Diffstat (limited to 'crypto/heimdal/lib/gssapi/krb5')
53 files changed, 0 insertions, 12093 deletions
diff --git a/crypto/heimdal/lib/gssapi/krb5/8003.c b/crypto/heimdal/lib/gssapi/krb5/8003.c
deleted file mode 100644
index 619cbf97fcbd..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/8003.c
+++ /dev/null
@@ -1,248 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: 8003.c 18334 2006-10-07 22:16:04Z lha $"); - -krb5_error_code -_gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p) -{ - p[0] = (n >> 0) & 0xFF; - p[1] = (n >> 8) & 0xFF; - p[2] = (n >> 16) & 0xFF; - p[3] = (n >> 24) & 0xFF; - return 0; -} - -krb5_error_code -_gsskrb5_encode_be_om_uint32(OM_uint32 n, u_char *p) -{ - p[0] = (n >> 24) & 0xFF; - p[1] = (n >> 16) & 0xFF; - p[2] = (n >> 8) & 0xFF; - p[3] = (n >> 0) & 0xFF; - return 0; -} - -krb5_error_code -_gsskrb5_decode_om_uint32(const void *ptr, OM_uint32 *n) -{ - const u_char *p = ptr; - *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); - return 0; -} - -krb5_error_code -_gsskrb5_decode_be_om_uint32(const void *ptr, OM_uint32 *n) -{ - const u_char *p = ptr; - *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0); - return 0; -} - -static krb5_error_code -hash_input_chan_bindings (const gss_channel_bindings_t b, - u_char *p) -{ - u_char num[4]; - MD5_CTX md5; - - MD5_Init(&md5); - _gsskrb5_encode_om_uint32 (b->initiator_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); - _gsskrb5_encode_om_uint32 (b->initiator_address.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->initiator_address.length) - MD5_Update (&md5, - b->initiator_address.value, - b->initiator_address.length); - _gsskrb5_encode_om_uint32 (b->acceptor_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); - _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->acceptor_address.length) - MD5_Update (&md5, - b->acceptor_address.value, - b->acceptor_address.length); - _gsskrb5_encode_om_uint32 (b->application_data.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->application_data.length) - MD5_Update (&md5, - b->application_data.value, - b->application_data.length); - MD5_Final (p, &md5); - return 0; -} - -/* - * create a checksum over the chanel bindings in - * `input_chan_bindings', `flags' and `fwd_data' 
and return it in - * `result' - */ - -OM_uint32 -_gsskrb5_create_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - OM_uint32 flags, - const krb5_data *fwd_data, - Checksum *result) -{ - u_char *p; - - /* - * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value - * field's format) */ - result->cksumtype = CKSUMTYPE_GSSAPI; - if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) - result->checksum.length = 24 + 4 + fwd_data->length; - else - result->checksum.length = 24; - result->checksum.data = malloc (result->checksum.length); - if (result->checksum.data == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = result->checksum.data; - _gsskrb5_encode_om_uint32 (16, p); - p += 4; - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) { - memset (p, 0, 16); - } else { - hash_input_chan_bindings (input_chan_bindings, p); - } - p += 16; - _gsskrb5_encode_om_uint32 (flags, p); - p += 4; - - if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) { - - *p++ = (1 >> 0) & 0xFF; /* DlgOpt */ /* == 1 */ - *p++ = (1 >> 8) & 0xFF; /* DlgOpt */ /* == 0 */ - *p++ = (fwd_data->length >> 0) & 0xFF; /* Dlgth */ - *p++ = (fwd_data->length >> 8) & 0xFF; /* Dlgth */ - memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length); - - p += fwd_data->length; - } - - return GSS_S_COMPLETE; -} - -/* - * verify the checksum in `cksum' over `input_chan_bindings' - * returning `flags' and `fwd_data' - */ - -OM_uint32 -_gsskrb5_verify_8003_checksum( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - const Checksum *cksum, - OM_uint32 *flags, - krb5_data *fwd_data) -{ - unsigned char hash[16]; - unsigned char *p; - OM_uint32 length; - int DlgOpt; - static unsigned char zeros[16]; - - if (cksum == NULL) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - /* XXX should handle checksums > 24 bytes */ - if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) { - 
*minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- p = cksum->checksum.data;
- _gsskrb5_decode_om_uint32(p, &length);
- if(length != sizeof(hash)) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- p += 4;
-
- if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
- && memcmp(p, zeros, sizeof(zeros)) != 0) {
- if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
- if(memcmp(hash, p, sizeof(hash)) != 0) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
- }
-
- p += sizeof(hash);
-
- _gsskrb5_decode_om_uint32(p, flags);
- p += 4;
-
- if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
- if(cksum->checksum.length < 28) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- DlgOpt = (p[0] << 0) | (p[1] << 8);
- p += 2;
- if (DlgOpt != 1) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- fwd_data->length = (p[0] << 0) | (p[1] << 8);
- p += 2;
- if(cksum->checksum.length < 28 + fwd_data->length) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
- fwd_data->data = malloc(fwd_data->length);
- if (fwd_data->data == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy(fwd_data->data, p, fwd_data->length);
- }
-
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/accept_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/accept_sec_context.c
deleted file mode 100644
index 73b93ceba4c6..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* - * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: accept_sec_context.c 20199 2007-02-07 22:36:39Z lha $"); - -HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; -krb5_keytab _gsskrb5_keytab; - -OM_uint32 -_gsskrb5_register_acceptor_identity (const char *identity) -{ - krb5_context context; - krb5_error_code ret; - - ret = _gsskrb5_init(&context); - if(ret) - return GSS_S_FAILURE; - - HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - - if(_gsskrb5_keytab != NULL) { - krb5_kt_close(context, _gsskrb5_keytab); - _gsskrb5_keytab = NULL; - } - if (identity == NULL) { - ret = krb5_kt_default(context, &_gsskrb5_keytab); - } else { - char *p; - - asprintf(&p, "FILE:%s", identity); - if(p == NULL) { - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - return GSS_S_FAILURE; - } - ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab); - free(p); - } - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - if(ret) - return GSS_S_FAILURE; - return GSS_S_COMPLETE; -} - -void -_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx) -{ - krb5_keyblock *key; - int acceptor = (ctx->more_flags & LOCAL) == 0; - - *is_cfx = 0; - - if (acceptor) { - if (ctx->auth_context->local_subkey) - key = ctx->auth_context->local_subkey; - else - key = ctx->auth_context->remote_subkey; - } else { - if (ctx->auth_context->remote_subkey) - key = ctx->auth_context->remote_subkey; - else - key = ctx->auth_context->local_subkey; - } - if (key == NULL) - key = ctx->auth_context->keyblock; - - if (key == NULL) - return; - - switch (key->keytype) { - case ETYPE_DES_CBC_CRC: - case ETYPE_DES_CBC_MD4: - case ETYPE_DES_CBC_MD5: - case ETYPE_DES3_CBC_MD5: - case ETYPE_DES3_CBC_SHA1: - case ETYPE_ARCFOUR_HMAC_MD5: - case ETYPE_ARCFOUR_HMAC_MD5_56: - break; - default : - *is_cfx = 1; - if ((acceptor && ctx->auth_context->local_subkey) || - (!acceptor && ctx->auth_context->remote_subkey)) - ctx->more_flags |= ACCEPTOR_SUBKEY; - break; - } -} - - -static OM_uint32 -gsskrb5_accept_delegated_token -(OM_uint32 * minor_status, - 
gsskrb5_ctx ctx, - krb5_context context, - gss_cred_id_t * delegated_cred_handle - ) -{ - krb5_ccache ccache = NULL; - krb5_error_code kret; - int32_t ac_flags, ret = GSS_S_COMPLETE; - - *minor_status = 0; - - /* XXX Create a new delegated_cred_handle? */ - if (delegated_cred_handle == NULL) { - kret = krb5_cc_default (context, &ccache); - } else { - *delegated_cred_handle = NULL; - kret = krb5_cc_gen_new (context, &krb5_mcc_ops, &ccache); - } - if (kret) { - ctx->flags &= ~GSS_C_DELEG_FLAG; - goto out; - } - - kret = krb5_cc_initialize(context, ccache, ctx->source); - if (kret) { - ctx->flags &= ~GSS_C_DELEG_FLAG; - goto out; - } - - krb5_auth_con_removeflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_TIME, - &ac_flags); - kret = krb5_rd_cred2(context, - ctx->auth_context, - ccache, - &ctx->fwd_data); - krb5_auth_con_setflags(context, - ctx->auth_context, - ac_flags); - if (kret) { - ctx->flags &= ~GSS_C_DELEG_FLAG; - ret = GSS_S_FAILURE; - *minor_status = kret; - goto out; - } - - if (delegated_cred_handle) { - gsskrb5_cred handle; - - ret = _gsskrb5_import_cred(minor_status, - ccache, - NULL, - NULL, - delegated_cred_handle); - if (ret != GSS_S_COMPLETE) - goto out; - - handle = (gsskrb5_cred) *delegated_cred_handle; - - handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; - krb5_cc_close(context, ccache); - ccache = NULL; - } - -out: - if (ccache) { - /* Don't destroy the default cred cache */ - if (delegated_cred_handle == NULL) - krb5_cc_close(context, ccache); - else - krb5_cc_destroy(context, ccache); - } - return ret; -} - -static OM_uint32 -gsskrb5_acceptor_ready(OM_uint32 * minor_status, - gsskrb5_ctx ctx, - krb5_context context, - gss_cred_id_t *delegated_cred_handle) -{ - OM_uint32 ret; - int32_t seq_number; - int is_cfx = 0; - - krb5_auth_getremoteseqnumber (context, - ctx->auth_context, - &seq_number); - - _gsskrb5i_is_cfx(ctx, &is_cfx); - - ret = _gssapi_msg_order_create(minor_status, - &ctx->order, - _gssapi_msg_order_f(ctx->flags), - 
seq_number, 0, is_cfx); - if (ret) - return ret; - - /* - * If requested, set local sequence num to remote sequence if this - * isn't a mutual authentication context - */ - if (!(ctx->flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(ctx->flags)) { - krb5_auth_con_setlocalseqnumber(context, - ctx->auth_context, - seq_number); - } - - /* - * We should handle the delegation ticket, in case it's there - */ - if (ctx->fwd_data.length > 0 && (ctx->flags & GSS_C_DELEG_FLAG)) { - ret = gsskrb5_accept_delegated_token(minor_status, - ctx, - context, - delegated_cred_handle); - if (ret) - return ret; - } else { - /* Well, looks like it wasn't there after all */ - ctx->flags &= ~GSS_C_DELEG_FLAG; - } - - ctx->state = ACCEPTOR_READY; - ctx->more_flags |= OPEN; - - return GSS_S_COMPLETE; -} - -static OM_uint32 -gsskrb5_acceptor_start(OM_uint32 * minor_status, - gsskrb5_ctx ctx, - krb5_context context, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) -{ - krb5_error_code kret; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data indata; - krb5_flags ap_options; - krb5_keytab keytab = NULL; - int is_cfx = 0; - const gsskrb5_cred acceptor_cred = (gsskrb5_cred)acceptor_cred_handle; - - /* - * We may, or may not, have an escapsulation. - */ - ret = _gsskrb5_decapsulate (minor_status, - input_token_buffer, - &indata, - "\x01\x00", - GSS_KRB5_MECHANISM); - - if (ret) { - /* Assume that there is no OID wrapping. 
*/ - indata.length = input_token_buffer->length; - indata.data = input_token_buffer->value; - } - - /* - * We need to get our keytab - */ - if (acceptor_cred == NULL) { - if (_gsskrb5_keytab != NULL) - keytab = _gsskrb5_keytab; - } else if (acceptor_cred->keytab != NULL) { - keytab = acceptor_cred->keytab; - } - - /* - * We need to check the ticket and create the AP-REP packet - */ - - { - krb5_rd_req_in_ctx in = NULL; - krb5_rd_req_out_ctx out = NULL; - - kret = krb5_rd_req_in_ctx_alloc(context, &in); - if (kret == 0) - kret = krb5_rd_req_in_set_keytab(context, in, keytab); - if (kret) { - if (in) - krb5_rd_req_in_ctx_free(context, in); - ret = GSS_S_FAILURE; - *minor_status = kret; - return ret; - } - - kret = krb5_rd_req_ctx(context, - &ctx->auth_context, - &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal, - in, &out); - krb5_rd_req_in_ctx_free(context, in); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - return ret; - } - - /* - * We need to remember some data on the context_handle. - */ - kret = krb5_rd_req_out_get_ap_req_options(context, out, - &ap_options); - if (kret == 0) - kret = krb5_rd_req_out_get_ticket(context, out, - &ctx->ticket); - if (kret == 0) - kret = krb5_rd_req_out_get_keyblock(context, out, - &ctx->service_keyblock); - ctx->lifetime = ctx->ticket->ticket.endtime; - - krb5_rd_req_out_ctx_free(context, out); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - return ret; - } - } - - - /* - * We need to copy the principal names to the context and the - * calling layer. - */ - kret = krb5_copy_principal(context, - ctx->ticket->client, - &ctx->source); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - } - - kret = krb5_copy_principal(context, - ctx->ticket->server, - &ctx->target); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - return ret; - } - - /* - * We need to setup some compat stuff, this assumes that - * context_handle->target is already set. 
- */ - ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); - if (ret) - return ret; - - if (src_name != NULL) { - kret = krb5_copy_principal (context, - ctx->ticket->client, - (gsskrb5_name*)src_name); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - return ret; - } - } - - /* - * We need to get the flags out of the 8003 checksum. - */ - { - krb5_authenticator authenticator; - - kret = krb5_auth_con_getauthenticator(context, - ctx->auth_context, - &authenticator); - if(kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - return ret; - } - - if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { - ret = _gsskrb5_verify_8003_checksum(minor_status, - input_chan_bindings, - authenticator->cksum, - &ctx->flags, - &ctx->fwd_data); - - krb5_free_authenticator(context, &authenticator); - if (ret) { - return ret; - } - } else { - krb5_crypto crypto; - - kret = krb5_crypto_init(context, - ctx->auth_context->keyblock, - 0, &crypto); - if(kret) { - krb5_free_authenticator(context, &authenticator); - - ret = GSS_S_FAILURE; - *minor_status = kret; - return ret; - } - - /* - * Windows accepts Samba3's use of a kerberos, rather than - * GSSAPI checksum here - */ - - kret = krb5_verify_checksum(context, - crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0, - authenticator->cksum); - krb5_free_authenticator(context, &authenticator); - krb5_crypto_destroy(context, crypto); - - if(kret) { - ret = GSS_S_BAD_SIG; - *minor_status = kret; - return ret; - } - - /* - * Samba style get some flags (but not DCE-STYLE) - */ - ctx->flags = - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; - } - } - - if(ctx->flags & GSS_C_MUTUAL_FLAG) { - krb5_data outbuf; - - _gsskrb5i_is_cfx(ctx, &is_cfx); - - if (is_cfx != 0 - || (ap_options & AP_OPTS_USE_SUBKEY)) { - kret = krb5_auth_con_addflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_USE_SUBKEY, - NULL); - ctx->more_flags |= ACCEPTOR_SUBKEY; - } - - kret = krb5_mk_rep(context, - ctx->auth_context, - &outbuf); - 
if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - - if (IS_DCE_STYLE(ctx)) { - output_token->length = outbuf.length; - output_token->value = outbuf.data; - } else { - ret = _gsskrb5_encapsulate(minor_status, - &outbuf, - output_token, - "\x02\x00", - GSS_KRB5_MECHANISM); - krb5_data_free (&outbuf); - if (ret) - return ret; - } - } - - ctx->flags |= GSS_C_TRANS_FLAG; - - /* Remember the flags */ - - ctx->lifetime = ctx->ticket->ticket.endtime; - ctx->more_flags |= OPEN; - - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (time_rec) { - ret = _gsskrb5_lifetime_left(minor_status, - context, - ctx->lifetime, - time_rec); - if (ret) { - return ret; - } - } - - /* - * When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from - * the client. - */ - if (IS_DCE_STYLE(ctx)) { - /* - * Return flags to caller, but we haven't processed - * delgations yet - */ - if (ret_flags) - *ret_flags = (ctx->flags & ~GSS_C_DELEG_FLAG); - - ctx->state = ACCEPTOR_WAIT_FOR_DCESTYLE; - return GSS_S_CONTINUE_NEEDED; - } - - ret = gsskrb5_acceptor_ready(minor_status, ctx, context, - delegated_cred_handle); - - if (ret_flags) - *ret_flags = ctx->flags; - - return ret; -} - -static OM_uint32 -acceptor_wait_for_dcestyle(OM_uint32 * minor_status, - gsskrb5_ctx ctx, - krb5_context context, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) -{ - OM_uint32 ret; - krb5_error_code kret; - krb5_data inbuf; - int32_t r_seq_number, l_seq_number; - - /* - * We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP - */ - - inbuf.length = input_token_buffer->length; - inbuf.data = input_token_buffer->value; - - /* - * We need to remeber the old remote seq_number, then check if the - * client has replied with our local 
seq_number, and then reset - * the remote seq_number to the old value - */ - { - kret = krb5_auth_con_getlocalseqnumber(context, - ctx->auth_context, - &l_seq_number); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_auth_getremoteseqnumber(context, - ctx->auth_context, - &r_seq_number); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_auth_con_setremoteseqnumber(context, - ctx->auth_context, - l_seq_number); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - /* - * We need to verify the AP_REP, but we need to flag that this is - * DCE_STYLE, so don't check the timestamps this time, but put the - * flag DO_TIME back afterward. - */ - { - krb5_ap_rep_enc_part *repl; - int32_t auth_flags; - - krb5_auth_con_removeflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_TIME, - &auth_flags); - - kret = krb5_rd_rep(context, ctx->auth_context, &inbuf, &repl); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - krb5_free_ap_rep_enc_part(context, repl); - krb5_auth_con_setflags(context, ctx->auth_context, auth_flags); - } - - /* We need to check the liftime */ - { - OM_uint32 lifetime_rec; - - ret = _gsskrb5_lifetime_left(minor_status, - context, - ctx->lifetime, - &lifetime_rec); - if (ret) { - return ret; - } - if (lifetime_rec == 0) { - return GSS_S_CONTEXT_EXPIRED; - } - - if (time_rec) *time_rec = lifetime_rec; - } - - /* We need to give the caller the flags which are in use */ - if (ret_flags) *ret_flags = ctx->flags; - - if (src_name) { - kret = krb5_copy_principal(context, - ctx->source, - (gsskrb5_name*)src_name); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - /* - * After the krb5_rd_rep() the remote and local seq_number should - * be the same, because the client just replies the seq_number - * from our AP-REP in its AP-REP, but then the client uses the - * seq_number from its AP-REQ for GSS_wrap() - */ - { - int32_t 
tmp_r_seq_number, tmp_l_seq_number; - - kret = krb5_auth_getremoteseqnumber(context, - ctx->auth_context, - &tmp_r_seq_number); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_auth_con_getlocalseqnumber(context, - ctx->auth_context, - &tmp_l_seq_number); - if (kret) { - - *minor_status = kret; - return GSS_S_FAILURE; - } - - /* - * Here we check if the client has responsed with our local seq_number, - */ - if (tmp_r_seq_number != tmp_l_seq_number) { - return GSS_S_UNSEQ_TOKEN; - } - } - - /* - * We need to reset the remote seq_number, because the client will use, - * the old one for the GSS_wrap() calls - */ - { - kret = krb5_auth_con_setremoteseqnumber(context, - ctx->auth_context, - r_seq_number); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - } - - return gsskrb5_acceptor_ready(minor_status, ctx, context, - delegated_cred_handle); -} - - -OM_uint32 -_gsskrb5_accept_sec_context(OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) -{ - krb5_context context; - OM_uint32 ret; - gsskrb5_ctx ctx; - - GSSAPI_KRB5_INIT(&context); - - output_token->length = 0; - output_token->value = NULL; - - if (src_name != NULL) - *src_name = NULL; - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (*context_handle == GSS_C_NO_CONTEXT) { - ret = _gsskrb5_create_ctx(minor_status, - context_handle, - context, - input_chan_bindings, - ACCEPTOR_START); - if (ret) - return ret; - } - - ctx = (gsskrb5_ctx)*context_handle; - - - /* - * TODO: check the channel_bindings - * (above just sets them to krb5 layer) - */ - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - - switch (ctx->state) { - case ACCEPTOR_START: - ret = 
gsskrb5_acceptor_start(minor_status, - ctx, - context, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - break; - case ACCEPTOR_WAIT_FOR_DCESTYLE: - ret = acceptor_wait_for_dcestyle(minor_status, - ctx, - context, - acceptor_cred_handle, - input_token_buffer, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle); - break; - case ACCEPTOR_READY: - /* - * If we get there, the caller have called - * gss_accept_sec_context() one time too many. - */ - ret = GSS_S_BAD_STATUS; - break; - default: - /* TODO: is this correct here? --metze */ - ret = GSS_S_BAD_STATUS; - break; - } - - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - - if (GSS_ERROR(ret)) { - OM_uint32 min2; - _gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER); - } - - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/acquire_cred.c b/crypto/heimdal/lib/gssapi/krb5/acquire_cred.c deleted file mode 100644 index 6e13a4287b62..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/acquire_cred.c +++ /dev/null 
@@ -1,398 +0,0 @@ -/* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: acquire_cred.c 22124 2007-12-04 00:03:52Z lha $"); - -OM_uint32 -__gsskrb5_ccache_lifetime(OM_uint32 *minor_status, - krb5_context context, - krb5_ccache id, - krb5_principal principal, - OM_uint32 *lifetime) -{ - krb5_creds in_cred, *out_cred; - krb5_const_realm realm; - krb5_error_code kret; - - memset(&in_cred, 0, sizeof(in_cred)); - in_cred.client = principal; - - realm = krb5_principal_get_realm(context, principal); - if (realm == NULL) { - _gsskrb5_clear_status (); - *minor_status = KRB5_PRINC_NOMATCH; /* XXX */ - return GSS_S_FAILURE; - } - - kret = krb5_make_principal(context, &in_cred.server, - realm, KRB5_TGS_NAME, realm, NULL); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_get_credentials(context, 0, - id, &in_cred, &out_cred); - krb5_free_principal(context, in_cred.server); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - - *lifetime = out_cred->times.endtime; - krb5_free_creds(context, out_cred); - - return GSS_S_COMPLETE; -} - - - - -static krb5_error_code -get_keytab(krb5_context context, krb5_keytab *keytab) -{ - char kt_name[256]; - krb5_error_code kret; - - HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - - if (_gsskrb5_keytab != NULL) { - kret = krb5_kt_get_name(context, - _gsskrb5_keytab, - kt_name, sizeof(kt_name)); - if (kret == 0) - kret = krb5_kt_resolve(context, kt_name, keytab); - } else - kret = krb5_kt_default(context, keytab); - - HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - - return (kret); -} - -static OM_uint32 acquire_initiator_cred - (OM_uint32 * minor_status, - krb5_context context, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gsskrb5_cred handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_creds cred; - krb5_principal def_princ; - krb5_get_init_creds_opt *opt; - krb5_ccache ccache; - krb5_keytab keytab; - 
krb5_error_code kret; - - keytab = NULL; - ccache = NULL; - def_princ = NULL; - ret = GSS_S_FAILURE; - memset(&cred, 0, sizeof(cred)); - - /* If we have a preferred principal, lets try to find it in all - * caches, otherwise, fall back to default cache. Ignore - * errors. */ - if (handle->principal) - kret = krb5_cc_cache_match (context, - handle->principal, - NULL, - &ccache); - - if (ccache == NULL) { - kret = krb5_cc_default(context, &ccache); - if (kret) - goto end; - } - kret = krb5_cc_get_principal(context, ccache, - &def_princ); - if (kret != 0) { - /* we'll try to use a keytab below */ - krb5_cc_destroy(context, ccache); - ccache = NULL; - kret = 0; - } else if (handle->principal == NULL) { - kret = krb5_copy_principal(context, def_princ, - &handle->principal); - if (kret) - goto end; - } else if (handle->principal != NULL && - krb5_principal_compare(context, handle->principal, - def_princ) == FALSE) { - /* Before failing, lets check the keytab */ - krb5_free_principal(context, def_princ); - def_princ = NULL; - } - if (def_princ == NULL) { - /* We have no existing credentials cache, - * so attempt to get a TGT using a keytab. 
- */ - if (handle->principal == NULL) { - kret = krb5_get_default_principal(context, - &handle->principal); - if (kret) - goto end; - } - kret = get_keytab(context, &keytab); - if (kret) - goto end; - kret = krb5_get_init_creds_opt_alloc(context, &opt); - if (kret) - goto end; - kret = krb5_get_init_creds_keytab(context, &cred, - handle->principal, keytab, 0, NULL, opt); - krb5_get_init_creds_opt_free(context, opt); - if (kret) - goto end; - kret = krb5_cc_gen_new(context, &krb5_mcc_ops, - &ccache); - if (kret) - goto end; - kret = krb5_cc_initialize(context, ccache, cred.client); - if (kret) - goto end; - kret = krb5_cc_store_cred(context, ccache, &cred); - if (kret) - goto end; - handle->lifetime = cred.times.endtime; - handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; - } else { - - ret = __gsskrb5_ccache_lifetime(minor_status, - context, - ccache, - handle->principal, - &handle->lifetime); - if (ret != GSS_S_COMPLETE) - goto end; - kret = 0; - } - - handle->ccache = ccache; - ret = GSS_S_COMPLETE; - -end: - if (cred.client != NULL) - krb5_free_cred_contents(context, &cred); - if (def_princ != NULL) - krb5_free_principal(context, def_princ); - if (keytab != NULL) - krb5_kt_close(context, keytab); - if (ret != GSS_S_COMPLETE) { - if (ccache != NULL) - krb5_cc_close(context, ccache); - if (kret != 0) { - *minor_status = kret; - } - } - return (ret); -} - -static OM_uint32 acquire_acceptor_cred - (OM_uint32 * minor_status, - krb5_context context, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gsskrb5_cred handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_error_code kret; - - kret = 0; - ret = GSS_S_FAILURE; - kret = get_keytab(context, &handle->keytab); - if (kret) - goto end; - - /* check that the requested principal exists in the keytab */ - if (handle->principal) { - krb5_keytab_entry entry; - - kret = krb5_kt_get_entry(context, 
handle->keytab, - handle->principal, 0, 0, &entry); - if (kret) - goto end; - krb5_kt_free_entry(context, &entry); - ret = GSS_S_COMPLETE; - } else { - /* - * Check if there is at least one entry in the keytab before - * declaring it as an useful keytab. - */ - krb5_keytab_entry tmp; - krb5_kt_cursor c; - - kret = krb5_kt_start_seq_get (context, handle->keytab, &c); - if (kret) - goto end; - if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) { - krb5_kt_free_entry(context, &tmp); - ret = GSS_S_COMPLETE; /* ok found one entry */ - } - krb5_kt_end_seq_get (context, handle->keytab, &c); - } -end: - if (ret != GSS_S_COMPLETE) { - if (handle->keytab != NULL) - krb5_kt_close(context, handle->keytab); - if (kret != 0) { - *minor_status = kret; - } - } - return (ret); -} - -OM_uint32 _gsskrb5_acquire_cred -(OM_uint32 * minor_status, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) -{ - krb5_context context; - gsskrb5_cred handle; - OM_uint32 ret; - - if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) { - *minor_status = GSS_KRB5_S_G_BAD_USAGE; - return GSS_S_FAILURE; - } - - GSSAPI_KRB5_INIT(&context); - - *output_cred_handle = NULL; - if (time_rec) - *time_rec = 0; - if (actual_mechs) - *actual_mechs = GSS_C_NO_OID_SET; - - if (desired_mechs) { - int present = 0; - - ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - desired_mechs, &present); - if (ret) - return ret; - if (!present) { - *minor_status = 0; - return GSS_S_BAD_MECH; - } - } - - handle = calloc(1, sizeof(*handle)); - if (handle == NULL) { - *minor_status = ENOMEM; - return (GSS_S_FAILURE); - } - - HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - - if (desired_name != GSS_C_NO_NAME) { - krb5_principal name = (krb5_principal)desired_name; - ret = krb5_copy_principal(context, name, 
&handle->principal); - if (ret) { - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - *minor_status = ret; - free(handle); - return GSS_S_FAILURE; - } - } - if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { - ret = acquire_initiator_cred(minor_status, context, - desired_name, time_req, - desired_mechs, cred_usage, handle, - actual_mechs, time_rec); - if (ret != GSS_S_COMPLETE) { - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(context, handle->principal); - free(handle); - return (ret); - } - } - if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { - ret = acquire_acceptor_cred(minor_status, context, - desired_name, time_req, - desired_mechs, cred_usage, handle, actual_mechs, time_rec); - if (ret != GSS_S_COMPLETE) { - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(context, handle->principal); - free(handle); - return (ret); - } - } - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret == GSS_S_COMPLETE) - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret == GSS_S_COMPLETE) - ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle, - NULL, time_rec, NULL, actual_mechs); - if (ret != GSS_S_COMPLETE) { - if (handle->mechanisms != NULL) - gss_release_oid_set(NULL, &handle->mechanisms); - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - krb5_free_principal(context, handle->principal); - free(handle); - return (ret); - } - *minor_status = 0; - if (time_rec) { - ret = _gsskrb5_lifetime_left(minor_status, - context, - handle->lifetime, - time_rec); - - if (ret) - return ret; - } - handle->usage = cred_usage; - *output_cred_handle = (gss_cred_id_t)handle; - return (GSS_S_COMPLETE); -} diff --git a/crypto/heimdal/lib/gssapi/krb5/add_cred.c b/crypto/heimdal/lib/gssapi/krb5/add_cred.c deleted file mode 100644 index 9a1045a889f6..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/add_cred.c +++ /dev/null 
@@ -1,252 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: add_cred.c 20688 2007-05-17 18:44:31Z lha $"); - -OM_uint32 _gsskrb5_add_cred ( - OM_uint32 *minor_status, - const gss_cred_id_t input_cred_handle, - const gss_name_t desired_name, - const gss_OID desired_mech, - gss_cred_usage_t cred_usage, - OM_uint32 initiator_time_req, - OM_uint32 acceptor_time_req, - gss_cred_id_t *output_cred_handle, - gss_OID_set *actual_mechs, - OM_uint32 *initiator_time_rec, - OM_uint32 *acceptor_time_rec) -{ - krb5_context context; - OM_uint32 ret, lifetime; - gsskrb5_cred cred, handle; - krb5_const_principal dname; - - handle = NULL; - cred = (gsskrb5_cred)input_cred_handle; - dname = (krb5_const_principal)desired_name; - - GSSAPI_KRB5_INIT (&context); - - if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) { - *minor_status = 0; - return GSS_S_BAD_MECH; - } - - if (cred == NULL && output_cred_handle == NULL) { - *minor_status = 0; - return GSS_S_NO_CRED; - } - - if (cred == NULL) { /* XXX standard conformance failure */ - *minor_status = 0; - return GSS_S_NO_CRED; - } - - /* check if requested output usage is compatible with output usage */ - if (output_cred_handle != NULL) { - HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); - if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = GSS_KRB5_S_G_BAD_USAGE; - return(GSS_S_FAILURE); - } - } - - /* check that we have the same name */ - if (dname != NULL && - krb5_principal_compare(context, dname, - cred->principal) != FALSE) { - if (output_cred_handle) - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = 0; - return GSS_S_BAD_NAME; - } - - /* make a copy */ - if (output_cred_handle) { - krb5_error_code kret; - - handle = calloc(1, sizeof(*handle)); - if (handle == NULL) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = ENOMEM; - return (GSS_S_FAILURE); - } - - handle->usage = cred_usage; - handle->lifetime = cred->lifetime; - 
handle->principal = NULL; - handle->keytab = NULL; - handle->ccache = NULL; - handle->mechanisms = NULL; - HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - - ret = GSS_S_FAILURE; - - kret = krb5_copy_principal(context, cred->principal, - &handle->principal); - if (kret) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - free(handle); - *minor_status = kret; - return GSS_S_FAILURE; - } - - if (cred->keytab) { - char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN]; - int len; - - ret = GSS_S_FAILURE; - - kret = krb5_kt_get_type(context, cred->keytab, - name, KRB5_KT_PREFIX_MAX_LEN); - if (kret) { - *minor_status = kret; - goto failure; - } - len = strlen(name); - name[len++] = ':'; - - kret = krb5_kt_get_name(context, cred->keytab, - name + len, - sizeof(name) - len); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_kt_resolve(context, name, - &handle->keytab); - if (kret){ - *minor_status = kret; - goto failure; - } - } - - if (cred->ccache) { - const char *type, *name; - char *type_name; - - ret = GSS_S_FAILURE; - - type = krb5_cc_get_type(context, cred->ccache); - if (type == NULL){ - *minor_status = ENOMEM; - goto failure; - } - - if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_gen_new(context, &krb5_mcc_ops, - &handle->ccache); - if (ret) { - *minor_status = ret; - goto failure; - } - - ret = krb5_cc_copy_cache(context, cred->ccache, - handle->ccache); - if (ret) { - *minor_status = ret; - goto failure; - } - - } else { - name = krb5_cc_get_name(context, cred->ccache); - if (name == NULL) { - *minor_status = ENOMEM; - goto failure; - } - - asprintf(&type_name, "%s:%s", type, name); - if (type_name == NULL) { - *minor_status = ENOMEM; - goto failure; - } - - kret = krb5_cc_resolve(context, type_name, - &handle->ccache); - free(type_name); - if (kret) { - *minor_status = kret; - goto failure; - } - } - } - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret) - goto failure; - - ret = gss_add_oid_set_member(minor_status, 
GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret) - goto failure; - } - - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - - ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred, - NULL, &lifetime, NULL, actual_mechs); - if (ret) - goto failure; - - if (initiator_time_rec) - *initiator_time_rec = lifetime; - if (acceptor_time_rec) - *acceptor_time_rec = lifetime; - - if (output_cred_handle) { - *output_cred_handle = (gss_cred_id_t)handle; - } - - *minor_status = 0; - return ret; - - failure: - - if (handle) { - if (handle->principal) - krb5_free_principal(context, handle->principal); - if (handle->keytab) - krb5_kt_close(context, handle->keytab); - if (handle->ccache) - krb5_cc_destroy(context, handle->ccache); - if (handle->mechanisms) - gss_release_oid_set(NULL, &handle->mechanisms); - free(handle); - } - if (output_cred_handle) - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/address_to_krb5addr.c b/crypto/heimdal/lib/gssapi/krb5/address_to_krb5addr.c deleted file mode 100644 index 18a90fe9a762..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/address_to_krb5addr.c +++ /dev/null 
@@ -1,77 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -#include <roken.h> - -krb5_error_code -_gsskrb5i_address_to_krb5addr(krb5_context context, - OM_uint32 gss_addr_type, - gss_buffer_desc *gss_addr, - int16_t port, - krb5_address *address) -{ - int addr_type; - struct sockaddr sa; - krb5_socklen_t sa_size = sizeof(sa); - krb5_error_code problem; - - if (gss_addr == NULL) - return GSS_S_FAILURE; - - switch (gss_addr_type) { -#ifdef HAVE_IPV6 - case GSS_C_AF_INET6: addr_type = AF_INET6; - break; -#endif /* HAVE_IPV6 */ - - case GSS_C_AF_INET: addr_type = AF_INET; - break; - default: - return GSS_S_FAILURE; - } - - problem = krb5_h_addr2sockaddr (context, - addr_type, - gss_addr->value, - &sa, - &sa_size, - port); - if (problem) - return GSS_S_FAILURE; - - problem = krb5_sockaddr2address (context, &sa, address); - - return problem; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/arcfour.c b/crypto/heimdal/lib/gssapi/krb5/arcfour.c deleted file mode 100644 index 032da36ebc86..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/arcfour.c +++ /dev/null 
@@ -1,760 +0,0 @@
-/*
- * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: arcfour.c 19031 2006-11-13 18:02:57Z lha $"); - -/* - * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt - * - * The arcfour message have the following formats: - * - * MIC token - * TOK_ID[2] = 01 01 - * SGN_ALG[2] = 11 00 - * Filler[4] - * SND_SEQ[8] - * SGN_CKSUM[8] - * - * WRAP token - * TOK_ID[2] = 02 01 - * SGN_ALG[2]; - * SEAL_ALG[2] - * Filler[2] - * SND_SEQ[2] - * SGN_CKSUM[8] - * Confounder[8] - */ - -/* - * WRAP in DCE-style have a fixed size header, the oid and length over - * the WRAP header is a total of - * GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE + - * GSS_ARCFOUR_WRAP_TOKEN_SIZE byte (ie total of 45 bytes overhead, - * remember the 2 bytes from APPL [0] SEQ). - */ - -#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32 -#define GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE 13 - - -static krb5_error_code -arcfour_mic_key(krb5_context context, krb5_keyblock *key, - void *cksum_data, size_t cksum_size, - void *key6_data, size_t key6_size) -{ - krb5_error_code ret; - - Checksum cksum_k5; - krb5_keyblock key5; - char k5_data[16]; - - Checksum cksum_k6; - - char T[4]; - - memset(T, 0, 4); - cksum_k5.checksum.data = k5_data; - cksum_k5.checksum.length = sizeof(k5_data); - - if (key->keytype == KEYTYPE_ARCFOUR_56) { - char L40[14] = "fortybits"; - - memcpy(L40 + 10, T, sizeof(T)); - ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, - L40, 14, 0, key, &cksum_k5); - memset(&k5_data[7], 0xAB, 9); - } else { - ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, - T, 4, 0, key, &cksum_k5); - } - if (ret) - return ret; - - key5.keytype = KEYTYPE_ARCFOUR; - key5.keyvalue = cksum_k5.checksum; - - cksum_k6.checksum.data = key6_data; - cksum_k6.checksum.length = key6_size; - - return krb5_hmac(context, CKSUMTYPE_RSA_MD5, - cksum_data, cksum_size, 0, &key5, &cksum_k6); -} - - -static krb5_error_code -arcfour_mic_cksum(krb5_context context, - krb5_keyblock *key, unsigned usage, - u_char *sgn_cksum, size_t sgn_cksum_sz, - const u_char *v1, 
size_t l1, - const void *v2, size_t l2, - const void *v3, size_t l3) -{ - Checksum CKSUM; - u_char *ptr; - size_t len; - krb5_crypto crypto; - krb5_error_code ret; - - assert(sgn_cksum_sz == 8); - - len = l1 + l2 + l3; - - ptr = malloc(len); - if (ptr == NULL) - return ENOMEM; - - memcpy(ptr, v1, l1); - memcpy(ptr + l1, v2, l2); - memcpy(ptr + l1 + l2, v3, l3); - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free(ptr); - return ret; - } - - ret = krb5_create_checksum(context, - crypto, - usage, - 0, - ptr, len, - &CKSUM); - free(ptr); - if (ret == 0) { - memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz); - free_Checksum(&CKSUM); - } - krb5_crypto_destroy(context, crypto); - - return ret; -} - - -OM_uint32 -_gssapi_get_mic_arcfour(OM_uint32 * minor_status, - const gsskrb5_ctx context_handle, - krb5_context context, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key) -{ - krb5_error_code ret; - int32_t seq_number; - size_t len, total_len; - u_char k6_data[16], *p0, *p; - RC4_KEY rc4_key; - - _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p0 = _gssapi_make_mech_header(message_token->value, - len, - GSS_KRB5_MECHANISM); - p = p0; - - *p++ = 0x01; /* TOK_ID */ - *p++ = 0x01; - *p++ = 0x11; /* SGN_ALG */ - *p++ = 0x00; - *p++ = 0xff; /* Filler */ - *p++ = 0xff; - *p++ = 0xff; - *p++ = 0xff; - - p = NULL; - - ret = arcfour_mic_cksum(context, - key, KRB5_KU_USAGE_SIGN, - p0 + 16, 8, /* SGN_CKSUM */ - p0, 8, /* TOK_ID, SGN_ALG, Filer */ - message_buffer->value, message_buffer->length, - NULL, 0); - if (ret) { - _gsskrb5_release_buffer(minor_status, message_token); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = arcfour_mic_key(context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, 
sizeof(k6_data)); - if (ret) { - _gsskrb5_release_buffer(minor_status, message_token); - *minor_status = ret; - return GSS_S_FAILURE; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (context, - context_handle->auth_context, - &seq_number); - p = p0 + 8; /* SND_SEQ */ - _gsskrb5_encode_be_om_uint32(seq_number, p); - - krb5_auth_con_setlocalseqnumber (context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4); - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p, p); - - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - - -OM_uint32 -_gssapi_verify_mic_arcfour(OM_uint32 * minor_status, - const gsskrb5_ctx context_handle, - krb5_context context, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type) -{ - krb5_error_code ret; - uint32_t seq_number; - OM_uint32 omret; - u_char SND_SEQ[8], cksum_data[8], *p; - char k6_data[16]; - int cmp; - - if (qop_state) - *qop_state = 0; - - p = token_buffer->value; - omret = _gsskrb5_verify_header (&p, - token_buffer->length, - (u_char *)type, - GSS_KRB5_MECHANISM); - if (omret) - return omret; - - if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - - ret = arcfour_mic_cksum(context, - key, KRB5_KU_USAGE_SIGN, - cksum_data, sizeof(cksum_data), - p - 8, 8, - message_buffer->value, message_buffer->length, - NULL, 0); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = arcfour_mic_key(context, key, - cksum_data, sizeof(cksum_data), - k6_data, sizeof(k6_data)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - cmp = 
memcmp(cksum_data, p + 8, 8); - if (cmp) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), (void*)k6_data); - RC4 (&rc4_key, 8, p, SND_SEQ); - - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); - - memset(SND_SEQ, 0, sizeof(SND_SEQ)); - if (cmp != 0) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - omret = _gssapi_msg_order_check(context_handle->order, seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if (omret) - return omret; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 -_gssapi_wrap_arcfour(OM_uint32 * minor_status, - const gsskrb5_ctx context_handle, - krb5_context context, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key) -{ - u_char Klocaldata[16], k6_data[16], *p, *p0; - size_t len, total_len, datalen; - krb5_keyblock Klocal; - krb5_error_code ret; - int32_t seq_number; - - if (conf_state) - *conf_state = 0; - - datalen = input_message_buffer->length; - - if (IS_DCE_STYLE(context_handle)) { - len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; - _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); - total_len += datalen; - } else { - datalen += 1; /* padding */ - len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE; - _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); - } - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p0 = _gssapi_make_mech_header(output_message_buffer->value, - len, - 
GSS_KRB5_MECHANISM); - p = p0; - - *p++ = 0x02; /* TOK_ID */ - *p++ = 0x01; - *p++ = 0x11; /* SGN_ALG */ - *p++ = 0x00; - if (conf_req_flag) { - *p++ = 0x10; /* SEAL_ALG */ - *p++ = 0x00; - } else { - *p++ = 0xff; /* SEAL_ALG */ - *p++ = 0xff; - } - *p++ = 0xff; /* Filler */ - *p++ = 0xff; - - p = NULL; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalseqnumber (context, - context_handle->auth_context, - &seq_number); - - _gsskrb5_encode_be_om_uint32(seq_number, p0 + 8); - - krb5_auth_con_setlocalseqnumber (context, - context_handle->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - memset (p0 + 8 + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xff, - 4); - - krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */ - - /* p points to data */ - p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE; - memcpy(p, input_message_buffer->value, input_message_buffer->length); - - if (!IS_DCE_STYLE(context_handle)) - p[input_message_buffer->length] = 1; /* padding */ - - ret = arcfour_mic_cksum(context, - key, KRB5_KU_USAGE_SEAL, - p0 + 16, 8, /* SGN_CKSUM */ - p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */ - p0 + 24, 8, /* Confounder */ - p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - datalen); - if (ret) { - *minor_status = ret; - _gsskrb5_release_buffer(minor_status, output_message_buffer); - return GSS_S_FAILURE; - } - - { - int i; - - Klocal.keytype = key->keytype; - Klocal.keyvalue.data = Klocaldata; - Klocal.keyvalue.length = sizeof(Klocaldata); - - for (i = 0; i < 16; i++) - Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; - } - ret = arcfour_mic_key(context, &Klocal, - p0 + 8, 4, /* SND_SEQ */ - k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); - if (ret) { - _gsskrb5_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - - if(conf_req_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), (void *)k6_data); - /* 
XXX ? */ - RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */ - memset(&rc4_key, 0, sizeof(rc4_key)); - } - memset(k6_data, 0, sizeof(k6_data)); - - ret = arcfour_mic_key(context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - _gsskrb5_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - if (conf_state) - *conf_state = conf_req_flag; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, - krb5_context context, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key) -{ - u_char Klocaldata[16]; - krb5_keyblock Klocal; - krb5_error_code ret; - uint32_t seq_number; - size_t datalen; - OM_uint32 omret; - u_char k6_data[16], SND_SEQ[8], Confounder[8]; - u_char cksum_data[8]; - u_char *p, *p0; - int cmp; - int conf_flag; - size_t padlen = 0, len; - - if (conf_state) - *conf_state = 0; - if (qop_state) - *qop_state = 0; - - p0 = input_message_buffer->value; - - if (IS_DCE_STYLE(context_handle)) { - len = GSS_ARCFOUR_WRAP_TOKEN_SIZE + - GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE; - if (input_message_buffer->length < len) - return GSS_S_BAD_MECH; - } else { - len = input_message_buffer->length; - } - - omret = _gssapi_verify_mech_header(&p0, - len, - GSS_KRB5_MECHANISM); - if (omret) - return omret; - - /* length of mech header */ - len = (p0 - (u_char *)input_message_buffer->value) + - GSS_ARCFOUR_WRAP_TOKEN_SIZE; - - if (len > input_message_buffer->length) - return GSS_S_BAD_MECH; - - /* length of data */ - datalen = input_message_buffer->length - len; - - p = p0; - - if 
(memcmp(p, "\x02\x01", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ - return GSS_S_BAD_SIG; - p += 2; - - if (memcmp (p, "\x10\x00", 2) == 0) - conf_flag = 1; - else if (memcmp (p, "\xff\xff", 2) == 0) - conf_flag = 0; - else - return GSS_S_BAD_SIG; - - p += 2; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_BAD_MIC; - p = NULL; - - ret = arcfour_mic_key(context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); - - if (cmp != 0) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - { - int i; - - Klocal.keytype = key->keytype; - Klocal.keyvalue.data = Klocaldata; - Klocal.keyvalue.length = sizeof(Klocaldata); - - for (i = 0; i < 16; i++) - Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; - } - ret = arcfour_mic_key(context, &Klocal, - SND_SEQ, 4, - k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - output_message_buffer->value = malloc(datalen); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - output_message_buffer->length = datalen; - - if(conf_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */ - RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - output_message_buffer->value); - memset(&rc4_key, 0, sizeof(rc4_key)); - } else { - memcpy(Confounder, p0 + 
24, 8); /* Confounder */ - memcpy(output_message_buffer->value, - p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - datalen); - } - memset(k6_data, 0, sizeof(k6_data)); - - if (!IS_DCE_STYLE(context_handle)) { - ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); - if (ret) { - _gsskrb5_release_buffer(minor_status, output_message_buffer); - *minor_status = 0; - return ret; - } - output_message_buffer->length -= padlen; - } - - ret = arcfour_mic_cksum(context, - key, KRB5_KU_USAGE_SEAL, - cksum_data, sizeof(cksum_data), - p0, 8, - Confounder, sizeof(Confounder), - output_message_buffer->value, - output_message_buffer->length + padlen); - if (ret) { - _gsskrb5_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ - if (cmp) { - _gsskrb5_release_buffer(minor_status, output_message_buffer); - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - omret = _gssapi_msg_order_check(context_handle->order, seq_number); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if (omret) - return omret; - - if (conf_state) - *conf_state = conf_flag; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -max_wrap_length_arcfour(const gsskrb5_ctx ctx, - krb5_crypto crypto, - size_t input_length, - OM_uint32 *max_input_size) -{ - /* - * if GSS_C_DCE_STYLE is in use: - * - we only need to encapsulate the WRAP token - * However, since this is a fixed since, we just - */ - if (IS_DCE_STYLE(ctx)) { - size_t len, total_len; - - len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; - _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); - - if (input_length < len) - *max_input_size = 0; - else - *max_input_size = input_length - len; - - } else { - size_t extrasize = GSS_ARCFOUR_WRAP_TOKEN_SIZE; - size_t blocksize = 8; - size_t len, total_len; - - len = 8 + input_length + blocksize + extrasize; - - 
_gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); - - total_len -= input_length; /* token length */ - if (total_len < input_length) { - *max_input_size = (input_length - total_len); - (*max_input_size) &= (~(OM_uint32)(blocksize - 1)); - } else { - *max_input_size = 0; - } - } - - return GSS_S_COMPLETE; -} - -OM_uint32 -_gssapi_wrap_size_arcfour(OM_uint32 *minor_status, - const gsskrb5_ctx ctx, - krb5_context context, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size, - krb5_keyblock *key) -{ - krb5_error_code ret; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = max_wrap_length_arcfour(ctx, crypto, - req_output_size, max_input_size); - if (ret != 0) { - *minor_status = ret; - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - - krb5_crypto_destroy(context, crypto); - - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/canonicalize_name.c b/crypto/heimdal/lib/gssapi/krb5/canonicalize_name.c deleted file mode 100644 index c1744abd3bec..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/canonicalize_name.c +++ /dev/null 
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: canonicalize_name.c 18334 2006-10-07 22:16:04Z lha $");
-
-OM_uint32 _gsskrb5_canonicalize_name (
- OM_uint32 * minor_status,
- const gss_name_t input_name,
- const gss_OID mech_type,
- gss_name_t * output_name
- )
-{
- return _gsskrb5_duplicate_name (minor_status, input_name, output_name);
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/ccache_name.c b/crypto/heimdal/lib/gssapi/krb5/ccache_name.c
deleted file mode 100644
index 6f332463553c..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/ccache_name.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: ccache_name.c 19031 2006-11-13 18:02:57Z lha $");
-
-char *last_out_name;
-
-OM_uint32
-_gsskrb5_krb5_ccache_name(OM_uint32 *minor_status,
- const char *name,
- const char **out_name)
-{
- krb5_context context;
- krb5_error_code kret;
-
- *minor_status = 0;
-
- GSSAPI_KRB5_INIT(&context);
-
- if (out_name) {
- const char *n;
-
- if (last_out_name) {
- free(last_out_name);
- last_out_name = NULL;
- }
-
- n = krb5_cc_default_name(context);
- if (n == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- last_out_name = strdup(n);
- if (last_out_name == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- *out_name = last_out_name;
- }
-
- kret = krb5_cc_set_default_name(context, name);
- if (kret) {
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/cfx.c b/crypto/heimdal/lib/gssapi/krb5/cfx.c
deleted file mode 100644
index 6452f802ab84..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/cfx.c
+++ /dev/null
@@ -1,878 +0,0 @@
-/*
- * Copyright (c) 2003, PADL Software Pty Ltd.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of PADL Software nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: cfx.c 19031 2006-11-13 18:02:57Z lha $"); - -/* - * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt - */ - -#define CFXSentByAcceptor (1 << 0) -#define CFXSealed (1 << 1) -#define CFXAcceptorSubkey (1 << 2) - -krb5_error_code -_gsskrb5cfx_wrap_length_cfx(krb5_context context, - krb5_crypto crypto, - int conf_req_flag, - size_t input_length, - size_t *output_length, - size_t *cksumsize, - uint16_t *padlength) -{ - krb5_error_code ret; - krb5_cksumtype type; - - /* 16-byte header is always first */ - *output_length = sizeof(gss_cfx_wrap_token_desc); - *padlength = 0; - - ret = krb5_crypto_get_checksum_type(context, crypto, &type); - if (ret) - return ret; - - ret = krb5_checksumsize(context, type, cksumsize); - if (ret) - return ret; - - if (conf_req_flag) { - size_t padsize; - - /* Header is concatenated with data before encryption */ - input_length += sizeof(gss_cfx_wrap_token_desc); - - ret = krb5_crypto_getpadsize(context, crypto, &padsize); - if (ret) { - return ret; - } - if (padsize > 1) { - /* XXX check this */ - *padlength = padsize - (input_length % padsize); - - /* We add the pad ourselves (noted here for completeness only) */ - input_length += *padlength; - } - - *output_length += krb5_get_wrapped_length(context, - crypto, input_length); - } else { - /* Checksum is concatenated with data */ - *output_length += input_length + *cksumsize; - } - - assert(*output_length > input_length); - - return 0; -} - -krb5_error_code -_gsskrb5cfx_max_wrap_length_cfx(krb5_context context, - krb5_crypto crypto, - int conf_req_flag, - size_t input_length, - OM_uint32 *output_length) -{ - krb5_error_code ret; - - *output_length = 0; - - /* 16-byte header is always first */ - if (input_length < 16) - return 0; - input_length -= 16; - - if (conf_req_flag) { - size_t wrapped_size, sz; - - wrapped_size = input_length + 1; - do { - wrapped_size--; - sz = krb5_get_wrapped_length(context, - crypto, wrapped_size); - } while 
(wrapped_size && sz > input_length); - if (wrapped_size == 0) { - *output_length = 0; - return 0; - } - - /* inner header */ - if (wrapped_size < 16) { - *output_length = 0; - return 0; - } - wrapped_size -= 16; - - *output_length = wrapped_size; - } else { - krb5_cksumtype type; - size_t cksumsize; - - ret = krb5_crypto_get_checksum_type(context, crypto, &type); - if (ret) - return ret; - - ret = krb5_checksumsize(context, type, &cksumsize); - if (ret) - return ret; - - if (input_length < cksumsize) - return 0; - - /* Checksum is concatenated with data */ - *output_length = input_length - cksumsize; - } - - return 0; -} - - -OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx context_handle, - krb5_context context, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size, - krb5_keyblock *key) -{ - krb5_error_code ret; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag, - req_output_size, max_input_size); - if (ret != 0) { - *minor_status = ret; - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - - krb5_crypto_destroy(context, crypto); - - return GSS_S_COMPLETE; -} - -/* - * Rotate "rrc" bytes to the front or back - */ - -static krb5_error_code -rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate) -{ - u_char *tmp, buf[256]; - size_t left; - - if (len == 0) - return 0; - - rrc %= len; - - if (rrc == 0) - return 0; - - left = len - rrc; - - if (rrc <= sizeof(buf)) { - tmp = buf; - } else { - tmp = malloc(rrc); - if (tmp == NULL) - return ENOMEM; - } - - if (unrotate) { - memcpy(tmp, data, rrc); - memmove(data, (u_char *)data + rrc, left); - memcpy((u_char *)data + left, tmp, rrc); - } else { - memcpy(tmp, (u_char *)data + left, rrc); - memmove((u_char *)data + rrc, data, left); - memcpy(data, tmp, 
rrc);
- }
-
- if (rrc > sizeof(buf))
- free(tmp);
-
- return 0;
-}
-
-OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
- const gsskrb5_ctx context_handle,
- krb5_context context,
- int conf_req_flag,
- gss_qop_t qop_req,
- const gss_buffer_t input_message_buffer,
- int *conf_state,
- gss_buffer_t output_message_buffer,
- krb5_keyblock *key)
-{
- krb5_crypto crypto;
- gss_cfx_wrap_token token;
- krb5_error_code ret;
- unsigned usage;
- krb5_data cipher;
- size_t wrapped_len, cksumsize;
- uint16_t padlength, rrc = 0;
- int32_t seq_number;
- u_char *p;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret != 0) {
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- ret = _gsskrb5cfx_wrap_length_cfx(context,
- crypto, conf_req_flag,
- input_message_buffer->length,
- &wrapped_len, &cksumsize, &padlength);
- if (ret != 0) {
- *minor_status = ret;
- krb5_crypto_destroy(context, crypto);
- return GSS_S_FAILURE;
- }
-
- /* Always rotate encrypted token (if any) and checksum to header */
- rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;
-
- output_message_buffer->length = wrapped_len;
- output_message_buffer->value = malloc(output_message_buffer->length);
- if (output_message_buffer->value == NULL) {
- *minor_status = ENOMEM;
- krb5_crypto_destroy(context, crypto);
- return GSS_S_FAILURE;
- }
-
- p = output_message_buffer->value;
- token = (gss_cfx_wrap_token)p;
- token->TOK_ID[0] = 0x05;
- token->TOK_ID[1] = 0x04;
- token->Flags = 0;
- token->Filler = 0xFF;
- if ((context_handle->more_flags & LOCAL) == 0)
- token->Flags |= CFXSentByAcceptor;
- if (context_handle->more_flags & ACCEPTOR_SUBKEY)
- token->Flags |= CFXAcceptorSubkey;
- if (conf_req_flag) {
- /*
- * In Wrap tokens with confidentiality, the EC field is
- * used to encode the size (in bytes) of the random filler.
- */
- token->Flags |= CFXSealed;
- token->EC[0] = (padlength >> 8) & 0xFF;
- token->EC[1] = (padlength >> 0) & 0xFF;
- } else {
- /*
- * In Wrap tokens without confidentiality, the EC field is
- * used to encode the size (in bytes) of the trailing
- * checksum.
- *
- * This is not used in the checksum calcuation itself,
- * because the checksum length could potentially vary
- * depending on the data length.
- */
- token->EC[0] = 0;
- token->EC[1] = 0;
- }
-
- /*
- * In Wrap tokens that provide for confidentiality, the RRC
- * field in the header contains the hex value 00 00 before
- * encryption.
- *
- * In Wrap tokens that do not provide for confidentiality,
- * both the EC and RRC fields in the appended checksum
- * contain the hex value 00 00 for the purpose of calculating
- * the checksum.
- */
- token->RRC[0] = 0;
- token->RRC[1] = 0;
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
- krb5_auth_con_getlocalseqnumber(context,
- context_handle->auth_context,
- &seq_number);
- _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
- _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
- krb5_auth_con_setlocalseqnumber(context,
- context_handle->auth_context,
- ++seq_number);
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
-
- /*
- * If confidentiality is requested, the token header is
- * appended to the plaintext before encryption; the resulting
- * token is {"header" | encrypt(plaintext | pad | "header")}.
- *
- * If no confidentiality is requested, the checksum is
- * calculated over the plaintext concatenated with the
- * token header.
- */
- if (context_handle->more_flags & LOCAL) {
- usage = KRB5_KU_USAGE_INITIATOR_SEAL;
- } else {
- usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
- }
-
- if (conf_req_flag) {
- /*
- * Any necessary padding is added here to ensure that the
- * encrypted token header is always at the end of the
- * ciphertext.
- *
- * The specification does not require that the padding
- * bytes are initialized.
- */
- p += sizeof(*token);
- memcpy(p, input_message_buffer->value, input_message_buffer->length);
- memset(p + input_message_buffer->length, 0xFF, padlength);
- memcpy(p + input_message_buffer->length + padlength,
- token, sizeof(*token));
-
- ret = krb5_encrypt(context, crypto,
- usage, p,
- input_message_buffer->length + padlength +
- sizeof(*token),
- &cipher);
- if (ret != 0) {
- *minor_status = ret;
- krb5_crypto_destroy(context, crypto);
- _gsskrb5_release_buffer(minor_status, output_message_buffer);
- return GSS_S_FAILURE;
- }
- assert(sizeof(*token) + cipher.length == wrapped_len);
- token->RRC[0] = (rrc >> 8) & 0xFF;
- token->RRC[1] = (rrc >> 0) & 0xFF;
-
- ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
- if (ret != 0) {
- *minor_status = ret;
- krb5_crypto_destroy(context, crypto);
- _gsskrb5_release_buffer(minor_status, output_message_buffer);
- return GSS_S_FAILURE;
- }
- memcpy(p, cipher.data, cipher.length);
- krb5_data_free(&cipher);
- } else {
- char *buf;
- Checksum cksum;
-
- buf = malloc(input_message_buffer->length + sizeof(*token));
- if (buf == NULL) {
- *minor_status = ENOMEM;
- krb5_crypto_destroy(context, crypto);
- _gsskrb5_release_buffer(minor_status, output_message_buffer);
- return GSS_S_FAILURE;
- }
- memcpy(buf, input_message_buffer->value, input_message_buffer->length);
- memcpy(buf + input_message_buffer->length, token, sizeof(*token));
-
- ret = krb5_create_checksum(context, crypto,
- usage, 0, buf,
- input_message_buffer->length +
- sizeof(*token),
- &cksum);
- if (ret != 0) {
- *minor_status = ret;
- krb5_crypto_destroy(context, crypto);
- _gsskrb5_release_buffer(minor_status, output_message_buffer);
- free(buf);
- return GSS_S_FAILURE;
- }
-
- free(buf);
-
- assert(cksum.checksum.length == cksumsize);
- token->EC[0] = (cksum.checksum.length >> 8) & 0xFF;
- token->EC[1] = (cksum.checksum.length >> 0) & 0xFF;
- token->RRC[0] = (rrc >> 8) & 0xFF;
- token->RRC[1] = (rrc >> 0) & 0xFF;
-
- p += sizeof(*token);
- memcpy(p,
input_message_buffer->value, input_message_buffer->length);
- memcpy(p + input_message_buffer->length,
- cksum.checksum.data, cksum.checksum.length);
-
- ret = rrc_rotate(p,
- input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
- if (ret != 0) {
- *minor_status = ret;
- krb5_crypto_destroy(context, crypto);
- _gsskrb5_release_buffer(minor_status, output_message_buffer);
- free_Checksum(&cksum);
- return GSS_S_FAILURE;
- }
- free_Checksum(&cksum);
- }
-
- krb5_crypto_destroy(context, crypto);
-
- if (conf_state != NULL) {
- *conf_state = conf_req_flag;
- }
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
-
-OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
- const gsskrb5_ctx context_handle,
- krb5_context context,
- const gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int *conf_state,
- gss_qop_t *qop_state,
- krb5_keyblock *key)
-{
- krb5_crypto crypto;
- gss_cfx_wrap_token token;
- u_char token_flags;
- krb5_error_code ret;
- unsigned usage;
- krb5_data data;
- uint16_t ec, rrc;
- OM_uint32 seq_number_lo, seq_number_hi;
- size_t len;
- u_char *p;
-
- *minor_status = 0;
-
- if (input_message_buffer->length < sizeof(*token)) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- p = input_message_buffer->value;
-
- token = (gss_cfx_wrap_token)p;
-
- if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- /* Ignore unknown flags */
- token_flags = token->Flags &
- (CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
-
- if (token_flags & CFXSentByAcceptor) {
- if ((context_handle->more_flags & LOCAL) == 0)
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
- if ((token_flags & CFXAcceptorSubkey) == 0)
- return GSS_S_DEFECTIVE_TOKEN;
- } else {
- if (token_flags & CFXAcceptorSubkey)
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- if (token->Filler != 0xFF) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- if (conf_state != NULL) {
- *conf_state = (token_flags &
CFXSealed) ? 1 : 0; - } - - ec = (token->EC[0] << 8) | token->EC[1]; - rrc = (token->RRC[0] << 8) | token->RRC[1]; - - /* - * Check sequence number - */ - _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); - _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); - if (seq_number_hi) { - /* no support for 64-bit sequence numbers */ - *minor_status = ERANGE; - return GSS_S_UNSEQ_TOKEN; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); - if (ret != 0) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - _gsskrb5_release_buffer(minor_status, output_message_buffer); - return ret; - } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* - * Decrypt and/or verify checksum - */ - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - if (context_handle->more_flags & LOCAL) { - usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; - } else { - usage = KRB5_KU_USAGE_INITIATOR_SEAL; - } - - p += sizeof(*token); - len = input_message_buffer->length; - len -= (p - (u_char *)input_message_buffer->value); - - /* Rotate by RRC; bogus to do this in-place XXX */ - *minor_status = rrc_rotate(p, len, rrc, TRUE); - if (*minor_status != 0) { - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - - if (token_flags & CFXSealed) { - ret = krb5_decrypt(context, crypto, usage, - p, len, &data); - if (ret != 0) { - *minor_status = ret; - krb5_crypto_destroy(context, crypto); - return GSS_S_BAD_MIC; - } - - /* Check that there is room for the pad and token header */ - if (data.length < ec + sizeof(*token)) { - krb5_crypto_destroy(context, crypto); - krb5_data_free(&data); - return GSS_S_DEFECTIVE_TOKEN; - } - p = data.data; - p += data.length - sizeof(*token); - - /* RRC is unprotected; don't modify input buffer */ - ((gss_cfx_wrap_token)p)->RRC[0] = token->RRC[0]; - 
((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1]; - - /* Check the integrity of the header */ - if (memcmp(p, token, sizeof(*token)) != 0) { - krb5_crypto_destroy(context, crypto); - krb5_data_free(&data); - return GSS_S_BAD_MIC; - } - - output_message_buffer->value = data.data; - output_message_buffer->length = data.length - ec - sizeof(*token); - } else { - Checksum cksum; - - /* Determine checksum type */ - ret = krb5_crypto_get_checksum_type(context, - crypto, &cksum.cksumtype); - if (ret != 0) { - *minor_status = ret; - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - - cksum.checksum.length = ec; - - /* Check we have at least as much data as the checksum */ - if (len < cksum.checksum.length) { - *minor_status = ERANGE; - krb5_crypto_destroy(context, crypto); - return GSS_S_BAD_MIC; - } - - /* Length now is of the plaintext only, no checksum */ - len -= cksum.checksum.length; - cksum.checksum.data = p + len; - - output_message_buffer->length = len; /* for later */ - output_message_buffer->value = malloc(len + sizeof(*token)); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - - /* Checksum is over (plaintext-data | "header") */ - memcpy(output_message_buffer->value, p, len); - memcpy((u_char *)output_message_buffer->value + len, - token, sizeof(*token)); - - /* EC is not included in checksum calculation */ - token = (gss_cfx_wrap_token)((u_char *)output_message_buffer->value + - len); - token->EC[0] = 0; - token->EC[1] = 0; - token->RRC[0] = 0; - token->RRC[1] = 0; - - ret = krb5_verify_checksum(context, crypto, - usage, - output_message_buffer->value, - len + sizeof(*token), - &cksum); - if (ret != 0) { - *minor_status = ret; - krb5_crypto_destroy(context, crypto); - _gsskrb5_release_buffer(minor_status, output_message_buffer); - return GSS_S_BAD_MIC; - } - } - - krb5_crypto_destroy(context, crypto); - - if (qop_state != NULL) { - *qop_state = 
GSS_C_QOP_DEFAULT;
- }
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
-
-OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
- const gsskrb5_ctx context_handle,
- krb5_context context,
- gss_qop_t qop_req,
- const gss_buffer_t message_buffer,
- gss_buffer_t message_token,
- krb5_keyblock *key)
-{
- krb5_crypto crypto;
- gss_cfx_mic_token token;
- krb5_error_code ret;
- unsigned usage;
- Checksum cksum;
- u_char *buf;
- size_t len;
- int32_t seq_number;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret != 0) {
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- len = message_buffer->length + sizeof(*token);
- buf = malloc(len);
- if (buf == NULL) {
- *minor_status = ENOMEM;
- krb5_crypto_destroy(context, crypto);
- return GSS_S_FAILURE;
- }
-
- memcpy(buf, message_buffer->value, message_buffer->length);
-
- token = (gss_cfx_mic_token)(buf + message_buffer->length);
- token->TOK_ID[0] = 0x04;
- token->TOK_ID[1] = 0x04;
- token->Flags = 0;
- if ((context_handle->more_flags & LOCAL) == 0)
- token->Flags |= CFXSentByAcceptor;
- if (context_handle->more_flags & ACCEPTOR_SUBKEY)
- token->Flags |= CFXAcceptorSubkey;
- memset(token->Filler, 0xFF, 5);
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
- krb5_auth_con_getlocalseqnumber(context,
- context_handle->auth_context,
- &seq_number);
- _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
- _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
- krb5_auth_con_setlocalseqnumber(context,
- context_handle->auth_context,
- ++seq_number);
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
-
- if (context_handle->more_flags & LOCAL) {
- usage = KRB5_KU_USAGE_INITIATOR_SIGN;
- } else {
- usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
- }
-
- ret = krb5_create_checksum(context, crypto,
- usage, 0, buf, len, &cksum);
- if (ret != 0) {
- *minor_status = ret;
- krb5_crypto_destroy(context, crypto);
- free(buf);
- return GSS_S_FAILURE;
- }
- krb5_crypto_destroy(context, crypto);
-
- /* Determine MIC
length */
- message_token->length = sizeof(*token) + cksum.checksum.length;
- message_token->value = malloc(message_token->length);
- if (message_token->value == NULL) {
- *minor_status = ENOMEM;
- free_Checksum(&cksum);
- free(buf);
- return GSS_S_FAILURE;
- }
-
- /* Token is { "header" | get_mic("header" | plaintext-data) } */
- memcpy(message_token->value, token, sizeof(*token));
- memcpy((u_char *)message_token->value + sizeof(*token),
- cksum.checksum.data, cksum.checksum.length);
-
- free_Checksum(&cksum);
- free(buf);
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
-
-OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
- const gsskrb5_ctx context_handle,
- krb5_context context,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t *qop_state,
- krb5_keyblock *key)
-{
- krb5_crypto crypto;
- gss_cfx_mic_token token;
- u_char token_flags;
- krb5_error_code ret;
- unsigned usage;
- OM_uint32 seq_number_lo, seq_number_hi;
- u_char *buf, *p;
- Checksum cksum;
-
- *minor_status = 0;
-
- if (token_buffer->length < sizeof(*token)) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- p = token_buffer->value;
-
- token = (gss_cfx_mic_token)p;
-
- if (token->TOK_ID[0] != 0x04 || token->TOK_ID[1] != 0x04) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- /* Ignore unknown flags */
- token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);
-
- if (token_flags & CFXSentByAcceptor) {
- if ((context_handle->more_flags & LOCAL) == 0)
- return GSS_S_DEFECTIVE_TOKEN;
- }
- if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
- if ((token_flags & CFXAcceptorSubkey) == 0)
- return GSS_S_DEFECTIVE_TOKEN;
- } else {
- if (token_flags & CFXAcceptorSubkey)
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- if (memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) {
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- /*
- * Check sequence number
- */
- _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
- _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4],
&seq_number_lo); - if (seq_number_hi) { - *minor_status = ERANGE; - return GSS_S_UNSEQ_TOKEN; - } - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); - if (ret != 0) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; - } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* - * Verify checksum - */ - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret != 0) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_crypto_get_checksum_type(context, crypto, - &cksum.cksumtype); - if (ret != 0) { - *minor_status = ret; - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - - cksum.checksum.data = p + sizeof(*token); - cksum.checksum.length = token_buffer->length - sizeof(*token); - - if (context_handle->more_flags & LOCAL) { - usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; - } else { - usage = KRB5_KU_USAGE_INITIATOR_SIGN; - } - - buf = malloc(message_buffer->length + sizeof(*token)); - if (buf == NULL) { - *minor_status = ENOMEM; - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - memcpy(buf, message_buffer->value, message_buffer->length); - memcpy(buf + message_buffer->length, token, sizeof(*token)); - - ret = krb5_verify_checksum(context, crypto, - usage, - buf, - sizeof(*token) + message_buffer->length, - &cksum); - krb5_crypto_destroy(context, crypto); - if (ret != 0) { - *minor_status = ret; - free(buf); - return GSS_S_BAD_MIC; - } - - free(buf); - - if (qop_state != NULL) { - *qop_state = GSS_C_QOP_DEFAULT; - } - - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/cfx.h b/crypto/heimdal/lib/gssapi/krb5/cfx.h deleted file mode 100644 index 672704a8418d..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/cfx.h +++ /dev/null 
@@ -1,65 +0,0 @@ -/* - * Copyright (c) 2003, PADL Software Pty Ltd. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of PADL Software nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: cfx.h 19031 2006-11-13 18:02:57Z lha $ */ - -#ifndef GSSAPI_CFX_H_ -#define GSSAPI_CFX_H_ 1 - -/* - * Implementation of draft-ietf-krb-wg-gssapi-cfx-01.txt - */ - -typedef struct gss_cfx_mic_token_desc_struct { - u_char TOK_ID[2]; /* 04 04 */ - u_char Flags; - u_char Filler[5]; - u_char SND_SEQ[8]; -} gss_cfx_mic_token_desc, *gss_cfx_mic_token; - -typedef struct gss_cfx_wrap_token_desc_struct { - u_char TOK_ID[2]; /* 04 05 */ - u_char Flags; - u_char Filler; - u_char EC[2]; - u_char RRC[2]; - u_char SND_SEQ[8]; -} gss_cfx_wrap_token_desc, *gss_cfx_wrap_token; - -typedef struct gss_cfx_delete_token_desc_struct { - u_char TOK_ID[2]; /* 05 04 */ - u_char Flags; - u_char Filler[5]; - u_char SND_SEQ[8]; -} gss_cfx_delete_token_desc, *gss_cfx_delete_token; - -#endif /* GSSAPI_CFX_H_ */ diff --git a/crypto/heimdal/lib/gssapi/krb5/compare_name.c b/crypto/heimdal/lib/gssapi/krb5/compare_name.c deleted file mode 100644 index 3f3b59d11621..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/compare_name.c +++ /dev/null 
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: compare_name.c 19031 2006-11-13 18:02:57Z lha $"); - -OM_uint32 _gsskrb5_compare_name - (OM_uint32 * minor_status, - const gss_name_t name1, - const gss_name_t name2, - int * name_equal - ) -{ - krb5_const_principal princ1 = (krb5_const_principal)name1; - krb5_const_principal princ2 = (krb5_const_principal)name2; - krb5_context context; - - GSSAPI_KRB5_INIT(&context); - - *name_equal = krb5_principal_compare (context, - princ1, princ2); - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/compat.c b/crypto/heimdal/lib/gssapi/krb5/compat.c deleted file mode 100644 index a0f075621a49..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/compat.c +++ /dev/null 
@@ -1,128 +0,0 @@
-/*
- * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: compat.c 19031 2006-11-13 18:02:57Z lha $"); - - -static krb5_error_code -check_compat(OM_uint32 *minor_status, - krb5_context context, krb5_const_principal name, - const char *option, krb5_boolean *compat, - krb5_boolean match_val) -{ - krb5_error_code ret = 0; - char **p, **q; - krb5_principal match; - - - p = krb5_config_get_strings(context, NULL, "gssapi", - option, NULL); - if(p == NULL) - return 0; - - match = NULL; - for(q = p; *q; q++) { - ret = krb5_parse_name(context, *q, &match); - if (ret) - break; - - if (krb5_principal_match(context, name, match)) { - *compat = match_val; - break; - } - - krb5_free_principal(context, match); - match = NULL; - } - if (match) - krb5_free_principal(context, match); - krb5_config_free_strings(p); - - if (ret) { - if (minor_status) - *minor_status = ret; - return GSS_S_FAILURE; - } - - return 0; -} - -/* - * ctx->ctx_id_mutex is assumed to be locked - */ - -OM_uint32 -_gss_DES3_get_mic_compat(OM_uint32 *minor_status, - gsskrb5_ctx ctx, - krb5_context context) -{ - krb5_boolean use_compat = FALSE; - OM_uint32 ret; - - if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) { - ret = check_compat(minor_status, context, ctx->target, - "broken_des3_mic", &use_compat, TRUE); - if (ret) - return ret; - ret = check_compat(minor_status, context, ctx->target, - "correct_des3_mic", &use_compat, FALSE); - if (ret) - return ret; - - if (use_compat) - ctx->more_flags |= COMPAT_OLD_DES3; - ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; - } - return 0; -} - -#if 0 -OM_uint32 -gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) -{ - *minor_status = 0; - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - if (on) { - ctx->more_flags |= COMPAT_OLD_DES3; - } else { - ctx->more_flags &= ~COMPAT_OLD_DES3; - } - ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - - return 0; -} -#endif 
diff --git a/crypto/heimdal/lib/gssapi/krb5/context_time.c b/crypto/heimdal/lib/gssapi/krb5/context_time.c deleted file mode 100644 index b57ac7854e69..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/context_time.c +++ /dev/null 
@@ -1,95 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: context_time.c 19031 2006-11-13 18:02:57Z lha $"); - -OM_uint32 -_gsskrb5_lifetime_left(OM_uint32 *minor_status, - krb5_context context, - OM_uint32 lifetime, - OM_uint32 *lifetime_rec) -{ - krb5_timestamp timeret; - krb5_error_code kret; - - if (lifetime == 0) { - *lifetime_rec = GSS_C_INDEFINITE; - return GSS_S_COMPLETE; - } - - kret = krb5_timeofday(context, &timeret); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - - if (lifetime < timeret) - *lifetime_rec = 0; - else - *lifetime_rec = lifetime - timeret; - - return GSS_S_COMPLETE; -} - - -OM_uint32 _gsskrb5_context_time - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - OM_uint32 * time_rec - ) -{ - krb5_context context; - OM_uint32 lifetime; - OM_uint32 major_status; - const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; - - GSSAPI_KRB5_INIT (&context); - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - lifetime = ctx->lifetime; - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - - major_status = _gsskrb5_lifetime_left(minor_status, context, - lifetime, time_rec); - if (major_status != GSS_S_COMPLETE) - return major_status; - - *minor_status = 0; - - if (*time_rec == 0) - return GSS_S_CONTEXT_EXPIRED; - - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/copy_ccache.c b/crypto/heimdal/lib/gssapi/krb5/copy_ccache.c deleted file mode 100644 index 66d797c19933..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/copy_ccache.c +++ /dev/null 
@@ -1,195 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: copy_ccache.c 20688 2007-05-17 18:44:31Z lha $"); - -#if 0 -OM_uint32 -gss_krb5_copy_ccache(OM_uint32 *minor_status, - krb5_context context, - gss_cred_id_t cred, - krb5_ccache out) -{ - krb5_error_code kret; - - HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); - - if (cred->ccache == NULL) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - kret = krb5_cc_copy_cache(context, cred->ccache, out); - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - *minor_status = 0; - return GSS_S_COMPLETE; -} -#endif - - -OM_uint32 -_gsskrb5_import_cred(OM_uint32 *minor_status, - krb5_ccache id, - krb5_principal keytab_principal, - krb5_keytab keytab, - gss_cred_id_t *cred) -{ - krb5_context context; - krb5_error_code kret; - gsskrb5_cred handle; - OM_uint32 ret; - - *cred = NULL; - - GSSAPI_KRB5_INIT (&context); - - handle = calloc(1, sizeof(*handle)); - if (handle == NULL) { - _gsskrb5_clear_status (); - *minor_status = ENOMEM; - return (GSS_S_FAILURE); - } - HEIMDAL_MUTEX_init(&handle->cred_id_mutex); - - handle->usage = 0; - - if (id) { - char *str; - - handle->usage |= GSS_C_INITIATE; - - kret = krb5_cc_get_principal(context, id, - &handle->principal); - if (kret) { - free(handle); - *minor_status = kret; - return GSS_S_FAILURE; - } - - if (keytab_principal) { - krb5_boolean match; - - match = krb5_principal_compare(context, - handle->principal, - keytab_principal); - if (match == FALSE) { - krb5_free_principal(context, handle->principal); - free(handle); - _gsskrb5_clear_status (); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - } - - ret = __gsskrb5_ccache_lifetime(minor_status, - context, - id, - handle->principal, - &handle->lifetime); - if (ret != GSS_S_COMPLETE) { - krb5_free_principal(context, handle->principal); - free(handle); - return ret; - } - - - kret = krb5_cc_get_full_name(context, id, &str); - 
if (kret) - goto out; - - kret = krb5_cc_resolve(context, str, &handle->ccache); - free(str); - if (kret) - goto out; - } - - - if (keytab) { - char *str; - - handle->usage |= GSS_C_ACCEPT; - - if (keytab_principal && handle->principal == NULL) { - kret = krb5_copy_principal(context, - keytab_principal, - &handle->principal); - if (kret) - goto out; - } - - kret = krb5_kt_get_full_name(context, keytab, &str); - if (kret) - goto out; - - kret = krb5_kt_resolve(context, str, &handle->keytab); - free(str); - if (kret) - goto out; - } - - - if (id || keytab) { - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret == GSS_S_COMPLETE) - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret != GSS_S_COMPLETE) { - kret = *minor_status; - goto out; - } - } - - *minor_status = 0; - *cred = (gss_cred_id_t)handle; - return GSS_S_COMPLETE; - -out: - gss_release_oid_set(minor_status, &handle->mechanisms); - if (handle->ccache) - krb5_cc_close(context, handle->ccache); - if (handle->keytab) - krb5_kt_close(context, handle->keytab); - if (handle->principal) - krb5_free_principal(context, handle->principal); - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - free(handle); - *minor_status = kret; - return GSS_S_FAILURE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c deleted file mode 100644 index 39176faff442..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c +++ /dev/null 
@@ -1,209 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: decapsulate.c 18334 2006-10-07 22:16:04Z lha $"); - -/* - * return the length of the mechanism in token or -1 - * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN - */ - -ssize_t -_gsskrb5_get_mech (const u_char *ptr, - size_t total_len, - const u_char **mech_ret) -{ - size_t len, len_len, mech_len, foo; - const u_char *p = ptr; - int e; - - if (total_len < 1) - return -1; - if (*p++ != 0x60) - return -1; - e = der_get_length (p, total_len - 1, &len, &len_len); - if (e || 1 + len_len + len != total_len) - return -1; - p += len_len; - if (*p++ != 0x06) - return -1; - e = der_get_length (p, total_len - 1 - len_len - 1, - &mech_len, &foo); - if (e) - return -1; - p += foo; - *mech_ret = p; - return mech_len; -} - -OM_uint32 -_gssapi_verify_mech_header(u_char **str, - size_t total_len, - gss_OID mech) -{ - const u_char *p; - ssize_t mech_len; - - mech_len = _gsskrb5_get_mech (*str, total_len, &p); - if (mech_len < 0) - return GSS_S_DEFECTIVE_TOKEN; - - if (mech_len != mech->length) - return GSS_S_BAD_MECH; - if (memcmp(p, - mech->elements, - mech->length) != 0) - return GSS_S_BAD_MECH; - p += mech_len; - *str = rk_UNCONST(p); - return GSS_S_COMPLETE; -} - -OM_uint32 -_gsskrb5_verify_header(u_char **str, - size_t total_len, - const void *type, - gss_OID oid) -{ - OM_uint32 ret; - size_t len; - u_char *p = *str; - - ret = _gssapi_verify_mech_header(str, total_len, oid); - if (ret) - return ret; - - len = total_len - (*str - p); - - if (len < 2) - return GSS_S_DEFECTIVE_TOKEN; - - if (memcmp (*str, type, 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - *str += 2; - - return 0; -} - -/* - * Remove the GSS-API wrapping from `in_token' giving `out_data. - * Does not copy data, so just free `in_token'. 
- */ - -OM_uint32 -_gssapi_decapsulate( - OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - const gss_OID mech -) -{ - u_char *p; - OM_uint32 ret; - - p = input_token_buffer->value; - ret = _gssapi_verify_mech_header(&p, - input_token_buffer->length, - mech); - if (ret) { - *minor_status = 0; - return ret; - } - - out_data->length = input_token_buffer->length - - (p - (u_char *)input_token_buffer->value); - out_data->data = p; - return GSS_S_COMPLETE; -} - -/* - * Remove the GSS-API wrapping from `in_token' giving `out_data. - * Does not copy data, so just free `in_token'. - */ - -OM_uint32 -_gsskrb5_decapsulate(OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - const void *type, - gss_OID oid) -{ - u_char *p; - OM_uint32 ret; - - p = input_token_buffer->value; - ret = _gsskrb5_verify_header(&p, - input_token_buffer->length, - type, - oid); - if (ret) { - *minor_status = 0; - return ret; - } - - out_data->length = input_token_buffer->length - - (p - (u_char *)input_token_buffer->value); - out_data->data = p; - return GSS_S_COMPLETE; -} - -/* - * Verify padding of a gss wrapped message and return its length. - */ - -OM_uint32 -_gssapi_verify_pad(gss_buffer_t wrapped_token, - size_t datalen, - size_t *padlen) -{ - u_char *pad; - size_t padlength; - int i; - - pad = (u_char *)wrapped_token->value + wrapped_token->length - 1; - padlength = *pad; - - if (padlength > datalen) - return GSS_S_BAD_MECH; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - *padlen = padlength; - - return 0; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/delete_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/delete_sec_context.c deleted file mode 100644 index abad98655026..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/delete_sec_context.c +++ /dev/null 
@@ -1,81 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: delete_sec_context.c 19031 2006-11-13 18:02:57Z lha $"); - -OM_uint32 -_gsskrb5_delete_sec_context(OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t output_token) -{ - krb5_context context; - gsskrb5_ctx ctx; - - GSSAPI_KRB5_INIT (&context); - - *minor_status = 0; - - if (output_token) { - output_token->length = 0; - output_token->value = NULL; - } - - if (*context_handle == GSS_C_NO_CONTEXT) - return GSS_S_COMPLETE; - - ctx = (gsskrb5_ctx) *context_handle; - *context_handle = GSS_C_NO_CONTEXT; - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - - krb5_auth_con_free (context, ctx->auth_context); - if(ctx->source) - krb5_free_principal (context, ctx->source); - if(ctx->target) - krb5_free_principal (context, ctx->target); - if (ctx->ticket) - krb5_free_ticket (context, ctx->ticket); - if(ctx->order) - _gssapi_msg_order_destroy(&ctx->order); - if (ctx->service_keyblock) - krb5_free_keyblock (context, ctx->service_keyblock); - krb5_data_free(&ctx->fwd_data); - - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); - memset(ctx, 0, sizeof(*ctx)); - free (ctx); - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/display_name.c b/crypto/heimdal/lib/gssapi/krb5/display_name.c deleted file mode 100644 index 727c447d2a06..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/display_name.c +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: display_name.c 21077 2007-06-12 22:42:56Z lha $"); - -OM_uint32 _gsskrb5_display_name - (OM_uint32 * minor_status, - const gss_name_t input_name, - gss_buffer_t output_name_buffer, - gss_OID * output_name_type - ) -{ - krb5_context context; - krb5_const_principal name = (krb5_const_principal)input_name; - krb5_error_code kret; - char *buf; - size_t len; - - GSSAPI_KRB5_INIT (&context); - - kret = krb5_unparse_name_flags (context, name, - KRB5_PRINCIPAL_UNPARSE_DISPLAY, &buf); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - len = strlen (buf); - output_name_buffer->length = len; - output_name_buffer->value = malloc(len + 1); - if (output_name_buffer->value == NULL) { - free (buf); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (output_name_buffer->value, buf, len); - ((char *)output_name_buffer->value)[len] = '\0'; - free (buf); - if (output_name_type) - *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME; - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/display_status.c b/crypto/heimdal/lib/gssapi/krb5/display_status.c deleted file mode 100644 index c0192522a72a..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/display_status.c +++ /dev/null 
@@ -1,200 +0,0 @@
-/*
- * Copyright (c) 1998 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: display_status.c 19031 2006-11-13 18:02:57Z lha $"); - -static const char * -calling_error(OM_uint32 v) -{ - static const char *msgs[] = { - NULL, /* 0 */ - "A required input parameter could not be read.", /* */ - "A required output parameter could not be written.", /* */ - "A parameter was malformed" - }; - - v >>= GSS_C_CALLING_ERROR_OFFSET; - - if (v == 0) - return ""; - else if (v >= sizeof(msgs)/sizeof(*msgs)) - return "unknown calling error"; - else - return msgs[v]; -} - -static const char * -routine_error(OM_uint32 v) -{ - static const char *msgs[] = { - NULL, /* 0 */ - "An unsupported mechanism was requested", - "An invalid name was supplied", - "A supplied name was of an unsupported type", - "Incorrect channel bindings were supplied", - "An invalid status code was supplied", - "A token had an invalid MIC", - "No credentials were supplied, " - "or the credentials were unavailable or inaccessible.", - "No context has been established", - "A token was invalid", - "A credential was invalid", - "The referenced credentials have expired", - "The context has expired", - "Miscellaneous failure (see text)", - "The quality-of-protection requested could not be provide", - "The operation is forbidden by local security policy", - "The operation or option is not available", - "The requested credential element already exists", - "The provided name was not a mechanism name.", - }; - - v >>= GSS_C_ROUTINE_ERROR_OFFSET; - - if (v == 0) - return ""; - else if (v >= sizeof(msgs)/sizeof(*msgs)) - return "unknown routine error"; - else - return msgs[v]; -} - -static const char * -supplementary_error(OM_uint32 v) -{ - static const char *msgs[] = { - "normal completion", - "continuation call to routine required", - "duplicate per-message token detected", - "timed-out per-message token detected", - "reordered (early) per-message token detected", - "skipped predecessor token(s) detected" - }; - - v >>= 
GSS_C_SUPPLEMENTARY_OFFSET; - - if (v >= sizeof(msgs)/sizeof(*msgs)) - return "unknown routine error"; - else - return msgs[v]; -} - -void -_gsskrb5_clear_status (void) -{ - krb5_context context; - - if (_gsskrb5_init (&context) != 0) - return; - krb5_clear_error_string(context); -} - -void -_gsskrb5_set_status (const char *fmt, ...) -{ - krb5_context context; - va_list args; - char *str; - - if (_gsskrb5_init (&context) != 0) - return; - - va_start(args, fmt); - vasprintf(&str, fmt, args); - va_end(args); - if (str) { - krb5_set_error_string(context, str); - free(str); - } -} - -OM_uint32 _gsskrb5_display_status -(OM_uint32 *minor_status, - OM_uint32 status_value, - int status_type, - const gss_OID mech_type, - OM_uint32 *message_context, - gss_buffer_t status_string) -{ - krb5_context context; - char *buf; - - GSSAPI_KRB5_INIT (&context); - - status_string->length = 0; - status_string->value = NULL; - - if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 && - gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) { - *minor_status = 0; - return GSS_C_GSS_CODE; - } - - if (status_type == GSS_C_GSS_CODE) { - if (GSS_SUPPLEMENTARY_INFO(status_value)) - asprintf(&buf, "%s", - supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value))); - else - asprintf (&buf, "%s %s", - calling_error(GSS_CALLING_ERROR(status_value)), - routine_error(GSS_ROUTINE_ERROR(status_value))); - } else if (status_type == GSS_C_MECH_CODE) { - buf = krb5_get_error_string(context); - if (buf == NULL) { - const char *tmp = krb5_get_err_text (context, status_value); - if (tmp == NULL) - asprintf(&buf, "unknown mech error-code %u", - (unsigned)status_value); - else - buf = strdup(tmp); - } - } else { - *minor_status = EINVAL; - return GSS_S_BAD_STATUS; - } - - if (buf == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - *message_context = 0; - *minor_status = 0; - - status_string->length = strlen(buf); - status_string->value = buf; - - return GSS_S_COMPLETE; -} 
diff --git a/crypto/heimdal/lib/gssapi/krb5/duplicate_name.c b/crypto/heimdal/lib/gssapi/krb5/duplicate_name.c deleted file mode 100644 index 7337f1ab72b8..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/duplicate_name.c +++ /dev/null 
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: duplicate_name.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_duplicate_name (
- OM_uint32 * minor_status,
- const gss_name_t src_name,
- gss_name_t * dest_name
- )
-{
- krb5_context context;
- krb5_const_principal src = (krb5_const_principal)src_name;
- krb5_principal *dest = (krb5_principal *)dest_name;
- krb5_error_code kret;
-
- GSSAPI_KRB5_INIT (&context);
-
- kret = krb5_copy_principal (context, src, dest);
- if (kret) {
- *minor_status = kret;
- return GSS_S_FAILURE;
- } else {
- *minor_status = 0;
- return GSS_S_COMPLETE;
- }
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/encapsulate.c b/crypto/heimdal/lib/gssapi/krb5/encapsulate.c
deleted file mode 100644
index 58dcb5c9c4b2..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/encapsulate.c
+++ /dev/null
@@ -1,155 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: encapsulate.c 18459 2006-10-14 10:12:16Z lha $"); - -void -_gssapi_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech) -{ - size_t len_len; - - *len = 1 + 1 + mech->length + data_len; - - len_len = der_length_len(*len); - - *total_len = 1 + len_len + *len; -} - -void -_gsskrb5_encap_length (size_t data_len, - size_t *len, - size_t *total_len, - const gss_OID mech) -{ - _gssapi_encap_length(data_len + 2, len, total_len, mech); -} - -void * -_gsskrb5_make_header (void *ptr, - size_t len, - const void *type, - const gss_OID mech) -{ - u_char *p = ptr; - p = _gssapi_make_mech_header(p, len, mech); - memcpy (p, type, 2); - p += 2; - return p; -} - -void * -_gssapi_make_mech_header(void *ptr, - size_t len, - const gss_OID mech) -{ - u_char *p = ptr; - int e; - size_t len_len, foo; - - *p++ = 0x60; - len_len = der_length_len(len); - e = der_put_length (p + len_len - 1, len_len, len, &foo); - if(e || foo != len_len) - abort (); - p += len_len; - *p++ = 0x06; - *p++ = mech->length; - memcpy (p, mech->elements, mech->length); - p += mech->length; - return p; -} - -/* - * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings. - */ - -OM_uint32 -_gssapi_encapsulate( - OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const gss_OID mech -) -{ - size_t len, outer_len; - void *p; - - _gssapi_encap_length (in_data->length, &len, &outer_len, mech); - - output_token->length = outer_len; - output_token->value = malloc (outer_len); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = _gssapi_make_mech_header (output_token->value, len, mech); - memcpy (p, in_data->data, in_data->length); - return GSS_S_COMPLETE; -} - -/* - * Give it a krb5_data and it will encapsulate with extra GSS-API krb5 - * wrappings. 
- */ - -OM_uint32 -_gsskrb5_encapsulate( - OM_uint32 *minor_status, - const krb5_data *in_data, - gss_buffer_t output_token, - const void *type, - const gss_OID mech -) -{ - size_t len, outer_len; - u_char *p; - - _gsskrb5_encap_length (in_data->length, &len, &outer_len, mech); - - output_token->length = outer_len; - output_token->value = malloc (outer_len); - if (output_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = _gsskrb5_make_header (output_token->value, len, type, mech); - memcpy (p, in_data->data, in_data->length); - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/export_name.c b/crypto/heimdal/lib/gssapi/krb5/export_name.c deleted file mode 100644 index efa45a2638bf..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/export_name.c +++ /dev/null 
@@ -1,94 +0,0 @@ -/* - * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: export_name.c 19031 2006-11-13 18:02:57Z lha $"); - -OM_uint32 _gsskrb5_export_name - (OM_uint32 * minor_status, - const gss_name_t input_name, - gss_buffer_t exported_name - ) -{ - krb5_context context; - krb5_const_principal princ = (krb5_const_principal)input_name; - krb5_error_code kret; - char *buf, *name; - size_t len; - - GSSAPI_KRB5_INIT (&context); - - kret = krb5_unparse_name (context, princ, &name); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - len = strlen (name); - - exported_name->length = 10 + len + GSS_KRB5_MECHANISM->length; - exported_name->value = malloc(exported_name->length); - if (exported_name->value == NULL) { - free (name); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */ - - buf = exported_name->value; - memcpy(buf, "\x04\x01", 2); - buf += 2; - buf[0] = ((GSS_KRB5_MECHANISM->length + 2) >> 8) & 0xff; - buf[1] = (GSS_KRB5_MECHANISM->length + 2) & 0xff; - buf+= 2; - buf[0] = 0x06; - buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF; - buf+= 2; - - memcpy(buf, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length); - buf += GSS_KRB5_MECHANISM->length; - - buf[0] = (len >> 24) & 0xff; - buf[1] = (len >> 16) & 0xff; - buf[2] = (len >> 8) & 0xff; - buf[3] = (len) & 0xff; - buf += 4; - - memcpy (buf, name, len); - - free (name); - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/export_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/export_sec_context.c deleted file mode 100644 index 00218617a07b..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/export_sec_context.c +++ /dev/null 
@@ -1,240 +0,0 @@ -/* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: export_sec_context.c 19031 2006-11-13 18:02:57Z lha $"); - -OM_uint32 -_gsskrb5_export_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t interprocess_token - ) -{ - krb5_context context; - const gsskrb5_ctx ctx = (const gsskrb5_ctx) *context_handle; - krb5_storage *sp; - krb5_auth_context ac; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data data; - gss_buffer_desc buffer; - int flags; - OM_uint32 minor; - krb5_error_code kret; - - GSSAPI_KRB5_INIT (&context); - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - - if (!(ctx->flags & GSS_C_TRANS_FLAG)) { - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - *minor_status = 0; - return GSS_S_UNAVAILABLE; - } - - sp = krb5_storage_emem (); - if (sp == NULL) { - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ac = ctx->auth_context; - - /* flagging included fields */ - - flags = 0; - if (ac->local_address) - flags |= SC_LOCAL_ADDRESS; - if (ac->remote_address) - flags |= SC_REMOTE_ADDRESS; - if (ac->keyblock) - flags |= SC_KEYBLOCK; - if (ac->local_subkey) - flags |= SC_LOCAL_SUBKEY; - if (ac->remote_subkey) - flags |= SC_REMOTE_SUBKEY; - - kret = krb5_store_int32 (sp, flags); - if (kret) { - *minor_status = kret; - goto failure; - } - - /* marshall auth context */ - - kret = krb5_store_int32 (sp, ac->flags); - if (kret) { - *minor_status = kret; - goto failure; - } - if (ac->local_address) { - kret = krb5_store_address (sp, *ac->local_address); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->remote_address) { - kret = krb5_store_address (sp, *ac->remote_address); - if (kret) { - *minor_status = kret; - goto failure; - } - } - kret = krb5_store_int16 (sp, ac->local_port); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int16 (sp, ac->remote_port); - if (kret) { - *minor_status = kret; - goto failure; - } - if (ac->keyblock) { - kret = 
krb5_store_keyblock (sp, *ac->keyblock); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->local_subkey) { - kret = krb5_store_keyblock (sp, *ac->local_subkey); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->remote_subkey) { - kret = krb5_store_keyblock (sp, *ac->remote_subkey); - if (kret) { - *minor_status = kret; - goto failure; - } - } - kret = krb5_store_int32 (sp, ac->local_seqnumber); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ac->remote_seqnumber); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_store_int32 (sp, ac->keytype); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ac->cksumtype); - if (kret) { - *minor_status = kret; - goto failure; - } - - /* names */ - - ret = _gsskrb5_export_name (minor_status, - (gss_name_t)ctx->source, &buffer); - if (ret) - goto failure; - data.data = buffer.value; - data.length = buffer.length; - kret = krb5_store_data (sp, data); - _gsskrb5_release_buffer (&minor, &buffer); - if (kret) { - *minor_status = kret; - goto failure; - } - - ret = _gsskrb5_export_name (minor_status, - (gss_name_t)ctx->target, &buffer); - if (ret) - goto failure; - data.data = buffer.value; - data.length = buffer.length; - - ret = GSS_S_FAILURE; - - kret = krb5_store_data (sp, data); - _gsskrb5_release_buffer (&minor, &buffer); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_store_int32 (sp, ctx->flags); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ctx->more_flags); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ctx->lifetime); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = _gssapi_msg_order_export(sp, ctx->order); - if (kret ) { - *minor_status = kret; - goto failure; - } - - kret = krb5_storage_to_data (sp, &data); - krb5_storage_free (sp); - if (kret) { - 
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - *minor_status = kret; - return GSS_S_FAILURE; - } - interprocess_token->length = data.length; - interprocess_token->value = data.data; - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - ret = _gsskrb5_delete_sec_context (minor_status, context_handle, - GSS_C_NO_BUFFER); - if (ret != GSS_S_COMPLETE) - _gsskrb5_release_buffer (NULL, interprocess_token); - *minor_status = 0; - return ret; - failure: - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - krb5_storage_free (sp); - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/external.c b/crypto/heimdal/lib/gssapi/krb5/external.c deleted file mode 100644 index 03fe61dc5744..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/external.c +++ /dev/null 
@@ -1,425 +0,0 @@ -/* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5/gsskrb5_locl.h" -#include <gssapi_mech.h> - -RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $"); - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x01"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant - * GSS_C_NT_USER_NAME should be initialized to point - * to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_user_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")}; - -gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x02"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. - * The constant GSS_C_NT_MACHINE_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")}; - -gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x03"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. - * The constant GSS_C_NT_STRING_UID_NAME should be - * initialized to point to that gss_OID_desc. 
- */ - -static gss_OID_desc gss_c_nt_string_uid_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")}; - -gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, - * corresponding to an object-identifier value of - * {iso(1) org(3) dod(6) internet(1) security(5) - * nametypes(6) gss-host-based-services(2)). The constant - * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point - * to that gss_OID_desc. This is a deprecated OID value, and - * implementations wishing to support hostbased-service names - * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, - * defined below, to identify such names; - * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym - * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input - * parameter, but should not be emitted by GSS-API - * implementations - */ - -static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc = -{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")}; - -gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x04"}, corresponding to an - * object-identifier value of {iso(1) member-body(2) - * Unites States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) service_name(4)}. The constant - * GSS_C_NT_HOSTBASED_SERVICE should be initialized - * to point to that gss_OID_desc. 
- */ -static gss_OID_desc gss_c_nt_hostbased_service_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")}; - -gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, - * corresponding to an object identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 3(gss-anonymous-name)}. The constant - * and GSS_C_NT_ANONYMOUS should be initialized to point - * to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_anonymous_oid_desc = -{6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")}; - -gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 4(gss-api-exported-name)}. The constant - * GSS_C_NT_EXPORT_NAME should be initialized to point - * to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_export_name_oid_desc = -{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") }; - -gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * krb5(2) krb5_name(1)}. The recommended symbolic name for this type - * is "GSS_KRB5_NT_PRINCIPAL_NAME". - */ - -static gss_OID_desc gss_krb5_nt_principal_name_oid_desc = -{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") }; - -gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) user_name(1)}. 
The recommended symbolic name for this - * type is "GSS_KRB5_NT_USER_NAME". - */ - -gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) machine_uid_name(2)}. The recommended symbolic name for - * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". - */ - -gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) string_uid_name(3)}. The recommended symbolic name for - * this type is "GSS_KRB5_NT_STRING_UID_NAME". - */ - -gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; - -/* - * To support ongoing experimentation, testing, and evolution of the - * specification, the Kerberos V5 GSS-API mechanism as defined in this - * and any successor memos will be identified with the following Object - * Identifier, as defined in RFC-1510, until the specification is - * advanced to the level of Proposed Standard RFC: - * - * {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)} - * - * Upon advancement to the level of Proposed Standard RFC, the Kerberos - * V5 GSS-API mechanism will be identified by an Object Identifier - * having the value: - * - * {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - * gssapi(2) krb5(2)} - */ - -#if 0 /* This is the old OID */ - -static gss_OID_desc gss_krb5_mechanism_oid_desc = -{5, rk_UNCONST("\x2b\x05\x01\x05\x02")}; - -#endif - -static gss_OID_desc gss_krb5_mechanism_oid_desc = -{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; - -gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; - -/* - * draft-ietf-cat-iakerb-09, IAKERB: - * The mechanism ID for IAKERB proxy GSS-API Kerberos, in accordance - * with the mechanism proposed by 
SPNEGO [7] for negotiating protocol - * variations, is: {iso(1) org(3) dod(6) internet(1) security(5) - * mechanisms(5) iakerb(10) iakerbProxyProtocol(1)}. The proposed - * mechanism ID for IAKERB minimum messages GSS-API Kerberos, in - * accordance with the mechanism proposed by SPNEGO for negotiating - * protocol variations, is: {iso(1) org(3) dod(6) internet(1) - * security(5) mechanisms(5) iakerb(10) - * iakerbMinimumMessagesProtocol(2)}. - */ - -static gss_OID_desc gss_iakerb_proxy_mechanism_oid_desc = -{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")}; - -gss_OID GSS_IAKERB_PROXY_MECHANISM = &gss_iakerb_proxy_mechanism_oid_desc; - -static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc = -{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") }; - -gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc; - -/* - * - */ - -static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc = -{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}; - -gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc; - -/* - * 1.2.752.43.13 Heimdal GSS-API Extentions - */ - -/* 1.2.752.43.13.1 */ -static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")}; - -gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc; - -/* 1.2.752.43.13.2 */ -static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")}; - -gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc; - -/* 1.2.752.43.13.3 */ -static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")}; - -gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; - -/* 1.2.752.43.13.4 */ -static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")}; - -gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc; - -/* 
1.2.752.43.13.5 */ -static gss_OID_desc gss_krb5_register_acceptor_identity_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")}; - -gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = &gss_krb5_register_acceptor_identity_x_desc; - -/* 1.2.752.43.13.6 */ -static gss_OID_desc gss_krb5_export_lucid_context_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")}; - -gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X = &gss_krb5_export_lucid_context_x_desc; - -/* 1.2.752.43.13.6.1 */ -static gss_OID_desc gss_krb5_export_lucid_context_v1_x_desc = -{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")}; - -gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = &gss_krb5_export_lucid_context_v1_x_desc; - -/* 1.2.752.43.13.7 */ -static gss_OID_desc gss_krb5_set_dns_canonicalize_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")}; - -gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X = &gss_krb5_set_dns_canonicalize_x_desc; - -/* 1.2.752.43.13.8 */ -static gss_OID_desc gss_krb5_get_subkey_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")}; - -gss_OID GSS_KRB5_GET_SUBKEY_X = &gss_krb5_get_subkey_x_desc; - -/* 1.2.752.43.13.9 */ -static gss_OID_desc gss_krb5_get_initiator_subkey_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")}; - -gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X = &gss_krb5_get_initiator_subkey_x_desc; - -/* 1.2.752.43.13.10 */ -static gss_OID_desc gss_krb5_get_acceptor_subkey_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")}; - -gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = &gss_krb5_get_acceptor_subkey_x_desc; - -/* 1.2.752.43.13.11 */ -static gss_OID_desc gss_krb5_send_to_kdc_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")}; - -gss_OID GSS_KRB5_SEND_TO_KDC_X = &gss_krb5_send_to_kdc_x_desc; - -/* 1.2.752.43.13.12 */ -static gss_OID_desc gss_krb5_get_authtime_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")}; - -gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc; - -/* 1.2.752.43.13.13 */ -static gss_OID_desc gss_krb5_get_service_keyblock_x_desc = -{6, 
rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")}; - -gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc; - -/* 1.2.752.43.13.14 */ -static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")}; - -gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc; - -/* 1.2.752.43.13.15 */ -static gss_OID_desc gss_krb5_set_default_realm_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")}; - -gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc; - -/* 1.2.752.43.13.16 */ -static gss_OID_desc gss_krb5_ccache_name_x_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")}; - -gss_OID GSS_KRB5_CCACHE_NAME_X = &gss_krb5_ccache_name_x_desc; - -/* 1.2.752.43.14.1 */ -static gss_OID_desc gss_sasl_digest_md5_mechanism_desc = -{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; - -gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc; - -/* - * Context for krb5 calls. - */ - -/* - * - */ - -static gssapi_mech_interface_desc krb5_mech = { - GMI_VERSION, - "kerberos 5", - {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }, - _gsskrb5_acquire_cred, - _gsskrb5_release_cred, - _gsskrb5_init_sec_context, - _gsskrb5_accept_sec_context, - _gsskrb5_process_context_token, - _gsskrb5_delete_sec_context, - _gsskrb5_context_time, - _gsskrb5_get_mic, - _gsskrb5_verify_mic, - _gsskrb5_wrap, - _gsskrb5_unwrap, - _gsskrb5_display_status, - _gsskrb5_indicate_mechs, - _gsskrb5_compare_name, - _gsskrb5_display_name, - _gsskrb5_import_name, - _gsskrb5_export_name, - _gsskrb5_release_name, - _gsskrb5_inquire_cred, - _gsskrb5_inquire_context, - _gsskrb5_wrap_size_limit, - _gsskrb5_add_cred, - _gsskrb5_inquire_cred_by_mech, - _gsskrb5_export_sec_context, - _gsskrb5_import_sec_context, - _gsskrb5_inquire_names_for_mech, - _gsskrb5_inquire_mechs_for_name, - _gsskrb5_canonicalize_name, - _gsskrb5_duplicate_name, - _gsskrb5_inquire_sec_context_by_oid, - _gsskrb5_inquire_cred_by_oid, - 
 _gsskrb5_set_sec_context_option,
- _gsskrb5_set_cred_option,
- _gsskrb5_pseudo_random
-};
-
-gssapi_mech_interface
-__gss_krb5_initialize(void)
-{
- return &krb5_mech;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/get_mic.c b/crypto/heimdal/lib/gssapi/krb5/get_mic.c
deleted file mode 100644
index 133481ffe173..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/get_mic.c
+++ /dev/null
@@ -1,317 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: get_mic.c 19031 2006-11-13 18:02:57Z lha $"); - -static OM_uint32 -mic_des - (OM_uint32 * minor_status, - const gsskrb5_ctx ctx, - krb5_context context, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16]; - DES_key_schedule schedule; - DES_cblock deskey; - DES_cblock zero; - int32_t seq_number; - size_t len, total_len; - - _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - message_token->length = 0; - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = _gsskrb5_make_header(message_token->value, - len, - "\x01\x01", /* TOK_ID */ - GSS_KRB5_MECHANISM); - - memcpy (p, "\x00\x00", 2); /* SGN_ALG = DES MAC MD5 */ - p += 2; - - memcpy (p, "\xff\xff\xff\xff", 4); /* Filler */ - p += 4; - - /* Fill in later (SND-SEQ) */ - memset (p, 0, 16); - p += 16; - - /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, message_buffer->length); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key (&deskey, &schedule); - DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - &schedule, &zero); - memcpy (p - 8, hash, 8); /* SGN_CKSUM */ - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - /* sequence number */ - krb5_auth_con_getlocalseqnumber (context, - ctx->auth_context, - &seq_number); - - p -= 16; /* SND_SEQ */ - p[0] = (seq_number >> 0) & 0xFF; - p[1] = (seq_number >> 8) & 0xFF; - p[2] = (seq_number >> 16) & 0xFF; - p[3] = (seq_number >> 24) & 0xFF; - memset (p + 4, - (ctx->more_flags & LOCAL) ? 
0 : 0xFF, - 4); - - DES_set_key (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT); - - krb5_auth_con_setlocalseqnumber (context, - ctx->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -mic_des3 - (OM_uint32 * minor_status, - const gsskrb5_ctx ctx, - krb5_context context, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key - ) -{ - u_char *p; - Checksum cksum; - u_char seq[8]; - - int32_t seq_number; - size_t len, total_len; - - krb5_crypto crypto; - krb5_error_code kret; - krb5_data encdata; - char *tmp; - char ivec[8]; - - _gsskrb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - message_token->length = 0; - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = _gsskrb5_make_header(message_token->value, - len, - "\x01\x01", /* TOK-ID */ - GSS_KRB5_MECHANISM); - - memcpy (p, "\x04\x00", 2); /* SGN_ALG = HMAC SHA1 DES3-KD */ - p += 2; - - memcpy (p, "\xff\xff\xff\xff", 4); /* filler */ - p += 4; - - /* this should be done in parts */ - - tmp = malloc (message_buffer->length + 8); - if (tmp == NULL) { - free (message_token->value); - message_token->value = NULL; - message_token->length = 0; - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, p - 8, 8); - memcpy (tmp + 8, message_buffer->value, message_buffer->length); - - kret = krb5_crypto_init(context, key, 0, &crypto); - if (kret) { - free (message_token->value); - message_token->value = NULL; - message_token->length = 0; - free (tmp); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_create_checksum (context, - crypto, - KRB5_KU_USAGE_SIGN, - 0, 
- tmp, - message_buffer->length + 8, - &cksum); - free (tmp); - krb5_crypto_destroy (context, crypto); - if (kret) { - free (message_token->value); - message_token->value = NULL; - message_token->length = 0; - *minor_status = kret; - return GSS_S_FAILURE; - } - - memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - /* sequence number */ - krb5_auth_con_getlocalseqnumber (context, - ctx->auth_context, - &seq_number); - - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (ctx->more_flags & LOCAL) ? 0 : 0xFF, - 4); - - kret = krb5_crypto_init(context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (kret) { - free (message_token->value); - message_token->value = NULL; - message_token->length = 0; - *minor_status = kret; - return GSS_S_FAILURE; - } - - if (ctx->more_flags & COMPAT_OLD_DES3) - memset(ivec, 0, 8); - else - memcpy(ivec, p + 8, 8); - - kret = krb5_encrypt_ivec (context, - crypto, - KRB5_KU_USAGE_SEQ, - seq, 8, &encdata, ivec); - krb5_crypto_destroy (context, crypto); - if (kret) { - free (message_token->value); - message_token->value = NULL; - message_token->length = 0; - *minor_status = kret; - return GSS_S_FAILURE; - } - - assert (encdata.length == 8); - - memcpy (p, encdata.data, encdata.length); - krb5_data_free (&encdata); - - krb5_auth_con_setlocalseqnumber (context, - ctx->auth_context, - ++seq_number); - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - - free_Checksum (&cksum); - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 _gsskrb5_get_mic - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token - ) -{ - krb5_context context; - const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - GSSAPI_KRB5_INIT 
(&context); - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - ret = _gsskrb5i_get_token_key(ctx, context, &key); - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - ret = mic_des (minor_status, ctx, context, qop_req, - message_buffer, message_token, key); - break; - case KEYTYPE_DES3 : - ret = mic_des3 (minor_status, ctx, context, qop_req, - message_buffer, message_token, key); - break; - case KEYTYPE_ARCFOUR: - case KEYTYPE_ARCFOUR_56: - ret = _gssapi_get_mic_arcfour (minor_status, ctx, context, qop_req, - message_buffer, message_token, key); - break; - default : - ret = _gssapi_mic_cfx (minor_status, ctx, context, qop_req, - message_buffer, message_token, key); - break; - } - krb5_free_keyblock (context, key); - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/gkrb5_err.et b/crypto/heimdal/lib/gssapi/krb5/gkrb5_err.et deleted file mode 100644 index dbfdbdf2f122..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/gkrb5_err.et +++ /dev/null 
@@ -1,31 +0,0 @@ -# -# extended gss krb5 error messages -# - -id "$Id: gkrb5_err.et 20049 2007-01-24 00:14:24Z lha $" - -error_table gk5 - -prefix GSS_KRB5_S - -error_code G_BAD_SERVICE_NAME, "No @ in SERVICE-NAME name string" -error_code G_BAD_STRING_UID, "STRING-UID-NAME contains nondigits" -error_code G_NOUSER, "UID does not resolve to username" -error_code G_VALIDATE_FAILED, "Validation error" -error_code G_BUFFER_ALLOC, "Couldn't allocate gss_buffer_t data" -error_code G_BAD_MSG_CTX, "Message context invalid" -error_code G_WRONG_SIZE, "Buffer is the wrong size" -error_code G_BAD_USAGE, "Credential usage type is unknown" -error_code G_UNKNOWN_QOP, "Unknown quality of protection specified" - -index 128 - -error_code KG_CCACHE_NOMATCH, "Principal in credential cache does not match desired name" -error_code KG_KEYTAB_NOMATCH, "No principal in keytab matches desired name" -error_code KG_TGT_MISSING, "Credential cache has no TGT" -error_code KG_NO_SUBKEY, "Authenticator has no subkey" -error_code KG_CONTEXT_ESTABLISHED, "Context is already fully established" -error_code KG_BAD_SIGN_TYPE, "Unknown signature type in token" -error_code KG_BAD_LENGTH, "Invalid field length in token" -error_code KG_CTX_INCOMPLETE, "Attempt to use incomplete security context" -error_code KG_INPUT_TOO_LONG, "Input too long" diff --git a/crypto/heimdal/lib/gssapi/krb5/gsskrb5-private.h b/crypto/heimdal/lib/gssapi/krb5/gsskrb5-private.h deleted file mode 100644 index c2239f134625..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/gsskrb5-private.h +++ /dev/null 
@@ -1,703 +0,0 @@ -/* This is a generated file */ -#ifndef __gsskrb5_private_h__ -#define __gsskrb5_private_h__ - -#include <stdarg.h> - -gssapi_mech_interface -__gss_krb5_initialize (void); - -OM_uint32 -__gsskrb5_ccache_lifetime ( - OM_uint32 */*minor_status*/, - krb5_context /*context*/, - krb5_ccache /*id*/, - krb5_principal /*principal*/, - OM_uint32 */*lifetime*/); - -OM_uint32 -_gss_DES3_get_mic_compat ( - OM_uint32 */*minor_status*/, - gsskrb5_ctx /*ctx*/, - krb5_context /*context*/); - -OM_uint32 -_gssapi_decapsulate ( - OM_uint32 */*minor_status*/, - gss_buffer_t /*input_token_buffer*/, - krb5_data */*out_data*/, - const gss_OID mech ); - -void -_gssapi_encap_length ( - size_t /*data_len*/, - size_t */*len*/, - size_t */*total_len*/, - const gss_OID /*mech*/); - -OM_uint32 -_gssapi_encapsulate ( - OM_uint32 */*minor_status*/, - const krb5_data */*in_data*/, - gss_buffer_t /*output_token*/, - const gss_OID mech ); - -OM_uint32 -_gssapi_get_mic_arcfour ( - OM_uint32 * /*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/, - krb5_keyblock */*key*/); - -void * -_gssapi_make_mech_header ( - void */*ptr*/, - size_t /*len*/, - const gss_OID /*mech*/); - -OM_uint32 -_gssapi_mic_cfx ( - OM_uint32 */*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/, - krb5_keyblock */*key*/); - -OM_uint32 -_gssapi_msg_order_check ( - struct gss_msg_order */*o*/, - OM_uint32 /*seq_num*/); - -OM_uint32 -_gssapi_msg_order_create ( - OM_uint32 */*minor_status*/, - struct gss_msg_order **/*o*/, - OM_uint32 /*flags*/, - OM_uint32 /*seq_num*/, - OM_uint32 /*jitter_window*/, - int /*use_64*/); - -OM_uint32 -_gssapi_msg_order_destroy (struct gss_msg_order **/*m*/); - -krb5_error_code -_gssapi_msg_order_export ( - krb5_storage 
*/*sp*/, - struct gss_msg_order */*o*/); - -OM_uint32 -_gssapi_msg_order_f (OM_uint32 /*flags*/); - -OM_uint32 -_gssapi_msg_order_import ( - OM_uint32 */*minor_status*/, - krb5_storage */*sp*/, - struct gss_msg_order **/*o*/); - -OM_uint32 -_gssapi_unwrap_arcfour ( - OM_uint32 */*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - const gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int */*conf_state*/, - gss_qop_t */*qop_state*/, - krb5_keyblock */*key*/); - -OM_uint32 -_gssapi_unwrap_cfx ( - OM_uint32 */*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - const gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int */*conf_state*/, - gss_qop_t */*qop_state*/, - krb5_keyblock */*key*/); - -OM_uint32 -_gssapi_verify_mech_header ( - u_char **/*str*/, - size_t /*total_len*/, - gss_OID /*mech*/); - -OM_uint32 -_gssapi_verify_mic_arcfour ( - OM_uint32 * /*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - const gss_buffer_t /*message_buffer*/, - const gss_buffer_t /*token_buffer*/, - gss_qop_t * /*qop_state*/, - krb5_keyblock */*key*/, - char */*type*/); - -OM_uint32 -_gssapi_verify_mic_cfx ( - OM_uint32 */*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - const gss_buffer_t /*message_buffer*/, - const gss_buffer_t /*token_buffer*/, - gss_qop_t */*qop_state*/, - krb5_keyblock */*key*/); - -OM_uint32 -_gssapi_verify_pad ( - gss_buffer_t /*wrapped_token*/, - size_t /*datalen*/, - size_t */*padlen*/); - -OM_uint32 -_gssapi_wrap_arcfour ( - OM_uint32 * /*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/, - krb5_keyblock */*key*/); - -OM_uint32 -_gssapi_wrap_cfx ( - OM_uint32 
*/*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*input_message_buffer*/, - int */*conf_state*/, - gss_buffer_t /*output_message_buffer*/, - krb5_keyblock */*key*/); - -OM_uint32 -_gssapi_wrap_size_arcfour ( - OM_uint32 */*minor_status*/, - const gsskrb5_ctx /*ctx*/, - krb5_context /*context*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - OM_uint32 /*req_output_size*/, - OM_uint32 */*max_input_size*/, - krb5_keyblock */*key*/); - -OM_uint32 -_gssapi_wrap_size_cfx ( - OM_uint32 */*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - OM_uint32 /*req_output_size*/, - OM_uint32 */*max_input_size*/, - krb5_keyblock */*key*/); - -OM_uint32 -_gsskrb5_accept_sec_context ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - const gss_cred_id_t /*acceptor_cred_handle*/, - const gss_buffer_t /*input_token_buffer*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - gss_name_t * /*src_name*/, - gss_OID * /*mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/, - gss_cred_id_t * /*delegated_cred_handle*/); - -OM_uint32 -_gsskrb5_acquire_cred ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*desired_name*/, - OM_uint32 /*time_req*/, - const gss_OID_set /*desired_mechs*/, - gss_cred_usage_t /*cred_usage*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * time_rec ); - -OM_uint32 -_gsskrb5_add_cred ( - OM_uint32 */*minor_status*/, - const gss_cred_id_t /*input_cred_handle*/, - const gss_name_t /*desired_name*/, - const gss_OID /*desired_mech*/, - gss_cred_usage_t /*cred_usage*/, - OM_uint32 /*initiator_time_req*/, - OM_uint32 /*acceptor_time_req*/, - gss_cred_id_t */*output_cred_handle*/, - gss_OID_set */*actual_mechs*/, - OM_uint32 */*initiator_time_rec*/, - 
OM_uint32 */*acceptor_time_rec*/); - -OM_uint32 -_gsskrb5_canonicalize_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - const gss_OID /*mech_type*/, - gss_name_t * output_name ); - -void -_gsskrb5_clear_status (void); - -OM_uint32 -_gsskrb5_compare_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*name1*/, - const gss_name_t /*name2*/, - int * name_equal ); - -OM_uint32 -_gsskrb5_context_time ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - OM_uint32 * time_rec ); - -OM_uint32 -_gsskrb5_create_8003_checksum ( - OM_uint32 */*minor_status*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - OM_uint32 /*flags*/, - const krb5_data */*fwd_data*/, - Checksum */*result*/); - -OM_uint32 -_gsskrb5_create_ctx ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - krb5_context /*context*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - enum gss_ctx_id_t_state /*state*/); - -OM_uint32 -_gsskrb5_decapsulate ( - OM_uint32 */*minor_status*/, - gss_buffer_t /*input_token_buffer*/, - krb5_data */*out_data*/, - const void */*type*/, - gss_OID /*oid*/); - -krb5_error_code -_gsskrb5_decode_be_om_uint32 ( - const void */*ptr*/, - OM_uint32 */*n*/); - -krb5_error_code -_gsskrb5_decode_om_uint32 ( - const void */*ptr*/, - OM_uint32 */*n*/); - -OM_uint32 -_gsskrb5_delete_sec_context ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*output_token*/); - -OM_uint32 -_gsskrb5_display_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*output_name_buffer*/, - gss_OID * output_name_type ); - -OM_uint32 -_gsskrb5_display_status ( - OM_uint32 */*minor_status*/, - OM_uint32 /*status_value*/, - int /*status_type*/, - const gss_OID /*mech_type*/, - OM_uint32 */*message_context*/, - gss_buffer_t /*status_string*/); - -OM_uint32 -_gsskrb5_duplicate_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*src_name*/, - 
gss_name_t * dest_name ); - -void -_gsskrb5_encap_length ( - size_t /*data_len*/, - size_t */*len*/, - size_t */*total_len*/, - const gss_OID /*mech*/); - -OM_uint32 -_gsskrb5_encapsulate ( - OM_uint32 */*minor_status*/, - const krb5_data */*in_data*/, - gss_buffer_t /*output_token*/, - const void */*type*/, - const gss_OID mech ); - -krb5_error_code -_gsskrb5_encode_be_om_uint32 ( - OM_uint32 /*n*/, - u_char */*p*/); - -krb5_error_code -_gsskrb5_encode_om_uint32 ( - OM_uint32 /*n*/, - u_char */*p*/); - -OM_uint32 -_gsskrb5_export_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t exported_name ); - -OM_uint32 -_gsskrb5_export_sec_context ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t interprocess_token ); - -ssize_t -_gsskrb5_get_mech ( - const u_char */*ptr*/, - size_t /*total_len*/, - const u_char **/*mech_ret*/); - -OM_uint32 -_gsskrb5_get_mic ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*message_buffer*/, - gss_buffer_t message_token ); - -OM_uint32 -_gsskrb5_get_tkt_flags ( - OM_uint32 */*minor_status*/, - gsskrb5_ctx /*ctx*/, - OM_uint32 */*tkt_flags*/); - -OM_uint32 -_gsskrb5_import_cred ( - OM_uint32 */*minor_status*/, - krb5_ccache /*id*/, - krb5_principal /*keytab_principal*/, - krb5_keytab /*keytab*/, - gss_cred_id_t */*cred*/); - -OM_uint32 -_gsskrb5_import_name ( - OM_uint32 * /*minor_status*/, - const gss_buffer_t /*input_name_buffer*/, - const gss_OID /*input_name_type*/, - gss_name_t * output_name ); - -OM_uint32 -_gsskrb5_import_sec_context ( - OM_uint32 * /*minor_status*/, - const gss_buffer_t /*interprocess_token*/, - gss_ctx_id_t * context_handle ); - -OM_uint32 -_gsskrb5_indicate_mechs ( - OM_uint32 * /*minor_status*/, - gss_OID_set * mech_set ); - -krb5_error_code -_gsskrb5_init (krb5_context */*context*/); - -OM_uint32 -_gsskrb5_init_sec_context ( - OM_uint32 * /*minor_status*/, - const 
gss_cred_id_t /*initiator_cred_handle*/, - gss_ctx_id_t * /*context_handle*/, - const gss_name_t /*target_name*/, - const gss_OID /*mech_type*/, - OM_uint32 /*req_flags*/, - OM_uint32 /*time_req*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - const gss_buffer_t /*input_token*/, - gss_OID * /*actual_mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * time_rec ); - -OM_uint32 -_gsskrb5_inquire_context ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_name_t * /*src_name*/, - gss_name_t * /*targ_name*/, - OM_uint32 * /*lifetime_rec*/, - gss_OID * /*mech_type*/, - OM_uint32 * /*ctx_flags*/, - int * /*locally_initiated*/, - int * open_context ); - -OM_uint32 -_gsskrb5_inquire_cred ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - gss_name_t * /*output_name*/, - OM_uint32 * /*lifetime*/, - gss_cred_usage_t * /*cred_usage*/, - gss_OID_set * mechanisms ); - -OM_uint32 -_gsskrb5_inquire_cred_by_mech ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - const gss_OID /*mech_type*/, - gss_name_t * /*name*/, - OM_uint32 * /*initiator_lifetime*/, - OM_uint32 * /*acceptor_lifetime*/, - gss_cred_usage_t * cred_usage ); - -OM_uint32 -_gsskrb5_inquire_cred_by_oid ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - const gss_OID /*desired_object*/, - gss_buffer_set_t */*data_set*/); - -OM_uint32 -_gsskrb5_inquire_mechs_for_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_OID_set * mech_types ); - -OM_uint32 -_gsskrb5_inquire_names_for_mech ( - OM_uint32 * /*minor_status*/, - const gss_OID /*mechanism*/, - gss_OID_set * name_types ); - -OM_uint32 -_gsskrb5_inquire_sec_context_by_oid ( - OM_uint32 */*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_OID /*desired_object*/, - gss_buffer_set_t */*data_set*/); - -OM_uint32 -_gsskrb5_krb5_ccache_name ( - OM_uint32 */*minor_status*/, - const 
char */*name*/, - const char **/*out_name*/); - -OM_uint32 -_gsskrb5_lifetime_left ( - OM_uint32 */*minor_status*/, - krb5_context /*context*/, - OM_uint32 /*lifetime*/, - OM_uint32 */*lifetime_rec*/); - -void * -_gsskrb5_make_header ( - void */*ptr*/, - size_t /*len*/, - const void */*type*/, - const gss_OID /*mech*/); - -OM_uint32 -_gsskrb5_process_context_token ( - OM_uint32 */*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t token_buffer ); - -OM_uint32 -_gsskrb5_pseudo_random ( - OM_uint32 */*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*prf_key*/, - const gss_buffer_t /*prf_in*/, - ssize_t /*desired_output_len*/, - gss_buffer_t /*prf_out*/); - -OM_uint32 -_gsskrb5_register_acceptor_identity (const char */*identity*/); - -OM_uint32 -_gsskrb5_release_buffer ( - OM_uint32 * /*minor_status*/, - gss_buffer_t buffer ); - -OM_uint32 -_gsskrb5_release_cred ( - OM_uint32 * /*minor_status*/, - gss_cred_id_t * cred_handle ); - -OM_uint32 -_gsskrb5_release_name ( - OM_uint32 * /*minor_status*/, - gss_name_t * input_name ); - -OM_uint32 -_gsskrb5_seal ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - int /*qop_req*/, - gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t output_message_buffer ); - -OM_uint32 -_gsskrb5_set_cred_option ( - OM_uint32 */*minor_status*/, - gss_cred_id_t */*cred_handle*/, - const gss_OID /*desired_object*/, - const gss_buffer_t /*value*/); - -OM_uint32 -_gsskrb5_set_sec_context_option ( - OM_uint32 */*minor_status*/, - gss_ctx_id_t */*context_handle*/, - const gss_OID /*desired_object*/, - const gss_buffer_t /*value*/); - -void -_gsskrb5_set_status ( - const char */*fmt*/, - ...); - -OM_uint32 -_gsskrb5_sign ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - int /*qop_req*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t message_token ); - -OM_uint32 -_gsskrb5_unseal ( - OM_uint32 * /*minor_status*/, - 
gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - int * qop_state ); - -OM_uint32 -_gsskrb5_unwrap ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - gss_qop_t * qop_state ); - -OM_uint32 -_gsskrb5_verify ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t /*context_handle*/, - gss_buffer_t /*message_buffer*/, - gss_buffer_t /*token_buffer*/, - int * qop_state ); - -OM_uint32 -_gsskrb5_verify_8003_checksum ( - OM_uint32 */*minor_status*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - const Checksum */*cksum*/, - OM_uint32 */*flags*/, - krb5_data */*fwd_data*/); - -OM_uint32 -_gsskrb5_verify_header ( - u_char **/*str*/, - size_t /*total_len*/, - const void */*type*/, - gss_OID /*oid*/); - -OM_uint32 -_gsskrb5_verify_mic ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*message_buffer*/, - const gss_buffer_t /*token_buffer*/, - gss_qop_t * qop_state ); - -OM_uint32 -_gsskrb5_verify_mic_internal ( - OM_uint32 * /*minor_status*/, - const gsskrb5_ctx /*context_handle*/, - krb5_context /*context*/, - const gss_buffer_t /*message_buffer*/, - const gss_buffer_t /*token_buffer*/, - gss_qop_t * /*qop_state*/, - char * type ); - -OM_uint32 -_gsskrb5_wrap ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t output_message_buffer ); - -OM_uint32 -_gsskrb5_wrap_size_limit ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - OM_uint32 /*req_output_size*/, - OM_uint32 * max_input_size ); - -krb5_error_code -_gsskrb5cfx_max_wrap_length_cfx ( - krb5_context /*context*/, - 
krb5_crypto /*crypto*/, - int /*conf_req_flag*/, - size_t /*input_length*/, - OM_uint32 */*output_length*/); - -krb5_error_code -_gsskrb5cfx_wrap_length_cfx ( - krb5_context /*context*/, - krb5_crypto /*crypto*/, - int /*conf_req_flag*/, - size_t /*input_length*/, - size_t */*output_length*/, - size_t */*cksumsize*/, - uint16_t */*padlength*/); - -krb5_error_code -_gsskrb5i_address_to_krb5addr ( - krb5_context /*context*/, - OM_uint32 /*gss_addr_type*/, - gss_buffer_desc */*gss_addr*/, - int16_t /*port*/, - krb5_address */*address*/); - -krb5_error_code -_gsskrb5i_get_acceptor_subkey ( - const gsskrb5_ctx /*ctx*/, - krb5_context /*context*/, - krb5_keyblock **/*key*/); - -krb5_error_code -_gsskrb5i_get_initiator_subkey ( - const gsskrb5_ctx /*ctx*/, - krb5_context /*context*/, - krb5_keyblock **/*key*/); - -OM_uint32 -_gsskrb5i_get_token_key ( - const gsskrb5_ctx /*ctx*/, - krb5_context /*context*/, - krb5_keyblock **/*key*/); - -void -_gsskrb5i_is_cfx ( - gsskrb5_ctx /*ctx*/, - int */*is_cfx*/); - -#endif /* __gsskrb5_private_h__ */ diff --git a/crypto/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/crypto/heimdal/lib/gssapi/krb5/gsskrb5_locl.h deleted file mode 100644 index 6ffb6070352f..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/gsskrb5_locl.h +++ /dev/null 
@@ -1,134 +0,0 @@ -/* - * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: gsskrb5_locl.h 20324 2007-04-12 16:46:01Z lha $ */ - -#ifndef GSSKRB5_LOCL_H -#define GSSKRB5_LOCL_H - -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif - -#include <krb5_locl.h> -#include <gkrb5_err.h> -#include <gssapi.h> -#include <gssapi_mech.h> -#include <assert.h> - -#include "cfx.h" - -/* - * - */ - -struct gss_msg_order; - -typedef struct { - struct krb5_auth_context_data *auth_context; - krb5_principal source, target; -#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0) - OM_uint32 flags; - enum { LOCAL = 1, OPEN = 2, - COMPAT_OLD_DES3 = 4, - COMPAT_OLD_DES3_SELECTED = 8, - ACCEPTOR_SUBKEY = 16 - } more_flags; - enum gss_ctx_id_t_state { - /* initiator states */ - INITIATOR_START, - INITIATOR_WAIT_FOR_MUTAL, - INITIATOR_READY, - /* acceptor states */ - ACCEPTOR_START, - ACCEPTOR_WAIT_FOR_DCESTYLE, - ACCEPTOR_READY - } state; - struct krb5_ticket *ticket; - OM_uint32 lifetime; - HEIMDAL_MUTEX ctx_id_mutex; - struct gss_msg_order *order; - krb5_keyblock *service_keyblock; - krb5_data fwd_data; -} *gsskrb5_ctx; - -typedef struct { - krb5_principal principal; - int cred_flags; -#define GSS_CF_DESTROY_CRED_ON_RELEASE 1 - struct krb5_keytab_data *keytab; - OM_uint32 lifetime; - gss_cred_usage_t usage; - gss_OID_set mechanisms; - struct krb5_ccache_data *ccache; - HEIMDAL_MUTEX cred_id_mutex; - krb5_enctype *enctypes; -} *gsskrb5_cred; - -typedef struct Principal *gsskrb5_name; - -/* - * - */ - -extern krb5_keytab _gsskrb5_keytab; -extern HEIMDAL_MUTEX gssapi_keytab_mutex; - -struct gssapi_thr_context { - HEIMDAL_MUTEX mutex; - char *error_string; -}; - -/* - * Prototypes - */ - -#include <krb5/gsskrb5-private.h> - -#define GSSAPI_KRB5_INIT(ctx) do { \ - krb5_error_code kret_gss_init; \ - if((kret_gss_init = _gsskrb5_init (ctx)) != 0) { \ - *minor_status = kret_gss_init; \ - return GSS_S_FAILURE; \ - } \ -} while (0) - -/* sec_context flags */ - -#define SC_LOCAL_ADDRESS 0x01 -#define SC_REMOTE_ADDRESS 0x02 -#define SC_KEYBLOCK 0x04 
-#define SC_LOCAL_SUBKEY 0x08 -#define SC_REMOTE_SUBKEY 0x10 - -#endif diff --git a/crypto/heimdal/lib/gssapi/krb5/import_name.c b/crypto/heimdal/lib/gssapi/krb5/import_name.c deleted file mode 100644 index bf31db923256..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/import_name.c +++ /dev/null 
@@ -1,225 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: import_name.c 19031 2006-11-13 18:02:57Z lha $"); - -static OM_uint32 -parse_krb5_name (OM_uint32 *minor_status, - krb5_context context, - const char *name, - gss_name_t *output_name) -{ - krb5_principal princ; - krb5_error_code kerr; - - kerr = krb5_parse_name (context, name, &princ); - - if (kerr == 0) { - *output_name = (gss_name_t)princ; - return GSS_S_COMPLETE; - } - *minor_status = kerr; - - if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) - return GSS_S_BAD_NAME; - - return GSS_S_FAILURE; -} - -static OM_uint32 -import_krb5_name (OM_uint32 *minor_status, - krb5_context context, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - OM_uint32 ret; - char *tmp; - - tmp = malloc (input_name_buffer->length + 1); - if (tmp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, - input_name_buffer->value, - input_name_buffer->length); - tmp[input_name_buffer->length] = '\0'; - - ret = parse_krb5_name(minor_status, context, tmp, output_name); - free(tmp); - - return ret; -} - -static OM_uint32 -import_hostbased_name (OM_uint32 *minor_status, - krb5_context context, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - krb5_error_code kerr; - char *tmp; - char *p; - char *host; - char local_hostname[MAXHOSTNAMELEN]; - krb5_principal princ = NULL; - - tmp = malloc (input_name_buffer->length + 1); - if (tmp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, - input_name_buffer->value, - input_name_buffer->length); - tmp[input_name_buffer->length] = '\0'; - - p = strchr (tmp, '@'); - if (p != NULL) { - *p = '\0'; - host = p + 1; - } else { - if (gethostname(local_hostname, sizeof(local_hostname)) < 0) { - *minor_status = errno; - free (tmp); - return GSS_S_FAILURE; - } - host = local_hostname; - } - - kerr = krb5_sname_to_principal (context, - host, - tmp, - KRB5_NT_SRV_HST, - &princ); - free (tmp); - 
*minor_status = kerr; - if (kerr == 0) { - *output_name = (gss_name_t)princ; - return GSS_S_COMPLETE; - } - - if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) - return GSS_S_BAD_NAME; - - return GSS_S_FAILURE; -} - -static OM_uint32 -import_export_name (OM_uint32 *minor_status, - krb5_context context, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - unsigned char *p; - uint32_t length; - OM_uint32 ret; - char *name; - - if (input_name_buffer->length < 10 + GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_NAME; - - /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */ - - p = input_name_buffer->value; - - if (memcmp(&p[0], "\x04\x01\x00", 3) != 0 || - p[3] != GSS_KRB5_MECHANISM->length + 2 || - p[4] != 0x06 || - p[5] != GSS_KRB5_MECHANISM->length || - memcmp(&p[6], GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length) != 0) - return GSS_S_BAD_NAME; - - p += 6 + GSS_KRB5_MECHANISM->length; - - length = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; - p += 4; - - if (length > input_name_buffer->length - 10 - GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_NAME; - - name = malloc(length + 1); - if (name == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(name, p, length); - name[length] = '\0'; - - ret = parse_krb5_name(minor_status, context, name, output_name); - free(name); - - return ret; -} - -OM_uint32 _gsskrb5_import_name - (OM_uint32 * minor_status, - const gss_buffer_t input_name_buffer, - const gss_OID input_name_type, - gss_name_t * output_name - ) -{ - krb5_context context; - - *minor_status = 0; - *output_name = GSS_C_NO_NAME; - - GSSAPI_KRB5_INIT (&context); - - if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE) || - gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE_X)) - return import_hostbased_name (minor_status, - context, - input_name_buffer, - output_name); - else if (gss_oid_equal(input_name_type, GSS_C_NO_OID) - || gss_oid_equal(input_name_type, GSS_C_NT_USER_NAME) - || 
gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) - /* default printable syntax */ - return import_krb5_name (minor_status, - context, - input_name_buffer, - output_name); - else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) { - return import_export_name(minor_status, - context, - input_name_buffer, - output_name); - } else { - *minor_status = 0; - return GSS_S_BAD_NAMETYPE; - } -} diff --git a/crypto/heimdal/lib/gssapi/krb5/import_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/import_sec_context.c deleted file mode 100644 index 3300036a81b3..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/import_sec_context.c +++ /dev/null 
@@ -1,229 +0,0 @@
-/*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: import_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32
-_gsskrb5_import_sec_context (
- OM_uint32 * minor_status,
- const gss_buffer_t interprocess_token,
- gss_ctx_id_t * context_handle
- )
-{
- OM_uint32 ret = GSS_S_FAILURE;
- krb5_context context;
- krb5_error_code kret;
- krb5_storage *sp;
- krb5_auth_context ac;
- krb5_address local, remote;
- krb5_address *localp, *remotep;
- krb5_data data;
- gss_buffer_desc buffer;
- krb5_keyblock keyblock;
- int32_t tmp;
- int32_t flags;
- gsskrb5_ctx ctx;
- gss_name_t name;
-
- GSSAPI_KRB5_INIT (&context);
-
- *context_handle = GSS_C_NO_CONTEXT;
-
- localp = remotep = NULL;
-
- sp = krb5_storage_from_mem (interprocess_token->value,
- interprocess_token->length);
- if (sp == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- ctx = calloc(1, sizeof(*ctx));
- if (ctx == NULL) {
- *minor_status = ENOMEM;
- krb5_storage_free (sp);
- return GSS_S_FAILURE;
- }
- HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
-
- kret = krb5_auth_con_init (context,
- &ctx->auth_context);
- if (kret) {
- *minor_status = kret;
- ret = GSS_S_FAILURE;
- goto failure;
- }
-
- /* flags */
-
- *minor_status = 0;
-
- if (krb5_ret_int32 (sp, &flags) != 0)
- goto failure;
-
- /* retrieve the auth context */
-
- ac = ctx->auth_context;
- if (krb5_ret_uint32 (sp, &ac->flags) != 0)
- goto failure;
- if (flags & SC_LOCAL_ADDRESS) {
- if (krb5_ret_address (sp, localp = &local) != 0)
- goto failure;
- }
-
- if (flags & SC_REMOTE_ADDRESS) {
- if (krb5_ret_address (sp, remotep = &remote) != 0)
- goto failure;
- }
-
- krb5_auth_con_setaddrs (context, ac, localp, remotep);
- if (localp)
- krb5_free_address (context, localp);
- if (remotep)
- krb5_free_address (context, remotep);
- localp = remotep = NULL;
-
- if (krb5_ret_int16 (sp, &ac->local_port) != 0)
- goto failure;
-
- if (krb5_ret_int16 (sp, &ac->remote_port) != 0)
- goto failure;
- if (flags & SC_KEYBLOCK) {
- if (krb5_ret_keyblock (sp, &keyblock) != 0)
- goto failure;
- krb5_auth_con_setkey (context, ac, &keyblock);
- krb5_free_keyblock_contents (context, &keyblock);
- }
- if (flags & SC_LOCAL_SUBKEY) {
- if (krb5_ret_keyblock (sp, &keyblock) != 0)
- goto failure;
- krb5_auth_con_setlocalsubkey (context, ac, &keyblock);
- krb5_free_keyblock_contents (context, &keyblock);
- }
- if (flags & SC_REMOTE_SUBKEY) {
- if (krb5_ret_keyblock (sp, &keyblock) != 0)
- goto failure;
- krb5_auth_con_setremotesubkey (context, ac, &keyblock);
- krb5_free_keyblock_contents (context, &keyblock);
- }
- if (krb5_ret_uint32 (sp, &ac->local_seqnumber))
- goto failure;
- if (krb5_ret_uint32 (sp, &ac->remote_seqnumber))
- goto failure;
-
- if (krb5_ret_int32 (sp, &tmp) != 0)
- goto failure;
- ac->keytype = tmp;
- if (krb5_ret_int32 (sp, &tmp) != 0)
- goto failure;
- ac->cksumtype = tmp;
-
- /* names */
-
- if (krb5_ret_data (sp, &data))
- goto failure;
- buffer.value = data.data;
- buffer.length = data.length;
-
- ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
- &name);
- if (ret) {
- ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
- &name);
- if (ret) {
- krb5_data_free (&data);
- goto failure;
- }
- }
- ctx->source = (krb5_principal)name;
- krb5_data_free (&data);
-
- if (krb5_ret_data (sp, &data) != 0)
- goto failure;
- buffer.value = data.data;
- buffer.length = data.length;
-
- ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
- &name);
- if (ret) {
- ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
- &name);
- if (ret) {
- krb5_data_free (&data);
- goto failure;
- }
- }
- ctx->target = (krb5_principal)name;
- krb5_data_free (&data);
-
- if (krb5_ret_int32 (sp, &tmp))
- goto failure;
- ctx->flags = tmp;
- if (krb5_ret_int32 (sp, &tmp))
- goto failure;
- ctx->more_flags = tmp;
- if (krb5_ret_int32 (sp, &tmp))
- goto failure;
- ctx->lifetime = tmp;
-
- ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
- if (ret)
- goto failure;
-
- krb5_storage_free (sp);
-
- *context_handle = (gss_ctx_id_t)ctx;
-
- return GSS_S_COMPLETE;
-
-failure:
- krb5_auth_con_free (context,
- ctx->auth_context);
- if (ctx->source != NULL)
- krb5_free_principal(context, ctx->source);
- if (ctx->target != NULL)
- krb5_free_principal(context, ctx->target);
- if (localp)
- krb5_free_address (context, localp);
- if (remotep)
- krb5_free_address (context, remotep);
- if(ctx->order)
- _gssapi_msg_order_destroy(&ctx->order);
- HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
- krb5_storage_free (sp);
- free (ctx);
- *context_handle = GSS_C_NO_CONTEXT;
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/indicate_mechs.c b/crypto/heimdal/lib/gssapi/krb5/indicate_mechs.c
deleted file mode 100644
index 3300036a81b3..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/indicate_mechs.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: indicate_mechs.c 20688 2007-05-17 18:44:31Z lha $");
-
-OM_uint32 _gsskrb5_indicate_mechs
- (OM_uint32 * minor_status,
- gss_OID_set * mech_set
- )
-{
- OM_uint32 ret, junk;
-
- ret = gss_create_empty_oid_set(minor_status, mech_set);
- if (ret)
- return ret;
-
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, mech_set);
- if (ret) {
- gss_release_oid_set(&junk, mech_set);
- return ret;
- }
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/init.c b/crypto/heimdal/lib/gssapi/krb5/init.c
deleted file mode 100644
index 3bbdcc8ff1a2..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/init.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003, 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: init.c 19031 2006-11-13 18:02:57Z lha $");
-
-static HEIMDAL_MUTEX context_mutex = HEIMDAL_MUTEX_INITIALIZER;
-static int created_key;
-static HEIMDAL_thread_key context_key;
-
-static void
-destroy_context(void *ptr)
-{
- krb5_context context = ptr;
-
- if (context == NULL)
- return;
- krb5_free_context(context);
-}
-
-krb5_error_code
-_gsskrb5_init (krb5_context *context)
-{
- krb5_error_code ret = 0;
-
- HEIMDAL_MUTEX_lock(&context_mutex);
-
- if (!created_key) {
- HEIMDAL_key_create(&context_key, destroy_context, ret);
- if (ret) {
- HEIMDAL_MUTEX_unlock(&context_mutex);
- return ret;
- }
- created_key = 1;
- }
- HEIMDAL_MUTEX_unlock(&context_mutex);
-
- *context = HEIMDAL_getspecific(context_key);
- if (*context == NULL) {
-
- ret = krb5_init_context(context);
- if (ret == 0) {
- HEIMDAL_setspecific(context_key, *context, ret);
- if (ret) {
- krb5_free_context(*context);
- *context = NULL;
- }
- }
- }
-
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/init_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/init_sec_context.c
deleted file mode 100644
index 05f7978e4337..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ /dev/null
@@ -1,811 +0,0 @@
-/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: init_sec_context.c 22071 2007-11-14 20:04:50Z lha $"); - -/* - * copy the addresses from `input_chan_bindings' (if any) to - * the auth context `ac' - */ - -static OM_uint32 -set_addresses (krb5_context context, - krb5_auth_context ac, - const gss_channel_bindings_t input_chan_bindings) -{ - /* Port numbers are expected to be in application_data.value, - * initator's port first */ - - krb5_address initiator_addr, acceptor_addr; - krb5_error_code kret; - - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS - || input_chan_bindings->application_data.length != - 2 * sizeof(ac->local_port)) - return 0; - - memset(&initiator_addr, 0, sizeof(initiator_addr)); - memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - - ac->local_port = - *(int16_t *) input_chan_bindings->application_data.value; - - ac->remote_port = - *((int16_t *) input_chan_bindings->application_data.value + 1); - - kret = _gsskrb5i_address_to_krb5addr(context, - input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - ac->remote_port, - &acceptor_addr); - if (kret) - return kret; - - kret = _gsskrb5i_address_to_krb5addr(context, - input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - ac->local_port, - &initiator_addr); - if (kret) { - krb5_free_address (context, &acceptor_addr); - return kret; - } - - kret = krb5_auth_con_setaddrs(context, - ac, - &initiator_addr, /* local address */ - &acceptor_addr); /* remote address */ - - krb5_free_address (context, &initiator_addr); - krb5_free_address (context, &acceptor_addr); - -#if 0 - free(input_chan_bindings->application_data.value); - input_chan_bindings->application_data.value = NULL; - input_chan_bindings->application_data.length = 0; -#endif - - return kret; -} - -OM_uint32 -_gsskrb5_create_ctx( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - krb5_context context, - const gss_channel_bindings_t input_chan_bindings, - enum 
gss_ctx_id_t_state state) -{ - krb5_error_code kret; - gsskrb5_ctx ctx; - - *context_handle = NULL; - - ctx = malloc(sizeof(*ctx)); - if (ctx == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ctx->auth_context = NULL; - ctx->source = NULL; - ctx->target = NULL; - ctx->state = state; - ctx->flags = 0; - ctx->more_flags = 0; - ctx->service_keyblock = NULL; - ctx->ticket = NULL; - krb5_data_zero(&ctx->fwd_data); - ctx->lifetime = GSS_C_INDEFINITE; - ctx->order = NULL; - HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); - - kret = krb5_auth_con_init (context, &ctx->auth_context); - if (kret) { - *minor_status = kret; - - HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); - - return GSS_S_FAILURE; - } - - kret = set_addresses(context, ctx->auth_context, input_chan_bindings); - if (kret) { - *minor_status = kret; - - HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); - - krb5_auth_con_free(context, ctx->auth_context); - - return GSS_S_BAD_BINDINGS; - } - - /* - * We need a sequence number - */ - - krb5_auth_con_addflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE | - KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, - NULL); - - *context_handle = (gss_ctx_id_t)ctx; - - return GSS_S_COMPLETE; -} - - -static OM_uint32 -gsskrb5_get_creds( - OM_uint32 * minor_status, - krb5_context context, - krb5_ccache ccache, - gsskrb5_ctx ctx, - krb5_const_principal target_name, - OM_uint32 time_req, - OM_uint32 * time_rec, - krb5_creds ** cred) -{ - OM_uint32 ret; - krb5_error_code kret; - krb5_creds this_cred; - OM_uint32 lifetime_rec; - - *cred = NULL; - - memset(&this_cred, 0, sizeof(this_cred)); - this_cred.client = ctx->source; - this_cred.server = ctx->target; - - if (time_req && time_req != GSS_C_INDEFINITE) { - krb5_timestamp ts; - - krb5_timeofday (context, &ts); - this_cred.times.endtime = ts + time_req; - } else { - this_cred.times.endtime = 0; - } - - this_cred.session.keytype = KEYTYPE_NULL; - - kret = krb5_get_credentials(context, - 0, - ccache, - &this_cred, - cred); - if 
(kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - - ctx->lifetime = (*cred)->times.endtime; - - ret = _gsskrb5_lifetime_left(minor_status, context, - ctx->lifetime, &lifetime_rec); - if (ret) return ret; - - if (lifetime_rec == 0) { - *minor_status = 0; - return GSS_S_CONTEXT_EXPIRED; - } - - if (time_rec) *time_rec = lifetime_rec; - - return GSS_S_COMPLETE; -} - -static OM_uint32 -gsskrb5_initiator_ready( - OM_uint32 * minor_status, - gsskrb5_ctx ctx, - krb5_context context) -{ - OM_uint32 ret; - int32_t seq_number; - int is_cfx = 0; - OM_uint32 flags = ctx->flags; - - krb5_auth_getremoteseqnumber (context, - ctx->auth_context, - &seq_number); - - _gsskrb5i_is_cfx(ctx, &is_cfx); - - ret = _gssapi_msg_order_create(minor_status, - &ctx->order, - _gssapi_msg_order_f(flags), - seq_number, 0, is_cfx); - if (ret) return ret; - - ctx->state = INITIATOR_READY; - ctx->more_flags |= OPEN; - - return GSS_S_COMPLETE; -} - -/* - * handle delegated creds in init-sec-context - */ - -static void -do_delegation (krb5_context context, - krb5_auth_context ac, - krb5_ccache ccache, - krb5_creds *cred, - krb5_const_principal name, - krb5_data *fwd_data, - uint32_t *flags) -{ - krb5_creds creds; - KDCOptions fwd_flags; - krb5_error_code kret; - - memset (&creds, 0, sizeof(creds)); - krb5_data_zero (fwd_data); - - kret = krb5_cc_get_principal(context, ccache, &creds.client); - if (kret) - goto out; - - kret = krb5_build_principal(context, - &creds.server, - strlen(creds.client->realm), - creds.client->realm, - KRB5_TGS_NAME, - creds.client->realm, - NULL); - if (kret) - goto out; - - creds.times.endtime = 0; - - memset(&fwd_flags, 0, sizeof(fwd_flags)); - fwd_flags.forwarded = 1; - fwd_flags.forwardable = 1; - - if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/ - name->name.name_string.len < 2) - goto out; - - kret = krb5_get_forwarded_creds(context, - ac, - ccache, - KDCOptions2int(fwd_flags), - name->name.name_string.val[1], - &creds, - fwd_data); - - out: - if 
(kret) - *flags &= ~GSS_C_DELEG_FLAG; - else - *flags |= GSS_C_DELEG_FLAG; - - if (creds.client) - krb5_free_principal(context, creds.client); - if (creds.server) - krb5_free_principal(context, creds.server); -} - -/* - * first stage of init-sec-context - */ - -static OM_uint32 -init_auth -(OM_uint32 * minor_status, - gsskrb5_cred initiator_cred_handle, - gsskrb5_ctx ctx, - krb5_context context, - krb5_const_principal name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - krb5_error_code kret; - krb5_flags ap_options; - krb5_creds *cred = NULL; - krb5_data outbuf; - krb5_ccache ccache = NULL; - uint32_t flags; - krb5_data authenticator; - Checksum cksum; - krb5_enctype enctype; - krb5_data fwd_data; - OM_uint32 lifetime_rec; - - krb5_data_zero(&outbuf); - krb5_data_zero(&fwd_data); - - *minor_status = 0; - - if (actual_mech_type) - *actual_mech_type = GSS_KRB5_MECHANISM; - - if (initiator_cred_handle == NULL) { - kret = krb5_cc_default (context, &ccache); - if (kret) { - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - } else - ccache = initiator_cred_handle->ccache; - - kret = krb5_cc_get_principal (context, ccache, &ctx->source); - if (kret) { - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = krb5_copy_principal (context, name, &ctx->target); - if (kret) { - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); - if (ret) - goto failure; - - - /* - * This is hideous glue for (NFS) clients that wants to limit the - * available enctypes to what it can support (encryption in - * kernel). If there is no enctypes selected for this credential, - * reset it to the default set of enctypes. 
- */ - { - krb5_enctype *enctypes = NULL; - - if (initiator_cred_handle && initiator_cred_handle->enctypes) - enctypes = initiator_cred_handle->enctypes; - krb5_set_default_in_tkt_etypes(context, enctypes); - } - - ret = gsskrb5_get_creds(minor_status, - context, - ccache, - ctx, - ctx->target, - time_req, - time_rec, - &cred); - if (ret) - goto failure; - - ctx->lifetime = cred->times.endtime; - - ret = _gsskrb5_lifetime_left(minor_status, - context, - ctx->lifetime, - &lifetime_rec); - if (ret) { - goto failure; - } - - if (lifetime_rec == 0) { - *minor_status = 0; - ret = GSS_S_CONTEXT_EXPIRED; - goto failure; - } - - krb5_auth_con_setkey(context, - ctx->auth_context, - &cred->session); - - kret = krb5_auth_con_generatelocalsubkey(context, - ctx->auth_context, - &cred->session); - if(kret) { - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - /* - * If the credential doesn't have ok-as-delegate, check what local - * policy say about ok-as-delegate, default is FALSE that makes - * code ignore the KDC setting and follow what the application - * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the - * KDC doesn't set ok-as-delegate. 
- */
- if (!cred->flags.b.ok_as_delegate) {
- krb5_boolean delegate;
-
- krb5_appdefault_boolean(context,
- "gssapi", name->realm,
- "ok-as-delegate", FALSE, &delegate);
- if (delegate)
- req_flags &= ~GSS_C_DELEG_FLAG;
- }
-
- flags = 0;
- ap_options = 0;
- if (req_flags & GSS_C_DELEG_FLAG)
- do_delegation (context,
- ctx->auth_context,
- ccache, cred, name, &fwd_data, &flags);
-
- if (req_flags & GSS_C_MUTUAL_FLAG) {
- flags |= GSS_C_MUTUAL_FLAG;
- ap_options |= AP_OPTS_MUTUAL_REQUIRED;
- }
-
- if (req_flags & GSS_C_REPLAY_FLAG)
- flags |= GSS_C_REPLAY_FLAG;
- if (req_flags & GSS_C_SEQUENCE_FLAG)
- flags |= GSS_C_SEQUENCE_FLAG;
- if (req_flags & GSS_C_ANON_FLAG)
- ; /* XXX */
- if (req_flags & GSS_C_DCE_STYLE) {
- /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
- flags |= GSS_C_DCE_STYLE | GSS_C_MUTUAL_FLAG;
- ap_options |= AP_OPTS_MUTUAL_REQUIRED;
- }
- if (req_flags & GSS_C_IDENTIFY_FLAG)
- flags |= GSS_C_IDENTIFY_FLAG;
- if (req_flags & GSS_C_EXTENDED_ERROR_FLAG)
- flags |= GSS_C_EXTENDED_ERROR_FLAG;
-
- flags |= GSS_C_CONF_FLAG;
- flags |= GSS_C_INTEG_FLAG;
- flags |= GSS_C_TRANS_FLAG;
-
- if (ret_flags)
- *ret_flags = flags;
- ctx->flags = flags;
- ctx->more_flags |= LOCAL;
-
- ret = _gsskrb5_create_8003_checksum (minor_status,
- input_chan_bindings,
- flags,
- &fwd_data,
- &cksum);
- krb5_data_free (&fwd_data);
- if (ret)
- goto failure;
-
- enctype = ctx->auth_context->keyblock->keytype;
-
- kret = krb5_build_authenticator (context,
- ctx->auth_context,
- enctype,
- cred,
- &cksum,
- NULL,
- &authenticator,
- KRB5_KU_AP_REQ_AUTH);
-
- if (kret) {
- *minor_status = kret;
- ret = GSS_S_FAILURE;
- goto failure;
- }
-
- kret = krb5_build_ap_req (context,
- enctype,
- cred,
- ap_options,
- authenticator,
- &outbuf);
-
- if (kret) {
- *minor_status = kret;
- ret = GSS_S_FAILURE;
- goto failure;
- }
-
- ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
- (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
- if (ret)
- goto failure;
-
- krb5_data_free (&outbuf);
- krb5_free_creds(context, cred);
- free_Checksum(&cksum);
- if (initiator_cred_handle == NULL)
- krb5_cc_close(context, ccache);
-
- if (flags & GSS_C_MUTUAL_FLAG) {
- ctx->state = INITIATOR_WAIT_FOR_MUTAL;
- return GSS_S_CONTINUE_NEEDED;
- }
-
- return gsskrb5_initiator_ready(minor_status, ctx, context);
-failure:
- if(cred)
- krb5_free_creds(context, cred);
- if (ccache && initiator_cred_handle == NULL)
- krb5_cc_close(context, ccache);
-
- return ret;
-
-}
-
-static OM_uint32
-repl_mutual
-(OM_uint32 * minor_status,
- gsskrb5_ctx ctx,
- krb5_context context,
- const gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
- const gss_buffer_t input_token,
- gss_OID * actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec
- )
-{
- OM_uint32 ret;
- krb5_error_code kret;
- krb5_data indata;
- krb5_ap_rep_enc_part *repl;
- int is_cfx = 0;
-
- output_token->length = 0;
- output_token->value = NULL;
-
- if (actual_mech_type)
- *actual_mech_type = GSS_KRB5_MECHANISM;
-
- if (ctx->flags & GSS_C_DCE_STYLE) {
- /* There is no OID wrapping. */
- indata.length = input_token->length;
- indata.data = input_token->value;
- } else {
- ret = _gsskrb5_decapsulate (minor_status,
- input_token,
- &indata,
- "\x02\x00",
- GSS_KRB5_MECHANISM);
- if (ret) {
- /* XXX - Handle AP_ERROR */
- return ret;
- }
- }
-
- kret = krb5_rd_rep (context,
- ctx->auth_context,
- &indata,
- &repl);
- if (kret) {
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
- krb5_free_ap_rep_enc_part (context,
- repl);
-
- _gsskrb5i_is_cfx(ctx, &is_cfx);
- if (is_cfx) {
- krb5_keyblock *key = NULL;
-
- kret = krb5_auth_con_getremotesubkey(context,
- ctx->auth_context,
- &key);
- if (kret == 0 && key != NULL) {
- ctx->more_flags |= ACCEPTOR_SUBKEY;
- krb5_free_keyblock (context, key);
- }
- }
-
-
- *minor_status = 0;
- if (time_rec) {
- ret = _gsskrb5_lifetime_left(minor_status,
- context,
- ctx->lifetime,
- time_rec);
- } else {
- ret = GSS_S_COMPLETE;
- }
- if (ret_flags)
- *ret_flags = ctx->flags;
-
- if (req_flags & GSS_C_DCE_STYLE) {
- int32_t con_flags;
- krb5_data outbuf;
-
- /* Do don't do sequence number for the mk-rep */
- krb5_auth_con_removeflags(context,
- ctx->auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE,
- &con_flags);
-
- kret = krb5_mk_rep(context,
- ctx->auth_context,
- &outbuf);
- if (kret) {
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
-
- output_token->length = outbuf.length;
- output_token->value = outbuf.data;
-
- krb5_auth_con_removeflags(context,
- ctx->auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE,
- NULL);
- }
-
- return gsskrb5_initiator_ready(minor_status, ctx, context);
-}
-
-/*
- * gss_init_sec_context
- */
-
-OM_uint32 _gsskrb5_init_sec_context
-(OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
- gss_ctx_id_t * context_handle,
- const gss_name_t target_name,
- const gss_OID mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
- const gss_buffer_t input_token,
- gss_OID * actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec
- )
-{
- krb5_context context;
- gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle;
- krb5_const_principal name = (krb5_const_principal)target_name;
- gsskrb5_ctx ctx;
- OM_uint32 ret;
-
- GSSAPI_KRB5_INIT (&context);
-
- output_token->length = 0;
- output_token->value = NULL;
-
- if (context_handle == NULL) {
- *minor_status = 0;
- return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
- }
-
- if (ret_flags)
- *ret_flags = 0;
- if (time_rec)
- *time_rec = 0;
-
- if (target_name == GSS_C_NO_NAME) {
- if (actual_mech_type)
- *actual_mech_type = GSS_C_NO_OID;
- *minor_status = 0;
- return GSS_S_BAD_NAME;
- }
-
- if (mech_type != GSS_C_NO_OID &&
- !gss_oid_equal(mech_type, GSS_KRB5_MECHANISM))
- return GSS_S_BAD_MECH;
-
- if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
- OM_uint32 ret;
-
- if (*context_handle != GSS_C_NO_CONTEXT) {
- *minor_status = 0;
- return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
- }
-
- ret = _gsskrb5_create_ctx(minor_status,
- context_handle,
- context,
- input_chan_bindings,
- INITIATOR_START);
- if (ret)
- return ret;
- }
-
- if (*context_handle == GSS_C_NO_CONTEXT) {
- *minor_status = 0;
- return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
- }
-
- ctx = (gsskrb5_ctx) *context_handle;
-
- HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
-
- switch (ctx->state) {
- case INITIATOR_START:
- ret = init_auth(minor_status,
- cred,
- ctx,
- context,
- name,
- mech_type,
- req_flags,
- time_req,
- input_chan_bindings,
- input_token,
- actual_mech_type,
- output_token,
- ret_flags,
- time_rec);
- break;
- case INITIATOR_WAIT_FOR_MUTAL:
- ret = repl_mutual(minor_status,
- ctx,
- context,
- mech_type,
- req_flags,
- time_req,
- input_chan_bindings,
- input_token,
- actual_mech_type,
- output_token,
- ret_flags,
- time_rec);
- break;
- case INITIATOR_READY:
- /*
- * If we get there, the caller have called
- * gss_init_sec_context() one time too many.
- */
- *minor_status = 0;
- ret = GSS_S_BAD_STATUS;
- break;
- default:
- *minor_status = 0;
- ret = GSS_S_BAD_STATUS;
- break;
- }
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-
- /* destroy context in case of error */
- if (GSS_ERROR(ret)) {
- OM_uint32 min2;
- _gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER);
- }
-
- return ret;
-
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_context.c b/crypto/heimdal/lib/gssapi/krb5/inquire_context.c
deleted file mode 100644
index 41430568b005..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/inquire_context.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: inquire_context.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_inquire_context (
- OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- gss_name_t * src_name,
- gss_name_t * targ_name,
- OM_uint32 * lifetime_rec,
- gss_OID * mech_type,
- OM_uint32 * ctx_flags,
- int * locally_initiated,
- int * open_context
- )
-{
- krb5_context context;
- OM_uint32 ret;
- gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle;
- gss_name_t name;
-
- if (src_name)
- *src_name = GSS_C_NO_NAME;
- if (targ_name)
- *targ_name = GSS_C_NO_NAME;
-
- GSSAPI_KRB5_INIT (&context);
-
- HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
-
- if (src_name) {
- name = (gss_name_t)ctx->source;
- ret = _gsskrb5_duplicate_name (minor_status, name, src_name);
- if (ret)
- goto failed;
- }
-
- if (targ_name) {
- name = (gss_name_t)ctx->target;
- ret = _gsskrb5_duplicate_name (minor_status, name, targ_name);
- if (ret)
- goto failed;
- }
-
- if (lifetime_rec) {
- ret = _gsskrb5_lifetime_left(minor_status,
- context,
- ctx->lifetime,
- lifetime_rec);
- if (ret)
- goto failed;
- }
-
- if (mech_type)
- *mech_type = GSS_KRB5_MECHANISM;
-
- if (ctx_flags)
- *ctx_flags = ctx->flags;
-
- if (locally_initiated)
- *locally_initiated = ctx->more_flags & LOCAL;
-
- if (open_context)
- *open_context = ctx->more_flags & OPEN;
-
- *minor_status = 0;
-
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- return GSS_S_COMPLETE;
-
-failed:
- if (src_name)
- _gsskrb5_release_name(NULL, src_name);
- if (targ_name)
- _gsskrb5_release_name(NULL, targ_name);
-
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_cred.c b/crypto/heimdal/lib/gssapi/krb5/inquire_cred.c
deleted file mode 100644
index 47bf71e686ff..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/inquire_cred.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: inquire_cred.c 20688 2007-05-17 18:44:31Z lha $");
-
-OM_uint32 _gsskrb5_inquire_cred
-(OM_uint32 * minor_status,
- const gss_cred_id_t cred_handle,
- gss_name_t * output_name,
- OM_uint32 * lifetime,
- gss_cred_usage_t * cred_usage,
- gss_OID_set * mechanisms
- )
-{
- krb5_context context;
- gss_cred_id_t aqcred_init = GSS_C_NO_CREDENTIAL;
- gss_cred_id_t aqcred_accept = GSS_C_NO_CREDENTIAL;
- gsskrb5_cred acred = NULL, icred = NULL;
- OM_uint32 ret;
-
- *minor_status = 0;
-
- if (output_name)
- *output_name = NULL;
- if (mechanisms)
- *mechanisms = GSS_C_NO_OID_SET;
-
- GSSAPI_KRB5_INIT (&context);
-
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- ret = _gsskrb5_acquire_cred(minor_status,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET,
- GSS_C_ACCEPT,
- &aqcred_accept,
- NULL,
- NULL);
- if (ret == GSS_S_COMPLETE)
- acred = (gsskrb5_cred)aqcred_accept;
-
- ret = _gsskrb5_acquire_cred(minor_status,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET,
- GSS_C_INITIATE,
- &aqcred_init,
- NULL,
- NULL);
- if (ret == GSS_S_COMPLETE)
- icred = (gsskrb5_cred)aqcred_init;
-
- if (icred == NULL && acred == NULL) {
- *minor_status = 0;
- return GSS_S_NO_CRED;
- }
- } else
- acred = (gsskrb5_cred)cred_handle;
-
- if (acred)
- HEIMDAL_MUTEX_lock(&acred->cred_id_mutex);
- if (icred)
- HEIMDAL_MUTEX_lock(&icred->cred_id_mutex);
-
- if (output_name != NULL) {
- if (icred && icred->principal != NULL) {
- gss_name_t name;
-
- if (acred && acred->principal)
- name = (gss_name_t)acred->principal;
- else
- name = (gss_name_t)icred->principal;
-
- ret = _gsskrb5_duplicate_name(minor_status, name, output_name);
- if (ret)
- goto out;
- } else if (acred && acred->usage == GSS_C_ACCEPT) {
- krb5_principal princ;
- *minor_status = krb5_sname_to_principal(context, NULL,
- NULL, KRB5_NT_SRV_HST,
- &princ);
- if (*minor_status) {
- ret = GSS_S_FAILURE;
- goto out;
- }
- *output_name = (gss_name_t)princ;
- } else {
- krb5_principal princ;
- *minor_status = krb5_get_default_principal(context,
- &princ);
- if (*minor_status) {
- ret = GSS_S_FAILURE;
- goto out;
- }
- *output_name = (gss_name_t)princ;
- }
- }
- if (lifetime != NULL) {
- OM_uint32 alife = GSS_C_INDEFINITE, ilife = GSS_C_INDEFINITE;
-
- if (acred) alife = acred->lifetime;
- if (icred) ilife = icred->lifetime;
-
- ret = _gsskrb5_lifetime_left(minor_status,
- context,
- min(alife,ilife),
- lifetime);
- if (ret)
- goto out;
- }
- if (cred_usage != NULL) {
- if (acred && icred)
- *cred_usage = GSS_C_BOTH;
- else if (acred)
- *cred_usage = GSS_C_ACCEPT;
- else if (icred)
- *cred_usage = GSS_C_INITIATE;
- else
- abort();
- }
-
- if (mechanisms != NULL) {
- ret = gss_create_empty_oid_set(minor_status, mechanisms);
- if (ret)
- goto out;
- if (acred)
- ret = gss_add_oid_set_member(minor_status,
- &acred->mechanisms->elements[0],
- mechanisms);
- if (ret == GSS_S_COMPLETE && icred)
- ret = gss_add_oid_set_member(minor_status,
- &icred->mechanisms->elements[0],
- mechanisms);
- if (ret)
- goto out;
- }
- ret = GSS_S_COMPLETE;
-out:
- if (acred)
- HEIMDAL_MUTEX_unlock(&acred->cred_id_mutex);
- if (icred)
- HEIMDAL_MUTEX_unlock(&icred->cred_id_mutex);
-
- if (aqcred_init != GSS_C_NO_CREDENTIAL)
- ret = _gsskrb5_release_cred(minor_status, &aqcred_init);
- if (aqcred_accept != GSS_C_NO_CREDENTIAL)
- ret = _gsskrb5_release_cred(minor_status, &aqcred_accept);
-
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c b/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c
deleted file mode 100644
index a8af2145bea8..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 2003, 2006, 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: inquire_cred_by_mech.c 20634 2007-05-09 15:33:01Z lha $");
-
-OM_uint32 _gsskrb5_inquire_cred_by_mech (
- OM_uint32 * minor_status,
- const gss_cred_id_t cred_handle,
- const gss_OID mech_type,
- gss_name_t * name,
- OM_uint32 * initiator_lifetime,
- OM_uint32 * acceptor_lifetime,
- gss_cred_usage_t * cred_usage
- )
-{
- gss_cred_usage_t usage;
- OM_uint32 maj_stat;
- OM_uint32 lifetime;
-
- maj_stat =
- _gsskrb5_inquire_cred (minor_status, cred_handle,
- name, &lifetime, &usage, NULL);
- if (maj_stat)
- return maj_stat;
-
- if (initiator_lifetime) {
- if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH)
- *initiator_lifetime = lifetime;
- else
- *initiator_lifetime = 0;
- }
-
- if (acceptor_lifetime) {
- if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH)
- *acceptor_lifetime = lifetime;
- else
- *acceptor_lifetime = 0;
- }
-
- if (cred_usage)
- *cred_usage = usage;
-
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c b/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c
deleted file mode 100644
index da50b11d934a..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (c) 2004, PADL Software Pty Ltd.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of PADL Software nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: inquire_cred_by_oid.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_inquire_cred_by_oid
- (OM_uint32 * minor_status,
- const gss_cred_id_t cred_handle,
- const gss_OID desired_object,
- gss_buffer_set_t *data_set)
-{
- krb5_context context;
- gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
- krb5_error_code ret;
- gss_buffer_desc buffer;
- char *str;
-
- GSSAPI_KRB5_INIT (&context);
-
- if (gss_oid_equal(desired_object, GSS_KRB5_COPY_CCACHE_X) == 0) {
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
- HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
-
- if (cred->ccache == NULL) {
- HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
- ret = krb5_cc_get_full_name(context, cred->ccache, &str);
- HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
- if (ret) {
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- buffer.value = str;
- buffer.length = strlen(str);
-
- ret = gss_add_buffer_set_member(minor_status, &buffer, data_set);
- if (ret != GSS_S_COMPLETE)
- _gsskrb5_clear_status ();
-
- free(str);
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
-
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c b/crypto/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c
deleted file mode 100644
index 0ce051f19c0c..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: inquire_mechs_for_name.c 20688 2007-05-17 18:44:31Z lha $");
-
-OM_uint32 _gsskrb5_inquire_mechs_for_name (
- OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_OID_set * mech_types
- )
-{
- OM_uint32 ret;
-
- ret = gss_create_empty_oid_set(minor_status, mech_types);
- if (ret)
- return ret;
-
- ret = gss_add_oid_set_member(minor_status,
- GSS_KRB5_MECHANISM,
- mech_types);
- if (ret)
- gss_release_oid_set(NULL, mech_types);
-
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/crypto/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
deleted file mode 100644
index 64abd3c34a9f..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: inquire_names_for_mech.c 20688 2007-05-17 18:44:31Z lha $");
-
-
-static gss_OID *name_list[] = {
- &GSS_C_NT_HOSTBASED_SERVICE,
- &GSS_C_NT_USER_NAME,
- &GSS_KRB5_NT_PRINCIPAL_NAME,
- &GSS_C_NT_EXPORT_NAME,
- NULL
-};
-
-OM_uint32 _gsskrb5_inquire_names_for_mech (
- OM_uint32 * minor_status,
- const gss_OID mechanism,
- gss_OID_set * name_types
- )
-{
- OM_uint32 ret;
- int i;
-
- *minor_status = 0;
-
- if (gss_oid_equal(mechanism, GSS_KRB5_MECHANISM) == 0 &&
- gss_oid_equal(mechanism, GSS_C_NULL_OID) == 0) {
- *name_types = GSS_C_NO_OID_SET;
- return GSS_S_BAD_MECH;
- }
-
- ret = gss_create_empty_oid_set(minor_status, name_types);
- if (ret != GSS_S_COMPLETE)
- return ret;
-
- for (i = 0; name_list[i] != NULL; i++) {
- ret = gss_add_oid_set_member(minor_status,
- *(name_list[i]),
- name_types);
- if (ret != GSS_S_COMPLETE)
- break;
- }
-
- if (ret != GSS_S_COMPLETE)
- gss_release_oid_set(NULL, name_types);
-
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/crypto/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
deleted file mode 100644
index 5ca7536e6a39..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
+++ /dev/null
@@ -1,557 +0,0 @@
-/*
- * Copyright (c) 2004, PADL Software Pty Ltd.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of PADL Software nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: inquire_sec_context_by_oid.c 19031 2006-11-13 18:02:57Z lha $");
-
-static int
-oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
-{
- int ret;
- heim_oid oid;
- heim_oid prefix;
-
- *suffix = 0;
-
- ret = der_get_oid(oid_enc->elements, oid_enc->length,
- &oid, NULL);
- if (ret) {
- return 0;
- }
-
- ret = der_get_oid(prefix_enc->elements, prefix_enc->length,
- &prefix, NULL);
- if (ret) {
- der_free_oid(&oid);
- return 0;
- }
-
- ret = 0;
-
- if (oid.length - 1 == prefix.length) {
- *suffix = oid.components[oid.length - 1];
- oid.length--;
- ret = (der_heim_oid_cmp(&oid, &prefix) == 0);
- oid.length++;
- }
-
- der_free_oid(&oid);
- der_free_oid(&prefix);
-
- return ret;
-}
-
-static OM_uint32 inquire_sec_context_tkt_flags
- (OM_uint32 *minor_status,
- const gsskrb5_ctx context_handle,
- gss_buffer_set_t *data_set)
-{
- OM_uint32 tkt_flags;
- unsigned char buf[4];
- gss_buffer_desc value;
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
-
- if (context_handle->ticket == NULL) {
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- _gsskrb5_set_status("No ticket from which to obtain flags");
- *minor_status = EINVAL;
- return GSS_S_BAD_MECH;
- }
-
- tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags);
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
-
- _gsskrb5_encode_om_uint32(tkt_flags, buf);
- value.length = sizeof(buf);
- value.value = buf;
-
- return gss_add_buffer_set_member(minor_status,
- &value,
- data_set);
-}
-
-enum keytype { ACCEPTOR_KEY, INITIATOR_KEY, TOKEN_KEY };
-
-static OM_uint32 inquire_sec_context_get_subkey
- (OM_uint32 *minor_status,
- const gsskrb5_ctx context_handle,
- krb5_context context,
- enum keytype keytype,
- gss_buffer_set_t *data_set)
-{
- krb5_keyblock *key = NULL;
- krb5_storage *sp = NULL;
- krb5_data data;
- OM_uint32 maj_stat = GSS_S_COMPLETE;
- krb5_error_code ret;
-
- krb5_data_zero(&data);
-
- sp = krb5_storage_emem();
- if (sp == NULL) {
- _gsskrb5_clear_status();
- ret = ENOMEM;
- goto out;
- }
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
- switch(keytype) {
- case ACCEPTOR_KEY:
- ret = _gsskrb5i_get_acceptor_subkey(context_handle, context, &key);
- break;
- case INITIATOR_KEY:
- ret = _gsskrb5i_get_initiator_subkey(context_handle, context, &key);
- break;
- case TOKEN_KEY:
- ret = _gsskrb5i_get_token_key(context_handle, context, &key);
- break;
- default:
- _gsskrb5_set_status("%d is not a valid subkey type", keytype);
- ret = EINVAL;
- break;
- }
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- if (ret)
- goto out;
- if (key == NULL) {
- _gsskrb5_set_status("have no subkey of type %d", keytype);
- ret = EINVAL;
- goto out;
- }
-
- ret = krb5_store_keyblock(sp, *key);
- krb5_free_keyblock (context, key);
- if (ret)
- goto out;
-
- ret = krb5_storage_to_data(sp, &data);
- if (ret)
- goto out;
-
- {
- gss_buffer_desc value;
-
- value.length = data.length;
- value.value = data.data;
-
- maj_stat = gss_add_buffer_set_member(minor_status,
- &value,
- data_set);
- }
-
-out:
- krb5_data_free(&data);
- if (sp)
- krb5_storage_free(sp);
- if (ret) {
- *minor_status = ret;
- maj_stat = GSS_S_FAILURE;
- }
- return maj_stat;
-}
-
-static OM_uint32 inquire_sec_context_authz_data
- (OM_uint32 *minor_status,
- const gsskrb5_ctx context_handle,
- krb5_context context,
- unsigned ad_type,
- gss_buffer_set_t *data_set)
-{
- krb5_data data;
- gss_buffer_desc ad_data;
- OM_uint32 ret;
-
- *minor_status = 0;
- *data_set = GSS_C_NO_BUFFER_SET;
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
- if (context_handle->ticket == NULL) {
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- *minor_status = EINVAL;
- _gsskrb5_set_status("No ticket to obtain authz data from");
- return GSS_S_NO_CONTEXT;
- }
-
- ret = krb5_ticket_get_authorization_data_type(context,
- context_handle->ticket,
- ad_type,
- &data);
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- if (ret) {
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- ad_data.value = data.data;
- ad_data.length = data.length;
-
- ret = gss_add_buffer_set_member(minor_status,
- &ad_data,
- data_set);
-
- krb5_data_free(&data);
-
- return ret;
-}
-
-static OM_uint32 inquire_sec_context_has_updated_spnego
- (OM_uint32 *minor_status,
- const gsskrb5_ctx context_handle,
- gss_buffer_set_t *data_set)
-{
- int is_updated = 0;
-
- *minor_status = 0;
- *data_set = GSS_C_NO_BUFFER_SET;
-
- /*
- * For Windows SPNEGO implementations, both the initiator and the
- * acceptor are assumed to have been updated if a "newer" [CLAR] or
- * different enctype is negotiated for use by the Kerberos GSS-API
- * mechanism.
- */
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
- _gsskrb5i_is_cfx(context_handle, &is_updated);
- if (is_updated == 0) {
- krb5_keyblock *acceptor_subkey;
-
- if (context_handle->more_flags & LOCAL)
- acceptor_subkey = context_handle->auth_context->remote_subkey;
- else
- acceptor_subkey = context_handle->auth_context->local_subkey;
-
- if (acceptor_subkey != NULL)
- is_updated = (acceptor_subkey->keytype !=
- context_handle->auth_context->keyblock->keytype);
- }
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
-
- return is_updated ? GSS_S_COMPLETE : GSS_S_FAILURE;
-}
-
-/*
- *
- */
-
-static OM_uint32
-export_lucid_sec_context_v1(OM_uint32 *minor_status,
- gsskrb5_ctx context_handle,
- krb5_context context,
- gss_buffer_set_t *data_set)
-{
- krb5_storage *sp = NULL;
- OM_uint32 major_status = GSS_S_COMPLETE;
- krb5_error_code ret;
- krb5_keyblock *key = NULL;
- int32_t number;
- int is_cfx;
- krb5_data data;
-
- *minor_status = 0;
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
-
- _gsskrb5i_is_cfx(context_handle, &is_cfx);
-
- sp = krb5_storage_emem();
- if (sp == NULL) {
- _gsskrb5_clear_status();
- ret = ENOMEM;
- goto out;
- }
-
- ret = krb5_store_int32(sp, 1);
- if (ret) goto out;
- ret = krb5_store_int32(sp, (context_handle->more_flags & LOCAL) ? 1 : 0);
- if (ret) goto out;
- ret = krb5_store_int32(sp, context_handle->lifetime);
- if (ret) goto out;
- krb5_auth_con_getlocalseqnumber (context,
- context_handle->auth_context,
- &number);
- ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
- ret = krb5_store_uint32(sp, (uint32_t)number);
- krb5_auth_getremoteseqnumber (context,
- context_handle->auth_context,
- &number);
- ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
- ret = krb5_store_uint32(sp, (uint32_t)number);
- ret = krb5_store_int32(sp, (is_cfx) ? 1 : 0);
- if (ret) goto out;
-
- ret = _gsskrb5i_get_token_key(context_handle, context, &key);
- if (ret) goto out;
-
- if (is_cfx == 0) {
- int sign_alg, seal_alg;
-
- switch (key->keytype) {
- case ETYPE_DES_CBC_CRC:
- case ETYPE_DES_CBC_MD4:
- case ETYPE_DES_CBC_MD5:
- sign_alg = 0;
- seal_alg = 0;
- break;
- case ETYPE_DES3_CBC_MD5:
- case ETYPE_DES3_CBC_SHA1:
- sign_alg = 4;
- seal_alg = 2;
- break;
- case ETYPE_ARCFOUR_HMAC_MD5:
- case ETYPE_ARCFOUR_HMAC_MD5_56:
- sign_alg = 17;
- seal_alg = 16;
- break;
- default:
- sign_alg = -1;
- seal_alg = -1;
- break;
- }
- ret = krb5_store_int32(sp, sign_alg);
- if (ret) goto out;
- ret = krb5_store_int32(sp, seal_alg);
- if (ret) goto out;
- /* ctx_key */
- ret = krb5_store_keyblock(sp, *key);
- if (ret) goto out;
- } else {
- int subkey_p = (context_handle->more_flags & ACCEPTOR_SUBKEY) ? 1 : 0;
-
- /* have_acceptor_subkey */
- ret = krb5_store_int32(sp, subkey_p);
- if (ret) goto out;
- /* ctx_key */
- ret = krb5_store_keyblock(sp, *key);
- if (ret) goto out;
- /* acceptor_subkey */
- if (subkey_p) {
- ret = krb5_store_keyblock(sp, *key);
- if (ret) goto out;
- }
- }
- ret = krb5_storage_to_data(sp, &data);
- if (ret) goto out;
-
- {
- gss_buffer_desc ad_data;
-
- ad_data.value = data.data;
- ad_data.length = data.length;
-
- ret = gss_add_buffer_set_member(minor_status, &ad_data, data_set);
- krb5_data_free(&data);
- if (ret)
- goto out;
- }
-
-out:
- if (key)
- krb5_free_keyblock (context, key);
- if (sp)
- krb5_storage_free(sp);
- if (ret) {
- *minor_status = ret;
- major_status = GSS_S_FAILURE;
- }
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- return major_status;
-}
-
-static OM_uint32
-get_authtime(OM_uint32 *minor_status,
- gsskrb5_ctx ctx,
- gss_buffer_set_t *data_set)
-
-{
- gss_buffer_desc value;
- unsigned char buf[4];
- OM_uint32 authtime;
-
- HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- if (ctx->ticket == NULL) {
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- _gsskrb5_set_status("No ticket to obtain auth time from");
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
- authtime = ctx->ticket->ticket.authtime;
-
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-
- _gsskrb5_encode_om_uint32(authtime, buf);
- value.length = sizeof(buf);
- value.value = buf;
-
- return gss_add_buffer_set_member(minor_status,
- &value,
- data_set);
-}
-
-
-static OM_uint32
-get_service_keyblock
- (OM_uint32 *minor_status,
- gsskrb5_ctx ctx,
- gss_buffer_set_t *data_set)
-{
- krb5_storage *sp = NULL;
- krb5_data data;
- OM_uint32 maj_stat = GSS_S_COMPLETE;
- krb5_error_code ret = EINVAL;
-
- sp = krb5_storage_emem();
- if (sp == NULL) {
- _gsskrb5_clear_status();
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- if (ctx->service_keyblock == NULL) {
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-
_gsskrb5_set_status("No service keyblock on gssapi context"); - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - krb5_data_zero(&data); - - ret = krb5_store_keyblock(sp, *ctx->service_keyblock); - - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - - if (ret) - goto out; - - ret = krb5_storage_to_data(sp, &data); - if (ret) - goto out; - - { - gss_buffer_desc value; - - value.length = data.length; - value.value = data.data; - - maj_stat = gss_add_buffer_set_member(minor_status, - &value, - data_set); - } - -out: - krb5_data_free(&data); - if (sp) - krb5_storage_free(sp); - if (ret) { - *minor_status = ret; - maj_stat = GSS_S_FAILURE; - } - return maj_stat; -} -/* - * - */ - -OM_uint32 _gsskrb5_inquire_sec_context_by_oid - (OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_OID desired_object, - gss_buffer_set_t *data_set) -{ - krb5_context context; - const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; - unsigned suffix; - - if (ctx == NULL) { - *minor_status = EINVAL; - return GSS_S_NO_CONTEXT; - } - - GSSAPI_KRB5_INIT (&context); - - if (gss_oid_equal(desired_object, GSS_KRB5_GET_TKT_FLAGS_X)) { - return inquire_sec_context_tkt_flags(minor_status, - ctx, - data_set); - } else if (gss_oid_equal(desired_object, GSS_C_PEER_HAS_UPDATED_SPNEGO)) { - return inquire_sec_context_has_updated_spnego(minor_status, - ctx, - data_set); - } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SUBKEY_X)) { - return inquire_sec_context_get_subkey(minor_status, - ctx, - context, - TOKEN_KEY, - data_set); - } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_INITIATOR_SUBKEY_X)) { - return inquire_sec_context_get_subkey(minor_status, - ctx, - context, - INITIATOR_KEY, - data_set); - } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X)) { - return inquire_sec_context_get_subkey(minor_status, - ctx, - context, - ACCEPTOR_KEY, - data_set); - } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) { - return 
get_authtime(minor_status, ctx, data_set); - } else if (oid_prefix_equal(desired_object, - GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X, - &suffix)) { - return inquire_sec_context_authz_data(minor_status, - ctx, - context, - suffix, - data_set); - } else if (oid_prefix_equal(desired_object, - GSS_KRB5_EXPORT_LUCID_CONTEXT_X, - &suffix)) { - if (suffix == 1) - return export_lucid_sec_context_v1(minor_status, - ctx, - context, - data_set); - *minor_status = 0; - return GSS_S_FAILURE; - } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SERVICE_KEYBLOCK_X)) { - return get_service_keyblock(minor_status, ctx, data_set); - } else { - *minor_status = 0; - return GSS_S_FAILURE; - } -} - diff --git a/crypto/heimdal/lib/gssapi/krb5/prf.c b/crypto/heimdal/lib/gssapi/krb5/prf.c deleted file mode 100644 index f79c9374a9c7..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/prf.c +++ /dev/null 
@@ -1,143 +0,0 @@
-/*
- * Copyright (c) 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: prf.c 21129 2007-06-18 20:28:44Z lha $"); - -OM_uint32 -_gsskrb5_pseudo_random(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int prf_key, - const gss_buffer_t prf_in, - ssize_t desired_output_len, - gss_buffer_t prf_out) -{ - gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle; - krb5_context context; - krb5_error_code ret; - krb5_crypto crypto; - krb5_data input, output; - uint32_t num; - unsigned char *p; - krb5_keyblock *key = NULL; - - if (ctx == NULL) { - *minor_status = 0; - return GSS_S_NO_CONTEXT; - } - - if (desired_output_len <= 0) { - *minor_status = 0; - return GSS_S_FAILURE; - } - - GSSAPI_KRB5_INIT (&context); - - switch(prf_key) { - case GSS_C_PRF_KEY_FULL: - _gsskrb5i_get_acceptor_subkey(ctx, context, &key); - break; - case GSS_C_PRF_KEY_PARTIAL: - _gsskrb5i_get_initiator_subkey(ctx, context, &key); - break; - default: - _gsskrb5_set_status("unknown kerberos prf_key"); - *minor_status = 0; - return GSS_S_FAILURE; - } - - if (key == NULL) { - _gsskrb5_set_status("no prf_key found"); - *minor_status = 0; - return GSS_S_FAILURE; - } - - ret = krb5_crypto_init(context, key, 0, &crypto); - krb5_free_keyblock (context, key); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - prf_out->value = malloc(desired_output_len); - if (prf_out->value == NULL) { - _gsskrb5_set_status("Out of memory"); - *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; - krb5_crypto_destroy(context, crypto); - return GSS_S_FAILURE; - } - prf_out->length = desired_output_len; - - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - - input.length = prf_in->length + 4; - input.data = malloc(prf_in->length + 4); - if (input.data == NULL) { - OM_uint32 junk; - _gsskrb5_set_status("Out of memory"); - *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; - gss_release_buffer(&junk, prf_out); - krb5_crypto_destroy(context, crypto); - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - return GSS_S_FAILURE; - } - memcpy(((unsigned char 
*)input.data) + 4, prf_in->value, prf_in->length); - - num = 0; - p = prf_out->value; - while(desired_output_len > 0) { - _gsskrb5_encode_om_uint32(num, input.data); - ret = krb5_crypto_prf(context, crypto, &input, &output); - if (ret) { - OM_uint32 junk; - *minor_status = ret; - free(input.data); - gss_release_buffer(&junk, prf_out); - krb5_crypto_destroy(context, crypto); - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - return GSS_S_FAILURE; - } - memcpy(p, output.data, min(desired_output_len, output.length)); - p += output.length; - desired_output_len -= output.length; - krb5_data_free(&output); - num++; - } - - krb5_crypto_destroy(context, crypto); - - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/process_context_token.c b/crypto/heimdal/lib/gssapi/krb5/process_context_token.c deleted file mode 100644 index 15638f57fcc5..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/process_context_token.c +++ /dev/null 
@@ -1,70 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: process_context_token.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_process_context_token (
- OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t token_buffer
- )
-{
- krb5_context context;
- OM_uint32 ret = GSS_S_FAILURE;
- gss_buffer_desc empty_buffer;
- gss_qop_t qop_state;
-
- empty_buffer.length = 0;
- empty_buffer.value = NULL;
-
- GSSAPI_KRB5_INIT (&context);
-
- qop_state = GSS_C_QOP_DEFAULT;
-
- ret = _gsskrb5_verify_mic_internal(minor_status,
- (gsskrb5_ctx)context_handle,
- context,
- token_buffer, &empty_buffer,
- GSS_C_QOP_DEFAULT, "\x01\x02");
-
- if (ret == GSS_S_COMPLETE)
- ret = _gsskrb5_delete_sec_context(minor_status,
- rk_UNCONST(&context_handle),
- GSS_C_NO_BUFFER);
- if (ret == GSS_S_COMPLETE)
- *minor_status = 0;
-
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/release_buffer.c b/crypto/heimdal/lib/gssapi/krb5/release_buffer.c
deleted file mode 100644
index 5dff62631ab4..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/release_buffer.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: release_buffer.c 18334 2006-10-07 22:16:04Z lha $");
-
-OM_uint32 _gsskrb5_release_buffer
- (OM_uint32 * minor_status,
- gss_buffer_t buffer
- )
-{
- *minor_status = 0;
- free (buffer->value);
- buffer->value = NULL;
- buffer->length = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/release_cred.c b/crypto/heimdal/lib/gssapi/krb5/release_cred.c
deleted file mode 100644
index ab5695b097b1..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/release_cred.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: release_cred.c 20753 2007-05-31 22:50:06Z lha $");
-
-OM_uint32 _gsskrb5_release_cred
- (OM_uint32 * minor_status,
- gss_cred_id_t * cred_handle
- )
-{
- krb5_context context;
- gsskrb5_cred cred;
- OM_uint32 junk;
-
- *minor_status = 0;
-
- if (*cred_handle == NULL)
- return GSS_S_COMPLETE;
-
- cred = (gsskrb5_cred)*cred_handle;
- *cred_handle = GSS_C_NO_CREDENTIAL;
-
- GSSAPI_KRB5_INIT (&context);
-
- HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
-
- if (cred->principal != NULL)
- krb5_free_principal(context, cred->principal);
- if (cred->keytab != NULL)
- krb5_kt_close(context, cred->keytab);
- if (cred->ccache != NULL) {
- const krb5_cc_ops *ops;
- ops = krb5_cc_get_ops(context, cred->ccache);
- if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
- krb5_cc_destroy(context, cred->ccache);
- else
- krb5_cc_close(context, cred->ccache);
- }
- gss_release_oid_set(&junk, &cred->mechanisms);
- if (cred->enctypes)
- free(cred->enctypes);
- HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
- HEIMDAL_MUTEX_destroy(&cred->cred_id_mutex);
- memset(cred, 0, sizeof(*cred));
- free(cred);
- return GSS_S_COMPLETE;
-}
-
diff --git a/crypto/heimdal/lib/gssapi/krb5/release_name.c b/crypto/heimdal/lib/gssapi/krb5/release_name.c
deleted file mode 100644
index 80b91930fd37..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/release_name.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: release_name.c 21128 2007-06-18 20:26:50Z lha $");
-
-OM_uint32 _gsskrb5_release_name
- (OM_uint32 * minor_status,
- gss_name_t * input_name
- )
-{
- krb5_context context;
- krb5_principal name = (krb5_principal)*input_name;
-
- *minor_status = 0;
-
- GSSAPI_KRB5_INIT (&context);
-
- *input_name = GSS_C_NO_NAME;
-
- krb5_free_principal(context, name);
-
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/sequence.c b/crypto/heimdal/lib/gssapi/krb5/sequence.c
deleted file mode 100644
index 677a3c8d0778..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/sequence.c
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: sequence.c 18334 2006-10-07 22:16:04Z lha $"); - -#define DEFAULT_JITTER_WINDOW 20 - -struct gss_msg_order { - OM_uint32 flags; - OM_uint32 start; - OM_uint32 length; - OM_uint32 jitter_window; - OM_uint32 first_seq; - OM_uint32 elem[1]; -}; - - -/* - * - */ - -static OM_uint32 -msg_order_alloc(OM_uint32 *minor_status, - struct gss_msg_order **o, - OM_uint32 jitter_window) -{ - size_t len; - - len = jitter_window * sizeof((*o)->elem[0]); - len += sizeof(**o); - len -= sizeof((*o)->elem[0]); - - *o = calloc(1, len); - if (*o == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -/* - * - */ - -OM_uint32 -_gssapi_msg_order_create(OM_uint32 *minor_status, - struct gss_msg_order **o, - OM_uint32 flags, - OM_uint32 seq_num, - OM_uint32 jitter_window, - int use_64) -{ - OM_uint32 ret; - - if (jitter_window == 0) - jitter_window = DEFAULT_JITTER_WINDOW; - - ret = msg_order_alloc(minor_status, o, jitter_window); - if(ret != GSS_S_COMPLETE) - return ret; - - (*o)->flags = flags; - (*o)->length = 0; - (*o)->first_seq = seq_num; - (*o)->jitter_window = jitter_window; - (*o)->elem[0] = seq_num - 1; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 -_gssapi_msg_order_destroy(struct gss_msg_order **m) -{ - free(*m); - *m = NULL; - return GSS_S_COMPLETE; -} - -static void -elem_set(struct gss_msg_order *o, unsigned int slot, OM_uint32 val) -{ - o->elem[slot % o->jitter_window] = val; -} - -static void -elem_insert(struct gss_msg_order *o, - unsigned int after_slot, - OM_uint32 seq_num) -{ - assert(o->jitter_window > after_slot); - - if (o->length > after_slot) - memmove(&o->elem[after_slot + 1], &o->elem[after_slot], - (o->length - after_slot - 1) * sizeof(o->elem[0])); - - elem_set(o, after_slot, seq_num); - - if (o->length < o->jitter_window) - o->length++; -} - -/* rule 1: expected sequence number */ -/* rule 2: > expected sequence number */ -/* 
rule 3: seqnum < seqnum(first) */ -/* rule 4+5: seqnum in [seqnum(first),seqnum(last)] */ - -OM_uint32 -_gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num) -{ - OM_uint32 r; - int i; - - if (o == NULL) - return GSS_S_COMPLETE; - - if ((o->flags & (GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG)) == 0) - return GSS_S_COMPLETE; - - /* check if the packet is the next in order */ - if (o->elem[0] == seq_num - 1) { - elem_insert(o, 0, seq_num); - return GSS_S_COMPLETE; - } - - r = (o->flags & (GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG))==GSS_C_REPLAY_FLAG; - - /* sequence number larger then largest sequence number - * or smaller then the first sequence number */ - if (seq_num > o->elem[0] - || seq_num < o->first_seq - || o->length == 0) - { - elem_insert(o, 0, seq_num); - if (r) { - return GSS_S_COMPLETE; - } else { - return GSS_S_GAP_TOKEN; - } - } - - assert(o->length > 0); - - /* sequence number smaller the first sequence number */ - if (seq_num < o->elem[o->length - 1]) { - if (r) - return(GSS_S_OLD_TOKEN); - else - return(GSS_S_UNSEQ_TOKEN); - } - - if (seq_num == o->elem[o->length - 1]) { - return GSS_S_DUPLICATE_TOKEN; - } - - for (i = 0; i < o->length - 1; i++) { - if (o->elem[i] == seq_num) - return GSS_S_DUPLICATE_TOKEN; - if (o->elem[i + 1] < seq_num && o->elem[i] < seq_num) { - elem_insert(o, i, seq_num); - if (r) - return GSS_S_COMPLETE; - else - return GSS_S_UNSEQ_TOKEN; - } - } - - return GSS_S_FAILURE; -} - -OM_uint32 -_gssapi_msg_order_f(OM_uint32 flags) -{ - return flags & (GSS_C_SEQUENCE_FLAG|GSS_C_REPLAY_FLAG); -} - -/* - * Translate `o` into inter-process format and export in to `sp'. 
- */
-
-krb5_error_code
-_gssapi_msg_order_export(krb5_storage *sp, struct gss_msg_order *o)
-{
- krb5_error_code kret;
- OM_uint32 i;
-
- kret = krb5_store_int32(sp, o->flags);
- if (kret)
- return kret;
- kret = krb5_store_int32(sp, o->start);
- if (kret)
- return kret;
- kret = krb5_store_int32(sp, o->length);
- if (kret)
- return kret;
- kret = krb5_store_int32(sp, o->jitter_window);
- if (kret)
- return kret;
- kret = krb5_store_int32(sp, o->first_seq);
- if (kret)
- return kret;
-
- for (i = 0; i < o->jitter_window; i++) {
- kret = krb5_store_int32(sp, o->elem[i]);
- if (kret)
- return kret;
- }
-
- return 0;
-}
-
-OM_uint32
-_gssapi_msg_order_import(OM_uint32 *minor_status,
- krb5_storage *sp,
- struct gss_msg_order **o)
-{
- OM_uint32 ret;
- krb5_error_code kret;
- int32_t i, flags, start, length, jitter_window, first_seq;
-
- kret = krb5_ret_int32(sp, &flags);
- if (kret)
- goto failed;
- ret = krb5_ret_int32(sp, &start);
- if (kret)
- goto failed;
- ret = krb5_ret_int32(sp, &length);
- if (kret)
- goto failed;
- ret = krb5_ret_int32(sp, &jitter_window);
- if (kret)
- goto failed;
- ret = krb5_ret_int32(sp, &first_seq);
- if (kret)
- goto failed;
-
- ret = msg_order_alloc(minor_status, o, jitter_window);
- if (ret != GSS_S_COMPLETE)
- return ret;
-
- (*o)->flags = flags;
- (*o)->start = start;
- (*o)->length = length;
- (*o)->jitter_window = jitter_window;
- (*o)->first_seq = first_seq;
-
- for( i = 0; i < jitter_window; i++ ) {
- kret = krb5_ret_int32(sp, (int32_t*)&((*o)->elem[i]));
- if (kret)
- goto failed;
- }
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-
-failed:
- _gssapi_msg_order_destroy(o);
- *minor_status = kret;
- return GSS_S_FAILURE;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/set_cred_option.c b/crypto/heimdal/lib/gssapi/krb5/set_cred_option.c
deleted file mode 100644
index d0ca1c4d95dd..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/set_cred_option.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright (c) 2004, PADL Software Pty Ltd.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of PADL Software nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: set_cred_option.c 20325 2007-04-12 16:49:17Z lha $"); - -static gss_OID_desc gss_krb5_import_cred_x_oid_desc = -{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */ - -gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc; - -static OM_uint32 -import_cred(OM_uint32 *minor_status, - krb5_context context, - gss_cred_id_t *cred_handle, - const gss_buffer_t value) -{ - OM_uint32 major_stat; - krb5_error_code ret; - krb5_principal keytab_principal = NULL; - krb5_keytab keytab = NULL; - krb5_storage *sp = NULL; - krb5_ccache id = NULL; - char *str; - - if (cred_handle == NULL || *cred_handle != GSS_C_NO_CREDENTIAL) { - *minor_status = 0; - return GSS_S_FAILURE; - } - - sp = krb5_storage_from_mem(value->value, value->length); - if (sp == NULL) { - *minor_status = 0; - return GSS_S_FAILURE; - } - - /* credential cache name */ - ret = krb5_ret_string(sp, &str); - if (ret) { - *minor_status = ret; - major_stat = GSS_S_FAILURE; - goto out; - } - if (str[0]) { - ret = krb5_cc_resolve(context, str, &id); - if (ret) { - *minor_status = ret; - major_stat = GSS_S_FAILURE; - goto out; - } - } - free(str); - str = NULL; - - /* keytab principal name */ - ret = krb5_ret_string(sp, &str); - if (ret == 0 && str[0]) - ret = krb5_parse_name(context, str, &keytab_principal); - if (ret) { - *minor_status = ret; - major_stat = GSS_S_FAILURE; - goto out; - } - free(str); - str = NULL; - - /* keytab principal */ - ret = krb5_ret_string(sp, &str); - if (ret) { - *minor_status = ret; - major_stat = GSS_S_FAILURE; - goto out; - } - if (str[0]) { - ret = krb5_kt_resolve(context, str, &keytab); - if (ret) { - *minor_status = ret; - major_stat = GSS_S_FAILURE; - goto out; - } - } - free(str); - str = NULL; - - major_stat = _gsskrb5_import_cred(minor_status, id, keytab_principal, - keytab, cred_handle); -out: - if (id) - krb5_cc_close(context, id); - if (keytab_principal) - krb5_free_principal(context, keytab_principal); - if 
(keytab) - krb5_kt_close(context, keytab); - if (str) - free(str); - if (sp) - krb5_storage_free(sp); - - return major_stat; -} - - -static OM_uint32 -allowed_enctypes(OM_uint32 *minor_status, - krb5_context context, - gss_cred_id_t *cred_handle, - const gss_buffer_t value) -{ - OM_uint32 major_stat; - krb5_error_code ret; - size_t len, i; - krb5_enctype *enctypes = NULL; - krb5_storage *sp = NULL; - gsskrb5_cred cred; - - if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) { - *minor_status = 0; - return GSS_S_FAILURE; - } - - cred = (gsskrb5_cred)*cred_handle; - - if ((value->length % 4) != 0) { - *minor_status = 0; - major_stat = GSS_S_FAILURE; - goto out; - } - - len = value->length / 4; - enctypes = malloc((len + 1) * 4); - if (enctypes == NULL) { - *minor_status = ENOMEM; - major_stat = GSS_S_FAILURE; - goto out; - } - - sp = krb5_storage_from_mem(value->value, value->length); - if (sp == NULL) { - *minor_status = ENOMEM; - major_stat = GSS_S_FAILURE; - goto out; - } - - for (i = 0; i < len; i++) { - uint32_t e; - - ret = krb5_ret_uint32(sp, &e); - if (ret) { - *minor_status = ret; - major_stat = GSS_S_FAILURE; - goto out; - } - enctypes[i] = e; - } - enctypes[i] = 0; - - if (cred->enctypes) - free(cred->enctypes); - cred->enctypes = enctypes; - - krb5_storage_free(sp); - - return GSS_S_COMPLETE; - -out: - if (sp) - krb5_storage_free(sp); - if (enctypes) - free(enctypes); - - return major_stat; -} - - -OM_uint32 -_gsskrb5_set_cred_option - (OM_uint32 *minor_status, - gss_cred_id_t *cred_handle, - const gss_OID desired_object, - const gss_buffer_t value) -{ - krb5_context context; - - GSSAPI_KRB5_INIT (&context); - - if (value == GSS_C_NO_BUFFER) { - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - if (gss_oid_equal(desired_object, GSS_KRB5_IMPORT_CRED_X)) - return import_cred(minor_status, context, cred_handle, value); - - if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X)) - return allowed_enctypes(minor_status, context, 
cred_handle, value); - - *minor_status = EINVAL; - return GSS_S_FAILURE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/crypto/heimdal/lib/gssapi/krb5/set_sec_context_option.c deleted file mode 100644 index 50441a11ad3c..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ /dev/null 
@@ -1,192 +0,0 @@
-/*
- * Copyright (c) 2004, PADL Software Pty Ltd.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of PADL Software nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* - * glue routine for _gsskrb5_inquire_sec_context_by_oid - */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: set_sec_context_option.c 20384 2007-04-18 08:51:06Z lha $"); - -static OM_uint32 -get_bool(OM_uint32 *minor_status, - const gss_buffer_t value, - int *flag) -{ - if (value->value == NULL || value->length != 1) { - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - *flag = *((const char *)value->value) != 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -get_string(OM_uint32 *minor_status, - const gss_buffer_t value, - char **str) -{ - if (value == NULL || value->length == 0) { - *str = NULL; - } else { - *str = malloc(value->length + 1); - if (*str == NULL) { - *minor_status = 0; - return GSS_S_UNAVAILABLE; - } - memcpy(*str, value->value, value->length); - (*str)[value->length] = '\0'; - } - return GSS_S_COMPLETE; -} - -OM_uint32 -_gsskrb5_set_sec_context_option - (OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - const gss_OID desired_object, - const gss_buffer_t value) -{ - krb5_context context; - OM_uint32 maj_stat; - - GSSAPI_KRB5_INIT (&context); - - if (value == GSS_C_NO_BUFFER) { - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) { - gsskrb5_ctx ctx; - int flag; - - if (*context_handle == GSS_C_NO_CONTEXT) { - *minor_status = EINVAL; - return GSS_S_NO_CONTEXT; - } - - maj_stat = get_bool(minor_status, value, &flag); - if (maj_stat != GSS_S_COMPLETE) - return maj_stat; - - ctx = (gsskrb5_ctx)*context_handle; - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - if (flag) - ctx->more_flags |= COMPAT_OLD_DES3; - else - ctx->more_flags &= ~COMPAT_OLD_DES3; - ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - return GSS_S_COMPLETE; - } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DNS_CANONICALIZE_X)) { - int flag; - - maj_stat = get_bool(minor_status, value, &flag); - if (maj_stat != GSS_S_COMPLETE) - return maj_stat; - - 
krb5_set_dns_canonicalize_hostname(context, flag); - return GSS_S_COMPLETE; - - } else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) { - char *str; - - maj_stat = get_string(minor_status, value, &str); - if (maj_stat != GSS_S_COMPLETE) - return maj_stat; - - _gsskrb5_register_acceptor_identity(str); - free(str); - - *minor_status = 0; - return GSS_S_COMPLETE; - - } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) { - char *str; - - maj_stat = get_string(minor_status, value, &str); - if (maj_stat != GSS_S_COMPLETE) - return maj_stat; - if (str == NULL) { - *minor_status = 0; - return GSS_S_CALL_INACCESSIBLE_READ; - } - - krb5_set_default_realm(context, str); - free(str); - - *minor_status = 0; - return GSS_S_COMPLETE; - - } else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) { - - if (value == NULL || value->length == 0) { - krb5_set_send_to_kdc_func(context, NULL, NULL); - } else { - struct gsskrb5_send_to_kdc c; - - if (value->length != sizeof(c)) { - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - memcpy(&c, value->value, sizeof(c)); - krb5_set_send_to_kdc_func(context, - (krb5_send_to_kdc_func)c.func, - c.ptr); - } - - *minor_status = 0; - return GSS_S_COMPLETE; - } else if (gss_oid_equal(desired_object, GSS_KRB5_CCACHE_NAME_X)) { - char *str; - - maj_stat = get_string(minor_status, value, &str); - if (maj_stat != GSS_S_COMPLETE) - return maj_stat; - if (str == NULL) { - *minor_status = 0; - return GSS_S_CALL_INACCESSIBLE_READ; - } - - *minor_status = krb5_cc_set_default_name(context, str); - free(str); - if (*minor_status) - return GSS_S_FAILURE; - - return GSS_S_COMPLETE; - } - - *minor_status = EINVAL; - return GSS_S_FAILURE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/test_cfx.c b/crypto/heimdal/lib/gssapi/krb5/test_cfx.c deleted file mode 100644 index b4536228a6e1..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/test_cfx.c +++ /dev/null 
@@ -1,159 +0,0 @@
-/*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: test_cfx.c 19031 2006-11-13 18:02:57Z lha $"); - -struct range { - size_t lower; - size_t upper; -}; - -struct range tests[] = { - { 0, 1040 }, - { 2040, 2080 }, - { 4080, 5000 }, - { 8180, 8292 }, - { 9980, 10010 } -}; - -static void -test_range(const struct range *r, int integ, - krb5_context context, krb5_crypto crypto) -{ - krb5_error_code ret; - size_t size, rsize; - - for (size = r->lower; size < r->upper; size++) { - OM_uint32 max_wrap_size; - size_t cksumsize; - uint16_t padsize; - - ret = _gsskrb5cfx_max_wrap_length_cfx(context, - crypto, - integ, - size, - &max_wrap_size); - if (ret) - krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret); - if (max_wrap_size == 0) - continue; - - ret = _gsskrb5cfx_wrap_length_cfx(context, - crypto, - integ, - max_wrap_size, - &rsize, &cksumsize, &padsize); - if (ret) - krb5_errx(context, 1, "_gsskrb5cfx_wrap_length_cfx: %d", ret); - - if (size < rsize) - krb5_errx(context, 1, - "size (%d) < rsize (%d) for max_wrap_size %d", - (int)size, (int)rsize, (int)max_wrap_size); - } -} - -static void -test_special(krb5_context context, krb5_crypto crypto, - int integ, size_t testsize) -{ - krb5_error_code ret; - size_t rsize; - OM_uint32 max_wrap_size; - size_t cksumsize; - uint16_t padsize; - - ret = _gsskrb5cfx_max_wrap_length_cfx(context, - crypto, - integ, - testsize, - &max_wrap_size); - if (ret) - krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret); - - ret = _gsskrb5cfx_wrap_length_cfx(context, - crypto, - integ, - max_wrap_size, - &rsize, &cksumsize, &padsize); - if (ret) - krb5_errx(context, 1, "_gsskrb5cfx_wrap_length_cfx: %d", ret); - - if (testsize < rsize) - krb5_errx(context, 1, - "testsize (%d) < rsize (%d) for max_wrap_size %d", - (int)testsize, (int)rsize, (int)max_wrap_size); -} - - - - -int -main(int argc, char **argv) -{ - krb5_keyblock keyblock; - krb5_error_code ret; - krb5_context context; - krb5_crypto crypto; - int i; - - ret = 
krb5_init_context(&context); - if (ret) - errx(1, "krb5_context_init: %d", ret); - - ret = krb5_generate_random_keyblock(context, - ENCTYPE_AES256_CTS_HMAC_SHA1_96, - &keyblock); - if (ret) - krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); - - ret = krb5_crypto_init(context, &keyblock, 0, &crypto); - if (ret) - krb5_err(context, 1, ret, "krb5_crypto_init"); - - test_special(context, crypto, 1, 60); - test_special(context, crypto, 0, 60); - - for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { - test_range(&tests[i], 1, context, crypto); - test_range(&tests[i], 0, context, crypto); - } - - krb5_free_keyblock_contents(context, &keyblock); - krb5_crypto_destroy(context, crypto); - krb5_free_context(context); - - return 0; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/ticket_flags.c b/crypto/heimdal/lib/gssapi/krb5/ticket_flags.c deleted file mode 100644 index 51d8159262af..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/ticket_flags.c +++ /dev/null 
@@ -1,60 +0,0 @@
-/*
- * Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: ticket_flags.c 18334 2006-10-07 22:16:04Z lha $"); - -OM_uint32 -_gsskrb5_get_tkt_flags(OM_uint32 *minor_status, - gsskrb5_ctx ctx, - OM_uint32 *tkt_flags) -{ - if (ctx == NULL) { - *minor_status = EINVAL; - return GSS_S_NO_CONTEXT; - } - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - - if (ctx->ticket == NULL) { - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - *minor_status = EINVAL; - return GSS_S_BAD_MECH; - } - - *tkt_flags = TicketFlags2int(ctx->ticket->ticket.flags); - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/unwrap.c b/crypto/heimdal/lib/gssapi/krb5/unwrap.c deleted file mode 100644 index d0a33d86fbfc..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/unwrap.c +++ /dev/null 
@@ -1,413 +0,0 @@
-/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: unwrap.c 19031 2006-11-13 18:02:57Z lha $"); - -static OM_uint32 -unwrap_des - (OM_uint32 * minor_status, - const gsskrb5_ctx context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p, *seq; - size_t len; - MD5_CTX md5; - u_char hash[16]; - DES_key_schedule schedule; - DES_cblock deskey; - DES_cblock zero; - int i; - uint32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - int cmp; - - p = input_message_buffer->value; - ret = _gsskrb5_verify_header (&p, - input_message_buffer->length, - "\x02\x01", - GSS_KRB5_MECHANISM); - if (ret) - return ret; - - if (memcmp (p, "\x00\x00", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x00\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xFF\xFF", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 16; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - for (i = 0; i < sizeof(deskey); ++i) - deskey[i] ^= 0xf0; - DES_set_key (&deskey, &schedule); - memset (&zero, 0, sizeof(zero)); - DES_cbc_encrypt ((void *)p, - (void *)p, - input_message_buffer->length - len, - &schedule, - &zero, - DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); - } - /* check pad */ - ret = _gssapi_verify_pad(input_message_buffer, - input_message_buffer->length - len, - &padlength); - if (ret) - return ret; - - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, input_message_buffer->length - len); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key 
(&deskey, &schedule); - DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - &schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) - return GSS_S_BAD_MIC; - - /* verify sequence number */ - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - - p -= 16; - DES_set_key (&deskey, &schedule); - DES_cbc_encrypt ((void *)p, (void *)p, 8, - &schedule, (DES_cblock *)hash, DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (&schedule, 0, sizeof(schedule)); - - seq = p; - _gsskrb5_decode_om_uint32(seq, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); - - if (cmp != 0) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_BAD_MIC; - } - - ret = _gssapi_msg_order_check(context_handle->order, seq_number); - if (ret) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; - } - - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 24, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -static OM_uint32 -unwrap_des3 - (OM_uint32 * minor_status, - const gsskrb5_ctx context_handle, - krb5_context context, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p; - size_t len; - u_char *seq; - krb5_data seq_data; - u_char cksum[20]; - uint32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - krb5_crypto crypto; - Checksum csum; - int cmp; - - p = input_message_buffer->value; - ret = _gsskrb5_verify_header (&p, - input_message_buffer->length, - 
"\x02\x01", - GSS_KRB5_MECHANISM); - if (ret) - return ret; - - if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x02\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xff\xff", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 28; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - krb5_data tmp; - - ret = krb5_crypto_init(context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - ret = krb5_decrypt(context, crypto, KRB5_KU_USAGE_SEAL, - p, input_message_buffer->length - len, &tmp); - krb5_crypto_destroy(context, crypto); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - assert (tmp.length == input_message_buffer->length - len); - - memcpy (p, tmp.data, tmp.length); - krb5_data_free(&tmp); - } - /* check pad */ - ret = _gssapi_verify_pad(input_message_buffer, - input_message_buffer->length - len, - &padlength); - if (ret) - return ret; - - /* verify sequence number */ - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - - p -= 28; - - ret = krb5_crypto_init(context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - *minor_status = ret; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_FAILURE; - } - { - DES_cblock ivec; - - memcpy(&ivec, p + 8, 8); - ret = krb5_decrypt_ivec (context, - crypto, - KRB5_KU_USAGE_SEQ, - p, 8, &seq_data, - &ivec); - } - krb5_crypto_destroy (context, crypto); - if (ret) { - *minor_status = ret; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_FAILURE; - } - if (seq_data.length != 8) { - krb5_data_free (&seq_data); - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_BAD_MIC; - } - - seq = seq_data.data; - 
_gsskrb5_decode_om_uint32(seq, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4); - - krb5_data_free (&seq_data); - if (cmp != 0) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_S_BAD_MIC; - } - - ret = _gssapi_msg_order_check(context_handle->order, seq_number); - if (ret) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; - } - - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - - /* verify checksum */ - - memcpy (cksum, p + 8, 20); - - memcpy (p + 20, p - 8, 8); - - csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3; - csum.checksum.length = 20; - csum.checksum.data = cksum; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_verify_checksum (context, crypto, - KRB5_KU_USAGE_SIGN, - p + 20, - input_message_buffer->length - len + 8, - &csum); - krb5_crypto_destroy (context, crypto); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 36, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -OM_uint32 _gsskrb5_unwrap - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state - ) -{ - krb5_keyblock *key; - krb5_context context; - OM_uint32 ret; - krb5_keytype keytype; - gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; - - output_message_buffer->value = NULL; - output_message_buffer->length = 0; - - GSSAPI_KRB5_INIT 
(&context); - - if (qop_state != NULL) - *qop_state = GSS_C_QOP_DEFAULT; - HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - ret = _gsskrb5i_get_token_key(ctx, context, &key); - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (context, key->keytype, &keytype); - - *minor_status = 0; - - switch (keytype) { - case KEYTYPE_DES : - ret = unwrap_des (minor_status, ctx, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - case KEYTYPE_DES3 : - ret = unwrap_des3 (minor_status, ctx, context, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - case KEYTYPE_ARCFOUR: - case KEYTYPE_ARCFOUR_56: - ret = _gssapi_unwrap_arcfour (minor_status, ctx, context, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - default : - ret = _gssapi_unwrap_cfx (minor_status, ctx, context, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - } - krb5_free_keyblock (context, key); - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/krb5/v1.c b/crypto/heimdal/lib/gssapi/krb5/v1.c deleted file mode 100644 index c5ebeb9dd77e..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/v1.c +++ /dev/null 
@@ -1,104 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "krb5/gsskrb5_locl.h" - -RCSID("$Id: v1.c 18334 2006-10-07 22:16:04Z lha $"); - -/* These functions are for V1 compatibility */ - -OM_uint32 _gsskrb5_sign - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int qop_req, - gss_buffer_t message_buffer, - gss_buffer_t message_token - ) -{ - return _gsskrb5_get_mic(minor_status, - context_handle, - (gss_qop_t)qop_req, - message_buffer, - message_token); -} - -OM_uint32 _gsskrb5_verify - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t message_buffer, - gss_buffer_t token_buffer, - int * qop_state - ) -{ - return _gsskrb5_verify_mic(minor_status, - context_handle, - message_buffer, - token_buffer, - (gss_qop_t *)qop_state); -} - -OM_uint32 _gsskrb5_seal - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - int qop_req, - gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer - ) -{ - return _gsskrb5_wrap(minor_status, - context_handle, - conf_req_flag, - (gss_qop_t)qop_req, - input_message_buffer, - conf_state, - output_message_buffer); -} - -OM_uint32 _gsskrb5_unseal - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - int * qop_state - ) -{ - return _gsskrb5_unwrap(minor_status, - context_handle, - input_message_buffer, - output_message_buffer, - conf_state, - (gss_qop_t *)qop_state); -} diff --git a/crypto/heimdal/lib/gssapi/krb5/verify_mic.c b/crypto/heimdal/lib/gssapi/krb5/verify_mic.c deleted file mode 100644 index 52381afcc28a..000000000000 --- a/crypto/heimdal/lib/gssapi/krb5/verify_mic.c +++ /dev/null 
@@ -1,344 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: verify_mic.c 19031 2006-11-13 18:02:57Z lha $");
-
-static OM_uint32
-verify_mic_des
- (OM_uint32 * minor_status,
- const gsskrb5_ctx context_handle,
- krb5_context context,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t * qop_state,
- krb5_keyblock *key,
- char *type
- )
-{
- u_char *p;
- MD5_CTX md5;
- u_char hash[16], *seq;
- DES_key_schedule schedule;
- DES_cblock zero;
- DES_cblock deskey;
- uint32_t seq_number;
- OM_uint32 ret;
- int cmp;
-
- p = token_buffer->value;
- ret = _gsskrb5_verify_header (&p,
- token_buffer->length,
- type,
- GSS_KRB5_MECHANISM);
- if (ret)
- return ret;
-
- if (memcmp(p, "\x00\x00", 2) != 0)
- return GSS_S_BAD_SIG;
- p += 2;
- if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
- return GSS_S_BAD_MIC;
- p += 4;
- p += 16;
-
- /* verify checksum */
- MD5_Init (&md5);
- MD5_Update (&md5, p - 24, 8);
- MD5_Update (&md5, message_buffer->value,
- message_buffer->length);
- MD5_Final (hash, &md5);
-
- memset (&zero, 0, sizeof(zero));
- memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
-
- DES_set_key (&deskey, &schedule);
- DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
- &schedule, &zero);
- if (memcmp (p - 8, hash, 8) != 0) {
- memset (deskey, 0, sizeof(deskey));
- memset (&schedule, 0, sizeof(schedule));
- return GSS_S_BAD_MIC;
- }
-
- /* verify sequence number */
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
-
- p -= 16;
- DES_set_key (&deskey, &schedule);
- DES_cbc_encrypt ((void *)p, (void *)p, 8,
- &schedule, (DES_cblock *)hash, DES_DECRYPT);
-
- memset (deskey, 0, sizeof(deskey));
- memset (&schedule, 0, sizeof(schedule));
-
- seq = p;
- _gsskrb5_decode_om_uint32(seq, &seq_number);
-
- if (context_handle->more_flags & LOCAL)
- cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
- else
- cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
-
- if (cmp != 0) {
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- return GSS_S_BAD_MIC;
-
}
-
- ret = _gssapi_msg_order_check(context_handle->order, seq_number);
- if (ret) {
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- return ret;
- }
-
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
-
- return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-verify_mic_des3
- (OM_uint32 * minor_status,
- const gsskrb5_ctx context_handle,
- krb5_context context,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t * qop_state,
- krb5_keyblock *key,
- char *type
- )
-{
- u_char *p;
- u_char *seq;
- uint32_t seq_number;
- OM_uint32 ret;
- krb5_crypto crypto;
- krb5_data seq_data;
- int cmp, docompat;
- Checksum csum;
- char *tmp;
- char ivec[8];
-
- p = token_buffer->value;
- ret = _gsskrb5_verify_header (&p,
- token_buffer->length,
- type,
- GSS_KRB5_MECHANISM);
- if (ret)
- return ret;
-
- if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */
- return GSS_S_BAD_SIG;
- p += 2;
- if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
- return GSS_S_BAD_MIC;
- p += 4;
-
- ret = krb5_crypto_init(context, key,
- ETYPE_DES3_CBC_NONE, &crypto);
- if (ret){
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- /* verify sequence number */
- docompat = 0;
-retry:
- if (docompat)
- memset(ivec, 0, 8);
- else
- memcpy(ivec, p + 8, 8);
-
- ret = krb5_decrypt_ivec (context,
- crypto,
- KRB5_KU_USAGE_SEQ,
- p, 8, &seq_data, ivec);
- if (ret) {
- if (docompat++) {
- krb5_crypto_destroy (context, crypto);
- *minor_status = ret;
- return GSS_S_FAILURE;
- } else
- goto retry;
- }
-
- if (seq_data.length != 8) {
- krb5_data_free (&seq_data);
- if (docompat++) {
- krb5_crypto_destroy (context, crypto);
- return GSS_S_BAD_MIC;
- } else
- goto retry;
- }
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
-
- seq = seq_data.data;
- _gsskrb5_decode_om_uint32(seq, &seq_number);
-
- if (context_handle->more_flags & LOCAL)
- cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
- else
- cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
-
- krb5_data_free
(&seq_data);
- if (cmp != 0) {
- krb5_crypto_destroy (context, crypto);
- *minor_status = 0;
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- return GSS_S_BAD_MIC;
- }
-
- ret = _gssapi_msg_order_check(context_handle->order, seq_number);
- if (ret) {
- krb5_crypto_destroy (context, crypto);
- *minor_status = 0;
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- return ret;
- }
-
- /* verify checksum */
-
- tmp = malloc (message_buffer->length + 8);
- if (tmp == NULL) {
- krb5_crypto_destroy (context, crypto);
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- memcpy (tmp, p - 8, 8);
- memcpy (tmp + 8, message_buffer->value, message_buffer->length);
-
- csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
- csum.checksum.length = 20;
- csum.checksum.data = p + 8;
-
- ret = krb5_verify_checksum (context, crypto,
- KRB5_KU_USAGE_SIGN,
- tmp, message_buffer->length + 8,
- &csum);
- free (tmp);
- if (ret) {
- krb5_crypto_destroy (context, crypto);
- *minor_status = ret;
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- return GSS_S_BAD_MIC;
- }
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
-
- krb5_crypto_destroy (context, crypto);
- return GSS_S_COMPLETE;
-}
-
-OM_uint32
-_gsskrb5_verify_mic_internal
- (OM_uint32 * minor_status,
- const gsskrb5_ctx context_handle,
- krb5_context context,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t * qop_state,
- char * type
- )
-{
- krb5_keyblock *key;
- OM_uint32 ret;
- krb5_keytype keytype;
-
- HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
- ret = _gsskrb5i_get_token_key(context_handle, context, &key);
- HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- if (ret) {
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
- *minor_status = 0;
- krb5_enctype_to_keytype (context, key->keytype, &keytype);
- switch (keytype) {
- case KEYTYPE_DES :
- ret = verify_mic_des (minor_status, context_handle, context,
-
message_buffer, token_buffer, qop_state, key,
- type);
- break;
- case KEYTYPE_DES3 :
- ret = verify_mic_des3 (minor_status, context_handle, context,
- message_buffer, token_buffer, qop_state, key,
- type);
- break;
- case KEYTYPE_ARCFOUR :
- case KEYTYPE_ARCFOUR_56 :
- ret = _gssapi_verify_mic_arcfour (minor_status, context_handle,
- context,
- message_buffer, token_buffer,
- qop_state, key, type);
- break;
- default :
- ret = _gssapi_verify_mic_cfx (minor_status, context_handle,
- context,
- message_buffer, token_buffer, qop_state,
- key);
- break;
- }
- krb5_free_keyblock (context, key);
-
- return ret;
-}
-
-OM_uint32
-_gsskrb5_verify_mic
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t * qop_state
- )
-{
- krb5_context context;
- OM_uint32 ret;
-
- GSSAPI_KRB5_INIT (&context);
-
- if (qop_state != NULL)
- *qop_state = GSS_C_QOP_DEFAULT;
-
- ret = _gsskrb5_verify_mic_internal(minor_status,
- (gsskrb5_ctx)context_handle,
- context,
- message_buffer, token_buffer,
- qop_state, "\x01\x01");
-
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/krb5/wrap.c b/crypto/heimdal/lib/gssapi/krb5/wrap.c
deleted file mode 100644
index d41379870ae9..000000000000
--- a/crypto/heimdal/lib/gssapi/krb5/wrap.c
+++ /dev/null
@@ -1,551 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: wrap.c 19035 2006-11-14 09:49:56Z lha $");
-
-/*
- * Return initiator subkey, or if that doesn't exists, the subkey.
- */
-
-krb5_error_code
-_gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx,
- krb5_context context,
- krb5_keyblock **key)
-{
- krb5_error_code ret;
- *key = NULL;
-
- if (ctx->more_flags & LOCAL) {
- ret = krb5_auth_con_getlocalsubkey(context,
- ctx->auth_context,
- key);
- } else {
- ret = krb5_auth_con_getremotesubkey(context,
- ctx->auth_context,
- key);
- }
- if (ret == 0 && *key == NULL)
- ret = krb5_auth_con_getkey(context,
- ctx->auth_context,
- key);
- if (ret == 0 && *key == NULL) {
- krb5_set_error_string(context, "No initiator subkey available");
- return GSS_KRB5_S_KG_NO_SUBKEY;
- }
- return ret;
-}
-
-krb5_error_code
-_gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx,
- krb5_context context,
- krb5_keyblock **key)
-{
- krb5_error_code ret;
- *key = NULL;
-
- if (ctx->more_flags & LOCAL) {
- ret = krb5_auth_con_getremotesubkey(context,
- ctx->auth_context,
- key);
- } else {
- ret = krb5_auth_con_getlocalsubkey(context,
- ctx->auth_context,
- key);
- }
- if (ret == 0 && *key == NULL) {
- krb5_set_error_string(context, "No acceptor subkey available");
- return GSS_KRB5_S_KG_NO_SUBKEY;
- }
- return ret;
-}
-
-OM_uint32
-_gsskrb5i_get_token_key(const gsskrb5_ctx ctx,
- krb5_context context,
- krb5_keyblock **key)
-{
- _gsskrb5i_get_acceptor_subkey(ctx, context, key);
- if(*key == NULL) {
- /*
- * Only use the initiator subkey or ticket session key if an
- * acceptor subkey was not required.
- */
- if ((ctx->more_flags & ACCEPTOR_SUBKEY) == 0)
- _gsskrb5i_get_initiator_subkey(ctx, context, key);
- }
- if (*key == NULL) {
- krb5_set_error_string(context, "No token key available");
- return GSS_KRB5_S_KG_NO_SUBKEY;
- }
- return 0;
-}
-
-static OM_uint32
-sub_wrap_size (
- OM_uint32 req_output_size,
- OM_uint32 * max_input_size,
- int blocksize,
- int extrasize
- )
-{
- size_t len, total_len;
-
- len = 8 + req_output_size + blocksize + extrasize;
-
- _gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
-
- total_len -= req_output_size; /* token length */
- if (total_len < req_output_size) {
- *max_input_size = (req_output_size - total_len);
- (*max_input_size) &= (~(OM_uint32)(blocksize - 1));
- } else {
- *max_input_size = 0;
- }
- return GSS_S_COMPLETE;
-}
-
-OM_uint32
-_gsskrb5_wrap_size_limit (
- OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- int conf_req_flag,
- gss_qop_t qop_req,
- OM_uint32 req_output_size,
- OM_uint32 * max_input_size
- )
-{
- krb5_context context;
- krb5_keyblock *key;
- OM_uint32 ret;
- krb5_keytype keytype;
- const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
-
- GSSAPI_KRB5_INIT (&context);
-
- HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- ret = _gsskrb5i_get_token_key(ctx, context, &key);
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- if (ret) {
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
- krb5_enctype_to_keytype (context, key->keytype, &keytype);
-
- switch (keytype) {
- case KEYTYPE_DES :
- ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
- break;
- case KEYTYPE_ARCFOUR:
- case KEYTYPE_ARCFOUR_56:
- ret = _gssapi_wrap_size_arcfour(minor_status, ctx, context,
- conf_req_flag, qop_req,
- req_output_size, max_input_size, key);
- break;
- case KEYTYPE_DES3 :
- ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
- break;
- default :
- ret = _gssapi_wrap_size_cfx(minor_status, ctx, context,
- conf_req_flag, qop_req,
- req_output_size, max_input_size, key);
- break;
-
}
- krb5_free_keyblock (context, key);
- *minor_status = 0;
- return ret;
-}
-
-static OM_uint32
-wrap_des
- (OM_uint32 * minor_status,
- const gsskrb5_ctx ctx,
- krb5_context context,
- int conf_req_flag,
- gss_qop_t qop_req,
- const gss_buffer_t input_message_buffer,
- int * conf_state,
- gss_buffer_t output_message_buffer,
- krb5_keyblock *key
- )
-{
- u_char *p;
- MD5_CTX md5;
- u_char hash[16];
- DES_key_schedule schedule;
- DES_cblock deskey;
- DES_cblock zero;
- int i;
- int32_t seq_number;
- size_t len, total_len, padlength, datalen;
-
- padlength = 8 - (input_message_buffer->length % 8);
- datalen = input_message_buffer->length + padlength + 8;
- len = datalen + 22;
- _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
-
- output_message_buffer->length = total_len;
- output_message_buffer->value = malloc (total_len);
- if (output_message_buffer->value == NULL) {
- output_message_buffer->length = 0;
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- p = _gsskrb5_make_header(output_message_buffer->value,
- len,
- "\x02\x01", /* TOK_ID */
- GSS_KRB5_MECHANISM);
-
- /* SGN_ALG */
- memcpy (p, "\x00\x00", 2);
- p += 2;
- /* SEAL_ALG */
- if(conf_req_flag)
- memcpy (p, "\x00\x00", 2);
- else
- memcpy (p, "\xff\xff", 2);
- p += 2;
- /* Filler */
- memcpy (p, "\xff\xff", 2);
- p += 2;
-
- /* fill in later */
- memset (p, 0, 16);
- p += 16;
-
- /* confounder + data + pad */
- krb5_generate_random_block(p, 8);
- memcpy (p + 8, input_message_buffer->value,
- input_message_buffer->length);
- memset (p + 8 + input_message_buffer->length, padlength, padlength);
-
- /* checksum */
- MD5_Init (&md5);
- MD5_Update (&md5, p - 24, 8);
- MD5_Update (&md5, p, datalen);
- MD5_Final (hash, &md5);
-
- memset (&zero, 0, sizeof(zero));
- memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
- DES_set_key (&deskey, &schedule);
- DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
- &schedule, &zero);
- memcpy (p - 8, hash, 8);
-
- /* sequence number */
-
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- krb5_auth_con_getlocalseqnumber (context,
- ctx->auth_context,
- &seq_number);
-
- p -= 16;
- p[0] = (seq_number >> 0) & 0xFF;
- p[1] = (seq_number >> 8) & 0xFF;
- p[2] = (seq_number >> 16) & 0xFF;
- p[3] = (seq_number >> 24) & 0xFF;
- memset (p + 4,
- (ctx->more_flags & LOCAL) ? 0 : 0xFF,
- 4);
-
- DES_set_key (&deskey, &schedule);
- DES_cbc_encrypt ((void *)p, (void *)p, 8,
- &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
-
- krb5_auth_con_setlocalseqnumber (context,
- ctx->auth_context,
- ++seq_number);
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-
- /* encrypt the data */
- p += 16;
-
- if(conf_req_flag) {
- memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
-
- for (i = 0; i < sizeof(deskey); ++i)
- deskey[i] ^= 0xf0;
- DES_set_key (&deskey, &schedule);
- memset (&zero, 0, sizeof(zero));
- DES_cbc_encrypt ((void *)p,
- (void *)p,
- datalen,
- &schedule,
- &zero,
- DES_ENCRYPT);
- }
- memset (deskey, 0, sizeof(deskey));
- memset (&schedule, 0, sizeof(schedule));
-
- if(conf_state != NULL)
- *conf_state = conf_req_flag;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-wrap_des3
- (OM_uint32 * minor_status,
- const gsskrb5_ctx ctx,
- krb5_context context,
- int conf_req_flag,
- gss_qop_t qop_req,
- const gss_buffer_t input_message_buffer,
- int * conf_state,
- gss_buffer_t output_message_buffer,
- krb5_keyblock *key
- )
-{
- u_char *p;
- u_char seq[8];
- int32_t seq_number;
- size_t len, total_len, padlength, datalen;
- uint32_t ret;
- krb5_crypto crypto;
- Checksum cksum;
- krb5_data encdata;
-
- padlength = 8 - (input_message_buffer->length % 8);
- datalen = input_message_buffer->length + padlength + 8;
- len = datalen + 34;
- _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
-
- output_message_buffer->length = total_len;
- output_message_buffer->value = malloc (total_len);
- if (output_message_buffer->value == NULL) {
- output_message_buffer->length = 0;
- *minor_status =
ENOMEM;
- return GSS_S_FAILURE;
- }
-
- p = _gsskrb5_make_header(output_message_buffer->value,
- len,
- "\x02\x01", /* TOK_ID */
- GSS_KRB5_MECHANISM);
-
- /* SGN_ALG */
- memcpy (p, "\x04\x00", 2); /* HMAC SHA1 DES3-KD */
- p += 2;
- /* SEAL_ALG */
- if(conf_req_flag)
- memcpy (p, "\x02\x00", 2); /* DES3-KD */
- else
- memcpy (p, "\xff\xff", 2);
- p += 2;
- /* Filler */
- memcpy (p, "\xff\xff", 2);
- p += 2;
-
- /* calculate checksum (the above + confounder + data + pad) */
-
- memcpy (p + 20, p - 8, 8);
- krb5_generate_random_block(p + 28, 8);
- memcpy (p + 28 + 8, input_message_buffer->value,
- input_message_buffer->length);
- memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength);
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret) {
- free (output_message_buffer->value);
- output_message_buffer->length = 0;
- output_message_buffer->value = NULL;
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- ret = krb5_create_checksum (context,
- crypto,
- KRB5_KU_USAGE_SIGN,
- 0,
- p + 20,
- datalen + 8,
- &cksum);
- krb5_crypto_destroy (context, crypto);
- if (ret) {
- free (output_message_buffer->value);
- output_message_buffer->length = 0;
- output_message_buffer->value = NULL;
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- /* zero out SND_SEQ + SGN_CKSUM in case */
- memset (p, 0, 28);
-
- memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
- free_Checksum (&cksum);
-
- HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- /* sequence number */
- krb5_auth_con_getlocalseqnumber (context,
- ctx->auth_context,
- &seq_number);
-
- seq[0] = (seq_number >> 0) & 0xFF;
- seq[1] = (seq_number >> 8) & 0xFF;
- seq[2] = (seq_number >> 16) & 0xFF;
- seq[3] = (seq_number >> 24) & 0xFF;
- memset (seq + 4,
- (ctx->more_flags & LOCAL) ?
0 : 0xFF,
- 4);
-
-
- ret = krb5_crypto_init(context, key, ETYPE_DES3_CBC_NONE,
- &crypto);
- if (ret) {
- free (output_message_buffer->value);
- output_message_buffer->length = 0;
- output_message_buffer->value = NULL;
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- {
- DES_cblock ivec;
-
- memcpy (&ivec, p + 8, 8);
- ret = krb5_encrypt_ivec (context,
- crypto,
- KRB5_KU_USAGE_SEQ,
- seq, 8, &encdata,
- &ivec);
- }
- krb5_crypto_destroy (context, crypto);
- if (ret) {
- free (output_message_buffer->value);
- output_message_buffer->length = 0;
- output_message_buffer->value = NULL;
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- assert (encdata.length == 8);
-
- memcpy (p, encdata.data, encdata.length);
- krb5_data_free (&encdata);
-
- krb5_auth_con_setlocalseqnumber (context,
- ctx->auth_context,
- ++seq_number);
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-
- /* encrypt the data */
- p += 28;
-
- if(conf_req_flag) {
- krb5_data tmp;
-
- ret = krb5_crypto_init(context, key,
- ETYPE_DES3_CBC_NONE, &crypto);
- if (ret) {
- free (output_message_buffer->value);
- output_message_buffer->length = 0;
- output_message_buffer->value = NULL;
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
- ret = krb5_encrypt(context, crypto, KRB5_KU_USAGE_SEAL,
- p, datalen, &tmp);
- krb5_crypto_destroy(context, crypto);
- if (ret) {
- free (output_message_buffer->value);
- output_message_buffer->length = 0;
- output_message_buffer->value = NULL;
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
- assert (tmp.length == datalen);
-
- memcpy (p, tmp.data, datalen);
- krb5_data_free(&tmp);
- }
- if(conf_state != NULL)
- *conf_state = conf_req_flag;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
-
-OM_uint32 _gsskrb5_wrap
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- int conf_req_flag,
- gss_qop_t qop_req,
- const gss_buffer_t input_message_buffer,
- int * conf_state,
- gss_buffer_t output_message_buffer
- )
-{
- krb5_context context;
- krb5_keyblock
*key;
- OM_uint32 ret;
- krb5_keytype keytype;
- const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
-
- GSSAPI_KRB5_INIT (&context);
-
- HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- ret = _gsskrb5i_get_token_key(ctx, context, &key);
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- if (ret) {
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
- krb5_enctype_to_keytype (context, key->keytype, &keytype);
-
- switch (keytype) {
- case KEYTYPE_DES :
- ret = wrap_des (minor_status, ctx, context, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer, key);
- break;
- case KEYTYPE_DES3 :
- ret = wrap_des3 (minor_status, ctx, context, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer, key);
- break;
- case KEYTYPE_ARCFOUR:
- case KEYTYPE_ARCFOUR_56:
- ret = _gssapi_wrap_arcfour (minor_status, ctx, context, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer, key);
- break;
- default :
- ret = _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer, key);
- break;
- }
- krb5_free_keyblock (context, key);
- return ret;
-} |