diff options
Diffstat (limited to 'source4/heimdal/lib/gssapi')
77 files changed, 611 insertions, 533 deletions
diff --git a/source4/heimdal/lib/gssapi/gssapi_mech.h b/source4/heimdal/lib/gssapi/gssapi_mech.h index 206a24ef74..65cabf54d1 100644 --- a/source4/heimdal/lib/gssapi/gssapi_mech.h +++ b/source4/heimdal/lib/gssapi/gssapi_mech.h @@ -356,10 +356,15 @@ _gss_import_cred_t(OM_uint32 * minor_status, #define GMI_VERSION 2 +/* gm_flags */ +#define GM_USE_MG_CRED 1 /* uses mech glue credentials */ + + typedef struct gssapi_mech_interface_desc { unsigned gm_version; const char *gm_name; gss_OID_desc gm_mech_oid; + unsigned gm_flags; _gss_acquire_cred_t *gm_acquire_cred; _gss_release_cred_t *gm_release_cred; _gss_init_sec_context_t *gm_init_sec_context; diff --git a/source4/heimdal/lib/gssapi/krb5/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c index a6f0165e72..2c53d67003 100644 --- a/source4/heimdal/lib/gssapi/krb5/8003.c +++ b/source4/heimdal/lib/gssapi/krb5/8003.c @@ -74,32 +74,36 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, u_char *p) { u_char num[4]; - MD5_CTX md5; + EVP_MD_CTX *ctx; + + ctx = EVP_MD_CTX_create(); + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); - MD5_Init(&md5); _gsskrb5_encode_om_uint32 (b->initiator_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); + EVP_DigestUpdate(ctx, num, sizeof(num)); _gsskrb5_encode_om_uint32 (b->initiator_address.length, num); - MD5_Update (&md5, num, sizeof(num)); + EVP_DigestUpdate(ctx, num, sizeof(num)); if (b->initiator_address.length) - MD5_Update (&md5, - b->initiator_address.value, - b->initiator_address.length); + EVP_DigestUpdate(ctx, + b->initiator_address.value, + b->initiator_address.length); _gsskrb5_encode_om_uint32 (b->acceptor_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); + EVP_DigestUpdate(ctx, num, sizeof(num)); _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num); - MD5_Update (&md5, num, sizeof(num)); + EVP_DigestUpdate(ctx, num, sizeof(num)); if (b->acceptor_address.length) - MD5_Update (&md5, - b->acceptor_address.value, - b->acceptor_address.length); + EVP_DigestUpdate(ctx, + b->acceptor_address.value, + b->acceptor_address.length); _gsskrb5_encode_om_uint32 (b->application_data.length, num); - MD5_Update (&md5, num, sizeof(num)); + EVP_DigestUpdate(ctx, num, sizeof(num)); if (b->application_data.length) - MD5_Update (&md5, - b->application_data.value, - b->application_data.length); - MD5_Final (p, &md5); + EVP_DigestUpdate(ctx, + b->application_data.value, + b->application_data.length); + EVP_DigestFinal_ex(ctx, p, NULL); + EVP_MD_CTX_destroy(ctx); + return 0; } @@ -204,7 +208,7 @@ _gsskrb5_verify_8003_checksum( *minor_status = 0; return GSS_S_BAD_BINDINGS; } - if(memcmp(hash, p, sizeof(hash)) != 0) { + if(ct_memcmp(hash, p, sizeof(hash)) != 0) { *minor_status = 0; return GSS_S_BAD_BINDINGS; } diff --git a/source4/heimdal/lib/gssapi/krb5/aeap.c b/source4/heimdal/lib/gssapi/krb5/aeap.c index 38a5ac2dbe..f1aee4bbbf 100644 --- a/source4/heimdal/lib/gssapi/krb5/aeap.c +++ b/source4/heimdal/lib/gssapi/krb5/aeap.c @@ -35,7 +35,7 @@ #include <roken.h> -OM_uint32 GSSAPI_LIB_FUNCTION +OM_uint32 _gk_wrap_iov(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int conf_req_flag, @@ -57,7 +57,7 @@ _gk_wrap_iov(OM_uint32 * minor_status, return GSS_S_FAILURE; } -OM_uint32 GSSAPI_LIB_FUNCTION +OM_uint32 _gk_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int *conf_state, @@ -77,7 +77,7 @@ _gk_unwrap_iov(OM_uint32 *minor_status, return GSS_S_FAILURE; } -OM_uint32 GSSAPI_LIB_FUNCTION +OM_uint32 _gk_wrap_iov_length(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int conf_req_flag, diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c index e7331b0119..dc59e997bd 100644 --- a/source4/heimdal/lib/gssapi/krb5/arcfour.c +++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c @@ -173,7 +173,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status, int32_t seq_number; size_t len, total_len; u_char k6_data[16], *p0, *p; - RC4_KEY rc4_key; + EVP_CIPHER_CTX rc4_key; _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); @@ -235,10 +235,11 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status, memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4); - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p, p); - - memset(&rc4_key, 0, sizeof(rc4_key)); + EVP_CIPHER_CTX_init(&rc4_key); + EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + EVP_Cipher(&rc4_key, p, p, 8); + EVP_CIPHER_CTX_cleanup(&rc4_key); + memset(k6_data, 0, sizeof(k6_data)); *minor_status = 0; @@ -300,19 +301,20 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, return GSS_S_FAILURE; } - cmp = memcmp(cksum_data, p + 8, 8); + cmp = ct_memcmp(cksum_data, p + 8, 8); if (cmp) { *minor_status = 0; return GSS_S_BAD_MIC; } { - RC4_KEY rc4_key; + EVP_CIPHER_CTX rc4_key; - RC4_set_key (&rc4_key, sizeof(k6_data), (void*)k6_data); - RC4 (&rc4_key, 8, p, SND_SEQ); - - memset(&rc4_key, 0, sizeof(rc4_key)); + EVP_CIPHER_CTX_init(&rc4_key); + EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0); + EVP_Cipher(&rc4_key, SND_SEQ, p, 8); + EVP_CIPHER_CTX_cleanup(&rc4_key); + memset(k6_data, 0, sizeof(k6_data)); } @@ -459,12 +461,12 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, if(conf_req_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), (void *)k6_data); - /* XXX ? */ - RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */ - memset(&rc4_key, 0, sizeof(rc4_key)); + EVP_CIPHER_CTX rc4_key; + + EVP_CIPHER_CTX_init(&rc4_key); + EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen); + EVP_CIPHER_CTX_cleanup(&rc4_key); } memset(k6_data, 0, sizeof(k6_data)); @@ -478,11 +480,12 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status, } { - RC4_KEY rc4_key; + EVP_CIPHER_CTX rc4_key; - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); + EVP_CIPHER_CTX_init(&rc4_key); + EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8); + EVP_CIPHER_CTX_cleanup(&rc4_key); memset(k6_data, 0, sizeof(k6_data)); } @@ -577,11 +580,12 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, } { - RC4_KEY rc4_key; + EVP_CIPHER_CTX rc4_key; - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); + EVP_CIPHER_CTX_init(&rc4_key); + EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8); + EVP_CIPHER_CTX_cleanup(&rc4_key); memset(k6_data, 0, sizeof(k6_data)); } @@ -624,13 +628,13 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, output_message_buffer->length = datalen; if(conf_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */ - RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - output_message_buffer->value); - memset(&rc4_key, 0, sizeof(rc4_key)); + EVP_CIPHER_CTX rc4_key; + + EVP_CIPHER_CTX_init(&rc4_key); + EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8); + EVP_Cipher(&rc4_key, output_message_buffer->value, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, datalen); + EVP_CIPHER_CTX_cleanup(&rc4_key); } else { memcpy(Confounder, p0 + 24, 8); /* Confounder */ memcpy(output_message_buffer->value, @@ -662,7 +666,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, return GSS_S_FAILURE; } - cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ + cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ if (cmp) { _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = 0; diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c index 7cc7ee1e74..1a6e975279 100755 --- a/source4/heimdal/lib/gssapi/krb5/cfx.c +++ b/source4/heimdal/lib/gssapi/krb5/cfx.c @@ -213,8 +213,8 @@ _gk_find_buffer(gss_iov_buffer_desc *iov, int iov_count, OM_uint32 type) return NULL; } -static OM_uint32 -allocate_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *buffer, size_t size) +OM_uint32 +_gk_allocate_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *buffer, size_t size) { if (buffer->type & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED) { if (buffer->buffer.length == size) @@ -234,6 +234,43 @@ allocate_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *buffer, size_t siz } +OM_uint32 +_gk_verify_buffers(OM_uint32 *minor_status, + const gsskrb5_ctx ctx, + const gss_iov_buffer_desc *header, + const gss_iov_buffer_desc *padding, + const gss_iov_buffer_desc *trailer) +{ + if (header == NULL) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (IS_DCE_STYLE(ctx)) { + /* + * In DCE style mode we reject having a padding or trailer buffer + */ + if (padding) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + if (trailer) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + } else { + /* + * In non-DCE style mode we require having a padding buffer + */ + if (padding == NULL) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + } + + *minor_status = 0; + return GSS_S_COMPLETE; +} OM_uint32 _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, @@ -248,44 +285,99 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *header, *trailer, *padding; size_t gsshsize, k5hsize; size_t gsstsize, k5tsize; - size_t i, padlength, rrc = 0, ec = 0; + size_t i, rrc = 0, ec = 0; gss_cfx_wrap_token token; krb5_error_code ret; int32_t seq_number; unsigned usage; krb5_crypto_iov *data = NULL; - int paddingoffset = 0; - + header = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER); if (header == NULL) { *minor_status = EINVAL; return GSS_S_FAILURE; } - krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_PADDING, &padlength); - padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING); - if (padlength != 0 && padding == NULL) { - *minor_status = EINVAL; - return GSS_S_FAILURE; + if (padding != NULL) { + padding->buffer.length = 0; } trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); + major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer); + if (major_status != GSS_S_COMPLETE) { + return major_status; + } + if (conf_req_flag) { - ec = padlength; + size_t k5psize = 0; + size_t k5pbase = 0; + size_t k5bsize = 0; + size_t size = 0; - krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER, &k5tsize); - krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER, &k5hsize); + for (i = 0; i < iov_count; i++) { + switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) { + case GSS_IOV_BUFFER_TYPE_DATA: + size += iov[i].buffer.length; + break; + default: + break; + } + } - gsshsize = k5hsize + sizeof(*token); - gsstsize = k5tsize + sizeof(*token); /* encrypted token stored in trailer */ + size += sizeof(gss_cfx_wrap_token_desc); + *minor_status = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_HEADER, + &k5hsize); + if (*minor_status) + return GSS_S_FAILURE; + + *minor_status = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_TRAILER, + &k5tsize); + if (*minor_status) + return GSS_S_FAILURE; + + *minor_status = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_PADDING, + &k5pbase); + if (*minor_status) + return GSS_S_FAILURE; + + if (k5pbase > 1) { + k5psize = k5pbase - (size % k5pbase); + } else { + k5psize = 0; + } + + if (k5psize == 0 && IS_DCE_STYLE(ctx)) { + *minor_status = krb5_crypto_getblocksize(context, ctx->crypto, + &k5bsize); + if (*minor_status) + return GSS_S_FAILURE; + ec = k5bsize; + } else { + ec = k5psize; + } + + gsshsize = sizeof(gss_cfx_wrap_token_desc) + k5hsize; + gsstsize = sizeof(gss_cfx_wrap_token_desc) + ec + k5tsize; } else { + if (IS_DCE_STYLE(ctx)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } - krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_CHECKSUM, &k5tsize); + k5hsize = 0; + *minor_status = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_CHECKSUM, + &k5tsize); + if (*minor_status) + return GSS_S_FAILURE; - gsshsize = sizeof(*token); + gsshsize = sizeof(gss_cfx_wrap_token_desc); gsstsize = k5tsize; } @@ -294,19 +386,13 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, */ if (trailer == NULL) { - /* conf_req_flag=0 doesn't support DCE_STYLE */ - if (conf_req_flag == 0) { - *minor_status = EINVAL; - major_status = GSS_S_FAILURE; - goto failure; - } rrc = gsstsize; if (IS_DCE_STYLE(ctx)) rrc -= ec; gsshsize += gsstsize; gsstsize = 0; } else if (GSS_IOV_BUFFER_FLAGS(trailer->type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE) { - major_status = allocate_buffer(minor_status, trailer, gsstsize); + major_status = _gk_allocate_buffer(minor_status, trailer, gsstsize); if (major_status) goto failure; } else if (trailer->buffer.length < gsstsize) { @@ -321,7 +407,7 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, */ if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE) { - major_status = allocate_buffer(minor_status, header, gsshsize); + major_status = _gk_allocate_buffer(minor_status, header, gsshsize); if (major_status != GSS_S_COMPLETE) goto failure; } else if (header->buffer.length < gsshsize) { @@ -352,8 +438,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, * used to encode the size (in bytes) of the random filler. */ token->Flags |= CFXSealed; - token->EC[0] = (padlength >> 8) & 0xFF; - token->EC[1] = (padlength >> 0) & 0xFF; + token->EC[0] = (ec >> 8) & 0xFF; + token->EC[1] = (ec >> 0) & 0xFF; } else { /* @@ -404,15 +490,15 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, /* plain packet: - {"header" | encrypt(plaintext-data | padding | E"header")} + {"header" | encrypt(plaintext-data | ec-padding | E"header")} Expanded, this is with with RRC = 0: - {"header" | krb5-header | plaintext-data | padding | E"header" | krb5-trailer } + {"header" | krb5-header | plaintext-data | ec-padding | E"header" | krb5-trailer } - In DCE-RPC mode == no trailer: RRC = gss "trailer" == length(padding | E"header" | krb5-trailer) + In DCE-RPC mode == no trailer: RRC = gss "trailer" == length(ec-padding | E"header" | krb5-trailer) - {"header" | padding | E"header" | krb5-trailer | krb5-header | plaintext-data } + {"header" | ec-padding | E"header" | krb5-trailer | krb5-header | plaintext-data } */ i = 0; @@ -425,10 +511,6 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, case GSS_IOV_BUFFER_TYPE_DATA: data[i].flags = KRB5_CRYPTO_TYPE_DATA; break; - case GSS_IOV_BUFFER_TYPE_PADDING: - data[i].flags = KRB5_CRYPTO_TYPE_PADDING; - paddingoffset = i; - break; case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; break; @@ -446,8 +528,6 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, * ciphertext. */ - /* XXX KRB5_CRYPTO_TYPE_PADDING */ - /* encrypted CFX header in trailer (or after the header if in DCE mode). Copy in header into E"header" */ @@ -455,15 +535,16 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, if (trailer) data[i].data.data = trailer->buffer.value; else - data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize - k5tsize - sizeof(*token); + data[i].data.data = ((uint8_t *)header->buffer.value) + sizeof(*token); - data[i].data.length = sizeof(*token); - memcpy(data[i].data.data, token, sizeof(*token)); + data[i].data.length = ec + sizeof(*token); + memset(data[i].data.data, 0xFF, ec); + memcpy(((uint8_t *)data[i].data.data) + ec, token, sizeof(*token)); i++; /* Kerberos trailer comes after the gss trailer */ data[i].flags = KRB5_CRYPTO_TYPE_TRAILER; - data[i].data.data = ((uint8_t *)data[i-1].data.data) + sizeof(*token); + data[i].data.data = ((uint8_t *)data[i-1].data.data) + ec + sizeof(*token); data[i].data.length = k5tsize; i++; @@ -479,9 +560,6 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, token->RRC[1] = (rrc >> 0) & 0xFF; } - if (paddingoffset) - padding->buffer.length = data[paddingoffset].data.length; - } else { /* plain packet: @@ -495,7 +573,6 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, for (i = 0; i < iov_count; i++) { switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) { case GSS_IOV_BUFFER_TYPE_DATA: - case GSS_IOV_BUFFER_TYPE_PADDING: data[i].flags = KRB5_CRYPTO_TYPE_DATA; break; case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: @@ -511,12 +588,17 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, data[i].flags = KRB5_CRYPTO_TYPE_DATA; data[i].data.data = header->buffer.value; - data[i].data.length = header->buffer.length; + data[i].data.length = sizeof(gss_cfx_wrap_token_desc); i++; data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM; - data[i].data.data = trailer->buffer.value; - data[i].data.length = trailer->buffer.length; + if (trailer) { + data[i].data.data = trailer->buffer.value; + } else { + data[i].data.data = (uint8_t *)header->buffer.value + + sizeof(gss_cfx_wrap_token_desc); + } + data[i].data.length = k5tsize; i++; ret = krb5_create_checksum_iov(context, ctx->crypto, usage, data, i, NULL); @@ -526,8 +608,13 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, goto failure; } - token->EC[0] = (trailer->buffer.length >> 8) & 0xFF; - token->EC[1] = (trailer->buffer.length >> 0) & 0xFF; + if (rrc) { + token->RRC[0] = (rrc >> 8) & 0xFF; + token->RRC[1] = (rrc >> 0) & 0xFF; + } + + token->EC[0] = (k5tsize >> 8) & 0xFF; + token->EC[1] = (k5tsize >> 0) & 0xFF; } if (conf_state != NULL) @@ -606,7 +693,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING || GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER) { - memcpy(q, iov[i].buffer.value, MIN(iov[i].buffer.length, skip)); + memcpy(q, iov[i].buffer.value, min(iov[i].buffer.length, skip)); if (iov[i].buffer.length > skip) break; skip -= iov[i].buffer.length; @@ -627,7 +714,7 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, int iov_count) { OM_uint32 seq_number_lo, seq_number_hi, major_status, junk; - gss_iov_buffer_desc *header, *trailer; + gss_iov_buffer_desc *header, *trailer, *padding; gss_cfx_wrap_token token, ttoken; u_char token_flags; krb5_error_code ret; @@ -647,8 +734,19 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, if (header->buffer.length < sizeof(*token)) /* we check exact below */ return GSS_S_DEFECTIVE_TOKEN; + padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING); + if (padding != NULL && padding->buffer.length != 0) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); + major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer); + if (major_status != GSS_S_COMPLETE) { + return major_status; + } + token = (gss_cfx_wrap_token)header->buffer.value; if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) @@ -730,14 +828,16 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, size_t gsstsize = k5tsize + sizeof(*token); size_t gsshsize = k5hsize + sizeof(*token); - if (IS_DCE_STYLE(ctx)) - gsstsize += ec; - gsshsize += gsstsize; - if (rrc != gsstsize) { major_status = GSS_S_DEFECTIVE_TOKEN; goto failure; } + + if (IS_DCE_STYLE(ctx)) + gsstsize += ec; + + gsshsize += gsstsize; + if (header->buffer.length != gsshsize) { major_status = GSS_S_DEFECTIVE_TOKEN; goto failure; @@ -764,7 +864,6 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, for (j = 0; j < iov_count; i++, j++) { switch (GSS_IOV_BUFFER_TYPE(iov[j].type)) { case GSS_IOV_BUFFER_TYPE_DATA: - case GSS_IOV_BUFFER_TYPE_PADDING: data[i].flags = KRB5_CRYPTO_TYPE_DATA; break; case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: @@ -782,17 +881,20 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, DCE mode). Copy in header into E"header" */ data[i].flags = KRB5_CRYPTO_TYPE_DATA; - if (trailer) + if (trailer) { data[i].data.data = trailer->buffer.value; - else - data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize - k5tsize - sizeof(*token); - data[i].data.length = sizeof(*token); - ttoken = (gss_cfx_wrap_token)data[i].data.data; + } else { + data[i].data.data = ((uint8_t *)header->buffer.value) + + header->buffer.length - k5hsize - k5tsize - ec- sizeof(*token); + } + + data[i].data.length = ec + sizeof(*token); + ttoken = (gss_cfx_wrap_token)(((uint8_t *)data[i].data.data) + ec); i++; /* Kerberos trailer comes after the gss trailer */ data[i].flags = KRB5_CRYPTO_TYPE_TRAILER; - data[i].data.data = ((uint8_t *)data[i-1].data.data) + sizeof(*token); + data[i].data.data = ((uint8_t *)data[i-1].data.data) + ec + sizeof(*token); data[i].data.length = k5tsize; i++; @@ -807,34 +909,42 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, ttoken->RRC[1] = token->RRC[1]; /* Check the integrity of the header */ - if (memcmp(ttoken, token, sizeof(*token)) != 0) { + if (ct_memcmp(ttoken, token, sizeof(*token)) != 0) { major_status = GSS_S_BAD_MIC; goto failure; } } else { - /* Check RRC */ - if (rrc != 0) { - *minor_status = EINVAL; - major_status = GSS_S_FAILURE; - goto failure; - } + size_t gsstsize = ec; + size_t gsshsize = sizeof(*token); if (trailer == NULL) { + /* Check RRC */ + if (rrc != gsstsize) { + *minor_status = EINVAL; + major_status = GSS_S_FAILURE; + goto failure; + } + + gsshsize += gsstsize; + gsstsize = 0; + } else if (trailer->buffer.length != gsstsize) { + major_status = GSS_S_DEFECTIVE_TOKEN; + goto failure; + } else if (rrc != 0) { + /* Check RRC */ *minor_status = EINVAL; major_status = GSS_S_FAILURE; goto failure; } - if (trailer->buffer.length != ec) { - *minor_status = EINVAL; - major_status = GSS_S_FAILURE; + if (header->buffer.length != gsshsize) { + major_status = GSS_S_DEFECTIVE_TOKEN; goto failure; } for (i = 0; i < iov_count; i++) { switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) { case GSS_IOV_BUFFER_TYPE_DATA: - case GSS_IOV_BUFFER_TYPE_PADDING: data[i].flags = KRB5_CRYPTO_TYPE_DATA; break; case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: @@ -850,12 +960,17 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, data[i].flags = KRB5_CRYPTO_TYPE_DATA; data[i].data.data = header->buffer.value; - data[i].data.length = header->buffer.length; + data[i].data.length = sizeof(*token); i++; data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM; - data[i].data.data = trailer->buffer.value; - data[i].data.length = trailer->buffer.length; + if (trailer) { + data[i].data.data = trailer->buffer.value; + } else { + data[i].data.data = (uint8_t *)header->buffer.value + + sizeof(*token); + } + data[i].data.length = ec; i++; token = (gss_cfx_wrap_token)header->buffer.value; @@ -900,9 +1015,16 @@ _gssapi_wrap_iov_length_cfx(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, int iov_count) { + OM_uint32 major_status; size_t size; int i; - size_t *padding = NULL; + gss_iov_buffer_desc *header = NULL; + gss_iov_buffer_desc *padding = NULL; + gss_iov_buffer_desc *trailer = NULL; + size_t gsshsize = 0; + size_t gsstsize = 0; + size_t k5hsize = 0; + size_t k5tsize = 0; GSSAPI_KRB5_INIT (&context); *minor_status = 0; @@ -915,21 +1037,25 @@ _gssapi_wrap_iov_length_cfx(OM_uint32 *minor_status, size += iov[i].buffer.length; break; case GSS_IOV_BUFFER_TYPE_HEADER: - *minor_status = krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER, &iov[i].buffer.length); - if (*minor_status) + if (header != NULL) { + *minor_status = 0; return GSS_S_FAILURE; + } + header = &iov[i]; break; case GSS_IOV_BUFFER_TYPE_TRAILER: - *minor_status = krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER, &iov[i].buffer.length); - if (*minor_status) + if (trailer != NULL) { + *minor_status = 0; return GSS_S_FAILURE; + } + trailer = &iov[i]; break; case GSS_IOV_BUFFER_TYPE_PADDING: if (padding != NULL) { *minor_status = 0; return GSS_S_FAILURE; } - padding = &iov[i].buffer.length; + padding = &iov[i]; break; case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: break; @@ -938,15 +1064,83 @@ _gssapi_wrap_iov_length_cfx(OM_uint32 *minor_status, return GSS_S_FAILURE; } } + + major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer); + if (major_status != GSS_S_COMPLETE) { + return major_status; + } + + if (conf_req_flag) { + size_t k5psize = 0; + size_t k5pbase = 0; + size_t k5bsize = 0; + size_t ec = 0; + + size += sizeof(gss_cfx_wrap_token_desc); + + *minor_status = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_HEADER, + &k5hsize); + if (*minor_status) + return GSS_S_FAILURE; + + *minor_status = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_TRAILER, + &k5tsize); + if (*minor_status) + return GSS_S_FAILURE; + + *minor_status = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_PADDING, + &k5pbase); + if (*minor_status) + return GSS_S_FAILURE; + + if (k5pbase > 1) { + k5psize = k5pbase - (size % k5pbase); + } else { + k5psize = 0; + } + + if (k5psize == 0 && IS_DCE_STYLE(ctx)) { + *minor_status = krb5_crypto_getblocksize(context, ctx->crypto, + &k5bsize); + if (*minor_status) + return GSS_S_FAILURE; + + ec = k5bsize; + } else { + ec = k5psize; + } + + gsshsize = sizeof(gss_cfx_wrap_token_desc) + k5hsize; + gsstsize = sizeof(gss_cfx_wrap_token_desc) + ec + k5tsize; + } else { + *minor_status = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_CHECKSUM, + &k5tsize); + if (*minor_status) + return GSS_S_FAILURE; + + gsshsize = sizeof(gss_cfx_wrap_token_desc); + gsstsize = k5tsize; + } + + if (trailer != NULL) { + trailer->buffer.length = gsstsize; + } else { + gsshsize += gsstsize; + } + + header->buffer.length = gsshsize; + if (padding) { - size_t pad; - krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_PADDING, &pad); - if (pad > 1) { - *padding = pad - (size % pad); - if (*padding == pad) - *padding = 0; - } else - *padding = 0; + /* padding is done via EC and is contained in the header or trailer */ + padding->buffer.length = 0; + } + + if (conf_state) { + *conf_state = conf_req_flag; } return GSS_S_COMPLETE; @@ -1294,7 +1488,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, ((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1]; /* Check the integrity of the header */ - if (memcmp(p, token, sizeof(*token)) != 0) { + if (ct_memcmp(p, token, sizeof(*token)) != 0) { krb5_data_free(&data); return GSS_S_BAD_MIC; } @@ -1496,7 +1690,7 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, return GSS_S_DEFECTIVE_TOKEN; } - if (memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) { + if (ct_memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) { return GSS_S_DEFECTIVE_TOKEN; } diff --git a/source4/heimdal/lib/gssapi/krb5/creds.c b/source4/heimdal/lib/gssapi/krb5/creds.c index 68cb766bc3..fd40617040 100644 --- a/source4/heimdal/lib/gssapi/krb5/creds.c +++ b/source4/heimdal/lib/gssapi/krb5/creds.c @@ -250,5 +250,6 @@ _gsskrb5_import_cred(OM_uint32 * minor_status, handle->cred_flags = flags; *cred_handle = (gss_cred_id_t)handle; + return GSS_S_COMPLETE; } diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c index 7ccf0b0f79..640c064d0b 100644 --- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c @@ -80,9 +80,9 @@ _gssapi_verify_mech_header(u_char **str, if (mech_len != mech->length) return GSS_S_BAD_MECH; - if (memcmp(p, - mech->elements, - mech->length) != 0) + if (ct_memcmp(p, + mech->elements, + mech->length) != 0) return GSS_S_BAD_MECH; p += mech_len; *str = rk_UNCONST(p); @@ -108,7 +108,7 @@ _gsskrb5_verify_header(u_char **str, if (len < 2) return GSS_S_DEFECTIVE_TOKEN; - if (memcmp (*str, type, 2) != 0) + if (ct_memcmp (*str, type, 2) != 0) return GSS_S_DEFECTIVE_TOKEN; *str += 2; diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index fc835bd845..fd81f3ebeb 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -434,6 +434,7 @@ static gssapi_mech_interface_desc krb5_mech = { GMI_VERSION, "kerberos 5", {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }, + 0, _gsskrb5_acquire_cred, _gsskrb5_release_cred, _gsskrb5_init_sec_context, diff --git a/source4/heimdal/lib/gssapi/krb5/get_mic.c b/source4/heimdal/lib/gssapi/krb5/get_mic.c index ad3009c73e..f3f7fff8ae 100644 --- a/source4/heimdal/lib/gssapi/krb5/get_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/get_mic.c @@ -33,6 +33,8 @@ #include "gsskrb5_locl.h" +#ifdef HEIM_WEAK_CRYPTO + static OM_uint32 mic_des (OM_uint32 * minor_status, @@ -45,9 +47,10 @@ mic_des ) { u_char *p; - MD5_CTX md5; + EVP_MD_CTX *md5; u_char hash[16]; DES_key_schedule schedule; + EVP_CIPHER_CTX des_ctx; DES_cblock deskey; DES_cblock zero; int32_t seq_number; @@ -79,10 +82,12 @@ mic_des p += 16; /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, message_buffer->length); - MD5_Final (hash, &md5); + md5 = EVP_MD_CTX_create(); + EVP_DigestInit_ex(md5, EVP_md5(), NULL); + EVP_DigestUpdate(md5, p - 24, 8); + EVP_DigestUpdate(md5, message_buffer->value, message_buffer->length); + EVP_DigestFinal_ex(md5, hash, NULL); + EVP_MD_CTX_destroy(md5); memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); @@ -106,9 +111,10 @@ mic_des (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - DES_set_key_unchecked (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); + EVP_CIPHER_CTX_init(&des_ctx); + EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1); + EVP_Cipher(&des_ctx, p, p, 8); + EVP_CIPHER_CTX_cleanup(&des_ctx); krb5_auth_con_setlocalseqnumber (context, ctx->auth_context, @@ -121,6 +127,7 @@ mic_des *minor_status = 0; return GSS_S_COMPLETE; } +#endif static OM_uint32 mic_des3 @@ -297,8 +304,12 @@ OM_uint32 _gsskrb5_get_mic switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = mic_des (minor_status, ctx, context, qop_req, message_buffer, message_token, key); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_DES3 : ret = mic_des3 (minor_status, ctx, context, qop_req, diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h index aadb80db0d..d91670821a 100644 --- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h +++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h @@ -111,11 +111,6 @@ typedef struct Principal *gsskrb5_name; extern krb5_keytab _gsskrb5_keytab; extern HEIMDAL_MUTEX gssapi_keytab_mutex; -struct gssapi_thr_context { - HEIMDAL_MUTEX mutex; - char *error_string; -}; - /* * Prototypes */ diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index b269d06798..1954c101c7 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -175,20 +175,21 @@ gsskrb5_get_creds( const gss_name_t target_name, int use_dns, OM_uint32 time_req, - OM_uint32 * time_rec, - krb5_creds ** cred) + OM_uint32 * time_rec) { OM_uint32 ret; krb5_error_code kret; krb5_creds this_cred; OM_uint32 lifetime_rec; - *cred = NULL; - if (ctx->target) { krb5_free_principal(context, ctx->target); ctx->target = NULL; } + if (ctx->kcred) { + krb5_free_creds(context, ctx->kcred); + ctx->kcred = NULL; + } ret = _gsskrb5_canon_name(minor_status, context, use_dns, ctx->source, target_name, &ctx->target); @@ -214,13 +215,13 @@ gsskrb5_get_creds( 0, ccache, &this_cred, - cred); + &ctx->kcred); if (kret) { *minor_status = kret; return GSS_S_FAILURE; } - ctx->lifetime = (*cred)->times.endtime; + ctx->lifetime = ctx->kcred->times.endtime; ret = _gsskrb5_lifetime_left(minor_status, context, ctx->lifetime, &lifetime_rec); @@ -427,11 +428,11 @@ init_auth */ ret = gsskrb5_get_creds(minor_status, context, ctx->ccache, ctx, name, 0, time_req, - time_rec, &ctx->kcred); + time_rec); if (ret && allow_dns) ret = gsskrb5_get_creds(minor_status, context, ctx->ccache, ctx, name, 1, time_req, - time_rec, &ctx->kcred); + time_rec); if (ret) goto failure; diff --git a/source4/heimdal/lib/gssapi/krb5/prf.c b/source4/heimdal/lib/gssapi/krb5/prf.c index 76ae3b78ed..737ccb6834 100644 --- a/source4/heimdal/lib/gssapi/krb5/prf.c +++ b/source4/heimdal/lib/gssapi/krb5/prf.c @@ -132,6 +132,7 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, krb5_data_free(&output); num++; } + free(input.data); krb5_crypto_destroy(context, crypto); diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index 20cf952b4e..5e0042e28b 100644 --- a/source4/heimdal/lib/gssapi/krb5/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -33,6 +33,8 @@ #include "gsskrb5_locl.h" +#ifdef HEIM_WEAK_CRYPTO + static OM_uint32 unwrap_des (OM_uint32 * minor_status, @@ -46,8 +48,9 @@ unwrap_des { u_char *p, *seq; size_t len; - MD5_CTX md5; + EVP_MD_CTX *md5; u_char hash[16]; + EVP_CIPHER_CTX des_ctx; DES_key_schedule schedule; DES_cblock deskey; DES_cblock zero; @@ -98,16 +101,13 @@ unwrap_des for (i = 0; i < sizeof(deskey); ++i) deskey[i] ^= 0xf0; - DES_set_key_unchecked (&deskey, &schedule); - memset (&zero, 0, sizeof(zero)); - DES_cbc_encrypt ((void *)p, - (void *)p, - input_message_buffer->length - len, - &schedule, - &zero, - DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); + + + EVP_CIPHER_CTX_init(&des_ctx); + EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0); + EVP_Cipher(&des_ctx, p, p, input_message_buffer->length - len); + EVP_CIPHER_CTX_cleanup(&des_ctx); + memset (&schedule, 0, sizeof(schedule)); } @@ -122,17 +122,19 @@ unwrap_des return ret; } - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, input_message_buffer->length - len); - MD5_Final (hash, &md5); + md5 = EVP_MD_CTX_create(); + EVP_DigestInit_ex(md5, EVP_md5(), NULL); + EVP_DigestUpdate(md5, p - 24, 8); + EVP_DigestUpdate(md5, p, input_message_buffer->length - len); + EVP_DigestFinal_ex(md5, hash, NULL); + EVP_MD_CTX_destroy(md5); memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) + if (ct_memcmp (p - 8, hash, 8) != 0) return GSS_S_BAD_MIC; /* verify sequence number */ @@ -140,9 +142,11 @@ unwrap_des HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); p -= 16; - DES_set_key_unchecked (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)hash, DES_DECRYPT); + + EVP_CIPHER_CTX_init(&des_ctx); + EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0); + EVP_Cipher(&des_ctx, p, p, 8); + EVP_CIPHER_CTX_cleanup(&des_ctx); memset (deskey, 0, sizeof(deskey)); memset (&schedule, 0, sizeof(schedule)); @@ -151,9 +155,9 @@ unwrap_des _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); + cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4); else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); + cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4); if (cmp != 0) { HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -180,6 +184,7 @@ unwrap_des output_message_buffer->length); return GSS_S_COMPLETE; } +#endif static OM_uint32 unwrap_des3 @@ -224,16 +229,16 @@ unwrap_des3 if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ return GSS_S_BAD_SIG; p += 2; - if (memcmp (p, "\x02\x00", 2) == 0) { + if (ct_memcmp (p, "\x02\x00", 2) == 0) { cstate = 1; - } else if (memcmp (p, "\xff\xff", 2) == 0) { + } else if (ct_memcmp (p, "\xff\xff", 2) == 0) { cstate = 0; } else return GSS_S_BAD_MIC; p += 2; if(conf_state != NULL) *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) + if (ct_memcmp (p, "\xff\xff", 2) != 0) return GSS_S_DEFECTIVE_TOKEN; p += 2; p += 28; @@ -314,9 +319,9 @@ unwrap_des3 _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); + cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4); else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); + cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4); krb5_data_free (&seq_data); if (cmp != 0) { @@ -414,9 +419,13 @@ OM_uint32 _gsskrb5_unwrap switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = unwrap_des (minor_status, ctx, input_message_buffer, output_message_buffer, conf_state, qop_state, key); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_DES3 : ret = unwrap_des3 (minor_status, ctx, context, diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index c7e16e81f7..0b5b6e1ccd 100644 --- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -33,6 +33,8 @@ #include "gsskrb5_locl.h" +#ifdef HEIM_WEAK_CRYPTO + static OM_uint32 verify_mic_des (OM_uint32 * minor_status, @@ -46,9 +48,10 @@ verify_mic_des ) { u_char *p; - MD5_CTX md5; + EVP_MD_CTX *md5; u_char hash[16], *seq; DES_key_schedule schedule; + EVP_CIPHER_CTX des_ctx; DES_cblock zero; DES_cblock deskey; uint32_t seq_number; @@ -72,11 +75,12 @@ verify_mic_des p += 16; /* verify checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, - message_buffer->length); - MD5_Final (hash, &md5); + md5 = EVP_MD_CTX_create(); + EVP_DigestInit_ex(md5, EVP_md5(), NULL); + EVP_DigestUpdate(md5, p - 24, 8); + EVP_DigestUpdate(md5, message_buffer->value, message_buffer->length); + EVP_DigestFinal_ex(md5, hash, NULL); + EVP_MD_CTX_destroy(md5); memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); @@ -84,7 +88,7 @@ verify_mic_des DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) { + if (ct_memcmp (p - 8, hash, 8) != 0) { memset (deskey, 0, sizeof(deskey)); memset (&schedule, 0, sizeof(schedule)); return GSS_S_BAD_MIC; @@ -95,9 +99,11 @@ verify_mic_des HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); p -= 16; - DES_set_key_unchecked (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)hash, DES_DECRYPT); + + EVP_CIPHER_CTX_init(&des_ctx); + EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0); + EVP_Cipher(&des_ctx, p, p, 8); + EVP_CIPHER_CTX_cleanup(&des_ctx); memset (deskey, 0, sizeof(deskey)); memset (&schedule, 0, sizeof(schedule)); @@ -106,9 +112,9 @@ verify_mic_des _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); + cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4); else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); + cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4); if (cmp != 0) { HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); @@ -125,6 +131,7 @@ verify_mic_des return GSS_S_COMPLETE; } +#endif static OM_uint32 verify_mic_des3 @@ -207,9 +214,9 @@ retry: _gsskrb5_decode_om_uint32(seq, &seq_number); if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); + cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4); else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); + cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4); krb5_data_free (&seq_data); if (cmp != 0) { @@ -292,9 +299,13 @@ _gsskrb5_verify_mic_internal krb5_enctype_to_keytype (context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = verify_mic_des (minor_status, ctx, context, message_buffer, token_buffer, qop_state, key, type); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_DES3 : ret = verify_mic_des3 (minor_status, ctx, context, diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index 3de13f908f..9078fb3dd7 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -168,7 +168,11 @@ _gsskrb5_wrap_size_limit ( switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = sub_wrap_size(req_output_size, max_input_size, 8, 22); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: @@ -188,6 +192,8 @@ _gsskrb5_wrap_size_limit ( return ret; } +#ifdef HEIM_WEAK_CRYPTO + static OM_uint32 wrap_des (OM_uint32 * minor_status, @@ -202,9 +208,10 @@ wrap_des ) { u_char *p; - MD5_CTX md5; + EVP_MD_CTX *md5; u_char hash[16]; DES_key_schedule schedule; + EVP_CIPHER_CTX des_ctx; DES_cblock deskey; DES_cblock zero; int i; @@ -262,10 +269,12 @@ wrap_des memset (p + 8 + input_message_buffer->length, padlength, padlength); /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, datalen); - MD5_Final (hash, &md5); + md5 = EVP_MD_CTX_create(); + EVP_DigestInit_ex(md5, EVP_md5(), NULL); + EVP_DigestUpdate(md5, p - 24, 8); + EVP_DigestUpdate(md5, p, datalen); + EVP_DigestFinal_ex(md5, hash, NULL); + EVP_MD_CTX_destroy(md5); memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); @@ -289,9 +298,10 @@ wrap_des (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - DES_set_key_unchecked (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); + EVP_CIPHER_CTX_init(&des_ctx); + EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1); + EVP_Cipher(&des_ctx, p, p, 8); + EVP_CIPHER_CTX_cleanup(&des_ctx); krb5_auth_con_setlocalseqnumber (context, ctx->auth_context, @@ -306,14 +316,11 @@ wrap_des for (i = 0; i < sizeof(deskey); ++i) deskey[i] ^= 0xf0; - DES_set_key_unchecked (&deskey, &schedule); - memset (&zero, 0, sizeof(zero)); - DES_cbc_encrypt ((void *)p, - (void *)p, - datalen, - &schedule, - &zero, - DES_ENCRYPT); + + EVP_CIPHER_CTX_init(&des_ctx); + EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, deskey, zero, 1); + EVP_Cipher(&des_ctx, p, p, datalen); + EVP_CIPHER_CTX_cleanup(&des_ctx); } memset (deskey, 0, sizeof(deskey)); memset (&schedule, 0, sizeof(schedule)); @@ -324,6 +331,8 @@ wrap_des return GSS_S_COMPLETE; } +#endif + static OM_uint32 wrap_des3 (OM_uint32 * minor_status, @@ -552,9 +561,13 @@ OM_uint32 _gsskrb5_wrap switch (keytype) { case KEYTYPE_DES : +#ifdef HEIM_WEAK_CRYPTO ret = wrap_des (minor_status, ctx, context, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); +#else + ret = GSS_S_FAILURE; +#endif break; case KEYTYPE_DES3 : ret = wrap_des3 (minor_status, ctx, context, conf_req_flag, diff --git a/source4/heimdal/lib/gssapi/mech/context.c b/source4/heimdal/lib/gssapi/mech/context.c index b032d8aa0e..96e5edc32b 100644 --- a/source4/heimdal/lib/gssapi/mech/context.c +++ b/source4/heimdal/lib/gssapi/mech/context.c @@ -1,8 +1,6 @@ #include "mech_locl.h" #include "heim_threads.h" -RCSID("$Id$"); - struct mg_thread_ctx { gss_OID mech; OM_uint32 maj_stat; diff --git a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c index 134511f34b..1529ab1137 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); static OM_uint32 parse_header(const gss_buffer_t input_token, gss_OID mech_oid) @@ -161,6 +160,7 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, struct _gss_mechanism_cred *mc; gss_cred_id_t acceptor_mc, delegated_mc; gss_name_t src_mn; + gss_OID mech_ret_type = NULL; *minor_status = 0; if (src_name) @@ -228,7 +228,7 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, input_token, input_chan_bindings, &src_mn, - mech_type, + &mech_ret_type, output_token, &mech_ret_flags, time_rec, @@ -241,6 +241,9 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, return (major_status); } + if (mech_type) + *mech_type = mech_ret_type; + if (src_name && src_mn) { /* * Make a new name and mark it as an MN. @@ -262,6 +265,15 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, m->gm_release_cred(minor_status, &delegated_mc); if (ret_flags) *ret_flags &= ~GSS_C_DELEG_FLAG; + } else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) { + /* + * If the returned mech_type is not the same + * as the mech, assume its pseudo mech type + * and the returned type is already a + * mech-glue object + */ + *delegated_cred_handle = delegated_mc; + } else if (delegated_mc) { struct _gss_cred *dcred; struct _gss_mechanism_cred *dmc; diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c index b1bc7dd981..75a7978d89 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_acquire_cred(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c index d190852884..08c7882784 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); static struct _gss_mechanism_cred * _gss_copy_cred(struct _gss_mechanism_cred *mc) diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c index d10b1e7e43..b866125291 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c @@ -32,7 +32,24 @@ */ #include "mech_locl.h" -RCSID("$Id$"); + +/** + * Add a oid to the oid set, function does not make a copy of the oid, + * so the pointer to member_oid needs to be stable for the whole time + * oid_set is used. + * + * If there is a duplicate member of the oid, the new member is not + * added to to the set. + * + * @param minor_status minor status code. + * @param member_oid member to add to the oid set + * @param oid_set oid set to add the member too + * + * @returns a gss_error code, see gss_display_status() about printing + * the error code. + * + * @ingroup gssapi + */ OM_uint32 GSSAPI_LIB_FUNCTION gss_add_oid_set_member (OM_uint32 * minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c index 9f0bb4cce3..58863c3112 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c +++ b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c @@ -31,7 +31,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_create_empty_buffer_set diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c index db976f2453..1bb94b3468 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); /** * gss_canonicalize_name takes a Internal Name (IN) and converts in into a diff --git a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c index 3f2d0013c5..9481218de2 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_compare_name(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_context_time.c b/source4/heimdal/lib/gssapi/mech/gss_context_time.c index df89612060..d99f71f77a 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_context_time.c +++ b/source4/heimdal/lib/gssapi/mech/gss_context_time.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_context_time(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c b/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c index 8858f28498..36337a5435 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c +++ b/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_create_empty_oid_set(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c index 6681fc5a34..8db0832d86 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c @@ -32,7 +32,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_decapsulate_token(gss_buffer_t input_token, diff --git a/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c index 96abae6b33..c2575927c3 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_delete_sec_context(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_display_name.c b/source4/heimdal/lib/gssapi/mech/gss_display_name.c index d720ffe880..0b75592246 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_display_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_display_name.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_display_name(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_display_status.c b/source4/heimdal/lib/gssapi/mech/gss_display_status.c index daa62bfcd9..60c5b8f523 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_display_status.c +++ b/source4/heimdal/lib/gssapi/mech/gss_display_status.c @@ -59,7 +59,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); static const char * calling_error(OM_uint32 v) diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c index 1690ae6c51..87775878ef 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 gss_duplicate_name(OM_uint32 *minor_status, const gss_name_t src_name, diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_oid.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_oid.c index b6aa226fda..165b07e5ae 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_duplicate_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_oid.c @@ -32,7 +32,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 gss_duplicate_oid ( OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c index b5434be85a..e14b00f9ce 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c @@ -32,7 +32,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_encapsulate_token(gss_buffer_t input_token, diff --git a/source4/heimdal/lib/gssapi/mech/gss_export_name.c b/source4/heimdal/lib/gssapi/mech/gss_export_name.c index 7c1e6791da..7f7c1afe68 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_export_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_export_name.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_export_name(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c index f3a6dc4fb5..0fc19e2af7 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_export_sec_context(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_get_mic.c b/source4/heimdal/lib/gssapi/mech/gss_get_mic.c index 3a0f3fb757..f4921b60db 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_get_mic.c +++ b/source4/heimdal/lib/gssapi/mech/gss_get_mic.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_get_mic(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_name.c b/source4/heimdal/lib/gssapi/mech/gss_import_name.c index c1dffdc614..19ab75a84c 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_import_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_import_name.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); static OM_uint32 _gss_import_export_name(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c index 01ca9f10df..e08d3b7af4 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_import_sec_context(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c index 34c0bb55d8..ab95a18ee6 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c +++ b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_indicate_mechs(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c index 579000a7ec..dfebe26109 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); static gss_cred_id_t _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type) @@ -119,7 +118,10 @@ gss_init_sec_context(OM_uint32 * minor_status, /* * If we have a cred, find the cred for this mechanism. */ - cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type); + if (m->gm_flags & GM_USE_MG_CRED) + cred_handle = initiator_cred_handle; + else + cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type); major_status = m->gm_init_sec_context(minor_status, cred_handle, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c index 8872f121d0..e000af00ef 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_context(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c index 3587572672..e5faf58764 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); #define AUSAGE 1 #define IUSAGE 2 diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c index 47a2eaf279..39c5e711b7 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred_by_mech(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c index 733d919fd9..3b821ce823 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c @@ -31,7 +31,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred_by_oid (OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c index e953ccb5da..f0e23e664a 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_mechs_for_name(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c index a630d76216..c796f05227 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_names_for_mech(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c index 9ba892dc0e..ffa0c44fa3 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c @@ -31,7 +31,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 5d883c45c2..1611d91d02 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); #include <krb5.h> #include <roken.h> diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c index 3321819d28..d060badfe1 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c +++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c @@ -28,7 +28,6 @@ #include "mech_locl.h" #include <heim_threads.h> -RCSID("$Id$"); #ifndef _PATH_GSS_MECH #define _PATH_GSS_MECH "/etc/gss/mech" @@ -272,6 +271,7 @@ _gss_load_mech(void) free(m); continue; } + m->gm_mech.gm_flags = 0; major_status = gss_add_oid_set_member(&minor_status, &m->gm_mech.gm_mech_oid, &_gss_mech_oids); diff --git a/source4/heimdal/lib/gssapi/mech/gss_names.c b/source4/heimdal/lib/gssapi/mech/gss_names.c index ada53d0bfd..6a7ccd5c71 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_names.c +++ b/source4/heimdal/lib/gssapi/mech/gss_names.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 _gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech, diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c index a99eb09e50..93ee6b2a2d 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c +++ b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c @@ -32,7 +32,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); int GSSAPI_LIB_FUNCTION gss_oid_equal(const gss_OID a, const gss_OID b) diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c index 92d997bed9..114e7d63e4 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c +++ b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c @@ -32,7 +32,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str) diff --git a/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c b/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c index 9dc3f5b904..738ff7d8e2 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_process_context_token(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c b/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c index 771efcb434..96b40a6af6 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c +++ b/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c @@ -34,7 +34,6 @@ /* $Id$ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_pseudo_random(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c b/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c index 1af5289157..9aad034ab2 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_release_buffer(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_cred.c b/source4/heimdal/lib/gssapi/mech/gss_release_cred.c index 40777fa2a1..463fddb2ba 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_cred.c @@ -27,7 +27,28 @@ */ #include "mech_locl.h" -RCSID("$Id$"); + +/** + * Release a credentials + * + * Its ok to release the GSS_C_NO_CREDENTIAL/NULL credential, it will + * return a GSS_S_COMPLETE error code. On return cred_handle is set ot + * GSS_C_NO_CREDENTIAL. + * + * Example: + * + * @code + * gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; + * major = gss_release_cred(&minor, &cred); + * @endcode + * + * @param minor_status minor status return code, mech specific + * @param cred_handle a pointer to the credential too release + * + * @return an gssapi error code + * + * @ingroup gssapi + */ OM_uint32 GSSAPI_LIB_FUNCTION gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_name.c b/source4/heimdal/lib/gssapi/mech/gss_release_name.c index c5e348d5c0..84553ee05d 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_name.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_release_name(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_oid.c b/source4/heimdal/lib/gssapi/mech/gss_release_oid.c index 8d0ea4367c..458e94d711 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_oid.c @@ -33,7 +33,6 @@ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_release_oid(OM_uint32 *minor_status, gss_OID *oid) diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c b/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c index 0ccb9e4dc6..f875d39d0c 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_release_oid_set(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_seal.c b/source4/heimdal/lib/gssapi/mech/gss_seal.c index f6636456ea..8c1e9eba1c 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_seal.c +++ b/source4/heimdal/lib/gssapi/mech/gss_seal.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_seal(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c index 20eaa14d9e..86a136159e 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c +++ b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c @@ -31,7 +31,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_set_cred_option (OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c b/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c index 735d59322e..ca0ec00ef7 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c @@ -31,7 +31,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_set_sec_context_option (OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_sign.c b/source4/heimdal/lib/gssapi/mech/gss_sign.c index 1d73641355..8a1b1e363f 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_sign.c +++ b/source4/heimdal/lib/gssapi/mech/gss_sign.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_sign(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c index ca1dca8fad..7995f4df00 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c +++ b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_test_oid_set_member(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_unseal.c b/source4/heimdal/lib/gssapi/mech/gss_unseal.c index 539e65a01c..8815790575 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_unseal.c +++ b/source4/heimdal/lib/gssapi/mech/gss_unseal.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_unseal(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_unwrap.c b/source4/heimdal/lib/gssapi/mech/gss_unwrap.c index 693bbe020b..7285e46598 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_unwrap.c +++ b/source4/heimdal/lib/gssapi/mech/gss_unwrap.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_unwrap(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_utils.c b/source4/heimdal/lib/gssapi/mech/gss_utils.c index 6e05acff03..2071621b23 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_utils.c +++ b/source4/heimdal/lib/gssapi/mech/gss_utils.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 _gss_copy_oid(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_verify.c b/source4/heimdal/lib/gssapi/mech/gss_verify.c index f287cb4816..e60d6507be 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_verify.c +++ b/source4/heimdal/lib/gssapi/mech/gss_verify.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_verify(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c b/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c index 60ef3bff85..c535e3ffce 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c +++ b/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_verify_mic(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap.c b/source4/heimdal/lib/gssapi/mech/gss_wrap.c index 9476d01ddd..fb8a17bbe6 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_wrap.c +++ b/source4/heimdal/lib/gssapi/mech/gss_wrap.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c index a5a80b21d7..49af364668 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c +++ b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c @@ -27,7 +27,6 @@ */ #include "mech_locl.h" -RCSID("$Id$"); OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap_size_limit(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c index 2bdfc28ebf..247c25611f 100644 --- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c @@ -496,7 +496,6 @@ acceptor_start gss_buffer_desc mech_buf; gss_OID preferred_mech_type = GSS_C_NO_OID; gssspnego_ctx ctx; - gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle; int get_mic = 0; int first_ok = 0; @@ -564,25 +563,18 @@ acceptor_start &preferred_mech_type); if (ret == 0 && ni->mechToken != NULL) { - gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL; - gss_cred_id_t mech_cred; gss_buffer_desc ibuf; ibuf.length = ni->mechToken->length; ibuf.value = ni->mechToken->data; mech_input_token = &ibuf; - if (acceptor_cred != NULL) - mech_cred = acceptor_cred->negotiated_cred_id; - else - mech_cred = GSS_C_NO_CREDENTIAL; - if (ctx->mech_src_name != GSS_C_NO_NAME) gss_release_name(&junk, &ctx->mech_src_name); ret = gss_accept_sec_context(minor_status, &ctx->negotiated_ctx_id, - mech_cred, + acceptor_cred_handle, mech_input_token, input_chan_bindings, &ctx->mech_src_name, @@ -590,18 +582,10 @@ acceptor_start &mech_output_token, &ctx->mech_flags, &ctx->mech_time_rec, - &mech_delegated_cred); - - if (mech_delegated_cred && delegated_cred_handle) { - _gss_spnego_alloc_cred(&junk, - mech_delegated_cred, - delegated_cred_handle); - } else if (mech_delegated_cred != GSS_C_NO_CREDENTIAL) - gss_release_cred(&junk, &mech_delegated_cred); + delegated_cred_handle); if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { ctx->preferred_mech_type = preferred_mech_type; - ctx->negotiated_mech_type = preferred_mech_type; if (ret == GSS_S_COMPLETE) ctx->open = 1; @@ -646,7 +630,6 @@ acceptor_start } ctx->preferred_mech_type = preferred_mech_type; - ctx->negotiated_mech_type = preferred_mech_type; } /* @@ -719,7 +702,7 @@ acceptor_continue gss_cred_id_t *delegated_cred_handle ) { - OM_uint32 ret, ret2, minor, junk; + OM_uint32 ret, ret2, minor; NegotiationToken nt; size_t nt_len; NegTokenResp *na; @@ -728,7 +711,6 @@ acceptor_continue gss_buffer_t mech_output_token = GSS_C_NO_BUFFER; gss_buffer_desc mech_buf; gssspnego_ctx ctx; - gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle; mech_buf.value = NULL; @@ -774,20 +756,13 @@ acceptor_continue } if (mech_input_token != GSS_C_NO_BUFFER) { - gss_cred_id_t mech_cred; - gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL; - - if (acceptor_cred != NULL) - mech_cred = acceptor_cred->negotiated_cred_id; - else - mech_cred = GSS_C_NO_CREDENTIAL; if (ctx->mech_src_name != GSS_C_NO_NAME) gss_release_name(&minor, &ctx->mech_src_name); ret = gss_accept_sec_context(&minor, &ctx->negotiated_ctx_id, - mech_cred, + acceptor_cred_handle, mech_input_token, input_chan_bindings, &ctx->mech_src_name, @@ -795,14 +770,7 @@ acceptor_continue &obuf, &ctx->mech_flags, &ctx->mech_time_rec, - &mech_delegated_cred); - - if (mech_delegated_cred && delegated_cred_handle) { - _gss_spnego_alloc_cred(&junk, - mech_delegated_cred, - delegated_cred_handle); - } else if (mech_delegated_cred != GSS_C_NO_CREDENTIAL) - gss_release_cred(&junk, &mech_delegated_cred); + delegated_cred_handle); if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { mech_output_token = &obuf; diff --git a/source4/heimdal/lib/gssapi/spnego/compat.c b/source4/heimdal/lib/gssapi/spnego/compat.c index ee25b59435..b2f535e58f 100644 --- a/source4/heimdal/lib/gssapi/spnego/compat.c +++ b/source4/heimdal/lib/gssapi/spnego/compat.c @@ -142,7 +142,6 @@ OM_uint32 _gss_spnego_internal_delete_sec_context HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); free(ctx); - *context_handle = NULL; return ret; } @@ -236,7 +235,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status, gss_name_t target_name, OM_uint32 (*func)(gss_name_t, gss_OID), int includeMSCompatOID, - const gssspnego_cred cred_handle, + const gss_cred_id_t cred_handle, MechTypeList *mechtypelist, gss_OID *preferred_mech) { @@ -248,9 +247,9 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status, mechtypelist->len = 0; mechtypelist->val = NULL; - if (cred_handle != NULL) { + if (cred_handle) { ret = gss_inquire_cred(minor_status, - cred_handle->negotiated_cred_id, + cred_handle, NULL, NULL, NULL, diff --git a/source4/heimdal/lib/gssapi/spnego/context_stubs.c b/source4/heimdal/lib/gssapi/spnego/context_stubs.c index 1998c44edf..c0d47b9f63 100644 --- a/source4/heimdal/lib/gssapi/spnego/context_stubs.c +++ b/source4/heimdal/lib/gssapi/spnego/context_stubs.c @@ -643,84 +643,70 @@ OM_uint32 _gss_spnego_duplicate_name ( return gss_duplicate_name(minor_status, src_name, dest_name); } -#if 0 -OM_uint32 _gss_spnego_unwrap_ex - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t token_header_buffer, - const gss_buffer_t associated_data_buffer, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state) +OM_uint32 +_gss_spnego_wrap_iov(OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int * conf_state, + gss_iov_buffer_desc *iov, + int iov_count) { - gssspnego_ctx ctx; + gssspnego_ctx ctx = (gssspnego_ctx)context_handle; *minor_status = 0; - if (context_handle == GSS_C_NO_CONTEXT) { + if (ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) return GSS_S_NO_CONTEXT; - } - ctx = (gssspnego_ctx)context_handle; - - if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } - - return gss_unwrap_ex(minor_status, - ctx->negotiated_ctx_id, - token_header_buffer, - associated_data_buffer, - input_message_buffer, - output_message_buffer, - conf_state, - qop_state); + return gss_wrap_iov(minor_status, ctx->negotiated_ctx_id, + conf_req_flag, qop_req, conf_state, + iov, iov_count); } -OM_uint32 _gss_spnego_wrap_ex - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t associated_data_buffer, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_token_buffer, - gss_buffer_t output_message_buffer - ) +OM_uint32 +_gss_spnego_unwrap_iov(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int *conf_state, + gss_qop_t *qop_state, + gss_iov_buffer_desc *iov, + int iov_count) { - gssspnego_ctx ctx; + gssspnego_ctx ctx = (gssspnego_ctx)context_handle; *minor_status = 0; - if (context_handle == GSS_C_NO_CONTEXT) { + if (ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) return GSS_S_NO_CONTEXT; - } - ctx = (gssspnego_ctx)context_handle; + return gss_unwrap_iov(minor_status, + ctx->negotiated_ctx_id, + conf_state, qop_state, + iov, iov_count); +} - if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } +OM_uint32 +_gss_spnego_wrap_iov_length(OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + gssspnego_ctx ctx = (gssspnego_ctx)context_handle; - if ((ctx->mech_flags & GSS_C_DCE_STYLE) == 0 && - associated_data_buffer->length != input_message_buffer->length) { - *minor_status = EINVAL; - return GSS_S_BAD_QOP; - } + *minor_status = 0; + + if (ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; - return gss_wrap_ex(minor_status, - ctx->negotiated_ctx_id, - conf_req_flag, - qop_req, - associated_data_buffer, - input_message_buffer, - conf_state, - output_token_buffer, - output_message_buffer); + return gss_wrap_iov_length(minor_status, ctx->negotiated_ctx_id, + conf_req_flag, qop_req, conf_state, + iov, iov_count); } +#if 0 OM_uint32 _gss_spnego_complete_auth_token (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, diff --git a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c index a10a10f1ef..b1eb0be6da 100644 --- a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c +++ b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c @@ -37,50 +37,20 @@ RCSID("$Id$"); OM_uint32 _gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) { - gssspnego_cred cred; OM_uint32 ret; *minor_status = 0; - if (*cred_handle == GSS_C_NO_CREDENTIAL) { + if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) return GSS_S_COMPLETE; - } - cred = (gssspnego_cred)*cred_handle; - ret = gss_release_cred(minor_status, &cred->negotiated_cred_id); + ret = gss_release_cred(minor_status, cred_handle); - free(cred); *cred_handle = GSS_C_NO_CREDENTIAL; return ret; } -OM_uint32 -_gss_spnego_alloc_cred(OM_uint32 *minor_status, - gss_cred_id_t mech_cred_handle, - gss_cred_id_t *cred_handle) -{ - gssspnego_cred cred; - - if (*cred_handle != GSS_C_NO_CREDENTIAL) { - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - cred = calloc(1, sizeof(*cred)); - if (cred == NULL) { - *cred_handle = GSS_C_NO_CREDENTIAL; - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - cred->negotiated_cred_id = mech_cred_handle; - - *cred_handle = (gss_cred_id_t)cred; - - return GSS_S_COMPLETE; -} - /* * For now, just a simple wrapper that avoids recursion. When * we support gss_{get,set}_neg_mechs() we will need to expose @@ -103,8 +73,6 @@ OM_uint32 _gss_spnego_acquire_cred gss_OID_set_desc actual_desired_mechs; gss_OID_set mechs; int i, j; - gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL; - gssspnego_cred cred; *output_cred_handle = GSS_C_NO_CREDENTIAL; @@ -140,22 +108,14 @@ OM_uint32 _gss_spnego_acquire_cred } actual_desired_mechs.count = j; - ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL, - &cred_handle); - if (ret != GSS_S_COMPLETE) - goto out; - - cred = (gssspnego_cred)cred_handle; ret = gss_acquire_cred(minor_status, name, time_req, &actual_desired_mechs, cred_usage, - &cred->negotiated_cred_id, + output_cred_handle, actual_mechs, time_rec); if (ret != GSS_S_COMPLETE) goto out; - *output_cred_handle = cred_handle; - out: gss_release_name(minor_status, &name); gss_release_oid_set(&tmp, &mechs); @@ -163,7 +123,7 @@ out: free(actual_desired_mechs.elements); } if (ret != GSS_S_COMPLETE) { - _gss_spnego_release_cred(&tmp, &cred_handle); + _gss_spnego_release_cred(&tmp, output_cred_handle); } return ret; @@ -178,7 +138,6 @@ OM_uint32 _gss_spnego_inquire_cred gss_OID_set * mechanisms ) { - gssspnego_cred cred; spnego_name sname = NULL; OM_uint32 ret; @@ -195,10 +154,8 @@ OM_uint32 _gss_spnego_inquire_cred } } - cred = (gssspnego_cred)cred_handle; - ret = gss_inquire_cred(minor_status, - cred->negotiated_cred_id, + cred_handle, sname ? &sname->mech : NULL, lifetime, cred_usage, @@ -214,55 +171,6 @@ OM_uint32 _gss_spnego_inquire_cred return ret; } -OM_uint32 _gss_spnego_add_cred ( - OM_uint32 * minor_status, - const gss_cred_id_t input_cred_handle, - const gss_name_t desired_name, - const gss_OID desired_mech, - gss_cred_usage_t cred_usage, - OM_uint32 initiator_time_req, - OM_uint32 acceptor_time_req, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * initiator_time_rec, - OM_uint32 * acceptor_time_rec - ) -{ - gss_cred_id_t spnego_output_cred_handle = GSS_C_NO_CREDENTIAL; - OM_uint32 ret, tmp; - gssspnego_cred input_cred, output_cred; - - *output_cred_handle = GSS_C_NO_CREDENTIAL; - - ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL, - &spnego_output_cred_handle); - if (ret) - return ret; - - input_cred = (gssspnego_cred)input_cred_handle; - output_cred = (gssspnego_cred)spnego_output_cred_handle; - - ret = gss_add_cred(minor_status, - input_cred->negotiated_cred_id, - desired_name, - desired_mech, - cred_usage, - initiator_time_req, - acceptor_time_req, - &output_cred->negotiated_cred_id, - actual_mechs, - initiator_time_rec, - acceptor_time_rec); - if (ret) { - _gss_spnego_release_cred(&tmp, &spnego_output_cred_handle); - return ret; - } - - *output_cred_handle = spnego_output_cred_handle; - - return GSS_S_COMPLETE; -} - OM_uint32 _gss_spnego_inquire_cred_by_mech ( OM_uint32 * minor_status, const gss_cred_id_t cred_handle, @@ -273,7 +181,6 @@ OM_uint32 _gss_spnego_inquire_cred_by_mech ( gss_cred_usage_t * cred_usage ) { - gssspnego_cred cred; spnego_name sname = NULL; OM_uint32 ret; @@ -290,10 +197,8 @@ OM_uint32 _gss_spnego_inquire_cred_by_mech ( } } - cred = (gssspnego_cred)cred_handle; - ret = gss_inquire_cred_by_mech(minor_status, - cred->negotiated_cred_id, + cred_handle, mech_type, sname ? &sname->mech : NULL, initiator_lifetime, @@ -317,17 +222,15 @@ OM_uint32 _gss_spnego_inquire_cred_by_oid const gss_OID desired_object, gss_buffer_set_t *data_set) { - gssspnego_cred cred; OM_uint32 ret; if (cred_handle == GSS_C_NO_CREDENTIAL) { *minor_status = 0; return GSS_S_NO_CRED; } - cred = (gssspnego_cred)cred_handle; ret = gss_inquire_cred_by_oid(minor_status, - cred->negotiated_cred_id, + cred_handle, desired_object, data_set); @@ -340,16 +243,13 @@ _gss_spnego_set_cred_option (OM_uint32 *minor_status, const gss_OID object, const gss_buffer_t value) { - gssspnego_cred cred; - if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) { *minor_status = 0; return GSS_S_NO_CRED; } - cred = (gssspnego_cred)*cred_handle; return gss_set_cred_option(minor_status, - &cred->negotiated_cred_id, + cred_handle, object, value); } @@ -360,9 +260,7 @@ _gss_spnego_export_cred (OM_uint32 *minor_status, gss_cred_id_t cred_handle, gss_buffer_t value) { - gssspnego_cred cred = (gssspnego_cred)cred_handle; - - return gss_export_cred(minor_status, cred->negotiated_cred_id, value); + return gss_export_cred(minor_status, cred_handle, value); } OM_uint32 @@ -370,23 +268,6 @@ _gss_spnego_import_cred (OM_uint32 *minor_status, gss_buffer_t value, gss_cred_id_t *cred_handle) { - gssspnego_cred cred; - OM_uint32 major; - - *cred_handle = GSS_C_NO_CREDENTIAL; - - cred = calloc(1, sizeof(*cred)); - if (cred == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - major = gss_import_cred(minor_status, value, &cred->negotiated_cred_id); - if (major == GSS_S_COMPLETE) - *cred_handle = (gss_cred_id_t)cred; - else - free(cred); - - return major; + return gss_import_cred(minor_status, value, cred_handle); } diff --git a/source4/heimdal/lib/gssapi/spnego/external.c b/source4/heimdal/lib/gssapi/spnego/external.c index f3edcba389..9d50a61a75 100644 --- a/source4/heimdal/lib/gssapi/spnego/external.c +++ b/source4/heimdal/lib/gssapi/spnego/external.c @@ -46,6 +46,7 @@ static gssapi_mech_interface_desc spnego_mech = { GMI_VERSION, "spnego", {6, (void *)"\x2b\x06\x01\x05\x05\x02"}, + 0, _gss_spnego_acquire_cred, _gss_spnego_release_cred, _gss_spnego_init_sec_context, @@ -67,7 +68,7 @@ static gssapi_mech_interface_desc spnego_mech = { _gss_spnego_inquire_cred, _gss_spnego_inquire_context, _gss_spnego_wrap_size_limit, - _gss_spnego_add_cred, + gss_add_cred, _gss_spnego_inquire_cred_by_mech, _gss_spnego_export_sec_context, _gss_spnego_import_sec_context, @@ -80,9 +81,9 @@ static gssapi_mech_interface_desc spnego_mech = { _gss_spnego_set_sec_context_option, _gss_spnego_set_cred_option, _gss_spnego_pseudo_random, - NULL, - NULL, - NULL, + _gss_spnego_wrap_iov, + _gss_spnego_unwrap_iov, + _gss_spnego_wrap_iov_length, NULL, _gss_spnego_export_cred, _gss_spnego_import_cred diff --git a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c index ac32432d55..6afd524a5b 100644 --- a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c @@ -179,7 +179,7 @@ spnego_reply_internal(OM_uint32 *minor_status, static OM_uint32 spnego_initial (OM_uint32 * minor_status, - gssspnego_cred cred, + gss_cred_id_t cred, gss_ctx_id_t * context_handle, const gss_name_t target_name, const gss_OID mech_type, @@ -254,8 +254,7 @@ spnego_initial /* generate optimistic token */ sub = gss_init_sec_context(&minor, - (cred != NULL) ? cred->negotiated_cred_id : - GSS_C_NO_CREDENTIAL, + cred, &ctx->negotiated_ctx_id, ctx->target_name, ctx->preferred_mech_type, @@ -377,7 +376,7 @@ spnego_initial static OM_uint32 spnego_reply (OM_uint32 * minor_status, - const gssspnego_cred cred, + const gss_cred_id_t cred, gss_ctx_id_t * context_handle, const gss_name_t target_name, const gss_OID mech_type, @@ -498,8 +497,7 @@ spnego_reply /* Fall through as if the negotiated mechanism was requested explicitly */ ret = gss_init_sec_context(&minor, - (cred != NULL) ? cred->negotiated_cred_id : - GSS_C_NO_CREDENTIAL, + cred, &ctx->negotiated_ctx_id, ctx->target_name, &mech, @@ -629,11 +627,9 @@ OM_uint32 _gss_spnego_init_sec_context OM_uint32 * time_rec ) { - gssspnego_cred cred = (gssspnego_cred)initiator_cred_handle; - if (*context_handle == GSS_C_NO_CONTEXT) return spnego_initial (minor_status, - cred, + initiator_cred_handle, context_handle, target_name, mech_type, @@ -647,7 +643,7 @@ OM_uint32 _gss_spnego_init_sec_context time_rec); else return spnego_reply (minor_status, - cred, + initiator_cred_handle, context_handle, target_name, mech_type, diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h index 44fa8b117d..e8cad14881 100644 --- a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h +++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h @@ -74,10 +74,6 @@ #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) typedef struct { - gss_cred_id_t negotiated_cred_id; -} *gssspnego_cred; - -typedef struct { MechTypeList initiator_mech_types; gss_OID preferred_mech_type; gss_OID negotiated_mech_type; |