summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/gssapi
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/lib/gssapi')
-rw-r--r--source4/heimdal/lib/gssapi/gssapi/gssapi.h98
-rw-r--r--source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h7
-rw-r--r--source4/heimdal/lib/gssapi/gssapi_mech.h59
-rw-r--r--source4/heimdal/lib/gssapi/krb5/8003.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/accept_sec_context.c70
-rw-r--r--source4/heimdal/lib/gssapi/krb5/acquire_cred.c153
-rw-r--r--source4/heimdal/lib/gssapi/krb5/add_cred.c31
-rw-r--r--source4/heimdal/lib/gssapi/krb5/aeap.c10
-rw-r--r--source4/heimdal/lib/gssapi/krb5/arcfour.c14
-rwxr-xr-xsource4/heimdal/lib/gssapi/krb5/cfx.c12
-rw-r--r--source4/heimdal/lib/gssapi/krb5/compat.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/context_time.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/copy_ccache.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/creds.c8
-rw-r--r--source4/heimdal/lib/gssapi/krb5/encapsulate.c4
-rw-r--r--source4/heimdal/lib/gssapi/krb5/external.c21
-rw-r--r--source4/heimdal/lib/gssapi/krb5/import_name.c4
-rw-r--r--source4/heimdal/lib/gssapi/krb5/init_sec_context.c36
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_cred.c4
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c53
-rw-r--r--source4/heimdal/lib/gssapi/krb5/prf.c24
-rw-r--r--source4/heimdal/lib/gssapi/krb5/process_context_token.c3
-rw-r--r--source4/heimdal/lib/gssapi/krb5/sequence.c4
-rw-r--r--source4/heimdal/lib/gssapi/krb5/set_cred_option.c4
-rw-r--r--source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c7
-rw-r--r--source4/heimdal/lib/gssapi/krb5/store_cred.c2
-rw-r--r--source4/heimdal/lib/gssapi/krb5/unwrap.c3
-rw-r--r--source4/heimdal/lib/gssapi/krb5/verify_mic.c8
-rw-r--r--source4/heimdal/lib/gssapi/krb5/wrap.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/cred.h16
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c16
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_add_cred.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_aeap.c6
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_buffer_set.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_cred.c4
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c6
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_display_status.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c8
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c6
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_import_name.c18
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c4
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_inquire_context.c8
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_krb5.c16
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_mech_switch.c100
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_mo.c351
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_names.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_oid.c150
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_oid_equal.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_release_name.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c6
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c2
-rw-r--r--source4/heimdal/lib/gssapi/mech/mech_locl.h1
-rw-r--r--source4/heimdal/lib/gssapi/spnego/accept_sec_context.c44
-rw-r--r--source4/heimdal/lib/gssapi/spnego/compat.c6
-rw-r--r--source4/heimdal/lib/gssapi/spnego/context_stubs.c4
-rw-r--r--source4/heimdal/lib/gssapi/spnego/cred_stubs.c2
-rw-r--r--source4/heimdal/lib/gssapi/spnego/external.c17
-rw-r--r--source4/heimdal/lib/gssapi/spnego/init_sec_context.c6
-rw-r--r--source4/heimdal/lib/gssapi/spnego/spnego_locl.h2
-rw-r--r--source4/heimdal/lib/gssapi/version-script.map12
69 files changed, 995 insertions, 495 deletions
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi/gssapi.h
index caa1af8b3a..fa53a29d24 100644
--- a/source4/heimdal/lib/gssapi/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi/gssapi.h
@@ -31,8 +31,6 @@
* SUCH DAMAGE.
*/
-/* $Id$ */
-
#ifndef GSSAPI_GSSAPI_H_
#define GSSAPI_GSSAPI_H_
@@ -55,13 +53,11 @@
#endif
#endif
-#ifndef GSSAPI_DEPRECATED
+#ifndef GSSAPI_DEPRECATED_FUNCTION
#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
-#define GSSAPI_DEPRECATED __attribute__((deprecated))
-#elif defined(_MSC_VER)
-#define GSSAPI_DEPRECATED __declspec(deprecated)
+#define GSSAPI_DEPRECATED_FUNCTION(X) __attribute__((deprecated))
#else
-#define GSSAPI_DEPRECATED
+#define GSSAPI_DEPRECATED_FUNCTION(X)
#endif
#endif
@@ -375,7 +371,7 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_anonymous_oid_desc;
* to that gss_OID_desc.
*/
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
-#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc)
+#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc)
/* Major status codes */
@@ -447,6 +443,11 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
#define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET)
/*
+ * Apparently awating spec fix.
+ */
+#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
+
+/*
* Supplementary info bits:
*/
#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
@@ -459,6 +460,9 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
* Finally, function prototypes for the GSS-API routines.
*/
+#define GSS_C_OPTION_MASK 0xffff
+#define GSS_C_CRED_NO_UI 0x10000
+
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
@@ -827,7 +831,7 @@ typedef struct {
size_t blocksize; /**< Specificed optimal size of messages, also
is the maximum padding size
(GSS_IOV_BUFFER_TYPE_PADDING) */
-} gss_context_stream_sizes;
+} gss_context_stream_sizes;
extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_attr_stream_sizes_oid_desc;
#define GSS_C_ATTR_STREAM_SIZES (&__gss_c_attr_stream_sizes_oid_desc)
@@ -850,23 +854,23 @@ gss_context_query_attributes(OM_uint32 * /* minor_status */,
* obsolete versions of these routines and their current forms.
*/
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*qop_req*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
- );
+ ) GSSAPI_DEPRECATED_FUNCTION("Use gss_get_mic");
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*token_buffer*/,
int * /*qop_state*/
- );
+ ) GSSAPI_DEPRECATED_FUNCTION("Use gss_verify_mic");
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
@@ -874,29 +878,29 @@ GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
- );
+ ) GSSAPI_DEPRECATED_FUNCTION("Use gss_wrap");
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
int * /*qop_state*/
- );
+ ) GSSAPI_DEPRECATED_FUNCTION("Use gss_unwrap");
/**
*
*/
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_encapsulate_token(const gss_buffer_t /* input_token */,
- const gss_OID /* oid */,
+gss_encapsulate_token(gss_const_buffer_t /* input_token */,
+ gss_const_OID /* oid */,
gss_buffer_t /* output_token */);
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_decapsulate_token(const gss_buffer_t /* input_token */,
- const gss_OID /* oid */,
+gss_decapsulate_token(gss_const_buffer_t /* input_token */,
+ gss_const_OID /* oid */,
gss_buffer_t /* output_token */);
@@ -990,6 +994,56 @@ gss_display_mech_attr(OM_uint32 * minor_status,
gss_buffer_t long_desc);
/*
+ * Solaris compat
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred_with_password
+ (OM_uint32 * /*minor_status*/,
+ const gss_name_t /*desired_name*/,
+ const gss_buffer_t /*password*/,
+ OM_uint32 /*time_req*/,
+ const gss_OID_set /*desired_mechs*/,
+ gss_cred_usage_t /*cred_usage*/,
+ gss_cred_id_t * /*output_cred_handle*/,
+ gss_OID_set * /*actual_mechs*/,
+ OM_uint32 * /*time_rec*/
+ );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_cred_with_password (
+ OM_uint32 * /*minor_status*/,
+ const gss_cred_id_t /*input_cred_handle*/,
+ const gss_name_t /*desired_name*/,
+ const gss_OID /*desired_mech*/,
+ const gss_buffer_t /*password*/,
+ gss_cred_usage_t /*cred_usage*/,
+ OM_uint32 /*initiator_time_req*/,
+ OM_uint32 /*acceptor_time_req*/,
+ gss_cred_id_t * /*output_cred_handle*/,
+ gss_OID_set * /*actual_mechs*/,
+ OM_uint32 * /*initiator_time_rec*/,
+ OM_uint32 * /*acceptor_time_rec*/
+ );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_pname_to_uid(
+ OM_uint32 *minor,
+ const gss_name_t name,
+ const gss_OID mech_type,
+ uid_t *uidOut);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_authorize_localname(
+ OM_uint32 *minor,
+ const gss_name_t name,
+ const gss_name_t user);
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_userok(const gss_name_t name,
+ const char *user);
+
+extern GSSAPI_LIB_VARIABLE gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
+
+/*
* Naming extensions
*/
@@ -1051,4 +1105,6 @@ gss_name_to_oid(const char *name);
GSSAPI_CPP_END
+#undef GSSAPI_DEPRECATED_FUNCTION
+
#endif /* GSSAPI_GSSAPI_H_ */
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h
index e7b56dc7d4..9465efc77f 100644
--- a/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h
+++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h
@@ -109,6 +109,13 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_name_oid_desc;
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_description_oid_desc;
#define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc)
+ /* credential types */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_password_oid_desc;
+#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_certificate_oid_desc;
+#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
+
/* Heimdal mechanisms - 1.2.752.43.14 */
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc;
#define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc)
diff --git a/source4/heimdal/lib/gssapi/gssapi_mech.h b/source4/heimdal/lib/gssapi/gssapi_mech.h
index 1431dbcee6..e4ccfdb0cd 100644
--- a/source4/heimdal/lib/gssapi/gssapi_mech.h
+++ b/source4/heimdal/lib/gssapi/gssapi_mech.h
@@ -355,14 +355,14 @@ _gss_import_cred_t(OM_uint32 * minor_status,
typedef OM_uint32 GSSAPI_CALLCONV
-_gss_acquire_cred_ex_t(void * /* status */,
- const gss_name_t /* desired_name */,
- OM_uint32 /* flags */,
- OM_uint32 /* time_req */,
- gss_cred_usage_t /* cred_usage */,
- void * /* identity */,
- void * /* ctx */,
- void (* /*complete */)(void *, OM_uint32, void *, gss_cred_id_t, OM_uint32));
+_gss_acquire_cred_ext_t(OM_uint32 * /*minor_status */,
+ const gss_name_t /* desired_name */,
+ gss_const_OID /* credential_type */,
+ const void * /* credential_data */,
+ OM_uint32 /* time_req */,
+ gss_const_OID /* desired_mech */,
+ gss_cred_usage_t /* cred_usage */,
+ gss_cred_id_t * /* output_cred_handle */);
typedef void GSSAPI_CALLCONV
_gss_iter_creds_t(OM_uint32 /* flags */,
@@ -460,13 +460,28 @@ struct gss_mo_desc_struct {
int (*set)(gss_const_OID, gss_mo_desc *, int, gss_buffer_t);
};
+typedef OM_uint32 GSSAPI_CALLCONV _gss_pname_to_uid_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* name */
+ const gss_OID, /* mech_type */
+ uid_t * /* uidOut */
+ );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* name */
+ gss_const_buffer_t, /* user */
+ gss_const_OID /* user_name_type */
+ );
+
+/* mechglue internal */
+struct gss_mech_compat_desc_struct;
#define GMI_VERSION 5
/* gm_flags */
#define GM_USE_MG_CRED 1 /* uses mech glue credentials */
-
typedef struct gssapi_mech_interface_desc {
unsigned gm_version;
const char *gm_name;
@@ -512,7 +527,7 @@ typedef struct gssapi_mech_interface_desc {
_gss_store_cred_t *gm_store_cred;
_gss_export_cred_t *gm_export_cred;
_gss_import_cred_t *gm_import_cred;
- _gss_acquire_cred_ex_t *gm_acquire_cred_ex;
+ _gss_acquire_cred_ext_t *gm_acquire_cred_ext;
_gss_iter_creds_t *gm_iter_creds;
_gss_destroy_cred_t *gm_destroy_cred;
_gss_cred_hold_t *gm_cred_hold;
@@ -521,12 +536,15 @@ typedef struct gssapi_mech_interface_desc {
_gss_cred_label_set_t *gm_cred_label_set;
gss_mo_desc *gm_mo;
size_t gm_mo_num;
+ _gss_pname_to_uid_t *gm_pname_to_uid;
+ _gss_authorize_localname_t *gm_authorize_localname;
_gss_display_name_ext_t *gm_display_name_ext;
_gss_inquire_name_t *gm_inquire_name;
_gss_get_name_attribute_t *gm_get_name_attribute;
_gss_set_name_attribute_t *gm_set_name_attribute;
_gss_delete_name_attribute_t *gm_delete_name_attribute;
_gss_export_name_composite_t *gm_export_name_composite;
+ struct gss_mech_compat_desc_struct *gm_compat;
} gssapi_mech_interface_desc, *gssapi_mech_interface;
gssapi_mech_interface
@@ -552,4 +570,25 @@ struct _gss_oid_name_table {
extern struct _gss_oid_name_table _gss_ont_mech[];
extern struct _gss_oid_name_table _gss_ont_ma[];
+/*
+ * Extended credentials acqusition API, not to be exported until
+ * it or something equivalent has been standardised.
+ */
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc;
+#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
+
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc;
+#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
+
+OM_uint32 _gss_acquire_cred_ext
+ (OM_uint32 * /*minor_status*/,
+ const gss_name_t /*desired_name*/,
+ gss_const_OID /*credential_type*/,
+ const void * /*credential_data*/,
+ OM_uint32 /*time_req*/,
+ gss_const_OID /*desired_mech*/,
+ gss_cred_usage_t /*cred_usage*/,
+ gss_cred_id_t * /*output_cred_handle*/
+ );
+
#endif /* GSSAPI_MECH_H */
diff --git a/source4/heimdal/lib/gssapi/krb5/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c
index 65db343cad..d4555c5104 100644
--- a/source4/heimdal/lib/gssapi/krb5/8003.c
+++ b/source4/heimdal/lib/gssapi/krb5/8003.c
@@ -92,7 +92,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
_gsskrb5_encode_om_uint32 (b->acceptor_address.length, num);
EVP_DigestUpdate(ctx, num, sizeof(num));
if (b->acceptor_address.length)
- EVP_DigestUpdate(ctx,
+ EVP_DigestUpdate(ctx,
b->acceptor_address.value,
b->acceptor_address.length);
_gsskrb5_encode_om_uint32 (b->application_data.length, num);
diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index a5e9d054c4..5a00e124c2 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -36,12 +36,32 @@
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
+static krb5_error_code
+validate_keytab(krb5_context context, const char *name, krb5_keytab *id)
+{
+ krb5_error_code ret;
+
+ ret = krb5_kt_resolve(context, name, id);
+ if (ret)
+ return ret;
+
+ ret = krb5_kt_have_content(context, *id);
+ if (ret) {
+ krb5_kt_close(context, *id);
+ *id = NULL;
+ }
+
+ return ret;
+}
+
OM_uint32
-_gsskrb5_register_acceptor_identity (const char *identity)
+_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity)
{
krb5_context context;
krb5_error_code ret;
+ *min_stat = 0;
+
ret = _gsskrb5_init(&context);
if(ret)
return GSS_S_FAILURE;
@@ -55,19 +75,29 @@ _gsskrb5_register_acceptor_identity (const char *identity)
if (identity == NULL) {
ret = krb5_kt_default(context, &_gsskrb5_keytab);
} else {
- char *p = NULL;
-
- ret = asprintf(&p, "FILE:%s", identity);
- if(ret < 0 || p == NULL) {
- HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
- return GSS_S_FAILURE;
+ /*
+ * First check if we can the keytab as is and if it has content...
+ */
+ ret = validate_keytab(context, identity, &_gsskrb5_keytab);
+ /*
+ * if it doesn't, lets prepend FILE: and try again
+ */
+ if (ret) {
+ char *p = NULL;
+ ret = asprintf(&p, "FILE:%s", identity);
+ if(ret < 0 || p == NULL) {
+ HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
+ return GSS_S_FAILURE;
+ }
+ ret = validate_keytab(context, p, &_gsskrb5_keytab);
+ free(p);
}
- ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab);
- free(p);
}
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
- if(ret)
+ if(ret) {
+ *min_stat = ret;
return GSS_S_FAILURE;
+ }
return GSS_S_COMPLETE;
}
@@ -93,7 +123,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor)
if (key == NULL)
return;
-
+
switch (key->keytype) {
case ETYPE_DES_CBC_CRC:
case ETYPE_DES_CBC_MD4:
@@ -171,7 +201,7 @@ gsskrb5_accept_delegated_token
if (delegated_cred_handle) {
gsskrb5_cred handle;
-
+
ret = _gsskrb5_krb5_import_cred(minor_status,
ccache,
NULL,
@@ -541,10 +571,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if(ctx->flags & GSS_C_MUTUAL_FLAG) {
krb5_data outbuf;
int use_subkey = 0;
-
+
_gsskrb5i_is_cfx(context, ctx, 1);
is_cfx = (ctx->more_flags & IS_CFX);
-
+
if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) {
use_subkey = 1;
} else {
@@ -572,7 +602,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
KRB5_AUTH_CONTEXT_USE_SUBKEY,
NULL);
}
-
+
kret = krb5_mk_rep(context,
ctx->auth_context,
&outbuf);
@@ -580,7 +610,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
*minor_status = kret;
return GSS_S_FAILURE;
}
-
+
if (IS_DCE_STYLE(ctx)) {
output_token->length = outbuf.length;
output_token->value = outbuf.data;
@@ -659,7 +689,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
krb5_error_code kret;
krb5_data inbuf;
int32_t r_seq_number, l_seq_number;
-
+
/*
* We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP
*/
@@ -706,7 +736,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
{
krb5_ap_rep_enc_part *repl;
int32_t auth_flags;
-
+
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
@@ -735,7 +765,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
if (lifetime_rec == 0) {
return GSS_S_CONTEXT_EXPIRED;
}
-
+
if (time_rec) *time_rec = lifetime_rec;
}
@@ -793,7 +823,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
{
kret = krb5_auth_con_setremoteseqnumber(context,
ctx->auth_context,
- r_seq_number);
+ r_seq_number);
if (kret) {
*minor_status = kret;
return GSS_S_FAILURE;
diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
index d0042e874b..0f1f5f81cf 100644
--- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c
@@ -46,7 +46,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
memset(&in_cred, 0, sizeof(in_cred));
in_cred.client = principal;
-
+
realm = krb5_principal_get_realm(context, principal);
if (realm == NULL) {
_gsskrb5_clear_status ();
@@ -81,17 +81,18 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
static krb5_error_code
get_keytab(krb5_context context, krb5_keytab *keytab)
{
- char kt_name[256];
krb5_error_code kret;
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if (_gsskrb5_keytab != NULL) {
- kret = krb5_kt_get_name(context,
- _gsskrb5_keytab,
- kt_name, sizeof(kt_name));
- if (kret == 0)
- kret = krb5_kt_resolve(context, kt_name, keytab);
+ char *name = NULL;
+
+ kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name);
+ if (kret == 0) {
+ kret = krb5_kt_resolve(context, name, keytab);
+ krb5_xfree(name);
+ }
} else
kret = krb5_kt_default(context, keytab);
@@ -103,13 +104,13 @@ get_keytab(krb5_context context, krb5_keytab *keytab)
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
+ gss_const_OID credential_type,
+ const void *credential_data,
const gss_name_t desired_name,
OM_uint32 time_req,
- const gss_OID_set desired_mechs,
+ gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
- gsskrb5_cred handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
+ gsskrb5_cred handle
)
{
OM_uint32 ret;
@@ -132,6 +133,12 @@ static OM_uint32 acquire_initiator_cred
* errors while searching.
*/
+ if (credential_type != GSS_C_NO_OID &&
+ !gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+ kret = KRB5_NOCREDS_SUPPLIED; /* XXX */
+ goto end;
+ }
+
if (handle->principal) {
kret = krb5_cc_cache_match (context,
handle->principal,
@@ -174,14 +181,29 @@ static OM_uint32 acquire_initiator_cred
if (kret)
goto end;
}
- kret = get_keytab(context, &keytab);
- if (kret)
- goto end;
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
- kret = krb5_get_init_creds_keytab(context, &cred,
- handle->principal, keytab, 0, NULL, opt);
+ if (credential_type != GSS_C_NO_OID &&
+ gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+ gss_buffer_t password = (gss_buffer_t)credential_data;
+
+ /* XXX are we requiring password to be NUL terminated? */
+
+ kret = krb5_get_init_creds_password(context, &cred,
+ handle->principal,
+ password->value,
+ NULL, NULL, 0, NULL, opt);
+ } else {
+ kret = get_keytab(context, &keytab);
+ if (kret) {
+ krb5_get_init_creds_opt_free(context, opt);
+ goto end;
+ }
+ kret = krb5_get_init_creds_keytab(context, &cred,
+ handle->principal, keytab,
+ 0, NULL, opt);
+ }
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
@@ -233,19 +255,25 @@ end:
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
+ gss_const_OID credential_type,
+ const void *credential_data,
const gss_name_t desired_name,
OM_uint32 time_req,
- const gss_OID_set desired_mechs,
+ gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
- gsskrb5_cred handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
+ gsskrb5_cred handle
)
{
OM_uint32 ret;
krb5_error_code kret;
ret = GSS_S_FAILURE;
+
+ if (credential_type != GSS_C_NO_OID) {
+ kret = EINVAL;
+ goto end;
+ }
+
kret = get_keytab(context, &handle->keytab);
if (kret)
goto end;
@@ -299,23 +327,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
OM_uint32 * time_rec
)
{
- krb5_context context;
- gsskrb5_cred handle;
OM_uint32 ret;
- if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
- *minor_status = GSS_KRB5_S_G_BAD_USAGE;
- return GSS_S_FAILURE;
- }
-
- GSSAPI_KRB5_INIT(&context);
-
- *output_cred_handle = NULL;
- if (time_rec)
- *time_rec = 0;
- if (actual_mechs)
- *actual_mechs = GSS_C_NO_OID_SET;
-
if (desired_mechs) {
int present = 0;
@@ -329,6 +342,54 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
}
+ ret = _gsskrb5_acquire_cred_ext(minor_status,
+ desired_name,
+ GSS_C_NO_OID,
+ NULL,
+ time_req,
+ GSS_KRB5_MECHANISM,
+ cred_usage,
+ output_cred_handle);
+ if (ret)
+ return ret;
+
+
+ ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle,
+ NULL, time_rec, NULL, actual_mechs);
+ if (ret) {
+ OM_uint32 tmp;
+ _gsskrb5_release_cred(&tmp, output_cred_handle);
+ }
+
+ return ret;
+}
+
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
+(OM_uint32 * minor_status,
+ const gss_name_t desired_name,
+ gss_const_OID credential_type,
+ const void *credential_data,
+ OM_uint32 time_req,
+ gss_const_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t * output_cred_handle
+ )
+{
+ krb5_context context;
+ gsskrb5_cred handle;
+ OM_uint32 ret;
+
+ cred_usage &= GSS_C_OPTION_MASK;
+
+ if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
+ *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+ return GSS_S_FAILURE;
+ }
+
+ GSSAPI_KRB5_INIT(&context);
+
+ *output_cred_handle = NULL;
+
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
*minor_status = ENOMEM;
@@ -338,7 +399,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
if (desired_name != GSS_C_NO_NAME) {
-
ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
desired_name, &handle->principal);
if (ret) {
@@ -349,9 +409,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, context,
+ credential_type, credential_data,
desired_name, time_req,
- desired_mechs, cred_usage, handle,
- actual_mechs, time_rec);
+ desired_mech, cred_usage, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
@@ -361,8 +421,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, context,
+ credential_type, credential_data,
desired_name, time_req,
- desired_mechs, cred_usage, handle, actual_mechs, time_rec);
+ desired_mech, cred_usage, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
@@ -374,9 +435,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
if (ret == GSS_S_COMPLETE)
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
- NULL, time_rec, NULL, actual_mechs);
if (ret != GSS_S_COMPLETE) {
if (handle->mechanisms != NULL)
gss_release_oid_set(NULL, &handle->mechanisms);
@@ -385,17 +443,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
free(handle);
return (ret);
}
- *minor_status = 0;
- if (time_rec) {
- ret = _gsskrb5_lifetime_left(minor_status,
- context,
- handle->lifetime,
- time_rec);
-
- if (ret)
- return ret;
- }
handle->usage = cred_usage;
+ *minor_status = 0;
*output_cred_handle = (gss_cred_id_t)handle;
return (GSS_S_COMPLETE);
}
diff --git a/source4/heimdal/lib/gssapi/krb5/add_cred.c b/source4/heimdal/lib/gssapi/krb5/add_cred.c
index a326613edd..00cf55f62d 100644
--- a/source4/heimdal/lib/gssapi/krb5/add_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/add_cred.c
@@ -81,7 +81,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
return(GSS_S_FAILURE);
}
}
-
+
/* check that we have the same name */
if (dname != NULL &&
krb5_principal_compare(context, dname,
@@ -110,7 +110,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
handle->ccache = NULL;
handle->mechanisms = NULL;
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
-
+
ret = GSS_S_FAILURE;
kret = krb5_copy_principal(context, cred->principal,
@@ -123,23 +123,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
}
if (cred->keytab) {
- char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
- int len;
-
- ret = GSS_S_FAILURE;
+ char *name = NULL;
- kret = krb5_kt_get_type(context, cred->keytab,
- name, KRB5_KT_PREFIX_MAX_LEN);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- len = strlen(name);
- name[len++] = ':';
+ ret = GSS_S_FAILURE;
- kret = krb5_kt_get_name(context, cred->keytab,
- name + len,
- sizeof(name) - len);
+ kret = krb5_kt_get_full_name(context, cred->keytab, &name);
if (kret) {
*minor_status = kret;
goto failure;
@@ -147,6 +135,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
kret = krb5_kt_resolve(context, name,
&handle->keytab);
+ krb5_xfree(name);
if (kret){
*minor_status = kret;
goto failure;
@@ -166,7 +155,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
}
if (strcmp(type, "MEMORY") == 0) {
- ret = krb5_cc_new_unique(context, type,
+ ret = krb5_cc_new_unique(context, type,
NULL, &handle->ccache);
if (ret) {
*minor_status = ret;
@@ -186,20 +175,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
*minor_status = ENOMEM;
goto failure;
}
-
+
kret = asprintf(&type_name, "%s:%s", type, name);
if (kret < 0 || type_name == NULL) {
*minor_status = ENOMEM;
goto failure;
}
-
+
kret = krb5_cc_resolve(context, type_name,
&handle->ccache);
free(type_name);
if (kret) {
*minor_status = kret;
goto failure;
- }
+ }
}
}
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
diff --git a/source4/heimdal/lib/gssapi/krb5/aeap.c b/source4/heimdal/lib/gssapi/krb5/aeap.c
index 040cd3ee76..47913e4aec 100644
--- a/source4/heimdal/lib/gssapi/krb5/aeap.c
+++ b/source4/heimdal/lib/gssapi/krb5/aeap.c
@@ -69,11 +69,11 @@ _gk_unwrap_iov(OM_uint32 *minor_status,
krb5_context context;
GSSAPI_KRB5_INIT (&context);
-
+
if (ctx->more_flags & IS_CFX)
return _gssapi_unwrap_cfx_iov(minor_status, ctx, context,
conf_state, qop_state, iov, iov_count);
-
+
return GSS_S_FAILURE;
}
@@ -88,13 +88,13 @@ _gk_wrap_iov_length(OM_uint32 * minor_status,
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_context context;
-
+
GSSAPI_KRB5_INIT (&context);
-
+
if (ctx->more_flags & IS_CFX)
return _gssapi_wrap_iov_length_cfx(minor_status, ctx, context,
conf_req_flag, qop_req, conf_state,
iov, iov_count);
-
+
return GSS_S_FAILURE;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
index dc59e997bd..0264207e4a 100644
--- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
+++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
@@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
- char *type)
+ const char *type)
{
krb5_error_code ret;
uint32_t seq_number;
@@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
p = token_buffer->value;
omret = _gsskrb5_verify_header (&p,
token_buffer->length,
- (u_char *)type,
+ type,
GSS_KRB5_MECHANISM);
if (omret)
return omret;
@@ -309,7 +309,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
{
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0);
EVP_Cipher(&rc4_key, SND_SEQ, p, 8);
@@ -462,7 +462,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
if(conf_req_flag) {
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen);
@@ -481,7 +481,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
{
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
@@ -581,7 +581,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
{
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8);
@@ -629,7 +629,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
if(conf_flag) {
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8);
diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c
index 1189718adc..3c1536b60e 100755
--- a/source4/heimdal/lib/gssapi/krb5/cfx.c
+++ b/source4/heimdal/lib/gssapi/krb5/cfx.c
@@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
gss_iov_buffer_desc *header, *trailer, *padding;
size_t gsshsize, k5hsize;
size_t gsstsize, k5tsize;
- size_t i, rrc = 0, ec = 0;
+ size_t rrc = 0, ec = 0;
+ int i;
gss_cfx_wrap_token token;
krb5_error_code ret;
int32_t seq_number;
@@ -424,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
token->Flags = 0;
token->Filler = 0xFF;
+ if ((ctx->more_flags & LOCAL) == 0)
+ token->Flags |= CFXSentByAcceptor;
+
if (ctx->more_flags & ACCEPTOR_SUBKEY)
token->Flags |= CFXAcceptorSubkey;
@@ -565,7 +569,7 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
plain packet:
{data | "header" | gss-trailer (krb5 checksum)
-
+
don't do RRC != 0
*/
@@ -647,7 +651,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int
GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||
GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)
len += iov[i].buffer.length;
-
+
p = malloc(len);
if (p == NULL) {
*minor_status = ENOMEM;
@@ -666,7 +670,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int
q += iov[i].buffer.length;
}
}
- assert((q - p) == len);
+ assert((size_t)(q - p) == len);
/* unrotate first part */
q = p + rrc;
diff --git a/source4/heimdal/lib/gssapi/krb5/compat.c b/source4/heimdal/lib/gssapi/krb5/compat.c
index 221d219c69..3381dffa19 100644
--- a/source4/heimdal/lib/gssapi/krb5/compat.c
+++ b/source4/heimdal/lib/gssapi/krb5/compat.c
@@ -59,7 +59,7 @@ check_compat(OM_uint32 *minor_status,
*compat = match_val;
break;
}
-
+
krb5_free_principal(context, match);
match = NULL;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/context_time.c b/source4/heimdal/lib/gssapi/krb5/context_time.c
index 7b27906b5b..cb1550011c 100644
--- a/source4/heimdal/lib/gssapi/krb5/context_time.c
+++ b/source4/heimdal/lib/gssapi/krb5/context_time.c
@@ -88,6 +88,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_context_time
if (*time_rec == 0)
return GSS_S_CONTEXT_EXPIRED;
-
+
return GSS_S_COMPLETE;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
index 4e65fc1cf3..e332d29c84 100644
--- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
+++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c
@@ -100,7 +100,7 @@ _gsskrb5_krb5_import_cred(OM_uint32 *minor_status,
*minor_status = kret;
return GSS_S_FAILURE;
}
-
+
if (keytab_principal) {
krb5_boolean match;
diff --git a/source4/heimdal/lib/gssapi/krb5/creds.c b/source4/heimdal/lib/gssapi/krb5/creds.c
index d2c253e84b..fa45d19b98 100644
--- a/source4/heimdal/lib/gssapi/krb5/creds.c
+++ b/source4/heimdal/lib/gssapi/krb5/creds.c
@@ -47,7 +47,7 @@ _gsskrb5_export_cred(OM_uint32 *minor_status,
char *str;
GSSAPI_KRB5_INIT (&context);
-
+
if (handle->usage != GSS_C_INITIATE && handle->usage != GSS_C_BOTH) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
@@ -93,14 +93,14 @@ _gsskrb5_export_cred(OM_uint32 *minor_status,
*minor_status = ret;
return GSS_S_FAILURE;
}
-
+
ret = krb5_cc_get_full_name(context, handle->ccache, &str);
if (ret) {
krb5_storage_free(sp);
*minor_status = ret;
return GSS_S_FAILURE;
}
-
+
ret = krb5_store_string(sp, str);
free(str);
if (ret) {
@@ -222,7 +222,7 @@ _gsskrb5_import_cred(OM_uint32 * minor_status,
*minor_status = ret;
return GSS_S_FAILURE;
}
-
+
ret = krb5_cc_resolve(context, str, &id);
krb5_xfree(str);
if (ret) {
diff --git a/source4/heimdal/lib/gssapi/krb5/encapsulate.c b/source4/heimdal/lib/gssapi/krb5/encapsulate.c
index 79cd9232e1..fe5dac7c60 100644
--- a/source4/heimdal/lib/gssapi/krb5/encapsulate.c
+++ b/source4/heimdal/lib/gssapi/krb5/encapsulate.c
@@ -114,7 +114,7 @@ _gssapi_encapsulate(
if (output_token->value == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
- }
+ }
p = _gssapi_make_mech_header (output_token->value, len, mech);
memcpy (p, in_data->data, in_data->length);
@@ -145,7 +145,7 @@ _gsskrb5_encapsulate(
if (output_token->value == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
- }
+ }
p = _gsskrb5_make_header (output_token->value, len, type, mech);
memcpy (p, in_data->data, in_data->length);
diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c
index d6f14a48f7..26ede2487d 100644
--- a/source4/heimdal/lib/gssapi/krb5/external.c
+++ b/source4/heimdal/lib/gssapi/krb5/external.c
@@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = {
GSS_C_MA_SASL_MECH_NAME,
GSS_MO_MA,
"SASL mech name",
- "GS2-KRB5",
+ rk_UNCONST("GS2-KRB5"),
_gss_mo_get_ctx_as_string,
NULL
},
@@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = {
GSS_C_MA_MECH_NAME,
GSS_MO_MA,
"Mechanism name",
- "KRB5",
+ rk_UNCONST("KRB5"),
_gss_mo_get_ctx_as_string,
NULL
},
@@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = {
GSS_C_MA_MECH_DESCRIPTION,
GSS_MO_MA,
"Mechanism description",
- "Heimdal Kerberos 5 mech",
+ rk_UNCONST("Heimdal Kerberos 5 mech"),
_gss_mo_get_ctx_as_string,
NULL
},
@@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = {
static gssapi_mech_interface_desc krb5_mech = {
GMI_VERSION,
"kerberos 5",
- {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
+ {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
0,
_gsskrb5_acquire_cred,
_gsskrb5_release_cred,
@@ -315,7 +315,7 @@ static gssapi_mech_interface_desc krb5_mech = {
_gsskrb5_store_cred,
_gsskrb5_export_cred,
_gsskrb5_import_cred,
- NULL,
+ _gsskrb5_acquire_cred_ext,
NULL,
NULL,
NULL,
@@ -323,7 +323,16 @@ static gssapi_mech_interface_desc krb5_mech = {
NULL,
NULL,
krb5_mo,
- sizeof(krb5_mo) / sizeof(krb5_mo[0])
+ sizeof(krb5_mo) / sizeof(krb5_mo[0]),
+ _gsskrb5_pname_to_uid,
+ _gsskrb5_authorize_localname,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL
};
gssapi_mech_interface
diff --git a/source4/heimdal/lib/gssapi/krb5/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c
index 2a071a305e..5fe512672f 100644
--- a/source4/heimdal/lib/gssapi/krb5/import_name.c
+++ b/source4/heimdal/lib/gssapi/krb5/import_name.c
@@ -107,9 +107,9 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
return GSS_S_BAD_NAME;
else if (p->name.name_string.len > 1)
hostname = p->name.name_string.val[1];
-
+
service = p->name.name_string.val[0];
-
+
ret = krb5_sname_to_principal(context,
hostname,
service,
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index 53855ca045..5f8b01b727 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -41,7 +41,7 @@
static OM_uint32
set_addresses (krb5_context context,
krb5_auth_context ac,
- const gss_channel_bindings_t input_chan_bindings)
+ const gss_channel_bindings_t input_chan_bindings)
{
/* Port numbers are expected to be in application_data.value,
* initator's port first */
@@ -422,11 +422,6 @@ init_auth
goto failure;
}
- ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
- if (ret)
- goto failure;
-
-
/*
* This is hideous glue for (NFS) clients that wants to limit the
* available enctypes to what it can support (encryption in
@@ -458,17 +453,21 @@ init_auth
* DNS canonicalizion.
*/
ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
- ctx, name, 0, time_req,
+ ctx, name, 0, time_req,
time_rec);
if (ret && allow_dns)
ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
- ctx, name, 1, time_req,
+ ctx, name, 1, time_req,
time_rec);
if (ret)
goto failure;
ctx->lifetime = ctx->kcred->times.endtime;
+ ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
+ if (ret)
+ goto failure;
+
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
@@ -530,7 +529,7 @@ init_auth_restart
Checksum cksum;
krb5_enctype enctype;
krb5_data fwd_data, timedata;
- int32_t offset = 0, oldoffset;
+ int32_t offset = 0, oldoffset = 0;
uint32_t flagmask;
krb5_data_zero(&outbuf);
@@ -544,7 +543,7 @@ init_auth_restart
*/
if (!ctx->kcred->flags.b.ok_as_delegate) {
krb5_data data;
-
+
ret = krb5_cc_get_config(context, ctx->ccache, NULL,
"realm-config", &data);
if (ret == 0) {
@@ -676,7 +675,8 @@ init_auth_restart
output_token->length = outbuf.length;
} else {
ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
- (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
+ (u_char *)(intptr_t)"\x01\x00",
+ GSS_KRB5_MECHANISM);
krb5_data_free (&outbuf);
if (ret)
goto failure;
@@ -848,9 +848,9 @@ repl_mutual
*minor_status = kret;
return GSS_S_FAILURE;
}
-
+
/* reset local seq number */
- krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
+ krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
output_token->length = outbuf.length;
output_token->value = outbuf.data;
@@ -911,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
return GSS_S_BAD_MECH;
if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
- OM_uint32 ret;
+ OM_uint32 ret1;
if (*context_handle != GSS_C_NO_CONTEXT) {
*minor_status = 0;
return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
}
- ret = _gsskrb5_create_ctx(minor_status,
+ ret1 = _gsskrb5_create_ctx(minor_status,
context_handle,
context,
input_chan_bindings,
INITIATOR_START);
- if (ret)
- return ret;
+ if (ret1)
+ return ret1;
}
if (*context_handle == GSS_C_NO_CONTEXT) {
@@ -953,7 +953,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
ret_flags,
time_rec);
if (ret != GSS_S_COMPLETE)
- break;
+ break;
/* FALL THOUGH */
case INITIATOR_RESTART:
ret = init_auth_restart(minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c
index d3798623ff..f88199692c 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c
@@ -95,12 +95,12 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred
if (output_name != NULL) {
if (icred && icred->principal != NULL) {
gss_name_t name;
-
+
if (acred && acred->principal)
name = (gss_name_t)acred->principal;
else
name = (gss_name_t)icred->principal;
-
+
ret = _gsskrb5_duplicate_name(minor_status, name, output_name);
if (ret)
goto out;
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
index dc02b99851..65bd49c971 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
@@ -72,6 +72,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_names_for_mech (
if (ret != GSS_S_COMPLETE)
gss_release_oid_set(NULL, name_types);
-
+
return GSS_S_COMPLETE;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
index 14816e7a05..b57217a4e8 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
@@ -159,10 +159,10 @@ static OM_uint32 inquire_sec_context_get_subkey
{
gss_buffer_desc value;
-
+
value.length = data.length;
value.value = data.data;
-
+
maj_stat = gss_add_buffer_set_member(minor_status,
&value,
data_set);
@@ -179,6 +179,46 @@ out:
return maj_stat;
}
+static OM_uint32 inquire_sec_context_get_sspi_session_key
+ (OM_uint32 *minor_status,
+ const gsskrb5_ctx context_handle,
+ krb5_context context,
+ gss_buffer_set_t *data_set)
+{
+ krb5_keyblock *key;
+ OM_uint32 maj_stat = GSS_S_COMPLETE;
+ krb5_error_code ret;
+ gss_buffer_desc value;
+
+ HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+ ret = _gsskrb5i_get_token_key(context_handle, context, &key);
+ HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+ if (ret)
+ goto out;
+ if (key == NULL) {
+ ret = EINVAL;
+ goto out;
+ }
+
+ value.length = key->keyvalue.length;
+ value.value = key->keyvalue.data;
+
+ maj_stat = gss_add_buffer_set_member(minor_status,
+ &value,
+ data_set);
+ krb5_free_keyblock(context, key);
+
+ /* MIT also returns the enctype encoded as an OID in data_set[1] */
+
+out:
+ if (ret) {
+ *minor_status = ret;
+ maj_stat = GSS_S_FAILURE;
+ }
+ return maj_stat;
+}
+
static OM_uint32 inquire_sec_context_authz_data
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
@@ -464,10 +504,10 @@ get_service_keyblock
{
gss_buffer_desc value;
-
+
value.length = data.length;
value.value = data.data;
-
+
maj_stat = gss_add_buffer_set_member(minor_status,
&value,
data_set);
@@ -530,6 +570,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid
context,
ACCEPTOR_KEY,
data_set);
+ } else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) {
+ return inquire_sec_context_get_sspi_session_key(minor_status,
+ ctx,
+ context,
+ data_set);
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
return get_authtime(minor_status, ctx, data_set);
} else if (oid_prefix_equal(desired_object,
diff --git a/source4/heimdal/lib/gssapi/krb5/prf.c b/source4/heimdal/lib/gssapi/krb5/prf.c
index 323b4cc722..162a309709 100644
--- a/source4/heimdal/lib/gssapi/krb5/prf.c
+++ b/source4/heimdal/lib/gssapi/krb5/prf.c
@@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
krb5_crypto crypto;
krb5_data input, output;
uint32_t num;
+ OM_uint32 junk;
unsigned char *p;
krb5_keyblock *key = NULL;
+ size_t dol;
if (ctx == NULL) {
*minor_status = 0;
return GSS_S_NO_CONTEXT;
}
- if (desired_output_len <= 0) {
+ if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) {
*minor_status = 0;
return GSS_S_FAILURE;
}
+ dol = desired_output_len;
GSSAPI_KRB5_INIT (&context);
@@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
- prf_out->value = malloc(desired_output_len);
+ prf_out->value = malloc(dol);
if (prf_out->value == NULL) {
_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
- prf_out->length = desired_output_len;
+ prf_out->length = dol;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
input.length = prf_in->length + 4;
input.data = malloc(prf_in->length + 4);
if (input.data == NULL) {
- OM_uint32 junk;
_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
gss_release_buffer(&junk, prf_out);
@@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
- memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length);
+ memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length);
num = 0;
p = prf_out->value;
- while(desired_output_len > 0) {
+ while(dol > 0) {
+ size_t tsize;
+
_gsskrb5_encode_om_uint32(num, input.data);
+
ret = krb5_crypto_prf(context, crypto, &input, &output);
if (ret) {
- OM_uint32 junk;
*minor_status = ret;
free(input.data);
gss_release_buffer(&junk, prf_out);
@@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
- memcpy(p, output.data, min(desired_output_len, output.length));
+
+ tsize = min(dol, output.length);
+ memcpy(p, output.data, tsize);
p += output.length;
- desired_output_len -= output.length;
+ dol -= tsize;
krb5_data_free(&output);
num++;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/process_context_token.c b/source4/heimdal/lib/gssapi/krb5/process_context_token.c
index 4feda0de04..0cc1c07cfb 100644
--- a/source4/heimdal/lib/gssapi/krb5/process_context_token.c
+++ b/source4/heimdal/lib/gssapi/krb5/process_context_token.c
@@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token (
(gsskrb5_ctx)context_handle,
context,
token_buffer, &empty_buffer,
- GSS_C_QOP_DEFAULT, "\x01\x02");
+ GSS_C_QOP_DEFAULT,
+ "\x01\x02");
if (ret == GSS_S_COMPLETE)
ret = _gsskrb5_delete_sec_context(minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/sequence.c b/source4/heimdal/lib/gssapi/krb5/sequence.c
index fbbc5b6c70..2e0e7b20f9 100644
--- a/source4/heimdal/lib/gssapi/krb5/sequence.c
+++ b/source4/heimdal/lib/gssapi/krb5/sequence.c
@@ -64,7 +64,7 @@ msg_order_alloc(OM_uint32 *minor_status,
if (*o == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
- }
+ }
*minor_status = 0;
return GSS_S_COMPLETE;
@@ -141,7 +141,7 @@ OM_uint32
_gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
{
OM_uint32 r;
- int i;
+ size_t i;
if (o == NULL)
return GSS_S_COMPLETE;
diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
index 5ff6172fb9..bd38716751 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c
@@ -209,7 +209,7 @@ no_ci_flags(OM_uint32 *minor_status,
cred = (gsskrb5_cred)*cred_handle;
cred->cred_flags |= GSS_CF_NO_CI_FLAGS;
-
+
*minor_status = 0;
return GSS_S_COMPLETE;
@@ -241,7 +241,7 @@ _gsskrb5_set_cred_option
if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) {
return no_ci_flags(minor_status, context, cred_handle, value);
}
-
+
*minor_status = EINVAL;
return GSS_S_FAILURE;
diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
index 237af1a52c..141ff722fb 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
@@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
- _gsskrb5_register_acceptor_identity(str);
+ maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
free(str);
- *minor_status = 0;
- return GSS_S_COMPLETE;
+ return maj_stat;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
char *str;
@@ -222,7 +221,7 @@ _gsskrb5_set_sec_context_option
return maj_stat;
t = time(NULL) + offset;
-
+
krb5_set_real_time(context, t, 0);
*minor_status = 0;
diff --git a/source4/heimdal/lib/gssapi/krb5/store_cred.c b/source4/heimdal/lib/gssapi/krb5/store_cred.c
index 21f9f6e8ab..a3aa2fb83e 100644
--- a/source4/heimdal/lib/gssapi/krb5/store_cred.c
+++ b/source4/heimdal/lib/gssapi/krb5/store_cred.c
@@ -103,7 +103,7 @@ _gsskrb5_store_cred(OM_uint32 *minor_status,
*minor_status = ret;
return(GSS_S_FAILURE);
}
-
+
if (default_cred)
krb5_cc_switch(context, id);
diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
index 7620d691bd..d6bc204777 100644
--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
@@ -54,7 +54,7 @@ unwrap_des
DES_key_schedule schedule;
DES_cblock deskey;
DES_cblock zero;
- int i;
+ size_t i;
uint32_t seq_number;
size_t padlength;
OM_uint32 ret;
@@ -98,6 +98,7 @@ unwrap_des
if(cstate) {
/* decrypt data */
memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+ memset (&zero, 0, sizeof(zero));
for (i = 0; i < sizeof(deskey); ++i)
deskey[i] ^= 0xf0;
diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c
index 9a5445698b..3123787ff4 100644
--- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c
+++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c
@@ -44,7 +44,7 @@ verify_mic_des
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
- char *type
+ const char *type
)
{
u_char *p;
@@ -142,7 +142,7 @@ verify_mic_des3
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
- char *type
+ const char *type
)
{
u_char *p;
@@ -276,7 +276,7 @@ _gsskrb5_verify_mic_internal
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
- char * type
+ const char * type
)
{
krb5_keyblock *key;
@@ -348,7 +348,7 @@ _gsskrb5_verify_mic
(gsskrb5_ctx)context_handle,
context,
message_buffer, token_buffer,
- qop_state, "\x01\x01");
+ qop_state, (void *)(intptr_t)"\x01\x01");
return ret;
}
diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c
index 54f92df609..efd0d82c49 100644
--- a/source4/heimdal/lib/gssapi/krb5/wrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/wrap.c
@@ -214,7 +214,7 @@ wrap_des
EVP_CIPHER_CTX des_ctx;
DES_cblock deskey;
DES_cblock zero;
- int i;
+ size_t i;
int32_t seq_number;
size_t len, total_len, padlength, datalen;
diff --git a/source4/heimdal/lib/gssapi/mech/cred.h b/source4/heimdal/lib/gssapi/mech/cred.h
index adffe6893e..5661b53239 100644
--- a/source4/heimdal/lib/gssapi/mech/cred.h
+++ b/source4/heimdal/lib/gssapi/mech/cred.h
@@ -39,3 +39,19 @@ struct _gss_cred {
struct _gss_mechanism_cred_list gc_mc;
};
+struct _gss_mechanism_cred *
+_gss_copy_cred(struct _gss_mechanism_cred *mc);
+
+struct _gss_mechanism_name;
+
+OM_uint32
+_gss_acquire_mech_cred(OM_uint32 *minor_status,
+ gssapi_mech_interface m,
+ const struct _gss_mechanism_name *mn,
+ gss_const_OID credential_type,
+ const void *credential_data,
+ OM_uint32 time_req,
+ gss_const_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ struct _gss_mechanism_cred **output_cred_handle);
+
diff --git a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
index 92d7e7f05d..bf7ea03f72 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
@@ -34,17 +34,17 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
unsigned char *p = input_token->value;
size_t len = input_token->length;
size_t a, b;
-
+
/*
* Token must start with [APPLICATION 0] SEQUENCE.
* But if it doesn't assume it is DCE-STYLE Kerberos!
*/
if (len == 0)
return (GSS_S_DEFECTIVE_TOKEN);
-
+
p++;
len--;
-
+
/*
* Decode the length and make sure it agrees with the
* token length.
@@ -71,7 +71,7 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
}
if (a != len)
return (GSS_S_DEFECTIVE_TOKEN);
-
+
/*
* Decode the OID for the mechanism. Simplify life by
* assuming that the OID length is less than 128 bytes.
@@ -84,9 +84,9 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
p += 2;
len -= 2;
mech_oid->elements = p;
-
+
return GSS_S_COMPLETE;
-}
+}
static gss_OID_desc krb5_mechanism =
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
@@ -221,7 +221,7 @@ gss_accept_sec_context(OM_uint32 *minor_status,
acceptor_mc = GSS_C_NO_CREDENTIAL;
}
delegated_mc = GSS_C_NO_CREDENTIAL;
-
+
mech_ret_flags = 0;
major_status = m->gm_accept_sec_context(minor_status,
&ctx->gc_ctx,
@@ -267,7 +267,7 @@ gss_accept_sec_context(OM_uint32 *minor_status,
mech_ret_flags &=
~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
} else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) {
- /*
+ /*
* If the returned mech_type is not the same
* as the mech, assume its pseudo mech type
* and the returned type is already a
diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
index c9900148c2..ade65df8ec 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
@@ -46,7 +46,7 @@ gss_acquire_cred(OM_uint32 *minor_status,
struct _gss_cred *cred;
struct _gss_mechanism_cred *mc;
OM_uint32 min_time, cred_time;
- int i;
+ size_t i;
*minor_status = 0;
if (output_cred_handle == NULL)
diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c
index 19deea5b06..a998bc60ff 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c
@@ -28,7 +28,7 @@
#include "mech_locl.h"
-static struct _gss_mechanism_cred *
+struct _gss_mechanism_cred *
_gss_copy_cred(struct _gss_mechanism_cred *mc)
{
struct _gss_mechanism_cred *new_mc;
diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c
index 191a4a305c..a23270511e 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c
@@ -47,7 +47,7 @@
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
diff --git a/source4/heimdal/lib/gssapi/mech/gss_aeap.c b/source4/heimdal/lib/gssapi/mech/gss_aeap.c
index 141b6ae5ac..3008c0d344 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_aeap.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_aeap.c
@@ -1,6 +1,6 @@
/*
* AEAD support
- */
+ */
#include "mech_locl.h"
@@ -90,7 +90,7 @@ gss_unwrap_iov(OM_uint32 *minor_status,
int iov_count)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
- gssapi_mech_interface m;
+ gssapi_mech_interface m;
if (minor_status)
*minor_status = 0;
@@ -168,7 +168,7 @@ gss_release_iov_buffer(OM_uint32 *minor_status,
int iov_count)
{
OM_uint32 junk;
- size_t i;
+ int i;
if (minor_status)
*minor_status = 0;
diff --git a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c
index 3099b163b5..48fb720ad0 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c
@@ -100,7 +100,7 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_release_buffer_set(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set)
{
- int i;
+ size_t i;
OM_uint32 minor;
*minor_status = 0;
diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
index e87931dc78..bd8ff52120 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
@@ -48,7 +48,7 @@
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
diff --git a/source4/heimdal/lib/gssapi/mech/gss_cred.c b/source4/heimdal/lib/gssapi/mech/gss_cred.c
index b8fa11185a..99de68776e 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_cred.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_cred.c
@@ -85,7 +85,7 @@ gss_export_cred(OM_uint32 * minor_status,
}
ret = krb5_storage_write(sp, buffer.value, buffer.length);
- if (ret != buffer.length) {
+ if (ret < 0 || (size_t)ret != buffer.length) {
gss_release_buffer(minor_status, &buffer);
krb5_storage_free(sp);
*minor_status = EINVAL;
@@ -183,7 +183,7 @@ gss_import_cred(OM_uint32 * minor_status,
buffer.value = data.data;
buffer.length = data.length;
- major = m->gm_import_cred(minor_status,
+ major = m->gm_import_cred(minor_status,
&buffer, &mcred);
krb5_data_free(&data);
if (major) {
diff --git a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c
index 0fe3b4f5a5..3f2974e8ca 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c
@@ -34,8 +34,8 @@
#include "mech_locl.h"
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_decapsulate_token(const gss_buffer_t input_token,
- const gss_OID oid,
+gss_decapsulate_token(gss_const_buffer_t input_token,
+ gss_const_OID oid,
gss_buffer_t output_token)
{
GSSAPIContextToken ct;
@@ -55,7 +55,7 @@ gss_decapsulate_token(const gss_buffer_t input_token,
if (ret) {
der_free_oid(&o);
return GSS_S_FAILURE;
- }
+ }
if (der_heim_oid_cmp(&ct.thisMech, &o) == 0) {
status = GSS_S_COMPLETE;
diff --git a/source4/heimdal/lib/gssapi/mech/gss_display_status.c b/source4/heimdal/lib/gssapi/mech/gss_display_status.c
index d6aaf98827..1e508caa9b 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_display_status.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_display_status.c
@@ -190,7 +190,7 @@ gss_display_status(OM_uint32 *minor_status,
oid.value = rk_UNCONST("unknown");
oid.length = 7;
}
-
+
e = asprintf (&buf, "unknown mech-code %lu for mech %.*s",
(unsigned long)status_value,
(int)oid.length, (char *)oid.value);
diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
index 053825bbc3..a76c87cb85 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
@@ -52,7 +52,7 @@ gss_duplicate_name(OM_uint32 *minor_status,
if (major_status != GSS_S_COMPLETE)
return (major_status);
new_name = (struct _gss_name *) *dest_name;
-
+
HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
struct _gss_mechanism_name *mn2;
_gss_find_mn(minor_status, new_name,
@@ -67,10 +67,10 @@ gss_duplicate_name(OM_uint32 *minor_status,
memset(new_name, 0, sizeof(struct _gss_name));
HEIM_SLIST_INIT(&new_name->gn_mn);
*dest_name = (gss_name_t) new_name;
-
+
HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
struct _gss_mechanism_name *new_mn;
-
+
new_mn = malloc(sizeof(*new_mn));
if (!new_mn) {
*minor_status = ENOMEM;
@@ -78,7 +78,7 @@ gss_duplicate_name(OM_uint32 *minor_status,
}
new_mn->gmn_mech = mn->gmn_mech;
new_mn->gmn_mech_oid = mn->gmn_mech_oid;
-
+
major_status =
mn->gmn_mech->gm_duplicate_name(minor_status,
mn->gmn_name, &new_mn->gmn_name);
diff --git a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c
index fc0ec736bb..1b1f973eaa 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c
@@ -34,8 +34,8 @@
#include "mech_locl.h"
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_encapsulate_token(const gss_buffer_t input_token,
- const gss_OID oid,
+gss_encapsulate_token(gss_const_buffer_t input_token,
+ gss_const_OID oid,
gss_buffer_t output_token)
{
GSSAPIContextToken ct;
@@ -58,7 +58,7 @@ gss_encapsulate_token(const gss_buffer_t input_token,
if (ret) {
_mg_buffer_zero(output_token);
return GSS_S_FAILURE;
- }
+ }
if (output_token->length != size)
abort();
diff --git a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c
index babc8ebdf4..369f3a2257 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c
@@ -42,7 +42,7 @@ gss_export_sec_context(OM_uint32 *minor_status,
major_status = m->gm_export_sec_context(minor_status,
&ctx->gc_ctx, &buf);
-
+
if (major_status == GSS_S_COMPLETE) {
unsigned char *p;
diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_name.c b/source4/heimdal/lib/gssapi/mech/gss_import_name.c
index 574c058fc2..d1b3dc95b4 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_import_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_import_name.c
@@ -41,6 +41,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
gssapi_mech_interface m;
struct _gss_name *name;
gss_name_t new_canonical_name;
+ int composite = 0;
*minor_status = 0;
*output_name = 0;
@@ -50,8 +51,17 @@ _gss_import_export_name(OM_uint32 *minor_status,
*/
if (len < 2)
return (GSS_S_BAD_NAME);
- if (p[0] != 4 || p[1] != 1)
+ if (p[0] != 4)
return (GSS_S_BAD_NAME);
+ switch (p[1]) {
+ case 1: /* non-composite name */
+ break;
+ case 2: /* composite name */
+ composite = 1;
+ break;
+ default:
+ return (GSS_S_BAD_NAME);
+ }
p += 2;
len -= 2;
@@ -106,7 +116,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
p += 4;
len -= 4;
- if (len != t)
+ if (!composite && len != t)
return (GSS_S_BAD_NAME);
m = __gss_get_mechanism(&mech_oid);
@@ -159,7 +169,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
@@ -231,7 +241,7 @@ gss_import_name(OM_uint32 *minor_status,
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
int present = 0;
- major_status = gss_test_oid_set_member(minor_status,
+ major_status = gss_test_oid_set_member(minor_status,
name_type, m->gm_name_types, &present);
if (major_status || present == 0)
diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c
index 2a376fefea..9865db78d4 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c
@@ -58,7 +58,7 @@ gss_import_sec_context(OM_uint32 *minor_status,
mech_oid.elements = p + 2;
buf.length = len - 2 - mech_oid.length;
buf.value = p + 2 + mech_oid.length;
-
+
m = __gss_get_mechanism(&mech_oid);
if (!m)
return (GSS_S_DEFECTIVE_TOKEN);
diff --git a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c
index 59a1dcf22b..8fd53d956d 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c
@@ -35,14 +35,14 @@ gss_indicate_mechs(OM_uint32 *minor_status,
struct _gss_mech_switch *m;
OM_uint32 major_status;
gss_OID_set set;
- int i;
+ size_t i;
_gss_load_mech();
major_status = gss_create_empty_oid_set(minor_status, mech_set);
if (major_status)
return (major_status);
-
+
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (m->gm_mech.gm_indicate_mechs) {
major_status = m->gm_mech.gm_indicate_mechs(
diff --git a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
index cf111ecbae..af0170a50a 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
@@ -99,7 +99,7 @@ _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c
index 0658267b2f..2568075988 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c
@@ -37,7 +37,7 @@ gss_inquire_context(OM_uint32 *minor_status,
gss_OID *mech_type,
OM_uint32 *ctx_flags,
int *locally_initiated,
- int *open)
+ int *xopen)
{
OM_uint32 major_status;
struct _gss_context *ctx = (struct _gss_context *) context_handle;
@@ -47,8 +47,8 @@ gss_inquire_context(OM_uint32 *minor_status,
if (locally_initiated)
*locally_initiated = 0;
- if (open)
- *open = 0;
+ if (xopen)
+ *xopen = 0;
if (lifetime_rec)
*lifetime_rec = 0;
@@ -68,7 +68,7 @@ gss_inquire_context(OM_uint32 *minor_status,
mech_type,
ctx_flags,
locally_initiated,
- open);
+ xopen);
if (major_status != GSS_S_COMPLETE) {
_gss_mg_error(m, major_status, *minor_status);
diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c
index 900370a5db..e674dd48f3 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c
@@ -52,7 +52,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status,
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET;
- int i;
+ size_t i;
m = mc->gmc_mech;
if (m == NULL) {
diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
index 594b41ef8e..fe88a384b5 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
@@ -188,7 +188,7 @@ out:
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gsskrb5_register_acceptor_identity(const char *identity)
{
- struct _gss_mech_switch *m;
+ gssapi_mech_interface m;
gss_buffer_desc buffer;
OM_uint32 junk;
@@ -197,14 +197,12 @@ gsskrb5_register_acceptor_identity(const char *identity)
buffer.value = rk_UNCONST(identity);
buffer.length = strlen(identity);
- HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
- if (m->gm_mech.gm_set_sec_context_option == NULL)
- continue;
- m->gm_mech.gm_set_sec_context_option(&junk, NULL,
- GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
- }
+ m = __gss_get_mechanism(GSS_KRB5_MECHANISM);
+ if (m == NULL || m->gm_set_sec_context_option == NULL)
+ return GSS_S_FAILURE;
- return (GSS_S_COMPLETE);
+ return m->gm_set_sec_context_option(&junk, NULL,
+ GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
}
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
@@ -441,7 +439,7 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
gss_buffer_desc buffer;
krb5_storage *sp;
krb5_data data;
- int i;
+ size_t i;
sp = krb5_storage_emem();
if (sp == NULL) {
diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
index f7f75c13f9..55e01094ff 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
@@ -62,7 +62,7 @@ _gss_string_to_oid(const char* s, gss_OID oid)
if (q) q = q + 1;
number_count++;
}
-
+
/*
* The first two numbers are in the first byte and each
* subsequent number is encoded in a variable byte sequence.
@@ -126,7 +126,7 @@ _gss_string_to_oid(const char* s, gss_OID oid)
while (bytes) {
if (res) {
int bit = 7*(bytes-1);
-
+
*res = (number >> bit) & 0x7f;
if (bytes != 1)
*res |= 0x80;
@@ -152,7 +152,8 @@ _gss_string_to_oid(const char* s, gss_OID oid)
#define SYM(name) \
do { \
m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \
- if (!m->gm_mech.gm_ ## name) { \
+ if (!m->gm_mech.gm_ ## name || \
+ m->gm_mech.gm_ ##name == gss_ ## name) { \
fprintf(stderr, "can't find symbol gss_" #name "\n"); \
goto bad; \
} \
@@ -160,7 +161,28 @@ do { \
#define OPTSYM(name) \
do { \
- m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \
+ m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \
+ if (m->gm_mech.gm_ ## name == gss_ ## name) \
+ m->gm_mech.gm_ ## name = NULL; \
+} while (0)
+
+#define OPTSPISYM(name) \
+do { \
+ m->gm_mech.gm_ ## name = dlsym(so, "gssspi_" #name); \
+} while (0)
+
+#define COMPATSYM(name) \
+do { \
+ m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gss_" #name); \
+ if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \
+ m->gm_mech.gm_compat->gmc_ ## name = NULL; \
+} while (0)
+
+#define COMPATSPISYM(name) \
+do { \
+ m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gssspi_" #name);\
+ if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \
+ m->gm_mech.gm_compat->gmc_ ## name = NULL; \
} while (0)
/*
@@ -283,28 +305,26 @@ _gss_load_mech(void)
#endif
so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP);
- if (!so) {
+ if (so == NULL) {
/* fprintf(stderr, "dlopen: %s\n", dlerror()); */
- free(mech_oid.elements);
- continue;
+ goto bad;
}
- m = malloc(sizeof(*m));
- if (!m) {
- free(mech_oid.elements);
- break;
- }
+ m = calloc(1, sizeof(*m));
+ if (m == NULL)
+ goto bad;
+
m->gm_so = so;
m->gm_mech.gm_mech_oid = mech_oid;
m->gm_mech.gm_flags = 0;
-
+ m->gm_mech.gm_compat = calloc(1, sizeof(struct gss_mech_compat_desc_struct));
+ if (m->gm_mech.gm_compat == NULL)
+ goto bad;
+
major_status = gss_add_oid_set_member(&minor_status,
&m->gm_mech.gm_mech_oid, &_gss_mech_oids);
- if (major_status) {
- free(m->gm_mech.gm_mech_oid.elements);
- free(m);
- continue;
- }
+ if (GSS_ERROR(major_status))
+ goto bad;
SYM(acquire_cred);
SYM(release_cred);
@@ -338,34 +358,64 @@ _gss_load_mech(void)
OPTSYM(inquire_cred_by_oid);
OPTSYM(inquire_sec_context_by_oid);
OPTSYM(set_sec_context_option);
- OPTSYM(set_cred_option);
+ OPTSPISYM(set_cred_option);
OPTSYM(pseudo_random);
OPTSYM(wrap_iov);
OPTSYM(unwrap_iov);
OPTSYM(wrap_iov_length);
+ OPTSYM(store_cred);
+ OPTSYM(export_cred);
+ OPTSYM(import_cred);
+#if 0
+ OPTSYM(acquire_cred_ext);
+ OPTSYM(iter_creds);
+ OPTSYM(destroy_cred);
+ OPTSYM(cred_hold);
+ OPTSYM(cred_unhold);
+ OPTSYM(cred_label_get);
+ OPTSYM(cred_label_set);
+#endif
OPTSYM(display_name_ext);
OPTSYM(inquire_name);
OPTSYM(get_name_attribute);
OPTSYM(set_name_attribute);
OPTSYM(delete_name_attribute);
OPTSYM(export_name_composite);
+ OPTSYM(pname_to_uid);
+ OPTSPISYM(authorize_localname);
mi = dlsym(so, "gss_mo_init");
if (mi != NULL) {
- major_status = mi(&minor_status,
- &mech_oid,
- &m->gm_mech.gm_mo,
- &m->gm_mech.gm_mo_num);
+ major_status = mi(&minor_status, &mech_oid,
+ &m->gm_mech.gm_mo, &m->gm_mech.gm_mo_num);
if (GSS_ERROR(major_status))
goto bad;
+ } else {
+ /* API-as-SPI compatibility */
+ COMPATSYM(inquire_saslname_for_mech);
+ COMPATSYM(inquire_mech_for_saslname);
+ COMPATSYM(inquire_attrs_for_mech);
+ COMPATSPISYM(acquire_cred_with_password);
}
+ /* pick up the oid sets of names */
+
+ if (m->gm_mech.gm_inquire_names_for_mech)
+ (*m->gm_mech.gm_inquire_names_for_mech)(&minor_status,
+ &m->gm_mech.gm_mech_oid, &m->gm_name_types);
+
+ if (m->gm_name_types == NULL)
+ gss_create_empty_oid_set(&minor_status, &m->gm_name_types);
+
HEIM_SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link);
continue;
bad:
- free(m->gm_mech.gm_mech_oid.elements);
- free(m);
+ if (m != NULL) {
+ free(m->gm_mech.gm_compat);
+ free(m->gm_mech.gm_mech_oid.elements);
+ free(m);
+ }
dlclose(so);
continue;
}
diff --git a/source4/heimdal/lib/gssapi/mech/gss_mo.c b/source4/heimdal/lib/gssapi/mech/gss_mo.c
index cb24b764a5..ad74d9237a 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_mo.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_mo.c
@@ -4,6 +4,7 @@
* All rights reserved.
*
* Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2010 PADL Software Pty Ltd. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -35,13 +36,14 @@
#include "mech_locl.h"
+#include <crypto-headers.h>
+
static int
get_option_def(int def, gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
{
return def;
}
-
int
_gss_mo_get_option_1(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
{
@@ -60,10 +62,10 @@ _gss_mo_get_ctx_as_string(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t valu
if (value) {
value->value = strdup((char *)mo->ctx);
if (value->value == NULL)
- return 1;
+ return GSS_S_FAILURE;
value->length = strlen((char *)mo->ctx);
}
- return 0;
+ return GSS_S_COMPLETE;
}
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
@@ -79,7 +81,8 @@ gss_mo_set(gss_const_OID mech, gss_const_OID option,
for (n = 0; n < m->gm_mo_num; n++)
if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].set)
return m->gm_mo[n].set(mech, &m->gm_mo[n], enable, value);
- return 0;
+
+ return GSS_S_UNAVAILABLE;
}
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
@@ -91,13 +94,13 @@ gss_mo_get(gss_const_OID mech, gss_const_OID option, gss_buffer_t value)
_mg_buffer_zero(value);
if ((m = __gss_get_mechanism(mech)) == NULL)
- return 0;
+ return GSS_S_BAD_MECH;
for (n = 0; n < m->gm_mo_num; n++)
if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].get)
return m->gm_mo[n].get(mech, &m->gm_mo[n], value);
- return 0;
+ return GSS_S_UNAVAILABLE;
}
static void
@@ -147,7 +150,8 @@ gss_mo_name(gss_const_OID mech, gss_const_OID option, gss_buffer_t name)
for (n = 0; n < m->gm_mo_num; n++) {
if (gss_oid_equal(option, m->gm_mo[n].option)) {
/*
- * If ther is no name, its because its a GSS_C_MA and there is already a table for that.
+ * If there is no name, its because its a GSS_C_MA and
+ * there is already a table for that.
*/
if (m->gm_mo[n].name) {
name->value = strdup(m->gm_mo[n].name);
@@ -175,14 +179,86 @@ mo_value(const gss_const_OID mech, gss_const_OID option, gss_buffer_t name)
if (name == NULL)
return GSS_S_COMPLETE;
- if (gss_mo_get(mech, option, name) != 0 && name->length == 0)
- return GSS_S_FAILURE;
+ return gss_mo_get(mech, option, name);
+}
+
+/* code derived from draft-ietf-cat-sasl-gssapi-01 */
+static char basis_32[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+
+static OM_uint32
+make_sasl_name(OM_uint32 *minor, const gss_OID mech, char sasl_name[16])
+{
+ EVP_MD_CTX *ctx;
+ char *p = sasl_name;
+ u_char hdr[2], hash[20], *h = hash;
+
+ if (mech->length > 127)
+ return GSS_S_BAD_MECH;
+
+ hdr[0] = 0x06;
+ hdr[1] = mech->length;
+
+ ctx = EVP_MD_CTX_create();
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctx, hdr, 2);
+ EVP_DigestUpdate(ctx, mech->elements, mech->length);
+ EVP_DigestFinal_ex(ctx, hash, NULL);
+
+ memcpy(p, "GS2-", 4);
+ p += 4;
+
+ *p++ = basis_32[(h[0] >> 3)];
+ *p++ = basis_32[((h[0] & 7) << 2) | (h[1] >> 6)];
+ *p++ = basis_32[(h[1] & 0x3f) >> 1];
+ *p++ = basis_32[((h[1] & 1) << 4) | (h[2] >> 4)];
+ *p++ = basis_32[((h[2] & 0xf) << 1) | (h[3] >> 7)];
+ *p++ = basis_32[(h[3] & 0x7f) >> 2];
+ *p++ = basis_32[((h[3] & 3) << 3) | (h[4] >> 5)];
+ *p++ = basis_32[(h[4] & 0x1f)];
+ *p++ = basis_32[(h[5] >> 3)];
+ *p++ = basis_32[((h[5] & 7) << 2) | (h[6] >> 6)];
+ *p++ = basis_32[(h[6] & 0x3f) >> 1];
+
+ *p = '\0';
return GSS_S_COMPLETE;
}
+/*
+ * gss_inquire_saslname_for_mech() wrapper that uses MIT SPI
+ */
+static OM_uint32
+inquire_saslname_for_mech_compat(OM_uint32 *minor,
+ const gss_OID desired_mech,
+ gss_buffer_t sasl_mech_name,
+ gss_buffer_t mech_name,
+ gss_buffer_t mech_description)
+{
+ struct gss_mech_compat_desc_struct *gmc;
+ gssapi_mech_interface m;
+ OM_uint32 major;
+
+ m = __gss_get_mechanism(desired_mech);
+ if (m == NULL)
+ return GSS_S_BAD_MECH;
+
+ gmc = m->gm_compat;
+
+ if (gmc != NULL && gmc->gmc_inquire_saslname_for_mech != NULL) {
+ major = gmc->gmc_inquire_saslname_for_mech(minor,
+ desired_mech,
+ sasl_mech_name,
+ mech_name,
+ mech_description);
+ } else {
+ major = GSS_S_UNAVAILABLE;
+ }
+
+ return major;
+}
+
/**
- * Returns differnt protocol names and description of the mechanism.
+ * Returns different protocol names and description of the mechanism.
*
* @param minor_status minor status code
* @param desired_mech mech list query
@@ -215,15 +291,41 @@ gss_inquire_saslname_for_mech(OM_uint32 *minor_status,
return GSS_S_BAD_MECH;
major = mo_value(desired_mech, GSS_C_MA_SASL_MECH_NAME, sasl_mech_name);
- if (major) return major;
+ if (major == GSS_S_COMPLETE) {
+ /* Native SPI */
+ major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name);
+ if (GSS_ERROR(major))
+ return major;
+
+ major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description);
+ if (GSS_ERROR(major))
+ return major;
+ }
- major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name);
- if (major) return major;
+ if (GSS_ERROR(major)) {
+ /* API-as-SPI compatibility */
+ major = inquire_saslname_for_mech_compat(minor_status,
+ desired_mech,
+ sasl_mech_name,
+ mech_name,
+ mech_description);
+ }
- major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description);
- if (major) return major;
+ if (GSS_ERROR(major)) {
+ /* Algorithmically dervied SASL mechanism name */
+ char buf[16];
+ gss_buffer_desc tmp = { sizeof(buf) - 1, buf };
- return GSS_S_COMPLETE;
+ major = make_sasl_name(minor_status, desired_mech, buf);
+ if (GSS_ERROR(major))
+ return major;
+
+ major = _gss_copy_buffer(minor_status, &tmp, sasl_mech_name);
+ if (GSS_ERROR(major))
+ return major;
+ }
+
+ return major;
}
/**
@@ -243,29 +345,91 @@ gss_inquire_mech_for_saslname(OM_uint32 *minor_status,
{
struct _gss_mech_switch *m;
gss_buffer_desc name;
- OM_uint32 major;
+ OM_uint32 major, junk;
+ char buf[16];
_gss_load_mech();
*mech_type = NULL;
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
-
- major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name);
- if (major)
- continue;
- if (name.length == sasl_mech_name->length &&
- memcmp(name.value, sasl_mech_name->value, name.length) == 0) {
- gss_release_buffer(&major, &name);
- *mech_type = &m->gm_mech_oid;
- return 0;
+ struct gss_mech_compat_desc_struct *gmc;
+
+ /* Native SPI */
+ major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name);
+ if (major == GSS_S_COMPLETE &&
+ name.length == sasl_mech_name->length &&
+ memcmp(name.value, sasl_mech_name->value, name.length) == 0) {
+ gss_release_buffer(&junk, &name);
+ *mech_type = &m->gm_mech_oid;
+ return GSS_S_COMPLETE;
}
- gss_release_buffer(&major, &name);
+ gss_release_buffer(&junk, &name);
+
+ if (GSS_ERROR(major)) {
+ /* API-as-SPI compatibility */
+ gmc = m->gm_mech.gm_compat;
+ if (gmc && gmc->gmc_inquire_mech_for_saslname) {
+ major = gmc->gmc_inquire_mech_for_saslname(minor_status,
+ sasl_mech_name,
+ mech_type);
+ if (major == GSS_S_COMPLETE)
+ return GSS_S_COMPLETE;
+ }
+ }
+
+ if (GSS_ERROR(major)) {
+ /* Algorithmically dervied SASL mechanism name */
+ if (sasl_mech_name->length == 16 &&
+ make_sasl_name(minor_status, &m->gm_mech_oid, buf) == GSS_S_COMPLETE &&
+ memcmp(buf, sasl_mech_name->value, 16) == 0) {
+ *mech_type = &m->gm_mech_oid;
+ return GSS_S_COMPLETE;
+ }
+ }
}
return GSS_S_BAD_MECH;
}
+/*
+ * Test mechanism against indicated attributes using both Heimdal and
+ * MIT SPIs.
+ */
+static int
+test_mech_attrs(gssapi_mech_interface mi,
+ gss_const_OID_set mech_attrs,
+ gss_const_OID_set against_attrs,
+ int except)
+{
+ size_t n, m;
+ int eq = 0;
+
+ if (against_attrs == GSS_C_NO_OID_SET)
+ return 1;
+
+ for (n = 0; n < against_attrs->count; n++) {
+ for (m = 0; m < mi->gm_mo_num; m++) {
+ eq = gss_oid_equal(mi->gm_mo[m].option,
+ &against_attrs->elements[n]);
+ if (eq)
+ break;
+ }
+ if (mech_attrs != GSS_C_NO_OID_SET) {
+ for (m = 0; m < mech_attrs->count; m++) {
+ eq = gss_oid_equal(&mech_attrs->elements[m],
+ &against_attrs->elements[n]);
+ if (eq)
+ break;
+ }
+ }
+ if (!eq ^ except)
+ return 0;
+ }
+
+ return 1;
+}
+
/**
* Return set of mechanism that fullfill the criteria
*
@@ -286,57 +450,49 @@ gss_indicate_mechs_by_attrs(OM_uint32 * minor_status,
gss_OID_set *mechs)
{
struct _gss_mech_switch *ms;
+ gss_OID_set mech_attrs = GSS_C_NO_OID_SET;
+ gss_OID_set known_mech_attrs = GSS_C_NO_OID_SET;
OM_uint32 major;
- size_t n, m;
major = gss_create_empty_oid_set(minor_status, mechs);
- if (major)
+ if (GSS_ERROR(major))
return major;
_gss_load_mech();
HEIM_SLIST_FOREACH(ms, &_gss_mechs, gm_link) {
gssapi_mech_interface mi = &ms->gm_mech;
-
- if (desired_mech_attrs) {
- for (n = 0; n < desired_mech_attrs->count; n++) {
- for (m = 0; m < mi->gm_mo_num; m++)
- if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
- break;
- if (m == mi->gm_mo_num)
- goto next;
- }
- }
-
- if (except_mech_attrs) {
- for (n = 0; n < desired_mech_attrs->count; n++) {
- for (m = 0; m < mi->gm_mo_num; m++) {
- if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
- goto next;
- }
- }
- }
-
- if (critical_mech_attrs) {
- for (n = 0; n < desired_mech_attrs->count; n++) {
- for (m = 0; m < mi->gm_mo_num; m++) {
- if (mi->gm_mo[m].flags & GSS_MO_MA_CRITICAL)
- continue;
- if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
- break;
- }
- if (m == mi->gm_mo_num)
- goto next;
- }
- }
-
-
- next:
- do { } while(0);
+ struct gss_mech_compat_desc_struct *gmc = mi->gm_compat;
+ OM_uint32 tmp;
+
+ if (gmc && gmc->gmc_inquire_attrs_for_mech) {
+ major = gmc->gmc_inquire_attrs_for_mech(minor_status,
+ &mi->gm_mech_oid,
+ &mech_attrs,
+ &known_mech_attrs);
+ if (GSS_ERROR(major))
+ continue;
+ }
+
+ /*
+ * Test mechanism supports all of desired_mech_attrs;
+ * none of except_mech_attrs;
+ * and knows of all critical_mech_attrs.
+ */
+ if (test_mech_attrs(mi, mech_attrs, desired_mech_attrs, 0) &&
+ test_mech_attrs(mi, mech_attrs, except_mech_attrs, 1) &&
+ test_mech_attrs(mi, known_mech_attrs, critical_mech_attrs, 0)) {
+ major = gss_add_oid_set_member(minor_status, &mi->gm_mech_oid, mechs);
+ }
+
+ gss_release_oid_set(&tmp, &mech_attrs);
+ gss_release_oid_set(&tmp, &known_mech_attrs);
+
+ if (GSS_ERROR(major))
+ break;
}
-
- return GSS_S_FAILURE;
+ return major;
}
/**
@@ -361,30 +517,45 @@ gss_inquire_attrs_for_mech(OM_uint32 * minor_status,
{
OM_uint32 major, junk;
+ if (known_mech_attrs)
+ *known_mech_attrs = GSS_C_NO_OID_SET;
+
if (mech_attr && mech) {
gssapi_mech_interface m;
+ struct gss_mech_compat_desc_struct *gmc;
if ((m = __gss_get_mechanism(mech)) == NULL) {
*minor_status = 0;
return GSS_S_BAD_MECH;
}
- major = gss_create_empty_oid_set(minor_status, mech_attr);
- if (major != GSS_S_COMPLETE)
+ gmc = m->gm_compat;
+
+ if (gmc && gmc->gmc_inquire_attrs_for_mech) {
+ major = gmc->gmc_inquire_attrs_for_mech(minor_status,
+ mech,
+ mech_attr,
+ known_mech_attrs);
+ } else {
+ major = gss_create_empty_oid_set(minor_status, mech_attr);
+ if (major == GSS_S_COMPLETE)
+ add_all_mo(m, mech_attr, GSS_MO_MA);
+ }
+ if (GSS_ERROR(major))
return major;
-
- add_all_mo(m, mech_attr, GSS_MO_MA);
- }
+ }
if (known_mech_attrs) {
struct _gss_mech_switch *m;
- major = gss_create_empty_oid_set(minor_status, known_mech_attrs);
- if (major) {
- if (mech_attr)
- gss_release_oid_set(&junk, mech_attr);
- return major;
- }
+ if (*known_mech_attrs == GSS_C_NO_OID_SET) {
+ major = gss_create_empty_oid_set(minor_status, known_mech_attrs);
+ if (GSS_ERROR(major)) {
+ if (mech_attr)
+ gss_release_oid_set(&junk, mech_attr);
+ return major;
+ }
+ }
_gss_load_mech();
@@ -434,28 +605,28 @@ gss_display_mech_attr(OM_uint32 * minor_status,
return GSS_S_BAD_MECH_ATTR;
if (name) {
- gss_buffer_desc n;
- n.value = rk_UNCONST(ma->name);
- n.length = strlen(ma->name);
- major = _gss_copy_buffer(minor_status, &n, name);
+ gss_buffer_desc bd;
+ bd.value = rk_UNCONST(ma->name);
+ bd.length = strlen(ma->name);
+ major = _gss_copy_buffer(minor_status, &bd, name);
if (major != GSS_S_COMPLETE)
return major;
}
if (short_desc) {
- gss_buffer_desc n;
- n.value = rk_UNCONST(ma->short_desc);
- n.length = strlen(ma->short_desc);
- major = _gss_copy_buffer(minor_status, &n, short_desc);
+ gss_buffer_desc bd;
+ bd.value = rk_UNCONST(ma->short_desc);
+ bd.length = strlen(ma->short_desc);
+ major = _gss_copy_buffer(minor_status, &bd, short_desc);
if (major != GSS_S_COMPLETE)
return major;
}
if (long_desc) {
- gss_buffer_desc n;
- n.value = rk_UNCONST(ma->long_desc);
- n.length = strlen(ma->long_desc);
- major = _gss_copy_buffer(minor_status, &n, long_desc);
+ gss_buffer_desc bd;
+ bd.value = rk_UNCONST(ma->long_desc);
+ bd.length = strlen(ma->long_desc);
+ major = _gss_copy_buffer(minor_status, &bd, long_desc);
if (major != GSS_S_COMPLETE)
return major;
}
diff --git a/source4/heimdal/lib/gssapi/mech/gss_names.c b/source4/heimdal/lib/gssapi/mech/gss_names.c
index 4b470c775f..43e0e2a85c 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_names.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_names.c
@@ -58,7 +58,7 @@ _gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech,
mn = malloc(sizeof(struct _gss_mechanism_name));
if (!mn)
return GSS_S_FAILURE;
-
+
major_status = m->gm_import_name(minor_status,
&name->gn_value,
(name->gn_type.elements
diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid.c b/source4/heimdal/lib/gssapi/mech/gss_oid.c
index bac97cacd0..916d1e4dda 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_oid.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_oid.c
@@ -2,220 +2,226 @@
#include "mech_locl.h"
/* GSS_KRB5_COPY_CCACHE_X - 1.2.752.43.13.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01") };
/* GSS_KRB5_GET_TKT_FLAGS_X - 1.2.752.43.13.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02") };
/* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X - 1.2.752.43.13.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03") };
/* GSS_KRB5_COMPAT_DES3_MIC_X - 1.2.752.43.13.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04") };
/* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - 1.2.752.43.13.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05") };
/* GSS_KRB5_EXPORT_LUCID_CONTEXT_X - 1.2.752.43.13.6 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x06" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06") };
/* GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X - 1.2.752.43.13.6.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x06\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01") };
/* GSS_KRB5_SET_DNS_CANONICALIZE_X - 1.2.752.43.13.7 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x07" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07") };
/* GSS_KRB5_GET_SUBKEY_X - 1.2.752.43.13.8 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x08" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08") };
/* GSS_KRB5_GET_INITIATOR_SUBKEY_X - 1.2.752.43.13.9 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x09" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09") };
/* GSS_KRB5_GET_ACCEPTOR_SUBKEY_X - 1.2.752.43.13.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a") };
/* GSS_KRB5_SEND_TO_KDC_X - 1.2.752.43.13.11 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b") };
/* GSS_KRB5_GET_AUTHTIME_X - 1.2.752.43.13.12 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c") };
/* GSS_KRB5_GET_SERVICE_KEYBLOCK_X - 1.2.752.43.13.13 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d") };
/* GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X - 1.2.752.43.13.14 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e") };
/* GSS_KRB5_SET_DEFAULT_REALM_X - 1.2.752.43.13.15 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0f" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f") };
/* GSS_KRB5_CCACHE_NAME_X - 1.2.752.43.13.16 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x10" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10") };
/* GSS_KRB5_SET_TIME_OFFSET_X - 1.2.752.43.13.17 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x11" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11") };
/* GSS_KRB5_GET_TIME_OFFSET_X - 1.2.752.43.13.18 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x12" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12") };
/* GSS_KRB5_PLUGIN_REGISTER_X - 1.2.752.43.13.19 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x13" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x13") };
/* GSS_NTLM_GET_SESSION_KEY_X - 1.2.752.43.13.20 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x14" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x14") };
/* GSS_C_NT_NTLM - 1.2.752.43.13.21 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x15" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x15") };
/* GSS_C_NT_DN - 1.2.752.43.13.22 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x16" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x16") };
/* GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL - 1.2.752.43.13.23 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x17" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x17") };
/* GSS_C_NTLM_AVGUEST - 1.2.752.43.13.24 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x18" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x18") };
/* GSS_C_NTLM_V1 - 1.2.752.43.13.25 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x19" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x19") };
/* GSS_C_NTLM_V2 - 1.2.752.43.13.26 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1a") };
/* GSS_C_NTLM_SESSION_KEY - 1.2.752.43.13.27 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1b") };
/* GSS_C_NTLM_FORCE_V1 - 1.2.752.43.13.28 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1c") };
/* GSS_KRB5_CRED_NO_CI_FLAGS_X - 1.2.752.43.13.29 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1d") };
/* GSS_KRB5_IMPORT_CRED_X - 1.2.752.43.13.30 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1e") };
/* GSS_C_MA_SASL_MECH_NAME - 1.2.752.43.13.100 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x64" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x64") };
/* GSS_C_MA_MECH_NAME - 1.2.752.43.13.101 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x65" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x65") };
/* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x66" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") };
+
+/* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" };
+
+/* GSS_C_CRED_CERTIFICATE - 1.2.752.43.13.201 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x49" };
/* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
/* GSS_NETLOGON_MECHANISM - 1.2.752.43.14.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02") };
/* GSS_NETLOGON_SET_SESSION_KEY_X - 1.2.752.43.14.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x03") };
/* GSS_NETLOGON_SET_SIGN_ALGORITHM_X - 1.2.752.43.14.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x04") };
/* GSS_NETLOGON_NT_NETBIOS_DNS_NAME - 1.2.752.43.14.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x05") };
/* GSS_C_INQ_WIN2K_PAC_X - 1.2.752.43.13.3.128 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, "\x2a\x85\x70\x2b\x0d\x03\x81\x00" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03\x81\x00") };
/* GSS_C_INQ_SSPI_SESSION_KEY - 1.2.840.113554.1.2.2.5.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05") };
/* GSS_KRB5_MECHANISM - 1.2.840.113554.1.2.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
/* GSS_NTLM_MECHANISM - 1.3.6.1.4.1.311.2.2.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") };
/* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, "\x2b\x06\x01\x05\x05\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") };
/* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, "\x2b\x06\x01\x04\x01\xca\x29\x13\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xca\x29\x13\x05") };
/* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x01") };
/* GSS_C_MA_MECH_PSEUDO - 1.3.6.1.5.5.13.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x02") };
/* GSS_C_MA_MECH_COMPOSITE - 1.3.6.1.5.5.13.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x03") };
/* GSS_C_MA_MECH_NEGO - 1.3.6.1.5.5.13.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x04") };
/* GSS_C_MA_MECH_GLUE - 1.3.6.1.5.5.13.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x05") };
/* GSS_C_MA_NOT_MECH - 1.3.6.1.5.5.13.6 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x06" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x06") };
/* GSS_C_MA_DEPRECATED - 1.3.6.1.5.5.13.7 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x07" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x07") };
/* GSS_C_MA_NOT_DFLT_MECH - 1.3.6.1.5.5.13.8 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x08" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x08") };
/* GSS_C_MA_ITOK_FRAMED - 1.3.6.1.5.5.13.9 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x09" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x09") };
/* GSS_C_MA_AUTH_INIT - 1.3.6.1.5.5.13.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0a") };
/* GSS_C_MA_AUTH_TARG - 1.3.6.1.5.5.13.11 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0b") };
/* GSS_C_MA_AUTH_INIT_INIT - 1.3.6.1.5.5.13.12 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0c") };
/* GSS_C_MA_AUTH_TARG_INIT - 1.3.6.1.5.5.13.13 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0d") };
/* GSS_C_MA_AUTH_INIT_ANON - 1.3.6.1.5.5.13.14 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0e") };
/* GSS_C_MA_AUTH_TARG_ANON - 1.3.6.1.5.5.13.15 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0f" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0f") };
/* GSS_C_MA_DELEG_CRED - 1.3.6.1.5.5.13.16 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x10" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x10") };
/* GSS_C_MA_INTEG_PROT - 1.3.6.1.5.5.13.17 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x11" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x11") };
/* GSS_C_MA_CONF_PROT - 1.3.6.1.5.5.13.18 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x12" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x12") };
/* GSS_C_MA_MIC - 1.3.6.1.5.5.13.19 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x13" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x13") };
/* GSS_C_MA_WRAP - 1.3.6.1.5.5.13.20 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x14" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x14") };
/* GSS_C_MA_PROT_READY - 1.3.6.1.5.5.13.21 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x15" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x15") };
/* GSS_C_MA_REPLAY_DET - 1.3.6.1.5.5.13.22 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x16" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x16") };
/* GSS_C_MA_OOS_DET - 1.3.6.1.5.5.13.23 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x17" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x17") };
/* GSS_C_MA_CBINDINGS - 1.3.6.1.5.5.13.24 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x18" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x18") };
/* GSS_C_MA_PFS - 1.3.6.1.5.5.13.25 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x19" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x19") };
/* GSS_C_MA_COMPRESS - 1.3.6.1.5.5.13.26 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1a") };
/* GSS_C_MA_CTX_TRANS - 1.3.6.1.5.5.13.27 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1b") };
struct _gss_oid_name_table _gss_ont_ma[] = {
{ GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" },
diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c
index 7d6ded39e4..b125ede66f 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c
@@ -43,7 +43,7 @@
*
* @return non-zero when both oid are the same OID, zero when they are
* not the same.
- *
+ *
* @ingroup gssapi
*/
diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_name.c b/source4/heimdal/lib/gssapi/mech/gss_release_name.c
index 759eaec4c3..fd0b5df36b 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_release_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_release_name.c
@@ -40,7 +40,7 @@
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
diff --git a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c
index 62be485a07..d33453d92f 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c
@@ -93,13 +93,13 @@ gss_set_cred_option (OM_uint32 *minor_status,
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
m = mc->gmc_mech;
-
+
if (m == NULL)
return GSS_S_BAD_MECH;
-
+
if (m->gm_set_cred_option == NULL)
continue;
-
+
major_status = m->gm_set_cred_option(minor_status,
&mc->gmc_cred, object, value);
if (major_status == GSS_S_COMPLETE)
diff --git a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c
index 4c4d349045..715d34bf06 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c
@@ -34,7 +34,7 @@ gss_test_oid_set_member(OM_uint32 *minor_status,
const gss_OID_set set,
int *present)
{
- int i;
+ size_t i;
*present = 0;
for (i = 0; i < set->count; i++)
diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c
index e79814aea7..9bebcf6cf0 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c
@@ -38,7 +38,7 @@ gss_wrap_size_limit(OM_uint32 *minor_status,
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
gssapi_mech_interface m;
-
+
*max_input_size = 0;
if (ctx == NULL) {
*minor_status = 0;
diff --git a/source4/heimdal/lib/gssapi/mech/mech_locl.h b/source4/heimdal/lib/gssapi/mech/mech_locl.h
index cb10c23c38..6c23ac5256 100644
--- a/source4/heimdal/lib/gssapi/mech/mech_locl.h
+++ b/source4/heimdal/lib/gssapi/mech/mech_locl.h
@@ -62,6 +62,7 @@
#include "mech_switch.h"
#include "name.h"
#include "utils.h"
+#include "compat.h"
#define _mg_buffer_zero(buffer) \
do { \
diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
index 35bc56fbb7..3a51dd3a0a 100644
--- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -90,7 +90,7 @@ send_supported_mechs (OM_uint32 *minor_status,
gss_buffer_t output_token)
{
NegotiationTokenWin nt;
- size_t buf_len;
+ size_t buf_len = 0;
gss_buffer_desc data;
OM_uint32 ret;
@@ -132,8 +132,10 @@ send_supported_mechs (OM_uint32 *minor_status,
*minor_status = ret;
return GSS_S_FAILURE;
}
- if (data.length != buf_len)
+ if (data.length != buf_len) {
abort();
+ UNREACHABLE(return GSS_S_FAILURE);
+ }
ret = gss_encapsulate_token(&data, GSS_SPNEGO_MECHANISM, output_token);
@@ -316,7 +318,7 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
gss_OID_desc oid;
gss_OID oidp;
gss_OID_set mechs;
- int i;
+ size_t i;
OM_uint32 ret, junk;
ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
@@ -368,12 +370,13 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
host = getenv("GSSAPI_SPNEGO_NAME");
if (host == NULL || issuid()) {
+ int rv;
if (gethostname(hostname, sizeof(hostname)) != 0) {
*minor_status = errno;
return GSS_S_FAILURE;
}
- i = asprintf(&str, "host@%s", hostname);
- if (i < 0 || str == NULL) {
+ rv = asprintf(&str, "host@%s", hostname);
+ if (rv < 0 || str == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
@@ -410,10 +413,6 @@ acceptor_complete(OM_uint32 * minor_status,
{
OM_uint32 ret;
int require_mic, verify_mic;
- gss_buffer_desc buf;
-
- buf.length = 0;
- buf.value = NULL;
ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, &require_mic);
if (ret)
@@ -435,11 +434,11 @@ acceptor_complete(OM_uint32 * minor_status,
verify_mic = 0;
*get_mic = 1;
}
-
+
if (verify_mic || *get_mic) {
int eret;
- size_t buf_len;
-
+ size_t buf_len = 0;
+
ASN1_MALLOC_ENCODE(MechTypeList,
mech_buf->value, mech_buf->length,
&ctx->initiator_mech_types, &buf_len, eret);
@@ -447,24 +446,19 @@ acceptor_complete(OM_uint32 * minor_status,
*minor_status = eret;
return GSS_S_FAILURE;
}
- if (buf.length != buf_len)
- abort();
+ heim_assert(mech_buf->length == buf_len, "Internal ASN.1 error");
+ UNREACHABLE(return GSS_S_FAILURE);
}
-
+
if (verify_mic) {
ret = verify_mechlist_mic(minor_status, ctx, mech_buf, mic);
if (ret) {
if (*get_mic)
send_reject (minor_status, output_token);
- if (buf.value)
- free(buf.value);
return ret;
}
ctx->verified_mic = 1;
}
- if (buf.value)
- free(buf.value);
-
} else
*get_mic = 0;
@@ -491,7 +485,6 @@ acceptor_start
NegotiationToken nt;
size_t nt_len;
NegTokenInit *ni;
- int i;
gss_buffer_desc data;
gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
gss_buffer_desc mech_output_token;
@@ -507,7 +500,7 @@ acceptor_start
if (input_token_buffer->length == 0)
return send_supported_mechs (minor_status, output_token);
-
+
ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
if (ret != GSS_S_COMPLETE)
return ret;
@@ -573,7 +566,7 @@ acceptor_start
if (ctx->mech_src_name != GSS_C_NO_NAME)
gss_release_name(&junk, &ctx->mech_src_name);
-
+
ret = gss_accept_sec_context(minor_status,
&ctx->negotiated_ctx_id,
acceptor_cred_handle,
@@ -613,13 +606,14 @@ acceptor_start
*/
if (!first_ok && ni->mechToken != NULL) {
+ size_t j;
preferred_mech_type = GSS_C_NO_OID;
/* Call glue layer to find first mech we support */
- for (i = 1; i < ni->mechTypes.len; ++i) {
+ for (j = 1; j < ni->mechTypes.len; ++j) {
ret = select_mech(minor_status,
- &ni->mechTypes.val[i],
+ &ni->mechTypes.val[j],
1,
&preferred_mech_type);
if (ret == 0)
diff --git a/source4/heimdal/lib/gssapi/spnego/compat.c b/source4/heimdal/lib/gssapi/spnego/compat.c
index b23658cfd1..cf5ee30a84 100644
--- a/source4/heimdal/lib/gssapi/spnego/compat.c
+++ b/source4/heimdal/lib/gssapi/spnego/compat.c
@@ -41,10 +41,10 @@
* Kerberos mechanism.
*/
gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc =
- {9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"};
+ {9, rk_UNCONST("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02")};
gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc =
- {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+ {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
/*
* Allocate a SPNEGO context handle
@@ -241,7 +241,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
gss_OID first_mech = GSS_C_NO_OID;
OM_uint32 ret;
- int i;
+ size_t i;
mechtypelist->len = 0;
mechtypelist->val = NULL;
diff --git a/source4/heimdal/lib/gssapi/spnego/context_stubs.c b/source4/heimdal/lib/gssapi/spnego/context_stubs.c
index 18c13fe299..60b348ec46 100644
--- a/source4/heimdal/lib/gssapi/spnego/context_stubs.c
+++ b/source4/heimdal/lib/gssapi/spnego/context_stubs.c
@@ -37,7 +37,7 @@ spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
{
OM_uint32 ret, junk;
gss_OID_set m;
- int i;
+ size_t i;
ret = gss_indicate_mechs(minor_status, &m);
if (ret != GSS_S_COMPLETE)
@@ -565,7 +565,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_names_for_mech (
{
gss_OID_set mechs, names, n;
OM_uint32 ret, junk;
- int i, j;
+ size_t i, j;
*name_types = NULL;
diff --git a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c
index 2920f3d9b5..fc43d6a4a6 100644
--- a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c
+++ b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c
@@ -70,7 +70,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred
OM_uint32 ret, tmp;
gss_OID_set_desc actual_desired_mechs;
gss_OID_set mechs;
- int i, j;
+ size_t i, j;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
diff --git a/source4/heimdal/lib/gssapi/spnego/external.c b/source4/heimdal/lib/gssapi/spnego/external.c
index 5054754150..ca06d46e82 100644
--- a/source4/heimdal/lib/gssapi/spnego/external.c
+++ b/source4/heimdal/lib/gssapi/spnego/external.c
@@ -39,13 +39,12 @@
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
-
static gss_mo_desc spnego_mo[] = {
{
GSS_C_MA_SASL_MECH_NAME,
GSS_MO_MA,
"SASL mech name",
- "SPNEGO",
+ rk_UNCONST("SPNEGO"),
_gss_mo_get_ctx_as_string,
NULL
},
@@ -53,7 +52,7 @@ static gss_mo_desc spnego_mo[] = {
GSS_C_MA_MECH_NAME,
GSS_MO_MA,
"Mechanism name",
- "SPNEGO",
+ rk_UNCONST("SPNEGO"),
_gss_mo_get_ctx_as_string,
NULL
},
@@ -61,7 +60,7 @@ static gss_mo_desc spnego_mo[] = {
GSS_C_MA_MECH_DESCRIPTION,
GSS_MO_MA,
"Mechanism description",
- "Heimdal SPNEGO Mechanism",
+ rk_UNCONST("Heimdal SPNEGO Mechanism"),
_gss_mo_get_ctx_as_string,
NULL
},
@@ -78,7 +77,7 @@ static gss_mo_desc spnego_mo[] = {
static gssapi_mech_interface_desc spnego_mech = {
GMI_VERSION,
"spnego",
- {6, (void *)"\x2b\x06\x01\x05\x05\x02"},
+ {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") },
0,
_gss_spnego_acquire_cred,
_gss_spnego_release_cred,
@@ -128,7 +127,13 @@ static gssapi_mech_interface_desc spnego_mech = {
NULL,
NULL,
spnego_mo,
- sizeof(spnego_mo) / sizeof(spnego_mo[0])
+ sizeof(spnego_mo) / sizeof(spnego_mo[0]),
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
};
gssapi_mech_interface
diff --git a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c
index c9e182129d..b4b1bcefc5 100644
--- a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c
@@ -392,7 +392,7 @@ spnego_reply
NegotiationToken resp;
gss_OID_desc mech;
int require_mic;
- size_t buf_len;
+ size_t buf_len = 0;
gss_buffer_desc mic_buf, mech_buf;
gss_buffer_desc mech_output_token;
gssspnego_ctx ctx;
@@ -557,8 +557,10 @@ spnego_reply
*minor_status = ret;
return GSS_S_FAILURE;
}
- if (mech_buf.length != buf_len)
+ if (mech_buf.length != buf_len) {
abort();
+ UNREACHABLE(return GSS_S_FAILURE);
+ }
if (resp.u.negTokenResp.mechListMIC == NULL) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
index dacaa3310e..3e151c7c2a 100644
--- a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
+++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
@@ -71,6 +71,8 @@
#include "utils.h"
#include <der.h>
+#include <heimbase.h>
+
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
typedef struct {
diff --git a/source4/heimdal/lib/gssapi/version-script.map b/source4/heimdal/lib/gssapi/version-script.map
index 7591121333..ebd8ee21ac 100644
--- a/source4/heimdal/lib/gssapi/version-script.map
+++ b/source4/heimdal/lib/gssapi/version-script.map
@@ -2,7 +2,8 @@
HEIMDAL_GSS_2.0 {
global:
- __gss_c_nt_anonymous;
+# __gss_c_nt_anonymous;
+ __gss_c_nt_anonymous_oid_desc;
__gss_c_nt_export_name_oid_desc;
__gss_c_nt_hostbased_service_oid_desc;
__gss_c_nt_hostbased_service_x_oid_desc;
@@ -11,11 +12,17 @@ HEIMDAL_GSS_2.0 {
__gss_c_nt_user_name_oid_desc;
__gss_krb5_nt_principal_name_oid_desc;
__gss_c_attr_stream_sizes_oid_desc;
+ __gss_c_cred_password_oid_desc;
+ __gss_c_cred_certificate_oid_desc;
+ GSS_C_ATTR_LOCAL_LOGIN_USER;
gss_accept_sec_context;
gss_acquire_cred;
+ gss_acquire_cred_with_password;
gss_add_buffer_set_member;
gss_add_cred;
+ gss_add_cred_with_password;
gss_add_oid_set_member;
+ gss_authorize_localname;
gss_canonicalize_name;
gss_compare_name;
gss_context_query_attributes;
@@ -61,6 +68,7 @@ HEIMDAL_GSS_2.0 {
gss_mg_collect_error;
gss_oid_equal;
gss_oid_to_str;
+ gss_pname_to_uid;
gss_process_context_token;
gss_pseudo_random;
gss_release_buffer;
@@ -75,10 +83,12 @@ HEIMDAL_GSS_2.0 {
gss_set_name_attribute;
gss_set_sec_context_option;
gss_sign;
+ gss_store_cred;
gss_test_oid_set_member;
gss_unseal;
gss_unwrap;
gss_unwrap_iov;
+ gss_userok;
gss_verify;
gss_verify_mic;
gss_wrap;