diff options
Diffstat (limited to 'source4/heimdal/lib/gssapi')
72 files changed, 962 insertions, 466 deletions
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi/gssapi.h index fbc638c48f..63f66f7313 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gssapi.h 21004 2007-06-08 01:53:10Z lha $ */ +/* $Id: gssapi.h 23025 2008-04-17 10:01:57Z lha $ */ #ifndef GSSAPI_GSSAPI_H_ #define GSSAPI_GSSAPI_H_ @@ -43,6 +43,16 @@ #include <krb5-types.h> +#ifndef BUILD_GSSAPI_LIB +#if defined(_WIN32) +#define GSSAPI_LIB_FUNCTION _stdcall __declspec(dllimport) +#define GSSAPI_LIB_VARIABLE __declspec(dllimport) +#else +#define GSSAPI_LIB_FUNCTION +#define GSSAPI_LIB_VARIABLE +#endif +#endif + /* * Now define the three implementation-dependent types. */ @@ -210,7 +220,7 @@ extern "C" { * GSS_C_NT_USER_NAME should be initialized to point * to that gss_OID_desc. */ -extern gss_OID GSS_C_NT_USER_NAME; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_USER_NAME; /* * The implementation must reserve static storage for a @@ -223,7 +233,7 @@ extern gss_OID GSS_C_NT_USER_NAME; * The constant GSS_C_NT_MACHINE_UID_NAME should be * initialized to point to that gss_OID_desc. */ -extern gss_OID GSS_C_NT_MACHINE_UID_NAME; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_MACHINE_UID_NAME; /* * The implementation must reserve static storage for a @@ -236,7 +246,7 @@ extern gss_OID GSS_C_NT_MACHINE_UID_NAME; * The constant GSS_C_NT_STRING_UID_NAME should be * initialized to point to that gss_OID_desc. */ -extern gss_OID GSS_C_NT_STRING_UID_NAME; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_STRING_UID_NAME; /* * The implementation must reserve static storage for a @@ -255,7 +265,7 @@ extern gss_OID GSS_C_NT_STRING_UID_NAME; * parameter, but should not be emitted by GSS-API * implementations */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; /* * The implementation must reserve static storage for a @@ -268,7 +278,7 @@ extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; * GSS_C_NT_HOSTBASED_SERVICE should be initialized * to point to that gss_OID_desc. */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_HOSTBASED_SERVICE; /* * The implementation must reserve static storage for a @@ -280,7 +290,7 @@ extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; * and GSS_C_NT_ANONYMOUS should be initialized to point * to that gss_OID_desc. */ -extern gss_OID GSS_C_NT_ANONYMOUS; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_ANONYMOUS; /* * The implementation must reserve static storage for a @@ -292,19 +302,19 @@ extern gss_OID GSS_C_NT_ANONYMOUS; * GSS_C_NT_EXPORT_NAME should be initialized to point * to that gss_OID_desc. */ -extern gss_OID GSS_C_NT_EXPORT_NAME; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_NT_EXPORT_NAME; /* * Digest mechanism */ -extern gss_OID GSS_SASL_DIGEST_MD5_MECHANISM; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_SASL_DIGEST_MD5_MECHANISM; /* * NTLM mechanism */ -extern gss_OID GSS_NTLM_MECHANISM; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_NTLM_MECHANISM; /* Major status codes */ @@ -387,7 +397,7 @@ extern gss_OID GSS_NTLM_MECHANISM; * Finally, function prototypes for the GSS-API routines. */ -OM_uint32 gss_acquire_cred +OM_uint32 GSSAPI_LIB_FUNCTION gss_acquire_cred (OM_uint32 * /*minor_status*/, const gss_name_t /*desired_name*/, OM_uint32 /*time_req*/, @@ -398,12 +408,12 @@ OM_uint32 gss_acquire_cred OM_uint32 * /*time_rec*/ ); -OM_uint32 gss_release_cred +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_cred (OM_uint32 * /*minor_status*/, gss_cred_id_t * /*cred_handle*/ ); -OM_uint32 gss_init_sec_context +OM_uint32 GSSAPI_LIB_FUNCTION gss_init_sec_context (OM_uint32 * /*minor_status*/, const gss_cred_id_t /*initiator_cred_handle*/, gss_ctx_id_t * /*context_handle*/, @@ -419,7 +429,7 @@ OM_uint32 gss_init_sec_context OM_uint32 * /*time_rec*/ ); -OM_uint32 gss_accept_sec_context +OM_uint32 GSSAPI_LIB_FUNCTION gss_accept_sec_context (OM_uint32 * /*minor_status*/, gss_ctx_id_t * /*context_handle*/, const gss_cred_id_t /*acceptor_cred_handle*/, @@ -433,25 +443,25 @@ OM_uint32 gss_accept_sec_context gss_cred_id_t * /*delegated_cred_handle*/ ); -OM_uint32 gss_process_context_token +OM_uint32 GSSAPI_LIB_FUNCTION gss_process_context_token (OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, const gss_buffer_t /*token_buffer*/ ); -OM_uint32 gss_delete_sec_context +OM_uint32 GSSAPI_LIB_FUNCTION gss_delete_sec_context (OM_uint32 * /*minor_status*/, gss_ctx_id_t * /*context_handle*/, gss_buffer_t /*output_token*/ ); -OM_uint32 gss_context_time +OM_uint32 GSSAPI_LIB_FUNCTION gss_context_time (OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, OM_uint32 * /*time_rec*/ ); -OM_uint32 gss_get_mic +OM_uint32 GSSAPI_LIB_FUNCTION gss_get_mic (OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, gss_qop_t /*qop_req*/, @@ -459,7 +469,7 @@ OM_uint32 gss_get_mic gss_buffer_t /*message_token*/ ); -OM_uint32 gss_verify_mic +OM_uint32 GSSAPI_LIB_FUNCTION gss_verify_mic (OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, const gss_buffer_t /*message_buffer*/, @@ -467,7 +477,7 @@ OM_uint32 gss_verify_mic gss_qop_t * /*qop_state*/ ); -OM_uint32 gss_wrap +OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap (OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, int /*conf_req_flag*/, @@ -477,7 +487,7 @@ OM_uint32 gss_wrap gss_buffer_t /*output_message_buffer*/ ); -OM_uint32 gss_unwrap +OM_uint32 GSSAPI_LIB_FUNCTION gss_unwrap (OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, const gss_buffer_t /*input_message_buffer*/, @@ -486,7 +496,7 @@ OM_uint32 gss_unwrap gss_qop_t * /*qop_state*/ ); -OM_uint32 gss_display_status +OM_uint32 GSSAPI_LIB_FUNCTION gss_display_status (OM_uint32 * /*minor_status*/, OM_uint32 /*status_value*/, int /*status_type*/, @@ -495,54 +505,54 @@ OM_uint32 gss_display_status gss_buffer_t /*status_string*/ ); -OM_uint32 gss_indicate_mechs +OM_uint32 GSSAPI_LIB_FUNCTION gss_indicate_mechs (OM_uint32 * /*minor_status*/, gss_OID_set * /*mech_set*/ ); -OM_uint32 gss_compare_name +OM_uint32 GSSAPI_LIB_FUNCTION gss_compare_name (OM_uint32 * /*minor_status*/, const gss_name_t /*name1*/, const gss_name_t /*name2*/, int * /*name_equal*/ ); -OM_uint32 gss_display_name +OM_uint32 GSSAPI_LIB_FUNCTION gss_display_name (OM_uint32 * /*minor_status*/, const gss_name_t /*input_name*/, gss_buffer_t /*output_name_buffer*/, gss_OID * /*output_name_type*/ ); -OM_uint32 gss_import_name +OM_uint32 GSSAPI_LIB_FUNCTION gss_import_name (OM_uint32 * /*minor_status*/, const gss_buffer_t /*input_name_buffer*/, const gss_OID /*input_name_type*/, gss_name_t * /*output_name*/ ); -OM_uint32 gss_export_name +OM_uint32 GSSAPI_LIB_FUNCTION gss_export_name (OM_uint32 * /*minor_status*/, const gss_name_t /*input_name*/, gss_buffer_t /*exported_name*/ ); -OM_uint32 gss_release_name +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_name (OM_uint32 * /*minor_status*/, gss_name_t * /*input_name*/ ); -OM_uint32 gss_release_buffer +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_buffer (OM_uint32 * /*minor_status*/, gss_buffer_t /*buffer*/ ); -OM_uint32 gss_release_oid_set +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_oid_set (OM_uint32 * /*minor_status*/, gss_OID_set * /*set*/ ); -OM_uint32 gss_inquire_cred +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred (OM_uint32 * /*minor_status*/, const gss_cred_id_t /*cred_handle*/, gss_name_t * /*name*/, @@ -551,7 +561,7 @@ OM_uint32 gss_inquire_cred gss_OID_set * /*mechanisms*/ ); -OM_uint32 gss_inquire_context ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_context ( OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, gss_name_t * /*src_name*/, @@ -563,7 +573,7 @@ OM_uint32 gss_inquire_context ( int * /*open_context*/ ); -OM_uint32 gss_wrap_size_limit ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap_size_limit ( OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, int /*conf_req_flag*/, @@ -572,7 +582,7 @@ OM_uint32 gss_wrap_size_limit ( OM_uint32 * /*max_input_size*/ ); -OM_uint32 gss_add_cred ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_add_cred ( OM_uint32 * /*minor_status*/, const gss_cred_id_t /*input_cred_handle*/, const gss_name_t /*desired_name*/, @@ -586,7 +596,7 @@ OM_uint32 gss_add_cred ( OM_uint32 * /*acceptor_time_rec*/ ); -OM_uint32 gss_inquire_cred_by_mech ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred_by_mech ( OM_uint32 * /*minor_status*/, const gss_cred_id_t /*cred_handle*/, const gss_OID /*mech_type*/, @@ -596,80 +606,81 @@ OM_uint32 gss_inquire_cred_by_mech ( gss_cred_usage_t * /*cred_usage*/ ); -OM_uint32 gss_export_sec_context ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_export_sec_context ( OM_uint32 * /*minor_status*/, gss_ctx_id_t * /*context_handle*/, gss_buffer_t /*interprocess_token*/ ); -OM_uint32 gss_import_sec_context ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_import_sec_context ( OM_uint32 * /*minor_status*/, const gss_buffer_t /*interprocess_token*/, gss_ctx_id_t * /*context_handle*/ ); -OM_uint32 gss_create_empty_oid_set ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_create_empty_oid_set ( OM_uint32 * /*minor_status*/, gss_OID_set * /*oid_set*/ ); -OM_uint32 gss_add_oid_set_member ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_add_oid_set_member ( OM_uint32 * /*minor_status*/, const gss_OID /*member_oid*/, gss_OID_set * /*oid_set*/ ); -OM_uint32 gss_test_oid_set_member ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_test_oid_set_member ( OM_uint32 * /*minor_status*/, const gss_OID /*member*/, const gss_OID_set /*set*/, int * /*present*/ ); -OM_uint32 gss_inquire_names_for_mech ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_names_for_mech ( OM_uint32 * /*minor_status*/, const gss_OID /*mechanism*/, gss_OID_set * /*name_types*/ ); -OM_uint32 gss_inquire_mechs_for_name ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_mechs_for_name ( OM_uint32 * /*minor_status*/, const gss_name_t /*input_name*/, gss_OID_set * /*mech_types*/ ); -OM_uint32 gss_canonicalize_name ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_canonicalize_name ( OM_uint32 * /*minor_status*/, const gss_name_t /*input_name*/, const gss_OID /*mech_type*/, gss_name_t * /*output_name*/ ); -OM_uint32 gss_duplicate_name ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_duplicate_name ( OM_uint32 * /*minor_status*/, const gss_name_t /*src_name*/, gss_name_t * /*dest_name*/ ); -OM_uint32 gss_duplicate_oid ( +OM_uint32 GSSAPI_LIB_FUNCTION gss_duplicate_oid ( OM_uint32 * /* minor_status */, gss_OID /* src_oid */, gss_OID * /* dest_oid */ ); -OM_uint32 + +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_oid (OM_uint32 * /*minor_status*/, gss_OID * /* oid */ ); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_oid_to_str( OM_uint32 * /*minor_status*/, gss_OID /* oid */, gss_buffer_t /* str */ ); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_sec_context_by_oid( OM_uint32 * minor_status, const gss_ctx_id_t context_handle, @@ -677,38 +688,38 @@ gss_inquire_sec_context_by_oid( gss_buffer_set_t *data_set ); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_set_sec_context_option (OM_uint32 *minor_status, gss_ctx_id_t *context_handle, const gss_OID desired_object, const gss_buffer_t value); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_set_cred_option (OM_uint32 *minor_status, gss_cred_id_t *cred_handle, const gss_OID object, const gss_buffer_t value); -int +int GSSAPI_LIB_FUNCTION gss_oid_equal(const gss_OID a, const gss_OID b); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_create_empty_buffer_set (OM_uint32 * minor_status, gss_buffer_set_t *buffer_set); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_add_buffer_set_member (OM_uint32 * minor_status, const gss_buffer_t member_buffer, gss_buffer_set_t *buffer_set); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_buffer_set (OM_uint32 * minor_status, gss_buffer_set_t *buffer_set); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred_by_oid(OM_uint32 *minor_status, const gss_cred_id_t cred_handle, const gss_OID desired_object, @@ -721,7 +732,7 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status, #define GSS_C_PRF_KEY_FULL 0 #define GSS_C_PRF_KEY_PARTIAL 1 -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_pseudo_random (OM_uint32 *minor_status, gss_ctx_id_t context, @@ -742,7 +753,7 @@ gss_pseudo_random * obsolete versions of these routines and their current forms. */ -OM_uint32 gss_sign +OM_uint32 GSSAPI_LIB_FUNCTION gss_sign (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*qop_req*/, @@ -750,7 +761,7 @@ OM_uint32 gss_sign gss_buffer_t /*message_token*/ ); -OM_uint32 gss_verify +OM_uint32 GSSAPI_LIB_FUNCTION gss_verify (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, gss_buffer_t /*message_buffer*/, @@ -758,7 +769,7 @@ OM_uint32 gss_verify int * /*qop_state*/ ); -OM_uint32 gss_seal +OM_uint32 GSSAPI_LIB_FUNCTION gss_seal (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*conf_req_flag*/, @@ -768,7 +779,7 @@ OM_uint32 gss_seal gss_buffer_t /*output_message_buffer*/ ); -OM_uint32 gss_unseal +OM_uint32 GSSAPI_LIB_FUNCTION gss_unseal (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, gss_buffer_t /*input_message_buffer*/, @@ -781,18 +792,18 @@ OM_uint32 gss_unseal * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, const gss_ctx_id_t context_handle, const gss_OID desired_object, gss_buffer_set_t *data_set); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_encapsulate_token(gss_buffer_t /* input_token */, gss_OID /* oid */, gss_buffer_t /* output_token */); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_decapsulate_token(gss_buffer_t /* input_token */, gss_OID /* oid */, gss_buffer_t /* output_token */); diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h index 2223f4f22f..55f7886658 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gssapi_krb5.h 22655 2008-02-26 12:40:35Z lha $ */ +/* $Id: gssapi_krb5.h 23420 2008-07-26 18:37:48Z lha $ */ #ifndef GSSAPI_KRB5_H_ #define GSSAPI_KRB5_H_ @@ -46,12 +46,12 @@ extern "C" { * This is for kerberos5 names. */ -extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME; -extern gss_OID GSS_KRB5_NT_USER_NAME; -extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME; -extern gss_OID GSS_KRB5_NT_STRING_UID_NAME; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_PRINCIPAL_NAME; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_USER_NAME; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_MACHINE_UID_NAME; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_NT_STRING_UID_NAME; -extern gss_OID GSS_KRB5_MECHANISM; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_MECHANISM; /* for compatibility with MIT api */ @@ -59,28 +59,30 @@ extern gss_OID GSS_KRB5_MECHANISM; #define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME /* Extensions set contexts options */ -extern gss_OID GSS_KRB5_COPY_CCACHE_X; -extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X; -extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X; -extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X; -extern gss_OID GSS_KRB5_SEND_TO_KDC_X; -extern gss_OID GSS_KRB5_SET_DEFAULT_REALM_X; -extern gss_OID GSS_KRB5_CCACHE_NAME_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_COPY_CCACHE_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_COMPAT_DES3_MIC_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SEND_TO_KDC_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_DEFAULT_REALM_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_CCACHE_NAME_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_TIME_OFFSET_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_TIME_OFFSET_X; /* Extensions inquire context */ -extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X; -extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X; -extern gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO; -extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X; -extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X; -extern gss_OID GSS_KRB5_GET_SUBKEY_X; -extern gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X; -extern gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X; -extern gss_OID GSS_KRB5_GET_AUTHTIME_X; -extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_TKT_FLAGS_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_SUBKEY_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_AUTHTIME_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X; /* Extensions creds */ -extern gss_OID GSS_KRB5_IMPORT_CRED_X; -extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X; -extern gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_IMPORT_CRED_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X; /* * kerberos mechanism specific functions @@ -90,39 +92,42 @@ struct krb5_keytab_data; struct krb5_ccache_data; struct Principal; -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_ccache_name(OM_uint32 * /*minor_status*/, const char * /*name */, const char ** /*out_name */); -OM_uint32 gsskrb5_register_acceptor_identity +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_register_acceptor_identity (const char */*identity*/); -OM_uint32 gss_krb5_copy_ccache +OM_uint32 GSSAPI_LIB_FUNCTION krb5_gss_register_acceptor_identity + (const char */*identity*/); + +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_copy_ccache (OM_uint32 */*minor*/, gss_cred_id_t /*cred*/, struct krb5_ccache_data */*out*/); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_import_cred(OM_uint32 */*minor*/, struct krb5_ccache_data * /*in*/, struct Principal * /*keytab_principal*/, struct krb5_keytab_data * /*keytab*/, gss_cred_id_t */*out*/); -OM_uint32 gss_krb5_get_tkt_flags +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_get_tkt_flags (OM_uint32 */*minor*/, gss_ctx_id_t /*context_handle*/, OM_uint32 */*tkt_flags*/); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_extract_authz_data_from_sec_context (OM_uint32 * /*minor_status*/, gss_ctx_id_t /*context_handle*/, int /*ad_type*/, gss_buffer_t /*ad_data*/); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_set_dns_canonicalize(int); struct gsskrb5_send_to_kdc { @@ -130,30 +135,36 @@ struct gsskrb5_send_to_kdc { void *ptr; }; -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_set_default_realm(const char *); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *); struct EncryptionKey; -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, gss_ctx_id_t context_handle, struct EncryptionKey **out); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, gss_ctx_id_t context_handle, struct EncryptionKey **out); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_get_subkey(OM_uint32 *minor_status, gss_ctx_id_t context_handle, struct EncryptionKey **out); +OM_uint32 GSSAPI_LIB_FUNCTION +gsskrb5_set_time_offset(int); + +OM_uint32 GSSAPI_LIB_FUNCTION +gsskrb5_get_time_offset(int *); + /* * Lucid - NFSv4 interface to GSS-API KRB5 to expose key material to * do GSS content token handling in-kernel. @@ -196,19 +207,19 @@ typedef struct gss_krb5_lucid_context_version { * Function declarations */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, OM_uint32 version, void **kctx); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *kctx); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, gss_cred_id_t cred, OM_uint32 num_enctypes, diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h index fbb7906369..3358863a80 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gssapi_spnego.h 18335 2006-10-07 22:26:21Z lha $ */ +/* $Id: gssapi_spnego.h 23025 2008-04-17 10:01:57Z lha $ */ #ifndef GSSAPI_SPNEGO_H_ #define GSSAPI_SPNEGO_H_ @@ -48,7 +48,7 @@ extern "C" { * negotiation token is identified by the Object Identifier * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). */ -extern gss_OID GSS_SPNEGO_MECHANISM; +extern GSSAPI_LIB_VARIABLE gss_OID GSS_SPNEGO_MECHANISM; #define gss_mech_spnego GSS_SPNEGO_MECHANISM #ifdef __cplusplus diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index 73b93ceba4..8dbd087da6 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: accept_sec_context.c 20199 2007-02-07 22:36:39Z lha $"); +RCSID("$Id: accept_sec_context.c 23433 2008-07-26 18:44:26Z lha $"); HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; krb5_keytab _gsskrb5_keytab; @@ -251,6 +251,62 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status, } static OM_uint32 +send_error_token(OM_uint32 *minor_status, + krb5_context context, + krb5_error_code kret, + krb5_principal server, + krb5_data *indata, + gss_buffer_t output_token) +{ + krb5_principal ap_req_server = NULL; + krb5_error_code ret; + krb5_data outbuf; + + /* build server from request if the acceptor had not selected one */ + if (server == NULL) { + AP_REQ ap_req; + + ret = krb5_decode_ap_req(context, indata, &ap_req); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + ret = _krb5_principalname2krb5_principal(context, + &ap_req_server, + ap_req.ticket.sname, + ap_req.ticket.realm); + free_AP_REQ(&ap_req); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + server = ap_req_server; + } + + ret = krb5_mk_error(context, kret, NULL, NULL, NULL, + server, NULL, NULL, &outbuf); + if (ap_req_server) + krb5_free_principal(context, ap_req_server); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + ret = _gsskrb5_encapsulate(minor_status, + &outbuf, + output_token, + "\x03\x00", + GSS_KRB5_MECHANISM); + krb5_data_free (&outbuf); + if (ret) + return ret; + + *minor_status = 0; + return GSS_S_CONTINUE_NEEDED; +} + + +static OM_uint32 gsskrb5_acceptor_start(OM_uint32 * minor_status, gsskrb5_ctx ctx, krb5_context context, @@ -304,6 +360,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, { krb5_rd_req_in_ctx in = NULL; krb5_rd_req_out_ctx out = NULL; + krb5_principal server = NULL; + + if (acceptor_cred) + server = acceptor_cred->principal; kret = krb5_rd_req_in_ctx_alloc(context, &in); if (kret == 0) @@ -319,17 +379,20 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, kret = krb5_rd_req_ctx(context, &ctx->auth_context, &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal, + server, in, &out); krb5_rd_req_in_ctx_free(context, in); if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - return ret; + /* + * No reply in non-MUTUAL mode, but we don't know that its + * non-MUTUAL mode yet, thats inside the 8003 checksum. + */ + return send_error_token(minor_status, context, kret, + server, &indata, output_token); } /* - * We need to remember some data on the context_handle. + * we need to remember some data on the context_handle. */ kret = krb5_rd_req_out_get_ap_req_options(context, out, &ap_options); diff --git a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c index abad986550..9c618ac6a6 100644 --- a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: delete_sec_context.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: delete_sec_context.c 23420 2008-07-26 18:37:48Z lha $"); OM_uint32 _gsskrb5_delete_sec_context(OM_uint32 * minor_status, @@ -61,6 +61,8 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status, HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); krb5_auth_con_free (context, ctx->auth_context); + if (ctx->kcred) + krb5_free_creds(context, ctx->kcred); if(ctx->source) krb5_free_principal (context, ctx->source); if(ctx->target) diff --git a/source4/heimdal/lib/gssapi/krb5/display_status.c b/source4/heimdal/lib/gssapi/krb5/display_status.c index c0192522a7..f932261ffa 100644 --- a/source4/heimdal/lib/gssapi/krb5/display_status.c +++ b/source4/heimdal/lib/gssapi/krb5/display_status.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: display_status.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: display_status.c 23316 2008-06-23 04:32:32Z lha $"); static const char * calling_error(OM_uint32 v) @@ -135,7 +135,7 @@ _gsskrb5_set_status (const char *fmt, ...) vasprintf(&str, fmt, args); va_end(args); if (str) { - krb5_set_error_string(context, str); + krb5_set_error_message(context, 0, str); free(str); } } diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index 03fe61dc57..2ee018708a 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -34,7 +34,7 @@ #include "krb5/gsskrb5_locl.h" #include <gssapi_mech.h> -RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $"); +RCSID("$Id: external.c 23420 2008-07-26 18:37:48Z lha $"); /* * The implementation must reserve static storage for a @@ -49,9 +49,10 @@ RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $"); */ static gss_OID_desc gss_c_nt_user_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")}; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")}; -gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_USER_NAME = + &gss_c_nt_user_name_oid_desc; /* * The implementation must reserve static storage for a @@ -66,9 +67,10 @@ gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; */ static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")}; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")}; -gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_MACHINE_UID_NAME = + &gss_c_nt_machine_uid_name_oid_desc; /* * The implementation must reserve static storage for a @@ -83,9 +85,10 @@ gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; */ static gss_OID_desc gss_c_nt_string_uid_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")}; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")}; -gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_STRING_UID_NAME = + &gss_c_nt_string_uid_name_oid_desc; /* * The implementation must reserve static storage for a @@ -106,9 +109,10 @@ gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; */ static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc = -{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")}; + {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")}; -gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_HOSTBASED_SERVICE_X = + &gss_c_nt_hostbased_service_x_oid_desc; /* * The implementation must reserve static storage for a @@ -122,9 +126,10 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc; * to point to that gss_OID_desc. */ static gss_OID_desc gss_c_nt_hostbased_service_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")}; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")}; -gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_HOSTBASED_SERVICE = + &gss_c_nt_hostbased_service_oid_desc; /* * The implementation must reserve static storage for a @@ -138,9 +143,10 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc; */ static gss_OID_desc gss_c_nt_anonymous_oid_desc = -{6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")}; + {6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")}; -gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_ANONYMOUS = + &gss_c_nt_anonymous_oid_desc; /* * The implementation must reserve static storage for a @@ -154,9 +160,10 @@ gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc; */ static gss_OID_desc gss_c_nt_export_name_oid_desc = -{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") }; + {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") }; -gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_NT_EXPORT_NAME = + &gss_c_nt_export_name_oid_desc; /* * This name form shall be represented by the Object Identifier {iso(1) @@ -166,9 +173,10 @@ gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc; */ static gss_OID_desc gss_krb5_nt_principal_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") }; + {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") }; -gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_PRINCIPAL_NAME = + &gss_krb5_nt_principal_name_oid_desc; /* * This name form shall be represented by the Object Identifier {iso(1) @@ -177,7 +185,8 @@ gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc; * type is "GSS_KRB5_NT_USER_NAME". */ -gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_USER_NAME = + &gss_c_nt_user_name_oid_desc; /* * This name form shall be represented by the Object Identifier {iso(1) @@ -186,7 +195,8 @@ gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */ -gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_MACHINE_UID_NAME = + &gss_c_nt_machine_uid_name_oid_desc; /* * This name form shall be represented by the Object Identifier {iso(1) @@ -195,7 +205,8 @@ gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; * this type is "GSS_KRB5_NT_STRING_UID_NAME". */ -gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_NT_STRING_UID_NAME = + &gss_c_nt_string_uid_name_oid_desc; /* * To support ongoing experimentation, testing, and evolution of the @@ -217,14 +228,15 @@ gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; #if 0 /* This is the old OID */ static gss_OID_desc gss_krb5_mechanism_oid_desc = -{5, rk_UNCONST("\x2b\x05\x01\x05\x02")}; + {5, rk_UNCONST("\x2b\x05\x01\x05\x02")}; #endif static gss_OID_desc gss_krb5_mechanism_oid_desc = -{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; + {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; -gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_MECHANISM = + &gss_krb5_mechanism_oid_desc; /* * draft-ietf-cat-iakerb-09, IAKERB: @@ -240,23 +252,26 @@ gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; */ static gss_OID_desc gss_iakerb_proxy_mechanism_oid_desc = -{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")}; + {7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")}; -gss_OID GSS_IAKERB_PROXY_MECHANISM = &gss_iakerb_proxy_mechanism_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_IAKERB_PROXY_MECHANISM = + &gss_iakerb_proxy_mechanism_oid_desc; static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc = -{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") }; + {7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") }; -gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_IAKERB_MIN_MSG_MECHANISM = + &gss_iakerb_min_msg_mechanism_oid_desc; /* * */ static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc = -{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}; + {9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}; -gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_C_PEER_HAS_UPDATED_SPNEGO = + &gss_c_peer_has_updated_spnego_oid_desc; /* * 1.2.752.43.13 Heimdal GSS-API Extentions @@ -264,111 +279,143 @@ gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc; /* 1.2.752.43.13.1 */ static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")}; -gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_COPY_CCACHE_X = + &gss_krb5_copy_ccache_x_oid_desc; /* 1.2.752.43.13.2 */ static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")}; -gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_TKT_FLAGS_X = + &gss_krb5_get_tkt_flags_x_oid_desc; /* 1.2.752.43.13.3 */ static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")}; -gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = + &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; /* 1.2.752.43.13.4 */ static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")}; -gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_COMPAT_DES3_MIC_X = + &gss_krb5_compat_des3_mic_x_oid_desc; /* 1.2.752.43.13.5 */ static gss_OID_desc gss_krb5_register_acceptor_identity_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")}; -gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = &gss_krb5_register_acceptor_identity_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = + &gss_krb5_register_acceptor_identity_x_desc; /* 1.2.752.43.13.6 */ static gss_OID_desc gss_krb5_export_lucid_context_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")}; -gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X = &gss_krb5_export_lucid_context_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXPORT_LUCID_CONTEXT_X = + &gss_krb5_export_lucid_context_x_desc; /* 1.2.752.43.13.6.1 */ static gss_OID_desc gss_krb5_export_lucid_context_v1_x_desc = -{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")}; + {7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")}; -gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = &gss_krb5_export_lucid_context_v1_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = + &gss_krb5_export_lucid_context_v1_x_desc; /* 1.2.752.43.13.7 */ static gss_OID_desc gss_krb5_set_dns_canonicalize_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")}; -gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X = &gss_krb5_set_dns_canonicalize_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_DNS_CANONICALIZE_X = + &gss_krb5_set_dns_canonicalize_x_desc; /* 1.2.752.43.13.8 */ static gss_OID_desc gss_krb5_get_subkey_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")}; -gss_OID GSS_KRB5_GET_SUBKEY_X = &gss_krb5_get_subkey_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_SUBKEY_X = + &gss_krb5_get_subkey_x_desc; /* 1.2.752.43.13.9 */ static gss_OID_desc gss_krb5_get_initiator_subkey_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")}; -gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X = &gss_krb5_get_initiator_subkey_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_INITIATOR_SUBKEY_X = + &gss_krb5_get_initiator_subkey_x_desc; /* 1.2.752.43.13.10 */ static gss_OID_desc gss_krb5_get_acceptor_subkey_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")}; -gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = &gss_krb5_get_acceptor_subkey_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = + &gss_krb5_get_acceptor_subkey_x_desc; /* 1.2.752.43.13.11 */ static gss_OID_desc gss_krb5_send_to_kdc_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")}; -gss_OID GSS_KRB5_SEND_TO_KDC_X = &gss_krb5_send_to_kdc_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SEND_TO_KDC_X = + &gss_krb5_send_to_kdc_x_desc; /* 1.2.752.43.13.12 */ static gss_OID_desc gss_krb5_get_authtime_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")}; -gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_AUTHTIME_X = + &gss_krb5_get_authtime_x_desc; /* 1.2.752.43.13.13 */ static gss_OID_desc gss_krb5_get_service_keyblock_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")}; -gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_SERVICE_KEYBLOCK_X = + &gss_krb5_get_service_keyblock_x_desc; /* 1.2.752.43.13.14 */ static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")}; -gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = + &gss_krb5_set_allowable_enctypes_x_desc; /* 1.2.752.43.13.15 */ static gss_OID_desc gss_krb5_set_default_realm_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")}; -gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_DEFAULT_REALM_X = + &gss_krb5_set_default_realm_x_desc; /* 1.2.752.43.13.16 */ static gss_OID_desc gss_krb5_ccache_name_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")}; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")}; -gss_OID GSS_KRB5_CCACHE_NAME_X = &gss_krb5_ccache_name_x_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_CCACHE_NAME_X = + &gss_krb5_ccache_name_x_desc; + +/* 1.2.752.43.13.17 */ +static gss_OID_desc gss_krb5_set_time_offset_x_desc = + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")}; + +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_SET_TIME_OFFSET_X = + &gss_krb5_set_time_offset_x_desc; + +/* 1.2.752.43.13.18 */ +static gss_OID_desc gss_krb5_get_time_offset_x_desc = + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12")}; + +gss_OID GSSAPI_LIB_VARIABLE GSS_KRB5_GET_TIME_OFFSET_X = + &gss_krb5_get_time_offset_x_desc; /* 1.2.752.43.14.1 */ static gss_OID_desc gss_sasl_digest_md5_mechanism_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; + {6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; -gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc; +gss_OID GSSAPI_LIB_VARIABLE GSS_SASL_DIGEST_MD5_MECHANISM = + &gss_sasl_digest_md5_mechanism_desc; /* * Context for krb5 calls. diff --git a/source4/heimdal/lib/gssapi/krb5/get_mic.c b/source4/heimdal/lib/gssapi/krb5/get_mic.c index 133481ffe1..f689e624a8 100644 --- a/source4/heimdal/lib/gssapi/krb5/get_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/get_mic.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: get_mic.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: get_mic.c 23112 2008-04-27 18:51:26Z lha $"); static OM_uint32 mic_des @@ -88,7 +88,7 @@ mic_des memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); memcpy (p - 8, hash, 8); /* SGN_CKSUM */ @@ -108,7 +108,7 @@ mic_des (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h index 3e8c1b8fa6..d9af44f960 100644 --- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h +++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gsskrb5_locl.h 22655 2008-02-26 12:40:35Z lha $ */ +/* $Id: gsskrb5_locl.h 23435 2008-07-26 20:49:35Z lha $ */ #ifndef GSSKRB5_LOCL_H #define GSSKRB5_LOCL_H @@ -62,11 +62,14 @@ typedef struct { enum { LOCAL = 1, OPEN = 2, COMPAT_OLD_DES3 = 4, COMPAT_OLD_DES3_SELECTED = 8, - ACCEPTOR_SUBKEY = 16 + ACCEPTOR_SUBKEY = 16, + RETRIED = 32, + CLOSE_CCACHE = 64 } more_flags; enum gss_ctx_id_t_state { /* initiator states */ INITIATOR_START, + INITIATOR_RESTART, INITIATOR_WAIT_FOR_MUTAL, INITIATOR_READY, /* acceptor states */ @@ -74,6 +77,8 @@ typedef struct { ACCEPTOR_WAIT_FOR_DCESTYLE, ACCEPTOR_READY } state; + krb5_creds *kcred; + krb5_ccache ccache; struct krb5_ticket *ticket; OM_uint32 lifetime; HEIMDAL_MUTEX ctx_id_mutex; diff --git a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c index 3300036a81..5fd8c94104 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: import_sec_context.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: import_sec_context.c 22997 2008-04-15 19:36:25Z lha $"); OM_uint32 _gsskrb5_import_sec_context ( @@ -52,8 +52,7 @@ _gsskrb5_import_sec_context ( krb5_data data; gss_buffer_desc buffer; krb5_keyblock keyblock; - int32_t tmp; - int32_t flags; + int32_t flags, tmp; gsskrb5_ctx ctx; gss_name_t name; @@ -96,8 +95,9 @@ _gsskrb5_import_sec_context ( /* retrieve the auth context */ ac = ctx->auth_context; - if (krb5_ret_uint32 (sp, &ac->flags) != 0) + if (krb5_ret_int32 (sp, &tmp) != 0) goto failure; + ac->flags = tmp; if (flags & SC_LOCAL_ADDRESS) { if (krb5_ret_address (sp, localp = &local) != 0) goto failure; diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index c455a5dc8b..c9b9e15588 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: init_sec_context.c 22671 2008-03-09 23:57:54Z lha $"); +RCSID("$Id: init_sec_context.c 23422 2008-07-26 18:38:29Z lha $"); /* * copy the addresses from `input_chan_bindings' (if any) to @@ -121,6 +121,8 @@ _gsskrb5_create_ctx( ctx->auth_context = NULL; ctx->source = NULL; ctx->target = NULL; + ctx->kcred = NULL; + ctx->ccache = NULL; ctx->state = state; ctx->flags = 0; ctx->more_flags = 0; @@ -134,9 +136,7 @@ _gsskrb5_create_ctx( kret = krb5_auth_con_init (context, &ctx->auth_context); if (kret) { *minor_status = kret; - HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); - return GSS_S_FAILURE; } @@ -232,27 +232,32 @@ gsskrb5_initiator_ready( gsskrb5_ctx ctx, krb5_context context) { - OM_uint32 ret; - int32_t seq_number; - int is_cfx = 0; - OM_uint32 flags = ctx->flags; - - krb5_auth_getremoteseqnumber (context, - ctx->auth_context, - &seq_number); - - _gsskrb5i_is_cfx(ctx, &is_cfx); - - ret = _gssapi_msg_order_create(minor_status, - &ctx->order, - _gssapi_msg_order_f(flags), - seq_number, 0, is_cfx); - if (ret) return ret; + OM_uint32 ret; + int32_t seq_number; + int is_cfx = 0; + OM_uint32 flags = ctx->flags; + + krb5_free_creds(context, ctx->kcred); + ctx->kcred = NULL; - ctx->state = INITIATOR_READY; - ctx->more_flags |= OPEN; + if (ctx->more_flags & CLOSE_CCACHE) + krb5_cc_close(context, ctx->ccache); + ctx->ccache = NULL; - return GSS_S_COMPLETE; + krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number); + + _gsskrb5i_is_cfx(ctx, &is_cfx); + + ret = _gssapi_msg_order_create(minor_status, + &ctx->order, + _gssapi_msg_order_f(flags), + seq_number, 0, is_cfx); + if (ret) return ret; + + ctx->state = INITIATOR_READY; + ctx->more_flags |= OPEN; + + return GSS_S_COMPLETE; } /* @@ -333,7 +338,6 @@ init_auth const gss_OID mech_type, OM_uint32 req_flags, OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, const gss_buffer_t input_token, gss_OID * actual_mech_type, gss_buffer_t output_token, @@ -343,14 +347,7 @@ init_auth { OM_uint32 ret = GSS_S_FAILURE; krb5_error_code kret; - krb5_flags ap_options; - krb5_creds *kcred = NULL; krb5_data outbuf; - krb5_ccache ccache = NULL; - uint32_t flags; - krb5_data authenticator; - Checksum cksum; - krb5_enctype enctype; krb5_data fwd_data; OM_uint32 lifetime_rec; @@ -363,16 +360,17 @@ init_auth *actual_mech_type = GSS_KRB5_MECHANISM; if (cred == NULL) { - kret = krb5_cc_default (context, &ccache); + kret = krb5_cc_default (context, &ctx->ccache); if (kret) { *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } + ctx->more_flags |= CLOSE_CCACHE; } else - ccache = cred->ccache; + ctx->ccache = cred->ccache; - kret = krb5_cc_get_principal (context, ccache, &ctx->source); + kret = krb5_cc_get_principal (context, ctx->ccache, &ctx->source); if (kret) { *minor_status = kret; ret = GSS_S_FAILURE; @@ -407,16 +405,16 @@ init_auth ret = gsskrb5_get_creds(minor_status, context, - ccache, + ctx->ccache, ctx, ctx->target, time_req, time_rec, - &kcred); + &ctx->kcred); if (ret) goto failure; - ctx->lifetime = kcred->times.endtime; + ctx->lifetime = ctx->kcred->times.endtime; ret = _gsskrb5_lifetime_left(minor_status, context, @@ -434,17 +432,59 @@ init_auth krb5_auth_con_setkey(context, ctx->auth_context, - &kcred->session); + &ctx->kcred->session); kret = krb5_auth_con_generatelocalsubkey(context, ctx->auth_context, - &kcred->session); + &ctx->kcred->session); if(kret) { *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } - + + return GSS_S_COMPLETE; + +failure: + if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE)) + krb5_cc_close(context, ctx->ccache); + ctx->ccache = NULL; + + return ret; + +} + +static OM_uint32 +init_auth_restart +(OM_uint32 * minor_status, + gsskrb5_cred cred, + gsskrb5_ctx ctx, + krb5_context context, + OM_uint32 req_flags, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec + ) +{ + OM_uint32 ret = GSS_S_FAILURE; + krb5_error_code kret; + krb5_flags ap_options; + krb5_data outbuf; + uint32_t flags; + krb5_data authenticator; + Checksum cksum; + krb5_enctype enctype; + krb5_data fwd_data, timedata; + int32_t offset = 0, oldoffset; + + krb5_data_zero(&outbuf); + krb5_data_zero(&fwd_data); + + *minor_status = 0; + /* * If the credential doesn't have ok-as-delegate, check what local * policy say about ok-as-delegate, default is FALSE that makes @@ -452,12 +492,24 @@ init_auth * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the * KDC doesn't set ok-as-delegate. */ - if (!kcred->flags.b.ok_as_delegate) { - krb5_boolean delegate; + if (!ctx->kcred->flags.b.ok_as_delegate) { + krb5_boolean delegate, realm_setting; + krb5_data data; - krb5_appdefault_boolean(context, - "gssapi", name->realm, - "ok-as-delegate", FALSE, &delegate); + realm_setting = FALSE; + + ret = krb5_cc_get_config(context, ctx->ccache, NULL, + "realm-config", &data); + if (ret == 0) { + /* XXX 1 is use ok-as-delegate */ + if (data.length > 0 && (((unsigned char *)data.data)[0]) & 1) + realm_setting = TRUE; + krb5_data_free(&data); + } + + krb5_appdefault_boolean(context, "gssapi", ctx->target->realm, + "ok-as-delegate", realm_setting, + &delegate); if (delegate) req_flags &= ~GSS_C_DELEG_FLAG; } @@ -467,7 +519,8 @@ init_auth if (req_flags & GSS_C_DELEG_FLAG) do_delegation (context, ctx->auth_context, - ccache, kcred, name, &fwd_data, &flags); + ctx->ccache, ctx->kcred, ctx->target, + &fwd_data, &flags); if (req_flags & GSS_C_MUTUAL_FLAG) { flags |= GSS_C_MUTUAL_FLAG; @@ -518,16 +571,33 @@ init_auth enctype = ctx->auth_context->keyblock->keytype; + ret = krb5_cc_get_config(context, ctx->ccache, ctx->target, + "time-offset", &timedata); + if (ret == 0) { + if (timedata.length == 4) { + const u_char *p = timedata.data; + offset = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0); + } + krb5_data_free(&timedata); + } + + if (offset) { + krb5_get_kdc_sec_offset (context, &oldoffset, NULL); + krb5_set_kdc_sec_offset (context, offset, -1); + } + kret = krb5_build_authenticator (context, ctx->auth_context, enctype, - kcred, + ctx->kcred, &cksum, NULL, &authenticator, KRB5_KU_AP_REQ_AUTH); if (kret) { + if (offset) + krb5_set_kdc_sec_offset (context, oldoffset, -1); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; @@ -535,11 +605,12 @@ init_auth kret = krb5_build_ap_req (context, enctype, - kcred, + ctx->kcred, ap_options, authenticator, &outbuf); - + if (offset) + krb5_set_kdc_sec_offset (context, oldoffset, -1); if (kret) { *minor_status = kret; ret = GSS_S_FAILURE; @@ -552,16 +623,12 @@ init_auth } else { ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token, (u_char *)"\x01\x00", GSS_KRB5_MECHANISM); + krb5_data_free (&outbuf); if (ret) goto failure; - - krb5_data_free (&outbuf); } - krb5_free_creds(context, kcred); free_Checksum(&cksum); - if (cred == NULL) - krb5_cc_close(context, ccache); if (flags & GSS_C_MUTUAL_FLAG) { ctx->state = INITIATOR_WAIT_FOR_MUTAL; @@ -570,15 +637,14 @@ init_auth return gsskrb5_initiator_ready(minor_status, ctx, context); failure: - if(kcred) - krb5_free_creds(context, kcred); - if (ccache && cred == NULL) - krb5_cc_close(context, ccache); + if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE)) + krb5_cc_close(context, ctx->ccache); + ctx->ccache = NULL; return ret; - } + static OM_uint32 repl_mutual (OM_uint32 * minor_status, @@ -617,8 +683,46 @@ repl_mutual &indata, "\x02\x00", GSS_KRB5_MECHANISM); - if (ret) { - /* XXX - Handle AP_ERROR */ + if (ret == GSS_S_DEFECTIVE_TOKEN) { + /* check if there is an error token sent instead */ + ret = _gsskrb5_decapsulate (minor_status, + input_token, + &indata, + "\x03\x00", + GSS_KRB5_MECHANISM); + if (ret == GSS_S_COMPLETE) { + KRB_ERROR error; + + kret = krb5_rd_error(context, &indata, &error); + if (kret == 0) { + kret = krb5_error_from_rd_error(context, &error, NULL); + + /* save the time skrew for this host */ + if (kret == KRB5KRB_AP_ERR_SKEW) { + krb5_data timedata; + unsigned char p[4]; + int32_t t = error.stime - time(NULL); + + p[0] = (t >> 24) & 0xFF; + p[1] = (t >> 16) & 0xFF; + p[2] = (t >> 8) & 0xFF; + p[3] = (t >> 0) & 0xFF; + + timedata.data = p; + timedata.length = sizeof(p); + + krb5_cc_set_config(context, ctx->ccache, ctx->target, + "time-offset", &timedata); + + if ((ctx->more_flags & RETRIED) == 0) + ctx->state = INITIATOR_RESTART; + ctx->more_flags |= RETRIED; + } + free_KRB_ERROR (&error); + } + *minor_status = kret; + return GSS_S_FAILURE; + } return ret; } } @@ -661,30 +765,31 @@ repl_mutual *ret_flags = ctx->flags; if (req_flags & GSS_C_DCE_STYLE) { - int32_t con_flags; + int32_t local_seq, remote_seq; krb5_data outbuf; - /* Do don't do sequence number for the mk-rep */ - krb5_auth_con_removeflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - &con_flags); + /* + * So DCE_STYLE is strange. The client echos the seq number + * that the server used in the server's mk_rep in its own + * mk_rep(). After when done, it resets to it's own seq number + * for the gss_wrap calls. + */ - kret = krb5_mk_rep(context, - ctx->auth_context, - &outbuf); + krb5_auth_getremoteseqnumber(context, ctx->auth_context, &remote_seq); + krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &local_seq); + krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, remote_seq); + + kret = krb5_mk_rep(context, ctx->auth_context, &outbuf); if (kret) { *minor_status = kret; return GSS_S_FAILURE; } + /* reset local seq number */ + krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq); + output_token->length = outbuf.length; output_token->value = outbuf.data; - - krb5_auth_con_removeflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE, - NULL); } return gsskrb5_initiator_ready(minor_status, ctx, context); @@ -768,6 +873,7 @@ OM_uint32 _gsskrb5_init_sec_context HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + again: switch (ctx->state) { case INITIATOR_START: ret = init_auth(minor_status, @@ -778,12 +884,26 @@ OM_uint32 _gsskrb5_init_sec_context mech_type, req_flags, time_req, - input_chan_bindings, input_token, actual_mech_type, output_token, ret_flags, time_rec); + if (ret != GSS_S_COMPLETE) + break; + /* FALL THOUGH */ + case INITIATOR_RESTART: + ret = init_auth_restart(minor_status, + cred, + ctx, + context, + req_flags, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); break; case INITIATOR_WAIT_FOR_MUTAL: ret = repl_mutual(minor_status, @@ -798,6 +918,8 @@ OM_uint32 _gsskrb5_init_sec_context output_token, ret_flags, time_rec); + if (ctx->state == INITIATOR_RESTART) + goto again; break; case INITIATOR_READY: /* diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c index 85b50d0322..8c554fb8e0 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c @@ -32,7 +32,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: set_cred_option.c 22655 2008-02-26 12:40:35Z lha $"); +RCSID("$Id: set_cred_option.c 23331 2008-06-27 12:01:48Z lha $"); /* 1.2.752.43.13.17 */ static gss_OID_desc gss_krb5_cred_no_ci_flags_x_oid_desc = diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index 50441a11ad..fd76838af5 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c @@ -36,7 +36,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: set_sec_context_option.c 20384 2007-04-18 08:51:06Z lha $"); +RCSID("$Id: set_sec_context_option.c 23420 2008-07-26 18:37:48Z lha $"); static OM_uint32 get_bool(OM_uint32 *minor_status, @@ -70,6 +70,36 @@ get_string(OM_uint32 *minor_status, return GSS_S_COMPLETE; } +static OM_uint32 +get_int32(OM_uint32 *minor_status, + const gss_buffer_t value, + OM_uint32 *ret) +{ + *minor_status = 0; + if (value == NULL || value->length == 0) + *ret = 0; + else if (value->length == sizeof(*ret)) + memcpy(ret, value->value, sizeof(*ret)); + else + return GSS_S_UNAVAILABLE; + + return GSS_S_COMPLETE; +} + +static OM_uint32 +set_int32(OM_uint32 *minor_status, + const gss_buffer_t value, + OM_uint32 set) +{ + *minor_status = 0; + if (value->length == sizeof(set)) + memcpy(value->value, &set, sizeof(set)); + else + return GSS_S_UNAVAILABLE; + + return GSS_S_COMPLETE; +} + OM_uint32 _gsskrb5_set_sec_context_option (OM_uint32 *minor_status, @@ -185,6 +215,35 @@ _gsskrb5_set_sec_context_option return GSS_S_FAILURE; return GSS_S_COMPLETE; + } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_TIME_OFFSET_X)) { + OM_uint32 offset; + time_t t; + + maj_stat = get_int32(minor_status, value, &offset); + if (maj_stat != GSS_S_COMPLETE) + return maj_stat; + + t = time(NULL) + offset; + + krb5_set_real_time(context, t, 0); + + *minor_status = 0; + return GSS_S_COMPLETE; + } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_TIME_OFFSET_X)) { + krb5_timestamp sec; + int32_t usec; + time_t t; + + t = time(NULL); + + krb5_us_timeofday (context, &sec, &usec); + + maj_stat = set_int32(minor_status, value, sec - t); + if (maj_stat != GSS_S_COMPLETE) + return maj_stat; + + *minor_status = 0; + return GSS_S_COMPLETE; } *minor_status = EINVAL; diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index d0a33d86fb..eec4078a70 100644 --- a/source4/heimdal/lib/gssapi/krb5/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: unwrap.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: unwrap.c 23112 2008-04-27 18:51:26Z lha $"); static OM_uint32 unwrap_des @@ -93,7 +93,7 @@ unwrap_des for (i = 0; i < sizeof(deskey); ++i) deskey[i] ^= 0xf0; - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); memset (&zero, 0, sizeof(zero)); DES_cbc_encrypt ((void *)p, (void *)p, @@ -119,7 +119,7 @@ unwrap_des memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); if (memcmp (p - 8, hash, 8) != 0) @@ -130,7 +130,7 @@ unwrap_des HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); p -= 16; - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)hash, DES_DECRYPT); diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index 52381afcc2..560c14bc89 100644 --- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: verify_mic.c 19031 2006-11-13 18:02:57Z lha $"); +RCSID("$Id: verify_mic.c 23112 2008-04-27 18:51:26Z lha $"); static OM_uint32 verify_mic_des @@ -83,7 +83,7 @@ verify_mic_des memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); if (memcmp (p - 8, hash, 8) != 0) { @@ -97,7 +97,7 @@ verify_mic_des HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); p -= 16; - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)hash, DES_DECRYPT); diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index d41379870a..6d00f2adcf 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -33,7 +33,7 @@ #include "krb5/gsskrb5_locl.h" -RCSID("$Id: wrap.c 19035 2006-11-14 09:49:56Z lha $"); +RCSID("$Id: wrap.c 23316 2008-06-23 04:32:32Z lha $"); /* * Return initiator subkey, or if that doesn't exists, the subkey. @@ -61,7 +61,7 @@ _gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx, ctx->auth_context, key); if (ret == 0 && *key == NULL) { - krb5_set_error_string(context, "No initiator subkey available"); + krb5_set_error_message(context, 0, "No initiator subkey available"); return GSS_KRB5_S_KG_NO_SUBKEY; } return ret; @@ -85,7 +85,7 @@ _gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx, key); } if (ret == 0 && *key == NULL) { - krb5_set_error_string(context, "No acceptor subkey available"); + krb5_set_error_message(context, 0, "No acceptor subkey available"); return GSS_KRB5_S_KG_NO_SUBKEY; } return ret; @@ -106,7 +106,7 @@ _gsskrb5i_get_token_key(const gsskrb5_ctx ctx, _gsskrb5i_get_initiator_subkey(ctx, context, key); } if (*key == NULL) { - krb5_set_error_string(context, "No token key available"); + krb5_set_error_message(context, 0, "No token key available"); return GSS_KRB5_S_KG_NO_SUBKEY; } return 0; @@ -259,7 +259,7 @@ wrap_des memset (&zero, 0, sizeof(zero)); memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); memcpy (p - 8, hash, 8); @@ -279,7 +279,7 @@ wrap_des (ctx->more_flags & LOCAL) ? 0 : 0xFF, 4); - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); DES_cbc_encrypt ((void *)p, (void *)p, 8, &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); @@ -296,7 +296,7 @@ wrap_des for (i = 0; i < sizeof(deskey); ++i) deskey[i] ^= 0xf0; - DES_set_key (&deskey, &schedule); + DES_set_key_unchecked (&deskey, &schedule); memset (&zero, 0, sizeof(zero)); DES_cbc_encrypt ((void *)p, (void *)p, diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c index cb1b62308c..a2757140ae 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_acquire_cred.c 21478 2007-07-10 16:32:01Z lha $"); +RCSID("$Id: gss_acquire_cred.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_acquire_cred(OM_uint32 *minor_status, const gss_name_t desired_name, OM_uint32 time_req, diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c index 09b592b5da..49efa20c8b 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_add_cred.c 21474 2007-07-10 16:30:23Z lha $"); +RCSID("$Id: gss_add_cred.c 23025 2008-04-17 10:01:57Z lha $"); static struct _gss_mechanism_cred * _gss_copy_cred(struct _gss_mechanism_cred *mc) @@ -71,7 +71,7 @@ _gss_copy_cred(struct _gss_mechanism_cred *mc) return (new_mc); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_add_cred(OM_uint32 *minor_status, const gss_cred_id_t input_cred_handle, const gss_name_t desired_name, diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c index 87d1ab3725..d89adbf63a 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c +++ b/source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c @@ -32,9 +32,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_add_oid_set_member.c 18817 2006-10-22 09:36:13Z lha $"); +RCSID("$Id: gss_add_oid_set_member.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_add_oid_set_member (OM_uint32 * minor_status, const gss_OID member_oid, gss_OID_set * oid_set) diff --git a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c index 56e0039379..091e219367 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c +++ b/source4/heimdal/lib/gssapi/mech/gss_buffer_set.c @@ -31,9 +31,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_buffer_set.c 18885 2006-10-24 21:53:02Z lha $"); +RCSID("$Id: gss_buffer_set.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_create_empty_buffer_set (OM_uint32 * minor_status, gss_buffer_set_t *buffer_set) @@ -55,7 +55,7 @@ gss_create_empty_buffer_set return GSS_S_COMPLETE; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_add_buffer_set_member (OM_uint32 * minor_status, const gss_buffer_t member_buffer, @@ -97,7 +97,7 @@ gss_add_buffer_set_member return GSS_S_COMPLETE; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_buffer_set(OM_uint32 * minor_status, gss_buffer_set_t *buffer_set) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c index c950c03166..d242c56a90 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_canonicalize_name.c 21476 2007-07-10 16:31:27Z lha $"); +RCSID("$Id: gss_canonicalize_name.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_canonicalize_name(OM_uint32 *minor_status, const gss_name_t input_name, const gss_OID mech_type, diff --git a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c index 617ff13d98..1eb7625ee2 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_compare_name.c 21475 2007-07-10 16:31:03Z lha $"); +RCSID("$Id: gss_compare_name.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_compare_name(OM_uint32 *minor_status, const gss_name_t name1_arg, const gss_name_t name2_arg, diff --git a/source4/heimdal/lib/gssapi/mech/gss_context_time.c b/source4/heimdal/lib/gssapi/mech/gss_context_time.c index 47999f35cf..8dce822a9f 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_context_time.c +++ b/source4/heimdal/lib/gssapi/mech/gss_context_time.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_context_time.c 17700 2006-06-28 09:00:26Z lha $"); +RCSID("$Id: gss_context_time.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_context_time(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, OM_uint32 *time_rec) diff --git a/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c b/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c index 841271b1fd..8dd3527349 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c +++ b/source4/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_create_empty_oid_set.c 19951 2007-01-17 10:14:58Z lha $"); +RCSID("$Id: gss_create_empty_oid_set.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_create_empty_oid_set(OM_uint32 *minor_status, gss_OID_set *oid_set) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c index e8b86e4d22..8f93925585 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c @@ -32,9 +32,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_decapsulate_token.c 19951 2007-01-17 10:14:58Z lha $"); +RCSID("$Id: gss_decapsulate_token.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_decapsulate_token(gss_buffer_t input_token, gss_OID oid, gss_buffer_t output_token) diff --git a/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c index 8c40994739..91273bcf56 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_delete_sec_context.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_delete_sec_context.c 19951 2007-01-17 10:14:58Z lha $"); +RCSID("$Id: gss_delete_sec_context.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_delete_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, gss_buffer_t output_token) diff --git a/source4/heimdal/lib/gssapi/mech/gss_display_name.c b/source4/heimdal/lib/gssapi/mech/gss_display_name.c index fc10933692..0d82400246 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_display_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_display_name.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_display_name.c 21246 2007-06-20 15:25:19Z lha $"); +RCSID("$Id: gss_display_name.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_display_name(OM_uint32 *minor_status, const gss_name_t input_name, gss_buffer_t output_name_buffer, diff --git a/source4/heimdal/lib/gssapi/mech/gss_display_status.c b/source4/heimdal/lib/gssapi/mech/gss_display_status.c index 37ded26db6..5bbc89b1ec 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_display_status.c +++ b/source4/heimdal/lib/gssapi/mech/gss_display_status.c @@ -59,7 +59,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_display_status.c 21247 2007-06-21 00:37:27Z lha $"); +RCSID("$Id: gss_display_status.c 23025 2008-04-17 10:01:57Z lha $"); static const char * calling_error(OM_uint32 v) @@ -136,7 +136,7 @@ supplementary_error(OM_uint32 v) } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_display_status(OM_uint32 *minor_status, OM_uint32 status_value, int status_type, diff --git a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c index 476d451375..32ecbbacb2 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c @@ -32,9 +32,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_encapsulate_token.c 19954 2007-01-17 11:50:23Z lha $"); +RCSID("$Id: gss_encapsulate_token.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_encapsulate_token(gss_buffer_t input_token, gss_OID oid, gss_buffer_t output_token) diff --git a/source4/heimdal/lib/gssapi/mech/gss_export_name.c b/source4/heimdal/lib/gssapi/mech/gss_export_name.c index 11c9dd2db5..22053202aa 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_export_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_export_name.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_export_name.c 19954 2007-01-17 11:50:23Z lha $"); +RCSID("$Id: gss_export_name.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_export_name(OM_uint32 *minor_status, const gss_name_t input_name, gss_buffer_t exported_name) diff --git a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c index cf13bc0cd3..053d203ba1 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_export_sec_context.c 19954 2007-01-17 11:50:23Z lha $"); +RCSID("$Id: gss_export_sec_context.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_export_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, gss_buffer_t interprocess_token) diff --git a/source4/heimdal/lib/gssapi/mech/gss_get_mic.c b/source4/heimdal/lib/gssapi/mech/gss_get_mic.c index 496dd2065c..7b33ac0ed9 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_get_mic.c +++ b/source4/heimdal/lib/gssapi/mech/gss_get_mic.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_get_mic.c 19954 2007-01-17 11:50:23Z lha $"); +RCSID("$Id: gss_get_mic.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_get_mic(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, gss_qop_t qop_req, diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_name.c b/source4/heimdal/lib/gssapi/mech/gss_import_name.c index 6f55a1d61c..104452f5b9 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_import_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_import_name.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_import_name.c 19954 2007-01-17 11:50:23Z lha $"); +RCSID("$Id: gss_import_name.c 23025 2008-04-17 10:01:57Z lha $"); static OM_uint32 _gss_import_export_name(OM_uint32 *minor_status, @@ -139,7 +139,7 @@ _gss_import_export_name(OM_uint32 *minor_status, return (GSS_S_COMPLETE); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_import_name(OM_uint32 *minor_status, const gss_buffer_t input_name_buffer, const gss_OID input_name_type, diff --git a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c index 44ca1b2677..c68849ce00 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_import_sec_context.c 19956 2007-01-17 12:04:16Z lha $"); +RCSID("$Id: gss_import_sec_context.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_import_sec_context(OM_uint32 *minor_status, const gss_buffer_t interprocess_token, gss_ctx_id_t *context_handle) diff --git a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c index 00c6ed28ee..cafb660991 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c +++ b/source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_indicate_mechs.c 17803 2006-07-05 22:36:49Z lha $"); +RCSID("$Id: gss_indicate_mechs.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_indicate_mechs(OM_uint32 *minor_status, gss_OID_set *mech_set) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c index b9a1680dcb..d0e92f41ce 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_init_sec_context.c 21479 2007-07-10 16:32:19Z lha $"); +RCSID("$Id: gss_init_sec_context.c 23025 2008-04-17 10:01:57Z lha $"); static gss_cred_id_t _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type) @@ -45,7 +45,7 @@ _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type) return GSS_C_NO_CREDENTIAL; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_init_sec_context(OM_uint32 * minor_status, const gss_cred_id_t initiator_cred_handle, gss_ctx_id_t * context_handle, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c index d45baac602..26f4038071 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_context.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_inquire_context.c 21125 2007-06-18 20:11:07Z lha $"); +RCSID("$Id: gss_inquire_context.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_context(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, gss_name_t *src_name, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c index 97c3628225..1610be5538 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred.c @@ -27,7 +27,7 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_inquire_cred.c 20626 2007-05-08 13:56:49Z lha $"); +RCSID("$Id: gss_inquire_cred.c 23025 2008-04-17 10:01:57Z lha $"); #define AUSAGE 1 #define IUSAGE 2 @@ -43,7 +43,7 @@ updateusage(gss_cred_usage_t usage, int *usagemask) *usagemask |= IUSAGE; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred(OM_uint32 *minor_status, const gss_cred_id_t cred_handle, gss_name_t *name_ret, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c index aa83efb0c2..fedd963ffa 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_inquire_cred_by_mech.c 21124 2007-06-18 20:08:24Z lha $"); +RCSID("$Id: gss_inquire_cred_by_mech.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred_by_mech(OM_uint32 *minor_status, const gss_cred_id_t cred_handle, const gss_OID mech_type, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c index 7b53a2ff4a..c1bbf3a724 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c @@ -31,9 +31,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_inquire_cred_by_oid.c 19960 2007-01-17 15:09:24Z lha $"); +RCSID("$Id: gss_inquire_cred_by_oid.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_cred_by_oid (OM_uint32 *minor_status, const gss_cred_id_t cred_handle, const gss_OID desired_object, diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c index 5330a747a6..6b06a33053 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_inquire_mechs_for_name.c 17844 2006-07-20 02:04:00Z lha $"); +RCSID("$Id: gss_inquire_mechs_for_name.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_mechs_for_name(OM_uint32 *minor_status, const gss_name_t input_name, gss_OID_set *mech_types) diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c index 65b52cbbc3..1ba1ee0563 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_inquire_names_for_mech.c 19960 2007-01-17 15:09:24Z lha $"); +RCSID("$Id: gss_inquire_names_for_mech.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_names_for_mech(OM_uint32 *minor_status, const gss_OID mechanism, gss_OID_set *name_types) diff --git a/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c index fd8219ce02..b06a3e10f0 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c @@ -31,9 +31,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_inquire_sec_context_by_oid.c 19961 2007-01-17 15:57:51Z lha $"); +RCSID("$Id: gss_inquire_sec_context_by_oid.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, const gss_ctx_id_t context_handle, const gss_OID desired_object, diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c index 03081cb70f..d6b89e3e23 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c +++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c @@ -27,13 +27,13 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_krb5.c 21889 2007-08-09 07:43:24Z lha $"); +RCSID("$Id: gss_krb5.c 23420 2008-07-26 18:37:48Z lha $"); #include <krb5.h> #include <roken.h> -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_copy_ccache(OM_uint32 *minor_status, gss_cred_id_t cred, krb5_ccache out) @@ -91,7 +91,7 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status, return ret; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_import_cred(OM_uint32 *minor_status, krb5_ccache id, krb5_principal keytab_principal, @@ -186,7 +186,7 @@ out: return major_status; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_register_acceptor_identity(const char *identity) { struct _gss_mech_switch *m; @@ -208,7 +208,14 @@ gsskrb5_register_acceptor_identity(const char *identity) return (GSS_S_COMPLETE); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION +krb5_gss_register_acceptor_identity(const char *identity) +{ + return gsskrb5_register_acceptor_identity(identity); +} + + +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_set_dns_canonicalize(int flag) { struct _gss_mech_switch *m; @@ -253,7 +260,7 @@ free_key(gss_krb5_lucid_key_t *key) memset(key, 0, sizeof(*key)); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, OM_uint32 version, @@ -396,7 +403,7 @@ out: return GSS_S_COMPLETE; } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) { gss_krb5_lucid_context_v1_t *ctx = c; @@ -424,7 +431,7 @@ gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, gss_cred_id_t cred, OM_uint32 num_enctypes, @@ -478,7 +485,7 @@ out: * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) { struct _gss_mech_switch *m; @@ -509,7 +516,7 @@ gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_ccache_name(OM_uint32 *minor_status, const char *name, const char **out_name) @@ -541,7 +548,7 @@ gss_krb5_ccache_name(OM_uint32 *minor_status, * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, time_t *authtime) @@ -596,7 +603,7 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int ad_type, @@ -769,7 +776,7 @@ out: * */ -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, gss_ctx_id_t context_handle, krb5_keyblock **keyblock) @@ -780,7 +787,7 @@ gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, keyblock); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, gss_ctx_id_t context_handle, krb5_keyblock **keyblock) @@ -791,7 +798,7 @@ gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, keyblock); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_get_subkey(OM_uint32 *minor_status, gss_ctx_id_t context_handle, krb5_keyblock **keyblock) @@ -802,7 +809,7 @@ gsskrb5_get_subkey(OM_uint32 *minor_status, keyblock); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gsskrb5_set_default_realm(const char *realm) { struct _gss_mech_switch *m; @@ -824,7 +831,7 @@ gsskrb5_set_default_realm(const char *realm) return (GSS_S_COMPLETE); } -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_krb5_get_tkt_flags(OM_uint32 *minor_status, gss_ctx_id_t context_handle, OM_uint32 *tkt_flags) @@ -863,3 +870,53 @@ gss_krb5_get_tkt_flags(OM_uint32 *minor_status, return GSS_S_COMPLETE; } +OM_uint32 GSSAPI_LIB_FUNCTION +gsskrb5_set_time_offset(int offset) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 junk; + int32_t o = offset; + + _gss_load_mech(); + + buffer.value = &o; + buffer.length = sizeof(o); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_SET_TIME_OFFSET_X, &buffer); + } + + return (GSS_S_COMPLETE); +} + +OM_uint32 GSSAPI_LIB_FUNCTION +gsskrb5_get_time_offset(int *offset) +{ + struct _gss_mech_switch *m; + gss_buffer_desc buffer; + OM_uint32 maj_stat, junk; + int32_t o; + + _gss_load_mech(); + + buffer.value = &o; + buffer.length = sizeof(o); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (m->gm_mech.gm_set_sec_context_option == NULL) + continue; + maj_stat = m->gm_mech.gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_GET_TIME_OFFSET_X, &buffer); + + if (maj_stat == GSS_S_COMPLETE) { + *offset = o; + return maj_stat; + } + } + + return (GSS_S_UNAVAILABLE); +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c index fe65ad1ae1..8abbb7d0cc 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c +++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c @@ -28,7 +28,7 @@ #include "mech_locl.h" #include <heim_threads.h> -RCSID("$Id: gss_mech_switch.c 21698 2007-07-26 19:07:11Z lha $"); +RCSID("$Id: gss_mech_switch.c 23471 2008-07-27 12:17:49Z lha $"); #ifndef _PATH_GSS_MECH #define _PATH_GSS_MECH "/etc/gss/mech" @@ -46,7 +46,7 @@ static int _gss_string_to_oid(const char* s, gss_OID oid) { int number_count, i, j; - int byte_count; + size_t byte_count; const char *p, *q; char *res; @@ -118,7 +118,7 @@ _gss_string_to_oid(const char* s, gss_OID oid) * The number is encoded in seven bit chunks. */ unsigned int t; - int bytes; + unsigned int bytes; bytes = 0; for (t = number; t; t >>= 7) @@ -229,6 +229,7 @@ _gss_load_mech(void) HEIMDAL_MUTEX_unlock(&_gss_mech_mutex); return; } + rk_cloexec_file(fp); while (fgets(buf, sizeof(buf), fp)) { if (*buf == '#') diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c index 8c75410cc1..b272316115 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c +++ b/source4/heimdal/lib/gssapi/mech/gss_oid_equal.c @@ -32,9 +32,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_oid_equal.c 17702 2006-06-28 09:07:08Z lha $"); +RCSID("$Id: gss_oid_equal.c 23025 2008-04-17 10:01:57Z lha $"); -int +int GSSAPI_LIB_FUNCTION gss_oid_equal(const gss_OID a, const gss_OID b) { if (a == b) diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c index e2cecaf6b4..4678a3e710 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c +++ b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c @@ -32,9 +32,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_oid_to_str.c 21409 2007-07-04 14:19:11Z lha $"); +RCSID("$Id: gss_oid_to_str.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str) { int ret; diff --git a/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c b/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c index dff6b04f14..db55bc24be 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c +++ b/source4/heimdal/lib/gssapi/mech/gss_process_context_token.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_process_context_token.c 17700 2006-06-28 09:00:26Z lha $"); +RCSID("$Id: gss_process_context_token.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_process_context_token(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, const gss_buffer_t token_buffer) diff --git a/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c b/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c new file mode 100644 index 0000000000..ba027cb95a --- /dev/null +++ b/source4/heimdal/lib/gssapi/mech/gss_pseudo_random.c @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: gss_pseudo_random.c 23025 2008-04-17 10:01:57Z lha $ */ + +#include "mech_locl.h" +RCSID("$Id: gss_pseudo_random.c 23025 2008-04-17 10:01:57Z lha $"); + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_pseudo_random(OM_uint32 *minor_status, + gss_ctx_id_t context, + int prf_key, + const gss_buffer_t prf_in, + ssize_t desired_output_len, + gss_buffer_t prf_out) +{ + struct _gss_context *ctx = (struct _gss_context *) context; + gssapi_mech_interface m = ctx->gc_mech; + OM_uint32 major_status; + + _mg_buffer_zero(prf_out); + *minor_status = 0; + + if (ctx == NULL) { + *minor_status = 0; + return GSS_S_NO_CONTEXT; + } + + if (m->gm_pseudo_random == NULL) + return GSS_S_UNAVAILABLE; + + major_status = (*m->gm_pseudo_random)(minor_status, ctx->gc_ctx, + prf_key, prf_in, desired_output_len, + prf_out); + if (major_status != GSS_S_COMPLETE) + _gss_mg_error(m, major_status, *minor_status); + + return major_status; +} diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c b/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c index fc55cae030..eb1bf34985 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_buffer.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_release_buffer.c 19962 2007-01-17 15:59:04Z lha $"); +RCSID("$Id: gss_release_buffer.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_buffer(OM_uint32 *minor_status, gss_buffer_t buffer) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_cred.c b/source4/heimdal/lib/gssapi/mech/gss_release_cred.c index b26dbd7865..9648929c91 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_cred.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_release_cred.c 19963 2007-01-17 16:01:22Z lha $"); +RCSID("$Id: gss_release_cred.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) { struct _gss_cred *cred = (struct _gss_cred *) *cred_handle; diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_name.c b/source4/heimdal/lib/gssapi/mech/gss_release_name.c index 313eab8245..d8c36c10a7 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_name.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_name.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_release_name.c 18812 2006-10-22 07:59:06Z lha $"); +RCSID("$Id: gss_release_name.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_name(OM_uint32 *minor_status, gss_name_t *input_name) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_oid.c b/source4/heimdal/lib/gssapi/mech/gss_release_oid.c index 7754787fa8..ccc59638fb 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_oid.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_oid.c @@ -33,9 +33,9 @@ #include "mech_locl.h" -RCSID("$Id: gss_release_oid.c 17747 2006-06-30 09:34:54Z lha $"); +RCSID("$Id: gss_release_oid.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_oid(OM_uint32 *minor_status, gss_OID *oid) { gss_OID o = *oid; diff --git a/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c b/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c index 388cfdbf4c..00b1f4656d 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c +++ b/source4/heimdal/lib/gssapi/mech/gss_release_oid_set.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_release_oid_set.c 22144 2007-12-04 17:31:55Z lha $"); +RCSID("$Id: gss_release_oid_set.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_release_oid_set(OM_uint32 *minor_status, gss_OID_set *set) { diff --git a/source4/heimdal/lib/gssapi/mech/gss_seal.c b/source4/heimdal/lib/gssapi/mech/gss_seal.c index 71c5e70dc7..7979455430 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_seal.c +++ b/source4/heimdal/lib/gssapi/mech/gss_seal.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_seal.c 17700 2006-06-28 09:00:26Z lha $"); +RCSID("$Id: gss_seal.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_seal(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, diff --git a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c index c32291396f..bbd75c9849 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c +++ b/source4/heimdal/lib/gssapi/mech/gss_set_cred_option.c @@ -31,9 +31,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_set_cred_option.c 21126 2007-06-18 20:19:59Z lha $"); +RCSID("$Id: gss_set_cred_option.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_set_cred_option (OM_uint32 *minor_status, gss_cred_id_t *cred_handle, const gss_OID object, diff --git a/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c b/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c index d312251f53..48377fd6bc 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c @@ -31,9 +31,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_set_sec_context_option.c 19928 2007-01-16 10:37:54Z lha $"); +RCSID("$Id: gss_set_sec_context_option.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_set_sec_context_option (OM_uint32 *minor_status, gss_ctx_id_t *context_handle, const gss_OID object, diff --git a/source4/heimdal/lib/gssapi/mech/gss_sign.c b/source4/heimdal/lib/gssapi/mech/gss_sign.c index 5268197c61..c91b6490d2 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_sign.c +++ b/source4/heimdal/lib/gssapi/mech/gss_sign.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_sign.c 17700 2006-06-28 09:00:26Z lha $"); +RCSID("$Id: gss_sign.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_sign(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int qop_req, diff --git a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c index fc3c5ddeef..ee42cc5d1a 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c +++ b/source4/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_test_oid_set_member.c 17700 2006-06-28 09:00:26Z lha $"); +RCSID("$Id: gss_test_oid_set_member.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_test_oid_set_member(OM_uint32 *minor_status, const gss_OID member, const gss_OID_set set, diff --git a/source4/heimdal/lib/gssapi/mech/gss_unseal.c b/source4/heimdal/lib/gssapi/mech/gss_unseal.c index 205cc6e326..d6f73c5522 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_unseal.c +++ b/source4/heimdal/lib/gssapi/mech/gss_unseal.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_unseal.c 17700 2006-06-28 09:00:26Z lha $"); +RCSID("$Id: gss_unseal.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_unseal(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer, diff --git a/source4/heimdal/lib/gssapi/mech/gss_unwrap.c b/source4/heimdal/lib/gssapi/mech/gss_unwrap.c index 69c125356b..4866bacbe5 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_unwrap.c +++ b/source4/heimdal/lib/gssapi/mech/gss_unwrap.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_unwrap.c 17700 2006-06-28 09:00:26Z lha $"); +RCSID("$Id: gss_unwrap.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_unwrap(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, const gss_buffer_t input_message_buffer, diff --git a/source4/heimdal/lib/gssapi/mech/gss_verify.c b/source4/heimdal/lib/gssapi/mech/gss_verify.c index f11cac7d2e..d82ceee984 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_verify.c +++ b/source4/heimdal/lib/gssapi/mech/gss_verify.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_verify.c 17700 2006-06-28 09:00:26Z lha $"); +RCSID("$Id: gss_verify.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_verify(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t message_buffer, diff --git a/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c b/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c index 118f50735f..c58c63ac0f 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c +++ b/source4/heimdal/lib/gssapi/mech/gss_verify_mic.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_verify_mic.c 19965 2007-01-17 16:23:47Z lha $"); +RCSID("$Id: gss_verify_mic.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_verify_mic(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, const gss_buffer_t message_buffer, diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap.c b/source4/heimdal/lib/gssapi/mech/gss_wrap.c index 0eb9dfbc6d..f6b5077d0e 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_wrap.c +++ b/source4/heimdal/lib/gssapi/mech/gss_wrap.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_wrap.c 19965 2007-01-17 16:23:47Z lha $"); +RCSID("$Id: gss_wrap.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, int conf_req_flag, diff --git a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c index 35b3ad723d..14f373dada 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c +++ b/source4/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c @@ -27,9 +27,9 @@ */ #include "mech_locl.h" -RCSID("$Id: gss_wrap_size_limit.c 19965 2007-01-17 16:23:47Z lha $"); +RCSID("$Id: gss_wrap_size_limit.c 23025 2008-04-17 10:01:57Z lha $"); -OM_uint32 +OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap_size_limit(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, int conf_req_flag, diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c index df25b0f4bf..6b618092fe 100644 --- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c @@ -33,7 +33,7 @@ #include "spnego/spnego_locl.h" -RCSID("$Id: accept_sec_context.c 22600 2008-02-21 12:46:24Z lha $"); +RCSID("$Id: accept_sec_context.c 23158 2008-05-02 09:45:28Z lha $"); static OM_uint32 send_reject (OM_uint32 *minor_status, @@ -376,6 +376,9 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p, char mechbuf[64]; size_t mech_len; gss_OID_desc oid; + gss_OID oidp; + gss_OID_set mechs; + int i; OM_uint32 ret, junk; ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1, @@ -396,27 +399,29 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p, *minor_status = 0; /* Translate broken MS Kebreros OID */ - if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc)) { - gssapi_mech_interface mech; + if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc)) + oidp = &_gss_spnego_krb5_mechanism_oid_desc; + else + oidp = &oid; - mech = __gss_get_mechanism(&_gss_spnego_krb5_mechanism_oid_desc); - if (mech == NULL) - return GSS_S_BAD_MECH; - ret = gss_duplicate_oid(minor_status, - &_gss_spnego_mskrb_mechanism_oid_desc, - mech_p); - } else { - gssapi_mech_interface mech; + ret = gss_indicate_mechs(&junk, &mechs); + if (ret) + return (ret); - mech = __gss_get_mechanism(&oid); - if (mech == NULL) - return GSS_S_BAD_MECH; + for (i = 0; i < mechs->count; i++) + if (gss_oid_equal(&mechs->elements[i], oidp)) + break; - ret = gss_duplicate_oid(minor_status, - &mech->gm_mech_oid, - mech_p); + if (i == mechs->count) { + gss_release_oid_set(&junk, &mechs); + return GSS_S_BAD_MECH; } + gss_release_oid_set(&junk, &mechs); + + ret = gss_duplicate_oid(minor_status, + &oid, /* possibly this should be oidp */ + mech_p); if (verify_p) { gss_name_t name = GSS_C_NO_NAME; @@ -635,9 +640,6 @@ acceptor_start if (ctx->mech_src_name != GSS_C_NO_NAME) gss_release_name(&junk, &ctx->mech_src_name); - if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL) - _gss_spnego_release_cred(&junk, &ctx->delegated_cred_id); - ret = gss_accept_sec_context(minor_status, &ctx->negotiated_ctx_id, mech_cred, @@ -649,19 +651,20 @@ acceptor_start &ctx->mech_flags, &ctx->mech_time_rec, &mech_delegated_cred); + + if (mech_delegated_cred && delegated_cred_handle) { + _gss_spnego_alloc_cred(&junk, + mech_delegated_cred, + delegated_cred_handle); + } else if (mech_delegated_cred != GSS_C_NO_CREDENTIAL) + gss_release_cred(&junk, &mech_delegated_cred); + if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { ctx->preferred_mech_type = preferred_mech_type; ctx->negotiated_mech_type = preferred_mech_type; if (ret == GSS_S_COMPLETE) ctx->open = 1; - if (mech_delegated_cred && delegated_cred_handle) - ret = _gss_spnego_alloc_cred(&junk, - mech_delegated_cred, - delegated_cred_handle); - else - gss_release_cred(&junk, &mech_delegated_cred); - ret = acceptor_complete(minor_status, ctx, &get_mic, @@ -740,10 +743,6 @@ out: *src_name = (gss_name_t)name; } } - if (delegated_cred_handle != NULL) { - *delegated_cred_handle = ctx->delegated_cred_id; - ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL; - } } if (mech_type != NULL) @@ -780,7 +779,7 @@ acceptor_continue gss_cred_id_t *delegated_cred_handle ) { - OM_uint32 ret, ret2, minor; + OM_uint32 ret, ret2, minor, junk; NegotiationToken nt; size_t nt_len; NegTokenResp *na; @@ -836,27 +835,16 @@ acceptor_continue if (mech_input_token != GSS_C_NO_BUFFER) { gss_cred_id_t mech_cred; - gss_cred_id_t mech_delegated_cred; - gss_cred_id_t *mech_delegated_cred_p; + gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL; if (acceptor_cred != NULL) mech_cred = acceptor_cred->negotiated_cred_id; else mech_cred = GSS_C_NO_CREDENTIAL; - if (delegated_cred_handle != NULL) { - mech_delegated_cred = GSS_C_NO_CREDENTIAL; - mech_delegated_cred_p = &mech_delegated_cred; - } else { - mech_delegated_cred_p = NULL; - } - if (ctx->mech_src_name != GSS_C_NO_NAME) gss_release_name(&minor, &ctx->mech_src_name); - if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL) - _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id); - ret = gss_accept_sec_context(&minor, &ctx->negotiated_ctx_id, mech_cred, @@ -867,16 +855,16 @@ acceptor_continue &obuf, &ctx->mech_flags, &ctx->mech_time_rec, - mech_delegated_cred_p); + &mech_delegated_cred); + + if (mech_delegated_cred && delegated_cred_handle) { + _gss_spnego_alloc_cred(&junk, + mech_delegated_cred, + delegated_cred_handle); + } else if (mech_delegated_cred != GSS_C_NO_CREDENTIAL) + gss_release_cred(&junk, &mech_delegated_cred); + if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) { - if (mech_delegated_cred_p != NULL && - mech_delegated_cred != GSS_C_NO_CREDENTIAL) { - ret2 = _gss_spnego_alloc_cred(minor_status, - mech_delegated_cred, - &ctx->delegated_cred_id); - if (ret2 != GSS_S_COMPLETE) - ret = ret2; - } mech_output_token = &obuf; } if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) { @@ -958,10 +946,6 @@ acceptor_continue *src_name = (gss_name_t)name; } } - if (delegated_cred_handle != NULL) { - *delegated_cred_handle = ctx->delegated_cred_id; - ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL; - } } if (mech_type != NULL) diff --git a/source4/heimdal/lib/gssapi/spnego/compat.c b/source4/heimdal/lib/gssapi/spnego/compat.c index 287f4f760e..36de854784 100644 --- a/source4/heimdal/lib/gssapi/spnego/compat.c +++ b/source4/heimdal/lib/gssapi/spnego/compat.c @@ -32,7 +32,7 @@ #include "spnego/spnego_locl.h" -RCSID("$Id: compat.c 21866 2007-08-08 11:31:29Z lha $"); +RCSID("$Id: compat.c 22688 2008-03-16 11:33:58Z lha $"); /* * Apparently Microsoft got the OID wrong, and used @@ -76,7 +76,6 @@ OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status, ctx->mech_flags = 0; ctx->mech_time_rec = 0; ctx->mech_src_name = GSS_C_NO_NAME; - ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL; ctx->open = 0; ctx->local = 0; @@ -124,8 +123,6 @@ OM_uint32 _gss_spnego_internal_delete_sec_context if (ctx->initiator_mech_types.val != NULL) free_MechTypeList(&ctx->initiator_mech_types); - _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id); - gss_release_oid(&minor, &ctx->preferred_mech_type); ctx->negotiated_mech_type = GSS_C_NO_OID; diff --git a/source4/heimdal/lib/gssapi/spnego/context_stubs.c b/source4/heimdal/lib/gssapi/spnego/context_stubs.c index 0169017ee5..6f1c3eb4b6 100644 --- a/source4/heimdal/lib/gssapi/spnego/context_stubs.c +++ b/source4/heimdal/lib/gssapi/spnego/context_stubs.c @@ -32,7 +32,7 @@ #include "spnego/spnego_locl.h" -RCSID("$Id: context_stubs.c 22604 2008-02-21 21:12:48Z lha $"); +RCSID("$Id: context_stubs.c 22688 2008-03-16 11:33:58Z lha $"); static OM_uint32 spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs) @@ -907,7 +907,7 @@ OM_uint32 _gss_spnego_set_sec_context_option return GSS_S_NO_CONTEXT; } - ctx = (gssspnego_ctx)context_handle; + ctx = (gssspnego_ctx)*context_handle; if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) { return GSS_S_NO_CONTEXT; @@ -919,3 +919,31 @@ OM_uint32 _gss_spnego_set_sec_context_option value); } + +OM_uint32 +_gss_spnego_pseudo_random(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int prf_key, + const gss_buffer_t prf_in, + ssize_t desired_output_len, + gss_buffer_t prf_out) +{ + gssspnego_ctx ctx; + + *minor_status = 0; + + if (context_handle == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + ctx = (gssspnego_ctx)context_handle; + + if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return gss_pseudo_random(minor_status, + ctx->negotiated_ctx_id, + prf_key, + prf_in, + desired_output_len, + prf_out); +} diff --git a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c index 2362e99019..d87d7d618e 100644 --- a/source4/heimdal/lib/gssapi/spnego/cred_stubs.c +++ b/source4/heimdal/lib/gssapi/spnego/cred_stubs.c @@ -32,7 +32,7 @@ #include "spnego/spnego_locl.h" -RCSID("$Id: cred_stubs.c 20619 2007-05-08 13:43:45Z lha $"); +RCSID("$Id: cred_stubs.c 22688 2008-03-16 11:33:58Z lha $"); OM_uint32 _gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) @@ -334,3 +334,23 @@ OM_uint32 _gss_spnego_inquire_cred_by_oid return ret; } +OM_uint32 +_gss_spnego_set_cred_option (OM_uint32 *minor_status, + gss_cred_id_t *cred_handle, + const gss_OID object, + const gss_buffer_t value) +{ + gssspnego_cred cred; + + if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) { + *minor_status = 0; + return GSS_S_NO_CRED; + } + + cred = (gssspnego_cred)*cred_handle; + return gss_set_cred_option(minor_status, + &cred->negotiated_cred_id, + object, + value); +} + diff --git a/source4/heimdal/lib/gssapi/spnego/external.c b/source4/heimdal/lib/gssapi/spnego/external.c index 6c9a03a3b0..317d358707 100644 --- a/source4/heimdal/lib/gssapi/spnego/external.c +++ b/source4/heimdal/lib/gssapi/spnego/external.c @@ -33,7 +33,7 @@ #include "spnego/spnego_locl.h" #include <gssapi_mech.h> -RCSID("$Id: external.c 22600 2008-02-21 12:46:24Z lha $"); +RCSID("$Id: external.c 22688 2008-03-16 11:33:58Z lha $"); /* * RFC2478, SPNEGO: @@ -57,8 +57,8 @@ static gssapi_mech_interface_desc spnego_mech = { _gss_spnego_verify_mic, _gss_spnego_wrap, _gss_spnego_unwrap, - NULL, - NULL, + NULL, /* gm_display_status */ + NULL, /* gm_indicate_mechs */ _gss_spnego_compare_name, _gss_spnego_display_name, _gss_spnego_import_name, @@ -74,7 +74,12 @@ static gssapi_mech_interface_desc spnego_mech = { _gss_spnego_inquire_names_for_mech, _gss_spnego_inquire_mechs_for_name, _gss_spnego_canonicalize_name, - _gss_spnego_duplicate_name + _gss_spnego_duplicate_name, + _gss_spnego_inquire_sec_context_by_oid, + _gss_spnego_inquire_cred_by_oid, + _gss_spnego_set_sec_context_option, + _gss_spnego_set_cred_option, + _gss_spnego_pseudo_random }; gssapi_mech_interface diff --git a/source4/heimdal/lib/gssapi/spnego/spnego-private.h b/source4/heimdal/lib/gssapi/spnego/spnego-private.h index 69f4d8423d..3b20d737b7 100644 --- a/source4/heimdal/lib/gssapi/spnego/spnego-private.h +++ b/source4/heimdal/lib/gssapi/spnego/spnego-private.h @@ -225,6 +225,15 @@ _gss_spnego_process_context_token ( const gss_buffer_t token_buffer ); OM_uint32 +_gss_spnego_pseudo_random ( + OM_uint32 */*minor_status*/, + gss_ctx_id_t /*context_handle*/, + int /*prf_key*/, + const gss_buffer_t /*prf_in*/, + ssize_t /*desired_output_len*/, + gss_buffer_t /*prf_out*/); + +OM_uint32 _gss_spnego_release_cred ( OM_uint32 */*minor_status*/, gss_cred_id_t */*cred_handle*/); @@ -251,6 +260,13 @@ _gss_spnego_seal ( gss_buffer_t output_message_buffer ); OM_uint32 +_gss_spnego_set_cred_option ( + OM_uint32 */*minor_status*/, + gss_cred_id_t */*cred_handle*/, + const gss_OID /*object*/, + const gss_buffer_t /*value*/); + +OM_uint32 _gss_spnego_set_sec_context_option ( OM_uint32 * /*minor_status*/, gss_ctx_id_t * /*context_handle*/, diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h index 44b24688e1..6eb808efbc 100644 --- a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h +++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h @@ -30,7 +30,7 @@ * SUCH DAMAGE. */ -/* $Id: spnego_locl.h 19411 2006-12-18 15:42:03Z lha $ */ +/* $Id: spnego_locl.h 23161 2008-05-05 09:56:20Z lha $ */ #ifndef SPNEGO_LOCL_H #define SPNEGO_LOCL_H @@ -86,7 +86,6 @@ typedef struct { OM_uint32 mech_flags; OM_uint32 mech_time_rec; gss_name_t mech_src_name; - gss_cred_id_t delegated_cred_id; unsigned int open : 1; unsigned int local : 1; unsigned int require_mic : 1; |