Diffstat (limited to 'source4/heimdal/lib/gssapi')
69 files changed, 995 insertions, 495 deletions
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi/gssapi.h index caa1af8b3a..fa53a29d24 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi.h @@ -31,8 +31,6 @@ * SUCH DAMAGE. */ -/* $Id$ */ - #ifndef GSSAPI_GSSAPI_H_ #define GSSAPI_GSSAPI_H_ @@ -55,13 +53,11 @@ #endif #endif -#ifndef GSSAPI_DEPRECATED +#ifndef GSSAPI_DEPRECATED_FUNCTION #if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) -#define GSSAPI_DEPRECATED __attribute__((deprecated)) -#elif defined(_MSC_VER) -#define GSSAPI_DEPRECATED __declspec(deprecated) +#define GSSAPI_DEPRECATED_FUNCTION(X) __attribute__((deprecated)) #else -#define GSSAPI_DEPRECATED +#define GSSAPI_DEPRECATED_FUNCTION(X) #endif #endif @@ -375,7 +371,7 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_anonymous_oid_desc; * to that gss_OID_desc. */ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc; -#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc) +#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc) /* Major status codes */ @@ -447,6 +443,11 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc; #define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET) /* + * Apparently awating spec fix. + */ +#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE + +/* * Supplementary info bits: */ #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) @@ -459,6 +460,9 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc; * Finally, function prototypes for the GSS-API routines. */ +#define GSS_C_OPTION_MASK 0xffff +#define GSS_C_CRED_NO_UI 0x10000 + GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred (OM_uint32 * /*minor_status*/, const gss_name_t /*desired_name*/, 
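Review bot: In the `@@ -55,13 +53,11 @@` hunk the new `GSSAPI_DEPRECATED_FUNCTION(X)` macro discards its argument on every branch, so the "Use gss_get_mic" / "Use gss_wrap" hints attached later in this file never reach the compiler's warning text. GCC 4.5+ and clang accept a message, so the GNUC branch could read `#define GSSAPI_DEPRECATED_FUNCTION(X) __attribute__((deprecated(X)))` (guarded on the version, with the message-less form as fallback). The hunk also drops the `_MSC_VER` `__declspec(deprecated)` branch; since the macro now trails the declarator a `__declspec` cannot simply be restored there, so MSVC builds presumably lose the deprecation warning entirely — worth a comment saying so, e.g. `/* no MSVC form: __declspec must precede the declarator */`.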
@@ -827,7 +831,7 @@ typedef struct { size_t blocksize; /**< Specificed optimal size of messages, also is the maximum padding size (GSS_IOV_BUFFER_TYPE_PADDING) */ -} gss_context_stream_sizes; +} gss_context_stream_sizes; extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_attr_stream_sizes_oid_desc; #define GSS_C_ATTR_STREAM_SIZES (&__gss_c_attr_stream_sizes_oid_desc) @@ -850,23 +854,23 @@ gss_context_query_attributes(OM_uint32 * /* minor_status */, * obsolete versions of these routines and their current forms. */ -GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*qop_req*/, gss_buffer_t /*message_buffer*/, gss_buffer_t /*message_token*/ - ); + ) GSSAPI_DEPRECATED_FUNCTION("Use gss_get_mic"); -GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, gss_buffer_t /*message_buffer*/, gss_buffer_t /*token_buffer*/, int * /*qop_state*/ - ); + ) GSSAPI_DEPRECATED_FUNCTION("Use gss_verify_mic"); -GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*conf_req_flag*/, 
@@ -874,29 +878,29 @@ GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal gss_buffer_t /*input_message_buffer*/, int * /*conf_state*/, gss_buffer_t /*output_message_buffer*/ - ); + ) GSSAPI_DEPRECATED_FUNCTION("Use gss_wrap"); -GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, gss_buffer_t /*input_message_buffer*/, gss_buffer_t /*output_message_buffer*/, int * /*conf_state*/, int * /*qop_state*/ - ); + ) GSSAPI_DEPRECATED_FUNCTION("Use gss_unwrap"); /** * */ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL -gss_encapsulate_token(const gss_buffer_t /* input_token */, - const gss_OID /* oid */, +gss_encapsulate_token(gss_const_buffer_t /* input_token */, + gss_const_OID /* oid */, gss_buffer_t /* output_token */); GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL -gss_decapsulate_token(const gss_buffer_t /* input_token */, - const gss_OID /* oid */, +gss_decapsulate_token(gss_const_buffer_t /* input_token */, + gss_const_OID /* oid */, gss_buffer_t /* output_token */); 
@@ -990,6 +994,56 @@ gss_display_mech_attr(OM_uint32 * minor_status, gss_buffer_t long_desc); /* + * Solaris compat + */ + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred_with_password + (OM_uint32 * /*minor_status*/, + const gss_name_t /*desired_name*/, + const gss_buffer_t /*password*/, + OM_uint32 /*time_req*/, + const gss_OID_set /*desired_mechs*/, + gss_cred_usage_t /*cred_usage*/, + gss_cred_id_t * /*output_cred_handle*/, + gss_OID_set * /*actual_mechs*/, + OM_uint32 * /*time_rec*/ + ); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_cred_with_password ( + OM_uint32 * /*minor_status*/, + const gss_cred_id_t /*input_cred_handle*/, + const gss_name_t /*desired_name*/, + const gss_OID /*desired_mech*/, + const gss_buffer_t /*password*/, + gss_cred_usage_t /*cred_usage*/, + OM_uint32 /*initiator_time_req*/, + OM_uint32 /*acceptor_time_req*/, + gss_cred_id_t * /*output_cred_handle*/, + gss_OID_set * /*actual_mechs*/, + OM_uint32 * /*initiator_time_rec*/, + OM_uint32 * /*acceptor_time_rec*/ + ); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_pname_to_uid( + OM_uint32 *minor, + const gss_name_t name, + const gss_OID mech_type, + uid_t *uidOut); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_authorize_localname( + OM_uint32 *minor, + const gss_name_t name, + const gss_name_t user); + +GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL +gss_userok(const gss_name_t name, + const char *user); + +extern GSSAPI_LIB_VARIABLE gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER; + +/* * Naming extensions */ @@ -1051,4 +1105,6 @@ gss_name_to_oid(const char *name); GSSAPI_CPP_END +#undef GSSAPI_DEPRECATED_FUNCTION + #endif /* GSSAPI_GSSAPI_H_ */ diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h index e7b56dc7d4..9465efc77f 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h 
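Review bot: The new `gss_pname_to_uid()`, `gss_authorize_localname()` and `gss_userok()` prototypes are authorization entry points, yet the "Solaris compat" block documents neither their return contract nor what a failure means, and `gss_userok()` returns a bare `int` whose polarity a caller has to guess. A short comment above each would avoid callers treating an error as "authorized"; for instance above `gss_userok`: `/* Returns non-zero only when name is authorized to act as local user; 0 on no-match or error — treat any error as deny. */` (confirm the polarity against the implementation, which is not in this header). `GSS_C_ATTR_LOCAL_LOGIN_USER` is likewise exported without a note on which call it is an attribute name for.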
@@ -109,6 +109,13 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_name_oid_desc; extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_description_oid_desc; #define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc) + /* credential types */ +extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_password_oid_desc; +#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc) + +extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_certificate_oid_desc; +#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc) + /* Heimdal mechanisms - 1.2.752.43.14 */ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc; #define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc) diff --git a/source4/heimdal/lib/gssapi/gssapi_mech.h b/source4/heimdal/lib/gssapi/gssapi_mech.h index 1431dbcee6..e4ccfdb0cd 100644 --- a/source4/heimdal/lib/gssapi/gssapi_mech.h +++ b/source4/heimdal/lib/gssapi/gssapi_mech.h @@ -355,14 +355,14 @@ _gss_import_cred_t(OM_uint32 * minor_status, typedef OM_uint32 GSSAPI_CALLCONV -_gss_acquire_cred_ex_t(void * /* status */, - const gss_name_t /* desired_name */, - OM_uint32 /* flags */, - OM_uint32 /* time_req */, - gss_cred_usage_t /* cred_usage */, - void * /* identity */, - void * /* ctx */, - void (* /*complete */)(void *, OM_uint32, void *, gss_cred_id_t, OM_uint32)); +_gss_acquire_cred_ext_t(OM_uint32 * /*minor_status */, + const gss_name_t /* desired_name */, + gss_const_OID /* credential_type */, + const void * /* credential_data */, + OM_uint32 /* time_req */, + gss_const_OID /* desired_mech */, + gss_cred_usage_t /* cred_usage */, + gss_cred_id_t * /* output_cred_handle */); typedef void GSSAPI_CALLCONV _gss_iter_creds_t(OM_uint32 /* flags */, 
@@ -460,13 +460,28 @@ struct gss_mo_desc_struct { int (*set)(gss_const_OID, gss_mo_desc *, int, gss_buffer_t); }; +typedef OM_uint32 GSSAPI_CALLCONV _gss_pname_to_uid_t ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* name */ + const gss_OID, /* mech_type */ + uid_t * /* uidOut */ + ); + +typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* name */ + gss_const_buffer_t, /* user */ + gss_const_OID /* user_name_type */ + ); + +/* mechglue internal */ +struct gss_mech_compat_desc_struct; #define GMI_VERSION 5 /* gm_flags */ #define GM_USE_MG_CRED 1 /* uses mech glue credentials */ - typedef struct gssapi_mech_interface_desc { unsigned gm_version; const char *gm_name; @@ -512,7 +527,7 @@ typedef struct gssapi_mech_interface_desc { _gss_store_cred_t *gm_store_cred; _gss_export_cred_t *gm_export_cred; _gss_import_cred_t *gm_import_cred; - _gss_acquire_cred_ex_t *gm_acquire_cred_ex; + _gss_acquire_cred_ext_t *gm_acquire_cred_ext; _gss_iter_creds_t *gm_iter_creds; _gss_destroy_cred_t *gm_destroy_cred; _gss_cred_hold_t *gm_cred_hold; @@ -521,12 +536,15 @@ typedef struct gssapi_mech_interface_desc { _gss_cred_label_set_t *gm_cred_label_set; gss_mo_desc *gm_mo; size_t gm_mo_num; + _gss_pname_to_uid_t *gm_pname_to_uid; + _gss_authorize_localname_t *gm_authorize_localname; _gss_display_name_ext_t *gm_display_name_ext; _gss_inquire_name_t *gm_inquire_name; _gss_get_name_attribute_t *gm_get_name_attribute; _gss_set_name_attribute_t *gm_set_name_attribute; _gss_delete_name_attribute_t *gm_delete_name_attribute; _gss_export_name_composite_t *gm_export_name_composite; + struct gss_mech_compat_desc_struct *gm_compat; } gssapi_mech_interface_desc, *gssapi_mech_interface; gssapi_mech_interface 
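Review bot: The `gssapi_mech_interface_desc` layout changes in this hunk — `gm_acquire_cred_ex` is retyped to `_gss_acquire_cred_ext_t`, and `gm_pname_to_uid`/`gm_authorize_localname` are inserted before `gm_display_name_ext` rather than appended — while the context line `#define GMI_VERSION 5` stays unchanged. Any mechanism built against the old struct (the `gm_version` field exists precisely for this) would have its later function pointers shifted by two slots and be called through the wrong member. Bump it, `#define GMI_VERSION 6`, or append the new members after `gm_export_name_composite` if compatibility with version-5 plugins is intended; whether out-of-tree mechanisms exist for this build is not visible here.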
@@ -552,4 +570,25 @@ struct _gss_oid_name_table { extern struct _gss_oid_name_table _gss_ont_mech[]; extern struct _gss_oid_name_table _gss_ont_ma[]; +/* + * Extended credentials acqusition API, not to be exported until + * it or something equivalent has been standardised. + */ +extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc; +#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc) + +extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc; +#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc) + +OM_uint32 _gss_acquire_cred_ext + (OM_uint32 * /*minor_status*/, + const gss_name_t /*desired_name*/, + gss_const_OID /*credential_type*/, + const void * /*credential_data*/, + OM_uint32 /*time_req*/, + gss_const_OID /*desired_mech*/, + gss_cred_usage_t /*cred_usage*/, + gss_cred_id_t * /*output_cred_handle*/ + ); + #endif /* GSSAPI_MECH_H */ diff --git a/source4/heimdal/lib/gssapi/krb5/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c index 65db343cad..d4555c5104 100644 --- a/source4/heimdal/lib/gssapi/krb5/8003.c +++ b/source4/heimdal/lib/gssapi/krb5/8003.c @@ -92,7 +92,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num); EVP_DigestUpdate(ctx, num, sizeof(num)); if (b->acceptor_address.length) - EVP_DigestUpdate(ctx, + EVP_DigestUpdate(ctx, b->acceptor_address.value, b->acceptor_address.length); _gsskrb5_encode_om_uint32 (b->application_data.length, num); diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index a5e9d054c4..5a00e124c2 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c 
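Review bot: The `GSS_C_CRED_PASSWORD` / `GSS_C_CRED_CERTIFICATE` externs and macros added at the end of gssapi_mech.h under the comment "not to be exported until ... standardised" duplicate the ones this same commit adds to the public gssapi_oid.h (`@@ -109,6 +109,13 @@` above), so the OIDs are in fact exported and the intent stated in the comment is already contradicted. Identical redefinition compiles, but the two copies will drift; keep one definition and, if the public header is the intended home, drop these lines or reduce the block to the `_gss_acquire_cred_ext` prototype with a comment `/* credential-type OIDs live in gssapi/gssapi_oid.h */`. The `_gss_acquire_cred_ext` prototype is also the only one in this hunk without a calling-convention decoration; check that it matches the other internal prototypes in this file, which are outside the hunk.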
@@ -36,12 +36,32 @@ HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; krb5_keytab _gsskrb5_keytab; +static krb5_error_code +validate_keytab(krb5_context context, const char *name, krb5_keytab *id) +{ + krb5_error_code ret; + + ret = krb5_kt_resolve(context, name, id); + if (ret) + return ret; + + ret = krb5_kt_have_content(context, *id); + if (ret) { + krb5_kt_close(context, *id); + *id = NULL; + } + + return ret; +} + OM_uint32 -_gsskrb5_register_acceptor_identity (const char *identity) +_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity) { krb5_context context; krb5_error_code ret; + *min_stat = 0; + ret = _gsskrb5_init(&context); if(ret) return GSS_S_FAILURE; @@ -55,19 +75,29 @@ _gsskrb5_register_acceptor_identity (const char *identity) if (identity == NULL) { ret = krb5_kt_default(context, &_gsskrb5_keytab); } else { - char *p = NULL; - - ret = asprintf(&p, "FILE:%s", identity); - if(ret < 0 || p == NULL) { - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - return GSS_S_FAILURE; + /* + * First check if we can the keytab as is and if it has content... + */ + ret = validate_keytab(context, identity, &_gsskrb5_keytab); + /* + * if it doesn't, lets prepend FILE: and try again + */ + if (ret) { + char *p = NULL; + ret = asprintf(&p, "FILE:%s", identity); + if(ret < 0 || p == NULL) { + HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); + return GSS_S_FAILURE; + } + ret = validate_keytab(context, p, &_gsskrb5_keytab); + free(p); } - ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab); - free(p); } HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - if(ret) + if(ret) { + *min_stat = ret; return GSS_S_FAILURE; + } return GSS_S_COMPLETE; } @@ -93,7 +123,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor) if (key == NULL) return; - + switch (key->keytype) { case ETYPE_DES_CBC_CRC: case ETYPE_DES_CBC_MD4: 
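Review bot: In the second hunk the `asprintf` failure path still returns `GSS_S_FAILURE` with `*min_stat` left at the 0 set at function entry, so the caller gets a failure with a "success" minor code; set it: `*min_stat = ENOMEM;` before the unlock-and-return. The resolution order also silently changes semantics: `identity` is now first handed to `krb5_kt_resolve()` as a full `TYPE:residual` keytab name and only on failure prefixed with `FILE:`, so a string such as `MEMORY:x` or `ANY:...` selects that keytab type where the old code always treated it as a file path — worth a comment on `validate_keytab()` such as `/* identity may be a full keytab spec (TYPE:name); a bare path falls back to FILE: */` so callers passing externally supplied names know this. `_gsskrb5_register_acceptor_identity` starts in the first hunk and its middle lies between the two hunks.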
@@ -171,7 +201,7 @@ gsskrb5_accept_delegated_token if (delegated_cred_handle) { gsskrb5_cred handle; - + ret = _gsskrb5_krb5_import_cred(minor_status, ccache, NULL, @@ -541,10 +571,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, if(ctx->flags & GSS_C_MUTUAL_FLAG) { krb5_data outbuf; int use_subkey = 0; - + _gsskrb5i_is_cfx(context, ctx, 1); is_cfx = (ctx->more_flags & IS_CFX); - + if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) { use_subkey = 1; } else { @@ -572,7 +602,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, KRB5_AUTH_CONTEXT_USE_SUBKEY, NULL); } - + kret = krb5_mk_rep(context, ctx->auth_context, &outbuf); @@ -580,7 +610,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, *minor_status = kret; return GSS_S_FAILURE; } - + if (IS_DCE_STYLE(ctx)) { output_token->length = outbuf.length; output_token->value = outbuf.data; @@ -659,7 +689,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, krb5_error_code kret; krb5_data inbuf; int32_t r_seq_number, l_seq_number; - + /* * We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP */ @@ -706,7 +736,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, { krb5_ap_rep_enc_part *repl; int32_t auth_flags; - + krb5_auth_con_removeflags(context, ctx->auth_context, KRB5_AUTH_CONTEXT_DO_TIME, @@ -735,7 +765,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, if (lifetime_rec == 0) { return GSS_S_CONTEXT_EXPIRED; } - + if (time_rec) *time_rec = lifetime_rec; } @@ -793,7 +823,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status, { kret = krb5_auth_con_setremoteseqnumber(context, ctx->auth_context, - r_seq_number); + r_seq_number); if (kret) { *minor_status = kret; return GSS_S_FAILURE; diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c index d0042e874b..0f1f5f81cf 100644 --- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c 
@@ -46,7 +46,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status, memset(&in_cred, 0, sizeof(in_cred)); in_cred.client = principal; - + realm = krb5_principal_get_realm(context, principal); if (realm == NULL) { _gsskrb5_clear_status (); @@ -81,17 +81,18 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status, static krb5_error_code get_keytab(krb5_context context, krb5_keytab *keytab) { - char kt_name[256]; krb5_error_code kret; HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); if (_gsskrb5_keytab != NULL) { - kret = krb5_kt_get_name(context, - _gsskrb5_keytab, - kt_name, sizeof(kt_name)); - if (kret == 0) - kret = krb5_kt_resolve(context, kt_name, keytab); + char *name = NULL; + + kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name); + if (kret == 0) { + kret = krb5_kt_resolve(context, name, keytab); + krb5_xfree(name); + } } else kret = krb5_kt_default(context, keytab); @@ -103,13 +104,13 @@ get_keytab(krb5_context context, krb5_keytab *keytab) static OM_uint32 acquire_initiator_cred (OM_uint32 * minor_status, krb5_context context, + gss_const_OID credential_type, + const void *credential_data, const gss_name_t desired_name, OM_uint32 time_req, - const gss_OID_set desired_mechs, + gss_const_OID desired_mech, gss_cred_usage_t cred_usage, - gsskrb5_cred handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec + gsskrb5_cred handle ) { OM_uint32 ret; @@ -132,6 +133,12 @@ static OM_uint32 acquire_initiator_cred * errors while searching. */ + if (credential_type != GSS_C_NO_OID && + !gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) { + kret = KRB5_NOCREDS_SUPPLIED; /* XXX */ + goto end; + } + if (handle->principal) { kret = krb5_cc_cache_match (context, handle->principal, 
@@ -174,14 +181,29 @@ static OM_uint32 acquire_initiator_cred if (kret) goto end; } - kret = get_keytab(context, &keytab); - if (kret) - goto end; kret = krb5_get_init_creds_opt_alloc(context, &opt); if (kret) goto end; - kret = krb5_get_init_creds_keytab(context, &cred, - handle->principal, keytab, 0, NULL, opt); + if (credential_type != GSS_C_NO_OID && + gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) { + gss_buffer_t password = (gss_buffer_t)credential_data; + + /* XXX are we requiring password to be NUL terminated? */ + + kret = krb5_get_init_creds_password(context, &cred, + handle->principal, + password->value, + NULL, NULL, 0, NULL, opt); + } else { + kret = get_keytab(context, &keytab); + if (kret) { + krb5_get_init_creds_opt_free(context, opt); + goto end; + } + kret = krb5_get_init_creds_keytab(context, &cred, + handle->principal, keytab, + 0, NULL, opt); + } krb5_get_init_creds_opt_free(context, opt); if (kret) goto end; @@ -233,19 +255,25 @@ end: static OM_uint32 acquire_acceptor_cred (OM_uint32 * minor_status, krb5_context context, + gss_const_OID credential_type, + const void *credential_data, const gss_name_t desired_name, OM_uint32 time_req, - const gss_OID_set desired_mechs, + gss_const_OID desired_mech, gss_cred_usage_t cred_usage, - gsskrb5_cred handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec + gsskrb5_cred handle ) { OM_uint32 ret; krb5_error_code kret; ret = GSS_S_FAILURE; + + if (credential_type != GSS_C_NO_OID) { + kret = EINVAL; + goto end; + } + kret = get_keytab(context, &handle->keytab); if (kret) goto end; 
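Review bot: In the first hunk `password->value` is passed straight to `krb5_get_init_creds_password()`, which takes a C string, while a `gss_buffer_t` carries an explicit `length` and is not required to be NUL terminated — the new `/* XXX are we requiring password to be NUL terminated? */` names the problem but leaves the over-read in place, and `credential_data` is dereferenced without a NULL check. Copy the buffer into a NUL-terminated temporary, use that, and wipe it afterwards (roken/libc `memset_s` or an equivalent that the optimizer cannot drop); the cast should also go through `gss_const_buffer_t` rather than discarding the `const` on `credential_data`. `acquire_initiator_cred` begins before this hunk and the `end:` label it jumps to is after it.

```c
	if (credential_type != GSS_C_NO_OID &&
	    gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
	    gss_const_buffer_t password = (gss_const_buffer_t)credential_data;
	    char *pw;

	    if (password == NULL || password->value == NULL) {
		kret = EINVAL;
		krb5_get_init_creds_opt_free(context, opt);
		goto end;
	    }
	    /* krb5_get_init_creds_password() wants a C string; the GSS
	     * buffer has an explicit length and may lack a terminator. */
	    pw = malloc(password->length + 1);
	    if (pw == NULL) {
		kret = ENOMEM;
		krb5_get_init_creds_opt_free(context, opt);
		goto end;
	    }
	    memcpy(pw, password->value, password->length);
	    pw[password->length] = '\0';

	    kret = krb5_get_init_creds_password(context, &cred,
						handle->principal, pw,
						NULL, NULL, 0, NULL, opt);
	    memset_s(pw, password->length + 1, 0, password->length + 1);
	    free(pw);
	} else {
	    /* … unchanged: keytab-based initial credentials … */
	}
```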
@@ -299,23 +327,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred OM_uint32 * time_rec ) { - krb5_context context; - gsskrb5_cred handle; OM_uint32 ret; - if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { - *minor_status = GSS_KRB5_S_G_BAD_USAGE; - return GSS_S_FAILURE; - } - - GSSAPI_KRB5_INIT(&context); - - *output_cred_handle = NULL; - if (time_rec) - *time_rec = 0; - if (actual_mechs) - *actual_mechs = GSS_C_NO_OID_SET; - if (desired_mechs) { int present = 0; @@ -329,6 +342,54 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } } + ret = _gsskrb5_acquire_cred_ext(minor_status, + desired_name, + GSS_C_NO_OID, + NULL, + time_req, + GSS_KRB5_MECHANISM, + cred_usage, + output_cred_handle); + if (ret) + return ret; + + + ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle, + NULL, time_rec, NULL, actual_mechs); + if (ret) { + OM_uint32 tmp; + _gsskrb5_release_cred(&tmp, output_cred_handle); + } + + return ret; +} + +OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext +(OM_uint32 * minor_status, + const gss_name_t desired_name, + gss_const_OID credential_type, + const void *credential_data, + OM_uint32 time_req, + gss_const_OID desired_mech, + gss_cred_usage_t cred_usage, + gss_cred_id_t * output_cred_handle + ) +{ + krb5_context context; + gsskrb5_cred handle; + OM_uint32 ret; + + cred_usage &= GSS_C_OPTION_MASK; + + if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { + *minor_status = GSS_KRB5_S_G_BAD_USAGE; + return GSS_S_FAILURE; + } + + GSSAPI_KRB5_INIT(&context); + + *output_cred_handle = NULL; + handle = calloc(1, sizeof(*handle)); if (handle == NULL) { *minor_status = ENOMEM; @@ -338,7 +399,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred HEIMDAL_MUTEX_init(&handle->cred_id_mutex); if (desired_name != GSS_C_NO_NAME) { - ret = _gsskrb5_canon_name(minor_status, context, 1, NULL, desired_name, &handle->principal); if (ret) { 
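Review bot: The first hunk removes `*output_cred_handle = NULL;`, `if (time_rec) *time_rec = 0;` and `if (actual_mechs) *actual_mechs = GSS_C_NO_OID_SET;` from the top of `_gsskrb5_acquire_cred`, but the `desired_mechs` check that follows (its body is between the two hunks) runs before `_gsskrb5_acquire_cred_ext()` is reached, so on that early-return path — and whenever `_gsskrb5_acquire_cred_ext()` fails — the caller's outputs are now left uninitialized; only `*output_cred_handle` is reset, and only inside the new function. Restore the three lines at the top of `_gsskrb5_acquire_cred`, right after the `OM_uint32 ret;` declaration, so the wrapper's outputs are defined on every exit. The `_gsskrb5_inquire_cred()` failure branch in the second hunk has the same gap: `time_rec`/`actual_mechs` may be partially written before the handle is released.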
@@ -349,9 +409,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { ret = acquire_initiator_cred(minor_status, context, + credential_type, credential_data, desired_name, time_req, - desired_mechs, cred_usage, handle, - actual_mechs, time_rec); + desired_mech, cred_usage, handle); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); krb5_free_principal(context, handle->principal); @@ -361,8 +421,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { ret = acquire_acceptor_cred(minor_status, context, + credential_type, credential_data, desired_name, time_req, - desired_mechs, cred_usage, handle, actual_mechs, time_rec); + desired_mech, cred_usage, handle); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); krb5_free_principal(context, handle->principal); @@ -374,9 +435,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred if (ret == GSS_S_COMPLETE) ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, &handle->mechanisms); - if (ret == GSS_S_COMPLETE) - ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle, - NULL, time_rec, NULL, actual_mechs); if (ret != GSS_S_COMPLETE) { if (handle->mechanisms != NULL) gss_release_oid_set(NULL, &handle->mechanisms); @@ -385,17 +443,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred free(handle); return (ret); } - *minor_status = 0; - if (time_rec) { - ret = _gsskrb5_lifetime_left(minor_status, - context, - handle->lifetime, - time_rec); - - if (ret) - return ret; - } handle->usage = cred_usage; + *minor_status = 0; *output_cred_handle = (gss_cred_id_t)handle; return (GSS_S_COMPLETE); } diff --git a/source4/heimdal/lib/gssapi/krb5/add_cred.c b/source4/heimdal/lib/gssapi/krb5/add_cred.c index a326613edd..00cf55f62d 100644 --- a/source4/heimdal/lib/gssapi/krb5/add_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/add_cred.c 
@@ -81,7 +81,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( return(GSS_S_FAILURE); } } - + /* check that we have the same name */ if (dname != NULL && krb5_principal_compare(context, dname, @@ -110,7 +110,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( handle->ccache = NULL; handle->mechanisms = NULL; HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - + ret = GSS_S_FAILURE; kret = krb5_copy_principal(context, cred->principal, @@ -123,23 +123,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( } if (cred->keytab) { - char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN]; - int len; - - ret = GSS_S_FAILURE; + char *name = NULL; - kret = krb5_kt_get_type(context, cred->keytab, - name, KRB5_KT_PREFIX_MAX_LEN); - if (kret) { - *minor_status = kret; - goto failure; - } - len = strlen(name); - name[len++] = ':'; + ret = GSS_S_FAILURE; - kret = krb5_kt_get_name(context, cred->keytab, - name + len, - sizeof(name) - len); + kret = krb5_kt_get_full_name(context, cred->keytab, &name); if (kret) { *minor_status = kret; goto failure; @@ -147,6 +135,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( kret = krb5_kt_resolve(context, name, &handle->keytab); + krb5_xfree(name); if (kret){ *minor_status = kret; goto failure; @@ -166,7 +155,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( } if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_new_unique(context, type, + ret = krb5_cc_new_unique(context, type, NULL, &handle->ccache); if (ret) { *minor_status = ret; @@ -186,20 +175,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( *minor_status = ENOMEM; goto failure; } - + kret = asprintf(&type_name, "%s:%s", type, name); if (kret < 0 || type_name == NULL) { *minor_status = ENOMEM; goto failure; } - + kret = krb5_cc_resolve(context, type_name, &handle->ccache); free(type_name); if (kret) { *minor_status = kret; goto failure; - } + } } } ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); 
diff --git a/source4/heimdal/lib/gssapi/krb5/aeap.c b/source4/heimdal/lib/gssapi/krb5/aeap.c index 040cd3ee76..47913e4aec 100644 --- a/source4/heimdal/lib/gssapi/krb5/aeap.c +++ b/source4/heimdal/lib/gssapi/krb5/aeap.c @@ -69,11 +69,11 @@ _gk_unwrap_iov(OM_uint32 *minor_status, krb5_context context; GSSAPI_KRB5_INIT (&context); - + if (ctx->more_flags & IS_CFX) return _gssapi_unwrap_cfx_iov(minor_status, ctx, context, conf_state, qop_state, iov, iov_count); - + return GSS_S_FAILURE; } @@ -88,13 +88,13 @@ _gk_wrap_iov_length(OM_uint32 * minor_status, { const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; krb5_context context; - + GSSAPI_KRB5_INIT (&context); - + if (ctx->more_flags & IS_CFX) return _gssapi_wrap_iov_length_cfx(minor_status, ctx, context, conf_req_flag, qop_req, conf_state, iov, iov_count); - + return GSS_S_FAILURE; } diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c index dc59e997bd..0264207e4a 100644 --- a/source4/heimdal/lib/gssapi/krb5/arcfour.c +++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c @@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type) + const char *type) { krb5_error_code ret; uint32_t seq_number; @@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, p = token_buffer->value; omret = _gsskrb5_verify_header (&p, token_buffer->length, - (u_char *)type, + type, GSS_KRB5_MECHANISM); if (omret) return omret; @@ -309,7 +309,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0); EVP_Cipher(&rc4_key, SND_SEQ, p, 8); 
@@ -462,7 +462,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, if(conf_req_flag) { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen); @@ -481,7 +481,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8); @@ -581,7 +581,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8); @@ -629,7 +629,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, if(conf_flag) { EVP_CIPHER_CTX rc4_key; - + EVP_CIPHER_CTX_init(&rc4_key); EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8); diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c index 1189718adc..3c1536b60e 100755 --- a/source4/heimdal/lib/gssapi/krb5/cfx.c +++ b/source4/heimdal/lib/gssapi/krb5/cfx.c @@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *header, *trailer, *padding; size_t gsshsize, k5hsize; size_t gsstsize, k5tsize; - size_t i, rrc = 0, ec = 0; + size_t rrc = 0, ec = 0; + int i; gss_cfx_wrap_token token; krb5_error_code ret; int32_t seq_number; @@ -424,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, token->Flags = 0; token->Filler = 0xFF; + if ((ctx->more_flags & LOCAL) == 0) + token->Flags |= CFXSentByAcceptor; + if (ctx->more_flags & ACCEPTOR_SUBKEY) token->Flags |= CFXAcceptorSubkey; @@ -565,7 +569,7 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, plain packet: {data | "header" | gss-trailer (krb5 checksum) - + don't do RRC != 0 */ 
@@ -647,7 +651,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING || GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER) len += iov[i].buffer.length; - + p = malloc(len); if (p == NULL) { *minor_status = ENOMEM; @@ -666,7 +670,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int q += iov[i].buffer.length; } } - assert((q - p) == len); + assert((size_t)(q - p) == len); /* unrotate first part */ q = p + rrc; diff --git a/source4/heimdal/lib/gssapi/krb5/compat.c b/source4/heimdal/lib/gssapi/krb5/compat.c index 221d219c69..3381dffa19 100644 --- a/source4/heimdal/lib/gssapi/krb5/compat.c +++ b/source4/heimdal/lib/gssapi/krb5/compat.c @@ -59,7 +59,7 @@ check_compat(OM_uint32 *minor_status, *compat = match_val; break; } - + krb5_free_principal(context, match); match = NULL; } diff --git a/source4/heimdal/lib/gssapi/krb5/context_time.c b/source4/heimdal/lib/gssapi/krb5/context_time.c index 7b27906b5b..cb1550011c 100644 --- a/source4/heimdal/lib/gssapi/krb5/context_time.c +++ b/source4/heimdal/lib/gssapi/krb5/context_time.c @@ -88,6 +88,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_context_time if (*time_rec == 0) return GSS_S_CONTEXT_EXPIRED; - + return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c index 4e65fc1cf3..e332d29c84 100644 --- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c @@ -100,7 +100,7 @@ _gsskrb5_krb5_import_cred(OM_uint32 *minor_status, *minor_status = kret; return GSS_S_FAILURE; } - + if (keytab_principal) { krb5_boolean match; diff --git a/source4/heimdal/lib/gssapi/krb5/creds.c b/source4/heimdal/lib/gssapi/krb5/creds.c index d2c253e84b..fa45d19b98 100644 --- a/source4/heimdal/lib/gssapi/krb5/creds.c +++ b/source4/heimdal/lib/gssapi/krb5/creds.c 
@@ -47,7 +47,7 @@ _gsskrb5_export_cred(OM_uint32 *minor_status, char *str; GSSAPI_KRB5_INIT (&context); - + if (handle->usage != GSS_C_INITIATE && handle->usage != GSS_C_BOTH) { *minor_status = GSS_KRB5_S_G_BAD_USAGE; return GSS_S_FAILURE; @@ -93,14 +93,14 @@ _gsskrb5_export_cred(OM_uint32 *minor_status, *minor_status = ret; return GSS_S_FAILURE; } - + ret = krb5_cc_get_full_name(context, handle->ccache, &str); if (ret) { krb5_storage_free(sp); *minor_status = ret; return GSS_S_FAILURE; } - + ret = krb5_store_string(sp, str); free(str); if (ret) { @@ -222,7 +222,7 @@ _gsskrb5_import_cred(OM_uint32 * minor_status, *minor_status = ret; return GSS_S_FAILURE; } - + ret = krb5_cc_resolve(context, str, &id); krb5_xfree(str); if (ret) { diff --git a/source4/heimdal/lib/gssapi/krb5/encapsulate.c b/source4/heimdal/lib/gssapi/krb5/encapsulate.c index 79cd9232e1..fe5dac7c60 100644 --- a/source4/heimdal/lib/gssapi/krb5/encapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/encapsulate.c @@ -114,7 +114,7 @@ _gssapi_encapsulate( if (output_token->value == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; - } + } p = _gssapi_make_mech_header (output_token->value, len, mech); memcpy (p, in_data->data, in_data->length); @@ -145,7 +145,7 @@ _gsskrb5_encapsulate( if (output_token->value == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; - } + } p = _gsskrb5_make_header (output_token->value, len, type, mech); memcpy (p, in_data->data, in_data->length); diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index d6f14a48f7..26ede2487d 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_SASL_MECH_NAME, GSS_MO_MA, "SASL mech name", - "GS2-KRB5", + rk_UNCONST("GS2-KRB5"), _gss_mo_get_ctx_as_string, NULL }, 
@@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_MECH_NAME, GSS_MO_MA, "Mechanism name", - "KRB5", + rk_UNCONST("KRB5"), _gss_mo_get_ctx_as_string, NULL }, @@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_MECH_DESCRIPTION, GSS_MO_MA, "Mechanism description", - "Heimdal Kerberos 5 mech", + rk_UNCONST("Heimdal Kerberos 5 mech"), _gss_mo_get_ctx_as_string, NULL }, @@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = { static gssapi_mech_interface_desc krb5_mech = { GMI_VERSION, "kerberos 5", - {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }, + {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }, 0, _gsskrb5_acquire_cred, _gsskrb5_release_cred, @@ -315,7 +315,7 @@ static gssapi_mech_interface_desc krb5_mech = { _gsskrb5_store_cred, _gsskrb5_export_cred, _gsskrb5_import_cred, - NULL, + _gsskrb5_acquire_cred_ext, NULL, NULL, NULL, @@ -323,7 +323,16 @@ static gssapi_mech_interface_desc krb5_mech = { NULL, NULL, krb5_mo, - sizeof(krb5_mo) / sizeof(krb5_mo[0]) + sizeof(krb5_mo) / sizeof(krb5_mo[0]), + _gsskrb5_pname_to_uid, + _gsskrb5_authorize_localname, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL }; gssapi_mech_interface diff --git a/source4/heimdal/lib/gssapi/krb5/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c index 2a071a305e..5fe512672f 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_name.c +++ b/source4/heimdal/lib/gssapi/krb5/import_name.c @@ -107,9 +107,9 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context, return GSS_S_BAD_NAME; else if (p->name.name_string.len > 1) hostname = p->name.name_string.val[1]; - + service = p->name.name_string.val[0]; - + ret = krb5_sname_to_principal(context, hostname, service, diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index 53855ca045..5f8b01b727 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c 
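Review bot: The new tail of the `krb5_mech` initializer in the `@@ -323` hunk is positional, so the nine trailing `NULL`s only line up with `gssapi_mech_interface_desc` for as long as nobody inserts a field in the middle of that struct, and the `@@ -315` hunk fills a slot the same way. Designated initializers (`.gm_acquire_cred_ext = _gsskrb5_acquire_cred_ext`, `.gm_pname_to_uid = _gsskrb5_pname_to_uid`, `.gm_authorize_localname = _gsskrb5_authorize_localname`) would pin each callback to its slot and let the unused slots default to zero. Those field names are inferred from the `gm_ ## name` macros in gss_mech_switch.c, so confirm them against the struct definition. The `krb5_mo` entries switching to `rk_UNCONST()` raise nothing.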
@@ -41,7 +41,7 @@ static OM_uint32 set_addresses (krb5_context context, krb5_auth_context ac, - const gss_channel_bindings_t input_chan_bindings) + const gss_channel_bindings_t input_chan_bindings) { /* Port numbers are expected to be in application_data.value, * initator's port first */ @@ -422,11 +422,6 @@ init_auth goto failure; } - ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); - if (ret) - goto failure; - - /* * This is hideous glue for (NFS) clients that wants to limit the * available enctypes to what it can support (encryption in @@ -458,17 +453,21 @@ init_auth * DNS canonicalizion. */ ret = gsskrb5_get_creds(minor_status, context, ctx->ccache, - ctx, name, 0, time_req, + ctx, name, 0, time_req, time_rec); if (ret && allow_dns) ret = gsskrb5_get_creds(minor_status, context, ctx->ccache, - ctx, name, 1, time_req, + ctx, name, 1, time_req, time_rec); if (ret) goto failure; ctx->lifetime = ctx->kcred->times.endtime; + ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); + if (ret) + goto failure; + ret = _gsskrb5_lifetime_left(minor_status, context, ctx->lifetime, @@ -530,7 +529,7 @@ init_auth_restart Checksum cksum; krb5_enctype enctype; krb5_data fwd_data, timedata; - int32_t offset = 0, oldoffset; + int32_t offset = 0, oldoffset = 0; uint32_t flagmask; krb5_data_zero(&outbuf); @@ -544,7 +543,7 @@ init_auth_restart */ if (!ctx->kcred->flags.b.ok_as_delegate) { krb5_data data; - + ret = krb5_cc_get_config(context, ctx->ccache, NULL, "realm-config", &data); if (ret == 0) { @@ -676,7 +675,8 @@ init_auth_restart output_token->length = outbuf.length; } else { ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token, - (u_char *)"\x01\x00", GSS_KRB5_MECHANISM); + (u_char *)(intptr_t)"\x01\x00", + GSS_KRB5_MECHANISM); krb5_data_free (&outbuf); if (ret) goto failure; 
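Review bot: The `_gss_DES3_get_mic_compat()` call is moved from before `gsskrb5_get_creds()` to after `ctx->lifetime` is set, with nothing saying why; if the reason is that the compat check needs `ctx->kcred` to be populated, a one-line comment such as `/* needs ctx->kcred, so must run after gsskrb5_get_creds() */` would stop the next refactor moving it back. In the `@@ -676` hunk, `(u_char *)(intptr_t)"\x01\x00"` launders the literal's const away through an integer cast, whereas the rest of this series (external.c, gss_accept_sec_context.c) uses `rk_UNCONST()` for the same purpose; `rk_UNCONST("\x01\x00")` would be consistent and easier to grep for. The `oldoffset = 0` initialisation in `init_auth_restart` looks correct. `init_auth` and `init_auth_restart` both begin and end outside these hunks.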
@@ -848,9 +848,9 @@ repl_mutual *minor_status = kret; return GSS_S_FAILURE; } - + /* reset local seq number */ - krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); + krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); output_token->length = outbuf.length; output_token->value = outbuf.data; @@ -911,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context return GSS_S_BAD_MECH; if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) { - OM_uint32 ret; + OM_uint32 ret1; if (*context_handle != GSS_C_NO_CONTEXT) { *minor_status = 0; return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE; } - ret = _gsskrb5_create_ctx(minor_status, + ret1 = _gsskrb5_create_ctx(minor_status, context_handle, context, input_chan_bindings, INITIATOR_START); - if (ret) - return ret; + if (ret1) + return ret1; } if (*context_handle == GSS_C_NO_CONTEXT) { @@ -953,7 +953,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context ret_flags, time_rec); if (ret != GSS_S_COMPLETE) - break; + break; /* FALL THOUGH */ case INITIATOR_RESTART: ret = init_auth_restart(minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c index d3798623ff..f88199692c 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c @@ -95,12 +95,12 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred if (output_name != NULL) { if (icred && icred->principal != NULL) { gss_name_t name; - + if (acred && acred->principal) name = (gss_name_t)acred->principal; else name = (gss_name_t)icred->principal; - + ret = _gsskrb5_duplicate_name(minor_status, name, output_name); if (ret) goto out; diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c index dc02b99851..65bd49c971 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c 
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c @@ -72,6 +72,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_names_for_mech ( if (ret != GSS_S_COMPLETE) gss_release_oid_set(NULL, name_types); - + return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c index 14816e7a05..b57217a4e8 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c @@ -159,10 +159,10 @@ static OM_uint32 inquire_sec_context_get_subkey { gss_buffer_desc value; - + value.length = data.length; value.value = data.data; - + maj_stat = gss_add_buffer_set_member(minor_status, &value, data_set); @@ -179,6 +179,46 @@ out: return maj_stat; } +static OM_uint32 inquire_sec_context_get_sspi_session_key + (OM_uint32 *minor_status, + const gsskrb5_ctx context_handle, + krb5_context context, + gss_buffer_set_t *data_set) +{ + krb5_keyblock *key; + OM_uint32 maj_stat = GSS_S_COMPLETE; + krb5_error_code ret; + gss_buffer_desc value; + + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(context_handle, context, &key); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + + if (ret) + goto out; + if (key == NULL) { + ret = EINVAL; + goto out; + } + + value.length = key->keyvalue.length; + value.value = key->keyvalue.data; + + maj_stat = gss_add_buffer_set_member(minor_status, + &value, + data_set); + krb5_free_keyblock(context, key); + + /* MIT also returns the enctype encoded as an OID in data_set[1] */ + +out: + if (ret) { + *minor_status = ret; + maj_stat = GSS_S_FAILURE; + } + return maj_stat; +} + static OM_uint32 inquire_sec_context_authz_data (OM_uint32 *minor_status, const gsskrb5_ctx context_handle, 
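Review bot: `inquire_sec_context_get_sspi_session_key` hands the raw session key bytes to the caller through `gss_add_buffer_set_member` (the set must hold its own copy, since `key` is freed immediately afterwards), but nothing documents that the caller now owns key material and must release it with `gss_release_buffer_set`; a header comment such as `/* Exports the context's token key (raw key material) as data_set[0]; the caller owns the buffer set and should scrub it before release. */` would make that explicit. The trailing comment says MIT also returns the enctype as an OID in data_set[1], yet this function returns a single member, so a caller written against MIT that indexes `elements[1]` will misbehave; either add the second member or reword the comment to say the second element is deliberately omitted here. Minor: the `ret`-then-`maj_stat` double status on the `out:` path is easy to get wrong later; setting `maj_stat` directly at each failure site would be simpler.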
@@ -464,10 +504,10 @@ get_service_keyblock { gss_buffer_desc value; - + value.length = data.length; value.value = data.data; - + maj_stat = gss_add_buffer_set_member(minor_status, &value, data_set); @@ -530,6 +570,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid context, ACCEPTOR_KEY, data_set); + } else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) { + return inquire_sec_context_get_sspi_session_key(minor_status, + ctx, + context, + data_set); } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) { return get_authtime(minor_status, ctx, data_set); } else if (oid_prefix_equal(desired_object, diff --git a/source4/heimdal/lib/gssapi/krb5/prf.c b/source4/heimdal/lib/gssapi/krb5/prf.c index 323b4cc722..162a309709 100644 --- a/source4/heimdal/lib/gssapi/krb5/prf.c +++ b/source4/heimdal/lib/gssapi/krb5/prf.c @@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, krb5_crypto crypto; krb5_data input, output; uint32_t num; + OM_uint32 junk; unsigned char *p; krb5_keyblock *key = NULL; + size_t dol; if (ctx == NULL) { *minor_status = 0; return GSS_S_NO_CONTEXT; } - if (desired_output_len <= 0) { + if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) { *minor_status = 0; return GSS_S_FAILURE; } + dol = desired_output_len; GSSAPI_KRB5_INIT (&context); 
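Review bot: The added `prf_in->length + 4 < prf_in->length` guard in `_gsskrb5_pseudo_random` is correct but opaque; it deserves a comment tying it to the allocation later in the function, e.g. `/* input is prf_in prefixed by a 4-byte counter; reject lengths where that sum wraps */`. Likewise `dol = desired_output_len;` converts what the `<= 0` test suggests is a signed length into `size_t`, and is only safe because that test rejected negatives — placing the assignment directly after the check, or noting the dependence in a comment, would keep the two from drifting apart. The function continues outside the hunk.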
@@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, return GSS_S_FAILURE; } - prf_out->value = malloc(desired_output_len); + prf_out->value = malloc(dol); if (prf_out->value == NULL) { _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory"); *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } - prf_out->length = desired_output_len; + prf_out->length = dol; HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); input.length = prf_in->length + 4; input.data = malloc(prf_in->length + 4); if (input.data == NULL) { - OM_uint32 junk; _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory"); *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; gss_release_buffer(&junk, prf_out); @@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_FAILURE; } - memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length); + memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length); num = 0; p = prf_out->value; - while(desired_output_len > 0) { + while(dol > 0) { + size_t tsize; + _gsskrb5_encode_om_uint32(num, input.data); + ret = krb5_crypto_prf(context, crypto, &input, &output); if (ret) { - OM_uint32 junk; *minor_status = ret; free(input.data); gss_release_buffer(&junk, prf_out); @@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_FAILURE; } - memcpy(p, output.data, min(desired_output_len, output.length)); + + tsize = min(dol, output.length); + memcpy(p, output.data, tsize); p += output.length; - desired_output_len -= output.length; + dol -= tsize; krb5_data_free(&output); num++; } diff --git a/source4/heimdal/lib/gssapi/krb5/process_context_token.c b/source4/heimdal/lib/gssapi/krb5/process_context_token.c index 4feda0de04..0cc1c07cfb 100644 --- a/source4/heimdal/lib/gssapi/krb5/process_context_token.c 
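Review bot: In the `@@ -126` hunk the loop now copies `tsize` bytes but still advances with `p += output.length;`, so on the final block `p` is moved past the end of `prf_out->value` by `output.length - tsize` bytes; nothing dereferences it afterwards, but forming a pointer beyond one-past-the-end is undefined behaviour and the intent is clearly `p += tsize;`. With `dol -= tsize` already in place, that one-line change makes `p`, `dol` and the copy agree. Hoisting `OM_uint32 junk` to function scope in the `@@ -88` hunk is fine.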
+++ b/source4/heimdal/lib/gssapi/krb5/process_context_token.c @@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token ( (gsskrb5_ctx)context_handle, context, token_buffer, &empty_buffer, - GSS_C_QOP_DEFAULT, "\x01\x02"); + GSS_C_QOP_DEFAULT, + "\x01\x02"); if (ret == GSS_S_COMPLETE) ret = _gsskrb5_delete_sec_context(minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/sequence.c b/source4/heimdal/lib/gssapi/krb5/sequence.c index fbbc5b6c70..2e0e7b20f9 100644 --- a/source4/heimdal/lib/gssapi/krb5/sequence.c +++ b/source4/heimdal/lib/gssapi/krb5/sequence.c @@ -64,7 +64,7 @@ msg_order_alloc(OM_uint32 *minor_status, if (*o == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; - } + } *minor_status = 0; return GSS_S_COMPLETE; @@ -141,7 +141,7 @@ OM_uint32 _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num) { OM_uint32 r; - int i; + size_t i; if (o == NULL) return GSS_S_COMPLETE; diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c index 5ff6172fb9..bd38716751 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c @@ -209,7 +209,7 @@ no_ci_flags(OM_uint32 *minor_status, cred = (gsskrb5_cred)*cred_handle; cred->cred_flags |= GSS_CF_NO_CI_FLAGS; - + *minor_status = 0; return GSS_S_COMPLETE; @@ -241,7 +241,7 @@ _gsskrb5_set_cred_option if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) { return no_ci_flags(minor_status, context, cred_handle, value); } - + *minor_status = EINVAL; return GSS_S_FAILURE; diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index 237af1a52c..141ff722fb 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c 
@@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option if (maj_stat != GSS_S_COMPLETE) return maj_stat; - _gsskrb5_register_acceptor_identity(str); + maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str); free(str); - *minor_status = 0; - return GSS_S_COMPLETE; + return maj_stat; } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) { char *str; @@ -222,7 +221,7 @@ _gsskrb5_set_sec_context_option return maj_stat; t = time(NULL) + offset; - + krb5_set_real_time(context, t, 0); *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/krb5/store_cred.c b/source4/heimdal/lib/gssapi/krb5/store_cred.c index 21f9f6e8ab..a3aa2fb83e 100644 --- a/source4/heimdal/lib/gssapi/krb5/store_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/store_cred.c @@ -103,7 +103,7 @@ _gsskrb5_store_cred(OM_uint32 *minor_status, *minor_status = ret; return(GSS_S_FAILURE); } - + if (default_cred) krb5_cc_switch(context, id); diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index 7620d691bd..d6bc204777 100644 --- a/source4/heimdal/lib/gssapi/krb5/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -54,7 +54,7 @@ unwrap_des DES_key_schedule schedule; DES_cblock deskey; DES_cblock zero; - int i; + size_t i; uint32_t seq_number; size_t padlength; OM_uint32 ret; @@ -98,6 +98,7 @@ unwrap_des if(cstate) { /* decrypt data */ memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); + memset (&zero, 0, sizeof(zero)); for (i = 0; i < sizeof(deskey); ++i) deskey[i] ^= 0xf0; diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index 9a5445698b..3123787ff4 100644 --- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -44,7 +44,7 @@ verify_mic_des const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type + const char *type ) { u_char *p; 
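Review bot: The added `memset (&zero, 0, sizeof(zero));` in `unwrap_des` initialises `zero` before use, which is correct but deserves a comment saying what the block is for, e.g. `/* all-zero IV for the DES-CBC decryption below */` (inferred from the name — confirm against the decrypt call, which is outside the hunk). `wrap_des` in the `@@ -214` hunk of wrap.c declares the same `DES_cblock zero;`, and that hunk does not show whether it is initialised, so it is worth checking it has the equivalent memset. The `int i` to `size_t i` change matches the `sizeof(deskey)` loop bound.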
@@ -142,7 +142,7 @@ verify_mic_des3 const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type + const char *type ) { u_char *p; @@ -276,7 +276,7 @@ _gsskrb5_verify_mic_internal const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, - char * type + const char * type ) { krb5_keyblock *key; @@ -348,7 +348,7 @@ _gsskrb5_verify_mic (gsskrb5_ctx)context_handle, context, message_buffer, token_buffer, - qop_state, "\x01\x01"); + qop_state, (void *)(intptr_t)"\x01\x01"); return ret; } diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index 54f92df609..efd0d82c49 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -214,7 +214,7 @@ wrap_des EVP_CIPHER_CTX des_ctx; DES_cblock deskey; DES_cblock zero; - int i; + size_t i; int32_t seq_number; size_t len, total_len, padlength, datalen; diff --git a/source4/heimdal/lib/gssapi/mech/cred.h b/source4/heimdal/lib/gssapi/mech/cred.h index adffe6893e..5661b53239 100644 --- a/source4/heimdal/lib/gssapi/mech/cred.h +++ b/source4/heimdal/lib/gssapi/mech/cred.h @@ -39,3 +39,19 @@ struct _gss_cred { struct _gss_mechanism_cred_list gc_mc; }; +struct _gss_mechanism_cred * +_gss_copy_cred(struct _gss_mechanism_cred *mc); + +struct _gss_mechanism_name; + +OM_uint32 +_gss_acquire_mech_cred(OM_uint32 *minor_status, + gssapi_mech_interface m, + const struct _gss_mechanism_name *mn, + gss_const_OID credential_type, + const void *credential_data, + OM_uint32 time_req, + gss_const_OID desired_mech, + gss_cred_usage_t cred_usage, + struct _gss_mechanism_cred **output_cred_handle); + diff --git a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c index 92d7e7f05d..bf7ea03f72 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c 
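Review bot: Now that `_gsskrb5_verify_mic_internal` takes `const char * type` (the `@@ -276` hunk), the `(void *)(intptr_t)"\x01\x01"` cast in `_gsskrb5_verify_mic` is unnecessary and actively hides the type: it converts a string literal to `void *` through an integer, only for it to land in a `const char *` parameter. Passing the literal directly, `qop_state, "\x01\x01");`, is what the constification was for, and it matches how process_context_token.c passes `"\x01\x02"` in this same series. The wrap.c and cred.h hunks raise nothing.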
@@ -34,17 +34,17 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid) unsigned char *p = input_token->value; size_t len = input_token->length; size_t a, b; - + /* * Token must start with [APPLICATION 0] SEQUENCE. * But if it doesn't assume it is DCE-STYLE Kerberos! */ if (len == 0) return (GSS_S_DEFECTIVE_TOKEN); - + p++; len--; - + /* * Decode the length and make sure it agrees with the * token length. @@ -71,7 +71,7 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid) } if (a != len) return (GSS_S_DEFECTIVE_TOKEN); - + /* * Decode the OID for the mechanism. Simplify life by * assuming that the OID length is less than 128 bytes. @@ -84,9 +84,9 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid) p += 2; len -= 2; mech_oid->elements = p; - + return GSS_S_COMPLETE; -} +} static gss_OID_desc krb5_mechanism = {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")}; @@ -221,7 +221,7 @@ gss_accept_sec_context(OM_uint32 *minor_status, acceptor_mc = GSS_C_NO_CREDENTIAL; } delegated_mc = GSS_C_NO_CREDENTIAL; - + mech_ret_flags = 0; major_status = m->gm_accept_sec_context(minor_status, &ctx->gc_ctx, @@ -267,7 +267,7 @@ gss_accept_sec_context(OM_uint32 *minor_status, mech_ret_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); } else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) { - /* + /* * If the returned mech_type is not the same * as the mech, assume its pseudo mech type * and the returned type is already a diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c index c9900148c2..ade65df8ec 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c @@ -46,7 +46,7 @@ gss_acquire_cred(OM_uint32 *minor_status, struct _gss_cred *cred; struct _gss_mechanism_cred *mc; OM_uint32 min_time, cred_time; - int i; + size_t i; *minor_status = 0; if (output_cred_handle == NULL) 
diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c index 19deea5b06..a998bc60ff 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c @@ -28,7 +28,7 @@ #include "mech_locl.h" -static struct _gss_mechanism_cred * +struct _gss_mechanism_cred * _gss_copy_cred(struct _gss_mechanism_cred *mc) { struct _gss_mechanism_cred *new_mc; diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c index 191a4a305c..a23270511e 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c @@ -47,7 +47,7 @@ * * @returns a gss_error code, see gss_display_status() about printing * the error code. - * + * * @ingroup gssapi */ diff --git a/source4/heimdal/lib/gssapi/mech/gss_aeap.c b/source4/heimdal/lib/gssapi/mech/gss_aeap.c index 141b6ae5ac..3008c0d344 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_aeap.c +++ b/source4/heimdal/lib/gssapi/mech/gss_aeap.c @@ -1,6 +1,6 @@ /* * AEAD support - */ + */ #include "mech_locl.h" @@ -90,7 +90,7 @@ gss_unwrap_iov(OM_uint32 *minor_status, int iov_count) { struct _gss_context *ctx = (struct _gss_context *) context_handle; - gssapi_mech_interface m; + gssapi_mech_interface m; if (minor_status) *minor_status = 0; @@ -168,7 +168,7 @@ gss_release_iov_buffer(OM_uint32 *minor_status, int iov_count) { OM_uint32 junk; - size_t i; + int i; if (minor_status) *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c index 3099b163b5..48fb720ad0 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c +++ b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c 
@@ -100,7 +100,7 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_release_buffer_set(OM_uint32 * minor_status, gss_buffer_set_t *buffer_set) { - int i; + size_t i; OM_uint32 minor; *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c index e87931dc78..bd8ff52120 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c @@ -48,7 +48,7 @@ * * @returns a gss_error code, see gss_display_status() about printing * the error code. - * + * * @ingroup gssapi */ diff --git a/source4/heimdal/lib/gssapi/mech/gss_cred.c b/source4/heimdal/lib/gssapi/mech/gss_cred.c index b8fa11185a..99de68776e 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_cred.c @@ -85,7 +85,7 @@ gss_export_cred(OM_uint32 * minor_status, } ret = krb5_storage_write(sp, buffer.value, buffer.length); - if (ret != buffer.length) { + if (ret < 0 || (size_t)ret != buffer.length) { gss_release_buffer(minor_status, &buffer); krb5_storage_free(sp); *minor_status = EINVAL; @@ -183,7 +183,7 @@ gss_import_cred(OM_uint32 * minor_status, buffer.value = data.data; buffer.length = data.length; - major = m->gm_import_cred(minor_status, + major = m->gm_import_cred(minor_status, &buffer, &mcred); krb5_data_free(&data); if (major) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c index 0fe3b4f5a5..3f2974e8ca 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c @@ -34,8 +34,8 @@ #include "mech_locl.h" GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL -gss_decapsulate_token(const gss_buffer_t input_token, - const gss_OID oid, +gss_decapsulate_token(gss_const_buffer_t input_token, + gss_const_OID oid, gss_buffer_t output_token) { GSSAPIContextToken ct; 
@@ -55,7 +55,7 @@ gss_decapsulate_token(const gss_buffer_t input_token, if (ret) { der_free_oid(&o); return GSS_S_FAILURE; - } + } if (der_heim_oid_cmp(&ct.thisMech, &o) == 0) { status = GSS_S_COMPLETE; diff --git a/source4/heimdal/lib/gssapi/mech/gss_display_status.c b/source4/heimdal/lib/gssapi/mech/gss_display_status.c index d6aaf98827..1e508caa9b 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_display_status.c +++ b/source4/heimdal/lib/gssapi/mech/gss_display_status.c @@ -190,7 +190,7 @@ gss_display_status(OM_uint32 *minor_status, oid.value = rk_UNCONST("unknown"); oid.length = 7; } - + e = asprintf (&buf, "unknown mech-code %lu for mech %.*s", (unsigned long)status_value, (int)oid.length, (char *)oid.value); diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c index 053825bbc3..a76c87cb85 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c @@ -52,7 +52,7 @@ gss_duplicate_name(OM_uint32 *minor_status, if (major_status != GSS_S_COMPLETE) return (major_status); new_name = (struct _gss_name *) *dest_name; - + HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { struct _gss_mechanism_name *mn2; _gss_find_mn(minor_status, new_name, @@ -67,10 +67,10 @@ gss_duplicate_name(OM_uint32 *minor_status, memset(new_name, 0, sizeof(struct _gss_name)); HEIM_SLIST_INIT(&new_name->gn_mn); *dest_name = (gss_name_t) new_name; - + HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { struct _gss_mechanism_name *new_mn; - + new_mn = malloc(sizeof(*new_mn)); if (!new_mn) { *minor_status = ENOMEM; @@ -78,7 +78,7 @@ gss_duplicate_name(OM_uint32 *minor_status, } new_mn->gmn_mech = mn->gmn_mech; new_mn->gmn_mech_oid = mn->gmn_mech_oid; - + major_status = mn->gmn_mech->gm_duplicate_name(minor_status, mn->gmn_name, &new_mn->gmn_name); 
diff --git a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c index fc0ec736bb..1b1f973eaa 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c @@ -34,8 +34,8 @@ #include "mech_locl.h" GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL -gss_encapsulate_token(const gss_buffer_t input_token, - const gss_OID oid, +gss_encapsulate_token(gss_const_buffer_t input_token, + gss_const_OID oid, gss_buffer_t output_token) { GSSAPIContextToken ct; @@ -58,7 +58,7 @@ gss_encapsulate_token(const gss_buffer_t input_token, if (ret) { _mg_buffer_zero(output_token); return GSS_S_FAILURE; - } + } if (output_token->length != size) abort(); diff --git a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c index babc8ebdf4..369f3a2257 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c @@ -42,7 +42,7 @@ gss_export_sec_context(OM_uint32 *minor_status, major_status = m->gm_export_sec_context(minor_status, &ctx->gc_ctx, &buf); - + if (major_status == GSS_S_COMPLETE) { unsigned char *p; diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_name.c b/source4/heimdal/lib/gssapi/mech/gss_import_name.c index 574c058fc2..d1b3dc95b4 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_import_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_import_name.c @@ -41,6 +41,7 @@ _gss_import_export_name(OM_uint32 *minor_status, gssapi_mech_interface m; struct _gss_name *name; gss_name_t new_canonical_name; + int composite = 0; *minor_status = 0; *output_name = 0; 
@@ -50,8 +51,17 @@ _gss_import_export_name(OM_uint32 *minor_status, */ if (len < 2) return (GSS_S_BAD_NAME); - if (p[0] != 4 || p[1] != 1) + if (p[0] != 4) return (GSS_S_BAD_NAME); + switch (p[1]) { + case 1: /* non-composite name */ + break; + case 2: /* composite name */ + composite = 1; + break; + default: + return (GSS_S_BAD_NAME); + } p += 2; len -= 2; @@ -106,7 +116,7 @@ _gss_import_export_name(OM_uint32 *minor_status, p += 4; len -= 4; - if (len != t) + if (!composite && len != t) return (GSS_S_BAD_NAME); m = __gss_get_mechanism(&mech_oid); @@ -159,7 +169,7 @@ _gss_import_export_name(OM_uint32 *minor_status, * * @returns a gss_error code, see gss_display_status() about printing * the error code. - * + * * @ingroup gssapi */ @@ -231,7 +241,7 @@ gss_import_name(OM_uint32 *minor_status, HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) { int present = 0; - major_status = gss_test_oid_set_member(minor_status, + major_status = gss_test_oid_set_member(minor_status, name_type, m->gm_name_types, &present); if (major_status || present == 0) diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c index 2a376fefea..9865db78d4 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c @@ -58,7 +58,7 @@ gss_import_sec_context(OM_uint32 *minor_status, mech_oid.elements = p + 2; buf.length = len - 2 - mech_oid.length; buf.value = p + 2 + mech_oid.length; - + m = __gss_get_mechanism(&mech_oid); if (!m) return (GSS_S_DEFECTIVE_TOKEN); diff --git a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c index 59a1dcf22b..8fd53d956d 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c +++ b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c 
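Review bot: The relaxed check `if (!composite && len != t)` in the `@@ -106` hunk drops all length validation for composite names: a token whose encoded mechanism-name length `t` exceeds the remaining `len` is now accepted, and the code after the hunk presumably hands `t` bytes starting at `p` to the mechanism's import routine, which would then read past the end of the token. The check should still reject `t > len` for both kinds, e.g. `if (composite ? t > len : len != t) return (GSS_S_BAD_NAME);`. For composite names whatever follows the first `t` bytes (the attribute section) is silently ignored; if that is intentional a comment on the `case 2:` arm should say so. `_gss_import_export_name` starts and ends outside these hunks.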
@@ -35,14 +35,14 @@ gss_indicate_mechs(OM_uint32 *minor_status, struct _gss_mech_switch *m; OM_uint32 major_status; gss_OID_set set; - int i; + size_t i; _gss_load_mech(); major_status = gss_create_empty_oid_set(minor_status, mech_set); if (major_status) return (major_status); - + HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) { if (m->gm_mech.gm_indicate_mechs) { major_status = m->gm_mech.gm_indicate_mechs( diff --git a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c index cf111ecbae..af0170a50a 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c @@ -99,7 +99,7 @@ _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type) * * @returns a gss_error code, see gss_display_status() about printing * the error code. - * + * * @ingroup gssapi */ diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c index 0658267b2f..2568075988 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c @@ -37,7 +37,7 @@ gss_inquire_context(OM_uint32 *minor_status, gss_OID *mech_type, OM_uint32 *ctx_flags, int *locally_initiated, - int *open) + int *xopen) { OM_uint32 major_status; struct _gss_context *ctx = (struct _gss_context *) context_handle; @@ -47,8 +47,8 @@ gss_inquire_context(OM_uint32 *minor_status, if (locally_initiated) *locally_initiated = 0; - if (open) - *open = 0; + if (xopen) + *xopen = 0; if (lifetime_rec) *lifetime_rec = 0; @@ -68,7 +68,7 @@ gss_inquire_context(OM_uint32 *minor_status, mech_type, ctx_flags, locally_initiated, - open); + xopen); if (major_status != GSS_S_COMPLETE) { _gss_mg_error(m, major_status, *minor_status); diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c index 900370a5db..e674dd48f3 100644 
--- a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c @@ -52,7 +52,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status, HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET; - int i; + size_t i; m = mc->gmc_mech; if (m == NULL) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 594b41ef8e..fe88a384b5 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -188,7 +188,7 @@ out: GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gsskrb5_register_acceptor_identity(const char *identity) { - struct _gss_mech_switch *m; + gssapi_mech_interface m; gss_buffer_desc buffer; OM_uint32 junk; @@ -197,14 +197,12 @@ gsskrb5_register_acceptor_identity(const char *identity) buffer.value = rk_UNCONST(identity); buffer.length = strlen(identity); - HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) { - if (m->gm_mech.gm_set_sec_context_option == NULL) - continue; - m->gm_mech.gm_set_sec_context_option(&junk, NULL, - GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); - } + m = __gss_get_mechanism(GSS_KRB5_MECHANISM); + if (m == NULL || m->gm_set_sec_context_option == NULL) + return GSS_S_FAILURE; - return (GSS_S_COMPLETE); + return m->gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); } GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL @@ -441,7 +439,7 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, gss_buffer_desc buffer; krb5_storage *sp; krb5_data data; - int i; + size_t i; sp = krb5_storage_emem(); if (sp == NULL) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c index f7f75c13f9..55e01094ff 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c +++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c 
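Review bot: `gsskrb5_register_acceptor_identity` now returns the krb5 mechanism's major status, but the minor status goes into `junk` and is dropped, so a caller that gets `GSS_S_FAILURE` cannot find out why registering the keytab failed (the public signature has no `minor_status` parameter). The mechglue's convention elsewhere in this series is to record the pair with `_gss_mg_error()` (see gss_inquire_context.c) so `gss_display_status()` can show it: `major = m->gm_set_sec_context_option(&junk, NULL, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); if (GSS_ERROR(major)) _gss_mg_error(m, major, junk); return major;`. Separately, the function used to notify every loaded mechanism and now only the krb5 one; if that is deliberate a short comment would prevent it being read as a regression.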
@@ -62,7 +62,7 @@ _gss_string_to_oid(const char* s, gss_OID oid) if (q) q = q + 1; number_count++; } - + /* * The first two numbers are in the first byte and each * subsequent number is encoded in a variable byte sequence. @@ -126,7 +126,7 @@ _gss_string_to_oid(const char* s, gss_OID oid) while (bytes) { if (res) { int bit = 7*(bytes-1); - + *res = (number >> bit) & 0x7f; if (bytes != 1) *res |= 0x80; @@ -152,7 +152,8 @@ _gss_string_to_oid(const char* s, gss_OID oid) #define SYM(name) \ do { \ m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \ - if (!m->gm_mech.gm_ ## name) { \ + if (!m->gm_mech.gm_ ## name || \ + m->gm_mech.gm_ ##name == gss_ ## name) { \ fprintf(stderr, "can't find symbol gss_" #name "\n"); \ goto bad; \ } \ @@ -160,7 +161,28 @@ do { \ #define OPTSYM(name) \ do { \ - m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \ + m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \ + if (m->gm_mech.gm_ ## name == gss_ ## name) \ + m->gm_mech.gm_ ## name = NULL; \ +} while (0) + +#define OPTSPISYM(name) \ +do { \ + m->gm_mech.gm_ ## name = dlsym(so, "gssspi_" #name); \ +} while (0) + +#define COMPATSYM(name) \ +do { \ + m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gss_" #name); \ + if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \ + m->gm_mech.gm_compat->gmc_ ## name = NULL; \ +} while (0) + +#define COMPATSPISYM(name) \ +do { \ + m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gssspi_" #name);\ + if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \ + m->gm_mech.gm_compat->gmc_ ## name = NULL; \ } while (0) /* 
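Review bot: `COMPATSPISYM` looks up `"gssspi_" #name` but then compares the result against `gss_ ## name`, which can only match if the two symbols are aliases, while `OPTSPISYM` does the same lookup with no self-reference check at all; the two macros should agree. The comparison exists to catch `dlsym()` resolving to the mechglue's own export instead of the plugin's, so either compare against the matching `gssspi_ ## name` if this library exports one, or drop the test from `COMPATSPISYM` as `OPTSPISYM` does. A one-line comment above `SYM` stating the purpose, `/* reject a dlsym() hit on our own gss_* export, which would recurse back into the mechglue */`, would help since it is not obvious. Also `gm_ ##name` in `SYM` lacks the space the other macros use.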
@@ -283,28 +305,26 @@ _gss_load_mech(void) #endif so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP); - if (!so) { + if (so == NULL) { /* fprintf(stderr, "dlopen: %s\n", dlerror()); */ - free(mech_oid.elements); - continue; + goto bad; } - m = malloc(sizeof(*m)); - if (!m) { - free(mech_oid.elements); - break; - } + m = calloc(1, sizeof(*m)); + if (m == NULL) + goto bad; + m->gm_so = so; m->gm_mech.gm_mech_oid = mech_oid; m->gm_mech.gm_flags = 0; - + m->gm_mech.gm_compat = calloc(1, sizeof(struct gss_mech_compat_desc_struct)); + if (m->gm_mech.gm_compat == NULL) + goto bad; + major_status = gss_add_oid_set_member(&minor_status, &m->gm_mech.gm_mech_oid, &_gss_mech_oids); - if (major_status) { - free(m->gm_mech.gm_mech_oid.elements); - free(m); - continue; - } + if (GSS_ERROR(major_status)) + goto bad; SYM(acquire_cred); SYM(release_cred); 
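Review bot: The `goto bad` taken when dlopen() fails, and the one taken when `calloc(1, sizeof(*m))` fails, reach a cleanup that frees `m` whenever `m != NULL` and calls `dlclose(so)`, but on the dlopen path `so` is NULL and `m` still holds whatever the previous iteration left in it unless it is reset at the top of the loop, which this hunk does not show. If `m` is stale it points at a mechanism already inserted into _gss_mechs, so one unloadable plugin would free a live entry, and `mech_oid.elements`, which the removed code freed here, is now leaked because it has not yet been copied into `m`. Resetting `m = NULL; so = NULL;` at the start of each iteration and keeping `free(mech_oid.elements); continue;` for the two failures that happen before `m` owns the OID would restore the old behaviour without touching the later cleanup.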
@@ -338,34 +358,64 @@ _gss_load_mech(void) OPTSYM(inquire_cred_by_oid); OPTSYM(inquire_sec_context_by_oid); OPTSYM(set_sec_context_option); - OPTSYM(set_cred_option); + OPTSPISYM(set_cred_option); OPTSYM(pseudo_random); OPTSYM(wrap_iov); OPTSYM(unwrap_iov); OPTSYM(wrap_iov_length); + OPTSYM(store_cred); + OPTSYM(export_cred); + OPTSYM(import_cred); +#if 0 + OPTSYM(acquire_cred_ext); + OPTSYM(iter_creds); + OPTSYM(destroy_cred); + OPTSYM(cred_hold); + OPTSYM(cred_unhold); + OPTSYM(cred_label_get); + OPTSYM(cred_label_set); +#endif OPTSYM(display_name_ext); OPTSYM(inquire_name); OPTSYM(get_name_attribute); OPTSYM(set_name_attribute); OPTSYM(delete_name_attribute); OPTSYM(export_name_composite); + OPTSYM(pname_to_uid); + OPTSPISYM(authorize_localname); mi = dlsym(so, "gss_mo_init"); if (mi != NULL) { - major_status = mi(&minor_status, - &mech_oid, - &m->gm_mech.gm_mo, - &m->gm_mech.gm_mo_num); + major_status = mi(&minor_status, &mech_oid, + &m->gm_mech.gm_mo, &m->gm_mech.gm_mo_num); if (GSS_ERROR(major_status)) goto bad; + } else { + /* API-as-SPI compatibility */ + COMPATSYM(inquire_saslname_for_mech); + COMPATSYM(inquire_mech_for_saslname); + COMPATSYM(inquire_attrs_for_mech); + COMPATSPISYM(acquire_cred_with_password); } + /* pick up the oid sets of names */ + + if (m->gm_mech.gm_inquire_names_for_mech) + (*m->gm_mech.gm_inquire_names_for_mech)(&minor_status, + &m->gm_mech.gm_mech_oid, &m->gm_name_types); + + if (m->gm_name_types == NULL) + gss_create_empty_oid_set(&minor_status, &m->gm_name_types); + HEIM_SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link); continue; bad: - free(m->gm_mech.gm_mech_oid.elements); - free(m); + if (m != NULL) { + free(m->gm_mech.gm_compat); + free(m->gm_mech.gm_mech_oid.elements); + free(m); + } dlclose(so); continue; } diff --git a/source4/heimdal/lib/gssapi/mech/gss_mo.c b/source4/heimdal/lib/gssapi/mech/gss_mo.c index cb24b764a5..ad74d9237a 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_mo.c +++ b/source4/heimdal/lib/gssapi/mech/gss_mo.c 
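Review bot: The cleanup at `bad:` calls `dlclose(so)` unconditionally, yet it is also the target of the `goto bad` taken earlier in _gss_load_mech when dlopen() itself returned NULL, so `so` is NULL on that path and `dlclose(NULL)` is at best undefined; guard it with `if (so != NULL) dlclose(so);`. Separately, the return values of `gm_inquire_names_for_mech` and of the fallback `gss_create_empty_oid_set` are ignored, so on allocation failure `m->gm_name_types` stays NULL and the mechanism is nevertheless inserted into _gss_mechs; treating a failed `gss_create_empty_oid_set` as `goto bad` keeps the invariant that every listed mechanism owns a name-type set. Whether later consumers of gm_name_types tolerate NULL is not visible from this hunk.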
@@ -4,6 +4,7 @@ * All rights reserved. * * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * Portions Copyright (c) 2010 PADL Software Pty Ltd. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -35,13 +36,14 @@ #include "mech_locl.h" +#include <crypto-headers.h> + static int get_option_def(int def, gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value) { return def; } - int _gss_mo_get_option_1(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value) { @@ -60,10 +62,10 @@ _gss_mo_get_ctx_as_string(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t valu if (value) { value->value = strdup((char *)mo->ctx); if (value->value == NULL) - return 1; + return GSS_S_FAILURE; value->length = strlen((char *)mo->ctx); } - return 0; + return GSS_S_COMPLETE; } GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL @@ -79,7 +81,8 @@ gss_mo_set(gss_const_OID mech, gss_const_OID option, for (n = 0; n < m->gm_mo_num; n++) if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].set) return m->gm_mo[n].set(mech, &m->gm_mo[n], enable, value); - return 0; + + return GSS_S_UNAVAILABLE; } GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL @@ -91,13 +94,13 @@ gss_mo_get(gss_const_OID mech, gss_const_OID option, gss_buffer_t value) _mg_buffer_zero(value); if ((m = __gss_get_mechanism(mech)) == NULL) - return 0; + return GSS_S_BAD_MECH; for (n = 0; n < m->gm_mo_num; n++) if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].get) return m->gm_mo[n].get(mech, &m->gm_mo[n], value); - return 0; + return GSS_S_UNAVAILABLE; } static void 
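Review bot: gss_mo_get and gss_mo_set now return GSS-API major status values (GSS_S_BAD_MECH, GSS_S_UNAVAILABLE, or whatever the per-option get/set callback returns) through functions still declared as returning `int`, and _gss_mo_get_ctx_as_string does the same with GSS_S_FAILURE, where the previous contract was a plain zero/non-zero flag. Callers testing `!= 0` keep working, but callers applying GSS_ERROR() to the result are now the intended consumers, so the header comment above each should say which convention is authoritative, e.g. `/* Returns a GSS-API major status; GSS_S_UNAVAILABLE when the mechanism defines no such option. */`. The declared return type of the get/set callbacks in gss_mo_desc is outside this hunk, so whether they already return major codes cannot be confirmed here; if they do not, the mixed values flowing out of gss_mo_get are worth a second look.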
@@ -147,7 +150,8 @@ gss_mo_name(gss_const_OID mech, gss_const_OID option, gss_buffer_t name) for (n = 0; n < m->gm_mo_num; n++) { if (gss_oid_equal(option, m->gm_mo[n].option)) { /* - * If ther is no name, its because its a GSS_C_MA and there is already a table for that. + * If there is no name, its because its a GSS_C_MA and + * there is already a table for that. */ if (m->gm_mo[n].name) { name->value = strdup(m->gm_mo[n].name); 
@@ -175,14 +179,86 @@ mo_value(const gss_const_OID mech, gss_const_OID option, gss_buffer_t name) if (name == NULL) return GSS_S_COMPLETE; - if (gss_mo_get(mech, option, name) != 0 && name->length == 0) - return GSS_S_FAILURE; + return gss_mo_get(mech, option, name); +} + +/* code derived from draft-ietf-cat-sasl-gssapi-01 */ +static char basis_32[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; + +static OM_uint32 +make_sasl_name(OM_uint32 *minor, const gss_OID mech, char sasl_name[16]) +{ + EVP_MD_CTX *ctx; + char *p = sasl_name; + u_char hdr[2], hash[20], *h = hash; + + if (mech->length > 127) + return GSS_S_BAD_MECH; + + hdr[0] = 0x06; + hdr[1] = mech->length; + + ctx = EVP_MD_CTX_create(); + EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); + EVP_DigestUpdate(ctx, hdr, 2); + EVP_DigestUpdate(ctx, mech->elements, mech->length); + EVP_DigestFinal_ex(ctx, hash, NULL); + + memcpy(p, "GS2-", 4); + p += 4; + + *p++ = basis_32[(h[0] >> 3)]; + *p++ = basis_32[((h[0] & 7) << 2) | (h[1] >> 6)]; + *p++ = basis_32[(h[1] & 0x3f) >> 1]; + *p++ = basis_32[((h[1] & 1) << 4) | (h[2] >> 4)]; + *p++ = basis_32[((h[2] & 0xf) << 1) | (h[3] >> 7)]; + *p++ = basis_32[(h[3] & 0x7f) >> 2]; + *p++ = basis_32[((h[3] & 3) << 3) | (h[4] >> 5)]; + *p++ = basis_32[(h[4] & 0x1f)]; + *p++ = basis_32[(h[5] >> 3)]; + *p++ = basis_32[((h[5] & 7) << 2) | (h[6] >> 6)]; + *p++ = basis_32[(h[6] & 0x3f) >> 1]; + + *p = '\0'; return GSS_S_COMPLETE; } +/* + * gss_inquire_saslname_for_mech() wrapper that uses MIT SPI + */ +static OM_uint32 +inquire_saslname_for_mech_compat(OM_uint32 *minor, + const gss_OID desired_mech, + gss_buffer_t sasl_mech_name, + gss_buffer_t mech_name, + gss_buffer_t mech_description) +{ + struct gss_mech_compat_desc_struct *gmc; + gssapi_mech_interface m; + OM_uint32 major; + + m = __gss_get_mechanism(desired_mech); + if (m == NULL) + return GSS_S_BAD_MECH; + + gmc = m->gm_compat; + + if (gmc != NULL && gmc->gmc_inquire_saslname_for_mech != NULL) { + major = 
gmc->gmc_inquire_saslname_for_mech(minor, + desired_mech, + sasl_mech_name, + mech_name, + mech_description); + } else { + major = GSS_S_UNAVAILABLE; + } + + return major; +} + /** - * Returns differnt protocol names and description of the mechanism. + * Returns different protocol names and description of the mechanism. * * @param minor_status minor status code * @param desired_mech mech list query @@ -215,15 +291,41 @@ gss_inquire_saslname_for_mech(OM_uint32 *minor_status, return GSS_S_BAD_MECH; major = mo_value(desired_mech, GSS_C_MA_SASL_MECH_NAME, sasl_mech_name); - if (major) return major; + if (major == GSS_S_COMPLETE) { + /* Native SPI */ + major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name); + if (GSS_ERROR(major)) + return major; + + major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description); + if (GSS_ERROR(major)) + return major; + } - major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name); - if (major) return major; + if (GSS_ERROR(major)) { + /* API-as-SPI compatibility */ + major = inquire_saslname_for_mech_compat(minor_status, + desired_mech, + sasl_mech_name, + mech_name, + mech_description); + } - major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description); - if (major) return major; + if (GSS_ERROR(major)) { + /* Algorithmically dervied SASL mechanism name */ + char buf[16]; + gss_buffer_desc tmp = { sizeof(buf) - 1, buf }; - return GSS_S_COMPLETE; + major = make_sasl_name(minor_status, desired_mech, buf); + if (GSS_ERROR(major)) + return major; + + major = _gss_copy_buffer(minor_status, &tmp, sasl_mech_name); + if (GSS_ERROR(major)) + return major; + } + + return major; } /** 
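Review bot: make_sasl_name never releases the digest context it creates: `EVP_MD_CTX_create()` runs once per invocation, its NULL return is not checked before `EVP_DigestInit_ex`, and there is no matching `EVP_MD_CTX_destroy(ctx)` after `EVP_DigestFinal_ex`, so every SASL-name derivation leaks a context (gss_inquire_mech_for_saslname in this file calls it once per loaded mechanism). Add `if (ctx == NULL) { *minor = ENOMEM; return GSS_S_FAILURE; }` after the create (or `*minor = 0` if errno values are not used as minor codes here) and `EVP_MD_CTX_destroy(ctx);` after the final, which also gives the `minor` parameter a purpose since the function currently never writes it. The 55-bit base32 packing appears to follow the GS2 derivation the comment cites, and the `length > 127` check correctly bounds the single DER length byte written into `hdr[1]`.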
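Review bot: In the native-SPI branch of gss_inquire_saslname_for_mech, the early `return major` after a failed `mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name)` (and the one after GSS_C_MA_MECH_DESCRIPTION) hands the caller an error together with the sasl_mech_name buffer the first mo_value already filled, which callers will not release on error; free it first, `gss_release_buffer(&junk, sasl_mech_name);`, with an `OM_uint32 junk` declared beside `major`. The algorithmic fallback fills only sasl_mech_name and returns GSS_S_COMPLETE, leaving mech_name and mech_description as they were on entry, so unless the prologue above this hunk zeroes those outputs the caller receives indeterminate buffers. The start of the function, including that prologue, lies outside the hunk.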
@@ -243,29 +345,91 @@ gss_inquire_mech_for_saslname(OM_uint32 *minor_status, { struct _gss_mech_switch *m; gss_buffer_desc name; - OM_uint32 major; + OM_uint32 major, junk; + char buf[16]; _gss_load_mech(); *mech_type = NULL; HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) { - - major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name); - if (major) - continue; - if (name.length == sasl_mech_name->length && - memcmp(name.value, sasl_mech_name->value, name.length) == 0) { - gss_release_buffer(&major, &name); - *mech_type = &m->gm_mech_oid; - return 0; + struct gss_mech_compat_desc_struct *gmc; + + /* Native SPI */ + major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name); + if (major == GSS_S_COMPLETE && + name.length == sasl_mech_name->length && + memcmp(name.value, sasl_mech_name->value, name.length) == 0) { + gss_release_buffer(&junk, &name); + *mech_type = &m->gm_mech_oid; + return GSS_S_COMPLETE; } - gss_release_buffer(&major, &name); + gss_release_buffer(&junk, &name); + + if (GSS_ERROR(major)) { + /* API-as-SPI compatibility */ + gmc = m->gm_mech.gm_compat; + if (gmc && gmc->gmc_inquire_mech_for_saslname) { + major = gmc->gmc_inquire_mech_for_saslname(minor_status, + sasl_mech_name, + mech_type); + if (major == GSS_S_COMPLETE) + return GSS_S_COMPLETE; + } + } + + if (GSS_ERROR(major)) { + /* Algorithmically dervied SASL mechanism name */ + if (sasl_mech_name->length == 16 && + make_sasl_name(minor_status, &m->gm_mech_oid, buf) == GSS_S_COMPLETE && + memcmp(buf, sasl_mech_name->value, 16) == 0) { + *mech_type = &m->gm_mech_oid; + return GSS_S_COMPLETE; + } + } } return GSS_S_BAD_MECH; } +/* + * Test mechanism against indicated attributes using both Heimdal and + * MIT SPIs. 
+ */ +static int +test_mech_attrs(gssapi_mech_interface mi, + gss_const_OID_set mech_attrs, + gss_const_OID_set against_attrs, + int except) +{ + size_t n, m; + int eq = 0; + + if (against_attrs == GSS_C_NO_OID_SET) + return 1; + + for (n = 0; n < against_attrs->count; n++) { + for (m = 0; m < mi->gm_mo_num; m++) { + eq = gss_oid_equal(mi->gm_mo[m].option, + &against_attrs->elements[n]); + if (eq) + break; + } + if (mech_attrs != GSS_C_NO_OID_SET) { + for (m = 0; m < mech_attrs->count; m++) { + eq = gss_oid_equal(&mech_attrs->elements[m], + &against_attrs->elements[n]); + if (eq) + break; + } + } + if (!eq ^ except) + return 0; + } + + return 1; +} + /** * Return set of mechanism that fullfill the criteria * 
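Review bot: The algorithmic fallback in gss_inquire_mech_for_saslname requires `sasl_mech_name->length == 16` and compares 16 bytes, but make_sasl_name emits `GS2-` plus 11 base32 characters, 15 bytes, followed by a NUL, and gss_inquire_saslname_for_mech in this same file returns that name with length 15 (`tmp = { sizeof(buf) - 1, buf }`), so a name obtained from one function can never be mapped back by the other. Change the check to `sasl_mech_name->length == 15 &&` and `memcmp(buf, sasl_mech_name->value, 15) == 0`. In test_mech_attrs, `eq` is not reset at the top of the outer loop, so when both `mi->gm_mo_num` and `mech_attrs->count` are zero the previous attribute's verdict is reused for the next one; an `eq = 0;` as the first statement of the `for (n ...)` body closes that. gss_inquire_mech_for_saslname's signature sits above the hunk.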
@@ -286,57 +450,49 @@ gss_indicate_mechs_by_attrs(OM_uint32 * minor_status, gss_OID_set *mechs) { struct _gss_mech_switch *ms; + gss_OID_set mech_attrs = GSS_C_NO_OID_SET; + gss_OID_set known_mech_attrs = GSS_C_NO_OID_SET; OM_uint32 major; - size_t n, m; major = gss_create_empty_oid_set(minor_status, mechs); - if (major) + if (GSS_ERROR(major)) return major; _gss_load_mech(); HEIM_SLIST_FOREACH(ms, &_gss_mechs, gm_link) { gssapi_mech_interface mi = &ms->gm_mech; - - if (desired_mech_attrs) { - for (n = 0; n < desired_mech_attrs->count; n++) { - for (m = 0; m < mi->gm_mo_num; m++) - if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n])) - break; - if (m == mi->gm_mo_num) - goto next; - } - } - - if (except_mech_attrs) { - for (n = 0; n < desired_mech_attrs->count; n++) { - for (m = 0; m < mi->gm_mo_num; m++) { - if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n])) - goto next; - } - } - } - - if (critical_mech_attrs) { - for (n = 0; n < desired_mech_attrs->count; n++) { - for (m = 0; m < mi->gm_mo_num; m++) { - if (mi->gm_mo[m].flags & GSS_MO_MA_CRITICAL) - continue; - if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n])) - break; - } - if (m == mi->gm_mo_num) - goto next; - } - } - - - next: - do { } while(0); + struct gss_mech_compat_desc_struct *gmc = mi->gm_compat; + OM_uint32 tmp; + + if (gmc && gmc->gmc_inquire_attrs_for_mech) { + major = gmc->gmc_inquire_attrs_for_mech(minor_status, + &mi->gm_mech_oid, + &mech_attrs, + &known_mech_attrs); + if (GSS_ERROR(major)) + continue; + } + + /* + * Test mechanism supports all of desired_mech_attrs; + * none of except_mech_attrs; + * and knows of all critical_mech_attrs. 
+ */ + if (test_mech_attrs(mi, mech_attrs, desired_mech_attrs, 0) && + test_mech_attrs(mi, mech_attrs, except_mech_attrs, 1) && + test_mech_attrs(mi, known_mech_attrs, critical_mech_attrs, 0)) { + major = gss_add_oid_set_member(minor_status, &mi->gm_mech_oid, mechs); + } + + gss_release_oid_set(&tmp, &mech_attrs); + gss_release_oid_set(&tmp, &known_mech_attrs); + + if (GSS_ERROR(major)) + break; } - - return GSS_S_FAILURE; + return major; } /** @@ -361,30 +517,45 @@ gss_inquire_attrs_for_mech(OM_uint32 * minor_status, { OM_uint32 major, junk; + if (known_mech_attrs) + *known_mech_attrs = GSS_C_NO_OID_SET; + if (mech_attr && mech) { gssapi_mech_interface m; + struct gss_mech_compat_desc_struct *gmc; if ((m = __gss_get_mechanism(mech)) == NULL) { *minor_status = 0; return GSS_S_BAD_MECH; } - major = gss_create_empty_oid_set(minor_status, mech_attr); - if (major != GSS_S_COMPLETE) + gmc = m->gm_compat; + + if (gmc && gmc->gmc_inquire_attrs_for_mech) { + major = gmc->gmc_inquire_attrs_for_mech(minor_status, + mech, + mech_attr, + known_mech_attrs); + } else { + major = gss_create_empty_oid_set(minor_status, mech_attr); + if (major == GSS_S_COMPLETE) + add_all_mo(m, mech_attr, GSS_MO_MA); + } + if (GSS_ERROR(major)) return major; - - add_all_mo(m, mech_attr, GSS_MO_MA); - } + } if (known_mech_attrs) { struct _gss_mech_switch *m; - major = gss_create_empty_oid_set(minor_status, known_mech_attrs); - if (major) { - if (mech_attr) - gss_release_oid_set(&junk, mech_attr); - return major; - } + if (*known_mech_attrs == GSS_C_NO_OID_SET) { + major = gss_create_empty_oid_set(minor_status, known_mech_attrs); + if (GSS_ERROR(major)) { + if (mech_attr) + gss_release_oid_set(&junk, mech_attr); + return major; + } + } _gss_load_mech(); 
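Review bot: In gss_indicate_mechs_by_attrs a failing `gmc_inquire_attrs_for_mech` does `continue` with `major` still holding the error, and a later mechanism that has no compat hook and fails the attribute tests never reassigns `major`, so the loop then trips `if (GSS_ERROR(major)) break;` and returns a stale error from a different mechanism; on every error return the `*mechs` set created at the top is also handed back unreleased. Setting `major = GSS_S_COMPLETE;` at the start of each iteration and releasing the partial result before the final return, `if (GSS_ERROR(major)) gss_release_oid_set(&junk, mechs);` with a function-scope `OM_uint32 junk`, makes the outcome well-defined. The `continue` additionally skips the two `gss_release_oid_set` calls, which is harmless only if the hook leaves both sets as GSS_C_NO_OID_SET on failure, something this hunk cannot show.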
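Review bot: gss_inquire_attrs_for_mech now initialises `*known_mech_attrs` to GSS_C_NO_OID_SET before any early return, but `*mech_attr` is left untouched on the GSS_S_BAD_MECH path and on a failing compat call, so a caller that releases both outputs on error frees an indeterminate pointer; add `if (mech_attr) *mech_attr = GSS_C_NO_OID_SET;` beside the known_mech_attrs reset. When the compat hook has populated `*known_mech_attrs`, the code skips creating an empty set and proceeds into the glue's own enumeration below the hunk, which will extend a set the mechanism allocated; that is fine if the hook used the glue's allocator but deserves a comment such as `/* the compat hook may already have filled known_mech_attrs; extend it rather than replace it */`. The remainder of the function, including that enumeration, is outside this hunk.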
@@ -434,28 +605,28 @@ gss_display_mech_attr(OM_uint32 * minor_status, return GSS_S_BAD_MECH_ATTR; if (name) { - gss_buffer_desc n; - n.value = rk_UNCONST(ma->name); - n.length = strlen(ma->name); - major = _gss_copy_buffer(minor_status, &n, name); + gss_buffer_desc bd; + bd.value = rk_UNCONST(ma->name); + bd.length = strlen(ma->name); + major = _gss_copy_buffer(minor_status, &bd, name); if (major != GSS_S_COMPLETE) return major; } if (short_desc) { - gss_buffer_desc n; - n.value = rk_UNCONST(ma->short_desc); - n.length = strlen(ma->short_desc); - major = _gss_copy_buffer(minor_status, &n, short_desc); + gss_buffer_desc bd; + bd.value = rk_UNCONST(ma->short_desc); + bd.length = strlen(ma->short_desc); + major = _gss_copy_buffer(minor_status, &bd, short_desc); if (major != GSS_S_COMPLETE) return major; } if (long_desc) { - gss_buffer_desc n; - n.value = rk_UNCONST(ma->long_desc); - n.length = strlen(ma->long_desc); - major = _gss_copy_buffer(minor_status, &n, long_desc); + gss_buffer_desc bd; + bd.value = rk_UNCONST(ma->long_desc); + bd.length = strlen(ma->long_desc); + major = _gss_copy_buffer(minor_status, &bd, long_desc); if (major != GSS_S_COMPLETE) return major; } diff --git a/source4/heimdal/lib/gssapi/mech/gss_names.c b/source4/heimdal/lib/gssapi/mech/gss_names.c index 4b470c775f..43e0e2a85c 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_names.c +++ b/source4/heimdal/lib/gssapi/mech/gss_names.c @@ -58,7 +58,7 @@ _gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech, mn = malloc(sizeof(struct _gss_mechanism_name)); if (!mn) return GSS_S_FAILURE; - + major_status = m->gm_import_name(minor_status, &name->gn_value, (name->gn_type.elements diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid.c b/source4/heimdal/lib/gssapi/mech/gss_oid.c index bac97cacd0..916d1e4dda 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_oid.c 
@@ -2,220 +2,226 @@ #include "mech_locl.h" /* GSS_KRB5_COPY_CCACHE_X - 1.2.752.43.13.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x01" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01") }; /* GSS_KRB5_GET_TKT_FLAGS_X - 1.2.752.43.13.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02") }; /* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X - 1.2.752.43.13.3 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x03" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03") }; /* GSS_KRB5_COMPAT_DES3_MIC_X - 1.2.752.43.13.4 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x04" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04") }; /* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - 1.2.752.43.13.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05") }; /* GSS_KRB5_EXPORT_LUCID_CONTEXT_X - 1.2.752.43.13.6 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x06" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06") }; /* GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X - 1.2.752.43.13.6.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x06\x01" 
}; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01") }; /* GSS_KRB5_SET_DNS_CANONICALIZE_X - 1.2.752.43.13.7 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x07" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07") }; /* GSS_KRB5_GET_SUBKEY_X - 1.2.752.43.13.8 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x08" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08") }; /* GSS_KRB5_GET_INITIATOR_SUBKEY_X - 1.2.752.43.13.9 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x09" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09") }; /* GSS_KRB5_GET_ACCEPTOR_SUBKEY_X - 1.2.752.43.13.10 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a") }; /* GSS_KRB5_SEND_TO_KDC_X - 1.2.752.43.13.11 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b") }; /* GSS_KRB5_GET_AUTHTIME_X - 1.2.752.43.13.12 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0c" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c") }; /* GSS_KRB5_GET_SERVICE_KEYBLOCK_X - 1.2.752.43.13.13 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0d" 
}; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d") }; /* GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X - 1.2.752.43.13.14 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0e" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e") }; /* GSS_KRB5_SET_DEFAULT_REALM_X - 1.2.752.43.13.15 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0f" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f") }; /* GSS_KRB5_CCACHE_NAME_X - 1.2.752.43.13.16 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x10" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10") }; /* GSS_KRB5_SET_TIME_OFFSET_X - 1.2.752.43.13.17 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x11" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11") }; /* GSS_KRB5_GET_TIME_OFFSET_X - 1.2.752.43.13.18 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x12" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12") }; /* GSS_KRB5_PLUGIN_REGISTER_X - 1.2.752.43.13.19 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x13" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x13") }; /* GSS_NTLM_GET_SESSION_KEY_X - 1.2.752.43.13.20 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x14" }; 
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x14") }; /* GSS_C_NT_NTLM - 1.2.752.43.13.21 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x15" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x15") }; /* GSS_C_NT_DN - 1.2.752.43.13.22 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x16" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x16") }; /* GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL - 1.2.752.43.13.23 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x17" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x17") }; /* GSS_C_NTLM_AVGUEST - 1.2.752.43.13.24 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x18" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x18") }; /* GSS_C_NTLM_V1 - 1.2.752.43.13.25 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x19" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x19") }; /* GSS_C_NTLM_V2 - 1.2.752.43.13.26 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1a") }; /* GSS_C_NTLM_SESSION_KEY - 1.2.752.43.13.27 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1b") }; /* GSS_C_NTLM_FORCE_V1 - 1.2.752.43.13.28 */ -gss_OID_desc 
GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1c" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1c") }; /* GSS_KRB5_CRED_NO_CI_FLAGS_X - 1.2.752.43.13.29 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1d" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1d") }; /* GSS_KRB5_IMPORT_CRED_X - 1.2.752.43.13.30 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1e" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1e") }; /* GSS_C_MA_SASL_MECH_NAME - 1.2.752.43.13.100 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x64" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x64") }; /* GSS_C_MA_MECH_NAME - 1.2.752.43.13.101 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x65" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x65") }; /* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x66" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") }; + +/* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */ +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" }; + +/* GSS_C_CRED_CERTIFICATE - 1.2.752.43.13.201 */ +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x49" }; /* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE 
__gss_sasl_digest_md5_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x01" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; /* GSS_NETLOGON_MECHANISM - 1.2.752.43.14.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02") }; /* GSS_NETLOGON_SET_SESSION_KEY_X - 1.2.752.43.14.3 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x03" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x03") }; /* GSS_NETLOGON_SET_SIGN_ALGORITHM_X - 1.2.752.43.14.4 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x04" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x04") }; /* GSS_NETLOGON_NT_NETBIOS_DNS_NAME - 1.2.752.43.14.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x05") }; /* GSS_C_INQ_WIN2K_PAC_X - 1.2.752.43.13.3.128 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, "\x2a\x85\x70\x2b\x0d\x03\x81\x00" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03\x81\x00") }; /* GSS_C_INQ_SSPI_SESSION_KEY - 1.2.840.113554.1.2.2.5.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05") }; /* 
GSS_KRB5_MECHANISM - 1.2.840.113554.1.2.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
 /* GSS_NTLM_MECHANISM - 1.3.6.1.4.1.311.2.2.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") };
 /* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, "\x2b\x06\x01\x05\x05\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") };
 /* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, "\x2b\x06\x01\x04\x01\xca\x29\x13\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xca\x29\x13\x05") };
 /* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x01") };
 /* GSS_C_MA_MECH_PSEUDO - 1.3.6.1.5.5.13.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x02") };
 /* GSS_C_MA_MECH_COMPOSITE - 1.3.6.1.5.5.13.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x03") };
 /* GSS_C_MA_MECH_NEGO - 1.3.6.1.5.5.13.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x04") };
 /* GSS_C_MA_MECH_GLUE - 1.3.6.1.5.5.13.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x05") };
 /* GSS_C_MA_NOT_MECH - 1.3.6.1.5.5.13.6 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x06" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x06") };
 /* GSS_C_MA_DEPRECATED - 1.3.6.1.5.5.13.7 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x07" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x07") };
 /* GSS_C_MA_NOT_DFLT_MECH - 1.3.6.1.5.5.13.8 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x08" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x08") };
 /* GSS_C_MA_ITOK_FRAMED - 1.3.6.1.5.5.13.9 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x09" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x09") };
 /* GSS_C_MA_AUTH_INIT - 1.3.6.1.5.5.13.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0a") };
 /* GSS_C_MA_AUTH_TARG - 1.3.6.1.5.5.13.11 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0b") };
 /* GSS_C_MA_AUTH_INIT_INIT - 1.3.6.1.5.5.13.12 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0c") };
 /* GSS_C_MA_AUTH_TARG_INIT - 1.3.6.1.5.5.13.13 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0d") };
 /* GSS_C_MA_AUTH_INIT_ANON - 1.3.6.1.5.5.13.14 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0e") };
 /* GSS_C_MA_AUTH_TARG_ANON - 1.3.6.1.5.5.13.15 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0f" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0f") };
 /* GSS_C_MA_DELEG_CRED - 1.3.6.1.5.5.13.16 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x10" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x10") };
 /* GSS_C_MA_INTEG_PROT - 1.3.6.1.5.5.13.17 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x11" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x11") };
 /* GSS_C_MA_CONF_PROT - 1.3.6.1.5.5.13.18 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x12" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x12") };
 /* GSS_C_MA_MIC - 1.3.6.1.5.5.13.19 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x13" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x13") };
 /* GSS_C_MA_WRAP - 1.3.6.1.5.5.13.20 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x14" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x14") };
 /* GSS_C_MA_PROT_READY - 1.3.6.1.5.5.13.21 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x15" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x15") };
 /* GSS_C_MA_REPLAY_DET - 1.3.6.1.5.5.13.22 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x16" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x16") };
 /* GSS_C_MA_OOS_DET - 1.3.6.1.5.5.13.23 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x17" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x17") };
 /* GSS_C_MA_CBINDINGS - 1.3.6.1.5.5.13.24 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x18" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x18") };
 /* GSS_C_MA_PFS - 1.3.6.1.5.5.13.25 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x19" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x19") };
 /* GSS_C_MA_COMPRESS - 1.3.6.1.5.5.13.26 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1a") };
 /* GSS_C_MA_CTX_TRANS - 1.3.6.1.5.5.13.27 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1b") };
 struct _gss_oid_name_table _gss_ont_ma[] = {
 { GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" },
diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c
index 7d6ded39e4..b125ede66f 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c
@@ -43,7 +43,7 @@
 *
 * @return non-zero when both oid are the same OID, zero when they are
 * not the same.
- *
+ *
 * @ingroup gssapi
 */
diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_name.c b/source4/heimdal/lib/gssapi/mech/gss_release_name.c
index 759eaec4c3..fd0b5df36b 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_release_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_release_name.c
@@ -40,7 +40,7 @@
 *
 * @returns a gss_error code, see gss_display_status() about printing
 * the error code.
- *
+ *
 * @ingroup gssapi
 */
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
diff --git a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c
index 62be485a07..d33453d92f 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c
@@ -93,13 +93,13 @@ gss_set_cred_option (OM_uint32 *minor_status,
 HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
 m = mc->gmc_mech;
-
+
 if (m == NULL)
 return GSS_S_BAD_MECH;
-
+
 if (m->gm_set_cred_option == NULL)
 continue;
-
+
 major_status = m->gm_set_cred_option(minor_status,
 &mc->gmc_cred, object, value);
 if (major_status == GSS_S_COMPLETE)
diff --git a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c
index 4c4d349045..715d34bf06 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c
@@ -34,7 +34,7 @@ gss_test_oid_set_member(OM_uint32 *minor_status,
 const gss_OID_set set,
 int *present)
 {
- int i;
+ size_t i;
 *present = 0;
 for (i = 0; i < set->count; i++)
diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c
index e79814aea7..9bebcf6cf0 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c
@@ -38,7 +38,7 @@ gss_wrap_size_limit(OM_uint32 *minor_status,
 {
 struct _gss_context *ctx = (struct _gss_context *) context_handle;
 gssapi_mech_interface m;
-
+
 *max_input_size = 0;
 if (ctx == NULL) {
 *minor_status = 0;
diff --git a/source4/heimdal/lib/gssapi/mech/mech_locl.h b/source4/heimdal/lib/gssapi/mech/mech_locl.h
index cb10c23c38..6c23ac5256 100644
--- a/source4/heimdal/lib/gssapi/mech/mech_locl.h
+++ b/source4/heimdal/lib/gssapi/mech/mech_locl.h
@@ -62,6 +62,7 @@
 #include "mech_switch.h"
 #include "name.h"
 #include "utils.h"
+#include "compat.h"
 #define _mg_buffer_zero(buffer) \
 do { \
diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
index 35bc56fbb7..3a51dd3a0a 100644
--- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -90,7 +90,7 @@ send_supported_mechs (OM_uint32 *minor_status,
 gss_buffer_t output_token)
 {
 NegotiationTokenWin nt;
- size_t buf_len;
+ size_t buf_len = 0;
 gss_buffer_desc data;
 OM_uint32 ret;
@@ -132,8 +132,10 @@ send_supported_mechs (OM_uint32 *minor_status,
 *minor_status = ret;
 return GSS_S_FAILURE;
 }
- if (data.length != buf_len)
+ if (data.length != buf_len) {
 abort();
+ UNREACHABLE(return GSS_S_FAILURE);
+ }
 ret = gss_encapsulate_token(&data, GSS_SPNEGO_MECHANISM, output_token);
@@ -316,7 +318,7 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
 gss_OID_desc oid;
 gss_OID oidp;
 gss_OID_set mechs;
- int i;
+ size_t i;
 OM_uint32 ret, junk;
 ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
@@ -368,12 +370,13 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
 host = getenv("GSSAPI_SPNEGO_NAME");
 if (host == NULL || issuid()) {
+ int rv;
 if (gethostname(hostname, sizeof(hostname)) != 0) {
 *minor_status = errno;
 return GSS_S_FAILURE;
 }
- i = asprintf(&str, "host@%s", hostname);
- if (i < 0 || str == NULL) {
+ rv = asprintf(&str, "host@%s", hostname);
+ if (rv < 0 || str == NULL) {
 *minor_status = ENOMEM;
 return GSS_S_FAILURE;
 }
@@ -410,10 +413,6 @@ acceptor_complete(OM_uint32 * minor_status,
 {
 OM_uint32 ret;
 int require_mic, verify_mic;
- gss_buffer_desc buf;
-
- buf.length = 0;
- buf.value = NULL;
 ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, &require_mic);
 if (ret)
@@ -435,11 +434,11 @@ acceptor_complete(OM_uint32 * minor_status,
 verify_mic = 0;
 *get_mic = 1;
 }
-
+
 if (verify_mic || *get_mic) {
 int eret;
- size_t buf_len;
-
+ size_t buf_len = 0;
+
 ASN1_MALLOC_ENCODE(MechTypeList, mech_buf->value, mech_buf->length,
 &ctx->initiator_mech_types, &buf_len, eret);
@@ -447,24 +446,19 @@ acceptor_complete(OM_uint32 * minor_status,
 *minor_status = eret;
 return GSS_S_FAILURE;
 }
- if (buf.length != buf_len)
- abort();
+ heim_assert(mech_buf->length == buf_len, "Internal ASN.1 error");
+ UNREACHABLE(return GSS_S_FAILURE);
 }
-
+
 if (verify_mic) {
 ret = verify_mechlist_mic(minor_status, ctx, mech_buf, mic);
 if (ret) {
 if (*get_mic)
 send_reject (minor_status, output_token);
- if (buf.value)
- free(buf.value);
 return ret;
 }
 ctx->verified_mic = 1;
 }
- if (buf.value)
- free(buf.value);
-
 } else
 *get_mic = 0;
@@ -491,7 +485,6 @@ acceptor_start
 NegotiationToken nt;
 size_t nt_len;
 NegTokenInit *ni;
- int i;
 gss_buffer_desc data;
 gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
 gss_buffer_desc mech_output_token;
@@ -507,7 +500,7 @@ acceptor_start
 if (input_token_buffer->length == 0)
 return send_supported_mechs (minor_status, output_token);
-
+
 ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
 if (ret != GSS_S_COMPLETE)
 return ret;
@@ -573,7 +566,7 @@ acceptor_start
 if (ctx->mech_src_name != GSS_C_NO_NAME)
 gss_release_name(&junk, &ctx->mech_src_name);
-
+
 ret = gss_accept_sec_context(minor_status,
 &ctx->negotiated_ctx_id,
 acceptor_cred_handle,
@@ -613,13 +606,14 @@ acceptor_start
 */
 if (!first_ok && ni->mechToken != NULL) {
+ size_t j;
 preferred_mech_type = GSS_C_NO_OID;
 /* Call glue layer to find first mech we support */
- for (i = 1; i < ni->mechTypes.len; ++i) {
+ for (j = 1; j < ni->mechTypes.len; ++j) {
 ret = select_mech(minor_status,
- &ni->mechTypes.val[i],
+ &ni->mechTypes.val[j],
 1, &preferred_mech_type);
 if (ret == 0)
diff --git a/source4/heimdal/lib/gssapi/spnego/compat.c b/source4/heimdal/lib/gssapi/spnego/compat.c
index b23658cfd1..cf5ee30a84 100644
--- a/source4/heimdal/lib/gssapi/spnego/compat.c
+++ b/source4/heimdal/lib/gssapi/spnego/compat.c
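Review bot: In the acceptor_complete hunk the new `UNREACHABLE(return GSS_S_FAILURE);` follows `heim_assert(mech_buf->length == buf_len, "Internal ASN.1 error");` at the same nesting level, with nothing making it conditional. In the two sibling hunks of this commit (send_supported_mechs on this page and spnego_reply in init_sec_context.c) the same macro sits inside the `if` block directly after an unconditional `abort()`, where it really is unreachable; here heim_assert only aborts when the lengths differ, so on any build where UNREACHABLE() expands to its argument rather than to nothing (its definition is not visible from this diff) the `return GSS_S_FAILURE;` would run on the success path and every acceptor that has to verify or produce a mechlist MIC would fail. Either drop that line or keep the explicit comparison so the structure matches the other two sites: `if (mech_buf->length != buf_len) { abort(); UNREACHABLE(return GSS_S_FAILURE); }`. acceptor_complete's signature and the start of its body lie outside the hunk.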
@@ -41,10 +41,10 @@
 * Kerberos mechanism.
 */
 gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc =
- {9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"};
+ {9, rk_UNCONST("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02")};
 gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc =
- {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+ {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
 /*
 * Allocate a SPNEGO context handle
@@ -241,7 +241,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
 gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
 gss_OID first_mech = GSS_C_NO_OID;
 OM_uint32 ret;
- int i;
+ size_t i;
 mechtypelist->len = 0;
 mechtypelist->val = NULL;
diff --git a/source4/heimdal/lib/gssapi/spnego/context_stubs.c b/source4/heimdal/lib/gssapi/spnego/context_stubs.c
index 18c13fe299..60b348ec46 100644
--- a/source4/heimdal/lib/gssapi/spnego/context_stubs.c
+++ b/source4/heimdal/lib/gssapi/spnego/context_stubs.c
@@ -37,7 +37,7 @@ spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
 {
 OM_uint32 ret, junk;
 gss_OID_set m;
- int i;
+ size_t i;
 ret = gss_indicate_mechs(minor_status, &m);
 if (ret != GSS_S_COMPLETE)
@@ -565,7 +565,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_names_for_mech (
 {
 gss_OID_set mechs, names, n;
 OM_uint32 ret, junk;
- int i, j;
+ size_t i, j;
 *name_types = NULL;
diff --git a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c
index 2920f3d9b5..fc43d6a4a6 100644
--- a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c
+++ b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c
@@ -70,7 +70,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred
 OM_uint32 ret, tmp;
 gss_OID_set_desc actual_desired_mechs;
 gss_OID_set mechs;
- int i, j;
+ size_t i, j;
 *output_cred_handle = GSS_C_NO_CREDENTIAL;
diff --git a/source4/heimdal/lib/gssapi/spnego/external.c b/source4/heimdal/lib/gssapi/spnego/external.c
index 5054754150..ca06d46e82 100644
--- a/source4/heimdal/lib/gssapi/spnego/external.c
+++ b/source4/heimdal/lib/gssapi/spnego/external.c
@@ -39,13 +39,12 @@
 * negotiation token is identified by the Object Identifier
 * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
 */
-
 static gss_mo_desc spnego_mo[] = {
 {
 GSS_C_MA_SASL_MECH_NAME,
 GSS_MO_MA,
 "SASL mech name",
- "SPNEGO",
+ rk_UNCONST("SPNEGO"),
 _gss_mo_get_ctx_as_string,
 NULL
 },
@@ -53,7 +52,7 @@ static gss_mo_desc spnego_mo[] = {
 GSS_C_MA_MECH_NAME,
 GSS_MO_MA,
 "Mechanism name",
- "SPNEGO",
+ rk_UNCONST("SPNEGO"),
 _gss_mo_get_ctx_as_string,
 NULL
 },
@@ -61,7 +60,7 @@ static gss_mo_desc spnego_mo[] = {
 GSS_C_MA_MECH_DESCRIPTION,
 GSS_MO_MA,
 "Mechanism description",
- "Heimdal SPNEGO Mechanism",
+ rk_UNCONST("Heimdal SPNEGO Mechanism"),
 _gss_mo_get_ctx_as_string,
 NULL
 },
@@ -78,7 +77,7 @@ static gss_mo_desc spnego_mo[] = {
 static gssapi_mech_interface_desc spnego_mech = {
 GMI_VERSION,
 "spnego",
- {6, (void *)"\x2b\x06\x01\x05\x05\x02"},
+ {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") },
 0,
 _gss_spnego_acquire_cred,
 _gss_spnego_release_cred,
@@ -128,7 +127,13 @@ static gssapi_mech_interface_desc spnego_mech = {
 NULL,
 NULL,
 spnego_mo,
- sizeof(spnego_mo) / sizeof(spnego_mo[0])
+ sizeof(spnego_mo) / sizeof(spnego_mo[0]),
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
 };
 gssapi_mech_interface
diff --git a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c
index c9e182129d..b4b1bcefc5 100644
--- a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c
@@ -392,7 +392,7 @@ spnego_reply
 NegotiationToken resp;
 gss_OID_desc mech;
 int require_mic;
- size_t buf_len;
+ size_t buf_len = 0;
 gss_buffer_desc mic_buf, mech_buf;
 gss_buffer_desc mech_output_token;
 gssspnego_ctx ctx;
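Review bot: The six `NULL,` lines appended to spnego_mech after the `sizeof(spnego_mo) / sizeof(spnego_mo[0]),` entry are purely positional, so nothing in this file says which gssapi_mech_interface_desc members they fill or that the count now matches the struct definition. Designated initializers (naming each slot as `.member = NULL`) would document what each new entry is and let omitted trailing members default to zero, so the next extension of the interface would not need another row of anonymous NULLs in every mechanism table. Whether the other mechanism tables in this tree are written positionally as well is not visible from this diff, so this may be a tree-wide convention rather than something to change in this commit alone.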
@@ -557,8 +557,10 @@ spnego_reply
 *minor_status = ret;
 return GSS_S_FAILURE;
 }
- if (mech_buf.length != buf_len)
+ if (mech_buf.length != buf_len) {
 abort();
+ UNREACHABLE(return GSS_S_FAILURE);
+ }
 if (resp.u.negTokenResp.mechListMIC == NULL) {
 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
index dacaa3310e..3e151c7c2a 100644
--- a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
+++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
@@ -71,6 +71,8 @@
 #include "utils.h"
 #include <der.h>
+#include <heimbase.h>
+
 #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
 typedef struct {
diff --git a/source4/heimdal/lib/gssapi/version-script.map b/source4/heimdal/lib/gssapi/version-script.map
index 7591121333..ebd8ee21ac 100644
--- a/source4/heimdal/lib/gssapi/version-script.map
+++ b/source4/heimdal/lib/gssapi/version-script.map
@@ -2,7 +2,8 @@
 HEIMDAL_GSS_2.0 {
 global:
- __gss_c_nt_anonymous;
+# __gss_c_nt_anonymous;
+ __gss_c_nt_anonymous_oid_desc;
 __gss_c_nt_export_name_oid_desc;
 __gss_c_nt_hostbased_service_oid_desc;
 __gss_c_nt_hostbased_service_x_oid_desc;
@@ -11,11 +12,17 @@ HEIMDAL_GSS_2.0 {
 __gss_c_nt_user_name_oid_desc;
 __gss_krb5_nt_principal_name_oid_desc;
 __gss_c_attr_stream_sizes_oid_desc;
+ __gss_c_cred_password_oid_desc;
+ __gss_c_cred_certificate_oid_desc;
+ GSS_C_ATTR_LOCAL_LOGIN_USER;
 gss_accept_sec_context;
 gss_acquire_cred;
+ gss_acquire_cred_with_password;
 gss_add_buffer_set_member;
 gss_add_cred;
+ gss_add_cred_with_password;
 gss_add_oid_set_member;
+ gss_authorize_localname;
 gss_canonicalize_name;
 gss_compare_name;
 gss_context_query_attributes;
@@ -61,6 +68,7 @@ HEIMDAL_GSS_2.0 {
 gss_mg_collect_error;
 gss_oid_equal;
 gss_oid_to_str;
+ gss_pname_to_uid;
 gss_process_context_token;
 gss_pseudo_random;
 gss_release_buffer;
@@ -75,10 +83,12 @@ HEIMDAL_GSS_2.0 {
 gss_set_name_attribute;
 gss_set_sec_context_option;
 gss_sign;
+ gss_store_cred;
 gss_test_oid_set_member;
 gss_unseal;
 gss_unwrap;
 gss_unwrap_iov;
+ gss_userok;
 gss_verify;
 gss_verify_mic;
 gss_wrap;
|