diff options
Diffstat (limited to 'source4/heimdal/lib/gssapi/krb5')
47 files changed, 463 insertions, 269 deletions
diff --git a/source4/heimdal/lib/gssapi/krb5/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c index 119d49a0c5..f5181cc311 100644 --- a/source4/heimdal/lib/gssapi/krb5/8003.c +++ b/source4/heimdal/lib/gssapi/krb5/8003.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index 626afa9384..e0944852a7 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -74,12 +74,10 @@ _gsskrb5_register_acceptor_identity (const char *identity) } void -_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx) +_gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor) { + krb5_error_code ret; krb5_keyblock *key; - int acceptor = (ctx->more_flags & LOCAL) == 0; - - *is_cfx = 0; if (acceptor) { if (ctx->auth_context->local_subkey) @@ -108,12 +106,16 @@ _gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx) case ETYPE_ARCFOUR_HMAC_MD5_56: break; default : - *is_cfx = 1; + ctx->more_flags |= IS_CFX; + if ((acceptor && ctx->auth_context->local_subkey) || (!acceptor && ctx->auth_context->remote_subkey)) ctx->more_flags |= ACCEPTOR_SUBKEY; break; } + if (ctx->crypto) + krb5_crypto_destroy(context, ctx->crypto); + ret = krb5_crypto_init(context, key, 0, &ctx->crypto); } @@ -136,7 +138,8 @@ gsskrb5_accept_delegated_token kret = krb5_cc_default (context, &ccache); } else { *delegated_cred_handle = NULL; - kret = krb5_cc_gen_new (context, &krb5_mcc_ops, &ccache); + kret = krb5_cc_new_unique (context, krb5_cc_type_memory, + NULL, &ccache); } if (kret) { ctx->flags &= ~GSS_C_DELEG_FLAG; @@ -210,7 +213,8 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status, ctx->auth_context, &seq_number); - _gsskrb5i_is_cfx(ctx, &is_cfx); + _gsskrb5i_is_cfx(context, ctx, 1); + is_cfx = (ctx->more_flags & IS_CFX); ret = _gssapi_msg_order_create(minor_status, &ctx->order, @@ -381,7 +385,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, server, in, &out); krb5_rd_req_in_ctx_free(context, in); - if (kret == KRB5KRB_AP_ERR_SKEW) { + if (kret == KRB5KRB_AP_ERR_SKEW || kret == KRB5KRB_AP_ERR_TKT_NYV) { /* * No reply in non-MUTUAL mode, but we don't know that its * non-MUTUAL mode yet, thats inside the 8003 checksum, so @@ -526,7 +530,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, krb5_data outbuf; int use_subkey = 0; - _gsskrb5i_is_cfx(ctx, &is_cfx); + _gsskrb5i_is_cfx(context, ctx, 1); + is_cfx = (ctx->more_flags & IS_CFX); if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) { use_subkey = 1; diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c index be680840f5..bfab5667be 100644 --- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -187,7 +187,8 @@ static OM_uint32 acquire_initiator_cred krb5_get_init_creds_opt_free(context, opt); if (kret) goto end; - kret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache); + kret = krb5_cc_new_unique(context, krb5_cc_type_memory, + NULL, &ccache); if (kret) goto end; kret = krb5_cc_initialize(context, ccache, cred.client); diff --git a/source4/heimdal/lib/gssapi/krb5/add_cred.c b/source4/heimdal/lib/gssapi/krb5/add_cred.c index d6fd8f6f15..aa96a45e45 100644 --- a/source4/heimdal/lib/gssapi/krb5/add_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/add_cred.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -168,8 +168,8 @@ OM_uint32 _gsskrb5_add_cred ( } if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, - &handle->ccache); + ret = krb5_cc_new_unique(context, type, + NULL, &handle->ccache); if (ret) { *minor_status = ret; goto failure; diff --git a/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c b/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c index ff0afdc059..fa115d964a 100644 --- a/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c +++ b/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" #include <roken.h> diff --git a/source4/heimdal/lib/gssapi/krb5/aeap.c b/source4/heimdal/lib/gssapi/krb5/aeap.c new file mode 100644 index 0000000000..7dab7877d7 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/aeap.c @@ -0,0 +1,271 @@ +/* + * Copyright (c) 2008 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "gsskrb5_locl.h" + +#include <roken.h> + +static OM_uint32 +iov_allocate(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, int iov_count) +{ + unsigned int i; + + for (i = 0; i < iov_count; i++) { + if (GSS_IOV_BUFFER_FLAGS(iov[i].type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE){ + void *ptr = malloc(iov[i].buffer.length); + if (ptr == NULL) + abort(); + if (iov[i].buffer.value) + memcpy(ptr, iov[i].buffer.value, iov[i].buffer.length); + iov[i].buffer.value = ptr; + iov[i].type |= GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED; + } + } + return GSS_S_COMPLETE; +} + +static OM_uint32 +iov_map(OM_uint32 *minor_status, + const gss_iov_buffer_desc *iov, + int iov_count, + krb5_crypto_iov *data) +{ + unsigned int i; + + for (i = 0; i < iov_count; i++) { + switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) { + case GSS_IOV_BUFFER_TYPE_EMPTY: + data[i].flags = KRB5_CRYPTO_TYPE_EMPTY; + break; + case GSS_IOV_BUFFER_TYPE_DATA: + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + break; + case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: + data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; + break; + case GSS_IOV_BUFFER_TYPE_HEADER: + data[i].flags = KRB5_CRYPTO_TYPE_HEADER; + break; + case GSS_IOV_BUFFER_TYPE_TRAILER: + data[i].flags = KRB5_CRYPTO_TYPE_TRAILER; + break; + case GSS_IOV_BUFFER_TYPE_PADDING: + data[i].flags = KRB5_CRYPTO_TYPE_PADDING; + break; + case GSS_IOV_BUFFER_TYPE_STREAM: + abort(); + break; + default: + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + data[i].data.data = iov[i].buffer.value; + data[i].data.length = iov[i].buffer.length; + } + return GSS_S_COMPLETE; +} + +OM_uint32 GSSAPI_LIB_FUNCTION +_gk_wrap_iov(OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int * conf_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; + krb5_context context; + OM_uint32 major_status, junk; + krb5_crypto_iov *data; + krb5_error_code ret; + unsigned usage; + + GSSAPI_KRB5_INIT (&context); + + major_status = iov_allocate(minor_status, iov, iov_count); + if (major_status != GSS_S_COMPLETE) + return major_status; + + data = calloc(iov_count, sizeof(data[0])); + if (data == NULL) { + gss_release_iov_buffer(&junk, iov, iov_count); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + major_status = iov_map(minor_status, iov, iov_count, data); + if (major_status != GSS_S_COMPLETE) { + gss_release_iov_buffer(&junk, iov, iov_count); + free(data); + return major_status; + } + + if (ctx->more_flags & LOCAL) { + usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; + } else { + usage = KRB5_KU_USAGE_INITIATOR_SIGN; + } + + ret = krb5_encrypt_iov_ivec(context, ctx->crypto, usage, + data, iov_count, NULL); + free(data); + if (ret) { + gss_release_iov_buffer(&junk, iov, iov_count); + *minor_status = ret; + return GSS_S_FAILURE; + } + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 GSSAPI_LIB_FUNCTION +_gk_unwrap_iov(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int *conf_state, + gss_qop_t *qop_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; + krb5_context context; + krb5_error_code ret; + OM_uint32 major_status, junk; + krb5_crypto_iov *data; + unsigned usage; + + GSSAPI_KRB5_INIT (&context); + + major_status = iov_allocate(minor_status, iov, iov_count); + if (major_status != GSS_S_COMPLETE) + return major_status; + + data = calloc(iov_count, sizeof(data[0])); + if (data == NULL) { + gss_release_iov_buffer(&junk, iov, iov_count); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + major_status = iov_map(minor_status, iov, iov_count, data); + if (major_status != GSS_S_COMPLETE) { + gss_release_iov_buffer(&junk, iov, iov_count); + free(data); + return major_status; + } + + if (ctx->more_flags & LOCAL) { + usage = KRB5_KU_USAGE_INITIATOR_SIGN; + } else { + usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; + } + + ret = krb5_decrypt_iov_ivec(context, ctx->crypto, usage, + data, iov_count, NULL); + free(data); + if (ret) { + *minor_status = ret; + gss_release_iov_buffer(&junk, iov, iov_count); + return GSS_S_FAILURE; + } + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 GSSAPI_LIB_FUNCTION +_gk_wrap_iov_length(OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; + krb5_context context; + unsigned int i; + size_t size; + size_t *padding = NULL; + + GSSAPI_KRB5_INIT (&context); + *minor_status = 0; + + for (size = 0, i = 0; i < iov_count; i++) { + switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) { + case GSS_IOV_BUFFER_TYPE_EMPTY: + break; + case GSS_IOV_BUFFER_TYPE_DATA: + size += iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_HEADER: + iov[i].buffer.length = + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER); + size += iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_TRAILER: + iov[i].buffer.length = + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER); + size += iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_PADDING: + if (padding != NULL) { + *minor_status = 0; + return GSS_S_FAILURE; + } + padding = &iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_STREAM: + size += iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: + break; + default: + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + } + if (padding) { + size_t pad = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_PADDING); + if (pad > 1) { + *padding = pad - (size % pad); + if (*padding == pad) + *padding = 0; + } else + *padding = 0; + } + + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c index 7288b58493..b48cfebcf1 100644 --- a/source4/heimdal/lib/gssapi/krb5/arcfour.c +++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c index fa2258ce82..3a206b1be1 100644 --- a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c +++ b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c index d029f55ce4..7ae26e2e7a 100755 --- a/source4/heimdal/lib/gssapi/krb5/cfx.c +++ b/source4/heimdal/lib/gssapi/krb5/cfx.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -101,49 +101,47 @@ _gsskrb5cfx_wrap_length_cfx(const gsskrb5_ctx context_handle, return 0; } -krb5_error_code -_gsskrb5cfx_max_wrap_length_cfx(krb5_context context, - krb5_crypto crypto, +OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, + const gsskrb5_ctx ctx, + krb5_context context, int conf_req_flag, - size_t input_length, - OM_uint32 *output_length) + gss_qop_t qop_req, + OM_uint32 req_output_size, + OM_uint32 *max_input_size) { krb5_error_code ret; - *output_length = 0; + *max_input_size = 0; /* 16-byte header is always first */ - if (input_length < 16) + if (req_output_size < 16) return 0; - input_length -= 16; + req_output_size -= 16; if (conf_req_flag) { size_t wrapped_size, sz; - wrapped_size = input_length + 1; + wrapped_size = req_output_size + 1; do { wrapped_size--; sz = krb5_get_wrapped_length(context, - crypto, wrapped_size); - } while (wrapped_size && sz > input_length); - if (wrapped_size == 0) { - *output_length = 0; + ctx->crypto, wrapped_size); + } while (wrapped_size && sz > req_output_size); + if (wrapped_size == 0) return 0; - } /* inner header */ - if (wrapped_size < 16) { - *output_length = 0; + if (wrapped_size < 16) return 0; - } + wrapped_size -= 16; - *output_length = wrapped_size; + *max_input_size = wrapped_size; } else { krb5_cksumtype type; size_t cksumsize; - ret = krb5_crypto_get_checksum_type(context, crypto, &type); + ret = krb5_crypto_get_checksum_type(context, ctx->crypto, &type); if (ret) return ret; @@ -151,48 +149,16 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_context context, if (ret) return ret; - if (input_length < cksumsize) + if (req_output_size < cksumsize) return 0; /* Checksum is concatenated with data */ - *output_length = input_length - cksumsize; + *max_input_size = req_output_size - cksumsize; } return 0; } - -OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, - krb5_context context, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size, - krb5_keyblock *key) -{ - krb5_error_code ret; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag, - req_output_size, max_input_size); - if (ret != 0) { - *minor_status = ret; - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - - krb5_crypto_destroy(context, crypto); - - return GSS_S_COMPLETE; -} - /* * Rotate "rrc" bytes to the front or back */ @@ -238,16 +204,14 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate) } OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, int *conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key) + gss_buffer_t output_message_buffer) { - krb5_crypto crypto; gss_cfx_wrap_token token; krb5_error_code ret; unsigned usage; @@ -257,19 +221,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, int32_t seq_number; u_char *p; - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = _gsskrb5cfx_wrap_length_cfx(context_handle, context, - crypto, conf_req_flag, + ret = _gsskrb5cfx_wrap_length_cfx(ctx, context, + ctx->crypto, conf_req_flag, input_message_buffer->length, &wrapped_len, &cksumsize, &padlength); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } @@ -280,7 +237,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, output_message_buffer->value = malloc(output_message_buffer->length); if (output_message_buffer->value == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } @@ -290,9 +246,9 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, token->TOK_ID[1] = 0x04; token->Flags = 0; token->Filler = 0xFF; - if ((context_handle->more_flags & LOCAL) == 0) + if ((ctx->more_flags & LOCAL) == 0) token->Flags |= CFXSentByAcceptor; - if (context_handle->more_flags & ACCEPTOR_SUBKEY) + if (ctx->more_flags & ACCEPTOR_SUBKEY) token->Flags |= CFXAcceptorSubkey; if (conf_req_flag) { /* @@ -329,16 +285,16 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, token->RRC[0] = 0; token->RRC[1] = 0; - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); krb5_auth_con_getlocalseqnumber(context, - context_handle->auth_context, + ctx->auth_context, &seq_number); _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); krb5_auth_con_setlocalseqnumber(context, - context_handle->auth_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* * If confidentiality is requested, the token header is @@ -349,7 +305,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, * calculated over the plaintext concatenated with the * token header. */ - if (context_handle->more_flags & LOCAL) { + if (ctx->more_flags & LOCAL) { usage = KRB5_KU_USAGE_INITIATOR_SEAL; } else { usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; @@ -370,14 +326,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, memcpy(p + input_message_buffer->length + padlength, token, sizeof(*token)); - ret = krb5_encrypt(context, crypto, + ret = krb5_encrypt(context, ctx->crypto, usage, p, input_message_buffer->length + padlength + sizeof(*token), &cipher); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } @@ -389,14 +344,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, * this is really ugly, but needed against windows * for DCERPC, as windows rotates by EC+RRC. */ - if (IS_DCE_STYLE(context_handle)) { + if (IS_DCE_STYLE(ctx)) { ret = rrc_rotate(cipher.data, cipher.length, rrc+padlength, FALSE); } else { ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE); } if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } @@ -409,21 +363,19 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, buf = malloc(input_message_buffer->length + sizeof(*token)); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } memcpy(buf, input_message_buffer->value, input_message_buffer->length); memcpy(buf + input_message_buffer->length, token, sizeof(*token)); - ret = krb5_create_checksum(context, crypto, + ret = krb5_create_checksum(context, ctx->crypto, usage, 0, buf, input_message_buffer->length + sizeof(*token), &cksum); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); free(buf); return GSS_S_FAILURE; @@ -446,7 +398,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, input_message_buffer->length + cksum.checksum.length, rrc, FALSE); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); free_Checksum(&cksum); return GSS_S_FAILURE; @@ -454,8 +405,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, free_Checksum(&cksum); } - krb5_crypto_destroy(context, crypto); - if (conf_state != NULL) { *conf_state = conf_req_flag; } @@ -465,15 +414,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key) + gss_qop_t *qop_state) { - krb5_crypto crypto; gss_cfx_wrap_token token; u_char token_flags; krb5_error_code ret; @@ -503,11 +450,11 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, (CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey); if (token_flags & CFXSentByAcceptor) { - if ((context_handle->more_flags & LOCAL) == 0) + if ((ctx->more_flags & LOCAL) == 0) return GSS_S_DEFECTIVE_TOKEN; } - if (context_handle->more_flags & ACCEPTOR_SUBKEY) { + if (ctx->more_flags & ACCEPTOR_SUBKEY) { if ((token_flags & CFXAcceptorSubkey) == 0) return GSS_S_DEFECTIVE_TOKEN; } else { @@ -537,26 +484,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, return GSS_S_UNSEQ_TOKEN; } - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gssapi_msg_order_check(ctx->order, seq_number_lo); if (ret != 0) { *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); _gsskrb5_release_buffer(minor_status, output_message_buffer); return ret; } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* * Decrypt and/or verify checksum */ - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - if (context_handle->more_flags & LOCAL) { + if (ctx->more_flags & LOCAL) { usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; } else { usage = KRB5_KU_USAGE_INITIATOR_SEAL; @@ -571,27 +513,24 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, * this is really ugly, but needed against windows * for DCERPC, as windows rotates by EC+RRC. */ - if (IS_DCE_STYLE(context_handle)) { + if (IS_DCE_STYLE(ctx)) { *minor_status = rrc_rotate(p, len, rrc+ec, TRUE); } else { *minor_status = rrc_rotate(p, len, rrc, TRUE); } if (*minor_status != 0) { - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } - ret = krb5_decrypt(context, crypto, usage, + ret = krb5_decrypt(context, ctx->crypto, usage, p, len, &data); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); return GSS_S_BAD_MIC; } /* Check that there is room for the pad and token header */ if (data.length < ec + sizeof(*token)) { - krb5_crypto_destroy(context, crypto); krb5_data_free(&data); return GSS_S_DEFECTIVE_TOKEN; } @@ -604,7 +543,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Check the integrity of the header */ if (memcmp(p, token, sizeof(*token)) != 0) { - krb5_crypto_destroy(context, crypto); krb5_data_free(&data); return GSS_S_BAD_MIC; } @@ -617,16 +555,15 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Rotate by RRC; bogus to do this in-place XXX */ *minor_status = rrc_rotate(p, len, rrc, TRUE); if (*minor_status != 0) { - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } /* Determine checksum type */ ret = krb5_crypto_get_checksum_type(context, - crypto, &cksum.cksumtype); + ctx->crypto, + &cksum.cksumtype); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } @@ -635,7 +572,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Check we have at least as much data as the checksum */ if (len < cksum.checksum.length) { *minor_status = ERANGE; - krb5_crypto_destroy(context, crypto); return GSS_S_BAD_MIC; } @@ -647,7 +583,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, output_message_buffer->value = malloc(len + sizeof(*token)); if (output_message_buffer->value == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } @@ -664,21 +599,18 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, token->RRC[0] = 0; token->RRC[1] = 0; - ret = krb5_verify_checksum(context, crypto, + ret = krb5_verify_checksum(context, ctx->crypto, usage, output_message_buffer->value, len + sizeof(*token), &cksum); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_BAD_MIC; } } - krb5_crypto_destroy(context, crypto); - if (qop_state != NULL) { *qop_state = GSS_C_QOP_DEFAULT; } @@ -688,14 +620,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, gss_qop_t qop_req, const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key) + gss_buffer_t message_token) { - krb5_crypto crypto; gss_cfx_mic_token token; krb5_error_code ret; unsigned usage; @@ -704,17 +634,10 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, size_t len; int32_t seq_number; - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - len = message_buffer->length + sizeof(*token); buf = malloc(len); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } @@ -724,38 +647,36 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, token->TOK_ID[0] = 0x04; token->TOK_ID[1] = 0x04; token->Flags = 0; - if ((context_handle->more_flags & LOCAL) == 0) + if ((ctx->more_flags & LOCAL) == 0) token->Flags |= CFXSentByAcceptor; - if (context_handle->more_flags & ACCEPTOR_SUBKEY) + if (ctx->more_flags & ACCEPTOR_SUBKEY) token->Flags |= CFXAcceptorSubkey; memset(token->Filler, 0xFF, 5); - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); krb5_auth_con_getlocalseqnumber(context, - context_handle->auth_context, + ctx->auth_context, &seq_number); _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); krb5_auth_con_setlocalseqnumber(context, - context_handle->auth_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - if (context_handle->more_flags & LOCAL) { + if (ctx->more_flags & LOCAL) { usage = KRB5_KU_USAGE_INITIATOR_SIGN; } else { usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; } - ret = krb5_create_checksum(context, crypto, + ret = krb5_create_checksum(context, ctx->crypto, usage, 0, buf, len, &cksum); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); free(buf); return GSS_S_FAILURE; } - krb5_crypto_destroy(context, crypto); /* Determine MIC length */ message_token->length = sizeof(*token) + cksum.checksum.length; @@ -780,14 +701,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, - gss_qop_t *qop_state, - krb5_keyblock *key) + gss_qop_t *qop_state) { - krb5_crypto crypto; gss_cfx_mic_token token; u_char token_flags; krb5_error_code ret; @@ -814,10 +733,10 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey); if (token_flags & CFXSentByAcceptor) { - if ((context_handle->more_flags & LOCAL) == 0) + if ((ctx->more_flags & LOCAL) == 0) return GSS_S_DEFECTIVE_TOKEN; } - if (context_handle->more_flags & ACCEPTOR_SUBKEY) { + if (ctx->more_flags & ACCEPTOR_SUBKEY) { if ((token_flags & CFXAcceptorSubkey) == 0) return GSS_S_DEFECTIVE_TOKEN; } else { @@ -839,36 +758,29 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, return GSS_S_UNSEQ_TOKEN; } - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gssapi_msg_order_check(ctx->order, seq_number_lo); if (ret != 0) { *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return ret; } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* * Verify checksum */ - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_crypto_get_checksum_type(context, crypto, + ret = krb5_crypto_get_checksum_type(context, ctx->crypto, &cksum.cksumtype); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } cksum.checksum.data = p + sizeof(*token); cksum.checksum.length = token_buffer->length - sizeof(*token); - if (context_handle->more_flags & LOCAL) { + if (ctx->more_flags & LOCAL) { usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; } else { usage = KRB5_KU_USAGE_INITIATOR_SIGN; @@ -877,18 +789,16 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, buf = malloc(message_buffer->length + sizeof(*token)); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } memcpy(buf, message_buffer->value, message_buffer->length); memcpy(buf + message_buffer->length, token, sizeof(*token)); - ret = krb5_verify_checksum(context, crypto, + ret = krb5_verify_checksum(context, ctx->crypto, usage, buf, sizeof(*token) + message_buffer->length, &cksum); - krb5_crypto_destroy(context, crypto); if (ret != 0) { *minor_status = ret; free(buf); diff --git a/source4/heimdal/lib/gssapi/krb5/compare_name.c b/source4/heimdal/lib/gssapi/krb5/compare_name.c index d92f3ef405..fbb0f0218e 100644 --- a/source4/heimdal/lib/gssapi/krb5/compare_name.c +++ b/source4/heimdal/lib/gssapi/krb5/compare_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/compat.c b/source4/heimdal/lib/gssapi/krb5/compat.c index ee0d07d983..012602c074 100644 --- a/source4/heimdal/lib/gssapi/krb5/compat.c +++ b/source4/heimdal/lib/gssapi/krb5/compat.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/context_time.c b/source4/heimdal/lib/gssapi/krb5/context_time.c index 3854b68782..3230389938 100644 --- a/source4/heimdal/lib/gssapi/krb5/context_time.c +++ b/source4/heimdal/lib/gssapi/krb5/context_time.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c index 8961642671..40a8fab1b7 100644 --- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c index 22386fa737..a2a5de9fe7 100644 --- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c index 5ccfe9d015..ea0831815a 100644 --- a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -74,6 +74,8 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status, if (ctx->service_keyblock) krb5_free_keyblock (context, ctx->service_keyblock); krb5_data_free(&ctx->fwd_data); + if (ctx->crypto) + krb5_crypto_destroy(context, ctx->crypto); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); diff --git a/source4/heimdal/lib/gssapi/krb5/display_name.c b/source4/heimdal/lib/gssapi/krb5/display_name.c index d1834ebaf8..0b37731510 100644 --- a/source4/heimdal/lib/gssapi/krb5/display_name.c +++ b/source4/heimdal/lib/gssapi/krb5/display_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/display_status.c b/source4/heimdal/lib/gssapi/krb5/display_status.c index 18622610d5..4136c25e53 100644 --- a/source4/heimdal/lib/gssapi/krb5/display_status.c +++ b/source4/heimdal/lib/gssapi/krb5/display_status.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/duplicate_name.c b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c index 6c281f43de..2b5e5c0ef4 100644 --- a/source4/heimdal/lib/gssapi/krb5/duplicate_name.c +++ b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/encapsulate.c b/source4/heimdal/lib/gssapi/krb5/encapsulate.c index 19c6ec8ca7..838a34d7db 100644 --- a/source4/heimdal/lib/gssapi/krb5/encapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/encapsulate.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/export_name.c b/source4/heimdal/lib/gssapi/krb5/export_name.c index b28777ea2e..bad73611dc 100644 --- a/source4/heimdal/lib/gssapi/krb5/export_name.c +++ b/source4/heimdal/lib/gssapi/krb5/export_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/export_sec_context.c b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c index 842921fe50..305d5c334e 100644 --- a/source4/heimdal/lib/gssapi/krb5/export_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index 4efa61fd70..1c28f7c141 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" #include <gssapi_mech.h> RCSID("$Id$"); @@ -469,7 +469,10 @@ static gssapi_mech_interface_desc krb5_mech = { _gsskrb5_inquire_cred_by_oid, _gsskrb5_set_sec_context_option, _gsskrb5_set_cred_option, - _gsskrb5_pseudo_random + _gsskrb5_pseudo_random, + _gk_wrap_iov, + _gk_unwrap_iov, + _gk_wrap_iov_length }; gssapi_mech_interface diff --git a/source4/heimdal/lib/gssapi/krb5/get_mic.c b/source4/heimdal/lib/gssapi/krb5/get_mic.c index 199c414ef4..66aaba44d6 100644 --- a/source4/heimdal/lib/gssapi/krb5/get_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/get_mic.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -284,6 +284,10 @@ OM_uint32 _gsskrb5_get_mic GSSAPI_KRB5_INIT (&context); + if (ctx->more_flags & IS_CFX) + return _gssapi_mic_cfx (minor_status, ctx, context, qop_req, + message_buffer, message_token); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); ret = _gsskrb5i_get_token_key(ctx, context, &key); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); @@ -308,8 +312,7 @@ OM_uint32 _gsskrb5_get_mic message_buffer, message_token, key); break; default : - ret = _gssapi_mic_cfx (minor_status, ctx, context, qop_req, - message_buffer, message_token, key); + abort(); break; } krb5_free_keyblock (context, key); diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h index 6db842395f..aadb80db0d 100644 --- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h +++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h @@ -36,14 +36,13 @@ #ifndef GSSKRB5_LOCL_H #define GSSKRB5_LOCL_H -#ifdef HAVE_CONFIG_H #include <config.h> -#endif #include <krb5_locl.h> #include <gkrb5_err.h> #include <gssapi.h> #include <gssapi_mech.h> +#include <gssapi_krb5.h> #include <assert.h> #include "cfx.h" @@ -54,7 +53,7 @@ struct gss_msg_order; -typedef struct { +typedef struct gsskrb5_ctx { struct krb5_auth_context_data *auth_context; krb5_principal source, target; #define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0) @@ -64,7 +63,8 @@ typedef struct { COMPAT_OLD_DES3_SELECTED = 8, ACCEPTOR_SUBKEY = 16, RETRIED = 32, - CLOSE_CCACHE = 64 + CLOSE_CCACHE = 64, + IS_CFX = 128 } more_flags; enum gss_ctx_id_t_state { /* initiator states */ @@ -85,6 +85,7 @@ typedef struct { struct gss_msg_order *order; krb5_keyblock *service_keyblock; krb5_data fwd_data; + krb5_crypto crypto; } *gsskrb5_ctx; typedef struct { @@ -119,7 +120,7 @@ struct gssapi_thr_context { * Prototypes */ -#include <krb5/gsskrb5-private.h> +#include <gsskrb5-private.h> #define GSSAPI_KRB5_INIT(ctx) do { \ krb5_error_code kret_gss_init; \ diff --git a/source4/heimdal/lib/gssapi/krb5/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c index 2f6b002f30..8f5387fe2b 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_name.c +++ b/source4/heimdal/lib/gssapi/krb5/import_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c index e1e8e551b4..ba1a977d2d 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c index 05b9447746..3702106e79 100644 --- a/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c +++ b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/init.c b/source4/heimdal/lib/gssapi/krb5/init.c index 6c1c5949e0..b28e6a4c12 100644 --- a/source4/heimdal/lib/gssapi/krb5/init.c +++ b/source4/heimdal/lib/gssapi/krb5/init.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index dfa0e935e6..4b632bd95a 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -131,6 +131,7 @@ _gsskrb5_create_ctx( krb5_data_zero(&ctx->fwd_data); ctx->lifetime = GSS_C_INDEFINITE; ctx->order = NULL; + ctx->crypto = NULL; HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); kret = krb5_auth_con_init (context, &ctx->auth_context); @@ -257,7 +258,8 @@ gsskrb5_initiator_ready( krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number); - _gsskrb5i_is_cfx(ctx, &is_cfx); + _gsskrb5i_is_cfx(context, ctx, 0); + is_cfx = (ctx->more_flags & IS_CFX); ret = _gssapi_msg_order_create(minor_status, &ctx->order, @@ -552,8 +554,10 @@ init_auth_restart flags |= GSS_C_REPLAY_FLAG; if (req_flags & GSS_C_SEQUENCE_FLAG) flags |= GSS_C_SEQUENCE_FLAG; +#if 0 if (req_flags & GSS_C_ANON_FLAG) ; /* XXX */ +#endif if (req_flags & GSS_C_DCE_STYLE) { /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */ flags |= GSS_C_DCE_STYLE | GSS_C_MUTUAL_FLAG; @@ -686,7 +690,6 @@ repl_mutual krb5_error_code kret; krb5_data indata; krb5_ap_rep_enc_part *repl; - int is_cfx = 0; output_token->length = 0; output_token->value = NULL; @@ -759,20 +762,6 @@ repl_mutual krb5_free_ap_rep_enc_part (context, repl); - _gsskrb5i_is_cfx(ctx, &is_cfx); - if (is_cfx) { - krb5_keyblock *key = NULL; - - kret = krb5_auth_con_getremotesubkey(context, - ctx->auth_context, - &key); - if (kret == 0 && key != NULL) { - ctx->more_flags |= ACCEPTOR_SUBKEY; - krb5_free_keyblock (context, key); - } - } - - *minor_status = 0; if (time_rec) { ret = _gsskrb5_lifetime_left(minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_context.c b/source4/heimdal/lib/gssapi/krb5/inquire_context.c index e0aeb032ce..188a6135a4 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_context.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c index bb75978adb..27e3014923 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c index cdf05d7934..1fd9733940 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c index 2bcc17683b..5a35202a6a 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c index 4fd730deab..5d54bd6508 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c index a9d6495c7b..9eba7b7f4d 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c index 8d40706294..f8ef2a3aa4 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -242,7 +242,7 @@ static OM_uint32 inquire_sec_context_has_updated_spnego * mechanism. */ HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - _gsskrb5i_is_cfx(context_handle, &is_updated); + is_updated = (context_handle->more_flags & IS_CFX); if (is_updated == 0) { krb5_keyblock *acceptor_subkey; @@ -282,7 +282,7 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status, HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - _gsskrb5i_is_cfx(context_handle, &is_cfx); + is_cfx = (context_handle->more_flags & IS_CFX); sp = krb5_storage_emem(); if (sp == NULL) { @@ -445,6 +445,7 @@ get_service_keyblock HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); if (ctx->service_keyblock == NULL) { HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + krb5_storage_free(sp); _gsskrb5_set_status(EINVAL, "No service keyblock on gssapi context"); *minor_status = EINVAL; return GSS_S_FAILURE; diff --git a/source4/heimdal/lib/gssapi/krb5/prf.c b/source4/heimdal/lib/gssapi/krb5/prf.c index 9cbe603435..9fd13f51bd 100644 --- a/source4/heimdal/lib/gssapi/krb5/prf.c +++ b/source4/heimdal/lib/gssapi/krb5/prf.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/process_context_token.c b/source4/heimdal/lib/gssapi/krb5/process_context_token.c index 6892d3ca60..3229b36292 100644 --- a/source4/heimdal/lib/gssapi/krb5/process_context_token.c +++ b/source4/heimdal/lib/gssapi/krb5/process_context_token.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -44,15 +44,12 @@ OM_uint32 _gsskrb5_process_context_token ( krb5_context context; OM_uint32 ret = GSS_S_FAILURE; gss_buffer_desc empty_buffer; - gss_qop_t qop_state; empty_buffer.length = 0; empty_buffer.value = NULL; GSSAPI_KRB5_INIT (&context); - qop_state = GSS_C_QOP_DEFAULT; - ret = _gsskrb5_verify_mic_internal(minor_status, (gsskrb5_ctx)context_handle, context, diff --git a/source4/heimdal/lib/gssapi/krb5/release_buffer.c b/source4/heimdal/lib/gssapi/krb5/release_buffer.c index a0f37c06f4..18e0279939 100644 --- a/source4/heimdal/lib/gssapi/krb5/release_buffer.c +++ b/source4/heimdal/lib/gssapi/krb5/release_buffer.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/release_cred.c b/source4/heimdal/lib/gssapi/krb5/release_cred.c index 5a0ec829d2..62674a1d53 100644 --- a/source4/heimdal/lib/gssapi/krb5/release_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/release_cred.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -61,8 +61,6 @@ OM_uint32 _gsskrb5_release_cred if (cred->keytab != NULL) krb5_kt_close(context, cred->keytab); if (cred->ccache != NULL) { - const krb5_cc_ops *ops; - ops = krb5_cc_get_ops(context, cred->ccache); if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE) krb5_cc_destroy(context, cred->ccache); else diff --git a/source4/heimdal/lib/gssapi/krb5/release_name.c b/source4/heimdal/lib/gssapi/krb5/release_name.c index d39c705433..5491052c59 100644 --- a/source4/heimdal/lib/gssapi/krb5/release_name.c +++ b/source4/heimdal/lib/gssapi/krb5/release_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/sequence.c b/source4/heimdal/lib/gssapi/krb5/sequence.c index 61164ffec1..6391d44429 100644 --- a/source4/heimdal/lib/gssapi/krb5/sequence.c +++ b/source4/heimdal/lib/gssapi/krb5/sequence.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c index e47e6fdb6c..2a2390f8d1 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index 6591ab04dd..460cfe942a 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c @@ -34,7 +34,7 @@ * glue routine for _gsskrb5_inquire_sec_context_by_oid */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index f34f72542e..0e87cb88b7 100644 --- a/source4/heimdal/lib/gssapi/krb5/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -393,11 +393,16 @@ OM_uint32 _gsskrb5_unwrap output_message_buffer->value = NULL; output_message_buffer->length = 0; + if (qop_state != NULL) + *qop_state = GSS_C_QOP_DEFAULT; GSSAPI_KRB5_INIT (&context); - if (qop_state != NULL) - *qop_state = GSS_C_QOP_DEFAULT; + if (ctx->more_flags & IS_CFX) + return _gssapi_unwrap_cfx (minor_status, ctx, context, + input_message_buffer, output_message_buffer, + conf_state, qop_state); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); ret = _gsskrb5i_get_token_key(ctx, context, &key); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); @@ -427,9 +432,7 @@ OM_uint32 _gsskrb5_unwrap conf_state, qop_state, key); break; default : - ret = _gssapi_unwrap_cfx (minor_status, ctx, context, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); + abort(); break; } krb5_free_keyblock (context, key); diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index 1832d35b5a..6eb7ae4b08 100644 --- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -266,7 +266,7 @@ retry: OM_uint32 _gsskrb5_verify_mic_internal (OM_uint32 * minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, @@ -278,9 +278,14 @@ _gsskrb5_verify_mic_internal OM_uint32 ret; krb5_keytype keytype; - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gsskrb5i_get_token_key(context_handle, context, &key); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + if (ctx->more_flags & IS_CFX) + return _gssapi_verify_mic_cfx (minor_status, ctx, + context, message_buffer, token_buffer, + qop_state); + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(ctx, context, &key); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); if (ret) { *minor_status = ret; return GSS_S_FAILURE; @@ -289,28 +294,24 @@ _gsskrb5_verify_mic_internal krb5_enctype_to_keytype (context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : - ret = verify_mic_des (minor_status, context_handle, context, + ret = verify_mic_des (minor_status, ctx, context, message_buffer, token_buffer, qop_state, key, type); break; case KEYTYPE_DES3 : - ret = verify_mic_des3 (minor_status, context_handle, context, + ret = verify_mic_des3 (minor_status, ctx, context, message_buffer, token_buffer, qop_state, key, type); break; case KEYTYPE_ARCFOUR : case KEYTYPE_ARCFOUR_56 : - ret = _gssapi_verify_mic_arcfour (minor_status, context_handle, + ret = _gssapi_verify_mic_arcfour (minor_status, ctx, context, message_buffer, token_buffer, qop_state, key, type); break; default : - ret = _gssapi_verify_mic_cfx (minor_status, context_handle, - context, - message_buffer, token_buffer, qop_state, - key); - break; + abort(); } krb5_free_keyblock (context, key); diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index ad21bcb57b..b9f4c237c7 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -154,6 +154,11 @@ _gsskrb5_wrap_size_limit ( GSSAPI_KRB5_INIT (&context); + if (ctx->more_flags & IS_CFX) + return _gssapi_wrap_size_cfx(minor_status, ctx, context, + conf_req_flag, qop_req, + req_output_size, max_input_size); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); ret = _gsskrb5i_get_token_key(ctx, context, &key); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); @@ -177,9 +182,7 @@ _gsskrb5_wrap_size_limit ( ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); break; default : - ret = _gssapi_wrap_size_cfx(minor_status, ctx, context, - conf_req_flag, qop_req, - req_output_size, max_input_size, key); + abort(); break; } krb5_free_keyblock (context, key); @@ -530,8 +533,16 @@ OM_uint32 _gsskrb5_wrap krb5_keytype keytype; const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; + output_message_buffer->value = NULL; + output_message_buffer->length = 0; + GSSAPI_KRB5_INIT (&context); + if (ctx->more_flags & IS_CFX) + return _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag, + qop_req, input_message_buffer, conf_state, + output_message_buffer); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); ret = _gsskrb5i_get_token_key(ctx, context, &key); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); @@ -559,9 +570,7 @@ OM_uint32 _gsskrb5_wrap output_message_buffer, key); break; default : - ret = _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); + abort(); break; } krb5_free_keyblock (context, key); |