Diffstat (limited to 'source4/heimdal/lib/gssapi')
72 files changed, 964 insertions, 494 deletions
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi/gssapi.h index f8b599a664..9fe2bb8b46 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi.h @@ -53,6 +53,10 @@ #endif #endif +#ifndef GSSAPI_DEPRECATED +#define GSSAPI_DEPRECATED __attribute__((deprecated)) +#endif + /* * Now define the three implementation-dependent types. */ @@ -102,6 +106,11 @@ typedef struct gss_buffer_set_desc_struct { gss_buffer_desc *elements; } gss_buffer_set_desc, *gss_buffer_set_t; +typedef struct gss_iov_buffer_desc_struct { + OM_uint32 type; + gss_buffer_desc buffer; +} gss_iov_buffer_desc, *gss_iov_buffer_t; + /* * For now, define a QOP-type as an OM_uint32 */ @@ -178,6 +187,7 @@ typedef OM_uint32 gss_qop_t; #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) #define GSS_C_EMPTY_BUFFER {0, NULL} +#define GSS_C_NO_IOV_BUFFER ((gss_iov_buffer_t)0) /* * Some alternate names for a couple of the above @@ -206,6 +216,27 @@ typedef OM_uint32 gss_qop_t; */ #define GSS_C_INDEFINITE 0xfffffffful +/* + * Type of gss_wrap_iov()/gss_unwrap_iov(). + */ + +#define GSS_IOV_BUFFER_TYPE_EMPTY 0 +#define GSS_IOV_BUFFER_TYPE_DATA 1 +#define GSS_IOV_BUFFER_TYPE_HEADER 2 +#define GSS_IOV_BUFFER_TYPE_MECH_PARAMS 3 + +#define GSS_IOV_BUFFER_TYPE_TRAILER 7 +#define GSS_IOV_BUFFER_TYPE_PADDING 9 +#define GSS_IOV_BUFFER_TYPE_STREAM 10 +#define GSS_IOV_BUFFER_TYPE_SIGN_ONLY 11 + +#define GSS_IOV_BUFFER_TYPE_FLAG_MASK 0xffff0000 +#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE 0x00010000 +#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED 0x00020000 + +#define GSS_IOV_BUFFER_TYPE(_t) ((_t) & ~GSS_IOV_BUFFER_TYPE_FLAG_MASK) +#define GSS_IOV_BUFFER_FLAGS(_t) ((_t) & GSS_IOV_BUFFER_TYPE_FLAG_MASK) + #ifdef __cplusplus extern "C" { #endif 
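Review bot: `GSSAPI_DEPRECATED` defaults unconditionally to `__attribute__((deprecated))` in this public header, and later hunks attach it to the `gss_sign`/`gss_verify`/`gss_seal`/`gss_unseal` prototypes, so any consumer that compiles gssapi.h with a compiler that does not accept the GNU attribute syntax stops parsing at those declarations. The default should be gated on the compiler, with an empty definition everywhere else, as below. The IOV type constants in the last hunk skip 4–6 and 8 without comment — presumably reserved to line up with another implementation's numbering; a one-liner such as `/* 4-6 and 8 are reserved; do not reuse */` would keep them from being filled in by a later change.
```c
#ifndef GSSAPI_DEPRECATED
#if defined(__GNUC__)
#define GSSAPI_DEPRECATED __attribute__((deprecated))
#else
#define GSSAPI_DEPRECATED
#endif
#endif
```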
@@ -311,12 +342,6 @@ extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_EXPORT_NAME; extern GSSAPI_LIB_VARIABLE gss_OID GSS_SASL_DIGEST_MD5_MECHANISM; -/* - * NTLM mechanism - */ - -extern GSSAPI_LIB_VARIABLE gss_OID GSS_NTLM_MECHANISM; - /* Major status codes */ #define GSS_S_COMPLETE 0 
@@ -744,6 +769,75 @@ gss_pseudo_random ); /* + * AEAD support + */ + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_wrap_iov(OM_uint32 * /* minor_status */, + gss_ctx_id_t /* context_handle */, + int /* conf_req_flag */, + gss_qop_t /* qop_req */, + int * /* conf_state */, + gss_iov_buffer_desc * /*iov */, + int /* iov_count */); + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_unwrap_iov(OM_uint32 * /* minor_status */, + gss_ctx_id_t /* context_handle */, + int * /* conf_state */, + gss_qop_t * /* qop_state */, + gss_iov_buffer_desc * /* iov */, + int /* iov_count */); + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_wrap_iov_length(OM_uint32 * /* minor_status */, + gss_ctx_id_t /* context_handle */, + int /* conf_req_flag */, + gss_qop_t /* qop_req */, + int * /* conf_state */, + gss_iov_buffer_desc * /* iov */, + int /* iov_count */); + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_release_iov_buffer(OM_uint32 * /* minor_status */, + gss_iov_buffer_desc * /* iov */, + int /* iov_count */); + + +OM_uint32 +gss_store_cred(OM_uint32 * /* minor_status */, + gss_cred_id_t /* input_cred_handle */, + gss_cred_usage_t /* cred_usage */, + const gss_OID /* desired_mech */, + OM_uint32 /* overwrite_cred */, + OM_uint32 /* default_cred */, + gss_OID_set * /* elements_stored */, + gss_cred_usage_t * /* cred_usage_stored */); + + +/* + * Query functions + */ + +typedef struct { + size_t header; /**< size of header */ + size_t trailer; /**< size of trailer */ + size_t max_msg_size; /**< maximum message size */ + size_t buffers; /**< extra GSS_IOV_BUFFER_TYPE_EMPTY buffer to pass */ + size_t blocksize; /**< Specificed optimal size of messages, also + is the maximum padding size + (GSS_IOV_BUFFER_TYPE_PADDING) */ +} gss_context_stream_sizes; + +extern gss_OID GSSAPI_LIB_VARIABLE GSS_C_ATTR_STREAM_SIZES; + + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_context_query_attributes(OM_uint32 * /* minor_status */, + gss_OID /* attribute */, + void * /*data*/, + size_t /* len */); +/* * The following routines are obsolete variants of 
gss_get_mic, * gss_verify_mic, gss_wrap and gss_unwrap. They should be * provided by GSSAPI V2 implementations for backwards @@ -754,7 +848,7 @@ gss_pseudo_random * obsolete versions of these routines and their current forms. */ -OM_uint32 GSSAPI_LIB_FUNCTION gss_sign +OM_uint32 GSSAPI_LIB_FUNCTION GSSAPI_DEPRECATED gss_sign (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*qop_req*/, @@ -762,7 +856,7 @@ OM_uint32 GSSAPI_LIB_FUNCTION gss_sign gss_buffer_t /*message_token*/ ); -OM_uint32 GSSAPI_LIB_FUNCTION gss_verify +OM_uint32 GSSAPI_LIB_FUNCTION GSSAPI_DEPRECATED gss_verify (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, gss_buffer_t /*message_buffer*/, @@ -770,7 +864,7 @@ OM_uint32 GSSAPI_LIB_FUNCTION gss_verify int * /*qop_state*/ ); -OM_uint32 GSSAPI_LIB_FUNCTION gss_seal +OM_uint32 GSSAPI_LIB_FUNCTION GSSAPI_DEPRECATED gss_seal (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*conf_req_flag*/, @@ -780,7 +874,7 @@ OM_uint32 GSSAPI_LIB_FUNCTION gss_seal gss_buffer_t /*output_message_buffer*/ ); -OM_uint32 GSSAPI_LIB_FUNCTION gss_unseal +OM_uint32 GSSAPI_LIB_FUNCTION GSSAPI_DEPRECATED gss_unseal (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, gss_buffer_t /*input_message_buffer*/, @@ -809,7 +903,4 @@ gss_decapsulate_token(gss_buffer_t /* input_token */, } #endif -#include <gssapi/gssapi_krb5.h> -#include <gssapi/gssapi_spnego.h> - #endif /* GSSAPI_GSSAPI_H_ */ diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h index a821f73d2a..0baccf5098 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h @@ -36,7 +36,7 @@ #ifndef GSSAPI_KRB5_H_ #define GSSAPI_KRB5_H_ -#include <gssapi/gssapi.h> +#include <gssapi.h> #ifdef __cplusplus extern "C" { diff --git a/source4/heimdal/lib/gssapi/gssapi_mech.h b/source4/heimdal/lib/gssapi/gssapi_mech.h index b360de13fc..6470df30a0 100644 
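Review bot: `gss_store_cred` is the only new prototype in the AEAD/query hunk declared without `GSSAPI_LIB_FUNCTION`, unlike `gss_wrap_iov`, `gss_unwrap_iov`, `gss_wrap_iov_length`, `gss_release_iov_buffer` and `gss_context_query_attributes` around it; on builds where that macro carries the export or visibility attribute the symbol will not be exported from the shared library. Change it to `OM_uint32 GSSAPI_LIB_FUNCTION` followed by `gss_store_cred(OM_uint32 * /* minor_status */,`. The `gss_context_stream_sizes` doc comment also misspells `Specificed` (should be `Specified`), and `gss_context_query_attributes` carries no documentation at all; a comment like `/* Fill *data (at least len bytes) with the structure selected by attribute; GSS_C_ATTR_STREAM_SIZES expects a gss_context_stream_sizes */` would state the contract that the `void *data, size_t len` pair presumably implies.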
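Review bot: Removing `#include <gssapi/gssapi_krb5.h>` and `#include <gssapi/gssapi_spnego.h>` from the bottom of gssapi.h is a source-compatibility change for every consumer that obtained the krb5- or SPNEGO-specific declarations by including gssapi.h alone, and in the same change gssapi_krb5.h switches to `#include <gssapi.h>`, which presumably requires the gssapi/ directory itself to be on the include path rather than its parent. Neither consequence is called out in the header; a short comment where the includes were, e.g. `/* mechanism-specific headers are no longer pulled in here; include gssapi_krb5.h / gssapi_spnego.h explicitly */`, would save consumers a confusing build break.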
--- a/source4/heimdal/lib/gssapi/gssapi_mech.h +++ b/source4/heimdal/lib/gssapi/gssapi_mech.h @@ -307,7 +307,45 @@ typedef OM_uint32 _gss_pseudo_random( gss_buffer_t prf_out ); -#define GMI_VERSION 1 +typedef OM_uint32 +_gss_wrap_iov_t(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int * conf_state, + gss_iov_buffer_desc *iov, + int iov_count); + +typedef OM_uint32 +_gss_unwrap_iov_t(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int *conf_state, + gss_qop_t *qop_state, + gss_iov_buffer_desc *iov, + int iov_count); + +typedef OM_uint32 +_gss_wrap_iov_length_t(OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count); + +typedef OM_uint32 +_gss_store_cred_t(OM_uint32 *minor_status, + gss_cred_id_t input_cred_handle, + gss_cred_usage_t cred_usage, + const gss_OID desired_mech, + OM_uint32 overwrite_cred, + OM_uint32 default_cred, + gss_OID_set *elements_stored, + gss_cred_usage_t *cred_usage_stored); + + + +#define GMI_VERSION 2 typedef struct gssapi_mech_interface_desc { unsigned gm_version; @@ -347,6 +385,10 @@ typedef struct gssapi_mech_interface_desc { _gss_set_sec_context_option *gm_set_sec_context_option; _gss_set_cred_option *gm_set_cred_option; _gss_pseudo_random *gm_pseudo_random; + _gss_wrap_iov_t *gm_wrap_iov; + _gss_unwrap_iov_t *gm_unwrap_iov; + _gss_wrap_iov_length_t *gm_wrap_iov_length; + _gss_store_cred_t *gm_store_cred; } gssapi_mech_interface_desc, *gssapi_mech_interface; gssapi_mech_interface diff --git a/source4/heimdal/lib/gssapi/krb5/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c index 119d49a0c5..f5181cc311 100644 --- a/source4/heimdal/lib/gssapi/krb5/8003.c +++ b/source4/heimdal/lib/gssapi/krb5/8003.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); 
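Review bot: Bumping `GMI_VERSION` to 2 and appending `gm_wrap_iov`, `gm_unwrap_iov`, `gm_wrap_iov_length` and `gm_store_cred` keeps `gssapi_mech_interface_desc` prefix-compatible, but nothing here records that a mechanism built against version 1 does not have those members; the mechglue code that calls through them is not in this diff and must check `gm_version >= 2` (or a NULL pointer) before dereferencing, otherwise it reads past a shorter struct. A comment on the new members would pin that contract: `/* added in GMI_VERSION 2; check gm_version (or NULL) before calling */`. Minor style point: the new typedefs use a `_t` suffix (`_gss_wrap_iov_t`) while the existing entries in the same struct (`_gss_pseudo_random`, `_gss_set_cred_option`) do not; matching the established naming would be consistent.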
diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index 626afa9384..e0944852a7 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -74,12 +74,10 @@ _gsskrb5_register_acceptor_identity (const char *identity) } void -_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx) +_gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor) { + krb5_error_code ret; krb5_keyblock *key; - int acceptor = (ctx->more_flags & LOCAL) == 0; - - *is_cfx = 0; if (acceptor) { if (ctx->auth_context->local_subkey) @@ -108,12 +106,16 @@ _gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx) case ETYPE_ARCFOUR_HMAC_MD5_56: break; default : - *is_cfx = 1; + ctx->more_flags |= IS_CFX; + if ((acceptor && ctx->auth_context->local_subkey) || (!acceptor && ctx->auth_context->remote_subkey)) ctx->more_flags |= ACCEPTOR_SUBKEY; break; } + if (ctx->crypto) + krb5_crypto_destroy(context, ctx->crypto); + ret = krb5_crypto_init(context, key, 0, &ctx->crypto); } @@ -136,7 +138,8 @@ gsskrb5_accept_delegated_token kret = krb5_cc_default (context, &ccache); } else { *delegated_cred_handle = NULL; - kret = krb5_cc_gen_new (context, &krb5_mcc_ops, &ccache); + kret = krb5_cc_new_unique (context, krb5_cc_type_memory, + NULL, &ccache); } if (kret) { ctx->flags &= ~GSS_C_DELEG_FLAG; @@ -210,7 +213,8 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status, ctx->auth_context, &seq_number); - _gsskrb5i_is_cfx(ctx, &is_cfx); + _gsskrb5i_is_cfx(context, ctx, 1); + is_cfx = (ctx->more_flags & IS_CFX); ret = _gssapi_msg_order_create(minor_status, &ctx->order, 
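Review bot: In the `_gsskrb5i_is_cfx` hunk the result of `krb5_crypto_init(context, key, 0, &ctx->crypto)` is stored in `ret` and then discarded, and the function stays `void`, so a failed initialisation leaves `ctx->crypto` unusable while both acceptor callers visible here (`gsskrb5_acceptor_ready` in this line and `gsskrb5_acceptor_start` in the next) carry on and every later `ctx->crypto` use in cfx.c and aeap.c runs on a bad handle. Return the error, `krb5_error_code _gsskrb5i_is_cfx(krb5_context, gsskrb5_ctx, int)` ending in `return ret;`, and have the callers map it to `*minor_status` and `GSS_S_FAILURE`. The function now also owns the lifetime of `ctx->crypto` (it destroys any previous handle before re-initialising), which deserves a comment such as `/* (Re)initialises ctx->crypto from the negotiated subkey; the context owner must krb5_crypto_destroy it */` — the delete path is not in this diff.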
@@ -381,7 +385,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, server, in, &out); krb5_rd_req_in_ctx_free(context, in); - if (kret == KRB5KRB_AP_ERR_SKEW) { + if (kret == KRB5KRB_AP_ERR_SKEW || kret == KRB5KRB_AP_ERR_TKT_NYV) { /* * No reply in non-MUTUAL mode, but we don't know that its * non-MUTUAL mode yet, thats inside the 8003 checksum, so @@ -526,7 +530,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, krb5_data outbuf; int use_subkey = 0; - _gsskrb5i_is_cfx(ctx, &is_cfx); + _gsskrb5i_is_cfx(context, ctx, 1); + is_cfx = (ctx->more_flags & IS_CFX); if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) { use_subkey = 1; diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c index be680840f5..bfab5667be 100644 --- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -187,7 +187,8 @@ static OM_uint32 acquire_initiator_cred krb5_get_init_creds_opt_free(context, opt); if (kret) goto end; - kret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache); + kret = krb5_cc_new_unique(context, krb5_cc_type_memory, + NULL, &ccache); if (kret) goto end; kret = krb5_cc_initialize(context, ccache, cred.client); diff --git a/source4/heimdal/lib/gssapi/krb5/add_cred.c b/source4/heimdal/lib/gssapi/krb5/add_cred.c index d6fd8f6f15..aa96a45e45 100644 --- a/source4/heimdal/lib/gssapi/krb5/add_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/add_cred.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -168,8 +168,8 @@ OM_uint32 _gsskrb5_add_cred ( } if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, - &handle->ccache); + ret = krb5_cc_new_unique(context, type, + NULL, &handle->ccache); if (ret) { *minor_status = ret; goto failure; 
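Review bot: `KRB5KRB_AP_ERR_TKT_NYV` is added to the `KRB5KRB_AP_ERR_SKEW` branch, but the comment that follows (partly outside this hunk) still explains only the skew case, so a reader has no hint why a not-yet-valid ticket gets the same error-token treatment. Suggest extending it with `/* TKT_NYV is presumably the same clock-skew condition seen from the other side (client clock behind ours), so it gets the same reply. */`. `gsskrb5_acceptor_start` begins and ends outside this hunk.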
diff --git a/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c b/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c index ff0afdc059..fa115d964a 100644 --- a/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c +++ b/source4/heimdal/lib/gssapi/krb5/address_to_krb5addr.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" #include <roken.h> diff --git a/source4/heimdal/lib/gssapi/krb5/aeap.c b/source4/heimdal/lib/gssapi/krb5/aeap.c new file mode 100644 index 0000000000..7dab7877d7 --- /dev/null +++ b/source4/heimdal/lib/gssapi/krb5/aeap.c 
@@ -0,0 +1,271 @@ +/* + * Copyright (c) 2008 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "gsskrb5_locl.h" + +#include <roken.h> + +static OM_uint32 +iov_allocate(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, int iov_count) +{ + unsigned int i; + + for (i = 0; i < iov_count; i++) { + if (GSS_IOV_BUFFER_FLAGS(iov[i].type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE){ + void *ptr = malloc(iov[i].buffer.length); + if (ptr == NULL) + abort(); + if (iov[i].buffer.value) + memcpy(ptr, iov[i].buffer.value, iov[i].buffer.length); + iov[i].buffer.value = ptr; + iov[i].type |= GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED; + } + } + return GSS_S_COMPLETE; +} + +static OM_uint32 +iov_map(OM_uint32 *minor_status, + const gss_iov_buffer_desc *iov, + int iov_count, + krb5_crypto_iov *data) +{ + unsigned int i; + + for (i = 0; i < iov_count; i++) { + switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) { + case GSS_IOV_BUFFER_TYPE_EMPTY: + data[i].flags = KRB5_CRYPTO_TYPE_EMPTY; + break; + case GSS_IOV_BUFFER_TYPE_DATA: + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + break; + case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: + data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; + break; + case GSS_IOV_BUFFER_TYPE_HEADER: + data[i].flags = KRB5_CRYPTO_TYPE_HEADER; + break; + case GSS_IOV_BUFFER_TYPE_TRAILER: + data[i].flags = KRB5_CRYPTO_TYPE_TRAILER; + break; + case GSS_IOV_BUFFER_TYPE_PADDING: + data[i].flags = KRB5_CRYPTO_TYPE_PADDING; + break; + case GSS_IOV_BUFFER_TYPE_STREAM: + abort(); + break; + default: + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + data[i].data.data = iov[i].buffer.value; + data[i].data.length = iov[i].buffer.length; + } + return GSS_S_COMPLETE; +} + +OM_uint32 GSSAPI_LIB_FUNCTION +_gk_wrap_iov(OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int * conf_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; + krb5_context context; + OM_uint32 major_status, junk; + krb5_crypto_iov *data; + krb5_error_code ret; + unsigned usage; + + GSSAPI_KRB5_INIT (&context); + + 
major_status = iov_allocate(minor_status, iov, iov_count); + if (major_status != GSS_S_COMPLETE) + return major_status; + + data = calloc(iov_count, sizeof(data[0])); + if (data == NULL) { + gss_release_iov_buffer(&junk, iov, iov_count); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + major_status = iov_map(minor_status, iov, iov_count, data); + if (major_status != GSS_S_COMPLETE) { + gss_release_iov_buffer(&junk, iov, iov_count); + free(data); + return major_status; + } + + if (ctx->more_flags & LOCAL) { + usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; + } else { + usage = KRB5_KU_USAGE_INITIATOR_SIGN; + } + + ret = krb5_encrypt_iov_ivec(context, ctx->crypto, usage, + data, iov_count, NULL); + free(data); + if (ret) { + gss_release_iov_buffer(&junk, iov, iov_count); + *minor_status = ret; + return GSS_S_FAILURE; + } + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 GSSAPI_LIB_FUNCTION +_gk_unwrap_iov(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int *conf_state, + gss_qop_t *qop_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; + krb5_context context; + krb5_error_code ret; + OM_uint32 major_status, junk; + krb5_crypto_iov *data; + unsigned usage; + + GSSAPI_KRB5_INIT (&context); + + major_status = iov_allocate(minor_status, iov, iov_count); + if (major_status != GSS_S_COMPLETE) + return major_status; + + data = calloc(iov_count, sizeof(data[0])); + if (data == NULL) { + gss_release_iov_buffer(&junk, iov, iov_count); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + major_status = iov_map(minor_status, iov, iov_count, data); + if (major_status != GSS_S_COMPLETE) { + gss_release_iov_buffer(&junk, iov, iov_count); + free(data); + return major_status; + } + + if (ctx->more_flags & LOCAL) { + usage = KRB5_KU_USAGE_INITIATOR_SIGN; + } else { + usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; + } + + ret = krb5_decrypt_iov_ivec(context, ctx->crypto, usage, + data, iov_count, NULL); + 
free(data); + if (ret) { + *minor_status = ret; + gss_release_iov_buffer(&junk, iov, iov_count); + return GSS_S_FAILURE; + } + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 GSSAPI_LIB_FUNCTION +_gk_wrap_iov_length(OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; + krb5_context context; + unsigned int i; + size_t size; + size_t *padding = NULL; + + GSSAPI_KRB5_INIT (&context); + *minor_status = 0; + + for (size = 0, i = 0; i < iov_count; i++) { + switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) { + case GSS_IOV_BUFFER_TYPE_EMPTY: + break; + case GSS_IOV_BUFFER_TYPE_DATA: + size += iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_HEADER: + iov[i].buffer.length = + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER); + size += iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_TRAILER: + iov[i].buffer.length = + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER); + size += iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_PADDING: + if (padding != NULL) { + *minor_status = 0; + return GSS_S_FAILURE; + } + padding = &iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_STREAM: + size += iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: + break; + default: + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + } + if (padding) { + size_t pad = krb5_crypto_length(context, ctx->crypto, + KRB5_CRYPTO_TYPE_PADDING); + if (pad > 1) { + *padding = pad - (size % pad); + if (*padding == pad) + *padding = 0; + } else + *padding = 0; + } + + return GSS_S_COMPLETE; +} diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c index 7288b58493..b48cfebcf1 100644 --- a/source4/heimdal/lib/gssapi/krb5/arcfour.c +++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c 
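Review bot: The key-usage selection in `_gk_wrap_iov`/`_gk_unwrap_iov` is the mirror image of what `_gssapi_wrap_cfx`/`_gssapi_unwrap_cfx` in this same series use: there the `LOCAL` side wraps with `KRB5_KU_USAGE_INITIATOR_SEAL` and unwraps with `KRB5_KU_USAGE_ACCEPTOR_SEAL`, while here the `LOCAL` side wraps with `KRB5_KU_USAGE_ACCEPTOR_SIGN` and unwraps with `KRB5_KU_USAGE_INITIATOR_SIGN`, and the `_SIGN` usages are handed to `krb5_encrypt_iov_ivec`/`krb5_decrypt_iov_ivec`. The two new functions agree with each other, so a Heimdal-to-Heimdal test passes, but a peer following the cfx.c convention would fail to decrypt; unless the (not yet visible) caller deliberately wants this, `_gk_wrap_iov` should use `INITIATOR_SEAL` when `LOCAL` is set and `ACCEPTOR_SEAL` otherwise, with `_gk_unwrap_iov` reversed. Separately, `*conf_state` in both functions and `*qop_state` in `_gk_unwrap_iov` are never written, so callers read uninitialised values; add `if (conf_state) *conf_state = conf_req_flag;` and `if (qop_state) *qop_state = GSS_C_QOP_DEFAULT;` before the success return. Finally `iov_allocate` calls `abort()` on a failed `malloc(iov[i].buffer.length)` inside a library (a caller-supplied length becomes a process kill), and both `iov_allocate` and `iov_map` compare an `unsigned int i` against the `int iov_count`, so a negative count walks off the array — return `GSS_S_FAILURE`/`ENOMEM` and reject `iov_count < 0` up front.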
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c index fa2258ce82..3a206b1be1 100644 --- a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c +++ b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c index d029f55ce4..7ae26e2e7a 100755 --- a/source4/heimdal/lib/gssapi/krb5/cfx.c +++ b/source4/heimdal/lib/gssapi/krb5/cfx.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); 
@@ -101,49 +101,47 @@ _gsskrb5cfx_wrap_length_cfx(const gsskrb5_ctx context_handle, return 0; } -krb5_error_code -_gsskrb5cfx_max_wrap_length_cfx(krb5_context context, - krb5_crypto crypto, +OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, + const gsskrb5_ctx ctx, + krb5_context context, int conf_req_flag, - size_t input_length, - OM_uint32 *output_length) + gss_qop_t qop_req, + OM_uint32 req_output_size, + OM_uint32 *max_input_size) { krb5_error_code ret; - *output_length = 0; + *max_input_size = 0; /* 16-byte header is always first */ - if (input_length < 16) + if (req_output_size < 16) return 0; - input_length -= 16; + req_output_size -= 16; if (conf_req_flag) { size_t wrapped_size, sz; - wrapped_size = input_length + 1; + wrapped_size = req_output_size + 1; do { wrapped_size--; sz = krb5_get_wrapped_length(context, - crypto, wrapped_size); - } while (wrapped_size && sz > input_length); - if (wrapped_size == 0) { - *output_length = 0; + ctx->crypto, wrapped_size); + } while (wrapped_size && sz > req_output_size); + if (wrapped_size == 0) return 0; - } /* inner header */ - if (wrapped_size < 16) { - *output_length = 0; + if (wrapped_size < 16) return 0; - } + wrapped_size -= 16; - *output_length = wrapped_size; + *max_input_size = wrapped_size; } else { krb5_cksumtype type; size_t cksumsize; - ret = krb5_crypto_get_checksum_type(context, crypto, &type); + ret = krb5_crypto_get_checksum_type(context, ctx->crypto, &type); if (ret) return ret; 
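Review bot: `_gssapi_wrap_size_cfx` now has the GSS signature (`OM_uint32` return, `*minor_status` first) but keeps the body of the removed `_gsskrb5cfx_max_wrap_length_cfx`: after `krb5_crypto_get_checksum_type` fails it does `return ret;`, handing a krb5 error code back as a major status, and `*minor_status` is not assigned on any path. The wrapper deleted in the next hunk used to perform exactly that translation. Restore it on each `ret` check, `if (ret) { *minor_status = ret; return GSS_S_FAILURE; }`, and set `*minor_status = 0;` at the top so the early `return 0` exits (which happen to equal `GSS_S_COMPLETE`) report a clean minor status. The function's body continues into the next hunk.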
@@ -151,48 +149,16 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_context context, if (ret) return ret; - if (input_length < cksumsize) + if (req_output_size < cksumsize) return 0; /* Checksum is concatenated with data */ - *output_length = input_length - cksumsize; + *max_input_size = req_output_size - cksumsize; } return 0; } - -OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, - krb5_context context, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size, - krb5_keyblock *key) -{ - krb5_error_code ret; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag, - req_output_size, max_input_size); - if (ret != 0) { - *minor_status = ret; - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - - krb5_crypto_destroy(context, crypto); - - return GSS_S_COMPLETE; -} - /* * Rotate "rrc" bytes to the front or back */ @@ -238,16 +204,14 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate) } OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, int conf_req_flag, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, int *conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key) + gss_buffer_t output_message_buffer) { - krb5_crypto crypto; gss_cfx_wrap_token token; krb5_error_code ret; unsigned usage; 
@@ -257,19 +221,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, int32_t seq_number; u_char *p; - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = _gsskrb5cfx_wrap_length_cfx(context_handle, context, - crypto, conf_req_flag, + ret = _gsskrb5cfx_wrap_length_cfx(ctx, context, + ctx->crypto, conf_req_flag, input_message_buffer->length, &wrapped_len, &cksumsize, &padlength); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } @@ -280,7 +237,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, output_message_buffer->value = malloc(output_message_buffer->length); if (output_message_buffer->value == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } @@ -290,9 +246,9 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, token->TOK_ID[1] = 0x04; token->Flags = 0; token->Filler = 0xFF; - if ((context_handle->more_flags & LOCAL) == 0) + if ((ctx->more_flags & LOCAL) == 0) token->Flags |= CFXSentByAcceptor; - if (context_handle->more_flags & ACCEPTOR_SUBKEY) + if (ctx->more_flags & ACCEPTOR_SUBKEY) token->Flags |= CFXAcceptorSubkey; if (conf_req_flag) { /* @@ -329,16 +285,16 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, token->RRC[0] = 0; token->RRC[1] = 0; - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); krb5_auth_con_getlocalseqnumber(context, - context_handle->auth_context, + ctx->auth_context, &seq_number); _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); krb5_auth_con_setlocalseqnumber(context, - context_handle->auth_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* * If confidentiality is requested, the token header is 
@@ -349,7 +305,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, * calculated over the plaintext concatenated with the * token header. */ - if (context_handle->more_flags & LOCAL) { + if (ctx->more_flags & LOCAL) { usage = KRB5_KU_USAGE_INITIATOR_SEAL; } else { usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; @@ -370,14 +326,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, memcpy(p + input_message_buffer->length + padlength, token, sizeof(*token)); - ret = krb5_encrypt(context, crypto, + ret = krb5_encrypt(context, ctx->crypto, usage, p, input_message_buffer->length + padlength + sizeof(*token), &cipher); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } @@ -389,14 +344,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, * this is really ugly, but needed against windows * for DCERPC, as windows rotates by EC+RRC. */ - if (IS_DCE_STYLE(context_handle)) { + if (IS_DCE_STYLE(ctx)) { ret = rrc_rotate(cipher.data, cipher.length, rrc+padlength, FALSE); } else { ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE); } if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } 
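Review bot: With the per-call `krb5_crypto_init`/`krb5_crypto_destroy` pair removed, `krb5_encrypt(context, ctx->crypto, ...)` in this hunk operates on a handle shared by every wrap, unwrap and MIC call on the context, and it runs outside the `ctx_id_mutex` section that only guards the sequence number. Whether a `krb5_crypto` object tolerates concurrent use is not visible here (it may cache derived keys or other per-call state); if it does not, two threads wrapping on one context now race where the old per-call handle did not. Either record the assumption where the handle lives, e.g. `/* ctx->crypto is shared by all message-protection calls on this context; assumes krb5_crypto is safe for concurrent use - confirm */`, or extend the lock to cover the encrypt/checksum calls. `_gssapi_wrap_cfx` starts and ends outside this hunk.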
@@ -409,21 +363,19 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, buf = malloc(input_message_buffer->length + sizeof(*token)); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_FAILURE; } memcpy(buf, input_message_buffer->value, input_message_buffer->length); memcpy(buf + input_message_buffer->length, token, sizeof(*token)); - ret = krb5_create_checksum(context, crypto, + ret = krb5_create_checksum(context, ctx->crypto, usage, 0, buf, input_message_buffer->length + sizeof(*token), &cksum); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); free(buf); return GSS_S_FAILURE; @@ -446,7 +398,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, input_message_buffer->length + cksum.checksum.length, rrc, FALSE); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); free_Checksum(&cksum); return GSS_S_FAILURE; @@ -454,8 +405,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, free_Checksum(&cksum); } - krb5_crypto_destroy(context, crypto); - if (conf_state != NULL) { *conf_state = conf_req_flag; } @@ -465,15 +414,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key) + gss_qop_t *qop_state) { - krb5_crypto crypto; gss_cfx_wrap_token token; u_char token_flags; krb5_error_code ret; 
@@ -503,11 +450,11 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, (CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey); if (token_flags & CFXSentByAcceptor) { - if ((context_handle->more_flags & LOCAL) == 0) + if ((ctx->more_flags & LOCAL) == 0) return GSS_S_DEFECTIVE_TOKEN; } - if (context_handle->more_flags & ACCEPTOR_SUBKEY) { + if (ctx->more_flags & ACCEPTOR_SUBKEY) { if ((token_flags & CFXAcceptorSubkey) == 0) return GSS_S_DEFECTIVE_TOKEN; } else { @@ -537,26 +484,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, return GSS_S_UNSEQ_TOKEN; } - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gssapi_msg_order_check(ctx->order, seq_number_lo); if (ret != 0) { *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); _gsskrb5_release_buffer(minor_status, output_message_buffer); return ret; } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* * Decrypt and/or verify checksum */ - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - if (context_handle->more_flags & LOCAL) { + if (ctx->more_flags & LOCAL) { usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; } else { usage = KRB5_KU_USAGE_INITIATOR_SEAL; 
@@ -571,27 +513,24 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, * this is really ugly, but needed against windows * for DCERPC, as windows rotates by EC+RRC. */ - if (IS_DCE_STYLE(context_handle)) { + if (IS_DCE_STYLE(ctx)) { *minor_status = rrc_rotate(p, len, rrc+ec, TRUE); } else { *minor_status = rrc_rotate(p, len, rrc, TRUE); } if (*minor_status != 0) { - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } - ret = krb5_decrypt(context, crypto, usage, + ret = krb5_decrypt(context, ctx->crypto, usage, p, len, &data); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); return GSS_S_BAD_MIC; } /* Check that there is room for the pad and token header */ if (data.length < ec + sizeof(*token)) { - krb5_crypto_destroy(context, crypto); krb5_data_free(&data); return GSS_S_DEFECTIVE_TOKEN; } @@ -604,7 +543,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Check the integrity of the header */ if (memcmp(p, token, sizeof(*token)) != 0) { - krb5_crypto_destroy(context, crypto); krb5_data_free(&data); return GSS_S_BAD_MIC; } @@ -617,16 +555,15 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Rotate by RRC; bogus to do this in-place XXX */ *minor_status = rrc_rotate(p, len, rrc, TRUE); if (*minor_status != 0) { - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } /* Determine checksum type */ ret = krb5_crypto_get_checksum_type(context, - crypto, &cksum.cksumtype); + ctx->crypto, + &cksum.cksumtype); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } @@ -635,7 +572,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, /* Check we have at least as much data as the checksum */ if (len < cksum.checksum.length) { *minor_status = ERANGE; - krb5_crypto_destroy(context, crypto); return GSS_S_BAD_MIC; } 
@@ -647,7 +583,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, output_message_buffer->value = malloc(len + sizeof(*token)); if (output_message_buffer->value == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } @@ -664,21 +599,18 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, token->RRC[0] = 0; token->RRC[1] = 0; - ret = krb5_verify_checksum(context, crypto, + ret = krb5_verify_checksum(context, ctx->crypto, usage, output_message_buffer->value, len + sizeof(*token), &cksum); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); _gsskrb5_release_buffer(minor_status, output_message_buffer); return GSS_S_BAD_MIC; } } - krb5_crypto_destroy(context, crypto); - if (qop_state != NULL) { *qop_state = GSS_C_QOP_DEFAULT; } @@ -688,14 +620,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, gss_qop_t qop_req, const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key) + gss_buffer_t message_token) { - krb5_crypto crypto; gss_cfx_mic_token token; krb5_error_code ret; unsigned usage; @@ -704,17 +634,10 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, size_t len; int32_t seq_number; - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - len = message_buffer->length + sizeof(*token); buf = malloc(len); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } 
@@ -724,38 +647,36 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, token->TOK_ID[0] = 0x04; token->TOK_ID[1] = 0x04; token->Flags = 0; - if ((context_handle->more_flags & LOCAL) == 0) + if ((ctx->more_flags & LOCAL) == 0) token->Flags |= CFXSentByAcceptor; - if (context_handle->more_flags & ACCEPTOR_SUBKEY) + if (ctx->more_flags & ACCEPTOR_SUBKEY) token->Flags |= CFXAcceptorSubkey; memset(token->Filler, 0xFF, 5); - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); krb5_auth_con_getlocalseqnumber(context, - context_handle->auth_context, + ctx->auth_context, &seq_number); _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); krb5_auth_con_setlocalseqnumber(context, - context_handle->auth_context, + ctx->auth_context, ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - if (context_handle->more_flags & LOCAL) { + if (ctx->more_flags & LOCAL) { usage = KRB5_KU_USAGE_INITIATOR_SIGN; } else { usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; } - ret = krb5_create_checksum(context, crypto, + ret = krb5_create_checksum(context, ctx->crypto, usage, 0, buf, len, &cksum); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); free(buf); return GSS_S_FAILURE; } - krb5_crypto_destroy(context, crypto); /* Determine MIC length */ message_token->length = sizeof(*token) + cksum.checksum.length; @@ -780,14 +701,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, } OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, - gss_qop_t *qop_state, - krb5_keyblock *key) + gss_qop_t *qop_state) { - krb5_crypto crypto; gss_cfx_mic_token token; u_char token_flags; krb5_error_code ret; 
@@ -814,10 +733,10 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey); if (token_flags & CFXSentByAcceptor) { - if ((context_handle->more_flags & LOCAL) == 0) + if ((ctx->more_flags & LOCAL) == 0) return GSS_S_DEFECTIVE_TOKEN; } - if (context_handle->more_flags & ACCEPTOR_SUBKEY) { + if (ctx->more_flags & ACCEPTOR_SUBKEY) { if ((token_flags & CFXAcceptorSubkey) == 0) return GSS_S_DEFECTIVE_TOKEN; } else { @@ -839,36 +758,29 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, return GSS_S_UNSEQ_TOKEN; } - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gssapi_msg_order_check(ctx->order, seq_number_lo); if (ret != 0) { *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return ret; } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); /* * Verify checksum */ - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_crypto_get_checksum_type(context, crypto, + ret = krb5_crypto_get_checksum_type(context, ctx->crypto, &cksum.cksumtype); if (ret != 0) { *minor_status = ret; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } cksum.checksum.data = p + sizeof(*token); cksum.checksum.length = token_buffer->length - sizeof(*token); - if (context_handle->more_flags & LOCAL) { + if (ctx->more_flags & LOCAL) { usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; } else { usage = KRB5_KU_USAGE_INITIATOR_SIGN; 
@@ -877,18 +789,16 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, buf = malloc(message_buffer->length + sizeof(*token)); if (buf == NULL) { *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } memcpy(buf, message_buffer->value, message_buffer->length); memcpy(buf + message_buffer->length, token, sizeof(*token)); - ret = krb5_verify_checksum(context, crypto, + ret = krb5_verify_checksum(context, ctx->crypto, usage, buf, sizeof(*token) + message_buffer->length, &cksum); - krb5_crypto_destroy(context, crypto); if (ret != 0) { *minor_status = ret; free(buf); diff --git a/source4/heimdal/lib/gssapi/krb5/compare_name.c b/source4/heimdal/lib/gssapi/krb5/compare_name.c index d92f3ef405..fbb0f0218e 100644 --- a/source4/heimdal/lib/gssapi/krb5/compare_name.c +++ b/source4/heimdal/lib/gssapi/krb5/compare_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/compat.c b/source4/heimdal/lib/gssapi/krb5/compat.c index ee0d07d983..012602c074 100644 --- a/source4/heimdal/lib/gssapi/krb5/compat.c +++ b/source4/heimdal/lib/gssapi/krb5/compat.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/context_time.c b/source4/heimdal/lib/gssapi/krb5/context_time.c index 3854b68782..3230389938 100644 --- a/source4/heimdal/lib/gssapi/krb5/context_time.c +++ b/source4/heimdal/lib/gssapi/krb5/context_time.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c index 8961642671..40a8fab1b7 100644 --- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c index 22386fa737..a2a5de9fe7 100644 --- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c index 5ccfe9d015..ea0831815a 100644 --- a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -74,6 +74,8 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status, if (ctx->service_keyblock) krb5_free_keyblock (context, ctx->service_keyblock); krb5_data_free(&ctx->fwd_data); + if (ctx->crypto) + krb5_crypto_destroy(context, ctx->crypto); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); diff --git a/source4/heimdal/lib/gssapi/krb5/display_name.c b/source4/heimdal/lib/gssapi/krb5/display_name.c index d1834ebaf8..0b37731510 100644 --- a/source4/heimdal/lib/gssapi/krb5/display_name.c +++ b/source4/heimdal/lib/gssapi/krb5/display_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/display_status.c b/source4/heimdal/lib/gssapi/krb5/display_status.c index 18622610d5..4136c25e53 100644 --- a/source4/heimdal/lib/gssapi/krb5/display_status.c +++ b/source4/heimdal/lib/gssapi/krb5/display_status.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); 
diff --git a/source4/heimdal/lib/gssapi/krb5/duplicate_name.c b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c index 6c281f43de..2b5e5c0ef4 100644 --- a/source4/heimdal/lib/gssapi/krb5/duplicate_name.c +++ b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/encapsulate.c b/source4/heimdal/lib/gssapi/krb5/encapsulate.c index 19c6ec8ca7..838a34d7db 100644 --- a/source4/heimdal/lib/gssapi/krb5/encapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/encapsulate.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/export_name.c b/source4/heimdal/lib/gssapi/krb5/export_name.c index b28777ea2e..bad73611dc 100644 --- a/source4/heimdal/lib/gssapi/krb5/export_name.c +++ b/source4/heimdal/lib/gssapi/krb5/export_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/export_sec_context.c b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c index 842921fe50..305d5c334e 100644 --- a/source4/heimdal/lib/gssapi/krb5/export_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index 4efa61fd70..1c28f7c141 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" #include <gssapi_mech.h> RCSID("$Id$"); 
@@ -469,7 +469,10 @@ static gssapi_mech_interface_desc krb5_mech = { _gsskrb5_inquire_cred_by_oid, _gsskrb5_set_sec_context_option, _gsskrb5_set_cred_option, - _gsskrb5_pseudo_random + _gsskrb5_pseudo_random, + _gk_wrap_iov, + _gk_unwrap_iov, + _gk_wrap_iov_length }; gssapi_mech_interface diff --git a/source4/heimdal/lib/gssapi/krb5/get_mic.c b/source4/heimdal/lib/gssapi/krb5/get_mic.c index 199c414ef4..66aaba44d6 100644 --- a/source4/heimdal/lib/gssapi/krb5/get_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/get_mic.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -284,6 +284,10 @@ OM_uint32 _gsskrb5_get_mic GSSAPI_KRB5_INIT (&context); + if (ctx->more_flags & IS_CFX) + return _gssapi_mic_cfx (minor_status, ctx, context, qop_req, + message_buffer, message_token); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); ret = _gsskrb5i_get_token_key(ctx, context, &key); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); @@ -308,8 +312,7 @@ OM_uint32 _gsskrb5_get_mic message_buffer, message_token, key); break; default : - ret = _gssapi_mic_cfx (minor_status, ctx, context, qop_req, - message_buffer, message_token, key); + abort(); break; } krb5_free_keyblock (context, key); diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h index 6db842395f..aadb80db0d 100644 --- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h +++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h @@ -36,14 +36,13 @@ #ifndef GSSKRB5_LOCL_H #define GSSKRB5_LOCL_H -#ifdef HAVE_CONFIG_H #include <config.h> -#endif #include <krb5_locl.h> #include <gkrb5_err.h> #include <gssapi.h> #include <gssapi_mech.h> +#include <gssapi_krb5.h> #include <assert.h> #include "cfx.h" @@ -54,7 +53,7 @@ struct gss_msg_order; -typedef struct { +typedef struct gsskrb5_ctx { struct krb5_auth_context_data *auth_context; krb5_principal source, target; #define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0) 
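Review bot: The `default:` arm of the keytype switch in _gsskrb5_get_mic now calls `abort()`, so a context whose key enctype is outside DES/DES3/ARCFOUR but which is not flagged IS_CFX terminates the whole process instead of failing the call; in a long-running server that turns an internal inconsistency into a process-wide denial of service (whether the flag and the key can ever disagree depends on _gsskrb5i_is_cfx, which is not in this diff). The surrounding code reports failure through the minor status, so I would use `default: *minor_status = EINVAL; ret = GSS_S_FAILURE; break;` and let the existing krb5_free_keyblock run. The same abort() appears in the matching switches in unwrap.c (_gsskrb5_unwrap), verify_mic.c (_gsskrb5_verify_mic_internal) and wrap.c (_gsskrb5_wrap_size_limit and _gsskrb5_wrap). _gsskrb5_get_mic starts and ends outside this hunk.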
@@ -64,7 +63,8 @@ typedef struct { COMPAT_OLD_DES3_SELECTED = 8, ACCEPTOR_SUBKEY = 16, RETRIED = 32, - CLOSE_CCACHE = 64 + CLOSE_CCACHE = 64, + IS_CFX = 128 } more_flags; enum gss_ctx_id_t_state { /* initiator states */ @@ -85,6 +85,7 @@ typedef struct { struct gss_msg_order *order; krb5_keyblock *service_keyblock; krb5_data fwd_data; + krb5_crypto crypto; } *gsskrb5_ctx; typedef struct { @@ -119,7 +120,7 @@ struct gssapi_thr_context { * Prototypes */ -#include <krb5/gsskrb5-private.h> +#include <gsskrb5-private.h> #define GSSAPI_KRB5_INIT(ctx) do { \ krb5_error_code kret_gss_init; \ diff --git a/source4/heimdal/lib/gssapi/krb5/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c index 2f6b002f30..8f5387fe2b 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_name.c +++ b/source4/heimdal/lib/gssapi/krb5/import_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c index e1e8e551b4..ba1a977d2d 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c index 05b9447746..3702106e79 100644 --- a/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c +++ b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/init.c b/source4/heimdal/lib/gssapi/krb5/init.c index 6c1c5949e0..b28e6a4c12 100644 --- a/source4/heimdal/lib/gssapi/krb5/init.c +++ b/source4/heimdal/lib/gssapi/krb5/init.c 
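Review bot: The new `krb5_crypto crypto;` member and the `IS_CFX` flag are undocumented although the CFX paths now depend on the two being consistent: cfx.c uses ctx->crypto unconditionally once IS_CFX is set, and delete_sec_context destroys it only when non-NULL. I would add `krb5_crypto crypto; /* CFX session crypto handle; must be non-NULL whenever IS_CFX is set; owned by the context, destroyed in _gsskrb5_delete_sec_context */` and on the flag `IS_CFX = 128 /* context uses CFX tokens; ctx->crypto must be initialised */`. If more_flags is part of the exported context blob (export_sec_context.c and import_sec_context.c receive only include changes in this diff), an imported context would carry IS_CFX with crypto still NULL from _gsskrb5_create_ctx, which is worth confirming against import_sec_context.c.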
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index dfa0e935e6..4b632bd95a 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -131,6 +131,7 @@ _gsskrb5_create_ctx( krb5_data_zero(&ctx->fwd_data); ctx->lifetime = GSS_C_INDEFINITE; ctx->order = NULL; + ctx->crypto = NULL; HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); kret = krb5_auth_con_init (context, &ctx->auth_context); @@ -257,7 +258,8 @@ gsskrb5_initiator_ready( krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number); - _gsskrb5i_is_cfx(ctx, &is_cfx); + _gsskrb5i_is_cfx(context, ctx, 0); + is_cfx = (ctx->more_flags & IS_CFX); ret = _gssapi_msg_order_create(minor_status, &ctx->order, @@ -552,8 +554,10 @@ init_auth_restart flags |= GSS_C_REPLAY_FLAG; if (req_flags & GSS_C_SEQUENCE_FLAG) flags |= GSS_C_SEQUENCE_FLAG; +#if 0 if (req_flags & GSS_C_ANON_FLAG) ; /* XXX */ +#endif if (req_flags & GSS_C_DCE_STYLE) { /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */ flags |= GSS_C_DCE_STYLE | GSS_C_MUTUAL_FLAG; @@ -686,7 +690,6 @@ repl_mutual krb5_error_code kret; krb5_data indata; krb5_ap_rep_enc_part *repl; - int is_cfx = 0; output_token->length = 0; output_token->value = NULL; @@ -759,20 +762,6 @@ repl_mutual krb5_free_ap_rep_enc_part (context, repl); - _gsskrb5i_is_cfx(ctx, &is_cfx); - if (is_cfx) { - krb5_keyblock *key = NULL; - - kret = krb5_auth_con_getremotesubkey(context, - ctx->auth_context, - &key); - if (kret == 0 && key != NULL) { - ctx->more_flags |= ACCEPTOR_SUBKEY; - krb5_free_keyblock (context, key); - } - } - - *minor_status = 0; if (time_rec) { ret = _gsskrb5_lifetime_left(minor_status, 
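Review bot: The result of `_gsskrb5i_is_cfx(context, ctx, 0)` in gsskrb5_initiator_ready is discarded; the call now takes the krb5_context, which suggests it does more than test the enctype (presumably creating ctx->crypto), and a failure there would leave the context either without IS_CFX or with IS_CFX set and ctx->crypto NULL, which the cfx.c paths then dereference. If it returns a krb5_error_code, it should be checked and mapped to `*minor_status`/GSS_S_FAILURE like the other calls in this function. The last hunk also removes the repl_mutual code that set ACCEPTOR_SUBKEY from the remote subkey; if _gsskrb5i_is_cfx does not take that over, the initiator would presumably reject acceptor tokens carrying CFXAcceptorSubkey as GSS_S_DEFECTIVE_TOKEN — fail-closed, but an interoperability regression. Both functions start and end outside their hunks.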
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_context.c b/source4/heimdal/lib/gssapi/krb5/inquire_context.c index e0aeb032ce..188a6135a4 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_context.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c index bb75978adb..27e3014923 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c index cdf05d7934..1fd9733940 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c index 2bcc17683b..5a35202a6a 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c index 4fd730deab..5d54bd6508 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); 
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c index a9d6495c7b..9eba7b7f4d 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c index 8d40706294..f8ef2a3aa4 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -242,7 +242,7 @@ static OM_uint32 inquire_sec_context_has_updated_spnego * mechanism. */ HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - _gsskrb5i_is_cfx(context_handle, &is_updated); + is_updated = (context_handle->more_flags & IS_CFX); if (is_updated == 0) { krb5_keyblock *acceptor_subkey; @@ -282,7 +282,7 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status, HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - _gsskrb5i_is_cfx(context_handle, &is_cfx); + is_cfx = (context_handle->more_flags & IS_CFX); sp = krb5_storage_emem(); if (sp == NULL) { @@ -445,6 +445,7 @@ get_service_keyblock HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); if (ctx->service_keyblock == NULL) { HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + krb5_storage_free(sp); _gsskrb5_set_status(EINVAL, "No service keyblock on gssapi context"); *minor_status = EINVAL; return GSS_S_FAILURE; diff --git a/source4/heimdal/lib/gssapi/krb5/prf.c b/source4/heimdal/lib/gssapi/krb5/prf.c index 9cbe603435..9fd13f51bd 100644 --- a/source4/heimdal/lib/gssapi/krb5/prf.c +++ b/source4/heimdal/lib/gssapi/krb5/prf.c 
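Review bot: In export_lucid_sec_context_v1 `is_cfx = (context_handle->more_flags & IS_CFX);` yields 128 rather than the 0/1 the old out-parameter of _gsskrb5i_is_cfx presumably produced. If is_cfx is later stored into the lucid context blob as the protocol number (the rest of the function is outside this hunk), consumers comparing it with 1 will break; `is_cfx = (context_handle->more_flags & IS_CFX) ? 1 : 0;` keeps the old value and is harmless if it is only used as a truth value. The same normalisation applies to is_updated in inquire_sec_context_has_updated_spnego, though there it is only compared with zero.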
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/process_context_token.c b/source4/heimdal/lib/gssapi/krb5/process_context_token.c index 6892d3ca60..3229b36292 100644 --- a/source4/heimdal/lib/gssapi/krb5/process_context_token.c +++ b/source4/heimdal/lib/gssapi/krb5/process_context_token.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -44,15 +44,12 @@ OM_uint32 _gsskrb5_process_context_token ( krb5_context context; OM_uint32 ret = GSS_S_FAILURE; gss_buffer_desc empty_buffer; - gss_qop_t qop_state; empty_buffer.length = 0; empty_buffer.value = NULL; GSSAPI_KRB5_INIT (&context); - qop_state = GSS_C_QOP_DEFAULT; - ret = _gsskrb5_verify_mic_internal(minor_status, (gsskrb5_ctx)context_handle, context, diff --git a/source4/heimdal/lib/gssapi/krb5/release_buffer.c b/source4/heimdal/lib/gssapi/krb5/release_buffer.c index a0f37c06f4..18e0279939 100644 --- a/source4/heimdal/lib/gssapi/krb5/release_buffer.c +++ b/source4/heimdal/lib/gssapi/krb5/release_buffer.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/release_cred.c b/source4/heimdal/lib/gssapi/krb5/release_cred.c index 5a0ec829d2..62674a1d53 100644 --- a/source4/heimdal/lib/gssapi/krb5/release_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/release_cred.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -61,8 +61,6 @@ OM_uint32 _gsskrb5_release_cred if (cred->keytab != NULL) krb5_kt_close(context, cred->keytab); if (cred->ccache != NULL) { - const krb5_cc_ops *ops; - ops = krb5_cc_get_ops(context, cred->ccache); if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE) krb5_cc_destroy(context, cred->ccache); else 
diff --git a/source4/heimdal/lib/gssapi/krb5/release_name.c b/source4/heimdal/lib/gssapi/krb5/release_name.c index d39c705433..5491052c59 100644 --- a/source4/heimdal/lib/gssapi/krb5/release_name.c +++ b/source4/heimdal/lib/gssapi/krb5/release_name.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/sequence.c b/source4/heimdal/lib/gssapi/krb5/sequence.c index 61164ffec1..6391d44429 100644 --- a/source4/heimdal/lib/gssapi/krb5/sequence.c +++ b/source4/heimdal/lib/gssapi/krb5/sequence.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c index e47e6fdb6c..2a2390f8d1 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index 6591ab04dd..460cfe942a 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c @@ -34,7 +34,7 @@ * glue routine for _gsskrb5_inquire_sec_context_by_oid */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index f34f72542e..0e87cb88b7 100644 --- a/source4/heimdal/lib/gssapi/krb5/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); 
@@ -393,11 +393,16 @@ OM_uint32 _gsskrb5_unwrap output_message_buffer->value = NULL; output_message_buffer->length = 0; + if (qop_state != NULL) + *qop_state = GSS_C_QOP_DEFAULT; GSSAPI_KRB5_INIT (&context); - if (qop_state != NULL) - *qop_state = GSS_C_QOP_DEFAULT; + if (ctx->more_flags & IS_CFX) + return _gssapi_unwrap_cfx (minor_status, ctx, context, + input_message_buffer, output_message_buffer, + conf_state, qop_state); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); ret = _gsskrb5i_get_token_key(ctx, context, &key); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); @@ -427,9 +432,7 @@ OM_uint32 _gsskrb5_unwrap conf_state, qop_state, key); break; default : - ret = _gssapi_unwrap_cfx (minor_status, ctx, context, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); + abort(); break; } krb5_free_keyblock (context, key); diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index 1832d35b5a..6eb7ae4b08 100644 --- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); @@ -266,7 +266,7 @@ retry: OM_uint32 _gsskrb5_verify_mic_internal (OM_uint32 * minor_status, - const gsskrb5_ctx context_handle, + const gsskrb5_ctx ctx, krb5_context context, const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, 
@@ -278,9 +278,14 @@ _gsskrb5_verify_mic_internal OM_uint32 ret; krb5_keytype keytype; - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gsskrb5i_get_token_key(context_handle, context, &key); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + if (ctx->more_flags & IS_CFX) + return _gssapi_verify_mic_cfx (minor_status, ctx, + context, message_buffer, token_buffer, + qop_state); + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gsskrb5i_get_token_key(ctx, context, &key); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); if (ret) { *minor_status = ret; return GSS_S_FAILURE; @@ -289,28 +294,24 @@ _gsskrb5_verify_mic_internal krb5_enctype_to_keytype (context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : - ret = verify_mic_des (minor_status, context_handle, context, + ret = verify_mic_des (minor_status, ctx, context, message_buffer, token_buffer, qop_state, key, type); break; case KEYTYPE_DES3 : - ret = verify_mic_des3 (minor_status, context_handle, context, + ret = verify_mic_des3 (minor_status, ctx, context, message_buffer, token_buffer, qop_state, key, type); break; case KEYTYPE_ARCFOUR : case KEYTYPE_ARCFOUR_56 : - ret = _gssapi_verify_mic_arcfour (minor_status, context_handle, + ret = _gssapi_verify_mic_arcfour (minor_status, ctx, context, message_buffer, token_buffer, qop_state, key, type); break; default : - ret = _gssapi_verify_mic_cfx (minor_status, context_handle, - context, - message_buffer, token_buffer, qop_state, - key); - break; + abort(); } krb5_free_keyblock (context, key); diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index ad21bcb57b..b9f4c237c7 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "krb5/gsskrb5_locl.h" +#include "gsskrb5_locl.h" RCSID("$Id$"); 
@@ -154,6 +154,11 @@ _gsskrb5_wrap_size_limit ( GSSAPI_KRB5_INIT (&context); + if (ctx->more_flags & IS_CFX) + return _gssapi_wrap_size_cfx(minor_status, ctx, context, + conf_req_flag, qop_req, + req_output_size, max_input_size); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); ret = _gsskrb5i_get_token_key(ctx, context, &key); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); @@ -177,9 +182,7 @@ _gsskrb5_wrap_size_limit ( ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); break; default : - ret = _gssapi_wrap_size_cfx(minor_status, ctx, context, - conf_req_flag, qop_req, - req_output_size, max_input_size, key); + abort(); break; } krb5_free_keyblock (context, key); @@ -530,8 +533,16 @@ OM_uint32 _gsskrb5_wrap krb5_keytype keytype; const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; + output_message_buffer->value = NULL; + output_message_buffer->length = 0; + GSSAPI_KRB5_INIT (&context); + if (ctx->more_flags & IS_CFX) + return _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag, + qop_req, input_message_buffer, conf_state, + output_message_buffer); + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); ret = _gsskrb5i_get_token_key(ctx, context, &key); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); @@ -559,9 +570,7 @@ OM_uint32 _gsskrb5_wrap output_message_buffer, key); break; default : - ret = _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); + abort(); break; } krb5_free_keyblock (context, key); diff --git a/source4/heimdal/lib/gssapi/mech/context.c b/source4/heimdal/lib/gssapi/mech/context.c index a06a1e9e37..b032d8aa0e 100644 --- a/source4/heimdal/lib/gssapi/mech/context.c +++ b/source4/heimdal/lib/gssapi/mech/context.c @@ -1,4 +1,4 @@ -#include "mech/mech_locl.h" +#include "mech_locl.h" #include "heim_threads.h" RCSID("$Id$"); 
diff --git a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c index 50011a9b0d..134511f34b 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c @@ -260,7 +260,8 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, if (mech_ret_flags & GSS_C_DELEG_FLAG) { if (!delegated_cred_handle) { m->gm_release_cred(minor_status, &delegated_mc); - *ret_flags &= ~GSS_C_DELEG_FLAG; + if (ret_flags) + *ret_flags &= ~GSS_C_DELEG_FLAG; } else if (delegated_mc) { struct _gss_cred *dcred; struct _gss_mechanism_cred *dmc; diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c index b21b3f62e8..a8ebe644ab 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c @@ -51,7 +51,7 @@ gss_acquire_cred(OM_uint32 *minor_status, *minor_status = 0; if (output_cred_handle) - *output_cred_handle = GSS_C_NO_CREDENTIAL; + return GSS_S_CALL_INACCESSIBLE_READ; if (actual_mechs) *actual_mechs = GSS_C_NO_OID_SET; if (time_rec) diff --git a/source4/heimdal/lib/gssapi/mech/gss_aeap.c b/source4/heimdal/lib/gssapi/mech/gss_aeap.c new file mode 100644 index 0000000000..cbe0cd1460 --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_aeap.c 
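Review bot: The new guard in gss_acquire_cred reads `if (output_cred_handle) return GSS_S_CALL_INACCESSIBLE_READ;`, which rejects every caller that passes a valid output pointer and lets a NULL one fall through to the rest of the function, and the `*output_cred_handle = GSS_C_NO_CREDENTIAL;` initialisation the removed line performed is gone. The condition looks inverted; it should be `if (output_cred_handle == NULL) return GSS_S_CALL_INACCESSIBLE_READ;` followed by `*output_cred_handle = GSS_C_NO_CREDENTIAL;` so the out-parameter is defined on every later error path. Unless the unchanged context line was mis-rendered here, this makes credential acquisition fail unconditionally for normal callers. gss_acquire_cred starts and ends outside this hunk.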
@@ -0,0 +1,184 @@ +/* + * AEAD support + */ + +#include "mech_locl.h" +RCSID("$Id$"); + +/** + * Encrypts or sign the data. + * + * The maximum packet size is gss_context_stream_sizes.max_msg_size. + * + * The caller needs provide the folloing buffers: + * + * - HEADER (of size gss_context_stream_sizes.header) + * SIGN_ONLY (optional, zero or more) + * DATA + * SIGN_ONLY (optional, zero or more) + * PADDING (of size gss_context_stream_sizes.blocksize) + * TRAILER (of size gss_context_stream_sizes.trailer) + * + * - on DCE-RPC mode, the caller can skip PADDING and TRAILER if the + * DATA elements is padded to a block bountry. + * + * To generate gss_wrap() compatible packets, use: HEADER | DATA | PADDING | TRAILER + * + * The input sizes of HEADER, PADDING and TRAILER can be fetched using gss_wrap_iov_length() or + * gss_context_query_attributes(). + * + * @ingroup gssapi + */ + + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_wrap_iov(OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int * conf_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m; + + if (minor_status) + *minor_status = 0; + if (conf_state) + *conf_state = 0; + if (ctx == NULL) + return GSS_S_NO_CONTEXT; + if (iov == NULL && iov_count != 0) + return GSS_S_CALL_INACCESSIBLE_READ; + + m = ctx->gc_mech; + + if (m->gm_wrap_iov == NULL) { + if (minor_status) + *minor_status = 0; + return GSS_S_UNAVAILABLE; + } + + return (m->gm_wrap_iov)(minor_status, ctx->gc_ctx, + conf_req_flag, qop_req, conf_state, + iov, iov_count); +} + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_unwrap_iov(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int *conf_state, + gss_qop_t *qop_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m; + + if (minor_status) + *minor_status = 0; + if (conf_state) 
+ *conf_state = 0; + if (qop_state) + *qop_state = 0; + if (ctx == NULL) + return GSS_S_NO_CONTEXT; + if (iov == NULL && iov_count != 0) + return GSS_S_CALL_INACCESSIBLE_READ; + + m = ctx->gc_mech; + + if (m->gm_unwrap_iov == NULL) { + *minor_status = 0; + return GSS_S_UNAVAILABLE; + } + + return (m->gm_unwrap_iov)(minor_status, ctx->gc_ctx, + conf_state, qop_state, + iov, iov_count); +} + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_wrap_iov_length(OM_uint32 * minor_status, + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + gssapi_mech_interface m; + + if (minor_status) + *minor_status = 0; + if (conf_state) + *conf_state = 0; + if (ctx == NULL) + return GSS_S_NO_CONTEXT; + if (iov == NULL && iov_count != 0) + return GSS_S_CALL_INACCESSIBLE_READ; + + m = ctx->gc_mech; + + if (m->gm_wrap_iov_length == NULL) { + *minor_status = 0; + return GSS_S_UNAVAILABLE; + } + + return (m->gm_wrap_iov_length)(minor_status, ctx->gc_ctx, + conf_req_flag, qop_req, conf_state, + iov, iov_count); +} + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_release_iov_buffer(OM_uint32 *minor_status, + gss_iov_buffer_desc *iov, + int iov_count) +{ + OM_uint32 junk; + size_t i; + + if (minor_status) + *minor_status = 0; + if (iov == NULL && iov_count != 0) + return GSS_S_CALL_INACCESSIBLE_READ; + + for (i = 0; i < iov_count; i++) { + if (iov[i].type & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED) + continue; + gss_release_buffer(&junk, &iov[i].buffer); + } + return GSS_S_COMPLETE; +} + +/** + * Query the context for parameters. + * + * SSPI equivalent if this function is QueryContextAttributes. + * + * - GSS_C_ATTR_STREAM_SIZES data is a gss_context_stream_sizes. 
+ */ + +static gss_OID_desc gss_c_attr_stream_sizes_desc = + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03")}; + +gss_OID GSSAPI_LIB_VARIABLE GSS_C_ATTR_STREAM_SIZES = + &gss_c_attr_stream_sizes_desc; + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_context_query_attributes(OM_uint32 *minor_status, + gss_OID attribute, + void *data, + size_t len) +{ + *minor_status = 0; + + if (gss_oid_equal(GSS_C_ATTR_STREAM_SIZES, attribute)) { + memset(data, 0, len); + return GSS_S_COMPLETE; + } + + return GSS_S_FAILURE; +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c index 91a08fb2bc..db976f2453 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c @@ -29,6 +29,30 @@ #include "mech_locl.h" RCSID("$Id$"); +/** + * gss_canonicalize_name takes a Internal Name (IN) and converts in into a + * mechanism specific Mechanism Name (MN). + * + * The input name may multiple name, or generic name types. + * + * If the input_name if of the GSS_C_NT_USER_NAME, and the Kerberos + * mechanism is specified, the resulting MN type is a + * GSS_KRB5_NT_PRINCIPAL_NAME. + * + * For more information about @ref internalVSmechname. + * + * @param minor_status minor status code. + * @param input_name name to covert, unchanged by gss_canonicalize_name(). + * @param mech_type the type to convert Name too. + * @param output_name the resulting type, release with + * gss_release_name(), independent of input_name. + * + * @returns a gss_error code, see gss_display_status() about printing + * the error code. + * + * @ingroup gssapi + */ + OM_uint32 GSSAPI_LIB_FUNCTION gss_canonicalize_name(OM_uint32 *minor_status, const gss_name_t input_name, diff --git a/source4/heimdal/lib/gssapi/mech/gss_get_mic.c b/source4/heimdal/lib/gssapi/mech/gss_get_mic.c index 9cd5060fc9..3a0f3fb757 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_get_mic.c 
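Review bot: The skip test in `gss_release_iov_buffer` is inverted: `if (iov[i].type & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED) continue;` skips exactly the buffers the library allocated and passes the caller-owned ones to `gss_release_buffer`, so library allocations leak and caller memory gets freed; it should be `if ((iov[i].type & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED) == 0) continue;`, ideally clearing the flag after the release. In the same loop `size_t i` is compared against `int iov_count`, so a negative count is converted to a huge unsigned bound; rejecting `iov_count < 0` next to the existing `iov == NULL && iov_count != 0` check closes that. `gss_unwrap_iov` and `gss_wrap_iov_length` write `*minor_status = 0;` unconditionally in their `GSS_S_UNAVAILABLE` branch although every other path in the file guards `minor_status` against NULL, as `gss_wrap_iov`'s copy of the branch does. `gss_context_query_attributes` only zero-fills `data` for `GSS_C_ATTR_STREAM_SIZES`, without checking `data` or `len` against the documented `gss_context_stream_sizes`, so callers will read zero header/trailer sizes; the header comment should state that this is a placeholder until mechanisms report real sizes.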
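Review bot: The new doxygen block on `gss_canonicalize_name` has wording errors that will be published as API documentation: `a Internal Name` → `an Internal Name`, `converts in into` → `converts it into`, `The input name may multiple name, or generic name types` → `The input name may be of a mechanism-specific or a generic name type`, `if of the` → `is of the`, `name to covert` → `name to convert`, and `the type to convert Name too` → `the mechanism to convert the name to`. `@returns a gss_error code` would read better as `@returns a GSS status code`.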
+++ b/source4/heimdal/lib/gssapi/mech/gss_get_mic.c @@ -37,7 +37,7 @@ gss_get_mic(OM_uint32 *minor_status, gss_buffer_t message_token) { struct _gss_context *ctx = (struct _gss_context *) context_handle; - gssapi_mech_interface m = ctx->gc_mech; + gssapi_mech_interface m; _mg_buffer_zero(message_token); if (ctx == NULL) { @@ -45,6 +45,8 @@ gss_get_mic(OM_uint32 *minor_status, return GSS_S_NO_CONTEXT; } + m = ctx->gc_mech; + return (m->gm_get_mic(minor_status, ctx->gc_ctx, qop_req, message_buffer, message_token)); } diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_name.c b/source4/heimdal/lib/gssapi/mech/gss_import_name.c index 040e228410..c1dffdc614 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_import_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_import_name.c @@ -145,9 +145,12 @@ gss_import_name(OM_uint32 *minor_status, const gss_OID input_name_type, gss_name_t *output_name) { + struct _gss_mechanism_name *mn; gss_OID name_type = input_name_type; - OM_uint32 major_status; + OM_uint32 major_status, ms; struct _gss_name *name; + struct _gss_mech_switch *m; + gss_name_t rname; *output_name = GSS_C_NO_NAME; @@ -156,6 +159,8 @@ gss_import_name(OM_uint32 *minor_status, return (GSS_S_BAD_NAME); } + _gss_load_mech(); + /* * Use GSS_NT_USER_NAME as default name type. */ 
@@ -172,29 +177,15 @@ gss_import_name(OM_uint32 *minor_status, input_name_buffer, output_name); } - /* - * Only allow certain name types. This is pretty bogus - we - * should figure out the list of supported name types using - * gss_inquire_names_for_mech. - */ - if (!gss_oid_equal(name_type, GSS_C_NT_USER_NAME) - && !gss_oid_equal(name_type, GSS_C_NT_MACHINE_UID_NAME) - && !gss_oid_equal(name_type, GSS_C_NT_STRING_UID_NAME) - && !gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE_X) - && !gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE) - && !gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS) - && !gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) { - *minor_status = 0; - return (GSS_S_BAD_NAMETYPE); - } *minor_status = 0; - name = malloc(sizeof(struct _gss_name)); + name = calloc(1, sizeof(struct _gss_name)); if (!name) { *minor_status = ENOMEM; return (GSS_S_FAILURE); } - memset(name, 0, sizeof(struct _gss_name)); + + SLIST_INIT(&name->gn_mn); major_status = _gss_copy_oid(minor_status, name_type, &name->gn_type); 
@@ -205,14 +196,62 @@ gss_import_name(OM_uint32 *minor_status, major_status = _gss_copy_buffer(minor_status, input_name_buffer, &name->gn_value); - if (major_status) { - gss_name_t rname = (gss_name_t)name; - gss_release_name(minor_status, &rname); - return (GSS_S_FAILURE); + if (major_status) + goto out; + + /* + * Walk over the mechs and import the name into a mech name + * for those supported this nametype. + */ + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + int present = 0; + + major_status = gss_test_oid_set_member(minor_status, + name_type, m->gm_name_types, &present); + + if (major_status || present == 0) + continue; + + mn = malloc(sizeof(struct _gss_mechanism_name)); + if (!mn) { + *minor_status = ENOMEM; + major_status = GSS_S_FAILURE; + goto out; + } + + major_status = (*m->gm_mech.gm_import_name)(minor_status, + &name->gn_value, + (name->gn_type.elements + ? &name->gn_type : GSS_C_NO_OID), + &mn->gmn_name); + if (major_status != GSS_S_COMPLETE) { + _gss_mg_error(&m->gm_mech, major_status, *minor_status); + free(mn); + goto out; + } + + mn->gmn_mech = &m->gm_mech; + mn->gmn_mech_oid = &m->gm_mech_oid; + SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); } - SLIST_INIT(&name->gn_mn); + /* + * If we can't find a mn for the name, bail out already here. + */ + + mn = SLIST_FIRST(&name->gn_mn); + if (!mn) { + *minor_status = 0; + major_status = GSS_S_NAME_NOT_MN; + goto out; + } *output_name = (gss_name_t) name; return (GSS_S_COMPLETE); + + out: + rname = (gss_name_t)name; + gss_release_name(&ms, &rname); + return major_status; } diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 5318f6cdba..5d883c45c2 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -278,7 +278,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, || *context_handle == GSS_C_NO_CONTEXT || version != 1) { - ret = EINVAL; + *minor_status = EINVAL; return GSS_S_FAILURE; } 
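Review bot: When no mechanism accepts `name_type`, the `if (!mn)` branch returns `GSS_S_NAME_NOT_MN`, whereas the whitelist this change removes returned `GSS_S_BAD_NAMETYPE`; RFC 2744 lists `GSS_S_BAD_NAMETYPE` for gss_import_name and callers testing for it will now miss an unsupported name type, so `major_status = GSS_S_BAD_NAMETYPE;` there preserves the old contract. The `SLIST_FOREACH` loop also hands `m->gm_name_types` of every `_gss_mechs` entry to `gss_test_oid_set_member`; the `add_builtin` hunk in gss_mech_switch.c populates that set for built-in mechanisms, but I see no corresponding initialization on the dlopen path, so a dynamically loaded mechanism may present an uninitialized set here — worth confirming. `gss_import_name` begins before this hunk.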
@@ -715,7 +715,7 @@ gsskrb5_extract_key(OM_uint32 *minor_status, krb5_storage *sp = NULL; if (context_handle == GSS_C_NO_CONTEXT) { - ret = EINVAL; + *minor_status = EINVAL; return GSS_S_FAILURE; } diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c index fc2e8816c5..3321819d28 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c +++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c @@ -186,6 +186,15 @@ add_builtin(gssapi_mech_interface mech) gss_add_oid_set_member(&minor_status, &m->gm_mech.gm_mech_oid, &_gss_mech_oids); + /* pick up the oid sets of names */ + + if (m->gm_mech.gm_inquire_names_for_mech) { + (*m->gm_mech.gm_inquire_names_for_mech)(&minor_status, + &m->gm_mech.gm_mech_oid, &m->gm_name_types); + } else { + gss_create_empty_oid_set(&minor_status, &m->gm_name_types); + } + SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link); return 0; } @@ -221,9 +230,7 @@ _gss_load_mech(void) add_builtin(__gss_krb5_initialize()); add_builtin(__gss_spnego_initialize()); -#ifndef HEIMDAL_SMALLER add_builtin(__gss_ntlm_initialize()); -#endif #ifdef HAVE_DLOPEN fp = fopen(_PATH_GSS_MECH, "r"); @@ -308,6 +315,9 @@ _gss_load_mech(void) OPTSYM(set_sec_context_option); OPTSYM(set_cred_option); OPTSYM(pseudo_random); + OPTSYM(wrap_iov); + OPTSYM(unwrap_iov); + OPTSYM(wrap_iov_length); SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link); continue; diff --git a/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c b/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c index b907f94038..771efcb434 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c +++ b/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c @@ -45,7 +45,7 @@ gss_pseudo_random(OM_uint32 *minor_status, gss_buffer_t prf_out) { struct _gss_context *ctx = (struct _gss_context *) context; - gssapi_mech_interface m = ctx->gc_mech; + gssapi_mech_interface m; OM_uint32 major_status; _mg_buffer_zero(prf_out); 
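Review bot: The return value of `gm_inquire_names_for_mech` in `add_builtin` is ignored, so a mechanism whose callback fails is still inserted into `_gss_mechs` with `m->gm_name_types` left in whatever state the callback left it, and the new loop in gss_import_name then passes that set to `gss_test_oid_set_member`. Falling back to an empty set on any result other than `GSS_S_COMPLETE` keeps the list consistent. The dlopen loader in the later hunk of this file gains the `OPTSYM(wrap_iov)` family but I do not see it populate `gm_name_types` at all, which is worth checking too. `add_builtin` begins before this hunk.
```c
	/* pick up the oid sets of names */
	m->gm_name_types = GSS_C_NO_OID_SET;
	if (m->gm_mech.gm_inquire_names_for_mech == NULL ||
	    (*m->gm_mech.gm_inquire_names_for_mech)(&minor_status,
		&m->gm_mech.gm_mech_oid, &m->gm_name_types) != GSS_S_COMPLETE) {
		gss_release_oid_set(&minor_status, &m->gm_name_types);
		gss_create_empty_oid_set(&minor_status, &m->gm_name_types);
	}
	/* … unchanged: SLIST_INSERT_HEAD and return … */
```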
@@ -56,6 +56,8 @@ gss_pseudo_random(OM_uint32 *minor_status, return GSS_S_NO_CONTEXT; } + m = ctx->gc_mech; + if (m->gm_pseudo_random == NULL) return GSS_S_UNAVAILABLE; diff --git a/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c b/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c index 1a411729c6..60ef3bff85 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c +++ b/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c @@ -37,7 +37,7 @@ gss_verify_mic(OM_uint32 *minor_status, gss_qop_t *qop_state) { struct _gss_context *ctx = (struct _gss_context *) context_handle; - gssapi_mech_interface m = ctx->gc_mech; + gssapi_mech_interface m; if (qop_state) *qop_state = 0; @@ -46,6 +46,8 @@ gss_verify_mic(OM_uint32 *minor_status, return GSS_S_NO_CONTEXT; } + m = ctx->gc_mech; + return (m->gm_verify_mic(minor_status, ctx->gc_ctx, message_buffer, token_buffer, qop_state)); } diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap.c b/source4/heimdal/lib/gssapi/mech/gss_wrap.c index b3363d3f20..9476d01ddd 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_wrap.c +++ b/source4/heimdal/lib/gssapi/mech/gss_wrap.c @@ -39,7 +39,7 @@ gss_wrap(OM_uint32 *minor_status, gss_buffer_t output_message_buffer) { struct _gss_context *ctx = (struct _gss_context *) context_handle; - gssapi_mech_interface m = ctx->gc_mech; + gssapi_mech_interface m; if (conf_state) *conf_state = 0; @@ -49,6 +49,8 @@ gss_wrap(OM_uint32 *minor_status, return GSS_S_NO_CONTEXT; } + m = ctx->gc_mech; + return (m->gm_wrap(minor_status, ctx->gc_ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer)); diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c index 15b86a9367..a5a80b21d7 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c +++ b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c 
@@ -38,7 +38,7 @@ gss_wrap_size_limit(OM_uint32 *minor_status, OM_uint32 *max_input_size) { struct _gss_context *ctx = (struct _gss_context *) context_handle; - gssapi_mech_interface m = ctx->gc_mech; + gssapi_mech_interface m; *max_input_size = 0; if (ctx == NULL) { @@ -46,6 +46,8 @@ gss_wrap_size_limit(OM_uint32 *minor_status, return GSS_S_NO_CONTEXT; } + m = ctx->gc_mech; + return (m->gm_wrap_size_limit(minor_status, ctx->gc_ctx, conf_req_flag, qop_req, req_output_size, max_input_size)); } diff --git a/source4/heimdal/lib/gssapi/mech/mech_locl.h b/source4/heimdal/lib/gssapi/mech/mech_locl.h index 42c069eb2d..17721fd3ce 100644 --- a/source4/heimdal/lib/gssapi/mech/mech_locl.h +++ b/source4/heimdal/lib/gssapi/mech/mech_locl.h @@ -53,6 +53,7 @@ #include <gssapi.h> #include <gssapi_mech.h> +#include <gssapi_krb5.h> #include "mechqueue.h" diff --git a/source4/heimdal/lib/gssapi/mech/mech_switch.h b/source4/heimdal/lib/gssapi/mech/mech_switch.h index e83a4c8a5a..56e3b7dea7 100644 --- a/source4/heimdal/lib/gssapi/mech/mech_switch.h +++ b/source4/heimdal/lib/gssapi/mech/mech_switch.h @@ -32,6 +32,7 @@ struct _gss_mech_switch { SLIST_ENTRY(_gss_mech_switch) gm_link; gss_OID_desc gm_mech_oid; + gss_OID_set gm_name_types; void *gm_so; gssapi_mech_interface_desc gm_mech; }; diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c index cabd806fbf..158126d99f 100644 --- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "spnego/spnego_locl.h" +#include "spnego_locl.h" RCSID("$Id$"); @@ -494,7 +494,7 @@ acceptor_complete(OM_uint32 * minor_status, *get_mic = 1; } - if (verify_mic || get_mic) { + if (verify_mic || *get_mic) { int eret; size_t buf_len; 
@@ -512,7 +512,7 @@ acceptor_complete(OM_uint32 * minor_status, if (verify_mic) { ret = verify_mechlist_mic(minor_status, ctx, mech_buf, mic); if (ret) { - if (get_mic) + if (*get_mic) send_reject (minor_status, output_token); if (buf.value) free(buf.value); diff --git a/source4/heimdal/lib/gssapi/spnego/compat.c b/source4/heimdal/lib/gssapi/spnego/compat.c index 67d9b202a7..ee25b59435 100644 --- a/source4/heimdal/lib/gssapi/spnego/compat.c +++ b/source4/heimdal/lib/gssapi/spnego/compat.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "spnego/spnego_locl.h" +#include "spnego_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/spnego/context_stubs.c b/source4/heimdal/lib/gssapi/spnego/context_stubs.c index 5bc1a48656..1998c44edf 100644 --- a/source4/heimdal/lib/gssapi/spnego/context_stubs.c +++ b/source4/heimdal/lib/gssapi/spnego/context_stubs.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "spnego/spnego_locl.h" +#include "spnego_locl.h" RCSID("$Id$"); @@ -62,6 +62,7 @@ spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs) return ret; } } + gss_release_oid_set(&junk, &m); return ret; } @@ -598,7 +599,7 @@ out: gss_release_oid_set(&junk, &mechs); - return GSS_S_COMPLETE; + return ret; } OM_uint32 _gss_spnego_inquire_mechs_for_name ( 
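Review bot: The added `gss_release_oid_set(&junk, &m);` in `spnego_supported_mechs` only covers the success path; the `return ret;` two lines above it, inside the loop's error branch, still leaves `m` unreleased, so the leak is only half closed (the loop body and the function's start lie outside the hunk, so the exact shape of that branch is inferred). Routing the error return through the same release — or an `out:` label like the one the later hunk in this file already uses — would make both paths consistent.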
@@ -642,128 +643,6 @@ OM_uint32 _gss_spnego_duplicate_name ( return gss_duplicate_name(minor_status, src_name, dest_name); } -OM_uint32 _gss_spnego_sign - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int qop_req, - gss_buffer_t message_buffer, - gss_buffer_t message_token - ) -{ - gssspnego_ctx ctx; - - *minor_status = 0; - - if (context_handle == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } - - ctx = (gssspnego_ctx)context_handle; - - if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } - - return gss_sign(minor_status, - ctx->negotiated_ctx_id, - qop_req, - message_buffer, - message_token); -} - -OM_uint32 _gss_spnego_verify - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t message_buffer, - gss_buffer_t token_buffer, - int * qop_state - ) -{ - gssspnego_ctx ctx; - - *minor_status = 0; - - if (context_handle == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } - - ctx = (gssspnego_ctx)context_handle; - - if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } - - return gss_verify(minor_status, - ctx->negotiated_ctx_id, - message_buffer, - token_buffer, - qop_state); -} - -OM_uint32 _gss_spnego_seal - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - int qop_req, - gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer - ) -{ - gssspnego_ctx ctx; - - *minor_status = 0; - - if (context_handle == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } - - ctx = (gssspnego_ctx)context_handle; - - if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } - - return gss_seal(minor_status, - ctx->negotiated_ctx_id, - conf_req_flag, - qop_req, - input_message_buffer, - conf_state, - output_message_buffer); -} - -OM_uint32 _gss_spnego_unseal - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * 
conf_state, - int * qop_state - ) -{ - gssspnego_ctx ctx; - - *minor_status = 0; - - if (context_handle == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } - - ctx = (gssspnego_ctx)context_handle; - - if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { - return GSS_S_NO_CONTEXT; - } - - return gss_unseal(minor_status, - ctx->negotiated_ctx_id, - input_message_buffer, - output_message_buffer, - conf_state, - qop_state); -} - #if 0 OM_uint32 _gss_spnego_unwrap_ex (OM_uint32 * minor_status, diff --git a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c index f6b3fecaa0..a3a984e22c 100644 --- a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c +++ b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "spnego/spnego_locl.h" +#include "spnego_locl.h" RCSID("$Id$"); diff --git a/source4/heimdal/lib/gssapi/spnego/external.c b/source4/heimdal/lib/gssapi/spnego/external.c index 02404237a7..2dc809bbba 100644 --- a/source4/heimdal/lib/gssapi/spnego/external.c +++ b/source4/heimdal/lib/gssapi/spnego/external.c @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -#include "spnego/spnego_locl.h" +#include "spnego_locl.h" #include <gssapi_mech.h> RCSID("$Id$"); @@ -71,7 +71,7 @@ static gssapi_mech_interface_desc spnego_mech = { _gss_spnego_inquire_cred_by_mech, _gss_spnego_export_sec_context, _gss_spnego_import_sec_context, - _gss_spnego_inquire_names_for_mech, + NULL /* _gss_spnego_inquire_names_for_mech */, _gss_spnego_inquire_mechs_for_name, _gss_spnego_canonicalize_name, _gss_spnego_duplicate_name, diff --git a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c index 7a5814413b..ac32432d55 100644 --- a/source4/heimdal/lib/gssapi/spnego/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/spnego/init_sec_context.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -#include "spnego/spnego_locl.h" +#include "spnego_locl.h" RCSID("$Id$"); 
@@ -392,8 +392,7 @@ spnego_reply ) { OM_uint32 ret, minor; - NegTokenResp resp; - size_t len, taglen; + NegotiationToken resp; gss_OID_desc mech; int require_mic; size_t buf_len; @@ -414,27 +413,23 @@ spnego_reply mech_buf.value = NULL; mech_buf.length = 0; - ret = der_match_tag_and_length(input_token->value, input_token->length, - ASN1_C_CONTEXT, CONS, 1, &len, &taglen); + ret = decode_NegotiationToken(input_token->value, input_token->length, + &resp, NULL); if (ret) - return ret; + return ret; - if (len > input_token->length - taglen) - return ASN1_OVERRUN; - - ret = decode_NegTokenResp((const unsigned char *)input_token->value+taglen, - len, &resp, NULL); - if (ret) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; + if (resp.element != choice_NegotiationToken_negTokenResp) { + free_NegotiationToken(&resp); + *minor_status = 0; + return GSS_S_BAD_MECH; } - if (resp.negResult == NULL - || *(resp.negResult) == reject - /* || resp.supportedMech == NULL */ + if (resp.u.negTokenResp.negResult == NULL + || *(resp.u.negTokenResp.negResult) == reject + /* || resp.u.negTokenResp.supportedMech == NULL */ ) { - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); return GSS_S_BAD_MECH; } @@ -445,16 +440,16 @@ spnego_reply HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - if (resp.supportedMech) { + if (resp.u.negTokenResp.supportedMech) { if (ctx->oidlen) { - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_BAD_MECH; } ret = der_put_oid(ctx->oidbuf + sizeof(ctx->oidbuf) - 1, sizeof(ctx->oidbuf), - resp.supportedMech, + resp.u.negTokenResp.supportedMech, &ctx->oidlen); /* Avoid recursively embedded SPNEGO */ if (ret || (ctx->oidlen == GSS_SPNEGO_MECHANISM->length && @@ -462,7 +457,7 @@ spnego_reply GSS_SPNEGO_MECHANISM->elements, ctx->oidlen) == 0)) { - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_BAD_MECH; } 
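Review bot: In `spnego_reply` the decode failure path `ret = decode_NegotiationToken(...); if (ret) return ret;` returns the ASN.1 decoder's error code as the GSS major status and leaves `*minor_status` untouched, so a malformed peer token produces a value callers cannot interpret via `GSS_ERROR()` or gss_display_status; the `decode_NegTokenResp` branch this hunk removes at least mapped its failure to `GSS_S_FAILURE`. As this is the first parse of network input it should be `*minor_status = ret; return GSS_S_DEFECTIVE_TOKEN;`. The new `resp.element != choice_NegotiationToken_negTokenResp` check is correct, though `GSS_S_DEFECTIVE_TOKEN` describes a wrong CHOICE more precisely than `GSS_S_BAD_MECH`. `spnego_reply` begins and ends outside this hunk.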
@@ -478,19 +473,19 @@ spnego_reply ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT; } } else if (ctx->oidlen == 0) { - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_BAD_MECH; } /* if a token (of non zero length), or no context, pass to underlaying mech */ - if ((resp.responseToken != NULL && resp.responseToken->length) || + if ((resp.u.negTokenResp.responseToken != NULL && resp.u.negTokenResp.responseToken->length) || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { gss_buffer_desc mech_input_token; - if (resp.responseToken) { - mech_input_token.length = resp.responseToken->length; - mech_input_token.value = resp.responseToken->data; + if (resp.u.negTokenResp.responseToken) { + mech_input_token.length = resp.u.negTokenResp.responseToken->length; + mech_input_token.value = resp.u.negTokenResp.responseToken->data; } else { mech_input_token.length = 0; mech_input_token.value = NULL; @@ -518,7 +513,7 @@ spnego_reply &ctx->mech_time_rec); if (GSS_ERROR(ret)) { HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); gss_mg_collect_error(&mech, ret, minor); *minor_status = minor; return ret; @@ -526,12 +521,12 @@ spnego_reply if (ret == GSS_S_COMPLETE) { ctx->open = 1; } - } else if (*(resp.negResult) == accept_completed) { + } else if (*(resp.u.negTokenResp.negResult) == accept_completed) { if (ctx->maybe_open) ctx->open = 1; } - if (*(resp.negResult) == request_mic) { + if (*(resp.u.negTokenResp.negResult) == request_mic) { ctx->require_mic = 1; } 
@@ -540,14 +535,14 @@ spnego_reply * Verify the mechListMIC if one was provided or CFX was * used and a non-preferred mechanism was selected */ - if (resp.mechListMIC != NULL) { + if (resp.u.negTokenResp.mechListMIC != NULL) { require_mic = 1; } else { ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, &require_mic); if (ret) { HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); gss_release_buffer(&minor, &mech_output_token); return ret; } @@ -561,7 +556,7 @@ spnego_reply &ctx->initiator_mech_types, &buf_len, ret); if (ret) { HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); gss_release_buffer(&minor, &mech_output_token); *minor_status = ret; return GSS_S_FAILURE; @@ -569,15 +564,15 @@ spnego_reply if (mech_buf.length != buf_len) abort(); - if (resp.mechListMIC == NULL) { + if (resp.u.negTokenResp.mechListMIC == NULL) { HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); free(mech_buf.value); - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); *minor_status = 0; return GSS_S_DEFECTIVE_TOKEN; } - mic_buf.length = resp.mechListMIC->length; - mic_buf.value = resp.mechListMIC->data; + mic_buf.length = resp.u.negTokenResp.mechListMIC->length; + mic_buf.value = resp.u.negTokenResp.mechListMIC->data; if (mech_output_token.length == 0) { ret = gss_verify_mic(minor_status, @@ -589,7 +584,7 @@ spnego_reply HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); free(mech_buf.value); gss_release_buffer(&minor, &mech_output_token); - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); return GSS_S_DEFECTIVE_TOKEN; } ctx->verified_mic = 1; @@ -604,7 +599,7 @@ spnego_reply if (mech_buf.value != NULL) free(mech_buf.value); - free_NegTokenResp(&resp); + free_NegotiationToken(&resp); gss_release_buffer(&minor, &mech_output_token); if (actual_mech_type) 
diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h index 8344e750ae..44fa8b117d 100644 --- a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h +++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h @@ -35,9 +35,7 @@ #ifndef SPNEGO_LOCL_H #define SPNEGO_LOCL_H -#ifdef HAVE_CONFIG_H #include <config.h> -#endif #ifdef HAVE_SYS_TYPES_H #include <sys/types.h> @@ -50,8 +48,9 @@ #include <pthread.h> #endif -#include <gssapi/gssapi_spnego.h> #include <gssapi.h> +#include <gssapi_krb5.h> +#include <gssapi_spnego.h> #include <assert.h> #include <stdlib.h> #include <string.h> @@ -67,7 +66,7 @@ #include <gssapi_mech.h> #include "spnego_asn1.h" -#include "mech/utils.h" +#include "utils.h" #include <der.h> #include <roken.h> @@ -109,6 +108,6 @@ typedef struct { extern gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc; extern gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc; -#include <spnego/spnego-private.h> +#include <spnego-private.h> #endif /* SPNEGO_LOCL_H */ |