it's a * valid NUL; if not, then we've hit the end of the buffer. */ - if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] ) + if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] ) /* This was really a NUL. */ - *(yy_c_buf_p) = '\0'; + *yy_c_buf_p = '\0'; else { /* need more input */ - int offset = (yy_c_buf_p) - (yytext_ptr); - ++(yy_c_buf_p); + int offset = yy_c_buf_p - yytext_ptr; + ++yy_c_buf_p; - switch ( yy_get_next_buffer( ) ) + switch ( yy_get_next_buffer() ) { case EOB_ACT_LAST_MATCH: /* This happens because yy_g_n_b() @@ -2074,16 +2013,16 @@ static int yy_get_next_buffer (void) */ /* Reset buffer status. */ - yyrestart(yyin ); + yyrestart( yyin ); - /*FALLTHROUGH*/ + /* fall through */ case EOB_ACT_END_OF_FILE: { - if ( yywrap( ) ) + if ( yywrap() ) return EOF; - if ( ! (yy_did_buffer_switch_on_eof) ) + if ( ! yy_did_buffer_switch_on_eof ) YY_NEW_FILE; #ifdef __cplusplus return yyinput(); @@ -2093,92 +2032,90 @@ static int yy_get_next_buffer (void) } case EOB_ACT_CONTINUE_SCAN: - (yy_c_buf_p) = (yytext_ptr) + offset; + yy_c_buf_p = yytext_ptr + offset; break; } } } - c = *(unsigned char *) (yy_c_buf_p); /* cast for 8-bit char's */ - *(yy_c_buf_p) = '\0'; /* preserve yytext */ - (yy_hold_char) = *++(yy_c_buf_p); + c = *(unsigned char *) yy_c_buf_p; /* cast for 8-bit char's */ + *yy_c_buf_p = '\0'; /* preserve yytext */ + yy_hold_char = *++yy_c_buf_p; + return c; -} -#endif /* ifndef YY_NO_INPUT */ + } +#endif /* YY_NO_INPUT */ -/** Immediately switch to a different input stream. - * @param input_file A readable stream. - * - * @note This function does not reset the start condition to @c INITIAL . - */ - void yyrestart (FILE * input_file ) -{ - - if ( ! YY_CURRENT_BUFFER ){ - yyensure_buffer_stack (); - YY_CURRENT_BUFFER_LVALUE = - yy_create_buffer(yyin,YY_BUF_SIZE ); +#ifdef YY_USE_PROTOS +void yyrestart( FILE *input_file ) +#else +void yyrestart( input_file ) +FILE *input_file; +#endif + { + if ( ! yy_current_buffer ) + yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); + + yy_init_buffer( yy_current_buffer, input_file ); + yy_load_buffer_state(); } - yy_init_buffer(YY_CURRENT_BUFFER,input_file ); - yy_load_buffer_state( ); -} -/** Switch to a different input buffer. - * @param new_buffer The new input buffer. - * - */ - void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer ) -{ - - /* TODO. We should be able to replace this entire function body - * with - * yypop_buffer_state(); - * yypush_buffer_state(new_buffer); - */ - yyensure_buffer_stack (); - if ( YY_CURRENT_BUFFER == new_buffer ) +#ifdef YY_USE_PROTOS +void yy_switch_to_buffer( YY_BUFFER_STATE new_buffer ) +#else +void yy_switch_to_buffer( new_buffer ) +YY_BUFFER_STATE new_buffer; +#endif + { + if ( yy_current_buffer == new_buffer ) return; - if ( YY_CURRENT_BUFFER ) + if ( yy_current_buffer ) { /* Flush out information for old buffer. */ - *(yy_c_buf_p) = (yy_hold_char); - YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p); - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars); + *yy_c_buf_p = yy_hold_char; + yy_current_buffer->yy_buf_pos = yy_c_buf_p; + yy_current_buffer->yy_n_chars = yy_n_chars; } - YY_CURRENT_BUFFER_LVALUE = new_buffer; - yy_load_buffer_state( ); + yy_current_buffer = new_buffer; + yy_load_buffer_state(); /* We don't actually know whether we did this switch during * EOF (yywrap()) processing, but the only time this flag * is looked at is after yywrap() is called, so it's safe * to go ahead and always set it. */ - (yy_did_buffer_switch_on_eof) = 1; -} + yy_did_buffer_switch_on_eof = 1; + } -static void yy_load_buffer_state (void) -{ - (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars; - (yytext_ptr) = (yy_c_buf_p) = YY_CURRENT_BUFFER_LVALUE->yy_buf_pos; - yyin = YY_CURRENT_BUFFER_LVALUE->yy_input_file; - (yy_hold_char) = *(yy_c_buf_p); -} -/** Allocate and initialize an input buffer state. - * @param file A readable stream. - * @param size The character buffer size in bytes. When in doubt, use @c YY_BUF_SIZE. - * - * @return the allocated buffer state. - */ - YY_BUFFER_STATE yy_create_buffer (FILE * file, int size ) -{ +#ifdef YY_USE_PROTOS +void yy_load_buffer_state( void ) +#else +void yy_load_buffer_state() +#endif + { + yy_n_chars = yy_current_buffer->yy_n_chars; + yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos; + yyin = yy_current_buffer->yy_input_file; + yy_hold_char = *yy_c_buf_p; + } + + +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE yy_create_buffer( FILE *file, int size ) +#else +YY_BUFFER_STATE yy_create_buffer( file, size ) +FILE *file; +int size; +#endif + { YY_BUFFER_STATE b; - - b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state ) ); + + b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) ); if ( ! b ) YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); @@ -2187,75 +2124,75 @@ static void yy_load_buffer_state (void) /* yy_ch_buf has to be 2 characters longer than the size given because * we need to put in 2 end-of-buffer characters. */ - b->yy_ch_buf = (char *) yyalloc(b->yy_buf_size + 2 ); + b->yy_ch_buf = (char *) yy_flex_alloc( b->yy_buf_size + 2 ); if ( ! b->yy_ch_buf ) YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); b->yy_is_our_buffer = 1; - yy_init_buffer(b,file ); + yy_init_buffer( b, file ); return b; -} + } -/** Destroy the buffer. - * @param b a buffer created with yy_create_buffer() - * - */ - void yy_delete_buffer (YY_BUFFER_STATE b ) -{ - + +#ifdef YY_USE_PROTOS +void yy_delete_buffer( YY_BUFFER_STATE b ) +#else +void yy_delete_buffer( b ) +YY_BUFFER_STATE b; +#endif + { if ( ! b ) return; - if ( b == YY_CURRENT_BUFFER ) /* Not sure if we should pop here. */ - YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0; + if ( b == yy_current_buffer ) + yy_current_buffer = (YY_BUFFER_STATE) 0; if ( b->yy_is_our_buffer ) - yyfree((void *) b->yy_ch_buf ); + yy_flex_free( (void *) b->yy_ch_buf ); - yyfree((void *) b ); -} + yy_flex_free( (void *) b ); + } -#ifndef __cplusplus -extern int isatty (int ); -#endif /* __cplusplus */ - -/* Initializes or reinitializes a buffer. - * This function is sometimes called more than once on the same buffer, - * such as during a yyrestart() or at EOF. - */ - static void yy_init_buffer (YY_BUFFER_STATE b, FILE * file ) -{ - int oerrno = errno; - - yy_flush_buffer(b ); + +#ifdef YY_USE_PROTOS +void yy_init_buffer( YY_BUFFER_STATE b, FILE *file ) +#else +void yy_init_buffer( b, file ) +YY_BUFFER_STATE b; +FILE *file; +#endif + + + { + yy_flush_buffer( b ); b->yy_input_file = file; b->yy_fill_buffer = 1; - /* If b is the current buffer, then yy_init_buffer was _probably_ - * called from yyrestart() or through yy_get_next_buffer. - * In that case, we don't want to reset the lineno or column. - */ - if (b != YY_CURRENT_BUFFER){ - b->yy_bs_lineno = 1; - b->yy_bs_column = 0; - } - - b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0; - - errno = oerrno; -} +#if YY_ALWAYS_INTERACTIVE + b->yy_is_interactive = 1; +#else +#if YY_NEVER_INTERACTIVE + b->yy_is_interactive = 0; +#else + b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0; +#endif +#endif + } -/** Discard all buffered characters. On the next scan, YY_INPUT will be called. - * @param b the buffer state to be flushed, usually @c YY_CURRENT_BUFFER. - * - */ - void yy_flush_buffer (YY_BUFFER_STATE b ) -{ - if ( ! b ) + +#ifdef YY_USE_PROTOS +void yy_flush_buffer( YY_BUFFER_STATE b ) +#else +void yy_flush_buffer( b ) +YY_BUFFER_STATE b; +#endif + + { + if ( ! b ) return; b->yy_n_chars = 0; @@ -2272,121 +2209,29 @@ extern int isatty (int ); b->yy_at_bol = 1; b->yy_buffer_status = YY_BUFFER_NEW; - if ( b == YY_CURRENT_BUFFER ) - yy_load_buffer_state( ); -} - -/** Pushes the new state onto the stack. The new state becomes - * the current state. This function will allocate the stack - * if necessary. - * @param new_buffer The new state. - * - */ -void yypush_buffer_state (YY_BUFFER_STATE new_buffer ) -{ - if (new_buffer == NULL) - return; - - yyensure_buffer_stack(); - - /* This block is copied from yy_switch_to_buffer. */ - if ( YY_CURRENT_BUFFER ) - { - /* Flush out information for old buffer. */ - *(yy_c_buf_p) = (yy_hold_char); - YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p); - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars); - } - - /* Only push if top exists. Otherwise, replace top. */ - if (YY_CURRENT_BUFFER) - (yy_buffer_stack_top)++; - YY_CURRENT_BUFFER_LVALUE = new_buffer; - - /* copied from yy_switch_to_buffer. */ - yy_load_buffer_state( ); - (yy_did_buffer_switch_on_eof) = 1; -} - -/** Removes and deletes the top of the stack, if present. - * The next element becomes the new top. - * - */ -void yypop_buffer_state (void) -{ - if (!YY_CURRENT_BUFFER) - return; - - yy_delete_buffer(YY_CURRENT_BUFFER ); - YY_CURRENT_BUFFER_LVALUE = NULL; - if ((yy_buffer_stack_top) > 0) - --(yy_buffer_stack_top); - - if (YY_CURRENT_BUFFER) { - yy_load_buffer_state( ); - (yy_did_buffer_switch_on_eof) = 1; - } -} - -/* Allocates the stack if it does not exist. - * Guarantees space for at least one push. - */ -static void yyensure_buffer_stack (void) -{ - int num_to_alloc; - - if (!(yy_buffer_stack)) { - - /* First allocation is just for 2 elements, since we don't know if this - * scanner will even need a stack. We use 2 instead of 1 to avoid an - * immediate realloc on the next call. - */ - num_to_alloc = 1; - (yy_buffer_stack) = (struct yy_buffer_state**)yyalloc - (num_to_alloc * sizeof(struct yy_buffer_state*) - ); - - memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*)); - - (yy_buffer_stack_max) = num_to_alloc; - (yy_buffer_stack_top) = 0; - return; + if ( b == yy_current_buffer ) + yy_load_buffer_state(); } - if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){ - - /* Increase the buffer to prepare for a possible push. */ - int grow_size = 8 /* arbitrary grow size */; - num_to_alloc = (yy_buffer_stack_max) + grow_size; - (yy_buffer_stack) = (struct yy_buffer_state**)yyrealloc - ((yy_buffer_stack), - num_to_alloc * sizeof(struct yy_buffer_state*) - ); - - /* zero only the new slots.*/ - memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*)); - (yy_buffer_stack_max) = num_to_alloc; - } -} - -/** Setup the input buffer state to scan directly from a user-specified character buffer. - * @param base the character buffer - * @param size the size in bytes of the character buffer - * - * @return the newly allocated buffer state object. - */ -YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size ) -{ +#ifndef YY_NO_SCAN_BUFFER +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE yy_scan_buffer( char *base, yy_size_t size ) +#else +YY_BUFFER_STATE yy_scan_buffer( base, size ) +char *base; +yy_size_t size; +#endif + { YY_BUFFER_STATE b; - + if ( size < 2 || base[size-2] != YY_END_OF_BUFFER_CHAR || base[size-1] != YY_END_OF_BUFFER_CHAR ) /* They forgot to leave room for the EOB's. */ return 0; - b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state ) ); + b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) ); if ( ! b ) YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" ); @@ -2400,51 +2245,56 @@ YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size ) b->yy_fill_buffer = 0; b->yy_buffer_status = YY_BUFFER_NEW; - yy_switch_to_buffer(b ); + yy_switch_to_buffer( b ); return b; -} + } +#endif -/** Setup the input buffer state to scan a string. The next call to yylex() will - * scan from a @e copy of @a str. - * @param yystr a NUL-terminated string to scan - * - * @return the newly allocated buffer state object. - * @note If you want to scan bytes that may contain NUL values, then use - * yy_scan_bytes() instead. - */ -YY_BUFFER_STATE yy_scan_string (yyconst char * yystr ) -{ - - return yy_scan_bytes(yystr,strlen(yystr) ); -} -/** Setup the input buffer state to scan the given bytes. The next call to yylex() will - * scan from a @e copy of @a bytes. - * @param bytes the byte buffer to scan - * @param len the number of bytes in the buffer pointed to by @a bytes. - * - * @return the newly allocated buffer state object. - */ -YY_BUFFER_STATE yy_scan_bytes (yyconst char * yybytes, int _yybytes_len ) -{ +#ifndef YY_NO_SCAN_STRING +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str ) +#else +YY_BUFFER_STATE yy_scan_string( yy_str ) +yyconst char *yy_str; +#endif + { + int len; + for ( len = 0; yy_str[len]; ++len ) + ; + + return yy_scan_bytes( yy_str, len ); + } +#endif + + +#ifndef YY_NO_SCAN_BYTES +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE yy_scan_bytes( yyconst char *bytes, int len ) +#else +YY_BUFFER_STATE yy_scan_bytes( bytes, len ) +yyconst char *bytes; +int len; +#endif + { YY_BUFFER_STATE b; char *buf; yy_size_t n; int i; - + /* Get memory for full buffer, including space for trailing EOB's. */ - n = _yybytes_len + 2; - buf = (char *) yyalloc(n ); + n = len + 2; + buf = (char *) yy_flex_alloc( n ); if ( ! buf ) YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" ); - for ( i = 0; i < _yybytes_len; ++i ) - buf[i] = yybytes[i]; + for ( i = 0; i < len; ++i ) + buf[i] = bytes[i]; - buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR; + buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR; - b = yy_scan_buffer(buf,n ); + b = yy_scan_buffer( buf, n ); if ( ! b ) YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" ); @@ -2454,196 +2304,148 @@ YY_BUFFER_STATE yy_scan_bytes (yyconst char * yybytes, int _yybytes_len ) b->yy_is_our_buffer = 1; return b; -} - -#ifndef YY_EXIT_FAILURE -#define YY_EXIT_FAILURE 2 + } #endif -static void yy_fatal_error (yyconst char* msg ) -{ - (void) fprintf( stderr, "%s\n", msg ); - exit( YY_EXIT_FAILURE ); -} - -/* Redefine yyless() so it works in section 3 code. */ -#undef yyless -#define yyless(n) \ - do \ - { \ - /* Undo effects of setting up yytext. */ \ - int yyless_macro_arg = (n); \ - YY_LESS_LINENO(yyless_macro_arg);\ - yytext[yyleng] = (yy_hold_char); \ - (yy_c_buf_p) = yytext + yyless_macro_arg; \ - (yy_hold_char) = *(yy_c_buf_p); \ - *(yy_c_buf_p) = '\0'; \ - yyleng = yyless_macro_arg; \ - } \ - while ( 0 ) +#ifndef YY_NO_PUSH_STATE +#ifdef YY_USE_PROTOS +static void yy_push_state( int new_state ) +#else +static void yy_push_state( new_state ) +int new_state; +#endif + { + if ( yy_start_stack_ptr >= yy_start_stack_depth ) + { + yy_size_t new_size; -/* Accessor methods (get/set functions) to struct members. */ + yy_start_stack_depth += YY_START_STACK_INCR; + new_size = yy_start_stack_depth * sizeof( int ); -/** Get the current line number. - * - */ -int yyget_lineno (void) -{ - - return yylineno; -} + if ( ! yy_start_stack ) + yy_start_stack = (int *) yy_flex_alloc( new_size ); -/** Get the input stream. - * - */ -FILE *yyget_in (void) -{ - return yyin; -} + else + yy_start_stack = (int *) yy_flex_realloc( + (void *) yy_start_stack, new_size ); -/** Get the output stream. - * - */ -FILE *yyget_out (void) -{ - return yyout; -} + if ( ! yy_start_stack ) + YY_FATAL_ERROR( + "out of memory expanding start-condition stack" ); + } -/** Get the length of the current token. - * - */ -int yyget_leng (void) -{ - return yyleng; -} + yy_start_stack[yy_start_stack_ptr++] = YY_START; -/** Get the current token. - * - */ + BEGIN(new_state); + } +#endif -char *yyget_text (void) -{ - return yytext; -} -/** Set the current line number. - * @param line_number - * - */ -void yyset_lineno (int line_number ) -{ - - yylineno = line_number; -} +#ifndef YY_NO_POP_STATE +static void yy_pop_state() + { + if ( --yy_start_stack_ptr < 0 ) + YY_FATAL_ERROR( "start-condition stack underflow" ); -/** Set the input stream. This does not discard the current - * input buffer. - * @param in_str A readable stream. - * - * @see yy_switch_to_buffer - */ -void yyset_in (FILE * in_str ) -{ - yyin = in_str ; -} + BEGIN(yy_start_stack[yy_start_stack_ptr]); + } +#endif -void yyset_out (FILE * out_str ) -{ - yyout = out_str ; -} -int yyget_debug (void) -{ - return yy_flex_debug; -} +#ifndef YY_NO_TOP_STATE +static int yy_top_state() + { + return yy_start_stack[yy_start_stack_ptr - 1]; + } +#endif -void yyset_debug (int bdebug ) -{ - yy_flex_debug = bdebug ; -} +#ifndef YY_EXIT_FAILURE +#define YY_EXIT_FAILURE 2 +#endif -static int yy_init_globals (void) -{ - /* Initialization is the same as for the non-reentrant scanner. - * This function is called from yylex_destroy(), so don't allocate here. - */ - - (yy_buffer_stack) = 0; - (yy_buffer_stack_top) = 0; - (yy_buffer_stack_max) = 0; - (yy_c_buf_p) = (char *) 0; - (yy_init) = 0; - (yy_start) = 0; - -/* Defined in main.c */ -#ifdef YY_STDINIT - yyin = stdin; - yyout = stdout; +#ifdef YY_USE_PROTOS +static void yy_fatal_error( yyconst char msg[] ) #else - yyin = (FILE *) 0; - yyout = (FILE *) 0; +static void yy_fatal_error( msg ) +char msg[]; #endif + { + (void) fprintf( stderr, "%s\n", msg ); + exit( YY_EXIT_FAILURE ); + } - /* For future reference: Set errno on error, since we are called by - * yylex_init() - */ - return 0; -} -/* yylex_destroy is for both reentrant and non-reentrant scanners. */ -int yylex_destroy (void) -{ - - /* Pop the buffer stack, destroying each element. */ - while(YY_CURRENT_BUFFER){ - yy_delete_buffer(YY_CURRENT_BUFFER ); - YY_CURRENT_BUFFER_LVALUE = NULL; - yypop_buffer_state(); - } - /* Destroy the stack itself. */ - yyfree((yy_buffer_stack) ); - (yy_buffer_stack) = NULL; +/* Redefine yyless() so it works in section 3 code. */ - /* Reset the globals. This is important in a non-reentrant scanner so the next time - * yylex() is called, initialization will occur. */ - yy_init_globals( ); +#undef yyless +#define yyless(n) \ + do \ + { \ + /* Undo effects of setting up yytext. */ \ + yytext[yyleng] = yy_hold_char; \ + yy_c_buf_p = yytext + n; \ + yy_hold_char = *yy_c_buf_p; \ + *yy_c_buf_p = '\0'; \ + yyleng = n; \ + } \ + while ( 0 ) - return 0; -} -/* - * Internal utility routines. - */ +/* Internal utility routines. */ #ifndef yytext_ptr -static void yy_flex_strncpy (char* s1, yyconst char * s2, int n ) -{ +#ifdef YY_USE_PROTOS +static void yy_flex_strncpy( char *s1, yyconst char *s2, int n ) +#else +static void yy_flex_strncpy( s1, s2, n ) +char *s1; +yyconst char *s2; +int n; +#endif + { register int i; for ( i = 0; i < n; ++i ) s1[i] = s2[i]; -} + } #endif #ifdef YY_NEED_STRLEN -static int yy_flex_strlen (yyconst char * s ) -{ +#ifdef YY_USE_PROTOS +static int yy_flex_strlen( yyconst char *s ) +#else +static int yy_flex_strlen( s ) +yyconst char *s; +#endif + { register int n; for ( n = 0; s[n]; ++n ) ; return n; -} + } #endif -void *yyalloc (yy_size_t size ) -{ + +#ifdef YY_USE_PROTOS +static void *yy_flex_alloc( yy_size_t size ) +#else +static void *yy_flex_alloc( size ) +yy_size_t size; +#endif + { return (void *) malloc( size ); -} + } -void *yyrealloc (void * ptr, yy_size_t size ) -{ +#ifdef YY_USE_PROTOS +static void *yy_flex_realloc( void *ptr, yy_size_t size ) +#else +static void *yy_flex_realloc( ptr, size ) +void *ptr; +yy_size_t size; +#endif + { /* The cast to (char *) in the following accommodates both * implementations that use char* generic pointers, and those * that use void* generic pointers. It works with the latter @@ -2652,17 +2454,26 @@ void *yyrealloc (void * ptr, yy_size_t size ) * as though doing an assignment. */ return (void *) realloc( (char *) ptr, size ); -} - -void yyfree (void * ptr ) -{ - free( (char *) ptr ); /* see yyrealloc() for (char *) cast */ -} - -#define YYTABLES_NAME "yytables" + } -#line 268 "lex.l" +#ifdef YY_USE_PROTOS +static void yy_flex_free( void *ptr ) +#else +static void yy_flex_free( ptr ) +void *ptr; +#endif + { + free( ptr ); + } +#if YY_MAIN +int main() + { + yylex(); + return 0; + } +#endif +#line 274 "lex.l" #ifndef yywrap /* XXX */ @@ -2690,4 +2501,3 @@ unterminated(const char *type, unsigned start_lineno) { error_message("unterminated %s, possibly started on line %d\n", type, start_lineno); } - diff --git a/source4/heimdal/lib/asn1/main.c b/source4/heimdal/lib/asn1/main.c index eec775f3ba..bba79b1e4e 100644 --- a/source4/heimdal/lib/asn1/main.c +++ b/source4/heimdal/lib/asn1/main.c @@ -35,11 +35,12 @@ #include <getarg.h> #include "lex.h" -RCSID("$Id: main.c,v 1.15 2005/08/23 10:50:12 lha Exp $"); +RCSID("$Id: main.c,v 1.16 2006/09/05 12:27:29 lha Exp $"); extern FILE *yyin; static getarg_strings preserve; +static getarg_strings seq; int preserve_type(const char *p) @@ -51,6 +52,16 @@ preserve_type(const char *p) return 0; } +int +seq_type(const char *p) +{ + int i; + for (i = 0; i < seq.num_strings; i++) + if (strcmp(seq.strings[i], p) == 0) + return 1; + return 0; +} + int dce_fix; int rfc1510_bitstring; int version_flag; @@ -59,6 +70,7 @@ struct getargs args[] = { { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring }, { "decode-dce-ber", 0, arg_flag, &dce_fix }, { "preserve-binary", 0, arg_strings, &preserve }, + { "sequence", 0, arg_strings, &seq }, { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } }; diff --git a/source4/heimdal/lib/asn1/parse.c b/source4/heimdal/lib/asn1/parse.c index e498d8f965..29d13ed68d 100644 --- a/source4/heimdal/lib/asn1/parse.c +++ b/source4/heimdal/lib/asn1/parse.c @@ -1,7 +1,7 @@ -/* A Bison parser, made by GNU Bison 2.0. */ +/* A Bison parser, made by GNU Bison 2.1. */ /* Skeleton parser for Yacc-like parsing with Bison, - Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. + Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -15,8 +15,8 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place - Suite 330, - Boston, MA 02111-1307, USA. */ + Foundation, Inc., 51 Franklin Street, Fifth Floor, + Boston, MA 02110-1301, USA. */ /* As a special exception, when this file is copied by Bison into a Bison output file, you may use that output file without restriction. @@ -36,6 +36,9 @@ /* Identify Bison output. */ #define YYBISON 1 +/* Bison version. */ +#define YYBISON_VERSION "2.1" + /* Skeleton name. */ #define YYSKELETON_NAME "yacc.c" @@ -142,6 +145,7 @@ NUMBER = 344 }; #endif +/* Tokens. */ #define kw_ABSENT 258 #define kw_ABSTRACT_SYNTAX 259 #define kw_ALL 260 @@ -277,6 +281,11 @@ struct string_list { # define YYERROR_VERBOSE 0 #endif +/* Enabling the token table. */ +#ifndef YYTOKEN_TABLE +# define YYTOKEN_TABLE 0 +#endif + #if ! defined (YYSTYPE) && ! defined (YYSTYPE_IS_DECLARED) #line 65 "parse.y" typedef union YYSTYPE { @@ -293,8 +302,8 @@ typedef union YYSTYPE { struct memhead *members; struct constraint_spec *constraint_spec; } YYSTYPE; -/* Line 190 of yacc.c. */ -#line 298 "parse.c" +/* Line 196 of yacc.c. */ +#line 307 "parse.c" # define yystype YYSTYPE /* obsolescent; will be withdrawn */ # define YYSTYPE_IS_DECLARED 1 # define YYSTYPE_IS_TRIVIAL 1 @@ -305,17 +314,36 @@ typedef union YYSTYPE { /* Copy the second part of user declarations. */ -/* Line 213 of yacc.c. */ -#line 310 "parse.c" +/* Line 219 of yacc.c. */ +#line 319 "parse.c" -#if ! defined (yyoverflow) || YYERROR_VERBOSE +#if ! defined (YYSIZE_T) && defined (__SIZE_TYPE__) +# define YYSIZE_T __SIZE_TYPE__ +#endif +#if ! defined (YYSIZE_T) && defined (size_t) +# define YYSIZE_T size_t +#endif +#if ! defined (YYSIZE_T) && (defined (__STDC__) || defined (__cplusplus)) +# include <stddef.h> /* INFRINGES ON USER NAME SPACE */ +# define YYSIZE_T size_t +#endif +#if ! defined (YYSIZE_T) +# define YYSIZE_T unsigned int +#endif -# ifndef YYFREE -# define YYFREE free +#ifndef YY_ +# if YYENABLE_NLS +# if ENABLE_NLS +# include <libintl.h> /* INFRINGES ON USER NAME SPACE */ +# define YY_(msgid) dgettext ("bison-runtime", msgid) +# endif # endif -# ifndef YYMALLOC -# define YYMALLOC malloc +# ifndef YY_ +# define YY_(msgid) msgid # endif +#endif + +#if ! defined (yyoverflow) || YYERROR_VERBOSE /* The parser invokes alloca or malloc; define the necessary symbols. */ @@ -325,6 +353,10 @@ typedef union YYSTYPE { # define YYSTACK_ALLOC __builtin_alloca # else # define YYSTACK_ALLOC alloca +# if defined (__STDC__) || defined (__cplusplus) +# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */ +# define YYINCLUDED_STDLIB_H +# endif # endif # endif # endif @@ -332,13 +364,39 @@ typedef union YYSTYPE { # ifdef YYSTACK_ALLOC /* Pacify GCC's `empty if-body' warning. */ # define YYSTACK_FREE(Ptr) do { /* empty */; } while (0) -# else -# if defined (__STDC__) || defined (__cplusplus) -# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */ -# define YYSIZE_T size_t +# ifndef YYSTACK_ALLOC_MAXIMUM + /* The OS might guarantee only one guard page at the bottom of the stack, + and a page size can be as small as 4096 bytes. So we cannot safely + invoke alloca (N) if N exceeds 4096. Use a slightly smaller number + to allow for a few compiler-allocated temporary stack slots. */ +# define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2005 */ # endif +# else # define YYSTACK_ALLOC YYMALLOC # define YYSTACK_FREE YYFREE +# ifndef YYSTACK_ALLOC_MAXIMUM +# define YYSTACK_ALLOC_MAXIMUM ((YYSIZE_T) -1) +# endif +# ifdef __cplusplus +extern "C" { +# endif +# ifndef YYMALLOC +# define YYMALLOC malloc +# if (! defined (malloc) && ! defined (YYINCLUDED_STDLIB_H) \ + && (defined (__STDC__) || defined (__cplusplus))) +void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */ +# endif +# endif +# ifndef YYFREE +# define YYFREE free +# if (! defined (free) && ! defined (YYINCLUDED_STDLIB_H) \ + && (defined (__STDC__) || defined (__cplusplus))) +void free (void *); /* INFRINGES ON USER NAME SPACE */ +# endif +# endif +# ifdef __cplusplus +} +# endif # endif #endif /* ! defined (yyoverflow) || YYERROR_VERBOSE */ @@ -373,7 +431,7 @@ union yyalloc # define YYCOPY(To, From, Count) \ do \ { \ - register YYSIZE_T yyi; \ + YYSIZE_T yyi; \ for (yyi = 0; yyi < (Count); yyi++) \ (To)[yyi] = (From)[yyi]; \ } \ @@ -423,7 +481,7 @@ union yyalloc #define YYUNDEFTOK 2 #define YYMAXUTOK 344 -#define YYTRANSLATE(YYX) \ +#define YYTRANSLATE(YYX) \ ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK) /* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX. */ @@ -548,8 +606,8 @@ static const unsigned short int yyrline[] = }; #endif -#if YYDEBUG || YYERROR_VERBOSE -/* YYTNME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM. +#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE +/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM. First, the terminals, then, starting at YYNTOKENS, nonterminals. */ static const char *const yytname[] = { @@ -804,22 +862,6 @@ static const unsigned char yystos[] = 154 }; -#if ! defined (YYSIZE_T) && defined (__SIZE_TYPE__) -# define YYSIZE_T __SIZE_TYPE__ -#endif -#if ! defined (YYSIZE_T) && defined (size_t) -# define YYSIZE_T size_t -#endif -#if ! defined (YYSIZE_T) -# if defined (__STDC__) || defined (__cplusplus) -# include <stddef.h> /* INFRINGES ON USER NAME SPACE */ -# define YYSIZE_T size_t -# endif -#endif -#if ! defined (YYSIZE_T) -# define YYSIZE_T unsigned int -#endif - #define yyerrok (yyerrstatus = 0) #define yyclearin (yychar = YYEMPTY) #define YYEMPTY (-2) @@ -849,8 +891,8 @@ do \ goto yybackup; \ } \ else \ - { \ - yyerror ("syntax error: cannot back up");\ + { \ + yyerror (YY_("syntax error: cannot back up")); \ YYERROR; \ } \ while (0) @@ -929,7 +971,7 @@ do { \ if (yydebug) \ { \ YYFPRINTF (stderr, "%s ", Title); \ - yysymprint (stderr, \ + yysymprint (stderr, \ Type, Value); \ YYFPRINTF (stderr, "\n"); \ } \ @@ -977,13 +1019,13 @@ yy_reduce_print (yyrule) #endif { int yyi; - unsigned int yylno = yyrline[yyrule]; - YYFPRINTF (stderr, "Reducing stack by rule %d (line %u), ", + unsigned long int yylno = yyrline[yyrule]; + YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu), ", yyrule - 1, yylno); /* Print the symbols being reduced, and their result. */ for (yyi = yyprhs[yyrule]; 0 <= yyrhs[yyi]; yyi++) - YYFPRINTF (stderr, "%s ", yytname [yyrhs[yyi]]); - YYFPRINTF (stderr, "-> %s\n", yytname [yyr1[yyrule]]); + YYFPRINTF (stderr, "%s ", yytname[yyrhs[yyi]]); + YYFPRINTF (stderr, "-> %s\n", yytname[yyr1[yyrule]]); } # define YY_REDUCE_PRINT(Rule) \ @@ -1012,7 +1054,7 @@ int yydebug; if the built-in stack extension method is used). Do not make this value too large; the results are undefined if - SIZE_MAX < YYSTACK_BYTES (YYMAXDEPTH) + YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH) evaluated with infinite-precision integer arithmetic. */ #ifndef YYMAXDEPTH @@ -1036,7 +1078,7 @@ yystrlen (yystr) const char *yystr; # endif { - register const char *yys = yystr; + const char *yys = yystr; while (*yys++ != '\0') continue; @@ -1061,8 +1103,8 @@ yystpcpy (yydest, yysrc) const char *yysrc; # endif { - register char *yyd = yydest; - register const char *yys = yysrc; + char *yyd = yydest; + const char *yys = yysrc; while ((*yyd++ = *yys++) != '\0') continue; @@ -1072,7 +1114,55 @@ yystpcpy (yydest, yysrc) # endif # endif -#endif /* !YYERROR_VERBOSE */ +# ifndef yytnamerr +/* Copy to YYRES the contents of YYSTR after stripping away unnecessary + quotes and backslashes, so that it's suitable for yyerror. The + heuristic is that double-quoting is unnecessary unless the string + contains an apostrophe, a comma, or backslash (other than + backslash-backslash). YYSTR is taken from yytname. If YYRES is + null, do not copy; instead, return the length of what the result + would have been. */ +static YYSIZE_T +yytnamerr (char *yyres, const char *yystr) +{ + if (*yystr == '"') + { + size_t yyn = 0; + char const *yyp = yystr; + + for (;;) + switch (*++yyp) + { + case '\'': + case ',': + goto do_not_strip_quotes; + + case '\\': + if (*++yyp != '\\') + goto do_not_strip_quotes; + /* Fall through. */ + default: + if (yyres) + yyres[yyn] = *yyp; + yyn++; + break; + + case '"': + if (yyres) + yyres[yyn] = '\0'; + return yyn; + } + do_not_strip_quotes: ; + } + + if (! yyres) + return yystrlen (yystr); + + return yystpcpy (yyres, yystr) - yyres; +} +# endif + +#endif /* YYERROR_VERBOSE */ @@ -1197,8 +1287,8 @@ yyparse () #endif { - register int yystate; - register int yyn; + int yystate; + int yyn; int yyresult; /* Number of tokens to shift before error messages enabled. */ int yyerrstatus; @@ -1216,12 +1306,12 @@ yyparse () /* The state stack. */ short int yyssa[YYINITDEPTH]; short int *yyss = yyssa; - register short int *yyssp; + short int *yyssp; /* The semantic value stack. */ YYSTYPE yyvsa[YYINITDEPTH]; YYSTYPE *yyvs = yyvsa; - register YYSTYPE *yyvsp; + YYSTYPE *yyvsp; @@ -1253,9 +1343,6 @@ yyparse () yyssp = yyss; yyvsp = yyvs; - - yyvsp[0] = yylval; - goto yysetstate; /*------------------------------------------------------------. @@ -1288,7 +1375,7 @@ yyparse () data in use in that stack, in bytes. This used to be a conditional around just the two extra args, but that might be undefined if yyoverflow is a macro. */ - yyoverflow ("parser stack overflow", + yyoverflow (YY_("memory exhausted"), &yyss1, yysize * sizeof (*yyssp), &yyvs1, yysize * sizeof (*yyvsp), @@ -1299,11 +1386,11 @@ yyparse () } #else /* no yyoverflow */ # ifndef YYSTACK_RELOCATE - goto yyoverflowlab; + goto yyexhaustedlab; # else /* Extend the stack our own way. */ if (YYMAXDEPTH <= yystacksize) - goto yyoverflowlab; + goto yyexhaustedlab; yystacksize *= 2; if (YYMAXDEPTH < yystacksize) yystacksize = YYMAXDEPTH; @@ -1313,7 +1400,7 @@ yyparse () union yyalloc *yyptr = (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize)); if (! yyptr) - goto yyoverflowlab; + goto yyexhaustedlab; YYSTACK_RELOCATE (yyss); YYSTACK_RELOCATE (yyvs); @@ -2143,10 +2230,11 @@ yyreduce: break; + default: break; } -/* Line 1037 of yacc.c. */ -#line 2150 "parse.c" +/* Line 1126 of yacc.c. */ +#line 2238 "parse.c" yyvsp -= yylen; yyssp -= yylen; @@ -2185,12 +2273,36 @@ yyerrlab: if (YYPACT_NINF < yyn && yyn < YYLAST) { - YYSIZE_T yysize = 0; int yytype = YYTRANSLATE (yychar); - const char* yyprefix; - char *yymsg; + YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]); + YYSIZE_T yysize = yysize0; + YYSIZE_T yysize1; + int yysize_overflow = 0; + char *yymsg = 0; +# define YYERROR_VERBOSE_ARGS_MAXIMUM 5 + char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM]; int yyx; +#if 0 + /* This is so xgettext sees the translatable formats that are + constructed on the fly. */ + YY_("syntax error, unexpected %s"); + YY_("syntax error, unexpected %s, expecting %s"); + YY_("syntax error, unexpected %s, expecting %s or %s"); + YY_("syntax error, unexpected %s, expecting %s or %s or %s"); + YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s"); +#endif + char *yyfmt; + char const *yyf; + static char const yyunexpected[] = "syntax error, unexpected %s"; + static char const yyexpecting[] = ", expecting %s"; + static char const yyor[] = " or %s"; + char yyformat[sizeof yyunexpected + + sizeof yyexpecting - 1 + + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2) + * (sizeof yyor - 1))]; + char const *yyprefix = yyexpecting; + /* Start YYX at -YYN if negative to avoid negative indexes in YYCHECK. */ int yyxbegin = yyn < 0 ? -yyn : 0; @@ -2198,48 +2310,68 @@ yyerrlab: /* Stay within bounds of both yycheck and yytname. */ int yychecklim = YYLAST - yyn; int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS; - int yycount = 0; + int yycount = 1; + + yyarg[0] = yytname[yytype]; + yyfmt = yystpcpy (yyformat, yyunexpected); - yyprefix = ", expecting "; for (yyx = yyxbegin; yyx < yyxend; ++yyx) if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR) { - yysize += yystrlen (yyprefix) + yystrlen (yytname [yyx]); - yycount += 1; - if (yycount == 5) + if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM) { - yysize = 0; + yycount = 1; + yysize = yysize0; + yyformat[sizeof yyunexpected - 1] = '\0'; break; } + yyarg[yycount++] = yytname[yyx]; + yysize1 = yysize + yytnamerr (0, yytname[yyx]); + yysize_overflow |= yysize1 < yysize; + yysize = yysize1; + yyfmt = yystpcpy (yyfmt, yyprefix); + yyprefix = yyor; } - yysize += (sizeof ("syntax error, unexpected ") - + yystrlen (yytname[yytype])); - yymsg = (char *) YYSTACK_ALLOC (yysize); - if (yymsg != 0) - { - char *yyp = yystpcpy (yymsg, "syntax error, unexpected "); - yyp = yystpcpy (yyp, yytname[yytype]); - if (yycount < 5) + yyf = YY_(yyformat); + yysize1 = yysize + yystrlen (yyf); + yysize_overflow |= yysize1 < yysize; + yysize = yysize1; + + if (!yysize_overflow && yysize <= YYSTACK_ALLOC_MAXIMUM) + yymsg = (char *) YYSTACK_ALLOC (yysize); + if (yymsg) + { + /* Avoid sprintf, as that infringes on the user's name space. + Don't have undefined behavior even if the translation + produced a string with the wrong number of "%s"s. */ + char *yyp = yymsg; + int yyi = 0; + while ((*yyp = *yyf)) { - yyprefix = ", expecting "; - for (yyx = yyxbegin; yyx < yyxend; ++yyx) - if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR) - { - yyp = yystpcpy (yyp, yyprefix); - yyp = yystpcpy (yyp, yytname[yyx]); - yyprefix = " or "; - } + if (*yyp == '%' && yyf[1] == 's' && yyi < yycount) + { + yyp += yytnamerr (yyp, yyarg[yyi++]); + yyf += 2; + } + else + { + yyp++; + yyf++; + } } yyerror (yymsg); YYSTACK_FREE (yymsg); } else - yyerror ("syntax error; also virtual memory exhausted"); + { + yyerror (YY_("syntax error")); + goto yyexhaustedlab; + } } else #endif /* YYERROR_VERBOSE */ - yyerror ("syntax error"); + yyerror (YY_("syntax error")); } @@ -2251,18 +2383,9 @@ yyerrlab: if (yychar <= YYEOF) { - /* If at end of input, pop the error token, - then the rest of the stack, then return failure. */ + /* Return failure if at end of input. */ if (yychar == YYEOF) - for (;;) - { - - YYPOPSTACK; - if (yyssp == yyss) - YYABORT; - yydestruct ("Error: popping", - yystos[*yyssp], yyvsp); - } + YYABORT; } else { @@ -2281,12 +2404,11 @@ yyerrlab: `---------------------------------------------------*/ yyerrorlab: -#ifdef __GNUC__ - /* Pacify GCC when the user code never invokes YYERROR and the label - yyerrorlab therefore never appears in user code. */ + /* Pacify compilers like GCC when the user code never invokes + YYERROR and the label yyerrorlab therefore never appears in user + code. */ if (0) goto yyerrorlab; -#endif yyvsp -= yylen; yyssp -= yylen; @@ -2349,23 +2471,29 @@ yyacceptlab: | yyabortlab -- YYABORT comes here. | `-----------------------------------*/ yyabortlab: - yydestruct ("Error: discarding lookahead", - yytoken, &yylval); - yychar = YYEMPTY; yyresult = 1; goto yyreturn; #ifndef yyoverflow -/*----------------------------------------------. -| yyoverflowlab -- parser overflow comes here. | -`----------------------------------------------*/ -yyoverflowlab: - yyerror ("parser stack overflow"); +/*-------------------------------------------------. +| yyexhaustedlab -- memory exhaustion comes here. | +`-------------------------------------------------*/ +yyexhaustedlab: + yyerror (YY_("memory exhausted")); yyresult = 2; /* Fall through. */ #endif yyreturn: + if (yychar != YYEOF && yychar != YYEMPTY) + yydestruct ("Cleanup: discarding lookahead", + yytoken, &yylval); + while (yyssp != yyss) + { + yydestruct ("Cleanup: popping", + yystos[*yyssp], yyvsp); + YYPOPSTACK; + } #ifndef yyoverflow if (yyss != yyssa) YYSTACK_FREE (yyss); diff --git a/source4/heimdal/lib/asn1/parse.h b/source4/heimdal/lib/asn1/parse.h index 5cc1342618..df4587501e 100644 --- a/source4/heimdal/lib/asn1/parse.h +++ b/source4/heimdal/lib/asn1/parse.h @@ -1,7 +1,7 @@ -/* A Bison parser, made by GNU Bison 2.0. */ +/* A Bison parser, made by GNU Bison 2.1. */ /* Skeleton parser for Yacc-like parsing with Bison, - Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. + Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -15,8 +15,8 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place - Suite 330, - Boston, MA 02111-1307, USA. */ + Foundation, Inc., 51 Franklin Street, Fifth Floor, + Boston, MA 02110-1301, USA. */ /* As a special exception, when this file is copied by Bison into a Bison output file, you may use that output file without restriction. @@ -118,6 +118,7 @@ NUMBER = 344 }; #endif +/* Tokens. */ #define kw_ABSENT 258 #define kw_ABSTRACT_SYNTAX 259 #define kw_ALL 260 @@ -225,8 +226,8 @@ typedef union YYSTYPE { struct memhead *members; struct constraint_spec *constraint_spec; } YYSTYPE; -/* Line 1318 of yacc.c. */ -#line 230 "parse.h" +/* Line 1447 of yacc.c. */ +#line 231 "parse.h" # define yystype YYSTYPE /* obsolescent; will be withdrawn */ # define YYSTYPE_IS_DECLARED 1 # define YYSTYPE_IS_TRIVIAL 1 diff --git a/source4/heimdal/lib/asn1/pkinit.asn1 b/source4/heimdal/lib/asn1/pkinit.asn1 new file mode 100644 index 0000000000..56d6611677 --- /dev/null +++ b/source4/heimdal/lib/asn1/pkinit.asn1 @@ -0,0 +1,161 @@ +-- $Id$ -- + +PKINIT DEFINITIONS ::= BEGIN + +IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum FROM krb5 + IssuerAndSerialNumber, ContentInfo FROM cms + SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459 + heim_any FROM heim; + +id-pkinit OBJECT IDENTIFIER ::= + { iso (1) org (3) dod (6) internet (1) security (5) + kerberosv5 (2) pkinit (3) } + +id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 } +id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 } +id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 } +id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 } +id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 } + +id-pkinit-san OBJECT IDENTIFIER ::= + { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) + x509-sanan(2) } + +id-pkinit-ms-san OBJECT IDENTIFIER ::= + { iso(1) org(3) dod(6) internet(1) foo1(4) + foo2(1) foo3(311) foo4(20) foo5(2) foo6(3) } + +pa-pk-as-req INTEGER ::= 16 +pa-pk-as-rep INTEGER ::= 17 + +ad-initial-verified-cas INTEGER ::= 9 + +td-trusted-certifiers INTEGER ::= 104 +td-invalid-certificates INTEGER ::= 105 +td-dh-parameters INTEGER ::= 109 + +DHNonce ::= OCTET STRING + +TrustedCA ::= SEQUENCE { + caName [0] IMPLICIT OCTET STRING, + certificateSerialNumber [1] INTEGER OPTIONAL, + subjectKeyIdentifier [2] OCTET STRING OPTIONAL, + ... +} + +ExternalPrincipalIdentifier ::= SEQUENCE { + subjectName [0] IMPLICIT OCTET STRING OPTIONAL, + issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, + subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, + ... +} + +ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier + +PA-PK-AS-REQ ::= SEQUENCE { + signedAuthPack [0] IMPLICIT OCTET STRING, + trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL, + kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL, + ... +} + +PKAuthenticator ::= SEQUENCE { + cusec [0] INTEGER -- (0..999999) --, + ctime [1] KerberosTime, + nonce [2] INTEGER (0..4294967295), + paChecksum [3] OCTET STRING OPTIONAL, + ... +} + +AuthPack ::= SEQUENCE { + pkAuthenticator [0] PKAuthenticator, + clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, + supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL, + clientDHNonce [3] DHNonce OPTIONAL, + ... +} + +TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers +TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers + +KRB5PrincipalName ::= SEQUENCE { + realm [0] Realm, + principalName [1] PrincipalName +} + +AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier + + +DHRepInfo ::= SEQUENCE { + dhSignedData [0] IMPLICIT OCTET STRING, + serverDHNonce [1] DHNonce OPTIONAL +} + +PA-PK-AS-REP ::= CHOICE { + dhInfo [0] DHRepInfo, + encKeyPack [1] IMPLICIT OCTET STRING, + ... +} + +KDCDHKeyInfo ::= SEQUENCE { + subjectPublicKey [0] BIT STRING, + nonce [1] INTEGER (0..4294967295), + dhKeyExpiration [2] KerberosTime OPTIONAL, + ... +} + +ReplyKeyPack ::= SEQUENCE { + replyKey [0] EncryptionKey, + asChecksum [1] Checksum, + ... +} + +TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier + + +-- Windows compat glue -- + +PKAuthenticator-Win2k ::= SEQUENCE { + kdcName [0] PrincipalName, + kdcRealm [1] Realm, + cusec [2] INTEGER (0..4294967295), + ctime [3] KerberosTime, + nonce [4] INTEGER (-2147483648..2147483647) +} + +AuthPack-Win2k ::= SEQUENCE { + pkAuthenticator [0] PKAuthenticator-Win2k, + clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL +} + + +TrustedCA-Win2k ::= CHOICE { + caName [1] heim_any, + issuerAndSerial [2] IssuerAndSerialNumber +} + +PA-PK-AS-REQ-Win2k ::= SEQUENCE { + signed-auth-pack [0] IMPLICIT OCTET STRING, + trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL, + kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL, + encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL +} + +PA-PK-AS-REP-Win2k ::= CHOICE { + dhSignedData [0] IMPLICIT OCTET STRING, + encKeyPack [1] IMPLICIT OCTET STRING +} + + +KDCDHKeyInfo-Win2k ::= SEQUENCE { + nonce [0] INTEGER (-2147483648..2147483647), + subjectPublicKey [2] BIT STRING +} + +ReplyKeyPack-Win2k ::= SEQUENCE { + replyKey [0] EncryptionKey, + nonce [1] INTEGER (0..4294967295), + ... +} + +END diff --git a/source4/heimdal/lib/asn1/rfc2459.asn1 b/source4/heimdal/lib/asn1/rfc2459.asn1 new file mode 100644 index 0000000000..eebbc3211b --- /dev/null +++ b/source4/heimdal/lib/asn1/rfc2459.asn1 @@ -0,0 +1,426 @@ +-- $Id$ -- +-- Definitions from rfc2459/rfc3280 + +RFC2459 DEFINITIONS ::= BEGIN + +IMPORTS heim_any FROM heim; + +Version ::= INTEGER { + rfc3280_version_1(0), + rfc3280_version_2(1), + rfc3280_version_3(2) +} + +id-pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) 1 } +id-pkcs1-rsaEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 1 } +id-pkcs1-md2WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 2 } +id-pkcs1-md5WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 4 } +id-pkcs1-sha1WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 5 } +id-pkcs1-sha256WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 11 } +id-pkcs1-sha384WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 12 } +id-pkcs1-sha512WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 13 } + +id-pkcs-2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) 2 } +id-pkcs2-md2 OBJECT IDENTIFIER ::= { id-pkcs-2 2 } +id-pkcs2-md4 OBJECT IDENTIFIER ::= { id-pkcs-2 4 } +id-pkcs2-md5 OBJECT IDENTIFIER ::= { id-pkcs-2 5 } + +id-rsa-digestAlgorithm OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) 2 } + +id-rsa-digest-md2 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 2 } +id-rsa-digest-md4 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 4 } +id-rsa-digest-md5 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 5 } + +id-pkcs-3 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) 3 } + +id-pkcs3-rc2-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 2 } +id-pkcs3-rc4 OBJECT IDENTIFIER ::= { id-pkcs-3 4 } +id-pkcs3-des-ede3-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 7 } + +id-rsadsi-encalg OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) 3 } + +id-rsadsi-rc2-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 2 } +id-rsadsi-des-ede3-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 7 } + +id-secsig-sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) + oiw(14) secsig(3) algorithm(2) 26 } + +id-nistAlgorithm OBJECT IDENTIFIER ::= { + joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 } + +id-nist-aes-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 1 } + +id-aes-128-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 2 } +id-aes-192-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 22 } +id-aes-256-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 42 } + +id-nist-sha-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 2 } + +id-sha256 OBJECT IDENTIFIER ::= { id-nist-sha-algs 1 } +id-sha224 OBJECT IDENTIFIER ::= { id-nist-sha-algs 4 } +id-sha384 OBJECT IDENTIFIER ::= { id-nist-sha-algs 2 } +id-sha512 OBJECT IDENTIFIER ::= { id-nist-sha-algs 3 } + +id-dhpublicnumber OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-x942(10046) + number-type(2) 1 } + +id-x9-57 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-x942(10046) + 4 } + +id-dsa OBJECT IDENTIFIER ::= { id-x9-57 1 } +id-dsa-with-sha1 OBJECT IDENTIFIER ::= { id-x9-57 3 } + +-- x.520 names types + +id-x520-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } + +id-at-commonName OBJECT IDENTIFIER ::= { id-x520-at 3 } +id-at-surname OBJECT IDENTIFIER ::= { id-x520-at 4 } +id-at-serialNumber OBJECT IDENTIFIER ::= { id-x520-at 5 } +id-at-countryName OBJECT IDENTIFIER ::= { id-x520-at 6 } +id-at-localityName OBJECT IDENTIFIER ::= { id-x520-at 7 } +id-at-stateOrProvinceName OBJECT IDENTIFIER ::= { id-x520-at 8 } +id-at-organizationName OBJECT IDENTIFIER ::= { id-x520-at 10 } +id-at-organizationalUnitName OBJECT IDENTIFIER ::= { id-x520-at 11 } +id-at-name OBJECT IDENTIFIER ::= { id-x520-at 41 } +id-at-givenName OBJECT IDENTIFIER ::= { id-x520-at 42 } +id-at-initials OBJECT IDENTIFIER ::= { id-x520-at 43 } +id-at-generationQualifier OBJECT IDENTIFIER ::= { id-x520-at 44 } +id-at-pseudonym OBJECT IDENTIFIER ::= { id-x520-at 65 } +-- RFC 2247 +id-Userid OBJECT IDENTIFIER ::= + { 0 9 2342 19200300 100 1 1 } +id-domainComponent OBJECT IDENTIFIER ::= + { 0 9 2342 19200300 100 1 25 } + + +-- rfc3280 + +id-x509-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} + +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters heim_any OPTIONAL +} + +AttributeType ::= OBJECT IDENTIFIER + +AttributeValue ::= heim_any + +TeletexStringx ::= [UNIVERSAL 20] IMPLICIT OCTET STRING + +DirectoryString ::= CHOICE { + ia5String IA5String, + teletexString TeletexStringx, + printableString PrintableString, + universalString UniversalString, + utf8String UTF8String, + bmpString BMPString +} + +Attribute ::= SEQUENCE { + type AttributeType, + value SET OF -- AttributeValue -- heim_any +} + +AttributeTypeAndValue ::= SEQUENCE { + type AttributeType, + value DirectoryString +} + +RelativeDistinguishedName ::= SET OF AttributeTypeAndValue + +RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + +Name ::= CHOICE { + rdnSequence RDNSequence +} + +CertificateSerialNumber ::= INTEGER + +Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime +} + +Validity ::= SEQUENCE { + notBefore Time, + notAfter Time +} + +UniqueIdentifier ::= BIT STRING + +SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier, + subjectPublicKey BIT STRING +} + +Extension ::= SEQUENCE { + extnID OBJECT IDENTIFIER, + critical BOOLEAN OPTIONAL, -- DEFAULT FALSE XXX + extnValue OCTET STRING +} + +Extensions ::= SEQUENCE OF Extension -- SIZE (1..MAX) + +TBSCertificate ::= SEQUENCE { + version [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier, + issuer Name, + validity Validity, + subject Name, + subjectPublicKeyInfo SubjectPublicKeyInfo, + issuerUniqueID [1] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL, + -- If present, version shall be v2 or v3 + subjectUniqueID [2] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL, + -- If present, version shall be v2 or v3 + extensions [3] EXPLICIT Extensions OPTIONAL + -- If present, version shall be v3 +} + +Certificate ::= SEQUENCE { + tbsCertificate TBSCertificate, + signatureAlgorithm AlgorithmIdentifier, + signatureValue BIT STRING +} + +Certificates ::= SEQUENCE OF Certificate + +ValidationParms ::= SEQUENCE { + seed BIT STRING, + pgenCounter INTEGER +} + +DomainParameters ::= SEQUENCE { + p INTEGER, -- odd prime, p=jq +1 + g INTEGER, -- generator, g + q INTEGER, -- factor of p-1 + j INTEGER OPTIONAL, -- subgroup factor + validationParms ValidationParms OPTIONAL -- ValidationParms +} + +DHPublicKey ::= INTEGER + +OtherName ::= SEQUENCE { + type-id OBJECT IDENTIFIER, + value [0] EXPLICIT heim_any +} + +GeneralName ::= CHOICE { + otherName [0] IMPLICIT -- OtherName -- SEQUENCE { + type-id OBJECT IDENTIFIER, + value [0] EXPLICIT heim_any + }, + rfc822Name [1] IMPLICIT IA5String, + dNSName [2] IMPLICIT IA5String, +-- x400Address [3] IMPLICIT ORAddress,-- + directoryName [4] IMPLICIT -- Name -- CHOICE { + rdnSequence RDNSequence + }, +-- ediPartyName [5] IMPLICIT EDIPartyName, -- + uniformResourceIdentifier [6] IMPLICIT IA5String, + iPAddress [7] IMPLICIT OCTET STRING, + registeredID [8] IMPLICIT OBJECT IDENTIFIER +} + +GeneralNames ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralName + +id-x509-ce-keyUsage OBJECT IDENTIFIER ::= { id-x509-ce 15 } + +KeyUsage ::= BIT STRING { + digitalSignature (0), + nonRepudiation (1), + keyEncipherment (2), + dataEncipherment (3), + keyAgreement (4), + keyCertSign (5), + cRLSign (6), + encipherOnly (7), + decipherOnly (8) +} + +id-x509-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 35 } + +KeyIdentifier ::= OCTET STRING + +AuthorityKeyIdentifier ::= SEQUENCE { + keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, + authorityCertIssuer [1] IMPLICIT -- GeneralName -- + SEQUENCE -- SIZE (1..MAX) -- OF GeneralName OPTIONAL, + authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL +} + +id-x509-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 14 } + +SubjectKeyIdentifier ::= KeyIdentifier + +id-x509-ce-basicConstraints OBJECT IDENTIFIER ::= { id-x509-ce 19 } + +BasicConstraints ::= SEQUENCE { + cA BOOLEAN OPTIONAL -- DEFAULT FALSE --, + pathLenConstraint INTEGER (0..4294967295) OPTIONAL +} + +id-x509-ce-nameConstraints OBJECT IDENTIFIER ::= { id-x509-ce 30 } + +BaseDistance ::= INTEGER -- (0..MAX) -- + +GeneralSubtree ::= SEQUENCE { + base GeneralName, + minimum [0] IMPLICIT -- BaseDistance -- INTEGER OPTIONAL -- DEFAULT 0 --, + maximum [1] IMPLICIT -- BaseDistance -- INTEGER OPTIONAL +} + +GeneralSubtrees ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralSubtree + +NameConstraints ::= SEQUENCE { + permittedSubtrees [0] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL, + excludedSubtrees [1] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL +} + +id-x509-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-x509-ce 16 } +id-x509-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-x509-ce 32 } +id-x509-ce-policyMappings OBJECT IDENTIFIER ::= { id-x509-ce 33 } +id-x509-ce-subjectAltName OBJECT IDENTIFIER ::= { id-x509-ce 17 } +id-x509-ce-issuerAltName OBJECT IDENTIFIER ::= { id-x509-ce 18 } +id-x509-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-x509-ce 9 } +id-x509-ce-policyConstraints OBJECT IDENTIFIER ::= { id-x509-ce 36 } + +id-x509-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-x509-ce 37} + +ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER + +id-x509-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-x509-ce 31 } +id-x509-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-x509-ce 27 } +id-x509-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-x509-ce 28 } +id-x509-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-x509-ce 23 } +id-x509-ce-invalidityDate OBJECT IDENTIFIER ::= { id-x509-ce 24 } +id-x509-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-x509-ce 29 } +id-x509-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-x509-ce 54 } + +-- rfc3279 + +DSASigValue ::= SEQUENCE { + r INTEGER, + s INTEGER +} + +DSAPublicKey ::= INTEGER + +DSAParams ::= SEQUENCE { + p INTEGER, + q INTEGER, + g INTEGER +} + +-- really pkcs1 + +RSAPublicKey ::= SEQUENCE { + modulus INTEGER, -- n + publicExponent INTEGER -- e +} + +RSAPrivateKey ::= SEQUENCE { + version INTEGER (0..4294967295), + modulus INTEGER, -- n + publicExponent INTEGER, -- e + privateExponent INTEGER, -- d + prime1 INTEGER, -- p + prime2 INTEGER, -- q + exponent1 INTEGER, -- d mod (p-1) + exponent2 INTEGER, -- d mod (q-1) + coefficient INTEGER -- (inverse of q) mod p +} + +DigestInfo ::= SEQUENCE { + digestAlgorithm AlgorithmIdentifier, + digest OCTET STRING +} + +-- some ms ext + +-- szOID_ENROLL_CERTTYPE_EXTENSION "1.3.6.1.4.1.311.20.2" is Encoded as a + +-- UNICODESTRING (0x1E tag) + +-- szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" is Encoded as: + +-- TemplateVersion ::= INTEGER (0..4294967295) + +-- CertificateTemplate ::= SEQUENCE { +-- templateID OBJECT IDENTIFIER, +-- templateMajorVersion TemplateVersion, +-- templateMinorVersion TemplateVersion OPTIONAL +-- } + + +-- +-- CRL +-- + +TBSCRLCertList ::= SEQUENCE { + version Version OPTIONAL, -- if present, MUST be v2 + signature AlgorithmIdentifier, + issuer Name, + thisUpdate Time, + nextUpdate Time OPTIONAL, + revokedCertificates SEQUENCE OF SEQUENCE { + userCertificate CertificateSerialNumber, + revocationDate Time, + crlEntryExtensions Extensions OPTIONAL + -- if present, MUST be v2 + } OPTIONAL, + crlExtensions [0] EXPLICIT Extensions OPTIONAL + -- if present, MUST be v2 +} + + +CRLCertificateList ::= SEQUENCE { + tbsCertList TBSCRLCertList, + signatureAlgorithm AlgorithmIdentifier, + signatureValue BIT STRING +} + +id-x509-ce-cRLNumber OBJECT IDENTIFIER ::= { id-x509-ce 20 } +id-x509-ce-freshestCRL OBJECT IDENTIFIER ::= { id-x509-ce 46 } +id-x509-ce-cRLReason OBJECT IDENTIFIER ::= { id-x509-ce 21 } + +CRLReason ::= ENUMERATED { + unspecified (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + removeFromCRL (8), + privilegeWithdrawn (9), + aACompromise (10) +} + +-- RFC 3820 Proxy Certificate Profile + +id-pkix-pe OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) 1 } + +id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 } + +ProxyPolicy ::= SEQUENCE { + policyLanguage OBJECT IDENTIFIER, + policy OCTET STRING OPTIONAL +} + +ProxyCertInfo ::= SEQUENCE { + pCPathLenConstraint INTEGER (0..4294967295) OPTIONAL, -- really MAX + proxyPolicy ProxyPolicy +} + +END diff --git a/source4/heimdal/lib/asn1/test.asn1 b/source4/heimdal/lib/asn1/test.asn1 index 22fcc0b003..1a1179bc30 100644 --- a/source4/heimdal/lib/asn1/test.asn1 +++ b/source4/heimdal/lib/asn1/test.asn1 @@ -1,4 +1,4 @@ --- $Id: test.asn1,v 1.8 2006/01/31 09:42:04 lha Exp $ -- +-- $Id: test.asn1,v 1.9 2006/09/05 14:00:44 lha Exp $ -- TEST DEFINITIONS ::= @@ -83,4 +83,6 @@ TESTUSERCONSTRAINED ::= OCTET STRING (CONSTRAINED BY { -- meh -- }) -- TESTUSERCONSTRAINED3 ::= OCTET STRING (CONSTRAINED BY { INTEGER }) -- TESTUSERCONSTRAINED4 ::= OCTET STRING (CONSTRAINED BY { INTEGER : 1 }) +TESTSeqOf ::= SEQUENCE OF TESTInteger + END diff --git a/source4/heimdal/lib/asn1/timegm.c b/source4/heimdal/lib/asn1/timegm.c new file mode 100644 index 0000000000..86df58d700 --- /dev/null +++ b/source4/heimdal/lib/asn1/timegm.c @@ -0,0 +1,86 @@ +/* + * Copyright (c) 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "der_locl.h" + +RCSID("$Id: timegm.c,v 1.11 2006/10/19 16:19:32 lha Exp $"); + +static int +is_leap(unsigned y) +{ + y += 1900; + return (y % 4) == 0 && ((y % 100) != 0 || (y % 400) == 0); +} + +/* + * This is a simplifed version of _der_timegm that doesn't accept out + * of bound values that timegm(3) normally accepts but those are not + * valid in asn1 encodings. + */ + +time_t +_der_timegm (struct tm *tm) +{ + static const unsigned ndays[2][12] ={ + {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}, + {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}}; + time_t res = 0; + unsigned i; + + if (tm->tm_year < 0) + return -1; + if (tm->tm_mon < 0 || tm->tm_mon > 11) + return -1; + if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon]) + return -1; + if (tm->tm_hour < 0 || tm->tm_hour > 23) + return -1; + if (tm->tm_min < 0 || tm->tm_min > 59) + return -1; + if (tm->tm_sec < 0 || tm->tm_sec > 59) + return -1; + + for (i = 70; i < tm->tm_year; ++i) + res += is_leap(i) ? 366 : 365; + + for (i = 0; i < tm->tm_mon; ++i) + res += ndays[is_leap(tm->tm_year)][i]; + res += tm->tm_mday - 1; + res *= 24; + res += tm->tm_hour; + res *= 60; + res += tm->tm_min; + res *= 60; + res += tm->tm_sec; + return res; +} diff --git a/source4/heimdal/lib/com_err/lex.c b/source4/heimdal/lib/com_err/lex.c index 4697d0a3fd..30b44d0c19 100644 --- a/source4/heimdal/lib/com_err/lex.c +++ b/source4/heimdal/lib/com_err/lex.c @@ -1,94 +1,32 @@ -#include "config.h" - -#line 3 "lex.yy.c" - -#define YY_INT_ALIGNED short int - /* A lexical scanner generated by flex */ +/* Scanner skeleton version: + * $Header: /cvs/root/flex/flex/skel.c,v 1.2 2004/05/07 00:28:17 jkh Exp $ + */ + #define FLEX_SCANNER #define YY_FLEX_MAJOR_VERSION 2 #define YY_FLEX_MINOR_VERSION 5 -#define YY_FLEX_SUBMINOR_VERSION 33 -#if YY_FLEX_SUBMINOR_VERSION > 0 -#define FLEX_BETA -#endif - -/* First, we deal with platform-specific or compiler-specific issues. */ -/* begin standard C headers. */ #include <stdio.h> -#include <string.h> -#include <errno.h> -#include <stdlib.h> - -/* end standard C headers. */ - -/* flex integer type definitions */ -#ifndef FLEXINT_H -#define FLEXINT_H -/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */ - -#if __STDC_VERSION__ >= 199901L - -/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h, - * if you want the limit (max/min) macros for int types. - */ -#ifndef __STDC_LIMIT_MACROS -#define __STDC_LIMIT_MACROS 1 -#endif - -#include <inttypes.h> -typedef int8_t flex_int8_t; -typedef uint8_t flex_uint8_t; -typedef int16_t flex_int16_t; -typedef uint16_t flex_uint16_t; -typedef int32_t flex_int32_t; -typedef uint32_t flex_uint32_t; -#else -typedef signed char flex_int8_t; -typedef short int flex_int16_t; -typedef int flex_int32_t; -typedef unsigned char flex_uint8_t; -typedef unsigned short int flex_uint16_t; -typedef unsigned int flex_uint32_t; -#endif /* ! C99 */ - -/* Limits of integral types. */ -#ifndef INT8_MIN -#define INT8_MIN (-128) -#endif -#ifndef INT16_MIN -#define INT16_MIN (-32767-1) -#endif -#ifndef INT32_MIN -#define INT32_MIN (-2147483647-1) -#endif -#ifndef INT8_MAX -#define INT8_MAX (127) -#endif -#ifndef INT16_MAX -#define INT16_MAX (32767) -#endif -#ifndef INT32_MAX -#define INT32_MAX (2147483647) -#endif -#ifndef UINT8_MAX -#define UINT8_MAX (255U) -#endif -#ifndef UINT16_MAX -#define UINT16_MAX (65535U) +/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */ +#ifdef c_plusplus +#ifndef __cplusplus +#define __cplusplus #endif -#ifndef UINT32_MAX -#define UINT32_MAX (4294967295U) #endif -#endif /* ! FLEXINT_H */ #ifdef __cplusplus +#include <stdlib.h> +#include <unistd.h> + +/* Use prototypes in function declarations. */ +#define YY_USE_PROTOS + /* The "const" storage-class-modifier is valid. */ #define YY_USE_CONST @@ -96,17 +34,34 @@ typedef unsigned int flex_uint32_t; #if __STDC__ +#define YY_USE_PROTOS #define YY_USE_CONST #endif /* __STDC__ */ #endif /* ! __cplusplus */ +#ifdef __TURBOC__ + #pragma warn -rch + #pragma warn -use +#include <io.h> +#include <stdlib.h> +#define YY_USE_CONST +#define YY_USE_PROTOS +#endif + #ifdef YY_USE_CONST #define yyconst const #else #define yyconst #endif + +#ifdef YY_USE_PROTOS +#define YY_PROTO(proto) proto +#else +#define YY_PROTO(proto) () +#endif + /* Returned upon end-of-file. */ #define YY_NULL 0 @@ -121,75 +76,71 @@ typedef unsigned int flex_uint32_t; * but we do it the disgusting crufty way forced on us by the ()-less * definition of BEGIN. */ -#define BEGIN (yy_start) = 1 + 2 * +#define BEGIN yy_start = 1 + 2 * /* Translate the current start state into a value that can be later handed * to BEGIN to return to the state. The YYSTATE alias is for lex * compatibility. */ -#define YY_START (((yy_start) - 1) / 2) +#define YY_START ((yy_start - 1) / 2) #define YYSTATE YY_START /* Action number for EOF rule of a given start state. */ #define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1) /* Special action meaning "start processing a new file". */ -#define YY_NEW_FILE yyrestart(yyin ) +#define YY_NEW_FILE yyrestart( yyin ) #define YY_END_OF_BUFFER_CHAR 0 /* Size of default input buffer. */ -#ifndef YY_BUF_SIZE #define YY_BUF_SIZE 16384 -#endif - -/* The state buf must be large enough to hold one state per character in the main buffer. - */ -#define YY_STATE_BUF_SIZE ((YY_BUF_SIZE + 2) * sizeof(yy_state_type)) -#ifndef YY_TYPEDEF_YY_BUFFER_STATE -#define YY_TYPEDEF_YY_BUFFER_STATE typedef struct yy_buffer_state *YY_BUFFER_STATE; -#endif extern int yyleng; - extern FILE *yyin, *yyout; #define EOB_ACT_CONTINUE_SCAN 0 #define EOB_ACT_END_OF_FILE 1 #define EOB_ACT_LAST_MATCH 2 - #define YY_LESS_LINENO(n) - -/* Return all but the first "n" matched characters back to the input stream. */ +/* The funky do-while in the following #define is used to turn the definition + * int a single C statement (which needs a semi-colon terminator). This + * avoids problems with code like: + * + * if ( condition_holds ) + * yyless( 5 ); + * else + * do_something_else(); + * + * Prior to using the do-while the compiler would get upset at the + * "else" because it interpreted the "if" statement as being all + * done when it reached the ';' after the yyless() call. + */ + +/* Return all but the first 'n' matched characters back to the input stream. */ + #define yyless(n) \ do \ { \ /* Undo effects of setting up yytext. */ \ - int yyless_macro_arg = (n); \ - YY_LESS_LINENO(yyless_macro_arg);\ - *yy_cp = (yy_hold_char); \ + *yy_cp = yy_hold_char; \ YY_RESTORE_YY_MORE_OFFSET \ - (yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \ + yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \ YY_DO_BEFORE_ACTION; /* set up yytext again */ \ } \ while ( 0 ) -#define unput(c) yyunput( c, (yytext_ptr) ) +#define unput(c) yyunput( c, yytext_ptr ) /* The following is because we cannot portably get our hands on size_t * (without autoconf's help, which isn't available because we want * flex-generated scanners to compile on their own). */ - -#ifndef YY_TYPEDEF_YY_SIZE_T -#define YY_TYPEDEF_YY_SIZE_T typedef unsigned int yy_size_t; -#endif -#ifndef YY_STRUCT_YY_BUFFER_STATE -#define YY_STRUCT_YY_BUFFER_STATE + struct yy_buffer_state { FILE *yy_input_file; @@ -226,16 +177,12 @@ struct yy_buffer_state */ int yy_at_bol; - int yy_bs_lineno; /**< The line count. */ - int yy_bs_column; /**< The column count. */ - /* Whether to try to fill the input buffer when we reach the * end of it. */ int yy_fill_buffer; int yy_buffer_status; - #define YY_BUFFER_NEW 0 #define YY_BUFFER_NORMAL 1 /* When an EOF's been seen but there's still some text to process @@ -249,38 +196,28 @@ struct yy_buffer_state * just pointing yyin at a new input file. */ #define YY_BUFFER_EOF_PENDING 2 - }; -#endif /* !YY_STRUCT_YY_BUFFER_STATE */ -/* Stack of input buffers. */ -static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */ -static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */ -static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */ +static YY_BUFFER_STATE yy_current_buffer = 0; /* We provide macros for accessing buffer states in case in the * future we want to put the buffer states in a more general * "scanner state". - * - * Returns the top of the stack, or NULL. */ -#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \ - ? (yy_buffer_stack)[(yy_buffer_stack_top)] \ - : NULL) +#define YY_CURRENT_BUFFER yy_current_buffer -/* Same as previous macro, but useful when we know that the buffer stack is not - * NULL or when we need an lvalue. For internal use only. - */ -#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] /* yy_hold_char holds the character lost when yytext is formed. */ static char yy_hold_char; + static int yy_n_chars; /* number of characters read into yy_ch_buf */ + + int yyleng; /* Points to current character in buffer. */ static char *yy_c_buf_p = (char *) 0; -static int yy_init = 0; /* whether we need to initialize */ +static int yy_init = 1; /* whether we need to initialize */ static int yy_start = 0; /* start state number */ /* Flag which is used to allow yywrap()'s to do buffer switches @@ -288,92 +225,66 @@ static int yy_start = 0; /* start state number */ */ static int yy_did_buffer_switch_on_eof; -void yyrestart (FILE *input_file ); -void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer ); -YY_BUFFER_STATE yy_create_buffer (FILE *file,int size ); -void yy_delete_buffer (YY_BUFFER_STATE b ); -void yy_flush_buffer (YY_BUFFER_STATE b ); -void yypush_buffer_state (YY_BUFFER_STATE new_buffer ); -void yypop_buffer_state (void ); - -static void yyensure_buffer_stack (void ); -static void yy_load_buffer_state (void ); -static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file ); +void yyrestart YY_PROTO(( FILE *input_file )); -#define YY_FLUSH_BUFFER yy_flush_buffer(YY_CURRENT_BUFFER ) +void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer )); +void yy_load_buffer_state YY_PROTO(( void )); +YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size )); +void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b )); +void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file )); +void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b )); +#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer ) -YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size ); -YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str ); -YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len ); +YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size )); +YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str )); +YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len )); -void *yyalloc (yy_size_t ); -void *yyrealloc (void *,yy_size_t ); -void yyfree (void * ); +static void *yy_flex_alloc YY_PROTO(( yy_size_t )); +static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t )); +static void yy_flex_free YY_PROTO(( void * )); #define yy_new_buffer yy_create_buffer #define yy_set_interactive(is_interactive) \ { \ - if ( ! YY_CURRENT_BUFFER ){ \ - yyensure_buffer_stack (); \ - YY_CURRENT_BUFFER_LVALUE = \ - yy_create_buffer(yyin,YY_BUF_SIZE ); \ - } \ - YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \ + if ( ! yy_current_buffer ) \ + yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \ + yy_current_buffer->yy_is_interactive = is_interactive; \ } #define yy_set_bol(at_bol) \ { \ - if ( ! YY_CURRENT_BUFFER ){\ - yyensure_buffer_stack (); \ - YY_CURRENT_BUFFER_LVALUE = \ - yy_create_buffer(yyin,YY_BUF_SIZE ); \ - } \ - YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \ + if ( ! yy_current_buffer ) \ + yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \ + yy_current_buffer->yy_at_bol = at_bol; \ } -#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol) - -/* Begin user sect3 */ +#define YY_AT_BOL() (yy_current_buffer->yy_at_bol) typedef unsigned char YY_CHAR; - FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0; - typedef int yy_state_type; - -extern int yylineno; - -int yylineno = 1; - extern char *yytext; #define yytext_ptr yytext -static yy_state_type yy_get_previous_state (void ); -static yy_state_type yy_try_NUL_trans (yy_state_type current_state ); -static int yy_get_next_buffer (void ); -static void yy_fatal_error (yyconst char msg[] ); +static yy_state_type yy_get_previous_state YY_PROTO(( void )); +static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state )); +static int yy_get_next_buffer YY_PROTO(( void )); +static void yy_fatal_error YY_PROTO(( yyconst char msg[] )); /* Done after the current pattern has been matched and before the * corresponding action - sets up yytext. */ #define YY_DO_BEFORE_ACTION \ - (yytext_ptr) = yy_bp; \ - yyleng = (size_t) (yy_cp - yy_bp); \ - (yy_hold_char) = *yy_cp; \ + yytext_ptr = yy_bp; \ + yyleng = (int) (yy_cp - yy_bp); \ + yy_hold_char = *yy_cp; \ *yy_cp = '\0'; \ - (yy_c_buf_p) = yy_cp; + yy_c_buf_p = yy_cp; #define YY_NUM_RULES 16 #define YY_END_OF_BUFFER 17 -/* This struct is not used in this scanner, - but its presence is necessary. */ -struct yy_trans_info - { - flex_int32_t yy_verify; - flex_int32_t yy_nxt; - }; -static yyconst flex_int16_t yy_accept[46] = +static yyconst short int yy_accept[46] = { 0, 0, 0, 17, 15, 11, 12, 13, 10, 9, 14, 14, 14, 14, 10, 9, 14, 3, 14, 14, 1, @@ -382,7 +293,7 @@ static yyconst flex_int16_t yy_accept[46] = 14, 4, 14, 2, 0 } ; -static yyconst flex_int32_t yy_ec[256] = +static yyconst int yy_ec[256] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 2, 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, @@ -414,14 +325,14 @@ static yyconst flex_int32_t yy_ec[256] = 1, 1, 1, 1, 1 } ; -static yyconst flex_int32_t yy_meta[23] = +static yyconst int yy_meta[23] = { 0, 1, 1, 2, 1, 1, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3 } ; -static yyconst flex_int16_t yy_base[48] = +static yyconst short int yy_base[48] = { 0, 0, 0, 56, 57, 57, 57, 57, 0, 49, 0, 12, 13, 34, 0, 47, 0, 0, 40, 31, 0, @@ -430,7 +341,7 @@ static yyconst flex_int16_t yy_base[48] = 12, 0, 14, 0, 57, 34, 23 } ; -static yyconst flex_int16_t yy_def[48] = +static yyconst short int yy_def[48] = { 0, 45, 1, 45, 45, 45, 45, 45, 46, 47, 47, 47, 47, 47, 46, 47, 47, 47, 47, 47, 47, @@ -439,7 +350,7 @@ static yyconst flex_int16_t yy_def[48] = 47, 47, 47, 47, 0, 45, 45 } ; -static yyconst flex_int16_t yy_nxt[80] = +static yyconst short int yy_nxt[80] = { 0, 4, 5, 6, 7, 8, 9, 10, 10, 10, 10, 10, 10, 11, 10, 12, 10, 10, 10, 13, 10, @@ -451,7 +362,7 @@ static yyconst flex_int16_t yy_nxt[80] = 45, 45, 45, 45, 45, 45, 45, 45, 45 } ; -static yyconst flex_int16_t yy_chk[80] = +static yyconst short int yy_chk[80] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, @@ -466,9 +377,6 @@ static yyconst flex_int16_t yy_chk[80] = static yy_state_type yy_last_accepting_state; static char *yy_last_accepting_cpos; -extern int yy_flex_debug; -int yy_flex_debug = 0; - /* The intent behind this definition is that it'll catch * any uses of REJECT which flex missed. */ @@ -477,8 +385,9 @@ int yy_flex_debug = 0; #define YY_MORE_ADJ 0 #define YY_RESTORE_YY_MORE_OFFSET char *yytext; -#line 1 "lex.l" -#line 2 "lex.l" +#line 1 "../../../lib/com_err/lex.l" +#define INITIAL 0 +#line 2 "../../../lib/com_err/lex.l" /* * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). @@ -533,23 +442,7 @@ static int getstring(void); #undef ECHO -#line 536 "lex.yy.c" - -#define INITIAL 0 - -#ifndef YY_NO_UNISTD_H -/* Special case for "unistd.h", since it is non-ANSI. We include it way - * down here because we want the user's section 1 to have been scanned first. - * The user has a chance to override it with an option. - */ -#include <unistd.h> -#endif - -#ifndef YY_EXTRA_TYPE -#define YY_EXTRA_TYPE void * -#endif - -static int yy_init_globals (void ); +#line 446 "lex.c" /* Macros after this point can all be overridden by user definitions in * section 1. @@ -557,30 +450,65 @@ static int yy_init_globals (void ); #ifndef YY_SKIP_YYWRAP #ifdef __cplusplus -extern "C" int yywrap (void ); +extern "C" int yywrap YY_PROTO(( void )); #else -extern int yywrap (void ); +extern int yywrap YY_PROTO(( void )); #endif #endif - static void yyunput (int c,char *buf_ptr ); - +#ifndef YY_NO_UNPUT +static void yyunput YY_PROTO(( int c, char *buf_ptr )); +#endif + #ifndef yytext_ptr -static void yy_flex_strncpy (char *,yyconst char *,int ); +static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int )); #endif #ifdef YY_NEED_STRLEN -static int yy_flex_strlen (yyconst char * ); +static int yy_flex_strlen YY_PROTO(( yyconst char * )); #endif #ifndef YY_NO_INPUT - #ifdef __cplusplus -static int yyinput (void ); +static int yyinput YY_PROTO(( void )); +#else +static int input YY_PROTO(( void )); +#endif +#endif + +#if YY_STACK_USED +static int yy_start_stack_ptr = 0; +static int yy_start_stack_depth = 0; +static int *yy_start_stack = 0; +#ifndef YY_NO_PUSH_STATE +static void yy_push_state YY_PROTO(( int new_state )); +#endif +#ifndef YY_NO_POP_STATE +static void yy_pop_state YY_PROTO(( void )); +#endif +#ifndef YY_NO_TOP_STATE +static int yy_top_state YY_PROTO(( void )); +#endif + #else -static int input (void ); +#define YY_NO_PUSH_STATE 1 +#define YY_NO_POP_STATE 1 +#define YY_NO_TOP_STATE 1 #endif +#ifdef YY_MALLOC_DECL +YY_MALLOC_DECL +#else +#if __STDC__ +#ifndef __cplusplus +#include <stdlib.h> +#endif +#else +/* Just try to get by without declaring the routines. This will fail + * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int) + * or sizeof(void*) != sizeof(int). + */ +#endif #endif /* Amount of stuff to slurp up with each read. */ @@ -589,6 +517,7 @@ static int input (void ); #endif /* Copy whatever the last rule matched to the standard output. */ + #ifndef ECHO /* This used to be an fputs(), but since the string might contain NUL's, * we now use fwrite(). @@ -601,10 +530,9 @@ static int input (void ); */ #ifndef YY_INPUT #define YY_INPUT(buf,result,max_size) \ - if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \ + if ( yy_current_buffer->yy_is_interactive ) \ { \ - int c = '*'; \ - size_t n; \ + int c = '*', n; \ for ( n = 0; n < max_size && \ (c = getc( yyin )) != EOF && c != '\n'; ++n ) \ buf[n] = (char) c; \ @@ -614,22 +542,9 @@ static int input (void ); YY_FATAL_ERROR( "input in flex scanner failed" ); \ result = n; \ } \ - else \ - { \ - errno=0; \ - while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \ - { \ - if( errno != EINTR) \ - { \ - YY_FATAL_ERROR( "input in flex scanner failed" ); \ - break; \ - } \ - errno=0; \ - clearerr(yyin); \ - } \ - }\ -\ - + else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \ + && ferror( yyin ) ) \ + YY_FATAL_ERROR( "input in flex scanner failed" ); #endif /* No semi-colon after return; correct usage is to write "yyterminate();" - @@ -650,18 +565,12 @@ static int input (void ); #define YY_FATAL_ERROR(msg) yy_fatal_error( msg ) #endif -/* end tables serialization structures and prototypes */ - /* Default declaration of generated scanner - a define so the user can * easily add parameters. */ #ifndef YY_DECL -#define YY_DECL_IS_OURS 1 - -extern int yylex (void); - -#define YY_DECL int yylex (void) -#endif /* !YY_DECL */ +#define YY_DECL int yylex YY_PROTO(( void )) +#endif /* Code executed at the beginning of each rule, after yytext and yyleng * have been set up. @@ -678,28 +587,26 @@ extern int yylex (void); #define YY_RULE_SETUP \ YY_USER_ACTION -/** The main scanner function which does all the work. - */ YY_DECL -{ + { register yy_state_type yy_current_state; register char *yy_cp, *yy_bp; register int yy_act; - -#line 59 "lex.l" -#line 691 "lex.yy.c" +#line 59 "../../../lib/com_err/lex.l" + +#line 599 "lex.c" - if ( !(yy_init) ) + if ( yy_init ) { - (yy_init) = 1; + yy_init = 0; #ifdef YY_USER_INIT YY_USER_INIT; #endif - if ( ! (yy_start) ) - (yy_start) = 1; /* first start state */ + if ( ! yy_start ) + yy_start = 1; /* first start state */ if ( ! yyin ) yyin = stdin; @@ -707,36 +614,34 @@ YY_DECL if ( ! yyout ) yyout = stdout; - if ( ! YY_CURRENT_BUFFER ) { - yyensure_buffer_stack (); - YY_CURRENT_BUFFER_LVALUE = - yy_create_buffer(yyin,YY_BUF_SIZE ); - } + if ( ! yy_current_buffer ) + yy_current_buffer = + yy_create_buffer( yyin, YY_BUF_SIZE ); - yy_load_buffer_state( ); + yy_load_buffer_state(); } while ( 1 ) /* loops until end-of-file is reached */ { - yy_cp = (yy_c_buf_p); + yy_cp = yy_c_buf_p; /* Support of yytext. */ - *yy_cp = (yy_hold_char); + *yy_cp = yy_hold_char; /* yy_bp points to the position in yy_ch_buf of the start of * the current run. */ yy_bp = yy_cp; - yy_current_state = (yy_start); + yy_current_state = yy_start; yy_match: do { register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)]; if ( yy_accept[yy_current_state] ) { - (yy_last_accepting_state) = yy_current_state; - (yy_last_accepting_cpos) = yy_cp; + yy_last_accepting_state = yy_current_state; + yy_last_accepting_cpos = yy_cp; } while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { @@ -753,132 +658,133 @@ yy_find_action: yy_act = yy_accept[yy_current_state]; if ( yy_act == 0 ) { /* have to back up */ - yy_cp = (yy_last_accepting_cpos); - yy_current_state = (yy_last_accepting_state); + yy_cp = yy_last_accepting_cpos; + yy_current_state = yy_last_accepting_state; yy_act = yy_accept[yy_current_state]; } YY_DO_BEFORE_ACTION; + do_action: /* This label is used only to access EOF actions. */ + switch ( yy_act ) { /* beginning of action switch */ case 0: /* must back up */ /* undo the effects of YY_DO_BEFORE_ACTION */ - *yy_cp = (yy_hold_char); - yy_cp = (yy_last_accepting_cpos); - yy_current_state = (yy_last_accepting_state); + *yy_cp = yy_hold_char; + yy_cp = yy_last_accepting_cpos; + yy_current_state = yy_last_accepting_state; goto yy_find_action; case 1: YY_RULE_SETUP -#line 60 "lex.l" +#line 60 "../../../lib/com_err/lex.l" { return ET; } YY_BREAK case 2: YY_RULE_SETUP -#line 61 "lex.l" +#line 61 "../../../lib/com_err/lex.l" { return ET; } YY_BREAK case 3: YY_RULE_SETUP -#line 62 "lex.l" +#line 62 "../../../lib/com_err/lex.l" { return EC; } YY_BREAK case 4: YY_RULE_SETUP -#line 63 "lex.l" +#line 63 "../../../lib/com_err/lex.l" { return EC; } YY_BREAK case 5: YY_RULE_SETUP -#line 64 "lex.l" +#line 64 "../../../lib/com_err/lex.l" { return PREFIX; } YY_BREAK case 6: YY_RULE_SETUP -#line 65 "lex.l" +#line 65 "../../../lib/com_err/lex.l" { return INDEX; } YY_BREAK case 7: YY_RULE_SETUP -#line 66 "lex.l" +#line 66 "../../../lib/com_err/lex.l" { return ID; } YY_BREAK case 8: YY_RULE_SETUP -#line 67 "lex.l" +#line 67 "../../../lib/com_err/lex.l" { return END; } YY_BREAK case 9: YY_RULE_SETUP -#line 68 "lex.l" +#line 68 "../../../lib/com_err/lex.l" { yylval.number = atoi(yytext); return NUMBER; } YY_BREAK case 10: YY_RULE_SETUP -#line 69 "lex.l" +#line 69 "../../../lib/com_err/lex.l" ; YY_BREAK case 11: YY_RULE_SETUP -#line 70 "lex.l" +#line 70 "../../../lib/com_err/lex.l" ; YY_BREAK case 12: -/* rule 12 can match eol */ YY_RULE_SETUP -#line 71 "lex.l" +#line 71 "../../../lib/com_err/lex.l" { lineno++; } YY_BREAK case 13: YY_RULE_SETUP -#line 72 "lex.l" +#line 72 "../../../lib/com_err/lex.l" { return getstring(); } YY_BREAK case 14: YY_RULE_SETUP -#line 73 "lex.l" +#line 73 "../../../lib/com_err/lex.l" { yylval.string = strdup(yytext); return STRING; } YY_BREAK case 15: YY_RULE_SETUP -#line 74 "lex.l" +#line 74 "../../../lib/com_err/lex.l" { return *yytext; } YY_BREAK case 16: YY_RULE_SETUP -#line 75 "lex.l" +#line 75 "../../../lib/com_err/lex.l" ECHO; YY_BREAK -#line 855 "lex.yy.c" +#line 762 "lex.c" case YY_STATE_EOF(INITIAL): yyterminate(); case YY_END_OF_BUFFER: { /* Amount of text matched not including the EOB char. */ - int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1; + int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1; /* Undo the effects of YY_DO_BEFORE_ACTION. */ - *yy_cp = (yy_hold_char); + *yy_cp = yy_hold_char; YY_RESTORE_YY_MORE_OFFSET - if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW ) + if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW ) { /* We're scanning a new file or input source. It's * possible that this happened because the user * just pointed yyin at a new source and called * yylex(). If so, then we have to assure - * consistency between YY_CURRENT_BUFFER and our + * consistency between yy_current_buffer and our * globals. Here is the right place to do so, because * this is the first action (other than possibly a * back-up) that will match for the new input source. */ - (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars; - YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin; - YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL; + yy_n_chars = yy_current_buffer->yy_n_chars; + yy_current_buffer->yy_input_file = yyin; + yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL; } /* Note that here we test for yy_c_buf_p "<=" to the position @@ -888,13 +794,13 @@ case YY_STATE_EOF(INITIAL): * end-of-buffer state). Contrast this with the test * in input(). */ - if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] ) + if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] ) { /* This was really a NUL. */ yy_state_type yy_next_state; - (yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text; + yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text; - yy_current_state = yy_get_previous_state( ); + yy_current_state = yy_get_previous_state(); /* Okay, we're now positioned to make the NUL * transition. We couldn't have @@ -907,30 +813,30 @@ case YY_STATE_EOF(INITIAL): yy_next_state = yy_try_NUL_trans( yy_current_state ); - yy_bp = (yytext_ptr) + YY_MORE_ADJ; + yy_bp = yytext_ptr + YY_MORE_ADJ; if ( yy_next_state ) { /* Consume the NUL. */ - yy_cp = ++(yy_c_buf_p); + yy_cp = ++yy_c_buf_p; yy_current_state = yy_next_state; goto yy_match; } else { - yy_cp = (yy_c_buf_p); + yy_cp = yy_c_buf_p; goto yy_find_action; } } - else switch ( yy_get_next_buffer( ) ) + else switch ( yy_get_next_buffer() ) { case EOB_ACT_END_OF_FILE: { - (yy_did_buffer_switch_on_eof) = 0; + yy_did_buffer_switch_on_eof = 0; - if ( yywrap( ) ) + if ( yywrap() ) { /* Note: because we've taken care in * yy_get_next_buffer() to have set up @@ -941,7 +847,7 @@ case YY_STATE_EOF(INITIAL): * YY_NULL, it'll still work - another * YY_NULL will get returned. */ - (yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ; + yy_c_buf_p = yytext_ptr + YY_MORE_ADJ; yy_act = YY_STATE_EOF(YY_START); goto do_action; @@ -949,30 +855,30 @@ case YY_STATE_EOF(INITIAL): else { - if ( ! (yy_did_buffer_switch_on_eof) ) + if ( ! yy_did_buffer_switch_on_eof ) YY_NEW_FILE; } break; } case EOB_ACT_CONTINUE_SCAN: - (yy_c_buf_p) = - (yytext_ptr) + yy_amount_of_matched_text; + yy_c_buf_p = + yytext_ptr + yy_amount_of_matched_text; - yy_current_state = yy_get_previous_state( ); + yy_current_state = yy_get_previous_state(); - yy_cp = (yy_c_buf_p); - yy_bp = (yytext_ptr) + YY_MORE_ADJ; + yy_cp = yy_c_buf_p; + yy_bp = yytext_ptr + YY_MORE_ADJ; goto yy_match; case EOB_ACT_LAST_MATCH: - (yy_c_buf_p) = - &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)]; + yy_c_buf_p = + &yy_current_buffer->yy_ch_buf[yy_n_chars]; - yy_current_state = yy_get_previous_state( ); + yy_current_state = yy_get_previous_state(); - yy_cp = (yy_c_buf_p); - yy_bp = (yytext_ptr) + YY_MORE_ADJ; + yy_cp = yy_c_buf_p; + yy_bp = yytext_ptr + YY_MORE_ADJ; goto yy_find_action; } break; @@ -983,7 +889,8 @@ case YY_STATE_EOF(INITIAL): "fatal flex scanner internal error--no action found" ); } /* end of action switch */ } /* end of scanning one token */ -} /* end of yylex */ + } /* end of yylex */ + /* yy_get_next_buffer - try to read in a new buffer * @@ -992,20 +899,21 @@ case YY_STATE_EOF(INITIAL): * EOB_ACT_CONTINUE_SCAN - continue scanning from current position * EOB_ACT_END_OF_FILE - end of file */ -static int yy_get_next_buffer (void) -{ - register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf; - register char *source = (yytext_ptr); + +static int yy_get_next_buffer() + { + register char *dest = yy_current_buffer->yy_ch_buf; + register char *source = yytext_ptr; register int number_to_move, i; int ret_val; - if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] ) + if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] ) YY_FATAL_ERROR( "fatal flex scanner internal error--end of buffer missed" ); - if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 ) + if ( yy_current_buffer->yy_fill_buffer == 0 ) { /* Don't try to fill the buffer, so this is an EOF. */ - if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 ) + if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 ) { /* We matched a single character, the EOB, so * treat this as a final EOF. @@ -1025,30 +933,34 @@ static int yy_get_next_buffer (void) /* Try to read more data. */ /* First move last chars to start of buffer. */ - number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1; + number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1; for ( i = 0; i < number_to_move; ++i ) *(dest++) = *(source++); - if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) + if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING ) /* don't do the read, it's not guaranteed to return an EOF, * just force an EOF */ - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0; + yy_current_buffer->yy_n_chars = yy_n_chars = 0; else { - int num_to_read = - YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; + int num_to_read = + yy_current_buffer->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) { /* Not enough room in the buffer - grow it. */ +#ifdef YY_USES_REJECT + YY_FATAL_ERROR( +"input buffer overflow, can't enlarge buffer because scanner uses REJECT" ); +#else /* just a shorter name for the current buffer */ - YY_BUFFER_STATE b = YY_CURRENT_BUFFER; + YY_BUFFER_STATE b = yy_current_buffer; int yy_c_buf_p_offset = - (int) ((yy_c_buf_p) - b->yy_ch_buf); + (int) (yy_c_buf_p - b->yy_ch_buf); if ( b->yy_is_our_buffer ) { @@ -1061,7 +973,8 @@ static int yy_get_next_buffer (void) b->yy_ch_buf = (char *) /* Include room in for 2 EOB chars. */ - yyrealloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ); + yy_flex_realloc( (void *) b->yy_ch_buf, + b->yy_buf_size + 2 ); } else /* Can't grow it, we don't own it. */ @@ -1071,35 +984,35 @@ static int yy_get_next_buffer (void) YY_FATAL_ERROR( "fatal error - scanner input buffer overflow" ); - (yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset]; + yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset]; - num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - + num_to_read = yy_current_buffer->yy_buf_size - number_to_move - 1; - +#endif } if ( num_to_read > YY_READ_BUF_SIZE ) num_to_read = YY_READ_BUF_SIZE; /* Read in more data. */ - YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]), - (yy_n_chars), (size_t) num_to_read ); + YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]), + yy_n_chars, num_to_read ); - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars); + yy_current_buffer->yy_n_chars = yy_n_chars; } - if ( (yy_n_chars) == 0 ) + if ( yy_n_chars == 0 ) { if ( number_to_move == YY_MORE_ADJ ) { ret_val = EOB_ACT_END_OF_FILE; - yyrestart(yyin ); + yyrestart( yyin ); } else { ret_val = EOB_ACT_LAST_MATCH; - YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = + yy_current_buffer->yy_buffer_status = YY_BUFFER_EOF_PENDING; } } @@ -1107,31 +1020,32 @@ static int yy_get_next_buffer (void) else ret_val = EOB_ACT_CONTINUE_SCAN; - (yy_n_chars) += number_to_move; - YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR; - YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR; + yy_n_chars += number_to_move; + yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR; + yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR; - (yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0]; + yytext_ptr = &yy_current_buffer->yy_ch_buf[0]; return ret_val; -} + } + /* yy_get_previous_state - get the state just before the EOB char was reached */ - static yy_state_type yy_get_previous_state (void) -{ +static yy_state_type yy_get_previous_state() + { register yy_state_type yy_current_state; register char *yy_cp; - - yy_current_state = (yy_start); - for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp ) + yy_current_state = yy_start; + + for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp ) { register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1); if ( yy_accept[yy_current_state] ) { - (yy_last_accepting_state) = yy_current_state; - (yy_last_accepting_cpos) = yy_cp; + yy_last_accepting_state = yy_current_state; + yy_last_accepting_cpos = yy_cp; } while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { @@ -1143,23 +1057,30 @@ static int yy_get_next_buffer (void) } return yy_current_state; -} + } + /* yy_try_NUL_trans - try to make a transition on the NUL character * * synopsis * next_state = yy_try_NUL_trans( current_state ); */ - static yy_state_type yy_try_NUL_trans (yy_state_type yy_current_state ) -{ + +#ifdef YY_USE_PROTOS +static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state ) +#else +static yy_state_type yy_try_NUL_trans( yy_current_state ) +yy_state_type yy_current_state; +#endif + { register int yy_is_jam; - register char *yy_cp = (yy_c_buf_p); + register char *yy_cp = yy_c_buf_p; register YY_CHAR yy_c = 1; if ( yy_accept[yy_current_state] ) { - (yy_last_accepting_state) = yy_current_state; - (yy_last_accepting_cpos) = yy_cp; + yy_last_accepting_state = yy_current_state; + yy_last_accepting_cpos = yy_cp; } while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { @@ -1171,73 +1092,80 @@ static int yy_get_next_buffer (void) yy_is_jam = (yy_current_state == 45); return yy_is_jam ? 0 : yy_current_state; -} + } - static void yyunput (int c, register char * yy_bp ) -{ - register char *yy_cp; - - yy_cp = (yy_c_buf_p); + +#ifndef YY_NO_UNPUT +#ifdef YY_USE_PROTOS +static void yyunput( int c, register char *yy_bp ) +#else +static void yyunput( c, yy_bp ) +int c; +register char *yy_bp; +#endif + { + register char *yy_cp = yy_c_buf_p; /* undo effects of setting up yytext */ - *yy_cp = (yy_hold_char); + *yy_cp = yy_hold_char; - if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 ) + if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 ) { /* need to shift things up to make room */ /* +2 for EOB chars. */ - register int number_to_move = (yy_n_chars) + 2; - register char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[ - YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2]; + register int number_to_move = yy_n_chars + 2; + register char *dest = &yy_current_buffer->yy_ch_buf[ + yy_current_buffer->yy_buf_size + 2]; register char *source = - &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]; + &yy_current_buffer->yy_ch_buf[number_to_move]; - while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf ) + while ( source > yy_current_buffer->yy_ch_buf ) *--dest = *--source; yy_cp += (int) (dest - source); yy_bp += (int) (dest - source); - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = - (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_buf_size; + yy_current_buffer->yy_n_chars = + yy_n_chars = yy_current_buffer->yy_buf_size; - if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 ) + if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 ) YY_FATAL_ERROR( "flex scanner push-back overflow" ); } *--yy_cp = (char) c; - (yytext_ptr) = yy_bp; - (yy_hold_char) = *yy_cp; - (yy_c_buf_p) = yy_cp; -} -#ifndef YY_NO_INPUT + yytext_ptr = yy_bp; + yy_hold_char = *yy_cp; + yy_c_buf_p = yy_cp; + } +#endif /* ifndef YY_NO_UNPUT */ + + #ifdef __cplusplus - static int yyinput (void) +static int yyinput() #else - static int input (void) +static int input() #endif - -{ + { int c; - - *(yy_c_buf_p) = (yy_hold_char); - if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR ) + *yy_c_buf_p = yy_hold_char; + + if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR ) { /* yy_c_buf_p now points to the character we want to return. * If this occurs *before* the EOB characters, then it's a * valid NUL; if not, then we've hit the end of the buffer. */ - if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] ) + if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] ) /* This was really a NUL. */ - *(yy_c_buf_p) = '\0'; + *yy_c_buf_p = '\0'; else { /* need more input */ - int offset = (yy_c_buf_p) - (yytext_ptr); - ++(yy_c_buf_p); + int offset = yy_c_buf_p - yytext_ptr; + ++yy_c_buf_p; - switch ( yy_get_next_buffer( ) ) + switch ( yy_get_next_buffer() ) { case EOB_ACT_LAST_MATCH: /* This happens because yy_g_n_b() @@ -1251,16 +1179,16 @@ static int yy_get_next_buffer (void) */ /* Reset buffer status. */ - yyrestart(yyin ); + yyrestart( yyin ); - /*FALLTHROUGH*/ + /* fall through */ case EOB_ACT_END_OF_FILE: { - if ( yywrap( ) ) + if ( yywrap() ) return EOF; - if ( ! (yy_did_buffer_switch_on_eof) ) + if ( ! yy_did_buffer_switch_on_eof ) YY_NEW_FILE; #ifdef __cplusplus return yyinput(); @@ -1270,92 +1198,90 @@ static int yy_get_next_buffer (void) } case EOB_ACT_CONTINUE_SCAN: - (yy_c_buf_p) = (yytext_ptr) + offset; + yy_c_buf_p = yytext_ptr + offset; break; } } } - c = *(unsigned char *) (yy_c_buf_p); /* cast for 8-bit char's */ - *(yy_c_buf_p) = '\0'; /* preserve yytext */ - (yy_hold_char) = *++(yy_c_buf_p); + c = *(unsigned char *) yy_c_buf_p; /* cast for 8-bit char's */ + *yy_c_buf_p = '\0'; /* preserve yytext */ + yy_hold_char = *++yy_c_buf_p; + return c; -} -#endif /* ifndef YY_NO_INPUT */ + } -/** Immediately switch to a different input stream. - * @param input_file A readable stream. - * - * @note This function does not reset the start condition to @c INITIAL . - */ - void yyrestart (FILE * input_file ) -{ - - if ( ! YY_CURRENT_BUFFER ){ - yyensure_buffer_stack (); - YY_CURRENT_BUFFER_LVALUE = - yy_create_buffer(yyin,YY_BUF_SIZE ); + +#ifdef YY_USE_PROTOS +void yyrestart( FILE *input_file ) +#else +void yyrestart( input_file ) +FILE *input_file; +#endif + { + if ( ! yy_current_buffer ) + yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); + + yy_init_buffer( yy_current_buffer, input_file ); + yy_load_buffer_state(); } - yy_init_buffer(YY_CURRENT_BUFFER,input_file ); - yy_load_buffer_state( ); -} -/** Switch to a different input buffer. - * @param new_buffer The new input buffer. - * - */ - void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer ) -{ - - /* TODO. We should be able to replace this entire function body - * with - * yypop_buffer_state(); - * yypush_buffer_state(new_buffer); - */ - yyensure_buffer_stack (); - if ( YY_CURRENT_BUFFER == new_buffer ) +#ifdef YY_USE_PROTOS +void yy_switch_to_buffer( YY_BUFFER_STATE new_buffer ) +#else +void yy_switch_to_buffer( new_buffer ) +YY_BUFFER_STATE new_buffer; +#endif + { + if ( yy_current_buffer == new_buffer ) return; - if ( YY_CURRENT_BUFFER ) + if ( yy_current_buffer ) { /* Flush out information for old buffer. */ - *(yy_c_buf_p) = (yy_hold_char); - YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p); - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars); + *yy_c_buf_p = yy_hold_char; + yy_current_buffer->yy_buf_pos = yy_c_buf_p; + yy_current_buffer->yy_n_chars = yy_n_chars; } - YY_CURRENT_BUFFER_LVALUE = new_buffer; - yy_load_buffer_state( ); + yy_current_buffer = new_buffer; + yy_load_buffer_state(); /* We don't actually know whether we did this switch during * EOF (yywrap()) processing, but the only time this flag * is looked at is after yywrap() is called, so it's safe * to go ahead and always set it. */ - (yy_did_buffer_switch_on_eof) = 1; -} + yy_did_buffer_switch_on_eof = 1; + } -static void yy_load_buffer_state (void) -{ - (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars; - (yytext_ptr) = (yy_c_buf_p) = YY_CURRENT_BUFFER_LVALUE->yy_buf_pos; - yyin = YY_CURRENT_BUFFER_LVALUE->yy_input_file; - (yy_hold_char) = *(yy_c_buf_p); -} -/** Allocate and initialize an input buffer state. - * @param file A readable stream. - * @param size The character buffer size in bytes. When in doubt, use @c YY_BUF_SIZE. - * - * @return the allocated buffer state. - */ - YY_BUFFER_STATE yy_create_buffer (FILE * file, int size ) -{ +#ifdef YY_USE_PROTOS +void yy_load_buffer_state( void ) +#else +void yy_load_buffer_state() +#endif + { + yy_n_chars = yy_current_buffer->yy_n_chars; + yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos; + yyin = yy_current_buffer->yy_input_file; + yy_hold_char = *yy_c_buf_p; + } + + +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE yy_create_buffer( FILE *file, int size ) +#else +YY_BUFFER_STATE yy_create_buffer( file, size ) +FILE *file; +int size; +#endif + { YY_BUFFER_STATE b; - - b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state ) ); + + b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) ); if ( ! b ) YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); @@ -1364,75 +1290,80 @@ static void yy_load_buffer_state (void) /* yy_ch_buf has to be 2 characters longer than the size given because * we need to put in 2 end-of-buffer characters. */ - b->yy_ch_buf = (char *) yyalloc(b->yy_buf_size + 2 ); + b->yy_ch_buf = (char *) yy_flex_alloc( b->yy_buf_size + 2 ); if ( ! b->yy_ch_buf ) YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); b->yy_is_our_buffer = 1; - yy_init_buffer(b,file ); + yy_init_buffer( b, file ); return b; -} + } -/** Destroy the buffer. - * @param b a buffer created with yy_create_buffer() - * - */ - void yy_delete_buffer (YY_BUFFER_STATE b ) -{ - + +#ifdef YY_USE_PROTOS +void yy_delete_buffer( YY_BUFFER_STATE b ) +#else +void yy_delete_buffer( b ) +YY_BUFFER_STATE b; +#endif + { if ( ! b ) return; - if ( b == YY_CURRENT_BUFFER ) /* Not sure if we should pop here. */ - YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0; + if ( b == yy_current_buffer ) + yy_current_buffer = (YY_BUFFER_STATE) 0; if ( b->yy_is_our_buffer ) - yyfree((void *) b->yy_ch_buf ); + yy_flex_free( (void *) b->yy_ch_buf ); - yyfree((void *) b ); -} + yy_flex_free( (void *) b ); + } -#ifndef __cplusplus -extern int isatty (int ); -#endif /* __cplusplus */ - -/* Initializes or reinitializes a buffer. - * This function is sometimes called more than once on the same buffer, - * such as during a yyrestart() or at EOF. - */ - static void yy_init_buffer (YY_BUFFER_STATE b, FILE * file ) -{ - int oerrno = errno; - - yy_flush_buffer(b ); +#ifndef YY_ALWAYS_INTERACTIVE +#ifndef YY_NEVER_INTERACTIVE +extern int isatty YY_PROTO(( int )); +#endif +#endif + +#ifdef YY_USE_PROTOS +void yy_init_buffer( YY_BUFFER_STATE b, FILE *file ) +#else +void yy_init_buffer( b, file ) +YY_BUFFER_STATE b; +FILE *file; +#endif + + + { + yy_flush_buffer( b ); b->yy_input_file = file; b->yy_fill_buffer = 1; - /* If b is the current buffer, then yy_init_buffer was _probably_ - * called from yyrestart() or through yy_get_next_buffer. - * In that case, we don't want to reset the lineno or column. - */ - if (b != YY_CURRENT_BUFFER){ - b->yy_bs_lineno = 1; - b->yy_bs_column = 0; - } +#if YY_ALWAYS_INTERACTIVE + b->yy_is_interactive = 1; +#else +#if YY_NEVER_INTERACTIVE + b->yy_is_interactive = 0; +#else + b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0; +#endif +#endif + } - b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0; - - errno = oerrno; -} -/** Discard all buffered characters. On the next scan, YY_INPUT will be called. - * @param b the buffer state to be flushed, usually @c YY_CURRENT_BUFFER. - * - */ - void yy_flush_buffer (YY_BUFFER_STATE b ) -{ - if ( ! b ) +#ifdef YY_USE_PROTOS +void yy_flush_buffer( YY_BUFFER_STATE b ) +#else +void yy_flush_buffer( b ) +YY_BUFFER_STATE b; +#endif + + { + if ( ! b ) return; b->yy_n_chars = 0; @@ -1449,121 +1380,29 @@ extern int isatty (int ); b->yy_at_bol = 1; b->yy_buffer_status = YY_BUFFER_NEW; - if ( b == YY_CURRENT_BUFFER ) - yy_load_buffer_state( ); -} - -/** Pushes the new state onto the stack. The new state becomes - * the current state. This function will allocate the stack - * if necessary. - * @param new_buffer The new state. - * - */ -void yypush_buffer_state (YY_BUFFER_STATE new_buffer ) -{ - if (new_buffer == NULL) - return; - - yyensure_buffer_stack(); - - /* This block is copied from yy_switch_to_buffer. */ - if ( YY_CURRENT_BUFFER ) - { - /* Flush out information for old buffer. */ - *(yy_c_buf_p) = (yy_hold_char); - YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p); - YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars); - } - - /* Only push if top exists. Otherwise, replace top. */ - if (YY_CURRENT_BUFFER) - (yy_buffer_stack_top)++; - YY_CURRENT_BUFFER_LVALUE = new_buffer; - - /* copied from yy_switch_to_buffer. */ - yy_load_buffer_state( ); - (yy_did_buffer_switch_on_eof) = 1; -} - -/** Removes and deletes the top of the stack, if present. - * The next element becomes the new top. - * - */ -void yypop_buffer_state (void) -{ - if (!YY_CURRENT_BUFFER) - return; - - yy_delete_buffer(YY_CURRENT_BUFFER ); - YY_CURRENT_BUFFER_LVALUE = NULL; - if ((yy_buffer_stack_top) > 0) - --(yy_buffer_stack_top); - - if (YY_CURRENT_BUFFER) { - yy_load_buffer_state( ); - (yy_did_buffer_switch_on_eof) = 1; - } -} - -/* Allocates the stack if it does not exist. - * Guarantees space for at least one push. - */ -static void yyensure_buffer_stack (void) -{ - int num_to_alloc; - - if (!(yy_buffer_stack)) { - - /* First allocation is just for 2 elements, since we don't know if this - * scanner will even need a stack. We use 2 instead of 1 to avoid an - * immediate realloc on the next call. - */ - num_to_alloc = 1; - (yy_buffer_stack) = (struct yy_buffer_state**)yyalloc - (num_to_alloc * sizeof(struct yy_buffer_state*) - ); - - memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*)); - - (yy_buffer_stack_max) = num_to_alloc; - (yy_buffer_stack_top) = 0; - return; + if ( b == yy_current_buffer ) + yy_load_buffer_state(); } - if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){ - /* Increase the buffer to prepare for a possible push. */ - int grow_size = 8 /* arbitrary grow size */; - - num_to_alloc = (yy_buffer_stack_max) + grow_size; - (yy_buffer_stack) = (struct yy_buffer_state**)yyrealloc - ((yy_buffer_stack), - num_to_alloc * sizeof(struct yy_buffer_state*) - ); - - /* zero only the new slots.*/ - memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*)); - (yy_buffer_stack_max) = num_to_alloc; - } -} - -/** Setup the input buffer state to scan directly from a user-specified character buffer. - * @param base the character buffer - * @param size the size in bytes of the character buffer - * - * @return the newly allocated buffer state object. - */ -YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size ) -{ +#ifndef YY_NO_SCAN_BUFFER +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE yy_scan_buffer( char *base, yy_size_t size ) +#else +YY_BUFFER_STATE yy_scan_buffer( base, size ) +char *base; +yy_size_t size; +#endif + { YY_BUFFER_STATE b; - + if ( size < 2 || base[size-2] != YY_END_OF_BUFFER_CHAR || base[size-1] != YY_END_OF_BUFFER_CHAR ) /* They forgot to leave room for the EOB's. */ return 0; - b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state ) ); + b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) ); if ( ! b ) YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" ); @@ -1577,51 +1416,56 @@ YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size ) b->yy_fill_buffer = 0; b->yy_buffer_status = YY_BUFFER_NEW; - yy_switch_to_buffer(b ); + yy_switch_to_buffer( b ); return b; -} + } +#endif -/** Setup the input buffer state to scan a string. The next call to yylex() will - * scan from a @e copy of @a str. - * @param yystr a NUL-terminated string to scan - * - * @return the newly allocated buffer state object. - * @note If you want to scan bytes that may contain NUL values, then use - * yy_scan_bytes() instead. - */ -YY_BUFFER_STATE yy_scan_string (yyconst char * yystr ) -{ - - return yy_scan_bytes(yystr,strlen(yystr) ); -} -/** Setup the input buffer state to scan the given bytes. The next call to yylex() will - * scan from a @e copy of @a bytes. - * @param bytes the byte buffer to scan - * @param len the number of bytes in the buffer pointed to by @a bytes. - * - * @return the newly allocated buffer state object. - */ -YY_BUFFER_STATE yy_scan_bytes (yyconst char * yybytes, int _yybytes_len ) -{ +#ifndef YY_NO_SCAN_STRING +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str ) +#else +YY_BUFFER_STATE yy_scan_string( yy_str ) +yyconst char *yy_str; +#endif + { + int len; + for ( len = 0; yy_str[len]; ++len ) + ; + + return yy_scan_bytes( yy_str, len ); + } +#endif + + +#ifndef YY_NO_SCAN_BYTES +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE yy_scan_bytes( yyconst char *bytes, int len ) +#else +YY_BUFFER_STATE yy_scan_bytes( bytes, len ) +yyconst char *bytes; +int len; +#endif + { YY_BUFFER_STATE b; char *buf; yy_size_t n; int i; - + /* Get memory for full buffer, including space for trailing EOB's. */ - n = _yybytes_len + 2; - buf = (char *) yyalloc(n ); + n = len + 2; + buf = (char *) yy_flex_alloc( n ); if ( ! buf ) YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" ); - for ( i = 0; i < _yybytes_len; ++i ) - buf[i] = yybytes[i]; + for ( i = 0; i < len; ++i ) + buf[i] = bytes[i]; - buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR; + buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR; - b = yy_scan_buffer(buf,n ); + b = yy_scan_buffer( buf, n ); if ( ! b ) YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" ); @@ -1631,196 +1475,148 @@ YY_BUFFER_STATE yy_scan_bytes (yyconst char * yybytes, int _yybytes_len ) b->yy_is_our_buffer = 1; return b; -} - -#ifndef YY_EXIT_FAILURE -#define YY_EXIT_FAILURE 2 + } #endif -static void yy_fatal_error (yyconst char* msg ) -{ - (void) fprintf( stderr, "%s\n", msg ); - exit( YY_EXIT_FAILURE ); -} - -/* Redefine yyless() so it works in section 3 code. */ -#undef yyless -#define yyless(n) \ - do \ - { \ - /* Undo effects of setting up yytext. */ \ - int yyless_macro_arg = (n); \ - YY_LESS_LINENO(yyless_macro_arg);\ - yytext[yyleng] = (yy_hold_char); \ - (yy_c_buf_p) = yytext + yyless_macro_arg; \ - (yy_hold_char) = *(yy_c_buf_p); \ - *(yy_c_buf_p) = '\0'; \ - yyleng = yyless_macro_arg; \ - } \ - while ( 0 ) +#ifndef YY_NO_PUSH_STATE +#ifdef YY_USE_PROTOS +static void yy_push_state( int new_state ) +#else +static void yy_push_state( new_state ) +int new_state; +#endif + { + if ( yy_start_stack_ptr >= yy_start_stack_depth ) + { + yy_size_t new_size; -/* Accessor methods (get/set functions) to struct members. */ + yy_start_stack_depth += YY_START_STACK_INCR; + new_size = yy_start_stack_depth * sizeof( int ); -/** Get the current line number. - * - */ -int yyget_lineno (void) -{ - - return yylineno; -} + if ( ! yy_start_stack ) + yy_start_stack = (int *) yy_flex_alloc( new_size ); -/** Get the input stream. - * - */ -FILE *yyget_in (void) -{ - return yyin; -} + else + yy_start_stack = (int *) yy_flex_realloc( + (void *) yy_start_stack, new_size ); -/** Get the output stream. - * - */ -FILE *yyget_out (void) -{ - return yyout; -} + if ( ! yy_start_stack ) + YY_FATAL_ERROR( + "out of memory expanding start-condition stack" ); + } -/** Get the length of the current token. - * - */ -int yyget_leng (void) -{ - return yyleng; -} + yy_start_stack[yy_start_stack_ptr++] = YY_START; -/** Get the current token. - * - */ + BEGIN(new_state); + } +#endif -char *yyget_text (void) -{ - return yytext; -} -/** Set the current line number. - * @param line_number - * - */ -void yyset_lineno (int line_number ) -{ - - yylineno = line_number; -} +#ifndef YY_NO_POP_STATE +static void yy_pop_state() + { + if ( --yy_start_stack_ptr < 0 ) + YY_FATAL_ERROR( "start-condition stack underflow" ); -/** Set the input stream. This does not discard the current - * input buffer. - * @param in_str A readable stream. - * - * @see yy_switch_to_buffer - */ -void yyset_in (FILE * in_str ) -{ - yyin = in_str ; -} + BEGIN(yy_start_stack[yy_start_stack_ptr]); + } +#endif -void yyset_out (FILE * out_str ) -{ - yyout = out_str ; -} -int yyget_debug (void) -{ - return yy_flex_debug; -} +#ifndef YY_NO_TOP_STATE +static int yy_top_state() + { + return yy_start_stack[yy_start_stack_ptr - 1]; + } +#endif -void yyset_debug (int bdebug ) -{ - yy_flex_debug = bdebug ; -} +#ifndef YY_EXIT_FAILURE +#define YY_EXIT_FAILURE 2 +#endif -static int yy_init_globals (void) -{ - /* Initialization is the same as for the non-reentrant scanner. - * This function is called from yylex_destroy(), so don't allocate here. - */ - - (yy_buffer_stack) = 0; - (yy_buffer_stack_top) = 0; - (yy_buffer_stack_max) = 0; - (yy_c_buf_p) = (char *) 0; - (yy_init) = 0; - (yy_start) = 0; - -/* Defined in main.c */ -#ifdef YY_STDINIT - yyin = stdin; - yyout = stdout; +#ifdef YY_USE_PROTOS +static void yy_fatal_error( yyconst char msg[] ) #else - yyin = (FILE *) 0; - yyout = (FILE *) 0; +static void yy_fatal_error( msg ) +char msg[]; #endif + { + (void) fprintf( stderr, "%s\n", msg ); + exit( YY_EXIT_FAILURE ); + } - /* For future reference: Set errno on error, since we are called by - * yylex_init() - */ - return 0; -} -/* yylex_destroy is for both reentrant and non-reentrant scanners. */ -int yylex_destroy (void) -{ - - /* Pop the buffer stack, destroying each element. */ - while(YY_CURRENT_BUFFER){ - yy_delete_buffer(YY_CURRENT_BUFFER ); - YY_CURRENT_BUFFER_LVALUE = NULL; - yypop_buffer_state(); - } - /* Destroy the stack itself. */ - yyfree((yy_buffer_stack) ); - (yy_buffer_stack) = NULL; +/* Redefine yyless() so it works in section 3 code. */ - /* Reset the globals. This is important in a non-reentrant scanner so the next time - * yylex() is called, initialization will occur. */ - yy_init_globals( ); +#undef yyless +#define yyless(n) \ + do \ + { \ + /* Undo effects of setting up yytext. */ \ + yytext[yyleng] = yy_hold_char; \ + yy_c_buf_p = yytext + n; \ + yy_hold_char = *yy_c_buf_p; \ + *yy_c_buf_p = '\0'; \ + yyleng = n; \ + } \ + while ( 0 ) - return 0; -} -/* - * Internal utility routines. - */ +/* Internal utility routines. */ #ifndef yytext_ptr -static void yy_flex_strncpy (char* s1, yyconst char * s2, int n ) -{ +#ifdef YY_USE_PROTOS +static void yy_flex_strncpy( char *s1, yyconst char *s2, int n ) +#else +static void yy_flex_strncpy( s1, s2, n ) +char *s1; +yyconst char *s2; +int n; +#endif + { register int i; for ( i = 0; i < n; ++i ) s1[i] = s2[i]; -} + } #endif #ifdef YY_NEED_STRLEN -static int yy_flex_strlen (yyconst char * s ) -{ +#ifdef YY_USE_PROTOS +static int yy_flex_strlen( yyconst char *s ) +#else +static int yy_flex_strlen( s ) +yyconst char *s; +#endif + { register int n; for ( n = 0; s[n]; ++n ) ; return n; -} + } #endif -void *yyalloc (yy_size_t size ) -{ + +#ifdef YY_USE_PROTOS +static void *yy_flex_alloc( yy_size_t size ) +#else +static void *yy_flex_alloc( size ) +yy_size_t size; +#endif + { return (void *) malloc( size ); -} + } -void *yyrealloc (void * ptr, yy_size_t size ) -{ +#ifdef YY_USE_PROTOS +static void *yy_flex_realloc( void *ptr, yy_size_t size ) +#else +static void *yy_flex_realloc( ptr, size ) +void *ptr; +yy_size_t size; +#endif + { /* The cast to (char *) in the following accommodates both * implementations that use char* generic pointers, and those * that use void* generic pointers. It works with the latter @@ -1829,17 +1625,26 @@ void *yyrealloc (void * ptr, yy_size_t size ) * as though doing an assignment. */ return (void *) realloc( (char *) ptr, size ); -} - -void yyfree (void * ptr ) -{ - free( (char *) ptr ); /* see yyrealloc() for (char *) cast */ -} - -#define YYTABLES_NAME "yytables" + } -#line 75 "lex.l" +#ifdef YY_USE_PROTOS +static void yy_flex_free( void *ptr ) +#else +static void yy_flex_free( ptr ) +void *ptr; +#endif + { + free( ptr ); + } +#if YY_MAIN +int main() + { + yylex(); + return 0; + } +#endif +#line 75 "../../../lib/com_err/lex.l" #ifndef yywrap /* XXX */ @@ -1894,4 +1699,3 @@ error_message (const char *format, ...) va_end (args); numerror++; } - diff --git a/source4/heimdal/lib/com_err/parse.c b/source4/heimdal/lib/com_err/parse.c index e55dafa41e..a7160a4d42 100644 --- a/source4/heimdal/lib/com_err/parse.c +++ b/source4/heimdal/lib/com_err/parse.c @@ -1,82 +1,19 @@ -/* A Bison parser, made by GNU Bison 2.0. */ - -/* Skeleton parser for Yacc-like parsing with Bison, - Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place - Suite 330, - Boston, MA 02111-1307, USA. */ - -/* As a special exception, when this file is copied by Bison into a - Bison output file, you may use that output file without restriction. - This special exception was added by the Free Software Foundation - in version 1.24 of Bison. */ - -/* Written by Richard Stallman by simplifying the original so called - ``semantic'' parser. */ - -/* All symbols defined below should begin with yy or YY, to avoid - infringing on user name space. This should be done even for local - variables, as they might otherwise be expanded by user macros. - There are some unavoidable exceptions within include files to - define necessary library symbols; they are noted "INFRINGES ON - USER NAME SPACE" below. */ - -/* Identify Bison output. */ -#define YYBISON 1 - -/* Skeleton name. */ -#define YYSKELETON_NAME "yacc.c" - -/* Pure parsers. */ -#define YYPURE 0 - -/* Using locations. */ -#define YYLSP_NEEDED 0 - - - -/* Tokens. */ -#ifndef YYTOKENTYPE -# define YYTOKENTYPE - /* Put the tokens into the symbol table, so that GDB and other debuggers - know about them. */ - enum yytokentype { - ET = 258, - INDEX = 259, - PREFIX = 260, - EC = 261, - ID = 262, - END = 263, - STRING = 264, - NUMBER = 265 - }; -#endif -#define ET 258 -#define INDEX 259 -#define PREFIX 260 -#define EC 261 -#define ID 262 -#define END 263 -#define STRING 264 -#define NUMBER 265 +/* A Bison parser, made from ../../../lib/com_err/parse.y + by GNU Bison version 1.28 */ +#define YYBISON 1 /* Identify Bison output. */ +#define ET 257 +#define INDEX 258 +#define PREFIX 259 +#define EC 260 +#define ID 261 +#define END 262 +#define STRING 263 +#define NUMBER 264 -/* Copy the first part of user declarations. */ -#line 1 "parse.y" +#line 1 "../../../lib/com_err/parse.y" /* * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan @@ -128,748 +65,425 @@ extern char *yytext; #endif - -/* Enabling traces. */ -#ifndef YYDEBUG -# define YYDEBUG 0 -#endif - -/* Enabling verbose error messages. */ -#ifdef YYERROR_VERBOSE -# undef YYERROR_VERBOSE -# define YYERROR_VERBOSE 1 -#else -# define YYERROR_VERBOSE 0 -#endif - -#if ! defined (YYSTYPE) && ! defined (YYSTYPE_IS_DECLARED) -#line 53 "parse.y" -typedef union YYSTYPE { +#line 53 "../../../lib/com_err/parse.y" +typedef union { char *string; int number; } YYSTYPE; -/* Line 190 of yacc.c. */ -#line 153 "$base.c" -# define yystype YYSTYPE /* obsolescent; will be withdrawn */ -# define YYSTYPE_IS_DECLARED 1 -# define YYSTYPE_IS_TRIVIAL 1 -#endif - - - -/* Copy the second part of user declarations. */ - +#include <stdio.h> -/* Line 213 of yacc.c. */ -#line 165 "$base.c" +#ifndef __cplusplus +#ifndef __STDC__ +#define const +#endif +#endif -#if ! defined (yyoverflow) || YYERROR_VERBOSE -# ifndef YYFREE -# define YYFREE free -# endif -# ifndef YYMALLOC -# define YYMALLOC malloc -# endif -/* The parser invokes alloca or malloc; define the necessary symbols. */ +#define YYFINAL 24 +#define YYFLAG -32768 +#define YYNTBASE 12 + +#define YYTRANSLATE(x) ((unsigned)(x) <= 264 ? yytranslate[x] : 18) + +static const char yytranslate[] = { 0, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 11, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 1, 3, 4, 5, 6, + 7, 8, 9, 10 +}; -# ifdef YYSTACK_USE_ALLOCA -# if YYSTACK_USE_ALLOCA -# ifdef __GNUC__ -# define YYSTACK_ALLOC __builtin_alloca -# else -# define YYSTACK_ALLOC alloca -# endif -# endif -# endif +#if YYDEBUG != 0 +static const short yyprhs[] = { 0, + 0, 1, 4, 7, 9, 12, 15, 19, 21, 24, + 27, 30, 32, 37 +}; -# ifdef YYSTACK_ALLOC - /* Pacify GCC's `empty if-body' warning. */ -# define YYSTACK_FREE(Ptr) do { /* empty */; } while (0) -# else -# if defined (__STDC__) || defined (__cplusplus) -# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */ -# define YYSIZE_T size_t -# endif -# define YYSTACK_ALLOC YYMALLOC -# define YYSTACK_FREE YYFREE -# endif -#endif /* ! defined (yyoverflow) || YYERROR_VERBOSE */ +static const short yyrhs[] = { -1, + 13, 16, 0, 14, 15, 0, 15, 0, 7, 9, + 0, 3, 9, 0, 3, 9, 9, 0, 17, 0, + 16, 17, 0, 4, 10, 0, 5, 9, 0, 5, + 0, 6, 9, 11, 9, 0, 8, 0 +}; +#endif -#if (! defined (yyoverflow) \ - && (! defined (__cplusplus) \ - || (defined (YYSTYPE_IS_TRIVIAL) && YYSTYPE_IS_TRIVIAL))) +#if YYDEBUG != 0 +static const short yyrline[] = { 0, + 64, 65, 68, 69, 72, 78, 84, 93, 94, 97, + 101, 109, 116, 136 +}; +#endif -/* A type that is properly aligned for any stack member. */ -union yyalloc -{ - short int yyss; - YYSTYPE yyvs; - }; - -/* The size of the maximum gap between one aligned stack and the next. */ -# define YYSTACK_GAP_MAXIMUM (sizeof (union yyalloc) - 1) - -/* The size of an array large to enough to hold all stacks, each with - N elements. */ -# define YYSTACK_BYTES(N) \ - ((N) * (sizeof (short int) + sizeof (YYSTYPE)) \ - + YYSTACK_GAP_MAXIMUM) - -/* Copy COUNT objects from FROM to TO. The source and destination do - not overlap. */ -# ifndef YYCOPY -# if defined (__GNUC__) && 1 < __GNUC__ -# define YYCOPY(To, From, Count) \ - __builtin_memcpy (To, From, (Count) * sizeof (*(From))) -# else -# define YYCOPY(To, From, Count) \ - do \ - { \ - register YYSIZE_T yyi; \ - for (yyi = 0; yyi < (Count); yyi++) \ - (To)[yyi] = (From)[yyi]; \ - } \ - while (0) -# endif -# endif - -/* Relocate STACK from its old location to the new one. The - local variables YYSIZE and YYSTACKSIZE give the old and new number of - elements in the stack, and YYPTR gives the new location of the - stack. Advance YYPTR to a properly aligned location for the next - stack. */ -# define YYSTACK_RELOCATE(Stack) \ - do \ - { \ - YYSIZE_T yynewbytes; \ - YYCOPY (&yyptr->Stack, Stack, yysize); \ - Stack = &yyptr->Stack; \ - yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \ - yyptr += yynewbytes / sizeof (*yyptr); \ - } \ - while (0) -#endif +#if YYDEBUG != 0 || defined (YYERROR_VERBOSE) -#if defined (__STDC__) || defined (__cplusplus) - typedef signed char yysigned_char; -#else - typedef short int yysigned_char; +static const char * const yytname[] = { "$","error","$undefined.","ET","INDEX", +"PREFIX","EC","ID","END","STRING","NUMBER","','","file","header","id","et","statements", +"statement", NULL +}; #endif -/* YYFINAL -- State number of the termination state. */ -#define YYFINAL 9 -/* YYLAST -- Last index in YYTABLE. */ -#define YYLAST 23 - -/* YYNTOKENS -- Number of terminals. */ -#define YYNTOKENS 12 -/* YYNNTS -- Number of nonterminals. */ -#define YYNNTS 7 -/* YYNRULES -- Number of rules. */ -#define YYNRULES 15 -/* YYNRULES -- Number of states. */ -#define YYNSTATES 24 - -/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX. */ -#define YYUNDEFTOK 2 -#define YYMAXUTOK 265 - -#define YYTRANSLATE(YYX) \ - ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK) - -/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX. */ -static const unsigned char yytranslate[] = -{ - 0, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 11, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 1, 2, 3, 4, - 5, 6, 7, 8, 9, 10 +static const short yyr1[] = { 0, + 12, 12, 13, 13, 14, 15, 15, 16, 16, 17, + 17, 17, 17, 17 }; -#if YYDEBUG -/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in - YYRHS. */ -static const unsigned char yyprhs[] = -{ - 0, 0, 3, 4, 7, 10, 12, 15, 18, 22, - 24, 27, 30, 33, 35, 40 +static const short yyr2[] = { 0, + 0, 2, 2, 1, 2, 2, 3, 1, 2, 2, + 2, 1, 4, 1 }; -/* YYRHS -- A `-1'-separated list of the rules' RHS. */ -static const yysigned_char yyrhs[] = -{ - 13, 0, -1, -1, 14, 17, -1, 15, 16, -1, - 16, -1, 7, 9, -1, 3, 9, -1, 3, 9, - 9, -1, 18, -1, 17, 18, -1, 4, 10, -1, - 5, 9, -1, 5, -1, 6, 9, 11, 9, -1, - 8, -1 +static const short yydefact[] = { 1, + 0, 0, 0, 0, 4, 6, 5, 0, 12, 0, + 14, 2, 8, 3, 7, 10, 11, 0, 9, 0, + 13, 0, 0, 0 }; -/* YYRLINE[YYN] -- source line where rule number YYN was defined. */ -static const unsigned char yyrline[] = -{ - 0, 64, 64, 65, 68, 69, 72, 78, 84, 93, - 94, 97, 101, 109, 116, 136 +static const short yydefgoto[] = { 22, + 3, 4, 5, 12, 13 }; -#endif -#if YYDEBUG || YYERROR_VERBOSE -/* YYTNME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM. - First, the terminals, then, starting at YYNTOKENS, nonterminals. */ -static const char *const yytname[] = -{ - "$end", "error", "$undefined", "ET", "INDEX", "PREFIX", "EC", "ID", - "END", "STRING", "NUMBER", "','", "$accept", "file", "header", "id", - "et", "statements", "statement", 0 +static const short yypact[] = { 0, + -3, -1, -4, 2,-32768, 1,-32768, 3, 5, 6, +-32768, -4,-32768,-32768,-32768,-32768,-32768, -2,-32768, 7, +-32768, 11, 12,-32768 }; -#endif -# ifdef YYPRINT -/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to - token YYLEX-NUM. */ -static const unsigned short int yytoknum[] = -{ - 0, 256, 257, 258, 259, 260, 261, 262, 263, 264, - 265, 44 +static const short yypgoto[] = {-32768, +-32768,-32768, 13,-32768, 8 }; -# endif -/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. */ -static const unsigned char yyr1[] = -{ - 0, 12, 13, 13, 14, 14, 15, 16, 16, 17, - 17, 18, 18, 18, 18, 18 -}; -/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN. */ -static const unsigned char yyr2[] = -{ - 0, 2, 0, 2, 2, 1, 2, 2, 3, 1, - 2, 2, 2, 1, 4, 1 -}; +#define YYLAST 20 -/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state - STATE-NUM when YYTABLE doesn't specify something else to do. Zero - means the default is an error. */ -static const unsigned char yydefact[] = -{ - 2, 0, 0, 0, 0, 0, 5, 7, 6, 1, - 0, 13, 0, 15, 3, 9, 4, 8, 11, 12, - 0, 10, 0, 14 -}; -/* YYDEFGOTO[NTERM-NUM]. */ -static const yysigned_char yydefgoto[] = -{ - -1, 3, 4, 5, 6, 14, 15 +static const short yytable[] = { 8, + 9, 10, 1, 11, 1, 6, 2, 7, 20, 15, + 23, 24, 16, 17, 18, 21, 14, 0, 0, 19 }; -/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing - STATE-NUM. */ -#define YYPACT_NINF -5 -static const yysigned_char yypact[] = -{ - 0, -3, -1, 5, -4, 6, -5, 1, -5, -5, - 2, 4, 7, -5, -4, -5, -5, -5, -5, -5, - 3, -5, 8, -5 +static const short yycheck[] = { 4, + 5, 6, 3, 8, 3, 9, 7, 9, 11, 9, + 0, 0, 10, 9, 9, 9, 4, -1, -1, 12 }; +/* -*-C-*- Note some compilers choke on comments on `#line' lines. */ +#line 3 "/usr/share/bison.simple" +/* This file comes from bison-1.28. */ -/* YYPGOTO[NTERM-NUM]. */ -static const yysigned_char yypgoto[] = -{ - -5, -5, -5, -5, 10, -5, 9 -}; +/* Skeleton output parser for bison, + Copyright (C) 1984, 1989, 1990 Free Software Foundation, Inc. -/* YYTABLE[YYPACT[STATE-NUM]]. What to do in state STATE-NUM. If - positive, shift that token. If negative, reduce the rule which - number is the opposite. If zero, do what YYDEFACT says. - If YYTABLE_NINF, syntax error. */ -#define YYTABLE_NINF -1 -static const unsigned char yytable[] = -{ - 10, 11, 12, 1, 13, 9, 7, 2, 8, 1, - 17, 0, 18, 19, 22, 16, 20, 23, 0, 0, - 0, 0, 0, 21 -}; + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2, or (at your option) + any later version. -static const yysigned_char yycheck[] = -{ - 4, 5, 6, 3, 8, 0, 9, 7, 9, 3, - 9, -1, 10, 9, 11, 5, 9, 9, -1, -1, - -1, -1, -1, 14 -}; + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. -/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing - symbol of state STATE-NUM. */ -static const unsigned char yystos[] = -{ - 0, 3, 7, 13, 14, 15, 16, 9, 9, 0, - 4, 5, 6, 8, 17, 18, 16, 9, 10, 9, - 9, 18, 11, 9 -}; + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place - Suite 330, + Boston, MA 02111-1307, USA. */ -#if ! defined (YYSIZE_T) && defined (__SIZE_TYPE__) -# define YYSIZE_T __SIZE_TYPE__ -#endif -#if ! defined (YYSIZE_T) && defined (size_t) -# define YYSIZE_T size_t +/* As a special exception, when this file is copied by Bison into a + Bison output file, you may use that output file without restriction. + This special exception was added by the Free Software Foundation + in version 1.24 of Bison. */ + +/* This is the parser code that is written into each bison parser + when the %semantic_parser declaration is not specified in the grammar. + It was written by Richard Stallman by simplifying the hairy parser + used when %semantic_parser is specified. */ + +#ifndef YYSTACK_USE_ALLOCA +#ifdef alloca +#define YYSTACK_USE_ALLOCA +#else /* alloca not defined */ +#ifdef __GNUC__ +#define YYSTACK_USE_ALLOCA +#define alloca __builtin_alloca +#else /* not GNU C. */ +#if (!defined (__STDC__) && defined (sparc)) || defined (__sparc__) || defined (__sparc) || defined (__sgi) || (defined (__sun) && defined (__i386)) +#define YYSTACK_USE_ALLOCA +#include <alloca.h> +#else /* not sparc */ +/* We think this test detects Watcom and Microsoft C. */ +/* This used to test MSDOS, but that is a bad idea + since that symbol is in the user namespace. */ +#if (defined (_MSDOS) || defined (_MSDOS_)) && !defined (__TURBOC__) +#if 0 /* No need for malloc.h, which pollutes the namespace; + instead, just don't use alloca. */ +#include <malloc.h> #endif -#if ! defined (YYSIZE_T) -# if defined (__STDC__) || defined (__cplusplus) -# include <stddef.h> /* INFRINGES ON USER NAME SPACE */ -# define YYSIZE_T size_t -# endif +#else /* not MSDOS, or __TURBOC__ */ +#if defined(_AIX) +/* I don't know what this was needed for, but it pollutes the namespace. + So I turned it off. rms, 2 May 1997. */ +/* #include <malloc.h> */ + #pragma alloca +#define YYSTACK_USE_ALLOCA +#else /* not MSDOS, or __TURBOC__, or _AIX */ +#if 0 +#ifdef __hpux /* haible@ilog.fr says this works for HPUX 9.05 and up, + and on HPUX 10. Eventually we can turn this on. */ +#define YYSTACK_USE_ALLOCA +#define alloca __builtin_alloca +#endif /* __hpux */ #endif -#if ! defined (YYSIZE_T) -# define YYSIZE_T unsigned int +#endif /* not _AIX */ +#endif /* not MSDOS, or __TURBOC__ */ +#endif /* not sparc */ +#endif /* not GNU C */ +#endif /* alloca not defined */ +#endif /* YYSTACK_USE_ALLOCA not defined */ + +#ifdef YYSTACK_USE_ALLOCA +#define YYSTACK_ALLOC alloca +#else +#define YYSTACK_ALLOC malloc #endif +/* Note: there must be only one dollar sign in this file. + It is replaced by the list of actions, each action + as one case of the switch. */ + #define yyerrok (yyerrstatus = 0) #define yyclearin (yychar = YYEMPTY) -#define YYEMPTY (-2) +#define YYEMPTY -2 #define YYEOF 0 - #define YYACCEPT goto yyacceptlab -#define YYABORT goto yyabortlab -#define YYERROR goto yyerrorlab - - -/* Like YYERROR except do call yyerror. This remains here temporarily - to ease the transition to the new meaning of YYERROR, for GCC. +#define YYABORT goto yyabortlab +#define YYERROR goto yyerrlab1 +/* Like YYERROR except do call yyerror. + This remains here temporarily to ease the + transition to the new meaning of YYERROR, for GCC. Once GCC version 2 has supplanted version 1, this can go. */ - #define YYFAIL goto yyerrlab - #define YYRECOVERING() (!!yyerrstatus) - -#define YYBACKUP(Token, Value) \ +#define YYBACKUP(token, value) \ do \ if (yychar == YYEMPTY && yylen == 1) \ - { \ - yychar = (Token); \ - yylval = (Value); \ - yytoken = YYTRANSLATE (yychar); \ + { yychar = (token), yylval = (value); \ + yychar1 = YYTRANSLATE (yychar); \ YYPOPSTACK; \ goto yybackup; \ } \ else \ - { \ - yyerror ("syntax error: cannot back up");\ - YYERROR; \ - } \ + { yyerror ("syntax error: cannot back up"); YYERROR; } \ while (0) - #define YYTERROR 1 #define YYERRCODE 256 - -/* YYLLOC_DEFAULT -- Set CURRENT to span from RHS[1] to RHS[N]. - If N is 0, then set CURRENT to the empty location which ends - the previous symbol: RHS[0] (always defined). */ - -#define YYRHSLOC(Rhs, K) ((Rhs)[K]) -#ifndef YYLLOC_DEFAULT -# define YYLLOC_DEFAULT(Current, Rhs, N) \ - do \ - if (N) \ - { \ - (Current).first_line = YYRHSLOC (Rhs, 1).first_line; \ - (Current).first_column = YYRHSLOC (Rhs, 1).first_column; \ - (Current).last_line = YYRHSLOC (Rhs, N).last_line; \ - (Current).last_column = YYRHSLOC (Rhs, N).last_column; \ - } \ - else \ - { \ - (Current).first_line = (Current).last_line = \ - YYRHSLOC (Rhs, 0).last_line; \ - (Current).first_column = (Current).last_column = \ - YYRHSLOC (Rhs, 0).last_column; \ - } \ - while (0) -#endif - - -/* YY_LOCATION_PRINT -- Print the location on the stream. - This macro was not mandated originally: define only if we know - we won't break user code: when these are the locations we know. */ - -#ifndef YY_LOCATION_PRINT -# if YYLTYPE_IS_TRIVIAL -# define YY_LOCATION_PRINT(File, Loc) \ - fprintf (File, "%d.%d-%d.%d", \ - (Loc).first_line, (Loc).first_column, \ - (Loc).last_line, (Loc).last_column) -# else -# define YY_LOCATION_PRINT(File, Loc) ((void) 0) -# endif +#ifndef YYPURE +#define YYLEX yylex() #endif - -/* YYLEX -- calling `yylex' with the right arguments. */ - +#ifdef YYPURE +#ifdef YYLSP_NEEDED #ifdef YYLEX_PARAM -# define YYLEX yylex (YYLEX_PARAM) +#define YYLEX yylex(&yylval, &yylloc, YYLEX_PARAM) #else -# define YYLEX yylex () +#define YYLEX yylex(&yylval, &yylloc) #endif - -/* Enable debugging if requested. */ -#if YYDEBUG - -# ifndef YYFPRINTF -# include <stdio.h> /* INFRINGES ON USER NAME SPACE */ -# define YYFPRINTF fprintf -# endif - -# define YYDPRINTF(Args) \ -do { \ - if (yydebug) \ - YYFPRINTF Args; \ -} while (0) - -# define YY_SYMBOL_PRINT(Title, Type, Value, Location) \ -do { \ - if (yydebug) \ - { \ - YYFPRINTF (stderr, "%s ", Title); \ - yysymprint (stderr, \ - Type, Value); \ - YYFPRINTF (stderr, "\n"); \ - } \ -} while (0) - -/*------------------------------------------------------------------. -| yy_stack_print -- Print the state stack from its BOTTOM up to its | -| TOP (included). | -`------------------------------------------------------------------*/ - -#if defined (__STDC__) || defined (__cplusplus) -static void -yy_stack_print (short int *bottom, short int *top) +#else /* not YYLSP_NEEDED */ +#ifdef YYLEX_PARAM +#define YYLEX yylex(&yylval, YYLEX_PARAM) #else -static void -yy_stack_print (bottom, top) - short int *bottom; - short int *top; +#define YYLEX yylex(&yylval) +#endif +#endif /* not YYLSP_NEEDED */ #endif -{ - YYFPRINTF (stderr, "Stack now"); - for (/* Nothing. */; bottom <= top; ++bottom) - YYFPRINTF (stderr, " %d", *bottom); - YYFPRINTF (stderr, "\n"); -} -# define YY_STACK_PRINT(Bottom, Top) \ -do { \ - if (yydebug) \ - yy_stack_print ((Bottom), (Top)); \ -} while (0) +/* If nonreentrant, generate the variables here */ +#ifndef YYPURE -/*------------------------------------------------. -| Report that the YYRULE is going to be reduced. | -`------------------------------------------------*/ +int yychar; /* the lookahead symbol */ +YYSTYPE yylval; /* the semantic value of the */ + /* lookahead symbol */ -#if defined (__STDC__) || defined (__cplusplus) -static void -yy_reduce_print (int yyrule) -#else -static void -yy_reduce_print (yyrule) - int yyrule; +#ifdef YYLSP_NEEDED +YYLTYPE yylloc; /* location data for the lookahead */ + /* symbol */ #endif -{ - int yyi; - unsigned int yylno = yyrline[yyrule]; - YYFPRINTF (stderr, "Reducing stack by rule %d (line %u), ", - yyrule - 1, yylno); - /* Print the symbols being reduced, and their result. */ - for (yyi = yyprhs[yyrule]; 0 <= yyrhs[yyi]; yyi++) - YYFPRINTF (stderr, "%s ", yytname [yyrhs[yyi]]); - YYFPRINTF (stderr, "-> %s\n", yytname [yyr1[yyrule]]); -} -# define YY_REDUCE_PRINT(Rule) \ -do { \ - if (yydebug) \ - yy_reduce_print (Rule); \ -} while (0) +int yynerrs; /* number of parse errors so far */ +#endif /* not YYPURE */ -/* Nonzero means print parse trace. It is left uninitialized so that - multiple parsers can coexist. */ -int yydebug; -#else /* !YYDEBUG */ -# define YYDPRINTF(Args) -# define YY_SYMBOL_PRINT(Title, Type, Value, Location) -# define YY_STACK_PRINT(Bottom, Top) -# define YY_REDUCE_PRINT(Rule) -#endif /* !YYDEBUG */ +#if YYDEBUG != 0 +int yydebug; /* nonzero means print parse trace */ +/* Since this is uninitialized, it does not stop multiple parsers + from coexisting. */ +#endif +/* YYINITDEPTH indicates the initial size of the parser's stacks */ -/* YYINITDEPTH -- initial size of the parser's stacks. */ #ifndef YYINITDEPTH -# define YYINITDEPTH 200 +#define YYINITDEPTH 200 #endif -/* YYMAXDEPTH -- maximum size the stacks can grow to (effective only - if the built-in stack extension method is used). +/* YYMAXDEPTH is the maximum size the stacks can grow to + (effective only if the built-in stack extension method is used). */ - Do not make this value too large; the results are undefined if - SIZE_MAX < YYSTACK_BYTES (YYMAXDEPTH) - evaluated with infinite-precision integer arithmetic. */ +#if YYMAXDEPTH == 0 +#undef YYMAXDEPTH +#endif #ifndef YYMAXDEPTH -# define YYMAXDEPTH 10000 +#define YYMAXDEPTH 10000 #endif - - -#if YYERROR_VERBOSE - -# ifndef yystrlen -# if defined (__GLIBC__) && defined (_STRING_H) -# define yystrlen strlen -# else -/* Return the length of YYSTR. */ -static YYSIZE_T -# if defined (__STDC__) || defined (__cplusplus) -yystrlen (const char *yystr) -# else -yystrlen (yystr) - const char *yystr; -# endif -{ - register const char *yys = yystr; - - while (*yys++ != '\0') - continue; - - return yys - yystr - 1; -} -# endif -# endif - -# ifndef yystpcpy -# if defined (__GLIBC__) && defined (_STRING_H) && defined (_GNU_SOURCE) -# define yystpcpy stpcpy -# else -/* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in - YYDEST. */ -static char * -# if defined (__STDC__) || defined (__cplusplus) -yystpcpy (char *yydest, const char *yysrc) -# else -yystpcpy (yydest, yysrc) - char *yydest; - const char *yysrc; -# endif +/* Define __yy_memcpy. Note that the size argument + should be passed with type unsigned int, because that is what the non-GCC + definitions require. With GCC, __builtin_memcpy takes an arg + of type size_t, but it can handle unsigned int. */ + +#if __GNUC__ > 1 /* GNU C and GNU C++ define this. */ +#define __yy_memcpy(TO,FROM,COUNT) __builtin_memcpy(TO,FROM,COUNT) +#else /* not GNU C or C++ */ +#ifndef __cplusplus + +/* This is the most reliable way to avoid incompatibilities + in available built-in functions on various systems. */ +static void +__yy_memcpy (to, from, count) + char *to; + char *from; + unsigned int count; { - register char *yyd = yydest; - register const char *yys = yysrc; - - while ((*yyd++ = *yys++) != '\0') - continue; + register char *f = from; + register char *t = to; + register int i = count; - return yyd - 1; + while (i-- > 0) + *t++ = *f++; } -# endif -# endif - -#endif /* !YYERROR_VERBOSE */ - - -#if YYDEBUG -/*--------------------------------. -| Print this symbol on YYOUTPUT. | -`--------------------------------*/ +#else /* __cplusplus */ -#if defined (__STDC__) || defined (__cplusplus) -static void -yysymprint (FILE *yyoutput, int yytype, YYSTYPE *yyvaluep) -#else +/* This is the most reliable way to avoid incompatibilities + in available built-in functions on various systems. */ static void -yysymprint (yyoutput, yytype, yyvaluep) - FILE *yyoutput; - int yytype; - YYSTYPE *yyvaluep; -#endif +__yy_memcpy (char *to, char *from, unsigned int count) { - /* Pacify ``unused variable'' warnings. */ - (void) yyvaluep; - - if (yytype < YYNTOKENS) - YYFPRINTF (yyoutput, "token %s (", yytname[yytype]); - else - YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]); - + register char *t = to; + register char *f = from; + register int i = count; -# ifdef YYPRINT - if (yytype < YYNTOKENS) - YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep); -# endif - switch (yytype) - { - default: - break; - } - YYFPRINTF (yyoutput, ")"); + while (i-- > 0) + *t++ = *f++; } -#endif /* ! YYDEBUG */ -/*-----------------------------------------------. -| Release the memory associated to this symbol. | -`-----------------------------------------------*/ - -#if defined (__STDC__) || defined (__cplusplus) -static void -yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep) -#else -static void -yydestruct (yymsg, yytype, yyvaluep) - const char *yymsg; - int yytype; - YYSTYPE *yyvaluep; #endif -{ - /* Pacify ``unused variable'' warnings. */ - (void) yyvaluep; - - if (!yymsg) - yymsg = "Deleting"; - YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp); - - switch (yytype) - { - - default: - break; - } -} +#endif +#line 217 "/usr/share/bison.simple" -/* Prevent warnings from -Wmissing-prototypes. */ +/* The user can define YYPARSE_PARAM as the name of an argument to be passed + into yyparse. The argument should have type void *. + It should actually point to an object. + Grammar actions can access the variable by casting it + to the proper pointer type. */ #ifdef YYPARSE_PARAM -# if defined (__STDC__) || defined (__cplusplus) -int yyparse (void *YYPARSE_PARAM); -# else -int yyparse (); -# endif -#else /* ! YYPARSE_PARAM */ -#if defined (__STDC__) || defined (__cplusplus) -int yyparse (void); -#else -int yyparse (); -#endif -#endif /* ! YYPARSE_PARAM */ - - - -/* The look-ahead symbol. */ -int yychar; - -/* The semantic value of the look-ahead symbol. */ -YYSTYPE yylval; - -/* Number of syntax errors so far. */ -int yynerrs; - - - -/*----------. -| yyparse. | -`----------*/ - +#ifdef __cplusplus +#define YYPARSE_PARAM_ARG void *YYPARSE_PARAM +#define YYPARSE_PARAM_DECL +#else /* not __cplusplus */ +#define YYPARSE_PARAM_ARG YYPARSE_PARAM +#define YYPARSE_PARAM_DECL void *YYPARSE_PARAM; +#endif /* not __cplusplus */ +#else /* not YYPARSE_PARAM */ +#define YYPARSE_PARAM_ARG +#define YYPARSE_PARAM_DECL +#endif /* not YYPARSE_PARAM */ + +/* Prevent warning if -Wstrict-prototypes. */ +#ifdef __GNUC__ #ifdef YYPARSE_PARAM -# if defined (__STDC__) || defined (__cplusplus) -int yyparse (void *YYPARSE_PARAM) -# else -int yyparse (YYPARSE_PARAM) - void *YYPARSE_PARAM; -# endif -#else /* ! YYPARSE_PARAM */ -#if defined (__STDC__) || defined (__cplusplus) -int -yyparse (void) +int yyparse (void *); #else -int -yyparse () - +int yyparse (void); #endif #endif + +int +yyparse(YYPARSE_PARAM_ARG) + YYPARSE_PARAM_DECL { - register int yystate; register int yyn; - int yyresult; - /* Number of tokens to shift before error messages enabled. */ - int yyerrstatus; - /* Look-ahead token as an internal (translated) token number. */ - int yytoken = 0; - - /* Three stacks and their tools: - `yyss': related to states, - `yyvs': related to semantic values, - `yyls': related to locations. - - Refer to the stacks thru separate pointers, to allow yyoverflow - to reallocate them elsewhere. */ - - /* The state stack. */ - short int yyssa[YYINITDEPTH]; - short int *yyss = yyssa; - register short int *yyssp; - - /* The semantic value stack. */ - YYSTYPE yyvsa[YYINITDEPTH]; - YYSTYPE *yyvs = yyvsa; + register short *yyssp; register YYSTYPE *yyvsp; + int yyerrstatus; /* number of tokens to shift before error messages enabled */ + int yychar1 = 0; /* lookahead token as an internal (translated) token number */ + short yyssa[YYINITDEPTH]; /* the state stack */ + YYSTYPE yyvsa[YYINITDEPTH]; /* the semantic value stack */ + short *yyss = yyssa; /* refer to the stacks thru separate pointers */ + YYSTYPE *yyvs = yyvsa; /* to allow yyoverflow to reallocate them elsewhere */ +#ifdef YYLSP_NEEDED + YYLTYPE yylsa[YYINITDEPTH]; /* the location stack */ + YYLTYPE *yyls = yylsa; + YYLTYPE *yylsp; + +#define YYPOPSTACK (yyvsp--, yyssp--, yylsp--) +#else #define YYPOPSTACK (yyvsp--, yyssp--) +#endif - YYSIZE_T yystacksize = YYINITDEPTH; + int yystacksize = YYINITDEPTH; + int yyfree_stacks = 0; - /* The variables used to return semantic value and location from the - action routines. */ - YYSTYPE yyval; +#ifdef YYPURE + int yychar; + YYSTYPE yylval; + int yynerrs; +#ifdef YYLSP_NEEDED + YYLTYPE yylloc; +#endif +#endif + YYSTYPE yyval; /* the variable used to return */ + /* semantic values from the action */ + /* routines */ - /* When reducing, the number of symbols on the RHS of the reduced - rule. */ int yylen; - YYDPRINTF ((stderr, "Starting parse\n")); +#if YYDEBUG != 0 + if (yydebug) + fprintf(stderr, "Starting parse\n"); +#endif yystate = 0; yyerrstatus = 0; @@ -881,254 +495,295 @@ yyparse () so that they stay on the same level as the state stack. The wasted elements are never initialized. */ - yyssp = yyss; + yyssp = yyss - 1; yyvsp = yyvs; +#ifdef YYLSP_NEEDED + yylsp = yyls; +#endif +/* Push a new state, which is found in yystate . */ +/* In all cases, when you get here, the value and location stacks + have just been pushed. so pushing a state here evens the stacks. */ +yynewstate: - yyvsp[0] = yylval; - - goto yysetstate; - -/*------------------------------------------------------------. -| yynewstate -- Push a new state, which is found in yystate. | -`------------------------------------------------------------*/ - yynewstate: - /* In all cases, when you get here, the value and location stacks - have just been pushed. so pushing a state here evens the stacks. - */ - yyssp++; - - yysetstate: - *yyssp = yystate; + *++yyssp = yystate; - if (yyss + yystacksize - 1 <= yyssp) + if (yyssp >= yyss + yystacksize - 1) { + /* Give user a chance to reallocate the stack */ + /* Use copies of these so that the &'s don't force the real ones into memory. */ + YYSTYPE *yyvs1 = yyvs; + short *yyss1 = yyss; +#ifdef YYLSP_NEEDED + YYLTYPE *yyls1 = yyls; +#endif + /* Get the current used size of the three stacks, in elements. */ - YYSIZE_T yysize = yyssp - yyss + 1; + int size = yyssp - yyss + 1; #ifdef yyoverflow - { - /* Give user a chance to reallocate the stack. Use copies of - these so that the &'s don't force the real ones into - memory. */ - YYSTYPE *yyvs1 = yyvs; - short int *yyss1 = yyss; - - - /* Each stack pointer address is followed by the size of the - data in use in that stack, in bytes. This used to be a - conditional around just the two extra args, but that might - be undefined if yyoverflow is a macro. */ - yyoverflow ("parser stack overflow", - &yyss1, yysize * sizeof (*yyssp), - &yyvs1, yysize * sizeof (*yyvsp), - - &yystacksize); - - yyss = yyss1; - yyvs = yyvs1; - } + /* Each stack pointer address is followed by the size of + the data in use in that stack, in bytes. */ +#ifdef YYLSP_NEEDED + /* This used to be a conditional around just the two extra args, + but that might be undefined if yyoverflow is a macro. */ + yyoverflow("parser stack overflow", + &yyss1, size * sizeof (*yyssp), + &yyvs1, size * sizeof (*yyvsp), + &yyls1, size * sizeof (*yylsp), + &yystacksize); +#else + yyoverflow("parser stack overflow", + &yyss1, size * sizeof (*yyssp), + &yyvs1, size * sizeof (*yyvsp), + &yystacksize); +#endif + + yyss = yyss1; yyvs = yyvs1; +#ifdef YYLSP_NEEDED + yyls = yyls1; +#endif #else /* no yyoverflow */ -# ifndef YYSTACK_RELOCATE - goto yyoverflowlab; -# else /* Extend the stack our own way. */ - if (YYMAXDEPTH <= yystacksize) - goto yyoverflowlab; + if (yystacksize >= YYMAXDEPTH) + { + yyerror("parser stack overflow"); + if (yyfree_stacks) + { + free (yyss); + free (yyvs); +#ifdef YYLSP_NEEDED + free (yyls); +#endif + } + return 2; + } yystacksize *= 2; - if (YYMAXDEPTH < yystacksize) + if (yystacksize > YYMAXDEPTH) yystacksize = YYMAXDEPTH; - - { - short int *yyss1 = yyss; - union yyalloc *yyptr = - (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize)); - if (! yyptr) - goto yyoverflowlab; - YYSTACK_RELOCATE (yyss); - YYSTACK_RELOCATE (yyvs); - -# undef YYSTACK_RELOCATE - if (yyss1 != yyssa) - YYSTACK_FREE (yyss1); - } -# endif +#ifndef YYSTACK_USE_ALLOCA + yyfree_stacks = 1; +#endif + yyss = (short *) YYSTACK_ALLOC (yystacksize * sizeof (*yyssp)); + __yy_memcpy ((char *)yyss, (char *)yyss1, + size * (unsigned int) sizeof (*yyssp)); + yyvs = (YYSTYPE *) YYSTACK_ALLOC (yystacksize * sizeof (*yyvsp)); + __yy_memcpy ((char *)yyvs, (char *)yyvs1, + size * (unsigned int) sizeof (*yyvsp)); +#ifdef YYLSP_NEEDED + yyls = (YYLTYPE *) YYSTACK_ALLOC (yystacksize * sizeof (*yylsp)); + __yy_memcpy ((char *)yyls, (char *)yyls1, + size * (unsigned int) sizeof (*yylsp)); +#endif #endif /* no yyoverflow */ - yyssp = yyss + yysize - 1; - yyvsp = yyvs + yysize - 1; - + yyssp = yyss + size - 1; + yyvsp = yyvs + size - 1; +#ifdef YYLSP_NEEDED + yylsp = yyls + size - 1; +#endif - YYDPRINTF ((stderr, "Stack size increased to %lu\n", - (unsigned long int) yystacksize)); +#if YYDEBUG != 0 + if (yydebug) + fprintf(stderr, "Stack size increased to %d\n", yystacksize); +#endif - if (yyss + yystacksize - 1 <= yyssp) + if (yyssp >= yyss + yystacksize - 1) YYABORT; } - YYDPRINTF ((stderr, "Entering state %d\n", yystate)); +#if YYDEBUG != 0 + if (yydebug) + fprintf(stderr, "Entering state %d\n", yystate); +#endif goto yybackup; - -/*-----------. -| yybackup. | -`-----------*/ -yybackup: + yybackup: /* Do appropriate processing given the current state. */ -/* Read a look-ahead token if we need one and don't already have one. */ +/* Read a lookahead token if we need one and don't already have one. */ /* yyresume: */ - /* First try to decide what to do without reference to look-ahead token. */ + /* First try to decide what to do without reference to lookahead token. */ yyn = yypact[yystate]; - if (yyn == YYPACT_NINF) + if (yyn == YYFLAG) goto yydefault; - /* Not known => get a look-ahead token if don't already have one. */ + /* Not known => get a lookahead token if don't already have one. */ + + /* yychar is either YYEMPTY or YYEOF + or a valid token in external form. */ - /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol. */ if (yychar == YYEMPTY) { - YYDPRINTF ((stderr, "Reading a token: ")); +#if YYDEBUG != 0 + if (yydebug) + fprintf(stderr, "Reading a token: "); +#endif yychar = YYLEX; } - if (yychar <= YYEOF) + /* Convert token to internal form (in yychar1) for indexing tables with */ + + if (yychar <= 0) /* This means end of input. */ { - yychar = yytoken = YYEOF; - YYDPRINTF ((stderr, "Now at end of input.\n")); + yychar1 = 0; + yychar = YYEOF; /* Don't call YYLEX any more */ + +#if YYDEBUG != 0 + if (yydebug) + fprintf(stderr, "Now at end of input.\n"); +#endif } else { - yytoken = YYTRANSLATE (yychar); - YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc); + yychar1 = YYTRANSLATE(yychar); + +#if YYDEBUG != 0 + if (yydebug) + { + fprintf (stderr, "Next token is %d (%s", yychar, yytname[yychar1]); + /* Give the individual parser a way to print the precise meaning + of a token, for further debugging info. */ +#ifdef YYPRINT + YYPRINT (stderr, yychar, yylval); +#endif + fprintf (stderr, ")\n"); + } +#endif } - /* If the proper action on seeing token YYTOKEN is to reduce or to - detect an error, take that action. */ - yyn += yytoken; - if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken) + yyn += yychar1; + if (yyn < 0 || yyn > YYLAST || yycheck[yyn] != yychar1) goto yydefault; + yyn = yytable[yyn]; - if (yyn <= 0) + + /* yyn is what to do for this token type in this state. + Negative => reduce, -yyn is rule number. + Positive => shift, yyn is new state. + New state is final state => don't bother to shift, + just return success. + 0, or most negative number => error. */ + + if (yyn < 0) { - if (yyn == 0 || yyn == YYTABLE_NINF) + if (yyn == YYFLAG) goto yyerrlab; yyn = -yyn; goto yyreduce; } + else if (yyn == 0) + goto yyerrlab; if (yyn == YYFINAL) YYACCEPT; - /* Shift the look-ahead token. */ - YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc); + /* Shift the lookahead token. */ + +#if YYDEBUG != 0 + if (yydebug) + fprintf(stderr, "Shifting token %d (%s), ", yychar, yytname[yychar1]); +#endif /* Discard the token being shifted unless it is eof. */ if (yychar != YYEOF) yychar = YYEMPTY; *++yyvsp = yylval; +#ifdef YYLSP_NEEDED + *++yylsp = yylloc; +#endif - - /* Count tokens shifted since error; after three, turn off error - status. */ - if (yyerrstatus) - yyerrstatus--; + /* count tokens shifted since error; after three, turn off error status. */ + if (yyerrstatus) yyerrstatus--; yystate = yyn; goto yynewstate; - -/*-----------------------------------------------------------. -| yydefault -- do the default action for the current state. | -`-----------------------------------------------------------*/ +/* Do the default action for the current state. */ yydefault: + yyn = yydefact[yystate]; if (yyn == 0) goto yyerrlab; - goto yyreduce; - -/*-----------------------------. -| yyreduce -- Do a reduction. | -`-----------------------------*/ +/* Do a reduction. yyn is the number of a rule to reduce with. */ yyreduce: - /* yyn is the number of a rule to reduce with. */ yylen = yyr2[yyn]; + if (yylen > 0) + yyval = yyvsp[1-yylen]; /* implement default value of the action */ - /* If YYLEN is nonzero, implement the default value of the action: - `$$ = $1'. - - Otherwise, the following line sets YYVAL to garbage. - This behavior is undocumented and Bison - users should not rely upon it. Assigning to YYVAL - unconditionally makes the parser a bit smaller, and it avoids a - GCC warning that YYVAL may be used uninitialized. */ - yyval = yyvsp[1-yylen]; - - - YY_REDUCE_PRINT (yyn); - switch (yyn) +#if YYDEBUG != 0 + if (yydebug) { - case 6: -#line 73 "parse.y" - { - id_str = (yyvsp[0].string); - } - break; + int i; - case 7: -#line 79 "parse.y" - { - base_id = name2number((yyvsp[0].string)); - strlcpy(name, (yyvsp[0].string), sizeof(name)); - free((yyvsp[0].string)); - } - break; + fprintf (stderr, "Reducing via rule %d (line %d), ", + yyn, yyrline[yyn]); - case 8: -#line 85 "parse.y" - { - base_id = name2number((yyvsp[-1].string)); - strlcpy(name, (yyvsp[0].string), sizeof(name)); - free((yyvsp[-1].string)); - free((yyvsp[0].string)); - } - break; + /* Print the symbols being reduced, and their result. */ + for (i = yyprhs[yyn]; yyrhs[i] > 0; i++) + fprintf (stderr, "%s ", yytname[yyrhs[i]]); + fprintf (stderr, " -> %s\n", yytname[yyr1[yyn]]); + } +#endif - case 11: -#line 98 "parse.y" - { - number = (yyvsp[0].number); - } - break; - case 12: -#line 102 "parse.y" - { + switch (yyn) { + +case 5: +#line 73 "../../../lib/com_err/parse.y" +{ + id_str = yyvsp[0].string; + ; + break;} +case 6: +#line 79 "../../../lib/com_err/parse.y" +{ + base_id = name2number(yyvsp[0].string); + strlcpy(name, yyvsp[0].string, sizeof(name)); + free(yyvsp[0].string); + ; + break;} +case 7: +#line 85 "../../../lib/com_err/parse.y" +{ + base_id = name2number(yyvsp[-1].string); + strlcpy(name, yyvsp[0].string, sizeof(name)); + free(yyvsp[-1].string); + free(yyvsp[0].string); + ; + break;} +case 10: +#line 98 "../../../lib/com_err/parse.y" +{ + number = yyvsp[0].number; + ; + break;} +case 11: +#line 102 "../../../lib/com_err/parse.y" +{ free(prefix); - asprintf (&prefix, "%s_", (yyvsp[0].string)); + asprintf (&prefix, "%s_", yyvsp[0].string); if (prefix == NULL) errx(1, "malloc"); - free((yyvsp[0].string)); - } - break; - - case 13: -#line 110 "parse.y" - { + free(yyvsp[0].string); + ; + break;} +case 12: +#line 110 "../../../lib/com_err/parse.y" +{ prefix = realloc(prefix, 1); if (prefix == NULL) errx(1, "malloc"); *prefix = '\0'; - } - break; - - case 14: -#line 117 "parse.y" - { + ; + break;} +case 13: +#line 117 "../../../lib/com_err/parse.y" +{ struct error_code *ec = malloc(sizeof(*ec)); if (ec == NULL) @@ -1137,258 +792,246 @@ yyreduce: ec->next = NULL; ec->number = number; if(prefix && *prefix != '\0') { - asprintf (&ec->name, "%s%s", prefix, (yyvsp[-2].string)); + asprintf (&ec->name, "%s%s", prefix, yyvsp[-2].string); if (ec->name == NULL) errx(1, "malloc"); - free((yyvsp[-2].string)); + free(yyvsp[-2].string); } else - ec->name = (yyvsp[-2].string); - ec->string = (yyvsp[0].string); + ec->name = yyvsp[-2].string; + ec->string = yyvsp[0].string; APPEND(codes, ec); number++; - } - break; - - case 15: -#line 137 "parse.y" - { + ; + break;} +case 14: +#line 137 "../../../lib/com_err/parse.y" +{ YYACCEPT; - } - break; - - - } - -/* Line 1037 of yacc.c. */ -#line 1164 "$base.c" + ; + break;} +} + /* the action file gets copied in in place of this dollarsign */ +#line 543 "/usr/share/bison.simple" yyvsp -= yylen; yyssp -= yylen; +#ifdef YYLSP_NEEDED + yylsp -= yylen; +#endif - - YY_STACK_PRINT (yyss, yyssp); +#if YYDEBUG != 0 + if (yydebug) + { + short *ssp1 = yyss - 1; + fprintf (stderr, "state stack now"); + while (ssp1 != yyssp) + fprintf (stderr, " %d", *++ssp1); + fprintf (stderr, "\n"); + } +#endif *++yyvsp = yyval; +#ifdef YYLSP_NEEDED + yylsp++; + if (yylen == 0) + { + yylsp->first_line = yylloc.first_line; + yylsp->first_column = yylloc.first_column; + yylsp->last_line = (yylsp-1)->last_line; + yylsp->last_column = (yylsp-1)->last_column; + yylsp->text = 0; + } + else + { + yylsp->last_line = (yylsp+yylen-1)->last_line; + yylsp->last_column = (yylsp+yylen-1)->last_column; + } +#endif - /* Now `shift' the result of the reduction. Determine what state - that goes to, based on the state we popped back to and the rule - number reduced by. */ + /* Now "shift" the result of the reduction. + Determine what state that goes to, + based on the state we popped back to + and the rule number reduced by. */ yyn = yyr1[yyn]; - yystate = yypgoto[yyn - YYNTOKENS] + *yyssp; - if (0 <= yystate && yystate <= YYLAST && yycheck[yystate] == *yyssp) + yystate = yypgoto[yyn - YYNTBASE] + *yyssp; + if (yystate >= 0 && yystate <= YYLAST && yycheck[yystate] == *yyssp) yystate = yytable[yystate]; else - yystate = yydefgoto[yyn - YYNTOKENS]; + yystate = yydefgoto[yyn - YYNTBASE]; goto yynewstate; +yyerrlab: /* here on detecting error */ -/*------------------------------------. -| yyerrlab -- here on detecting error | -`------------------------------------*/ -yyerrlab: - /* If not already recovering from an error, report this error. */ - if (!yyerrstatus) + if (! yyerrstatus) + /* If not already recovering from an error, report this error. */ { ++yynerrs; -#if YYERROR_VERBOSE + +#ifdef YYERROR_VERBOSE yyn = yypact[yystate]; - if (YYPACT_NINF < yyn && yyn < YYLAST) + if (yyn > YYFLAG && yyn < YYLAST) { - YYSIZE_T yysize = 0; - int yytype = YYTRANSLATE (yychar); - const char* yyprefix; - char *yymsg; - int yyx; - - /* Start YYX at -YYN if negative to avoid negative indexes in - YYCHECK. */ - int yyxbegin = yyn < 0 ? -yyn : 0; - - /* Stay within bounds of both yycheck and yytname. */ - int yychecklim = YYLAST - yyn; - int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS; - int yycount = 0; - - yyprefix = ", expecting "; - for (yyx = yyxbegin; yyx < yyxend; ++yyx) - if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR) - { - yysize += yystrlen (yyprefix) + yystrlen (yytname [yyx]); - yycount += 1; - if (yycount == 5) - { - yysize = 0; - break; - } - } - yysize += (sizeof ("syntax error, unexpected ") - + yystrlen (yytname[yytype])); - yymsg = (char *) YYSTACK_ALLOC (yysize); - if (yymsg != 0) + int size = 0; + char *msg; + int x, count; + + count = 0; + /* Start X at -yyn if nec to avoid negative indexes in yycheck. */ + for (x = (yyn < 0 ? -yyn : 0); + x < (sizeof(yytname) / sizeof(char *)); x++) + if (yycheck[x + yyn] == x) + size += strlen(yytname[x]) + 15, count++; + msg = (char *) malloc(size + 15); + if (msg != 0) { - char *yyp = yystpcpy (yymsg, "syntax error, unexpected "); - yyp = yystpcpy (yyp, yytname[yytype]); + strcpy(msg, "parse error"); - if (yycount < 5) + if (count < 5) { - yyprefix = ", expecting "; - for (yyx = yyxbegin; yyx < yyxend; ++yyx) - if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR) + count = 0; + for (x = (yyn < 0 ? -yyn : 0); + x < (sizeof(yytname) / sizeof(char *)); x++) + if (yycheck[x + yyn] == x) { - yyp = yystpcpy (yyp, yyprefix); - yyp = yystpcpy (yyp, yytname[yyx]); - yyprefix = " or "; + strcat(msg, count == 0 ? ", expecting `" : " or `"); + strcat(msg, yytname[x]); + strcat(msg, "'"); + count++; } } - yyerror (yymsg); - YYSTACK_FREE (yymsg); + yyerror(msg); + free(msg); } else - yyerror ("syntax error; also virtual memory exhausted"); + yyerror ("parse error; also virtual memory exceeded"); } else #endif /* YYERROR_VERBOSE */ - yyerror ("syntax error"); + yyerror("parse error"); } - + goto yyerrlab1; +yyerrlab1: /* here on error raised explicitly by an action */ if (yyerrstatus == 3) { - /* If just tried and failed to reuse look-ahead token after an - error, discard it. */ - - if (yychar <= YYEOF) - { - /* If at end of input, pop the error token, - then the rest of the stack, then return failure. */ - if (yychar == YYEOF) - for (;;) - { - - YYPOPSTACK; - if (yyssp == yyss) - YYABORT; - yydestruct ("Error: popping", - yystos[*yyssp], yyvsp); - } - } - else - { - yydestruct ("Error: discarding", yytoken, &yylval); - yychar = YYEMPTY; - } + /* if just tried and failed to reuse lookahead token after an error, discard it. */ + + /* return failure if at end of input */ + if (yychar == YYEOF) + YYABORT; + +#if YYDEBUG != 0 + if (yydebug) + fprintf(stderr, "Discarding token %d (%s).\n", yychar, yytname[yychar1]); +#endif + + yychar = YYEMPTY; } - /* Else will try to reuse look-ahead token after shifting the error - token. */ - goto yyerrlab1; + /* Else will try to reuse lookahead token + after shifting the error token. */ + yyerrstatus = 3; /* Each real token shifted decrements this */ -/*---------------------------------------------------. -| yyerrorlab -- error raised explicitly by YYERROR. | -`---------------------------------------------------*/ -yyerrorlab: + goto yyerrhandle; -#ifdef __GNUC__ - /* Pacify GCC when the user code never invokes YYERROR and the label - yyerrorlab therefore never appears in user code. */ - if (0) - goto yyerrorlab; -#endif +yyerrdefault: /* current state does not do anything special for the error token. */ -yyvsp -= yylen; - yyssp -= yylen; - yystate = *yyssp; - goto yyerrlab1; +#if 0 + /* This is wrong; only states that explicitly want error tokens + should shift them. */ + yyn = yydefact[yystate]; /* If its default is to accept any token, ok. Otherwise pop it.*/ + if (yyn) goto yydefault; +#endif +yyerrpop: /* pop the current state because it cannot handle the error token */ -/*-------------------------------------------------------------. -| yyerrlab1 -- common code for both syntax error and YYERROR. | -`-------------------------------------------------------------*/ -yyerrlab1: - yyerrstatus = 3; /* Each real token shifted decrements this. */ + if (yyssp == yyss) YYABORT; + yyvsp--; + yystate = *--yyssp; +#ifdef YYLSP_NEEDED + yylsp--; +#endif - for (;;) +#if YYDEBUG != 0 + if (yydebug) { - yyn = yypact[yystate]; - if (yyn != YYPACT_NINF) - { - yyn += YYTERROR; - if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR) - { - yyn = yytable[yyn]; - if (0 < yyn) - break; - } - } + short *ssp1 = yyss - 1; + fprintf (stderr, "Error: state stack now"); + while (ssp1 != yyssp) + fprintf (stderr, " %d", *++ssp1); + fprintf (stderr, "\n"); + } +#endif - /* Pop the current state because it cannot handle the error token. */ - if (yyssp == yyss) - YYABORT; +yyerrhandle: + + yyn = yypact[yystate]; + if (yyn == YYFLAG) + goto yyerrdefault; + yyn += YYTERROR; + if (yyn < 0 || yyn > YYLAST || yycheck[yyn] != YYTERROR) + goto yyerrdefault; - yydestruct ("Error: popping", yystos[yystate], yyvsp); - YYPOPSTACK; - yystate = *yyssp; - YY_STACK_PRINT (yyss, yyssp); + yyn = yytable[yyn]; + if (yyn < 0) + { + if (yyn == YYFLAG) + goto yyerrpop; + yyn = -yyn; + goto yyreduce; } + else if (yyn == 0) + goto yyerrpop; if (yyn == YYFINAL) YYACCEPT; - *++yyvsp = yylval; - +#if YYDEBUG != 0 + if (yydebug) + fprintf(stderr, "Shifting error token, "); +#endif - /* Shift the error token. */ - YY_SYMBOL_PRINT ("Shifting", yystos[yyn], yyvsp, yylsp); + *++yyvsp = yylval; +#ifdef YYLSP_NEEDED + *++yylsp = yylloc; +#endif yystate = yyn; goto yynewstate; - -/*-------------------------------------. -| yyacceptlab -- YYACCEPT comes here. | -`-------------------------------------*/ -yyacceptlab: - yyresult = 0; - goto yyreturn; - -/*-----------------------------------. -| yyabortlab -- YYABORT comes here. | -`-----------------------------------*/ -yyabortlab: - yydestruct ("Error: discarding lookahead", - yytoken, &yylval); - yychar = YYEMPTY; - yyresult = 1; - goto yyreturn; - -#ifndef yyoverflow -/*----------------------------------------------. -| yyoverflowlab -- parser overflow comes here. | -`----------------------------------------------*/ -yyoverflowlab: - yyerror ("parser stack overflow"); - yyresult = 2; - /* Fall through. */ + yyacceptlab: + /* YYACCEPT comes here. */ + if (yyfree_stacks) + { + free (yyss); + free (yyvs); +#ifdef YYLSP_NEEDED + free (yyls); #endif + } + return 0; -yyreturn: -#ifndef yyoverflow - if (yyss != yyssa) - YYSTACK_FREE (yyss); + yyabortlab: + /* YYABORT comes here. */ + if (yyfree_stacks) + { + free (yyss); + free (yyvs); +#ifdef YYLSP_NEEDED + free (yyls); #endif - return yyresult; + } + return 1; } - - -#line 142 "parse.y" +#line 142 "../../../lib/com_err/parse.y" static long @@ -1421,4 +1064,3 @@ yyerror (char *s) { error_message ("%s\n", s); } - diff --git a/source4/heimdal/lib/com_err/parse.h b/source4/heimdal/lib/com_err/parse.h index ef7b9ba91e..07e33790d3 100644 --- a/source4/heimdal/lib/com_err/parse.h +++ b/source4/heimdal/lib/com_err/parse.h @@ -1,70 +1,15 @@ -/* A Bison parser, made by GNU Bison 2.0. */ - -/* Skeleton parser for Yacc-like parsing with Bison, - Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place - Suite 330, - Boston, MA 02111-1307, USA. */ - -/* As a special exception, when this file is copied by Bison into a - Bison output file, you may use that output file without restriction. - This special exception was added by the Free Software Foundation - in version 1.24 of Bison. */ - -/* Tokens. */ -#ifndef YYTOKENTYPE -# define YYTOKENTYPE - /* Put the tokens into the symbol table, so that GDB and other debuggers - know about them. */ - enum yytokentype { - ET = 258, - INDEX = 259, - PREFIX = 260, - EC = 261, - ID = 262, - END = 263, - STRING = 264, - NUMBER = 265 - }; -#endif -#define ET 258 -#define INDEX 259 -#define PREFIX 260 -#define EC 261 -#define ID 262 -#define END 263 -#define STRING 264 -#define NUMBER 265 - - - - -#if ! defined (YYSTYPE) && ! defined (YYSTYPE_IS_DECLARED) -#line 53 "parse.y" -typedef union YYSTYPE { +typedef union { char *string; int number; } YYSTYPE; -/* Line 1318 of yacc.c. */ -#line 62 "parse.h" -# define yystype YYSTYPE /* obsolescent; will be withdrawn */ -# define YYSTYPE_IS_DECLARED 1 -# define YYSTYPE_IS_TRIVIAL 1 -#endif - -extern YYSTYPE yylval; - +#define ET 257 +#define INDEX 258 +#define PREFIX 259 +#define EC 260 +#define ID 261 +#define END 262 +#define STRING 263 +#define NUMBER 264 +extern YYSTYPE yylval; diff --git a/source4/heimdal/lib/des/evp.c b/source4/heimdal/lib/des/evp.c index fd6ac63ec2..34480dbe7e 100644 --- a/source4/heimdal/lib/des/evp.c +++ b/source4/heimdal/lib/des/evp.c @@ -17,14 +17,19 @@ #include <md4.h> #include <md5.h> +typedef int (*evp_md_init)(EVP_MD_CTX *); +typedef int (*evp_md_update)(EVP_MD_CTX *,const void *, size_t); +typedef int (*evp_md_final)(void *, EVP_MD_CTX *); +typedef int (*evp_md_cleanup)(EVP_MD_CTX *); + struct hc_evp_md { int hash_size; int block_size; int ctx_size; - int (*init)(EVP_MD_CTX *); - int (*update)(EVP_MD_CTX *,const void *, size_t ); - int (*final)(void *, EVP_MD_CTX *); - int (*cleanup)(EVP_MD_CTX *); + evp_md_init init; + evp_md_update update; + evp_md_final final; + evp_md_cleanup cleanup; }; /* @@ -151,19 +156,18 @@ EVP_Digest(const void *data, size_t dsize, void *hash, unsigned int *hsize, * */ -static const struct hc_evp_md sha256 = { - 32, - 64, - sizeof(SHA256_CTX), - (void *)SHA256_Init, - (void *)SHA256_Update, - (void *)SHA256_Final, - NULL -}; - const EVP_MD * EVP_sha256(void) { + static const struct hc_evp_md sha256 = { + 32, + 64, + sizeof(SHA256_CTX), + (evp_md_init)SHA256_Init, + (evp_md_update)SHA256_Update, + (evp_md_final)SHA256_Final, + NULL + }; return &sha256; } @@ -171,9 +175,9 @@ static const struct hc_evp_md sha1 = { 20, 64, sizeof(SHA_CTX), - (void *)SHA1_Init, - (void *)SHA1_Update, - (void *)SHA1_Final, + (evp_md_init)SHA1_Init, + (evp_md_update)SHA1_Update, + (evp_md_final)SHA1_Final, NULL }; @@ -196,9 +200,9 @@ EVP_md5(void) 16, 64, sizeof(MD5_CTX), - (void *)MD5_Init, - (void *)MD5_Update, - (void *)MD5_Final, + (evp_md_init)MD5_Init, + (evp_md_update)MD5_Update, + (evp_md_final)MD5_Final, NULL }; return &md5; @@ -211,9 +215,9 @@ EVP_md4(void) 16, 64, sizeof(MD4_CTX), - (void *)MD4_Init, - (void *)MD4_Update, - (void *)MD4_Final, + (evp_md_init)MD4_Init, + (evp_md_update)MD4_Update, + (evp_md_final)MD4_Final, NULL }; return &md4; @@ -226,9 +230,9 @@ EVP_md2(void) 16, 16, sizeof(MD2_CTX), - (void *)MD2_Init, - (void *)MD2_Update, - (void *)MD2_Final, + (evp_md_init)MD2_Init, + (evp_md_update)MD2_Update, + (evp_md_final)MD2_Final, NULL }; return &md2; @@ -258,9 +262,9 @@ EVP_md_null(void) 0, 0, 0, - (void *)null_Init, - (void *)null_Update, - (void *)null_Final, + (evp_md_init)null_Init, + (evp_md_update)null_Update, + (evp_md_final)null_Final, NULL }; return &null; @@ -878,3 +882,24 @@ EVP_BytesToKey(const EVP_CIPHER *type, return EVP_CIPHER_key_length(type); } +/* + * + */ + +void +OpenSSL_add_all_algorithms(void) +{ + return; +} + +void +OpenSSL_add_all_algorithms_conf(void) +{ + return; +} + +void +OpenSSL_add_all_algorithms_noconf(void) +{ + return; +} diff --git a/source4/heimdal/lib/des/evp.h b/source4/heimdal/lib/des/evp.h index 17d6d5fd41..2fdf8d0765 100644 --- a/source4/heimdal/lib/des/evp.h +++ b/source4/heimdal/lib/des/evp.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: evp.h,v 1.8 2006/04/21 15:00:54 lha Exp $ */ +/* $Id: evp.h,v 1.11 2006/10/07 17:21:24 lha Exp $ */ #ifndef HEIM_EVP_H #define HEIM_EVP_H 1 @@ -89,6 +89,9 @@ #define PKCS5_PBKDF2_HMAC_SHA1 hc_PKCS5_PBKDF2_HMAC_SHA1 #define EVP_BytesToKey hc_EVP_BytesToKey #define EVP_get_cipherbyname hc_EVP_get_cipherbyname +#define OpenSSL_add_all_algorithms hc_OpenSSL_add_all_algorithms +#define OpenSSL_add_all_algorithms_conf hc_OpenSSL_add_all_algorithms_conf +#define OpenSSL_add_all_algorithms_noconf hc_OpenSSL_add_all_algorithms_noconf /* * @@ -241,4 +244,12 @@ int EVP_BytesToKey(const EVP_CIPHER *, const EVP_MD *, unsigned int, void *, void *); +/* + * + */ + +void OpenSSL_add_all_algorithms(void); +void OpenSSL_add_all_algorithms_conf(void); +void OpenSSL_add_all_algorithms_noconf(void); + #endif /* HEIM_EVP_H */ diff --git a/source4/heimdal/lib/des/hmac.c b/source4/heimdal/lib/des/hmac.c index 4bcb0defa5..848b987a90 100644 --- a/source4/heimdal/lib/des/hmac.c +++ b/source4/heimdal/lib/des/hmac.c @@ -29,8 +29,8 @@ HMAC_CTX_cleanup(HMAC_CTX *ctx) ctx->ipad = NULL; } if (ctx->ctx) { - EVP_MD_CTX_destroy(ctx->ctx); - ctx->ctx = NULL; + EVP_MD_CTX_destroy(ctx->ctx); + ctx->ctx = NULL; } } diff --git a/source4/heimdal/lib/des/rand-unix.c b/source4/heimdal/lib/des/rand-unix.c new file mode 100644 index 0000000000..a51c6c0c0d --- /dev/null +++ b/source4/heimdal/lib/des/rand-unix.c @@ -0,0 +1,153 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +RCSID("$Id: rand-unix.c,v 1.2 2006/10/21 21:09:14 lha Exp $"); + +#include <stdio.h> +#include <stdlib.h> +#include <rand.h> + +#include <roken.h> + +/* + * Unix /dev/random + */ + +static int +get_device_fd(int flags) +{ + static const char *rnd_devices[] = { + "/dev/urandom", + "/dev/random", + "/dev/srandom", + "/dev/arandom", + NULL + }; + const char **p; + + for(p = rnd_devices; *p; p++) { + int fd = open(*p, flags | O_NDELAY); + if(fd >= 0) + return fd; + } + return -1; +} + +static void +unix_seed(const void *indata, int size) +{ + int fd; + + if (size <= 0) + return; + + fd = get_device_fd(O_WRONLY); + if (fd < 0) + return; + + write(fd, indata, size); + close(fd); + +} + +static int +unix_bytes(unsigned char *outdata, int size) +{ + ssize_t count; + int fd; + + if (size <= 0) + return 0; + + fd = get_device_fd(O_RDONLY); + if (fd < 0) + return 0; + + while (size > 0) { + count = read (fd, outdata, size); + if (count < 0 && errno == EINTR) + continue; + else if (count <= 0) { + close(fd); + return 0; + } + outdata += count; + size -= count; + } + close(fd); + + return 1; +} + +static void +unix_cleanup(void) +{ +} + +static void +unix_add(const void *indata, int size, double entropi) +{ + unix_seed(indata, size); +} + +static int +unix_pseudorand(unsigned char *outdata, int size) +{ + return unix_bytes(outdata, size); +} + +static int +unix_status(void) +{ + int fd; + + fd = get_device_fd(O_RDONLY); + if (fd < 0) + return 0; + close(fd); + + return 1; +} + +const RAND_METHOD hc_rand_unix_method = { + unix_seed, + unix_bytes, + unix_cleanup, + unix_add, + unix_pseudorand, + unix_status +}; diff --git a/source4/heimdal/lib/des/rand.c b/source4/heimdal/lib/des/rand.c new file mode 100644 index 0000000000..6eb959b724 --- /dev/null +++ b/source4/heimdal/lib/des/rand.c @@ -0,0 +1,120 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +RCSID("$Id: rand.c,v 1.7 2006/10/16 10:23:01 lha Exp $"); + +#include <stdio.h> +#include <stdlib.h> +#include <rand.h> + +#include <roken.h> + +extern RAND_METHOD hc_rand_unix_method; +static const RAND_METHOD *selected_meth = &hc_rand_unix_method; + +void +RAND_seed(const void *indata, size_t size) +{ + (*selected_meth->seed)(indata, size); +} + +int +RAND_bytes(void *outdata, size_t size) +{ + return (*selected_meth->bytes)(outdata, size); +} + +void +RAND_cleanup(void) +{ + (*selected_meth->cleanup)(); +} + +void +RAND_add(const void *indata, size_t size, double entropi) +{ + (*selected_meth->add)(indata, size, entropi); +} + +int +RAND_pseudo_bytes(void *outdata, size_t size) +{ + return (*selected_meth->pseudorand)(outdata, size); +} + +int +RAND_status(void) +{ + return (*selected_meth->status)(); +} + +int +RAND_set_rand_method(const RAND_METHOD *meth) +{ + selected_meth = meth; + return 1; +} + +const RAND_METHOD * +RAND_get_rand_method(void) +{ + return selected_meth; +} + +int +RAND_set_rand_engine(ENGINE *engine) +{ + return 1; +} + +int +RAND_load_file(const char *filename, size_t size) +{ + return 1; +} + +int +RAND_write_file(const char *filename) +{ + return 1; +} + +int +RAND_egd(const char *filename) +{ + return 1; +} diff --git a/source4/heimdal/lib/des/ui.c b/source4/heimdal/lib/des/ui.c index 276367e186..25b0ad293c 100644 --- a/source4/heimdal/lib/des/ui.c +++ b/source4/heimdal/lib/des/ui.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$Id: ui.c,v 1.5 2006/01/08 21:47:29 lha Exp $"); +RCSID("$Id: ui.c,v 1.6 2006/09/22 15:45:57 lha Exp $"); #endif #include <stdio.h> @@ -53,11 +53,16 @@ intr(int sig) intr_flag++; } +#ifndef NSIG +#define NSIG 47 +#endif + static int read_string(const char *preprompt, const char *prompt, char *buf, size_t len, int echo) { - struct sigaction sigs[47]; + struct sigaction sigs[NSIG]; + int oksigs[NSIG]; struct sigaction sa; FILE *tty; int ret = 0; @@ -68,12 +73,16 @@ read_string(const char *preprompt, const char *prompt, struct termios t_new, t_old; + memset(&oksigs, 0, sizeof(oksigs)); + memset(&sa, 0, sizeof(sa)); sa.sa_handler = intr; sigemptyset(&sa.sa_mask); sa.sa_flags = 0; - for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++) - if (i != SIGALRM) sigaction(i, &sa, &sigs[i]); + for(i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++) + if (i != SIGALRM) + if (sigaction(i, &sa, &sigs[i]) == 0) + oksigs[i] = 1; if((tty = fopen("/dev/tty", "r")) == NULL) tty = stdin; @@ -114,8 +123,9 @@ read_string(const char *preprompt, const char *prompt, if(tty != stdin) fclose(tty); - for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++) - if (i != SIGALRM) sigaction(i, &sigs[i], NULL); + for(i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++) + if (oksigs[i]) + sigaction(i, &sigs[i], NULL); if(ret) return -3; diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c deleted file mode 100644 index 41a54bdab1..0000000000 --- a/source4/heimdal/lib/gssapi/accept_sec_context.c +++ /dev/null @@ -1,1176 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id: accept_sec_context.c,v 1.55 2005/11/25 15:57:35 lha Exp $"); - -HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; -krb5_keytab gssapi_krb5_keytab; - -OM_uint32 -gsskrb5_register_acceptor_identity (const char *identity) -{ - krb5_error_code ret; - - ret = gssapi_krb5_init(); - if(ret) - return GSS_S_FAILURE; - - HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - - if(gssapi_krb5_keytab != NULL) { - krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab); - gssapi_krb5_keytab = NULL; - } - if (identity == NULL) { - ret = krb5_kt_default(gssapi_krb5_context, &gssapi_krb5_keytab); - } else { - char *p; - - asprintf(&p, "FILE:%s", identity); - if(p == NULL) { - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - return GSS_S_FAILURE; - } - ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab); - free(p); - } - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - if(ret) - return GSS_S_FAILURE; - return GSS_S_COMPLETE; -} - -void -gsskrb5_is_cfx(gss_ctx_id_t context_handle, int *is_cfx) -{ - krb5_keyblock *key; - int acceptor = (context_handle->more_flags & LOCAL) == 0; - *is_cfx = 0; - - if (acceptor) { - if (context_handle->auth_context->local_subkey) - key = context_handle->auth_context->local_subkey; - else - key = context_handle->auth_context->remote_subkey; - } else { - if (context_handle->auth_context->remote_subkey) - key = context_handle->auth_context->remote_subkey; - else - key = context_handle->auth_context->local_subkey; - } - if (key == NULL) - key = context_handle->auth_context->keyblock; - - if (key == NULL) - return; - - switch (key->keytype) { - case ETYPE_DES_CBC_CRC: - case ETYPE_DES_CBC_MD4: - case ETYPE_DES_CBC_MD5: - case ETYPE_DES3_CBC_MD5: - case ETYPE_DES3_CBC_SHA1: - case ETYPE_ARCFOUR_HMAC_MD5: - case ETYPE_ARCFOUR_HMAC_MD5_56: - break; - default : - *is_cfx = 1; - if ((acceptor && context_handle->auth_context->local_subkey) || - (!acceptor && context_handle->auth_context->remote_subkey)) - context_handle->more_flags |= ACCEPTOR_SUBKEY; - break; - } -} - - -static OM_uint32 -gsskrb5_accept_delegated_token - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_cred_id_t * delegated_cred_handle) -{ - krb5_data *fwd_data = &(*context_handle)->fwd_data; - OM_uint32 *flags = &(*context_handle)->flags; - krb5_principal principal = (*context_handle)->source; - krb5_ccache ccache = NULL; - krb5_error_code kret; - int32_t ac_flags, ret = GSS_S_COMPLETE; - - *minor_status = 0; - - /* XXX Create a new delegated_cred_handle? */ - if (delegated_cred_handle == NULL) - kret = krb5_cc_default (gssapi_krb5_context, &ccache); - else - kret = krb5_cc_gen_new (gssapi_krb5_context, &krb5_mcc_ops, &ccache); - if (kret) { - *flags &= ~GSS_C_DELEG_FLAG; - goto out; - } - - kret = krb5_cc_initialize(gssapi_krb5_context, ccache, principal); - if (kret) { - *flags &= ~GSS_C_DELEG_FLAG; - goto out; - } - - krb5_auth_con_removeflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_TIME, - &ac_flags); - kret = krb5_rd_cred2(gssapi_krb5_context, - (*context_handle)->auth_context, - ccache, - fwd_data); - if (kret) - gssapi_krb5_set_error_string(); - krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - ac_flags); - if (kret) { - *flags &= ~GSS_C_DELEG_FLAG; - ret = GSS_S_FAILURE; - *minor_status = kret; - goto out; - } - - if (delegated_cred_handle) { - ret = gss_krb5_import_cred(minor_status, - ccache, - NULL, - NULL, - delegated_cred_handle); - if (ret != GSS_S_COMPLETE) - goto out; - - (*delegated_cred_handle)->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; - ccache = NULL; - } - -out: - if (ccache) { - if (delegated_cred_handle == NULL) - krb5_cc_close(gssapi_krb5_context, ccache); - else - krb5_cc_destroy(gssapi_krb5_context, ccache); - } - return ret; -} - -static OM_uint32 -gsskrb5_acceptor_ready( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_cred_id_t * delegated_cred_handle) -{ - OM_uint32 ret; - int32_t seq_number; - int is_cfx = 0; - OM_uint32 *flags = &(*context_handle)->flags; - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - (*context_handle)->auth_context, - &seq_number); - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - ret = _gssapi_msg_order_create(minor_status, - &(*context_handle)->order, - _gssapi_msg_order_f(*flags), - seq_number, 0, is_cfx); - if (ret) return ret; - - if (!(*flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(*flags)) { - krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - seq_number); - } - - /* - * We should handle the delegation ticket, in case it's there - */ - if ((*context_handle)->fwd_data.length > 0 && (*flags & GSS_C_DELEG_FLAG)) { - ret = gsskrb5_accept_delegated_token(minor_status, - context_handle, - delegated_cred_handle); - if (ret) return ret; - } else { - /* Well, looks like it wasn't there after all */ - *flags &= ~GSS_C_DELEG_FLAG; - } - - (*context_handle)->state = ACCEPTOR_READY; - (*context_handle)->more_flags |= OPEN; - - return GSS_S_COMPLETE; -} -static OM_uint32 -gsskrb5_acceptor_start - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - krb5_error_code kret; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data indata; - krb5_flags ap_options; - OM_uint32 flags; - krb5_ticket *ticket = NULL; - krb5_keytab keytab = NULL; - krb5_keyblock *keyblock = NULL; - int is_cfx = 0; - - krb5_data_zero (&(*context_handle)->fwd_data); - - /* - * We may, or may not, have an escapsulation. - */ - ret = gssapi_krb5_decapsulate (minor_status, - input_token_buffer, - &indata, - "\x01\x00", - GSS_KRB5_MECHANISM); - - if (ret) { - /* No OID wrapping apparently available. */ - indata.length = input_token_buffer->length; - indata.data = input_token_buffer->value; - } - - /* - * We need to get our keytab - */ - if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { - if (gssapi_krb5_keytab != NULL) { - keytab = gssapi_krb5_keytab; - } - } else if (acceptor_cred_handle->keytab != NULL) { - keytab = acceptor_cred_handle->keytab; - } - - /* - * We need to check the ticket and create the AP-REP packet - */ - kret = krb5_rd_req_return_keyblock(gssapi_krb5_context, - &(*context_handle)->auth_context, - &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred_handle->principal, - keytab, - &ap_options, - &ticket, - &keyblock); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - return ret; - } - - /* - * We need to remember some data on the context_handle - */ - (*context_handle)->ticket = ticket; - (*context_handle)->service_keyblock = keyblock; - (*context_handle)->lifetime = ticket->ticket.endtime; - - /* - * We need to copy the principal names to the context and the calling layer - */ - kret = krb5_copy_principal(gssapi_krb5_context, - ticket->client, - &(*context_handle)->source); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - } - - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->server, - &(*context_handle)->target); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - return ret; - } - - /* - * We need to setup some compat stuff, this assumes that context_handle->target is already set - */ - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) { - return ret; - } - - if (src_name != NULL) { - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->client, - src_name); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - return ret; - } - } - - /* - * We need to get the flags out of the 8003 checksum - */ - { - krb5_authenticator authenticator; - - kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, - (*context_handle)->auth_context, - &authenticator); - if(kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - return ret; - } - - if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { - ret = gssapi_krb5_verify_8003_checksum(minor_status, - input_chan_bindings, - authenticator->cksum, - &flags, - &(*context_handle)->fwd_data); - - krb5_free_authenticator(gssapi_krb5_context, &authenticator); - if (ret) { - return ret; - } - } else { - krb5_crypto crypto; - - kret = krb5_crypto_init(gssapi_krb5_context, - (*context_handle)->auth_context->keyblock, - 0, &crypto); - if(kret) { - krb5_free_authenticator(gssapi_krb5_context, &authenticator); - - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - return ret; - } - - /* Windows accepts Samba3's use of a kerberos, - rather than GSSAPI checksum here */ - kret = krb5_verify_checksum(gssapi_krb5_context, - crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0, - authenticator->cksum); - krb5_free_authenticator(gssapi_krb5_context, &authenticator); - krb5_crypto_destroy(gssapi_krb5_context, crypto); - - if(kret) { - ret = GSS_S_BAD_SIG; - *minor_status = kret; - gssapi_krb5_set_error_string (); - return ret; - } - - flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; - } - } - - if(flags & GSS_C_MUTUAL_FLAG) { - krb5_data outbuf; - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - if (is_cfx != 0 - || (ap_options & AP_OPTS_USE_SUBKEY)) { - kret = krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_USE_SUBKEY, - NULL); - (*context_handle)->more_flags |= ACCEPTOR_SUBKEY; - } - - kret = krb5_mk_rep(gssapi_krb5_context, - (*context_handle)->auth_context, - &outbuf); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - - if (!(flags & GSS_C_DCE_STYLE)) { - ret = gssapi_krb5_encapsulate(minor_status, - &outbuf, - output_token, - "\x02\x00", - GSS_KRB5_MECHANISM); - krb5_data_free (&outbuf); - if (ret) { - return ret; - } - } else { - output_token->length = outbuf.length; - output_token->value = outbuf.data; - } - } - - flags |= GSS_C_TRANS_FLAG; - - /* Remember the flags */ - - (*context_handle)->lifetime = ticket->ticket.endtime; - (*context_handle)->flags = flags; - (*context_handle)->more_flags |= OPEN; - - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - time_rec); - if (ret) { - return ret; - } - } - - /* - * When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from the client - */ - if (flags & GSS_C_DCE_STYLE) { - if (ret_flags) { - /* Return flags to caller, but we haven't processed delgations yet */ - *ret_flags = flags & ~GSS_C_DELEG_FLAG; - } - - (*context_handle)->state = ACCEPTOR_WAIT_FOR_DCESTYLE; - return GSS_S_CONTINUE_NEEDED; - } - - ret = gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle); - - /* - * We need to send the flags back to the caller - */ - - *ret_flags = (*context_handle)->flags; - return ret; -} - -static OM_uint32 -gsskrb5_acceptor_wait_for_dcestyle( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) -{ - OM_uint32 ret; - krb5_error_code kret; - krb5_data inbuf; - OM_uint32 r_seq_number; - OM_uint32 l_seq_number; - - /* We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP */ - inbuf.length = input_token_buffer->length; - inbuf.data = input_token_buffer->value; - - /* - * We need to remeber the old remote seq_number, then check if the client has replied with our local seq_number, - * and then reset the remote seq_number to the old value - */ - { - kret = krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - &l_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_auth_getremoteseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - &r_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_auth_con_setremoteseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - l_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - /* We need to verify the AP_REP, but we need to flag that this - is DCE_STYLE, so don't check the timestamps this time - */ - { - krb5_ap_rep_enc_part *repl; - int32_t auth_flags; - - kret = krb5_auth_con_removeflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_TIME, &auth_flags); - if (kret) { /* Can't happen */ - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_rd_rep(gssapi_krb5_context, - (*context_handle)->auth_context, - &inbuf, - &repl); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - /* Because the inbuf above is a final leg from client - * to server, we don't have a use for a 'reply' - * here */ - krb5_free_ap_rep_enc_part(gssapi_krb5_context, repl); - - /* Do no harm, put the flags back */ - kret = krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - auth_flags); - if (kret) { /* Can't happen */ - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - /* We need to check the liftime */ - { - OM_uint32 lifetime_rec; - - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - &lifetime_rec); - if (ret) { - return ret; - } - if (lifetime_rec == 0) { - return GSS_S_CONTEXT_EXPIRED; - } - - if (time_rec) *time_rec = lifetime_rec; - } - - /* We need to give the caller the flags which are in use */ - if (ret_flags) *ret_flags = (*context_handle)->flags; - - if (src_name) { - kret = krb5_copy_principal(gssapi_krb5_context, - (*context_handle)->source, - src_name); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - } - - /* - * After the krb5_rd_rep() the remote and local seq_number should be the same, - * because the client just replies the seq_number from our AP-REP in its AP-REP, - * but then the client uses the seq_number from its AP-REQ for GSS_wrap() - */ - { - OM_uint32 tmp_r_seq_number; - OM_uint32 tmp_l_seq_number; - - kret = krb5_auth_getremoteseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - &tmp_r_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - &tmp_l_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - /* - * Here we check if the client has responsed with our local seq_number, - */ - if (tmp_r_seq_number != tmp_l_seq_number) { - return GSS_S_UNSEQ_TOKEN; - } - } - - /* - * We need to reset the remote seq_number, because the client will use, - * the old one for the GSS_wrap() calls - */ - { - kret = krb5_auth_con_setremoteseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - r_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - return gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle); -} - -static OM_uint32 -gsskrb5_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data fwd_data; - gss_ctx_id_t local_context; - OM_uint32 minor_status2; - GSSAPI_KRB5_INIT(); - - krb5_data_zero (&fwd_data); - output_token->length = 0; - output_token->value = NULL; - - if (src_name != NULL) - *src_name = NULL; - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (*context_handle == GSS_C_NO_CONTEXT) { - ret = _gsskrb5_create_ctx(minor_status, - &local_context, - input_chan_bindings, - ACCEPTOR_START); - if (ret) return ret; - } else { - local_context = *context_handle; - } - - /* - * TODO: check the channel_bindings - * (above just sets them to krb5 layer) - */ - - HEIMDAL_MUTEX_lock(&(local_context)->ctx_id_mutex); - - switch ((local_context)->state) { - case ACCEPTOR_START: - ret = gsskrb5_acceptor_start(minor_status, - &local_context, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - break; - case ACCEPTOR_WAIT_FOR_DCESTYLE: - ret = gsskrb5_acceptor_wait_for_dcestyle(minor_status, - &local_context, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - break; - case ACCEPTOR_READY: - /* this function should not be called after it has returned GSS_S_COMPLETE */ - ret = GSS_S_BAD_STATUS; - break; - default: - /* TODO: is this correct here? --metze */ - ret = GSS_S_BAD_STATUS; - break; - } - - HEIMDAL_MUTEX_unlock(&(local_context)->ctx_id_mutex); - - if (*context_handle == GSS_C_NO_CONTEXT) { - if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { - *context_handle = local_context; - } else { - gss_delete_sec_context(&minor_status2, - &local_context, - NULL); - } - } - - return ret; -} - -static OM_uint32 -code_NegTokenArg(OM_uint32 *minor_status, - const NegTokenTarg *targ, - krb5_data *data, - u_char **ret_buf) -{ - OM_uint32 ret; - u_char *buf; - size_t buf_size, buf_len; - - buf_size = 1024; - buf = malloc(buf_size); - if (buf == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - do { - ret = encode_NegTokenTarg(buf + buf_size - 1, - buf_size, - targ, &buf_len); - if (ret == 0) { - size_t tmp; - - ret = der_put_length_and_tag(buf + buf_size - buf_len - 1, - buf_size - buf_len, - buf_len, - ASN1_C_CONTEXT, - CONS, - 1, - &tmp); - if (ret == 0) - buf_len += tmp; - } - if (ret) { - if (ret == ASN1_OVERFLOW) { - u_char *tmp; - - buf_size *= 2; - tmp = realloc (buf, buf_size); - if (tmp == NULL) { - *minor_status = ENOMEM; - free(buf); - return GSS_S_FAILURE; - } - buf = tmp; - } else { - *minor_status = ret; - free(buf); - return GSS_S_FAILURE; - } - } - } while (ret == ASN1_OVERFLOW); - - data->data = buf + buf_size - buf_len; - data->length = buf_len; - *ret_buf = buf; - return GSS_S_COMPLETE; -} - -static OM_uint32 -send_reject (OM_uint32 *minor_status, - gss_buffer_t output_token) -{ - NegTokenTarg targ; - krb5_data data; - u_char *buf; - OM_uint32 ret; - - ALLOC(targ.negResult, 1); - if (targ.negResult == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - *(targ.negResult) = reject; - targ.supportedMech = NULL; - targ.responseToken = NULL; - targ.mechListMIC = NULL; - - ret = code_NegTokenArg (minor_status, &targ, &data, &buf); - free_NegTokenTarg(&targ); - if (ret) - return ret; - -#if 0 - ret = _gssapi_encapsulate(minor_status, - &data, - output_token, - GSS_SPNEGO_MECHANISM); -#else - output_token->value = malloc(data.length); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - ret = GSS_S_FAILURE; - } else { - output_token->length = data.length; - memcpy(output_token->value, data.data, output_token->length); - } -#endif - free(buf); - if (ret) - return ret; - return GSS_S_BAD_MECH; -} - -static OM_uint32 -send_accept (OM_uint32 *minor_status, - OM_uint32 major_status, - gss_buffer_t output_token, - gss_buffer_t mech_token, - gss_ctx_id_t context_handle, - const MechTypeList *mechtypelist) -{ - NegTokenTarg targ; - krb5_data data; - u_char *buf; - OM_uint32 ret; - gss_buffer_desc mech_buf, mech_mic_buf; - krb5_boolean require_mic; - - memset(&targ, 0, sizeof(targ)); - ALLOC(targ.negResult, 1); - if (targ.negResult == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - *(targ.negResult) = accept_completed; - - ALLOC(targ.supportedMech, 1); - if (targ.supportedMech == NULL) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ret = der_get_oid(GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length, - targ.supportedMech, - NULL); - if (ret) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - if (mech_token != NULL && mech_token->length != 0) { - ALLOC(targ.responseToken, 1); - if (targ.responseToken == NULL) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - targ.responseToken->length = mech_token->length; - targ.responseToken->data = mech_token->value; - mech_token->length = 0; - mech_token->value = NULL; - } else { - targ.responseToken = NULL; - } - - ret = _gss_spnego_require_mechlist_mic(minor_status, context_handle, - &require_mic); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - if (major_status == GSS_S_COMPLETE && require_mic) { - size_t buf_len; - - ALLOC(targ.mechListMIC, 1); - if (targ.mechListMIC == NULL) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length, - mechtypelist, &buf_len, ret); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - if (mech_buf.length != buf_len) - abort(); - - ret = gss_get_mic(minor_status, context_handle, 0, &mech_buf, - &mech_mic_buf); - free (mech_buf.value); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - targ.mechListMIC->length = mech_mic_buf.length; - targ.mechListMIC->data = mech_mic_buf.value; - } else - targ.mechListMIC = NULL; - - ret = code_NegTokenArg (minor_status, &targ, &data, &buf); - free_NegTokenTarg(&targ); - if (ret) - return ret; - -#if 0 - ret = _gssapi_encapsulate(minor_status, - &data, - output_token, - GSS_SPNEGO_MECHANISM); -#else - output_token->value = malloc(data.length); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - ret = GSS_S_FAILURE; - } else { - output_token->length = data.length; - memcpy(output_token->value, data.data, output_token->length); - } -#endif - free(buf); - if (ret) - return ret; - return GSS_S_COMPLETE; -} - -static OM_uint32 -spnego_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - OM_uint32 ret, ret2; - NegTokenInit ni; - size_t ni_len; - int i; - int found = 0; - krb5_data data; - size_t len, taglen; - - output_token->length = 0; - output_token->value = NULL; - - ret = _gssapi_decapsulate (minor_status, - input_token_buffer, - &data, - GSS_SPNEGO_MECHANISM); - if (ret) - return ret; - - ret = der_match_tag_and_length(data.data, data.length, - ASN1_C_CONTEXT, CONS, 0, &len, &taglen); - if (ret) - return ret; - - if(len > data.length - taglen) - return ASN1_OVERRUN; - - ret = decode_NegTokenInit((const unsigned char *)data.data + taglen, len, - &ni, &ni_len); - if (ret) - return GSS_S_DEFECTIVE_TOKEN; - - if (ni.mechTypes == NULL) { - free_NegTokenInit(&ni); - return send_reject (minor_status, output_token); - } - - for (i = 0; !found && i < ni.mechTypes->len; ++i) { - unsigned char mechbuf[17]; - size_t mech_len; - - ret = der_put_oid (mechbuf + sizeof(mechbuf) - 1, - sizeof(mechbuf), - &ni.mechTypes->val[i], - &mech_len); - if (ret) { - free_NegTokenInit(&ni); - return GSS_S_DEFECTIVE_TOKEN; - } - if (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(GSS_KRB5_MECHANISM->elements, - mechbuf + sizeof(mechbuf) - mech_len, - mech_len) == 0) - found = 1; - } - if (found) { - gss_buffer_desc ibuf, obuf; - gss_buffer_t ot = NULL; - OM_uint32 minor; - - if (ni.mechToken != NULL) { - ibuf.length = ni.mechToken->length; - ibuf.value = ni.mechToken->data; - - ret = gsskrb5_accept_sec_context(&minor, - context_handle, - acceptor_cred_handle, - &ibuf, - input_chan_bindings, - src_name, - mech_type, - &obuf, - ret_flags, - time_rec, - delegated_cred_handle); - if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { - ot = &obuf; - } else { - free_NegTokenInit(&ni); - send_reject (minor_status, output_token); - return ret; - } - } - ret2 = send_accept (minor_status, ret, output_token, ot, - *context_handle, ni.mechTypes); - if (ret2 != GSS_S_COMPLETE) - ret = ret2; - if (ot != NULL) - gss_release_buffer(&minor, ot); - free_NegTokenInit(&ni); - return ret; - } else { - free_NegTokenInit(&ni); - return send_reject (minor_status, output_token); - } -} - -OM_uint32 -gss_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - OM_uint32 ret; - ssize_t mech_len; - const u_char *p; - - *minor_status = 0; - - mech_len = gssapi_krb5_get_mech (input_token_buffer->value, - input_token_buffer->length, - &p); - - /* This could be 'dce style' kerberos, where the OID is missing :-( */ - if ((mech_len < 0) || ((mech_len == GSS_KRB5_MECHANISM->length) - && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_len) == 0)) - ret = gsskrb5_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - else if (mech_len == GSS_SPNEGO_MECHANISM->length - && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_len) == 0) - ret = spnego_accept_sec_context(minor_status, - context_handle, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - else - return GSS_S_BAD_MECH; - - return ret; -} diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h index eac2737f43..340b35377d 100644 --- a/source4/heimdal/lib/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * Copyright (c) 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,802 +31,11 @@ * SUCH DAMAGE. */ -/* $Id: gssapi.h,v 1.40 2006/05/05 11:08:29 lha Exp $ */ +/* $Id: gssapi.h,v 1.50 2006/10/07 20:57:15 lha Exp $ */ #ifndef GSSAPI_H_ #define GSSAPI_H_ -/* - * First, include stddef.h to get size_t defined. - */ -#include <stddef.h> - -#include <krb5-types.h> - -/* - * Now define the three implementation-dependent types. - */ - -typedef uint32_t OM_uint32; - -typedef uint32_t gss_uint32; - -/* - * This is to avoid having to include <krb5.h> - */ - -struct krb5_auth_context_data; - -struct Principal; - -/* typedef void *gss_name_t; */ - -typedef struct Principal *gss_name_t; - -struct gss_ctx_id_t_desc_struct; -typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t; - -typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; -} gss_OID_desc, *gss_OID; - -typedef struct gss_OID_set_desc_struct { - size_t count; - gss_OID elements; -} gss_OID_set_desc, *gss_OID_set; - -struct krb5_keytab_data; - -struct krb5_ccache_data; - -typedef int gss_cred_usage_t; - -struct gss_cred_id_t_desc_struct; -typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t; - -typedef struct gss_buffer_desc_struct { - size_t length; - void *value; -} gss_buffer_desc, *gss_buffer_t; - -typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; -} *gss_channel_bindings_t; - -/* - * For now, define a QOP-type as an OM_uint32 - */ -typedef OM_uint32 gss_qop_t; - -/* - * Flag bits for context-level services. - */ -#define GSS_C_DELEG_FLAG 1 /* 0x00000001 */ -#define GSS_C_MUTUAL_FLAG 2 /* 0x00000002 */ -#define GSS_C_REPLAY_FLAG 4 /* 0x00000004 */ -#define GSS_C_SEQUENCE_FLAG 8 /* 0x00000008 */ -#define GSS_C_CONF_FLAG 16 /* 0x00000010 */ -#define GSS_C_INTEG_FLAG 32 /* 0x00000020 */ -#define GSS_C_ANON_FLAG 64 /* 0x00000040 */ -#define GSS_C_PROT_READY_FLAG 128 /* 0x00000080 */ -#define GSS_C_TRANS_FLAG 256 /* 0x00000100 */ - -/* these are from draft-brezak-win2k-krb-rc4-hmac-04.txt */ -#define GSS_C_DCE_STYLE 4096 /* 0x00001000 */ -#define GSS_C_IDENTIFY_FLAG 8192 /* 0x00002000 */ -#define GSS_C_EXTENDED_ERROR_FLAG 16384 /* 0x00004000 */ - -/* - * Credential usage options - */ -#define GSS_C_BOTH 0 -#define GSS_C_INITIATE 1 -#define GSS_C_ACCEPT 2 - -/* - * Status code types for gss_display_status - */ -#define GSS_C_GSS_CODE 1 -#define GSS_C_MECH_CODE 2 - -/* - * The constant definitions for channel-bindings address families - */ -#define GSS_C_AF_UNSPEC 0 -#define GSS_C_AF_LOCAL 1 -#define GSS_C_AF_INET 2 -#define GSS_C_AF_IMPLINK 3 -#define GSS_C_AF_PUP 4 -#define GSS_C_AF_CHAOS 5 -#define GSS_C_AF_NS 6 -#define GSS_C_AF_NBS 7 -#define GSS_C_AF_ECMA 8 -#define GSS_C_AF_DATAKIT 9 -#define GSS_C_AF_CCITT 10 -#define GSS_C_AF_SNA 11 -#define GSS_C_AF_DECnet 12 -#define GSS_C_AF_DLI 13 -#define GSS_C_AF_LAT 14 -#define GSS_C_AF_HYLINK 15 -#define GSS_C_AF_APPLETALK 16 -#define GSS_C_AF_BSC 17 -#define GSS_C_AF_DSS 18 -#define GSS_C_AF_OSI 19 -#define GSS_C_AF_X25 21 -#define GSS_C_AF_INET6 24 - -#define GSS_C_AF_NULLADDR 255 - -/* - * Various Null values - */ -#define GSS_C_NO_NAME ((gss_name_t) 0) -#define GSS_C_NO_BUFFER ((gss_buffer_t) 0) -#define GSS_C_NO_OID ((gss_OID) 0) -#define GSS_C_NO_OID_SET ((gss_OID_set) 0) -#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) -#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) -#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) -#define GSS_C_EMPTY_BUFFER {0, NULL} - -/* - * Some alternate names for a couple of the above - * values. These are defined for V1 compatibility. - */ -#define GSS_C_NULL_OID GSS_C_NO_OID -#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET - -/* - * Define the default Quality of Protection for per-message - * services. Note that an implementation that offers multiple - * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero - * (as done here) to mean "default protection", or to a specific - * explicit QOP value. However, a value of 0 should always be - * interpreted by a GSSAPI implementation as a request for the - * default protection level. - */ -#define GSS_C_QOP_DEFAULT 0 - -#define GSS_KRB5_CONF_C_QOP_DES 0x0100 -#define GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 - -/* - * Expiration time of 2^32-1 seconds means infinite lifetime for a - * credential or security context - */ -#define GSS_C_INDEFINITE 0xfffffffful - -#ifdef __cplusplus -extern "C" { -#endif - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x01"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant - * GSS_C_NT_USER_NAME should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_USER_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x02"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. - * The constant GSS_C_NT_MACHINE_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_MACHINE_UID_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x03"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. - * The constant GSS_C_NT_STRING_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_STRING_UID_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, - * corresponding to an object-identifier value of - * {iso(1) org(3) dod(6) internet(1) security(5) - * nametypes(6) gss-host-based-services(2)). The constant - * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point - * to that gss_OID_desc. This is a deprecated OID value, and - * implementations wishing to support hostbased-service names - * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, - * defined below, to identify such names; - * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym - * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input - * parameter, but should not be emitted by GSS-API - * implementations - */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x04"}, corresponding to an - * object-identifier value of {iso(1) member-body(2) - * Unites States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) service_name(4)}. The constant - * GSS_C_NT_HOSTBASED_SERVICE should be initialized - * to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, - * corresponding to an object identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 3(gss-anonymous-name)}. The constant - * and GSS_C_NT_ANONYMOUS should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_ANONYMOUS; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 4(gss-api-exported-name)}. The constant - * GSS_C_NT_EXPORT_NAME should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_EXPORT_NAME; - -/* - * RFC2478, SPNEGO: - * The security mechanism of the initial - * negotiation token is identified by the Object Identifier - * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). - */ -extern gss_OID GSS_SPNEGO_MECHANISM; - -/* - * This if for kerberos5 names. - */ - -extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME; -extern gss_OID GSS_KRB5_NT_USER_NAME; -extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME; -extern gss_OID GSS_KRB5_NT_STRING_UID_NAME; - -extern gss_OID GSS_KRB5_MECHANISM; - -/* for compatibility with MIT api */ - -#define gss_mech_krb5 GSS_KRB5_MECHANISM -#define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME +#include <gssapi/gssapi.h> -/* Major status codes */ - -#define GSS_S_COMPLETE 0 - -/* - * Some "helper" definitions to make the status code macros obvious. - */ -#define GSS_C_CALLING_ERROR_OFFSET 24 -#define GSS_C_ROUTINE_ERROR_OFFSET 16 -#define GSS_C_SUPPLEMENTARY_OFFSET 0 -#define GSS_C_CALLING_ERROR_MASK 0377ul -#define GSS_C_ROUTINE_ERROR_MASK 0377ul -#define GSS_C_SUPPLEMENTARY_MASK 0177777ul - -/* - * The macros that test status codes for error conditions. - * Note that the GSS_ERROR() macro has changed slightly from - * the V1 GSSAPI so that it now evaluates its argument - * only once. - */ -#define GSS_CALLING_ERROR(x) \ - (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) -#define GSS_ROUTINE_ERROR(x) \ - (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) -#define GSS_SUPPLEMENTARY_INFO(x) \ - (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) -#define GSS_ERROR(x) \ - (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ - (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) - -/* - * Now the actual status code definitions - */ - -/* - * Calling errors: - */ -#define GSS_S_CALL_INACCESSIBLE_READ \ - (1ul << GSS_C_CALLING_ERROR_OFFSET) -#define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2ul << GSS_C_CALLING_ERROR_OFFSET) -#define GSS_S_CALL_BAD_STRUCTURE \ - (3ul << GSS_C_CALLING_ERROR_OFFSET) - -/* - * Routine errors: - */ -#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) - -#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_MIC GSS_S_BAD_SIG -#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET) - -/* - * Supplementary info bits: - */ -#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) -#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) -#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) -#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) -#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) - -/* - * From RFC1964: - * - * 4.1.1. Non-Kerberos-specific codes - */ - -#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1 - /* "No @ in SERVICE-NAME name string" */ -#define GSS_KRB5_S_G_BAD_STRING_UID 2 - /* "STRING-UID-NAME contains nondigits" */ -#define GSS_KRB5_S_G_NOUSER 3 - /* "UID does not resolve to username" */ -#define GSS_KRB5_S_G_VALIDATE_FAILED 4 - /* "Validation error" */ -#define GSS_KRB5_S_G_BUFFER_ALLOC 5 - /* "Couldn't allocate gss_buffer_t data" */ -#define GSS_KRB5_S_G_BAD_MSG_CTX 6 - /* "Message context invalid" */ -#define GSS_KRB5_S_G_WRONG_SIZE 7 - /* "Buffer is the wrong size" */ -#define GSS_KRB5_S_G_BAD_USAGE 8 - /* "Credential usage type is unknown" */ -#define GSS_KRB5_S_G_UNKNOWN_QOP 9 - /* "Unknown quality of protection specified" */ - - /* - * 4.1.2. Kerberos-specific-codes - */ - -#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10 - /* "Principal in credential cache does not match desired name" */ -#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11 - /* "No principal in keytab matches desired name" */ -#define GSS_KRB5_S_KG_TGT_MISSING 12 - /* "Credential cache has no TGT" */ -#define GSS_KRB5_S_KG_NO_SUBKEY 13 - /* "Authenticator has no subkey" */ -#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14 - /* "Context is already fully established" */ -#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15 - /* "Unknown signature type in token" */ -#define GSS_KRB5_S_KG_BAD_LENGTH 16 - /* "Invalid field length in token" */ -#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17 - /* "Attempt to use incomplete security context" */ - -/* - * Finally, function prototypes for the GSS-API routines. - */ - - -OM_uint32 gss_acquire_cred - (OM_uint32 * /*minor_status*/, - const gss_name_t /*desired_name*/, - OM_uint32 /*time_req*/, - const gss_OID_set /*desired_mechs*/, - gss_cred_usage_t /*cred_usage*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_release_cred - (OM_uint32 * /*minor_status*/, - gss_cred_id_t * /*cred_handle*/ - ); - -OM_uint32 gss_init_sec_context - (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*initiator_cred_handle*/, - gss_ctx_id_t * /*context_handle*/, - const gss_name_t /*target_name*/, - const gss_OID /*mech_type*/, - OM_uint32 /*req_flags*/, - OM_uint32 /*time_req*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - const gss_buffer_t /*input_token*/, - gss_OID * /*actual_mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_accept_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - const gss_cred_id_t /*acceptor_cred_handle*/, - const gss_buffer_t /*input_token_buffer*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - gss_name_t * /*src_name*/, - gss_OID * /*mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/, - gss_cred_id_t * /*delegated_cred_handle*/ - ); - -OM_uint32 gss_process_context_token - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*token_buffer*/ - ); - -OM_uint32 gss_delete_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*output_token*/ - ); - -OM_uint32 gss_context_time - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_get_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/ - ); - -OM_uint32 gss_verify_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*message_buffer*/, - const gss_buffer_t /*token_buffer*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_wrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/ - ); - -OM_uint32 gss_unwrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_display_status - (OM_uint32 * /*minor_status*/, - OM_uint32 /*status_value*/, - int /*status_type*/, - const gss_OID /*mech_type*/, - OM_uint32 * /*message_context*/, - gss_buffer_t /*status_string*/ - ); - -OM_uint32 gss_indicate_mechs - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*mech_set*/ - ); - -OM_uint32 gss_compare_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*name1*/, - const gss_name_t /*name2*/, - int * /*name_equal*/ - ); - -OM_uint32 gss_display_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*output_name_buffer*/, - gss_OID * /*output_name_type*/ - ); - -OM_uint32 gss_import_name - (OM_uint32 * /*minor_status*/, - const gss_buffer_t /*input_name_buffer*/, - const gss_OID /*input_name_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_export_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*exported_name*/ - ); - -OM_uint32 gss_release_name - (OM_uint32 * /*minor_status*/, - gss_name_t * /*input_name*/ - ); - -OM_uint32 gss_release_buffer - (OM_uint32 * /*minor_status*/, - gss_buffer_t /*buffer*/ - ); - -OM_uint32 gss_release_oid_set - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*set*/ - ); - -OM_uint32 gss_inquire_cred - (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - gss_name_t * /*name*/, - OM_uint32 * /*lifetime*/, - gss_cred_usage_t * /*cred_usage*/, - gss_OID_set * /*mechanisms*/ - ); - -OM_uint32 gss_inquire_context ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_name_t * /*src_name*/, - gss_name_t * /*targ_name*/, - OM_uint32 * /*lifetime_rec*/, - gss_OID * /*mech_type*/, - OM_uint32 * /*ctx_flags*/, - int * /*locally_initiated*/, - int * /*open_context*/ - ); - -OM_uint32 gsskrb5_wrap_size ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - OM_uint32 /*req_input_size*/, - OM_uint32 * /*output_size*/ - ); - -OM_uint32 gss_wrap_size_limit ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - OM_uint32 /*req_output_size*/, - OM_uint32 * /*max_input_size*/ - ); - -OM_uint32 gss_add_cred ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*input_cred_handle*/, - const gss_name_t /*desired_name*/, - const gss_OID /*desired_mech*/, - gss_cred_usage_t /*cred_usage*/, - OM_uint32 /*initiator_time_req*/, - OM_uint32 /*acceptor_time_req*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*initiator_time_rec*/, - OM_uint32 * /*acceptor_time_rec*/ - ); - -OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - const gss_OID /*mech_type*/, - gss_name_t * /*name*/, - OM_uint32 * /*initiator_lifetime*/, - OM_uint32 * /*acceptor_lifetime*/, - gss_cred_usage_t * /*cred_usage*/ - ); - -OM_uint32 gss_export_sec_context ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*interprocess_token*/ - ); - -OM_uint32 gss_import_sec_context ( - OM_uint32 * /*minor_status*/, - const gss_buffer_t /*interprocess_token*/, - gss_ctx_id_t * /*context_handle*/ - ); - -OM_uint32 gss_create_empty_oid_set ( - OM_uint32 * /*minor_status*/, - gss_OID_set * /*oid_set*/ - ); - -OM_uint32 gss_add_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member_oid*/, - gss_OID_set * /*oid_set*/ - ); - -OM_uint32 gss_test_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member*/, - const gss_OID_set /*set*/, - int * /*present*/ - ); - -OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 * /*minor_status*/, - const gss_OID /*mechanism*/, - gss_OID_set * /*name_types*/ - ); - -OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_OID_set * /*mech_types*/ - ); - -OM_uint32 gss_canonicalize_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - const gss_OID /*mech_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_duplicate_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*src_name*/, - gss_name_t * /*dest_name*/ - ); - -/* - * The following routines are obsolete variants of gss_get_mic, - * gss_verify_mic, gss_wrap and gss_unwrap. They should be - * provided by GSSAPI V2 implementations for backwards - * compatibility with V1 applications. Distinct entrypoints - * (as opposed to #defines) should be provided, both to allow - * GSSAPI V1 applications to link against GSSAPI V2 implementations, - * and to retain the slight parameter type differences between the - * obsolete versions of these routines and their current forms. - */ - -OM_uint32 gss_sign - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*qop_req*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/ - ); - -OM_uint32 gss_verify - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t /*token_buffer*/, - int * /*qop_state*/ - ); - -OM_uint32 gss_seal - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - int /*qop_req*/, - gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/ - ); - -OM_uint32 gss_unseal - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - int * /*qop_state*/ - ); - -/* - * kerberos mechanism specific functions - */ - -OM_uint32 -gss_krb5_ccache_name(OM_uint32 * /*minor_status*/, - const char * /*name */, - const char ** /*out_name */); - -OM_uint32 gsskrb5_register_acceptor_identity - (const char */*identity*/); - -OM_uint32 gss_krb5_copy_ccache - (OM_uint32 */*minor*/, - gss_cred_id_t /*cred*/, - struct krb5_ccache_data */*out*/); - -OM_uint32 gss_krb5_copy_service_keyblock - (OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - struct EncryptionKey **out); - -OM_uint32 gss_krb5_import_cred(OM_uint32 *minor_status, - struct krb5_ccache_data * /* id */, - struct Principal * /* keytab_principal */, - struct krb5_keytab_data * /* keytab */, - gss_cred_id_t */* cred */); - -OM_uint32 gss_krb5_get_tkt_flags - (OM_uint32 */*minor*/, - gss_ctx_id_t /*context_handle*/, - OM_uint32 */*tkt_flags*/); - -OM_uint32 -gsskrb5_extract_authz_data_from_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*ad_type*/, - gss_buffer_t /*ad_data*/); -OM_uint32 -gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - time_t *authtime); -OM_uint32 -gsskrb5_get_initiator_subkey - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t context_handle, - gss_buffer_t /* subkey */); - -#define GSS_C_KRB5_COMPAT_DES3_MIC 1 - -OM_uint32 -gss_krb5_compat_des3_mic(OM_uint32 *, gss_ctx_id_t, int); - -#ifdef __cplusplus -} #endif - -#endif /* GSSAPI_H_ */ diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi/gssapi.h new file mode 100644 index 0000000000..238907653e --- /dev/null +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi.h @@ -0,0 +1,837 @@ +/* + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: gssapi.h,v 1.5 2006/10/19 07:11:14 lha Exp $ */ + +#ifndef GSSAPI_GSSAPI_H_ +#define GSSAPI_GSSAPI_H_ + +/* + * First, include stddef.h to get size_t defined. + */ +#include <stddef.h> + +#include <krb5-types.h> + +/* + * Now define the three implementation-dependent types. + */ + +typedef uint32_t OM_uint32; +typedef uint64_t OM_uint64; + +typedef uint32_t gss_uint32; + +struct gss_name_t_desc_struct; +typedef struct gss_name_t_desc_struct *gss_name_t; + +struct gss_ctx_id_t_desc_struct; +typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t; + +typedef struct gss_OID_desc_struct { + OM_uint32 length; + void *elements; +} gss_OID_desc, *gss_OID; + +typedef struct gss_OID_set_desc_struct { + size_t count; + gss_OID elements; +} gss_OID_set_desc, *gss_OID_set; + +typedef int gss_cred_usage_t; + +struct gss_cred_id_t_desc_struct; +typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t; + +typedef struct gss_buffer_desc_struct { + size_t length; + void *value; +} gss_buffer_desc, *gss_buffer_t; + +typedef struct gss_channel_bindings_struct { + OM_uint32 initiator_addrtype; + gss_buffer_desc initiator_address; + OM_uint32 acceptor_addrtype; + gss_buffer_desc acceptor_address; + gss_buffer_desc application_data; +} *gss_channel_bindings_t; + +/* GGF extension data types */ +typedef struct gss_buffer_set_desc_struct { + size_t count; + gss_buffer_desc *elements; +} gss_buffer_set_desc, *gss_buffer_set_t; + +/* + * For now, define a QOP-type as an OM_uint32 + */ +typedef OM_uint32 gss_qop_t; + +/* + * Flag bits for context-level services. + */ +#define GSS_C_DELEG_FLAG 1 +#define GSS_C_MUTUAL_FLAG 2 +#define GSS_C_REPLAY_FLAG 4 +#define GSS_C_SEQUENCE_FLAG 8 +#define GSS_C_CONF_FLAG 16 +#define GSS_C_INTEG_FLAG 32 +#define GSS_C_ANON_FLAG 64 +#define GSS_C_PROT_READY_FLAG 128 +#define GSS_C_TRANS_FLAG 256 + +#define GSS_C_DCE_STYLE 4096 +#define GSS_C_IDENTIFY_FLAG 8192 +#define GSS_C_EXTENDED_ERROR_FLAG 16384 + +/* + * Credential usage options + */ +#define GSS_C_BOTH 0 +#define GSS_C_INITIATE 1 +#define GSS_C_ACCEPT 2 + +/* + * Status code types for gss_display_status + */ +#define GSS_C_GSS_CODE 1 +#define GSS_C_MECH_CODE 2 + +/* + * The constant definitions for channel-bindings address families + */ +#define GSS_C_AF_UNSPEC 0 +#define GSS_C_AF_LOCAL 1 +#define GSS_C_AF_INET 2 +#define GSS_C_AF_IMPLINK 3 +#define GSS_C_AF_PUP 4 +#define GSS_C_AF_CHAOS 5 +#define GSS_C_AF_NS 6 +#define GSS_C_AF_NBS 7 +#define GSS_C_AF_ECMA 8 +#define GSS_C_AF_DATAKIT 9 +#define GSS_C_AF_CCITT 10 +#define GSS_C_AF_SNA 11 +#define GSS_C_AF_DECnet 12 +#define GSS_C_AF_DLI 13 +#define GSS_C_AF_LAT 14 +#define GSS_C_AF_HYLINK 15 +#define GSS_C_AF_APPLETALK 16 +#define GSS_C_AF_BSC 17 +#define GSS_C_AF_DSS 18 +#define GSS_C_AF_OSI 19 +#define GSS_C_AF_X25 21 +#define GSS_C_AF_INET6 24 + +#define GSS_C_AF_NULLADDR 255 + +/* + * Various Null values + */ +#define GSS_C_NO_NAME ((gss_name_t) 0) +#define GSS_C_NO_BUFFER ((gss_buffer_t) 0) +#define GSS_C_NO_BUFFER_SET ((gss_buffer_set_t) 0) +#define GSS_C_NO_OID ((gss_OID) 0) +#define GSS_C_NO_OID_SET ((gss_OID_set) 0) +#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) +#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) +#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) +#define GSS_C_EMPTY_BUFFER {0, NULL} + +/* + * Some alternate names for a couple of the above + * values. These are defined for V1 compatibility. + */ +#define GSS_C_NULL_OID GSS_C_NO_OID +#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET + +/* + * Define the default Quality of Protection for per-message + * services. Note that an implementation that offers multiple + * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero + * (as done here) to mean "default protection", or to a specific + * explicit QOP value. However, a value of 0 should always be + * interpreted by a GSSAPI implementation as a request for the + * default protection level. + */ +#define GSS_C_QOP_DEFAULT 0 + +#define GSS_KRB5_CONF_C_QOP_DES 0x0100 +#define GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 + +/* + * Expiration time of 2^32-1 seconds means infinite lifetime for a + * credential or security context + */ +#define GSS_C_INDEFINITE 0xfffffffful + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x01"}, + * corresponding to an object-identifier value of + * {iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant + * GSS_C_NT_USER_NAME should be initialized to point + * to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_USER_NAME; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x02"}, + * corresponding to an object-identifier value of + * {iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. + * The constant GSS_C_NT_MACHINE_UID_NAME should be + * initialized to point to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_MACHINE_UID_NAME; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x03"}, + * corresponding to an object-identifier value of + * {iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. + * The constant GSS_C_NT_STRING_UID_NAME should be + * initialized to point to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_STRING_UID_NAME; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, + * corresponding to an object-identifier value of + * {iso(1) org(3) dod(6) internet(1) security(5) + * nametypes(6) gss-host-based-services(2)). The constant + * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point + * to that gss_OID_desc. This is a deprecated OID value, and + * implementations wishing to support hostbased-service names + * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, + * defined below, to identify such names; + * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym + * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input + * parameter, but should not be emitted by GSS-API + * implementations + */ +extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x04"}, corresponding to an + * object-identifier value of {iso(1) member-body(2) + * Unites States(840) mit(113554) infosys(1) gssapi(2) + * generic(1) service_name(4)}. The constant + * GSS_C_NT_HOSTBASED_SERVICE should be initialized + * to point to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, + * corresponding to an object identifier value of + * {1(iso), 3(org), 6(dod), 1(internet), 5(security), + * 6(nametypes), 3(gss-anonymous-name)}. The constant + * and GSS_C_NT_ANONYMOUS should be initialized to point + * to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_ANONYMOUS; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, + * corresponding to an object-identifier value of + * {1(iso), 3(org), 6(dod), 1(internet), 5(security), + * 6(nametypes), 4(gss-api-exported-name)}. The constant + * GSS_C_NT_EXPORT_NAME should be initialized to point + * to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_EXPORT_NAME; + +/* + * Digest mechanism + */ + +extern gss_OID GSS_SASL_DIGEST_MD5_MECHANISM; + +/* Major status codes */ + +#define GSS_S_COMPLETE 0 + +/* + * Some "helper" definitions to make the status code macros obvious. + */ +#define GSS_C_CALLING_ERROR_OFFSET 24 +#define GSS_C_ROUTINE_ERROR_OFFSET 16 +#define GSS_C_SUPPLEMENTARY_OFFSET 0 +#define GSS_C_CALLING_ERROR_MASK 0377ul +#define GSS_C_ROUTINE_ERROR_MASK 0377ul +#define GSS_C_SUPPLEMENTARY_MASK 0177777ul + +/* + * The macros that test status codes for error conditions. + * Note that the GSS_ERROR() macro has changed slightly from + * the V1 GSSAPI so that it now evaluates its argument + * only once. + */ +#define GSS_CALLING_ERROR(x) \ + (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) +#define GSS_ROUTINE_ERROR(x) \ + (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) +#define GSS_SUPPLEMENTARY_INFO(x) \ + (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) +#define GSS_ERROR(x) \ + (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ + (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) + +/* + * Now the actual status code definitions + */ + +/* + * Calling errors: + */ +#define GSS_S_CALL_INACCESSIBLE_READ \ + (1ul << GSS_C_CALLING_ERROR_OFFSET) +#define GSS_S_CALL_INACCESSIBLE_WRITE \ + (2ul << GSS_C_CALLING_ERROR_OFFSET) +#define GSS_S_CALL_BAD_STRUCTURE \ + (3ul << GSS_C_CALLING_ERROR_OFFSET) + +/* + * Routine errors: + */ +#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) + +#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_MIC GSS_S_BAD_SIG +#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET) + +/* + * Supplementary info bits: + */ +#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) +#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) +#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) +#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) +#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) + +/* + * From RFC1964: + * + * 4.1.1. Non-Kerberos-specific codes + */ + +#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1 + /* "No @ in SERVICE-NAME name string" */ +#define GSS_KRB5_S_G_BAD_STRING_UID 2 + /* "STRING-UID-NAME contains nondigits" */ +#define GSS_KRB5_S_G_NOUSER 3 + /* "UID does not resolve to username" */ +#define GSS_KRB5_S_G_VALIDATE_FAILED 4 + /* "Validation error" */ +#define GSS_KRB5_S_G_BUFFER_ALLOC 5 + /* "Couldn't allocate gss_buffer_t data" */ +#define GSS_KRB5_S_G_BAD_MSG_CTX 6 + /* "Message context invalid" */ +#define GSS_KRB5_S_G_WRONG_SIZE 7 + /* "Buffer is the wrong size" */ +#define GSS_KRB5_S_G_BAD_USAGE 8 + /* "Credential usage type is unknown" */ +#define GSS_KRB5_S_G_UNKNOWN_QOP 9 + /* "Unknown quality of protection specified" */ + + /* + * 4.1.2. Kerberos-specific-codes + */ + +#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10 + /* "Principal in credential cache does not match desired name" */ +#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11 + /* "No principal in keytab matches desired name" */ +#define GSS_KRB5_S_KG_TGT_MISSING 12 + /* "Credential cache has no TGT" */ +#define GSS_KRB5_S_KG_NO_SUBKEY 13 + /* "Authenticator has no subkey" */ +#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14 + /* "Context is already fully established" */ +#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15 + /* "Unknown signature type in token" */ +#define GSS_KRB5_S_KG_BAD_LENGTH 16 + /* "Invalid field length in token" */ +#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17 + /* "Attempt to use incomplete security context" */ + +/* + * This is used to make sure mechs that don't want to have external + * references don't get any prototypes, and thus can get warnings. + */ + +/* + * Finally, function prototypes for the GSS-API routines. + */ + +OM_uint32 gss_acquire_cred + (OM_uint32 * /*minor_status*/, + const gss_name_t /*desired_name*/, + OM_uint32 /*time_req*/, + const gss_OID_set /*desired_mechs*/, + gss_cred_usage_t /*cred_usage*/, + gss_cred_id_t * /*output_cred_handle*/, + gss_OID_set * /*actual_mechs*/, + OM_uint32 * /*time_rec*/ + ); + +OM_uint32 gss_release_cred + (OM_uint32 * /*minor_status*/, + gss_cred_id_t * /*cred_handle*/ + ); + +OM_uint32 gss_init_sec_context + (OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*initiator_cred_handle*/, + gss_ctx_id_t * /*context_handle*/, + const gss_name_t /*target_name*/, + const gss_OID /*mech_type*/, + OM_uint32 /*req_flags*/, + OM_uint32 /*time_req*/, + const gss_channel_bindings_t /*input_chan_bindings*/, + const gss_buffer_t /*input_token*/, + gss_OID * /*actual_mech_type*/, + gss_buffer_t /*output_token*/, + OM_uint32 * /*ret_flags*/, + OM_uint32 * /*time_rec*/ + ); + +OM_uint32 gss_accept_sec_context + (OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + const gss_cred_id_t /*acceptor_cred_handle*/, + const gss_buffer_t /*input_token_buffer*/, + const gss_channel_bindings_t /*input_chan_bindings*/, + gss_name_t * /*src_name*/, + gss_OID * /*mech_type*/, + gss_buffer_t /*output_token*/, + OM_uint32 * /*ret_flags*/, + OM_uint32 * /*time_rec*/, + gss_cred_id_t * /*delegated_cred_handle*/ + ); + +OM_uint32 gss_process_context_token + (OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_buffer_t /*token_buffer*/ + ); + +OM_uint32 gss_delete_sec_context + (OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + gss_buffer_t /*output_token*/ + ); + +OM_uint32 gss_context_time + (OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + OM_uint32 * /*time_rec*/ + ); + +OM_uint32 gss_get_mic + (OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*message_buffer*/, + gss_buffer_t /*message_token*/ + ); + +OM_uint32 gss_verify_mic + (OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_buffer_t /*message_buffer*/, + const gss_buffer_t /*token_buffer*/, + gss_qop_t * /*qop_state*/ + ); + +OM_uint32 gss_wrap + (OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*input_message_buffer*/, + int * /*conf_state*/, + gss_buffer_t /*output_message_buffer*/ + ); + +OM_uint32 gss_unwrap + (OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_buffer_t /*input_message_buffer*/, + gss_buffer_t /*output_message_buffer*/, + int * /*conf_state*/, + gss_qop_t * /*qop_state*/ + ); + +OM_uint32 gss_display_status + (OM_uint32 * /*minor_status*/, + OM_uint32 /*status_value*/, + int /*status_type*/, + const gss_OID /*mech_type*/, + OM_uint32 * /*message_context*/, + gss_buffer_t /*status_string*/ + ); + +OM_uint32 gss_indicate_mechs + (OM_uint32 * /*minor_status*/, + gss_OID_set * /*mech_set*/ + ); + +OM_uint32 gss_compare_name + (OM_uint32 * /*minor_status*/, + const gss_name_t /*name1*/, + const gss_name_t /*name2*/, + int * /*name_equal*/ + ); + +OM_uint32 gss_display_name + (OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + gss_buffer_t /*output_name_buffer*/, + gss_OID * /*output_name_type*/ + ); + +OM_uint32 gss_import_name + (OM_uint32 * /*minor_status*/, + const gss_buffer_t /*input_name_buffer*/, + const gss_OID /*input_name_type*/, + gss_name_t * /*output_name*/ + ); + +OM_uint32 gss_export_name + (OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + gss_buffer_t /*exported_name*/ + ); + +OM_uint32 gss_release_name + (OM_uint32 * /*minor_status*/, + gss_name_t * /*input_name*/ + ); + +OM_uint32 gss_release_buffer + (OM_uint32 * /*minor_status*/, + gss_buffer_t /*buffer*/ + ); + +OM_uint32 gss_release_oid_set + (OM_uint32 * /*minor_status*/, + gss_OID_set * /*set*/ + ); + +OM_uint32 gss_inquire_cred + (OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*cred_handle*/, + gss_name_t * /*name*/, + OM_uint32 * /*lifetime*/, + gss_cred_usage_t * /*cred_usage*/, + gss_OID_set * /*mechanisms*/ + ); + +OM_uint32 gss_inquire_context ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + gss_name_t * /*src_name*/, + gss_name_t * /*targ_name*/, + OM_uint32 * /*lifetime_rec*/, + gss_OID * /*mech_type*/, + OM_uint32 * /*ctx_flags*/, + int * /*locally_initiated*/, + int * /*open_context*/ + ); + +OM_uint32 gss_wrap_size_limit ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + OM_uint32 /*req_output_size*/, + OM_uint32 * /*max_input_size*/ + ); + +OM_uint32 gss_add_cred ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*input_cred_handle*/, + const gss_name_t /*desired_name*/, + const gss_OID /*desired_mech*/, + gss_cred_usage_t /*cred_usage*/, + OM_uint32 /*initiator_time_req*/, + OM_uint32 /*acceptor_time_req*/, + gss_cred_id_t * /*output_cred_handle*/, + gss_OID_set * /*actual_mechs*/, + OM_uint32 * /*initiator_time_rec*/, + OM_uint32 * /*acceptor_time_rec*/ + ); + +OM_uint32 gss_inquire_cred_by_mech ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*cred_handle*/, + const gss_OID /*mech_type*/, + gss_name_t * /*name*/, + OM_uint32 * /*initiator_lifetime*/, + OM_uint32 * /*acceptor_lifetime*/, + gss_cred_usage_t * /*cred_usage*/ + ); + +OM_uint32 gss_export_sec_context ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + gss_buffer_t /*interprocess_token*/ + ); + +OM_uint32 gss_import_sec_context ( + OM_uint32 * /*minor_status*/, + const gss_buffer_t /*interprocess_token*/, + gss_ctx_id_t * /*context_handle*/ + ); + +OM_uint32 gss_create_empty_oid_set ( + OM_uint32 * /*minor_status*/, + gss_OID_set * /*oid_set*/ + ); + +OM_uint32 gss_add_oid_set_member ( + OM_uint32 * /*minor_status*/, + const gss_OID /*member_oid*/, + gss_OID_set * /*oid_set*/ + ); + +OM_uint32 gss_test_oid_set_member ( + OM_uint32 * /*minor_status*/, + const gss_OID /*member*/, + const gss_OID_set /*set*/, + int * /*present*/ + ); + +OM_uint32 gss_inquire_names_for_mech ( + OM_uint32 * /*minor_status*/, + const gss_OID /*mechanism*/, + gss_OID_set * /*name_types*/ + ); + +OM_uint32 gss_inquire_mechs_for_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + gss_OID_set * /*mech_types*/ + ); + +OM_uint32 gss_canonicalize_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + const gss_OID /*mech_type*/, + gss_name_t * /*output_name*/ + ); + +OM_uint32 gss_duplicate_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*src_name*/, + gss_name_t * /*dest_name*/ + ); + +OM_uint32 gss_duplicate_oid ( + OM_uint32 * /* minor_status */, + gss_OID /* src_oid */, + gss_OID * /* dest_oid */ + ); +OM_uint32 +gss_release_oid + (OM_uint32 * /*minor_status*/, + gss_OID * /* oid */ + ); + +OM_uint32 +gss_oid_to_str( + OM_uint32 * /*minor_status*/, + gss_OID /* oid */, + gss_buffer_t /* str */ + ); + +OM_uint32 +gss_inquire_sec_context_by_oid( + OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set + ); + +OM_uint32 +gss_set_sec_context_option (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID desired_object, + const gss_buffer_t value); + +OM_uint32 +gss_set_cred_option (OM_uint32 *minor_status, + gss_cred_id_t *cred_handle, + const gss_OID object, + const gss_buffer_t value); + +int +gss_oid_equal(const gss_OID a, const gss_OID b); + +OM_uint32 +gss_create_empty_buffer_set + (OM_uint32 * minor_status, + gss_buffer_set_t *buffer_set); + +OM_uint32 +gss_add_buffer_set_member + (OM_uint32 * minor_status, + const gss_buffer_t member_buffer, + gss_buffer_set_t *buffer_set); + +OM_uint32 +gss_release_buffer_set + (OM_uint32 * minor_status, + gss_buffer_set_t *buffer_set); + +OM_uint32 +gss_inquire_cred_by_oid(OM_uint32 *minor_status, + const gss_cred_id_t cred_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set); + +/* + * The following routines are obsolete variants of gss_get_mic, + * gss_verify_mic, gss_wrap and gss_unwrap. They should be + * provided by GSSAPI V2 implementations for backwards + * compatibility with V1 applications. Distinct entrypoints + * (as opposed to #defines) should be provided, both to allow + * GSSAPI V1 applications to link against GSSAPI V2 implementations, + * and to retain the slight parameter type differences between the + * obsolete versions of these routines and their current forms. + */ + +OM_uint32 gss_sign + (OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + int /*qop_req*/, + gss_buffer_t /*message_buffer*/, + gss_buffer_t /*message_token*/ + ); + +OM_uint32 gss_verify + (OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + gss_buffer_t /*message_buffer*/, + gss_buffer_t /*token_buffer*/, + int * /*qop_state*/ + ); + +OM_uint32 gss_seal + (OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + int /*qop_req*/, + gss_buffer_t /*input_message_buffer*/, + int * /*conf_state*/, + gss_buffer_t /*output_message_buffer*/ + ); + +OM_uint32 gss_unseal + (OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + gss_buffer_t /*input_message_buffer*/, + gss_buffer_t /*output_message_buffer*/, + int * /*conf_state*/, + int * /*qop_state*/ + ); + +/* + * + */ + +OM_uint32 +gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set); + +OM_uint32 +gss_encapsulate_token(gss_buffer_t /* input_token */, + gss_OID /* oid */, + gss_buffer_t /* output_token */); + +OM_uint32 +gss_decapsulate_token(gss_buffer_t /* input_token */, + gss_OID /* oid */, + gss_buffer_t /* output_token */); + + + +#ifdef __cplusplus +} +#endif + +#include <gssapi/gssapi_krb5.h> +#include <gssapi/gssapi_spnego.h> + +#endif /* GSSAPI_GSSAPI_H_ */ diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h new file mode 100644 index 0000000000..8c025c8366 --- /dev/null +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h @@ -0,0 +1,209 @@ +/* + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: gssapi_krb5.h,v 1.10 2006/10/20 22:04:03 lha Exp $ */ + +#ifndef GSSAPI_KRB5_H_ +#define GSSAPI_KRB5_H_ + +#include <gssapi/gssapi.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * This is for kerberos5 names. + */ + +extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME; +extern gss_OID GSS_KRB5_NT_USER_NAME; +extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME; +extern gss_OID GSS_KRB5_NT_STRING_UID_NAME; + +extern gss_OID GSS_KRB5_MECHANISM; + +/* for compatibility with MIT api */ + +#define gss_mech_krb5 GSS_KRB5_MECHANISM +#define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME + +/* Extensions set contexts options */ +extern gss_OID GSS_KRB5_COPY_CCACHE_X; +extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X; +extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X; +extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X; +extern gss_OID GSS_KRB5_SEND_TO_KDC_X; +/* Extensions inquire context */ +extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X; +extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X; +extern gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO; +extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X; +extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X; +extern gss_OID GSS_KRB5_GET_SUBKEY_X; +extern gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X; +extern gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X; +extern gss_OID GSS_KRB5_GET_AUTHTIME_X; +extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X; +/* Extensions creds */ +extern gss_OID GSS_KRB5_IMPORT_CRED_X; + +/* + * kerberos mechanism specific functions + */ + +struct krb5_keytab_data; +struct krb5_ccache_data; +struct Principal; + +OM_uint32 +gss_krb5_ccache_name(OM_uint32 * /*minor_status*/, + const char * /*name */, + const char ** /*out_name */); + +OM_uint32 gsskrb5_register_acceptor_identity + (const char */*identity*/); + +OM_uint32 gss_krb5_copy_ccache + (OM_uint32 */*minor*/, + gss_cred_id_t /*cred*/, + struct krb5_ccache_data */*out*/); + +OM_uint32 +gss_krb5_import_cred(OM_uint32 */*minor*/, + struct krb5_ccache_data * /*in*/, + struct Principal * /*keytab_principal*/, + struct krb5_keytab_data * /*keytab*/, + gss_cred_id_t */*out*/); + +OM_uint32 gss_krb5_get_tkt_flags + (OM_uint32 */*minor*/, + gss_ctx_id_t /*context_handle*/, + OM_uint32 */*tkt_flags*/); + +OM_uint32 +gsskrb5_extract_authz_data_from_sec_context + (OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + int /*ad_type*/, + gss_buffer_t /*ad_data*/); + +OM_uint32 +gsskrb5_set_dns_canonicalize(int); + +struct gsskrb5_send_to_kdc { + void *func; + void *ptr; +}; + +OM_uint32 +gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *); + +OM_uint32 +gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *); + +struct EncryptionKey; + +OM_uint32 +gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + struct EncryptionKey **out); +OM_uint32 +gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + struct EncryptionKey **out); +OM_uint32 +gsskrb5_get_subkey(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + struct EncryptionKey **out); + +/* + * Lucid - NFSv4 interface to GSS-API KRB5 to expose key material to + * do GSS content token handling in-kernel. + */ + +typedef struct gss_krb5_lucid_key { + OM_uint32 type; + OM_uint32 length; + void * data; +} gss_krb5_lucid_key_t; + +typedef struct gss_krb5_rfc1964_keydata { + OM_uint32 sign_alg; + OM_uint32 seal_alg; + gss_krb5_lucid_key_t ctx_key; +} gss_krb5_rfc1964_keydata_t; + +typedef struct gss_krb5_cfx_keydata { + OM_uint32 have_acceptor_subkey; + gss_krb5_lucid_key_t ctx_key; + gss_krb5_lucid_key_t acceptor_subkey; +} gss_krb5_cfx_keydata_t; + +typedef struct gss_krb5_lucid_context_v1 { + OM_uint32 version; + OM_uint32 initiate; + OM_uint32 endtime; + OM_uint64 send_seq; + OM_uint64 recv_seq; + OM_uint32 protocol; + gss_krb5_rfc1964_keydata_t rfc1964_kd; + gss_krb5_cfx_keydata_t cfx_kd; +} gss_krb5_lucid_context_v1_t; + +typedef struct gss_krb5_lucid_context_version { + OM_uint32 version; /* Structure version number */ +} gss_krb5_lucid_context_version_t; + +/* + * Function declarations + */ + +OM_uint32 +gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + OM_uint32 version, + void **kctx); + + +OM_uint32 +gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, + void *kctx); + + + +#ifdef __cplusplus +} +#endif + +#endif /* GSSAPI_SPNEGO_H_ */ diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h new file mode 100644 index 0000000000..0a856e39aa --- /dev/null +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h @@ -0,0 +1,58 @@ +/* + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: gssapi_spnego.h,v 1.1 2006/10/07 22:26:21 lha Exp $ */ + +#ifndef GSSAPI_SPNEGO_H_ +#define GSSAPI_SPNEGO_H_ + +#include <gssapi.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * RFC2478, SPNEGO: + * The security mechanism of the initial + * negotiation token is identified by the Object Identifier + * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). + */ +extern gss_OID GSS_SPNEGO_MECHANISM; +#define gss_mech_spnego GSS_SPNEGO_MECHANISM + +#ifdef __cplusplus +} +#endif + +#endif /* GSSAPI_SPNEGO_H_ */ diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h deleted file mode 100644 index 81169a8500..0000000000 --- a/source4/heimdal/lib/gssapi/gssapi_locl.h +++ /dev/null @@ -1,315 +0,0 @@ -/* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id: gssapi_locl.h,v 1.45 2006/05/04 11:56:14 lha Exp $ */ - -#ifndef GSSAPI_LOCL_H -#define GSSAPI_LOCL_H - -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif - -#include <krb5_locl.h> -#include <gssapi.h> -#include <assert.h> - -#include "cfx.h" -#include "arcfour.h" - -#include "spnego_asn1.h" - -/* - * - */ - -struct gss_msg_order; - -typedef struct gss_ctx_id_t_desc_struct { - struct krb5_auth_context_data *auth_context; - gss_name_t source, target; - enum gss_ctx_id_t_state { - INITIATOR_START = 1, INITIATOR_WAIT_FOR_MUTAL = 2, INITIATOR_READY= 3, - ACCEPTOR_START = 11, ACCEPTOR_WAIT_FOR_DCESTYLE = 12, ACCEPTOR_READY = 13 - } state; - OM_uint32 flags; - enum {LOCAL = 1, - OPEN = 2, - COMPAT_OLD_DES3 = 4, - COMPAT_OLD_DES3_SELECTED = 8, - ACCEPTOR_SUBKEY = 16 - } more_flags; - struct krb5_ticket *ticket; - krb5_keyblock *service_keyblock; - krb5_data fwd_data; - OM_uint32 lifetime; - HEIMDAL_MUTEX ctx_id_mutex; - struct gss_msg_order *order; -} gss_ctx_id_t_desc; - -typedef struct gss_cred_id_t_desc_struct { - gss_name_t principal; - int cred_flags; -#define GSS_CF_DESTROY_CRED_ON_RELEASE 1 - struct krb5_keytab_data *keytab; - OM_uint32 lifetime; - gss_cred_usage_t usage; - gss_OID_set mechanisms; - struct krb5_ccache_data *ccache; - HEIMDAL_MUTEX cred_id_mutex; -} gss_cred_id_t_desc; - -/* - * - */ - -extern krb5_context gssapi_krb5_context; - -extern krb5_keytab gssapi_krb5_keytab; -extern HEIMDAL_MUTEX gssapi_keytab_mutex; - -struct gssapi_thr_context { - HEIMDAL_MUTEX mutex; - char *error_string; -}; - -/* - * Prototypes - */ - -krb5_error_code gssapi_krb5_init (void); - -krb5_error_code gssapi_krb5_init_ev (void *); - -#define GSSAPI_KRB5_INIT() do { \ - krb5_error_code kret_gss_init; \ - if((kret_gss_init = gssapi_krb5_init ()) != 0) { \ - *minor_status = kret_gss_init; \ - return GSS_S_FAILURE; \ - } \ -} while (0) - -struct gssapi_thr_context * -gssapi_get_thread_context(int); - -OM_uint32 -_gsskrb5_create_ctx( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_channel_bindings_t input_chan_bindings, - enum gss_ctx_id_t_state state); - -void -gsskrb5_is_cfx(gss_ctx_id_t, int *); - -OM_uint32 -gssapi_krb5_create_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - OM_uint32 flags, - const krb5_data *fwd_data, - Checksum *result); - -OM_uint32 -gssapi_krb5_verify_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - const Checksum *cksum, - OM_uint32 *flags, - krb5_data *fwd_data); - -void -_gssapi_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech); - -void -gssapi_krb5_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech); - - - -OM_uint32 -_gssapi_encapsulate(OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const gss_OID mech); - - -OM_uint32 -gssapi_krb5_encapsulate(OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const u_char *type, - const gss_OID mech); - -OM_uint32 -gssapi_krb5_decapsulate(OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - const char *type, - gss_OID oid); - -u_char * -gssapi_krb5_make_header (u_char *p, - size_t len, - const u_char *type, - const gss_OID mech); - -u_char * -_gssapi_make_mech_header(u_char *p, - size_t len, - const gss_OID mech); - -OM_uint32 -_gssapi_verify_mech_header(u_char **str, - size_t total_len, - gss_OID oid); - -OM_uint32 -gssapi_krb5_verify_header(u_char **str, - size_t total_len, - const u_char *type, - gss_OID oid); - -OM_uint32 -_gssapi_decapsulate(OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - const gss_OID mech); - - -ssize_t -gssapi_krb5_get_mech (const u_char *, size_t, const u_char **); - -OM_uint32 -_gssapi_verify_pad(gss_buffer_t, size_t, size_t *); - -OM_uint32 -gss_verify_mic_internal(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - char * type); - -OM_uint32 -gss_krb5_get_subkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key); - -krb5_error_code -gss_address_to_krb5addr(OM_uint32 gss_addr_type, - gss_buffer_desc *gss_addr, - int16_t port, - krb5_address *address); - -/* sec_context flags */ - -#define SC_LOCAL_ADDRESS 0x01 -#define SC_REMOTE_ADDRESS 0x02 -#define SC_KEYBLOCK 0x04 -#define SC_LOCAL_SUBKEY 0x08 -#define SC_REMOTE_SUBKEY 0x10 - -int -gss_oid_equal(const gss_OID a, const gss_OID b); - -void -gssapi_krb5_clear_status (void); - -void -gssapi_krb5_set_status (const char *fmt, ...); - -void -gssapi_krb5_set_error_string (void); - -char * -gssapi_krb5_get_error_string (void); - -OM_uint32 -_gss_DES3_get_mic_compat(OM_uint32 *, gss_ctx_id_t); - -OM_uint32 -_gss_spnego_require_mechlist_mic(OM_uint32 *, gss_ctx_id_t, krb5_boolean *); - -krb5_error_code -_gss_check_compat(OM_uint32 *, gss_name_t, const char *, - krb5_boolean *, krb5_boolean); - -OM_uint32 -gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *); - -OM_uint32 -_gssapi_krb5_ccache_lifetime(OM_uint32 *, krb5_ccache, - krb5_principal, OM_uint32 *); - -/* sequence */ - -OM_uint32 -_gssapi_msg_order_create(OM_uint32 *, struct gss_msg_order **, - OM_uint32, OM_uint32, OM_uint32, int); -OM_uint32 -_gssapi_msg_order_destroy(struct gss_msg_order **); - -OM_uint32 -_gssapi_msg_order_check(struct gss_msg_order *, OM_uint32); - -OM_uint32 -_gssapi_msg_order_f(OM_uint32); - -OM_uint32 -_gssapi_msg_order_import(OM_uint32 *, krb5_storage *, - struct gss_msg_order **); - -krb5_error_code -_gssapi_msg_order_export(krb5_storage *, struct gss_msg_order *); - - -/* 8003 */ - -krb5_error_code -gssapi_encode_om_uint32(OM_uint32, u_char *); - -krb5_error_code -gssapi_encode_be_om_uint32(OM_uint32, u_char *); - -krb5_error_code -gssapi_decode_om_uint32(const void *, OM_uint32 *); - -krb5_error_code -gssapi_decode_be_om_uint32(const void *, OM_uint32 *); - -#endif diff --git a/source4/heimdal/lib/gssapi/gssapi_mech.h b/source4/heimdal/lib/gssapi/gssapi_mech.h new file mode 100644 index 0000000000..a05919b510 --- /dev/null +++ b/source4/heimdal/lib/gssapi/gssapi_mech.h @@ -0,0 +1,348 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/mech_switch.h,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#ifndef GSSAPI_MECH_H +#define GSSAPI_MECH_H 1 + +#include <gssapi.h> + +typedef OM_uint32 _gss_acquire_cred_t + (OM_uint32 *, /* minor_status */ + const gss_name_t, /* desired_name */ + OM_uint32, /* time_req */ + const gss_OID_set, /* desired_mechs */ + gss_cred_usage_t, /* cred_usage */ + gss_cred_id_t *, /* output_cred_handle */ + gss_OID_set *, /* actual_mechs */ + OM_uint32 * /* time_rec */ + ); + +typedef OM_uint32 _gss_release_cred_t + (OM_uint32 *, /* minor_status */ + gss_cred_id_t * /* cred_handle */ + ); + +typedef OM_uint32 _gss_init_sec_context_t + (OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* initiator_cred_handle */ + gss_ctx_id_t *, /* context_handle */ + const gss_name_t, /* target_name */ + const gss_OID, /* mech_type */ + OM_uint32, /* req_flags */ + OM_uint32, /* time_req */ + const gss_channel_bindings_t, + /* input_chan_bindings */ + const gss_buffer_t, /* input_token */ + gss_OID *, /* actual_mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32 *, /* ret_flags */ + OM_uint32 * /* time_rec */ + ); + +typedef OM_uint32 _gss_accept_sec_context_t + (OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + const gss_cred_id_t, /* acceptor_cred_handle */ + const gss_buffer_t, /* input_token_buffer */ + const gss_channel_bindings_t, + /* input_chan_bindings */ + gss_name_t *, /* src_name */ + gss_OID *, /* mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32 *, /* ret_flags */ + OM_uint32 *, /* time_rec */ + gss_cred_id_t * /* delegated_cred_handle */ + ); + +typedef OM_uint32 _gss_process_context_token_t + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + const gss_buffer_t /* token_buffer */ + ); + +typedef OM_uint32 _gss_delete_sec_context_t + (OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + gss_buffer_t /* output_token */ + ); + +typedef OM_uint32 _gss_context_time_t + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + OM_uint32 * /* time_rec */ + ); + +typedef OM_uint32 _gss_get_mic_t + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + gss_qop_t, /* qop_req */ + const gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ + ); + +typedef OM_uint32 _gss_verify_mic_t + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + const gss_buffer_t, /* message_buffer */ + const gss_buffer_t, /* token_buffer */ + gss_qop_t * /* qop_state */ + ); + +typedef OM_uint32 _gss_wrap_t + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + const gss_buffer_t, /* input_message_buffer */ + int *, /* conf_state */ + gss_buffer_t /* output_message_buffer */ + ); + +typedef OM_uint32 _gss_unwrap_t + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + const gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int *, /* conf_state */ + gss_qop_t * /* qop_state */ + ); + +typedef OM_uint32 _gss_display_status_t + (OM_uint32 *, /* minor_status */ + OM_uint32, /* status_value */ + int, /* status_type */ + const gss_OID, /* mech_type */ + OM_uint32 *, /* message_context */ + gss_buffer_t /* status_string */ + ); + +typedef OM_uint32 _gss_indicate_mechs_t + (OM_uint32 *, /* minor_status */ + gss_OID_set * /* mech_set */ + ); + +typedef OM_uint32 _gss_compare_name_t + (OM_uint32 *, /* minor_status */ + const gss_name_t, /* name1 */ + const gss_name_t, /* name2 */ + int * /* name_equal */ + ); + +typedef OM_uint32 _gss_display_name_t + (OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_buffer_t, /* output_name_buffer */ + gss_OID * /* output_name_type */ + ); + +typedef OM_uint32 _gss_import_name_t + (OM_uint32 *, /* minor_status */ + const gss_buffer_t, /* input_name_buffer */ + const gss_OID, /* input_name_type */ + gss_name_t * /* output_name */ + ); + +typedef OM_uint32 _gss_export_name_t + (OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_buffer_t /* exported_name */ + ); + +typedef OM_uint32 _gss_release_name_t + (OM_uint32 *, /* minor_status */ + gss_name_t * /* input_name */ + ); + +typedef OM_uint32 _gss_inquire_cred_t + (OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* cred_handle */ + gss_name_t *, /* name */ + OM_uint32 *, /* lifetime */ + gss_cred_usage_t *, /* cred_usage */ + gss_OID_set * /* mechanisms */ + ); + +typedef OM_uint32 _gss_inquire_context_t + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + gss_name_t *, /* src_name */ + gss_name_t *, /* targ_name */ + OM_uint32 *, /* lifetime_rec */ + gss_OID *, /* mech_type */ + OM_uint32 *, /* ctx_flags */ + int *, /* locally_initiated */ + int * /* open */ + ); + +typedef OM_uint32 _gss_wrap_size_limit_t + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + OM_uint32, /* req_output_size */ + OM_uint32 * /* max_input_size */ + ); + +typedef OM_uint32 _gss_add_cred_t ( + OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* input_cred_handle */ + const gss_name_t, /* desired_name */ + const gss_OID, /* desired_mech */ + gss_cred_usage_t, /* cred_usage */ + OM_uint32, /* initiator_time_req */ + OM_uint32, /* acceptor_time_req */ + gss_cred_id_t *, /* output_cred_handle */ + gss_OID_set *, /* actual_mechs */ + OM_uint32 *, /* initiator_time_rec */ + OM_uint32 * /* acceptor_time_rec */ + ); + +typedef OM_uint32 _gss_inquire_cred_by_mech_t ( + OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* cred_handle */ + const gss_OID, /* mech_type */ + gss_name_t *, /* name */ + OM_uint32 *, /* initiator_lifetime */ + OM_uint32 *, /* acceptor_lifetime */ + gss_cred_usage_t * /* cred_usage */ + ); + +typedef OM_uint32 _gss_export_sec_context_t ( + OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + gss_buffer_t /* interprocess_token */ + ); + +typedef OM_uint32 _gss_import_sec_context_t ( + OM_uint32 *, /* minor_status */ + const gss_buffer_t, /* interprocess_token */ + gss_ctx_id_t * /* context_handle */ + ); + +typedef OM_uint32 _gss_inquire_names_for_mech_t ( + OM_uint32 *, /* minor_status */ + const gss_OID, /* mechanism */ + gss_OID_set * /* name_types */ + ); + +typedef OM_uint32 _gss_inquire_mechs_for_name_t ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_OID_set * /* mech_types */ + ); + +typedef OM_uint32 _gss_canonicalize_name_t ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + const gss_OID, /* mech_type */ + gss_name_t * /* output_name */ + ); + +typedef OM_uint32 _gss_duplicate_name_t ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* src_name */ + gss_name_t * /* dest_name */ + ); + +typedef OM_uint32 _gss_inquire_sec_context_by_oid ( + OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set + ); + +typedef OM_uint32 _gss_inquire_cred_by_oid ( + OM_uint32 *minor_status, + const gss_cred_id_t cred, + const gss_OID desired_object, + gss_buffer_set_t *data_set + ); + +typedef OM_uint32 _gss_set_sec_context_option ( + OM_uint32 *minor_status, + gss_ctx_id_t *cred_handle, + const gss_OID desired_object, + const gss_buffer_t value + ); + +typedef OM_uint32 _gss_set_cred_option ( + OM_uint32 *minor_status, + gss_cred_id_t *cred_handle, + const gss_OID desired_object, + const gss_buffer_t value + ); + + +#define GMI_VERSION 1 + +typedef struct gssapi_mech_interface_desc { + unsigned gm_version; + const char *gm_name; + gss_OID_desc gm_mech_oid; + _gss_acquire_cred_t *gm_acquire_cred; + _gss_release_cred_t *gm_release_cred; + _gss_init_sec_context_t *gm_init_sec_context; + _gss_accept_sec_context_t *gm_accept_sec_context; + _gss_process_context_token_t *gm_process_context_token; + _gss_delete_sec_context_t *gm_delete_sec_context; + _gss_context_time_t *gm_context_time; + _gss_get_mic_t *gm_get_mic; + _gss_verify_mic_t *gm_verify_mic; + _gss_wrap_t *gm_wrap; + _gss_unwrap_t *gm_unwrap; + _gss_display_status_t *gm_display_status; + _gss_indicate_mechs_t *gm_indicate_mechs; + _gss_compare_name_t *gm_compare_name; + _gss_display_name_t *gm_display_name; + _gss_import_name_t *gm_import_name; + _gss_export_name_t *gm_export_name; + _gss_release_name_t *gm_release_name; + _gss_inquire_cred_t *gm_inquire_cred; + _gss_inquire_context_t *gm_inquire_context; + _gss_wrap_size_limit_t *gm_wrap_size_limit; + _gss_add_cred_t *gm_add_cred; + _gss_inquire_cred_by_mech_t *gm_inquire_cred_by_mech; + _gss_export_sec_context_t *gm_export_sec_context; + _gss_import_sec_context_t *gm_import_sec_context; + _gss_inquire_names_for_mech_t *gm_inquire_names_for_mech; + _gss_inquire_mechs_for_name_t *gm_inquire_mechs_for_name; + _gss_canonicalize_name_t *gm_canonicalize_name; + _gss_duplicate_name_t *gm_duplicate_name; + _gss_inquire_sec_context_by_oid *gm_inquire_sec_context_by_oid; + _gss_inquire_cred_by_oid *gm_inquire_cred_by_oid; + _gss_set_sec_context_option *gm_set_sec_context_option; + _gss_set_cred_option *gm_set_cred_option; +} gssapi_mech_interface_desc, *gssapi_mech_interface; + +gssapi_mech_interface +__gss_get_mechanism(gss_OID /* oid */); + +gssapi_mech_interface __gss_spnego_initialize(void); +gssapi_mech_interface __gss_krb5_initialize(void); + +#endif /* GSSAPI_MECH_H */ diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c deleted file mode 100644 index 4f0d237241..0000000000 --- a/source4/heimdal/lib/gssapi/init_sec_context.c +++ /dev/null @@ -1,1261 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id: init_sec_context.c,v 1.63 2006/05/05 10:27:13 lha Exp $"); - -/* - * copy the addresses from `input_chan_bindings' (if any) to - * the auth context `ac' - */ - -static OM_uint32 -set_addresses (krb5_auth_context ac, - const gss_channel_bindings_t input_chan_bindings) -{ - /* Port numbers are expected to be in application_data.value, - * initator's port first */ - - krb5_address initiator_addr, acceptor_addr; - krb5_error_code kret; - - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS - || input_chan_bindings->application_data.length != - 2 * sizeof(ac->local_port)) - return 0; - - memset(&initiator_addr, 0, sizeof(initiator_addr)); - memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - - ac->local_port = - *(int16_t *) input_chan_bindings->application_data.value; - - ac->remote_port = - *((int16_t *) input_chan_bindings->application_data.value + 1); - - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - ac->remote_port, - &acceptor_addr); - if (kret) - return kret; - - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - ac->local_port, - &initiator_addr); - if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - return kret; - } - - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, - ac, - &initiator_addr, /* local address */ - &acceptor_addr); /* remote address */ - - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - -#if 0 - free(input_chan_bindings->application_data.value); - input_chan_bindings->application_data.value = NULL; - input_chan_bindings->application_data.length = 0; -#endif - - return kret; -} - -OM_uint32 -_gsskrb5_create_ctx( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_channel_bindings_t input_chan_bindings, - enum gss_ctx_id_t_state state) -{ - krb5_error_code kret; - - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->state = state; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->service_keyblock = NULL; - (*context_handle)->ticket = NULL; - krb5_data_zero(&(*context_handle)->fwd_data); - (*context_handle)->lifetime = GSS_C_INDEFINITE; - (*context_handle)->order = NULL; - HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex); - - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - - return GSS_S_FAILURE; - } - - kret = set_addresses((*context_handle)->auth_context, - input_chan_bindings); - if (kret) { - *minor_status = kret; - - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - - krb5_auth_con_free(gssapi_krb5_context, (*context_handle)->auth_context); - - return GSS_S_BAD_BINDINGS; - } - - /* - * We need a sequence number - */ - - krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - NULL); - - return GSS_S_COMPLETE; -} - -static OM_uint32 -gsskrb5_get_creds( - OM_uint32 * minor_status, - krb5_ccache ccache, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - OM_uint32 time_req, - OM_uint32 * time_rec, - krb5_creds ** cred) -{ - OM_uint32 ret; - krb5_error_code kret; - krb5_creds this_cred; - OM_uint32 lifetime_rec; - - *cred = NULL; - - kret = krb5_cc_get_principal(gssapi_krb5_context, - ccache, - &(*context_handle)->source); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_copy_principal(gssapi_krb5_context, - target_name, - &(*context_handle)->target); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - memset(&this_cred, 0, sizeof(this_cred)); - this_cred.client = (*context_handle)->source; - this_cred.server = (*context_handle)->target; - - if (time_req && time_req != GSS_C_INDEFINITE) { - krb5_timestamp ts; - - krb5_timeofday (gssapi_krb5_context, &ts); - this_cred.times.endtime = ts + time_req; - } else { - this_cred.times.endtime = 0; - } - - this_cred.session.keytype = KEYTYPE_NULL; - - kret = krb5_get_credentials(gssapi_krb5_context, - 0, - ccache, - &this_cred, - cred); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - (*context_handle)->lifetime = (*cred)->times.endtime; - - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - &lifetime_rec); - if (ret) return ret; - - if (lifetime_rec == 0) { - *minor_status = 0; - return GSS_S_CONTEXT_EXPIRED; - } - - if (time_rec) *time_rec = lifetime_rec; - - return GSS_S_COMPLETE; -} - -static OM_uint32 -gsskrb5_initiator_ready( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle) -{ - OM_uint32 ret; - int32_t seq_number; - int is_cfx = 0; - OM_uint32 flags = (*context_handle)->flags; - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - (*context_handle)->auth_context, - &seq_number); - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - ret = _gssapi_msg_order_create(minor_status, - &(*context_handle)->order, - _gssapi_msg_order_f(flags), - seq_number, 0, is_cfx); - if (ret) return ret; - - (*context_handle)->state = INITIATOR_READY; - (*context_handle)->more_flags |= OPEN; - - return GSS_S_COMPLETE; -} - -/* - * handle delegated creds in init-sec-context - */ - -static void -do_delegation (krb5_auth_context ac, - krb5_ccache ccache, - krb5_creds *cred, - const gss_name_t target_name, - krb5_data *fwd_data, - OM_uint32 *flags) -{ - krb5_creds creds; - krb5_kdc_flags fwd_flags; - krb5_error_code kret; - - memset (&creds, 0, sizeof(creds)); - krb5_data_zero (fwd_data); - - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client); - if (kret) - goto out; - - kret = krb5_build_principal(gssapi_krb5_context, - &creds.server, - strlen(creds.client->realm), - creds.client->realm, - KRB5_TGS_NAME, - creds.client->realm, - NULL); - if (kret) - goto out; - - creds.times.endtime = 0; - - fwd_flags.i = 0; - fwd_flags.b.forwarded = 1; - fwd_flags.b.forwardable = 1; - - if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/ - target_name->name.name_string.len < 2) - goto out; - - kret = krb5_get_forwarded_creds(gssapi_krb5_context, - ac, - ccache, - fwd_flags.i, - target_name->name.name_string.val[1], - &creds, - fwd_data); - - out: - if (kret) - *flags &= ~GSS_C_DELEG_FLAG; - else - *flags |= GSS_C_DELEG_FLAG; - - if (creds.client) - krb5_free_principal(gssapi_krb5_context, creds.client); - if (creds.server) - krb5_free_principal(gssapi_krb5_context, creds.server); -} - -/* - * first stage of init-sec-context - */ - -static OM_uint32 -gsskrb5_initiator_start -(OM_uint32 * minor_status, - krb5_ccache ccache, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - krb5_error_code kret; - krb5_flags ap_options; - krb5_creds *cred = NULL; - krb5_data outbuf; - OM_uint32 flags; - krb5_data authenticator; - Checksum cksum; - krb5_enctype enctype; - krb5_data fwd_data; - int is_cfx; - - krb5_data_zero(&outbuf); - krb5_data_zero(&fwd_data); - - (*context_handle)->more_flags |= LOCAL; - - /* We need to get the credentials for the requested target */ - ret = gsskrb5_get_creds(minor_status, - ccache, - context_handle, - target_name, - time_req, - time_rec, - &cred); - if (ret) return ret; - - /* - * We need to setup some compat stuff, this assumes that context_handle->target is already set - */ - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) return ret; - - /* We need the key and a random local subkey */ - { - kret = krb5_auth_con_setkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - /* We need to prepare the flags used for this context */ - { - flags = 0; - ap_options = 0; - - /* - * The KDC may have issued us a service ticket marked NOT - * ok-as-delegate. We may still wish to force the matter, and to - * allow this we check a per-realm gssapi [appdefaults] config - * option. If ok-as-delegate in the config file is set to TRUE - * (default FALSE) and our caller has so requested, we will still - * attempt to forward the ticket. - * - * Otherwise, strip the GSS_C_DELEG_FLAG (so we don't attempt a - * delegation) - */ - if (!cred->flags.b.ok_as_delegate) { - krb5_boolean delegate; - - krb5_appdefault_boolean(gssapi_krb5_context, - "gssapi", target_name->realm, - "ok-as-delegate", FALSE, &delegate); - if (!delegate) - req_flags &= ~GSS_C_DELEG_FLAG; - } - - if (req_flags & GSS_C_DELEG_FLAG) { - do_delegation((*context_handle)->auth_context, - ccache, cred, target_name, &fwd_data, &flags); - } - - if (req_flags & GSS_C_MUTUAL_FLAG) { - flags |= GSS_C_MUTUAL_FLAG; - ap_options |= AP_OPTS_MUTUAL_REQUIRED; - } - - if (req_flags & GSS_C_REPLAY_FLAG) { - flags |= GSS_C_REPLAY_FLAG; - } - - if (req_flags & GSS_C_SEQUENCE_FLAG) { - flags |= GSS_C_SEQUENCE_FLAG; - } - - if (req_flags & GSS_C_ANON_FLAG) { - ;/* XXX */ - } - - if (req_flags & GSS_C_DCE_STYLE) { - flags |= GSS_C_DCE_STYLE; - /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */ - flags |= GSS_C_MUTUAL_FLAG; - ap_options |= AP_OPTS_MUTUAL_REQUIRED; - } - - if (req_flags & GSS_C_IDENTIFY_FLAG) { - flags |= GSS_C_IDENTIFY_FLAG; - } - - if (req_flags & GSS_C_EXTENDED_ERROR_FLAG) { - flags |= GSS_C_EXTENDED_ERROR_FLAG; - } - - /* TODO: why are this always there? --metze */ - flags |= GSS_C_CONF_FLAG; - flags |= GSS_C_INTEG_FLAG; - flags |= GSS_C_TRANS_FLAG; - - if (ret_flags) *ret_flags = flags; - (*context_handle)->flags = flags; - } - - /* We need to generate the 8003 checksum */ - { - ret = gssapi_krb5_create_8003_checksum(minor_status, - input_chan_bindings, - flags, - &fwd_data, - &cksum); - krb5_data_free (&fwd_data); - if (ret) return ret; - } - - enctype = (*context_handle)->auth_context->keyblock->keytype; - - gsskrb5_is_cfx(*context_handle, &is_cfx); - - if (is_cfx != 0) { - kret = krb5_auth_con_addflags(gssapi_krb5_context, - (*context_handle)->auth_context, - KRB5_AUTH_CONTEXT_USE_SUBKEY, - NULL); - (*context_handle)->more_flags |= ACCEPTOR_SUBKEY; - } - - /* We need to create an Authenticator */ - { - kret = krb5_build_authenticator (gssapi_krb5_context, - (*context_handle)->auth_context, - enctype, - cred, - &cksum, - NULL, - &authenticator, - KRB5_KU_AP_REQ_AUTH); - free_Checksum(&cksum); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - /* We need to create the AP_REQ */ - { - kret = krb5_build_ap_req(gssapi_krb5_context, - enctype, - cred, - ap_options, - authenticator, - &outbuf); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - /* We need to encapsulate the AP_REQ if GSS_C_DCE_STYLE isn't in use */ - { - if (!(flags & GSS_C_DCE_STYLE)) { - ret = gssapi_krb5_encapsulate(minor_status, &outbuf, output_token, - "\x01\x00", GSS_KRB5_MECHANISM); - krb5_data_free (&outbuf); - if (ret) return ret; - } else { - output_token->length = outbuf.length; - output_token->value = outbuf.data; - } - } - - /* We no longer need the creds */ - krb5_free_creds(gssapi_krb5_context, cred); - - /* We are done if GSS_C_MUTUAL_FLAG is in use */ - if (flags & GSS_C_MUTUAL_FLAG) { - (*context_handle)->state = INITIATOR_WAIT_FOR_MUTAL; - return GSS_S_CONTINUE_NEEDED; - } - - return gsskrb5_initiator_ready(minor_status, context_handle); -} - -static OM_uint32 -gsskrb5_initiator_wait_for_mutual( - OM_uint32 * minor_status, - krb5_ccache ccache, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec) -{ - OM_uint32 ret; - krb5_error_code kret; - krb5_data inbuf; - OM_uint32 flags = (*context_handle)->flags; - int32_t l_seq_number; - int32_t r_seq_number; - - /* We need to decapsulate the AP_REP if GSS_C_DCE_STYLE isn't in use */ - { - if (!(flags & GSS_C_DCE_STYLE)) { - ret = gssapi_krb5_decapsulate(minor_status, input_token, &inbuf, - "\x02\x00", GSS_KRB5_MECHANISM); - if (ret) return ret; - } else { - inbuf.length = input_token->length; - inbuf.data = input_token->value; - } - } - - /* We need to verify the AP_REP */ - { - krb5_ap_rep_enc_part *repl; - - kret = krb5_rd_rep(gssapi_krb5_context, - (*context_handle)->auth_context, - &inbuf, - &repl); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - krb5_free_ap_rep_enc_part(gssapi_krb5_context, repl); - } - - /* We need to check the liftime */ - { - OM_uint32 lifetime_rec; - - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - &lifetime_rec); - if (ret) return ret; - - if (lifetime_rec == 0) { - return GSS_S_CONTEXT_EXPIRED; - } - - if (time_rec) *time_rec = lifetime_rec; - } - - /* We need to give the caller the flags which are in use */ - if (ret_flags) *ret_flags = (*context_handle)->flags; - - /* We are done here if GSS_C_DCE_STYLE isn't in use */ - if (!(flags & GSS_C_DCE_STYLE)) { - return gsskrb5_initiator_ready(minor_status, context_handle); - } - - /* - * We need to set the local seq_number to the remote one just for the krb5_mk_rep(), - * and then we need to use the old local seq_number again for the GSS_Wrap() messages - */ - { - kret = krb5_auth_getremoteseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - &r_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - &l_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - r_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - /* We need to create an AP_REP */ - { - krb5_data outbuf; - - kret = krb5_mk_rep(gssapi_krb5_context, - (*context_handle)->auth_context, - &outbuf); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - output_token->length = outbuf.length; - output_token->value = outbuf.data; - } - - /* We need to reset the local seq_number */ - { - kret = krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, - (*context_handle)->auth_context, - l_seq_number); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - return gsskrb5_initiator_ready(minor_status, context_handle); -} - -static OM_uint32 -gsskrb5_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_error_code kret; - krb5_ccache ccache = NULL; - - if (*context_handle == GSS_C_NO_CONTEXT) { - ret = _gsskrb5_create_ctx(minor_status, - context_handle, - input_chan_bindings, - INITIATOR_START); - if (ret) return ret; - } - - if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM; - - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { - kret = krb5_cc_default (gssapi_krb5_context, &ccache); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } else { - ccache = initiator_cred_handle->ccache; - } - - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); - - switch ((*context_handle)->state) { - case INITIATOR_START: - ret = gsskrb5_initiator_start(minor_status, - ccache, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - output_token, - ret_flags, - time_rec); - break; - case INITIATOR_WAIT_FOR_MUTAL: - ret = gsskrb5_initiator_wait_for_mutual(minor_status, - ccache, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - output_token, - ret_flags, - time_rec); - break; - case INITIATOR_READY: - /* should this be GSS_S_BAD_STATUS ? --metze */ - - /* We need to check the liftime */ - { - OM_uint32 lifetime_rec; - - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - &lifetime_rec); - if (ret) break; - - if (lifetime_rec == 0) { - *minor_status = 0; - ret = GSS_S_CONTEXT_EXPIRED; - break; - } - - if (time_rec) *time_rec = lifetime_rec; - } - - /* We need to give the caller the flags which are in use */ - if (ret_flags) *ret_flags = (*context_handle)->flags; - - ret = GSS_S_COMPLETE; - break; - default: - /* TODO: is this correct here? --metze */ - ret = GSS_S_BAD_STATUS; - break; - } - - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { - krb5_cc_close(gssapi_krb5_context, ccache); - } - - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - - return ret; -} - -static OM_uint32 -spnego_reply - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_data indata; - NegTokenTarg targ; - u_char oidbuf[17]; - size_t oidlen; - gss_buffer_desc sub_token; - ssize_t mech_len; - const u_char *p; - size_t len, taglen; - krb5_boolean require_mic; - - output_token->length = 0; - output_token->value = NULL; - - /* - * SPNEGO doesn't include gss wrapping on SubsequentContextToken - * like the Kerberos 5 mech does. But lets check for it anyway. - */ - - mech_len = gssapi_krb5_get_mech (input_token->value, - input_token->length, - &p); - - if (mech_len < 0) { - indata.data = input_token->value; - indata.length = input_token->length; - } else if (mech_len == GSS_KRB5_MECHANISM->length - && memcmp(GSS_KRB5_MECHANISM->elements, p, mech_len) == 0) - return gsskrb5_init_sec_context (minor_status, - initiator_cred_handle, - context_handle, - target_name, - GSS_KRB5_MECHANISM, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else if (mech_len == GSS_SPNEGO_MECHANISM->length - && memcmp(GSS_SPNEGO_MECHANISM->elements, p, mech_len) == 0){ - ret = _gssapi_decapsulate (minor_status, - input_token, - &indata, - GSS_SPNEGO_MECHANISM); - if (ret) - return ret; - } else - return GSS_S_BAD_MECH; - - ret = der_match_tag_and_length((const char *)indata.data, - indata.length, - ASN1_C_CONTEXT, CONS, 1, &len, &taglen); - if (ret) { - gssapi_krb5_set_status("Failed to decode NegToken choice"); - *minor_status = ret; - return GSS_S_FAILURE; - } - - if(len > indata.length - taglen) { - gssapi_krb5_set_status("Buffer overrun in NegToken choice"); - *minor_status = ASN1_OVERRUN; - return GSS_S_FAILURE; - } - - ret = decode_NegTokenTarg((const char *)indata.data + taglen, - len, &targ, NULL); - if (ret) { - gssapi_krb5_set_status("Failed to decode NegTokenTarg"); - *minor_status = ret; - return GSS_S_FAILURE; - } - - if (targ.negResult == NULL - || *(targ.negResult) == reject - || targ.supportedMech == NULL) { - free_NegTokenTarg(&targ); - return GSS_S_BAD_MECH; - } - - ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1, - sizeof(oidbuf), - targ.supportedMech, - &oidlen); - if (ret || oidlen != GSS_KRB5_MECHANISM->length - || memcmp(oidbuf + sizeof(oidbuf) - oidlen, - GSS_KRB5_MECHANISM->elements, - oidlen) != 0) { - free_NegTokenTarg(&targ); - return GSS_S_BAD_MECH; - } - - if (targ.responseToken != NULL) { - sub_token.length = targ.responseToken->length; - sub_token.value = targ.responseToken->data; - } else { - sub_token.length = 0; - sub_token.value = NULL; - } - - ret = gsskrb5_init_sec_context(minor_status, - initiator_cred_handle, - context_handle, - target_name, - GSS_KRB5_MECHANISM, - req_flags, - time_req, - input_chan_bindings, - &sub_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - /* - * Verify the mechListMIC if CFX was used; or if local policy - * dictated so. - */ - ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle, - &require_mic); - if (ret) { - free_NegTokenTarg(&targ); - return ret; - } - - if (require_mic) { - MechTypeList mechlist; - MechType m0; - size_t buf_len; - gss_buffer_desc mic_buf, mech_buf; - - if (targ.mechListMIC == NULL) { - free_NegTokenTarg(&targ); - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - mechlist.len = 1; - mechlist.val = &m0; - - ret = der_get_oid(GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length, - &m0, - NULL); - if (ret) { - free_NegTokenTarg(&targ); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length, - &mechlist, &buf_len, ret); - if (ret) { - free_NegTokenTarg(&targ); - free_oid(&m0); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - if (mech_buf.length != buf_len) - abort(); - - mic_buf.length = targ.mechListMIC->length; - mic_buf.value = targ.mechListMIC->data; - - ret = gss_verify_mic(minor_status, *context_handle, - &mech_buf, &mic_buf, NULL); - free(mech_buf.value); - free_oid(&m0); - } - free_NegTokenTarg(&targ); - return ret; -} - -static OM_uint32 -spnego_initial - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - NegTokenInit ni; - int ret; - OM_uint32 sub, minor; - gss_buffer_desc mech_token; - u_char *buf; - size_t buf_size, buf_len; - krb5_data data; - - memset (&ni, 0, sizeof(ni)); - - ALLOC(ni.mechTypes, 1); - if (ni.mechTypes == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ALLOC_SEQ(ni.mechTypes, 1); - if (ni.mechTypes->val == NULL) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ret = der_get_oid(GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length, - &ni.mechTypes->val[0], - NULL); - if (ret) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - -#if 0 - ALLOC(ni.reqFlags, 1); - if (ni.reqFlags == NULL) { - free_NegTokenInit(&ni); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ni.reqFlags->delegFlag = req_flags & GSS_C_DELEG_FLAG; - ni.reqFlags->mutualFlag = req_flags & GSS_C_MUTUAL_FLAG; - ni.reqFlags->replayFlag = req_flags & GSS_C_REPLAY_FLAG; - ni.reqFlags->sequenceFlag = req_flags & GSS_C_SEQUENCE_FLAG; - ni.reqFlags->anonFlag = req_flags & GSS_C_ANON_FLAG; - ni.reqFlags->confFlag = req_flags & GSS_C_CONF_FLAG; - ni.reqFlags->integFlag = req_flags & GSS_C_INTEG_FLAG; -#else - ni.reqFlags = NULL; -#endif - - sub = gsskrb5_init_sec_context(&minor, - initiator_cred_handle, - context_handle, - target_name, - GSS_KRB5_MECHANISM, - req_flags, - time_req, - input_chan_bindings, - GSS_C_NO_BUFFER, - actual_mech_type, - &mech_token, - ret_flags, - time_rec); - if (GSS_ERROR(sub)) { - free_NegTokenInit(&ni); - return sub; - } - if (mech_token.length != 0) { - ALLOC(ni.mechToken, 1); - if (ni.mechToken == NULL) { - free_NegTokenInit(&ni); - gss_release_buffer(&minor, &mech_token); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ni.mechToken->length = mech_token.length; - ni.mechToken->data = malloc(mech_token.length); - if (ni.mechToken->data == NULL && mech_token.length != 0) { - free_NegTokenInit(&ni); - gss_release_buffer(&minor, &mech_token); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(ni.mechToken->data, mech_token.value, mech_token.length); - gss_release_buffer(&minor, &mech_token); - } else - ni.mechToken = NULL; - - /* XXX ignore mech list mic for now */ - ni.mechListMIC = NULL; - - - { - NegotiationToken nt; - - nt.element = choice_NegotiationToken_negTokenInit; - nt.u.negTokenInit = ni; - - ASN1_MALLOC_ENCODE(NegotiationToken, buf, buf_size, - &nt, &buf_len, ret); - if (ret == 0 && buf_size != buf_len) - abort(); - } - - data.data = buf; - data.length = buf_size; - - free_NegTokenInit(&ni); - if (ret) - return ret; - - sub = _gssapi_encapsulate(minor_status, - &data, - output_token, - GSS_SPNEGO_MECHANISM); - free (buf); - - if (sub) - return sub; - - return GSS_S_CONTINUE_NEEDED; -} - -static OM_uint32 -spnego_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) - return spnego_initial (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else - return spnego_reply (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); -} - -/* - * gss_init_sec_context - */ - -OM_uint32 gss_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - GSSAPI_KRB5_INIT (); - - output_token->length = 0; - output_token->value = NULL; - - if (ret_flags) - *ret_flags = 0; - if (time_rec) - *time_rec = 0; - - if (target_name == GSS_C_NO_NAME) { - if (actual_mech_type) - *actual_mech_type = GSS_C_NO_OID; - *minor_status = 0; - return GSS_S_BAD_NAME; - } - - if (mech_type == GSS_C_NO_OID || - gss_oid_equal(mech_type, GSS_KRB5_MECHANISM)) - return gsskrb5_init_sec_context(minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM)) - return spnego_init_sec_context (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else - return GSS_S_BAD_MECH; -} diff --git a/source4/heimdal/lib/gssapi/inquire_cred.c b/source4/heimdal/lib/gssapi/inquire_cred.c deleted file mode 100644 index 9ed1ff4cc4..0000000000 --- a/source4/heimdal/lib/gssapi/inquire_cred.c +++ /dev/null @@ -1,123 +0,0 @@ -/* - * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "gssapi_locl.h" - -RCSID("$Id: inquire_cred.c,v 1.7 2004/11/30 19:27:11 lha Exp $"); - -OM_uint32 gss_inquire_cred - (OM_uint32 * minor_status, - const gss_cred_id_t cred_handle, - gss_name_t * name, - OM_uint32 * lifetime, - gss_cred_usage_t * cred_usage, - gss_OID_set * mechanisms - ) -{ - gss_cred_id_t cred; - OM_uint32 ret; - - *minor_status = 0; - - if (name) - *name = NULL; - if (mechanisms) - *mechanisms = GSS_C_NO_OID_SET; - - if (cred_handle == GSS_C_NO_CREDENTIAL) { - ret = gss_acquire_cred(minor_status, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - GSS_C_BOTH, - &cred, - NULL, - NULL); - if (ret) - return ret; - } else - cred = (gss_cred_id_t)cred_handle; - - HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); - - if (name != NULL) { - if (cred->principal != NULL) { - ret = gss_duplicate_name(minor_status, cred->principal, - name); - if (ret) - goto out; - } else if (cred->usage == GSS_C_ACCEPT) { - *minor_status = krb5_sname_to_principal(gssapi_krb5_context, NULL, - NULL, KRB5_NT_SRV_HST, name); - if (*minor_status) { - ret = GSS_S_FAILURE; - goto out; - } - } else { - *minor_status = krb5_get_default_principal(gssapi_krb5_context, - name); - if (*minor_status) { - ret = GSS_S_FAILURE; - goto out; - } - } - } - if (lifetime != NULL) { - ret = gssapi_lifetime_left(minor_status, - cred->lifetime, - lifetime); - if (ret) - goto out; - } - if (cred_usage != NULL) - *cred_usage = cred->usage; - - if (mechanisms != NULL) { - ret = gss_create_empty_oid_set(minor_status, mechanisms); - if (ret) - goto out; - ret = gss_add_oid_set_member(minor_status, - &cred->mechanisms->elements[0], - mechanisms); - if (ret) - goto out; - } - ret = GSS_S_COMPLETE; - out: - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - - if (cred_handle == GSS_C_NO_CREDENTIAL) - ret = gss_release_cred(minor_status, &cred); - - return ret; -} diff --git a/source4/heimdal/lib/gssapi/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c index 359bb6e715..0123f67e09 100644 --- a/source4/heimdal/lib/gssapi/8003.c +++ b/source4/heimdal/lib/gssapi/krb5/8003.c @@ -31,12 +31,12 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: 8003.c,v 1.18 2006/05/04 11:55:40 lha Exp $"); +RCSID("$Id: 8003.c,v 1.20 2006/10/07 22:13:51 lha Exp $"); krb5_error_code -gssapi_encode_om_uint32(OM_uint32 n, u_char *p) +_gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p) { p[0] = (n >> 0) & 0xFF; p[1] = (n >> 8) & 0xFF; @@ -46,7 +46,7 @@ gssapi_encode_om_uint32(OM_uint32 n, u_char *p) } krb5_error_code -gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p) +_gsskrb5_encode_be_om_uint32(OM_uint32 n, u_char *p) { p[0] = (n >> 24) & 0xFF; p[1] = (n >> 16) & 0xFF; @@ -56,7 +56,7 @@ gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p) } krb5_error_code -gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n) +_gsskrb5_decode_om_uint32(const void *ptr, OM_uint32 *n) { const u_char *p = ptr; *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); @@ -64,7 +64,7 @@ gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n) } krb5_error_code -gssapi_decode_be_om_uint32(const void *ptr, OM_uint32 *n) +_gsskrb5_decode_be_om_uint32(const void *ptr, OM_uint32 *n) { const u_char *p = ptr; *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0); @@ -79,23 +79,23 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, MD5_CTX md5; MD5_Init(&md5); - gssapi_encode_om_uint32 (b->initiator_addrtype, num); + _gsskrb5_encode_om_uint32 (b->initiator_addrtype, num); MD5_Update (&md5, num, sizeof(num)); - gssapi_encode_om_uint32 (b->initiator_address.length, num); + _gsskrb5_encode_om_uint32 (b->initiator_address.length, num); MD5_Update (&md5, num, sizeof(num)); if (b->initiator_address.length) MD5_Update (&md5, b->initiator_address.value, b->initiator_address.length); - gssapi_encode_om_uint32 (b->acceptor_addrtype, num); + _gsskrb5_encode_om_uint32 (b->acceptor_addrtype, num); MD5_Update (&md5, num, sizeof(num)); - gssapi_encode_om_uint32 (b->acceptor_address.length, num); + _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num); MD5_Update (&md5, num, sizeof(num)); if (b->acceptor_address.length) MD5_Update (&md5, b->acceptor_address.value, b->acceptor_address.length); - gssapi_encode_om_uint32 (b->application_data.length, num); + _gsskrb5_encode_om_uint32 (b->application_data.length, num); MD5_Update (&md5, num, sizeof(num)); if (b->application_data.length) MD5_Update (&md5, @@ -112,7 +112,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, */ OM_uint32 -gssapi_krb5_create_8003_checksum ( +_gsskrb5_create_8003_checksum ( OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, OM_uint32 flags, @@ -136,7 +136,7 @@ gssapi_krb5_create_8003_checksum ( } p = result->checksum.data; - gssapi_encode_om_uint32 (16, p); + _gsskrb5_encode_om_uint32 (16, p); p += 4; if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) { memset (p, 0, 16); @@ -144,7 +144,7 @@ gssapi_krb5_create_8003_checksum ( hash_input_chan_bindings (input_chan_bindings, p); } p += 16; - gssapi_encode_om_uint32 (flags, p); + _gsskrb5_encode_om_uint32 (flags, p); p += 4; if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) { @@ -167,7 +167,7 @@ gssapi_krb5_create_8003_checksum ( */ OM_uint32 -gssapi_krb5_verify_8003_checksum( +_gsskrb5_verify_8003_checksum( OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, const Checksum *cksum, @@ -192,7 +192,7 @@ gssapi_krb5_verify_8003_checksum( } p = cksum->checksum.data; - gssapi_decode_om_uint32(p, &length); + _gsskrb5_decode_om_uint32(p, &length); if(length != sizeof(hash)) { *minor_status = 0; return GSS_S_BAD_BINDINGS; @@ -214,7 +214,7 @@ gssapi_krb5_verify_8003_checksum( p += sizeof(hash); - gssapi_decode_om_uint32(p, flags); + _gsskrb5_decode_om_uint32(p, flags); p += 4; if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) { diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c new file mode 100644 index 0000000000..e42bb11b85 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -0,0 +1,774 @@ +/* + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: accept_sec_context.c,v 1.64 2006/10/25 04:19:45 lha Exp $"); + +HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; +krb5_keytab _gsskrb5_keytab; + +OM_uint32 +_gsskrb5_register_acceptor_identity (const char *identity) +{ + krb5_error_code ret; + + ret = _gsskrb5_init(); + if(ret) + return GSS_S_FAILURE; + + HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); + + if(_gsskrb5_keytab != NULL) { + krb5_kt_close(_gsskrb5_context, _gsskrb5_keytab); + _gsskrb5_keytab = NULL; + } + if (identity == NULL) { + ret = krb5_kt_default(_gsskrb5_context, &_gsskrb5_keytab); + } else { + char *p; + + asprintf(&p, "FILE:%s", identity); + if(p == NULL) { + HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); + return GSS_S_FAILURE; + } + ret = krb5_kt_resolve(_gsskrb5_context, p, &_gsskrb5_keytab); + free(p); + } + HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); + if(ret) + return GSS_S_FAILURE; + return GSS_S_COMPLETE; +} + +void +_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx) +{ + krb5_keyblock *key; + int acceptor = (ctx->more_flags & LOCAL) == 0; + + *is_cfx = 0; + + if (acceptor) { + if (ctx->auth_context->local_subkey) + key = ctx->auth_context->local_subkey; + else + key = ctx->auth_context->remote_subkey; + } else { + if (ctx->auth_context->remote_subkey) + key = ctx->auth_context->remote_subkey; + else + key = ctx->auth_context->local_subkey; + } + if (key == NULL) + key = ctx->auth_context->keyblock; + + if (key == NULL) + return; + + switch (key->keytype) { + case ETYPE_DES_CBC_CRC: + case ETYPE_DES_CBC_MD4: + case ETYPE_DES_CBC_MD5: + case ETYPE_DES3_CBC_MD5: + case ETYPE_DES3_CBC_SHA1: + case ETYPE_ARCFOUR_HMAC_MD5: + case ETYPE_ARCFOUR_HMAC_MD5_56: + break; + default : + *is_cfx = 1; + if ((acceptor && ctx->auth_context->local_subkey) || + (!acceptor && ctx->auth_context->remote_subkey)) + ctx->more_flags |= ACCEPTOR_SUBKEY; + break; + } +} + + +static OM_uint32 +gsskrb5_accept_delegated_token +(OM_uint32 * minor_status, + gsskrb5_ctx ctx, + gss_cred_id_t * delegated_cred_handle + ) +{ + krb5_ccache ccache = NULL; + krb5_error_code kret; + int32_t ac_flags, ret = GSS_S_COMPLETE; + + *minor_status = 0; + + /* XXX Create a new delegated_cred_handle? */ + if (delegated_cred_handle == NULL) { + kret = krb5_cc_default (_gsskrb5_context, &ccache); + } else { + *delegated_cred_handle = NULL; + kret = krb5_cc_gen_new (_gsskrb5_context, &krb5_mcc_ops, &ccache); + } + if (kret) { + ctx->flags &= ~GSS_C_DELEG_FLAG; + goto out; + } + + kret = krb5_cc_initialize(_gsskrb5_context, ccache, ctx->source); + if (kret) { + ctx->flags &= ~GSS_C_DELEG_FLAG; + goto out; + } + + krb5_auth_con_removeflags(_gsskrb5_context, + ctx->auth_context, + KRB5_AUTH_CONTEXT_DO_TIME, + &ac_flags); + kret = krb5_rd_cred2(_gsskrb5_context, + ctx->auth_context, + ccache, + &ctx->fwd_data); + if (kret) + _gsskrb5_set_error_string(); + krb5_auth_con_setflags(_gsskrb5_context, + ctx->auth_context, + ac_flags); + if (kret) { + ctx->flags &= ~GSS_C_DELEG_FLAG; + ret = GSS_S_FAILURE; + *minor_status = kret; + goto out; + } + + if (delegated_cred_handle) { + gsskrb5_cred handle; + + ret = _gsskrb5_import_cred(minor_status, + ccache, + NULL, + NULL, + delegated_cred_handle); + if (ret != GSS_S_COMPLETE) + goto out; + + handle = (gsskrb5_cred) *delegated_cred_handle; + + handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; + krb5_cc_close(_gsskrb5_context, ccache); + ccache = NULL; + } + +out: + if (ccache) { + if (delegated_cred_handle == NULL) + krb5_cc_close(_gsskrb5_context, ccache); + else + krb5_cc_destroy(_gsskrb5_context, ccache); + } + return ret; +} + +static OM_uint32 +gsskrb5_acceptor_ready(OM_uint32 * minor_status, + gsskrb5_ctx ctx, + gss_cred_id_t *delegated_cred_handle) +{ + OM_uint32 ret; + int32_t seq_number; + int is_cfx = 0; + + krb5_auth_getremoteseqnumber (_gsskrb5_context, + ctx->auth_context, + &seq_number); + + _gsskrb5i_is_cfx(ctx, &is_cfx); + + ret = _gssapi_msg_order_create(minor_status, + &ctx->order, + _gssapi_msg_order_f(ctx->flags), + seq_number, 0, is_cfx); + if (ret) + return ret; + + /* + * If requested, set local sequence num to remote sequence if this + * isn't a mutual authentication context + */ + if (!(ctx->flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(ctx->flags)) { + krb5_auth_con_setlocalseqnumber(_gsskrb5_context, + ctx->auth_context, + seq_number); + } + + /* + * We should handle the delegation ticket, in case it's there + */ + if (ctx->fwd_data.length > 0 && (ctx->flags & GSS_C_DELEG_FLAG)) { + ret = gsskrb5_accept_delegated_token(minor_status, + ctx, + delegated_cred_handle); + if (ret) + return ret; + } else { + /* Well, looks like it wasn't there after all */ + ctx->flags &= ~GSS_C_DELEG_FLAG; + } + + ctx->state = ACCEPTOR_READY; + ctx->more_flags |= OPEN; + + return GSS_S_COMPLETE; +} + +static OM_uint32 +gsskrb5_acceptor_start(OM_uint32 * minor_status, + gsskrb5_ctx ctx, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t * delegated_cred_handle) +{ + krb5_error_code kret; + OM_uint32 ret = GSS_S_COMPLETE; + krb5_data indata; + krb5_flags ap_options; + krb5_ticket *ticket = NULL; + krb5_keytab keytab = NULL; + krb5_keyblock *keyblock = NULL; + int is_cfx = 0; + const gsskrb5_cred acceptor_cred = (gsskrb5_cred)acceptor_cred_handle; + + /* + * We may, or may not, have an escapsulation. + */ + ret = _gsskrb5_decapsulate (minor_status, + input_token_buffer, + &indata, + "\x01\x00", + GSS_KRB5_MECHANISM); + + if (ret) { + /* Assume that there is no OID wrapping. */ + indata.length = input_token_buffer->length; + indata.data = input_token_buffer->value; + } + + /* + * We need to get our keytab + */ + if (acceptor_cred == NULL) { + if (_gsskrb5_keytab != NULL) + keytab = _gsskrb5_keytab; + } else if (acceptor_cred->keytab != NULL) { + keytab = acceptor_cred->keytab; + } + + /* + * We need to check the ticket and create the AP-REP packet + */ + kret = krb5_rd_req_return_keyblock(_gsskrb5_context, + &ctx->auth_context, + &indata, + (acceptor_cred == NULL) ? NULL : acceptor_cred->principal, + keytab, + &ap_options, + &ticket, + &keyblock); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + _gsskrb5_set_error_string (); + return ret; + } + + /* + * We need to remember some data on the context_handle. + */ + ctx->ticket = ticket; + ctx->service_keyblock = keyblock; + ctx->lifetime = ticket->ticket.endtime; + + /* + * We need to copy the principal names to the context and the + * calling layer. + */ + kret = krb5_copy_principal(_gsskrb5_context, + ticket->client, + &ctx->source); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + _gsskrb5_set_error_string (); + } + + kret = krb5_copy_principal(_gsskrb5_context, ticket->server, &ctx->target); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + _gsskrb5_set_error_string (); + return ret; + } + + /* + * We need to setup some compat stuff, this assumes that + * context_handle->target is already set. + */ + ret = _gss_DES3_get_mic_compat(minor_status, ctx); + if (ret) + return ret; + + if (src_name != NULL) { + kret = krb5_copy_principal (_gsskrb5_context, + ticket->client, + (gsskrb5_name*)src_name); + if (kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + _gsskrb5_set_error_string (); + return ret; + } + } + + /* + * We need to get the flags out of the 8003 checksum. + */ + { + krb5_authenticator authenticator; + + kret = krb5_auth_con_getauthenticator(_gsskrb5_context, + ctx->auth_context, + &authenticator); + if(kret) { + ret = GSS_S_FAILURE; + *minor_status = kret; + _gsskrb5_set_error_string (); + return ret; + } + + if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { + ret = _gsskrb5_verify_8003_checksum(minor_status, + input_chan_bindings, + authenticator->cksum, + &ctx->flags, + &ctx->fwd_data); + + krb5_free_authenticator(_gsskrb5_context, &authenticator); + if (ret) { + return ret; + } + } else { + krb5_crypto crypto; + + kret = krb5_crypto_init(_gsskrb5_context, + ctx->auth_context->keyblock, + 0, &crypto); + if(kret) { + krb5_free_authenticator(_gsskrb5_context, &authenticator); + + ret = GSS_S_FAILURE; + *minor_status = kret; + _gsskrb5_set_error_string (); + return ret; + } + + /* + * Windows accepts Samba3's use of a kerberos, rather than + * GSSAPI checksum here + */ + + kret = krb5_verify_checksum(_gsskrb5_context, + crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0, + authenticator->cksum); + krb5_free_authenticator(_gsskrb5_context, &authenticator); + krb5_crypto_destroy(_gsskrb5_context, crypto); + + if(kret) { + ret = GSS_S_BAD_SIG; + *minor_status = kret; + _gsskrb5_set_error_string (); + return ret; + } + + /* + * Samba style get some flags (but not DCE-STYLE) + */ + ctx->flags = + GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; + } + } + + if(ctx->flags & GSS_C_MUTUAL_FLAG) { + krb5_data outbuf; + + _gsskrb5i_is_cfx(ctx, &is_cfx); + + if (is_cfx != 0 + || (ap_options & AP_OPTS_USE_SUBKEY)) { + kret = krb5_auth_con_addflags(_gsskrb5_context, + ctx->auth_context, + KRB5_AUTH_CONTEXT_USE_SUBKEY, + NULL); + ctx->more_flags |= ACCEPTOR_SUBKEY; + } + + kret = krb5_mk_rep(_gsskrb5_context, + ctx->auth_context, + &outbuf); + if (kret) { + *minor_status = kret; + _gsskrb5_set_error_string (); + return GSS_S_FAILURE; + } + + if (ctx->flags & GSS_C_DCE_STYLE) { + output_token->length = outbuf.length; + output_token->value = outbuf.data; + } else { + ret = _gsskrb5_encapsulate(minor_status, + &outbuf, + output_token, + "\x02\x00", + GSS_KRB5_MECHANISM); + krb5_data_free (&outbuf); + if (ret) + return ret; + } + } + + ctx->flags |= GSS_C_TRANS_FLAG; + + /* Remember the flags */ + + ctx->lifetime = ticket->ticket.endtime; + ctx->more_flags |= OPEN; + + if (mech_type) + *mech_type = GSS_KRB5_MECHANISM; + + if (time_rec) { + ret = _gsskrb5_lifetime_left(minor_status, + ctx->lifetime, + time_rec); + if (ret) { + return ret; + } + } + + /* + * When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from + * the client. + */ + if (ctx->flags & GSS_C_DCE_STYLE) { + /* + * Return flags to caller, but we haven't processed + * delgations yet + */ + if (ret_flags) + *ret_flags = (ctx->flags & ~GSS_C_DELEG_FLAG); + + ctx->state = ACCEPTOR_WAIT_FOR_DCESTYLE; + return GSS_S_CONTINUE_NEEDED; + } + + ret = gsskrb5_acceptor_ready(minor_status, ctx, delegated_cred_handle); + + if (ret_flags) + *ret_flags = ctx->flags; + + return ret; +} + +static OM_uint32 +acceptor_wait_for_dcestyle(OM_uint32 * minor_status, + gsskrb5_ctx ctx, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t * delegated_cred_handle) +{ + OM_uint32 ret; + krb5_error_code kret; + krb5_data inbuf; + int32_t r_seq_number, l_seq_number; + + /* + * We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP + */ + + inbuf.length = input_token_buffer->length; + inbuf.data = input_token_buffer->value; + + /* + * We need to remeber the old remote seq_number, then check if the + * client has replied with our local seq_number, and then reset + * the remote seq_number to the old value + */ + { + kret = krb5_auth_con_getlocalseqnumber(_gsskrb5_context, + ctx->auth_context, + &l_seq_number); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + + kret = krb5_auth_getremoteseqnumber(_gsskrb5_context, + ctx->auth_context, + &r_seq_number); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + + kret = krb5_auth_con_setremoteseqnumber(_gsskrb5_context, + ctx->auth_context, + l_seq_number); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + } + + /* + * We need to verify the AP_REP, but we need to flag that this is + * DCE_STYLE, so don't check the timestamps this time, but put the + * flag DO_TIME back afterward. + */ + { + krb5_ap_rep_enc_part *repl; + int32_t auth_flags; + + krb5_auth_con_removeflags(_gsskrb5_context, + ctx->auth_context, + KRB5_AUTH_CONTEXT_DO_TIME, + &auth_flags); + + kret = krb5_rd_rep(_gsskrb5_context, ctx->auth_context, &inbuf, &repl); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + krb5_free_ap_rep_enc_part(_gsskrb5_context, repl); + krb5_auth_con_setflags(_gsskrb5_context, ctx->auth_context, auth_flags); + } + + /* We need to check the liftime */ + { + OM_uint32 lifetime_rec; + + ret = _gsskrb5_lifetime_left(minor_status, + ctx->lifetime, + &lifetime_rec); + if (ret) { + return ret; + } + if (lifetime_rec == 0) { + return GSS_S_CONTEXT_EXPIRED; + } + + if (time_rec) *time_rec = lifetime_rec; + } + + /* We need to give the caller the flags which are in use */ + if (ret_flags) *ret_flags = ctx->flags; + + if (src_name) { + kret = krb5_copy_principal(_gsskrb5_context, + ctx->source, + (gsskrb5_name*)src_name); + if (kret) { + *minor_status = kret; + _gsskrb5_set_error_string (); + return GSS_S_FAILURE; + } + } + + /* + * After the krb5_rd_rep() the remote and local seq_number should + * be the same, because the client just replies the seq_number + * from our AP-REP in its AP-REP, but then the client uses the + * seq_number from its AP-REQ for GSS_wrap() + */ + { + int32_t tmp_r_seq_number, tmp_l_seq_number; + + kret = krb5_auth_getremoteseqnumber(_gsskrb5_context, + ctx->auth_context, + &tmp_r_seq_number); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + + kret = krb5_auth_con_getlocalseqnumber(_gsskrb5_context, + ctx->auth_context, + &tmp_l_seq_number); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + + /* + * Here we check if the client has responsed with our local seq_number, + */ + if (tmp_r_seq_number != tmp_l_seq_number) { + return GSS_S_UNSEQ_TOKEN; + } + } + + /* + * We need to reset the remote seq_number, because the client will use, + * the old one for the GSS_wrap() calls + */ + { + kret = krb5_auth_con_setremoteseqnumber(_gsskrb5_context, + ctx->auth_context, + r_seq_number); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + } + + return gsskrb5_acceptor_ready(minor_status, ctx, delegated_cred_handle); +} + + +OM_uint32 +_gsskrb5_accept_sec_context(OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t * delegated_cred_handle) +{ + OM_uint32 ret; + gsskrb5_ctx ctx; + + GSSAPI_KRB5_INIT(); + + output_token->length = 0; + output_token->value = NULL; + + if (src_name != NULL) + *src_name = NULL; + if (mech_type) + *mech_type = GSS_KRB5_MECHANISM; + + if (*context_handle == GSS_C_NO_CONTEXT) { + ret = _gsskrb5_create_ctx(minor_status, + context_handle, + input_chan_bindings, + ACCEPTOR_START); + if (ret) + return ret; + } + + ctx = (gsskrb5_ctx)*context_handle; + + + /* + * TODO: check the channel_bindings + * (above just sets them to krb5 layer) + */ + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + switch (ctx->state) { + case ACCEPTOR_START: + ret = gsskrb5_acceptor_start(minor_status, + ctx, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + break; + case ACCEPTOR_WAIT_FOR_DCESTYLE: + ret = acceptor_wait_for_dcestyle(minor_status, + ctx, + acceptor_cred_handle, + input_token_buffer, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + break; + case ACCEPTOR_READY: + /* + * If we get there, the caller have called + * gss_accept_sec_context() one time too many. + */ + ret = GSS_S_BAD_STATUS; + break; + default: + /* TODO: is this correct here? --metze */ + ret = GSS_S_BAD_STATUS; + break; + } + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + if (GSS_ERROR(ret)) { + OM_uint32 min2; + _gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER); + } + + return ret; +} diff --git a/source4/heimdal/lib/gssapi/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c index fa5d709a30..df6e137402 100644 --- a/source4/heimdal/lib/gssapi/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,12 +31,12 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: acquire_cred.c,v 1.27 2005/12/01 16:26:02 lha Exp $"); +RCSID("$Id: acquire_cred.c,v 1.31 2006/10/07 22:13:55 lha Exp $"); OM_uint32 -_gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status, +__gsskrb5_ccache_lifetime(OM_uint32 *minor_status, krb5_ccache id, krb5_principal principal, OM_uint32 *lifetime) @@ -48,32 +48,32 @@ _gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status, memset(&in_cred, 0, sizeof(in_cred)); in_cred.client = principal; - realm = krb5_principal_get_realm(gssapi_krb5_context, principal); + realm = krb5_principal_get_realm(_gsskrb5_context, principal); if (realm == NULL) { - gssapi_krb5_clear_status (); + _gsskrb5_clear_status (); *minor_status = KRB5_PRINC_NOMATCH; /* XXX */ return GSS_S_FAILURE; } - kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server, + kret = krb5_make_principal(_gsskrb5_context, &in_cred.server, realm, KRB5_TGS_NAME, realm, NULL); if (kret) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = kret; return GSS_S_FAILURE; } - kret = krb5_get_credentials(gssapi_krb5_context, 0, + kret = krb5_get_credentials(_gsskrb5_context, 0, id, &in_cred, &out_cred); - krb5_free_principal(gssapi_krb5_context, in_cred.server); + krb5_free_principal(_gsskrb5_context, in_cred.server); if (kret) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = kret; return GSS_S_FAILURE; } *lifetime = out_cred->times.endtime; - krb5_free_creds(gssapi_krb5_context, out_cred); + krb5_free_creds(_gsskrb5_context, out_cred); return GSS_S_COMPLETE; } @@ -82,21 +82,21 @@ _gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status, static krb5_error_code -get_keytab(krb5_context context, krb5_keytab *keytab) +get_keytab(krb5_keytab *keytab) { char kt_name[256]; krb5_error_code kret; HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - if (gssapi_krb5_keytab != NULL) { - kret = krb5_kt_get_name(context, - gssapi_krb5_keytab, + if (_gsskrb5_keytab != NULL) { + kret = krb5_kt_get_name(_gsskrb5_context, + _gsskrb5_keytab, kt_name, sizeof(kt_name)); if (kret == 0) - kret = krb5_kt_resolve(context, kt_name, keytab); + kret = krb5_kt_resolve(_gsskrb5_context, kt_name, keytab); } else - kret = krb5_kt_default(context, keytab); + kret = krb5_kt_default(_gsskrb5_context, keytab); HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); @@ -105,12 +105,11 @@ get_keytab(krb5_context context, krb5_keytab *keytab) static OM_uint32 acquire_initiator_cred (OM_uint32 * minor_status, - krb5_context context, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, - gss_cred_id_t handle, + gsskrb5_cred handle, gss_OID_set * actual_mechs, OM_uint32 * time_rec ) @@ -120,9 +119,10 @@ static OM_uint32 acquire_initiator_cred krb5_principal def_princ; krb5_get_init_creds_opt *opt; krb5_ccache ccache; - krb5_error_code kret; krb5_keytab keytab; + krb5_error_code kret; + keytab = NULL; ccache = NULL; def_princ = NULL; ret = GSS_S_FAILURE; @@ -132,33 +132,33 @@ static OM_uint32 acquire_initiator_cred * caches, otherwise, fall back to default cache. Ignore * errors. */ if (handle->principal) - kret = krb5_cc_cache_match (gssapi_krb5_context, + kret = krb5_cc_cache_match (_gsskrb5_context, handle->principal, NULL, &ccache); if (ccache == NULL) { - kret = krb5_cc_default(gssapi_krb5_context, &ccache); + kret = krb5_cc_default(_gsskrb5_context, &ccache); if (kret) goto end; } - kret = krb5_cc_get_principal(context, ccache, + kret = krb5_cc_get_principal(_gsskrb5_context, ccache, &def_princ); if (kret != 0) { /* we'll try to use a keytab below */ - krb5_cc_destroy(context, ccache); + krb5_cc_destroy(_gsskrb5_context, ccache); ccache = NULL; kret = 0; } else if (handle->principal == NULL) { - kret = krb5_copy_principal(context, def_princ, + kret = krb5_copy_principal(_gsskrb5_context, def_princ, &handle->principal); if (kret) goto end; } else if (handle->principal != NULL && - krb5_principal_compare(context, handle->principal, + krb5_principal_compare(_gsskrb5_context, handle->principal, def_princ) == FALSE) { /* Before failing, lets check the keytab */ - krb5_free_principal(context, def_princ); + krb5_free_principal(_gsskrb5_context, def_princ); def_princ = NULL; } if (def_princ == NULL) { @@ -166,37 +166,37 @@ static OM_uint32 acquire_initiator_cred * so attempt to get a TGT using a keytab. */ if (handle->principal == NULL) { - kret = krb5_get_default_principal(context, + kret = krb5_get_default_principal(_gsskrb5_context, &handle->principal); if (kret) goto end; } - kret = get_keytab(context, &keytab); + kret = get_keytab(&keytab); if (kret) goto end; - kret = krb5_get_init_creds_opt_alloc(gssapi_krb5_context, &opt); + kret = krb5_get_init_creds_opt_alloc(_gsskrb5_context, &opt); if (kret) goto end; - kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred, + kret = krb5_get_init_creds_keytab(_gsskrb5_context, &cred, handle->principal, keytab, 0, NULL, opt); krb5_get_init_creds_opt_free(opt); if (kret) goto end; - kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, + kret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops, &ccache); if (kret) goto end; - kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client); + kret = krb5_cc_initialize(_gsskrb5_context, ccache, cred.client); if (kret) goto end; - kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred); + kret = krb5_cc_store_cred(_gsskrb5_context, ccache, &cred); if (kret) goto end; handle->lifetime = cred.times.endtime; handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; } else { - ret = _gssapi_krb5_ccache_lifetime(minor_status, + ret = __gsskrb5_ccache_lifetime(minor_status, ccache, handle->principal, &handle->lifetime); @@ -210,17 +210,17 @@ static OM_uint32 acquire_initiator_cred end: if (cred.client != NULL) - krb5_free_cred_contents(context, &cred); + krb5_free_cred_contents(_gsskrb5_context, &cred); if (def_princ != NULL) - krb5_free_principal(context, def_princ); + krb5_free_principal(_gsskrb5_context, def_princ); if (keytab != NULL) - krb5_kt_close(context, keytab); + krb5_kt_close(_gsskrb5_context, keytab); if (ret != GSS_S_COMPLETE) { if (ccache != NULL) - krb5_cc_close(gssapi_krb5_context, ccache); + krb5_cc_close(_gsskrb5_context, ccache); if (kret != 0) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); } } return (ret); @@ -228,11 +228,11 @@ end: static OM_uint32 acquire_acceptor_cred (OM_uint32 * minor_status, - krb5_context context, + const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, - gss_cred_id_t handle, + gsskrb5_cred handle, gss_OID_set * actual_mechs, OM_uint32 * time_rec ) @@ -242,7 +242,7 @@ static OM_uint32 acquire_acceptor_cred kret = 0; ret = GSS_S_FAILURE; - kret = get_keytab(context, &handle->keytab); + kret = get_keytab(&handle->keytab); if (kret) goto end; @@ -250,37 +250,38 @@ static OM_uint32 acquire_acceptor_cred if (handle->principal) { krb5_keytab_entry entry; - kret = krb5_kt_get_entry(gssapi_krb5_context, handle->keytab, + kret = krb5_kt_get_entry(_gsskrb5_context, handle->keytab, handle->principal, 0, 0, &entry); if (kret) goto end; - krb5_kt_free_entry(gssapi_krb5_context, &entry); + krb5_kt_free_entry(_gsskrb5_context, &entry); } ret = GSS_S_COMPLETE; end: if (ret != GSS_S_COMPLETE) { - krb5_kt_close(context, handle->keytab); + if (handle->keytab != NULL) + krb5_kt_close(_gsskrb5_context, handle->keytab); if (kret != 0) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); } } return (ret); } -OM_uint32 gss_acquire_cred - (OM_uint32 * minor_status, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) +OM_uint32 _gsskrb5_acquire_cred +(OM_uint32 * minor_status, + const gss_name_t desired_name, + OM_uint32 time_req, + const gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_cred_id_t * output_cred_handle, + gss_OID_set * actual_mechs, + OM_uint32 * time_rec + ) { - gss_cred_id_t handle; + gsskrb5_cred handle; OM_uint32 ret; if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { @@ -299,8 +300,8 @@ OM_uint32 gss_acquire_cred if (desired_mechs) { int present = 0; - ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - desired_mechs, &present); + ret = _gsskrb5_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + desired_mechs, &present); if (ret) return ret; if (!present) { @@ -309,66 +310,63 @@ OM_uint32 gss_acquire_cred } } - handle = (gss_cred_id_t)malloc(sizeof(*handle)); - if (handle == GSS_C_NO_CREDENTIAL) { + handle = calloc(1, sizeof(*handle)); + if (handle == NULL) { *minor_status = ENOMEM; return (GSS_S_FAILURE); } - memset(handle, 0, sizeof (*handle)); HEIMDAL_MUTEX_init(&handle->cred_id_mutex); if (desired_name != GSS_C_NO_NAME) { - ret = gss_duplicate_name(minor_status, desired_name, - &handle->principal); - if (ret != GSS_S_COMPLETE) { + krb5_principal name = (krb5_principal)desired_name; + ret = krb5_copy_principal(_gsskrb5_context, name, &handle->principal); + if (ret) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); + _gsskrb5_set_error_string(); + *minor_status = ret; free(handle); - return (ret); + return GSS_S_FAILURE; } } if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { - ret = acquire_initiator_cred(minor_status, gssapi_krb5_context, - desired_name, time_req, - desired_mechs, cred_usage, - handle, actual_mechs, time_rec); + ret = acquire_initiator_cred(minor_status, desired_name, time_req, + desired_mechs, cred_usage, handle, actual_mechs, time_rec); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); return (ret); } } if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { - ret = acquire_acceptor_cred(minor_status, gssapi_krb5_context, - time_req, - desired_mechs, cred_usage, - handle, actual_mechs, time_rec); + ret = acquire_acceptor_cred(minor_status, desired_name, time_req, + desired_mechs, cred_usage, handle, actual_mechs, time_rec); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); return (ret); } } - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); + ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms); if (ret == GSS_S_COMPLETE) - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); + ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &handle->mechanisms); if (ret == GSS_S_COMPLETE) - ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL, - actual_mechs); + ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle, + NULL, time_rec, NULL, actual_mechs); if (ret != GSS_S_COMPLETE) { if (handle->mechanisms != NULL) - gss_release_oid_set(NULL, &handle->mechanisms); + _gsskrb5_release_oid_set(NULL, &handle->mechanisms); HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); return (ret); } *minor_status = 0; if (time_rec) { - ret = gssapi_lifetime_left(minor_status, + ret = _gsskrb5_lifetime_left(minor_status, handle->lifetime, time_rec); @@ -376,8 +374,6 @@ OM_uint32 gss_acquire_cred return ret; } handle->usage = cred_usage; - - *output_cred_handle = handle; + *output_cred_handle = (gss_cred_id_t)handle; return (GSS_S_COMPLETE); } - diff --git a/source4/heimdal/lib/gssapi/krb5/add_cred.c b/source4/heimdal/lib/gssapi/krb5/add_cred.c new file mode 100644 index 0000000000..4892e84798 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/add_cred.c @@ -0,0 +1,249 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: add_cred.c,v 1.9 2006/10/07 22:13:58 lha Exp $"); + +OM_uint32 _gsskrb5_add_cred ( + OM_uint32 *minor_status, + const gss_cred_id_t input_cred_handle, + const gss_name_t desired_name, + const gss_OID desired_mech, + gss_cred_usage_t cred_usage, + OM_uint32 initiator_time_req, + OM_uint32 acceptor_time_req, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *initiator_time_rec, + OM_uint32 *acceptor_time_rec) +{ + OM_uint32 ret, lifetime; + gsskrb5_cred cred, handle; + krb5_const_principal dname; + + handle = NULL; + cred = (gsskrb5_cred)input_cred_handle; + dname = (krb5_const_principal)desired_name; + + if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) { + *minor_status = 0; + return GSS_S_BAD_MECH; + } + + if (cred == NULL && output_cred_handle == NULL) { + *minor_status = 0; + return GSS_S_NO_CRED; + } + + if (cred == NULL) { /* XXX standard conformance failure */ + *minor_status = 0; + return GSS_S_NO_CRED; + } + + /* check if requested output usage is compatible with output usage */ + if (output_cred_handle != NULL) { + HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); + if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) { + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + *minor_status = GSS_KRB5_S_G_BAD_USAGE; + return(GSS_S_FAILURE); + } + } + + /* check that we have the same name */ + if (dname != NULL && + krb5_principal_compare(_gsskrb5_context, dname, + cred->principal) != FALSE) { + if (output_cred_handle) + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + *minor_status = 0; + return GSS_S_BAD_NAME; + } + + /* make a copy */ + if (output_cred_handle) { + krb5_error_code kret; + + handle = calloc(1, sizeof(*handle)); + if (handle == NULL) { + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + + handle->usage = cred_usage; + handle->lifetime = cred->lifetime; + handle->principal = NULL; + handle->keytab = NULL; + handle->ccache = NULL; + handle->mechanisms = NULL; + HEIMDAL_MUTEX_init(&handle->cred_id_mutex); + + ret = GSS_S_FAILURE; + + kret = krb5_copy_principal(_gsskrb5_context, cred->principal, + &handle->principal); + if (kret) { + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + free(handle); + *minor_status = kret; + return GSS_S_FAILURE; + } + + if (cred->keytab) { + char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN]; + int len; + + ret = GSS_S_FAILURE; + + kret = krb5_kt_get_type(_gsskrb5_context, cred->keytab, + name, KRB5_KT_PREFIX_MAX_LEN); + if (kret) { + *minor_status = kret; + goto failure; + } + len = strlen(name); + name[len++] = ':'; + + kret = krb5_kt_get_name(_gsskrb5_context, cred->keytab, + name + len, + sizeof(name) - len); + if (kret) { + *minor_status = kret; + goto failure; + } + + kret = krb5_kt_resolve(_gsskrb5_context, name, + &handle->keytab); + if (kret){ + *minor_status = kret; + goto failure; + } + } + + if (cred->ccache) { + const char *type, *name; + char *type_name; + + ret = GSS_S_FAILURE; + + type = krb5_cc_get_type(_gsskrb5_context, cred->ccache); + if (type == NULL){ + *minor_status = ENOMEM; + goto failure; + } + + if (strcmp(type, "MEMORY") == 0) { + ret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops, + &handle->ccache); + if (ret) { + *minor_status = ret; + goto failure; + } + + ret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, + handle->ccache); + if (ret) { + *minor_status = ret; + goto failure; + } + + } else { + name = krb5_cc_get_name(_gsskrb5_context, cred->ccache); + if (name == NULL) { + *minor_status = ENOMEM; + goto failure; + } + + asprintf(&type_name, "%s:%s", type, name); + if (type_name == NULL) { + *minor_status = ENOMEM; + goto failure; + } + + kret = krb5_cc_resolve(_gsskrb5_context, type_name, + &handle->ccache); + free(type_name); + if (kret) { + *minor_status = kret; + goto failure; + } + } + } + ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms); + if (ret) + goto failure; + + ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &handle->mechanisms); + if (ret) + goto failure; + } + + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + + ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred, + NULL, &lifetime, NULL, actual_mechs); + if (ret) + goto failure; + + if (initiator_time_rec) + *initiator_time_rec = lifetime; + if (acceptor_time_rec) + *acceptor_time_rec = lifetime; + + if (output_cred_handle) { + *output_cred_handle = (gss_cred_id_t)handle; + } + + *minor_status = 0; + return ret; + + failure: + + if (handle) { + if (handle->principal) + krb5_free_principal(_gsskrb5_context, handle->principal); + if (handle->keytab) + krb5_kt_close(_gsskrb5_context, handle->keytab); + if (handle->ccache) + krb5_cc_destroy(_gsskrb5_context, handle->ccache); + if (handle->mechanisms) + _gsskrb5_release_oid_set(NULL, &handle->mechanisms); + free(handle); + } + if (output_cred_handle) + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + return ret; +} diff --git a/source4/heimdal/lib/gssapi/add_oid_set_member.c b/source4/heimdal/lib/gssapi/krb5/add_oid_set_member.c index ed654fc8c5..b0ec2c60d8 100644 --- a/source4/heimdal/lib/gssapi/add_oid_set_member.c +++ b/source4/heimdal/lib/gssapi/krb5/add_oid_set_member.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: add_oid_set_member.c,v 1.8 2003/03/16 17:50:49 lha Exp $"); +RCSID("$Id: add_oid_set_member.c,v 1.10 2006/10/07 22:14:00 lha Exp $"); -OM_uint32 gss_add_oid_set_member ( +OM_uint32 _gsskrb5_add_oid_set_member ( OM_uint32 * minor_status, const gss_OID member_oid, gss_OID_set * oid_set @@ -46,7 +46,8 @@ OM_uint32 gss_add_oid_set_member ( OM_uint32 res; int present; - res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present); + res = _gsskrb5_test_oid_set_member(minor_status, member_oid, + *oid_set, &present); if (res != GSS_S_COMPLETE) return res; diff --git a/source4/heimdal/lib/gssapi/address_to_krb5addr.c b/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c index 13a6825f55..9aec53faaa 100644 --- a/source4/heimdal/lib/gssapi/address_to_krb5addr.c +++ b/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c @@ -31,15 +31,15 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" #include <roken.h> krb5_error_code -gss_address_to_krb5addr(OM_uint32 gss_addr_type, - gss_buffer_desc *gss_addr, - int16_t port, - krb5_address *address) +_gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type, + gss_buffer_desc *gss_addr, + int16_t port, + krb5_address *address) { int addr_type; struct sockaddr sa; @@ -61,7 +61,7 @@ gss_address_to_krb5addr(OM_uint32 gss_addr_type, return GSS_S_FAILURE; } - problem = krb5_h_addr2sockaddr (gssapi_krb5_context, + problem = krb5_h_addr2sockaddr (_gsskrb5_context, addr_type, gss_addr->value, &sa, @@ -70,7 +70,7 @@ gss_address_to_krb5addr(OM_uint32 gss_addr_type, if (problem) return GSS_S_FAILURE; - problem = krb5_sockaddr2address (gssapi_krb5_context, &sa, address); + problem = krb5_sockaddr2address (_gsskrb5_context, &sa, address); return problem; } diff --git a/source4/heimdal/lib/gssapi/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c index 936a20d403..82851f5a78 100644 --- a/source4/heimdal/lib/gssapi/arcfour.c +++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,9 +31,9 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: arcfour.c,v 1.19 2006/05/04 11:56:50 lha Exp $"); +RCSID("$Id: arcfour.c,v 1.29 2006/10/07 22:14:05 lha Exp $"); /* * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt @@ -57,6 +57,17 @@ RCSID("$Id: arcfour.c,v 1.19 2006/05/04 11:56:50 lha Exp $"); * Confounder[8] */ +/* + * WRAP in DCE-style have a fixed size header, the oid and length over + * the WRAP header is a total of + * GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE + + * GSS_ARCFOUR_WRAP_TOKEN_SIZE byte (ie total of 45 bytes overhead, + * remember the 2 bytes from APPL [0] SEQ). + */ + +#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32 +#define GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE 13 + static krb5_error_code arcfour_mic_key(krb5_context context, krb5_keyblock *key, @@ -127,13 +138,13 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, memcpy(ptr + l1, v2, l2); memcpy(ptr + l1 + l2, v3, l3); - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret) { free(ptr); return ret; } - ret = krb5_create_checksum(gssapi_krb5_context, + ret = krb5_create_checksum(_gsskrb5_context, crypto, usage, 0, @@ -144,7 +155,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz); free_Checksum(&CKSUM); } - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return ret; } @@ -152,7 +163,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, gss_qop_t qop_req, const gss_buffer_t message_buffer, gss_buffer_t message_token, @@ -164,7 +175,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status, u_char k6_data[16], *p0, *p; RC4_KEY rc4_key; - gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); message_token->length = total_len; message_token->value = malloc (total_len); @@ -195,28 +206,28 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status, message_buffer->value, message_buffer->length, NULL, 0); if (ret) { - gss_release_buffer(minor_status, message_token); + _gsskrb5_release_buffer(minor_status, message_token); *minor_status = ret; return GSS_S_FAILURE; } - ret = arcfour_mic_key(gssapi_krb5_context, key, + ret = arcfour_mic_key(_gsskrb5_context, key, p0 + 16, 8, /* SGN_CKSUM */ k6_data, sizeof(k6_data)); if (ret) { - gss_release_buffer(minor_status, message_token); + _gsskrb5_release_buffer(minor_status, message_token); *minor_status = ret; return GSS_S_FAILURE; } HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, context_handle->auth_context, &seq_number); p = p0 + 8; /* SND_SEQ */ - gssapi_encode_be_om_uint32(seq_number, p); + _gsskrb5_encode_be_om_uint32(seq_number, p); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, context_handle->auth_context, ++seq_number); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -236,7 +247,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status, OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, @@ -244,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, char *type) { krb5_error_code ret; - int32_t seq_number; + uint32_t seq_number; OM_uint32 omret; u_char SND_SEQ[8], cksum_data[8], *p; char k6_data[16]; @@ -254,7 +265,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, *qop_state = 0; p = token_buffer->value; - omret = gssapi_krb5_verify_header (&p, + omret = _gsskrb5_verify_header (&p, token_buffer->length, (u_char *)type, GSS_KRB5_MECHANISM); @@ -278,7 +289,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, return GSS_S_FAILURE; } - ret = arcfour_mic_key(gssapi_krb5_context, key, + ret = arcfour_mic_key(_gsskrb5_context, key, cksum_data, sizeof(cksum_data), k6_data, sizeof(k6_data)); if (ret) { @@ -302,7 +313,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, memset(k6_data, 0, sizeof(k6_data)); } - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); + _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); @@ -326,39 +337,8 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, } OM_uint32 -_gssapi_wrap_size_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_input_size, - OM_uint32 * output_size, - OM_uint32 * padlen, - krb5_keyblock *key) -{ - size_t len, total_len, datalen; - *padlen = 0; - datalen = req_input_size; - len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; - /* if GSS_C_DCE_STYLE is in use: - * - we only need to encapsulate the WRAP token - * - we should not add padding - */ - if (!(context_handle->flags & GSS_C_DCE_STYLE)) { - datalen += 1 /* padding */; - len += datalen; - } - _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); - if (context_handle->flags & GSS_C_DCE_STYLE) { - total_len += datalen; - } - - *output_size = total_len; - return GSS_S_COMPLETE; -} - -OM_uint32 _gssapi_wrap_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, @@ -375,19 +355,17 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, if (conf_state) *conf_state = 0; - datalen = input_message_buffer->length; - len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; - /* if GSS_C_DCE_STYLE is in use: - * - we only need to encapsulate the WRAP token - * - we should not add padding - */ - if (!(context_handle->flags & GSS_C_DCE_STYLE)) { - datalen += 1 /* padding */; - len += datalen; - } - _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); - if (context_handle->flags & GSS_C_DCE_STYLE) { - total_len += datalen; + if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) { + datalen = input_message_buffer->length + 1 /* padding */; + + len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE; + _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); + } else { + datalen = input_message_buffer->length; + + len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; + _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); + total_len += datalen; } output_message_buffer->length = total_len; @@ -419,13 +397,13 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, p = NULL; HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, context_handle->auth_context, &seq_number); - gssapi_encode_be_om_uint32(seq_number, p0 + 8); + _gsskrb5_encode_be_om_uint32(seq_number, p0 + 8); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, context_handle->auth_context, ++seq_number); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -439,9 +417,9 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, /* p points to data */ p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE; memcpy(p, input_message_buffer->value, input_message_buffer->length); - /* only add padding when GSS_C_DCE_STYLE is not in use */ - if (!(context_handle->flags & GSS_C_DCE_STYLE)) { - p[input_message_buffer->length] = 1; /* PADDING */ + + if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) { + p[input_message_buffer->length] = 1; /* PADDING */ } ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, @@ -452,7 +430,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, datalen); if (ret) { *minor_status = ret; - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } @@ -466,12 +444,12 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, for (i = 0; i < 16; i++) Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, + ret = arcfour_mic_key(_gsskrb5_context, &Klocal, p0 + 8, 4, /* SND_SEQ */ k6_data, sizeof(k6_data)); memset(Klocaldata, 0, sizeof(Klocaldata)); if (ret) { - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = ret; return GSS_S_FAILURE; } @@ -487,11 +465,11 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, } memset(k6_data, 0, sizeof(k6_data)); - ret = arcfour_mic_key(gssapi_krb5_context, key, + ret = arcfour_mic_key(_gsskrb5_context, key, p0 + 16, 8, /* SGN_CKSUM */ k6_data, sizeof(k6_data)); if (ret) { - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = ret; return GSS_S_FAILURE; } @@ -513,7 +491,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, } OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int *conf_state, @@ -523,15 +501,15 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, u_char Klocaldata[16]; krb5_keyblock Klocal; krb5_error_code ret; - int32_t seq_number; - size_t len, datalen; + uint32_t seq_number; + size_t datalen; OM_uint32 omret; u_char k6_data[16], SND_SEQ[8], Confounder[8]; u_char cksum_data[8]; u_char *p, *p0; int cmp; int conf_flag; - size_t padlen = 0; + size_t padlen = 0, len; if (conf_state) *conf_state = 0; @@ -539,25 +517,34 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, *qop_state = 0; p0 = input_message_buffer->value; - len = input_message_buffer->length; - /* if we have GSS_C_DCE_STYLE in use, we only need to decapsulate the WRAP token */ - if (context_handle->flags & GSS_C_DCE_STYLE) { - if (input_message_buffer->length < (GSS_ARCFOUR_WRAP_TOKEN_OFFSET+GSS_ARCFOUR_WRAP_TOKEN_SIZE)) { - return GSS_S_BAD_MECH; - } - len = GSS_ARCFOUR_WRAP_TOKEN_OFFSET+GSS_ARCFOUR_WRAP_TOKEN_SIZE; + + if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) { + len = input_message_buffer->length; + } else { + len = GSS_ARCFOUR_WRAP_TOKEN_SIZE + + GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE; + if (input_message_buffer->length < len) + return GSS_S_BAD_MECH; } + omret = _gssapi_verify_mech_header(&p0, len, GSS_KRB5_MECHANISM); if (omret) return omret; - p = p0; - datalen = input_message_buffer->length - - (p - ((u_char *)input_message_buffer->value)) - + /* length of mech header */ + len = (p0 - (u_char *)input_message_buffer->value) + GSS_ARCFOUR_WRAP_TOKEN_SIZE; + if (len > input_message_buffer->length) + return GSS_S_BAD_MECH; + + /* length of data */ + datalen = input_message_buffer->length - len; + + p = p0; + if (memcmp(p, "\x02\x01", 2) != 0) return GSS_S_BAD_SIG; p += 2; @@ -577,7 +564,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, return GSS_S_BAD_MIC; p = NULL; - ret = arcfour_mic_key(gssapi_krb5_context, key, + ret = arcfour_mic_key(_gsskrb5_context, key, p0 + 16, 8, /* SGN_CKSUM */ k6_data, sizeof(k6_data)); if (ret) { @@ -594,7 +581,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, memset(k6_data, 0, sizeof(k6_data)); } - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); + _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); @@ -616,7 +603,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, for (i = 0; i < 16; i++) Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, + ret = arcfour_mic_key(_gsskrb5_context, &Klocal, SND_SEQ, 4, k6_data, sizeof(k6_data)); memset(Klocaldata, 0, sizeof(Klocaldata)); @@ -648,14 +635,14 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, } memset(k6_data, 0, sizeof(k6_data)); - if (!(context_handle->flags & GSS_C_DCE_STYLE)) { - ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); + if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) { + ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); + if (ret) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = 0; return ret; - } - output_message_buffer->length -= padlen; + } + output_message_buffer->length -= padlen; } ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, @@ -665,14 +652,14 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, output_message_buffer->value, output_message_buffer->length + padlen); if (ret) { - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = ret; return GSS_S_FAILURE; } cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ if (cmp) { - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = 0; return GSS_S_BAD_MIC; } @@ -689,3 +676,79 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, *minor_status = 0; return GSS_S_COMPLETE; } + +static OM_uint32 +max_wrap_length_arcfour(const gsskrb5_ctx ctx, + krb5_crypto crypto, + size_t input_length, + OM_uint32 *max_input_size) +{ + /* + * if GSS_C_DCE_STYLE is in use: + * - we only need to encapsulate the WRAP token + * However, since this is a fixed since, we just + */ + if (ctx->flags & GSS_C_DCE_STYLE) { + size_t len, total_len; + + len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; + _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); + + if (input_length < len) + *max_input_size = 0; + else + *max_input_size = input_length - len; + + } else { + size_t extrasize = GSS_ARCFOUR_WRAP_TOKEN_SIZE; + size_t blocksize = 8; + size_t len, total_len; + + len = 8 + input_length + blocksize + extrasize; + + _gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); + + total_len -= input_length; /* token length */ + if (total_len < input_length) { + *max_input_size = (input_length - total_len); + (*max_input_size) &= (~(OM_uint32)(blocksize - 1)); + } else { + *max_input_size = 0; + } + } + + return GSS_S_COMPLETE; +} + +OM_uint32 +_gssapi_wrap_size_arcfour(OM_uint32 *minor_status, + const gsskrb5_ctx ctx, + int conf_req_flag, + gss_qop_t qop_req, + OM_uint32 req_output_size, + OM_uint32 *max_input_size, + krb5_keyblock *key) +{ + krb5_error_code ret; + krb5_crypto crypto; + + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); + if (ret != 0) { + _gsskrb5_set_error_string(); + *minor_status = ret; + return GSS_S_FAILURE; + } + + ret = max_wrap_length_arcfour(ctx, crypto, + req_output_size, max_input_size); + if (ret != 0) { + _gsskrb5_set_error_string(); + *minor_status = ret; + krb5_crypto_destroy(_gsskrb5_context, crypto); + return GSS_S_FAILURE; + } + + krb5_crypto_destroy(_gsskrb5_context, crypto); + + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c new file mode 100644 index 0000000000..f69300b590 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c @@ -0,0 +1,46 @@ +/* + * Copyright (c) 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: canonicalize_name.c,v 1.4 2006/10/07 22:14:08 lha Exp $"); + +OM_uint32 _gsskrb5_canonicalize_name ( + OM_uint32 * minor_status, + const gss_name_t input_name, + const gss_OID mech_type, + gss_name_t * output_name + ) +{ + return _gsskrb5_duplicate_name (minor_status, input_name, output_name); +} diff --git a/source4/heimdal/lib/gssapi/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c index ef7907c0de..cb3f9ee5d3 100755 --- a/source4/heimdal/lib/gssapi/cfx.c +++ b/source4/heimdal/lib/gssapi/krb5/cfx.c @@ -30,9 +30,9 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: cfx.c,v 1.19 2006/05/05 10:26:43 lha Exp $"); +RCSID("$Id: cfx.c,v 1.24 2006/10/24 21:13:22 lha Exp $"); /* * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt @@ -42,14 +42,13 @@ RCSID("$Id: cfx.c,v 1.19 2006/05/05 10:26:43 lha Exp $"); #define CFXSealed (1 << 1) #define CFXAcceptorSubkey (1 << 2) -static krb5_error_code -wrap_length_cfx(krb5_crypto crypto, - int conf_req_flag, - size_t input_length, - size_t *output_length, - size_t *cksumsize, - uint16_t *padlength, - size_t *padsize) +krb5_error_code +_gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto, + int conf_req_flag, + size_t input_length, + size_t *output_length, + size_t *cksumsize, + uint16_t *padlength) { krb5_error_code ret; krb5_cksumtype type; @@ -58,39 +57,37 @@ wrap_length_cfx(krb5_crypto crypto, *output_length = sizeof(gss_cfx_wrap_token_desc); *padlength = 0; - ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto, &type); - if (ret) { + ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type); + if (ret) return ret; - } - ret = krb5_checksumsize(gssapi_krb5_context, type, cksumsize); - if (ret) { + ret = krb5_checksumsize(_gsskrb5_context, type, cksumsize); + if (ret) return ret; - } if (conf_req_flag) { + size_t padsize; /* Header is concatenated with data before encryption */ input_length += sizeof(gss_cfx_wrap_token_desc); - ret = krb5_crypto_getpadsize(gssapi_krb5_context, crypto, padsize); + ret = krb5_crypto_getpadsize(_gsskrb5_context, crypto, &padsize); if (ret) { return ret; } - if (*padsize > 1) { + if (padsize > 1) { /* XXX check this */ - *padlength = *padsize - (input_length % *padsize); - } + *padlength = padsize - (input_length % padsize); - /* We add the pad ourselves (noted here for completeness only) */ - input_length += *padlength; + /* We add the pad ourselves (noted here for completeness only) */ + input_length += *padlength; + } - *output_length += krb5_get_wrapped_length(gssapi_krb5_context, + *output_length += krb5_get_wrapped_length(_gsskrb5_context, crypto, input_length); } else { /* Checksum is concatenated with data */ *output_length += input_length + *cksumsize; - *padsize = 0; } assert(*output_length > input_length); @@ -98,42 +95,94 @@ wrap_length_cfx(krb5_crypto crypto, return 0; } +krb5_error_code +_gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto, + int conf_req_flag, + size_t input_length, + OM_uint32 *output_length) +{ + krb5_error_code ret; + + *output_length = 0; + + /* 16-byte header is always first */ + if (input_length < 16) + return 0; + input_length -= 16; + + if (conf_req_flag) { + size_t wrapped_size, sz; + + wrapped_size = input_length + 1; + do { + wrapped_size--; + sz = krb5_get_wrapped_length(_gsskrb5_context, + crypto, wrapped_size); + } while (wrapped_size && sz > input_length); + if (wrapped_size == 0) { + *output_length = 0; + return 0; + } + + /* inner header */ + if (wrapped_size < 16) { + *output_length = 0; + return 0; + } + wrapped_size -= 16; + + *output_length = wrapped_size; + } else { + krb5_cksumtype type; + size_t cksumsize; + + ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type); + if (ret) + return ret; + + ret = krb5_checksumsize(_gsskrb5_context, type, &cksumsize); + if (ret) + return ret; + + if (input_length < cksumsize) + return 0; + + /* Checksum is concatenated with data */ + *output_length = input_length - cksumsize; + } + + return 0; +} + + OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, int conf_req_flag, gss_qop_t qop_req, - OM_uint32 req_input_size, - OM_uint32 *output_len, - OM_uint32 *padsize, + OM_uint32 req_output_size, + OM_uint32 *max_input_size, krb5_keyblock *key) { krb5_error_code ret; krb5_crypto crypto; - uint16_t pad_length; - size_t pad_size; - size_t output_length, cksumsize; - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } - ret = wrap_length_cfx(crypto, conf_req_flag, - req_input_size, - &output_length, &cksumsize, &pad_length, &pad_size); + ret = _gsskrb5cfx_max_wrap_length_cfx(crypto, conf_req_flag, + req_output_size, max_input_size); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } - *output_len = output_length; - *padsize = pad_size; - - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_COMPLETE; } @@ -183,7 +232,7 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate) } OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, @@ -199,23 +248,22 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, size_t wrapped_len, cksumsize; uint16_t padlength, rrc = 0; int32_t seq_number; - size_t padsize; u_char *p; - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } - ret = wrap_length_cfx(crypto, conf_req_flag, - input_message_buffer->length, - &wrapped_len, &cksumsize, &padlength, &padsize); + ret = _gsskrb5cfx_wrap_length_cfx(crypto, conf_req_flag, + input_message_buffer->length, + &wrapped_len, &cksumsize, &padlength); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -226,7 +274,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, output_message_buffer->value = malloc(output_message_buffer->length); if (output_message_buffer->value == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -276,12 +324,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, token->RRC[1] = 0; HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber(_gsskrb5_context, context_handle->auth_context, &seq_number); - gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]); - gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); - krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, + _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); + _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); + krb5_auth_con_setlocalseqnumber(_gsskrb5_context, context_handle->auth_context, ++seq_number); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -316,16 +364,16 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, memcpy(p + input_message_buffer->length + padlength, token, sizeof(*token)); - ret = krb5_encrypt(gssapi_krb5_context, crypto, + ret = krb5_encrypt(_gsskrb5_context, crypto, usage, p, input_message_buffer->length + padlength + sizeof(*token), &cipher); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } assert(sizeof(*token) + cipher.length == wrapped_len); @@ -334,10 +382,10 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } memcpy(p, cipher.data, cipher.length); @@ -349,23 +397,23 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, buf = malloc(input_message_buffer->length + sizeof(*token)); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } memcpy(buf, input_message_buffer->value, input_message_buffer->length); memcpy(buf + input_message_buffer->length, token, sizeof(*token)); - ret = krb5_create_checksum(gssapi_krb5_context, crypto, + ret = krb5_create_checksum(_gsskrb5_context, crypto, usage, 0, buf, input_message_buffer->length + sizeof(*token), &cksum); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); free(buf); return GSS_S_FAILURE; } @@ -386,17 +434,17 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, ret = rrc_rotate(p, input_message_buffer->length + cksum.checksum.length, rrc, FALSE); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); free_Checksum(&cksum); return GSS_S_FAILURE; } free_Checksum(&cksum); } - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); if (conf_state != NULL) { *conf_state = conf_req_flag; @@ -407,7 +455,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int *conf_state, @@ -470,8 +518,8 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* * Check sequence number */ - gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); - gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); if (seq_number_hi) { /* no support for 64-bit sequence numbers */ *minor_status = ERANGE; @@ -483,7 +531,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, if (ret != 0) { *minor_status = 0; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - gss_release_buffer(minor_status, output_message_buffer); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return ret; } HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -491,9 +539,9 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* * Decrypt and/or verify checksum */ - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } @@ -511,23 +559,23 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Rotate by RRC; bogus to do this in-place XXX */ *minor_status = rrc_rotate(p, len, rrc, TRUE); if (*minor_status != 0) { - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } if (token_flags & CFXSealed) { - ret = krb5_decrypt(gssapi_krb5_context, crypto, usage, + ret = krb5_decrypt(_gsskrb5_context, crypto, usage, p, len, &data); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_BAD_MIC; } /* Check that there is room for the pad and token header */ if (data.length < ec + sizeof(*token)) { - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); krb5_data_free(&data); return GSS_S_DEFECTIVE_TOKEN; } @@ -540,7 +588,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Check the integrity of the header */ if (memcmp(p, token, sizeof(*token)) != 0) { - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); krb5_data_free(&data); return GSS_S_BAD_MIC; } @@ -551,12 +599,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, Checksum cksum; /* Determine checksum type */ - ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, + ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &cksum.cksumtype); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -565,7 +613,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Check we have at least as much data as the checksum */ if (len < cksum.checksum.length) { *minor_status = ERANGE; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_BAD_MIC; } @@ -577,7 +625,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, output_message_buffer->value = malloc(len + sizeof(*token)); if (output_message_buffer->value == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -594,21 +642,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, token->RRC[0] = 0; token->RRC[1] = 0; - ret = krb5_verify_checksum(gssapi_krb5_context, crypto, + ret = krb5_verify_checksum(_gsskrb5_context, crypto, usage, output_message_buffer->value, len + sizeof(*token), &cksum); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); - gss_release_buffer(minor_status, output_message_buffer); + krb5_crypto_destroy(_gsskrb5_context, crypto); + _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_BAD_MIC; } } - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); if (qop_state != NULL) { *qop_state = GSS_C_QOP_DEFAULT; @@ -619,7 +667,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, gss_qop_t qop_req, const gss_buffer_t message_buffer, gss_buffer_t message_token, @@ -634,9 +682,9 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, size_t len; int32_t seq_number; - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } @@ -645,7 +693,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, buf = malloc(len); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -662,12 +710,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, memset(token->Filler, 0xFF, 5); HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber(gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber(_gsskrb5_context, context_handle->auth_context, &seq_number); - gssapi_encode_be_om_uint32(0, &token->SND_SEQ[0]); - gssapi_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); - krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, + _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); + _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); + krb5_auth_con_setlocalseqnumber(_gsskrb5_context, context_handle->auth_context, ++seq_number); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -678,16 +726,16 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; } - ret = krb5_create_checksum(gssapi_krb5_context, crypto, + ret = krb5_create_checksum(_gsskrb5_context, crypto, usage, 0, buf, len, &cksum); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); free(buf); return GSS_S_FAILURE; } - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); /* Determine MIC length */ message_token->length = sizeof(*token) + cksum.checksum.length; @@ -712,7 +760,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t *qop_state, @@ -763,8 +811,8 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, /* * Check sequence number */ - gssapi_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); - gssapi_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); if (seq_number_hi) { *minor_status = ERANGE; return GSS_S_UNSEQ_TOKEN; @@ -782,19 +830,19 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, /* * Verify checksum */ - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; return GSS_S_FAILURE; } - ret = krb5_crypto_get_checksum_type(gssapi_krb5_context, crypto, + ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &cksum.cksumtype); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } @@ -810,21 +858,21 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, buf = malloc(message_buffer->length + sizeof(*token)); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); return GSS_S_FAILURE; } memcpy(buf, message_buffer->value, message_buffer->length); memcpy(buf + message_buffer->length, token, sizeof(*token)); - ret = krb5_verify_checksum(gssapi_krb5_context, crypto, + ret = krb5_verify_checksum(_gsskrb5_context, crypto, usage, buf, sizeof(*token) + message_buffer->length, &cksum); + krb5_crypto_destroy(_gsskrb5_context, crypto); if (ret != 0) { - gssapi_krb5_set_error_string(); + _gsskrb5_set_error_string(); *minor_status = ret; - krb5_crypto_destroy(gssapi_krb5_context, crypto); free(buf); return GSS_S_BAD_MIC; } diff --git a/source4/heimdal/lib/gssapi/cfx.h b/source4/heimdal/lib/gssapi/krb5/cfx.h index d9bdd9da19..1120544fbe 100755 --- a/source4/heimdal/lib/gssapi/cfx.h +++ b/source4/heimdal/lib/gssapi/krb5/cfx.h @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -/* $Id: cfx.h,v 1.5 2003/09/22 21:48:35 lha Exp $ */ +/* $Id: cfx.h,v 1.7 2006/07/19 14:16:33 lha Exp $ */ #ifndef GSSAPI_CFX_H_ #define GSSAPI_CFX_H_ 1 @@ -62,44 +62,19 @@ typedef struct gss_cfx_delete_token_desc_struct { u_char SND_SEQ[8]; } gss_cfx_delete_token_desc, *gss_cfx_delete_token; -OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_input_size, - OM_uint32 *output_len, - OM_uint32 *padlen, - krb5_keyblock *key); - -OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key); +krb5_error_code +_gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto, + int conf_req_flag, + size_t input_length, + size_t *output_length, + size_t *cksumsize, + uint16_t *padlength); -OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key); - -OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key); +krb5_error_code +_gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto, + int conf_req_flag, + size_t input_length, + OM_uint32 *output_length); -OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t *qop_state, - krb5_keyblock *key); #endif /* GSSAPI_CFX_H_ */ diff --git a/source4/heimdal/lib/gssapi/krb5/compare_name.c b/source4/heimdal/lib/gssapi/krb5/compare_name.c new file mode 100644 index 0000000000..3e0f7edfee --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/compare_name.c @@ -0,0 +1,54 @@ +/* + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: compare_name.c,v 1.7 2006/10/07 22:14:15 lha Exp $"); + +OM_uint32 _gsskrb5_compare_name + (OM_uint32 * minor_status, + const gss_name_t name1, + const gss_name_t name2, + int * name_equal + ) +{ + krb5_const_principal princ1 = (krb5_const_principal)name1; + krb5_const_principal princ2 = (krb5_const_principal)name2; + + GSSAPI_KRB5_INIT(); + + *name_equal = krb5_principal_compare (_gsskrb5_context, + princ1, princ2); + *minor_status = 0; + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/compat.c b/source4/heimdal/lib/gssapi/krb5/compat.c index 5605c48023..0ea2fce0e8 100644 --- a/source4/heimdal/lib/gssapi/compat.c +++ b/source4/heimdal/lib/gssapi/krb5/compat.c @@ -31,42 +31,42 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: compat.c,v 1.10 2005/05/30 20:51:51 lha Exp $"); +RCSID("$Id: compat.c,v 1.13 2006/10/07 22:14:17 lha Exp $"); -krb5_error_code -_gss_check_compat(OM_uint32 *minor_status, gss_name_t name, - const char *option, krb5_boolean *compat, - krb5_boolean match_val) +static krb5_error_code +check_compat(OM_uint32 *minor_status, krb5_const_principal name, + const char *option, krb5_boolean *compat, + krb5_boolean match_val) { krb5_error_code ret = 0; char **p, **q; krb5_principal match; - p = krb5_config_get_strings(gssapi_krb5_context, NULL, "gssapi", + p = krb5_config_get_strings(_gsskrb5_context, NULL, "gssapi", option, NULL); if(p == NULL) return 0; match = NULL; for(q = p; *q; q++) { - ret = krb5_parse_name(gssapi_krb5_context, *q, &match); + ret = krb5_parse_name(_gsskrb5_context, *q, &match); if (ret) break; - if (krb5_principal_match(gssapi_krb5_context, name, match)) { + if (krb5_principal_match(_gsskrb5_context, name, match)) { *compat = match_val; break; } - krb5_free_principal(gssapi_krb5_context, match); + krb5_free_principal(_gsskrb5_context, match); match = NULL; } if (match) - krb5_free_principal(gssapi_krb5_context, match); + krb5_free_principal(_gsskrb5_context, match); krb5_config_free_strings(p); if (ret) { @@ -83,18 +83,18 @@ _gss_check_compat(OM_uint32 *minor_status, gss_name_t name, */ OM_uint32 -_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx) +_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gsskrb5_ctx ctx) { krb5_boolean use_compat = FALSE; OM_uint32 ret; if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) { - ret = _gss_check_compat(minor_status, ctx->target, - "broken_des3_mic", &use_compat, TRUE); + ret = check_compat(minor_status, ctx->target, + "broken_des3_mic", &use_compat, TRUE); if (ret) return ret; - ret = _gss_check_compat(minor_status, ctx->target, - "correct_des3_mic", &use_compat, FALSE); + ret = check_compat(minor_status, ctx->target, + "correct_des3_mic", &use_compat, FALSE); if (ret) return ret; @@ -105,6 +105,7 @@ _gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx) return 0; } +#if 0 OM_uint32 gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) { @@ -121,34 +122,4 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) return 0; } - -/* - * For compatability with the Windows SPNEGO implementation, the - * default is to ignore the mechListMIC unless the initiator specified - * CFX or configured in krb5.conf with the option - * [gssapi]require_mechlist_mic=target-principal-pattern. - * The option is valid for both initiator and acceptor. - */ -OM_uint32 -_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status, - gss_ctx_id_t ctx, - krb5_boolean *require_mic) -{ - OM_uint32 ret; - int is_cfx = 0; - - gsskrb5_is_cfx(ctx, &is_cfx); - if (is_cfx) { - /* CFX session key was used */ - *require_mic = TRUE; - } else { - *require_mic = FALSE; - ret = _gss_check_compat(minor_status, ctx->target, - "require_mechlist_mic", - require_mic, TRUE); - if (ret) - return ret; - } - *minor_status = 0; - return GSS_S_COMPLETE; -} +#endif diff --git a/source4/heimdal/lib/gssapi/context_time.c b/source4/heimdal/lib/gssapi/krb5/context_time.c index ee1dc6fe93..4e9d9f5d1d 100644 --- a/source4/heimdal/lib/gssapi/context_time.c +++ b/source4/heimdal/lib/gssapi/krb5/context_time.c @@ -31,12 +31,12 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: context_time.c,v 1.11 2005/12/05 09:19:52 lha Exp $"); +RCSID("$Id: context_time.c,v 1.13 2006/10/07 22:14:19 lha Exp $"); OM_uint32 -gssapi_lifetime_left(OM_uint32 *minor_status, +_gsskrb5_lifetime_left(OM_uint32 *minor_status, OM_uint32 lifetime, OM_uint32 *lifetime_rec) { @@ -48,10 +48,10 @@ gssapi_lifetime_left(OM_uint32 *minor_status, return GSS_S_COMPLETE; } - kret = krb5_timeofday(gssapi_krb5_context, &timeret); + kret = krb5_timeofday(_gsskrb5_context, &timeret); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } @@ -64,7 +64,7 @@ gssapi_lifetime_left(OM_uint32 *minor_status, } -OM_uint32 gss_context_time +OM_uint32 _gsskrb5_context_time (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, OM_uint32 * time_rec @@ -72,14 +72,15 @@ OM_uint32 gss_context_time { OM_uint32 lifetime; OM_uint32 major_status; + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; GSSAPI_KRB5_INIT (); - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - lifetime = context_handle->lifetime; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + lifetime = ctx->lifetime; + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec); + major_status = _gsskrb5_lifetime_left(minor_status, lifetime, time_rec); if (major_status != GSS_S_COMPLETE) return major_status; diff --git a/source4/heimdal/lib/gssapi/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c index 782b701e44..99aa2ccb43 100644 --- a/source4/heimdal/lib/gssapi/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c @@ -31,10 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: copy_ccache.c,v 1.13 2005/11/28 23:05:44 lha Exp $"); +RCSID("$Id: copy_ccache.c,v 1.15 2006/10/07 22:14:22 lha Exp $"); +#if 0 OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, gss_cred_id_t cred, @@ -50,36 +51,37 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status, return GSS_S_FAILURE; } - kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out); + kret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, out); HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } *minor_status = 0; return GSS_S_COMPLETE; } +#endif OM_uint32 -gss_krb5_import_cred(OM_uint32 *minor_status, +_gsskrb5_import_cred(OM_uint32 *minor_status, krb5_ccache id, krb5_principal keytab_principal, krb5_keytab keytab, gss_cred_id_t *cred) { krb5_error_code kret; - gss_cred_id_t handle; + gsskrb5_cred handle; OM_uint32 ret; *cred = NULL; GSSAPI_KRB5_INIT (); - handle = (gss_cred_id_t)calloc(1, sizeof(*handle)); - if (handle == GSS_C_NO_CREDENTIAL) { - gssapi_krb5_clear_status (); + handle = calloc(1, sizeof(*handle)); + if (handle == NULL) { + _gsskrb5_clear_status (); *minor_status = ENOMEM; return (GSS_S_FAILURE); } @@ -92,11 +94,11 @@ gss_krb5_import_cred(OM_uint32 *minor_status, handle->usage |= GSS_C_INITIATE; - kret = krb5_cc_get_principal(gssapi_krb5_context, id, + kret = krb5_cc_get_principal(_gsskrb5_context, id, &handle->principal); if (kret) { free(handle); - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } @@ -104,34 +106,34 @@ gss_krb5_import_cred(OM_uint32 *minor_status, if (keytab_principal) { krb5_boolean match; - match = krb5_principal_compare(gssapi_krb5_context, + match = krb5_principal_compare(_gsskrb5_context, handle->principal, keytab_principal); if (match == FALSE) { - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); - gssapi_krb5_clear_status (); + _gsskrb5_clear_status (); *minor_status = EINVAL; return GSS_S_FAILURE; } } - ret = _gssapi_krb5_ccache_lifetime(minor_status, + ret = __gsskrb5_ccache_lifetime(minor_status, id, handle->principal, &handle->lifetime); if (ret != GSS_S_COMPLETE) { - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); free(handle); return ret; } - kret = krb5_cc_get_full_name(gssapi_krb5_context, id, &str); + kret = krb5_cc_get_full_name(_gsskrb5_context, id, &str); if (kret) goto out; - kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache); + kret = krb5_cc_resolve(_gsskrb5_context, str, &handle->ccache); free(str); if (kret) goto out; @@ -144,18 +146,18 @@ gss_krb5_import_cred(OM_uint32 *minor_status, handle->usage |= GSS_C_ACCEPT; if (keytab_principal && handle->principal == NULL) { - kret = krb5_copy_principal(gssapi_krb5_context, + kret = krb5_copy_principal(_gsskrb5_context, keytab_principal, &handle->principal); if (kret) goto out; } - kret = krb5_kt_get_full_name(gssapi_krb5_context, keytab, &str); + kret = krb5_kt_get_full_name(_gsskrb5_context, keytab, &str); if (kret) goto out; - kret = krb5_kt_resolve(gssapi_krb5_context, str, &handle->keytab); + kret = krb5_kt_resolve(_gsskrb5_context, str, &handle->keytab); free(str); if (kret) goto out; @@ -163,10 +165,10 @@ gss_krb5_import_cred(OM_uint32 *minor_status, if (id || keytab) { - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); + ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms); if (ret == GSS_S_COMPLETE) - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); + ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &handle->mechanisms); if (ret != GSS_S_COMPLETE) { kret = *minor_status; goto out; @@ -174,107 +176,16 @@ gss_krb5_import_cred(OM_uint32 *minor_status, } *minor_status = 0; - *cred = handle; + *cred = (gss_cred_id_t)handle; return GSS_S_COMPLETE; out: - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); if (handle->principal) - krb5_free_principal(gssapi_krb5_context, handle->principal); + krb5_free_principal(_gsskrb5_context, handle->principal); HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); free(handle); *minor_status = kret; return GSS_S_FAILURE; } - -OM_uint32 -gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int ad_type, - gss_buffer_t ad_data) -{ - krb5_error_code ret; - krb5_data data; - - ad_data->value = NULL; - ad_data->length = 0; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->ticket == NULL) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - ret = krb5_ticket_get_authorization_data_type(gssapi_krb5_context, - context_handle->ticket, - ad_type, - &data); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ad_data->value = malloc(data.length); - if (ad_data->value == NULL) { - krb5_data_free(&data); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - ad_data->length = data.length; - memcpy(ad_data->value, data.data, ad_data->length); - krb5_data_free(&data); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 -gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - time_t *authtime) -{ - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->ticket == NULL) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - *authtime = context_handle->ticket->ticket.authtime; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 gss_krb5_copy_service_keyblock - (OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - struct EncryptionKey **out) -{ - krb5_error_code ret; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->service_keyblock == NULL) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - ret = krb5_copy_keyblock(gssapi_krb5_context, - context_handle->service_keyblock, - out); - - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/source4/heimdal/lib/gssapi/create_emtpy_oid_set.c b/source4/heimdal/lib/gssapi/krb5/create_emtpy_oid_set.c index 1a25e0d781..550995125a 100644 --- a/source4/heimdal/lib/gssapi/create_emtpy_oid_set.c +++ b/source4/heimdal/lib/gssapi/krb5/create_emtpy_oid_set.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: create_emtpy_oid_set.c,v 1.5 2003/03/16 17:47:07 lha Exp $"); +RCSID("$Id: create_emtpy_oid_set.c,v 1.7 2006/10/07 22:14:24 lha Exp $"); -OM_uint32 gss_create_empty_oid_set ( +OM_uint32 _gsskrb5_create_empty_oid_set ( OM_uint32 * minor_status, gss_OID_set * oid_set ) diff --git a/source4/heimdal/lib/gssapi/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c index 08df361776..eadec1ef03 100644 --- a/source4/heimdal/lib/gssapi/decapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c @@ -31,9 +31,9 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: decapsulate.c,v 1.12 2005/06/16 20:40:49 lha Exp $"); +RCSID("$Id: decapsulate.c,v 1.16 2006/10/07 22:14:26 lha Exp $"); /* * return the length of the mechanism in token or -1 @@ -41,7 +41,7 @@ RCSID("$Id: decapsulate.c,v 1.12 2005/06/16 20:40:49 lha Exp $"); */ ssize_t -gssapi_krb5_get_mech (const u_char *ptr, +_gsskrb5_get_mech (const u_char *ptr, size_t total_len, const u_char **mech_ret) { @@ -76,7 +76,7 @@ _gssapi_verify_mech_header(u_char **str, const u_char *p; ssize_t mech_len; - mech_len = gssapi_krb5_get_mech (*str, total_len, &p); + mech_len = _gsskrb5_get_mech (*str, total_len, &p); if (mech_len < 0) return GSS_S_DEFECTIVE_TOKEN; @@ -92,9 +92,9 @@ _gssapi_verify_mech_header(u_char **str, } OM_uint32 -gssapi_krb5_verify_header(u_char **str, +_gsskrb5_verify_header(u_char **str, size_t total_len, - const u_char *type, + const void *type, gss_OID oid) { OM_uint32 ret; @@ -110,7 +110,7 @@ gssapi_krb5_verify_header(u_char **str, if (len < 2) return GSS_S_DEFECTIVE_TOKEN; - if ((*str)[0] != type[0] || (*str)[1] != type[1]) + if (memcmp (*str, type, 2) != 0) return GSS_S_DEFECTIVE_TOKEN; *str += 2; @@ -154,17 +154,17 @@ _gssapi_decapsulate( */ OM_uint32 -gssapi_krb5_decapsulate(OM_uint32 *minor_status, +_gsskrb5_decapsulate(OM_uint32 *minor_status, gss_buffer_t input_token_buffer, krb5_data *out_data, - const char *type, + const void *type, gss_OID oid) { u_char *p; OM_uint32 ret; p = input_token_buffer->value; - ret = gssapi_krb5_verify_header(&p, + ret = _gsskrb5_verify_header(&p, input_token_buffer->length, type, oid); diff --git a/source4/heimdal/lib/gssapi/delete_sec_context.c b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c index f1842def7c..e890d7d2c2 100644 --- a/source4/heimdal/lib/gssapi/delete_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c @@ -31,16 +31,17 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: delete_sec_context.c,v 1.16 2006/01/16 13:12:29 lha Exp $"); +RCSID("$Id: delete_sec_context.c,v 1.19 2006/10/07 22:14:28 lha Exp $"); -OM_uint32 gss_delete_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t output_token - ) +OM_uint32 +_gsskrb5_delete_sec_context(OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + gss_buffer_t output_token) { + gsskrb5_ctx ctx; + GSSAPI_KRB5_INIT (); *minor_status = 0; @@ -53,31 +54,27 @@ OM_uint32 gss_delete_sec_context if (*context_handle == GSS_C_NO_CONTEXT) return GSS_S_COMPLETE; - HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); + ctx = (gsskrb5_ctx) *context_handle; + *context_handle = GSS_C_NO_CONTEXT; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - if ((*context_handle)->ticket) - krb5_free_ticket (gssapi_krb5_context, - (*context_handle)->ticket); - if ((*context_handle)->service_keyblock) - krb5_free_keyblock (gssapi_krb5_context, - (*context_handle)->service_keyblock); - if((*context_handle)->order) - _gssapi_msg_order_destroy(&(*context_handle)->order); - if ((*context_handle)->fwd_data.length > 0) - free((*context_handle)->fwd_data.data); + krb5_auth_con_free (_gsskrb5_context, ctx->auth_context); + if(ctx->source) + krb5_free_principal (_gsskrb5_context, ctx->source); + if(ctx->target) + krb5_free_principal (_gsskrb5_context, ctx->target); + if (ctx->ticket) + krb5_free_ticket (_gsskrb5_context, ctx->ticket); + if(ctx->order) + _gssapi_msg_order_destroy(&ctx->order); + if (ctx->service_keyblock) + krb5_free_keyblock (_gsskrb5_context, ctx->service_keyblock); + krb5_data_free(&ctx->fwd_data); - HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); - HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); - memset(*context_handle, 0, sizeof(**context_handle)); - free (*context_handle); - *context_handle = GSS_C_NO_CONTEXT; + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + memset(ctx, 0, sizeof(*ctx)); + free (ctx); return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/display_name.c b/source4/heimdal/lib/gssapi/krb5/display_name.c index 27a232fd3c..8fce7d8572 100644 --- a/source4/heimdal/lib/gssapi/display_name.c +++ b/source4/heimdal/lib/gssapi/krb5/display_name.c @@ -31,28 +31,27 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: display_name.c,v 1.9 2003/03/16 17:46:11 lha Exp $"); +RCSID("$Id: display_name.c,v 1.12 2006/10/07 22:14:31 lha Exp $"); -OM_uint32 gss_display_name +OM_uint32 _gsskrb5_display_name (OM_uint32 * minor_status, const gss_name_t input_name, gss_buffer_t output_name_buffer, gss_OID * output_name_type ) { + krb5_const_principal name = (krb5_const_principal)input_name; krb5_error_code kret; char *buf; size_t len; GSSAPI_KRB5_INIT (); - kret = krb5_unparse_name (gssapi_krb5_context, - input_name, - &buf); + kret = krb5_unparse_name (_gsskrb5_context, name, &buf); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } len = strlen (buf); diff --git a/source4/heimdal/lib/gssapi/display_status.c b/source4/heimdal/lib/gssapi/krb5/display_status.c index 0aa88bb57c..11926ca557 100644 --- a/source4/heimdal/lib/gssapi/display_status.c +++ b/source4/heimdal/lib/gssapi/krb5/display_status.c @@ -31,9 +31,9 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: display_status.c,v 1.14 2005/10/12 07:23:03 lha Exp $"); +RCSID("$Id: display_status.c,v 1.16 2006/10/07 22:14:33 lha Exp $"); static const char * calling_error(OM_uint32 v) @@ -112,9 +112,9 @@ supplementary_error(OM_uint32 v) } void -gssapi_krb5_clear_status (void) +_gsskrb5_clear_status (void) { - struct gssapi_thr_context *ctx = gssapi_get_thread_context(1); + struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1); if (ctx == NULL) return; HEIMDAL_MUTEX_lock(&ctx->mutex); @@ -125,9 +125,9 @@ gssapi_krb5_clear_status (void) } void -gssapi_krb5_set_status (const char *fmt, ...) +_gsskrb5_set_status (const char *fmt, ...) { - struct gssapi_thr_context *ctx = gssapi_get_thread_context(1); + struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1); va_list args; if (ctx == NULL) @@ -143,22 +143,22 @@ gssapi_krb5_set_status (const char *fmt, ...) } void -gssapi_krb5_set_error_string (void) +_gsskrb5_set_error_string (void) { char *e; - e = krb5_get_error_string(gssapi_krb5_context); + e = krb5_get_error_string(_gsskrb5_context); if (e) { - gssapi_krb5_set_status("%s", e); - krb5_free_error_string(gssapi_krb5_context, e); + _gsskrb5_set_status("%s", e); + krb5_free_error_string(_gsskrb5_context, e); } else - gssapi_krb5_clear_status(); + _gsskrb5_clear_status(); } char * -gssapi_krb5_get_error_string (void) +_gsskrb5_get_error_string (void) { - struct gssapi_thr_context *ctx = gssapi_get_thread_context(0); + struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(0); char *ret; if (ctx == NULL) @@ -170,7 +170,7 @@ gssapi_krb5_get_error_string (void) return ret; } -OM_uint32 gss_display_status +OM_uint32 _gsskrb5_display_status (OM_uint32 *minor_status, OM_uint32 status_value, int status_type, @@ -200,9 +200,9 @@ OM_uint32 gss_display_status calling_error(GSS_CALLING_ERROR(status_value)), routine_error(GSS_ROUTINE_ERROR(status_value))); } else if (status_type == GSS_C_MECH_CODE) { - buf = gssapi_krb5_get_error_string (); + buf = _gsskrb5_get_error_string (); if (buf == NULL) { - const char *tmp = krb5_get_err_text (gssapi_krb5_context, + const char *tmp = krb5_get_err_text (_gsskrb5_context, status_value); if (tmp == NULL) asprintf(&buf, "unknown mech error-code %u", diff --git a/source4/heimdal/lib/gssapi/duplicate_name.c b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c index 2b54e90ec8..475ae61efc 100644 --- a/source4/heimdal/lib/gssapi/duplicate_name.c +++ b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c @@ -31,26 +31,26 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: duplicate_name.c,v 1.7 2003/03/16 17:44:26 lha Exp $"); +RCSID("$Id: duplicate_name.c,v 1.10 2006/10/07 22:14:35 lha Exp $"); -OM_uint32 gss_duplicate_name ( +OM_uint32 _gsskrb5_duplicate_name ( OM_uint32 * minor_status, const gss_name_t src_name, gss_name_t * dest_name ) { + krb5_const_principal src = (krb5_const_principal)src_name; + krb5_principal *dest = (krb5_principal *)dest_name; krb5_error_code kret; GSSAPI_KRB5_INIT (); - kret = krb5_copy_principal (gssapi_krb5_context, - src_name, - dest_name); + kret = krb5_copy_principal (_gsskrb5_context, src, dest); if (kret) { *minor_status = kret; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); return GSS_S_FAILURE; } else { *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/encapsulate.c b/source4/heimdal/lib/gssapi/krb5/encapsulate.c index 4d488a6c42..a015a95103 100644 --- a/source4/heimdal/lib/gssapi/encapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/encapsulate.c @@ -31,9 +31,9 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: encapsulate.c,v 1.8 2003/09/04 18:08:55 lha Exp $"); +RCSID("$Id: encapsulate.c,v 1.12 2006/10/14 10:02:56 lha Exp $"); void _gssapi_encap_length (size_t data_len, @@ -45,13 +45,13 @@ _gssapi_encap_length (size_t data_len, *len = 1 + 1 + mech->length + data_len; - len_len = length_len(*len); + len_len = der_length_len(*len); *total_len = 1 + len_len + *len; } void -gssapi_krb5_encap_length (size_t data_len, +_gsskrb5_encap_length (size_t data_len, size_t *len, size_t *total_len, const gss_OID mech) @@ -59,28 +59,30 @@ gssapi_krb5_encap_length (size_t data_len, _gssapi_encap_length(data_len + 2, len, total_len, mech); } -u_char * -gssapi_krb5_make_header (u_char *p, +void * +_gsskrb5_make_header (void *ptr, size_t len, - const u_char *type, + const void *type, const gss_OID mech) { + u_char *p = ptr; p = _gssapi_make_mech_header(p, len, mech); memcpy (p, type, 2); p += 2; return p; } -u_char * -_gssapi_make_mech_header(u_char *p, +void * +_gssapi_make_mech_header(void *ptr, size_t len, const gss_OID mech) { + u_char *p = ptr; int e; size_t len_len, foo; *p++ = 0x60; - len_len = length_len(len); + len_len = der_length_len(len); e = der_put_length (p + len_len - 1, len_len, len, &foo); if(e || foo != len_len) abort (); @@ -105,7 +107,7 @@ _gssapi_encapsulate( ) { size_t len, outer_len; - u_char *p; + void *p; _gssapi_encap_length (in_data->length, &len, &outer_len, mech); @@ -127,18 +129,18 @@ _gssapi_encapsulate( */ OM_uint32 -gssapi_krb5_encapsulate( +_gsskrb5_encapsulate( OM_uint32 *minor_status, const krb5_data *in_data, gss_buffer_t output_token, - const u_char *type, + const void *type, const gss_OID mech ) { size_t len, outer_len; u_char *p; - gssapi_krb5_encap_length (in_data->length, &len, &outer_len, mech); + _gsskrb5_encap_length (in_data->length, &len, &outer_len, mech); output_token->length = outer_len; output_token->value = malloc (outer_len); @@ -147,7 +149,7 @@ gssapi_krb5_encapsulate( return GSS_S_FAILURE; } - p = gssapi_krb5_make_header (output_token->value, len, type, mech); + p = _gsskrb5_make_header (output_token->value, len, type, mech); memcpy (p, in_data->data, in_data->length); return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/krb5/export_name.c b/source4/heimdal/lib/gssapi/krb5/export_name.c new file mode 100644 index 0000000000..d00c458898 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/export_name.c @@ -0,0 +1,93 @@ +/* + * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: export_name.c,v 1.8 2006/10/07 22:14:40 lha Exp $"); + +OM_uint32 _gsskrb5_export_name + (OM_uint32 * minor_status, + const gss_name_t input_name, + gss_buffer_t exported_name + ) +{ + krb5_const_principal princ = (krb5_const_principal)input_name; + krb5_error_code kret; + char *buf, *name; + size_t len; + + GSSAPI_KRB5_INIT (); + kret = krb5_unparse_name (_gsskrb5_context, princ, &name); + if (kret) { + *minor_status = kret; + _gsskrb5_set_error_string (); + return GSS_S_FAILURE; + } + len = strlen (name); + + exported_name->length = 10 + len + GSS_KRB5_MECHANISM->length; + exported_name->value = malloc(exported_name->length); + if (exported_name->value == NULL) { + free (name); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */ + + buf = exported_name->value; + memcpy(buf, "\x04\x01", 2); + buf += 2; + buf[0] = ((GSS_KRB5_MECHANISM->length + 2) >> 8) & 0xff; + buf[1] = (GSS_KRB5_MECHANISM->length + 2) & 0xff; + buf+= 2; + buf[0] = 0x06; + buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF; + buf+= 2; + + memcpy(buf, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length); + buf += GSS_KRB5_MECHANISM->length; + + buf[0] = (len >> 24) & 0xff; + buf[1] = (len >> 16) & 0xff; + buf[2] = (len >> 8) & 0xff; + buf[3] = (len) & 0xff; + buf += 4; + + memcpy (buf, name, len); + + free (name); + + *minor_status = 0; + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/krb5/export_sec_context.c b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c new file mode 100644 index 0000000000..aff03a0b67 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c @@ -0,0 +1,239 @@ +/* + * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: export_sec_context.c,v 1.11 2006/10/07 22:14:42 lha Exp $"); + +OM_uint32 +_gsskrb5_export_sec_context ( + OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + gss_buffer_t interprocess_token + ) +{ + const gsskrb5_ctx ctx = (const gsskrb5_ctx) *context_handle; + krb5_storage *sp; + krb5_auth_context ac; + OM_uint32 ret = GSS_S_COMPLETE; + krb5_data data; + gss_buffer_desc buffer; + int flags; + OM_uint32 minor; + krb5_error_code kret; + + GSSAPI_KRB5_INIT (); + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + if (!(ctx->flags & GSS_C_TRANS_FLAG)) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + *minor_status = 0; + return GSS_S_UNAVAILABLE; + } + + sp = krb5_storage_emem (); + if (sp == NULL) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + ac = ctx->auth_context; + + /* flagging included fields */ + + flags = 0; + if (ac->local_address) + flags |= SC_LOCAL_ADDRESS; + if (ac->remote_address) + flags |= SC_REMOTE_ADDRESS; + if (ac->keyblock) + flags |= SC_KEYBLOCK; + if (ac->local_subkey) + flags |= SC_LOCAL_SUBKEY; + if (ac->remote_subkey) + flags |= SC_REMOTE_SUBKEY; + + kret = krb5_store_int32 (sp, flags); + if (kret) { + *minor_status = kret; + goto failure; + } + + /* marshall auth context */ + + kret = krb5_store_int32 (sp, ac->flags); + if (kret) { + *minor_status = kret; + goto failure; + } + if (ac->local_address) { + kret = krb5_store_address (sp, *ac->local_address); + if (kret) { + *minor_status = kret; + goto failure; + } + } + if (ac->remote_address) { + kret = krb5_store_address (sp, *ac->remote_address); + if (kret) { + *minor_status = kret; + goto failure; + } + } + kret = krb5_store_int16 (sp, ac->local_port); + if (kret) { + *minor_status = kret; + goto failure; + } + kret = krb5_store_int16 (sp, ac->remote_port); + if (kret) { + *minor_status = kret; + goto failure; + } + if (ac->keyblock) { + kret = krb5_store_keyblock (sp, *ac->keyblock); + if (kret) { + *minor_status = kret; + goto failure; + } + } + if (ac->local_subkey) { + kret = krb5_store_keyblock (sp, *ac->local_subkey); + if (kret) { + *minor_status = kret; + goto failure; + } + } + if (ac->remote_subkey) { + kret = krb5_store_keyblock (sp, *ac->remote_subkey); + if (kret) { + *minor_status = kret; + goto failure; + } + } + kret = krb5_store_int32 (sp, ac->local_seqnumber); + if (kret) { + *minor_status = kret; + goto failure; + } + kret = krb5_store_int32 (sp, ac->remote_seqnumber); + if (kret) { + *minor_status = kret; + goto failure; + } + + kret = krb5_store_int32 (sp, ac->keytype); + if (kret) { + *minor_status = kret; + goto failure; + } + kret = krb5_store_int32 (sp, ac->cksumtype); + if (kret) { + *minor_status = kret; + goto failure; + } + + /* names */ + + ret = _gsskrb5_export_name (minor_status, + (gss_name_t)ctx->source, &buffer); + if (ret) + goto failure; + data.data = buffer.value; + data.length = buffer.length; + kret = krb5_store_data (sp, data); + _gsskrb5_release_buffer (&minor, &buffer); + if (kret) { + *minor_status = kret; + goto failure; + } + + ret = _gsskrb5_export_name (minor_status, + (gss_name_t)ctx->target, &buffer); + if (ret) + goto failure; + data.data = buffer.value; + data.length = buffer.length; + + ret = GSS_S_FAILURE; + + kret = krb5_store_data (sp, data); + _gsskrb5_release_buffer (&minor, &buffer); + if (kret) { + *minor_status = kret; + goto failure; + } + + kret = krb5_store_int32 (sp, ctx->flags); + if (kret) { + *minor_status = kret; + goto failure; + } + kret = krb5_store_int32 (sp, ctx->more_flags); + if (kret) { + *minor_status = kret; + goto failure; + } + kret = krb5_store_int32 (sp, ctx->lifetime); + if (kret) { + *minor_status = kret; + goto failure; + } + kret = _gssapi_msg_order_export(sp, ctx->order); + if (kret ) { + *minor_status = kret; + goto failure; + } + + kret = krb5_storage_to_data (sp, &data); + krb5_storage_free (sp); + if (kret) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + *minor_status = kret; + return GSS_S_FAILURE; + } + interprocess_token->length = data.length; + interprocess_token->value = data.data; + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + ret = _gsskrb5_delete_sec_context (minor_status, context_handle, + GSS_C_NO_BUFFER); + if (ret != GSS_S_COMPLETE) + _gsskrb5_release_buffer (NULL, interprocess_token); + *minor_status = 0; + return ret; + failure: + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + krb5_storage_free (sp); + return ret; +} diff --git a/source4/heimdal/lib/gssapi/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index f8c1d23f98..7419bc2fe8 100644 --- a/source4/heimdal/lib/gssapi/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -31,9 +31,10 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" +#include <gssapi_mech.h> -RCSID("$Id: external.c,v 1.7 2005/08/23 11:59:47 lha Exp $"); +RCSID("$Id: external.c,v 1.18 2006/10/20 21:50:24 lha Exp $"); /* * The implementation must reserve static storage for a @@ -226,18 +227,6 @@ static gss_OID_desc gss_krb5_mechanism_oid_desc = gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; /* - * RFC2478, SPNEGO: - * The security mechanism of the initial - * negotiation token is identified by the Object Identifier - * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). - */ - -static gss_OID_desc gss_spnego_mechanism_oid_desc = -{6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02")}; - -gss_OID GSS_SPNEGO_MECHANISM = &gss_spnego_mechanism_oid_desc; - -/* * draft-ietf-cat-iakerb-09, IAKERB: * The mechanism ID for IAKERB proxy GSS-API Kerberos, in accordance * with the mechanism proposed by SPNEGO [7] for negotiating protocol @@ -261,7 +250,159 @@ static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc = gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc; /* + * + */ + +static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc = +{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}; + +gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc; + +/* + * 1.2.752.43.13 Heimdal GSS-API Extentions + */ + +/* 1.2.752.43.13.1 */ +static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")}; + +gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc; + +/* 1.2.752.43.13.2 */ +static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")}; + +gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc; + +/* 1.2.752.43.13.3 */ +static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")}; + +gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; + +/* 1.2.752.43.13.4 */ +static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")}; + +gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc; + +/* 1.2.752.43.13.5 */ +static gss_OID_desc gss_krb5_register_acceptor_identity_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")}; + +gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = &gss_krb5_register_acceptor_identity_x_desc; + +/* 1.2.752.43.13.6 */ +static gss_OID_desc gss_krb5_export_lucid_context_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")}; + +gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X = &gss_krb5_export_lucid_context_x_desc; + +/* 1.2.752.43.13.6.1 */ +static gss_OID_desc gss_krb5_export_lucid_context_v1_x_desc = +{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")}; + +gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = &gss_krb5_export_lucid_context_v1_x_desc; + +/* 1.2.752.43.13.7 */ +static gss_OID_desc gss_krb5_set_dns_canonicalize_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")}; + +gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X = &gss_krb5_set_dns_canonicalize_x_desc; + +/* 1.2.752.43.13.8 */ +static gss_OID_desc gss_krb5_get_subkey_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")}; + +gss_OID GSS_KRB5_GET_SUBKEY_X = &gss_krb5_get_subkey_x_desc; + +/* 1.2.752.43.13.9 */ +static gss_OID_desc gss_krb5_get_initiator_subkey_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")}; + +gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X = &gss_krb5_get_initiator_subkey_x_desc; + +/* 1.2.752.43.13.10 */ +static gss_OID_desc gss_krb5_get_acceptor_subkey_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")}; + +gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = &gss_krb5_get_acceptor_subkey_x_desc; + +/* 1.2.752.43.13.11 */ +static gss_OID_desc gss_krb5_send_to_kdc_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")}; + +gss_OID GSS_KRB5_SEND_TO_KDC_X = &gss_krb5_send_to_kdc_x_desc; + +/* 1.2.752.43.13.12 */ +static gss_OID_desc gss_krb5_get_authtime_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")}; + +gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc; + +/* 1.2.752.43.13.14 */ +static gss_OID_desc gss_krb5_get_service_keyblock_x_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")}; + +gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc; + +/* 1.2.752.43.14.1 */ +static gss_OID_desc gss_sasl_digest_md5_mechanism_desc = +{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; + +gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc; + +/* * Context for krb5 calls. */ -krb5_context gssapi_krb5_context; +krb5_context _gsskrb5_context; + +/* + * + */ + +static gssapi_mech_interface_desc krb5_mech = { + GMI_VERSION, + "kerberos 5", + {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }, + _gsskrb5_acquire_cred, + _gsskrb5_release_cred, + _gsskrb5_init_sec_context, + _gsskrb5_accept_sec_context, + _gsskrb5_process_context_token, + _gsskrb5_delete_sec_context, + _gsskrb5_context_time, + _gsskrb5_get_mic, + _gsskrb5_verify_mic, + _gsskrb5_wrap, + _gsskrb5_unwrap, + _gsskrb5_display_status, + _gsskrb5_indicate_mechs, + _gsskrb5_compare_name, + _gsskrb5_display_name, + _gsskrb5_import_name, + _gsskrb5_export_name, + _gsskrb5_release_name, + _gsskrb5_inquire_cred, + _gsskrb5_inquire_context, + _gsskrb5_wrap_size_limit, + _gsskrb5_add_cred, + _gsskrb5_inquire_cred_by_mech, + _gsskrb5_export_sec_context, + _gsskrb5_import_sec_context, + _gsskrb5_inquire_names_for_mech, + _gsskrb5_inquire_mechs_for_name, + _gsskrb5_canonicalize_name, + _gsskrb5_duplicate_name, + _gsskrb5_inquire_sec_context_by_oid, + _gsskrb5_inquire_cred_by_oid, + _gsskrb5_set_sec_context_option, + _gsskrb5_set_cred_option +}; + +gssapi_mech_interface +__gss_krb5_initialize(void) +{ + return &krb5_mech; +} diff --git a/source4/heimdal/lib/gssapi/get_mic.c b/source4/heimdal/lib/gssapi/krb5/get_mic.c index 76f69cf41c..5a078d634d 100644 --- a/source4/heimdal/lib/gssapi/get_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/get_mic.c @@ -31,14 +31,14 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: get_mic.c,v 1.31 2006/05/08 09:55:37 lha Exp $"); +RCSID("$Id: get_mic.c,v 1.34 2006/10/18 15:59:23 lha Exp $"); static OM_uint32 mic_des (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx ctx, gss_qop_t qop_req, const gss_buffer_t message_buffer, gss_buffer_t message_token, @@ -54,7 +54,7 @@ mic_des int32_t seq_number; size_t len, total_len; - gssapi_krb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); message_token->length = total_len; message_token->value = malloc (total_len); @@ -64,7 +64,7 @@ mic_des return GSS_S_FAILURE; } - p = gssapi_krb5_make_header(message_token->value, + p = _gsskrb5_make_header(message_token->value, len, "\x01\x01", /* TOK_ID */ GSS_KRB5_MECHANISM); @@ -92,10 +92,10 @@ mic_des &schedule, &zero); memcpy (p - 8, hash, 8); /* SGN_CKSUM */ - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); p -= 16; /* SND_SEQ */ @@ -104,17 +104,17 @@ mic_des p[2] = (seq_number >> 16) & 0xFF; p[3] = (seq_number >> 24) & 0xFF; memset (p + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, + (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); DES_set_key (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); memset (deskey, 0, sizeof(deskey)); memset (&schedule, 0, sizeof(schedule)); @@ -126,7 +126,7 @@ mic_des static OM_uint32 mic_des3 (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx ctx, gss_qop_t qop_req, const gss_buffer_t message_buffer, gss_buffer_t message_token, @@ -146,7 +146,7 @@ mic_des3 char *tmp; char ivec[8]; - gssapi_krb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM); message_token->length = total_len; message_token->value = malloc (total_len); @@ -156,7 +156,7 @@ mic_des3 return GSS_S_FAILURE; } - p = gssapi_krb5_make_header(message_token->value, + p = _gsskrb5_make_header(message_token->value, len, "\x01\x01", /* TOK-ID */ GSS_KRB5_MECHANISM); @@ -180,18 +180,18 @@ mic_des3 memcpy (tmp, p - 8, 8); memcpy (tmp + 8, message_buffer->value, message_buffer->length); - kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + kret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (kret) { free (message_token->value); message_token->value = NULL; message_token->length = 0; free (tmp); - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } - kret = krb5_create_checksum (gssapi_krb5_context, + kret = krb5_create_checksum (_gsskrb5_context, crypto, KRB5_KU_USAGE_SIGN, 0, @@ -199,22 +199,22 @@ mic_des3 message_buffer->length + 8, &cksum); free (tmp); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (kret) { free (message_token->value); message_token->value = NULL; message_token->length = 0; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); seq[0] = (seq_number >> 0) & 0xFF; @@ -222,35 +222,35 @@ mic_des3 seq[2] = (seq_number >> 16) & 0xFF; seq[3] = (seq_number >> 24) & 0xFF; memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, + (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - kret = krb5_crypto_init(gssapi_krb5_context, key, + kret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (kret) { free (message_token->value); message_token->value = NULL; message_token->length = 0; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } - if (context_handle->more_flags & COMPAT_OLD_DES3) + if (ctx->more_flags & COMPAT_OLD_DES3) memset(ivec, 0, 8); else memcpy(ivec, p + 8, 8); - kret = krb5_encrypt_ivec (gssapi_krb5_context, + kret = krb5_encrypt_ivec (_gsskrb5_context, crypto, KRB5_KU_USAGE_SEQ, seq, 8, &encdata, ivec); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (kret) { free (message_token->value); message_token->value = NULL; message_token->length = 0; - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = kret; return GSS_S_FAILURE; } @@ -260,17 +260,17 @@ mic_des3 memcpy (p, encdata.data, encdata.length); krb5_data_free (&encdata); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); free_Checksum (&cksum); *minor_status = 0; return GSS_S_COMPLETE; } -OM_uint32 gss_get_mic +OM_uint32 _gsskrb5_get_mic (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, gss_qop_t qop_req, @@ -278,37 +278,40 @@ OM_uint32 gss_get_mic gss_buffer_t message_token ) { + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; krb5_keyblock *key; OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_get_subkey(context_handle, &key); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(ctx, &key); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : - ret = mic_des (minor_status, context_handle, qop_req, + ret = mic_des (minor_status, ctx, qop_req, message_buffer, message_token, key); break; case KEYTYPE_DES3 : - ret = mic_des3 (minor_status, context_handle, qop_req, + ret = mic_des3 (minor_status, ctx, qop_req, message_buffer, message_token, key); break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: - ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req, + ret = _gssapi_get_mic_arcfour (minor_status, ctx, qop_req, message_buffer, message_token, key); break; default : - ret = _gssapi_mic_cfx (minor_status, context_handle, qop_req, + ret = _gssapi_mic_cfx (minor_status, ctx, qop_req, message_buffer, message_token, key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); return ret; } diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5-private.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5-private.h new file mode 100644 index 0000000000..426c0ab200 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5-private.h @@ -0,0 +1,705 @@ +/* This is a generated file */ +#ifndef __gsskrb5_private_h__ +#define __gsskrb5_private_h__ + +#include <stdarg.h> + +gssapi_mech_interface +__gss_krb5_initialize (void); + +OM_uint32 +__gsskrb5_ccache_lifetime ( + OM_uint32 */*minor_status*/, + krb5_ccache /*id*/, + krb5_principal /*principal*/, + OM_uint32 */*lifetime*/); + +OM_uint32 +_gss_DES3_get_mic_compat ( + OM_uint32 */*minor_status*/, + gsskrb5_ctx /*ctx*/); + +OM_uint32 +_gssapi_decapsulate ( + OM_uint32 */*minor_status*/, + gss_buffer_t /*input_token_buffer*/, + krb5_data */*out_data*/, + const gss_OID mech ); + +void +_gssapi_encap_length ( + size_t /*data_len*/, + size_t */*len*/, + size_t */*total_len*/, + const gss_OID /*mech*/); + +OM_uint32 +_gssapi_encapsulate ( + OM_uint32 */*minor_status*/, + const krb5_data */*in_data*/, + gss_buffer_t /*output_token*/, + const gss_OID mech ); + +OM_uint32 +_gssapi_get_mic_arcfour ( + OM_uint32 * /*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*message_buffer*/, + gss_buffer_t /*message_token*/, + krb5_keyblock */*key*/); + +void * +_gssapi_make_mech_header ( + void */*ptr*/, + size_t /*len*/, + const gss_OID /*mech*/); + +OM_uint32 +_gssapi_mic_cfx ( + OM_uint32 */*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*message_buffer*/, + gss_buffer_t /*message_token*/, + krb5_keyblock */*key*/); + +OM_uint32 +_gssapi_msg_order_check ( + struct gss_msg_order */*o*/, + OM_uint32 /*seq_num*/); + +OM_uint32 +_gssapi_msg_order_create ( + OM_uint32 */*minor_status*/, + struct gss_msg_order **/*o*/, + OM_uint32 /*flags*/, + OM_uint32 /*seq_num*/, + OM_uint32 /*jitter_window*/, + int /*use_64*/); + +OM_uint32 +_gssapi_msg_order_destroy (struct gss_msg_order **/*m*/); + +krb5_error_code +_gssapi_msg_order_export ( + krb5_storage */*sp*/, + struct gss_msg_order */*o*/); + +OM_uint32 +_gssapi_msg_order_f (OM_uint32 /*flags*/); + +OM_uint32 +_gssapi_msg_order_import ( + OM_uint32 */*minor_status*/, + krb5_storage */*sp*/, + struct gss_msg_order **/*o*/); + +OM_uint32 +_gssapi_unwrap_arcfour ( + OM_uint32 */*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + const gss_buffer_t /*input_message_buffer*/, + gss_buffer_t /*output_message_buffer*/, + int */*conf_state*/, + gss_qop_t */*qop_state*/, + krb5_keyblock */*key*/); + +OM_uint32 +_gssapi_unwrap_cfx ( + OM_uint32 */*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + const gss_buffer_t /*input_message_buffer*/, + gss_buffer_t /*output_message_buffer*/, + int */*conf_state*/, + gss_qop_t */*qop_state*/, + krb5_keyblock */*key*/); + +OM_uint32 +_gssapi_verify_mech_header ( + u_char **/*str*/, + size_t /*total_len*/, + gss_OID /*mech*/); + +OM_uint32 +_gssapi_verify_mic_arcfour ( + OM_uint32 * /*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + const gss_buffer_t /*message_buffer*/, + const gss_buffer_t /*token_buffer*/, + gss_qop_t * /*qop_state*/, + krb5_keyblock */*key*/, + char */*type*/); + +OM_uint32 +_gssapi_verify_mic_cfx ( + OM_uint32 */*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + const gss_buffer_t /*message_buffer*/, + const gss_buffer_t /*token_buffer*/, + gss_qop_t */*qop_state*/, + krb5_keyblock */*key*/); + +OM_uint32 +_gssapi_verify_pad ( + gss_buffer_t /*wrapped_token*/, + size_t /*datalen*/, + size_t */*padlen*/); + +OM_uint32 +_gssapi_wrap_arcfour ( + OM_uint32 * /*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*input_message_buffer*/, + int * /*conf_state*/, + gss_buffer_t /*output_message_buffer*/, + krb5_keyblock */*key*/); + +OM_uint32 +_gssapi_wrap_cfx ( + OM_uint32 */*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*input_message_buffer*/, + int */*conf_state*/, + gss_buffer_t /*output_message_buffer*/, + krb5_keyblock */*key*/); + +OM_uint32 +_gssapi_wrap_size_arcfour ( + OM_uint32 */*minor_status*/, + const gsskrb5_ctx /*ctx*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + OM_uint32 /*req_output_size*/, + OM_uint32 */*max_input_size*/, + krb5_keyblock */*key*/); + +OM_uint32 +_gssapi_wrap_size_cfx ( + OM_uint32 */*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + OM_uint32 /*req_output_size*/, + OM_uint32 */*max_input_size*/, + krb5_keyblock */*key*/); + +OM_uint32 +_gsskrb5_accept_sec_context ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + const gss_cred_id_t /*acceptor_cred_handle*/, + const gss_buffer_t /*input_token_buffer*/, + const gss_channel_bindings_t /*input_chan_bindings*/, + gss_name_t * /*src_name*/, + gss_OID * /*mech_type*/, + gss_buffer_t /*output_token*/, + OM_uint32 * /*ret_flags*/, + OM_uint32 * /*time_rec*/, + gss_cred_id_t * /*delegated_cred_handle*/); + +OM_uint32 +_gsskrb5_acquire_cred ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*desired_name*/, + OM_uint32 /*time_req*/, + const gss_OID_set /*desired_mechs*/, + gss_cred_usage_t /*cred_usage*/, + gss_cred_id_t * /*output_cred_handle*/, + gss_OID_set * /*actual_mechs*/, + OM_uint32 * time_rec ); + +OM_uint32 +_gsskrb5_add_cred ( + OM_uint32 */*minor_status*/, + const gss_cred_id_t /*input_cred_handle*/, + const gss_name_t /*desired_name*/, + const gss_OID /*desired_mech*/, + gss_cred_usage_t /*cred_usage*/, + OM_uint32 /*initiator_time_req*/, + OM_uint32 /*acceptor_time_req*/, + gss_cred_id_t */*output_cred_handle*/, + gss_OID_set */*actual_mechs*/, + OM_uint32 */*initiator_time_rec*/, + OM_uint32 */*acceptor_time_rec*/); + +OM_uint32 +_gsskrb5_add_oid_set_member ( + OM_uint32 * /*minor_status*/, + const gss_OID /*member_oid*/, + gss_OID_set * oid_set ); + +OM_uint32 +_gsskrb5_canonicalize_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + const gss_OID /*mech_type*/, + gss_name_t * output_name ); + +void +_gsskrb5_clear_status (void); + +OM_uint32 +_gsskrb5_compare_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*name1*/, + const gss_name_t /*name2*/, + int * name_equal ); + +OM_uint32 +_gsskrb5_context_time ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + OM_uint32 * time_rec ); + +OM_uint32 +_gsskrb5_create_8003_checksum ( + OM_uint32 */*minor_status*/, + const gss_channel_bindings_t /*input_chan_bindings*/, + OM_uint32 /*flags*/, + const krb5_data */*fwd_data*/, + Checksum */*result*/); + +OM_uint32 +_gsskrb5_create_ctx ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + const gss_channel_bindings_t /*input_chan_bindings*/, + enum gss_ctx_id_t_state /*state*/); + +OM_uint32 +_gsskrb5_create_empty_oid_set ( + OM_uint32 * /*minor_status*/, + gss_OID_set * oid_set ); + +OM_uint32 +_gsskrb5_decapsulate ( + OM_uint32 */*minor_status*/, + gss_buffer_t /*input_token_buffer*/, + krb5_data */*out_data*/, + const void */*type*/, + gss_OID /*oid*/); + +krb5_error_code +_gsskrb5_decode_be_om_uint32 ( + const void */*ptr*/, + OM_uint32 */*n*/); + +krb5_error_code +_gsskrb5_decode_om_uint32 ( + const void */*ptr*/, + OM_uint32 */*n*/); + +OM_uint32 +_gsskrb5_delete_sec_context ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + gss_buffer_t /*output_token*/); + +OM_uint32 +_gsskrb5_display_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + gss_buffer_t /*output_name_buffer*/, + gss_OID * output_name_type ); + +OM_uint32 +_gsskrb5_display_status ( + OM_uint32 */*minor_status*/, + OM_uint32 /*status_value*/, + int /*status_type*/, + const gss_OID /*mech_type*/, + OM_uint32 */*message_context*/, + gss_buffer_t /*status_string*/); + +OM_uint32 +_gsskrb5_duplicate_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*src_name*/, + gss_name_t * dest_name ); + +void +_gsskrb5_encap_length ( + size_t /*data_len*/, + size_t */*len*/, + size_t */*total_len*/, + const gss_OID /*mech*/); + +OM_uint32 +_gsskrb5_encapsulate ( + OM_uint32 */*minor_status*/, + const krb5_data */*in_data*/, + gss_buffer_t /*output_token*/, + const void */*type*/, + const gss_OID mech ); + +krb5_error_code +_gsskrb5_encode_be_om_uint32 ( + OM_uint32 /*n*/, + u_char */*p*/); + +krb5_error_code +_gsskrb5_encode_om_uint32 ( + OM_uint32 /*n*/, + u_char */*p*/); + +OM_uint32 +_gsskrb5_export_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + gss_buffer_t exported_name ); + +OM_uint32 +_gsskrb5_export_sec_context ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + gss_buffer_t interprocess_token ); + +char * +_gsskrb5_get_error_string (void); + +ssize_t +_gsskrb5_get_mech ( + const u_char */*ptr*/, + size_t /*total_len*/, + const u_char **/*mech_ret*/); + +OM_uint32 +_gsskrb5_get_mic ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*message_buffer*/, + gss_buffer_t message_token ); + +struct gssapi_thr_context * +_gsskrb5_get_thread_context (int /*createp*/); + +OM_uint32 +_gsskrb5_get_tkt_flags ( + OM_uint32 */*minor_status*/, + gsskrb5_ctx /*ctx*/, + OM_uint32 */*tkt_flags*/); + +OM_uint32 +_gsskrb5_import_cred ( + OM_uint32 */*minor_status*/, + krb5_ccache /*id*/, + krb5_principal /*keytab_principal*/, + krb5_keytab /*keytab*/, + gss_cred_id_t */*cred*/); + +OM_uint32 +_gsskrb5_import_name ( + OM_uint32 * /*minor_status*/, + const gss_buffer_t /*input_name_buffer*/, + const gss_OID /*input_name_type*/, + gss_name_t * output_name ); + +OM_uint32 +_gsskrb5_import_sec_context ( + OM_uint32 * /*minor_status*/, + const gss_buffer_t /*interprocess_token*/, + gss_ctx_id_t * context_handle ); + +OM_uint32 +_gsskrb5_indicate_mechs ( + OM_uint32 * /*minor_status*/, + gss_OID_set * mech_set ); + +krb5_error_code +_gsskrb5_init (void); + +OM_uint32 +_gsskrb5_init_sec_context ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*initiator_cred_handle*/, + gss_ctx_id_t * /*context_handle*/, + const gss_name_t /*target_name*/, + const gss_OID /*mech_type*/, + OM_uint32 /*req_flags*/, + OM_uint32 /*time_req*/, + const gss_channel_bindings_t /*input_chan_bindings*/, + const gss_buffer_t /*input_token*/, + gss_OID * /*actual_mech_type*/, + gss_buffer_t /*output_token*/, + OM_uint32 * /*ret_flags*/, + OM_uint32 * time_rec ); + +OM_uint32 +_gsskrb5_inquire_context ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + gss_name_t * /*src_name*/, + gss_name_t * /*targ_name*/, + OM_uint32 * /*lifetime_rec*/, + gss_OID * /*mech_type*/, + OM_uint32 * /*ctx_flags*/, + int * /*locally_initiated*/, + int * open_context ); + +OM_uint32 +_gsskrb5_inquire_cred ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*cred_handle*/, + gss_name_t * /*output_name*/, + OM_uint32 * /*lifetime*/, + gss_cred_usage_t * /*cred_usage*/, + gss_OID_set * mechanisms ); + +OM_uint32 +_gsskrb5_inquire_cred_by_mech ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*cred_handle*/, + const gss_OID /*mech_type*/, + gss_name_t * /*name*/, + OM_uint32 * /*initiator_lifetime*/, + OM_uint32 * /*acceptor_lifetime*/, + gss_cred_usage_t * cred_usage ); + +OM_uint32 +_gsskrb5_inquire_cred_by_oid ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*cred_handle*/, + const gss_OID /*desired_object*/, + gss_buffer_set_t */*data_set*/); + +OM_uint32 +_gsskrb5_inquire_mechs_for_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + gss_OID_set * mech_types ); + +OM_uint32 +_gsskrb5_inquire_names_for_mech ( + OM_uint32 * /*minor_status*/, + const gss_OID /*mechanism*/, + gss_OID_set * name_types ); + +OM_uint32 +_gsskrb5_inquire_sec_context_by_oid ( + OM_uint32 */*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_OID /*desired_object*/, + gss_buffer_set_t */*data_set*/); + +OM_uint32 +_gsskrb5_krb5_ccache_name ( + OM_uint32 */*minor_status*/, + const char */*name*/, + const char **/*out_name*/); + +OM_uint32 +_gsskrb5_lifetime_left ( + OM_uint32 */*minor_status*/, + OM_uint32 /*lifetime*/, + OM_uint32 */*lifetime_rec*/); + +void * +_gsskrb5_make_header ( + void */*ptr*/, + size_t /*len*/, + const void */*type*/, + const gss_OID /*mech*/); + +OM_uint32 +_gsskrb5_process_context_token ( + OM_uint32 */*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_buffer_t token_buffer ); + +OM_uint32 +_gsskrb5_register_acceptor_identity (const char */*identity*/); + +OM_uint32 +_gsskrb5_release_buffer ( + OM_uint32 * /*minor_status*/, + gss_buffer_t buffer ); + +OM_uint32 +_gsskrb5_release_cred ( + OM_uint32 * /*minor_status*/, + gss_cred_id_t * cred_handle ); + +OM_uint32 +_gsskrb5_release_name ( + OM_uint32 * /*minor_status*/, + gss_name_t * input_name ); + +OM_uint32 +_gsskrb5_release_oid_set ( + OM_uint32 * /*minor_status*/, + gss_OID_set * set ); + +OM_uint32 +_gsskrb5_seal ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + int /*qop_req*/, + gss_buffer_t /*input_message_buffer*/, + int * /*conf_state*/, + gss_buffer_t output_message_buffer ); + +OM_uint32 +_gsskrb5_set_cred_option ( + OM_uint32 */*minor_status*/, + gss_cred_id_t */*cred_handle*/, + const gss_OID /*desired_object*/, + const gss_buffer_t /*value*/); + +void +_gsskrb5_set_error_string (void); + +OM_uint32 +_gsskrb5_set_sec_context_option ( + OM_uint32 */*minor_status*/, + gss_ctx_id_t */*context_handle*/, + const gss_OID /*desired_object*/, + const gss_buffer_t /*value*/); + +void +_gsskrb5_set_status ( + const char */*fmt*/, + ...); + +OM_uint32 +_gsskrb5_sign ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + int /*qop_req*/, + gss_buffer_t /*message_buffer*/, + gss_buffer_t message_token ); + +OM_uint32 +_gsskrb5_test_oid_set_member ( + OM_uint32 * /*minor_status*/, + const gss_OID /*member*/, + const gss_OID_set /*set*/, + int * present ); + +OM_uint32 +_gsskrb5_unseal ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + gss_buffer_t /*input_message_buffer*/, + gss_buffer_t /*output_message_buffer*/, + int * /*conf_state*/, + int * qop_state ); + +OM_uint32 +_gsskrb5_unwrap ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_buffer_t /*input_message_buffer*/, + gss_buffer_t /*output_message_buffer*/, + int * /*conf_state*/, + gss_qop_t * qop_state ); + +OM_uint32 +_gsskrb5_verify ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + gss_buffer_t /*message_buffer*/, + gss_buffer_t /*token_buffer*/, + int * qop_state ); + +OM_uint32 +_gsskrb5_verify_8003_checksum ( + OM_uint32 */*minor_status*/, + const gss_channel_bindings_t /*input_chan_bindings*/, + const Checksum */*cksum*/, + OM_uint32 */*flags*/, + krb5_data */*fwd_data*/); + +OM_uint32 +_gsskrb5_verify_header ( + u_char **/*str*/, + size_t /*total_len*/, + const void */*type*/, + gss_OID /*oid*/); + +OM_uint32 +_gsskrb5_verify_mic ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_buffer_t /*message_buffer*/, + const gss_buffer_t /*token_buffer*/, + gss_qop_t * qop_state ); + +OM_uint32 +_gsskrb5_verify_mic_internal ( + OM_uint32 * /*minor_status*/, + const gsskrb5_ctx /*context_handle*/, + const gss_buffer_t /*message_buffer*/, + const gss_buffer_t /*token_buffer*/, + gss_qop_t * /*qop_state*/, + char * type ); + +OM_uint32 +_gsskrb5_wrap ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*input_message_buffer*/, + int * /*conf_state*/, + gss_buffer_t output_message_buffer ); + +OM_uint32 +_gsskrb5_wrap_size_limit ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + OM_uint32 /*req_output_size*/, + OM_uint32 * max_input_size ); + +krb5_error_code +_gsskrb5cfx_max_wrap_length_cfx ( + krb5_crypto /*crypto*/, + int /*conf_req_flag*/, + size_t /*input_length*/, + OM_uint32 */*output_length*/); + +krb5_error_code +_gsskrb5cfx_wrap_length_cfx ( + krb5_crypto /*crypto*/, + int /*conf_req_flag*/, + size_t /*input_length*/, + size_t */*output_length*/, + size_t */*cksumsize*/, + uint16_t */*padlength*/); + +krb5_error_code +_gsskrb5i_address_to_krb5addr ( + OM_uint32 /*gss_addr_type*/, + gss_buffer_desc */*gss_addr*/, + int16_t /*port*/, + krb5_address */*address*/); + +krb5_error_code +_gsskrb5i_get_acceptor_subkey ( + const gsskrb5_ctx /*ctx*/, + krb5_keyblock **/*key*/); + +krb5_error_code +_gsskrb5i_get_initiator_subkey ( + const gsskrb5_ctx /*ctx*/, + krb5_keyblock **/*key*/); + +OM_uint32 +_gsskrb5i_get_token_key ( + const gsskrb5_ctx /*ctx*/, + krb5_keyblock **/*key*/); + +void +_gsskrb5i_is_cfx ( + gsskrb5_ctx /*ctx*/, + int */*is_cfx*/); + +#endif /* __gsskrb5_private_h__ */ diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h new file mode 100644 index 0000000000..4d814032c3 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h @@ -0,0 +1,133 @@ +/* + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: gsskrb5_locl.h,v 1.6 2006/10/07 22:14:49 lha Exp $ */ + +#ifndef GSSKRB5_LOCL_H +#define GSSKRB5_LOCL_H + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <krb5_locl.h> +#include <gssapi.h> +#include <gssapi_mech.h> +#include <assert.h> + +#include "cfx.h" + +/* + * + */ + +struct gss_msg_order; + +typedef struct { + struct krb5_auth_context_data *auth_context; + krb5_principal source, target; + OM_uint32 flags; + enum { LOCAL = 1, OPEN = 2, + COMPAT_OLD_DES3 = 4, + COMPAT_OLD_DES3_SELECTED = 8, + ACCEPTOR_SUBKEY = 16 + } more_flags; + enum gss_ctx_id_t_state { + /* initiator states */ + INITIATOR_START, + INITIATOR_WAIT_FOR_MUTAL, + INITIATOR_READY, + /* acceptor states */ + ACCEPTOR_START, + ACCEPTOR_WAIT_FOR_DCESTYLE, + ACCEPTOR_READY + } state; + struct krb5_ticket *ticket; + OM_uint32 lifetime; + HEIMDAL_MUTEX ctx_id_mutex; + struct gss_msg_order *order; + krb5_keyblock *service_keyblock; + krb5_data fwd_data; +} *gsskrb5_ctx; + +typedef struct { + krb5_principal principal; + int cred_flags; +#define GSS_CF_DESTROY_CRED_ON_RELEASE 1 + struct krb5_keytab_data *keytab; + OM_uint32 lifetime; + gss_cred_usage_t usage; + gss_OID_set mechanisms; + struct krb5_ccache_data *ccache; + HEIMDAL_MUTEX cred_id_mutex; +} *gsskrb5_cred; + +typedef struct Principal *gsskrb5_name; + +/* + * + */ + +extern krb5_context _gsskrb5_context; + +extern krb5_keytab _gsskrb5_keytab; +extern HEIMDAL_MUTEX gssapi_keytab_mutex; + +struct gssapi_thr_context { + HEIMDAL_MUTEX mutex; + char *error_string; +}; + +/* + * Prototypes + */ + +#include <krb5/gsskrb5-private.h> + +#define GSSAPI_KRB5_INIT() do { \ + krb5_error_code kret_gss_init; \ + if((kret_gss_init = _gsskrb5_init ()) != 0) { \ + *minor_status = kret_gss_init; \ + return GSS_S_FAILURE; \ + } \ +} while (0) + +/* sec_context flags */ + +#define SC_LOCAL_ADDRESS 0x01 +#define SC_REMOTE_ADDRESS 0x02 +#define SC_KEYBLOCK 0x04 +#define SC_LOCAL_SUBKEY 0x08 +#define SC_REMOTE_SUBKEY 0x10 + +#endif diff --git a/source4/heimdal/lib/gssapi/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c index d393aa1a51..dc24ed5cf2 100644 --- a/source4/heimdal/lib/gssapi/import_name.c +++ b/source4/heimdal/lib/gssapi/krb5/import_name.c @@ -31,30 +31,31 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: import_name.c,v 1.14 2006/02/15 11:59:10 lha Exp $"); +RCSID("$Id: import_name.c,v 1.17 2006/10/07 22:14:51 lha Exp $"); static OM_uint32 parse_krb5_name (OM_uint32 *minor_status, const char *name, gss_name_t *output_name) { + krb5_principal princ; krb5_error_code kerr; - kerr = krb5_parse_name (gssapi_krb5_context, name, output_name); + kerr = krb5_parse_name (_gsskrb5_context, name, &princ); - if (kerr == 0) + if (kerr == 0) { + *output_name = (gss_name_t)princ; return GSS_S_COMPLETE; - else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_BAD_NAME; - } else { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_FAILURE; } + _gsskrb5_set_error_string (); + *minor_status = kerr; + + if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) + return GSS_S_BAD_NAME; + + return GSS_S_FAILURE; } static OM_uint32 @@ -91,8 +92,7 @@ import_hostbased_name (OM_uint32 *minor_status, char *p; char *host; char local_hostname[MAXHOSTNAMELEN]; - - *output_name = NULL; + krb5_principal princ = NULL; tmp = malloc (input_name_buffer->length + 1); if (tmp == NULL) { @@ -117,24 +117,24 @@ import_hostbased_name (OM_uint32 *minor_status, host = local_hostname; } - kerr = krb5_sname_to_principal (gssapi_krb5_context, + kerr = krb5_sname_to_principal (_gsskrb5_context, host, tmp, KRB5_NT_SRV_HST, - output_name); + &princ); free (tmp); *minor_status = kerr; - if (kerr == 0) + if (kerr == 0) { + *output_name = (gss_name_t)princ; return GSS_S_COMPLETE; - else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) { - gssapi_krb5_set_error_string (); + } + _gsskrb5_set_error_string (); *minor_status = kerr; + + if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) return GSS_S_BAD_NAME; - } else { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_FAILURE; - } + + return GSS_S_FAILURE; } static OM_uint32 @@ -184,18 +184,7 @@ import_export_name (OM_uint32 *minor_status, return ret; } -int -gss_oid_equal(const gss_OID a, const gss_OID b) -{ - if (a == b) - return 1; - else if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length) - return 0; - else - return memcmp(a->elements, b->elements, a->length) == 0; -} - -OM_uint32 gss_import_name +OM_uint32 _gsskrb5_import_name (OM_uint32 * minor_status, const gss_buffer_t input_name_buffer, const gss_OID input_name_type, diff --git a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c new file mode 100644 index 0000000000..8131e2621d --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c @@ -0,0 +1,229 @@ +/* + * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: import_sec_context.c,v 1.17 2006/10/07 22:14:53 lha Exp $"); + +OM_uint32 +_gsskrb5_import_sec_context ( + OM_uint32 * minor_status, + const gss_buffer_t interprocess_token, + gss_ctx_id_t * context_handle + ) +{ + OM_uint32 ret = GSS_S_FAILURE; + krb5_error_code kret; + krb5_storage *sp; + krb5_auth_context ac; + krb5_address local, remote; + krb5_address *localp, *remotep; + krb5_data data; + gss_buffer_desc buffer; + krb5_keyblock keyblock; + int32_t tmp; + int32_t flags; + gsskrb5_ctx ctx; + gss_name_t name; + + GSSAPI_KRB5_INIT (); + + *context_handle = GSS_C_NO_CONTEXT; + + localp = remotep = NULL; + + sp = krb5_storage_from_mem (interprocess_token->value, + interprocess_token->length); + if (sp == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + ctx = calloc(1, sizeof(*ctx)); + if (ctx == NULL) { + *minor_status = ENOMEM; + krb5_storage_free (sp); + return GSS_S_FAILURE; + } + HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); + + kret = krb5_auth_con_init (_gsskrb5_context, + &ctx->auth_context); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + ret = GSS_S_FAILURE; + goto failure; + } + + /* flags */ + + *minor_status = 0; + + if (krb5_ret_int32 (sp, &flags) != 0) + goto failure; + + /* retrieve the auth context */ + + ac = ctx->auth_context; + if (krb5_ret_uint32 (sp, &ac->flags) != 0) + goto failure; + if (flags & SC_LOCAL_ADDRESS) { + if (krb5_ret_address (sp, localp = &local) != 0) + goto failure; + } + + if (flags & SC_REMOTE_ADDRESS) { + if (krb5_ret_address (sp, remotep = &remote) != 0) + goto failure; + } + + krb5_auth_con_setaddrs (_gsskrb5_context, ac, localp, remotep); + if (localp) + krb5_free_address (_gsskrb5_context, localp); + if (remotep) + krb5_free_address (_gsskrb5_context, remotep); + localp = remotep = NULL; + + if (krb5_ret_int16 (sp, &ac->local_port) != 0) + goto failure; + + if (krb5_ret_int16 (sp, &ac->remote_port) != 0) + goto failure; + if (flags & SC_KEYBLOCK) { + if (krb5_ret_keyblock (sp, &keyblock) != 0) + goto failure; + krb5_auth_con_setkey (_gsskrb5_context, ac, &keyblock); + krb5_free_keyblock_contents (_gsskrb5_context, &keyblock); + } + if (flags & SC_LOCAL_SUBKEY) { + if (krb5_ret_keyblock (sp, &keyblock) != 0) + goto failure; + krb5_auth_con_setlocalsubkey (_gsskrb5_context, ac, &keyblock); + krb5_free_keyblock_contents (_gsskrb5_context, &keyblock); + } + if (flags & SC_REMOTE_SUBKEY) { + if (krb5_ret_keyblock (sp, &keyblock) != 0) + goto failure; + krb5_auth_con_setremotesubkey (_gsskrb5_context, ac, &keyblock); + krb5_free_keyblock_contents (_gsskrb5_context, &keyblock); + } + if (krb5_ret_uint32 (sp, &ac->local_seqnumber)) + goto failure; + if (krb5_ret_uint32 (sp, &ac->remote_seqnumber)) + goto failure; + + if (krb5_ret_int32 (sp, &tmp) != 0) + goto failure; + ac->keytype = tmp; + if (krb5_ret_int32 (sp, &tmp) != 0) + goto failure; + ac->cksumtype = tmp; + + /* names */ + + if (krb5_ret_data (sp, &data)) + goto failure; + buffer.value = data.data; + buffer.length = data.length; + + ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, + &name); + if (ret) { + ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID, + &name); + if (ret) { + krb5_data_free (&data); + goto failure; + } + } + ctx->source = (krb5_principal)name; + krb5_data_free (&data); + + if (krb5_ret_data (sp, &data) != 0) + goto failure; + buffer.value = data.data; + buffer.length = data.length; + + ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, + &name); + if (ret) { + ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID, + &name); + if (ret) { + krb5_data_free (&data); + goto failure; + } + } + ctx->target = (krb5_principal)name; + krb5_data_free (&data); + + if (krb5_ret_int32 (sp, &tmp)) + goto failure; + ctx->flags = tmp; + if (krb5_ret_int32 (sp, &tmp)) + goto failure; + ctx->more_flags = tmp; + if (krb5_ret_int32 (sp, &tmp)) + goto failure; + ctx->lifetime = tmp; + + ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order); + if (ret) + goto failure; + + krb5_storage_free (sp); + + *context_handle = (gss_ctx_id_t)ctx; + + return GSS_S_COMPLETE; + +failure: + krb5_auth_con_free (_gsskrb5_context, + ctx->auth_context); + if (ctx->source != NULL) + krb5_free_principal(_gsskrb5_context, ctx->source); + if (ctx->target != NULL) + krb5_free_principal(_gsskrb5_context, ctx->target); + if (localp) + krb5_free_address (_gsskrb5_context, localp); + if (remotep) + krb5_free_address (_gsskrb5_context, remotep); + if(ctx->order) + _gssapi_msg_order_destroy(&ctx->order); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + krb5_storage_free (sp); + free (ctx); + *context_handle = GSS_C_NO_CONTEXT; + return ret; +} diff --git a/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c new file mode 100644 index 0000000000..3827533219 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c @@ -0,0 +1,58 @@ +/* + * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: indicate_mechs.c,v 1.9 2006/10/07 22:14:56 lha Exp $"); + +OM_uint32 _gsskrb5_indicate_mechs + (OM_uint32 * minor_status, + gss_OID_set * mech_set + ) +{ + OM_uint32 ret, junk; + + ret = _gsskrb5_create_empty_oid_set(minor_status, mech_set); + if (ret) + return ret; + + ret = _gsskrb5_add_oid_set_member(minor_status, + GSS_KRB5_MECHANISM, mech_set); + if (ret) { + _gsskrb5_release_oid_set(&junk, mech_set); + return ret; + } + + *minor_status = 0; + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/init.c b/source4/heimdal/lib/gssapi/krb5/init.c index 11d7c9bb9f..cbef8740b7 100644 --- a/source4/heimdal/lib/gssapi/init.c +++ b/source4/heimdal/lib/gssapi/krb5/init.c @@ -31,15 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: init.c,v 1.7 2003/07/22 19:50:11 lha Exp $"); +RCSID("$Id: init.c,v 1.9 2006/10/07 22:14:58 lha Exp $"); -#ifdef _SAMBA_BUILD_ -#include "auth/kerberos/krb5_init_context.h" -#endif - -static HEIMDAL_MUTEX gssapi_krb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER; +static HEIMDAL_MUTEX _gsskrb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER; static int created_key; static HEIMDAL_thread_key gssapi_context_key; @@ -58,12 +54,12 @@ gssapi_destroy_thread_context(void *ptr) struct gssapi_thr_context * -gssapi_get_thread_context(int createp) +_gsskrb5_get_thread_context(int createp) { struct gssapi_thr_context *ctx; int ret; - HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex); + HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex); if (!created_key) abort(); @@ -80,72 +76,36 @@ gssapi_get_thread_context(int createp) if (ret) goto fail; } - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); + HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex); return ctx; fail: - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); + HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex); if (ctx) free(ctx); return NULL; } -#ifdef _SAMBA_BUILD_ -/* Init krb5 with an event context. Disgusting Samba-specific hack */ - -krb5_error_code -gssapi_krb5_init_ev (void *event_context) +krb5_error_code +_gsskrb5_init (void) { - static struct smb_krb5_context *smb_krb5_context; krb5_error_code ret = 0; - HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex); + HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex); - if(smb_krb5_context == NULL) { - ret = smb_krb5_init_context(event_context, &smb_krb5_context); - } + if(_gsskrb5_context == NULL) + ret = krb5_init_context (&_gsskrb5_context); if (ret == 0 && !created_key) { HEIMDAL_key_create(&gssapi_context_key, gssapi_destroy_thread_context, ret); if (ret) { - smb_krb5_free_context(smb_krb5_context); - smb_krb5_context = NULL; + krb5_free_context(_gsskrb5_context); + _gsskrb5_context = NULL; } else created_key = 1; } - if (ret == 0) { - gssapi_krb5_context = smb_krb5_context->krb5_context; - } - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); - return ret; -} -#endif - -krb5_error_code -gssapi_krb5_init (void) -{ - krb5_error_code ret = 0; -#ifdef _SAMBA_BUILD_ - ret = gssapi_krb5_init_ev(NULL); -#else - HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex); - - if(gssapi_krb5_context == NULL) { - ret = krb5_init_context (&gssapi_krb5_context); - } - if (ret == 0 && !created_key) { - HEIMDAL_key_create(&gssapi_context_key, - gssapi_destroy_thread_context, - ret); - if (ret) { - krb5_free_context(gssapi_krb5_context); - gssapi_krb5_context = NULL; - } else - created_key = 1; - } + HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex); - HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex); -#endif return ret; } diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c new file mode 100644 index 0000000000..00f2543833 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -0,0 +1,789 @@ +/* + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: init_sec_context.c,v 1.72 2006/10/24 23:03:19 lha Exp $"); + +/* + * copy the addresses from `input_chan_bindings' (if any) to + * the auth context `ac' + */ + +static OM_uint32 +set_addresses (krb5_auth_context ac, + const gss_channel_bindings_t input_chan_bindings) +{ + /* Port numbers are expected to be in application_data.value, + * initator's port first */ + + krb5_address initiator_addr, acceptor_addr; + krb5_error_code kret; + + if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS + || input_chan_bindings->application_data.length != + 2 * sizeof(ac->local_port)) + return 0; + + memset(&initiator_addr, 0, sizeof(initiator_addr)); + memset(&acceptor_addr, 0, sizeof(acceptor_addr)); + + ac->local_port = + *(int16_t *) input_chan_bindings->application_data.value; + + ac->remote_port = + *((int16_t *) input_chan_bindings->application_data.value + 1); + + kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, + &input_chan_bindings->acceptor_address, + ac->remote_port, + &acceptor_addr); + if (kret) + return kret; + + kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->initiator_addrtype, + &input_chan_bindings->initiator_address, + ac->local_port, + &initiator_addr); + if (kret) { + krb5_free_address (_gsskrb5_context, &acceptor_addr); + return kret; + } + + kret = krb5_auth_con_setaddrs(_gsskrb5_context, + ac, + &initiator_addr, /* local address */ + &acceptor_addr); /* remote address */ + + krb5_free_address (_gsskrb5_context, &initiator_addr); + krb5_free_address (_gsskrb5_context, &acceptor_addr); + +#if 0 + free(input_chan_bindings->application_data.value); + input_chan_bindings->application_data.value = NULL; + input_chan_bindings->application_data.length = 0; +#endif + + return kret; +} + +OM_uint32 +_gsskrb5_create_ctx( + OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_channel_bindings_t input_chan_bindings, + enum gss_ctx_id_t_state state) +{ + krb5_error_code kret; + gsskrb5_ctx ctx; + + *context_handle = NULL; + + ctx = malloc(sizeof(*ctx)); + if (ctx == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + ctx->auth_context = NULL; + ctx->source = NULL; + ctx->target = NULL; + ctx->state = state; + ctx->flags = 0; + ctx->more_flags = 0; + ctx->service_keyblock = NULL; + ctx->ticket = NULL; + krb5_data_zero(&ctx->fwd_data); + ctx->lifetime = GSS_C_INDEFINITE; + ctx->order = NULL; + HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); + + kret = krb5_auth_con_init (_gsskrb5_context, &ctx->auth_context); + if (kret) { + *minor_status = kret; + _gsskrb5_set_error_string (); + + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + + return GSS_S_FAILURE; + } + + kret = set_addresses(ctx->auth_context, input_chan_bindings); + if (kret) { + *minor_status = kret; + + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + + krb5_auth_con_free(_gsskrb5_context, ctx->auth_context); + + return GSS_S_BAD_BINDINGS; + } + + /* + * We need a sequence number + */ + + krb5_auth_con_addflags(_gsskrb5_context, + ctx->auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE | + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, + NULL); + + *context_handle = (gss_ctx_id_t)ctx; + + return GSS_S_COMPLETE; +} + + +static OM_uint32 +gsskrb5_get_creds( + OM_uint32 * minor_status, + krb5_ccache ccache, + gsskrb5_ctx ctx, + krb5_const_principal target_name, + OM_uint32 time_req, + OM_uint32 * time_rec, + krb5_creds ** cred) +{ + OM_uint32 ret; + krb5_error_code kret; + krb5_creds this_cred; + OM_uint32 lifetime_rec; + + *cred = NULL; + + memset(&this_cred, 0, sizeof(this_cred)); + this_cred.client = ctx->source; + this_cred.server = ctx->target; + + if (time_req && time_req != GSS_C_INDEFINITE) { + krb5_timestamp ts; + + krb5_timeofday (_gsskrb5_context, &ts); + this_cred.times.endtime = ts + time_req; + } else { + this_cred.times.endtime = 0; + } + + this_cred.session.keytype = KEYTYPE_NULL; + + kret = krb5_get_credentials(_gsskrb5_context, + 0, + ccache, + &this_cred, + cred); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + + ctx->lifetime = (*cred)->times.endtime; + + ret = _gsskrb5_lifetime_left(minor_status, ctx->lifetime, &lifetime_rec); + if (ret) return ret; + + if (lifetime_rec == 0) { + *minor_status = 0; + return GSS_S_CONTEXT_EXPIRED; + } + + if (time_rec) *time_rec = lifetime_rec; + + return GSS_S_COMPLETE; +} + +static OM_uint32 +gsskrb5_initiator_ready( + OM_uint32 * minor_status, + gsskrb5_ctx ctx) +{ + OM_uint32 ret; + int32_t seq_number; + int is_cfx = 0; + OM_uint32 flags = ctx->flags; + + krb5_auth_getremoteseqnumber (_gsskrb5_context, + ctx->auth_context, + &seq_number); + + _gsskrb5i_is_cfx(ctx, &is_cfx); + + ret = _gssapi_msg_order_create(minor_status, + &ctx->order, + _gssapi_msg_order_f(flags), + seq_number, 0, is_cfx); + if (ret) return ret; + + ctx->state = INITIATOR_READY; + ctx->more_flags |= OPEN; + + return GSS_S_COMPLETE; +} + +/* + * handle delegated creds in init-sec-context + */ + +static void +do_delegation (krb5_auth_context ac, + krb5_ccache ccache, + krb5_creds *cred, + krb5_const_principal name, + krb5_data *fwd_data, + uint32_t *flags) +{ + krb5_creds creds; + KDCOptions fwd_flags; + krb5_error_code kret; + + memset (&creds, 0, sizeof(creds)); + krb5_data_zero (fwd_data); + + kret = krb5_cc_get_principal(_gsskrb5_context, ccache, &creds.client); + if (kret) + goto out; + + kret = krb5_build_principal(_gsskrb5_context, + &creds.server, + strlen(creds.client->realm), + creds.client->realm, + KRB5_TGS_NAME, + creds.client->realm, + NULL); + if (kret) + goto out; + + creds.times.endtime = 0; + + memset(&fwd_flags, 0, sizeof(fwd_flags)); + fwd_flags.forwarded = 1; + fwd_flags.forwardable = 1; + + if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/ + name->name.name_string.len < 2) + goto out; + + kret = krb5_get_forwarded_creds(_gsskrb5_context, + ac, + ccache, + KDCOptions2int(fwd_flags), + name->name.name_string.val[1], + &creds, + fwd_data); + + out: + if (kret) + *flags &= ~GSS_C_DELEG_FLAG; + else + *flags |= GSS_C_DELEG_FLAG; + + if (creds.client) + krb5_free_principal(_gsskrb5_context, creds.client); + if (creds.server) + krb5_free_principal(_gsskrb5_context, creds.server); +} + +/* + * first stage of init-sec-context + */ + +static OM_uint32 +init_auth +(OM_uint32 * minor_status, + gsskrb5_cred initiator_cred_handle, + gsskrb5_ctx ctx, + krb5_const_principal name, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) +{ + OM_uint32 ret = GSS_S_FAILURE; + krb5_error_code kret; + krb5_flags ap_options; + krb5_creds *cred = NULL; + krb5_data outbuf; + krb5_ccache ccache = NULL; + uint32_t flags; + krb5_data authenticator; + Checksum cksum; + krb5_enctype enctype; + krb5_data fwd_data; + OM_uint32 lifetime_rec; + + krb5_data_zero(&outbuf); + krb5_data_zero(&fwd_data); + + *minor_status = 0; + + if (actual_mech_type) + *actual_mech_type = GSS_KRB5_MECHANISM; + + if (initiator_cred_handle == NULL) { + kret = krb5_cc_default (_gsskrb5_context, &ccache); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + ret = GSS_S_FAILURE; + goto failure; + } + } else + ccache = initiator_cred_handle->ccache; + + kret = krb5_cc_get_principal (_gsskrb5_context, ccache, &ctx->source); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + ret = GSS_S_FAILURE; + goto failure; + } + + kret = krb5_copy_principal (_gsskrb5_context, name, &ctx->target); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + ret = GSS_S_FAILURE; + goto failure; + } + + ret = _gss_DES3_get_mic_compat(minor_status, ctx); + if (ret) + goto failure; + + + ret = gsskrb5_get_creds(minor_status, + ccache, + ctx, + ctx->target, + time_req, + time_rec, + &cred); + if (ret) + goto failure; + + ctx->lifetime = cred->times.endtime; + + ret = _gsskrb5_lifetime_left(minor_status, + ctx->lifetime, + &lifetime_rec); + if (ret) { + goto failure; + } + + if (lifetime_rec == 0) { + *minor_status = 0; + ret = GSS_S_CONTEXT_EXPIRED; + goto failure; + } + + krb5_auth_con_setkey(_gsskrb5_context, + ctx->auth_context, + &cred->session); + + kret = krb5_auth_con_generatelocalsubkey(_gsskrb5_context, + ctx->auth_context, + &cred->session); + if(kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + ret = GSS_S_FAILURE; + goto failure; + } + + /* + * If the credential doesn't have ok-as-delegate, check what local + * policy say about ok-as-delegate, default is FALSE that makes + * code ignore the KDC setting and follow what the application + * requested. If its TRUE, strip of the GSS_C_DELEG_FLAG if the + * KDC doesn't set ok-as-delegate. + */ + if (!cred->flags.b.ok_as_delegate) { + krb5_boolean delegate; + + krb5_appdefault_boolean(_gsskrb5_context, + "gssapi", name->realm, + "ok-as-delegate", FALSE, &delegate); + if (delegate) + req_flags &= ~GSS_C_DELEG_FLAG; + } + + flags = 0; + ap_options = 0; + if (req_flags & GSS_C_DELEG_FLAG) + do_delegation (ctx->auth_context, + ccache, cred, name, &fwd_data, &flags); + + if (req_flags & GSS_C_MUTUAL_FLAG) { + flags |= GSS_C_MUTUAL_FLAG; + ap_options |= AP_OPTS_MUTUAL_REQUIRED; + } + + if (req_flags & GSS_C_REPLAY_FLAG) + flags |= GSS_C_REPLAY_FLAG; + if (req_flags & GSS_C_SEQUENCE_FLAG) + flags |= GSS_C_SEQUENCE_FLAG; + if (req_flags & GSS_C_ANON_FLAG) + ; /* XXX */ + if (req_flags & GSS_C_DCE_STYLE) { + /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */ + flags |= GSS_C_DCE_STYLE | GSS_C_MUTUAL_FLAG; + ap_options |= AP_OPTS_MUTUAL_REQUIRED; + } + if (req_flags & GSS_C_IDENTIFY_FLAG) + flags |= GSS_C_IDENTIFY_FLAG; + if (req_flags & GSS_C_EXTENDED_ERROR_FLAG) + flags |= GSS_C_EXTENDED_ERROR_FLAG; + + flags |= GSS_C_CONF_FLAG; + flags |= GSS_C_INTEG_FLAG; + flags |= GSS_C_TRANS_FLAG; + + if (ret_flags) + *ret_flags = flags; + ctx->flags = flags; + ctx->more_flags |= LOCAL; + + ret = _gsskrb5_create_8003_checksum (minor_status, + input_chan_bindings, + flags, + &fwd_data, + &cksum); + krb5_data_free (&fwd_data); + if (ret) + goto failure; + + enctype = ctx->auth_context->keyblock->keytype; + + kret = krb5_build_authenticator (_gsskrb5_context, + ctx->auth_context, + enctype, + cred, + &cksum, + NULL, + &authenticator, + KRB5_KU_AP_REQ_AUTH); + + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + ret = GSS_S_FAILURE; + goto failure; + } + + kret = krb5_build_ap_req (_gsskrb5_context, + enctype, + cred, + ap_options, + authenticator, + &outbuf); + + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + ret = GSS_S_FAILURE; + goto failure; + } + + ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token, + (u_char *)"\x01\x00", GSS_KRB5_MECHANISM); + if (ret) + goto failure; + + krb5_data_free (&outbuf); + krb5_free_creds(_gsskrb5_context, cred); + free_Checksum(&cksum); + if (initiator_cred_handle == NULL) + krb5_cc_close(_gsskrb5_context, ccache); + + if (flags & GSS_C_MUTUAL_FLAG) { + ctx->state = INITIATOR_WAIT_FOR_MUTAL; + return GSS_S_CONTINUE_NEEDED; + } + + return gsskrb5_initiator_ready(minor_status, ctx); +failure: + if(cred) + krb5_free_creds(_gsskrb5_context, cred); + if (ccache && initiator_cred_handle == NULL) + krb5_cc_close(_gsskrb5_context, ccache); + + return ret; + +} + +static OM_uint32 +repl_mutual + (OM_uint32 * minor_status, + gsskrb5_ctx ctx, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) +{ + OM_uint32 ret; + krb5_error_code kret; + krb5_data indata; + krb5_ap_rep_enc_part *repl; + int is_cfx = 0; + + output_token->length = 0; + output_token->value = NULL; + + if (actual_mech_type) + *actual_mech_type = GSS_KRB5_MECHANISM; + + if (req_flags & GSS_C_DCE_STYLE) { + /* There is no OID wrapping. */ + indata.length = input_token->length; + indata.data = input_token->value; + } else { + ret = _gsskrb5_decapsulate (minor_status, + input_token, + &indata, + "\x02\x00", + GSS_KRB5_MECHANISM); + if (ret) { + /* XXX - Handle AP_ERROR */ + return ret; + } + } + + kret = krb5_rd_rep (_gsskrb5_context, + ctx->auth_context, + &indata, + &repl); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + krb5_free_ap_rep_enc_part (_gsskrb5_context, + repl); + + _gsskrb5i_is_cfx(ctx, &is_cfx); + if (is_cfx) { + krb5_keyblock *key = NULL; + + kret = krb5_auth_con_getremotesubkey(_gsskrb5_context, + ctx->auth_context, + &key); + if (kret == 0 && key != NULL) { + ctx->more_flags |= ACCEPTOR_SUBKEY; + krb5_free_keyblock (_gsskrb5_context, key); + } + } + + + *minor_status = 0; + if (time_rec) { + ret = _gsskrb5_lifetime_left(minor_status, + ctx->lifetime, + time_rec); + } else { + ret = GSS_S_COMPLETE; + } + if (ret_flags) + *ret_flags = ctx->flags; + + if (req_flags & GSS_C_DCE_STYLE) { + int32_t con_flags; + krb5_data outbuf; + + /* Do don't do sequence number for the mk-rep */ + krb5_auth_con_removeflags(_gsskrb5_context, + ctx->auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE, + &con_flags); + + kret = krb5_mk_rep(_gsskrb5_context, + ctx->auth_context, + &outbuf); + if (kret) { + _gsskrb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + + output_token->length = outbuf.length; + output_token->value = outbuf.data; + + krb5_auth_con_removeflags(_gsskrb5_context, + ctx->auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE, + NULL); + } + + return gsskrb5_initiator_ready(minor_status, ctx); +} + +/* + * gss_init_sec_context + */ + +OM_uint32 _gsskrb5_init_sec_context +(OM_uint32 * minor_status, + const gss_cred_id_t initiator_cred_handle, + gss_ctx_id_t * context_handle, + const gss_name_t target_name, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) +{ + gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle; + krb5_const_principal name = (krb5_const_principal)target_name; + gsskrb5_ctx ctx; + OM_uint32 ret; + + GSSAPI_KRB5_INIT (); + + output_token->length = 0; + output_token->value = NULL; + + if (context_handle == NULL) { + *minor_status = 0; + return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE; + } + + if (ret_flags) + *ret_flags = 0; + if (time_rec) + *time_rec = 0; + + if (target_name == GSS_C_NO_NAME) { + if (actual_mech_type) + *actual_mech_type = GSS_C_NO_OID; + *minor_status = 0; + return GSS_S_BAD_NAME; + } + + if (mech_type != GSS_C_NO_OID && + !gss_oid_equal(mech_type, GSS_KRB5_MECHANISM)) + return GSS_S_BAD_MECH; + + if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) { + OM_uint32 ret; + + if (*context_handle != GSS_C_NO_CONTEXT) { + *minor_status = 0; + return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE; + } + + ret = _gsskrb5_create_ctx(minor_status, + context_handle, + input_chan_bindings, + INITIATOR_START); + if (ret) + return ret; + } + + if (*context_handle == GSS_C_NO_CONTEXT) { + *minor_status = 0; + return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE; + } + + ctx = (gsskrb5_ctx) *context_handle; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + switch (ctx->state) { + case INITIATOR_START: + ret = init_auth(minor_status, + cred, + ctx, + name, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); + break; + case INITIATOR_WAIT_FOR_MUTAL: + ret = repl_mutual(minor_status, + ctx, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); + break; + case INITIATOR_READY: + /* + * If we get there, the caller have called + * gss_init_sec_context() one time too many. + */ + *minor_status = 0; + ret = GSS_S_BAD_STATUS; + break; + default: + *minor_status = 0; + ret = GSS_S_BAD_STATUS; + break; + } + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + /* destroy context in case of error */ + if (GSS_ERROR(ret)) { + OM_uint32 min2; + _gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER); + } + + return ret; + +} diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_context.c b/source4/heimdal/lib/gssapi/krb5/inquire_context.c new file mode 100644 index 0000000000..ef43e6852c --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/inquire_context.c @@ -0,0 +1,108 @@ +/* + * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: inquire_context.c,v 1.10 2006/10/07 22:15:03 lha Exp $"); + +OM_uint32 _gsskrb5_inquire_context ( + OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + gss_name_t * src_name, + gss_name_t * targ_name, + OM_uint32 * lifetime_rec, + gss_OID * mech_type, + OM_uint32 * ctx_flags, + int * locally_initiated, + int * open_context + ) +{ + OM_uint32 ret; + gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle; + gss_name_t name; + + if (src_name) + *src_name = GSS_C_NO_NAME; + if (targ_name) + *targ_name = GSS_C_NO_NAME; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + if (src_name) { + name = (gss_name_t)ctx->source; + ret = _gsskrb5_duplicate_name (minor_status, name, src_name); + if (ret) + goto failed; + } + + if (targ_name) { + name = (gss_name_t)ctx->target; + ret = _gsskrb5_duplicate_name (minor_status, name, targ_name); + if (ret) + goto failed; + } + + if (lifetime_rec) { + ret = _gsskrb5_lifetime_left(minor_status, + ctx->lifetime, + lifetime_rec); + if (ret) + goto failed; + } + + if (mech_type) + *mech_type = GSS_KRB5_MECHANISM; + + if (ctx_flags) + *ctx_flags = ctx->flags; + + if (locally_initiated) + *locally_initiated = ctx->more_flags & LOCAL; + + if (open_context) + *open_context = ctx->more_flags & OPEN; + + *minor_status = 0; + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + return GSS_S_COMPLETE; + +failed: + if (src_name) + _gsskrb5_release_name(NULL, src_name); + if (targ_name) + _gsskrb5_release_name(NULL, targ_name); + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + return ret; +} diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c new file mode 100644 index 0000000000..0593729365 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c @@ -0,0 +1,178 @@ +/* + * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: inquire_cred.c,v 1.12 2006/10/07 22:15:06 lha Exp $"); + +OM_uint32 _gsskrb5_inquire_cred +(OM_uint32 * minor_status, + const gss_cred_id_t cred_handle, + gss_name_t * output_name, + OM_uint32 * lifetime, + gss_cred_usage_t * cred_usage, + gss_OID_set * mechanisms + ) +{ + gss_cred_id_t aqcred_init = GSS_C_NO_CREDENTIAL; + gss_cred_id_t aqcred_accept = GSS_C_NO_CREDENTIAL; + gsskrb5_cred acred = NULL, icred = NULL; + OM_uint32 ret; + + *minor_status = 0; + + if (output_name) + *output_name = NULL; + if (mechanisms) + *mechanisms = GSS_C_NO_OID_SET; + + if (cred_handle == GSS_C_NO_CREDENTIAL) { + ret = _gsskrb5_acquire_cred(minor_status, + GSS_C_NO_NAME, + GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, + GSS_C_ACCEPT, + &aqcred_accept, + NULL, + NULL); + if (ret == GSS_S_COMPLETE) + acred = (gsskrb5_cred)aqcred_accept; + + ret = _gsskrb5_acquire_cred(minor_status, + GSS_C_NO_NAME, + GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, + GSS_C_INITIATE, + &aqcred_init, + NULL, + NULL); + if (ret == GSS_S_COMPLETE) + acred = (gsskrb5_cred)aqcred_init; + + if (icred == NULL && acred == NULL) { + *minor_status = 0; + return GSS_S_NO_CRED; + } + } else + acred = (gsskrb5_cred)cred_handle; + + if (acred) + HEIMDAL_MUTEX_lock(&acred->cred_id_mutex); + if (icred) + HEIMDAL_MUTEX_lock(&icred->cred_id_mutex); + + if (output_name != NULL) { + if (icred && icred->principal != NULL) { + gss_name_t name; + + if (acred) + name = (gss_name_t)acred->principal; + else + name = (gss_name_t)icred->principal; + + ret = _gsskrb5_duplicate_name(minor_status, name, output_name); + if (ret) + goto out; + } else if (acred && acred->usage == GSS_C_ACCEPT) { + krb5_principal princ; + *minor_status = krb5_sname_to_principal(_gsskrb5_context, NULL, + NULL, KRB5_NT_SRV_HST, + &princ); + if (*minor_status) { + ret = GSS_S_FAILURE; + goto out; + } + *output_name = (gss_name_t)princ; + } else { + krb5_principal princ; + *minor_status = krb5_get_default_principal(_gsskrb5_context, + &princ); + if (*minor_status) { + ret = GSS_S_FAILURE; + goto out; + } + *output_name = (gss_name_t)princ; + } + } + if (lifetime != NULL) { + OM_uint32 alife = GSS_C_INDEFINITE, ilife = GSS_C_INDEFINITE; + + if (acred) alife = acred->lifetime; + if (icred) ilife = icred->lifetime; + + ret = _gsskrb5_lifetime_left(minor_status, + min(alife,ilife), + lifetime); + if (ret) + goto out; + } + if (cred_usage != NULL) { + if (acred && icred) + *cred_usage = GSS_C_BOTH; + else if (acred) + *cred_usage = GSS_C_ACCEPT; + else if (icred) + *cred_usage = GSS_C_INITIATE; + else + abort(); + } + + if (mechanisms != NULL) { + ret = _gsskrb5_create_empty_oid_set(minor_status, mechanisms); + if (ret) + goto out; + if (acred) + ret = _gsskrb5_add_oid_set_member(minor_status, + &acred->mechanisms->elements[0], + mechanisms); + if (ret == GSS_S_COMPLETE && icred) + ret = _gsskrb5_add_oid_set_member(minor_status, + &icred->mechanisms->elements[0], + mechanisms); + if (ret) + goto out; + } + ret = GSS_S_COMPLETE; +out: + if (acred) + HEIMDAL_MUTEX_unlock(&acred->cred_id_mutex); + if (icred) + HEIMDAL_MUTEX_unlock(&icred->cred_id_mutex); + + if (aqcred_init != GSS_C_NO_CREDENTIAL) + ret = _gsskrb5_release_cred(minor_status, &aqcred_init); + if (aqcred_accept != GSS_C_NO_CREDENTIAL) + ret = _gsskrb5_release_cred(minor_status, &aqcred_accept); + + return ret; +} diff --git a/source4/heimdal/lib/gssapi/arcfour.h b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c index 0406b64b09..954a5e3119 100644 --- a/source4/heimdal/lib/gssapi/arcfour.h +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c @@ -31,53 +31,53 @@ * SUCH DAMAGE. */ -/* $Id: arcfour.h,v 1.5 2004/03/07 22:30:57 lha Exp $ */ +#include "krb5/gsskrb5_locl.h" -#ifndef GSSAPI_ARCFOUR_H_ -#define GSSAPI_ARCFOUR_H_ 1 +RCSID("$Id: inquire_cred_by_mech.c,v 1.4 2006/10/07 22:15:08 lha Exp $"); -#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32 -#define GSS_ARCFOUR_WRAP_TOKEN_OFFSET 13 +OM_uint32 _gsskrb5_inquire_cred_by_mech ( + OM_uint32 * minor_status, + const gss_cred_id_t cred_handle, + const gss_OID mech_type, + gss_name_t * name, + OM_uint32 * initiator_lifetime, + OM_uint32 * acceptor_lifetime, + gss_cred_usage_t * cred_usage + ) +{ + OM_uint32 ret; + OM_uint32 lifetime; -OM_uint32 _gssapi_wrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key); + if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 && + gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) { + *minor_status = EINVAL; + return GSS_S_BAD_MECH; + } -OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key); + ret = _gsskrb5_inquire_cred (minor_status, + cred_handle, + name, + &lifetime, + cred_usage, + NULL); + + if (ret == 0 && cred_handle != GSS_C_NO_CREDENTIAL) { + gsskrb5_cred cred = (gsskrb5_cred)cred_handle; + gss_cred_usage_t usage; -OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key); + HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); + usage = cred->usage; + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); -OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t *qop_state, - krb5_keyblock *key, - char *type); -OM_uint32 -_gssapi_wrap_size_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_input_size, - OM_uint32 * output_size, - OM_uint32 * padlen, - krb5_keyblock *key); + if (initiator_lifetime) { + if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH) + *initiator_lifetime = lifetime; + } + if (acceptor_lifetime) { + if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH) + *acceptor_lifetime = lifetime; + } + } -#endif /* GSSAPI_ARCFOUR_H_ */ + return ret; +} diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c new file mode 100644 index 0000000000..26927c740c --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c @@ -0,0 +1,81 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: inquire_cred_by_oid.c,v 1.4 2006/10/07 22:15:10 lha Exp $"); + +OM_uint32 _gsskrb5_inquire_cred_by_oid + (OM_uint32 * minor_status, + const gss_cred_id_t cred_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + gsskrb5_cred cred = (gsskrb5_cred)cred_handle; + krb5_error_code ret; + gss_buffer_desc buffer; + char *str; + + if (gss_oid_equal(desired_object, GSS_KRB5_COPY_CCACHE_X) == 0) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); + + if (cred->ccache == NULL) { + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ret = krb5_cc_get_full_name(_gsskrb5_context, cred->ccache, &str); + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + if (ret) { + *minor_status = ret; + _gsskrb5_set_error_string (); + return GSS_S_FAILURE; + } + + buffer.value = str; + buffer.length = strlen(str); + + ret = gss_add_buffer_set_member(minor_status, &buffer, data_set); + if (ret != GSS_S_COMPLETE) + _gsskrb5_clear_status (); + + free(str); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c new file mode 100644 index 0000000000..5c1f082f45 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c @@ -0,0 +1,57 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: inquire_mechs_for_name.c,v 1.3 2006/10/07 22:15:13 lha Exp $"); + +OM_uint32 _gsskrb5_inquire_mechs_for_name ( + OM_uint32 * minor_status, + const gss_name_t input_name, + gss_OID_set * mech_types + ) +{ + OM_uint32 ret; + + ret = _gsskrb5_create_empty_oid_set(minor_status, mech_types); + if (ret) + return ret; + + ret = _gsskrb5_add_oid_set_member(minor_status, + GSS_KRB5_MECHANISM, + mech_types); + if (ret) + _gsskrb5_release_oid_set(NULL, mech_types); + + return ret; +} diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c new file mode 100644 index 0000000000..5d8aefab1c --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c @@ -0,0 +1,80 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: inquire_names_for_mech.c,v 1.3 2006/10/07 22:15:15 lha Exp $"); + + +static gss_OID *name_list[] = { + &GSS_C_NT_HOSTBASED_SERVICE, + &GSS_C_NT_USER_NAME, + &GSS_KRB5_NT_PRINCIPAL_NAME, + &GSS_C_NT_EXPORT_NAME, + NULL +}; + +OM_uint32 _gsskrb5_inquire_names_for_mech ( + OM_uint32 * minor_status, + const gss_OID mechanism, + gss_OID_set * name_types + ) +{ + OM_uint32 ret; + int i; + + *minor_status = 0; + + if (gss_oid_equal(mechanism, GSS_KRB5_MECHANISM) == 0 && + gss_oid_equal(mechanism, GSS_C_NULL_OID) == 0) { + *name_types = GSS_C_NO_OID_SET; + return GSS_S_BAD_MECH; + } + + ret = _gsskrb5_create_empty_oid_set(minor_status, name_types); + if (ret != GSS_S_COMPLETE) + return ret; + + for (i = 0; name_list[i] != NULL; i++) { + ret = _gsskrb5_add_oid_set_member(minor_status, + *(name_list[i]), + name_types); + if (ret != GSS_S_COMPLETE) + break; + } + + if (ret != GSS_S_COMPLETE) + _gsskrb5_release_oid_set(NULL, name_types); + + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c new file mode 100644 index 0000000000..0b46cc5495 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c @@ -0,0 +1,559 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: inquire_sec_context_by_oid.c,v 1.8 2006/10/24 15:55:28 lha Exp $"); + +static int +oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix) +{ + int ret; + heim_oid oid; + heim_oid prefix; + + *suffix = 0; + + ret = der_get_oid(oid_enc->elements, oid_enc->length, + &oid, NULL); + if (ret) { + return 0; + } + + ret = der_get_oid(prefix_enc->elements, prefix_enc->length, + &prefix, NULL); + if (ret) { + der_free_oid(&oid); + return 0; + } + + ret = 0; + + if (oid.length - 1 == prefix.length) { + *suffix = oid.components[oid.length - 1]; + oid.length--; + ret = (der_heim_oid_cmp(&oid, &prefix) == 0); + oid.length++; + } + + der_free_oid(&oid); + der_free_oid(&prefix); + + return ret; +} + +static OM_uint32 inquire_sec_context_tkt_flags + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + gss_buffer_set_t *data_set) +{ + OM_uint32 tkt_flags; + unsigned char buf[4]; + gss_buffer_desc value; + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + + if (context_handle->ticket == NULL) { + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + _gsskrb5_set_status("No ticket from which to obtain flags"); + *minor_status = EINVAL; + return GSS_S_BAD_MECH; + } + + tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + _gsskrb5_encode_om_uint32(tkt_flags, buf); + value.length = sizeof(buf); + value.value = buf; + + return gss_add_buffer_set_member(minor_status, + &value, + data_set); +} + +enum keytype { ACCEPTOR_KEY, INITIATOR_KEY, TOKEN_KEY }; + +static OM_uint32 inquire_sec_context_get_subkey + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + enum keytype keytype, + gss_buffer_set_t *data_set) +{ + krb5_keyblock *key = NULL; + krb5_storage *sp = NULL; + krb5_data data; + OM_uint32 maj_stat = GSS_S_COMPLETE; + krb5_error_code ret; + + krb5_data_zero(&data); + + sp = krb5_storage_emem(); + if (sp == NULL) { + _gsskrb5_clear_status(); + ret = ENOMEM; + goto out; + } + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + switch(keytype) { + case ACCEPTOR_KEY: + ret = _gsskrb5i_get_acceptor_subkey(context_handle, &key); + if (ret) + _gsskrb5_set_error_string (); + break; + case INITIATOR_KEY: + ret = _gsskrb5i_get_initiator_subkey(context_handle, &key); + if (ret) + _gsskrb5_set_error_string (); + break; + case TOKEN_KEY: + ret = _gsskrb5i_get_token_key(context_handle, &key); + if (ret) + _gsskrb5_set_error_string (); + break; + default: + _gsskrb5_set_status("%d is not a valid subkey type", keytype); + ret = EINVAL; + break; + } + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + if (ret) + goto out; + + ret = krb5_store_keyblock(sp, *key); + krb5_free_keyblock (_gsskrb5_context, key); + if (ret) { + _gsskrb5_set_error_string (); + goto out; + } + + ret = krb5_storage_to_data(sp, &data); + if (ret) { + _gsskrb5_set_error_string (); + goto out; + } + + { + gss_buffer_desc value; + + value.length = data.length; + value.value = data.data; + + maj_stat = gss_add_buffer_set_member(minor_status, + &value, + data_set); + } + +out: + krb5_data_free(&data); + if (sp) + krb5_storage_free(sp); + if (ret) { + *minor_status = ret; + maj_stat = GSS_S_FAILURE; + } + return maj_stat; +} + +static OM_uint32 inquire_sec_context_authz_data + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + unsigned ad_type, + gss_buffer_set_t *data_set) +{ + krb5_data data; + gss_buffer_desc ad_data; + OM_uint32 ret; + + *minor_status = 0; + *data_set = GSS_C_NO_BUFFER_SET; + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + if (context_handle->ticket == NULL) { + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + *minor_status = EINVAL; + _gsskrb5_set_status("No ticket to obtain authz data from"); + return GSS_S_NO_CONTEXT; + } + + ret = krb5_ticket_get_authorization_data_type(_gsskrb5_context, + context_handle->ticket, + ad_type, + &data); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + if (ret) { + _gsskrb5_set_error_string (); + *minor_status = ret; + return GSS_S_FAILURE; + } + + ad_data.value = data.data; + ad_data.length = data.length; + + ret = gss_add_buffer_set_member(minor_status, + &ad_data, + data_set); + + krb5_data_free(&data); + + return ret; +} + +static OM_uint32 inquire_sec_context_has_updated_spnego + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + gss_buffer_set_t *data_set) +{ + int is_updated = 0; + + *minor_status = 0; + *data_set = GSS_C_NO_BUFFER_SET; + + /* + * For Windows SPNEGO implementations, both the initiator and the + * acceptor are assumed to have been updated if a "newer" [CLAR] or + * different enctype is negotiated for use by the Kerberos GSS-API + * mechanism. + */ + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + _gsskrb5i_is_cfx(context_handle, &is_updated); + if (is_updated == 0) { + krb5_keyblock *acceptor_subkey; + + if (context_handle->more_flags & LOCAL) + acceptor_subkey = context_handle->auth_context->remote_subkey; + else + acceptor_subkey = context_handle->auth_context->local_subkey; + + if (acceptor_subkey != NULL) + is_updated = (acceptor_subkey->keytype != + context_handle->auth_context->keyblock->keytype); + } + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + return is_updated ? GSS_S_COMPLETE : GSS_S_FAILURE; +} + +/* + * + */ + +static OM_uint32 +export_lucid_sec_context_v1(OM_uint32 *minor_status, + gsskrb5_ctx context_handle, + gss_buffer_set_t *data_set) +{ + krb5_storage *sp = NULL; + OM_uint32 major_status = GSS_S_COMPLETE; + krb5_error_code ret; + krb5_keyblock *key = NULL; + int32_t number; + int is_cfx; + krb5_data data; + + *minor_status = 0; + + GSSAPI_KRB5_INIT (); + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + + _gsskrb5i_is_cfx(context_handle, &is_cfx); + + sp = krb5_storage_emem(); + if (sp == NULL) { + _gsskrb5_clear_status(); + ret = ENOMEM; + goto out; + } + + ret = krb5_store_int32(sp, 1); + if (ret) goto out; + ret = krb5_store_int32(sp, (context_handle->more_flags & LOCAL) ? 1 : 0); + if (ret) goto out; + ret = krb5_store_int32(sp, context_handle->lifetime); + if (ret) goto out; + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, + context_handle->auth_context, + &number); + ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */ + ret = krb5_store_uint32(sp, (uint32_t)number); + krb5_auth_getremoteseqnumber (_gsskrb5_context, + context_handle->auth_context, + &number); + ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */ + ret = krb5_store_uint32(sp, (uint32_t)number); + ret = krb5_store_int32(sp, (is_cfx) ? 1 : 0); + if (ret) goto out; + + ret = _gsskrb5i_get_token_key(context_handle, &key); + if (ret) goto out; + + if (is_cfx == 0) { + int sign_alg, seal_alg; + + switch (key->keytype) { + case ETYPE_DES_CBC_CRC: + case ETYPE_DES_CBC_MD4: + case ETYPE_DES_CBC_MD5: + sign_alg = 0; + seal_alg = 0; + break; + case ETYPE_DES3_CBC_MD5: + case ETYPE_DES3_CBC_SHA1: + sign_alg = 4; + seal_alg = 2; + break; + case ETYPE_ARCFOUR_HMAC_MD5: + case ETYPE_ARCFOUR_HMAC_MD5_56: + sign_alg = 17; + seal_alg = 16; + break; + default: + sign_alg = -1; + seal_alg = -1; + break; + } + ret = krb5_store_int32(sp, sign_alg); + if (ret) goto out; + ret = krb5_store_int32(sp, seal_alg); + if (ret) goto out; + /* ctx_key */ + ret = krb5_store_keyblock(sp, *key); + if (ret) goto out; + } else { + int subkey_p = (context_handle->more_flags & ACCEPTOR_SUBKEY) ? 1 : 0; + + /* have_acceptor_subkey */ + ret = krb5_store_int32(sp, subkey_p); + if (ret) goto out; + /* ctx_key */ + ret = krb5_store_keyblock(sp, *key); + if (ret) goto out; + /* acceptor_subkey */ + if (subkey_p) { + ret = krb5_store_keyblock(sp, *key); + if (ret) goto out; + } + } + ret = krb5_storage_to_data(sp, &data); + if (ret) goto out; + + { + gss_buffer_desc ad_data; + + ad_data.value = data.data; + ad_data.length = data.length; + + ret = gss_add_buffer_set_member(minor_status, &ad_data, data_set); + krb5_data_free(&data); + if (ret) + goto out; + } + +out: + if (key) + krb5_free_keyblock (_gsskrb5_context, key); + if (sp) + krb5_storage_free(sp); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + } + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + return major_status; +} + +static OM_uint32 +get_authtime(OM_uint32 *minor_status, + gsskrb5_ctx ctx, + gss_buffer_set_t *data_set) + +{ + gss_buffer_desc value; + OM_uint32 authtime; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + if (ctx->ticket == NULL) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + _gsskrb5_set_status("No ticket to obtain auth time from"); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + authtime = ctx->ticket->ticket.authtime; + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + value.length = 4; + value.value = malloc(value.length); + if (!value.value) { + _gsskrb5_clear_status(); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + _gsskrb5_encode_om_uint32(authtime, value.value); + + return gss_add_buffer_set_member(minor_status, + &value, + data_set); +} + + +static OM_uint32 +get_service_keyblock + (OM_uint32 *minor_status, + gsskrb5_ctx ctx, + gss_buffer_set_t *data_set) +{ + krb5_storage *sp = NULL; + krb5_data data; + OM_uint32 maj_stat = GSS_S_COMPLETE; + krb5_error_code ret = EINVAL; + + sp = krb5_storage_emem(); + if (sp == NULL) { + _gsskrb5_clear_status(); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + if (ctx->service_keyblock == NULL) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + _gsskrb5_set_status("No service keyblock on gssapi context"); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + krb5_data_zero(&data); + + ret = krb5_store_keyblock(sp, *ctx->service_keyblock); + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + if (ret) + goto out; + + ret = krb5_storage_to_data(sp, &data); + if (ret) + goto out; + + { + gss_buffer_desc value; + + value.length = data.length; + value.value = data.data; + + maj_stat = gss_add_buffer_set_member(minor_status, + &value, + data_set); + } + +out: + krb5_data_free(&data); + if (sp) + krb5_storage_free(sp); + if (ret) { + _gsskrb5_set_error_string (); + *minor_status = ret; + maj_stat = GSS_S_FAILURE; + } + return maj_stat; +} +/* + * + */ + +OM_uint32 _gsskrb5_inquire_sec_context_by_oid + (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; + unsigned suffix; + + if (ctx == NULL) { + *minor_status = EINVAL; + return GSS_S_NO_CONTEXT; + } + + if (gss_oid_equal(desired_object, GSS_KRB5_GET_TKT_FLAGS_X)) { + return inquire_sec_context_tkt_flags(minor_status, + ctx, + data_set); + } else if (gss_oid_equal(desired_object, GSS_C_PEER_HAS_UPDATED_SPNEGO)) { + return inquire_sec_context_has_updated_spnego(minor_status, + ctx, + data_set); + } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SUBKEY_X)) { + return inquire_sec_context_get_subkey(minor_status, + ctx, + TOKEN_KEY, + data_set); + } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_INITIATOR_SUBKEY_X)) { + return inquire_sec_context_get_subkey(minor_status, + ctx, + INITIATOR_KEY, + data_set); + } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X)) { + return inquire_sec_context_get_subkey(minor_status, + ctx, + ACCEPTOR_KEY, + data_set); + } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) { + return get_authtime(minor_status, ctx, data_set); + } else if (oid_prefix_equal(desired_object, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X, + &suffix)) { + return inquire_sec_context_authz_data(minor_status, + ctx, + suffix, + data_set); + } else if (oid_prefix_equal(desired_object, + GSS_KRB5_EXPORT_LUCID_CONTEXT_X, + &suffix)) { + if (suffix == 1) + return export_lucid_sec_context_v1(minor_status, + ctx, + data_set); + *minor_status = 0; + return GSS_S_FAILURE; + } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SERVICE_KEYBLOCK_X)) { + return get_service_keyblock(minor_status, ctx, data_set); + } else { + *minor_status = 0; + return GSS_S_FAILURE; + } +} + diff --git a/source4/heimdal/lib/gssapi/krb5/process_context_token.c b/source4/heimdal/lib/gssapi/krb5/process_context_token.c new file mode 100644 index 0000000000..99568c9dd0 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/process_context_token.c @@ -0,0 +1,66 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: process_context_token.c,v 1.4 2006/10/07 22:15:19 lha Exp $"); + +OM_uint32 _gsskrb5_process_context_token ( + OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t token_buffer + ) +{ + OM_uint32 ret = GSS_S_FAILURE; + gss_buffer_desc empty_buffer; + gss_qop_t qop_state; + + empty_buffer.length = 0; + empty_buffer.value = NULL; + + qop_state = GSS_C_QOP_DEFAULT; + + ret = _gsskrb5_verify_mic_internal(minor_status, + (gsskrb5_ctx)context_handle, + token_buffer, &empty_buffer, + GSS_C_QOP_DEFAULT, "\x01\x02"); + + if (ret == GSS_S_COMPLETE) + ret = _gsskrb5_delete_sec_context(minor_status, + rk_UNCONST(&context_handle), + GSS_C_NO_BUFFER); + if (ret == GSS_S_COMPLETE) + *minor_status = 0; + + return ret; +} diff --git a/source4/heimdal/lib/gssapi/release_buffer.c b/source4/heimdal/lib/gssapi/krb5/release_buffer.c index 258b76f627..b62ad02117 100644 --- a/source4/heimdal/lib/gssapi/release_buffer.c +++ b/source4/heimdal/lib/gssapi/krb5/release_buffer.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: release_buffer.c,v 1.5 2003/03/16 17:58:20 lha Exp $"); +RCSID("$Id: release_buffer.c,v 1.7 2006/10/07 22:15:22 lha Exp $"); -OM_uint32 gss_release_buffer +OM_uint32 _gsskrb5_release_buffer (OM_uint32 * minor_status, gss_buffer_t buffer ) diff --git a/source4/heimdal/lib/gssapi/release_cred.c b/source4/heimdal/lib/gssapi/krb5/release_cred.c index fc9fc3fc01..662461ccfd 100644 --- a/source4/heimdal/lib/gssapi/release_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/release_cred.c @@ -31,43 +31,46 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: release_cred.c,v 1.11 2005/11/02 08:57:35 lha Exp $"); +RCSID("$Id: release_cred.c,v 1.13 2006/10/07 22:15:24 lha Exp $"); -OM_uint32 gss_release_cred +OM_uint32 _gsskrb5_release_cred (OM_uint32 * minor_status, gss_cred_id_t * cred_handle ) { + gsskrb5_cred cred; + *minor_status = 0; - if (*cred_handle == GSS_C_NO_CREDENTIAL) { + if (*cred_handle == NULL) return GSS_S_COMPLETE; - } + + cred = (gsskrb5_cred)*cred_handle; + *cred_handle = GSS_C_NO_CREDENTIAL; GSSAPI_KRB5_INIT (); - HEIMDAL_MUTEX_lock(&(*cred_handle)->cred_id_mutex); + HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); - if ((*cred_handle)->principal != NULL) - krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal); - if ((*cred_handle)->keytab != NULL) - krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab); - if ((*cred_handle)->ccache != NULL) { + if (cred->principal != NULL) + krb5_free_principal(_gsskrb5_context, cred->principal); + if (cred->keytab != NULL) + krb5_kt_close(_gsskrb5_context, cred->keytab); + if (cred->ccache != NULL) { const krb5_cc_ops *ops; - ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache); - if ((*cred_handle)->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE) - krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache); + ops = krb5_cc_get_ops(_gsskrb5_context, cred->ccache); + if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE) + krb5_cc_destroy(_gsskrb5_context, cred->ccache); else - krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache); + krb5_cc_close(_gsskrb5_context, cred->ccache); } - gss_release_oid_set(NULL, &(*cred_handle)->mechanisms); - HEIMDAL_MUTEX_unlock(&(*cred_handle)->cred_id_mutex); - HEIMDAL_MUTEX_destroy(&(*cred_handle)->cred_id_mutex); - memset(*cred_handle, 0, sizeof(**cred_handle)); - free(*cred_handle); - *cred_handle = GSS_C_NO_CREDENTIAL; + _gsskrb5_release_oid_set(NULL, &cred->mechanisms); + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + HEIMDAL_MUTEX_destroy(&cred->cred_id_mutex); + memset(cred, 0, sizeof(*cred)); + free(cred); return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/release_name.c b/source4/heimdal/lib/gssapi/krb5/release_name.c index 6894ffae49..a92ad939a5 100644 --- a/source4/heimdal/lib/gssapi/release_name.c +++ b/source4/heimdal/lib/gssapi/krb5/release_name.c @@ -31,20 +31,25 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: release_name.c,v 1.7 2003/03/16 17:52:48 lha Exp $"); +RCSID("$Id: release_name.c,v 1.10 2006/10/07 22:15:26 lha Exp $"); -OM_uint32 gss_release_name +OM_uint32 _gsskrb5_release_name (OM_uint32 * minor_status, gss_name_t * input_name ) { + krb5_principal name = (krb5_principal)*input_name; + GSSAPI_KRB5_INIT (); + if (minor_status) *minor_status = 0; - krb5_free_principal(gssapi_krb5_context, - *input_name); + *input_name = GSS_C_NO_NAME; + + krb5_free_principal(_gsskrb5_context, name); + return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/release_oid_set.c b/source4/heimdal/lib/gssapi/krb5/release_oid_set.c index 04eb01565f..a9f79a3082 100644 --- a/source4/heimdal/lib/gssapi/release_oid_set.c +++ b/source4/heimdal/lib/gssapi/krb5/release_oid_set.c @@ -31,11 +31,11 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: release_oid_set.c,v 1.5 2003/03/16 17:53:25 lha Exp $"); +RCSID("$Id: release_oid_set.c,v 1.7 2006/10/07 22:15:30 lha Exp $"); -OM_uint32 gss_release_oid_set +OM_uint32 _gsskrb5_release_oid_set (OM_uint32 * minor_status, gss_OID_set * set ) diff --git a/source4/heimdal/lib/gssapi/sequence.c b/source4/heimdal/lib/gssapi/krb5/sequence.c index 35a9b924af..3014edd04d 100755 --- a/source4/heimdal/lib/gssapi/sequence.c +++ b/source4/heimdal/lib/gssapi/krb5/sequence.c @@ -31,9 +31,9 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: sequence.c,v 1.6 2006/04/12 17:43:39 lha Exp $"); +RCSID("$Id: sequence.c,v 1.8 2006/10/07 22:15:32 lha Exp $"); #define DEFAULT_JITTER_WINDOW 20 @@ -159,8 +159,8 @@ _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num) r = (o->flags & (GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG))==GSS_C_REPLAY_FLAG; - /* sequence number larger than largest sequence number - * or smaller than the first sequence number */ + /* sequence number larger then largest sequence number + * or smaller then the first sequence number */ if (seq_num > o->elem[0] || seq_num < o->first_seq || o->length == 0) diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c new file mode 100644 index 0000000000..5807ef0166 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c @@ -0,0 +1,152 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: set_cred_option.c,v 1.4 2006/10/24 20:14:13 lha Exp $"); + +static gss_OID_desc gss_krb5_import_cred_x_oid_desc = +{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */ + +gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc; + +static OM_uint32 +import_cred(OM_uint32 *minor_status, + gss_cred_id_t *cred_handle, + const gss_buffer_t value) +{ + OM_uint32 major_stat; + krb5_error_code ret; + krb5_principal keytab_principal = NULL; + krb5_keytab keytab = NULL; + krb5_storage *sp = NULL; + krb5_ccache id = NULL; + char *str; + + if (cred_handle == NULL || *cred_handle != GSS_C_NO_CREDENTIAL) { + *minor_status = 0; + return GSS_S_FAILURE; + } + + sp = krb5_storage_from_mem(value->value, value->length); + if (sp == NULL) { + *minor_status = 0; + return GSS_S_FAILURE; + } + + /* credential cache name */ + ret = krb5_ret_string(sp, &str); + if (ret) { + *minor_status = ret; + major_stat = GSS_S_FAILURE; + goto out; + } + if (str[0]) { + ret = krb5_cc_resolve(_gsskrb5_context, str, &id); + if (ret) { + *minor_status = ret; + major_stat = GSS_S_FAILURE; + goto out; + } + } + free(str); + str = NULL; + + /* keytab principal name */ + ret = krb5_ret_string(sp, &str); + if (ret == 0 && str[0]) + ret = krb5_parse_name(_gsskrb5_context, str, &keytab_principal); + if (ret) { + *minor_status = ret; + major_stat = GSS_S_FAILURE; + goto out; + } + free(str); + str = NULL; + + /* keytab principal */ + ret = krb5_ret_string(sp, &str); + if (ret) { + *minor_status = ret; + major_stat = GSS_S_FAILURE; + goto out; + } + if (str[0]) { + ret = krb5_kt_resolve(_gsskrb5_context, str, &keytab); + if (ret) { + *minor_status = ret; + major_stat = GSS_S_FAILURE; + goto out; + } + } + free(str); + str = NULL; + + major_stat = _gsskrb5_import_cred(minor_status, id, keytab_principal, + keytab, cred_handle); +out: + if (id) + krb5_cc_close(_gsskrb5_context, id); + if (keytab_principal) + krb5_free_principal(_gsskrb5_context, keytab_principal); + if (keytab) + krb5_kt_close(_gsskrb5_context, keytab); + if (str) + free(str); + if (sp) + krb5_storage_free(sp); + + return major_stat; +} + + +OM_uint32 +_gsskrb5_set_cred_option + (OM_uint32 *minor_status, + gss_cred_id_t *cred_handle, + const gss_OID desired_object, + const gss_buffer_t value) +{ + GSSAPI_KRB5_INIT (); + + if (value == GSS_C_NO_BUFFER) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (gss_oid_equal(desired_object, GSS_KRB5_IMPORT_CRED_X)) { + return import_cred(minor_status, cred_handle, value); + } + + *minor_status = EINVAL; + return GSS_S_FAILURE; +} diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c new file mode 100644 index 0000000000..67f5e8e722 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c @@ -0,0 +1,147 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * glue routine for _gsskrb5_inquire_sec_context_by_oid + */ + +#include "krb5/gsskrb5_locl.h" + +RCSID("$Id: set_sec_context_option.c,v 1.6 2006/10/20 18:58:22 lha Exp $"); + +static OM_uint32 +get_bool(OM_uint32 *minor_status, + const gss_buffer_t value, + int *flag) +{ + if (value->value == NULL || value->length != 1) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + *flag = *((const char *)value->value) != 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +_gsskrb5_set_sec_context_option + (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID desired_object, + const gss_buffer_t value) +{ + OM_uint32 maj_stat; + + GSSAPI_KRB5_INIT (); + + if (value == GSS_C_NO_BUFFER) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) { + gsskrb5_ctx ctx; + int flag; + + if (*context_handle == GSS_C_NO_CONTEXT) { + *minor_status = EINVAL; + return GSS_S_NO_CONTEXT; + } + + maj_stat = get_bool(minor_status, value, &flag); + if (maj_stat != GSS_S_COMPLETE) + return maj_stat; + + ctx = (gsskrb5_ctx)*context_handle; + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + if (flag) + ctx->more_flags |= COMPAT_OLD_DES3; + else + ctx->more_flags &= ~COMPAT_OLD_DES3; + ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + return GSS_S_COMPLETE; + } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DNS_CANONICALIZE_X)) { + int flag; + + maj_stat = get_bool(minor_status, value, &flag); + if (maj_stat != GSS_S_COMPLETE) + return maj_stat; + + krb5_set_dns_canonicalize_hostname(_gsskrb5_context, flag); + return GSS_S_COMPLETE; + + } else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) { + char *str; + + if (value == NULL || value->length == 0) { + str = NULL; + } else { + str = malloc(value->length + 1); + if (str) { + *minor_status = 0; + return GSS_S_UNAVAILABLE; + } + memcpy(str, value->value, value->length); + str[value->length] = '\0'; + } + + _gsskrb5_register_acceptor_identity(str); + free(str); + + *minor_status = 0; + return GSS_S_COMPLETE; + + } else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) { + + if (value == NULL || value->length == 0) { + krb5_set_send_to_kdc_func(_gsskrb5_context, NULL, NULL); + } else { + struct gsskrb5_send_to_kdc c; + + if (value->length != sizeof(c)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + memcpy(&c, value->value, sizeof(c)); + krb5_set_send_to_kdc_func(_gsskrb5_context, + (krb5_send_to_kdc_func)c.func, + c.ptr); + } + + *minor_status = 0; + return GSS_S_COMPLETE; + } + + + *minor_status = EINVAL; + return GSS_S_FAILURE; +} diff --git a/source4/heimdal/lib/gssapi/test_oid_set_member.c b/source4/heimdal/lib/gssapi/krb5/test_oid_set_member.c index e747c5acc1..5a0ac4418f 100644 --- a/source4/heimdal/lib/gssapi/test_oid_set_member.c +++ b/source4/heimdal/lib/gssapi/krb5/test_oid_set_member.c @@ -31,25 +31,25 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: test_oid_set_member.c,v 1.5 2003/03/16 17:54:06 lha Exp $"); +RCSID("$Id: test_oid_set_member.c,v 1.7 2006/10/07 22:15:50 lha Exp $"); -OM_uint32 gss_test_oid_set_member ( - OM_uint32 * minor_status, +OM_uint32 _gsskrb5_test_oid_set_member + (OM_uint32 * minor_status, const gss_OID member, const gss_OID_set set, int * present ) { - size_t i; + size_t i; - *minor_status = 0; - *present = 0; - for (i = 0; i < set->count; ++i) - if (gss_oid_equal(member, &set->elements[i]) != 0) { - *present = 1; - break; - } - return GSS_S_COMPLETE; + *minor_status = 0; + *present = 0; + for (i = 0; i < set->count; ++i) + if (gss_oid_equal(member, &set->elements[i]) != 0) { + *present = 1; + break; + } + return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index c358c1aa24..758390080c 100644 --- a/source4/heimdal/lib/gssapi/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -31,14 +31,14 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: unwrap.c,v 1.34 2005/04/27 17:50:40 lha Exp $"); +RCSID("$Id: unwrap.c,v 1.38 2006/10/18 15:59:28 lha Exp $"); static OM_uint32 unwrap_des (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int * conf_state, @@ -54,14 +54,14 @@ unwrap_des DES_cblock deskey; DES_cblock zero; int i; - int32_t seq_number; + uint32_t seq_number; size_t padlength; OM_uint32 ret; int cstate; int cmp; p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, + ret = _gsskrb5_verify_header (&p, input_message_buffer->length, "\x02\x01", GSS_KRB5_MECHANISM); @@ -138,7 +138,7 @@ unwrap_des memset (&schedule, 0, sizeof(schedule)); seq = p; - gssapi_decode_om_uint32(seq, &seq_number); + _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); @@ -174,7 +174,7 @@ unwrap_des static OM_uint32 unwrap_des3 (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int * conf_state, @@ -187,7 +187,7 @@ unwrap_des3 u_char *seq; krb5_data seq_data; u_char cksum[20]; - int32_t seq_number; + uint32_t seq_number; size_t padlength; OM_uint32 ret; int cstate; @@ -196,7 +196,7 @@ unwrap_des3 int cmp; p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, + ret = _gsskrb5_verify_header (&p, input_message_buffer->length, "\x02\x01", GSS_KRB5_MECHANISM); @@ -226,18 +226,18 @@ unwrap_des3 /* decrypt data */ krb5_data tmp; - ret = krb5_crypto_init(gssapi_krb5_context, key, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, + ret = krb5_decrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL, p, input_message_buffer->length - len, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } @@ -259,10 +259,10 @@ unwrap_des3 p -= 28; - ret = krb5_crypto_init(gssapi_krb5_context, key, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return GSS_S_FAILURE; @@ -271,15 +271,15 @@ unwrap_des3 DES_cblock ivec; memcpy(&ivec, p + 8, 8); - ret = krb5_decrypt_ivec (gssapi_krb5_context, + ret = krb5_decrypt_ivec (_gsskrb5_context, crypto, KRB5_KU_USAGE_SEQ, p, 8, &seq_data, &ivec); } - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return GSS_S_FAILURE; @@ -292,7 +292,7 @@ unwrap_des3 } seq = seq_data.data; - gssapi_decode_om_uint32(seq, &seq_number); + _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); @@ -325,21 +325,21 @@ unwrap_des3 csum.checksum.length = 20; csum.checksum.data = cksum; - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, + ret = krb5_verify_checksum (_gsskrb5_context, crypto, KRB5_KU_USAGE_SIGN, p + 20, input_message_buffer->length - len + 8, &csum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } @@ -357,7 +357,7 @@ unwrap_des3 return GSS_S_COMPLETE; } -OM_uint32 gss_unwrap +OM_uint32 _gsskrb5_unwrap (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, const gss_buffer_t input_message_buffer, @@ -369,45 +369,48 @@ OM_uint32 gss_unwrap krb5_keyblock *key; OM_uint32 ret; krb5_keytype keytype; + gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; output_message_buffer->value = NULL; output_message_buffer->length = 0; if (qop_state != NULL) *qop_state = GSS_C_QOP_DEFAULT; - ret = gss_krb5_get_subkey(context_handle, &key); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(ctx, &key); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); *minor_status = 0; switch (keytype) { case KEYTYPE_DES : - ret = unwrap_des (minor_status, context_handle, + ret = unwrap_des (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); break; case KEYTYPE_DES3 : - ret = unwrap_des3 (minor_status, context_handle, + ret = unwrap_des3 (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: - ret = _gssapi_unwrap_arcfour (minor_status, context_handle, + ret = _gssapi_unwrap_arcfour (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); break; default : - ret = _gssapi_unwrap_cfx (minor_status, context_handle, + ret = _gssapi_unwrap_cfx (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); return ret; } diff --git a/source4/heimdal/lib/gssapi/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index 7b7d437e99..920937cafc 100644 --- a/source4/heimdal/lib/gssapi/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -31,14 +31,14 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: verify_mic.c,v 1.32 2005/04/27 17:51:04 lha Exp $"); +RCSID("$Id: verify_mic.c,v 1.36 2006/10/18 15:59:30 lha Exp $"); static OM_uint32 verify_mic_des (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, @@ -52,12 +52,12 @@ verify_mic_des DES_key_schedule schedule; DES_cblock zero; DES_cblock deskey; - int32_t seq_number; + uint32_t seq_number; OM_uint32 ret; int cmp; p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, + ret = _gsskrb5_verify_header (&p, token_buffer->length, type, GSS_KRB5_MECHANISM); @@ -104,7 +104,7 @@ verify_mic_des memset (&schedule, 0, sizeof(schedule)); seq = p; - gssapi_decode_om_uint32(seq, &seq_number); + _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); @@ -130,7 +130,7 @@ verify_mic_des static OM_uint32 verify_mic_des3 (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, @@ -140,7 +140,7 @@ verify_mic_des3 { u_char *p; u_char *seq; - int32_t seq_number; + uint32_t seq_number; OM_uint32 ret; krb5_crypto crypto; krb5_data seq_data; @@ -150,7 +150,7 @@ verify_mic_des3 char ivec[8]; p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, + ret = _gsskrb5_verify_header (&p, token_buffer->length, type, GSS_KRB5_MECHANISM); @@ -164,10 +164,10 @@ verify_mic_des3 return GSS_S_BAD_MIC; p += 4; - ret = krb5_crypto_init(gssapi_krb5_context, key, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret){ - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } @@ -180,14 +180,14 @@ retry: else memcpy(ivec, p + 8, 8); - ret = krb5_decrypt_ivec (gssapi_krb5_context, + ret = krb5_decrypt_ivec (_gsskrb5_context, crypto, KRB5_KU_USAGE_SEQ, p, 8, &seq_data, ivec); if (ret) { if (docompat++) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + _gsskrb5_set_error_string (); + krb5_crypto_destroy (_gsskrb5_context, crypto); *minor_status = ret; return GSS_S_FAILURE; } else @@ -197,7 +197,7 @@ retry: if (seq_data.length != 8) { krb5_data_free (&seq_data); if (docompat++) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); return GSS_S_BAD_MIC; } else goto retry; @@ -206,7 +206,7 @@ retry: HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); seq = seq_data.data; - gssapi_decode_om_uint32(seq, &seq_number); + _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); @@ -215,7 +215,7 @@ retry: krb5_data_free (&seq_data); if (cmp != 0) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); *minor_status = 0; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return GSS_S_BAD_MIC; @@ -223,7 +223,7 @@ retry: ret = _gssapi_msg_order_check(context_handle->order, seq_number); if (ret) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); *minor_status = 0; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return ret; @@ -233,7 +233,7 @@ retry: tmp = malloc (message_buffer->length + 8); if (tmp == NULL) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); *minor_status = ENOMEM; return GSS_S_FAILURE; @@ -246,28 +246,28 @@ retry: csum.checksum.length = 20; csum.checksum.data = p + 8; - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, + ret = krb5_verify_checksum (_gsskrb5_context, crypto, KRB5_KU_USAGE_SIGN, tmp, message_buffer->length + 8, &csum); free (tmp); if (ret) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + _gsskrb5_set_error_string (); + krb5_crypto_destroy (_gsskrb5_context, crypto); *minor_status = ret; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); return GSS_S_BAD_MIC; } HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); return GSS_S_COMPLETE; } OM_uint32 -gss_verify_mic_internal +_gsskrb5_verify_mic_internal (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx context_handle, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, @@ -278,14 +278,16 @@ gss_verify_mic_internal OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_get_subkey(context_handle, &key); + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(context_handle, &key); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } *minor_status = 0; - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : ret = verify_mic_des (minor_status, context_handle, @@ -309,13 +311,13 @@ gss_verify_mic_internal key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); return ret; } OM_uint32 -gss_verify_mic +_gsskrb5_verify_mic (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, const gss_buffer_t message_buffer, @@ -328,9 +330,10 @@ gss_verify_mic if (qop_state != NULL) *qop_state = GSS_C_QOP_DEFAULT; - ret = gss_verify_mic_internal(minor_status, context_handle, - message_buffer, token_buffer, - qop_state, "\x01\x01"); + ret = _gsskrb5_verify_mic_internal(minor_status, + (gsskrb5_ctx)context_handle, + message_buffer, token_buffer, + qop_state, "\x01\x01"); return ret; } diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index 7072ca2754..8514137999 100644 --- a/source4/heimdal/lib/gssapi/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,110 +31,84 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" +#include "krb5/gsskrb5_locl.h" -RCSID("$Id: wrap.c,v 1.33 2006/05/05 10:27:36 lha Exp $"); +RCSID("$Id: wrap.c,v 1.37 2006/10/18 15:59:33 lha Exp $"); -OM_uint32 -gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t key) +/* + * Return initiator subkey, or if that doesn't exists, the subkey. + */ + +krb5_error_code +_gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx, krb5_keyblock **key) { krb5_error_code ret; - krb5_keyblock *skey = NULL; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->more_flags & LOCAL) { - ret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if (ret) { - *minor_status = ret; - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - } - + *key = NULL; + + if (ctx->more_flags & LOCAL) { + ret = krb5_auth_con_getlocalsubkey(_gsskrb5_context, + ctx->auth_context, + key); } else { - ret = krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if (ret) { - *minor_status = ret; - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - } - + ret = krb5_auth_con_getremotesubkey(_gsskrb5_context, + ctx->auth_context, + key); } - - /* If there was no subkey, perhaps try this... */ - if(skey == NULL) { - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); + if (*key == NULL) + ret = krb5_auth_con_getkey(_gsskrb5_context, + ctx->auth_context, + key); + if (*key == NULL) { + _gsskrb5_set_status("No initiator subkey available"); + return GSS_KRB5_S_KG_NO_SUBKEY; } + return ret; +} - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); +krb5_error_code +_gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx, krb5_keyblock **key) +{ + krb5_error_code ret; + *key = NULL; - /* ensure never to segfault */ - if(skey == NULL) { - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ + if (ctx->more_flags & LOCAL) { + ret = krb5_auth_con_getremotesubkey(_gsskrb5_context, + ctx->auth_context, + key); + } else { + ret = krb5_auth_con_getlocalsubkey(_gsskrb5_context, + ctx->auth_context, + key); } - - key->length = skey->keyvalue.length; - key->value = malloc (key->length); - if (!key->value) { - krb5_free_keyblock(gssapi_krb5_context, skey); - *minor_status = ENOMEM; - return GSS_S_FAILURE; + if (*key == NULL) { + _gsskrb5_set_status("No acceptor subkey available"); + return GSS_KRB5_S_KG_NO_SUBKEY; } - memcpy(key->value, skey->keyvalue.data, key->length); - krb5_free_keyblock(gssapi_krb5_context, skey); - return 0; + return ret; } OM_uint32 -gss_krb5_get_subkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) +_gsskrb5i_get_token_key(const gsskrb5_ctx ctx, krb5_keyblock **key) { - krb5_keyblock *skey = NULL; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->more_flags & LOCAL) { - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } else { - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); + _gsskrb5i_get_acceptor_subkey(ctx, key); + if(*key == NULL) { + /* + * Only use the initiator subkey or ticket session key if an + * acceptor subkey was not required. + */ + if ((ctx->more_flags & ACCEPTOR_SUBKEY) == 0) + _gsskrb5i_get_initiator_subkey(ctx, key); } - /* - * Only use the initiator subkey or ticket session key if - * an acceptor subkey was not required. - */ - if (skey == NULL && - (context_handle->more_flags & ACCEPTOR_SUBKEY) == 0) { - if (context_handle->more_flags & LOCAL) { - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } else { - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); + if (*key == NULL) { + _gsskrb5_set_status("No token key available"); + return GSS_KRB5_S_KG_NO_SUBKEY; } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if(skey == NULL) - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - *key = skey; + _gsskrb5_clear_status(); return 0; } static OM_uint32 -sub_wrap_size_limit ( +sub_wrap_size ( OM_uint32 req_output_size, OM_uint32 * max_input_size, int blocksize, @@ -145,7 +119,7 @@ sub_wrap_size_limit ( len = 8 + req_output_size + blocksize + extrasize; - gssapi_krb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); total_len -= req_output_size; /* token length */ if (total_len < req_output_size) { @@ -158,7 +132,7 @@ sub_wrap_size_limit ( } OM_uint32 -gss_wrap_size_limit ( +_gsskrb5_wrap_size_limit ( OM_uint32 * minor_status, const gss_ctx_id_t context_handle, int conf_req_flag, @@ -170,118 +144,38 @@ gss_wrap_size_limit ( krb5_keyblock *key; OM_uint32 ret; krb5_keytype keytype; - OM_uint32 output_size; - OM_uint32 blocksize; + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; - ret = gss_krb5_get_subkey(context_handle, &key); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(ctx, &key); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : - ret = sub_wrap_size_limit(req_output_size, max_input_size, 8, 22); - break; - case KEYTYPE_DES3 : - ret = sub_wrap_size_limit(req_output_size, max_input_size, 8, 34); + ret = sub_wrap_size(req_output_size, max_input_size, 8, 22); break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: - ret = _gssapi_wrap_size_arcfour(minor_status, context_handle, + ret = _gssapi_wrap_size_arcfour(minor_status, ctx, conf_req_flag, qop_req, - req_output_size, &output_size, - &blocksize, key); - - if (output_size > req_output_size) { - *max_input_size = req_output_size - (output_size - req_output_size); - (*max_input_size) &= (~(OM_uint32)(blocksize - 1)); - } else { - *max_input_size = 0; - } - break; - default : - ret = _gssapi_wrap_size_cfx(minor_status, context_handle, - conf_req_flag, qop_req, - req_output_size, &output_size, - &blocksize, key); - if (output_size > req_output_size) { - *max_input_size = req_output_size - (output_size - req_output_size); - (*max_input_size) &= (~(OM_uint32)(blocksize - 1)); - } else { - *max_input_size = 0; - } - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - *minor_status = 0; - return ret; -} - -static OM_uint32 -sub_wrap_size ( - OM_uint32 req_input_size, - OM_uint32 * output_size, - int blocksize, - int extrasize - ) -{ - size_t len, total_len, padlength, datalen; - - padlength = blocksize - (req_input_size % blocksize); - datalen = req_input_size + padlength + 8; - len = datalen + extrasize; - gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); - - *output_size = total_len; - - return GSS_S_COMPLETE; -} - -OM_uint32 -gsskrb5_wrap_size ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_input_size, - OM_uint32 * output_size - ) -{ - krb5_keyblock *key; - OM_uint32 ret, padlen; - krb5_keytype keytype; - - ret = gss_krb5_get_subkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - ret = sub_wrap_size(req_input_size, output_size, 8, 22); + req_output_size, max_input_size, key); break; case KEYTYPE_DES3 : - ret = sub_wrap_size(req_input_size, output_size, 8, 34); - break; - case KEYTYPE_ARCFOUR: - case KEYTYPE_ARCFOUR_56: - ret = _gssapi_wrap_size_arcfour(minor_status, context_handle, - conf_req_flag, qop_req, - req_input_size, output_size, &padlen, key); + ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); break; default : - ret = _gssapi_wrap_size_cfx(minor_status, context_handle, + ret = _gssapi_wrap_size_cfx(minor_status, ctx, conf_req_flag, qop_req, - req_input_size, output_size, &padlen, key); + req_output_size, max_input_size, key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); *minor_status = 0; return ret; } @@ -289,7 +183,7 @@ gsskrb5_wrap_size ( static OM_uint32 wrap_des (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx ctx, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, @@ -311,7 +205,7 @@ wrap_des padlength = 8 - (input_message_buffer->length % 8); datalen = input_message_buffer->length + padlength + 8; len = datalen + 22; - gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); output_message_buffer->length = total_len; output_message_buffer->value = malloc (total_len); @@ -321,7 +215,7 @@ wrap_des return GSS_S_FAILURE; } - p = gssapi_krb5_make_header(output_message_buffer->value, + p = _gsskrb5_make_header(output_message_buffer->value, len, "\x02\x01", /* TOK_ID */ GSS_KRB5_MECHANISM); @@ -363,9 +257,9 @@ wrap_des memcpy (p - 8, hash, 8); /* sequence number */ - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); p -= 16; @@ -374,17 +268,17 @@ wrap_des p[2] = (seq_number >> 16) & 0xFF; p[3] = (seq_number >> 24) & 0xFF; memset (p + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, + (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); DES_set_key (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* encrypt the data */ p += 16; @@ -415,7 +309,7 @@ wrap_des static OM_uint32 wrap_des3 (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, + const gsskrb5_ctx ctx, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, @@ -436,7 +330,7 @@ wrap_des3 padlength = 8 - (input_message_buffer->length % 8); datalen = input_message_buffer->length + padlength + 8; len = datalen + 34; - gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); + _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); output_message_buffer->length = total_len; output_message_buffer->value = malloc (total_len); @@ -446,7 +340,7 @@ wrap_des3 return GSS_S_FAILURE; } - p = gssapi_krb5_make_header(output_message_buffer->value, + p = _gsskrb5_make_header(output_message_buffer->value, len, "\x02\x01", /* TOK_ID */ GSS_KRB5_MECHANISM); @@ -472,9 +366,9 @@ wrap_des3 input_message_buffer->length); memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength); - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; @@ -482,16 +376,16 @@ wrap_des3 return GSS_S_FAILURE; } - ret = krb5_create_checksum (gssapi_krb5_context, + ret = krb5_create_checksum (_gsskrb5_context, crypto, KRB5_KU_USAGE_SIGN, 0, p + 20, datalen + 8, &cksum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; @@ -505,10 +399,10 @@ wrap_des3 memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); free_Checksum (&cksum); - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_getlocalseqnumber (_gsskrb5_context, + ctx->auth_context, &seq_number); seq[0] = (seq_number >> 0) & 0xFF; @@ -516,11 +410,11 @@ wrap_des3 seq[2] = (seq_number >> 16) & 0xFF; seq[3] = (seq_number >> 24) & 0xFF; memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, + (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - ret = krb5_crypto_init(gssapi_krb5_context, key, ETYPE_DES3_CBC_NONE, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret) { free (output_message_buffer->value); @@ -534,15 +428,15 @@ wrap_des3 DES_cblock ivec; memcpy (&ivec, p + 8, 8); - ret = krb5_encrypt_ivec (gssapi_krb5_context, + ret = krb5_encrypt_ivec (_gsskrb5_context, crypto, KRB5_KU_USAGE_SEQ, seq, 8, &encdata, &ivec); } - krb5_crypto_destroy (gssapi_krb5_context, crypto); + krb5_crypto_destroy (_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; @@ -555,10 +449,10 @@ wrap_des3 memcpy (p, encdata.data, encdata.length); krb5_data_free (&encdata); - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, + krb5_auth_con_setlocalseqnumber (_gsskrb5_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* encrypt the data */ p += 28; @@ -566,21 +460,21 @@ wrap_des3 if(conf_req_flag) { krb5_data tmp; - ret = krb5_crypto_init(gssapi_krb5_context, key, + ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE, &crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; *minor_status = ret; return GSS_S_FAILURE; } - ret = krb5_encrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, + ret = krb5_encrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL, p, datalen, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); + krb5_crypto_destroy(_gsskrb5_context, crypto); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); free (output_message_buffer->value); output_message_buffer->length = 0; output_message_buffer->value = NULL; @@ -598,7 +492,7 @@ wrap_des3 return GSS_S_COMPLETE; } -OM_uint32 gss_wrap +OM_uint32 _gsskrb5_wrap (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, int conf_req_flag, @@ -611,38 +505,41 @@ OM_uint32 gss_wrap krb5_keyblock *key; OM_uint32 ret; krb5_keytype keytype; + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; - ret = gss_krb5_get_subkey(context_handle, &key); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(ctx, &key); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); if (ret) { - gssapi_krb5_set_error_string (); + _gsskrb5_set_error_string (); *minor_status = ret; return GSS_S_FAILURE; } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : - ret = wrap_des (minor_status, context_handle, conf_req_flag, + ret = wrap_des (minor_status, ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); break; case KEYTYPE_DES3 : - ret = wrap_des3 (minor_status, context_handle, conf_req_flag, + ret = wrap_des3 (minor_status, ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: - ret = _gssapi_wrap_arcfour (minor_status, context_handle, conf_req_flag, + ret = _gssapi_wrap_arcfour (minor_status, ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); break; default : - ret = _gssapi_wrap_cfx (minor_status, context_handle, conf_req_flag, + ret = _gssapi_wrap_cfx (minor_status, ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); break; } - krb5_free_keyblock (gssapi_krb5_context, key); + krb5_free_keyblock (_gsskrb5_context, key); return ret; } diff --git a/source4/heimdal/lib/gssapi/mech/context.h b/source4/heimdal/lib/gssapi/mech/context.h new file mode 100644 index 0000000000..7a215dd7d8 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/context.h @@ -0,0 +1,35 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/context.h,v 1.1 2005/12/29 14:40:20 dfr Exp $ + * $Id: context.h,v 1.2 2006/06/28 09:00:25 lha Exp $ + */ + +#include <gssapi_mech.h> + +struct _gss_context { + gssapi_mech_interface gc_mech; + gss_ctx_id_t gc_ctx; +}; diff --git a/source4/heimdal/lib/gssapi/mech/cred.h b/source4/heimdal/lib/gssapi/mech/cred.h new file mode 100644 index 0000000000..df89e79727 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/cred.h @@ -0,0 +1,42 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/cred.h,v 1.1 2005/12/29 14:40:20 dfr Exp $ + * $Id: cred.h,v 1.3 2006/10/05 18:26:54 lha Exp $ + */ + +struct _gss_mechanism_cred { + SLIST_ENTRY(_gss_mechanism_cred) gmc_link; + gssapi_mech_interface gmc_mech; /* mechanism ops for MC */ + gss_OID gmc_mech_oid; /* mechanism oid for MC */ + gss_cred_id_t gmc_cred; /* underlying MC */ +}; +SLIST_HEAD(_gss_mechanism_cred_list, _gss_mechanism_cred); + +struct _gss_cred { + gss_cred_usage_t gc_usage; + struct _gss_mechanism_cred_list gc_mc; +}; + diff --git a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c new file mode 100644 index 0000000000..4d634bf20f --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c @@ -0,0 +1,223 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_accept_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_accept_sec_context.c,v 1.6 2006/10/25 00:45:12 lha Exp $"); + +OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t *src_name, + gss_OID *mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + gss_cred_id_t *delegated_cred_handle) +{ + OM_uint32 major_status, mech_ret_flags; + gssapi_mech_interface m; + struct _gss_context *ctx = (struct _gss_context *) *context_handle; + struct _gss_cred *cred = (struct _gss_cred *) acceptor_cred_handle; + struct _gss_mechanism_cred *mc; + gss_cred_id_t acceptor_mc, delegated_mc; + gss_name_t src_mn; + int allocated_ctx; + + *minor_status = 0; + if (src_name) *src_name = 0; + if (mech_type) *mech_type = 0; + if (ret_flags) *ret_flags = 0; + if (time_rec) *time_rec = 0; + if (delegated_cred_handle) *delegated_cred_handle = 0; + output_token->length = 0; + output_token->value = 0; + + /* + * If this is the first call (*context_handle is NULL), we must + * parse the input token to figure out the mechanism to use. + */ + if (*context_handle == GSS_C_NO_CONTEXT) { + unsigned char *p = input_token->value; + size_t len = input_token->length; + size_t a, b; + gss_OID_desc mech_oid; + + /* + * Token must start with [APPLICATION 0] SEQUENCE. + * But if it doesn't assume its DCE-STYLE Kerberos! + */ + if (len == 0) + return (GSS_S_DEFECTIVE_TOKEN); + if (*p != 0x60) { + mech_oid = *GSS_KRB5_MECHANISM; + } else { + p++; + len--; + + /* + * Decode the length and make sure it agrees with the + * token length. + */ + if (len == 0) + return (GSS_S_DEFECTIVE_TOKEN); + if ((*p & 0x80) == 0) { + a = *p; + p++; + len--; + } else { + b = *p & 0x7f; + p++; + len--; + if (len < b) + return (GSS_S_DEFECTIVE_TOKEN); + a = 0; + while (b) { + a = (a << 8) | *p; + p++; + len--; + b--; + } + } + if (a != len) + return (GSS_S_DEFECTIVE_TOKEN); + + /* + * Decode the OID for the mechanism. Simplify life by + * assuming that the OID length is less than 128 bytes. + */ + if (len < 2 || *p != 0x06) + return (GSS_S_DEFECTIVE_TOKEN); + if ((p[1] & 0x80) || p[1] > (len - 2)) + return (GSS_S_DEFECTIVE_TOKEN); + mech_oid.length = p[1]; + p += 2; + len -= 2; + mech_oid.elements = p; + } + /* + * Now that we have a mechanism, we can find the + * implementation. + */ + ctx = malloc(sizeof(struct _gss_context)); + if (!ctx) { + *minor_status = ENOMEM; + return (GSS_S_DEFECTIVE_TOKEN); + } + memset(ctx, 0, sizeof(struct _gss_context)); + m = ctx->gc_mech = __gss_get_mechanism(&mech_oid); + if (!m) { + free(ctx); + return (GSS_S_BAD_MECH); + } + allocated_ctx = 1; + } else { + m = ctx->gc_mech; + allocated_ctx = 0; + } + + if (cred) { + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) + if (mc->gmc_mech == m) + break; + if (!mc) + return (GSS_S_BAD_MECH); + acceptor_mc = mc->gmc_cred; + } else { + acceptor_mc = GSS_C_NO_CREDENTIAL; + } + delegated_mc = GSS_C_NO_CREDENTIAL; + + mech_ret_flags = 0; + major_status = m->gm_accept_sec_context(minor_status, + &ctx->gc_ctx, + acceptor_mc, + input_token, + input_chan_bindings, + &src_mn, + mech_type, + output_token, + &mech_ret_flags, + time_rec, + &delegated_mc); + if (major_status != GSS_S_COMPLETE && + major_status != GSS_S_CONTINUE_NEEDED) + return (major_status); + + if (!src_name) { + m->gm_release_name(minor_status, &src_mn); + } else { + /* + * Make a new name and mark it as an MN. + */ + struct _gss_name *name = _gss_make_name(m, src_mn); + + if (!name) { + m->gm_release_name(minor_status, &src_mn); + return (GSS_S_FAILURE); + } + *src_name = (gss_name_t) name; + } + + if (mech_ret_flags & GSS_C_DELEG_FLAG) { + if (!delegated_cred_handle) { + m->gm_release_cred(minor_status, &delegated_mc); + *ret_flags &= ~GSS_C_DELEG_FLAG; + } else { + struct _gss_cred *dcred; + struct _gss_mechanism_cred *dmc; + + dcred = malloc(sizeof(struct _gss_cred)); + if (!dcred) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + SLIST_INIT(&dcred->gc_mc); + dmc = malloc(sizeof(struct _gss_mechanism_cred)); + if (!dmc) { + free(dcred); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + m->gm_inquire_cred(minor_status, delegated_mc, + 0, 0, &dcred->gc_usage, 0); + dmc->gmc_mech = m; + dmc->gmc_mech_oid = &m->gm_mech_oid; + dmc->gmc_cred = delegated_mc; + SLIST_INSERT_HEAD(&dcred->gc_mc, dmc, gmc_link); + + *delegated_cred_handle = (gss_cred_id_t) dcred; + } + } + + if (ret_flags) + *ret_flags = mech_ret_flags; + *context_handle = (gss_ctx_id_t) ctx; + return (major_status); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c new file mode 100644 index 0000000000..0b3554c0fa --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c @@ -0,0 +1,164 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_acquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_acquire_cred.c,v 1.4 2006/10/25 00:44:55 lha Exp $"); + +OM_uint32 +gss_acquire_cred(OM_uint32 *minor_status, + const gss_name_t desired_name, + OM_uint32 time_req, + const gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec) +{ + OM_uint32 major_status; + gss_OID_set mechs = desired_mechs; + gss_OID_set_desc set; + struct _gss_name *name = (struct _gss_name *) desired_name; + gssapi_mech_interface m; + struct _gss_cred *cred; + struct _gss_mechanism_cred *mc; + OM_uint32 min_time, cred_time; + int i; + + _gss_load_mech(); + + /* + * First make sure that at least one of the requested + * mechanisms is one that we support. + */ + if (mechs) { + for (i = 0; i < mechs->count; i++) { + int t; + gss_test_oid_set_member(minor_status, + &mechs->elements[i], _gss_mech_oids, &t); + if (t) + break; + } + if (i == mechs->count) { + *output_cred_handle = 0; + *minor_status = 0; + return (GSS_S_BAD_MECH); + } + } + + if (actual_mechs) { + major_status = gss_create_empty_oid_set(minor_status, + actual_mechs); + if (major_status) + return (major_status); + } + + cred = malloc(sizeof(struct _gss_cred)); + if (!cred) { + if (actual_mechs) + gss_release_oid_set(minor_status, actual_mechs); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + cred->gc_usage = cred_usage; + SLIST_INIT(&cred->gc_mc); + + if (mechs == GSS_C_NO_OID_SET) + mechs = _gss_mech_oids; + + set.count = 1; + min_time = GSS_C_INDEFINITE; + for (i = 0; i < mechs->count; i++) { + struct _gss_mechanism_name *mn = NULL; + + m = __gss_get_mechanism(&mechs->elements[i]); + if (!m) + continue; + + if (desired_name != GSS_C_NO_NAME) { + mn = _gss_find_mn(name, &mechs->elements[i]); + if (!mn) + continue; + } + + mc = malloc(sizeof(struct _gss_mechanism_cred)); + if (!mc) { + continue; + } + SLIST_INIT(&cred->gc_mc); + mc->gmc_mech = m; + mc->gmc_mech_oid = &m->gm_mech_oid; + + /* + * XXX Probably need to do something with actual_mechs. + */ + set.elements = &mechs->elements[i]; + major_status = m->gm_acquire_cred(minor_status, + (desired_name != GSS_C_NO_NAME + ? mn->gmn_name : GSS_C_NO_NAME), + time_req, &set, cred_usage, + &mc->gmc_cred, NULL, &cred_time); + if (major_status) { + free(mc); + continue; + } + if (cred_time < min_time) + min_time = cred_time; + + if (actual_mechs) { + major_status = gss_add_oid_set_member(minor_status, + mc->gmc_mech_oid, actual_mechs); + if (major_status) { + m->gm_release_cred(minor_status, + &mc->gmc_cred); + free(mc); + continue; + } + } + + SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link); + } + + /* + * If we didn't manage to create a single credential, return + * an error. + */ + if (!SLIST_FIRST(&cred->gc_mc)) { + free(cred); + if (actual_mechs) + gss_release_oid_set(minor_status, actual_mechs); + *output_cred_handle = 0; + *minor_status = 0; + return (GSS_S_NO_CRED); + } + + if (time_rec) + *time_rec = min_time; + *output_cred_handle = (gss_cred_id_t) cred; + *minor_status = 0; + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c new file mode 100644 index 0000000000..beffd54e29 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c @@ -0,0 +1,175 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_add_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_add_cred.c,v 1.3 2006/06/29 08:23:53 lha Exp $"); + +static struct _gss_mechanism_cred * +_gss_copy_cred(struct _gss_mechanism_cred *mc) +{ + struct _gss_mechanism_cred *new_mc; + gssapi_mech_interface m = mc->gmc_mech; + OM_uint32 major_status, minor_status; + gss_name_t name; + gss_cred_id_t cred; + OM_uint32 initiator_lifetime, acceptor_lifetime; + gss_cred_usage_t cred_usage; + + major_status = m->gm_inquire_cred_by_mech(&minor_status, + mc->gmc_cred, mc->gmc_mech_oid, + &name, &initiator_lifetime, &acceptor_lifetime, &cred_usage); + if (major_status) + return (0); + + major_status = m->gm_add_cred(&minor_status, + GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid, + cred_usage, initiator_lifetime, acceptor_lifetime, + &cred, 0, 0, 0); + m->gm_release_name(&minor_status, &name); + + if (major_status) + return (0); + + new_mc = malloc(sizeof(struct _gss_mechanism_cred)); + if (!new_mc) { + m->gm_release_cred(&minor_status, &cred); + return (0); + } + new_mc->gmc_mech = m; + new_mc->gmc_mech_oid = &m->gm_mech_oid; + new_mc->gmc_cred = cred; + + return (new_mc); +} + +OM_uint32 +gss_add_cred(OM_uint32 *minor_status, + const gss_cred_id_t input_cred_handle, + const gss_name_t desired_name, + const gss_OID desired_mech, + gss_cred_usage_t cred_usage, + OM_uint32 initiator_time_req, + OM_uint32 acceptor_time_req, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *initiator_time_rec, + OM_uint32 *acceptor_time_rec) +{ + OM_uint32 major_status; + gssapi_mech_interface m; + struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle; + struct _gss_cred *new_cred; + gss_cred_id_t release_cred; + struct _gss_mechanism_cred *mc, *target_mc, *copy_mc; + struct _gss_mechanism_name *mn; + OM_uint32 junk; + + *output_cred_handle = 0; + *minor_status = 0; + + new_cred = malloc(sizeof(struct _gss_cred)); + if (!new_cred) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + new_cred->gc_usage = cred_usage; + SLIST_INIT(&new_cred->gc_mc); + + /* + * We go through all the mc attached to the input_cred_handle + * and check the mechanism. If it matches, we call + * gss_add_cred for that mechanism, otherwise we copy the mc + * to new_cred. + */ + target_mc = 0; + if (cred) { + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + if (gss_oid_equal(mc->gmc_mech_oid, desired_mech)) { + target_mc = mc; + } + copy_mc = _gss_copy_cred(mc); + if (!copy_mc) { + release_cred = (gss_cred_id_t)new_cred; + gss_release_cred(&junk, &release_cred); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + SLIST_INSERT_HEAD(&new_cred->gc_mc, copy_mc, gmc_link); + } + } + + /* + * Figure out a suitable mn, if any. + */ + if (desired_name) { + mn = _gss_find_mn((struct _gss_name *) desired_name, + desired_mech); + if (!mn) { + free(new_cred); + return (GSS_S_BAD_NAME); + } + } else { + mn = 0; + } + + m = __gss_get_mechanism(desired_mech); + + mc = malloc(sizeof(struct _gss_mechanism_cred)); + if (!mc) { + release_cred = (gss_cred_id_t)new_cred; + gss_release_cred(&junk, &release_cred); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + mc->gmc_mech = m; + mc->gmc_mech_oid = &m->gm_mech_oid; + + major_status = m->gm_add_cred(minor_status, + target_mc ? target_mc->gmc_cred : GSS_C_NO_CREDENTIAL, + desired_name ? mn->gmn_name : GSS_C_NO_NAME, + desired_mech, + cred_usage, + initiator_time_req, + acceptor_time_req, + &mc->gmc_cred, + actual_mechs, + initiator_time_rec, + acceptor_time_rec); + + if (major_status) { + release_cred = (gss_cred_id_t)new_cred; + gss_release_cred(&junk, &release_cred); + free(mc); + return (major_status); + } + SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link); + *output_cred_handle = (gss_cred_id_t) new_cred; + + return (GSS_S_COMPLETE); +} + diff --git a/source4/heimdal/lib/gssapi/ccache_name.c b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c index 3bebb83c1f..5806cec009 100755..100644 --- a/source4/heimdal/lib/gssapi/ccache_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,50 +31,37 @@ * SUCH DAMAGE. */ -#include "gssapi_locl.h" - -RCSID("$Id: ccache_name.c,v 1.2 2005/06/16 20:38:49 lha Exp $"); - -char *last_out_name; +#include "mech_locl.h" +RCSID("$Id: gss_add_oid_set_member.c,v 1.3 2006/10/22 09:36:13 lha Exp $"); OM_uint32 -gss_krb5_ccache_name(OM_uint32 *minor_status, - const char *name, - const char **out_name) +gss_add_oid_set_member (OM_uint32 * minor_status, + const gss_OID member_oid, + gss_OID_set * oid_set) { - krb5_error_code kret; - - *minor_status = 0; + gss_OID tmp; + size_t n; + OM_uint32 res; + int present; - GSSAPI_KRB5_INIT(); + res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present); + if (res != GSS_S_COMPLETE) + return res; - if (out_name) { - const char *n; - - if (last_out_name) { - free(last_out_name); - last_out_name = NULL; - } - - n = krb5_cc_default_name(gssapi_krb5_context); - if (n == NULL) { - *minor_status = ENOMEM; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - last_out_name = strdup(n); - if (last_out_name == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - *out_name = last_out_name; + if (present) { + *minor_status = 0; + return GSS_S_COMPLETE; } - kret = krb5_cc_set_default_name(gssapi_krb5_context, name); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); + n = (*oid_set)->count + 1; + tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc)); + if (tmp == NULL) { + *minor_status = ENOMEM; return GSS_S_FAILURE; } + (*oid_set)->elements = tmp; + (*oid_set)->count = n; + (*oid_set)->elements[n-1] = *member_oid; + *minor_status = 0; return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c new file mode 100644 index 0000000000..9e9bd5e790 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c @@ -0,0 +1,125 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_buffer_set.c,v 1.2 2006/10/24 21:53:02 lha Exp $"); + +OM_uint32 +gss_create_empty_buffer_set + (OM_uint32 * minor_status, + gss_buffer_set_t *buffer_set) +{ + gss_buffer_set_t set; + + set = (gss_buffer_set_desc *) malloc(sizeof(*set)); + if (set == GSS_C_NO_BUFFER_SET) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + set->count = 0; + set->elements = NULL; + + *buffer_set = set; + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gss_add_buffer_set_member + (OM_uint32 * minor_status, + const gss_buffer_t member_buffer, + gss_buffer_set_t *buffer_set) +{ + gss_buffer_set_t set; + gss_buffer_t p; + OM_uint32 ret; + + if (*buffer_set == GSS_C_NO_BUFFER_SET) { + ret = gss_create_empty_buffer_set(minor_status, + buffer_set); + if (ret) { + return ret; + } + } + + set = *buffer_set; + set->elements = realloc(set->elements, + (set->count + 1) * sizeof(set->elements[0])); + if (set->elements == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + p = &set->elements[set->count]; + + p->value = malloc(member_buffer->length); + if (p->value == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + memcpy(p->value, member_buffer->value, member_buffer->length); + p->length = member_buffer->length; + + set->count++; + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gss_release_buffer_set(OM_uint32 * minor_status, + gss_buffer_set_t *buffer_set) +{ + int i; + OM_uint32 minor; + + *minor_status = 0; + + if (*buffer_set == GSS_C_NO_BUFFER_SET) + return GSS_S_COMPLETE; + + for (i = 0; i < (*buffer_set)->count; i++) + gss_release_buffer(&minor, &((*buffer_set)->elements[i])); + + free((*buffer_set)->elements); + + (*buffer_set)->elements = NULL; + (*buffer_set)->count = 0; + + free(*buffer_set); + *buffer_set = GSS_C_NO_BUFFER_SET; + + return GSS_S_COMPLETE; +} + diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c new file mode 100644 index 0000000000..38a464be46 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c @@ -0,0 +1,87 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_canonicalize_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_canonicalize_name.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_canonicalize_name(OM_uint32 *minor_status, + const gss_name_t input_name, + const gss_OID mech_type, + gss_name_t *output_name) +{ + OM_uint32 major_status; + struct _gss_name *name = (struct _gss_name *) input_name; + struct _gss_mechanism_name *mn; + gssapi_mech_interface m = __gss_get_mechanism(mech_type); + gss_name_t new_canonical_name; + + *minor_status = 0; + *output_name = 0; + + mn = _gss_find_mn(name, mech_type); + if (!mn) { + return (GSS_S_BAD_MECH); + } + + m = mn->gmn_mech; + major_status = m->gm_canonicalize_name(minor_status, + mn->gmn_name, mech_type, &new_canonical_name); + if (major_status) + return (major_status); + + /* + * Now we make a new name and mark it as an MN. + */ + *minor_status = 0; + name = malloc(sizeof(struct _gss_name)); + if (!name) { + m->gm_release_name(minor_status, &new_canonical_name); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + memset(name, 0, sizeof(struct _gss_name)); + + mn = malloc(sizeof(struct _gss_mechanism_name)); + if (!mn) { + m->gm_release_name(minor_status, &new_canonical_name); + free(name); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + + SLIST_INIT(&name->gn_mn); + mn->gmn_mech = m; + mn->gmn_mech_oid = &m->gm_mech_oid; + mn->gmn_name = new_canonical_name; + SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); + + *output_name = (gss_name_t) name; + + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c new file mode 100644 index 0000000000..1068bfabf6 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c @@ -0,0 +1,74 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_compare_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_compare_name.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_compare_name(OM_uint32 *minor_status, + const gss_name_t name1_arg, + const gss_name_t name2_arg, + int *name_equal) +{ + struct _gss_name *name1 = (struct _gss_name *) name1_arg; + struct _gss_name *name2 = (struct _gss_name *) name2_arg; + + /* + * First check the implementation-independant name if both + * names have one. Otherwise, try to find common mechanism + * names and compare them. + */ + if (name1->gn_value.value && name2->gn_value.value) { + *name_equal = 1; + if (!gss_oid_equal(&name1->gn_type, &name2->gn_type)) { + *name_equal = 0; + } else if (name1->gn_value.length != name2->gn_value.length || + memcmp(name1->gn_value.value, name1->gn_value.value, + name1->gn_value.length)) { + *name_equal = 0; + } + } else { + struct _gss_mechanism_name *mn1; + struct _gss_mechanism_name *mn2; + + SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) { + mn2 = _gss_find_mn(name2, mn1->gmn_mech_oid); + if (mn2) { + return (mn1->gmn_mech->gm_compare_name( + minor_status, + mn1->gmn_name, + mn2->gmn_name, + name_equal)); + } + } + *name_equal = 0; + } + + *minor_status = 0; + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_context_time.c b/source4/heimdal/lib/gssapi/mech/gss_context_time.c new file mode 100644 index 0000000000..4b17381776 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_context_time.c @@ -0,0 +1,41 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_context_time.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_context_time.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_context_time(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + OM_uint32 *time_rec) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m = ctx->gc_mech; + + return (m->gm_context_time(minor_status, ctx->gc_ctx, time_rec)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c b/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c new file mode 100644 index 0000000000..7298ec9e83 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c @@ -0,0 +1,52 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_create_empty_oid_set.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_create_empty_oid_set.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_create_empty_oid_set(OM_uint32 *minor_status, + gss_OID_set *oid_set) +{ + gss_OID_set set; + + *minor_status = 0; + *oid_set = 0; + + set = malloc(sizeof(gss_OID_set_desc)); + if (!set) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + + set->count = 0; + set->elements = 0; + *oid_set = set; + + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c new file mode 100644 index 0000000000..8ebb848188 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c @@ -0,0 +1,74 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_decapsulate_token.c,v 1.2 2006/10/14 10:04:45 lha Exp $"); + +OM_uint32 +gss_decapsulate_token(gss_buffer_t input_token, + gss_OID oid, + gss_buffer_t output_token) +{ + GSSAPIContextToken ct; + heim_oid o; + OM_uint32 status; + int ret; + size_t size; + + output_token->length = 0; + output_token->value = NULL; + + ret = der_get_oid (oid->elements, oid->length, &o, &size); + if (ret) + return GSS_S_FAILURE; + + ret = decode_GSSAPIContextToken(input_token->value, input_token->length, + &ct, NULL); + if (ret) { + der_free_oid(&o); + return GSS_S_FAILURE; + } + + if (der_heim_oid_cmp(&ct.thisMech, &o) == 0) { + status = GSS_S_COMPLETE; + output_token->value = ct.innerContextToken.data; + output_token->length = ct.innerContextToken.length; + der_free_oid(&ct.thisMech); + } else { + free_GSSAPIContextToken(&ct); + status = GSS_S_FAILURE; + } + der_free_oid(&o); + + return status; +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c new file mode 100644 index 0000000000..06ef8e6d09 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c @@ -0,0 +1,58 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_delete_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_delete_sec_context.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_delete_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t output_token) +{ + OM_uint32 major_status; + struct _gss_context *ctx = (struct _gss_context *) *context_handle; + + *minor_status = 0; + if (ctx) { + /* + * If we have an implementation ctx, delete it, + * otherwise fake an empty token. + */ + if (ctx->gc_ctx) { + major_status = ctx->gc_mech->gm_delete_sec_context( + minor_status, &ctx->gc_ctx, output_token); + } else if (output_token != GSS_C_NO_BUFFER) { + output_token->length = 0; + output_token->value = 0; + } + free(ctx); + *context_handle = 0; + } + + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_display_name.c b/source4/heimdal/lib/gssapi/mech/gss_display_name.c new file mode 100644 index 0000000000..79f62a7a4f --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_display_name.c @@ -0,0 +1,74 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_display_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_display_name.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_display_name(OM_uint32 *minor_status, + const gss_name_t input_name, + gss_buffer_t output_name_buffer, + gss_OID *output_name_type) +{ + OM_uint32 major_status; + struct _gss_name *name = (struct _gss_name *) input_name; + struct _gss_mechanism_name *mn; + + /* + * If we know it, copy the buffer used to import the name in + * the first place. Otherwise, ask all the MNs in turn if + * they can display the thing. + */ + if (name->gn_value.value) { + output_name_buffer->value = malloc(name->gn_value.length); + if (!output_name_buffer->value) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + output_name_buffer->length = name->gn_value.length; + memcpy(output_name_buffer->value, name->gn_value.value, + output_name_buffer->length); + if (output_name_type) + *output_name_type = &name->gn_type; + + *minor_status = 0; + return (GSS_S_COMPLETE); + } else { + SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { + major_status = mn->gmn_mech->gm_display_name( + minor_status, mn->gmn_name, + output_name_buffer, + output_name_type); + if (major_status == GSS_S_COMPLETE) + return (GSS_S_COMPLETE); + } + } + + *minor_status = 0; + return (GSS_S_FAILURE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_display_status.c b/source4/heimdal/lib/gssapi/mech/gss_display_status.c new file mode 100644 index 0000000000..7871f5338b --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_display_status.c @@ -0,0 +1,184 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_display_status.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ +/* + * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_display_status.c,v 1.4 2006/07/19 11:02:33 lha Exp $"); + +static const char * +calling_error(OM_uint32 v) +{ + static const char *msgs[] = { + NULL, /* 0 */ + "A required input parameter could not be read.", /* */ + "A required output parameter could not be written.", /* */ + "A parameter was malformed" + }; + + v >>= GSS_C_CALLING_ERROR_OFFSET; + + if (v == 0) + return ""; + else if (v >= sizeof(msgs)/sizeof(*msgs)) + return "unknown calling error"; + else + return msgs[v]; +} + +static const char * +routine_error(OM_uint32 v) +{ + static const char *msgs[] = { + NULL, /* 0 */ + "An unsupported mechanism was requested", + "An invalid name was supplied", + "A supplied name was of an unsupported type", + "Incorrect channel bindings were supplied", + "An invalid status code was supplied", + "A token had an invalid MIC", + "No credentials were supplied, " + "or the credentials were unavailable or inaccessible.", + "No context has been established", + "A token was invalid", + "A credential was invalid", + "The referenced credentials have expired", + "The context has expired", + "Miscellaneous failure (see text)", + "The quality-of-protection requested could not be provide", + "The operation is forbidden by local security policy", + "The operation or option is not available", + "The requested credential element already exists", + "The provided name was not a mechanism name.", + }; + + v >>= GSS_C_ROUTINE_ERROR_OFFSET; + + if (v == 0) + return ""; + else if (v >= sizeof(msgs)/sizeof(*msgs)) + return "unknown routine error"; + else + return msgs[v]; +} + +static const char * +supplementary_error(OM_uint32 v) +{ + static const char *msgs[] = { + "normal completion", + "continuation call to routine required", + "duplicate per-message token detected", + "timed-out per-message token detected", + "reordered (early) per-message token detected", + "skipped predecessor token(s) detected" + }; + + v >>= GSS_C_SUPPLEMENTARY_OFFSET; + + if (v >= sizeof(msgs)/sizeof(*msgs)) + return "unknown routine error"; + else + return msgs[v]; +} + + +OM_uint32 +gss_display_status(OM_uint32 *minor_status, + OM_uint32 status_value, + int status_type, + const gss_OID mech_type, + OM_uint32 *message_content, + gss_buffer_t status_string) +{ + OM_uint32 major_status; + + *minor_status = 0; + switch (status_type) { + case GSS_C_GSS_CODE: { + char *buf; + + if (GSS_SUPPLEMENTARY_INFO(status_value)) + asprintf(&buf, "%s", supplementary_error( + GSS_SUPPLEMENTARY_INFO(status_value))); + else + asprintf (&buf, "%s %s", + calling_error(GSS_CALLING_ERROR(status_value)), + routine_error(GSS_ROUTINE_ERROR(status_value))); + + status_string->length = strlen(buf); + status_string->value = buf; + + return GSS_S_COMPLETE; + } + case GSS_C_MECH_CODE: { + gssapi_mech_interface m; + m = __gss_get_mechanism(mech_type); + if (m) { + major_status = m->gm_display_status(minor_status, + status_value, status_type, mech_type, + message_content, status_string); + if (major_status == GSS_S_COMPLETE) + return (GSS_S_COMPLETE); + } + } + } + status_string->value = NULL; + status_string->length = 0; + return (GSS_S_BAD_STATUS); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c new file mode 100644 index 0000000000..5ef828f472 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c @@ -0,0 +1,75 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_duplicate_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_duplicate_name.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 gss_duplicate_name(OM_uint32 *minor_status, + const gss_name_t src_name, + gss_name_t *dest_name) +{ + OM_uint32 major_status; + struct _gss_name *name = (struct _gss_name *) src_name; + struct _gss_name *new_name; + struct _gss_mechanism_name *mn; + + *minor_status = 0; + + /* + * If this name has a value (i.e. it didn't come from + * gss_canonicalize_name(), we re-import the thing. Otherwise, + * we make an empty name to hold the MN copy. + */ + if (name->gn_value.value) { + major_status = gss_import_name(minor_status, + &name->gn_value, &name->gn_type, dest_name); + if (major_status != GSS_S_COMPLETE) + return (major_status); + new_name = (struct _gss_name *) *dest_name; + } else { + new_name = malloc(sizeof(struct _gss_name)); + if (!new_name) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + memset(new_name, 0, sizeof(struct _gss_name)); + SLIST_INIT(&name->gn_mn); + *dest_name = (gss_name_t) new_name; + } + + /* + * Import the new name into any mechanisms listed in the + * original name. We could probably get away with only doing + * this if the original was canonical. + */ + SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { + _gss_find_mn(new_name, mn->gmn_mech_oid); + } + + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_oid.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_oid.c new file mode 100644 index 0000000000..bfb0e75315 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_oid.c @@ -0,0 +1,67 @@ +/* + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_duplicate_oid.c,v 1.1 2006/06/28 09:07:07 lha Exp $"); + +OM_uint32 gss_duplicate_oid ( + OM_uint32 *minor_status, + gss_OID src_oid, + gss_OID *dest_oid + ) +{ + *minor_status = 0; + + if (src_oid == GSS_C_NO_OID) { + *dest_oid = GSS_C_NO_OID; + return GSS_S_COMPLETE; + } + + *dest_oid = malloc(sizeof(**dest_oid)); + if (*dest_oid == GSS_C_NO_OID) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + (*dest_oid)->elements = malloc(src_oid->length); + if ((*dest_oid)->elements == NULL) { + free(*dest_oid); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + memcpy((*dest_oid)->elements, src_oid->elements, src_oid->length); + (*dest_oid)->length = src_oid->length; + + *minor_status = 0; + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c new file mode 100644 index 0000000000..d1285815ee --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_encapsulate_token.c,v 1.2 2006/10/14 10:05:12 lha Exp $"); + +OM_uint32 +gss_encapsulate_token(gss_buffer_t input_token, + gss_OID oid, + gss_buffer_t output_token) +{ + GSSAPIContextToken ct; + int ret; + size_t size; + + ret = der_get_oid (oid->elements, oid->length, &ct.thisMech, &size); + if (ret) { + output_token->value = NULL; + output_token->length = 0; + return GSS_S_FAILURE; + } + + ct.innerContextToken.data = input_token->value; + ct.innerContextToken.length = input_token->length; + + ASN1_MALLOC_ENCODE(GSSAPIContextToken, + output_token->value, output_token->length, + &ct, &size, ret); + der_free_oid(&ct.thisMech); + if (ret) { + output_token->length = 0; + output_token->value = NULL; + return GSS_S_FAILURE; + } + if (output_token->length != size) + abort(); + + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_export_name.c b/source4/heimdal/lib/gssapi/mech/gss_export_name.c new file mode 100644 index 0000000000..bc1c39c8ee --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_export_name.c @@ -0,0 +1,56 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_export_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_export_name.c,v 1.3 2006/07/05 22:41:57 lha Exp $"); + +OM_uint32 +gss_export_name(OM_uint32 *minor_status, + const gss_name_t input_name, + gss_buffer_t exported_name) +{ + struct _gss_name *name = (struct _gss_name *) input_name; + struct _gss_mechanism_name *mn; + + exported_name->value = NULL; + exported_name->length = 0; + + /* + * If this name already has any attached MNs, export the first + * one, otherwise export based on the first mechanism in our + * list. + */ + mn = SLIST_FIRST(&name->gn_mn); + if (!mn) { + *minor_status = 0; + return (GSS_S_NAME_NOT_MN); + } + + return mn->gmn_mech->gm_export_name(minor_status, + mn->gmn_name, exported_name); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c new file mode 100644 index 0000000000..1acc72b33d --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c @@ -0,0 +1,73 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_export_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_export_sec_context.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_export_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t interprocess_token) +{ + OM_uint32 major_status; + struct _gss_context *ctx = (struct _gss_context *) *context_handle; + gssapi_mech_interface m = ctx->gc_mech; + gss_buffer_desc buf; + + major_status = m->gm_export_sec_context(minor_status, + &ctx->gc_ctx, &buf); + + if (major_status == GSS_S_COMPLETE) { + unsigned char *p; + + free(ctx); + *context_handle = GSS_C_NO_CONTEXT; + interprocess_token->length = buf.length + + 2 + m->gm_mech_oid.length; + interprocess_token->value = malloc(interprocess_token->length); + if (!interprocess_token->value) { + /* + * We are in trouble here - the context is + * already gone. This is allowed as long as we + * set the caller's context_handle to + * GSS_C_NO_CONTEXT, which we did above. + * Return GSS_S_FAILURE. + */ + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + p = interprocess_token->value; + p[0] = m->gm_mech_oid.length >> 8; + p[1] = m->gm_mech_oid.length; + memcpy(p + 2, m->gm_mech_oid.elements, m->gm_mech_oid.length); + memcpy(p + 2 + m->gm_mech_oid.length, buf.value, buf.length); + gss_release_buffer(minor_status, &buf); + } + + return (major_status); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_get_mic.c b/source4/heimdal/lib/gssapi/mech/gss_get_mic.c new file mode 100644 index 0000000000..e9a8f294a4 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_get_mic.c @@ -0,0 +1,44 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_get_mic.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_get_mic.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_get_mic(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + gss_qop_t qop_req, + const gss_buffer_t message_buffer, + gss_buffer_t message_token) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m = ctx->gc_mech; + + return (m->gm_get_mic(minor_status, ctx->gc_ctx, qop_req, + message_buffer, message_token)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_name.c b/source4/heimdal/lib/gssapi/mech/gss_import_name.c new file mode 100644 index 0000000000..9684301ba4 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_import_name.c @@ -0,0 +1,214 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_import_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_import_name.c,v 1.3 2006/06/29 21:23:13 lha Exp $"); + +static OM_uint32 +_gss_import_export_name(OM_uint32 *minor_status, + const gss_buffer_t input_name_buffer, + gss_name_t *output_name) +{ + OM_uint32 major_status; + unsigned char *p = input_name_buffer->value; + size_t len = input_name_buffer->length; + size_t t; + gss_OID_desc mech_oid; + gssapi_mech_interface m; + struct _gss_name *name; + gss_name_t new_canonical_name; + + *minor_status = 0; + *output_name = 0; + + /* + * Make sure that TOK_ID is {4, 1}. + */ + if (len < 2) + return (GSS_S_BAD_NAME); + if (p[0] != 4 || p[1] != 1) + return (GSS_S_BAD_NAME); + p += 2; + len -= 2; + + /* + * Get the mech length and the name length and sanity + * check the size of of the buffer. + */ + if (len < 2) + return (GSS_S_BAD_NAME); + t = (p[0] << 8) + p[1]; + p += 2; + len -= 2; + + /* + * Check the DER encoded OID to make sure it agrees with the + * length we just decoded. + */ + if (p[0] != 6) /* 6=OID */ + return (GSS_S_BAD_NAME); + p++; + len--; + t--; + if (p[0] & 0x80) { + int digits = p[0]; + p++; + len--; + t--; + mech_oid.length = 0; + while (digits--) { + mech_oid.length = (mech_oid.length << 8) | p[0]; + p++; + len--; + t--; + } + } else { + mech_oid.length = p[0]; + p++; + len--; + t--; + } + if (mech_oid.length != t) + return (GSS_S_BAD_NAME); + + mech_oid.elements = p; + + if (len < t + 4) + return (GSS_S_BAD_NAME); + p += t; + len -= t; + + t = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; + p += 4; + len -= 4; + + if (len != t) + return (GSS_S_BAD_NAME); + + m = __gss_get_mechanism(&mech_oid); + if (!m) + return (GSS_S_BAD_MECH); + + /* + * Ask the mechanism to import the name. + */ + major_status = m->gm_import_name(minor_status, + input_name_buffer, GSS_C_NT_EXPORT_NAME, &new_canonical_name); + + /* + * Now we make a new name and mark it as an MN. + */ + name = _gss_make_name(m, new_canonical_name); + if (!name) { + m->gm_release_name(minor_status, &new_canonical_name); + return (GSS_S_FAILURE); + } + + *output_name = (gss_name_t) name; + + *minor_status = 0; + return (GSS_S_COMPLETE); +} + +OM_uint32 +gss_import_name(OM_uint32 *minor_status, + const gss_buffer_t input_name_buffer, + const gss_OID input_name_type, + gss_name_t *output_name) +{ + gss_OID name_type = input_name_type; + OM_uint32 major_status; + struct _gss_name *name; + + if (input_name_buffer->length == 0) { + *minor_status = 0; + *output_name = 0; + return (GSS_S_BAD_NAME); + } + + /* + * Use GSS_NT_USER_NAME as default name type. + */ + if (name_type == GSS_C_NO_OID) + name_type = GSS_C_NT_USER_NAME; + + /* + * If this is an exported name, we need to parse it to find + * the mechanism and then import it as an MN. See RFC 2743 + * section 3.2 for a description of the format. + */ + if (gss_oid_equal(name_type, GSS_C_NT_EXPORT_NAME)) { + return _gss_import_export_name(minor_status, + input_name_buffer, output_name); + } + + /* + * Only allow certain name types. This is pretty bogus - we + * should figure out the list of supported name types using + * gss_inquire_names_for_mech. + */ + if (!gss_oid_equal(name_type, GSS_C_NT_USER_NAME) + && !gss_oid_equal(name_type, GSS_C_NT_MACHINE_UID_NAME) + && !gss_oid_equal(name_type, GSS_C_NT_STRING_UID_NAME) + && !gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE_X) + && !gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE) + && !gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS) + && !gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) { + *minor_status = 0; + *output_name = 0; + return (GSS_S_BAD_NAMETYPE); + } + + *minor_status = 0; + name = malloc(sizeof(struct _gss_name)); + if (!name) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + memset(name, 0, sizeof(struct _gss_name)); + + major_status = _gss_copy_oid(minor_status, + name_type, &name->gn_type); + if (major_status) { + free(name); + return (GSS_S_FAILURE); + } + + major_status = _gss_copy_buffer(minor_status, + input_name_buffer, &name->gn_value); + if (major_status) { + gss_name_t rname = (gss_name_t)name; + gss_release_name(minor_status, &rname); + return (GSS_S_FAILURE); + } + + SLIST_INIT(&name->gn_mn); + + *output_name = (gss_name_t) name; + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c new file mode 100644 index 0000000000..5466f97cf4 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c @@ -0,0 +1,82 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_import_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_import_sec_context.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_import_sec_context(OM_uint32 *minor_status, + const gss_buffer_t interprocess_token, + gss_ctx_id_t *context_handle) +{ + OM_uint32 major_status; + gssapi_mech_interface m; + struct _gss_context *ctx; + gss_OID_desc mech_oid; + gss_buffer_desc buf; + unsigned char *p; + size_t len; + + *minor_status = 0; + *context_handle = 0; + + /* + * We added an oid to the front of the token in + * gss_export_sec_context. + */ + p = interprocess_token->value; + len = interprocess_token->length; + if (len < 2) + return (GSS_S_DEFECTIVE_TOKEN); + mech_oid.length = (p[0] << 8) | p[1]; + if (len < mech_oid.length + 2) + return (GSS_S_DEFECTIVE_TOKEN); + mech_oid.elements = p + 2; + buf.length = len - 2 - mech_oid.length; + buf.value = p + 2 + mech_oid.length; + + m = __gss_get_mechanism(&mech_oid); + if (!m) + return (GSS_S_DEFECTIVE_TOKEN); + + ctx = malloc(sizeof(struct _gss_context)); + if (!ctx) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + ctx->gc_mech = m; + major_status = m->gm_import_sec_context(minor_status, + &buf, &ctx->gc_ctx); + if (major_status != GSS_S_COMPLETE) { + free(ctx); + } else { + *context_handle = (gss_ctx_id_t) ctx; + } + + return (major_status); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c new file mode 100644 index 0000000000..0da6c48834 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c @@ -0,0 +1,65 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_indicate_mechs.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_indicate_mechs.c,v 1.3 2006/07/05 22:36:49 lha Exp $"); + +OM_uint32 +gss_indicate_mechs(OM_uint32 *minor_status, + gss_OID_set *mech_set) +{ + struct _gss_mech_switch *m; + OM_uint32 major_status; + gss_OID_set set; + int i; + + _gss_load_mech(); + + major_status = gss_create_empty_oid_set(minor_status, mech_set); + if (major_status) + return (major_status); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_indicate_mechs) { + major_status = m->gm_mech.gm_indicate_mechs( + minor_status, &set); + if (major_status) + continue; + for (i = 0; i < set->count; i++) + major_status = gss_add_oid_set_member( + minor_status, &set->elements[i], mech_set); + gss_release_oid_set(minor_status, &set); + } else { + major_status = gss_add_oid_set_member( + minor_status, &m->gm_mech_oid, mech_set); + } + } + + *minor_status = 0; + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c new file mode 100644 index 0000000000..ccaf91ba9d --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c @@ -0,0 +1,133 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_init_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_init_sec_context.c,v 1.3 2006/07/06 22:30:09 lha Exp $"); + +OM_uint32 +gss_init_sec_context(OM_uint32 * minor_status, + const gss_cred_id_t initiator_cred_handle, + gss_ctx_id_t * context_handle, + const gss_name_t target_name, + const gss_OID input_mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec) +{ + OM_uint32 major_status; + gssapi_mech_interface m; + struct _gss_name *name = (struct _gss_name *) target_name; + struct _gss_mechanism_name *mn; + struct _gss_context *ctx = (struct _gss_context *) *context_handle; + struct _gss_cred *cred = (struct _gss_cred *) initiator_cred_handle; + struct _gss_mechanism_cred *mc; + gss_cred_id_t cred_handle; + int allocated_ctx; + gss_OID mech_type = input_mech_type; + + *minor_status = 0; + + /* + * If we haven't allocated a context yet, do so now and lookup + * the mechanism switch table. If we have one already, make + * sure we use the same mechanism switch as before. + */ + if (!ctx) { + if (mech_type == NULL) + mech_type = GSS_KRB5_MECHANISM; + + ctx = malloc(sizeof(struct _gss_context)); + if (!ctx) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + memset(ctx, 0, sizeof(struct _gss_context)); + m = ctx->gc_mech = __gss_get_mechanism(mech_type); + if (!m) { + free(ctx); + return (GSS_S_BAD_MECH); + } + allocated_ctx = 1; + } else { + m = ctx->gc_mech; + mech_type = &ctx->gc_mech->gm_mech_oid; + allocated_ctx = 0; + } + + /* + * Find the MN for this mechanism. + */ + mn = _gss_find_mn(name, mech_type); + if (mn == NULL) { + if (allocated_ctx) + free(ctx); + return GSS_S_BAD_NAME; + } + + /* + * If we have a cred, find the cred for this mechanism. + */ + cred_handle = GSS_C_NO_CREDENTIAL; + if (cred) { + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + if (gss_oid_equal(mech_type, mc->gmc_mech_oid)) { + cred_handle = mc->gmc_cred; + break; + } + } + } + + major_status = m->gm_init_sec_context(minor_status, + cred_handle, + &ctx->gc_ctx, + mn->gmn_name, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); + + if (major_status != GSS_S_COMPLETE + && major_status != GSS_S_CONTINUE_NEEDED) { + if (allocated_ctx) + free(ctx); + } else { + *context_handle = (gss_ctx_id_t) ctx; + } + + return (major_status); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c new file mode 100644 index 0000000000..88bbb3941f --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c @@ -0,0 +1,85 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_inquire_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_inquire_context.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_inquire_context(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + gss_name_t *src_name, + gss_name_t *targ_name, + OM_uint32 *lifetime_rec, + gss_OID *mech_type, + OM_uint32 *ctx_flags, + int *locally_initiated, + int *open) +{ + OM_uint32 major_status; + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m = ctx->gc_mech; + struct _gss_name *name; + gss_name_t src_mn, targ_mn; + + major_status = m->gm_inquire_context(minor_status, + ctx->gc_ctx, + src_name ? &src_mn : 0, + targ_name ? &targ_mn : 0, + lifetime_rec, + mech_type, + ctx_flags, + locally_initiated, + open); + + if (src_name) *src_name = 0; + if (targ_name) *targ_name = 0; + + if (major_status != GSS_S_COMPLETE) { + return (major_status); + } + + if (src_name) { + name = _gss_make_name(m, src_mn); + if (!name) { + minor_status = 0; + return (GSS_S_FAILURE); + } + *src_name = (gss_name_t) name; + } + + if (targ_name) { + name = _gss_make_name(m, targ_mn); + if (!name) { + minor_status = 0; + return (GSS_S_FAILURE); + } + *targ_name = (gss_name_t) name; + } + + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c new file mode 100644 index 0000000000..223140205d --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c @@ -0,0 +1,168 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_inquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_inquire_cred.c,v 1.5 2006/07/20 02:03:18 lha Exp $"); + +OM_uint32 +gss_inquire_cred(OM_uint32 *minor_status, + const gss_cred_id_t cred_handle, + gss_name_t *name_ret, + OM_uint32 *lifetime, + gss_cred_usage_t *cred_usage, + gss_OID_set *mechanisms) +{ + OM_uint32 major_status; + struct _gss_mech_switch *m; + struct _gss_cred *cred = (struct _gss_cred *) cred_handle; + struct _gss_name *name; + struct _gss_mechanism_name *mn; + OM_uint32 min_lifetime; + int found = 0; + + _gss_load_mech(); + + *minor_status = 0; + if (name_ret) + *name_ret = 0; + if (lifetime) + *lifetime = 0; + if (cred_usage) + *cred_usage = 0; + + if (name_ret) { + name = malloc(sizeof(struct _gss_name)); + if (!name) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + memset(name, 0, sizeof(struct _gss_name)); + SLIST_INIT(&name->gn_mn); + } else { + name = 0; + } + + if (mechanisms) { + major_status = gss_create_empty_oid_set(minor_status, + mechanisms); + if (major_status) { + if (name) free(name); + return (major_status); + } + } + + min_lifetime = GSS_C_INDEFINITE; + if (cred) { + struct _gss_mechanism_cred *mc; + + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + gss_name_t mc_name; + OM_uint32 mc_lifetime; + + major_status = mc->gmc_mech->gm_inquire_cred(minor_status, + mc->gmc_cred, &mc_name, &mc_lifetime, NULL, NULL); + if (major_status) + continue; + + if (name) { + mn = malloc(sizeof(struct _gss_mechanism_name)); + if (!mn) { + mc->gmc_mech->gm_release_name(minor_status, + &mc_name); + continue; + } + mn->gmn_mech = mc->gmc_mech; + mn->gmn_mech_oid = mc->gmc_mech_oid; + mn->gmn_name = mc_name; + SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); + } else { + mc->gmc_mech->gm_release_name(minor_status, + &mc_name); + } + + if (mc_lifetime < min_lifetime) + min_lifetime = mc_lifetime; + + if (mechanisms) + gss_add_oid_set_member(minor_status, + mc->gmc_mech_oid, mechanisms); + found++; + } + } else { + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + gss_name_t mc_name; + OM_uint32 mc_lifetime; + + major_status = m->gm_mech.gm_inquire_cred(minor_status, + GSS_C_NO_CREDENTIAL, &mc_name, &mc_lifetime, + cred_usage, NULL); + if (major_status) + continue; + + if (name && mc_name) { + mn = malloc( + sizeof(struct _gss_mechanism_name)); + if (!mn) { + m->gm_mech.gm_release_name( + minor_status, &mc_name); + continue; + } + mn->gmn_mech = &m->gm_mech; + mn->gmn_mech_oid = &m->gm_mech_oid; + mn->gmn_name = mc_name; + SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); + } else if (mc_name) { + m->gm_mech.gm_release_name(minor_status, + &mc_name); + } + + if (mc_lifetime < min_lifetime) + min_lifetime = mc_lifetime; + + if (mechanisms) + gss_add_oid_set_member(minor_status, + &m->gm_mech_oid, mechanisms); + found++; + } + } + + if (found == 0) { + gss_release_oid_set(minor_status, mechanisms); + *minor_status = 0; + return (GSS_S_NO_CRED); + } + + *minor_status = 0; + if (name_ret) + *name_ret = (gss_name_t) name; + if (lifetime) + *lifetime = min_lifetime; + if (cred && cred_usage) + *cred_usage = cred->gc_usage; + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c new file mode 100644 index 0000000000..771a6956a5 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c @@ -0,0 +1,79 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_inquire_cred_by_mech.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_inquire_cred_by_mech.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_inquire_cred_by_mech(OM_uint32 *minor_status, + const gss_cred_id_t cred_handle, + const gss_OID mech_type, + gss_name_t *cred_name, + OM_uint32 *initiator_lifetime, + OM_uint32 *acceptor_lifetime, + gss_cred_usage_t *cred_usage) +{ + OM_uint32 major_status; + gssapi_mech_interface m; + struct _gss_mechanism_cred *mcp; + gss_cred_id_t mc; + gss_name_t mn; + struct _gss_name *name; + + *minor_status = 0; + + m = __gss_get_mechanism(mech_type); + if (!m) + return (GSS_S_NO_CRED); + + if (cred_handle != GSS_C_NO_CREDENTIAL) { + struct _gss_cred *cred = (struct _gss_cred *) cred_handle; + SLIST_FOREACH(mcp, &cred->gc_mc, gmc_link) + if (mcp->gmc_mech == m) + break; + if (!mcp) + return (GSS_S_NO_CRED); + mc = mcp->gmc_cred; + } else { + mc = GSS_C_NO_CREDENTIAL; + } + + major_status = m->gm_inquire_cred_by_mech(minor_status, mc, mech_type, + &mn, initiator_lifetime, acceptor_lifetime, cred_usage); + if (major_status != GSS_S_COMPLETE) + return (major_status); + + name = _gss_make_name(m, mn); + if (!name) { + m->gm_release_name(minor_status, &mn); + return (GSS_S_NO_CRED); + } + + *cred_name = (gss_name_t) name; + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c new file mode 100644 index 0000000000..3cfe89af21 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c @@ -0,0 +1,82 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_inquire_cred_by_oid.c,v 1.2 2006/06/28 16:20:41 lha Exp $"); + +OM_uint32 +gss_inquire_cred_by_oid (OM_uint32 *minor_status, + const gss_cred_id_t cred_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + struct _gss_cred *cred = (struct _gss_cred *) cred_handle; + OM_uint32 status = GSS_S_COMPLETE; + struct _gss_mechanism_cred *mc; + gssapi_mech_interface m; + gss_buffer_set_t set = GSS_C_NO_BUFFER_SET; + + *minor_status = 0; + + if (cred == NULL) + return GSS_S_NO_CRED; + + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET; + int i; + + m = mc->gmc_mech; + if (m == NULL) + return GSS_S_BAD_MECH; + + if (m->gm_inquire_cred_by_oid == NULL) + continue; + + status = m->gm_inquire_cred_by_oid(minor_status, + mc->gmc_cred, desired_object, &rset); + if (status != GSS_S_COMPLETE) + continue; + + for (i = 0; i < rset->count; i++) { + status = gss_add_buffer_set_member(minor_status, + &rset->elements[i], &set); + if (status != GSS_S_COMPLETE) + break; + } + gss_release_buffer_set(minor_status, &rset); + } + if (set == GSS_C_NO_BUFFER_SET) + status = GSS_S_FAILURE; + *data_set = set; + return status; +} + diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c new file mode 100644 index 0000000000..7052bf8b72 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c @@ -0,0 +1,77 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_inquire_mechs_for_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_inquire_mechs_for_name.c,v 1.3 2006/07/20 02:04:00 lha Exp $"); + +OM_uint32 +gss_inquire_mechs_for_name(OM_uint32 *minor_status, + const gss_name_t input_name, + gss_OID_set *mech_types) +{ + OM_uint32 major_status; + struct _gss_name *name = (struct _gss_name *) input_name; + struct _gss_mech_switch *m; + gss_OID_set name_types; + int present; + + *minor_status = 0; + + _gss_load_mech(); + + major_status = gss_create_empty_oid_set(minor_status, mech_types); + if (major_status) + return (major_status); + + /* + * We go through all the loaded mechanisms and see if this + * name's type is supported by the mechanism. If it is, add + * the mechanism to the set. + */ + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + major_status = gss_inquire_names_for_mech(minor_status, + &m->gm_mech_oid, &name_types); + if (major_status) { + gss_release_oid_set(minor_status, mech_types); + return (major_status); + } + gss_test_oid_set_member(minor_status, + &name->gn_type, name_types, &present); + gss_release_oid_set(minor_status, &name_types); + if (present) { + major_status = gss_add_oid_set_member(minor_status, + &m->gm_mech_oid, mech_types); + if (major_status) { + gss_release_oid_set(minor_status, mech_types); + return (major_status); + } + } + } + + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c new file mode 100644 index 0000000000..2293163b03 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c @@ -0,0 +1,73 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_inquire_names_for_mech.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_inquire_names_for_mech.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_inquire_names_for_mech(OM_uint32 *minor_status, + const gss_OID mechanism, + gss_OID_set *name_types) +{ + OM_uint32 major_status; + gssapi_mech_interface m = __gss_get_mechanism(mechanism); + + *minor_status = 0; + if (!m) + return (GSS_S_BAD_MECH); + + /* + * If the implementation can do it, ask it for a list of + * names, otherwise fake it. + */ + if (m->gm_inquire_names_for_mech) { + return (m->gm_inquire_names_for_mech(minor_status, + mechanism, name_types)); + } else { + major_status = gss_create_empty_oid_set(minor_status, + name_types); + if (major_status) + return (major_status); + major_status = gss_add_oid_set_member(minor_status, + GSS_C_NT_HOSTBASED_SERVICE, name_types); + if (major_status) { + OM_uint32 ms; + gss_release_oid_set(&ms, name_types); + return (major_status); + } + major_status = gss_add_oid_set_member(minor_status, + GSS_C_NT_USER_NAME, name_types); + if (major_status) { + OM_uint32 ms; + gss_release_oid_set(&ms, name_types); + return (major_status); + } + } + + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c new file mode 100644 index 0000000000..7f5632ac55 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_inquire_sec_context_by_oid.c,v 1.1 2006/06/28 09:07:08 lha Exp $"); + +OM_uint32 +gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + OM_uint32 major_status; + gssapi_mech_interface m; + + *minor_status = 0; + + if (ctx == NULL) + return GSS_S_NO_CONTEXT; + + /* + * select the approprate underlying mechanism routine and + * call it. + */ + + m = ctx->gc_mech; + + if (m == NULL) + return GSS_S_BAD_MECH; + + if (m->gm_inquire_sec_context_by_oid != NULL) + major_status = m->gm_inquire_sec_context_by_oid(minor_status, + ctx->gc_ctx, desired_object, data_set); + else + major_status = GSS_S_BAD_MECH; + + return major_status; +} + diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c new file mode 100644 index 0000000000..c6ea3cecb7 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -0,0 +1,710 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_krb5.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +#include "krb5/gsskrb5_locl.h" +RCSID("$Id: gss_krb5.c,v 1.13 2006/10/20 22:05:02 lha Exp $"); + +#include <krb5.h> +#include <roken.h> + + +OM_uint32 +gss_krb5_copy_ccache(OM_uint32 *minor_status, + gss_cred_id_t cred, + krb5_ccache out) +{ + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + krb5_context context; + krb5_error_code kret; + krb5_ccache id; + OM_uint32 ret; + char *str; + + ret = gss_inquire_cred_by_oid(minor_status, + cred, + GSS_KRB5_COPY_CCACHE_X, + &data_set); + if (ret) + return ret; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + kret = krb5_init_context(&context); + if (kret) { + *minor_status = kret; + gss_release_buffer_set(minor_status, &data_set); + return GSS_S_FAILURE; + } + + kret = asprintf(&str, "%.*s", (int)data_set->elements[0].length, + (char *)data_set->elements[0].value); + gss_release_buffer_set(minor_status, &data_set); + if (kret == -1) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + kret = krb5_cc_resolve(context, str, &id); + free(str); + if (kret) { + *minor_status = kret; + return GSS_S_FAILURE; + } + + kret = krb5_cc_copy_cache(context, id, out); + krb5_cc_close(context, id); + krb5_free_context(context); + if (kret) { + *minor_status = kret; + return GSS_S_FAILURE; + } + + return ret; +} + +OM_uint32 +gss_krb5_import_cred(OM_uint32 *minor_status, + krb5_ccache id, + krb5_principal keytab_principal, + krb5_keytab keytab, + gss_cred_id_t *cred) +{ + gss_buffer_desc buffer; + OM_uint32 major_status; + krb5_context context; + krb5_error_code ret; + krb5_storage *sp; + krb5_data data; + char *str; + + *cred = GSS_C_NO_CREDENTIAL; + + ret = krb5_init_context(&context); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + sp = krb5_storage_emem(); + if (sp == NULL) { + *minor_status = ENOMEM; + major_status = GSS_S_FAILURE; + goto out; + } + + if (id) { + ret = krb5_cc_get_full_name(context, id, &str); + if (ret == 0) { + ret = krb5_store_string(sp, str); + free(str); + } + } else + ret = krb5_store_string(sp, ""); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + if (keytab_principal) { + ret = krb5_unparse_name(context, keytab_principal, &str); + if (ret == 0) { + ret = krb5_store_string(sp, str); + free(str); + } + } else + krb5_store_string(sp, ""); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + + if (keytab) { + ret = krb5_kt_get_full_name(context, keytab, &str); + if (ret == 0) { + ret = krb5_store_string(sp, str); + free(str); + } + } else + krb5_store_string(sp, ""); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + krb5_storage_to_data(sp, &data); + + buffer.value = data.data; + buffer.length = data.length; + + major_status = gss_set_cred_option(minor_status, + cred, + GSS_KRB5_IMPORT_CRED_X, + &buffer); + krb5_data_free(&data); +out: + if (sp) + krb5_storage_free(sp); + krb5_free_context(context); + return major_status; +} + +OM_uint32 +gsskrb5_register_acceptor_identity(const char *identity) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + + _gss_load_mech(); + + buffer.value = rk_UNCONST(identity); + buffer.length = strlen(identity); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); + } + + return (GSS_S_COMPLETE); +} + +OM_uint32 +gsskrb5_set_dns_canonicalize(int flag) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + char b = (flag != 0); + + _gss_load_mech(); + + buffer.value = &b; + buffer.length = sizeof(b); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_SET_DNS_CANONICALIZE_X, &buffer); + } + + return (GSS_S_COMPLETE); +} + + + +static krb5_error_code +set_key(krb5_keyblock *keyblock, gss_krb5_lucid_key_t *key) +{ + key->type = keyblock->keytype; + key->length = keyblock->keyvalue.length; + key->data = malloc(key->length); + if (key->data == NULL && key->length != 0) + return ENOMEM; + memcpy(key->data, keyblock->keyvalue.data, key->length); + return 0; +} + +static void +free_key(gss_krb5_lucid_key_t *key) +{ + memset(key->data, 0, key->length); + free(key->data); + memset(key, 0, sizeof(*key)); +} + + +OM_uint32 +gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + OM_uint32 version, + void **rctx) +{ + krb5_context context = NULL; + krb5_error_code ret; + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 major_status; + gss_krb5_lucid_context_v1_t *ctx = NULL; + krb5_storage *sp = NULL; + uint32_t num; + + if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT || version != 1) { + ret = EINVAL; + return GSS_S_FAILURE; + } + + major_status = + gss_inquire_sec_context_by_oid (minor_status, + *context_handle, + GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X, + &data_set); + if (major_status) + return major_status; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ret = krb5_init_context(&context); + if (ret) + goto out; + + ctx = calloc(1, sizeof(*ctx)); + if (ctx == NULL) { + ret = ENOMEM; + goto out; + } + + sp = krb5_storage_from_mem(data_set->elements[0].value, + data_set->elements[0].length); + if (sp == NULL) { + ret = ENOMEM; + goto out; + } + + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + if (num != 1) { + ret = EINVAL; + goto out; + } + ctx->version = 1; + /* initiator */ + ret = krb5_ret_uint32(sp, &ctx->initiate); + if (ret) goto out; + /* endtime */ + ret = krb5_ret_uint32(sp, &ctx->endtime); + if (ret) goto out; + /* send_seq */ + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->send_seq = ((uint64_t)num) << 32; + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->send_seq |= num; + /* recv_seq */ + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->recv_seq = ((uint64_t)num) << 32; + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->recv_seq |= num; + /* protocol */ + ret = krb5_ret_uint32(sp, &ctx->protocol); + if (ret) goto out; + if (ctx->protocol == 0) { + krb5_keyblock key; + + /* sign_alg */ + ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.sign_alg); + if (ret) goto out; + /* seal_alg */ + ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.seal_alg); + if (ret) goto out; + /* ctx_key */ + ret = krb5_ret_keyblock(sp, &key); + if (ret) goto out; + ret = set_key(&key, &ctx->rfc1964_kd.ctx_key); + krb5_free_keyblock_contents(context, &key); + if (ret) goto out; + } else if (ctx->protocol == 1) { + krb5_keyblock key; + + /* acceptor_subkey */ + ret = krb5_ret_uint32(sp, &ctx->cfx_kd.have_acceptor_subkey); + if (ret) goto out; + /* ctx_key */ + ret = krb5_ret_keyblock(sp, &key); + if (ret) goto out; + ret = set_key(&key, &ctx->cfx_kd.ctx_key); + krb5_free_keyblock_contents(context, &key); + if (ret) goto out; + /* acceptor_subkey */ + if (ctx->cfx_kd.have_acceptor_subkey) { + ret = krb5_ret_keyblock(sp, &key); + if (ret) goto out; + ret = set_key(&key, &ctx->cfx_kd.acceptor_subkey); + krb5_free_keyblock_contents(context, &key); + if (ret) goto out; + } + } else { + ret = EINVAL; + goto out; + } + + *rctx = ctx; + +out: + gss_release_buffer_set(minor_status, &data_set); + if (sp) + krb5_storage_free(sp); + if (context) + krb5_free_context(context); + + if (ret) { + if (ctx) + gss_krb5_free_lucid_sec_context(NULL, ctx); + + *minor_status = ret; + return GSS_S_FAILURE; + } + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) +{ + gss_krb5_lucid_context_v1_t *ctx = c; + + if (ctx->version != 1) { + if (minor_status) + *minor_status = 0; + return GSS_S_FAILURE; + } + + if (ctx->protocol == 0) { + free_key(&ctx->rfc1964_kd.ctx_key); + } else if (ctx->protocol == 1) { + free_key(&ctx->cfx_kd.ctx_key); + if (ctx->cfx_kd.have_acceptor_subkey) + free_key(&ctx->cfx_kd.acceptor_subkey); + } + free(ctx); + if (minor_status) + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + + _gss_load_mech(); + + if (c) { + buffer.value = c; + buffer.length = sizeof(*c); + } else { + buffer.value = NULL; + buffer.length = 0; + } + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_SEND_TO_KDC_X, &buffer); + } + + return (GSS_S_COMPLETE); +} + +OM_uint32 +gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + time_t *authtime) +{ + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 maj_stat; + krb5_error_code ret; + OM_uint32 time32; + + if (context_handle == GSS_C_NO_CONTEXT) { + _gsskrb5_set_status("no context handle"); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + maj_stat = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + GSS_KRB5_GET_AUTHTIME_X, + &data_set); + if (maj_stat) + return maj_stat; + + if (data_set == GSS_C_NO_BUFFER_SET) { + _gsskrb5_set_status("no buffers returned"); + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (data_set->count != 1) { + _gsskrb5_set_status("%d != 1 buffers returned", data_set->count); + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (data_set->elements[0].length != 4) { + gss_release_buffer_set(minor_status, &data_set); + _gsskrb5_set_status("Error extracting authtime from security context: only got %d < 4 bytes", + data_set->elements[0].length); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ret = _gsskrb5_decode_om_uint32(data_set->elements[0].value, &time32); + if (ret) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = ret; + return GSS_S_FAILURE; + } + *authtime = time32; + + gss_release_buffer_set(minor_status, &data_set); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int ad_type, + gss_buffer_t ad_data) +{ + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 maj_stat; + gss_OID_desc authz_oid_flat; + heim_oid authz_oid; + heim_oid new_authz_oid; + size_t size; + + if (context_handle == GSS_C_NO_CONTEXT) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + /* All this to append an integer to an oid... */ + + if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length, + &authz_oid, NULL) != 0) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + new_authz_oid.length = authz_oid.length + 1; + new_authz_oid.components = malloc(new_authz_oid.length * sizeof(*new_authz_oid.components)); + if (!new_authz_oid.components) { + free(authz_oid.components); + + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + memcpy(new_authz_oid.components, authz_oid.components, + authz_oid.length * sizeof(*authz_oid.components)); + + free(authz_oid.components); + + new_authz_oid.components[new_authz_oid.length - 1] = ad_type; + + authz_oid_flat.length = der_length_oid(&new_authz_oid); + authz_oid_flat.elements = malloc(authz_oid_flat.length); + + if (!authz_oid_flat.elements) { + free(new_authz_oid.components); + + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + if (der_put_oid((unsigned char *)authz_oid_flat.elements + authz_oid_flat.length - 1, + authz_oid_flat.length, + &new_authz_oid, &size) != 0) { + free(new_authz_oid.components); + + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + free(new_authz_oid.components); + + /* FINALLY, we have the OID */ + + maj_stat = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + &authz_oid_flat, + &data_set); + + free(authz_oid_flat.elements); + + if (maj_stat) + return maj_stat; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ad_data->value = malloc(data_set->elements[0].length); + if (ad_data->value == NULL) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + ad_data->length = data_set->elements[0].length; + memcpy(ad_data->value, data_set->elements[0].value, ad_data->length); + gss_release_buffer_set(minor_status, &data_set); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +static OM_uint32 +gsskrb5_extract_key(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + const gss_OID oid, + krb5_keyblock **keyblock) +{ + krb5_error_code ret; + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 major_status; + krb5_storage *sp = NULL; + + ret = _gsskrb5_init(); + if(ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + if (context_handle == GSS_C_NO_CONTEXT) { + _gsskrb5_set_status("no context handle"); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + major_status = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + oid, + &data_set); + if (major_status) + return major_status; + + if (data_set == GSS_C_NO_BUFFER_SET) { + _gsskrb5_set_status("no buffers returned"); + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (data_set->count != 1) { + _gsskrb5_set_status("%d != 1 buffers returned", data_set->count); + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + sp = krb5_storage_from_mem(data_set->elements[0].value, + data_set->elements[0].length); + if (sp == NULL) { + ret = ENOMEM; + goto out; + } + + *keyblock = calloc(1, sizeof(**keyblock)); + if (keyblock == NULL) { + ret = ENOMEM; + goto out; + } + + ret = krb5_ret_keyblock(sp, *keyblock); + +out: + gss_release_buffer_set(minor_status, &data_set); + if (sp) + krb5_storage_free(sp); + if (ret) { + _gsskrb5_set_error_string(); + if (keyblock) { + krb5_free_keyblock(_gsskrb5_context, *keyblock); + } + + *minor_status = ret; + return GSS_S_FAILURE; + } + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_keyblock **keyblock) +{ + return gsskrb5_extract_key(minor_status, + context_handle, + GSS_KRB5_GET_SERVICE_KEYBLOCK_X, + keyblock); +} + +OM_uint32 +gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_keyblock **keyblock) +{ + return gsskrb5_extract_key(minor_status, + context_handle, + GSS_KRB5_GET_INITIATOR_SUBKEY_X, + keyblock); +} + +OM_uint32 +gsskrb5_get_subkey(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_keyblock **keyblock) +{ + return gsskrb5_extract_key(minor_status, + context_handle, + GSS_KRB5_GET_ACCEPTOR_SUBKEY_X, + keyblock); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c new file mode 100644 index 0000000000..3d01ba69d4 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c @@ -0,0 +1,324 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_mech_switch.c,v 1.2 2006/02/04 09:40:21 dfr Exp $ + */ + +#include "mech_locl.h" +#include <heim_threads.h> +RCSID("$Id: gss_mech_switch.c,v 1.7 2006/10/09 11:13:30 lha Exp $"); + +#ifndef _PATH_GSS_MECH +#define _PATH_GSS_MECH "/etc/gss/mech" +#endif + +struct _gss_mech_switch_list _gss_mechs = { NULL } ; +gss_OID_set _gss_mech_oids; +static HEIMDAL_MUTEX _gss_mech_mutex = HEIMDAL_MUTEX_INITIALIZER; + +/* + * Convert a string containing an OID in 'dot' form + * (e.g. 1.2.840.113554.1.2.2) to a gss_OID. + */ +static int +_gss_string_to_oid(const char* s, gss_OID oid) +{ + int number_count, i, j; + int byte_count; + const char *p, *q; + char *res; + + /* + * First figure out how many numbers in the oid, then + * calculate the compiled oid size. + */ + number_count = 0; + for (p = s; p; p = q) { + q = strchr(p, '.'); + if (q) q = q + 1; + number_count++; + } + + /* + * The first two numbers are in the first byte and each + * subsequent number is encoded in a variable byte sequence. + */ + if (number_count < 2) + return (EINVAL); + + /* + * We do this in two passes. The first pass, we just figure + * out the size. Second time around, we actually encode the + * number. + */ + res = 0; + for (i = 0; i < 2; i++) { + byte_count = 0; + for (p = s, j = 0; p; p = q, j++) { + unsigned int number = 0; + + /* + * Find the end of this number. + */ + q = strchr(p, '.'); + if (q) q = q + 1; + + /* + * Read the number of of the string. Don't + * bother with anything except base ten. + */ + while (*p && *p != '.') { + number = 10 * number + (*p - '0'); + p++; + } + + /* + * Encode the number. The first two numbers + * are packed into the first byte. Subsequent + * numbers are encoded in bytes seven bits at + * a time with the last byte having the high + * bit set. + */ + if (j == 0) { + if (res) + *res = number * 40; + } else if (j == 1) { + if (res) { + *res += number; + res++; + } + byte_count++; + } else if (j >= 2) { + /* + * The number is encoded in seven bit chunks. + */ + unsigned int t; + int bytes; + + bytes = 0; + for (t = number; t; t >>= 7) + bytes++; + if (bytes == 0) bytes = 1; + while (bytes) { + if (res) { + int bit = 7*(bytes-1); + + *res = (number >> bit) & 0x7f; + if (bytes != 1) + *res |= 0x80; + res++; + } + byte_count++; + bytes--; + } + } + } + if (!res) { + res = malloc(byte_count); + if (!res) + return (ENOMEM); + oid->length = byte_count; + oid->elements = res; + } + } + + return (0); +} + +#define SYM(name) \ +do { \ + m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \ + if (!m->gm_mech.gm_ ## name) { \ + fprintf(stderr, "can't find symbol gss_" #name "\n"); \ + goto bad; \ + } \ +} while (0) + +#define OPTSYM(name) \ +do { \ + m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \ +} while (0) + +/* + * + */ +static int +add_builtin(gssapi_mech_interface mech) +{ + struct _gss_mech_switch *m; + OM_uint32 minor_status; + + m = malloc(sizeof(*m)); + if (m == NULL) + return 1; + m->gm_so = NULL; + m->gm_mech = *mech; + m->gm_mech_oid = mech->gm_mech_oid; /* XXX */ + gss_add_oid_set_member(&minor_status, + &m->gm_mech.gm_mech_oid, &_gss_mech_oids); + + SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link); + return 0; +} + +/* + * Load the mechanisms file (/etc/gss/mech). + */ +void +_gss_load_mech(void) +{ + OM_uint32 major_status, minor_status; + FILE *fp; + char buf[256]; + char *p; + char *name, *oid, *lib, *kobj; + struct _gss_mech_switch *m; + void *so; + + + HEIMDAL_MUTEX_lock(&_gss_mech_mutex); + + if (SLIST_FIRST(&_gss_mechs)) { + HEIMDAL_MUTEX_unlock(&_gss_mech_mutex); + return; + } + + major_status = gss_create_empty_oid_set(&minor_status, + &_gss_mech_oids); + if (major_status) { + HEIMDAL_MUTEX_unlock(&_gss_mech_mutex); + return; + } + + add_builtin(__gss_krb5_initialize()); + add_builtin(__gss_spnego_initialize()); + + fp = fopen(_PATH_GSS_MECH, "r"); + if (!fp) { +/* perror(_PATH_GSS_MECH); */ + HEIMDAL_MUTEX_unlock(&_gss_mech_mutex); + return; + } + + while (fgets(buf, sizeof(buf), fp)) { + if (*buf == '#') + continue; + p = buf; + name = strsep(&p, "\t\n "); + if (p) while (isspace((unsigned char)*p)) p++; + oid = strsep(&p, "\t\n "); + if (p) while (isspace((unsigned char)*p)) p++; + lib = strsep(&p, "\t\n "); + if (p) while (isspace((unsigned char)*p)) p++; + kobj = strsep(&p, "\t\n "); + if (!name || !oid || !lib || !kobj) + continue; + +#ifndef RTLD_LOCAL +#define RTLD_LOCAL 0 +#endif + + so = dlopen(lib, RTLD_LOCAL); + if (!so) { +/* fprintf(stderr, "dlopen: %s\n", dlerror()); */ + continue; + } + + m = malloc(sizeof(*m)); + if (!m) + break; + m->gm_so = so; + if (_gss_string_to_oid(oid, &m->gm_mech.gm_mech_oid)) { + free(m); + continue; + } + + major_status = gss_add_oid_set_member(&minor_status, + &m->gm_mech.gm_mech_oid, &_gss_mech_oids); + if (major_status) { + free(m->gm_mech.gm_mech_oid.elements); + free(m); + continue; + } + + SYM(acquire_cred); + SYM(release_cred); + SYM(init_sec_context); + SYM(accept_sec_context); + SYM(process_context_token); + SYM(delete_sec_context); + SYM(context_time); + SYM(get_mic); + SYM(verify_mic); + SYM(wrap); + SYM(unwrap); + SYM(display_status); + SYM(indicate_mechs); + SYM(compare_name); + SYM(display_name); + SYM(import_name); + SYM(export_name); + SYM(release_name); + SYM(inquire_cred); + SYM(inquire_context); + SYM(wrap_size_limit); + SYM(add_cred); + SYM(inquire_cred_by_mech); + SYM(export_sec_context); + SYM(import_sec_context); + SYM(inquire_names_for_mech); + SYM(inquire_mechs_for_name); + SYM(canonicalize_name); + SYM(duplicate_name); + OPTSYM(inquire_cred_by_oid); + OPTSYM(inquire_sec_context_by_oid); + OPTSYM(set_sec_context_option); + OPTSYM(set_cred_option); + + SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link); + continue; + + bad: + free(m->gm_mech.gm_mech_oid.elements); + free(m); + dlclose(so); + continue; + } + fclose(fp); + HEIMDAL_MUTEX_unlock(&_gss_mech_mutex); +} + +gssapi_mech_interface +__gss_get_mechanism(gss_OID mech) +{ + struct _gss_mech_switch *m; + + _gss_load_mech(); + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (gss_oid_equal(&m->gm_mech.gm_mech_oid, mech)) + return &m->gm_mech; + } + return NULL; +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_names.c b/source4/heimdal/lib/gssapi/mech/gss_names.c new file mode 100644 index 0000000000..833c582006 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_names.c @@ -0,0 +1,105 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_names.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_names.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +struct _gss_mechanism_name * +_gss_find_mn(struct _gss_name *name, gss_OID mech) +{ + OM_uint32 major_status, minor_status; + gssapi_mech_interface m; + struct _gss_mechanism_name *mn; + + SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { + if (gss_oid_equal(mech, mn->gmn_mech_oid)) + break; + } + + if (!mn) { + /* + * If this name is canonical (i.e. there is only an + * MN but it is from a different mech), give up now. + */ + if (!name->gn_value.value) + return (0); + + m = __gss_get_mechanism(mech); + if (!m) + return (0); + + mn = malloc(sizeof(struct _gss_mechanism_name)); + if (!mn) + return (0); + + major_status = m->gm_import_name(&minor_status, + &name->gn_value, + (name->gn_type.elements + ? &name->gn_type : GSS_C_NO_OID), + &mn->gmn_name); + if (major_status) { + free(mn); + return (0); + } + + mn->gmn_mech = m; + mn->gmn_mech_oid = &m->gm_mech_oid; + SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); + } + return (mn); +} + +/* + * Make a name from an MN. + */ +struct _gss_name * +_gss_make_name(gssapi_mech_interface m, gss_name_t new_mn) +{ + struct _gss_name *name; + struct _gss_mechanism_name *mn; + + name = malloc(sizeof(struct _gss_name)); + if (!name) + return (0); + memset(name, 0, sizeof(struct _gss_name)); + + mn = malloc(sizeof(struct _gss_mechanism_name)); + if (!mn) { + free(name); + return (0); + } + + SLIST_INIT(&name->gn_mn); + mn->gmn_mech = m; + mn->gmn_mech_oid = &m->gm_mech_oid; + mn->gmn_name = new_mn; + SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); + + return (name); +} + diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c new file mode 100644 index 0000000000..1a8b811f37 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c @@ -0,0 +1,45 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_oid_equal.c,v 1.1 2006/06/28 09:07:08 lha Exp $"); + +int +gss_oid_equal(const gss_OID a, const gss_OID b) +{ + if (a == b) + return 1; + if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length) + return 0; + return memcmp(a->elements, b->elements, a->length) == 0; +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c b/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c new file mode 100644 index 0000000000..1e6f39979f --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c @@ -0,0 +1,42 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_process_context_token.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_process_context_token.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_process_context_token(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t token_buffer) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m = ctx->gc_mech; + + return (m->gm_process_context_token(minor_status, ctx->gc_ctx, + token_buffer)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c b/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c new file mode 100644 index 0000000000..66705bb40e --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c @@ -0,0 +1,44 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_release_buffer.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_release_buffer.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_release_buffer(OM_uint32 *minor_status, + gss_buffer_t buffer) +{ + + *minor_status = 0; + if (buffer->value) + free(buffer->value); + buffer->length = 0; + buffer->value = 0; + + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_cred.c b/source4/heimdal/lib/gssapi/mech/gss_release_cred.c new file mode 100644 index 0000000000..760621c861 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_release_cred.c @@ -0,0 +1,52 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_release_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_release_cred.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) +{ + struct _gss_cred *cred = (struct _gss_cred *) *cred_handle; + struct _gss_mechanism_cred *mc; + + if (*cred_handle == GSS_C_NO_CREDENTIAL) + return (GSS_S_COMPLETE); + + while (SLIST_FIRST(&cred->gc_mc)) { + mc = SLIST_FIRST(&cred->gc_mc); + SLIST_REMOVE_HEAD(&cred->gc_mc, gmc_link); + mc->gmc_mech->gm_release_cred(minor_status, &mc->gmc_cred); + free(mc); + } + free(cred); + + *minor_status = 0; + *cred_handle = 0; + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_name.c b/source4/heimdal/lib/gssapi/mech/gss_release_name.c new file mode 100644 index 0000000000..1286cd3b79 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_release_name.c @@ -0,0 +1,55 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_release_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_release_name.c,v 1.3 2006/10/22 07:59:06 lha Exp $"); + +OM_uint32 +gss_release_name(OM_uint32 *minor_status, + gss_name_t *input_name) +{ + struct _gss_name *name = (struct _gss_name *) *input_name; + + *minor_status = 0; + if (name) { + if (name->gn_type.elements) + free(name->gn_type.elements); + while (SLIST_FIRST(&name->gn_mn)) { + struct _gss_mechanism_name *mn; + mn = SLIST_FIRST(&name->gn_mn); + SLIST_REMOVE_HEAD(&name->gn_mn, gmn_link); + mn->gmn_mech->gm_release_name(minor_status, + &mn->gmn_name); + free(mn); + } + gss_release_buffer(minor_status, &name->gn_value); + free(name); + *input_name = GSS_C_NO_NAME; + } + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_oid.c b/source4/heimdal/lib/gssapi/mech/gss_release_oid.c new file mode 100644 index 0000000000..fc84fabd29 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_release_oid.c @@ -0,0 +1,59 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" + +RCSID("$Id: gss_release_oid.c,v 1.1 2006/06/30 09:34:54 lha Exp $"); + +OM_uint32 +gss_release_oid(OM_uint32 *minor_status, gss_OID *oid) +{ + gss_OID o = *oid; + + *oid = GSS_C_NO_OID; + + if (minor_status != NULL) + *minor_status = 0; + + if (o == GSS_C_NO_OID) + return GSS_S_COMPLETE; + + if (o->elements != NULL) { + free(o->elements); + o->elements = NULL; + } + o->length = 0; + free(o); + + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c b/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c new file mode 100644 index 0000000000..101657e4fb --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c @@ -0,0 +1,45 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_release_oid_set.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_release_oid_set.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_release_oid_set(OM_uint32 *minor_status, + gss_OID_set *set) +{ + + *minor_status = 0; + if (*set) { + if ((*set)->elements) + free((*set)->elements); + free(*set); + *set = 0; + } + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_seal.c b/source4/heimdal/lib/gssapi/mech/gss_seal.c new file mode 100644 index 0000000000..2f66f90d4f --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_seal.c @@ -0,0 +1,46 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_seal.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_seal.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_seal(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + int qop_req, + gss_buffer_t input_message_buffer, + int *conf_state, + gss_buffer_t output_message_buffer) +{ + + return (gss_wrap(minor_status, + context_handle, conf_req_flag, qop_req, + input_message_buffer, conf_state, + output_message_buffer)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c new file mode 100644 index 0000000000..f8e013da18 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c @@ -0,0 +1,115 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_set_cred_option.c,v 1.7 2006/07/01 08:50:49 lha Exp $"); + +OM_uint32 +gss_set_cred_option (OM_uint32 *minor_status, + gss_cred_id_t *cred_handle, + const gss_OID object, + const gss_buffer_t value) +{ + struct _gss_cred *cred = (struct _gss_cred *) *cred_handle; + OM_uint32 major_status = GSS_S_COMPLETE; + struct _gss_mechanism_cred *mc; + int one_ok = 0; + + *minor_status = 0; + + _gss_load_mech(); + + if (cred == NULL) { + struct _gss_mech_switch *m; + + cred = malloc(sizeof(*cred)); + if (cred == NULL) + return GSS_S_FAILURE; + + cred->gc_usage = GSS_C_BOTH; /* XXX */ + SLIST_INIT(&cred->gc_mc); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + + if (m->gm_mech.gm_set_cred_option == NULL) + continue; + + mc = malloc(sizeof(*mc)); + if (mc == NULL) { + /* XXX free the other mc's */ + return GSS_S_FAILURE; + } + + mc->gmc_mech = &m->gm_mech; + mc->gmc_mech_oid = &m->gm_mech_oid; + mc->gmc_cred = GSS_C_NO_CREDENTIAL; + + major_status = m->gm_mech.gm_set_cred_option( + minor_status, &mc->gmc_cred, object, value); + + if (major_status) { + free(mc); + continue; + } + one_ok = 1; + SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link); + } + *cred_handle = (gss_cred_id_t)cred; + if (!one_ok) { + OM_uint32 junk; + gss_release_cred(&junk, cred_handle); + } + } else { + gssapi_mech_interface m; + + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + m = mc->gmc_mech; + + if (m == NULL) + return GSS_S_BAD_MECH; + + if (m->gm_set_cred_option == NULL) + continue; + + major_status = m->gm_set_cred_option(minor_status, + &mc->gmc_cred, object, value); + if (major_status == GSS_S_BAD_MECH) + one_ok = 1; + } + } + if (one_ok) { + *minor_status = 0; + return GSS_S_COMPLETE; + } + return major_status; +} + diff --git a/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c b/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c new file mode 100644 index 0000000000..aa562a23b6 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "mech_locl.h" +RCSID("$Id: gss_set_sec_context_option.c,v 1.2 2006/06/28 14:39:00 lha Exp $"); + +OM_uint32 +gss_set_sec_context_option (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID object, + const gss_buffer_t value) +{ + struct _gss_context *ctx; + OM_uint32 major_status; + gssapi_mech_interface m; + + *minor_status = 0; + + if (context_handle == NULL) + return GSS_S_NO_CONTEXT; + + ctx = (struct _gss_context *) *context_handle; + + if (ctx == NULL) + return GSS_S_NO_CONTEXT; + + m = ctx->gc_mech; + + if (m == NULL) + return GSS_S_BAD_MECH; + + if (m->gm_set_sec_context_option != NULL) + major_status = m->gm_set_sec_context_option(minor_status, + &ctx->gc_ctx, object, value); + else + major_status = GSS_S_BAD_MECH; + + return major_status; +} + diff --git a/source4/heimdal/lib/gssapi/mech/gss_sign.c b/source4/heimdal/lib/gssapi/mech/gss_sign.c new file mode 100644 index 0000000000..8c854e5e43 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_sign.c @@ -0,0 +1,42 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_sign.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_sign.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_sign(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int qop_req, + gss_buffer_t message_buffer, + gss_buffer_t message_token) +{ + + return gss_get_mic(minor_status, + context_handle, qop_req, message_buffer, message_token); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c new file mode 100644 index 0000000000..a71a8b7c92 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c @@ -0,0 +1,47 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_test_oid_set_member.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_test_oid_set_member.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_test_oid_set_member(OM_uint32 *minor_status, + const gss_OID member, + const gss_OID_set set, + int *present) +{ + int i; + + *present = 0; + for (i = 0; i < set->count; i++) + if (gss_oid_equal(member, &set->elements[i])) + *present = 1; + + *minor_status = 0; + return (GSS_S_COMPLETE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_unseal.c b/source4/heimdal/lib/gssapi/mech/gss_unseal.c new file mode 100644 index 0000000000..128dc7883c --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_unseal.c @@ -0,0 +1,44 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_unseal.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_unseal.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_unseal(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + gss_buffer_t input_message_buffer, + gss_buffer_t output_message_buffer, + int *conf_state, + int *qop_state) +{ + + return (gss_unwrap(minor_status, + context_handle, input_message_buffer, + output_message_buffer, conf_state, (gss_qop_t *)qop_state)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_unwrap.c b/source4/heimdal/lib/gssapi/mech/gss_unwrap.c new file mode 100644 index 0000000000..1c9484b18d --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_unwrap.c @@ -0,0 +1,46 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_unwrap.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_unwrap.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_unwrap(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t input_message_buffer, + gss_buffer_t output_message_buffer, + int *conf_state, + gss_qop_t *qop_state) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m = ctx->gc_mech; + + return (m->gm_unwrap(minor_status, ctx->gc_ctx, + input_message_buffer, output_message_buffer, + conf_state, qop_state)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_utils.c b/source4/heimdal/lib/gssapi/mech/gss_utils.c new file mode 100644 index 0000000000..33ee033209 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_utils.c @@ -0,0 +1,66 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_utils.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_utils.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +_gss_copy_oid(OM_uint32 *minor_status, + const gss_OID from_oid, gss_OID to_oid) +{ + size_t len = from_oid->length; + + *minor_status = 0; + to_oid->elements = malloc(len); + if (!to_oid->elements) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + to_oid->length = len; + memcpy(to_oid->elements, from_oid->elements, len); + return (GSS_S_COMPLETE); +} + + +OM_uint32 +_gss_copy_buffer(OM_uint32 *minor_status, + const gss_buffer_t from_buf, gss_buffer_t to_buf) +{ + size_t len = from_buf->length; + + *minor_status = 0; + to_buf->value = malloc(len); + if (!to_buf->value) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + to_buf->length = len; + memcpy(to_buf->value, from_buf->value, len); + return (GSS_S_COMPLETE); +} + diff --git a/source4/heimdal/lib/gssapi/mech/gss_verify.c b/source4/heimdal/lib/gssapi/mech/gss_verify.c new file mode 100644 index 0000000000..a99d17e2d7 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_verify.c @@ -0,0 +1,43 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_verify.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_verify.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_verify(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + gss_buffer_t message_buffer, + gss_buffer_t token_buffer, + int *qop_state) +{ + + return (gss_verify_mic(minor_status, + context_handle, message_buffer, token_buffer, + (gss_qop_t *)qop_state)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c b/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c new file mode 100644 index 0000000000..b51ed7a8c4 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c @@ -0,0 +1,44 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_verify_mic.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_verify_mic.c,v 1.2 2006/06/28 09:00:25 lha Exp $"); + +OM_uint32 +gss_verify_mic(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t message_buffer, + const gss_buffer_t token_buffer, + gss_qop_t *qop_state) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m = ctx->gc_mech; + + return (m->gm_verify_mic(minor_status, ctx->gc_ctx, + message_buffer, token_buffer, qop_state)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap.c b/source4/heimdal/lib/gssapi/mech/gss_wrap.c new file mode 100644 index 0000000000..a97ec1308f --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_wrap.c @@ -0,0 +1,47 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_wrap.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_wrap.c,v 1.2 2006/06/28 09:00:26 lha Exp $"); + +OM_uint32 +gss_wrap(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + const gss_buffer_t input_message_buffer, + int *conf_state, + gss_buffer_t output_message_buffer) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m = ctx->gc_mech; + + return (m->gm_wrap(minor_status, ctx->gc_ctx, + conf_req_flag, qop_req, input_message_buffer, + conf_state, output_message_buffer)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c new file mode 100644 index 0000000000..27493aa90d --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c @@ -0,0 +1,45 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/gss_wrap_size_limit.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" +RCSID("$Id: gss_wrap_size_limit.c,v 1.2 2006/06/28 09:00:26 lha Exp $"); + +OM_uint32 +gss_wrap_size_limit(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + OM_uint32 req_output_size, + OM_uint32 *max_input_size) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m = ctx->gc_mech; + + return (m->gm_wrap_size_limit(minor_status, ctx->gc_ctx, + conf_req_flag, qop_req, req_output_size, max_input_size)); +} diff --git a/source4/heimdal/lib/gssapi/mech/gssapi.asn1 b/source4/heimdal/lib/gssapi/mech/gssapi.asn1 new file mode 100644 index 0000000000..544618b7d4 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gssapi.asn1 @@ -0,0 +1,12 @@ +-- $Id: gssapi.asn1,v 1.3 2006/10/18 21:08:19 lha Exp $ + +GSS-API DEFINITIONS ::= BEGIN + +IMPORTS heim_any_set FROM heim; + +GSSAPIContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE { + thisMech OBJECT IDENTIFIER, + innerContextToken heim_any_set +} + +END
\ No newline at end of file diff --git a/source4/heimdal/lib/gssapi/mech/mech_locl.h b/source4/heimdal/lib/gssapi/mech/mech_locl.h new file mode 100644 index 0000000000..f5db15c5fa --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/mech_locl.h @@ -0,0 +1,63 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: mech_locl.h,v 1.4 2006/10/07 18:25:27 lha Exp $ */ + +#include <config.h> + +#include <krb5-types.h> + +#include <sys/types.h> + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <ctype.h> +#include <dlfcn.h> +#include <errno.h> + +#include <gssapi_asn1.h> +#include <der.h> + +#include <roken.h> + +#include <gssapi.h> +#include <gssapi_mech.h> + +#include "mechqueue.h" + +#include "context.h" +#include "cred.h" +#include "mech_switch.h" +#include "name.h" +#include "utils.h" diff --git a/source4/heimdal/lib/gssapi/mech/mech_switch.h b/source4/heimdal/lib/gssapi/mech/mech_switch.h new file mode 100644 index 0000000000..0984d36ef3 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/mech_switch.h @@ -0,0 +1,42 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/mech_switch.h,v 1.1 2005/12/29 14:40:20 dfr Exp $ + * $Id: mech_switch.h,v 1.3 2006/10/05 18:31:53 lha Exp $ + */ + +#include <gssapi_mech.h> + +struct _gss_mech_switch { + SLIST_ENTRY(_gss_mech_switch) gm_link; + gss_OID_desc gm_mech_oid; + void *gm_so; + gssapi_mech_interface_desc gm_mech; +}; +SLIST_HEAD(_gss_mech_switch_list, _gss_mech_switch); +extern struct _gss_mech_switch_list _gss_mechs; +extern gss_OID_set _gss_mech_oids; + +void _gss_load_mech(void); diff --git a/source4/heimdal/lib/gssapi/mech/mechqueue.h b/source4/heimdal/lib/gssapi/mech/mechqueue.h new file mode 100644 index 0000000000..8434b76c00 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/mechqueue.h @@ -0,0 +1,101 @@ +/* $NetBSD: queue.h,v 1.39 2004/04/18 14:25:34 lukem Exp $ */ + +/* + * Copyright (c) 1991, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)queue.h 8.5 (Berkeley) 8/20/94 + */ + +#ifndef _MECHQUEUE_H_ +#define _MECHQUEUE_H_ + +#ifndef SLIST_HEAD + +/* + * Singly-linked List definitions. + */ +#define SLIST_HEAD(name, type) \ +struct name { \ + struct type *slh_first; /* first element */ \ +} + +#define SLIST_HEAD_INITIALIZER(head) \ + { NULL } + +#define SLIST_ENTRY(type) \ +struct { \ + struct type *sle_next; /* next element */ \ +} + +/* + * Singly-linked List functions. + */ +#define SLIST_INIT(head) do { \ + (head)->slh_first = NULL; \ +} while (/*CONSTCOND*/0) + +#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \ + (elm)->field.sle_next = (slistelm)->field.sle_next; \ + (slistelm)->field.sle_next = (elm); \ +} while (/*CONSTCOND*/0) + +#define SLIST_INSERT_HEAD(head, elm, field) do { \ + (elm)->field.sle_next = (head)->slh_first; \ + (head)->slh_first = (elm); \ +} while (/*CONSTCOND*/0) + +#define SLIST_REMOVE_HEAD(head, field) do { \ + (head)->slh_first = (head)->slh_first->field.sle_next; \ +} while (/*CONSTCOND*/0) + +#define SLIST_REMOVE(head, elm, type, field) do { \ + if ((head)->slh_first == (elm)) { \ + SLIST_REMOVE_HEAD((head), field); \ + } \ + else { \ + struct type *curelm = (head)->slh_first; \ + while(curelm->field.sle_next != (elm)) \ + curelm = curelm->field.sle_next; \ + curelm->field.sle_next = \ + curelm->field.sle_next->field.sle_next; \ + } \ +} while (/*CONSTCOND*/0) + +#define SLIST_FOREACH(var, head, field) \ + for((var) = (head)->slh_first; (var); (var) = (var)->field.sle_next) + +/* + * Singly-linked List access methods. + */ +#define SLIST_EMPTY(head) ((head)->slh_first == NULL) +#define SLIST_FIRST(head) ((head)->slh_first) +#define SLIST_NEXT(elm, field) ((elm)->field.sle_next) + +#endif /* SLIST_HEAD */ + +#endif /* !_MECHQUEUE_H_ */ diff --git a/source4/heimdal/lib/gssapi/mech/name.h b/source4/heimdal/lib/gssapi/mech/name.h new file mode 100644 index 0000000000..3e7443ba20 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/name.h @@ -0,0 +1,47 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/name.h,v 1.1 2005/12/29 14:40:20 dfr Exp $ + * $Id: name.h,v 1.4 2006/10/05 18:36:07 lha Exp $ + */ + +struct _gss_mechanism_name { + SLIST_ENTRY(_gss_mechanism_name) gmn_link; + gssapi_mech_interface gmn_mech; /* mechanism ops for MN */ + gss_OID gmn_mech_oid; /* mechanism oid for MN */ + gss_name_t gmn_name; /* underlying MN */ +}; +SLIST_HEAD(_gss_mechanism_name_list, _gss_mechanism_name); + +struct _gss_name { + gss_OID_desc gn_type; /* type of name */ + gss_buffer_desc gn_value; /* value (as imported) */ + struct _gss_mechanism_name_list gn_mn; /* list of MNs */ +}; + +struct _gss_mechanism_name * + _gss_find_mn(struct _gss_name *name, gss_OID mech); +struct _gss_name * + _gss_make_name(gssapi_mech_interface m, gss_name_t new_mn); diff --git a/source4/heimdal/lib/gssapi/mech/utils.h b/source4/heimdal/lib/gssapi/mech/utils.h new file mode 100644 index 0000000000..75a507298c --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/utils.h @@ -0,0 +1,32 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libgssapi/utils.h,v 1.1 2005/12/29 14:40:20 dfr Exp $ + * $Id: utils.h,v 1.3 2006/07/20 01:48:25 lha Exp $ + */ + +OM_uint32 _gss_copy_oid(OM_uint32 *, const gss_OID, gss_OID); +OM_uint32 _gss_copy_buffer(OM_uint32 *minor_status, + const gss_buffer_t from_buf, gss_buffer_t to_buf); diff --git a/source4/heimdal/lib/gssapi/spnego.asn1 b/source4/heimdal/lib/gssapi/spnego.asn1 deleted file mode 100755 index 5dc767cf76..0000000000 --- a/source4/heimdal/lib/gssapi/spnego.asn1 +++ /dev/null @@ -1,42 +0,0 @@ --- $Id: spnego.asn1,v 1.4 2004/03/07 13:38:08 lha Exp $ - -SPNEGO DEFINITIONS ::= -BEGIN - -MechType::= OBJECT IDENTIFIER - -MechTypeList ::= SEQUENCE OF MechType - -ContextFlags ::= BIT STRING { - delegFlag (0), - mutualFlag (1), - replayFlag (2), - sequenceFlag (3), - anonFlag (4), - confFlag (5), - integFlag (6) -} - -NegTokenInit ::= SEQUENCE { - mechTypes [0] MechTypeList OPTIONAL, - reqFlags [1] ContextFlags OPTIONAL, - mechToken [2] OCTET STRING OPTIONAL, - mechListMIC [3] OCTET STRING OPTIONAL - } - -NegTokenTarg ::= SEQUENCE { - negResult [0] ENUMERATED { - accept_completed (0), - accept_incomplete (1), - reject (2) } OPTIONAL, - supportedMech [1] MechType OPTIONAL, - responseToken [2] OCTET STRING OPTIONAL, - mechListMIC [3] OCTET STRING OPTIONAL -} - -NegotiationToken ::= CHOICE { - negTokenInit[0] NegTokenInit, - negTokenTarg[1] NegTokenTarg -} - -END diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c new file mode 100644 index 0000000000..8a885a3e2f --- /dev/null +++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c @@ -0,0 +1,873 @@ +/* + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * Portions Copyright (c) 2004 PADL Software Pty Ltd. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "spnego/spnego_locl.h" + +RCSID("$Id: accept_sec_context.c,v 1.6 2006/10/07 22:26:57 lha Exp $"); + +OM_uint32 +_gss_spnego_encode_response(OM_uint32 *minor_status, + const NegTokenResp *resp, + gss_buffer_t data, + u_char **ret_buf) +{ + OM_uint32 ret; + u_char *buf; + size_t buf_size, buf_len; + + buf_size = 1024; + buf = malloc(buf_size); + if (buf == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + do { + ret = encode_NegTokenResp(buf + buf_size - 1, + buf_size, + resp, &buf_len); + if (ret == 0) { + size_t tmp; + + ret = der_put_length_and_tag(buf + buf_size - buf_len - 1, + buf_size - buf_len, + buf_len, + ASN1_C_CONTEXT, + CONS, + 1, + &tmp); + if (ret == 0) + buf_len += tmp; + } + if (ret) { + if (ret == ASN1_OVERFLOW) { + u_char *tmp; + + buf_size *= 2; + tmp = realloc (buf, buf_size); + if (tmp == NULL) { + *minor_status = ENOMEM; + free(buf); + return GSS_S_FAILURE; + } + buf = tmp; + } else { + *minor_status = ret; + free(buf); + return GSS_S_FAILURE; + } + } + } while (ret == ASN1_OVERFLOW); + + data->value = buf + buf_size - buf_len; + data->length = buf_len; + *ret_buf = buf; + + return GSS_S_COMPLETE; +} + +static OM_uint32 +send_reject (OM_uint32 *minor_status, + gss_buffer_t output_token) +{ + NegTokenResp resp; + gss_buffer_desc data; + u_char *buf; + OM_uint32 ret; + + ALLOC(resp.negResult, 1); + if (resp.negResult == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + *(resp.negResult) = reject; + resp.supportedMech = NULL; + resp.responseToken = NULL; + resp.mechListMIC = NULL; + + ret = _gss_spnego_encode_response (minor_status, &resp, &data, &buf); + free_NegTokenResp(&resp); + if (ret != GSS_S_COMPLETE) + return ret; + + output_token->value = malloc(data.length); + if (output_token->value == NULL) { + *minor_status = ENOMEM; + ret = GSS_S_FAILURE; + } else { + output_token->length = data.length; + memcpy(output_token->value, data.value, output_token->length); + } + free(buf); + if (ret != GSS_S_COMPLETE) + return ret; + return GSS_S_BAD_MECH; +} + +OM_uint32 +_gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status, + int includeMSCompatOID, + const gssspnego_cred cred_handle, + MechTypeList *mechtypelist, + gss_OID *preferred_mech) +{ + OM_uint32 ret; + gss_OID_set supported_mechs = GSS_C_NO_OID_SET; + int i, count; + + if (cred_handle != NULL) { + ret = gss_inquire_cred(minor_status, + cred_handle->negotiated_cred_id, + NULL, + NULL, + NULL, + &supported_mechs); + } else { + ret = gss_indicate_mechs(minor_status, &supported_mechs); + } + + if (ret != GSS_S_COMPLETE) { + return ret; + } + + if (supported_mechs->count == 0) { + *minor_status = ENOENT; + gss_release_oid_set(minor_status, &supported_mechs); + return GSS_S_FAILURE; + } + + count = supported_mechs->count; + if (includeMSCompatOID) + count++; + + mechtypelist->len = 0; + mechtypelist->val = calloc(count, sizeof(MechType)); + if (mechtypelist->val == NULL) { + *minor_status = ENOMEM; + gss_release_oid_set(minor_status, &supported_mechs); + return GSS_S_FAILURE; + } + + for (i = 0; i < supported_mechs->count; i++) { + ret = _gss_spnego_add_mech_type(&supported_mechs->elements[i], + includeMSCompatOID, + mechtypelist); + if (ret != 0) { + *minor_status = ENOMEM; + ret = GSS_S_FAILURE; + break; + } + } + + if (ret == GSS_S_COMPLETE && preferred_mech != NULL) { + ret = gss_duplicate_oid(minor_status, + &supported_mechs->elements[0], + preferred_mech); + } + + if (ret != GSS_S_COMPLETE) { + free_MechTypeList(mechtypelist); + mechtypelist->len = 0; + mechtypelist->val = NULL; + } + gss_release_oid_set(minor_status, &supported_mechs); + + return ret; +} + +static OM_uint32 +send_supported_mechs (OM_uint32 *minor_status, + gss_buffer_t output_token) +{ + NegTokenInit ni; + char hostname[MAXHOSTNAMELEN], *p; + gss_buffer_desc name_buf; + gss_OID name_type; + gss_name_t target_princ; + gss_name_t canon_princ; + OM_uint32 ret, minor; + u_char *buf; + size_t buf_size, buf_len; + gss_buffer_desc data; + + memset(&ni, 0, sizeof(ni)); + + ni.reqFlags = NULL; + ni.mechToken = NULL; + ni.negHints = NULL; + ni.mechListMIC = NULL; + + ret = _gss_spnego_indicate_mechtypelist(minor_status, 1, + NULL, + &ni.mechTypes, NULL); + if (ret != GSS_S_COMPLETE) { + return ret; + } + + memset(&target_princ, 0, sizeof(target_princ)); + if (gethostname(hostname, sizeof(hostname) - 1) != 0) { + *minor_status = errno; + free_NegTokenInit(&ni); + return GSS_S_FAILURE; + } + + /* Send the constructed SAM name for this host */ + for (p = hostname; *p != '\0' && *p != '.'; p++) { + *p = toupper((unsigned char)*p); + } + *p++ = '$'; + *p = '\0'; + + name_buf.length = strlen(hostname); + name_buf.value = hostname; + + ret = gss_import_name(minor_status, &name_buf, + GSS_C_NO_OID, + &target_princ); + if (ret != GSS_S_COMPLETE) { + return ret; + } + + name_buf.length = 0; + name_buf.value = NULL; + + /* Canonicalize the name using the preferred mechanism */ + ret = gss_canonicalize_name(minor_status, + target_princ, + GSS_C_NO_OID, + &canon_princ); + if (ret != GSS_S_COMPLETE) { + gss_release_name(&minor, &target_princ); + return ret; + } + + ret = gss_display_name(minor_status, canon_princ, + &name_buf, &name_type); + if (ret != GSS_S_COMPLETE) { + gss_release_name(&minor, &canon_princ); + gss_release_name(&minor, &target_princ); + return ret; + } + + gss_release_name(&minor, &canon_princ); + gss_release_name(&minor, &target_princ); + + ALLOC(ni.negHints, 1); + if (ni.negHints == NULL) { + *minor_status = ENOMEM; + gss_release_buffer(&minor, &name_buf); + free_NegTokenInit(&ni); + return GSS_S_FAILURE; + } + + ALLOC(ni.negHints->hintName, 1); + if (ni.negHints->hintName == NULL) { + *minor_status = ENOMEM; + gss_release_buffer(&minor, &name_buf); + free_NegTokenInit(&ni); + return GSS_S_FAILURE; + } + + *(ni.negHints->hintName) = name_buf.value; + name_buf.value = NULL; + ni.negHints->hintAddress = NULL; + + buf_size = 1024; + buf = malloc(buf_size); + if (buf == NULL) { + free_NegTokenInit(&ni); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + do { + ret = encode_NegTokenInit(buf + buf_size - 1, + buf_size, + &ni, &buf_len); + if (ret == 0) { + size_t tmp; + + ret = der_put_length_and_tag(buf + buf_size - buf_len - 1, + buf_size - buf_len, + buf_len, + ASN1_C_CONTEXT, + CONS, + 0, + &tmp); + if (ret == 0) + buf_len += tmp; + } + if (ret) { + if (ret == ASN1_OVERFLOW) { + u_char *tmp; + + buf_size *= 2; + tmp = realloc (buf, buf_size); + if (tmp == NULL) { + *minor_status = ENOMEM; + free(buf); + free_NegTokenInit(&ni); + return GSS_S_FAILURE; + } + buf = tmp; + } else { + *minor_status = ret; + free(buf); + free_NegTokenInit(&ni); + return GSS_S_FAILURE; + } + } + } while (ret == ASN1_OVERFLOW); + + data.value = buf + buf_size - buf_len; + data.length = buf_len; + + ret = gss_encapsulate_token(&data, + GSS_SPNEGO_MECHANISM, + output_token); + free (buf); + free_NegTokenInit (&ni); + + if (ret != GSS_S_COMPLETE) + return ret; + + *minor_status = 0; + + return GSS_S_CONTINUE_NEEDED; +} + +static OM_uint32 +send_accept (OM_uint32 *minor_status, + gssspnego_ctx context_handle, + gss_buffer_t mech_token, + int initial_response, + gss_buffer_t mech_buf, + gss_buffer_t output_token) +{ + NegTokenResp resp; + gss_buffer_desc data; + u_char *buf; + OM_uint32 ret; + gss_buffer_desc mech_mic_buf; + + memset(&resp, 0, sizeof(resp)); + + ALLOC(resp.negResult, 1); + if (resp.negResult == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + if (context_handle->open) { + if (mech_token != GSS_C_NO_BUFFER + && mech_token->length != 0 + && mech_buf != GSS_C_NO_BUFFER) + *(resp.negResult) = accept_incomplete; + else + *(resp.negResult) = accept_completed; + } else { + if (initial_response && context_handle->require_mic) + *(resp.negResult) = request_mic; + else + *(resp.negResult) = accept_incomplete; + } + + if (initial_response) { + ALLOC(resp.supportedMech, 1); + if (resp.supportedMech == NULL) { + free_NegTokenResp(&resp); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + ret = der_get_oid(context_handle->preferred_mech_type->elements, + context_handle->preferred_mech_type->length, + resp.supportedMech, + NULL); + if (ret) { + free_NegTokenResp(&resp); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + } else { + resp.supportedMech = NULL; + } + + if (mech_token != GSS_C_NO_BUFFER && mech_token->length != 0) { + ALLOC(resp.responseToken, 1); + if (resp.responseToken == NULL) { + free_NegTokenResp(&resp); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + resp.responseToken->length = mech_token->length; + resp.responseToken->data = mech_token->value; + mech_token->length = 0; + mech_token->value = NULL; + } else { + resp.responseToken = NULL; + } + + if (mech_buf != GSS_C_NO_BUFFER) { + ALLOC(resp.mechListMIC, 1); + if (resp.mechListMIC == NULL) { + free_NegTokenResp(&resp); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + ret = gss_get_mic(minor_status, + context_handle->negotiated_ctx_id, + 0, + mech_buf, + &mech_mic_buf); + if (ret != GSS_S_COMPLETE) { + free_NegTokenResp(&resp); + return ret; + } + + resp.mechListMIC->length = mech_mic_buf.length; + resp.mechListMIC->data = mech_mic_buf.value; + } else + resp.mechListMIC = NULL; + + ret = _gss_spnego_encode_response (minor_status, &resp, &data, &buf); + if (ret != GSS_S_COMPLETE) { + free_NegTokenResp(&resp); + return ret; + } + + /* + * The response should not be encapsulated, because + * it is a SubsequentContextToken (note though RFC 1964 + * specifies encapsulation for all _Kerberos_ tokens). + */ + output_token->value = malloc(data.length); + if (output_token->value == NULL) { + *minor_status = ENOMEM; + ret = GSS_S_FAILURE; + } else { + output_token->length = data.length; + memcpy(output_token->value, data.value, output_token->length); + } + free(buf); + if (ret != GSS_S_COMPLETE) { + free_NegTokenResp(&resp); + return ret; + } + + ret = (*(resp.negResult) == accept_completed) ? GSS_S_COMPLETE : + GSS_S_CONTINUE_NEEDED; + free_NegTokenResp(&resp); + return ret; +} + + +static OM_uint32 +verify_mechlist_mic + (OM_uint32 *minor_status, + gssspnego_ctx context_handle, + gss_buffer_t mech_buf, + heim_octet_string *mechListMIC + ) +{ + OM_uint32 ret; + gss_buffer_desc mic_buf; + + if (context_handle->verified_mic) { + /* This doesn't make sense, we've already verified it? */ + *minor_status = 0; + return GSS_S_DUPLICATE_TOKEN; + } + + if (mechListMIC == NULL) { + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; + } + + mic_buf.length = mechListMIC->length; + mic_buf.value = mechListMIC->data; + + ret = gss_verify_mic(minor_status, + context_handle->negotiated_ctx_id, + mech_buf, + &mic_buf, + NULL); + + if (ret != GSS_S_COMPLETE) + ret = GSS_S_DEFECTIVE_TOKEN; + + return ret; +} + +OM_uint32 +_gss_spnego_accept_sec_context + (OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_cred_id_t acceptor_cred_handle, + const gss_buffer_t input_token_buffer, + const gss_channel_bindings_t input_chan_bindings, + gss_name_t * src_name, + gss_OID * mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec, + gss_cred_id_t *delegated_cred_handle + ) +{ + OM_uint32 ret, ret2, minor; + NegTokenInit ni; + NegTokenResp na; + size_t ni_len, na_len; + int i; + gss_buffer_desc data; + size_t len, taglen; + int initialToken; + unsigned int negResult = accept_incomplete; + gss_buffer_t mech_input_token = GSS_C_NO_BUFFER; + gss_buffer_t mech_output_token = GSS_C_NO_BUFFER; + gss_buffer_desc mech_buf; + gss_OID preferred_mech_type = GSS_C_NO_OID; + gssspnego_ctx ctx; + gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle; + + *minor_status = 0; + + output_token->length = 0; + output_token->value = NULL; + + if (src_name != NULL) + *src_name = GSS_C_NO_NAME; + + if (mech_type != NULL) + *mech_type = GSS_C_NO_OID; + + if (ret_flags != NULL) + *ret_flags = 0; + + if (time_rec != NULL) + *time_rec = 0; + + if (delegated_cred_handle != NULL) + *delegated_cred_handle = GSS_C_NO_CREDENTIAL; + + mech_buf.value = NULL; + + if (*context_handle == GSS_C_NO_CONTEXT) { + ret = _gss_spnego_alloc_sec_context(minor_status, + context_handle); + if (ret != GSS_S_COMPLETE) + return ret; + + if (input_token_buffer->length == 0) { + return send_supported_mechs (minor_status, + output_token); + } + } + + ctx = (gssspnego_ctx)*context_handle; + + /* + * The GSS-API encapsulation is only present on the initial + * context token (negTokenInit). + */ + ret = gss_decapsulate_token (input_token_buffer, + GSS_SPNEGO_MECHANISM, + &data); + initialToken = (ret == GSS_S_COMPLETE); + + if (!initialToken) { + data.value = input_token_buffer->value; + data.length = input_token_buffer->length; + } + + ret = der_match_tag_and_length(data.value, data.length, + ASN1_C_CONTEXT, CONS, + initialToken ? 0 : 1, + &len, &taglen); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + if (len > data.length - taglen) { + *minor_status = ASN1_OVERRUN; + return GSS_S_FAILURE; + } + + if (initialToken) { + ret = decode_NegTokenInit((const unsigned char *)data.value + taglen, + len, &ni, &ni_len); + } else { + ret = decode_NegTokenResp((const unsigned char *)data.value + taglen, + len, &na, &na_len); + } + if (ret) { + *minor_status = ret; + return GSS_S_DEFECTIVE_TOKEN; + } + + if (!initialToken && na.negResult != NULL) { + negResult = *(na.negResult); + } + + if (negResult == reject || negResult == request_mic) { + /* request_mic should only be sent by acceptor */ + free_NegTokenResp(&na); + return GSS_S_DEFECTIVE_TOKEN; + } + + if (initialToken) { + for (i = 0; i < ni.mechTypes.len; ++i) { + /* Call glue layer to find first mech we support */ + ret = _gss_spnego_select_mech(minor_status, &ni.mechTypes.val[i], + &preferred_mech_type); + if (ret == 0) + break; + } + if (preferred_mech_type == GSS_C_NO_OID) { + free_NegTokenInit(&ni); + return GSS_S_BAD_MECH; + } + } + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + if (initialToken) { + ctx->preferred_mech_type = preferred_mech_type; + ctx->initiator_mech_types.len = ni.mechTypes.len; + ctx->initiator_mech_types.val = ni.mechTypes.val; + ni.mechTypes.len = 0; + ni.mechTypes.val = NULL; + } + + { + gss_buffer_desc ibuf, obuf; + int require_mic, verify_mic, get_mic; + int require_response; + heim_octet_string *mic; + + if (initialToken) { + if (ni.mechToken != NULL) { + ibuf.length = ni.mechToken->length; + ibuf.value = ni.mechToken->data; + mech_input_token = &ibuf; + } + } else { + if (na.responseToken != NULL) { + ibuf.length = na.responseToken->length; + ibuf.value = na.responseToken->data; + mech_input_token = &ibuf; + } + } + + if (mech_input_token != GSS_C_NO_BUFFER) { + gss_cred_id_t mech_cred; + gss_cred_id_t mech_delegated_cred; + gss_cred_id_t *mech_delegated_cred_p; + + if (acceptor_cred != NULL) + mech_cred = acceptor_cred->negotiated_cred_id; + else + mech_cred = GSS_C_NO_CREDENTIAL; + + if (delegated_cred_handle != NULL) { + mech_delegated_cred = GSS_C_NO_CREDENTIAL; + mech_delegated_cred_p = &mech_delegated_cred; + } else { + mech_delegated_cred_p = NULL; + } + + if (ctx->mech_src_name != GSS_C_NO_NAME) + gss_release_name(&minor, &ctx->mech_src_name); + + if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL) + _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id); + + ret = gss_accept_sec_context(&minor, + &ctx->negotiated_ctx_id, + mech_cred, + mech_input_token, + input_chan_bindings, + &ctx->mech_src_name, + &ctx->negotiated_mech_type, + &obuf, + &ctx->mech_flags, + &ctx->mech_time_rec, + mech_delegated_cred_p); + if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { + if (mech_delegated_cred_p != NULL && + mech_delegated_cred != GSS_C_NO_CREDENTIAL) { + ret2 = _gss_spnego_alloc_cred(minor_status, + mech_delegated_cred, + &ctx->delegated_cred_id); + if (ret2 != GSS_S_COMPLETE) + ret = ret2; + } + mech_output_token = &obuf; + } + if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) { + if (initialToken) + free_NegTokenInit(&ni); + else + free_NegTokenResp(&na); + send_reject (minor_status, output_token); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + return ret; + } + if (ret == GSS_S_COMPLETE) + ctx->open = 1; + } else + ret = GSS_S_COMPLETE; + + ret2 = _gss_spnego_require_mechlist_mic(minor_status, + ctx, + &require_mic); + if (ret2) + goto out; + + ctx->require_mic = require_mic; + + mic = initialToken ? ni.mechListMIC : na.mechListMIC; + if (mic != NULL) + require_mic = 1; + + if (ctx->open && require_mic) { + if (mech_input_token == GSS_C_NO_BUFFER) { /* Even/One */ + verify_mic = 1; + get_mic = 0; + } else if (mech_output_token != GSS_C_NO_BUFFER && + mech_output_token->length == 0) { /* Odd */ + get_mic = verify_mic = 1; + } else { /* Even/One */ + verify_mic = 0; + get_mic = 1; + } + + if (verify_mic || get_mic) { + int eret; + size_t buf_len; + + ASN1_MALLOC_ENCODE(MechTypeList, + mech_buf.value, mech_buf.length, + &ctx->initiator_mech_types, &buf_len, eret); + if (eret) { + ret2 = GSS_S_FAILURE; + *minor_status = eret; + goto out; + } + if (mech_buf.length != buf_len) + abort(); + } + + if (verify_mic) { + ret2 = verify_mechlist_mic(minor_status, ctx, &mech_buf, mic); + if (ret2) { + if (get_mic) + send_reject (minor_status, output_token); + goto out; + } + + ctx->verified_mic = 1; + } + } else + verify_mic = get_mic = 0; + + if (ctx->mech_flags & GSS_C_DCE_STYLE) + require_response = (negResult != accept_completed); + else + require_response = 0; + + /* + * Check whether we need to send a result: there should be only + * one accept_completed response sent in the entire negotiation + */ + if ((mech_output_token != GSS_C_NO_BUFFER && + mech_output_token->length != 0) + || require_response + || get_mic) { + ret2 = send_accept (minor_status, + ctx, + mech_output_token, + initialToken, + get_mic ? &mech_buf : NULL, + output_token); + if (ret2) + goto out; + } + + out: + if (ret2 != GSS_S_COMPLETE) + ret = ret2; + if (mech_output_token != NULL) + gss_release_buffer(&minor, mech_output_token); + if (mech_buf.value != NULL) + free(mech_buf.value); + if (initialToken) + free_NegTokenInit(&ni); + else + free_NegTokenResp(&na); + } + + if (ret == GSS_S_COMPLETE) { + if (src_name != NULL) { + ret2 = gss_duplicate_name(minor_status, + ctx->mech_src_name, + src_name); + if (ret2 != GSS_S_COMPLETE) + ret = ret2; + } + if (delegated_cred_handle != NULL) { + *delegated_cred_handle = ctx->delegated_cred_id; + ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL; + } + } + + if (mech_type != NULL) + *mech_type = ctx->negotiated_mech_type; + if (ret_flags != NULL) + *ret_flags = ctx->mech_flags; + if (time_rec != NULL) + *time_rec = ctx->mech_time_rec; + + if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + return ret; + } + + _gss_spnego_internal_delete_sec_context(&minor, context_handle, + GSS_C_NO_BUFFER); + + return ret; +} + diff --git a/source4/heimdal/lib/gssapi/spnego/compat.c b/source4/heimdal/lib/gssapi/spnego/compat.c new file mode 100644 index 0000000000..aeae088258 --- /dev/null +++ b/source4/heimdal/lib/gssapi/spnego/compat.c @@ -0,0 +1,285 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "spnego/spnego_locl.h" + +RCSID("$Id: compat.c,v 1.6 2006/10/07 22:26:59 lha Exp $"); + +/* + * Apparently Microsoft got the OID wrong, and used + * 1.2.840.48018.1.2.2 instead. We need both this and + * the correct Kerberos OID here in order to deal with + * this. Because this is manifest in SPNEGO only I'd + * prefer to deal with this here rather than inside the + * Kerberos mechanism. + */ +static gss_OID_desc gss_mskrb_mechanism_oid_desc = + {9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"}; + +static gss_OID_desc gss_krb5_mechanism_oid_desc = + {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}; + +/* + * Allocate a SPNEGO context handle + */ +OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status, + gss_ctx_id_t *context_handle) +{ + gssspnego_ctx ctx; + + ctx = calloc(1, sizeof(*ctx)); + if (ctx == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + ctx->initiator_mech_types.len = 0; + ctx->initiator_mech_types.val = NULL; + ctx->preferred_mech_type = GSS_C_NO_OID; + ctx->negotiated_mech_type = GSS_C_NO_OID; + ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT; + + /* + * Cache these so we can return them before returning + * GSS_S_COMPLETE, even if the mechanism has itself + * completed earlier + */ + ctx->mech_flags = 0; + ctx->mech_time_rec = 0; + ctx->mech_src_name = GSS_C_NO_NAME; + ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL; + + ctx->open = 0; + ctx->local = 0; + ctx->require_mic = 0; + ctx->verified_mic = 0; + + HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); + + *context_handle = (gss_ctx_id_t)ctx; + + return GSS_S_COMPLETE; +} + +/* + * Free a SPNEGO context handle. The caller must have acquired + * the lock before this is called. + */ +OM_uint32 _gss_spnego_internal_delete_sec_context + (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t output_token + ) +{ + gssspnego_ctx ctx; + OM_uint32 ret, minor; + + *minor_status = 0; + + if (context_handle == NULL) { + return GSS_S_NO_CONTEXT; + } + + if (output_token != GSS_C_NO_BUFFER) { + output_token->length = 0; + output_token->value = NULL; + } + + ctx = (gssspnego_ctx)*context_handle; + *context_handle = GSS_C_NO_CONTEXT; + + if (ctx == NULL) { + return GSS_S_NO_CONTEXT; + } + + if (ctx->initiator_mech_types.val != NULL) + free_MechTypeList(&ctx->initiator_mech_types); + + _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id); + + gss_release_oid(&minor, &ctx->preferred_mech_type); + ctx->negotiated_mech_type = GSS_C_NO_OID; + + gss_release_name(&minor, &ctx->mech_src_name); + + if (ctx->negotiated_ctx_id != GSS_C_NO_CONTEXT) { + ret = gss_delete_sec_context(minor_status, + &ctx->negotiated_ctx_id, + output_token); + ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT; + } else { + ret = GSS_S_COMPLETE; + } + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); + + free(ctx); + *context_handle = NULL; + + return ret; +} + +/* + * For compatability with the Windows SPNEGO implementation, the + * default is to ignore the mechListMIC unless CFX is used and + * a non-preferred mechanism was negotiated + */ + +OM_uint32 +_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status, + gssspnego_ctx ctx, + int *require_mic) +{ + gss_buffer_set_t buffer_set = GSS_C_NO_BUFFER_SET; + OM_uint32 minor; + + *minor_status = 0; + *require_mic = 0; + + if (ctx == NULL) { + return GSS_S_COMPLETE; + } + + if (ctx->require_mic) { + /* Acceptor requested it: mandatory to honour */ + *require_mic = 1; + return GSS_S_COMPLETE; + } + + /* + * Check whether peer indicated implicit support for updated SPNEGO + * (eg. in the Kerberos case by using CFX) + */ + if (gss_inquire_sec_context_by_oid(&minor, ctx->negotiated_ctx_id, + GSS_C_PEER_HAS_UPDATED_SPNEGO, + &buffer_set) == GSS_S_COMPLETE) { + *require_mic = 1; + gss_release_buffer_set(&minor, &buffer_set); + } + + /* Safe-to-omit MIC rules follow */ + if (*require_mic) { + if (gss_oid_equal(ctx->negotiated_mech_type, ctx->preferred_mech_type)) { + *require_mic = 0; + } else if (gss_oid_equal(ctx->negotiated_mech_type, &gss_krb5_mechanism_oid_desc) && + gss_oid_equal(ctx->preferred_mech_type, &gss_mskrb_mechanism_oid_desc)) { + *require_mic = 0; + } + } + + return GSS_S_COMPLETE; +} + +int _gss_spnego_add_mech_type(gss_OID mech_type, + int includeMSCompatOID, + MechTypeList *mechtypelist) +{ + int ret; + + if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM)) + return 0; + + if (includeMSCompatOID && + gss_oid_equal(mech_type, &gss_krb5_mechanism_oid_desc)) { + ret = der_get_oid(gss_mskrb_mechanism_oid_desc.elements, + gss_mskrb_mechanism_oid_desc.length, + &mechtypelist->val[mechtypelist->len], + NULL); + if (ret) + return ret; + mechtypelist->len++; + } + ret = der_get_oid(mech_type->elements, + mech_type->length, + &mechtypelist->val[mechtypelist->len], + NULL); + if (ret) + return ret; + mechtypelist->len++; + + return 0; +} + +OM_uint32 +_gss_spnego_select_mech(OM_uint32 *minor_status, + MechType *mechType, + gss_OID *mech_p) +{ + char mechbuf[64]; + size_t mech_len; + gss_OID_desc oid; + OM_uint32 ret; + + ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1, + sizeof(mechbuf), + mechType, + &mech_len); + if (ret) { + return GSS_S_DEFECTIVE_TOKEN; + } + + oid.length = mech_len; + oid.elements = mechbuf + sizeof(mechbuf) - mech_len; + + if (gss_oid_equal(&oid, GSS_SPNEGO_MECHANISM)) { + return GSS_S_BAD_MECH; + } + + *minor_status = 0; + + /* Translate broken MS Kebreros OID */ + if (gss_oid_equal(&oid, &gss_mskrb_mechanism_oid_desc)) { + gssapi_mech_interface mech; + + mech = __gss_get_mechanism(&gss_krb5_mechanism_oid_desc); + if (mech == NULL) + return GSS_S_BAD_MECH; + + ret = gss_duplicate_oid(minor_status, + &gss_mskrb_mechanism_oid_desc, + mech_p); + } else { + gssapi_mech_interface mech; + + mech = __gss_get_mechanism(&oid); + if (mech == NULL) + return GSS_S_BAD_MECH; + + ret = gss_duplicate_oid(minor_status, + &mech->gm_mech_oid, + mech_p); + } + + return ret; +} + diff --git a/source4/heimdal/lib/gssapi/spnego/context_stubs.c b/source4/heimdal/lib/gssapi/spnego/context_stubs.c new file mode 100644 index 0000000000..902ddbbdf9 --- /dev/null +++ b/source4/heimdal/lib/gssapi/spnego/context_stubs.c @@ -0,0 +1,835 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "spnego/spnego_locl.h" + +RCSID("$Id: context_stubs.c,v 1.8 2006/10/07 22:27:01 lha Exp $"); + +static OM_uint32 +spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs) +{ + OM_uint32 ret, junk; + gss_OID_set m; + int i; + + ret = gss_indicate_mechs(minor_status, &m); + if (ret != GSS_S_COMPLETE) + return ret; + + ret = gss_create_empty_oid_set(minor_status, mechs); + if (ret != GSS_S_COMPLETE) { + gss_release_oid_set(&junk, &m); + return ret; + } + + for (i = 0; i < m->count; i++) { + if (gss_oid_equal(&m->elements[i], GSS_SPNEGO_MECHANISM)) + continue; + + ret = gss_add_oid_set_member(minor_status, &m->elements[i], mechs); + if (ret) { + gss_release_oid_set(&junk, &m); + gss_release_oid_set(&junk, mechs); + return ret; + } + } + return ret; +} + + + +OM_uint32 _gss_spnego_process_context_token + (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t token_buffer + ) +{ + gss_ctx_id_t context ; + gssspnego_ctx ctx; + OM_uint32 ret; + + if (context_handle == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + context = context_handle; + ctx = (gssspnego_ctx)context_handle; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + ret = gss_process_context_token(minor_status, + ctx->negotiated_ctx_id, + token_buffer); + if (ret != GSS_S_COMPLETE) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + return ret; + } + + ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT; + + return _gss_spnego_internal_delete_sec_context(minor_status, + &context, + GSS_C_NO_BUFFER); +} + +OM_uint32 _gss_spnego_delete_sec_context + (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t output_token + ) +{ + gssspnego_ctx ctx; + + if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + ctx = (gssspnego_ctx)*context_handle; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + return _gss_spnego_internal_delete_sec_context(minor_status, + context_handle, + output_token); +} + +OM_uint32 _gss_spnego_context_time + (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + OM_uint32 *time_rec + ) +{ + gssspnego_ctx ctx; + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_context_time(minor_status, + ctx->negotiated_ctx_id, + time_rec); +} + +OM_uint32 _gss_spnego_get_mic + (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + gss_qop_t qop_req, + const gss_buffer_t message_buffer, + gss_buffer_t message_token + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_get_mic(minor_status, ctx->negotiated_ctx_id, + qop_req, message_buffer, message_token); +} + +OM_uint32 _gss_spnego_verify_mic + (OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t message_buffer, + const gss_buffer_t token_buffer, + gss_qop_t * qop_state + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_verify_mic(minor_status, + ctx->negotiated_ctx_id, + message_buffer, + token_buffer, + qop_state); +} + +OM_uint32 _gss_spnego_wrap + (OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + const gss_buffer_t input_message_buffer, + int * conf_state, + gss_buffer_t output_message_buffer + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_wrap(minor_status, + ctx->negotiated_ctx_id, + conf_req_flag, + qop_req, + input_message_buffer, + conf_state, + output_message_buffer); +} + +OM_uint32 _gss_spnego_unwrap + (OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t input_message_buffer, + gss_buffer_t output_message_buffer, + int * conf_state, + gss_qop_t * qop_state + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_unwrap(minor_status, + ctx->negotiated_ctx_id, + input_message_buffer, + output_message_buffer, + conf_state, + qop_state); +} + +OM_uint32 _gss_spnego_display_status + (OM_uint32 * minor_status, + OM_uint32 status_value, + int status_type, + const gss_OID mech_type, + OM_uint32 * message_context, + gss_buffer_t status_string + ) +{ + return GSS_S_FAILURE; +} + +OM_uint32 _gss_spnego_compare_name + (OM_uint32 *minor_status, + const gss_name_t name1, + const gss_name_t name2, + int * name_equal + ) +{ + return gss_compare_name(minor_status, name1, name2, name_equal); +} + +OM_uint32 _gss_spnego_display_name + (OM_uint32 * minor_status, + const gss_name_t input_name, + gss_buffer_t output_name_buffer, + gss_OID * output_name_type + ) +{ + return gss_display_name(minor_status, input_name, + output_name_buffer, output_name_type); +} + +OM_uint32 _gss_spnego_import_name + (OM_uint32 * minor_status, + const gss_buffer_t input_name_buffer, + const gss_OID input_name_type, + gss_name_t * output_name + ) +{ + return gss_import_name(minor_status, input_name_buffer, + input_name_type, output_name); +} + +OM_uint32 _gss_spnego_export_name + (OM_uint32 * minor_status, + const gss_name_t input_name, + gss_buffer_t exported_name + ) +{ + return gss_export_name(minor_status, input_name, + exported_name); +} + +OM_uint32 _gss_spnego_release_name + (OM_uint32 * minor_status, + gss_name_t * input_name + ) +{ + return gss_release_name(minor_status, input_name); +} + +OM_uint32 _gss_spnego_inquire_context ( + OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + gss_name_t * src_name, + gss_name_t * targ_name, + OM_uint32 * lifetime_rec, + gss_OID * mech_type, + OM_uint32 * ctx_flags, + int * locally_initiated, + int * open_context + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_inquire_context(minor_status, + ctx->negotiated_ctx_id, + src_name, + targ_name, + lifetime_rec, + mech_type, + ctx_flags, + locally_initiated, + open_context); +} + +OM_uint32 _gss_spnego_wrap_size_limit ( + OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + OM_uint32 req_output_size, + OM_uint32 * max_input_size + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_wrap_size_limit(minor_status, + ctx->negotiated_ctx_id, + conf_req_flag, + qop_req, + req_output_size, + max_input_size); +} + +OM_uint32 _gss_spnego_export_sec_context ( + OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + gss_buffer_t interprocess_token + ) +{ + gssspnego_ctx ctx; + OM_uint32 ret; + + *minor_status = 0; + + if (context_handle == NULL) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)*context_handle; + + if (ctx == NULL) + return GSS_S_NO_CONTEXT; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + return GSS_S_NO_CONTEXT; + } + + ret = gss_export_sec_context(minor_status, + &ctx->negotiated_ctx_id, + interprocess_token); + if (ret == GSS_S_COMPLETE) { + ret = _gss_spnego_internal_delete_sec_context(minor_status, + context_handle, + GSS_C_NO_BUFFER); + if (ret == GSS_S_COMPLETE) + return GSS_S_COMPLETE; + } + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + return ret; +} + +OM_uint32 _gss_spnego_import_sec_context ( + OM_uint32 * minor_status, + const gss_buffer_t interprocess_token, + gss_ctx_id_t *context_handle + ) +{ + OM_uint32 ret, minor; + gss_ctx_id_t context; + gssspnego_ctx ctx; + + ret = _gss_spnego_alloc_sec_context(minor_status, &context); + if (ret != GSS_S_COMPLETE) { + return ret; + } + ctx = (gssspnego_ctx)context; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + ret = gss_import_sec_context(minor_status, + interprocess_token, + &ctx->negotiated_ctx_id); + if (ret != GSS_S_COMPLETE) { + _gss_spnego_internal_delete_sec_context(&minor, context_handle, GSS_C_NO_BUFFER); + return ret; + } + + ctx->open = 1; + /* don't bother filling in the rest of the fields */ + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + *context_handle = (gss_ctx_id_t)ctx; + + return GSS_S_COMPLETE; +} + +OM_uint32 _gss_spnego_inquire_names_for_mech ( + OM_uint32 * minor_status, + const gss_OID mechanism, + gss_OID_set * name_types + ) +{ + gss_OID_set mechs, names, n; + OM_uint32 ret, junk; + int i, j; + + *name_types = NULL; + + ret = spnego_supported_mechs(minor_status, &mechs); + if (ret != GSS_S_COMPLETE) + return ret; + + ret = gss_create_empty_oid_set(minor_status, &names); + if (ret != GSS_S_COMPLETE) + goto out; + + for (i = 0; i < mechs->count; i++) { + ret = gss_inquire_names_for_mech(minor_status, + &mechs->elements[i], + &n); + if (ret) + continue; + + for (j = 0; j < n->count; j++) + gss_add_oid_set_member(minor_status, + &n->elements[j], + &names); + gss_release_oid_set(&junk, &n); + } + + ret = GSS_S_COMPLETE; + *name_types = names; +out: + + gss_release_oid_set(&junk, &mechs); + + return GSS_S_COMPLETE; +} + +OM_uint32 _gss_spnego_inquire_mechs_for_name ( + OM_uint32 * minor_status, + const gss_name_t input_name, + gss_OID_set * mech_types + ) +{ + OM_uint32 ret, junk; + + ret = gss_create_empty_oid_set(minor_status, mech_types); + if (ret) + return ret; + + ret = gss_add_oid_set_member(minor_status, + GSS_SPNEGO_MECHANISM, + mech_types); + if (ret) + gss_release_oid_set(&junk, mech_types); + + return ret; +} + +OM_uint32 _gss_spnego_canonicalize_name ( + OM_uint32 * minor_status, + const gss_name_t input_name, + const gss_OID mech_type, + gss_name_t * output_name + ) +{ + /* XXX */ + return gss_duplicate_name(minor_status, input_name, output_name); +} + +OM_uint32 _gss_spnego_duplicate_name ( + OM_uint32 * minor_status, + const gss_name_t src_name, + gss_name_t * dest_name + ) +{ + return gss_duplicate_name(minor_status, src_name, dest_name); +} + +OM_uint32 _gss_spnego_sign + (OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int qop_req, + gss_buffer_t message_buffer, + gss_buffer_t message_token + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_sign(minor_status, + ctx->negotiated_ctx_id, + qop_req, + message_buffer, + message_token); +} + +OM_uint32 _gss_spnego_verify + (OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + gss_buffer_t message_buffer, + gss_buffer_t token_buffer, + int * qop_state + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_verify(minor_status, + ctx->negotiated_ctx_id, + message_buffer, + token_buffer, + qop_state); +} + +OM_uint32 _gss_spnego_seal + (OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + int qop_req, + gss_buffer_t input_message_buffer, + int * conf_state, + gss_buffer_t output_message_buffer + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_seal(minor_status, + ctx->negotiated_ctx_id, + conf_req_flag, + qop_req, + input_message_buffer, + conf_state, + output_message_buffer); +} + +OM_uint32 _gss_spnego_unseal + (OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + gss_buffer_t input_message_buffer, + gss_buffer_t output_message_buffer, + int * conf_state, + int * qop_state + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_unseal(minor_status, + ctx->negotiated_ctx_id, + input_message_buffer, + output_message_buffer, + conf_state, + qop_state); +} + +#if 0 +OM_uint32 _gss_spnego_unwrap_ex + (OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t token_header_buffer, + const gss_buffer_t associated_data_buffer, + const gss_buffer_t input_message_buffer, + gss_buffer_t output_message_buffer, + int * conf_state, + gss_qop_t * qop_state) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_unwrap_ex(minor_status, + ctx->negotiated_ctx_id, + token_header_buffer, + associated_data_buffer, + input_message_buffer, + output_message_buffer, + conf_state, + qop_state); +} + +OM_uint32 _gss_spnego_wrap_ex + (OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + const gss_buffer_t associated_data_buffer, + const gss_buffer_t input_message_buffer, + int * conf_state, + gss_buffer_t output_token_buffer, + gss_buffer_t output_message_buffer + ) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + if ((ctx->mech_flags & GSS_C_DCE_STYLE) == 0 && + associated_data_buffer->length != input_message_buffer->length) { + *minor_status = EINVAL; + return GSS_S_BAD_QOP; + } + + return gss_wrap_ex(minor_status, + ctx->negotiated_ctx_id, + conf_req_flag, + qop_req, + associated_data_buffer, + input_message_buffer, + conf_state, + output_token_buffer, + output_message_buffer); +} + +OM_uint32 _gss_spnego_complete_auth_token + (OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + gss_buffer_t input_message_buffer) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_complete_auth_token(minor_status, + ctx->negotiated_ctx_id, + input_message_buffer); +} +#endif + +OM_uint32 _gss_spnego_inquire_sec_context_by_oid + (OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_inquire_sec_context_by_oid(minor_status, + ctx->negotiated_ctx_id, + desired_object, + data_set); +} + +OM_uint32 _gss_spnego_set_sec_context_option + (OM_uint32 * minor_status, + gss_ctx_id_t * context_handle, + const gss_OID desired_object, + const gss_buffer_t value) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { + return GSS_S_NO_CONTEXT; + } + + return gss_set_sec_context_option(minor_status, + &ctx->negotiated_ctx_id, + desired_object, + value); +} + diff --git a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c new file mode 100644 index 0000000000..8f8edab15e --- /dev/null +++ b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c @@ -0,0 +1,291 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "spnego/spnego_locl.h" + +RCSID("$Id: cred_stubs.c,v 1.5 2006/10/07 22:27:04 lha Exp $"); + +OM_uint32 +_gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) +{ + gssspnego_cred cred; + OM_uint32 ret; + + *minor_status = 0; + + if (*cred_handle == GSS_C_NO_CREDENTIAL) { + return GSS_S_COMPLETE; + } + cred = (gssspnego_cred)*cred_handle; + + ret = gss_release_cred(minor_status, &cred->negotiated_cred_id); + + free(cred); + *cred_handle = GSS_C_NO_CREDENTIAL; + + return ret; +} + +OM_uint32 +_gss_spnego_alloc_cred(OM_uint32 *minor_status, + gss_cred_id_t mech_cred_handle, + gss_cred_id_t *cred_handle) +{ + gssspnego_cred cred; + + if (*cred_handle != GSS_C_NO_CREDENTIAL) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + cred = calloc(1, sizeof(*cred)); + if (cred == NULL) { + *cred_handle = GSS_C_NO_CREDENTIAL; + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + cred->negotiated_cred_id = mech_cred_handle; + + *cred_handle = (gss_cred_id_t)cred; + + return GSS_S_COMPLETE; +} + +/* + * For now, just a simple wrapper that avoids recursion. When + * we support gss_{get,set}_neg_mechs() we will need to expose + * more functionality. + */ +OM_uint32 _gss_spnego_acquire_cred +(OM_uint32 *minor_status, + const gss_name_t desired_name, + OM_uint32 time_req, + const gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_cred_id_t * output_cred_handle, + gss_OID_set * actual_mechs, + OM_uint32 * time_rec + ) +{ + OM_uint32 ret, tmp; + gss_OID_set_desc actual_desired_mechs; + gss_OID_set mechs; + int i, j; + gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL; + gssspnego_cred cred; + + *output_cred_handle = GSS_C_NO_CREDENTIAL; + + ret = gss_indicate_mechs(minor_status, &mechs); + if (ret != GSS_S_COMPLETE) + return ret; + + /* Remove ourselves from this list */ + actual_desired_mechs.count = mechs->count; + actual_desired_mechs.elements = malloc(actual_desired_mechs.count * + sizeof(gss_OID_desc)); + if (actual_desired_mechs.elements == NULL) { + *minor_status = ENOMEM; + ret = GSS_S_FAILURE; + goto out; + } + + for (i = 0, j = 0; i < mechs->count; i++) { + if (gss_oid_equal(&mechs->elements[i], GSS_SPNEGO_MECHANISM)) + continue; + + actual_desired_mechs.elements[j] = mechs->elements[i]; + j++; + } + actual_desired_mechs.count = j; + + ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL, + &cred_handle); + if (ret != GSS_S_COMPLETE) + goto out; + + cred = (gssspnego_cred)cred_handle; + ret = gss_acquire_cred(minor_status, desired_name, + time_req, &actual_desired_mechs, + cred_usage, + &cred->negotiated_cred_id, + actual_mechs, time_rec); + if (ret != GSS_S_COMPLETE) + goto out; + + *output_cred_handle = cred_handle; + +out: + gss_release_oid_set(&tmp, &mechs); + if (actual_desired_mechs.elements != NULL) { + free(actual_desired_mechs.elements); + } + if (ret != GSS_S_COMPLETE) { + _gss_spnego_release_cred(&tmp, &cred_handle); + } + + return ret; +} + +OM_uint32 _gss_spnego_inquire_cred + (OM_uint32 * minor_status, + const gss_cred_id_t cred_handle, + gss_name_t * name, + OM_uint32 * lifetime, + gss_cred_usage_t * cred_usage, + gss_OID_set * mechanisms + ) +{ + gssspnego_cred cred; + OM_uint32 ret; + + if (cred_handle == GSS_C_NO_CREDENTIAL) { + *minor_status = 0; + return GSS_S_NO_CRED; + } + + cred = (gssspnego_cred)cred_handle; + + ret = gss_inquire_cred(minor_status, + cred->negotiated_cred_id, + name, + lifetime, + cred_usage, + mechanisms); + + return ret; +} + +OM_uint32 _gss_spnego_add_cred ( + OM_uint32 * minor_status, + const gss_cred_id_t input_cred_handle, + const gss_name_t desired_name, + const gss_OID desired_mech, + gss_cred_usage_t cred_usage, + OM_uint32 initiator_time_req, + OM_uint32 acceptor_time_req, + gss_cred_id_t * output_cred_handle, + gss_OID_set * actual_mechs, + OM_uint32 * initiator_time_rec, + OM_uint32 * acceptor_time_rec + ) +{ + gss_cred_id_t spnego_output_cred_handle = GSS_C_NO_CREDENTIAL; + OM_uint32 ret, tmp; + gssspnego_cred input_cred, output_cred; + + *output_cred_handle = GSS_C_NO_CREDENTIAL; + + ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL, + &spnego_output_cred_handle); + if (ret) + return ret; + + input_cred = (gssspnego_cred)input_cred_handle; + output_cred = (gssspnego_cred)spnego_output_cred_handle; + + ret = gss_add_cred(minor_status, + input_cred->negotiated_cred_id, + desired_name, + desired_mech, + cred_usage, + initiator_time_req, + acceptor_time_req, + &output_cred->negotiated_cred_id, + actual_mechs, + initiator_time_rec, + acceptor_time_rec); + if (ret) { + _gss_spnego_release_cred(&tmp, &spnego_output_cred_handle); + return ret; + } + + *output_cred_handle = spnego_output_cred_handle; + + return GSS_S_COMPLETE; +} + +OM_uint32 _gss_spnego_inquire_cred_by_mech ( + OM_uint32 * minor_status, + const gss_cred_id_t cred_handle, + const gss_OID mech_type, + gss_name_t * name, + OM_uint32 * initiator_lifetime, + OM_uint32 * acceptor_lifetime, + gss_cred_usage_t * cred_usage + ) +{ + gssspnego_cred cred; + OM_uint32 ret; + + if (cred_handle == GSS_C_NO_CREDENTIAL) { + *minor_status = 0; + return GSS_S_NO_CRED; + } + + cred = (gssspnego_cred)cred_handle; + + ret = gss_inquire_cred_by_mech(minor_status, + cred->negotiated_cred_id, + mech_type, + name, + initiator_lifetime, + acceptor_lifetime, + cred_usage); + + return ret; +} + +OM_uint32 _gss_spnego_inquire_cred_by_oid + (OM_uint32 * minor_status, + const gss_cred_id_t cred_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + gssspnego_cred cred; + OM_uint32 ret; + + if (cred_handle == GSS_C_NO_CREDENTIAL) { + *minor_status = 0; + return GSS_S_NO_CRED; + } + cred = (gssspnego_cred)cred_handle; + + ret = gss_inquire_cred_by_oid(minor_status, + cred->negotiated_cred_id, + desired_object, + data_set); + + return ret; +} + diff --git a/source4/heimdal/lib/gssapi/spnego/external.c b/source4/heimdal/lib/gssapi/spnego/external.c new file mode 100644 index 0000000000..b7e02a55e1 --- /dev/null +++ b/source4/heimdal/lib/gssapi/spnego/external.c @@ -0,0 +1,89 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "spnego/spnego_locl.h" +#include <gssapi_mech.h> + +RCSID("$Id: external.c,v 1.7 2006/10/07 22:27:06 lha Exp $"); + +/* + * RFC2478, SPNEGO: + * The security mechanism of the initial + * negotiation token is identified by the Object Identifier + * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). + */ + +static gssapi_mech_interface_desc spnego_mech = { + GMI_VERSION, + "spnego", + {6, (void *)"\x2b\x06\x01\x05\x05\x02"}, + _gss_spnego_acquire_cred, + _gss_spnego_release_cred, + _gss_spnego_init_sec_context, + _gss_spnego_accept_sec_context, + _gss_spnego_process_context_token, + _gss_spnego_internal_delete_sec_context, + _gss_spnego_context_time, + _gss_spnego_get_mic, + _gss_spnego_verify_mic, + _gss_spnego_wrap, + _gss_spnego_unwrap, + _gss_spnego_display_status, + NULL, + _gss_spnego_compare_name, + _gss_spnego_display_name, + _gss_spnego_import_name, + _gss_spnego_export_name, + _gss_spnego_release_name, + _gss_spnego_inquire_cred, + _gss_spnego_inquire_context, + _gss_spnego_wrap_size_limit, + _gss_spnego_add_cred, + _gss_spnego_inquire_cred_by_mech, + _gss_spnego_export_sec_context, + _gss_spnego_import_sec_context, + _gss_spnego_inquire_names_for_mech, + _gss_spnego_inquire_mechs_for_name, + _gss_spnego_canonicalize_name, + _gss_spnego_duplicate_name +}; + +gssapi_mech_interface +__gss_spnego_initialize(void) +{ + return &spnego_mech; +} + +static gss_OID_desc _gss_spnego_mechanism_desc = + {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; + +gss_OID GSS_SPNEGO_MECHANISM = &_gss_spnego_mechanism_desc; diff --git a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c new file mode 100644 index 0000000000..5a652fdb2e --- /dev/null +++ b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c @@ -0,0 +1,578 @@ +/* + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * Portions Copyright (c) 2004 PADL Software Pty Ltd. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "spnego/spnego_locl.h" + +RCSID("$Id: init_sec_context.c,v 1.6 2006/10/14 10:09:15 lha Exp $"); + +/* + * Send a reply. Note that we only need to send a reply if we + * need to send a MIC or a mechanism token. Otherwise, we can + * return an empty buffer. + * + * The return value of this will be returned to the API, so it + * must return GSS_S_CONTINUE_NEEDED if a token was generated. + */ +static OM_uint32 +spnego_reply_internal(OM_uint32 *minor_status, + gssspnego_ctx context_handle, + const gss_buffer_t mech_buf, + gss_buffer_t mech_token, + gss_buffer_t output_token) +{ + NegTokenResp resp; + gss_buffer_desc mic_buf; + OM_uint32 ret; + gss_buffer_desc data; + u_char *buf; + + if (mech_buf == GSS_C_NO_BUFFER && mech_token->length == 0) { + output_token->length = 0; + output_token->value = NULL; + + return context_handle->open ? GSS_S_COMPLETE : GSS_S_FAILURE; + } + + memset(&resp, 0, sizeof(resp)); + + ALLOC(resp.negResult, 1); + if (resp.negResult == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + resp.supportedMech = NULL; + + output_token->length = 0; + output_token->value = NULL; + + if (mech_token->length == 0) { + resp.responseToken = NULL; + *(resp.negResult) = accept_completed; + } else { + ALLOC(resp.responseToken, 1); + if (resp.responseToken == NULL) { + free_NegTokenResp(&resp); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + resp.responseToken->length = mech_token->length; + resp.responseToken->data = mech_token->value; + mech_token->length = 0; + mech_token->value = NULL; + + *(resp.negResult) = accept_incomplete; + } + + if (mech_buf != GSS_C_NO_BUFFER) { + ALLOC(resp.mechListMIC, 1); + if (resp.mechListMIC == NULL) { + free_NegTokenResp(&resp); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + ret = gss_get_mic(minor_status, + context_handle->negotiated_ctx_id, + 0, + mech_buf, + &mic_buf); + if (ret) { + free_NegTokenResp(&resp); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + resp.mechListMIC->length = mic_buf.length; + resp.mechListMIC->data = mic_buf.value; + } else { + resp.mechListMIC = NULL; + } + + ret = _gss_spnego_encode_response (minor_status, &resp, + &data, &buf); + if (ret) { + free_NegTokenResp(&resp); + return ret; + } + + output_token->value = malloc(data.length); + if (output_token->value == NULL) { + *minor_status = ENOMEM; + ret = GSS_S_FAILURE; + } else { + output_token->length = data.length; + memcpy(output_token->value, data.value, output_token->length); + } + free(buf); + + if (*(resp.negResult) == accept_completed) + ret = GSS_S_COMPLETE; + else + ret = GSS_S_CONTINUE_NEEDED; + + free_NegTokenResp(&resp); + return ret; +} + +static OM_uint32 +spnego_initial + (OM_uint32 * minor_status, + gssspnego_cred cred, + gss_ctx_id_t * context_handle, + const gss_name_t target_name, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) +{ + NegTokenInit ni; + int ret; + OM_uint32 sub, minor; + gss_buffer_desc mech_token; + u_char *buf; + size_t buf_size, buf_len; + gss_buffer_desc data; + size_t ni_len; + gss_ctx_id_t context; + gssspnego_ctx ctx; + + memset (&ni, 0, sizeof(ni)); + + *context_handle = GSS_C_NO_CONTEXT; + + *minor_status = 0; + + sub = _gss_spnego_alloc_sec_context(&minor, &context); + if (GSS_ERROR(sub)) { + *minor_status = minor; + return sub; + } + ctx = (gssspnego_ctx)context; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + ctx->local = 1; + + sub = _gss_spnego_indicate_mechtypelist(&minor, 0, + cred, + &ni.mechTypes, + &ctx->preferred_mech_type); + if (GSS_ERROR(sub)) { + *minor_status = minor; + _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER); + return sub; + } + + ni.reqFlags = NULL; + + /* + * If we have a credential handle, use it to select the mechanism + * that we will use + */ + + /* generate optimistic token */ + sub = gss_init_sec_context(&minor, + (cred != NULL) ? cred->negotiated_cred_id : + GSS_C_NO_CREDENTIAL, + &ctx->negotiated_ctx_id, + target_name, + GSS_C_NO_OID, + req_flags, + time_req, + input_chan_bindings, + input_token, + &ctx->negotiated_mech_type, + &mech_token, + &ctx->mech_flags, + &ctx->mech_time_rec); + if (GSS_ERROR(sub)) { + free_NegTokenInit(&ni); + *minor_status = minor; + _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER); + return sub; + } + + if (mech_token.length != 0) { + ALLOC(ni.mechToken, 1); + if (ni.mechToken == NULL) { + free_NegTokenInit(&ni); + gss_release_buffer(&minor, &mech_token); + _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + ni.mechToken->length = mech_token.length; + ni.mechToken->data = malloc(mech_token.length); + if (ni.mechToken->data == NULL && mech_token.length != 0) { + free_NegTokenInit(&ni); + gss_release_buffer(&minor, &mech_token); + *minor_status = ENOMEM; + _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER); + return GSS_S_FAILURE; + } + memcpy(ni.mechToken->data, mech_token.value, mech_token.length); + gss_release_buffer(&minor, &mech_token); + } else + ni.mechToken = NULL; + + ni.mechListMIC = NULL; + + ni_len = length_NegTokenInit(&ni); + buf_size = 1 + der_length_len(ni_len) + ni_len; + + buf = malloc(buf_size); + if (buf == NULL) { + free_NegTokenInit(&ni); + *minor_status = ENOMEM; + _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER); + return GSS_S_FAILURE; + } + + ret = encode_NegTokenInit(buf + buf_size - 1, + ni_len, + &ni, &buf_len); + if (ret == 0 && ni_len != buf_len) + abort(); + + if (ret == 0) { + size_t tmp; + + ret = der_put_length_and_tag(buf + buf_size - buf_len - 1, + buf_size - buf_len, + buf_len, + ASN1_C_CONTEXT, + CONS, + 0, + &tmp); + if (ret == 0 && tmp + buf_len != buf_size) + abort(); + } + if (ret) { + *minor_status = ret; + free(buf); + free_NegTokenInit(&ni); + _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER); + return GSS_S_FAILURE; + } + + data.value = buf; + data.length = buf_size; + + ctx->initiator_mech_types.len = ni.mechTypes.len; + ctx->initiator_mech_types.val = ni.mechTypes.val; + ni.mechTypes.len = 0; + ni.mechTypes.val = NULL; + + free_NegTokenInit(&ni); + + sub = gss_encapsulate_token(&data, + GSS_SPNEGO_MECHANISM, + output_token); + free (buf); + + if (sub) { + _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER); + return sub; + } + + if (actual_mech_type) + *actual_mech_type = ctx->negotiated_mech_type; + if (ret_flags) + *ret_flags = ctx->mech_flags; + if (time_rec) + *time_rec = ctx->mech_time_rec; + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + *context_handle = context; + + return GSS_S_CONTINUE_NEEDED; +} + +static OM_uint32 +spnego_reply + (OM_uint32 * minor_status, + const gssspnego_cred cred, + gss_ctx_id_t * context_handle, + const gss_name_t target_name, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) +{ + OM_uint32 ret, minor; + NegTokenResp resp; + u_char oidbuf[17]; + size_t oidlen; + size_t len, taglen; + gss_OID_desc mech; + int require_mic; + size_t buf_len; + gss_buffer_desc mic_buf, mech_buf; + gss_buffer_desc mech_output_token; + gssspnego_ctx ctx; + + *minor_status = 0; + + ctx = (gssspnego_ctx)*context_handle; + + output_token->length = 0; + output_token->value = NULL; + + mech_output_token.length = 0; + mech_output_token.value = NULL; + + mech_buf.value = NULL; + mech_buf.length = 0; + + ret = der_match_tag_and_length(input_token->value, input_token->length, + ASN1_C_CONTEXT, CONS, 1, &len, &taglen); + if (ret) + return ret; + + if (len > input_token->length - taglen) + return ASN1_OVERRUN; + + ret = decode_NegTokenResp((const unsigned char *)input_token->value+taglen, + len, &resp, NULL); + if (ret) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + if (resp.negResult == NULL + || *(resp.negResult) == reject + || resp.supportedMech == NULL) { + free_NegTokenResp(&resp); + return GSS_S_BAD_MECH; + } + + ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1, + sizeof(oidbuf), + resp.supportedMech, + &oidlen); + if (ret || (oidlen == GSS_SPNEGO_MECHANISM->length && + memcmp(oidbuf + sizeof(oidbuf) - oidlen, + GSS_SPNEGO_MECHANISM->elements, + oidlen) == 0)) { + /* Avoid recursively embedded SPNEGO */ + free_NegTokenResp(&resp); + return GSS_S_BAD_MECH; + } + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + + if (resp.responseToken != NULL) { + gss_buffer_desc mech_input_token; + + mech_input_token.length = resp.responseToken->length; + mech_input_token.value = resp.responseToken->data; + + mech.length = oidlen; + mech.elements = oidbuf + sizeof(oidbuf) - oidlen; + + /* Fall through as if the negotiated mechanism + was requested explicitly */ + ret = gss_init_sec_context(&minor, + (cred != NULL) ? cred->negotiated_cred_id : + GSS_C_NO_CREDENTIAL, + &ctx->negotiated_ctx_id, + target_name, + &mech, + req_flags, + time_req, + input_chan_bindings, + &mech_input_token, + &ctx->negotiated_mech_type, + &mech_output_token, + &ctx->mech_flags, + &ctx->mech_time_rec); + if (GSS_ERROR(ret)) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + free_NegTokenResp(&resp); + *minor_status = minor; + return ret; + } + if (ret == GSS_S_COMPLETE) { + ctx->open = 1; + } + } + + if (*(resp.negResult) == request_mic) { + ctx->require_mic = 1; + } + + if (ctx->open) { + /* + * Verify the mechListMIC if one was provided or CFX was + * used and a non-preferred mechanism was selected + */ + if (resp.mechListMIC != NULL) { + require_mic = 1; + } else { + ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, + &require_mic); + if (ret) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + free_NegTokenResp(&resp); + gss_release_buffer(&minor, &mech_output_token); + return ret; + } + } + } else { + require_mic = 0; + } + + if (require_mic) { + ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length, + &ctx->initiator_mech_types, &buf_len, ret); + if (ret) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + free_NegTokenResp(&resp); + gss_release_buffer(&minor, &mech_output_token); + *minor_status = ret; + return GSS_S_FAILURE; + } + if (mech_buf.length != buf_len) + abort(); + + if (resp.mechListMIC == NULL) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + free(mech_buf.value); + free_NegTokenResp(&resp); + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; + } + mic_buf.length = resp.mechListMIC->length; + mic_buf.value = resp.mechListMIC->data; + + if (mech_output_token.length == 0) { + ret = gss_verify_mic(minor_status, + ctx->negotiated_ctx_id, + &mech_buf, + &mic_buf, + NULL); + if (ret) { + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + free(mech_buf.value); + gss_release_buffer(&minor, &mech_output_token); + free_NegTokenResp(&resp); + return GSS_S_DEFECTIVE_TOKEN; + } + ctx->verified_mic = 1; + } + } + + ret = spnego_reply_internal(minor_status, ctx, + require_mic ? &mech_buf : NULL, + &mech_output_token, + output_token); + + if (mech_buf.value != NULL) + free(mech_buf.value); + + free_NegTokenResp(&resp); + gss_release_buffer(&minor, &mech_output_token); + + if (actual_mech_type) + *actual_mech_type = ctx->negotiated_mech_type; + if (ret_flags) + *ret_flags = ctx->mech_flags; + if (time_rec) + *time_rec = ctx->mech_time_rec; + + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + return ret; +} + +OM_uint32 _gss_spnego_init_sec_context + (OM_uint32 * minor_status, + const gss_cred_id_t initiator_cred_handle, + gss_ctx_id_t * context_handle, + const gss_name_t target_name, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) +{ + gssspnego_cred cred = (gssspnego_cred)initiator_cred_handle; + + if (*context_handle == GSS_C_NO_CONTEXT) + return spnego_initial (minor_status, + cred, + context_handle, + target_name, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); + else + return spnego_reply (minor_status, + cred, + context_handle, + target_name, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); +} + diff --git a/source4/heimdal/lib/gssapi/spnego/spnego-private.h b/source4/heimdal/lib/gssapi/spnego/spnego-private.h new file mode 100644 index 0000000000..df50f65580 --- /dev/null +++ b/source4/heimdal/lib/gssapi/spnego/spnego-private.h @@ -0,0 +1,347 @@ +/* This is a generated file */ +#ifndef __spnego_private_h__ +#define __spnego_private_h__ + +#include <stdarg.h> + +gssapi_mech_interface +__gss_spnego_initialize (void); + +OM_uint32 +_gss_spnego_accept_sec_context ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + const gss_cred_id_t /*acceptor_cred_handle*/, + const gss_buffer_t /*input_token_buffer*/, + const gss_channel_bindings_t /*input_chan_bindings*/, + gss_name_t * /*src_name*/, + gss_OID * /*mech_type*/, + gss_buffer_t /*output_token*/, + OM_uint32 * /*ret_flags*/, + OM_uint32 * /*time_rec*/, + gss_cred_id_t *delegated_cred_handle ); + +OM_uint32 +_gss_spnego_acquire_cred ( + OM_uint32 */*minor_status*/, + const gss_name_t /*desired_name*/, + OM_uint32 /*time_req*/, + const gss_OID_set /*desired_mechs*/, + gss_cred_usage_t /*cred_usage*/, + gss_cred_id_t * /*output_cred_handle*/, + gss_OID_set * /*actual_mechs*/, + OM_uint32 * time_rec ); + +OM_uint32 +_gss_spnego_add_cred ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*input_cred_handle*/, + const gss_name_t /*desired_name*/, + const gss_OID /*desired_mech*/, + gss_cred_usage_t /*cred_usage*/, + OM_uint32 /*initiator_time_req*/, + OM_uint32 /*acceptor_time_req*/, + gss_cred_id_t * /*output_cred_handle*/, + gss_OID_set * /*actual_mechs*/, + OM_uint32 * /*initiator_time_rec*/, + OM_uint32 * acceptor_time_rec ); + +int +_gss_spnego_add_mech_type ( + gss_OID /*mech_type*/, + int /*includeMSCompatOID*/, + MechTypeList */*mechtypelist*/); + +OM_uint32 +_gss_spnego_alloc_cred ( + OM_uint32 */*minor_status*/, + gss_cred_id_t /*mech_cred_handle*/, + gss_cred_id_t */*cred_handle*/); + +OM_uint32 +_gss_spnego_alloc_sec_context ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t */*context_handle*/); + +OM_uint32 +_gss_spnego_canonicalize_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + const gss_OID /*mech_type*/, + gss_name_t * output_name ); + +OM_uint32 +_gss_spnego_compare_name ( + OM_uint32 */*minor_status*/, + const gss_name_t /*name1*/, + const gss_name_t /*name2*/, + int * name_equal ); + +OM_uint32 +_gss_spnego_context_time ( + OM_uint32 */*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + OM_uint32 *time_rec ); + +OM_uint32 +_gss_spnego_delete_sec_context ( + OM_uint32 */*minor_status*/, + gss_ctx_id_t */*context_handle*/, + gss_buffer_t output_token ); + +OM_uint32 +_gss_spnego_display_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + gss_buffer_t /*output_name_buffer*/, + gss_OID * output_name_type ); + +OM_uint32 +_gss_spnego_display_status ( + OM_uint32 * /*minor_status*/, + OM_uint32 /*status_value*/, + int /*status_type*/, + const gss_OID /*mech_type*/, + OM_uint32 * /*message_context*/, + gss_buffer_t status_string ); + +OM_uint32 +_gss_spnego_duplicate_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*src_name*/, + gss_name_t * dest_name ); + +OM_uint32 +_gss_spnego_encode_response ( + OM_uint32 */*minor_status*/, + const NegTokenResp */*resp*/, + gss_buffer_t /*data*/, + u_char **/*ret_buf*/); + +OM_uint32 +_gss_spnego_export_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + gss_buffer_t exported_name ); + +OM_uint32 +_gss_spnego_export_sec_context ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + gss_buffer_t interprocess_token ); + +OM_uint32 +_gss_spnego_get_mic ( + OM_uint32 */*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*message_buffer*/, + gss_buffer_t message_token ); + +OM_uint32 +_gss_spnego_import_name ( + OM_uint32 * /*minor_status*/, + const gss_buffer_t /*input_name_buffer*/, + const gss_OID /*input_name_type*/, + gss_name_t * output_name ); + +OM_uint32 +_gss_spnego_import_sec_context ( + OM_uint32 * /*minor_status*/, + const gss_buffer_t /*interprocess_token*/, + gss_ctx_id_t *context_handle ); + +OM_uint32 +_gss_spnego_indicate_mechtypelist ( + OM_uint32 */*minor_status*/, + int /*includeMSCompatOID*/, + const gssspnego_cred /*cred_handle*/, + MechTypeList */*mechtypelist*/, + gss_OID */*preferred_mech*/); + +OM_uint32 +_gss_spnego_init_sec_context ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*initiator_cred_handle*/, + gss_ctx_id_t * /*context_handle*/, + const gss_name_t /*target_name*/, + const gss_OID /*mech_type*/, + OM_uint32 /*req_flags*/, + OM_uint32 /*time_req*/, + const gss_channel_bindings_t /*input_chan_bindings*/, + const gss_buffer_t /*input_token*/, + gss_OID * /*actual_mech_type*/, + gss_buffer_t /*output_token*/, + OM_uint32 * /*ret_flags*/, + OM_uint32 * time_rec ); + +OM_uint32 +_gss_spnego_inquire_context ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + gss_name_t * /*src_name*/, + gss_name_t * /*targ_name*/, + OM_uint32 * /*lifetime_rec*/, + gss_OID * /*mech_type*/, + OM_uint32 * /*ctx_flags*/, + int * /*locally_initiated*/, + int * open_context ); + +OM_uint32 +_gss_spnego_inquire_cred ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*cred_handle*/, + gss_name_t * /*name*/, + OM_uint32 * /*lifetime*/, + gss_cred_usage_t * /*cred_usage*/, + gss_OID_set * mechanisms ); + +OM_uint32 +_gss_spnego_inquire_cred_by_mech ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*cred_handle*/, + const gss_OID /*mech_type*/, + gss_name_t * /*name*/, + OM_uint32 * /*initiator_lifetime*/, + OM_uint32 * /*acceptor_lifetime*/, + gss_cred_usage_t * cred_usage ); + +OM_uint32 +_gss_spnego_inquire_cred_by_oid ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*cred_handle*/, + const gss_OID /*desired_object*/, + gss_buffer_set_t */*data_set*/); + +OM_uint32 +_gss_spnego_inquire_mechs_for_name ( + OM_uint32 * /*minor_status*/, + const gss_name_t /*input_name*/, + gss_OID_set * mech_types ); + +OM_uint32 +_gss_spnego_inquire_names_for_mech ( + OM_uint32 * /*minor_status*/, + const gss_OID /*mechanism*/, + gss_OID_set * name_types ); + +OM_uint32 +_gss_spnego_inquire_sec_context_by_oid ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_OID /*desired_object*/, + gss_buffer_set_t */*data_set*/); + +OM_uint32 +_gss_spnego_internal_delete_sec_context ( + OM_uint32 */*minor_status*/, + gss_ctx_id_t */*context_handle*/, + gss_buffer_t output_token ); + +OM_uint32 +_gss_spnego_process_context_token ( + OM_uint32 */*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_buffer_t token_buffer ); + +OM_uint32 +_gss_spnego_release_cred ( + OM_uint32 */*minor_status*/, + gss_cred_id_t */*cred_handle*/); + +OM_uint32 +_gss_spnego_release_name ( + OM_uint32 * /*minor_status*/, + gss_name_t * input_name ); + +OM_uint32 +_gss_spnego_require_mechlist_mic ( + OM_uint32 */*minor_status*/, + gssspnego_ctx /*ctx*/, + int */*require_mic*/); + +OM_uint32 +_gss_spnego_seal ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + int /*qop_req*/, + gss_buffer_t /*input_message_buffer*/, + int * /*conf_state*/, + gss_buffer_t output_message_buffer ); + +OM_uint32 +_gss_spnego_select_mech ( + OM_uint32 */*minor_status*/, + MechType */*mechType*/, + gss_OID */*mech_p*/); + +OM_uint32 +_gss_spnego_set_sec_context_option ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t * /*context_handle*/, + const gss_OID /*desired_object*/, + const gss_buffer_t /*value*/); + +OM_uint32 +_gss_spnego_sign ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + int /*qop_req*/, + gss_buffer_t /*message_buffer*/, + gss_buffer_t message_token ); + +OM_uint32 +_gss_spnego_unseal ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + gss_buffer_t /*input_message_buffer*/, + gss_buffer_t /*output_message_buffer*/, + int * /*conf_state*/, + int * qop_state ); + +OM_uint32 +_gss_spnego_unwrap ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_buffer_t /*input_message_buffer*/, + gss_buffer_t /*output_message_buffer*/, + int * /*conf_state*/, + gss_qop_t * qop_state ); + +OM_uint32 +_gss_spnego_verify ( + OM_uint32 * /*minor_status*/, + gss_ctx_id_t /*context_handle*/, + gss_buffer_t /*message_buffer*/, + gss_buffer_t /*token_buffer*/, + int * qop_state ); + +OM_uint32 +_gss_spnego_verify_mic ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + const gss_buffer_t /*message_buffer*/, + const gss_buffer_t /*token_buffer*/, + gss_qop_t * qop_state ); + +OM_uint32 +_gss_spnego_wrap ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + const gss_buffer_t /*input_message_buffer*/, + int * /*conf_state*/, + gss_buffer_t output_message_buffer ); + +OM_uint32 +_gss_spnego_wrap_size_limit ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + OM_uint32 /*req_output_size*/, + OM_uint32 * max_input_size ); + +#endif /* __spnego_private_h__ */ diff --git a/source4/heimdal/lib/gssapi/spnego/spnego.asn1 b/source4/heimdal/lib/gssapi/spnego/spnego.asn1 new file mode 100644 index 0000000000..187ce0a0a6 --- /dev/null +++ b/source4/heimdal/lib/gssapi/spnego/spnego.asn1 @@ -0,0 +1,51 @@ +-- $Id: spnego.asn1,v 1.1.1.1 2006/06/28 08:34:45 lha Exp $ + +SPNEGO DEFINITIONS ::= +BEGIN + +MechType::= OBJECT IDENTIFIER + +MechTypeList ::= SEQUENCE OF MechType + +ContextFlags ::= BIT STRING { + delegFlag (0), + mutualFlag (1), + replayFlag (2), + sequenceFlag (3), + anonFlag (4), + confFlag (5), + integFlag (6) +} + +NegHints ::= SEQUENCE { + hintName [0] GeneralString OPTIONAL, + hintAddress [1] OCTET STRING OPTIONAL +} + +NegTokenInit ::= SEQUENCE { + mechTypes [0] MechTypeList, + reqFlags [1] ContextFlags OPTIONAL, + mechToken [2] OCTET STRING OPTIONAL, + negHints [3] NegHints OPTIONAL, + mechListMIC [4] OCTET STRING OPTIONAL + } + +-- NB: negResult is not OPTIONAL in the new SPNEGO spec but +-- Windows clients do not always send it +NegTokenResp ::= SEQUENCE { + negResult [0] ENUMERATED { + accept_completed (0), + accept_incomplete (1), + reject (2), + request-mic (3) } OPTIONAL, + supportedMech [1] MechType OPTIONAL, + responseToken [2] OCTET STRING OPTIONAL, + mechListMIC [3] OCTET STRING OPTIONAL +} + +NegotiationToken ::= CHOICE { + negTokenInit[0] NegTokenInit, + negTokenResp[1] NegTokenResp +} + +END diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h new file mode 100644 index 0000000000..571bce5569 --- /dev/null +++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h @@ -0,0 +1,96 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: spnego_locl.h,v 1.11 2006/10/12 06:28:06 lha Exp $ */ + +#ifndef SPNEGO_LOCL_H +#define SPNEGO_LOCL_H + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#ifdef HAVE_SYS_TYPES_H +#include <sys/types.h> +#endif +#ifdef HAVE_SYS_PARAM_H +#include <sys/param.h> +#endif + +#ifdef HAVE_PTHREAD_H +#include <pthread.h> +#endif + +#include <gssapi/gssapi_spnego.h> +#include <gssapi.h> +#include <assert.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <ctype.h> +#ifdef HAVE_NETDB_H +#include <netdb.h> +#endif + +#include <heim_threads.h> +#include <asn1_err.h> + +#include <gssapi_mech.h> + +#include "spnego_asn1.h" +#include <der.h> + +#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) + +typedef struct { + gss_cred_id_t negotiated_cred_id; +} *gssspnego_cred; + +typedef struct { + MechTypeList initiator_mech_types; + gss_OID preferred_mech_type; + gss_OID negotiated_mech_type; + gss_ctx_id_t negotiated_ctx_id; + OM_uint32 mech_flags; + OM_uint32 mech_time_rec; + gss_name_t mech_src_name; + gss_cred_id_t delegated_cred_id; + int open : 1; + int local : 1; + int require_mic : 1; + int verified_mic : 1; + HEIMDAL_MUTEX ctx_id_mutex; +} *gssspnego_ctx; + +#include <spnego/spnego-private.h> + +#endif /* SPNEGO_LOCL_H */ diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c index 4b4e6e673d..0bbf6f2210 100644 --- a/source4/heimdal/lib/hdb/db.c +++ b/source4/heimdal/lib/hdb/db.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: db.c,v 1.35 2005/12/13 11:52:55 lha Exp $"); +RCSID("$Id: db.c,v 1.36 2006/09/12 18:12:37 lha Exp $"); #if HAVE_DB1 @@ -47,7 +47,7 @@ static krb5_error_code DB_close(krb5_context context, HDB *db) { DB *d = (DB*)db->hdb_db; - d->close(d); + (*d->close)(d); return 0; } @@ -95,7 +95,7 @@ DB_seq(krb5_context context, HDB *db, code = db->hdb_lock(context, db, HDB_RLOCK); if(code == -1) return HDB_ERR_DB_INUSE; - code = d->seq(d, &key, &value, flag); + code = (*d->seq)(d, &key, &value, flag); db->hdb_unlock(context, db); /* XXX check value */ if(code == -1) return errno; @@ -172,7 +172,7 @@ DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply) code = db->hdb_lock(context, db, HDB_RLOCK); if(code) return code; - code = d->get(d, &k, &v, 0); + code = (*d->get)(d, &k, &v, 0); db->hdb_unlock(context, db); if(code < 0) return errno; @@ -198,7 +198,7 @@ DB__put(krb5_context context, HDB *db, int replace, code = db->hdb_lock(context, db, HDB_WLOCK); if(code) return code; - code = d->put(d, &k, &v, replace ? 0 : R_NOOVERWRITE); + code = (*d->put)(d, &k, &v, replace ? 0 : R_NOOVERWRITE); db->hdb_unlock(context, db); if(code < 0) return errno; @@ -218,7 +218,7 @@ DB__del(krb5_context context, HDB *db, krb5_data key) code = db->hdb_lock(context, db, HDB_WLOCK); if(code) return code; - code = d->del(d, &k, 0); + code = (*d->del)(d, &k, 0); db->hdb_unlock(context, db); if(code == 1) return HDB_ERR_NOENTRY; diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c index a8995e4138..141c63a8ac 100644 --- a/source4/heimdal/lib/hdb/ext.c +++ b/source4/heimdal/lib/hdb/ext.c @@ -34,7 +34,7 @@ #include "hdb_locl.h" #include <der.h> -RCSID("$Id: ext.c,v 1.2 2006/04/25 10:20:22 lha Exp $"); +RCSID("$Id: ext.c,v 1.6 2006/10/14 10:13:03 lha Exp $"); krb5_error_code hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent) @@ -220,6 +220,20 @@ hdb_entry_get_pkinit_acl(const hdb_entry *entry, const HDB_Ext_PKINIT_acl **a) } krb5_error_code +hdb_entry_get_pkinit_hash(const hdb_entry *entry, const HDB_Ext_PKINIT_hash **a) +{ + const HDB_extension *ext; + + ext = hdb_find_extension(entry, choice_HDB_extension_data_pkinit_cert_hash); + if (ext) + *a = &ext->data.u.pkinit_cert_hash; + else + *a = NULL; + + return 0; +} + +krb5_error_code hdb_entry_get_pw_change_time(const hdb_entry *entry, time_t *t) { const HDB_extension *ext; @@ -278,7 +292,7 @@ hdb_entry_get_password(krb5_context context, HDB *db, ext->data.u.password.password.length, &pw); } else { - ret = copy_octet_string(&ext->data.u.password.password, &pw); + ret = der_copy_octet_string(&ext->data.u.password.password, &pw); } if (ret) { krb5_clear_error_string(context); @@ -293,7 +307,7 @@ hdb_entry_get_password(krb5_context context, HDB *db, *p = strdup(str); - free_octet_string(&pw); + der_free_octet_string(&pw); if (*p == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; @@ -364,3 +378,19 @@ hdb_entry_clear_password(krb5_context context, hdb_entry *entry) return hdb_clear_extension(context, entry, choice_HDB_extension_data_password); } + +krb5_error_code +hdb_entry_get_ConstrainedDelegACL(const hdb_entry *entry, + const HDB_Ext_Constrained_delegation_acl **a) +{ + const HDB_extension *ext; + + ext = hdb_find_extension(entry, + choice_HDB_extension_data_allowed_to_delegate_to); + if (ext) + *a = &ext->data.u.allowed_to_delegate_to; + else + *a = NULL; + + return 0; +} diff --git a/source4/heimdal/lib/hdb/hdb-protos.h b/source4/heimdal/lib/hdb/hdb-protos.h index 3cc7d2131a..de0545a037 100644 --- a/source4/heimdal/lib/hdb/hdb-protos.h +++ b/source4/heimdal/lib/hdb/hdb-protos.h @@ -71,6 +71,11 @@ hdb_entry_clear_password ( krb5_context /*context*/, hdb_entry */*entry*/); +krb5_error_code +hdb_entry_get_ConstrainedDelegACL ( + const hdb_entry */*entry*/, + const HDB_Ext_Constrained_delegation_acl **/*a*/); + int hdb_entry_get_password ( krb5_context /*context*/, @@ -84,6 +89,11 @@ hdb_entry_get_pkinit_acl ( const HDB_Ext_PKINIT_acl **/*a*/); krb5_error_code +hdb_entry_get_pkinit_hash ( + const hdb_entry */*entry*/, + const HDB_Ext_PKINIT_hash **/*a*/); + +krb5_error_code hdb_entry_get_pw_change_time ( const hdb_entry */*entry*/, time_t */*t*/); diff --git a/source4/heimdal/lib/hdb/hdb.asn1 b/source4/heimdal/lib/hdb/hdb.asn1 index c8a1a34b4f..c8c276ff6e 100644 --- a/source4/heimdal/lib/hdb/hdb.asn1 +++ b/source4/heimdal/lib/hdb/hdb.asn1 @@ -1,4 +1,4 @@ --- $Id: hdb.asn1,v 1.13 2005/08/11 13:15:44 lha Exp $ +-- $Id: hdb.asn1,v 1.17 2006/08/24 10:45:19 lha Exp $ HDB DEFINITIONS ::= BEGIN @@ -41,7 +41,10 @@ HDBFlags ::= BIT STRING { require-hwauth(10), -- must use hwauth ok-as-delegate(11), -- as in TicketFlags user-to-user(12), -- may use user-to-user auth - immutable(13) -- may not be deleted + immutable(13), -- may not be deleted + trusted-for-delegation(14), -- Trusted to print forwardabled tickets + allow-kerberos4(15), -- Allow Kerberos 4 requests + allow-digest(16) -- Allow digest requests } GENERATION ::= SEQUENCE { @@ -52,10 +55,14 @@ GENERATION ::= SEQUENCE { HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE { subject[0] UTF8String, - issuer[1] UTF8String + issuer[1] UTF8String OPTIONAL, + anchor[2] UTF8String OPTIONAL } -HDB-Ext-PKINIT-certificate ::= SEQUENCE OF OCTET STRING +HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE { + digest-type[0] OBJECT IDENTIFIER, + digest[1] OCTET STRING +} HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal @@ -80,7 +87,7 @@ HDB-extension ::= SEQUENCE { -- be rejected data[1] CHOICE { pkinit-acl[0] HDB-Ext-PKINIT-acl, - pkinit-cert[1] HDB-Ext-PKINIT-certificate, + pkinit-cert-hash[1] HDB-Ext-PKINIT-hash, allowed-to-delegate-to[2] HDB-Ext-Constrained-delegation-acl, -- referral-info[3] HDB-Ext-Referrals, lm-owf[4] HDB-Ext-Lan-Manager-OWF, diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c index 555a0d53f6..d1fa4ffd6a 100644 --- a/source4/heimdal/lib/hdb/hdb.c +++ b/source4/heimdal/lib/hdb/hdb.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: hdb.c,v 1.61 2006/04/24 20:57:58 lha Exp $"); +RCSID("$Id: hdb.c,v 1.62 2006/10/06 16:47:22 lha Exp $"); #ifdef HAVE_DLFCN_H #include <dlfcn.h> @@ -58,6 +58,9 @@ static struct hdb_method methods[] = { #ifdef _SAMBA_BUILD_ {"ldb:", hdb_ldb_create}, #endif +#ifdef HAVE_LDB /* Used for integrated samba build */ + {"ldb:", hdb_ldb_create}, +#endif {NULL, NULL} }; @@ -262,7 +265,7 @@ find_dynamic_method (krb5_context context, if (prefix == NULL) krb5_errx(context, 1, "out of memory"); - if (asprintf(&path, HDBDIR "/hdb_%s.so", prefix) == -1) + if (asprintf(&path, LIBDIR "/hdb_%s.so", prefix) == -1) krb5_errx(context, 1, "out of memory"); #ifndef RTLD_NOW @@ -398,6 +401,6 @@ hdb_create(krb5_context context, HDB **db, const char *filename) h = find_dynamic_method (context, filename, &residual); #endif if (h == NULL) - krb5_errx(context, 1, "No database support! (hdb_create(%s))", filename); + krb5_errx(context, 1, "No database support for %s", filename); return (*h->create)(context, db, residual); } diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h index d14eea7ddc..69c91d12ad 100644 --- a/source4/heimdal/lib/hdb/hdb.h +++ b/source4/heimdal/lib/hdb/hdb.h @@ -66,17 +66,17 @@ typedef struct hdb_entry_ex { struct hdb_entry_ex *, METHOD_DATA* pa_data_seq, time_t authtime, - EncryptionKey *tgtkey, - EncryptionKey *sessionkey, + const EncryptionKey *tgtkey, + const EncryptionKey *sessionkey, AuthorizationData **out); krb5_error_code (*authz_data_tgs_req)(krb5_context, struct hdb_entry_ex *, krb5_principal client, AuthorizationData *in, time_t authtime, - EncryptionKey *tgtkey, - EncryptionKey *servicekey, - EncryptionKey *sessionkey, + const EncryptionKey *tgtkey, + const EncryptionKey *servicekey, + const EncryptionKey *sessionkey, AuthorizationData **out); } hdb_entry_ex; diff --git a/source4/heimdal/lib/hdb/keys.c b/source4/heimdal/lib/hdb/keys.c index d7c2f2c89b..8d4810f5c9 100644 --- a/source4/heimdal/lib/hdb/keys.c +++ b/source4/heimdal/lib/hdb/keys.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: keys.c,v 1.5 2006/04/25 08:09:38 lha Exp $"); +RCSID("$Id: keys.c,v 1.6 2006/10/22 09:40:12 lha Exp $"); /* * free all the memory used by (len, keys) @@ -334,6 +334,9 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, *ret_key_set = key_set; out: + if (ktypes != default_keytypes) + krb5_config_free_strings(ktypes); + if (ret) { krb5_warn(context, ret, "failed to parse the [kadmin]default_keys values"); diff --git a/source4/heimdal/lib/hdb/keytab.c b/source4/heimdal/lib/hdb/keytab.c index c87b8eca2c..8f473a68a4 100644 --- a/source4/heimdal/lib/hdb/keytab.c +++ b/source4/heimdal/lib/hdb/keytab.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,7 +35,7 @@ /* keytab backend for HDB databases */ -RCSID("$Id: keytab.c,v 1.11 2006/04/27 11:01:30 lha Exp $"); +RCSID("$Id: keytab.c,v 1.16 2006/10/09 12:36:40 lha Exp $"); struct hdb_data { char *dbname; @@ -59,7 +59,7 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id) return ENOMEM; } db = name; - mkey = strrchr(name, ':'); + mkey = strchr(name, ':'); if(mkey == NULL || mkey[1] == '\0') { if(*name == '\0') d->dbname = NULL; @@ -201,6 +201,8 @@ hdb_get_entry(krb5_context context, const char *dbname = d->dbname; const char *mkey = d->mkey; + memset(&ent, 0, sizeof(ent)); + if (dbname == NULL) find_db (context, &dbname, &mkey, principal); @@ -218,26 +220,21 @@ hdb_get_entry(krb5_context context, (*db->hdb_destroy)(context, db); return ret; } - ret = (*db->hdb_fetch)(context, db, principal, HDB_F_DECRYPT|HDB_F_GET_CLIENT|HDB_F_GET_SERVER, &ent); - + ret = (*db->hdb_fetch)(context, db, principal, + HDB_F_DECRYPT| + HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, + &ent); - /* Shutdown the hdb on error */ if(ret == HDB_ERR_NOENTRY) { - (*db->hdb_close)(context, db); - (*db->hdb_destroy)(context, db); - return KRB5_KT_NOTFOUND; - } else if (ret) { - (*db->hdb_close)(context, db); - (*db->hdb_destroy)(context, db); - return ret; - } + ret = KRB5_KT_NOTFOUND; + goto out; + }else if(ret) + goto out; + if(kvno && ent.entry.kvno != kvno) { - /* The order here matters, we must free these in this order - * due to hdb-ldb and Samba4's talloc */ hdb_free_entry(context, &ent); - (*db->hdb_close)(context, db); - (*db->hdb_destroy)(context, db); - return KRB5_KT_NOTFOUND; + ret = KRB5_KT_NOTFOUND; + goto out; } if(enctype == 0) if(ent.entry.keys.len > 0) @@ -254,9 +251,8 @@ hdb_get_entry(krb5_context context, break; } } - /* The order here matters, we must free these in this order - * due to hdb-ldb and Samba4's talloc */ hdb_free_entry(context, &ent); +out: (*db->hdb_close)(context, db); (*db->hdb_destroy)(context, db); return ret; diff --git a/source4/heimdal/lib/krb5/acache.c b/source4/heimdal/lib/krb5/acache.c index b38104fc2d..004926bc89 100644 --- a/source4/heimdal/lib/krb5/acache.c +++ b/source4/heimdal/lib/krb5/acache.c @@ -37,7 +37,7 @@ #include <dlfcn.h> #endif -RCSID("$Id: acache.c,v 1.15 2006/03/27 04:22:23 lha Exp $"); +RCSID("$Id: acache.c,v 1.16 2006/10/19 11:41:38 lha Exp $"); /* XXX should we fetch these for each open ? */ static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER; @@ -113,7 +113,7 @@ init_ccapi(krb5_context context) return KRB5_CC_NOSUPP; } - init_func = dlsym(cc_handle, "cc_initialize"); + init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize"); HEIMDAL_MUTEX_unlock(&acc_mutex); if (init_func == NULL) { krb5_set_error_string(context, "Failed to find cc_initialize" diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c index 895b01f9d8..f68be423b0 100644 --- a/source4/heimdal/lib/krb5/addr_families.c +++ b/source4/heimdal/lib/krb5/addr_families.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: addr_families.c,v 1.52 2006/05/05 09:26:22 lha Exp $"); +RCSID("$Id: addr_families.c,v 1.53 2006/10/22 06:54:00 lha Exp $"); struct addr_operations { int af; @@ -551,6 +551,7 @@ arange_free (krb5_context context, krb5_address *addr) a = addr->address.data; krb5_free_address(context, &a->low); krb5_free_address(context, &a->high); + krb5_data_free(&addr->address); return 0; } diff --git a/source4/heimdal/lib/krb5/asn1_glue.c b/source4/heimdal/lib/krb5/asn1_glue.c index 8f7b886e80..b07e058550 100644 --- a/source4/heimdal/lib/krb5/asn1_glue.c +++ b/source4/heimdal/lib/krb5/asn1_glue.c @@ -37,7 +37,7 @@ #include "krb5_locl.h" -RCSID("$Id: asn1_glue.c,v 1.9 2004/12/29 18:54:15 lha Exp $"); +RCSID("$Id: asn1_glue.c,v 1.10 2006/10/06 17:02:48 lha Exp $"); krb5_error_code KRB5_LIB_FUNCTION _krb5_principal2principalname (PrincipalName *p, diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c index b21d42d653..a96870a7de 100644 --- a/source4/heimdal/lib/krb5/cache.c +++ b/source4/heimdal/lib/krb5/cache.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: cache.c,v 1.79 2006/04/02 00:54:48 lha Exp $"); +RCSID("$Id: cache.c,v 1.82 2006/09/12 17:35:33 lha Exp $"); /* * Add a new ccache type with operations `ops', overwriting any @@ -188,7 +188,7 @@ krb5_cc_new_unique(krb5_context context, const char *type, const krb5_cc_ops *ops; if (type == NULL) - type = "FILE"; + type = KRB5_DEFAULT_CCNAME; ops = krb5_cc_get_prefix_ops(context, type); if (ops == NULL) { @@ -423,7 +423,7 @@ krb5_cc_initialize(krb5_context context, krb5_ccache id, krb5_principal primary_principal) { - return id->ops->init(context, id, primary_principal); + return (*id->ops->init)(context, id, primary_principal); } @@ -438,7 +438,7 @@ krb5_cc_destroy(krb5_context context, { krb5_error_code ret; - ret = id->ops->destroy(context, id); + ret = (*id->ops->destroy)(context, id); krb5_cc_close (context, id); return ret; } @@ -453,7 +453,7 @@ krb5_cc_close(krb5_context context, krb5_ccache id) { krb5_error_code ret; - ret = id->ops->close(context, id); + ret = (*id->ops->close)(context, id); free(id); return ret; } @@ -468,7 +468,7 @@ krb5_cc_store_cred(krb5_context context, krb5_ccache id, krb5_creds *creds) { - return id->ops->store(context, id, creds); + return (*id->ops->store)(context, id, creds); } /* @@ -488,8 +488,8 @@ krb5_cc_retrieve_cred(krb5_context context, krb5_cc_cursor cursor; if (id->ops->retrieve != NULL) { - return id->ops->retrieve(context, id, whichfields, - mcreds, creds); + return (*id->ops->retrieve)(context, id, whichfields, + mcreds, creds); } krb5_cc_start_seq_get(context, id, &cursor); @@ -514,7 +514,7 @@ krb5_cc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *principal) { - return id->ops->get_princ(context, id, principal); + return (*id->ops->get_princ)(context, id, principal); } /* @@ -528,7 +528,7 @@ krb5_cc_start_seq_get (krb5_context context, const krb5_ccache id, krb5_cc_cursor *cursor) { - return id->ops->get_first(context, id, cursor); + return (*id->ops->get_first)(context, id, cursor); } /* @@ -543,7 +543,7 @@ krb5_cc_next_cred (krb5_context context, krb5_cc_cursor *cursor, krb5_creds *creds) { - return id->ops->get_next(context, id, cursor, creds); + return (*id->ops->get_next)(context, id, cursor, creds); } /* like krb5_cc_next_cred, but allow for selective retrieval */ @@ -576,7 +576,7 @@ krb5_cc_end_seq_get (krb5_context context, const krb5_ccache id, krb5_cc_cursor *cursor) { - return id->ops->end_get(context, id, cursor); + return (*id->ops->end_get)(context, id, cursor); } /* @@ -607,7 +607,7 @@ krb5_cc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags) { - return id->ops->set_flags(context, id, flags); + return (*id->ops->set_flags)(context, id, flags); } /* @@ -672,7 +672,7 @@ krb5_cc_get_version(krb5_context context, const krb5_ccache id) { if(id->ops->get_version) - return id->ops->get_version(context, id); + return (*id->ops->get_version)(context, id); else return 0; } diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c index 594665235b..f7b3ffbf9e 100644 --- a/source4/heimdal/lib/krb5/context.c +++ b/source4/heimdal/lib/krb5/context.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <com_err.h> -RCSID("$Id: context.c,v 1.102 2005/05/18 04:20:50 lha Exp $"); +RCSID("$Id: context.c,v 1.108 2006/10/20 22:26:10 lha Exp $"); #define INIT_FIELD(C, T, E, D, F) \ (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ @@ -181,8 +181,8 @@ init_context_from_config_file(krb5_context context) INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup"); INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc"); INIT_FIELD(context, int, large_msg_size, 6000, "large_message_size"); + INIT_FIELD(context, bool, dns_canonicalize_hostname, TRUE, "dns_canonize_hostname"); context->default_cc_name = NULL; - INIT_FIELD(context, bool, fdns, TRUE, "fdns"); return 0; } @@ -263,7 +263,7 @@ krb5_free_context(krb5_context context) krb5_closelog(context, context->warn_dest); krb5_set_extra_addresses(context, NULL); krb5_set_ignore_addresses(context, NULL); - free(context->send_and_recv); + krb5_set_send_to_kdc_func(context, NULL, NULL); if (context->mutex != NULL) { HEIMDAL_MUTEX_destroy(context->mutex); free(context->mutex); @@ -424,13 +424,17 @@ krb5_free_config_files(char **filenames) } /* - * set `etype' to a malloced list of the default enctypes + * Returns the list of Kerberos encryption types sorted in order of + * most preferred to least preferred encryption type. The array ends + * with ETYPE_NULL. Note that some encryption types might be + * disabled, so you need to check with krb5_enctype_valid() before + * using the encryption type. */ -static krb5_error_code -default_etypes(krb5_context context, krb5_enctype **etype) +const krb5_enctype * KRB5_LIB_FUNCTION +krb5_kerberos_enctypes(krb5_context context) { - krb5_enctype p[] = { + static const krb5_enctype p[] = { ETYPE_AES256_CTS_HMAC_SHA1_96, ETYPE_AES128_CTS_HMAC_SHA1_96, ETYPE_DES3_CBC_SHA1, @@ -438,12 +442,26 @@ default_etypes(krb5_context context, krb5_enctype **etype) ETYPE_ARCFOUR_HMAC_MD5, ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_MD4, - ETYPE_DES_CBC_CRC + ETYPE_DES_CBC_CRC, + ETYPE_NULL }; + return p; +} + +/* + * set `etype' to a malloced list of the default enctypes + */ + +static krb5_error_code +default_etypes(krb5_context context, krb5_enctype **etype) +{ + const krb5_enctype *p; krb5_enctype *e = NULL, *ep; int i, n = 0; - for (i = 0; i < sizeof(p)/sizeof(p[0]); i++) { + p = krb5_kerberos_enctypes(context); + + for (i = 0; p[i] != ETYPE_NULL; i++) { if (krb5_enctype_valid(context, p[i]) != 0) continue; ep = realloc(e, (n + 2) * sizeof(*e)); @@ -537,6 +555,9 @@ krb5_init_ets(krb5_context context) krb5_add_et_list(context, initialize_asn1_error_table_r); krb5_add_et_list(context, initialize_heim_error_table_r); krb5_add_et_list(context, initialize_k524_error_table_r); +#ifdef PKINIT + krb5_add_et_list(context, initialize_hx_error_table_r); +#endif } } @@ -662,3 +683,25 @@ krb5_is_thread_safe(void) return FALSE; #endif } + +void KRB5_LIB_FUNCTION +krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag) +{ + context->dns_canonicalize_hostname = flag; +} + +krb5_boolean KRB5_LIB_FUNCTION +krb5_get_dns_canonize_hostname (krb5_context context) +{ + return context->dns_canonicalize_hostname; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec) +{ + if (sec) + *sec = context->kdc_sec_offset; + if (usec) + *usec = context->kdc_usec_offset; + return 0; +} diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c index a3c58051f9..9f6ef6b82b 100644 --- a/source4/heimdal/lib/krb5/crypto.c +++ b/source4/heimdal/lib/krb5/crypto.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: crypto.c,v 1.138 2006/05/08 13:47:24 lha Exp $"); +RCSID("$Id: crypto.c,v 1.145 2006/10/22 07:32:40 lha Exp $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -55,7 +55,6 @@ struct krb5_crypto_data { struct key_data key; int num_key_usage; struct key_usage *key_usage; - void *params; }; #define kcrypto_oid_enc(n) { sizeof(n)/sizeof(n[0]), n } @@ -89,13 +88,9 @@ struct key_type { krb5_enctype best_etype; #endif void (*random_key)(krb5_context, krb5_keyblock*); - void (*schedule)(krb5_context, struct key_data *, const void *); + void (*schedule)(krb5_context, struct key_data *); struct salt_type *string_to_key; void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t); - krb5_error_code (*get_params)(krb5_context, const krb5_data *, - void **, krb5_data *); - krb5_error_code (*set_params)(krb5_context, const void *, - const krb5_data *, krb5_data *); }; struct checksum_type { @@ -181,8 +176,7 @@ krb5_DES_random_key(krb5_context context, static void krb5_DES_schedule(krb5_context context, - struct key_data *key, - const void *params) + struct key_data *key) { DES_set_key(key->key->keyvalue.data, key->schedule->data); } @@ -392,8 +386,7 @@ DES3_random_key(krb5_context context, static void DES3_schedule(krb5_context context, - struct key_data *key, - const void *params) + struct key_data *key) { DES_cblock *k = key->key->keyvalue.data; DES_key_schedule *s = key->schedule->data; @@ -546,8 +539,7 @@ DES3_random_to_key(krb5_context context, static void ARCFOUR_schedule(krb5_context context, - struct key_data *kd, - const void *params) + struct key_data *kd) { RC4_set_key (kd->schedule->data, kd->key->keyvalue.length, kd->key->keyvalue.data); @@ -618,15 +610,16 @@ AES_string_to_key(krb5_context context, if (et == NULL) return KRB5_PROG_KEYTYPE_NOSUPP; - key->keytype = enctype; - ret = krb5_data_alloc(&key->keyvalue, et->keytype->size); - if (ret) { - krb5_set_error_string(context, "Failed to allocate pkcs5 key"); - return ret; + kd.schedule = NULL; + ALLOC(kd.key, 1); + if(kd.key == NULL) { + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; } - ret = krb5_copy_keyblock(context, key, &kd.key); + kd.key->keytype = enctype; + ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size); if (ret) { - krb5_free_keyblock(context, key); + krb5_set_error_string(context, "Failed to allocate pkcs5 key"); return ret; } @@ -634,8 +627,8 @@ AES_string_to_key(krb5_context context, salt.saltvalue.data, salt.saltvalue.length, iter, et->keytype->size, kd.key->keyvalue.data); - kd.schedule = NULL; if (ret != 1) { + free_key_data(context, &kd); krb5_set_error_string(context, "Error calculating s2k"); return KRB5_PROG_KEYTYPE_NOSUPP; } @@ -655,8 +648,7 @@ struct krb5_aes_schedule { static void AES_schedule(krb5_context context, - struct key_data *kd, - const void *params) + struct key_data *kd) { struct krb5_aes_schedule *key = kd->schedule->data; int bits = kd->key->keyvalue.length * 8; @@ -667,115 +659,6 @@ AES_schedule(krb5_context context, } /* - * RC2 - */ - -struct _RC2_params { - int maximum_effective_key; -}; - -static krb5_error_code -rc2_get_params(krb5_context context, - const krb5_data *data, - void **params, - krb5_data *ivec) -{ - RC2CBCParameter rc2params; - struct _RC2_params *p; - krb5_error_code ret; - size_t size; - - ret = decode_RC2CBCParameter(data->data, data->length, &rc2params, &size); - if (ret) { - krb5_set_error_string(context, "Can't decode RC2 parameters"); - return ret; - } - p = malloc(sizeof(*p)); - if (p == NULL) { - free_RC2CBCParameter(&rc2params); - krb5_set_error_string(context, "malloc - out of memory"); - return ENOMEM; - } - /* XXX */ - switch(rc2params.rc2ParameterVersion) { - case 160: - p->maximum_effective_key = 40; - break; - case 120: - p->maximum_effective_key = 64; - break; - case 58: - p->maximum_effective_key = 128; - break; - - } - if (ivec) - ret = copy_octet_string(&rc2params.iv, ivec); - free_RC2CBCParameter(&rc2params); - *params = p; - - return ret; -} - -static krb5_error_code -rc2_set_params(krb5_context context, - const void *params, - const krb5_data *ivec, - krb5_data *data) -{ - RC2CBCParameter rc2params; - const struct _RC2_params *p = params; - int maximum_effective_key = 128; - krb5_error_code ret; - size_t size; - - memset(&rc2params, 0, sizeof(rc2params)); - - if (p) - maximum_effective_key = p->maximum_effective_key; - - /* XXX */ - switch(maximum_effective_key) { - case 40: - rc2params.rc2ParameterVersion = 160; - break; - case 64: - rc2params.rc2ParameterVersion = 120; - break; - case 128: - rc2params.rc2ParameterVersion = 58; - break; - } - ret = copy_octet_string(ivec, &rc2params.iv); - if (ret) - return ret; - - ASN1_MALLOC_ENCODE(RC2CBCParameter, data->data, data->length, - &rc2params, &size, ret); - if (ret == 0 && size != data->length) - krb5_abortx(context, "Internal asn1 encoder failure"); - free_RC2CBCParameter(&rc2params); - - return ret; -} - -static void -rc2_schedule(krb5_context context, - struct key_data *kd, - const void *params) -{ - const struct _RC2_params *p = params; - int maximum_effective_key = 128; - if (p) - maximum_effective_key = p->maximum_effective_key; - RC2_set_key (kd->schedule->data, - kd->key->keyvalue.length, - kd->key->keyvalue.data, - maximum_effective_key); -} - - -/* * */ @@ -898,18 +781,6 @@ static struct key_type keytype_aes128 = { AES_salt }; -static struct key_type keytype_aes192 = { - KEYTYPE_AES192, - "aes-192", - 192, - 24, - 24, - sizeof(struct krb5_aes_schedule), - NULL, - AES_schedule, - AES_salt -}; - static struct key_type keytype_aes256 = { KEYTYPE_AES256, "aes-256", @@ -934,30 +805,13 @@ static struct key_type keytype_arcfour = { arcfour_salt }; -static struct key_type keytype_rc2 = { - KEYTYPE_RC2, - "rc2", - 128, - 16, - 1, - sizeof(RC2_KEY), - NULL, - rc2_schedule, - NULL, /* XXX salt */ - NULL, - rc2_get_params, - rc2_set_params -}; - static struct key_type *keytypes[] = { &keytype_null, &keytype_des, &keytype_des3_derived, &keytype_des3, &keytype_aes128, - &keytype_aes192, &keytype_aes256, - &keytype_rc2, &keytype_arcfour }; @@ -1247,8 +1101,7 @@ krb5_generate_random_keyblock(krb5_context context, static krb5_error_code _key_schedule(krb5_context context, - struct key_data *key, - const void *params) + struct key_data *key) { krb5_error_code ret; struct encryption_type *et = _find_enctype(key->key->keytype); @@ -1269,7 +1122,7 @@ _key_schedule(krb5_context context, key->schedule = NULL; return ret; } - (*kt->schedule)(context, key, params); + (*kt->schedule)(context, key); return 0; } @@ -1933,7 +1786,7 @@ get_checksum_key(krb5_context context, *key = &crypto->key; } if(ret == 0) - ret = _key_schedule(context, *key, crypto->params); + ret = _key_schedule(context, *key); return ret; } @@ -2290,16 +2143,15 @@ DES_PCBC_encrypt_key_ivec(krb5_context context, void KRB5_LIB_FUNCTION _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, - size_t len, const void *aes_key, + size_t len, const AES_KEY *key, unsigned char *ivec, const int encryptp) { unsigned char tmp[AES_BLOCK_SIZE]; - const AES_KEY *key = aes_key; /* XXX remove this when we always have AES */ int i; /* * In the framework of kerberos, the length can never be shorter - * than at least one blocksize. + * then at least one blocksize. */ if (encryptp) { @@ -2838,7 +2690,7 @@ krb5_string_to_enctype(krb5_context context, } krb5_error_code KRB5_LIB_FUNCTION -krb5_enctype_to_oid(krb5_context context, +_krb5_enctype_to_oid(krb5_context context, krb5_enctype etype, heim_oid *oid) { @@ -2853,7 +2705,7 @@ krb5_enctype_to_oid(krb5_context context, return KRB5_PROG_ETYPE_NOSUPP; } krb5_clear_error_string(context); - return copy_oid(et->oid, oid); + return der_copy_oid(et->oid, oid); } krb5_error_code KRB5_LIB_FUNCTION @@ -2863,7 +2715,7 @@ _krb5_oid_to_enctype(krb5_context context, { int i; for(i = 0; i < num_etypes; i++) { - if(etypes[i]->oid && heim_oid_cmp(etypes[i]->oid, oid) == 0) { + if(etypes[i]->oid && der_heim_oid_cmp(etypes[i]->oid, oid) == 0) { *etype = etypes[i]->type; return 0; } @@ -3080,7 +2932,7 @@ encrypt_internal_derived(krb5_context context, ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); if(ret) goto fail; - ret = _key_schedule(context, dkey, crypto->params); + ret = _key_schedule(context, dkey); if(ret) goto fail; #ifdef CRYPTO_DEBUG @@ -3146,7 +2998,7 @@ encrypt_internal(krb5_context context, goto fail; memcpy(p + et->confoundersize, cksum.checksum.data, cksum.checksum.length); free_Checksum(&cksum); - ret = _key_schedule(context, &crypto->key, crypto->params); + ret = _key_schedule(context, &crypto->key); if(ret) goto fail; #ifdef CRYPTO_DEBUG @@ -3246,7 +3098,7 @@ decrypt_internal_derived(krb5_context context, free(p); return ret; } - ret = _key_schedule(context, dkey, crypto->params); + ret = _key_schedule(context, dkey); if(ret) { free(p); return ret; @@ -3313,7 +3165,7 @@ decrypt_internal(krb5_context context, } memcpy(p, data, len); - ret = _key_schedule(context, &crypto->key, crypto->params); + ret = _key_schedule(context, &crypto->key); if(ret) { free(p); return ret; @@ -3613,11 +3465,9 @@ derive_key(krb5_context context, unsigned char *k; unsigned int nblocks = 0, i; krb5_error_code ret = 0; - struct key_type *kt = et->keytype; - /* since RC2 is only the weird crypto alg with parameter and this - * function not defined with work with RC2, this is ok */ - ret = _key_schedule(context, key, NULL); + + ret = _key_schedule(context, key); if(ret) return ret; if(et->blocksize * 8 < kt->bits || @@ -3795,7 +3645,6 @@ krb5_crypto_init(krb5_context context, (*crypto)->key.schedule = NULL; (*crypto)->num_key_usage = 0; (*crypto)->key_usage = NULL; - (*crypto)->params = NULL; return 0; } @@ -3825,80 +3674,11 @@ krb5_crypto_destroy(krb5_context context, free_key_usage(context, &crypto->key_usage[i]); free(crypto->key_usage); free_key_data(context, &crypto->key); - free(crypto->params); free (crypto); return 0; } krb5_error_code KRB5_LIB_FUNCTION -krb5_crypto_get_params(krb5_context context, - const krb5_crypto crypto, - const krb5_data *params, - krb5_data *ivec) -{ - krb5_error_code (*gp)(krb5_context, const krb5_data *,void **,krb5_data *); - krb5_error_code ret; - - gp = crypto->et->keytype->get_params; - if (gp) { - if (crypto->params) { - krb5_set_error_string(context, - "krb5_crypto_get_params called " - "more than once"); - return KRB5_PROG_ETYPE_NOSUPP; - } - ret = (*gp)(context, params, &crypto->params, ivec); - } else { - size_t size; - if (ivec == NULL) - return 0; - ret = decode_CBCParameter(params->data, params->length, ivec, &size); - } - if (ret) - return ret; - if (ivec->length < crypto->et->blocksize) { - krb5_data_free(ivec); - krb5_set_error_string(context, "%s IV of wrong size", - crypto->et->name); - return ASN1_PARSE_ERROR; - } - return 0; -} - -krb5_error_code KRB5_LIB_FUNCTION -krb5_crypto_set_params(krb5_context context, - const krb5_crypto crypto, - const krb5_data *ivec, - krb5_data *params) -{ - krb5_error_code (*sp)(krb5_context, const void *, - const krb5_data *, krb5_data *); - krb5_error_code ret; - - sp = crypto->et->keytype->set_params; - if (sp == NULL) { - size_t size; - if (ivec == NULL) - return 0; - ASN1_MALLOC_ENCODE(CBCParameter, params->data, params->length, - ivec, &size, ret); - if (ret) - return ret; - if (size != params->length) - krb5_abortx(context, "Internal asn1 encoder failure"); - return 0; - } - if (crypto->params) { - krb5_set_error_string(context, - "krb5_crypto_set_params called " - "more than once"); - return KRB5_PROG_ETYPE_NOSUPP; - } - return (*sp)(context, crypto->params, ivec, params); -} - - -krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_getblocksize(krb5_context context, krb5_crypto crypto, size_t *blocksize) diff --git a/source4/heimdal/lib/krb5/data.c b/source4/heimdal/lib/krb5/data.c index 3192c4c64f..f0c6d00abe 100644 --- a/source4/heimdal/lib/krb5/data.c +++ b/source4/heimdal/lib/krb5/data.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: data.c,v 1.20 2006/04/02 01:06:07 lha Exp $"); +RCSID("$Id: data.c,v 1.21 2006/10/14 09:45:41 lha Exp $"); void KRB5_LIB_FUNCTION krb5_data_zero(krb5_data *p) @@ -110,7 +110,7 @@ krb5_copy_data(krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - ret = copy_octet_string(indata, *outdata); + ret = der_copy_octet_string(indata, *outdata); if(ret) { krb5_clear_error_string (context); free(*outdata); diff --git a/source4/heimdal/lib/krb5/expand_hostname.c b/source4/heimdal/lib/krb5/expand_hostname.c index f03bf15807..4d0692bcfa 100644 --- a/source4/heimdal/lib/krb5/expand_hostname.c +++ b/source4/heimdal/lib/krb5/expand_hostname.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: expand_hostname.c,v 1.12 2004/05/25 21:24:14 lha Exp $"); +RCSID("$Id: expand_hostname.c,v 1.13 2006/10/17 09:16:32 lha Exp $"); static krb5_error_code copy_hostname(krb5_context context, @@ -62,13 +62,12 @@ krb5_expand_hostname (krb5_context context, struct addrinfo *ai, *a, hints; int error; + if (!context->dns_canonicalize_hostname) + return copy_hostname (context, orig_hostname, new_hostname); + memset (&hints, 0, sizeof(hints)); hints.ai_flags = AI_CANONNAME; - if (!context->fdns) { - return copy_hostname (context, orig_hostname, new_hostname); - } - error = getaddrinfo (orig_hostname, NULL, &hints, &ai); if (error) return copy_hostname (context, orig_hostname, new_hostname); @@ -128,10 +127,9 @@ krb5_expand_hostname_realms (krb5_context context, int error; krb5_error_code ret = 0; - if (!context->fdns) { + if (!context->dns_canonicalize_hostname) return vanilla_hostname (context, orig_hostname, new_hostname, realms); - } memset (&hints, 0, sizeof(hints)); hints.ai_flags = AI_CANONNAME; diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c index 1fa3f9143e..b404c30f6e 100644 --- a/source4/heimdal/lib/krb5/get_cred.c +++ b/source4/heimdal/lib/krb5/get_cred.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: get_cred.c,v 1.109 2006/02/03 11:41:02 lha Exp $"); +RCSID("$Id: get_cred.c,v 1.112 2006/06/06 21:22:54 lha Exp $"); /* * Take the `body' and encode it into `padata' using the credentials @@ -142,6 +142,7 @@ init_tgs_req (krb5_context context, krb5_creds *in_creds, krb5_creds *krbtgt, unsigned nonce, + const METHOD_DATA *padata, krb5_keyblock **subkey, TGS_REQ *t, krb5_key_usage usage) @@ -220,12 +221,22 @@ init_tgs_req (krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); goto fail; } - ALLOC_SEQ(t->padata, 1); + ALLOC_SEQ(t->padata, 1 + padata->len); if (t->padata->val == NULL) { ret = ENOMEM; krb5_set_error_string(context, "malloc: out of memory"); goto fail; } + { + int i; + for (i = 0; i < padata->len; i++) { + ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]); + if (ret) { + krb5_set_error_string(context, "malloc: out of memory"); + goto fail; + } + } + } { krb5_auth_context ac; @@ -268,7 +279,7 @@ init_tgs_req (krb5_context context, ret = make_pa_tgs_req(context, ac, &t->req_body, - t->padata->val, + &t->padata->val[0], krbtgt, usage); if(ret) { @@ -383,8 +394,10 @@ get_cred_kdc_usage(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, krb5_addresses *addresses, - krb5_creds *in_creds, + krb5_creds *in_creds, krb5_creds *krbtgt, + krb5_principal impersonate_principal, + Ticket *second_ticket, krb5_creds *out_creds, krb5_key_usage usage) { @@ -397,36 +410,91 @@ get_cred_kdc_usage(krb5_context context, unsigned nonce; krb5_keyblock *subkey = NULL; size_t len; - Ticket second_ticket; + Ticket second_ticket_data; int send_to_kdc_flags = 0; + METHOD_DATA padata; krb5_data_zero(&resp); krb5_data_zero(&enc); + padata.val = NULL; + padata.len = 0; krb5_generate_random_block(&nonce, sizeof(nonce)); nonce &= 0xffffffff; - if(flags.b.enc_tkt_in_skey){ + if(flags.b.enc_tkt_in_skey && second_ticket == NULL){ ret = decode_Ticket(in_creds->second_ticket.data, in_creds->second_ticket.length, - &second_ticket, &len); + &second_ticket_data, &len); if(ret) return ret; + second_ticket = &second_ticket_data; + } + + + if (impersonate_principal) { + krb5_crypto crypto; + PA_S4U2Self self; + krb5_data data; + void *buf; + size_t size; + + self.name = impersonate_principal->name; + self.realm = impersonate_principal->realm; + self.auth = estrdup("Kerberos"); + + ret = _krb5_s4u2self_to_checksumdata(context, &self, &data); + if (ret) { + free(self.auth); + goto out; + } + + ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto); + if (ret) { + free(self.auth); + krb5_data_free(&data); + goto out; + } + + ret = krb5_create_checksum(context, + crypto, + KRB5_KU_TGS_IMPERSONATE, + 0, + data.data, + data.length, + &self.cksum); + krb5_crypto_destroy(context, crypto); + krb5_data_free(&data); + if (ret) { + free(self.auth); + goto out; + } + + ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret); + free(self.auth); + free_Checksum(&self.cksum); + if (ret) + goto out; + if (len != size) + krb5_abortx(context, "internal asn1 error"); + + ret = krb5_padata_add(context, &padata, KRB5_PADATA_S4U2SELF, buf, len); + if (ret) + goto out; } ret = init_tgs_req (context, id, addresses, flags, - flags.b.enc_tkt_in_skey ? &second_ticket : NULL, + second_ticket, in_creds, krbtgt, nonce, + &padata, &subkey, &req, usage); - if(flags.b.enc_tkt_in_skey) - free_Ticket(&second_ticket); if (ret) goto out; @@ -475,7 +543,7 @@ again: &krbtgt->addresses, nonce, TRUE, - flags.b.request_anonymous, + TRUE /* flags.b.request_anonymous */, decrypt_tkt_with_subkey, subkey); krb5_free_kdc_rep(context, &rep); @@ -497,6 +565,9 @@ again: } out: + if (second_ticket == &second_ticket_data) + free_Ticket(&second_ticket_data); + free_METHOD_DATA(&padata); krb5_data_free(&resp); krb5_data_free(&enc); if(subkey){ @@ -514,16 +585,20 @@ get_cred_kdc(krb5_context context, krb5_addresses *addresses, krb5_creds *in_creds, krb5_creds *krbtgt, + krb5_principal impersonate_principal, + Ticket *second_ticket, krb5_creds *out_creds) { krb5_error_code ret; ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds, - krbtgt, out_creds, KRB5_KU_TGS_REQ_AUTH); + krbtgt, impersonate_principal, second_ticket, + out_creds, KRB5_KU_TGS_REQ_AUTH); if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { krb5_clear_error_string (context); ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds, - krbtgt, out_creds, KRB5_KU_AP_REQ_AUTH); + krbtgt, impersonate_principal, second_ticket, + out_creds, KRB5_KU_AP_REQ_AUTH); } return ret; } @@ -533,6 +608,7 @@ get_cred_kdc(krb5_context context, static krb5_error_code get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, krb5_creds *in_creds, krb5_creds *krbtgt, + krb5_principal impersonate_principal, Ticket *second_ticket, krb5_creds *out_creds) { krb5_error_code ret; @@ -543,7 +619,8 @@ get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, if(addresses.len == 0) addrs = NULL; ret = get_cred_kdc(context, id, flags, addrs, - in_creds, krbtgt, out_creds); + in_creds, krbtgt, impersonate_principal, second_ticket, + out_creds); krb5_free_addresses(context, &addresses); return ret; } @@ -575,7 +652,7 @@ krb5_get_kdc_cred(krb5_context context, return ret; } ret = get_cred_kdc(context, id, flags, addresses, - in_creds, krbtgt, *out_creds); + in_creds, krbtgt, NULL, NULL, *out_creds); krb5_free_creds (context, krbtgt); if(ret) free(*out_creds); @@ -607,7 +684,17 @@ find_cred(krb5_context context, } tgts++; } - krb5_clear_error_string(context); + { + char *str; + ret = krb5_unparse_name(context, server, &str); + if(ret == 0) { + krb5_set_error_string(context, "Matching credential " + "(%s) not found", str); + free(str); + } else { + krb5_clear_error_string(context); + } + } return KRB5_CC_NOTFOUND; } @@ -650,6 +737,8 @@ get_cred_from_kdc_flags(krb5_context context, krb5_kdc_flags flags, krb5_ccache ccache, krb5_creds *in_creds, + krb5_principal impersonate_principal, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -707,10 +796,16 @@ get_cred_from_kdc_flags(krb5_context context, if (noaddr) ret = get_cred_kdc(context, ccache, flags, NULL, - in_creds, &tgts, *out_creds); + in_creds, &tgts, + impersonate_principal, + second_ticket, + *out_creds); else ret = get_cred_kdc_la(context, ccache, flags, - in_creds, &tgts, *out_creds); + in_creds, &tgts, + impersonate_principal, + second_ticket, + *out_creds); if (ret) { free (*out_creds); *out_creds = NULL; @@ -731,7 +826,7 @@ get_cred_from_kdc_flags(krb5_context context, heim_general_string tgt_inst; ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds, - &tgt, ret_tgts); + NULL, NULL, &tgt, ret_tgts); if(ret) { krb5_free_principal(context, tmp_creds.server); krb5_free_principal(context, tmp_creds.client); @@ -776,10 +871,12 @@ get_cred_from_kdc_flags(krb5_context context, &noaddr); if (noaddr) ret = get_cred_kdc (context, ccache, flags, NULL, - in_creds, tgt, *out_creds); + in_creds, tgt, NULL, NULL, + *out_creds); else ret = get_cred_kdc_la(context, ccache, flags, - in_creds, tgt, *out_creds); + in_creds, tgt, NULL, NULL, + *out_creds); if (ret) { free (*out_creds); *out_creds = NULL; @@ -800,7 +897,8 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_kdc_flags f; f.i = flags; return get_cred_from_kdc_flags(context, f, ccache, - in_creds, out_creds, ret_tgts); + in_creds, NULL, NULL, + out_creds, ret_tgts); } krb5_error_code KRB5_LIB_FUNCTION @@ -879,15 +977,18 @@ krb5_get_credentials_with_flags(krb5_context context, } if(options & KRB5_GC_USER_USER) flags.b.enc_tkt_in_skey = 1; + if (flags.b.enc_tkt_in_skey) + options |= KRB5_GC_NO_STORE; + tgts = NULL; ret = get_cred_from_kdc_flags(context, flags, ccache, - in_creds, out_creds, &tgts); + in_creds, NULL, NULL, out_creds, &tgts); for(i = 0; tgts && tgts[i]; i++) { krb5_cc_store_cred(context, ccache, tgts[i]); krb5_free_creds(context, tgts[i]); } free(tgts); - if(ret == 0 && flags.b.enc_tkt_in_skey == 0) + if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0) krb5_cc_store_cred(context, ccache, *out_creds); return ret; } @@ -904,3 +1005,200 @@ krb5_get_credentials(krb5_context context, return krb5_get_credentials_with_flags(context, options, flags, ccache, in_creds, out_creds); } + +struct krb5_get_creds_opt_data { + krb5_principal self; + krb5_flags options; + krb5_enctype enctype; + Ticket *ticket; +}; + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt) +{ + *opt = calloc(1, sizeof(**opt)); + if (*opt == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + return 0; +} + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt) +{ + if (opt->self) + krb5_free_principal(context, opt->self); + memset(opt, 0, sizeof(*opt)); + free(opt); +} + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_options(krb5_context context, + krb5_get_creds_opt opt, + krb5_flags options) +{ + opt->options = options; +} + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_add_options(krb5_context context, + krb5_get_creds_opt opt, + krb5_flags options) +{ + opt->options |= options; +} + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_enctype(krb5_context context, + krb5_get_creds_opt opt, + krb5_enctype enctype) +{ + opt->enctype = enctype; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_impersonate(krb5_context context, + krb5_get_creds_opt opt, + krb5_const_principal self) +{ + if (opt->self) + krb5_free_principal(context, opt->self); + return krb5_copy_principal(context, self, &opt->self); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_ticket(krb5_context context, + krb5_get_creds_opt opt, + const Ticket *ticket) +{ + if (opt->ticket) { + free_Ticket(opt->ticket); + free(opt->ticket); + opt->ticket = NULL; + } + if (ticket) { + krb5_error_code ret; + + opt->ticket = malloc(sizeof(*ticket)); + if (opt->ticket == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + ret = copy_Ticket(ticket, opt->ticket); + if (ret) { + free(opt->ticket); + opt->ticket = NULL; + krb5_set_error_string(context, "malloc: out of memory"); + return ret; + } + } + return 0; +} + + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds(krb5_context context, + krb5_get_creds_opt opt, + krb5_ccache ccache, + krb5_const_principal inprinc, + krb5_creds **out_creds) +{ + krb5_kdc_flags flags; + krb5_flags options; + krb5_creds in_creds; + krb5_error_code ret; + krb5_creds **tgts; + krb5_creds *res_creds; + int i; + + memset(&in_creds, 0, sizeof(in_creds)); + in_creds.server = rk_UNCONST(inprinc); + + ret = krb5_cc_get_principal(context, ccache, &in_creds.client); + if (ret) + return ret; + + options = opt->options; + flags.i = 0; + + *out_creds = NULL; + res_creds = calloc(1, sizeof(*res_creds)); + if (res_creds == NULL) { + krb5_free_principal(context, in_creds.client); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + if (opt->enctype) { + in_creds.session.keytype = opt->enctype; + options |= KRB5_TC_MATCH_KEYTYPE; + } + + /* + * If we got a credential, check if credential is expired before + * returning it. + */ + ret = krb5_cc_retrieve_cred(context, + ccache, + opt->enctype ? KRB5_TC_MATCH_KEYTYPE : 0, + &in_creds, res_creds); + /* + * If we got a credential, check if credential is expired before + * returning it, but only if KRB5_GC_EXPIRED_OK is not set. + */ + if (ret == 0) { + krb5_timestamp timeret; + + /* If expired ok, don't bother checking */ + if(options & KRB5_GC_EXPIRED_OK) { + *out_creds = res_creds; + krb5_free_principal(context, in_creds.client); + return 0; + } + + krb5_timeofday(context, &timeret); + if(res_creds->times.endtime > timeret) { + *out_creds = res_creds; + krb5_free_principal(context, in_creds.client); + return 0; + } + if(options & KRB5_GC_CACHED) + krb5_cc_remove_cred(context, ccache, 0, res_creds); + + } else if(ret != KRB5_CC_END) { + free(res_creds); + krb5_free_principal(context, in_creds.client); + return ret; + } + free(res_creds); + if(options & KRB5_GC_CACHED) { + krb5_clear_error_string (context); + krb5_free_principal(context, in_creds.client); + return KRB5_CC_NOTFOUND; + } + if(options & KRB5_GC_USER_USER) { + flags.b.enc_tkt_in_skey = 1; + options |= KRB5_GC_NO_STORE; + } + if (options & KRB5_GC_FORWARDABLE) + flags.b.forwardable = 1; + if (options & KRB5_GC_NO_TRANSIT_CHECK) + flags.b.disable_transited_check = 1; + + tgts = NULL; + ret = get_cred_from_kdc_flags(context, flags, ccache, + &in_creds, opt->self, opt->ticket, + out_creds, &tgts); + krb5_free_principal(context, in_creds.client); + for(i = 0; tgts && tgts[i]; i++) { + krb5_cc_store_cred(context, ccache, tgts[i]); + krb5_free_creds(context, tgts[i]); + } + free(tgts); + if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0) + krb5_cc_store_cred(context, ccache, *out_creds); + return ret; +} diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c index f042cdb573..661d05663b 100644 --- a/source4/heimdal/lib/krb5/get_for_creds.c +++ b/source4/heimdal/lib/krb5/get_for_creds.c @@ -376,7 +376,7 @@ krb5_get_forwarded_creds (krb5_context context, cred.enc_part.cipher.length = buf_size; } else { /* - * Here older versions than 0.7.2 of Heimdal used the local or + * Here older versions then 0.7.2 of Heimdal used the local or * remote subkey. That is wrong, the session key should be * used. Heimdal 0.7.2 and newer have code to try both in the * receiving end. diff --git a/source4/heimdal/lib/krb5/get_host_realm.c b/source4/heimdal/lib/krb5/get_host_realm.c index 33a3438b12..ffc646d98b 100644 --- a/source4/heimdal/lib/krb5/get_host_realm.c +++ b/source4/heimdal/lib/krb5/get_host_realm.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <resolve.h> -RCSID("$Id: get_host_realm.c,v 1.35 2005/08/23 08:14:02 lha Exp $"); +RCSID("$Id: get_host_realm.c,v 1.37 2006/10/17 19:28:36 lha Exp $"); /* To automagically find the correct realm of a host (without * [domain_realm] in krb5.conf) add a text record for your domain with @@ -187,65 +187,71 @@ _krb5_get_host_realm_int (krb5_context context, return 0; } } - - *realms = malloc(2 * sizeof(krb5_realm)); - if (*realms == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - (*realms)[1] = NULL; - p = strchr(host, '.'); if(p != NULL) { p++; - (*realms)[0] = strdup(p); - if((*realms)[0] == NULL) { - free(*realms); + *realms = malloc(2 * sizeof(krb5_realm)); + if (*realms == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - strupr((*realms)[0]); - } else { - krb5_error_code ret; - ret = krb5_get_default_realm(context, &(*realms)[0]); - if(ret) { + + (*realms)[0] = strdup(p); + if((*realms)[0] == NULL) { free(*realms); krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - if((*realms)[0] == NULL) { - free(*realms); - krb5_set_error_string(context, "unable to find realm of host %s", host); - return KRB5_ERR_HOST_REALM_UNKNOWN; - } + strupr((*realms)[0]); + (*realms)[1] = NULL; + return 0; } - return 0; + krb5_set_error_string(context, "unable to find realm of host %s", host); + return KRB5_ERR_HOST_REALM_UNKNOWN; } /* - * Return the realm(s) of `host' as a NULL-terminated list in `realms'. + * Return the realm(s) of `host' as a NULL-terminated list in + * `realms'. Free `realms' with krb5_free_host_realm(). */ krb5_error_code KRB5_LIB_FUNCTION krb5_get_host_realm(krb5_context context, - const char *host, + const char *targethost, krb5_realm **realms) { + const char *host = targethost; char hostname[MAXHOSTNAMELEN]; - krb5_boolean use_dns; + krb5_error_code ret; + int use_dns; if (host == NULL) { - if (gethostname (hostname, sizeof(hostname))) + if (gethostname (hostname, sizeof(hostname))) { + *realms = NULL; return errno; + } host = hostname; } - if (strchr(host, '.') == NULL) { - use_dns = FALSE; - } else { - use_dns = TRUE; - } + /* + * If our local hostname is without components, don't even try to dns. + */ + + use_dns = (strchr(host, '.') != NULL); - return _krb5_get_host_realm_int (context, host, use_dns, realms); + ret = _krb5_get_host_realm_int (context, host, use_dns, realms); + if (ret && targethost != NULL) { + /* + * If there was no realm mapping for the host (and we wasn't + * looking for ourself), guess at the local realm, maybe our + * KDC knows better then we do and we get a referral back. + */ + ret = krb5_get_default_realms(context, realms); + if (ret) { + krb5_set_error_string(context, "Unable to find realm of host %s", + host); + return KRB5_ERR_HOST_REALM_UNKNOWN; + } + } + return ret; } diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c index 5c488d1ddc..ebc96f2279 100644 --- a/source4/heimdal/lib/krb5/get_in_tkt.c +++ b/source4/heimdal/lib/krb5/get_in_tkt.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: get_in_tkt.c,v 1.116 2005/06/15 02:53:20 lha Exp $"); +RCSID("$Id: get_in_tkt.c,v 1.119 2006/10/06 17:05:08 lha Exp $"); krb5_error_code KRB5_LIB_FUNCTION krb5_init_etype (krb5_context context, @@ -137,7 +137,7 @@ _krb5_extract_ticket(krb5_context context, time_t tmp_time; krb5_timestamp sec_now; - ret = _krb5_principalname2krb5_principal (context, + ret = _krb5_principalname2krb5_principal (context, &tmp_principal, rep->kdc_rep.cname, rep->kdc_rep.crealm); @@ -171,7 +171,7 @@ _krb5_extract_ticket(krb5_context context, /* compare server */ - ret = _krb5_principalname2krb5_principal (context, + ret = _krb5_principalname2krb5_principal (context, &tmp_principal, rep->kdc_rep.ticket.sname, rep->kdc_rep.ticket.realm); @@ -411,7 +411,7 @@ add_padata(krb5_context context, static krb5_error_code init_as_req (krb5_context context, - krb5_kdc_flags opts, + KDCOptions opts, krb5_creds *creds, const krb5_addresses *addrs, const krb5_enctype *etypes, @@ -429,7 +429,7 @@ init_as_req (krb5_context context, a->pvno = 5; a->msg_type = krb_as_req; - a->req_body.kdc_options = opts.b; + a->req_body.kdc_options = opts; a->req_body.cname = malloc(sizeof(*a->req_body.cname)); if (a->req_body.cname == NULL) { ret = ENOMEM; @@ -649,14 +649,14 @@ krb5_get_in_cred(krb5_context context, krb5_salt salt; krb5_keyblock *key; size_t size; - krb5_kdc_flags opts; + KDCOptions opts; PA_DATA *pa; krb5_enctype etype; krb5_preauthdata *my_preauth = NULL; unsigned nonce; int done; - opts.i = options; + opts = int2KDCOptions(options); krb5_generate_random_block (&nonce, sizeof(nonce)); nonce &= 0xffffffff; @@ -771,7 +771,7 @@ krb5_get_in_cred(krb5_context context, NULL, nonce, FALSE, - opts.b.request_anonymous, + opts.request_anonymous, decrypt_proc, decryptarg); memset (key->keyvalue.data, 0, key->keyvalue.length); @@ -801,12 +801,9 @@ krb5_get_in_tkt(krb5_context context, krb5_kdc_rep *ret_as_reply) { krb5_error_code ret; - krb5_kdc_flags opts; - opts.i = 0; - opts.b = int2KDCOptions(options); ret = krb5_get_in_cred (context, - opts.i, + options, addrs, etypes, ptypes, diff --git a/source4/heimdal/lib/krb5/heim_err.c b/source4/heimdal/lib/krb5/heim_err.c new file mode 100644 index 0000000000..f72a265ba9 --- /dev/null +++ b/source4/heimdal/lib/krb5/heim_err.c @@ -0,0 +1,162 @@ +/* Generated from heim_err.et */ +/* $Id: heim_err.et,v 1.13 2004/02/13 16:23:40 lha Exp $ */ + +#include <stddef.h> +#include <com_err.h> +#include "heim_err.h" + +static const char *heim_error_strings[] = { + /* 000 */ "Error parsing log destination", + /* 001 */ "Failed to convert v4 principal", + /* 002 */ "Salt type is not supported by enctype", + /* 003 */ "Host not found", + /* 004 */ "Operation not supported", + /* 005 */ "End of file", + /* 006 */ "Failed to get the master key", + /* 007 */ "Unacceptable service used", + /* 008 */ "Reserved heim error (8)", + /* 009 */ "Reserved heim error (9)", + /* 010 */ "Reserved heim error (10)", + /* 011 */ "Reserved heim error (11)", + /* 012 */ "Reserved heim error (12)", + /* 013 */ "Reserved heim error (13)", + /* 014 */ "Reserved heim error (14)", + /* 015 */ "Reserved heim error (15)", + /* 016 */ "Reserved heim error (16)", + /* 017 */ "Reserved heim error (17)", + /* 018 */ "Reserved heim error (18)", + /* 019 */ "Reserved heim error (19)", + /* 020 */ "Reserved heim error (20)", + /* 021 */ "Reserved heim error (21)", + /* 022 */ "Reserved heim error (22)", + /* 023 */ "Reserved heim error (23)", + /* 024 */ "Reserved heim error (24)", + /* 025 */ "Reserved heim error (25)", + /* 026 */ "Reserved heim error (26)", + /* 027 */ "Reserved heim error (27)", + /* 028 */ "Reserved heim error (28)", + /* 029 */ "Reserved heim error (29)", + /* 030 */ "Reserved heim error (30)", + /* 031 */ "Reserved heim error (31)", + /* 032 */ "Reserved heim error (32)", + /* 033 */ "Reserved heim error (33)", + /* 034 */ "Reserved heim error (34)", + /* 035 */ "Reserved heim error (35)", + /* 036 */ "Reserved heim error (36)", + /* 037 */ "Reserved heim error (37)", + /* 038 */ "Reserved heim error (38)", + /* 039 */ "Reserved heim error (39)", + /* 040 */ "Reserved heim error (40)", + /* 041 */ "Reserved heim error (41)", + /* 042 */ "Reserved heim error (42)", + /* 043 */ "Reserved heim error (43)", + /* 044 */ "Reserved heim error (44)", + /* 045 */ "Reserved heim error (45)", + /* 046 */ "Reserved heim error (46)", + /* 047 */ "Reserved heim error (47)", + /* 048 */ "Reserved heim error (48)", + /* 049 */ "Reserved heim error (49)", + /* 050 */ "Reserved heim error (50)", + /* 051 */ "Reserved heim error (51)", + /* 052 */ "Reserved heim error (52)", + /* 053 */ "Reserved heim error (53)", + /* 054 */ "Reserved heim error (54)", + /* 055 */ "Reserved heim error (55)", + /* 056 */ "Reserved heim error (56)", + /* 057 */ "Reserved heim error (57)", + /* 058 */ "Reserved heim error (58)", + /* 059 */ "Reserved heim error (59)", + /* 060 */ "Reserved heim error (60)", + /* 061 */ "Reserved heim error (61)", + /* 062 */ "Reserved heim error (62)", + /* 063 */ "Reserved heim error (63)", + /* 064 */ "Certificate missing", + /* 065 */ "Private key missing", + /* 066 */ "No valid certificate authority", + /* 067 */ "Certificate invalid", + /* 068 */ "Private key invalid", + /* 069 */ "Reserved heim error (69)", + /* 070 */ "Reserved heim error (70)", + /* 071 */ "Reserved heim error (71)", + /* 072 */ "Reserved heim error (72)", + /* 073 */ "Reserved heim error (73)", + /* 074 */ "Reserved heim error (74)", + /* 075 */ "Reserved heim error (75)", + /* 076 */ "Reserved heim error (76)", + /* 077 */ "Reserved heim error (77)", + /* 078 */ "Reserved heim error (78)", + /* 079 */ "Reserved heim error (79)", + /* 080 */ "Reserved heim error (80)", + /* 081 */ "Reserved heim error (81)", + /* 082 */ "Reserved heim error (82)", + /* 083 */ "Reserved heim error (83)", + /* 084 */ "Reserved heim error (84)", + /* 085 */ "Reserved heim error (85)", + /* 086 */ "Reserved heim error (86)", + /* 087 */ "Reserved heim error (87)", + /* 088 */ "Reserved heim error (88)", + /* 089 */ "Reserved heim error (89)", + /* 090 */ "Reserved heim error (90)", + /* 091 */ "Reserved heim error (91)", + /* 092 */ "Reserved heim error (92)", + /* 093 */ "Reserved heim error (93)", + /* 094 */ "Reserved heim error (94)", + /* 095 */ "Reserved heim error (95)", + /* 096 */ "Reserved heim error (96)", + /* 097 */ "Reserved heim error (97)", + /* 098 */ "Reserved heim error (98)", + /* 099 */ "Reserved heim error (99)", + /* 100 */ "Reserved heim error (100)", + /* 101 */ "Reserved heim error (101)", + /* 102 */ "Reserved heim error (102)", + /* 103 */ "Reserved heim error (103)", + /* 104 */ "Reserved heim error (104)", + /* 105 */ "Reserved heim error (105)", + /* 106 */ "Reserved heim error (106)", + /* 107 */ "Reserved heim error (107)", + /* 108 */ "Reserved heim error (108)", + /* 109 */ "Reserved heim error (109)", + /* 110 */ "Reserved heim error (110)", + /* 111 */ "Reserved heim error (111)", + /* 112 */ "Reserved heim error (112)", + /* 113 */ "Reserved heim error (113)", + /* 114 */ "Reserved heim error (114)", + /* 115 */ "Reserved heim error (115)", + /* 116 */ "Reserved heim error (116)", + /* 117 */ "Reserved heim error (117)", + /* 118 */ "Reserved heim error (118)", + /* 119 */ "Reserved heim error (119)", + /* 120 */ "Reserved heim error (120)", + /* 121 */ "Reserved heim error (121)", + /* 122 */ "Reserved heim error (122)", + /* 123 */ "Reserved heim error (123)", + /* 124 */ "Reserved heim error (124)", + /* 125 */ "Reserved heim error (125)", + /* 126 */ "Reserved heim error (126)", + /* 127 */ "Reserved heim error (127)", + /* 128 */ "unknown error from getaddrinfo", + /* 129 */ "address family for nodename not supported", + /* 130 */ "temporary failure in name resolution", + /* 131 */ "invalid value for ai_flags", + /* 132 */ "non-recoverable failure in name resolution", + /* 133 */ "ai_family not supported", + /* 134 */ "memory allocation failure", + /* 135 */ "no address associated with nodename", + /* 136 */ "nodename nor servname provided, or not known", + /* 137 */ "servname not supported for ai_socktype", + /* 138 */ "ai_socktype not supported", + /* 139 */ "system error returned in errno", + NULL +}; + +#define num_errors 140 + +void initialize_heim_error_table_r(struct et_list **list) +{ + initialize_error_table_r(list, heim_error_strings, num_errors, ERROR_TABLE_BASE_heim); +} + +void initialize_heim_error_table(void) +{ + init_error_table(heim_error_strings, ERROR_TABLE_BASE_heim, num_errors); +} diff --git a/source4/heimdal/lib/krb5/heim_threads.h b/source4/heimdal/lib/krb5/heim_threads.h index 41f0f83306..3ebe66beee 100755 --- a/source4/heimdal/lib/krb5/heim_threads.h +++ b/source4/heimdal/lib/krb5/heim_threads.h @@ -53,7 +53,7 @@ /* * NetBSD have a thread lib that we can use that part of libc that * works regardless if application are linked to pthreads or not. - * NetBSD newer than 2.99.11 just use pthread.h, and the same thing + * NetBSD newer then 2.99.11 just use pthread.h, and the same thing * will happen. */ #include <threadlib.h> diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c index 88de280a00..6dacb316d8 100644 --- a/source4/heimdal/lib/krb5/init_creds.c +++ b/source4/heimdal/lib/krb5/init_creds.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: init_creds.c,v 1.23 2006/04/02 01:08:30 lha Exp $"); +RCSID("$Id: init_creds.c,v 1.28 2006/09/04 14:28:54 lha Exp $"); void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) @@ -97,6 +97,39 @@ _krb5_get_init_creds_opt_copy(krb5_context context, } void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_free_krb5_error(krb5_get_init_creds_opt *opt) +{ + if (opt->opt_private == NULL || opt->opt_private->error == NULL) + return; + free_KRB_ERROR(opt->opt_private->error); + free(opt->opt_private->error); + opt->opt_private->error = NULL; +} + +void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_set_krb5_error(krb5_context context, + krb5_get_init_creds_opt *opt, + const KRB_ERROR *error) +{ + krb5_error_code ret; + + if (opt->opt_private == NULL) + return; + + _krb5_get_init_creds_opt_free_krb5_error(opt); + + opt->opt_private->error = malloc(sizeof(*opt->opt_private->error)); + if (opt->opt_private->error == NULL) + return; + ret = copy_KRB_ERROR(error, opt->opt_private->error); + if (ret) { + free(opt->opt_private->error); + opt->opt_private->error = NULL; + } +} + + +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opt) { if (opt->opt_private == NULL) @@ -104,6 +137,7 @@ krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opt) if (opt->opt_private->refcount < 1) /* abort ? */ return; if (--opt->opt_private->refcount == 0) { + _krb5_get_init_creds_opt_free_krb5_error(opt); _krb5_get_init_creds_opt_free_pkinit(opt); free(opt->opt_private); } @@ -160,8 +194,6 @@ get_config_bool (krb5_context context, * [realms] or [libdefaults] for some of the values. */ -static krb5_addresses no_addrs = {0, NULL}; - void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_default_flags(krb5_context context, const char *appname, @@ -192,9 +224,9 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, krb5_get_init_creds_opt_set_renew_life(opt, t); krb5_appdefault_boolean(context, appname, realm, "no-addresses", - KRB5_ADDRESSLESS_DEFAULT, &b); + FALSE, &b); if (b) - krb5_get_init_creds_opt_set_address_list (opt, &no_addrs); + krb5_get_init_creds_opt_set_addressless (context, opt, TRUE); #if 0 krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b); @@ -326,7 +358,52 @@ krb5_get_init_creds_opt_set_pac_request(krb5_context context, if (ret) return ret; opt->opt_private->req_pac = req_pac ? - KRB5_PA_PAC_REQ_TRUE : - KRB5_PA_PAC_REQ_FALSE; + KRB5_INIT_CREDS_TRISTATE_TRUE : + KRB5_INIT_CREDS_TRISTATE_FALSE; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_get_error(krb5_context context, + krb5_get_init_creds_opt *opt, + KRB_ERROR **error) +{ + krb5_error_code ret; + + *error = NULL; + + ret = require_ext_opt(context, opt, "init_creds_opt_get_error"); + if (ret) + return ret; + + if (opt->opt_private->error == NULL) + return 0; + + *error = malloc(sizeof(**error)); + if (*error == NULL) { + krb5_set_error_string(context, "malloc - out memory"); + return ENOMEM; + } + + ret = copy_KRB_ERROR(*error, opt->opt_private->error); + if (ret) + krb5_clear_error_string(context); + + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_addressless(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_boolean addressless) +{ + krb5_error_code ret; + ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req"); + if (ret) + return ret; + if (addressless) + opt->opt_private->addressless = KRB5_INIT_CREDS_TRISTATE_TRUE; + else + opt->opt_private->addressless = KRB5_INIT_CREDS_TRISTATE_FALSE; return 0; } diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c index c05386ec23..d43ae0ae6f 100644 --- a/source4/heimdal/lib/krb5/init_creds_pw.c +++ b/source4/heimdal/lib/krb5/init_creds_pw.c @@ -33,10 +33,10 @@ #include "krb5_locl.h" -RCSID("$Id: init_creds_pw.c,v 1.94 2006/04/24 08:49:08 lha Exp $"); +RCSID("$Id: init_creds_pw.c,v 1.101 2006/10/02 12:00:59 lha Exp $"); typedef struct krb5_get_init_creds_ctx { - krb5_kdc_flags flags; + KDCOptions flags; krb5_creds cred; krb5_addresses *addrs; krb5_enctype *etypes; @@ -52,7 +52,7 @@ typedef struct krb5_get_init_creds_ctx { const char *password; krb5_s2k_proc key_proc; - krb5_get_init_creds_req_pac req_pac; + krb5_get_init_creds_tristate req_pac; krb5_pk_init_ctx pk_init_ctx; } krb5_get_init_creds_ctx; @@ -256,9 +256,10 @@ print_expire (krb5_context context, } } +static krb5_addresses no_addrs = { 0, NULL }; + static krb5_error_code get_init_creds_common(krb5_context context, - krb5_creds *creds, krb5_principal client, krb5_deltat start_time, const char *in_tkt_service, @@ -275,6 +276,8 @@ get_init_creds_common(krb5_context context, if (options == NULL) { krb5_get_init_creds_opt_init (&default_opt); options = &default_opt; + } else { + _krb5_get_init_creds_opt_free_krb5_error(options); } if (options->opt_private) { @@ -283,13 +286,12 @@ get_init_creds_common(krb5_context context, ctx->req_pac = options->opt_private->req_pac; ctx->pk_init_ctx = options->opt_private->pk_init_ctx; } else - ctx->req_pac = KRB5_PA_PAC_DONT_CARE; + ctx->req_pac = KRB5_INIT_CREDS_TRISTATE_UNSET; if (ctx->key_proc == NULL) ctx->key_proc = default_s2k_func; ctx->pre_auth_types = NULL; - ctx->flags.i = 0; ctx->addrs = NULL; ctx->etypes = NULL; ctx->pre_auth_types = NULL; @@ -300,20 +302,35 @@ get_init_creds_common(krb5_context context, if (ret) return ret; - ctx->flags.i = 0; - if (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE) - ctx->flags.b.forwardable = options->forwardable; + ctx->flags.forwardable = options->forwardable; if (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE) - ctx->flags.b.proxiable = options->proxiable; + ctx->flags.proxiable = options->proxiable; if (start_time) - ctx->flags.b.postdated = 1; + ctx->flags.postdated = 1; if (ctx->cred.times.renew_till) - ctx->flags.b.renewable = 1; - if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST) + ctx->flags.renewable = 1; + if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST) { ctx->addrs = options->address_list; + } else if (options->opt_private) { + switch (options->opt_private->addressless) { + case KRB5_INIT_CREDS_TRISTATE_UNSET: +#if KRB5_ADDRESSLESS_DEFAULT == TRUE + ctx->addrs = &no_addrs; +#else + ctx->addrs = NULL; +#endif + break; + case KRB5_INIT_CREDS_TRISTATE_FALSE: + ctx->addrs = NULL; + break; + case KRB5_INIT_CREDS_TRISTATE_TRUE: + ctx->addrs = &no_addrs; + break; + } + } if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) { etypes = malloc((options->etype_list_length + 1) * sizeof(krb5_enctype)); @@ -341,7 +358,7 @@ get_init_creds_common(krb5_context context, if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT) ; /* XXX */ if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS) - ctx->flags.b.request_anonymous = options->anonymous; + ctx->flags.request_anonymous = options->anonymous; return 0; } @@ -478,7 +495,7 @@ krb5_get_init_creds_keytab(krb5_context context, krb5_error_code ret; krb5_keytab_key_proc_args *a; - ret = get_init_creds_common(context, creds, client, start_time, + ret = get_init_creds_common(context, client, start_time, in_tkt_service, options, &ctx); if (ret) goto out; @@ -493,7 +510,7 @@ krb5_get_init_creds_keytab(krb5_context context, a->keytab = keytab; ret = krb5_get_in_cred (context, - ctx.flags.i, + KDCOptions2int(ctx.flags), ctx.addrs, ctx.etypes, ctx.pre_auth_types, @@ -522,7 +539,7 @@ krb5_get_init_creds_keytab(krb5_context context, static krb5_error_code init_creds_init_as_req (krb5_context context, - krb5_kdc_flags opts, + KDCOptions opts, const krb5_creds *creds, const krb5_addresses *addrs, const krb5_enctype *etypes, @@ -534,7 +551,7 @@ init_creds_init_as_req (krb5_context context, a->pvno = 5; a->msg_type = krb_as_req; - a->req_body.kdc_options = opts.b; + a->req_body.kdc_options = opts; a->req_body.cname = malloc(sizeof(*a->req_body.cname)); if (a->req_body.cname == NULL) { ret = ENOMEM; @@ -1028,12 +1045,12 @@ pa_data_add_pac_request(krb5_context context, void *buf; switch (ctx->req_pac) { - case KRB5_PA_PAC_DONT_CARE: + case KRB5_INIT_CREDS_TRISTATE_UNSET: return 0; /* don't bother */ - case KRB5_PA_PAC_REQ_TRUE: + case KRB5_INIT_CREDS_TRISTATE_TRUE: req.include_pac = 1; break; - case KRB5_PA_PAC_REQ_FALSE: + case KRB5_INIT_CREDS_TRISTATE_FALSE: req.include_pac = 0; } @@ -1176,7 +1193,7 @@ process_pa_data_to_key(krb5_context context, static krb5_error_code init_cred_loop(krb5_context context, - const krb5_get_init_creds_opt *init_cred_opts, + krb5_get_init_creds_opt *init_cred_opts, const krb5_prompter_fct prompter, void *prompter_data, krb5_get_init_creds_ctx *ctx, @@ -1196,6 +1213,8 @@ init_cred_loop(krb5_context context, memset(&md, 0, sizeof(md)); memset(&rep, 0, sizeof(rep)); + _krb5_get_init_creds_opt_free_krb5_error(init_cred_opts); + if (ret_as_reply) memset(ret_as_reply, 0, sizeof(*ret_as_reply)); @@ -1211,7 +1230,7 @@ init_cred_loop(krb5_context context, ctx->pk_nonce = ctx->nonce; /* - * Increase counter when we want other pre-auth types than + * Increase counter when we want other pre-auth types then * KRB5_PA_ENC_TIMESTAMP. */ #define MAX_PA_COUNTER 3 @@ -1306,6 +1325,9 @@ init_cred_loop(krb5_context context, krb5_free_error_contents(context, &error); send_to_kdc_flags |= KRB5_KRBHST_FLAGS_LARGE_MSG; } else { + _krb5_get_init_creds_opt_set_krb5_error(context, + init_cred_opts, + &error); if (ret_as_reply) rep.error = error; else @@ -1332,7 +1354,7 @@ init_cred_loop(krb5_context context, NULL, ctx->nonce, FALSE, - ctx->flags.b.request_anonymous, + ctx->flags.request_anonymous, NULL, NULL); krb5_free_keyblock(context, key); @@ -1344,7 +1366,7 @@ out: if (ret == 0 && ret_as_reply) *ret_as_reply = rep; - else + else krb5_free_kdc_rep (context, &rep); return ret; } @@ -1367,7 +1389,7 @@ krb5_get_init_creds(krb5_context context, memset(&kdc_reply, 0, sizeof(kdc_reply)); - ret = get_init_creds_common(context, creds, client, start_time, + ret = get_init_creds_common(context, client, start_time, in_tkt_service, options, &ctx); if (ret) goto out; @@ -1391,7 +1413,7 @@ krb5_get_init_creds(krb5_context context, case KRB5KDC_ERR_KEY_EXPIRED : /* try to avoid recursion */ - /* don't try to change password where there where none */ + /* don't try to change password where then where none */ if (prompter == NULL || ctx.password == NULL) goto out; @@ -1528,13 +1550,13 @@ krb5_get_init_creds_keyblock(krb5_context context, struct krb5_get_init_creds_ctx ctx; krb5_error_code ret; - ret = get_init_creds_common(context, creds, client, start_time, + ret = get_init_creds_common(context, client, start_time, in_tkt_service, options, &ctx); if (ret) goto out; ret = krb5_get_in_cred (context, - ctx.flags.i, + KDCOptions2int(ctx.flags), ctx.addrs, ctx.etypes, ctx.pre_auth_types, diff --git a/source4/heimdal/lib/krb5/k524_err.c b/source4/heimdal/lib/krb5/k524_err.c new file mode 100644 index 0000000000..266d3ee577 --- /dev/null +++ b/source4/heimdal/lib/krb5/k524_err.c @@ -0,0 +1,30 @@ +/* Generated from k524_err.et */ +/* $Id: k524_err.et,v 1.1 2001/06/20 02:44:11 joda Exp $ */ + +#include <stddef.h> +#include <com_err.h> +#include "k524_err.h" + +static const char *k524_error_strings[] = { + /* 000 */ "wrong keytype in ticket", + /* 001 */ "incorrect network address", + /* 002 */ "cannot convert V5 principal", + /* 003 */ "V5 realm name longer than V4 maximum", + /* 004 */ "kerberos V4 error server", + /* 005 */ "encoding too large at server", + /* 006 */ "decoding out of data", + /* 007 */ "service not responding", + NULL +}; + +#define num_errors 8 + +void initialize_k524_error_table_r(struct et_list **list) +{ + initialize_error_table_r(list, k524_error_strings, num_errors, ERROR_TABLE_BASE_k524); +} + +void initialize_k524_error_table(void) +{ + init_error_table(k524_error_strings, ERROR_TABLE_BASE_k524, num_errors); +} diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h index 9ba288e22b..968b6079b7 100644 --- a/source4/heimdal/lib/krb5/krb5-private.h +++ b/source4/heimdal/lib/krb5/krb5-private.h @@ -17,7 +17,7 @@ _krb5_aes_cts_encrypt ( const unsigned char */*in*/, unsigned char */*out*/, size_t /*len*/, - const void */*aes_key*/, + const AES_KEY */*key*/, unsigned char */*ivec*/, const int /*encryptp*/); @@ -46,6 +46,12 @@ _krb5_dh_group_ok ( struct krb5_dh_moduli **/*moduli*/, char **/*name*/); +krb5_error_code KRB5_LIB_FUNCTION +_krb5_enctype_to_oid ( + krb5_context /*context*/, + krb5_enctype /*etype*/, + heim_oid */*oid*/); + krb5_error_code _krb5_expand_default_cc_name ( krb5_context /*context*/, @@ -101,8 +107,17 @@ _krb5_get_init_creds_opt_copy ( krb5_get_init_creds_opt **/*out*/); void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_free_krb5_error (krb5_get_init_creds_opt */*opt*/); + +void KRB5_LIB_FUNCTION _krb5_get_init_creds_opt_free_pkinit (krb5_get_init_creds_opt */*opt*/); +void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_set_krb5_error ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + const KRB_ERROR */*error*/); + krb5_ssize_t KRB5_LIB_FUNCTION _krb5_get_int ( void */*buffer*/, @@ -312,8 +327,8 @@ _krb5_pk_load_id ( struct krb5_pk_identity **/*ret_id*/, const char */*user_id*/, const char */*anchor_id*/, - char * const */*chain*/, - char * const */*revoke*/, + char * const */*chain_list*/, + char * const */*revoke_list*/, krb5_prompter_fct /*prompter*/, void */*prompter_data*/, char */*password*/); @@ -372,7 +387,7 @@ _krb5_principal2principalname ( krb5_error_code KRB5_LIB_FUNCTION _krb5_principalname2krb5_principal ( - krb5_context /* context */, + krb5_context /*context*/, krb5_principal */*principal*/, const PrincipalName /*from*/, const Realm /*realm*/); @@ -383,6 +398,12 @@ _krb5_put_int ( unsigned long /*value*/, size_t /*size*/); +krb5_error_code KRB5_LIB_FUNCTION +_krb5_s4u2self_to_checksumdata ( + krb5_context /*context*/, + const PA_S4U2Self */*self*/, + krb5_data */*data*/); + int _krb5_send_and_recv_tcp ( int /*fd*/, diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index 37293ff982..2010e25f5a 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -1066,13 +1066,6 @@ krb5_crypto_get_checksum_type ( krb5_cksumtype */*type*/); krb5_error_code KRB5_LIB_FUNCTION -krb5_crypto_get_params ( - krb5_context /*context*/, - const krb5_crypto /*crypto*/, - const krb5_data */*params*/, - krb5_data */*ivec*/); - -krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_getblocksize ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -1104,13 +1097,6 @@ krb5_crypto_init ( krb5_crypto */*crypto*/); krb5_error_code KRB5_LIB_FUNCTION -krb5_crypto_set_params ( - krb5_context /*context*/, - const krb5_crypto /*crypto*/, - const krb5_data */*ivec*/, - krb5_data */*params*/); - -krb5_error_code KRB5_LIB_FUNCTION krb5_data_alloc ( krb5_data */*p*/, int /*len*/); @@ -1246,6 +1232,169 @@ krb5_derive_key ( size_t /*constant_len*/, krb5_keyblock **/*derived_key*/); +krb5_error_code +krb5_digest_alloc ( + krb5_context /*context*/, + krb5_digest */*digest*/); + +void +krb5_digest_free (krb5_digest /*digest*/); + +krb5_error_code +krb5_digest_get_a1_hash ( + krb5_context /*context*/, + krb5_digest /*digest*/, + krb5_data */*data*/); + +krb5_error_code +krb5_digest_get_client_binding ( + krb5_context /*context*/, + krb5_digest /*digest*/, + char **/*type*/, + char **/*binding*/); + +const char * +krb5_digest_get_identifier ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +const char * +krb5_digest_get_opaque ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +const char * +krb5_digest_get_responseData ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +const char * +krb5_digest_get_rsp ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +const char * +krb5_digest_get_server_nonce ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +krb5_error_code +krb5_digest_get_tickets ( + krb5_context /*context*/, + krb5_digest /*digest*/, + Ticket **/*tickets*/); + +krb5_error_code +krb5_digest_init_request ( + krb5_context /*context*/, + krb5_digest /*digest*/, + krb5_realm /*realm*/, + krb5_ccache /*ccache*/); + +krb5_error_code +krb5_digest_request ( + krb5_context /*context*/, + krb5_digest /*digest*/, + krb5_realm /*realm*/, + krb5_ccache /*ccache*/); + +krb5_error_code +krb5_digest_set_authentication_user ( + krb5_context /*context*/, + krb5_digest /*digest*/, + krb5_principal /*authentication_user*/); + +krb5_error_code +krb5_digest_set_authid ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*authid*/); + +krb5_error_code +krb5_digest_set_client_nonce ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*nonce*/); + +krb5_error_code +krb5_digest_set_digest ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*dgst*/); + +krb5_error_code +krb5_digest_set_hostname ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*hostname*/); + +krb5_error_code +krb5_digest_set_identifier ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*id*/); + +krb5_error_code +krb5_digest_set_method ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*method*/); + +krb5_error_code +krb5_digest_set_nonceCount ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*nonce_count*/); + +krb5_error_code +krb5_digest_set_opaque ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*opaque*/); + +krb5_error_code +krb5_digest_set_qop ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*qop*/); + +krb5_error_code +krb5_digest_set_realm ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*realm*/); + +krb5_error_code +krb5_digest_set_server_cb ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*type*/, + const char */*binding*/); + +krb5_error_code +krb5_digest_set_server_nonce ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*nonce*/); + +krb5_error_code +krb5_digest_set_type ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*type*/); + +krb5_error_code +krb5_digest_set_uri ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*uri*/); + +krb5_error_code +krb5_digest_set_username ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*username*/); + krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_decode ( krb5_context /*context*/, @@ -1377,12 +1526,6 @@ krb5_enctype_to_keytype ( krb5_keytype */*keytype*/); krb5_error_code KRB5_LIB_FUNCTION -krb5_enctype_to_oid ( - krb5_context /*context*/, - krb5_enctype /*etype*/, - heim_oid */*oid*/); - -krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_string ( krb5_context /*context*/, krb5_enctype /*etype*/, @@ -1652,6 +1795,54 @@ krb5_get_credentials_with_flags ( krb5_creds **/*out_creds*/); krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_ccache /*ccache*/, + krb5_const_principal /*inprinc*/, + krb5_creds **/*out_creds*/); + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_add_options ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_flags /*options*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_alloc ( + krb5_context /*context*/, + krb5_get_creds_opt */*opt*/); + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_free ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/); + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_enctype ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_enctype /*enctype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_impersonate ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_const_principal /*self*/); + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_options ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_flags /*options*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_ticket ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + const Ticket */*ticket*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_config_files (char ***/*pfilenames*/); krb5_error_code KRB5_LIB_FUNCTION @@ -1674,6 +1865,9 @@ krb5_get_default_realms ( krb5_context /*context*/, krb5_realm **/*realms*/); +krb5_boolean KRB5_LIB_FUNCTION +krb5_get_dns_canonize_hostname (krb5_context /*context*/); + const char* KRB5_LIB_FUNCTION krb5_get_err_text ( krb5_context /*context*/, @@ -1710,7 +1904,7 @@ krb5_get_forwarded_creds ( krb5_error_code KRB5_LIB_FUNCTION krb5_get_host_realm ( krb5_context /*context*/, - const char */*host*/, + const char */*targethost*/, krb5_realm **/*realms*/); krb5_error_code KRB5_LIB_FUNCTION @@ -1823,6 +2017,12 @@ krb5_get_init_creds_opt_alloc ( void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_free (krb5_get_init_creds_opt */*opt*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_get_error ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + KRB_ERROR **/*error*/); + void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/); @@ -1831,6 +2031,12 @@ krb5_get_init_creds_opt_set_address_list ( krb5_get_init_creds_opt */*opt*/, krb5_addresses */*addresses*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_addressless ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_boolean /*addressless*/); + void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_anonymous ( krb5_get_init_creds_opt */*opt*/, @@ -1874,8 +2080,8 @@ krb5_get_init_creds_opt_set_pkinit ( krb5_principal /*principal*/, const char */*user_id*/, const char */*x509_anchors*/, - char * const * /*chain*/, - char * const * /*revoke*/, + char * const * /*pool*/, + char * const * /*pki_revoke*/, int /*flags*/, krb5_prompter_fct /*prompter*/, void */*prompter_data*/, @@ -1930,6 +2136,12 @@ krb5_get_kdc_cred ( krb5_creds **out_creds ); krb5_error_code KRB5_LIB_FUNCTION +krb5_get_kdc_sec_offset ( + krb5_context /*context*/, + int32_t */*sec*/, + int32_t */*usec*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb524hst ( krb5_context /*context*/, const krb5_realm */*realm*/, @@ -2035,6 +2247,9 @@ krb5_initlog ( krb5_boolean KRB5_LIB_FUNCTION krb5_is_thread_safe (void); +const krb5_enctype * KRB5_LIB_FUNCTION +krb5_kerberos_enctypes (krb5_context /*context*/); + krb5_enctype krb5_keyblock_get_enctype (const krb5_keyblock */*block*/); @@ -2412,15 +2627,10 @@ krb5_parse_name ( krb5_principal */*principal*/); krb5_error_code KRB5_LIB_FUNCTION -krb5_parse_name_mustrealm ( - krb5_context /*context*/, - const char */*name*/, - krb5_principal */*principal*/); - -krb5_error_code KRB5_LIB_FUNCTION -krb5_parse_name_norealm ( +krb5_parse_name_flags ( krb5_context /*context*/, const char */*name*/, + int /*flags*/, krb5_principal */*principal*/); const char* KRB5_LIB_FUNCTION @@ -2447,7 +2657,7 @@ krb5_prepend_config_files_default ( const char */*filelist*/, char ***/*pfilenames*/); -krb5_realm* KRB5_LIB_FUNCTION +krb5_realm * KRB5_LIB_FUNCTION krb5_princ_realm ( krb5_context /*context*/, krb5_principal /*principal*/); @@ -2793,6 +3003,11 @@ krb5_ret_string ( char **/*string*/); krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_stringnl ( + krb5_storage */*sp*/, + char **/*string*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_stringz ( krb5_storage */*sp*/, char **/*string*/); @@ -2877,6 +3092,11 @@ krb5_set_default_realm ( krb5_context /*context*/, const char */*realm*/); +void KRB5_LIB_FUNCTION +krb5_set_dns_canonicalize_hostname ( + krb5_context /*context*/, + krb5_boolean /*flag*/); + krb5_error_code KRB5_LIB_FUNCTION krb5_set_error_string ( krb5_context /*context*/, @@ -2926,10 +3146,9 @@ krb5_set_real_time ( int32_t /*usec*/); krb5_error_code KRB5_LIB_FUNCTION -krb5_set_send_recv_func ( +krb5_set_send_to_kdc_func ( krb5_context /*context*/, - krb5_send_and_recv_func_t /*func*/, - krb5_send_and_recv_close_func_t /*close_fn*/, + krb5_send_to_kdc_func /*func*/, void */*data*/); void KRB5_LIB_FUNCTION @@ -3110,6 +3329,11 @@ krb5_store_string ( const char */*s*/); krb5_error_code KRB5_LIB_FUNCTION +krb5_store_stringnl ( + krb5_storage */*sp*/, + const char */*s*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_stringz ( krb5_storage */*sp*/, const char */*s*/); @@ -3254,24 +3478,26 @@ krb5_unparse_name_fixed ( size_t /*len*/); krb5_error_code KRB5_LIB_FUNCTION -krb5_unparse_name_fixed_short ( +krb5_unparse_name_fixed_flags ( krb5_context /*context*/, krb5_const_principal /*principal*/, + int /*flags*/, char */*name*/, size_t /*len*/); krb5_error_code KRB5_LIB_FUNCTION -krb5_unparse_name_norealm ( +krb5_unparse_name_fixed_short ( krb5_context /*context*/, krb5_const_principal /*principal*/, - char **/*name*/); + char */*name*/, + size_t /*len*/); krb5_error_code KRB5_LIB_FUNCTION -krb5_unparse_name_norealm_fixed ( +krb5_unparse_name_flags ( krb5_context /*context*/, krb5_const_principal /*principal*/, - char */*name*/, - size_t /*len*/); + int /*flags*/, + char **/*name*/); krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_short ( diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 32fdd6d383..4b5058094b 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h,v 1.241 2006/05/05 09:29:36 lha Exp $ */ +/* $Id: krb5.h,v 1.253 2006/10/20 18:12:06 lha Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -72,6 +72,12 @@ typedef const void *krb5_const_pointer; struct krb5_crypto_data; typedef struct krb5_crypto_data *krb5_crypto; +struct krb5_get_creds_opt_data; +typedef struct krb5_get_creds_opt_data *krb5_get_creds_opt; + +struct krb5_digest; +typedef struct krb5_digest *krb5_digest; + typedef CKSUMTYPE krb5_cksumtype; typedef Checksum krb5_checksum; @@ -203,8 +209,16 @@ typedef enum krb5_key_usage { /* Encryption of the SAM-TRACK-ID field */ KRB5_KU_PA_SERVER_REFERRAL = 26, /* Keyusage for the server referral in a TGS req */ - KRB5_KU_SAM_ENC_NONCE_SAD = 27 + KRB5_KU_SAM_ENC_NONCE_SAD = 27, /* Encryption of the SAM-NONCE-OR-SAD field */ + KRB5_KU_TGS_IMPERSONATE = -17, + /* Checksum type used in the impersonate field */ + KRB5_KU_DIGEST_ENCRYPT = -18, + /* Encryption key usage used in the digest encryption field */ + KRB5_KU_DIGEST_OPAQUE = -19, + /* Checksum key usage used in the digest opaque field */ + KRB5_KU_KRB5SIGNEDPATH = -21 + /* Checksum key usage on KRB5SignedPath */ } krb5_key_usage; typedef krb5_key_usage krb5_keyusage; @@ -256,9 +270,7 @@ typedef enum krb5_keytype { KEYTYPE_AES128 = 17, KEYTYPE_AES256 = 18, KEYTYPE_ARCFOUR = 23, - KEYTYPE_ARCFOUR_56 = 24, - KEYTYPE_RC2 = -0x1005, - KEYTYPE_AES192 = -0x1006 + KEYTYPE_ARCFOUR_56 = 24 } krb5_keytype; typedef EncryptionKey krb5_keyblock; @@ -339,6 +351,9 @@ typedef union { #define KRB5_GC_CACHED (1U << 0) #define KRB5_GC_USER_USER (1U << 1) #define KRB5_GC_EXPIRED_OK (1U << 2) +#define KRB5_GC_NO_STORE (1U << 3) +#define KRB5_GC_FORWARDABLE (1U << 4) +#define KRB5_GC_NO_TRANSIT_CHECK (1U << 5) /* constants for compare_creds (and cc_retrieve_cred) */ #define KRB5_TC_DONT_MATCH_REALM (1U << 31) @@ -413,49 +428,6 @@ typedef struct krb5_config_binding krb5_config_binding; typedef krb5_config_binding krb5_config_section; -typedef struct krb5_context_data { - krb5_enctype *etypes; - krb5_enctype *etypes_des; - char **default_realms; - time_t max_skew; - time_t kdc_timeout; - unsigned max_retries; - int32_t kdc_sec_offset; - int32_t kdc_usec_offset; - krb5_config_section *cf; - struct et_list *et_list; - struct krb5_log_facility *warn_dest; - krb5_cc_ops *cc_ops; - int num_cc_ops; - const char *http_proxy; - const char *time_fmt; - krb5_boolean log_utc; - const char *default_keytab; - const char *default_keytab_modify; - krb5_boolean use_admin_kdc; - krb5_addresses *extra_addresses; - krb5_boolean scan_interfaces; /* `ifconfig -a' */ - krb5_boolean srv_lookup; /* do SRV lookups */ - krb5_boolean srv_try_txt; /* try TXT records also */ - int32_t fcache_vno; /* create cache files w/ this - version */ - int num_kt_types; /* # of registered keytab types */ - struct krb5_keytab_data *kt_types; /* registered keytab types */ - const char *date_fmt; - char *error_string; - char error_buf[256]; - krb5_addresses *ignore_addresses; - char *default_cc_name; - int pkinit_flags; - void *mutex; /* protects error_string/error_buf */ - int large_msg_size; - krb5_boolean fdns; /* Lookup hostnames to find full name, or send as-is */ - struct send_and_recv *send_and_recv; /* Alternate functions for KDC communication */ - void *mem_ctx; /* Some parts of Samba4 need a valid - memory context (under the event - context) to use */ -} krb5_context_data; - enum { KRB5_PKINIT_WIN2K = 1, /* wire compatible with Windows 2k */ KRB5_PKINIT_PACKET_CABLE = 2 /* use packet cable standard */ @@ -578,8 +550,8 @@ typedef struct krb5_auth_context_data { krb5_rcache rcache; - krb5_keytype keytype; /* ¿requested key type ? */ - krb5_cksumtype cksumtype; /* ¡requested checksum type! */ + krb5_keytype keytype; /* ¿requested key type ? */ + krb5_cksumtype cksumtype; /* ¡requested checksum type! */ }krb5_auth_context_data, *krb5_auth_context; @@ -609,6 +581,8 @@ typedef EncAPRepPart krb5_ap_rep_enc_part; #define KRB5_TGS_NAME_SIZE (6) #define KRB5_TGS_NAME ("krbtgt") +#define KRB5_DIGEST_NAME ("digest") + /* variables */ extern const char *krb5_config_file; @@ -618,7 +592,8 @@ typedef enum { KRB5_PROMPT_TYPE_PASSWORD = 0x1, KRB5_PROMPT_TYPE_NEW_PASSWORD = 0x2, KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN = 0x3, - KRB5_PROMPT_TYPE_PREAUTH = 0x4 + KRB5_PROMPT_TYPE_PREAUTH = 0x4, + KRB5_PROMPT_TYPE_INFO = 0x5 } krb5_prompt_type; typedef struct _krb5_prompt { @@ -754,12 +729,23 @@ enum { KRB5_KRBHST_FLAGS_LARGE_MSG = 2 }; -typedef int (*krb5_send_and_recv_func_t)(krb5_context, - void *, - krb5_krbhst_info *, - const krb5_data *, - krb5_data *); -typedef void (*krb5_send_and_recv_close_func_t)(krb5_context, void*); +typedef krb5_error_code (*krb5_send_to_kdc_func)(krb5_context, + void *, + krb5_krbhst_info *, + const krb5_data *, + krb5_data *); + +/* flags for krb5_parse_name_flags */ +enum { + KRB5_PRINCIPAL_PARSE_NO_REALM = 1, + KRB5_PRINCIPAL_PARSE_MUST_REALM = 2 +}; + +/* flags for krb5_unparse_name_flags */ +enum { + KRB5_PRINCIPAL_UNPARSE_SHORT = 1, + KRB5_PRINCIPAL_UNPARSE_NO_REALM = 2 +}; struct credentials; /* this is to keep the compiler happy */ struct getargs; diff --git a/source4/heimdal/lib/krb5/krb5_err.c b/source4/heimdal/lib/krb5/krb5_err.c new file mode 100644 index 0000000000..9185f729d5 --- /dev/null +++ b/source4/heimdal/lib/krb5/krb5_err.c @@ -0,0 +1,271 @@ +/* Generated from krb5_err.et */ +/* $Id: krb5_err.et,v 1.14 2006/02/13 11:28:22 lha Exp $ */ + +#include <stddef.h> +#include <com_err.h> +#include "krb5_err.h" + +static const char *krb5_error_strings[] = { + /* 000 */ "No error", + /* 001 */ "Client's entry in database has expired", + /* 002 */ "Server's entry in database has expired", + /* 003 */ "Requested protocol version not supported", + /* 004 */ "Client's key is encrypted in an old master key", + /* 005 */ "Server's key is encrypted in an old master key", + /* 006 */ "Client not found in Kerberos database", + /* 007 */ "Server not found in Kerberos database", + /* 008 */ "Principal has multiple entries in Kerberos database", + /* 009 */ "Client or server has a null key", + /* 010 */ "Ticket is ineligible for postdating", + /* 011 */ "Requested effective lifetime is negative or too short", + /* 012 */ "KDC policy rejects request", + /* 013 */ "KDC can't fulfill requested option", + /* 014 */ "KDC has no support for encryption type", + /* 015 */ "KDC has no support for checksum type", + /* 016 */ "KDC has no support for padata type", + /* 017 */ "KDC has no support for transited type", + /* 018 */ "Clients credentials have been revoked", + /* 019 */ "Credentials for server have been revoked", + /* 020 */ "TGT has been revoked", + /* 021 */ "Client not yet valid - try again later", + /* 022 */ "Server not yet valid - try again later", + /* 023 */ "Password has expired", + /* 024 */ "Preauthentication failed", + /* 025 */ "Additional pre-authentication required", + /* 026 */ "Requested server and ticket don't match", + /* 027 */ "Reserved krb5 error (27)", + /* 028 */ "Reserved krb5 error (28)", + /* 029 */ "Reserved krb5 error (29)", + /* 030 */ "Reserved krb5 error (30)", + /* 031 */ "Decrypt integrity check failed", + /* 032 */ "Ticket expired", + /* 033 */ "Ticket not yet valid", + /* 034 */ "Request is a replay", + /* 035 */ "The ticket isn't for us", + /* 036 */ "Ticket/authenticator don't match", + /* 037 */ "Clock skew too great", + /* 038 */ "Incorrect net address", + /* 039 */ "Protocol version mismatch", + /* 040 */ "Invalid message type", + /* 041 */ "Message stream modified", + /* 042 */ "Message out of order", + /* 043 */ "Invalid cross-realm ticket", + /* 044 */ "Key version is not available", + /* 045 */ "Service key not available", + /* 046 */ "Mutual authentication failed", + /* 047 */ "Incorrect message direction", + /* 048 */ "Alternative authentication method required", + /* 049 */ "Incorrect sequence number in message", + /* 050 */ "Inappropriate type of checksum in message", + /* 051 */ "Policy rejects transited path", + /* 052 */ "Response too big for UDP, retry with TCP", + /* 053 */ "Reserved krb5 error (53)", + /* 054 */ "Reserved krb5 error (54)", + /* 055 */ "Reserved krb5 error (55)", + /* 056 */ "Reserved krb5 error (56)", + /* 057 */ "Reserved krb5 error (57)", + /* 058 */ "Reserved krb5 error (58)", + /* 059 */ "Reserved krb5 error (59)", + /* 060 */ "Generic error (see e-text)", + /* 061 */ "Field is too long for this implementation", + /* 062 */ "Client not trusted", + /* 063 */ "KDC not trusted", + /* 064 */ "Invalid signature", + /* 065 */ "DH parameters not accepted", + /* 066 */ "Reserved krb5 error (66)", + /* 067 */ "Reserved krb5 error (67)", + /* 068 */ "Reserved krb5 error (68)", + /* 069 */ "User to user required", + /* 070 */ "Cannot verify certificate", + /* 071 */ "Certificate invalid", + /* 072 */ "Certificate revoked", + /* 073 */ "Revocation status unknown", + /* 074 */ "Revocation status unknown", + /* 075 */ "Inconsistent key purpose", + /* 076 */ "Digest in certificate not accepted", + /* 077 */ "paChecksum must be included", + /* 078 */ "Digest in signedData not accepted", + /* 079 */ "Public key encryption not supported", + /* 080 */ "Reserved krb5 error (80)", + /* 081 */ "Reserved krb5 error (81)", + /* 082 */ "Reserved krb5 error (82)", + /* 083 */ "Reserved krb5 error (83)", + /* 084 */ "Reserved krb5 error (84)", + /* 085 */ "Reserved krb5 error (85)", + /* 086 */ "Reserved krb5 error (86)", + /* 087 */ "Reserved krb5 error (87)", + /* 088 */ "Reserved krb5 error (88)", + /* 089 */ "Reserved krb5 error (89)", + /* 090 */ "Reserved krb5 error (90)", + /* 091 */ "Reserved krb5 error (91)", + /* 092 */ "Reserved krb5 error (92)", + /* 093 */ "Reserved krb5 error (93)", + /* 094 */ "Reserved krb5 error (94)", + /* 095 */ "Reserved krb5 error (95)", + /* 096 */ "Reserved krb5 error (96)", + /* 097 */ "Reserved krb5 error (97)", + /* 098 */ "Reserved krb5 error (98)", + /* 099 */ "Reserved krb5 error (99)", + /* 100 */ "Reserved krb5 error (100)", + /* 101 */ "Reserved krb5 error (101)", + /* 102 */ "Reserved krb5 error (102)", + /* 103 */ "Reserved krb5 error (103)", + /* 104 */ "Reserved krb5 error (104)", + /* 105 */ "Reserved krb5 error (105)", + /* 106 */ "Reserved krb5 error (106)", + /* 107 */ "Reserved krb5 error (107)", + /* 108 */ "Reserved krb5 error (108)", + /* 109 */ "Reserved krb5 error (109)", + /* 110 */ "Reserved krb5 error (110)", + /* 111 */ "Reserved krb5 error (111)", + /* 112 */ "Reserved krb5 error (112)", + /* 113 */ "Reserved krb5 error (113)", + /* 114 */ "Reserved krb5 error (114)", + /* 115 */ "Reserved krb5 error (115)", + /* 116 */ "Reserved krb5 error (116)", + /* 117 */ "Reserved krb5 error (117)", + /* 118 */ "Reserved krb5 error (118)", + /* 119 */ "Reserved krb5 error (119)", + /* 120 */ "Reserved krb5 error (120)", + /* 121 */ "Reserved krb5 error (121)", + /* 122 */ "Reserved krb5 error (122)", + /* 123 */ "Reserved krb5 error (123)", + /* 124 */ "Reserved krb5 error (124)", + /* 125 */ "Reserved krb5 error (125)", + /* 126 */ "Reserved krb5 error (126)", + /* 127 */ "Reserved krb5 error (127)", + /* 128 */ "$Id: krb5_err.et,v 1.14 2006/02/13 11:28:22 lha Exp $", + /* 129 */ "Invalid flag for file lock mode", + /* 130 */ "Cannot read password", + /* 131 */ "Password mismatch", + /* 132 */ "Password read interrupted", + /* 133 */ "Invalid character in component name", + /* 134 */ "Malformed representation of principal", + /* 135 */ "Can't open/find configuration file", + /* 136 */ "Improper format of configuration file", + /* 137 */ "Insufficient space to return complete information", + /* 138 */ "Invalid message type specified for encoding", + /* 139 */ "Credential cache name malformed", + /* 140 */ "Unknown credential cache type", + /* 141 */ "Matching credential not found", + /* 142 */ "End of credential cache reached", + /* 143 */ "Request did not supply a ticket", + /* 144 */ "Wrong principal in request", + /* 145 */ "Ticket has invalid flag set", + /* 146 */ "Requested principal and ticket don't match", + /* 147 */ "KDC reply did not match expectations", + /* 148 */ "Clock skew too great in KDC reply", + /* 149 */ "Client/server realm mismatch in initial ticket request", + /* 150 */ "Program lacks support for encryption type", + /* 151 */ "Program lacks support for key type", + /* 152 */ "Requested encryption type not used in message", + /* 153 */ "Program lacks support for checksum type", + /* 154 */ "Cannot find KDC for requested realm", + /* 155 */ "Kerberos service unknown", + /* 156 */ "Cannot contact any KDC for requested realm", + /* 157 */ "No local name found for principal name", + /* 158 */ "Mutual authentication failed", + /* 159 */ "Replay cache type is already registered", + /* 160 */ "No more memory to allocate (in replay cache code)", + /* 161 */ "Replay cache type is unknown", + /* 162 */ "Generic unknown RC error", + /* 163 */ "Message is a replay", + /* 164 */ "Replay I/O operation failed XXX", + /* 165 */ "Replay cache type does not support non-volatile storage", + /* 166 */ "Replay cache name parse/format error", + /* 167 */ "End-of-file on replay cache I/O", + /* 168 */ "No more memory to allocate (in replay cache I/O code)", + /* 169 */ "Permission denied in replay cache code", + /* 170 */ "I/O error in replay cache i/o code", + /* 171 */ "Generic unknown RC/IO error", + /* 172 */ "Insufficient system space to store replay information", + /* 173 */ "Can't open/find realm translation file", + /* 174 */ "Improper format of realm translation file", + /* 175 */ "Can't open/find lname translation database", + /* 176 */ "No translation available for requested principal", + /* 177 */ "Improper format of translation database entry", + /* 178 */ "Cryptosystem internal error", + /* 179 */ "Key table name malformed", + /* 180 */ "Unknown Key table type", + /* 181 */ "Key table entry not found", + /* 182 */ "End of key table reached", + /* 183 */ "Cannot write to specified key table", + /* 184 */ "Error writing to key table", + /* 185 */ "Cannot find ticket for requested realm", + /* 186 */ "DES key has bad parity", + /* 187 */ "DES key is a weak key", + /* 188 */ "Bad encryption type", + /* 189 */ "Key size is incompatible with encryption type", + /* 190 */ "Message size is incompatible with encryption type", + /* 191 */ "Credentials cache type is already registered.", + /* 192 */ "Key table type is already registered.", + /* 193 */ "Credentials cache I/O operation failed XXX", + /* 194 */ "Credentials cache file permissions incorrect", + /* 195 */ "No credentials cache file found", + /* 196 */ "Internal file credentials cache error", + /* 197 */ "Error writing to credentials cache file", + /* 198 */ "No more memory to allocate (in credentials cache code)", + /* 199 */ "Bad format in credentials cache", + /* 200 */ "No credentials found with supported encryption types", + /* 201 */ "Invalid KDC option combination (library internal error)", + /* 202 */ "Request missing second ticket", + /* 203 */ "No credentials supplied to library routine", + /* 204 */ "Bad sendauth version was sent", + /* 205 */ "Bad application version was sent (via sendauth)", + /* 206 */ "Bad response (during sendauth exchange)", + /* 207 */ "Server rejected authentication (during sendauth exchange)", + /* 208 */ "Unsupported preauthentication type", + /* 209 */ "Required preauthentication key not supplied", + /* 210 */ "Generic preauthentication failure", + /* 211 */ "Unsupported replay cache format version number", + /* 212 */ "Unsupported credentials cache format version number", + /* 213 */ "Unsupported key table format version number", + /* 214 */ "Program lacks support for address type", + /* 215 */ "Message replay detection requires rcache parameter", + /* 216 */ "Hostname cannot be canonicalized", + /* 217 */ "Cannot determine realm for host", + /* 218 */ "Conversion to service principal undefined for name type", + /* 219 */ "Initial Ticket response appears to be Version 4", + /* 220 */ "Cannot resolve KDC for requested realm", + /* 221 */ "Requesting ticket can't get forwardable tickets", + /* 222 */ "Bad principal name while trying to forward credentials", + /* 223 */ "Looping detected inside krb5_get_in_tkt", + /* 224 */ "Configuration file does not specify default realm", + /* 225 */ "Bad SAM flags in obtain_sam_padata", + /* 226 */ "Invalid encryption type in SAM challenge", + /* 227 */ "Missing checksum in SAM challenge", + /* 228 */ "Bad checksum in SAM challenge", + /* 229 */ "Reserved krb5 error (229)", + /* 230 */ "Reserved krb5 error (230)", + /* 231 */ "Reserved krb5 error (231)", + /* 232 */ "Reserved krb5 error (232)", + /* 233 */ "Reserved krb5 error (233)", + /* 234 */ "Reserved krb5 error (234)", + /* 235 */ "Reserved krb5 error (235)", + /* 236 */ "Reserved krb5 error (236)", + /* 237 */ "Reserved krb5 error (237)", + /* 238 */ "Program called an obsolete, deleted function", + /* 239 */ "Reserved krb5 error (239)", + /* 240 */ "Reserved krb5 error (240)", + /* 241 */ "Reserved krb5 error (241)", + /* 242 */ "Reserved krb5 error (242)", + /* 243 */ "Reserved krb5 error (243)", + /* 244 */ "Reserved krb5 error (244)", + /* 245 */ "Invalid key generation parameters from KDC", + /* 246 */ "Service not available", + /* 247 */ "Credential cache function not supported", + /* 248 */ "Invalid format of Kerberos lifetime or clock skew string", + NULL +}; + +#define num_errors 249 + +void initialize_krb5_error_table_r(struct et_list **list) +{ + initialize_error_table_r(list, krb5_error_strings, num_errors, ERROR_TABLE_BASE_krb5); +} + +void initialize_krb5_error_table(void) +{ + init_error_table(krb5_error_strings, ERROR_TABLE_BASE_krb5, num_errors); +} diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h index 4dcac40c7a..89b3c6ad40 100644 --- a/source4/heimdal/lib/krb5/krb5_locl.h +++ b/source4/heimdal/lib/krb5/krb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5_locl.h,v 1.87 2006/02/09 11:36:27 lha Exp $ */ +/* $Id: krb5_locl.h,v 1.93 2006/10/20 18:13:31 lha Exp $ */ #ifndef __KRB5_LOCL_H__ #define __KRB5_LOCL_H__ @@ -136,6 +136,8 @@ struct sockaddr_dl; #include <krb5_asn1.h> +struct send_to_kdc; + /* XXX glue for pkinit */ struct krb5_pk_identity; struct krb5_pk_cert; @@ -151,6 +153,9 @@ struct _krb5_krb_auth_data; #include <krb5.h> #include <krb5_err.h> #include <asn1_err.h> +#ifdef PKINIT +#include <hx509_err.h> +#endif #include <krb5-private.h> #include "heim_threads.h" @@ -171,10 +176,10 @@ struct _krb5_krb_auth_data; #define KRB5_BUFSIZ 1024 typedef enum { - KRB5_PA_PAC_DONT_CARE = 0, - KRB5_PA_PAC_REQ_TRUE, - KRB5_PA_PAC_REQ_FALSE -} krb5_get_init_creds_req_pac; + KRB5_INIT_CREDS_TRISTATE_UNSET = 0, + KRB5_INIT_CREDS_TRISTATE_TRUE, + KRB5_INIT_CREDS_TRISTATE_FALSE +} krb5_get_init_creds_tristate; struct _krb5_get_init_creds_opt_private { int refcount; @@ -182,12 +187,57 @@ struct _krb5_get_init_creds_opt_private { const char *password; krb5_s2k_proc key_proc; /* PA_PAC_REQUEST */ - krb5_get_init_creds_req_pac req_pac; + krb5_get_init_creds_tristate req_pac; /* PKINIT */ krb5_pk_init_ctx pk_init_ctx; int canonicalize; + KRB_ERROR *error; + krb5_get_init_creds_tristate addressless; }; +typedef struct krb5_context_data { + krb5_enctype *etypes; + krb5_enctype *etypes_des; + char **default_realms; + time_t max_skew; + time_t kdc_timeout; + unsigned max_retries; + int32_t kdc_sec_offset; + int32_t kdc_usec_offset; + krb5_config_section *cf; + struct et_list *et_list; + struct krb5_log_facility *warn_dest; + krb5_cc_ops *cc_ops; + int num_cc_ops; + const char *http_proxy; + const char *time_fmt; + krb5_boolean log_utc; + const char *default_keytab; + const char *default_keytab_modify; + krb5_boolean use_admin_kdc; + krb5_addresses *extra_addresses; + krb5_boolean scan_interfaces; /* `ifconfig -a' */ + krb5_boolean srv_lookup; /* do SRV lookups */ + krb5_boolean srv_try_txt; /* try TXT records also */ + int32_t fcache_vno; /* create cache files w/ this + version */ + int num_kt_types; /* # of registered keytab types */ + struct krb5_keytab_data *kt_types; /* registered keytab types */ + const char *date_fmt; + char *error_string; + char error_buf[256]; + krb5_addresses *ignore_addresses; + char *default_cc_name; + int pkinit_flags; + void *mutex; /* protects error_string/error_buf */ + int large_msg_size; + int dns_canonicalize_hostname; + struct send_to_kdc *send_to_kdc; + void *mem_ctx; /* Some parts of Samba4 need a valid + memory context (under the event + context) to use */ +} krb5_context_data; + /* * Configurable options */ @@ -201,7 +251,7 @@ struct _krb5_get_init_creds_opt_private { #endif #ifndef KRB5_ADDRESSLESS_DEFAULT -#define KRB5_ADDRESSLESS_DEFAULT FALSE +#define KRB5_ADDRESSLESS_DEFAULT TRUE #endif #endif /* __KRB5_LOCL_H__ */ diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c index 221bd706f4..e7b2579229 100644 --- a/source4/heimdal/lib/krb5/krbhst.c +++ b/source4/heimdal/lib/krb5/krbhst.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <resolve.h> -RCSID("$Id: krbhst.c,v 1.55 2006/04/02 10:32:20 lha Exp $"); +RCSID("$Id: krbhst.c,v 1.57 2006/10/06 17:11:02 lha Exp $"); static int string_to_proto(const char *string) @@ -422,6 +422,15 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, struct addrinfo hints; char portstr[NI_MAXSERV]; + /* + * Don't try forever in case the DNS server keep returning us + * entries (like wildcard entries or the .nu TLD) + */ + if(kd->fallback_count >= 5) { + kd->flags |= KD_FALLBACK; + return 0; + } + if(kd->fallback_count == 0) asprintf(&host, "%s.%s.", serv_string, kd->realm); else @@ -659,9 +668,8 @@ common_init(krb5_context context, } /* For 'realms' without a . do not even think of going to DNS */ - if (!strchr(realm, '.')) { + if (!strchr(realm, '.')) kd->flags |= KD_CONFIG_EXISTS; - } if (flags & KRB5_KRBHST_FLAGS_LARGE_MSG) kd->flags |= KD_LARGE_MSG; diff --git a/source4/heimdal/lib/krb5/misc.c b/source4/heimdal/lib/krb5/misc.c index baf63f6d52..f04f8d9996 100644 --- a/source4/heimdal/lib/krb5/misc.c +++ b/source4/heimdal/lib/krb5/misc.c @@ -33,4 +33,53 @@ #include "krb5_locl.h" -RCSID("$Id: misc.c,v 1.5 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: misc.c,v 1.6 2006/06/06 14:57:47 lha Exp $"); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_s4u2self_to_checksumdata(krb5_context context, + const PA_S4U2Self *self, + krb5_data *data) +{ + krb5_error_code ret; + krb5_ssize_t ssize; + krb5_storage *sp; + size_t size; + int i; + + sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_clear_error_string(context); + return ENOMEM; + } + ret = krb5_store_int32(sp, self->name.name_type); + if (ret) + goto out; + for (i = 0; i < self->name.name_string.len; i++) { + size = strlen(self->name.name_string.val[i]); + ssize = krb5_storage_write(sp, self->name.name_string.val[i], size); + if (ssize != size) { + ret = ENOMEM; + goto out; + } + } + size = strlen(self->realm); + ssize = krb5_storage_write(sp, self->realm, size); + if (ssize != size) { + ret = ENOMEM; + goto out; + } + size = strlen(self->auth); + ssize = krb5_storage_write(sp, self->auth, size); + if (ssize != size) { + ret = ENOMEM; + goto out; + } + + ret = krb5_storage_to_data(sp, data); + krb5_storage_free(sp); + return ret; + +out: + krb5_clear_error_string(context); + return ret; +} diff --git a/source4/heimdal/lib/krb5/mit_glue.c b/source4/heimdal/lib/krb5/mit_glue.c index b7f06c1582..b9075b3079 100755 --- a/source4/heimdal/lib/krb5/mit_glue.c +++ b/source4/heimdal/lib/krb5/mit_glue.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: mit_glue.c,v 1.7 2005/05/18 04:21:44 lha Exp $"); +RCSID("$Id: mit_glue.c,v 1.8 2006/10/14 09:51:02 lha Exp $"); /* * Glue for MIT API @@ -98,7 +98,7 @@ krb5_c_get_checksum(krb5_context context, const krb5_checksum *cksum, if (*data == NULL) return ENOMEM; - ret = copy_octet_string(&cksum->checksum, *data); + ret = der_copy_octet_string(&cksum->checksum, *data); if (ret) { free(*data); *data = NULL; @@ -113,7 +113,7 @@ krb5_c_set_checksum(krb5_context context, krb5_checksum *cksum, krb5_cksumtype type, const krb5_data *data) { cksum->cksumtype = type; - return copy_octet_string(data, &cksum->checksum); + return der_copy_octet_string(data, &cksum->checksum); } void KRB5_LIB_FUNCTION diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index 00f7b4ebd9..f519b5ad08 100755 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: pkinit.c,v 1.99 2006/05/07 12:32:38 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.110 2006/10/14 09:52:50 lha Exp $"); struct krb5_dh_moduli { char *name; @@ -69,7 +69,7 @@ struct krb5_pk_identity { hx509_certs certs; hx509_certs anchors; hx509_certs certpool; - hx509_revoke_ctx revoke; + hx509_revoke_ctx revokectx; }; struct krb5_pk_cert { @@ -344,8 +344,8 @@ build_auth_pack(krb5_context context, ALLOC(a->clientPublicValue, 1); if (a->clientPublicValue == NULL) return ENOMEM; - ret = copy_oid(oid_id_dhpublicnumber(), - &a->clientPublicValue->algorithm.algorithm); + ret = der_copy_oid(oid_id_dhpublicnumber(), + &a->clientPublicValue->algorithm.algorithm); if (ret) return ret; @@ -392,7 +392,7 @@ build_auth_pack(krb5_context context, ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length, &dh_pub_key, &size, ret); - free_heim_integer(&dh_pub_key); + der_free_heim_integer(&dh_pub_key); if (ret) return ret; if (size != dhbuf.length) @@ -413,7 +413,7 @@ _krb5_pk_mk_ContentInfo(krb5_context context, { krb5_error_code ret; - ret = copy_oid(oid, &content_info->contentType); + ret = der_copy_oid(oid, &content_info->contentType); if (ret) return ret; ALLOC(content_info->content, 1); @@ -672,8 +672,16 @@ _krb5_pk_verify_sign(krb5_context context, contentType, content, &signer_certs); - if (ret) + if (ret) { + char *s = hx509_get_error_string(id->hx509ctx, ret); + if (s) { + krb5_set_error_string(context, + "CMS verify signed failed with %s", s); + free(s); + } else + krb5_clear_error_string(context); return ret; + } *signer = calloc(1, sizeof(**signer)); if (*signer == NULL) { @@ -833,7 +841,9 @@ pk_verify_host(krb5_context context, oid_id_pkinit_san(), &list); if (ret) { - krb5_clear_error_string(context); + krb5_set_error_string(context, "Failed to find the PK-INIT " + "subjectAltName in the KDC certificate"); + return ret; } @@ -845,7 +855,9 @@ pk_verify_host(krb5_context context, &r, NULL); if (ret) { - krb5_clear_error_string(context); + krb5_set_error_string(context, "Failed to decode the PK-INIT " + "subjectAltName in the KDC certificate"); + break; } @@ -856,7 +868,7 @@ pk_verify_host(krb5_context context, { krb5_set_error_string(context, "KDC have wrong realm name in " "the certificate"); - ret = EINVAL; + ret = KRB5_KDC_ERR_INVALID_CERTIFICATE; } free_KRB5PrincipalName(&r); @@ -875,7 +887,8 @@ pk_verify_host(krb5_context context, hi->ai->ai_addr, hi->ai->ai_addrlen); if (ret) - krb5_set_error_string(context, "Address mismatch in the KDC certificate"); + krb5_set_error_string(context, "Address mismatch in " + "the KDC certificate"); } return ret; } @@ -901,7 +914,7 @@ pk_rd_pa_reply_enckey(krb5_context context, krb5_data content; heim_oid contentType = { 0, NULL }; - if (heim_oid_cmp(oid_id_pkcs7_envelopedData(), &rep->contentType)) { + if (der_heim_oid_cmp(oid_id_pkcs7_envelopedData(), &rep->contentType)) { krb5_set_error_string(context, "PKINIT: Invalid content type"); return EINVAL; } @@ -913,8 +926,10 @@ pk_rd_pa_reply_enckey(krb5_context context, ret = hx509_cms_unenvelope(ctx->id->hx509ctx, ctx->id->certs, + HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT, rep->content->data, rep->content->length, + NULL, &contentType, &content); if (ret) @@ -935,7 +950,7 @@ pk_rd_pa_reply_enckey(krb5_context context, goto out; } - if (heim_oid_cmp(&ci.contentType, oid_id_pkcs7_signedData())) { + if (der_heim_oid_cmp(&ci.contentType, oid_id_pkcs7_signedData())) { ret = EINVAL; /* XXX */ krb5_set_error_string(context, "PKINIT: Invalid content type"); goto out; @@ -964,19 +979,18 @@ pk_rd_pa_reply_enckey(krb5_context context, /* make sure that it is the kdc's certificate */ ret = pk_verify_host(context, realm, hi, ctx, host); if (ret) { - krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret); goto out; } #if 0 if (type == COMPAT_WIN2K) { - if (heim_oid_cmp(&contentType, oid_id_pkcs7_data()) != 0) { + if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) != 0) { krb5_set_error_string(context, "PKINIT: reply key, wrong oid"); ret = KRB5KRB_AP_ERR_MSG_TYPE; goto out; } } else { - if (heim_oid_cmp(&contentType, oid_id_pkrkeydata()) != 0) { + if (der_heim_oid_cmp(&contentType, oid_id_pkrkeydata()) != 0) { krb5_set_error_string(context, "PKINIT: reply key, wrong oid"); ret = KRB5KRB_AP_ERR_MSG_TYPE; goto out; @@ -1002,7 +1016,7 @@ pk_rd_pa_reply_enckey(krb5_context context, out: if (host) _krb5_pk_cert_free(host); - free_oid(&contentType); + der_free_oid(&contentType); krb5_data_free(&content); return ret; @@ -1034,7 +1048,7 @@ pk_rd_pa_reply_dh(krb5_context context, krb5_data_zero(&content); memset(&kdc_dh_info, 0, sizeof(kdc_dh_info)); - if (heim_oid_cmp(oid_id_pkcs7_signedData(), &rep->contentType)) { + if (der_heim_oid_cmp(oid_id_pkcs7_signedData(), &rep->contentType)) { krb5_set_error_string(context, "PKINIT: Invalid content type"); return EINVAL; } @@ -1059,7 +1073,7 @@ pk_rd_pa_reply_dh(krb5_context context, if (ret) goto out; - if (heim_oid_cmp(&contentType, oid_id_pkdhkeydata())) { + if (der_heim_oid_cmp(&contentType, oid_id_pkdhkeydata())) { krb5_set_error_string(context, "pkinit - dh reply contains wrong oid"); ret = KRB5KRB_AP_ERR_MSG_TYPE; goto out; @@ -1324,20 +1338,28 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter) password_data.data = prompter->reply.data; password_data.length = prompter->reply.length; - prompt.prompt = "Enter your private key passphrase: "; - prompt.hidden = 1; + + prompt.prompt = prompter->prompt; + prompt.hidden = hx509_prompt_hidden(prompter->type); prompt.reply = &password_data; - if (prompter->hidden) + + switch (prompter->type) { + case HX509_PROMPT_TYPE_INFO: + prompt.type = KRB5_PROMPT_TYPE_INFO; + break; + case HX509_PROMPT_TYPE_PASSWORD: + case HX509_PROMPT_TYPE_QUESTION: + default: prompt.type = KRB5_PROMPT_TYPE_PASSWORD; - else - prompt.type = KRB5_PROMPT_TYPE_PREAUTH; /* XXX */ + break; + } ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt); if (ret) { memset (prompter->reply.data, 0, prompter->reply.length); - return 0; + return 1; } - return strlen(prompter->reply.data); + return 0; } @@ -1354,8 +1376,8 @@ _krb5_pk_load_id(krb5_context context, struct krb5_pk_identity **ret_id, const char *user_id, const char *anchor_id, - char * const *chain, - char * const *revoke, + char * const *chain_list, + char * const *revoke_list, krb5_prompter_fct prompter, void *prompter_data, char *password) @@ -1392,7 +1414,7 @@ _krb5_pk_load_id(krb5_context context, goto out; ret = hx509_lock_init(id->hx509ctx, &lock); - if (password) + if (password && password[0]) hx509_lock_add_password(lock, password); if (prompter) { @@ -1405,7 +1427,7 @@ _krb5_pk_load_id(krb5_context context, goto out; } - ret = hx509_certs_init(id->hx509ctx, user_id, 0, NULL, &id->certs); + ret = hx509_certs_init(id->hx509ctx, user_id, 0, lock, &id->certs); if (ret) goto out; @@ -1418,33 +1440,36 @@ _krb5_pk_load_id(krb5_context context, if (ret) goto out; - while (chain && *chain) { - ret = hx509_certs_append(id->hx509ctx, id->certpool, NULL, *chain); + while (chain_list && *chain_list) { + ret = hx509_certs_append(id->hx509ctx, id->certpool, + NULL, *chain_list); if (ret) { krb5_set_error_string(context, "pkinit failed to load chain %s", - *chain); + *chain_list); goto out; } - chain++; + chain_list++; } - if (revoke) { - ret = hx509_revoke_init(id->hx509ctx, &id->revoke); + if (revoke_list) { + ret = hx509_revoke_init(id->hx509ctx, &id->revokectx); if (ret) { krb5_set_error_string(context, "revoke failed to init"); goto out; } - while (*revoke) { - ret = hx509_revoke_add_crl(id->hx509ctx, id->revoke, *revoke); + while (*revoke_list) { + ret = hx509_revoke_add_crl(id->hx509ctx, + id->revokectx, + *revoke_list); if (ret) { krb5_set_error_string(context, "pkinit failed to load revoke %s", - *revoke); + *revoke_list); goto out; } - revoke++; + revoke_list++; } } else hx509_context_set_missing_revoke(id->hx509ctx, 1); @@ -1454,7 +1479,7 @@ _krb5_pk_load_id(krb5_context context, goto out; hx509_verify_attach_anchors(id->verify_ctx, id->anchors); - hx509_verify_attach_revoke(id->verify_ctx, id->revoke); + hx509_verify_attach_revoke(id->verify_ctx, id->revokectx); out: if (ret) { @@ -1462,7 +1487,7 @@ out: hx509_certs_free(&id->certs); hx509_certs_free(&id->anchors); hx509_certs_free(&id->certpool); - hx509_revoke_free(&id->revoke); + hx509_revoke_free(&id->revokectx); hx509_context_free(&id->hx509ctx); free(id); } else @@ -1588,9 +1613,9 @@ _krb5_parse_moduli_line(krb5_context context, return 0; out: free(m1->name); - free_heim_integer(&m1->p); - free_heim_integer(&m1->g); - free_heim_integer(&m1->q); + der_free_heim_integer(&m1->p); + der_free_heim_integer(&m1->g); + der_free_heim_integer(&m1->q); free(m1); return ret; } @@ -1601,9 +1626,9 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli) int i; for (i = 0; moduli[i] != NULL; i++) { free(moduli[i]->name); - free_heim_integer(&moduli[i]->p); - free_heim_integer(&moduli[i]->g); - free_heim_integer(&moduli[i]->q); + der_free_heim_integer(&moduli[i]->p); + der_free_heim_integer(&moduli[i]->g); + der_free_heim_integer(&moduli[i]->q); free(moduli[i]); } free(moduli); @@ -1712,9 +1737,9 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits, *name = NULL; for (i = 0; moduli[i] != NULL; i++) { - if (heim_integer_cmp(&moduli[i]->g, g) == 0 && - heim_integer_cmp(&moduli[i]->p, p) == 0 && - (q == NULL || heim_integer_cmp(&moduli[i]->q, q) == 0)) + if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 && + der_heim_integer_cmp(&moduli[i]->p, p) == 0 && + (q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0)) { if (bits && bits > moduli[i]->bits) { krb5_set_error_string(context, "PKINIT: DH group parameter %s " @@ -1769,8 +1794,8 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, krb5_principal principal, const char *user_id, const char *x509_anchors, - char * const * chain, - char * const * revoke, + char * const * pool, + char * const * pki_revoke, int flags, krb5_prompter_fct prompter, void *prompter_data, @@ -1778,6 +1803,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, { #ifdef PKINIT krb5_error_code ret; + char *anchors = NULL; if (opt->opt_private == NULL) { krb5_set_error_string(context, "PKINIT: on non extendable opt"); @@ -1797,12 +1823,33 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, opt->opt_private->pk_init_ctx->require_eku = 1; opt->opt_private->pk_init_ctx->require_krbtgt_otherName = 1; + + /* XXX implement krb5_appdefault_strings */ + if (pool == NULL) + pool = krb5_config_get_strings(context, NULL, + "appdefaults", + "pkinit-pool", + NULL); + + if (pki_revoke == NULL) + pki_revoke = krb5_config_get_strings(context, NULL, + "appdefaults", + "pkinit-revoke", + NULL); + + if (x509_anchors == NULL) { + krb5_appdefault_string(context, "kinit", + krb5_principal_get_realm(context, principal), + "pkinit-anchors", NULL, &anchors); + x509_anchors = anchors; + } + ret = _krb5_pk_load_id(context, &opt->opt_private->pk_init_ctx->id, user_id, x509_anchors, - chain, - revoke, + pool, + pki_revoke, prompter, prompter_data, password); diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c index f6e3847cce..4d13e7db11 100644 --- a/source4/heimdal/lib/krb5/principal.c +++ b/source4/heimdal/lib/krb5/principal.c @@ -41,7 +41,7 @@ #include <fnmatch.h> #include "resolve.h" -RCSID("$Id: principal.c,v 1.95 2006/04/24 15:16:14 lha Exp $"); +RCSID("$Id: principal.c,v 1.99 2006/10/18 06:53:22 lha Exp $"); #define princ_num_comp(P) ((P)->name.name_string.len) #define princ_type(P) ((P)->name.name_type) @@ -91,17 +91,11 @@ krb5_principal_get_comp_string(krb5_context context, return princ_ncomp(principal, component); } -enum realm_presence { - MAY, - MUSTNOT, - MUST -}; - -static krb5_error_code -parse_name(krb5_context context, - const char *name, - enum realm_presence realm_presence, - krb5_principal *principal) +krb5_error_code KRB5_LIB_FUNCTION +krb5_parse_name_flags(krb5_context context, + const char *name, + int flags, + krb5_principal *principal) { krb5_error_code ret; heim_general_string *comp; @@ -117,6 +111,17 @@ parse_name(krb5_context context, char c; int got_realm = 0; + *principal = NULL; + +#define RFLAGS (KRB5_PRINCIPAL_PARSE_NO_REALM|KRB5_PRINCIPAL_PARSE_MUST_REALM) + + if ((flags & RFLAGS) == RFLAGS) { + krb5_set_error_string(context, "Can't require both realm and " + "no realm at the same time"); + return KRB5_ERR_NO_SERVICE; + } +#undef RFLAGS + /* count number of component */ ncomp = 1; for(p = name; *p; p++){ @@ -191,32 +196,33 @@ parse_name(krb5_context context, } *q++ = c; } - if (got_realm) { - if (realm_presence == MUSTNOT) { - krb5_set_error_string (context, "realm found in 'short' principal expected to be without one!"); + if(got_realm){ + if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) { + krb5_set_error_string (context, "realm found in 'short' principal " + "expected to be without one"); ret = KRB5_PARSE_MALFORMED; goto exit; - } else { - realm = malloc(q - start + 1); - if (realm == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - ret = ENOMEM; - goto exit; - } - memcpy(realm, start, q - start); - realm[q - start] = 0; } + realm = malloc(q - start + 1); + if (realm == NULL) { + krb5_set_error_string (context, "malloc: out of memory"); + ret = ENOMEM; + goto exit; + } + memcpy(realm, start, q - start); + realm[q - start] = 0; }else{ - if (realm_presence == MAY) { - ret = krb5_get_default_realm (context, &realm); - if (ret) - goto exit; - } else if (realm_presence == MUSTNOT) { - realm = NULL; - } else if (realm_presence == MUST) { - krb5_set_error_string (context, "realm NOT found in principal expected to be with one!"); + if (flags & KRB5_PRINCIPAL_PARSE_MUST_REALM) { + krb5_set_error_string (context, "realm NOT found in principal " + "expected to be with one"); ret = KRB5_PARSE_MALFORMED; goto exit; + } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) { + realm = NULL; + } else { + ret = krb5_get_default_realm (context, &realm); + if (ret) + goto exit; } comp[n] = malloc(q - start + 1); @@ -256,24 +262,9 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *principal) { - return parse_name(context, name, MAY, principal); + return krb5_parse_name_flags(context, name, 0, principal); } -krb5_error_code KRB5_LIB_FUNCTION -krb5_parse_name_norealm(krb5_context context, - const char *name, - krb5_principal *principal) -{ - return parse_name(context, name, MUSTNOT, principal); -} - -krb5_error_code KRB5_LIB_FUNCTION -krb5_parse_name_mustrealm(krb5_context context, - const char *name, - krb5_principal *principal) -{ - return parse_name(context, name, MUST, principal); -} static const char quotable_chars[] = " \n\t\b\\/@"; static const char replace_chars[] = " ntb\\/@"; @@ -301,23 +292,47 @@ unparse_name_fixed(krb5_context context, krb5_const_principal principal, char *name, size_t len, - krb5_boolean short_form) + int flags) { size_t idx = 0; int i; + int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0; + int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0; + + if (!no_realm && princ_realm(principal) == NULL) { + krb5_set_error_string(context, "Realm missing from principal, " + "can't unparse"); + return ERANGE; + } + for(i = 0; i < princ_num_comp(principal); i++){ if(i) add_char(name, idx, len, '/'); idx = quote_string(princ_ncomp(principal, i), name, idx, len); - if(idx == len) + if(idx == len) { + krb5_set_error_string(context, "Out of space printing principal"); return ERANGE; + } } /* add realm if different from default realm */ - if(!short_form) { + if(short_form && !no_realm) { + krb5_realm r; + krb5_error_code ret; + ret = krb5_get_default_realm(context, &r); + if(ret) + return ret; + if(strcmp(princ_realm(principal), r) != 0) + short_form = 0; + free(r); + } + if(!short_form && !no_realm) { add_char(name, idx, len, '@'); idx = quote_string(princ_realm(principal), name, idx, len); - if(idx == len) + if(idx == len) { + krb5_set_error_string(context, + "Out of space printing realm of principal"); return ERANGE; + } } return 0; } @@ -328,57 +343,48 @@ krb5_unparse_name_fixed(krb5_context context, char *name, size_t len) { - return unparse_name_fixed(context, principal, name, len, FALSE); + return unparse_name_fixed(context, principal, name, len, 0); } krb5_error_code KRB5_LIB_FUNCTION -krb5_unparse_name_norealm_fixed(krb5_context context, - krb5_const_principal principal, - char *name, - size_t len) +krb5_unparse_name_fixed_short(krb5_context context, + krb5_const_principal principal, + char *name, + size_t len) { - return unparse_name_fixed(context, principal, name, len, TRUE); + return unparse_name_fixed(context, principal, name, len, + KRB5_PRINCIPAL_UNPARSE_SHORT); } krb5_error_code KRB5_LIB_FUNCTION -krb5_unparse_name_fixed_short(krb5_context context, +krb5_unparse_name_fixed_flags(krb5_context context, krb5_const_principal principal, + int flags, char *name, size_t len) { - krb5_realm r; - krb5_error_code ret; - krb5_boolean short_form = TRUE; - ret = krb5_get_default_realm(context, &r); - if(ret) - return ret; - if(strcmp(princ_realm(principal), r) != 0) - short_form = 0; - free(r); - return unparse_name_fixed(context, principal, name, len, short_form); + return unparse_name_fixed(context, principal, name, len, flags); } static krb5_error_code unparse_name(krb5_context context, krb5_const_principal principal, char **name, - krb5_boolean short_flag) + int flags) { size_t len = 0, plen; int i; krb5_error_code ret; /* count length */ - if (!short_flag) { + if (princ_realm(principal)) { plen = strlen(princ_realm(principal)); + if(strcspn(princ_realm(principal), quotable_chars) == plen) len += plen; else len += 2*plen; - len++; - } else { - len = 0; + len++; /* '@' */ } - for(i = 0; i < princ_num_comp(principal); i++){ plen = strlen(princ_ncomp(principal, i)); if(strcspn(princ_ncomp(principal, i), quotable_chars) == plen) @@ -387,13 +393,13 @@ unparse_name(krb5_context context, len += 2*plen; len++; } - len++; + len++; /* '\0' */ *name = malloc(len); if(*name == NULL) { krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } - ret = unparse_name_fixed(context, principal, *name, len, short_flag); + ret = unparse_name_fixed(context, principal, *name, len, flags); if(ret) { free(*name); *name = NULL; @@ -406,32 +412,24 @@ krb5_unparse_name(krb5_context context, krb5_const_principal principal, char **name) { - return unparse_name(context, principal, name, FALSE); + return unparse_name(context, principal, name, 0); } krb5_error_code KRB5_LIB_FUNCTION -krb5_unparse_name_short(krb5_context context, +krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, + int flags, char **name) { - krb5_realm r; - krb5_error_code ret; - krb5_boolean short_form = TRUE; - ret = krb5_get_default_realm(context, &r); - if(ret) - return ret; - if(strcmp(princ_realm(principal), r) != 0) - short_form = 0; - free(r); - return unparse_name(context, principal, name, short_form); + return unparse_name(context, principal, name, flags); } krb5_error_code KRB5_LIB_FUNCTION -krb5_unparse_name_norealm(krb5_context context, - krb5_const_principal principal, - char **name) +krb5_unparse_name_short(krb5_context context, + krb5_const_principal principal, + char **name) { - return unparse_name(context, principal, name, TRUE); + return unparse_name(context, principal, name, KRB5_PRINCIPAL_UNPARSE_SHORT); } #if 0 /* not implemented */ @@ -447,7 +445,7 @@ krb5_unparse_name_ext(krb5_context context, #endif -krb5_realm* KRB5_LIB_FUNCTION +krb5_realm * KRB5_LIB_FUNCTION krb5_princ_realm(krb5_context context, krb5_principal principal) { @@ -455,7 +453,6 @@ krb5_princ_realm(krb5_context context, } - void KRB5_LIB_FUNCTION krb5_princ_set_realm(krb5_context context, krb5_principal principal, diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c index 01b5188bae..46a36c9aac 100644 --- a/source4/heimdal/lib/krb5/rd_cred.c +++ b/source4/heimdal/lib/krb5/rd_cred.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_cred.c,v 1.28 2006/04/02 02:27:33 lha Exp $"); +RCSID("$Id: rd_cred.c,v 1.29 2006/10/06 17:04:47 lha Exp $"); static krb5_error_code compare_addrs(krb5_context context, @@ -265,7 +265,8 @@ krb5_rd_cred(krb5_context context, krb5_abortx(context, "internal error in ASN.1 encoder"); copy_EncryptionKey (&kci->key, &creds->session); if (kci->prealm && kci->pname) - _krb5_principalname2krb5_principal (context, &creds->client, + _krb5_principalname2krb5_principal (context, + &creds->client, *kci->pname, *kci->prealm); if (kci->flags) diff --git a/source4/heimdal/lib/krb5/rd_rep.c b/source4/heimdal/lib/krb5/rd_rep.c index 53138d9f45..6b7f27c3cf 100644 --- a/source4/heimdal/lib/krb5/rd_rep.c +++ b/source4/heimdal/lib/krb5/rd_rep.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_rep.c,v 1.25 2005/06/17 07:49:33 lha Exp $"); +RCSID("$Id: rd_rep.c,v 1.26 2006/08/21 09:19:22 lha Exp $"); krb5_error_code KRB5_LIB_FUNCTION krb5_rd_rep(krb5_context context, @@ -92,7 +92,10 @@ krb5_rd_rep(krb5_context context, if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { if ((*repl)->ctime != auth_context->authenticator->ctime || - (*repl)->cusec != auth_context->authenticator->cusec) { + (*repl)->cusec != auth_context->authenticator->cusec) + { + krb5_free_ap_rep_enc_part(context, *repl); + *repl = NULL; ret = KRB5KRB_AP_ERR_MUT_FAIL; krb5_clear_error_string (context); goto out; @@ -114,6 +117,8 @@ void KRB5_LIB_FUNCTION krb5_free_ap_rep_enc_part (krb5_context context, krb5_ap_rep_enc_part *val) { - free_EncAPRepPart (val); - free (val); + if (val) { + free_EncAPRepPart (val); + free (val); + } } diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index c0bb710a59..c424a73a34 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_req.c,v 1.63 2006/04/10 10:14:44 lha Exp $"); +RCSID("$Id: rd_req.c,v 1.66 2006/10/06 17:04:29 lha Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -376,12 +376,14 @@ krb5_verify_ap_req2(krb5_context context, if(ret) goto out; - ret = _krb5_principalname2krb5_principal(context, - &t->server, ap_req->ticket.sname, + ret = _krb5_principalname2krb5_principal(context, + &t->server, + ap_req->ticket.sname, ap_req->ticket.realm); if (ret) goto out; - ret = _krb5_principalname2krb5_principal(context, - &t->client, t->ticket.cname, + ret = _krb5_principalname2krb5_principal(context, + &t->client, + t->ticket.cname, t->ticket.crealm); if (ret) goto out; @@ -402,10 +404,12 @@ krb5_verify_ap_req2(krb5_context context, krb5_principal p1, p2; krb5_boolean res; - _krb5_principalname2krb5_principal(context, &p1, + _krb5_principalname2krb5_principal(context, + &p1, ac->authenticator->cname, ac->authenticator->crealm); - _krb5_principalname2krb5_principal(context, &p2, + _krb5_principalname2krb5_principal(context, + &p2, t->ticket.cname, t->ticket.crealm); res = krb5_principal_compare (context, p1, p2); @@ -607,7 +611,8 @@ krb5_rd_req_return_keyblock(krb5_context context, return ret; if(server == NULL){ - _krb5_principalname2krb5_principal(context, &service, + _krb5_principalname2krb5_principal(context, + &service, ap_req.ticket.sname, ap_req.ticket.realm); server = service; diff --git a/source4/heimdal/lib/krb5/send_to_kdc.c b/source4/heimdal/lib/krb5/send_to_kdc.c index 0bcafa70a1..11c07c9e8f 100644 --- a/source4/heimdal/lib/krb5/send_to_kdc.c +++ b/source4/heimdal/lib/krb5/send_to_kdc.c @@ -33,32 +33,13 @@ #include "krb5_locl.h" -RCSID("$Id: send_to_kdc.c,v 1.58 2006/04/02 02:32:03 lha Exp $"); +RCSID("$Id: send_to_kdc.c,v 1.60 2006/10/20 18:42:01 lha Exp $"); -struct send_and_recv { - krb5_send_and_recv_func_t func; - krb5_send_and_recv_close_func_t close; - void *data; +struct send_to_kdc { + krb5_send_to_kdc_func func; + void *data; }; -krb5_error_code KRB5_LIB_FUNCTION -krb5_set_send_recv_func(krb5_context context, - krb5_send_and_recv_func_t func, - krb5_send_and_recv_close_func_t close_fn, - void *data) -{ - free(context->send_and_recv); - context->send_and_recv = malloc(sizeof(*context->send_and_recv)); - if (!context->send_and_recv) { - return ENOMEM; - } - context->send_and_recv->func = func; - context->send_and_recv->close = close_fn; - context->send_and_recv->data = data; - return 0; -} - - /* * send the data in `req' on the socket `fd' (which is datagram iff udp) * waiting `tmout' for a reply and returning the reply in `rep'. @@ -346,7 +327,7 @@ krb5_sendto (krb5_context context, krb5_krbhst_handle handle, krb5_data *receive) { - krb5_error_code ret = 0; + krb5_error_code ret; int fd; int i; @@ -356,27 +337,22 @@ krb5_sendto (krb5_context context, while (krb5_krbhst_next(context, handle, &hi) == 0) { struct addrinfo *ai, *a; - if (context->send_and_recv) { - ret = context->send_and_recv->func(context, - context->send_and_recv->data, - hi, send_data, receive); - if (ret) { - continue; - } else if (receive->length != 0) { - return 0; - } else { - continue; - } + if (context->send_to_kdc) { + struct send_to_kdc *s = context->send_to_kdc; + + ret = (*s->func)(context, s->data, + hi, send_data, receive); + if (ret == 0 && receive->length != 0) + goto out; + continue; } if(hi->proto == KRB5_KRBHST_HTTP && context->http_proxy) { - if (send_via_proxy (context, hi, send_data, receive)) { - /* Try again, with next host */ - continue; - } else { - /* Success */ - return 0; + if (send_via_proxy (context, hi, send_data, receive) == 0) { + ret = 0; + goto out; } + continue; } ret = krb5_krbhst_get_addrinfo(context, hi, &ai); @@ -406,15 +382,16 @@ krb5_sendto (krb5_context context, break; } close (fd); - if(ret == 0 && receive->length != 0) { - return 0; - } + if(ret == 0 && receive->length != 0) + goto out; } } krb5_krbhst_reset(context, handle); } krb5_clear_error_string (context); - return KRB5_KDC_UNREACH; + ret = KRB5_KDC_UNREACH; +out: + return ret; } krb5_error_code KRB5_LIB_FUNCTION @@ -456,3 +433,27 @@ krb5_sendto_kdc_flags(krb5_context context, "unable to reach any KDC in realm %s", *realm); return ret; } + +krb5_error_code KRB5_LIB_FUNCTION +krb5_set_send_to_kdc_func(krb5_context context, + krb5_send_to_kdc_func func, + void *data) +{ + free(context->send_to_kdc); + if (func == NULL) { + context->send_to_kdc = NULL; + return 0; + } + + context->send_to_kdc = malloc(sizeof(*context->send_to_kdc)); + if (context->send_to_kdc == NULL) { + krb5_set_error_string(context, "Out of memory"); + return ENOMEM; + } + + context->send_to_kdc->func = func; + context->send_to_kdc->data = data; + return 0; +} + + diff --git a/source4/heimdal/lib/krb5/set_default_realm.c b/source4/heimdal/lib/krb5/set_default_realm.c index fd57b6fe67..965883309c 100644 --- a/source4/heimdal/lib/krb5/set_default_realm.c +++ b/source4/heimdal/lib/krb5/set_default_realm.c @@ -77,19 +77,8 @@ krb5_set_default_realm(krb5_context context, "libdefaults", "default_realm", NULL); - if (realms == NULL) { - char hostname[MAXHOSTNAMELEN]; - if (gethostname (hostname, sizeof(hostname))) { - return errno; - } - - if (strchr(hostname, '.') == NULL) { - /* There is no way we can get this mapping, as we can't do DNS */ - return KRB5_CONFIG_NODEFREALM; - } - ret = krb5_get_host_realm(context, hostname, - &realms); - } + if (realms == NULL) + ret = krb5_get_host_realm(context, NULL, &realms); } else { ret = string_to_list (context, realm, &realms); } diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c index a6f4a011a1..e75f28ca5f 100644 --- a/source4/heimdal/lib/krb5/store.c +++ b/source4/heimdal/lib/krb5/store.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store.c,v 1.58 2006/05/05 07:15:18 lha Exp $"); +RCSID("$Id: store.c,v 1.59 2006/08/18 08:39:13 lha Exp $"); #define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V)) #define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE) @@ -440,6 +440,76 @@ krb5_ret_stringz(krb5_storage *sp, return 0; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_stringnl(krb5_storage *sp, const char *s) +{ + size_t len = strlen(s); + ssize_t ret; + + ret = sp->store(sp, s, len); + if(ret != len) { + if(ret < 0) + return ret; + else + return sp->eof_code; + } + ret = sp->store(sp, "\n", 1); + if(ret != 1) { + if(ret < 0) + return ret; + else + return sp->eof_code; + } + + return 0; + +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_stringnl(krb5_storage *sp, + char **string) +{ + int expect_nl = 0; + char c; + char *s = NULL; + size_t len = 0; + ssize_t ret; + + while((ret = sp->fetch(sp, &c, 1)) == 1){ + char *tmp; + + if (c == '\r') { + expect_nl = 1; + continue; + } + if (expect_nl && c != '\n') { + free(s); + return KRB5_BADMSGTYPE; + } + + len++; + tmp = realloc (s, len); + if (tmp == NULL) { + free (s); + return ENOMEM; + } + s = tmp; + if(c == '\n') { + s[len - 1] = '\0'; + break; + } + s[len - 1] = c; + } + if(ret != 1){ + free(s); + if(ret == 0) + return sp->eof_code; + return ret; + } + *string = s; + return 0; +} + krb5_error_code KRB5_LIB_FUNCTION krb5_store_principal(krb5_storage *sp, diff --git a/source4/heimdal/lib/krb5/store_fd.c b/source4/heimdal/lib/krb5/store_fd.c index 46043a6761..835d3478e2 100644 --- a/source4/heimdal/lib/krb5/store_fd.c +++ b/source4/heimdal/lib/krb5/store_fd.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store_fd.c,v 1.12 2004/05/25 21:43:57 lha Exp $"); +RCSID("$Id: store_fd.c,v 1.13 2006/06/30 21:23:19 lha Exp $"); typedef struct fd_storage { int fd; @@ -74,13 +74,16 @@ krb5_storage_from_fd(int fd) fd = dup(fd); if (fd < 0) return NULL; - sp = malloc(sizeof(krb5_storage)); - if (sp == NULL) + sp = malloc(sizeof(krb5_storage)); + if (sp == NULL) { + close(fd); return NULL; + } sp->data = malloc(sizeof(fd_storage)); if (sp->data == NULL) { + close(fd); free(sp); return NULL; } diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index 99cb778722..fdc2a1b3a5 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: ticket.c,v 1.14 2005/10/27 13:21:42 lha Exp $"); +RCSID("$Id: ticket.c,v 1.15 2006/10/14 09:53:19 lha Exp $"); krb5_error_code KRB5_LIB_FUNCTION krb5_free_ticket(krb5_context context, @@ -107,12 +107,16 @@ find_type_in_ad(krb5_context context, const AuthorizationData *ad, int level) { - krb5_error_code ret = ENOENT; + /* It is not an error if nothing in here, that is reported by *found */ + /* Setting a default error causes found to be set to FALSE, on + * recursion to an second embedded authz data even if the first + * element contains the required type */ + krb5_error_code ret = 0; int i; if (level > 9) { krb5_set_error_string(context, "Authorization data nested deeper " - "than %d levels, stop searching", level); + "then %d levels, stop searching", level); ret = ENOENT; /* XXX */ goto out; } @@ -124,7 +128,7 @@ find_type_in_ad(krb5_context context, */ for (i = 0; i < ad->len; i++) { if (!*found && ad->val[i].ad_type == type) { - ret = copy_octet_string(&ad->val[i].ad_data, data); + ret = der_copy_octet_string(&ad->val[i].ad_data, data); if (ret) { krb5_set_error_string(context, "malloc - out of memory"); goto out; diff --git a/source4/heimdal/lib/roken/bswap.c b/source4/heimdal/lib/roken/bswap.c index dd7ea832af..48b587d2db 100644 --- a/source4/heimdal/lib/roken/bswap.c +++ b/source4/heimdal/lib/roken/bswap.c @@ -34,7 +34,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif -#include <roken.h> +#include "roken.h" RCSID("$Id: bswap.c,v 1.4 2005/04/12 11:28:35 lha Exp $"); diff --git a/source4/heimdal/lib/roken/copyhostent.c b/source4/heimdal/lib/roken/copyhostent.c index 7d458dc1b9..d11fa16303 100644 --- a/source4/heimdal/lib/roken/copyhostent.c +++ b/source4/heimdal/lib/roken/copyhostent.c @@ -36,7 +36,7 @@ RCSID("$Id: copyhostent.c,v 1.3 2005/04/12 11:28:36 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" /* * return a malloced copy of `h' diff --git a/source4/heimdal/lib/roken/freeaddrinfo.c b/source4/heimdal/lib/roken/freeaddrinfo.c index cd2898036b..6311aa29d8 100644 --- a/source4/heimdal/lib/roken/freeaddrinfo.c +++ b/source4/heimdal/lib/roken/freeaddrinfo.c @@ -36,7 +36,7 @@ RCSID("$Id: freeaddrinfo.c,v 1.5 2005/04/12 11:28:41 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" /* * free the list of `struct addrinfo' starting at `ai' diff --git a/source4/heimdal/lib/roken/freehostent.c b/source4/heimdal/lib/roken/freehostent.c index 1ebb01361c..d837ba2503 100644 --- a/source4/heimdal/lib/roken/freehostent.c +++ b/source4/heimdal/lib/roken/freehostent.c @@ -36,7 +36,7 @@ RCSID("$Id: freehostent.c,v 1.3 2005/04/12 11:28:41 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" /* * free a malloced hostent diff --git a/source4/heimdal/lib/roken/gai_strerror.c b/source4/heimdal/lib/roken/gai_strerror.c index 102aa75ea1..52db0f8842 100644 --- a/source4/heimdal/lib/roken/gai_strerror.c +++ b/source4/heimdal/lib/roken/gai_strerror.c @@ -36,7 +36,7 @@ RCSID("$Id: gai_strerror.c,v 1.7 2005/08/05 09:31:35 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" static struct gai_error { int code; diff --git a/source4/heimdal/lib/roken/getaddrinfo.c b/source4/heimdal/lib/roken/getaddrinfo.c index 86af8b72cc..b39131de74 100644 --- a/source4/heimdal/lib/roken/getaddrinfo.c +++ b/source4/heimdal/lib/roken/getaddrinfo.c @@ -36,7 +36,7 @@ RCSID("$Id: getaddrinfo.c,v 1.14 2005/06/16 17:49:29 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" /* * uses hints->ai_socktype and hints->ai_protocol diff --git a/source4/heimdal/lib/roken/getipnodebyaddr.c b/source4/heimdal/lib/roken/getipnodebyaddr.c index 3f447d6d06..841fc46a80 100644 --- a/source4/heimdal/lib/roken/getipnodebyaddr.c +++ b/source4/heimdal/lib/roken/getipnodebyaddr.c @@ -36,7 +36,7 @@ RCSID("$Id: getipnodebyaddr.c,v 1.3 2005/04/12 11:28:47 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" /* * lookup `src, len' (address family `af') in DNS and return a pointer diff --git a/source4/heimdal/lib/roken/getipnodebyname.c b/source4/heimdal/lib/roken/getipnodebyname.c index b928efcc53..0707e4c16c 100644 --- a/source4/heimdal/lib/roken/getipnodebyname.c +++ b/source4/heimdal/lib/roken/getipnodebyname.c @@ -36,7 +36,7 @@ RCSID("$Id: getipnodebyname.c,v 1.4 2005/04/12 11:28:47 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" #ifndef HAVE_H_ERRNO static int h_errno = NO_RECOVERY; diff --git a/source4/heimdal/lib/roken/getprogname.c b/source4/heimdal/lib/roken/getprogname.c index 7eabe40093..f8f1e9d4a2 100644 --- a/source4/heimdal/lib/roken/getprogname.c +++ b/source4/heimdal/lib/roken/getprogname.c @@ -36,7 +36,7 @@ RCSID("$Id: getprogname.c,v 1.3 2005/04/12 11:28:48 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" #ifndef HAVE___PROGNAME const char *__progname; diff --git a/source4/heimdal/lib/roken/hex.c b/source4/heimdal/lib/roken/hex.c index e41b508fcb..ba0f4a4fda 100644 --- a/source4/heimdal/lib/roken/hex.c +++ b/source4/heimdal/lib/roken/hex.c @@ -35,7 +35,7 @@ #include <config.h> RCSID("$Id: hex.c,v 1.8 2006/01/09 17:09:29 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" #include <ctype.h> #include "hex.h" diff --git a/source4/heimdal/lib/roken/hostent_find_fqdn.c b/source4/heimdal/lib/roken/hostent_find_fqdn.c index 1762b11226..24f3b843d8 100644 --- a/source4/heimdal/lib/roken/hostent_find_fqdn.c +++ b/source4/heimdal/lib/roken/hostent_find_fqdn.c @@ -36,7 +36,7 @@ RCSID("$Id: hostent_find_fqdn.c,v 1.3 2005/04/12 11:28:51 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" /* * Try to find a fqdn (with `.') in he if possible, else return h_name diff --git a/source4/heimdal/lib/roken/inet_aton.c b/source4/heimdal/lib/roken/inet_aton.c index 0483a05256..b26dcb87ff 100644 --- a/source4/heimdal/lib/roken/inet_aton.c +++ b/source4/heimdal/lib/roken/inet_aton.c @@ -36,7 +36,7 @@ RCSID("$Id: inet_aton.c,v 1.14 2005/04/12 11:28:52 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" /* Minimal implementation of inet_aton. * Cannot distinguish between failure and a local broadcast address. */ diff --git a/source4/heimdal/lib/roken/issuid.c b/source4/heimdal/lib/roken/issuid.c index e6b5248164..7ccf615451 100644 --- a/source4/heimdal/lib/roken/issuid.c +++ b/source4/heimdal/lib/roken/issuid.c @@ -36,7 +36,7 @@ RCSID("$Id: issuid.c,v 1.6 2005/05/13 07:42:03 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" int ROKEN_LIB_FUNCTION issuid(void) diff --git a/source4/heimdal/lib/roken/resolve.c b/source4/heimdal/lib/roken/resolve.c index a72fb24eab..6a14547c62 100644 --- a/source4/heimdal/lib/roken/resolve.c +++ b/source4/heimdal/lib/roken/resolve.c @@ -34,7 +34,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif -#include <roken.h> +#include "roken.h" #ifdef HAVE_ARPA_NAMESER_H #include <arpa/nameser.h> #endif diff --git a/source4/heimdal/lib/roken/roken.h b/source4/heimdal/lib/roken/roken.h index 853de9b112..9d1ead97e2 100644 --- a/source4/heimdal/lib/roken/roken.h +++ b/source4/heimdal/lib/roken/roken.h @@ -1,6 +1,12 @@ +/* This is an OS dependent, generated file */ + + +#ifndef __ROKEN_H__ +#define __ROKEN_H__ + /* -*- C -*- */ /* - * Copyright (c) 1995-2005 Kungliga Tekniska Högskolan + * Copyright (c) 1995-2005 Kungliga Tekniska H * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,375 +38,122 @@ * SUCH DAMAGE. */ -/* $Id: roken.h.in,v 1.178 2005/09/28 03:04:54 lha Exp $ */ +/* $Id: roken.h.in,v 1.182 2006/10/19 16:35:16 lha Exp $ */ #include <stdio.h> #include <stdlib.h> #include <stdarg.h> -#ifdef HAVE_STDINT_H #include <stdint.h> -#endif #include <string.h> #include <signal.h> -#ifdef _AIX -struct ether_addr; -struct sockaddr_dl; -#endif -#ifdef HAVE_SYS_PARAM_H #include <sys/param.h> -#endif -#ifdef HAVE_INTTYPES_H #include <inttypes.h> -#endif -#ifdef HAVE_SYS_TYPES_H #include <sys/types.h> -#endif -#ifdef HAVE_SYS_BITYPES_H #include <sys/bitypes.h> -#endif -#ifdef HAVE_BIND_BITYPES_H -#include <bind/bitypes.h> -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include <netinet/in6_machtypes.h> -#endif -#ifdef HAVE_UNISTD_H #include <unistd.h> -#endif -#ifdef HAVE_SYS_SOCKET_H #include <sys/socket.h> -#endif -#ifdef HAVE_SYS_UIO_H #include <sys/uio.h> -#endif -#ifdef HAVE_GRP_H #include <grp.h> -#endif -#ifdef HAVE_SYS_STAT_H #include <sys/stat.h> -#endif -#ifdef HAVE_NETINET_IN_H #include <netinet/in.h> -#endif -#ifdef HAVE_NETINET_IN6_H -#include <netinet/in6.h> -#endif -#ifdef HAVE_NETINET6_IN6_H -#include <netinet6/in6.h> -#endif -#ifdef HAVE_ARPA_INET_H #include <arpa/inet.h> -#endif -#ifdef HAVE_NETDB_H #include <netdb.h> -#endif -#ifdef HAVE_ARPA_NAMESER_H #include <arpa/nameser.h> -#endif -#ifdef HAVE_RESOLV_H #include <resolv.h> -#endif -#ifdef HAVE_SYSLOG_H #include <syslog.h> -#endif -#ifdef HAVE_FCNTL_H #include <fcntl.h> -#endif -#ifdef HAVE_ERRNO_H #include <errno.h> -#endif #include <err.h> -#ifdef HAVE_TERMIOS_H #include <termios.h> -#endif -#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40 #include <sys/ioctl.h> -#endif -#ifdef TIME_WITH_SYS_TIME #include <sys/time.h> #include <time.h> -#elif defined(HAVE_SYS_TIME_H) -#include <sys/time.h> -#else -#include <time.h> -#endif -#ifdef HAVE_STRINGS_H #include <strings.h> -#endif -#ifdef HAVE_PATHS_H #include <paths.h> -#endif -#ifndef HAVE_SSIZE_T -typedef int ssize_t; -#endif #include <roken-common.h> ROKEN_CPP_START -#ifdef HAVE_UINTPTR_T #define rk_UNCONST(x) ((void *)(uintptr_t)(const void *)(x)) -#else -#define rk_UNCONST(x) ((void *)(unsigned long)(const void *)(x)) -#endif -#if !defined(HAVE_SETSID) && defined(HAVE__SETSID) -#define setsid _setsid -#endif -#ifndef HAVE_PUTENV -int ROKEN_LIB_FUNCTION putenv(const char *); -#endif -#if !defined(HAVE_SETENV) || defined(NEED_SETENV_PROTO) -int ROKEN_LIB_FUNCTION setenv(const char *, const char *, int); -#endif -#if !defined(HAVE_UNSETENV) || defined(NEED_UNSETENV_PROTO) -void ROKEN_LIB_FUNCTION unsetenv(const char *); -#endif -#if !defined(HAVE_GETUSERSHELL) || defined(NEED_GETUSERSHELL_PROTO) -char * ROKEN_LIB_FUNCTION getusershell(void); -void ROKEN_LIB_FUNCTION endusershell(void); -#endif -#if !defined(HAVE_SNPRINTF) || defined(NEED_SNPRINTF_PROTO) -int ROKEN_LIB_FUNCTION snprintf (char *, size_t, const char *, ...) - __attribute__ ((format (printf, 3, 4))); -#endif -#if !defined(HAVE_VSNPRINTF) || defined(NEED_VSNPRINTF_PROTO) -int ROKEN_LIB_FUNCTION - vsnprintf (char *, size_t, const char *, va_list) - __attribute__((format (printf, 3, 0))); -#endif -#if !defined(HAVE_ASPRINTF) || defined(NEED_ASPRINTF_PROTO) -int ROKEN_LIB_FUNCTION - asprintf (char **, const char *, ...) - __attribute__ ((format (printf, 2, 3))); -#endif -#if !defined(HAVE_VASPRINTF) || defined(NEED_VASPRINTF_PROTO) -int ROKEN_LIB_FUNCTION - vasprintf (char **, const char *, va_list) - __attribute__((format (printf, 2, 0))); -#endif -#if !defined(HAVE_ASNPRINTF) || defined(NEED_ASNPRINTF_PROTO) int ROKEN_LIB_FUNCTION asnprintf (char **, size_t, const char *, ...) __attribute__ ((format (printf, 3, 4))); -#endif -#if !defined(HAVE_VASNPRINTF) || defined(NEED_VASNPRINTF_PROTO) int ROKEN_LIB_FUNCTION vasnprintf (char **, size_t, const char *, va_list) __attribute__((format (printf, 3, 0))); -#endif -#ifndef HAVE_STRDUP -char * ROKEN_LIB_FUNCTION strdup(const char *); -#endif -#if !defined(HAVE_STRNDUP) || defined(NEED_STRNDUP_PROTO) -char * ROKEN_LIB_FUNCTION strndup(const char *, size_t); -#endif -#ifndef HAVE_STRLWR char * ROKEN_LIB_FUNCTION strlwr(char *); -#endif -#ifndef HAVE_STRNLEN -size_t ROKEN_LIB_FUNCTION strnlen(const char*, size_t); -#endif -#if !defined(HAVE_STRSEP) || defined(NEED_STRSEP_PROTO) -char * ROKEN_LIB_FUNCTION strsep(char**, const char*); -#endif -#if !defined(HAVE_STRSEP_COPY) || defined(NEED_STRSEP_COPY_PROTO) ssize_t ROKEN_LIB_FUNCTION strsep_copy(const char**, const char*, char*, size_t); -#endif -#ifndef HAVE_STRCASECMP -int ROKEN_LIB_FUNCTION strcasecmp(const char *, const char *); -#endif -#ifdef NEED_FCLOSE_PROTO -int ROKEN_LIB_FUNCTION fclose(FILE *); -#endif -#ifdef NEED_STRTOK_R_PROTO -char * ROKEN_LIB_FUNCTION strtok_r(char *, const char *, char **); -#endif -#ifndef HAVE_STRUPR char * ROKEN_LIB_FUNCTION strupr(char *); -#endif -#ifndef HAVE_STRLCPY size_t ROKEN_LIB_FUNCTION strlcpy (char *, const char *, size_t); -#endif -#ifndef HAVE_STRLCAT size_t ROKEN_LIB_FUNCTION strlcat (char *, const char *, size_t); -#endif -#ifndef HAVE_GETDTABLESIZE -int ROKEN_LIB_FUNCTION getdtablesize(void); -#endif -#if !defined(HAVE_STRERROR) && !defined(strerror) -char * ROKEN_LIB_FUNCTION strerror(int); -#endif -#if !defined(HAVE_HSTRERROR) || defined(NEED_HSTRERROR_PROTO) -/* This causes a fatal error under Psoriasis */ -#if !(defined(SunOS) && (SunOS >= 50)) -const char * ROKEN_LIB_FUNCTION hstrerror(int); -#endif -#endif -#if !HAVE_DECL_H_ERRNO -extern int h_errno; -#endif -#if !defined(HAVE_INET_ATON) || defined(NEED_INET_ATON_PROTO) -int ROKEN_LIB_FUNCTION inet_aton(const char *, struct in_addr *); -#endif -#ifndef HAVE_INET_NTOP -const char * ROKEN_LIB_FUNCTION -inet_ntop(int af, const void *src, char *dst, size_t size); -#endif -#ifndef HAVE_INET_PTON -int ROKEN_LIB_FUNCTION -inet_pton(int, const char *, void *); -#endif -#if !defined(HAVE_GETCWD) -char* ROKEN_LIB_FUNCTION getcwd(char *, size_t); -#endif -#ifdef HAVE_PWD_H #include <pwd.h> struct passwd * ROKEN_LIB_FUNCTION k_getpwnam (const char *); struct passwd * ROKEN_LIB_FUNCTION k_getpwuid (uid_t); -#endif const char * ROKEN_LIB_FUNCTION get_default_username (void); -#ifndef HAVE_SETEUID -int ROKEN_LIB_FUNCTION seteuid(uid_t); -#endif -#ifndef HAVE_SETEGID -int ROKEN_LIB_FUNCTION setegid(gid_t); -#endif -#ifndef HAVE_LSTAT -int ROKEN_LIB_FUNCTION lstat(const char *, struct stat *); -#endif -#if !defined(HAVE_MKSTEMP) || defined(NEED_MKSTEMP_PROTO) int ROKEN_LIB_FUNCTION mkstemp(char *); -#endif -#ifndef HAVE_CGETENT int ROKEN_LIB_FUNCTION cgetent(char **, char **, const char *); int ROKEN_LIB_FUNCTION cgetstr(char *, const char *, char **); -#endif -#ifndef HAVE_INITGROUPS -int ROKEN_LIB_FUNCTION initgroups(const char *, gid_t); -#endif -#ifndef HAVE_FCHOWN -int ROKEN_LIB_FUNCTION fchown(int, uid_t, gid_t); -#endif -#if !defined(HAVE_DAEMON) || defined(NEED_DAEMON_PROTO) -int ROKEN_LIB_FUNCTION daemon(int, int); -#endif -#ifndef HAVE_INNETGR -int ROKEN_LIB_FUNCTION innetgr(const char *, const char *, - const char *, const char *); -#endif -#ifndef HAVE_CHOWN -int ROKEN_LIB_FUNCTION chown(const char *, uid_t, gid_t); -#endif -#ifndef HAVE_RCMD -int ROKEN_LIB_FUNCTION - rcmd(char **, unsigned short, const char *, - const char *, const char *, int *); -#endif - -#if !defined(HAVE_INNETGR) || defined(NEED_INNETGR_PROTO) -int ROKEN_LIB_FUNCTION innetgr(const char*, const char*, - const char*, const char*); -#endif - -#ifndef HAVE_IRUSEROK -int ROKEN_LIB_FUNCTION iruserok(unsigned, int, - const char *, const char *); -#endif - -#if !defined(HAVE_GETHOSTNAME) || defined(NEED_GETHOSTNAME_PROTO) -int ROKEN_LIB_FUNCTION gethostname(char *, int); -#endif - -#ifndef HAVE_WRITEV -ssize_t ROKEN_LIB_FUNCTION -writev(int, const struct iovec *, int); -#endif - -#ifndef HAVE_READV -ssize_t ROKEN_LIB_FUNCTION -readv(int, const struct iovec *, int); -#endif - -#ifndef HAVE_MKSTEMP -int ROKEN_LIB_FUNCTION -mkstemp(char *); -#endif -#ifndef HAVE_PIDFILE + + + + + + void ROKEN_LIB_FUNCTION pidfile (const char*); -#endif -#ifndef HAVE_BSWAP32 unsigned int ROKEN_LIB_FUNCTION bswap32(unsigned int); -#endif -#ifndef HAVE_BSWAP16 unsigned short ROKEN_LIB_FUNCTION bswap16(unsigned short); -#endif - -#ifndef HAVE_FLOCK -#ifndef LOCK_SH -#define LOCK_SH 1 /* Shared lock */ -#endif -#ifndef LOCK_EX -#define LOCK_EX 2 /* Exclusive lock */ -#endif -#ifndef LOCK_NB -#define LOCK_NB 4 /* Don't block when locking */ -#endif -#ifndef LOCK_UN -#define LOCK_UN 8 /* Unlock */ -#endif - -int flock(int fd, int operation); -#endif /* HAVE_FLOCK */ + time_t ROKEN_LIB_FUNCTION tm2time (struct tm, int); @@ -421,140 +174,30 @@ ssize_t ROKEN_LIB_FUNCTION net_read (int, void *, size_t); int ROKEN_LIB_FUNCTION issuid(void); -#ifndef HAVE_STRUCT_WINSIZE -struct winsize { - unsigned short ws_row, ws_col; - unsigned short ws_xpixel, ws_ypixel; -}; -#endif int ROKEN_LIB_FUNCTION get_window_size(int fd, struct winsize *); -#ifndef HAVE_VSYSLOG -void ROKEN_LIB_FUNCTION vsyslog(int, const char *, va_list); -#endif - -#if !HAVE_DECL_OPTARG -extern char *optarg; -#endif -#if !HAVE_DECL_OPTIND -extern int optind; -#endif -#if !HAVE_DECL_OPTERR -extern int opterr; -#endif - -#if !HAVE_DECL_ENVIRON -extern char **environ; -#endif - -#ifndef HAVE_GETIPNODEBYNAME + + + struct hostent * ROKEN_LIB_FUNCTION getipnodebyname (const char *, int, int, int *); -#endif -#ifndef HAVE_GETIPNODEBYADDR struct hostent * ROKEN_LIB_FUNCTION getipnodebyaddr (const void *, size_t, int, int *); -#endif -#ifndef HAVE_FREEHOSTENT void ROKEN_LIB_FUNCTION freehostent (struct hostent *); -#endif -#ifndef HAVE_COPYHOSTENT struct hostent * ROKEN_LIB_FUNCTION copyhostent (const struct hostent *); -#endif -#ifndef HAVE_SOCKLEN_T -typedef int socklen_t; -#endif -#ifndef HAVE_STRUCT_SOCKADDR_STORAGE -#ifndef HAVE_SA_FAMILY_T -typedef unsigned short sa_family_t; -#endif -#ifdef HAVE_IPV6 -#define _SS_MAXSIZE sizeof(struct sockaddr_in6) -#else -#define _SS_MAXSIZE sizeof(struct sockaddr_in) -#endif -#define _SS_ALIGNSIZE sizeof(unsigned long) -#if HAVE_STRUCT_SOCKADDR_SA_LEN -typedef unsigned char roken_sa_family_t; - -#define _SS_PAD1SIZE ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t) - sizeof(unsigned char)) % _SS_ALIGNSIZE) -#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + sizeof(unsigned char) + _SS_PAD1SIZE + _SS_ALIGNSIZE)) - -struct sockaddr_storage { - unsigned char ss_len; - roken_sa_family_t ss_family; - char __ss_pad1[_SS_PAD1SIZE]; - unsigned long __ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1]; -}; - -#else /* !HAVE_STRUCT_SOCKADDR_SA_LEN */ - -typedef unsigned short roken_sa_family_t; - -#define _SS_PAD1SIZE ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t)) % _SS_ALIGNSIZE) -#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + _SS_PAD1SIZE + _SS_ALIGNSIZE)) - -struct sockaddr_storage { - roken_sa_family_t ss_family; - char __ss_pad1[_SS_PAD1SIZE]; - unsigned long __ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1]; -}; - -#endif /* HAVE_STRUCT_SOCKADDR_SA_LEN */ - -#endif /* HAVE_STRUCT_SOCKADDR_STORAGE */ - -#ifndef HAVE_STRUCT_ADDRINFO -struct addrinfo { - int ai_flags; - int ai_family; - int ai_socktype; - int ai_protocol; - size_t ai_addrlen; - char *ai_canonname; - struct sockaddr *ai_addr; - struct addrinfo *ai_next; -}; -#endif - -#ifndef HAVE_GETADDRINFO -int ROKEN_LIB_FUNCTION -getaddrinfo(const char *, - const char *, - const struct addrinfo *, - struct addrinfo **); -#endif - -#ifndef HAVE_GETNAMEINFO -int ROKEN_LIB_FUNCTION -getnameinfo(const struct sockaddr *, socklen_t, - char *, size_t, - char *, size_t, - int); -#endif - -#ifndef HAVE_FREEADDRINFO -void ROKEN_LIB_FUNCTION -freeaddrinfo(struct addrinfo *); -#endif - -#ifndef HAVE_GAI_STRERROR -const char * ROKEN_LIB_FUNCTION -gai_strerror(int); -#endif int ROKEN_LIB_FUNCTION getnameinfo_verified(const struct sockaddr *, socklen_t, @@ -567,130 +210,68 @@ roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); int ROKEN_LIB_FUNCTION roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **); -#ifndef HAVE_STRFTIME -size_t ROKEN_LIB_FUNCTION -strftime (char *, size_t, const char *, const struct tm *); -#endif -#ifndef HAVE_STRPTIME -char * ROKEN_LIB_FUNCTION -strptime (const char *, const char *, struct tm *); -#endif -#ifndef HAVE_EMALLOC void * ROKEN_LIB_FUNCTION emalloc (size_t); -#endif -#ifndef HAVE_ECALLOC void * ROKEN_LIB_FUNCTION ecalloc(size_t, size_t); -#endif -#ifndef HAVE_EREALLOC void * ROKEN_LIB_FUNCTION erealloc (void *, size_t); -#endif -#ifndef HAVE_ESTRDUP char * ROKEN_LIB_FUNCTION estrdup (const char *); -#endif /* * kludges and such */ -#if 1 int ROKEN_LIB_FUNCTION roken_gethostby_setup(const char*, const char*); struct hostent* ROKEN_LIB_FUNCTION roken_gethostbyname(const char*); struct hostent* ROKEN_LIB_FUNCTION roken_gethostbyaddr(const void*, size_t, int); -#else -#ifdef GETHOSTBYNAME_PROTO_COMPATIBLE -#define roken_gethostbyname(x) gethostbyname(x) -#else -#define roken_gethostbyname(x) gethostbyname((char *)x) -#endif - -#ifdef GETHOSTBYADDR_PROTO_COMPATIBLE -#define roken_gethostbyaddr(a, l, t) gethostbyaddr(a, l, t) -#else -#define roken_gethostbyaddr(a, l, t) gethostbyaddr((char *)a, l, t) -#endif -#endif - -#ifdef GETSERVBYNAME_PROTO_COMPATIBLE + #define roken_getservbyname(x,y) getservbyname(x,y) -#else -#define roken_getservbyname(x,y) getservbyname((char *)x, (char *)y) -#endif -#ifdef OPENLOG_PROTO_COMPATIBLE #define roken_openlog(a,b,c) openlog(a,b,c) -#else -#define roken_openlog(a,b,c) openlog((char *)a,b,c) -#endif -#ifdef GETSOCKNAME_PROTO_COMPATIBLE #define roken_getsockname(a,b,c) getsockname(a,b,c) -#else -#define roken_getsockname(a,b,c) getsockname(a, b, (void*)c) -#endif -#ifndef HAVE_SETPROGNAME void ROKEN_LIB_FUNCTION setprogname(const char *); -#endif -#ifndef HAVE_GETPROGNAME const char * ROKEN_LIB_FUNCTION getprogname(void); -#endif -#if !defined(HAVE_SETPROGNAME) && !defined(HAVE_GETPROGNAME) && !HAVE_DECL___PROGNAME extern const char *__progname; -#endif void ROKEN_LIB_FUNCTION mini_inetd_addrinfo (struct addrinfo*); void ROKEN_LIB_FUNCTION mini_inetd (int); -#ifndef HAVE_LOCALTIME_R -struct tm * ROKEN_LIB_FUNCTION -localtime_r(const time_t *, struct tm *); -#endif -#if !defined(HAVE_STRSVIS) || defined(NEED_STRSVIS_PROTO) int ROKEN_LIB_FUNCTION strsvis(char *, const char *, int, const char *); -#endif -#if !defined(HAVE_STRUNVIS) || defined(NEED_STRUNVIS_PROTO) int ROKEN_LIB_FUNCTION strunvis(char *, const char *); -#endif -#if !defined(HAVE_STRVIS) || defined(NEED_STRVIS_PROTO) int ROKEN_LIB_FUNCTION strvis(char *, const char *, int); -#endif -#if !defined(HAVE_STRVISX) || defined(NEED_STRVISX_PROTO) int ROKEN_LIB_FUNCTION strvisx(char *, const char *, size_t, int); -#endif -#if !defined(HAVE_SVIS) || defined(NEED_SVIS_PROTO) char * ROKEN_LIB_FUNCTION svis(char *, int, int, int, const char *); -#endif -#if !defined(HAVE_UNVIS) || defined(NEED_UNVIS_PROTO) int ROKEN_LIB_FUNCTION unvis(char *, int, int *, int); -#endif -#if !defined(HAVE_VIS) || defined(NEED_VIS_PROTO) char * ROKEN_LIB_FUNCTION vis(char *, int, int, int); -#endif -#if !defined(HAVE_CLOSEFROM) int ROKEN_LIB_FUNCTION closefrom(int); -#endif + + +#include <socket_wrapper.h> ROKEN_CPP_END +#define ROKEN_VERSION 0.8pre-samba + +#endif /* __ROKEN_H__ */ diff --git a/source4/heimdal/lib/roken/setprogname.c b/source4/heimdal/lib/roken/setprogname.c index c13e8d4ee1..315fa52e50 100644 --- a/source4/heimdal/lib/roken/setprogname.c +++ b/source4/heimdal/lib/roken/setprogname.c @@ -36,7 +36,7 @@ RCSID("$Id: setprogname.c,v 1.4 2005/08/23 10:19:20 lha Exp $"); #endif -#include <roken.h> +#include "roken.h" #ifndef HAVE___PROGNAME extern const char *__progname; diff --git a/source4/heimdal/lib/roken/signal.c b/source4/heimdal/lib/roken/signal.c index 7076847fb3..d92742d9fb 100644 --- a/source4/heimdal/lib/roken/signal.c +++ b/source4/heimdal/lib/roken/signal.c @@ -37,7 +37,7 @@ RCSID("$Id: signal.c,v 1.13 2005/04/12 11:29:05 lha Exp $"); #endif #include <signal.h> -#include <roken.h> +#include "roken.h" /* * We would like to always use this signal but there is a link error diff --git a/source4/heimdal/lib/roken/strsep.c b/source4/heimdal/lib/roken/strsep.c index f08c33b7a5..e34c10fe26 100644 --- a/source4/heimdal/lib/roken/strsep.c +++ b/source4/heimdal/lib/roken/strsep.c @@ -38,7 +38,7 @@ RCSID("$Id: strsep.c,v 1.4 2005/04/12 11:29:10 lha Exp $"); #include <string.h> -#include <roken.h> +#include "roken.h" #ifndef HAVE_STRSEP diff --git a/source4/heimdal/lib/roken/strsep_copy.c b/source4/heimdal/lib/roken/strsep_copy.c index 34759fe15c..5149838547 100644 --- a/source4/heimdal/lib/roken/strsep_copy.c +++ b/source4/heimdal/lib/roken/strsep_copy.c @@ -38,7 +38,7 @@ RCSID("$Id: strsep_copy.c,v 1.5 2005/04/12 11:29:11 lha Exp $"); #include <string.h> -#include <roken.h> +#include "roken.h" #ifndef HAVE_STRSEP_COPY diff --git a/source4/heimdal_build/asn1_deps.pl b/source4/heimdal_build/asn1_deps.pl index 9c4a65976b..74a77d041b 100755 --- a/source4/heimdal_build/asn1_deps.pl +++ b/source4/heimdal_build/asn1_deps.pl @@ -7,7 +7,7 @@ use File::Basename; my $file = shift; my $prefix = shift; -my $options = shift; +my $options = join(' ', @ARGV); my $x_file; my @x_files = (); my $c_file; @@ -24,7 +24,7 @@ my $header = "$dirname/$prefix.h"; print "$header: $file bin/asn1_compile\n"; print "\t\@echo \"Compiling ASN1 file $file\"\n"; -print "\t\@cd $dirname && ../../../bin/asn1_compile $options $basename $prefix\n\n"; +print "\t\@startdir=`pwd` && cd $dirname && " . ' $$startdir/bin/asn1_compile ' . "$options $basename $prefix\n\n"; open(IN,$file) or die("Can't open $file: $!"); foreach(<IN>) { diff --git a/source4/heimdal_build/config.mk b/source4/heimdal_build/config.mk index e955c28fa6..cd476765b3 100644 --- a/source4/heimdal_build/config.mk +++ b/source4/heimdal_build/config.mk @@ -5,14 +5,26 @@ CFLAGS = -Iheimdal_build -Iheimdal/kdc OBJ_FILES = \ ../heimdal/kdc/default_config.o \ ../heimdal/kdc/kerberos5.o \ + ../heimdal/kdc/krb5tgs.o \ ../heimdal/kdc/pkinit.o \ ../heimdal/kdc/log.o \ ../heimdal/kdc/misc.o \ ../heimdal/kdc/524.o \ ../heimdal/kdc/kerberos4.o \ ../heimdal/kdc/kaserver.o \ - ../heimdal/kdc/process.o -PRIVATE_DEPENDENCIES = HEIMDAL_ROKEN HEIMDAL_KRB5 HEIMDAL_HDB + ../heimdal/kdc/digest.o \ + ../heimdal/kdc/process.o \ + ../heimdal/lib/asn1/asn1_DigestREQ.o \ + ../heimdal/lib/asn1/asn1_DigestRequest.o \ + ../heimdal/lib/asn1/asn1_DigestInit.o \ + ../heimdal/lib/asn1/asn1_DigestReqInner.o \ + ../heimdal/lib/asn1/asn1_DigestREP.o \ + ../heimdal/lib/asn1/asn1_DigestRepInner.o \ + ../heimdal/lib/asn1/asn1_DigestResponse.o \ + ../heimdal/lib/asn1/asn1_DigestInitReply.o \ + ../heimdal/lib/asn1/asn1_DigestError.o \ + ../heimdal/lib/asn1/asn1_KRB5SignedPath.o +PRIVATE_DEPENDENCIES = HEIMDAL_ROKEN HEIMDAL_KRB5 HEIMDAL_HDB HEIMDAL_ASN1 HEIMDAL_DES # End SUBSYSTEM HEIMDAL_KDC ####################### @@ -42,61 +54,136 @@ OBJ_FILES = \ ../heimdal/lib/hdb/asn1_HDB_Ext_Constrained_delegation_acl.o \ ../heimdal/lib/hdb/asn1_HDB_Ext_Lan_Manager_OWF.o \ ../heimdal/lib/hdb/asn1_HDB_Ext_PKINIT_acl.o \ - ../heimdal/lib/hdb/asn1_HDB_Ext_PKINIT_certificate.o \ + ../heimdal/lib/hdb/asn1_HDB_Ext_PKINIT_hash.o \ ../heimdal/lib/hdb/asn1_HDB_Ext_Password.o \ ../heimdal/lib/hdb/asn1_HDB_extension.o \ ../heimdal/lib/hdb/asn1_HDB_extensions.o \ ../heimdal/lib/hdb/asn1_hdb_entry.o \ ../heimdal/lib/hdb/hdb_err.o -PUBLIC_DEPENDENCIES = HDB_LDB HEIMDAL_HDB_KEYS HEIMDAL_ROKEN +PRIVATE_DEPENDENCIES = HDB_LDB HEIMDAL_HDB_KEYS HEIMDAL_ROKEN # End SUBSYSTEM HEIMDAL_HDB ####################### ####################### # Start SUBSYSTEM HEIMDAL_GSSAPI [SUBSYSTEM::HEIMDAL_GSSAPI] -CFLAGS = -Iheimdal_build -Iheimdal/lib/gssapi +CFLAGS = -Iheimdal_build -Iheimdal/lib/gssapi/spnego -Iheimdal/lib/gssapi -Iheimdal/lib/gssapi/krb5 -I heimdal/lib/gssapi/mech OBJ_FILES = \ - ../heimdal/lib/gssapi/init_sec_context.o \ - ../heimdal/lib/gssapi/inquire_cred.o \ - ../heimdal/lib/gssapi/release_buffer.o \ - ../heimdal/lib/gssapi/release_cred.o \ - ../heimdal/lib/gssapi/release_name.o \ - ../heimdal/lib/gssapi/release_oid_set.o \ - ../heimdal/lib/gssapi/sequence.o \ - ../heimdal/lib/gssapi/test_oid_set_member.o \ - ../heimdal/lib/gssapi/unwrap.o \ - ../heimdal/lib/gssapi/verify_mic.o \ - ../heimdal/lib/gssapi/wrap.o \ - ../heimdal/lib/gssapi/address_to_krb5addr.o \ - ../heimdal/lib/gssapi/asn1_ContextFlags.o \ - ../heimdal/lib/gssapi/asn1_MechType.o \ - ../heimdal/lib/gssapi/asn1_MechTypeList.o \ - ../heimdal/lib/gssapi/asn1_NegotiationToken.o \ - ../heimdal/lib/gssapi/asn1_NegTokenInit.o \ - ../heimdal/lib/gssapi/asn1_NegTokenTarg.o \ - ../heimdal/lib/gssapi/8003.o \ - ../heimdal/lib/gssapi/accept_sec_context.o \ - ../heimdal/lib/gssapi/acquire_cred.o \ - ../heimdal/lib/gssapi/add_oid_set_member.o \ - ../heimdal/lib/gssapi/arcfour.o \ - ../heimdal/lib/gssapi/ccache_name.o \ - ../heimdal/lib/gssapi/copy_ccache.o \ - ../heimdal/lib/gssapi/cfx.o \ - ../heimdal/lib/gssapi/compat.o \ - ../heimdal/lib/gssapi/context_time.o \ - ../heimdal/lib/gssapi/create_emtpy_oid_set.o \ - ../heimdal/lib/gssapi/decapsulate.o \ - ../heimdal/lib/gssapi/delete_sec_context.o \ - ../heimdal/lib/gssapi/display_name.o \ - ../heimdal/lib/gssapi/display_status.o \ - ../heimdal/lib/gssapi/duplicate_name.o \ - ../heimdal/lib/gssapi/encapsulate.o \ - ../heimdal/lib/gssapi/external.o \ - ../heimdal/lib/gssapi/get_mic.o \ - ../heimdal/lib/gssapi/import_name.o \ - ../heimdal/lib/gssapi/init.o -PUBLIC_DEPENDENCIES = HEIMDAL_KRB5 + ../heimdal/lib/gssapi/mech/gss_krb5.o \ + ../heimdal/lib/gssapi/mech/gss_mech_switch.o \ + ../heimdal/lib/gssapi/mech/gss_process_context_token.o \ + ../heimdal/lib/gssapi/mech/gss_buffer_set.o \ + ../heimdal/lib/gssapi/mech/gss_add_cred.o \ + ../heimdal/lib/gssapi/mech/gss_add_oid_set_member.o \ + ../heimdal/lib/gssapi/mech/gss_compare_name.o \ + ../heimdal/lib/gssapi/mech/gss_release_oid_set.o \ + ../heimdal/lib/gssapi/mech/gss_create_empty_oid_set.o \ + ../heimdal/lib/gssapi/mech/gss_decapsulate_token.o \ + ../heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.o \ + ../heimdal/lib/gssapi/mech/gss_canonicalize_name.o \ + ../heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.o \ + ../heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.o \ +../heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.o \ +../heimdal/lib/gssapi/mech/gss_wrap_size_limit.o \ +../heimdal/lib/gssapi/mech/gss_names.o \ +../heimdal/lib/gssapi/mech/gss_verify.o \ +../heimdal/lib/gssapi/mech/gss_display_name.o \ +../heimdal/lib/gssapi/mech/gss_duplicate_oid.o \ +../heimdal/lib/gssapi/mech/gss_display_status.o \ +../heimdal/lib/gssapi/mech/gss_release_buffer.o \ +../heimdal/lib/gssapi/mech/gss_release_oid.o \ +../heimdal/lib/gssapi/mech/gss_test_oid_set_member.o \ +../heimdal/lib/gssapi/mech/gss_release_cred.o \ +../heimdal/lib/gssapi/mech/gss_set_sec_context_option.o \ +../heimdal/lib/gssapi/mech/gss_export_name.o \ +../heimdal/lib/gssapi/mech/gss_seal.o \ +../heimdal/lib/gssapi/mech/mech_switch.h \ +../heimdal/lib/gssapi/mech/gss_acquire_cred.o \ +../heimdal/lib/gssapi/mech/gss_unseal.o \ +../heimdal/lib/gssapi/mech/gss_verify_mic.o \ +../heimdal/lib/gssapi/mech/gss_accept_sec_context.o \ +../heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.o \ +../heimdal/lib/gssapi/mech/gss_indicate_mechs.o \ +../heimdal/lib/gssapi/mech/gss_delete_sec_context.o \ +../heimdal/lib/gssapi/mech/gss_sign.o \ +../heimdal/lib/gssapi/mech/gss_utils.o \ +../heimdal/lib/gssapi/mech/gss_init_sec_context.o \ +../heimdal/lib/gssapi/mech/gss_oid_equal.o \ +../heimdal/lib/gssapi/mech/gss_context_time.o \ +../heimdal/lib/gssapi/mech/gss_encapsulate_token.o \ +../heimdal/lib/gssapi/mech/gss_get_mic.o \ +../heimdal/lib/gssapi/mech/gss_import_sec_context.o \ +../heimdal/lib/gssapi/mech/gss_inquire_cred.o \ +../heimdal/lib/gssapi/mech/gss_wrap.o \ +../heimdal/lib/gssapi/mech/gss_import_name.o \ +../heimdal/lib/gssapi/mech/gss_duplicate_name.o \ +../heimdal/lib/gssapi/mech/gss_unwrap.o \ +../heimdal/lib/gssapi/mech/gss_export_sec_context.o \ +../heimdal/lib/gssapi/mech/gss_inquire_context.o \ +../heimdal/lib/gssapi/mech/gss_release_name.o \ +../heimdal/lib/gssapi/mech/gss_set_cred_option.o \ +../heimdal/lib/gssapi/mech/asn1_GSSAPIContextToken.o \ + ../heimdal/lib/gssapi/spnego/init_sec_context.o \ + ../heimdal/lib/gssapi/spnego/external.o \ + ../heimdal/lib/gssapi/spnego/compat.o \ + ../heimdal/lib/gssapi/spnego/context_stubs.o \ + ../heimdal/lib/gssapi/spnego/cred_stubs.o \ + ../heimdal/lib/gssapi/spnego/accept_sec_context.o \ + ../heimdal/lib/gssapi/spnego/asn1_ContextFlags.o \ + ../heimdal/lib/gssapi/spnego/asn1_MechType.o \ + ../heimdal/lib/gssapi/spnego/asn1_MechTypeList.o \ + ../heimdal/lib/gssapi/spnego/asn1_NegHints.o \ + ../heimdal/lib/gssapi/spnego/asn1_NegTokenInit.o \ + ../heimdal/lib/gssapi/spnego/asn1_NegTokenResp.o \ + ../heimdal/lib/gssapi/krb5/copy_ccache.o \ + ../heimdal/lib/gssapi/krb5/delete_sec_context.o \ + ../heimdal/lib/gssapi/krb5/init_sec_context.o \ + ../heimdal/lib/gssapi/krb5/context_time.o \ + ../heimdal/lib/gssapi/krb5/init.o \ + ../heimdal/lib/gssapi/krb5/address_to_krb5addr.o \ + ../heimdal/lib/gssapi/krb5/get_mic.o \ + ../heimdal/lib/gssapi/krb5/inquire_context.o \ + ../heimdal/lib/gssapi/krb5/add_cred.o \ + ../heimdal/lib/gssapi/krb5/inquire_cred.o \ + ../heimdal/lib/gssapi/krb5/inquire_cred_by_oid.o \ + ../heimdal/lib/gssapi/krb5/inquire_cred_by_mech.o \ + ../heimdal/lib/gssapi/krb5/inquire_mechs_for_name.o \ + ../heimdal/lib/gssapi/krb5/inquire_names_for_mech.o \ + ../heimdal/lib/gssapi/krb5/indicate_mechs.o \ + ../heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.o \ + ../heimdal/lib/gssapi/krb5/export_sec_context.o \ + ../heimdal/lib/gssapi/krb5/import_sec_context.o \ + ../heimdal/lib/gssapi/krb5/duplicate_name.o \ + ../heimdal/lib/gssapi/krb5/import_name.o \ + ../heimdal/lib/gssapi/krb5/compare_name.o \ + ../heimdal/lib/gssapi/krb5/export_name.o \ + ../heimdal/lib/gssapi/krb5/canonicalize_name.o \ + ../heimdal/lib/gssapi/krb5/unwrap.o \ + ../heimdal/lib/gssapi/krb5/wrap.o \ + ../heimdal/lib/gssapi/krb5/release_name.o \ + ../heimdal/lib/gssapi/krb5/cfx.o \ + ../heimdal/lib/gssapi/krb5/add_oid_set_member.o \ + ../heimdal/lib/gssapi/krb5/release_oid_set.o \ + ../heimdal/lib/gssapi/krb5/create_emtpy_oid_set.o \ + ../heimdal/lib/gssapi/krb5/8003.o \ + ../heimdal/lib/gssapi/krb5/arcfour.o \ + ../heimdal/lib/gssapi/krb5/encapsulate.o \ + ../heimdal/lib/gssapi/krb5/display_name.o \ + ../heimdal/lib/gssapi/krb5/sequence.o \ + ../heimdal/lib/gssapi/krb5/display_status.o \ + ../heimdal/lib/gssapi/krb5/release_buffer.o \ + ../heimdal/lib/gssapi/krb5/test_oid_set_member.o \ + ../heimdal/lib/gssapi/krb5/external.o \ + ../heimdal/lib/gssapi/krb5/compat.o \ + ../heimdal/lib/gssapi/krb5/acquire_cred.o \ + ../heimdal/lib/gssapi/krb5/release_cred.o \ + ../heimdal/lib/gssapi/krb5/set_cred_option.o \ + ../heimdal/lib/gssapi/krb5/decapsulate.o \ + ../heimdal/lib/gssapi/krb5/verify_mic.o \ + ../heimdal/lib/gssapi/krb5/accept_sec_context.o \ + ../heimdal/lib/gssapi/krb5/set_sec_context_option.o \ + ../heimdal/lib/gssapi/krb5/process_context_token.o +PRIVATE_DEPENDENCIES = HEIMDAL_KRB5 HEIMDAL_ROKEN HEIMDAL_DES HEIMDAL_ASN1 HEIMDAL_GLUE # End SUBSYSTEM HEIMDAL_GSSAPI ####################### @@ -202,8 +289,9 @@ OBJ_FILES = \ ../heimdal/lib/asn1/der_length.o \ ../heimdal/lib/asn1/der_copy.o \ ../heimdal/lib/asn1/der_cmp.o \ + ../heimdal/lib/asn1/extra.o \ + ../heimdal/lib/asn1/timegm.o \ ../heimdal/lib/asn1/asn1_AD_IF_RELEVANT.o \ - ../heimdal/lib/asn1/asn1_AD_KDCIssued.o \ ../heimdal/lib/asn1/asn1_APOptions.o \ ../heimdal/lib/asn1/asn1_AP_REP.o \ ../heimdal/lib/asn1/asn1_AP_REQ.o \ @@ -211,7 +299,7 @@ OBJ_FILES = \ ../heimdal/lib/asn1/asn1_AS_REQ.o \ ../heimdal/lib/asn1/asn1_Authenticator.o \ ../heimdal/lib/asn1/asn1_AuthorizationData.o \ - ../heimdal/lib/asn1/asn1_CBCParameter.o \ + ../heimdal/lib/asn1/asn1_AuthorizationDataElement.o \ ../heimdal/lib/asn1/asn1_CKSUMTYPE.o \ ../heimdal/lib/asn1/asn1_ChangePasswdDataMS.o \ ../heimdal/lib/asn1/asn1_Checksum.o \ @@ -251,15 +339,17 @@ OBJ_FILES = \ ../heimdal/lib/asn1/asn1_PA_DATA.o \ ../heimdal/lib/asn1/asn1_PA_ENC_TS_ENC.o \ ../heimdal/lib/asn1/asn1_PA_PAC_REQUEST.o \ + ../heimdal/lib/asn1/asn1_PA_S4U2Self.o \ ../heimdal/lib/asn1/asn1_Principal.o \ ../heimdal/lib/asn1/asn1_PrincipalName.o \ - ../heimdal/lib/asn1/asn1_RC2CBCParameter.o \ ../heimdal/lib/asn1/asn1_Realm.o \ ../heimdal/lib/asn1/asn1_TGS_REP.o \ ../heimdal/lib/asn1/asn1_TGS_REQ.o \ ../heimdal/lib/asn1/asn1_Ticket.o \ ../heimdal/lib/asn1/asn1_TicketFlags.o \ ../heimdal/lib/asn1/asn1_TransitedEncoding.o \ + ../heimdal/lib/asn1/asn1_KRB5SignedPathData.o \ + ../heimdal/lib/asn1/asn1_KRB5SignedPathPrincipals.o \ ../heimdal/lib/asn1/asn1_err.o \ ../heimdal/lib/asn1/asn1_krb5int32.o \ ../heimdal/lib/asn1/asn1_krb5uint32.o @@ -287,6 +377,8 @@ OBJ_FILES = \ ../heimdal/lib/des/ui.o \ ../heimdal/lib/des/evp.o \ ../heimdal/lib/des/pkcs5.o \ + ../heimdal/lib/des/rand.o \ + ../heimdal/lib/des/rand-unix.o \ ../heimdal/lib/des/hmac.o # End SUBSYSTEM HEIMDAL_DES ####################### @@ -294,19 +386,19 @@ OBJ_FILES = \ ####################### # Start SUBSYSTEM HEIMDAL_ROKEN_GAI_STRERROR [SUBSYSTEM::HEIMDAL_ROKEN_GAI_STRERROR] -CFLAGS = -Iheimdal_build -Iheimdal/lib/roken +CFLAGS = -Iheimdal_build -Iheimdal/lib/roken -Ilib/socket_wrapper OBJ_FILES = ../heimdal/lib/roken/gai_strerror.o [SUBSYSTEM::HEIMDAL_ROKEN_INET_ATON] -CFLAGS = -Iheimdal_build -Iheimdal/lib/roken +CFLAGS = -Iheimdal_build -Iheimdal/lib/roken -Ilib/socket_wrapper OBJ_FILES = ../heimdal/lib/roken/inet_aton.o [SUBSYSTEM::HEIMDAL_ROKEN_GETPROGNAME] -CFLAGS = -Iheimdal_build -Iheimdal/lib/roken +CFLAGS = -Iheimdal_build -Iheimdal/lib/roken -Ilib/socket_wrapper OBJ_FILES = ../heimdal/lib/roken/getprogname.o -[SUBSYSTEM::HEIMDAL_ROKEN_GETPROGNAME_H] -CFLAGS = -Iheimdal_build -Iheimdal/lib/roken +[SUBSYSTEM::HEIMDAL_ROKEN_GETPROGNAME_H] +CFLAGS = -Iheimdal_build -Iheimdal/lib/roken -Ilib/socket_wrapper OBJ_FILES = ../heimdal/lib/roken/getprogname.ho ####################### @@ -326,7 +418,7 @@ PRIVATE_DEPENDENCIES = EXT_SOCKET ####################### # Start SUBSYSTEM HEIMDAL_ROKEN [SUBSYSTEM::HEIMDAL_ROKEN] -CFLAGS = -Iheimdal_build -Iheimdal/lib/roken +CFLAGS = -Iheimdal_build -Iheimdal/lib/roken -Ilib/socket_wrapper OBJ_FILES = \ ../heimdal/lib/roken/base64.o \ ../heimdal/lib/roken/hex.o \ @@ -347,6 +439,7 @@ OBJ_FILES = \ ../heimdal/lib/roken/strsep.o \ ../heimdal/lib/roken/strupr.o \ ../heimdal/lib/roken/strpool.o \ + ../heimdal/lib/roken/estrdup.o \ replace.o PUBLIC_DEPENDENCIES = \ HEIMDAL_ROKEN_ADDRINFO \ @@ -363,7 +456,7 @@ PUBLIC_DEPENDENCIES = \ ####################### # Start SUBSYSTEM HEIMDAL_GLUE [SUBSYSTEM::HEIMDAL_GLUE] -CFLAGS = -Iheimdal_build -Iheimdal/lib/krb5 -Iheimdal/lib/asn1 -Iheimdal/lib/com_err +CFLAGS = -Iheimdal_build -Iheimdal/lib/krb5 -Iheimdal/lib/asn1 -Iheimdal/lib/com_err OBJ_FILES = glue.o PUBLIC_DEPENDENCIES = LIBNETIF # End SUBSYSTEM HEIMDAL_GLUE @@ -383,7 +476,7 @@ PRIVATE_DEPENDENCIES = HEIMDAL_ROKEN ####################### # Start SUBSYSTEM HEIMDAL_ASN1_COMPILE_LEX [SUBSYSTEM::HEIMDAL_ASN1_COMPILE_LEX] -CFLAGS = -Iheimdal_build -Iheimdal/lib/asn1 -Iheimdal/lib/roken +CFLAGS = -Iheimdal_build -Iheimdal/lib/asn1 -Iheimdal/lib/roken -Ilib/socket_wrapper OBJ_FILES = ../heimdal/lib/asn1/lex.ho # End SUBSYSTEM HEIMDAL_ASN1_COMPILE_LEX ####################### @@ -402,6 +495,7 @@ OBJ_FILES = \ ../heimdal/lib/asn1/gen_free.ho \ ../heimdal/lib/asn1/gen_glue.ho \ ../heimdal/lib/asn1/gen_length.ho \ + ../heimdal/lib/asn1/gen_seq.ho \ ../heimdal/lib/asn1/hash.ho \ ../heimdal/lib/asn1/parse.ho \ ../heimdal/lib/roken/emalloc.ho \ @@ -421,7 +515,7 @@ PRIVATE_DEPENDENCIES = HEIMDAL_ASN1_COMPILE_LEX HEIMDAL_ROKEN_GETPROGNAME_H ####################### # Start SUBSYSTEM HEIMDAL_COM_ERR_COMPILE_LEX [SUBSYSTEM::HEIMDAL_COM_ERR_COMPILE_LEX] -CFLAGS = -Iheimdal_build -Iheimdal/lib/com_err -Iheimdal/lib/roken +CFLAGS = -Iheimdal_build -Iheimdal/lib/com_err -Iheimdal/lib/roken -Ilib/socket_wrapper OBJ_FILES = ../heimdal/lib/com_err/lex.ho # End SUBSYSTEM HEIMDAL_COM_ERR_COMPILE_LEX ####################### @@ -444,8 +538,10 @@ PRIVATE_DEPENDENCIES = HEIMDAL_COM_ERR_COMPILE_LEX HEIMDAL_ROKEN_GETPROGNAME_H ####################### include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/hdb/hdb.asn1 hdb_asn1| -include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/gssapi/spnego.asn1 spnego_asn1| -include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/k5.asn1 krb5_asn1 --encode-rfc1510-bit-string| +include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/gssapi/spnego/spnego.asn1 spnego_asn1| +include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/gssapi/mech/gssapi.asn1 gssapi_asn1| +include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/k5.asn1 krb5_asn1 --encode-rfc1510-bit-string --sequence=KRB5SignedPathPrincipals --sequence=AuthorizationData| +include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/digest.asn1 digest_asn1| include perl_path_wrapper.sh et_deps.pl heimdal/lib/asn1/asn1_err.et| include perl_path_wrapper.sh et_deps.pl heimdal/lib/hdb/hdb_err.et| diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index 7359fe63c3..8fd69aecb1 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c @@ -462,7 +462,7 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con struct ldb_result *res = NULL; - ret = krb5_unparse_name_norealm(context, principal, &short_princ); + ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ); if (ret != 0) { krb5_set_error_string(context, "LDB_lookup_principal: could not parse principal"); @@ -713,7 +713,9 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, struct ldb_dn *user_dn, *domain_dn; char *principal_string; - ret = krb5_unparse_name_norealm(context, principal, &principal_string); + ret = krb5_unparse_name_flags(context, principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &principal_string); if (ret != 0) { return ret; } diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index 5da6be6eca..7d6155e1c0 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -49,7 +49,8 @@ typedef BOOL (*kdc_process_fn_t)(struct kdc_server *kdc, DATA_BLOB *input, DATA_BLOB *reply, struct socket_address *peer_addr, - struct socket_address *my_addr); + struct socket_address *my_addr, + int datagram); /* hold information about one kdc socket */ struct kdc_socket { @@ -157,7 +158,8 @@ static void kdc_recv_handler(struct kdc_socket *kdc_socket) tmp_ctx, &blob, &reply, - src, my_addr); + src, my_addr, + 1 /* Datagram */); if (!ret) { talloc_free(tmp_ctx); return; @@ -240,7 +242,8 @@ static NTSTATUS kdc_tcp_recv(void *private, DATA_BLOB blob) &input, &reply, src_addr, - my_addr); + my_addr, + 0 /* Not datagram */); if (!ret) { talloc_free(tmp_ctx); return NT_STATUS_INTERNAL_ERROR; @@ -306,10 +309,12 @@ static BOOL kdc_process(struct kdc_server *kdc, DATA_BLOB *input, DATA_BLOB *reply, struct socket_address *peer_addr, - struct socket_address *my_addr) + struct socket_address *my_addr, + int datagram_reply) { int ret; krb5_data k5_reply; + krb5_data_zero(&k5_reply); DEBUG(10,("Received KDC packet of length %lu from %s:%d\n", (long)input->length - 4, peer_addr->addr, peer_addr->port)); @@ -319,13 +324,18 @@ static BOOL kdc_process(struct kdc_server *kdc, input->data, input->length, &k5_reply, peer_addr->addr, - peer_addr->sockaddr); + peer_addr->sockaddr, + datagram_reply); if (ret == -1) { *reply = data_blob(NULL, 0); return False; } - *reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length); - krb5_data_free(&k5_reply); + if (k5_reply.length) { + *reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length); + krb5_free_data_contents(kdc->smb_krb5_context->krb5_context, &k5_reply); + } else { + *reply = data_blob(NULL, 0); + } return True; } diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h index f0d2479a25..9cd51f1d97 100644 --- a/source4/kdc/kdc.h +++ b/source4/kdc/kdc.h @@ -37,7 +37,8 @@ BOOL kpasswdd_process(struct kdc_server *kdc, DATA_BLOB *input, DATA_BLOB *reply, struct socket_address *peer_addr, - struct socket_address *my_addr); + struct socket_address *my_addr, + int datagram_reply); /* top level context structure for the kdc server diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 0dcbf9833d..6bc10cdced 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -410,7 +410,8 @@ BOOL kpasswdd_process(struct kdc_server *kdc, DATA_BLOB *input, DATA_BLOB *reply, struct socket_address *peer_addr, - struct socket_address *my_addr) + struct socket_address *my_addr, + int datagram_reply) { BOOL ret; const uint16_t header_len = 6; diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index e80ad060ed..143690ff0d 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -32,7 +32,7 @@ struct krb5_dh_moduli; struct _krb5_krb_auth_data; -#include "heimdal/lib/krb5/krb5-private.h" +#include "heimdal/lib/krb5/krb5_locl.h" /* Given the right private pointer from hdb_ldb, get a PAC from the attached ldb messages */ static krb5_error_code samba_get_pac(krb5_context context, diff --git a/source4/smbd/process_single.c b/source4/smbd/process_single.c index b8708f9ebe..60e5b1f584 100644 --- a/source4/smbd/process_single.c +++ b/source4/smbd/process_single.c @@ -25,18 +25,11 @@ #include "includes.h" #include "smbd/process_model.h" -/* For sepecifiying event context to GSSAPI below */ -#include "system/kerberos.h" -#include "heimdal/lib/gssapi/gssapi_locl.h" - - /* called when the process model is selected */ static void single_model_init(struct event_context *ev) { - /* Hack to ensure that GSSAPI uses the right event context */ - gssapi_krb5_init_ev(ev); } /* diff --git a/source4/smbd/process_standard.c b/source4/smbd/process_standard.c index 1efdd3d0c4..ec774b92df 100644 --- a/source4/smbd/process_standard.c +++ b/source4/smbd/process_standard.c @@ -28,10 +28,6 @@ #include "lib/socket/socket.h" #include "smbd/process_model.h" -/* For specifiying event context to GSSAPI below */ -#include "system/kerberos.h" -#include "heimdal/lib/gssapi/gssapi_locl.h" - #include "param/secrets.h" #ifdef HAVE_SETPROCTITLE @@ -115,9 +111,6 @@ static void standard_accept_connection(struct event_context *ev, DEBUG(0,("standard_accept_connection: tdb_reopen_all failed.\n")); } - /* Hack to ensure that GSSAPI uses the right event context */ - gssapi_krb5_init_ev(ev2); - /* Ensure that the forked children do not expose identical random streams */ set_need_random_reseed(); diff --git a/source4/static_deps.mk b/source4/static_deps.mk index 3ee1c53100..96edd97e43 100644 --- a/source4/static_deps.mk +++ b/source4/static_deps.mk @@ -20,9 +20,11 @@ heimdal_basics: \ heimdal/lib/roken/vis.h \ heimdal/lib/roken/err.h \ heimdal/lib/hdb/hdb_asn1.h \ - heimdal/lib/gssapi/spnego_asn1.h \ + heimdal/lib/gssapi/spnego/spnego_asn1.h \ + heimdal/lib/gssapi/mech/gssapi_asn1.h \ heimdal/lib/asn1/krb5_asn1.h \ heimdal/lib/asn1/asn1_err.h \ + heimdal/lib/asn1/digest_asn1.h \ heimdal/lib/hdb/hdb_err.h \ heimdal/lib/krb5/heim_err.h \ heimdal/lib/krb5/k524_err.h \ diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 629b573ec3..3c122c930b 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -97,14 +97,16 @@ static bool torture_pac_self_check(struct torture_context *tctx) torture_fail(tctx, "auth_anonymous_server_info"); } - ret = krb5_parse_name_norealm(smb_krb5_context->krb5_context, - server_info->account_name, &client_principal); + ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, + server_info->account_name, + KRB5_PRINCIPAL_PARSE_NO_REALM, + &client_principal); if (ret) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); - torture_fail(tctx, "krb5_parse_name_norealm"); + torture_fail(tctx, "krb5_parse_name_flags(norealm)"); } /* OK, go ahead and make a PAC */ |