diff options
Diffstat (limited to 'src/lib/gssapi/krb5')
46 files changed, 6708 insertions, 6643 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 3ae460e1f..8d01f5e67 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 2000, 2004, 2007, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -6,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,11 +21,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -34,7 +35,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -46,14 +47,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -64,7 +65,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -84,7 +85,7 @@ #define CFX_ACCEPTOR_SUBKEY 1 #endif -#ifndef LEAN_CLIENT +#ifndef LEAN_CLIENT /* Decode, decrypt and store the forwarded creds in the local ccache. */ static krb5_error_code @@ -99,91 +100,91 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) krb5_ccache ccache = NULL; krb5_gss_cred_id_t cred = NULL; krb5_auth_context new_auth_ctx = NULL; - krb5_int32 flags_org; - - if ((retval = krb5_auth_con_getflags(context, auth_context, &flags_org))) - return retval; - krb5_auth_con_setflags(context, auth_context, - 0); - - /* - * By the time krb5_rd_cred is called here (after krb5_rd_req has been - * called in krb5_gss_accept_sec_context), the "keyblock" field of - * auth_context contains a pointer to the session key, and the - * "recv_subkey" field might contain a session subkey. Either of - * these (the "recv_subkey" if it isn't NULL, otherwise the - * "keyblock") might have been used to encrypt the encrypted part of - * the KRB_CRED message that contains the forwarded credentials. (The - * Java Crypto and Security Implementation from the DSTC in Australia - * always uses the session key. But apparently it never negotiates a - * subkey, so this code works fine against a JCSI client.) Up to the - * present, though, GSSAPI clients linked against the MIT code (which - * is almost all GSSAPI clients) don't encrypt the KRB_CRED message at - * all -- at this level. So if the first call to krb5_rd_cred fails, - * we should call it a second time with another auth context freshly - * created by krb5_auth_con_init. All of its keyblock fields will be - * NULL, so krb5_rd_cred will assume that the KRB_CRED message is - * unencrypted. (The MIT code doesn't actually send the KRB_CRED - * message in the clear -- the "authenticator" whose "checksum" ends up - * containing the KRB_CRED message does get encrypted.) - */ - if (krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) { - if ((retval = krb5_auth_con_init(context, &new_auth_ctx))) - goto cleanup; - krb5_auth_con_setflags(context, new_auth_ctx, 0); - if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf, - &creds, NULL))) - goto cleanup; - } + krb5_int32 flags_org; + + if ((retval = krb5_auth_con_getflags(context, auth_context, &flags_org))) + return retval; + krb5_auth_con_setflags(context, auth_context, + 0); + + /* + * By the time krb5_rd_cred is called here (after krb5_rd_req has been + * called in krb5_gss_accept_sec_context), the "keyblock" field of + * auth_context contains a pointer to the session key, and the + * "recv_subkey" field might contain a session subkey. Either of + * these (the "recv_subkey" if it isn't NULL, otherwise the + * "keyblock") might have been used to encrypt the encrypted part of + * the KRB_CRED message that contains the forwarded credentials. (The + * Java Crypto and Security Implementation from the DSTC in Australia + * always uses the session key. But apparently it never negotiates a + * subkey, so this code works fine against a JCSI client.) Up to the + * present, though, GSSAPI clients linked against the MIT code (which + * is almost all GSSAPI clients) don't encrypt the KRB_CRED message at + * all -- at this level. So if the first call to krb5_rd_cred fails, + * we should call it a second time with another auth context freshly + * created by krb5_auth_con_init. All of its keyblock fields will be + * NULL, so krb5_rd_cred will assume that the KRB_CRED message is + * unencrypted. (The MIT code doesn't actually send the KRB_CRED + * message in the clear -- the "authenticator" whose "checksum" ends up + * containing the KRB_CRED message does get encrypted.) + */ + if (krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) { + if ((retval = krb5_auth_con_init(context, &new_auth_ctx))) + goto cleanup; + krb5_auth_con_setflags(context, new_auth_ctx, 0); + if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf, + &creds, NULL))) + goto cleanup; + } if ((retval = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) { - ccache = NULL; + ccache = NULL; goto cleanup; } if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client))) - goto cleanup; + goto cleanup; if ((retval = krb5_cc_store_cred(context, ccache, creds[0]))) - goto cleanup; + goto cleanup; /* generate a delegated credential handle */ if (out_cred) { - /* allocate memory for a cred_t... */ - if (!(cred = - (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))) { - retval = ENOMEM; /* out of memory? */ - goto cleanup; - } - - /* zero it out... */ - memset(cred, 0, sizeof(krb5_gss_cred_id_rec)); - - retval = k5_mutex_init(&cred->lock); - if (retval) { - xfree(cred); - cred = NULL; - goto cleanup; - } - - /* copy the client principle into it... */ - if ((retval = - krb5_copy_principal(context, creds[0]->client, &(cred->princ)))) { - k5_mutex_destroy(&cred->lock); - retval = ENOMEM; /* out of memory? */ - xfree(cred); /* clean up memory on failure */ - cred = NULL; - goto cleanup; - } - - cred->usage = GSS_C_INITIATE; /* we can't accept with this */ - /* cred->princ already set */ - cred->prerfc_mech = 1; /* this cred will work with all three mechs */ - cred->rfc_mech = 1; - cred->keytab = NULL; /* no keytab associated with this... */ - cred->tgt_expire = creds[0]->times.endtime; /* store the end time */ - cred->ccache = ccache; /* the ccache containing the credential */ - ccache = NULL; /* cred takes ownership so don't destroy */ + /* allocate memory for a cred_t... */ + if (!(cred = + (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))) { + retval = ENOMEM; /* out of memory? */ + goto cleanup; + } + + /* zero it out... */ + memset(cred, 0, sizeof(krb5_gss_cred_id_rec)); + + retval = k5_mutex_init(&cred->lock); + if (retval) { + xfree(cred); + cred = NULL; + goto cleanup; + } + + /* copy the client principle into it... */ + if ((retval = + krb5_copy_principal(context, creds[0]->client, &(cred->princ)))) { + k5_mutex_destroy(&cred->lock); + retval = ENOMEM; /* out of memory? */ + xfree(cred); /* clean up memory on failure */ + cred = NULL; + goto cleanup; + } + + cred->usage = GSS_C_INITIATE; /* we can't accept with this */ + /* cred->princ already set */ + cred->prerfc_mech = 1; /* this cred will work with all three mechs */ + cred->rfc_mech = 1; + cred->keytab = NULL; /* no keytab associated with this... */ + cred->tgt_expire = creds[0]->times.endtime; /* store the end time */ + cred->ccache = ccache; /* the ccache containing the credential */ + ccache = NULL; /* cred takes ownership so don't destroy */ } /* If there were errors, there might have been a memory leak @@ -193,16 +194,16 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) */ cleanup: if (creds) - krb5_free_tgt_creds(context, creds); + krb5_free_tgt_creds(context, creds); if (ccache) - (void)krb5_cc_destroy(context, ccache); + (void)krb5_cc_destroy(context, ccache); if (out_cred) - *out_cred = cred; /* return credential */ + *out_cred = cred; /* return credential */ if (new_auth_ctx) - krb5_auth_con_free(context, new_auth_ctx); + krb5_auth_con_free(context, new_auth_ctx); krb5_auth_con_setflags(context, auth_context, flags_org); @@ -211,286 +212,286 @@ cleanup: OM_uint32 -krb5_gss_accept_sec_context(minor_status, context_handle, - verifier_cred_handle, input_token, - input_chan_bindings, src_name, mech_type, - output_token, ret_flags, time_rec, - delegated_cred_handle) - OM_uint32 *minor_status; - gss_ctx_id_t *context_handle; - gss_cred_id_t verifier_cred_handle; - gss_buffer_t input_token; - gss_channel_bindings_t input_chan_bindings; - gss_name_t *src_name; - gss_OID *mech_type; - gss_buffer_t output_token; - OM_uint32 *ret_flags; - OM_uint32 *time_rec; - gss_cred_id_t *delegated_cred_handle; +krb5_gss_accept_sec_context(minor_status, context_handle, + verifier_cred_handle, input_token, + input_chan_bindings, src_name, mech_type, + output_token, ret_flags, time_rec, + delegated_cred_handle) + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_cred_id_t verifier_cred_handle; + gss_buffer_t input_token; + gss_channel_bindings_t input_chan_bindings; + gss_name_t *src_name; + gss_OID *mech_type; + gss_buffer_t output_token; + OM_uint32 *ret_flags; + OM_uint32 *time_rec; + gss_cred_id_t *delegated_cred_handle; { - krb5_context context; - unsigned char *ptr, *ptr2; - char *sptr; - long tmp; - size_t md5len; - int bigend; - krb5_gss_cred_id_t cred = 0; - krb5_data ap_rep, ap_req; - unsigned int i; - krb5_error_code code; - krb5_address addr, *paddr; - krb5_authenticator *authdat = 0; - krb5_checksum reqcksum; - krb5_principal name = NULL; - krb5_ui_4 gss_flags = 0; - int decode_req_message = 0; - krb5_gss_ctx_id_rec *ctx = 0; - krb5_timestamp now; - gss_buffer_desc token; - krb5_auth_context auth_context = NULL; - krb5_ticket * ticket = NULL; - int option_id; - krb5_data option; - const gss_OID_desc *mech_used = NULL; - OM_uint32 major_status = GSS_S_FAILURE; - OM_uint32 tmp_minor_status; - krb5_error krb_error_data; - krb5_data scratch; - gss_cred_id_t cred_handle = NULL; - krb5_gss_cred_id_t deleg_cred = NULL; - krb5int_access kaccess; - int cred_rcache = 0; - - code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); - if (code) { - *minor_status = code; - return(GSS_S_FAILURE); - } - - code = krb5_gss_init_context(&context); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } - - /* set up returns to be freeable */ - - if (src_name) - *src_name = (gss_name_t) NULL; - output_token->length = 0; - output_token->value = NULL; - token.value = 0; - reqcksum.contents = 0; - ap_req.data = 0; - ap_rep.data = 0; - - if (mech_type) - *mech_type = GSS_C_NULL_OID; - /* return a bogus cred handle */ - if (delegated_cred_handle) - *delegated_cred_handle = GSS_C_NO_CREDENTIAL; - - /* - * Context handle must be unspecified. Actually, it must be - * non-established, but currently, accept_sec_context never returns - * a non-established context handle. - */ - /*SUPPRESS 29*/ - if (*context_handle != GSS_C_NO_CONTEXT) { - *minor_status = EINVAL; - save_error_string(EINVAL, "accept_sec_context called with existing context handle"); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - - /* handle default cred handle */ - if (verifier_cred_handle == GSS_C_NO_CREDENTIAL) { - major_status = krb5_gss_acquire_cred(minor_status, GSS_C_NO_NAME, - GSS_C_INDEFINITE, GSS_C_NO_OID_SET, - GSS_C_ACCEPT, &cred_handle, - NULL, NULL); - if (major_status != GSS_S_COMPLETE) { - code = *minor_status; - goto fail; - } - } else { - major_status = krb5_gss_validate_cred(minor_status, - verifier_cred_handle); - if (GSS_ERROR(major_status)) { - code = *minor_status; - goto fail; - } - cred_handle = verifier_cred_handle; - } - - cred = (krb5_gss_cred_id_t) cred_handle; - - /* make sure the supplied credentials are valid for accept */ - - if ((cred->usage != GSS_C_ACCEPT) && - (cred->usage != GSS_C_BOTH)) { - code = 0; - major_status = GSS_S_NO_CRED; - goto fail; - } - - /* verify the token's integrity, and leave the token in ap_req. - figure out which mech oid was used, and save it */ - - ptr = (unsigned char *) input_token->value; - - if (!(code = g_verify_token_header(gss_mech_krb5, - &(ap_req.length), - &ptr, KG_TOK_CTX_AP_REQ, - input_token->length, 1))) { - mech_used = gss_mech_krb5; - } else if ((code == G_WRONG_MECH) - &&!(code = g_verify_token_header((gss_OID) gss_mech_krb5_wrong, - &(ap_req.length), - &ptr, KG_TOK_CTX_AP_REQ, - input_token->length, 1))) { - mech_used = gss_mech_krb5_wrong; - } else if ((code == G_WRONG_MECH) && - !(code = g_verify_token_header(gss_mech_krb5_old, - &(ap_req.length), - &ptr, KG_TOK_CTX_AP_REQ, - input_token->length, 1))) { - /* - * Previous versions of this library used the old mech_id - * and some broken behavior (wrong IV on checksum - * encryption). We support the old mech_id for - * compatibility, and use it to decide when to use the - * old behavior. - */ - mech_used = gss_mech_krb5_old; - } else if (code == G_WRONG_TOKID) { - major_status = GSS_S_CONTINUE_NEEDED; - code = KRB5KRB_AP_ERR_MSG_TYPE; - mech_used = gss_mech_krb5; - goto fail; - } else { - major_status = GSS_S_DEFECTIVE_TOKEN; - goto fail; - } - - sptr = (char *) ptr; - TREAD_STR(sptr, ap_req.data, ap_req.length); - decode_req_message = 1; - - /* construct the sender_addr */ - - if ((input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) && - (input_chan_bindings->initiator_addrtype == GSS_C_AF_INET)) { - /* XXX is this right? */ - addr.addrtype = ADDRTYPE_INET; - addr.length = input_chan_bindings->initiator_address.length; - addr.contents = input_chan_bindings->initiator_address.value; - - paddr = &addr; - } else { - paddr = NULL; - } - - /* decode the AP_REQ message */ - - /* decode the message */ - - if ((code = krb5_auth_con_init(context, &auth_context))) { - major_status = GSS_S_FAILURE; - save_error_info(code, context); - goto fail; - } - if (cred->rcache) { - cred_rcache = 1; - if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) { - major_status = GSS_S_FAILURE; - goto fail; - } - } - if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) { - major_status = GSS_S_FAILURE; - goto fail; - } - - if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ, - cred->keytab, NULL, &ticket))) { - major_status = GSS_S_FAILURE; - goto fail; - } - krb5_auth_con_setflags(context, auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); - - krb5_auth_con_getauthenticator(context, auth_context, &authdat); + krb5_context context; + unsigned char *ptr, *ptr2; + char *sptr; + long tmp; + size_t md5len; + int bigend; + krb5_gss_cred_id_t cred = 0; + krb5_data ap_rep, ap_req; + unsigned int i; + krb5_error_code code; + krb5_address addr, *paddr; + krb5_authenticator *authdat = 0; + krb5_checksum reqcksum; + krb5_principal name = NULL; + krb5_ui_4 gss_flags = 0; + int decode_req_message = 0; + krb5_gss_ctx_id_rec *ctx = 0; + krb5_timestamp now; + gss_buffer_desc token; + krb5_auth_context auth_context = NULL; + krb5_ticket * ticket = NULL; + int option_id; + krb5_data option; + const gss_OID_desc *mech_used = NULL; + OM_uint32 major_status = GSS_S_FAILURE; + OM_uint32 tmp_minor_status; + krb5_error krb_error_data; + krb5_data scratch; + gss_cred_id_t cred_handle = NULL; + krb5_gss_cred_id_t deleg_cred = NULL; + krb5int_access kaccess; + int cred_rcache = 0; + + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) { + *minor_status = code; + return(GSS_S_FAILURE); + } + + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } + + /* set up returns to be freeable */ + + if (src_name) + *src_name = (gss_name_t) NULL; + output_token->length = 0; + output_token->value = NULL; + token.value = 0; + reqcksum.contents = 0; + ap_req.data = 0; + ap_rep.data = 0; + + if (mech_type) + *mech_type = GSS_C_NULL_OID; + /* return a bogus cred handle */ + if (delegated_cred_handle) + *delegated_cred_handle = GSS_C_NO_CREDENTIAL; + + /* + * Context handle must be unspecified. Actually, it must be + * non-established, but currently, accept_sec_context never returns + * a non-established context handle. + */ + /*SUPPRESS 29*/ + if (*context_handle != GSS_C_NO_CONTEXT) { + *minor_status = EINVAL; + save_error_string(EINVAL, "accept_sec_context called with existing context handle"); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + + /* handle default cred handle */ + if (verifier_cred_handle == GSS_C_NO_CREDENTIAL) { + major_status = krb5_gss_acquire_cred(minor_status, GSS_C_NO_NAME, + GSS_C_INDEFINITE, GSS_C_NO_OID_SET, + GSS_C_ACCEPT, &cred_handle, + NULL, NULL); + if (major_status != GSS_S_COMPLETE) { + code = *minor_status; + goto fail; + } + } else { + major_status = krb5_gss_validate_cred(minor_status, + verifier_cred_handle); + if (GSS_ERROR(major_status)) { + code = *minor_status; + goto fail; + } + cred_handle = verifier_cred_handle; + } + + cred = (krb5_gss_cred_id_t) cred_handle; + + /* make sure the supplied credentials are valid for accept */ + + if ((cred->usage != GSS_C_ACCEPT) && + (cred->usage != GSS_C_BOTH)) { + code = 0; + major_status = GSS_S_NO_CRED; + goto fail; + } + + /* verify the token's integrity, and leave the token in ap_req. + figure out which mech oid was used, and save it */ + + ptr = (unsigned char *) input_token->value; + + if (!(code = g_verify_token_header(gss_mech_krb5, + &(ap_req.length), + &ptr, KG_TOK_CTX_AP_REQ, + input_token->length, 1))) { + mech_used = gss_mech_krb5; + } else if ((code == G_WRONG_MECH) + &&!(code = g_verify_token_header((gss_OID) gss_mech_krb5_wrong, + &(ap_req.length), + &ptr, KG_TOK_CTX_AP_REQ, + input_token->length, 1))) { + mech_used = gss_mech_krb5_wrong; + } else if ((code == G_WRONG_MECH) && + !(code = g_verify_token_header(gss_mech_krb5_old, + &(ap_req.length), + &ptr, KG_TOK_CTX_AP_REQ, + input_token->length, 1))) { + /* + * Previous versions of this library used the old mech_id + * and some broken behavior (wrong IV on checksum + * encryption). We support the old mech_id for + * compatibility, and use it to decide when to use the + * old behavior. + */ + mech_used = gss_mech_krb5_old; + } else if (code == G_WRONG_TOKID) { + major_status = GSS_S_CONTINUE_NEEDED; + code = KRB5KRB_AP_ERR_MSG_TYPE; + mech_used = gss_mech_krb5; + goto fail; + } else { + major_status = GSS_S_DEFECTIVE_TOKEN; + goto fail; + } + + sptr = (char *) ptr; + TREAD_STR(sptr, ap_req.data, ap_req.length); + decode_req_message = 1; + + /* construct the sender_addr */ + + if ((input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) && + (input_chan_bindings->initiator_addrtype == GSS_C_AF_INET)) { + /* XXX is this right? */ + addr.addrtype = ADDRTYPE_INET; + addr.length = input_chan_bindings->initiator_address.length; + addr.contents = input_chan_bindings->initiator_address.value; + + paddr = &addr; + } else { + paddr = NULL; + } + + /* decode the AP_REQ message */ + + /* decode the message */ + + if ((code = krb5_auth_con_init(context, &auth_context))) { + major_status = GSS_S_FAILURE; + save_error_info(code, context); + goto fail; + } + if (cred->rcache) { + cred_rcache = 1; + if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) { + major_status = GSS_S_FAILURE; + goto fail; + } + } + if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) { + major_status = GSS_S_FAILURE; + goto fail; + } + + if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ, + cred->keytab, NULL, &ticket))) { + major_status = GSS_S_FAILURE; + goto fail; + } + krb5_auth_con_setflags(context, auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE); + + krb5_auth_con_getauthenticator(context, auth_context, &authdat); #if 0 - /* make sure the necessary parts of the authdat are present */ - - if ((authdat->authenticator->subkey == NULL) || - (authdat->ticket->enc_part2 == NULL)) { - code = KG_NO_SUBKEY; - major_status = GSS_S_FAILURE; - goto fail; - } + /* make sure the necessary parts of the authdat are present */ + + if ((authdat->authenticator->subkey == NULL) || + (authdat->ticket->enc_part2 == NULL)) { + code = KG_NO_SUBKEY; + major_status = GSS_S_FAILURE; + goto fail; + } #endif - { - /* gss krb5 v1 */ + { + /* gss krb5 v1 */ - /* stash this now, for later. */ - code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &md5len); - if (code) { - major_status = GSS_S_FAILURE; - goto fail; - } + /* stash this now, for later. */ + code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &md5len); + if (code) { + major_status = GSS_S_FAILURE; + goto fail; + } - /* verify that the checksum is correct */ + /* verify that the checksum is correct */ - /* - The checksum may be either exactly 24 bytes, in which case - no options are specified, or greater than 24 bytes, in which case - one or more options are specified. Currently, the only valid - option is KRB5_GSS_FOR_CREDS_OPTION ( = 1 ). - */ + /* + The checksum may be either exactly 24 bytes, in which case + no options are specified, or greater than 24 bytes, in which case + one or more options are specified. Currently, the only valid + option is KRB5_GSS_FOR_CREDS_OPTION ( = 1 ). + */ - if ((authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) || - (authdat->checksum->length < 24)) { - code = 0; - major_status = GSS_S_BAD_BINDINGS; - goto fail; - } + if ((authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) || + (authdat->checksum->length < 24)) { + code = 0; + major_status = GSS_S_BAD_BINDINGS; + goto fail; + } - /* - "Be liberal in what you accept, and - conservative in what you send" - -- rfc1123 + /* + "Be liberal in what you accept, and + conservative in what you send" + -- rfc1123 - This code will let this acceptor interoperate with an initiator - using little-endian or big-endian integer encoding. - */ + This code will let this acceptor interoperate with an initiator + using little-endian or big-endian integer encoding. + */ - ptr = (unsigned char *) authdat->checksum->contents; - bigend = 0; + ptr = (unsigned char *) authdat->checksum->contents; + bigend = 0; - TREAD_INT(ptr, tmp, bigend); + TREAD_INT(ptr, tmp, bigend); - if (tmp != md5len) { - ptr = (unsigned char *) authdat->checksum->contents; - bigend = 1; + if (tmp != md5len) { + ptr = (unsigned char *) authdat->checksum->contents; + bigend = 1; - TREAD_INT(ptr, tmp, bigend); + TREAD_INT(ptr, tmp, bigend); - if (tmp != md5len) { - code = KG_BAD_LENGTH; - major_status = GSS_S_FAILURE; - goto fail; - } - } + if (tmp != md5len) { + code = KG_BAD_LENGTH; + major_status = GSS_S_FAILURE; + goto fail; + } + } - /* at this point, bigend is set according to the initiator's - byte order */ + /* at this point, bigend is set according to the initiator's + byte order */ - /* + /* The following section of code attempts to implement the optional channel binding facility as described in RFC2743. @@ -503,507 +504,506 @@ krb5_gss_accept_sec_context(minor_status, context_handle, a checksum and compare against those provided by the client. */ - if ((code = kg_checksum_channel_bindings(context, - input_chan_bindings, - &reqcksum, bigend))) { - major_status = GSS_S_BAD_BINDINGS; - goto fail; - } - - /* Always read the clients bindings - eventhough we might ignore them */ - TREAD_STR(ptr, ptr2, reqcksum.length); - - if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) { - if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) { - xfree(reqcksum.contents); - reqcksum.contents = 0; - code = 0; - major_status = GSS_S_BAD_BINDINGS; - goto fail; - } - - } - - xfree(reqcksum.contents); - reqcksum.contents = 0; - - TREAD_INT(ptr, gss_flags, bigend); + if ((code = kg_checksum_channel_bindings(context, + input_chan_bindings, + &reqcksum, bigend))) { + major_status = GSS_S_BAD_BINDINGS; + goto fail; + } + + /* Always read the clients bindings - eventhough we might ignore them */ + TREAD_STR(ptr, ptr2, reqcksum.length); + + if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS ) { + if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) { + xfree(reqcksum.contents); + reqcksum.contents = 0; + code = 0; + major_status = GSS_S_BAD_BINDINGS; + goto fail; + } + + } + + xfree(reqcksum.contents); + reqcksum.contents = 0; + + TREAD_INT(ptr, gss_flags, bigend); #if 0 - gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if - there's a delegation, we'll set - it below */ + gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if + there's a delegation, we'll set + it below */ #endif - decode_req_message = 0; + decode_req_message = 0; - /* if the checksum length > 24, there are options to process */ + /* if the checksum length > 24, there are options to process */ - if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) { + if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) { - i = authdat->checksum->length - 24; + i = authdat->checksum->length - 24; - if (i >= 4) { + if (i >= 4) { - TREAD_INT16(ptr, option_id, bigend); + TREAD_INT16(ptr, option_id, bigend); - TREAD_INT16(ptr, option.length, bigend); + TREAD_INT16(ptr, option.length, bigend); - i -= 4; + i -= 4; - if (i < option.length || option.length < 0) { - code = KG_BAD_LENGTH; - major_status = GSS_S_FAILURE; - goto fail; - } + if (i < option.length || option.length < 0) { + code = KG_BAD_LENGTH; + major_status = GSS_S_FAILURE; + goto fail; + } - /* have to use ptr2, since option.data is wrong type and - macro uses ptr as both lvalue and rvalue */ + /* have to use ptr2, since option.data is wrong type and + macro uses ptr as both lvalue and rvalue */ - TREAD_STR(ptr, ptr2, option.length); - option.data = (char *) ptr2; + TREAD_STR(ptr, ptr2, option.length); + option.data = (char *) ptr2; - i -= option.length; + i -= option.length; - if (option_id != KRB5_GSS_FOR_CREDS_OPTION) { - major_status = GSS_S_FAILURE; - goto fail; - } + if (option_id != KRB5_GSS_FOR_CREDS_OPTION) { + major_status = GSS_S_FAILURE; + goto fail; + } - /* store the delegated credential */ + /* store the delegated credential */ - code = rd_and_store_for_creds(context, auth_context, &option, - (delegated_cred_handle) ? - &deleg_cred : NULL); - if (code) { - major_status = GSS_S_FAILURE; - goto fail; - } + code = rd_and_store_for_creds(context, auth_context, &option, + (delegated_cred_handle) ? + &deleg_cred : NULL); + if (code) { + major_status = GSS_S_FAILURE; + goto fail; + } - } /* if i >= 4 */ - /* ignore any additional trailing data, for now */ + } /* if i >= 4 */ + /* ignore any additional trailing data, for now */ #ifdef CFX_EXERCISE - { - FILE *f = fopen("/tmp/gsslog", "a"); - if (f) { - fprintf(f, - "initial context token with delegation, %d extra bytes\n", - i); - fclose(f); - } - } + { + FILE *f = fopen("/tmp/gsslog", "a"); + if (f) { + fprintf(f, + "initial context token with delegation, %d extra bytes\n", + i); + fclose(f); + } + } #endif - } else { + } else { #ifdef CFX_EXERCISE - { - FILE *f = fopen("/tmp/gsslog", "a"); - if (f) { - if (gss_flags & GSS_C_DELEG_FLAG) - fprintf(f, - "initial context token, delegation flag but too small\n"); - else - /* no deleg flag, length might still be too big */ - fprintf(f, - "initial context token, %d extra bytes\n", - authdat->checksum->length - 24); - fclose(f); - } - } + { + FILE *f = fopen("/tmp/gsslog", "a"); + if (f) { + if (gss_flags & GSS_C_DELEG_FLAG) + fprintf(f, + "initial context token, delegation flag but too small\n"); + else + /* no deleg flag, length might still be too big */ + fprintf(f, + "initial context token, %d extra bytes\n", + authdat->checksum->length - 24); + fclose(f); + } + } #endif - } - } - - /* create the ctx struct and start filling it in */ - - if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec))) - == NULL) { - code = ENOMEM; - major_status = GSS_S_FAILURE; - goto fail; - } - - memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); - ctx->mech_used = (gss_OID) mech_used; - ctx->auth_context = auth_context; - ctx->initiate = 0; - ctx->gss_flags = (GSS_C_TRANS_FLAG | - ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | - GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))); - ctx->seed_init = 0; - ctx->big_endian = bigend; - ctx->cred_rcache = cred_rcache; - - /* Intern the ctx pointer so that delete_sec_context works */ - if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { - xfree(ctx); - ctx = 0; - - code = G_VALIDATE_FAILED; - major_status = GSS_S_FAILURE; - goto fail; - } - - if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) { - major_status = GSS_S_FAILURE; - goto fail; - } - - if ((code = krb5_copy_principal(context, authdat->client, &ctx->there))) { - major_status = GSS_S_FAILURE; - goto fail; - } - - if ((code = krb5_auth_con_getrecvsubkey(context, auth_context, - &ctx->subkey))) { - major_status = GSS_S_FAILURE; - goto fail; - } - - /* use the session key if the subkey isn't present */ - - if (ctx->subkey == NULL) { - if ((code = krb5_auth_con_getkey(context, auth_context, - &ctx->subkey))) { - major_status = GSS_S_FAILURE; - goto fail; - } - } - - if (ctx->subkey == NULL) { - /* this isn't a very good error, but it's not clear to me this - can actually happen */ - major_status = GSS_S_FAILURE; - code = KRB5KDC_ERR_NULL_KEY; - goto fail; - } - - ctx->proto = 0; - switch(ctx->subkey->enctype) { - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_CRC: - ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW; - ctx->signalg = SGN_ALG_DES_MAC_MD5; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_DES; - - /* fill in the encryption descriptors */ - - if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) { - major_status = GSS_S_FAILURE; - goto fail; - } - - for (i=0; i<ctx->enc->length; i++) - /*SUPPRESS 113*/ - ctx->enc->contents[i] ^= 0xf0; - - goto copy_subkey_to_seq; - - case ENCTYPE_DES3_CBC_SHA1: - ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; - ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; - ctx->cksum_size = 20; - ctx->sealalg = SEAL_ALG_DES3KD; - - /* fill in the encryption descriptors */ - copy_subkey: - if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) { - major_status = GSS_S_FAILURE; - goto fail; - } - copy_subkey_to_seq: - if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) { - major_status = GSS_S_FAILURE; - goto fail; - } - break; - - case ENCTYPE_ARCFOUR_HMAC: - ctx->signalg = SGN_ALG_HMAC_MD5 ; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; - goto copy_subkey; - - default: - ctx->signalg = -1; - ctx->sealalg = -1; - ctx->proto = 1; - code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype, - &ctx->cksumtype); - if (code) - goto fail; - code = krb5_c_checksum_length(context, ctx->cksumtype, - &ctx->cksum_size); - if (code) - goto fail; - ctx->have_acceptor_subkey = 0; - goto copy_subkey; - } - - ctx->endtime = ticket->enc_part2->times.endtime; - ctx->krb_flags = ticket->enc_part2->flags; - - krb5_free_ticket(context, ticket); /* Done with ticket */ - - { - krb5_ui_4 seq_temp; - krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp); - ctx->seq_recv = seq_temp; - } - - if ((code = krb5_timeofday(context, &now))) { - major_status = GSS_S_FAILURE; - goto fail; - } - - if (ctx->endtime < now) { - code = 0; - major_status = GSS_S_CREDENTIALS_EXPIRED; - goto fail; - } - - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); - - /* at this point, the entire context structure is filled in, - so it can be released. */ - - /* generate an AP_REP if necessary */ - - if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { - unsigned char * ptr3; - krb5_ui_4 seq_temp; - int cfx_generate_subkey; - - if (ctx->proto == 1) - cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY; - else - cfx_generate_subkey = 0; - - if (cfx_generate_subkey) { - krb5_int32 acflags; - code = krb5_auth_con_getflags(context, auth_context, &acflags); - if (code == 0) { - acflags |= KRB5_AUTH_CONTEXT_USE_SUBKEY; - code = krb5_auth_con_setflags(context, auth_context, acflags); - } - if (code) { - major_status = GSS_S_FAILURE; - goto fail; - } - } - - if ((code = krb5_mk_rep(context, auth_context, &ap_rep))) { - major_status = GSS_S_FAILURE; - goto fail; - } - - krb5_auth_con_getlocalseqnumber(context, auth_context, &seq_temp); - ctx->seq_send = seq_temp & 0xffffffffL; - - if (cfx_generate_subkey) { - /* Get the new acceptor subkey. With the code above, there - should always be one if we make it to this point. */ - code = krb5_auth_con_getsendsubkey(context, auth_context, - &ctx->acceptor_subkey); - if (code != 0) { - major_status = GSS_S_FAILURE; - goto fail; - } - code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, - ctx->acceptor_subkey->enctype, - &ctx->acceptor_subkey_cksumtype); - if (code) { - major_status = GSS_S_FAILURE; - goto fail; - } - ctx->have_acceptor_subkey = 1; - } - - /* the reply token hasn't been sent yet, but that's ok. */ - ctx->gss_flags |= GSS_C_PROT_READY_FLAG; - ctx->established = 1; - - token.length = g_token_size(mech_used, ap_rep.length); - - if ((token.value = (unsigned char *) xmalloc(token.length)) - == NULL) { - major_status = GSS_S_FAILURE; - code = ENOMEM; - goto fail; - } - ptr3 = token.value; - g_make_token_header(mech_used, ap_rep.length, - &ptr3, KG_TOK_CTX_AP_REP); - - TWRITE_STR(ptr3, ap_rep.data, ap_rep.length); - - ctx->established = 1; - - } else { - token.length = 0; - token.value = NULL; - ctx->seq_send = ctx->seq_recv; - - ctx->established = 1; - } - - /* set the return arguments */ - - if (src_name) { - if ((code = krb5_copy_principal(context, ctx->there, &name))) { - major_status = GSS_S_FAILURE; - goto fail; - } - /* intern the src_name */ - if (! kg_save_name((gss_name_t) name)) { - code = G_VALIDATE_FAILED; - major_status = GSS_S_FAILURE; - goto fail; - } - } - - if (mech_type) - *mech_type = (gss_OID) mech_used; - - if (time_rec) - *time_rec = ctx->endtime - now; - - if (ret_flags) - *ret_flags = ctx->gss_flags; - - *context_handle = (gss_ctx_id_t)ctx; - *output_token = token; - - if (src_name) - *src_name = (gss_name_t) name; - - if (delegated_cred_handle && deleg_cred) { - if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) { - major_status = GSS_S_FAILURE; - code = G_VALIDATE_FAILED; - goto fail; - } - - *delegated_cred_handle = (gss_cred_id_t) deleg_cred; - } - - /* finally! */ - - *minor_status = 0; - major_status = GSS_S_COMPLETE; - - fail: - if (authdat) - krb5_free_authenticator(context, authdat); - /* The ctx structure has the handle of the auth_context */ - if (auth_context && !ctx) { - if (cred_rcache) - (void)krb5_auth_con_setrcache(context, auth_context, NULL); - - krb5_auth_con_free(context, auth_context); - } - if (reqcksum.contents) - xfree(reqcksum.contents); - if (ap_rep.data) - krb5_free_data_contents(context, &ap_rep); - - if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) { - ctx->k5_context = context; - context = NULL; - goto done; - } - - /* from here on is the real "fail" code */ - - if (ctx) - (void) krb5_gss_delete_sec_context(&tmp_minor_status, - (gss_ctx_id_t *) &ctx, NULL); - if (deleg_cred) { /* free memory associated with the deleg credential */ - if (deleg_cred->ccache) - (void)krb5_cc_close(context, deleg_cred->ccache); - if (deleg_cred->princ) - krb5_free_principal(context, deleg_cred->princ); - xfree(deleg_cred); - } - if (token.value) - xfree(token.value); - if (name) { - (void) kg_delete_name((gss_name_t) name); - krb5_free_principal(context, name); - } - - *minor_status = code; - - /* - * If decode_req_message is set, then we need to decode the ap_req - * message to determine whether or not to send a response token. - * We need to do this because for some errors we won't be able to - * decode the authenticator to read out the gss_flags field. - */ - if (decode_req_message) { - krb5_ap_req * request; - - if (decode_krb5_ap_req(&ap_req, &request)) - goto done; - - if (request->ap_options & AP_OPTS_MUTUAL_REQUIRED) - gss_flags |= GSS_C_MUTUAL_FLAG; - krb5_free_ap_req(context, request); - } - - if (cred - && ((gss_flags & GSS_C_MUTUAL_FLAG) - || (major_status == GSS_S_CONTINUE_NEEDED))) { - unsigned int tmsglen; - int toktype; - - /* - * The client is expecting a response, so we can send an - * error token back - */ - memset(&krb_error_data, 0, sizeof(krb_error_data)); - - code -= ERROR_TABLE_BASE_krb5; - if (code < 0 || code > 128) - code = 60 /* KRB_ERR_GENERIC */; - - krb_error_data.error = code; - (void) krb5_us_timeofday(context, &krb_error_data.stime, - &krb_error_data.susec); - krb_error_data.server = cred->princ; - - code = krb5_mk_error(context, &krb_error_data, &scratch); - if (code) - goto done; - - tmsglen = scratch.length; - toktype = KG_TOK_CTX_ERROR; - - token.length = g_token_size(mech_used, tmsglen); - token.value = (unsigned char *) xmalloc(token.length); - if (!token.value) - goto done; - - ptr = token.value; - g_make_token_header(mech_used, tmsglen, &ptr, toktype); - - TWRITE_STR(ptr, scratch.data, scratch.length); - krb5_free_data_contents(context, &scratch); - - *output_token = token; - } - - done: - if (!verifier_cred_handle && cred_handle) { - krb5_gss_release_cred(&tmp_minor_status, &cred_handle); - } - if (context) { - if (major_status && *minor_status) - save_error_info(*minor_status, context); - krb5_free_context(context); - } - return (major_status); + } + } + + /* create the ctx struct and start filling it in */ + + if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec))) + == NULL) { + code = ENOMEM; + major_status = GSS_S_FAILURE; + goto fail; + } + + memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); + ctx->mech_used = (gss_OID) mech_used; + ctx->auth_context = auth_context; + ctx->initiate = 0; + ctx->gss_flags = (GSS_C_TRANS_FLAG | + ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | + GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | + GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))); + ctx->seed_init = 0; + ctx->big_endian = bigend; + ctx->cred_rcache = cred_rcache; + + /* Intern the ctx pointer so that delete_sec_context works */ + if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { + xfree(ctx); + ctx = 0; + + code = G_VALIDATE_FAILED; + major_status = GSS_S_FAILURE; + goto fail; + } + + if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) { + major_status = GSS_S_FAILURE; + goto fail; + } + + if ((code = krb5_copy_principal(context, authdat->client, &ctx->there))) { + major_status = GSS_S_FAILURE; + goto fail; + } + + if ((code = krb5_auth_con_getrecvsubkey(context, auth_context, + &ctx->subkey))) { + major_status = GSS_S_FAILURE; + goto fail; + } + + /* use the session key if the subkey isn't present */ + + if (ctx->subkey == NULL) { + if ((code = krb5_auth_con_getkey(context, auth_context, + &ctx->subkey))) { + major_status = GSS_S_FAILURE; + goto fail; + } + } + + if (ctx->subkey == NULL) { + /* this isn't a very good error, but it's not clear to me this + can actually happen */ + major_status = GSS_S_FAILURE; + code = KRB5KDC_ERR_NULL_KEY; + goto fail; + } + + ctx->proto = 0; + switch(ctx->subkey->enctype) { + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_CRC: + ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW; + ctx->signalg = SGN_ALG_DES_MAC_MD5; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_DES; + + /* fill in the encryption descriptors */ + + if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) { + major_status = GSS_S_FAILURE; + goto fail; + } + + for (i=0; i<ctx->enc->length; i++) + /*SUPPRESS 113*/ + ctx->enc->contents[i] ^= 0xf0; + + goto copy_subkey_to_seq; + + case ENCTYPE_DES3_CBC_SHA1: + ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; + ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; + ctx->cksum_size = 20; + ctx->sealalg = SEAL_ALG_DES3KD; + + /* fill in the encryption descriptors */ + copy_subkey: + if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) { + major_status = GSS_S_FAILURE; + goto fail; + } + copy_subkey_to_seq: + if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) { + major_status = GSS_S_FAILURE; + goto fail; + } + break; + + case ENCTYPE_ARCFOUR_HMAC: + ctx->signalg = SGN_ALG_HMAC_MD5 ; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; + goto copy_subkey; + + default: + ctx->signalg = -1; + ctx->sealalg = -1; + ctx->proto = 1; + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype, + &ctx->cksumtype); + if (code) + goto fail; + code = krb5_c_checksum_length(context, ctx->cksumtype, + &ctx->cksum_size); + if (code) + goto fail; + ctx->have_acceptor_subkey = 0; + goto copy_subkey; + } + + ctx->endtime = ticket->enc_part2->times.endtime; + ctx->krb_flags = ticket->enc_part2->flags; + + krb5_free_ticket(context, ticket); /* Done with ticket */ + + { + krb5_ui_4 seq_temp; + krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp); + ctx->seq_recv = seq_temp; + } + + if ((code = krb5_timeofday(context, &now))) { + major_status = GSS_S_FAILURE; + goto fail; + } + + if (ctx->endtime < now) { + code = 0; + major_status = GSS_S_CREDENTIALS_EXPIRED; + goto fail; + } + + g_order_init(&(ctx->seqstate), ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); + + /* at this point, the entire context structure is filled in, + so it can be released. */ + + /* generate an AP_REP if necessary */ + + if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { + unsigned char * ptr3; + krb5_ui_4 seq_temp; + int cfx_generate_subkey; + + if (ctx->proto == 1) + cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY; + else + cfx_generate_subkey = 0; + + if (cfx_generate_subkey) { + krb5_int32 acflags; + code = krb5_auth_con_getflags(context, auth_context, &acflags); + if (code == 0) { + acflags |= KRB5_AUTH_CONTEXT_USE_SUBKEY; + code = krb5_auth_con_setflags(context, auth_context, acflags); + } + if (code) { + major_status = GSS_S_FAILURE; + goto fail; + } + } + + if ((code = krb5_mk_rep(context, auth_context, &ap_rep))) { + major_status = GSS_S_FAILURE; + goto fail; + } + + krb5_auth_con_getlocalseqnumber(context, auth_context, &seq_temp); + ctx->seq_send = seq_temp & 0xffffffffL; + + if (cfx_generate_subkey) { + /* Get the new acceptor subkey. With the code above, there + should always be one if we make it to this point. */ + code = krb5_auth_con_getsendsubkey(context, auth_context, + &ctx->acceptor_subkey); + if (code != 0) { + major_status = GSS_S_FAILURE; + goto fail; + } + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, + ctx->acceptor_subkey->enctype, + &ctx->acceptor_subkey_cksumtype); + if (code) { + major_status = GSS_S_FAILURE; + goto fail; + } + ctx->have_acceptor_subkey = 1; + } + + /* the reply token hasn't been sent yet, but that's ok. */ + ctx->gss_flags |= GSS_C_PROT_READY_FLAG; + ctx->established = 1; + + token.length = g_token_size(mech_used, ap_rep.length); + + if ((token.value = (unsigned char *) xmalloc(token.length)) + == NULL) { + major_status = GSS_S_FAILURE; + code = ENOMEM; + goto fail; + } + ptr3 = token.value; + g_make_token_header(mech_used, ap_rep.length, + &ptr3, KG_TOK_CTX_AP_REP); + + TWRITE_STR(ptr3, ap_rep.data, ap_rep.length); + + ctx->established = 1; + + } else { + token.length = 0; + token.value = NULL; + ctx->seq_send = ctx->seq_recv; + + ctx->established = 1; + } + + /* set the return arguments */ + + if (src_name) { + if ((code = krb5_copy_principal(context, ctx->there, &name))) { + major_status = GSS_S_FAILURE; + goto fail; + } + /* intern the src_name */ + if (! kg_save_name((gss_name_t) name)) { + code = G_VALIDATE_FAILED; + major_status = GSS_S_FAILURE; + goto fail; + } + } + + if (mech_type) + *mech_type = (gss_OID) mech_used; + + if (time_rec) + *time_rec = ctx->endtime - now; + + if (ret_flags) + *ret_flags = ctx->gss_flags; + + *context_handle = (gss_ctx_id_t)ctx; + *output_token = token; + + if (src_name) + *src_name = (gss_name_t) name; + + if (delegated_cred_handle && deleg_cred) { + if (!kg_save_cred_id((gss_cred_id_t) deleg_cred)) { + major_status = GSS_S_FAILURE; + code = G_VALIDATE_FAILED; + goto fail; + } + + *delegated_cred_handle = (gss_cred_id_t) deleg_cred; + } + + /* finally! */ + + *minor_status = 0; + major_status = GSS_S_COMPLETE; + +fail: + if (authdat) + krb5_free_authenticator(context, authdat); + /* The ctx structure has the handle of the auth_context */ + if (auth_context && !ctx) { + if (cred_rcache) + (void)krb5_auth_con_setrcache(context, auth_context, NULL); + + krb5_auth_con_free(context, auth_context); + } + if (reqcksum.contents) + xfree(reqcksum.contents); + if (ap_rep.data) + krb5_free_data_contents(context, &ap_rep); + + if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) { + ctx->k5_context = context; + context = NULL; + goto done; + } + + /* from here on is the real "fail" code */ + + if (ctx) + (void) krb5_gss_delete_sec_context(&tmp_minor_status, + (gss_ctx_id_t *) &ctx, NULL); + if (deleg_cred) { /* free memory associated with the deleg credential */ + if (deleg_cred->ccache) + (void)krb5_cc_close(context, deleg_cred->ccache); + if (deleg_cred->princ) + krb5_free_principal(context, deleg_cred->princ); + xfree(deleg_cred); + } + if (token.value) + xfree(token.value); + if (name) { + (void) kg_delete_name((gss_name_t) name); + krb5_free_principal(context, name); + } + + *minor_status = code; + + /* + * If decode_req_message is set, then we need to decode the ap_req + * message to determine whether or not to send a response token. + * We need to do this because for some errors we won't be able to + * decode the authenticator to read out the gss_flags field. + */ + if (decode_req_message) { + krb5_ap_req * request; + + if (decode_krb5_ap_req(&ap_req, &request)) + goto done; + + if (request->ap_options & AP_OPTS_MUTUAL_REQUIRED) + gss_flags |= GSS_C_MUTUAL_FLAG; + krb5_free_ap_req(context, request); + } + + if (cred + && ((gss_flags & GSS_C_MUTUAL_FLAG) + || (major_status == GSS_S_CONTINUE_NEEDED))) { + unsigned int tmsglen; + int toktype; + + /* + * The client is expecting a response, so we can send an + * error token back + */ + memset(&krb_error_data, 0, sizeof(krb_error_data)); + + code -= ERROR_TABLE_BASE_krb5; + if (code < 0 || code > 128) + code = 60 /* KRB_ERR_GENERIC */; + + krb_error_data.error = code; + (void) krb5_us_timeofday(context, &krb_error_data.stime, + &krb_error_data.susec); + krb_error_data.server = cred->princ; + + code = krb5_mk_error(context, &krb_error_data, &scratch); + if (code) + goto done; + + tmsglen = scratch.length; + toktype = KG_TOK_CTX_ERROR; + + token.length = g_token_size(mech_used, tmsglen); + token.value = (unsigned char *) xmalloc(token.length); + if (!token.value) + goto done; + + ptr = token.value; + g_make_token_header(mech_used, tmsglen, &ptr, toktype); + + TWRITE_STR(ptr, scratch.data, scratch.length); + krb5_free_data_contents(context, &scratch); + + *output_token = token; + } + +done: + if (!verifier_cred_handle && cred_handle) { + krb5_gss_release_cred(&tmp_minor_status, &cred_handle); + } + if (context) { + if (major_status && *minor_status) + save_error_info(*minor_status, context); + krb5_free_context(context); + } + return (major_status); } #endif /* LEAN_CLIENT */ - diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index a36dfe060..daf899223 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 2000, 2007, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -6,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,11 +21,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -34,7 +35,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -46,14 +47,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -64,7 +65,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -104,590 +105,590 @@ krb5_gss_register_acceptor_identity(const char *keytab) err = gssint_initialize_library(); if (err != 0) - return GSS_S_FAILURE; + return GSS_S_FAILURE; if (keytab == NULL) - return GSS_S_FAILURE; + return GSS_S_FAILURE; new = strdup(keytab); if (new == NULL) - return GSS_S_FAILURE; + return GSS_S_FAILURE; err = k5_mutex_lock(&gssint_krb5_keytab_lock); if (err) { - free(new); - return GSS_S_FAILURE; + free(new); + return GSS_S_FAILURE; } old = krb5_gss_keytab; krb5_gss_keytab = new; k5_mutex_unlock(&gssint_krb5_keytab_lock); if (old != NULL) - free(old); + free(old); return GSS_S_COMPLETE; } /* get credentials corresponding to a key in the krb5 keytab. If the default name is requested, return the name in output_princ. - If output_princ is non-NULL, the caller will use or free it, regardless - of the return value. + If output_princ is non-NULL, the caller will use or free it, regardless + of the return value. If successful, set the keytab-specific fields in cred - */ +*/ -static OM_uint32 +static OM_uint32 acquire_accept_cred(context, minor_status, desired_name, output_princ, cred) - krb5_context context; - OM_uint32 *minor_status; - gss_name_t desired_name; - krb5_principal *output_princ; - krb5_gss_cred_id_rec *cred; + krb5_context context; + OM_uint32 *minor_status; + gss_name_t desired_name; + krb5_principal *output_princ; + krb5_gss_cred_id_rec *cred; { - krb5_error_code code; - krb5_principal princ; - krb5_keytab kt; - krb5_keytab_entry entry; - - *output_princ = NULL; - cred->keytab = NULL; - - /* open the default keytab */ - - code = gssint_initialize_library(); - if (code != 0) { - *minor_status = code; - return GSS_S_FAILURE; - } - code = k5_mutex_lock(&gssint_krb5_keytab_lock); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } - if (krb5_gss_keytab != NULL) { - code = krb5_kt_resolve(context, krb5_gss_keytab, &kt); - k5_mutex_unlock(&gssint_krb5_keytab_lock); - } else { - k5_mutex_unlock(&gssint_krb5_keytab_lock); - code = krb5_kt_default(context, &kt); - } - - if (code) { - *minor_status = code; - return(GSS_S_CRED_UNAVAIL); - } - - if (desired_name != GSS_C_NO_NAME) { - princ = (krb5_principal) desired_name; - if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) { - (void) krb5_kt_close(context, kt); - if (code == KRB5_KT_NOTFOUND) { - char *errstr = krb5_get_error_message(context, code); - krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr); - krb5_free_error_message(context, errstr); - *minor_status = KG_KEYTAB_NOMATCH; - } else - *minor_status = code; - return(GSS_S_CRED_UNAVAIL); - } - krb5_kt_free_entry(context, &entry); - - /* Open the replay cache for this principal. */ - if ((code = krb5_get_server_rcache(context, - krb5_princ_component(context, princ, 0), - &cred->rcache))) { - *minor_status = code; - return(GSS_S_FAILURE); - } - - } + krb5_error_code code; + krb5_principal princ; + krb5_keytab kt; + krb5_keytab_entry entry; + + *output_princ = NULL; + cred->keytab = NULL; + + /* open the default keytab */ + + code = gssint_initialize_library(); + if (code != 0) { + *minor_status = code; + return GSS_S_FAILURE; + } + code = k5_mutex_lock(&gssint_krb5_keytab_lock); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } + if (krb5_gss_keytab != NULL) { + code = krb5_kt_resolve(context, krb5_gss_keytab, &kt); + k5_mutex_unlock(&gssint_krb5_keytab_lock); + } else { + k5_mutex_unlock(&gssint_krb5_keytab_lock); + code = krb5_kt_default(context, &kt); + } + + if (code) { + *minor_status = code; + return(GSS_S_CRED_UNAVAIL); + } + + if (desired_name != GSS_C_NO_NAME) { + princ = (krb5_principal) desired_name; + if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) { + (void) krb5_kt_close(context, kt); + if (code == KRB5_KT_NOTFOUND) { + char *errstr = krb5_get_error_message(context, code); + krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr); + krb5_free_error_message(context, errstr); + *minor_status = KG_KEYTAB_NOMATCH; + } else + *minor_status = code; + return(GSS_S_CRED_UNAVAIL); + } + krb5_kt_free_entry(context, &entry); + + /* Open the replay cache for this principal. */ + if ((code = krb5_get_server_rcache(context, + krb5_princ_component(context, princ, 0), + &cred->rcache))) { + *minor_status = code; + return(GSS_S_FAILURE); + } + + } /* hooray. we made it */ - cred->keytab = kt; + cred->keytab = kt; - return(GSS_S_COMPLETE); + return(GSS_S_COMPLETE); } #endif /* LEAN_CLIENT */ /* get credentials corresponding to the default credential cache. If the default name is requested, return the name in output_princ. - If output_princ is non-NULL, the caller will use or free it, regardless - of the return value. + If output_princ is non-NULL, the caller will use or free it, regardless + of the return value. If successful, set the ccache-specific fields in cred. - */ +*/ -static OM_uint32 +static OM_uint32 acquire_init_cred(context, minor_status, desired_name, output_princ, cred) - krb5_context context; - OM_uint32 *minor_status; - gss_name_t desired_name; - krb5_principal *output_princ; - krb5_gss_cred_id_rec *cred; + krb5_context context; + OM_uint32 *minor_status; + gss_name_t desired_name; + krb5_principal *output_princ; + krb5_gss_cred_id_rec *cred; { - krb5_error_code code; - krb5_ccache ccache; - krb5_principal princ, tmp_princ; - krb5_flags flags; - krb5_cc_cursor cur; - krb5_creds creds; - int got_endtime; - int caller_provided_ccache_name = 0; - - cred->ccache = NULL; - - /* load the GSS ccache name into the kg_context */ - - if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) - return(GSS_S_FAILURE); - - /* check to see if the caller provided a ccache name if so - * we will just use that and not search the cache collection */ - if (GSS_ERROR(kg_caller_provided_ccache_name (minor_status, &caller_provided_ccache_name))) { - return(GSS_S_FAILURE); - } + krb5_error_code code; + krb5_ccache ccache; + krb5_principal princ, tmp_princ; + krb5_flags flags; + krb5_cc_cursor cur; + krb5_creds creds; + int got_endtime; + int caller_provided_ccache_name = 0; + + cred->ccache = NULL; + + /* load the GSS ccache name into the kg_context */ + + if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) + return(GSS_S_FAILURE); + + /* check to see if the caller provided a ccache name if so + * we will just use that and not search the cache collection */ + if (GSS_ERROR(kg_caller_provided_ccache_name (minor_status, &caller_provided_ccache_name))) { + return(GSS_S_FAILURE); + } #if defined(USE_KIM) || defined(USE_LEASH) - if (desired_name && !caller_provided_ccache_name) { + if (desired_name && !caller_provided_ccache_name) { #if defined(USE_KIM) - kim_error err = KIM_NO_ERROR; - kim_ccache kimccache = NULL; - kim_identity identity = NULL; - - err = kim_identity_create_from_krb5_principal (&identity, - context, - (krb5_principal) desired_name); - - if (!err) { - err = kim_ccache_create_new_if_needed (&kimccache, - identity, - KIM_OPTIONS_DEFAULT); - } - - if (!err) { - err = kim_ccache_get_krb5_ccache (kimccache, context, &ccache); - } - - kim_ccache_free (&kimccache); - kim_identity_free (&identity); - - if (err) { - *minor_status = err; - return(GSS_S_CRED_UNAVAIL); - } - + kim_error err = KIM_NO_ERROR; + kim_ccache kimccache = NULL; + kim_identity identity = NULL; + + err = kim_identity_create_from_krb5_principal (&identity, + context, + (krb5_principal) desired_name); + + if (!err) { + err = kim_ccache_create_new_if_needed (&kimccache, + identity, + KIM_OPTIONS_DEFAULT); + } + + if (!err) { + err = kim_ccache_get_krb5_ccache (kimccache, context, &ccache); + } + + kim_ccache_free (&kimccache); + kim_identity_free (&identity); + + if (err) { + *minor_status = err; + return(GSS_S_CRED_UNAVAIL); + } + #elif defined(USE_LEASH) - if ( hLeashDLL == INVALID_HANDLE_VALUE ) { - hLeashDLL = LoadLibrary(LEASH_DLL); - if ( hLeashDLL != INVALID_HANDLE_VALUE ) { - (FARPROC) pLeash_AcquireInitialTicketsIfNeeded = - GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded"); - } - } - - if ( pLeash_AcquireInitialTicketsIfNeeded ) { - char ccname[256]=""; - pLeash_AcquireInitialTicketsIfNeeded(context, (krb5_principal) desired_name, ccname, sizeof(ccname)); - if (!ccname[0]) { - *minor_status = KRB5_CC_NOTFOUND; - return(GSS_S_CRED_UNAVAIL); - } - - if ((code = krb5_cc_resolve (context, ccname, &ccache))) { - *minor_status = code; - return(GSS_S_CRED_UNAVAIL); - } - } else { - /* leash dll not available, open the default credential cache */ - - if ((code = krb5int_cc_default(context, &ccache))) { - *minor_status = code; - return(GSS_S_CRED_UNAVAIL); - } - } + if ( hLeashDLL == INVALID_HANDLE_VALUE ) { + hLeashDLL = LoadLibrary(LEASH_DLL); + if ( hLeashDLL != INVALID_HANDLE_VALUE ) { + (FARPROC) pLeash_AcquireInitialTicketsIfNeeded = + GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded"); + } + } + + if ( pLeash_AcquireInitialTicketsIfNeeded ) { + char ccname[256]=""; + pLeash_AcquireInitialTicketsIfNeeded(context, (krb5_principal) desired_name, ccname, sizeof(ccname)); + if (!ccname[0]) { + *minor_status = KRB5_CC_NOTFOUND; + return(GSS_S_CRED_UNAVAIL); + } + + if ((code = krb5_cc_resolve (context, ccname, &ccache))) { + *minor_status = code; + return(GSS_S_CRED_UNAVAIL); + } + } else { + /* leash dll not available, open the default credential cache */ + + if ((code = krb5int_cc_default(context, &ccache))) { + *minor_status = code; + return(GSS_S_CRED_UNAVAIL); + } + } #endif /* USE_LEASH */ - } else + } else #endif /* USE_KIM || USE_LEASH */ - { - /* open the default credential cache */ - - if ((code = krb5int_cc_default(context, &ccache))) { - *minor_status = code; - return(GSS_S_CRED_UNAVAIL); - } - } - - /* turn off OPENCLOSE mode while extensive frobbing is going on */ - - flags = 0; /* turns off OPENCLOSE mode */ - if ((code = krb5_cc_set_flags(context, ccache, flags))) { - (void)krb5_cc_close(context, ccache); - *minor_status = code; - return(GSS_S_CRED_UNAVAIL); - } - - /* get out the principal name and see if it matches */ - - if ((code = krb5_cc_get_principal(context, ccache, &princ))) { - (void)krb5_cc_close(context, ccache); - *minor_status = code; - return(GSS_S_FAILURE); - } - - if (desired_name != (gss_name_t) NULL) { - if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) { - (void)krb5_free_principal(context, princ); - (void)krb5_cc_close(context, ccache); - *minor_status = KG_CCACHE_NOMATCH; - return(GSS_S_CRED_UNAVAIL); - } - (void)krb5_free_principal(context, princ); - princ = (krb5_principal) desired_name; - } else { - *output_princ = princ; - } - - /* iterate over the ccache, find the tgt */ - - if ((code = krb5_cc_start_seq_get(context, ccache, &cur))) { - (void)krb5_cc_close(context, ccache); - *minor_status = code; - return(GSS_S_FAILURE); - } - - /* this is hairy. If there's a tgt for the principal's local realm - in here, that's what we want for the expire time. But if - there's not, then we want to use the first key. */ - - got_endtime = 0; - - code = krb5_build_principal_ext(context, &tmp_princ, - krb5_princ_realm(context, princ)->length, - krb5_princ_realm(context, princ)->data, - 6, "krbtgt", - krb5_princ_realm(context, princ)->length, - krb5_princ_realm(context, princ)->data, - 0); - if (code) { - (void)krb5_cc_close(context, ccache); - *minor_status = code; - return(GSS_S_FAILURE); - } - while (!(code = krb5_cc_next_cred(context, ccache, &cur, &creds))) { - if (krb5_principal_compare(context, tmp_princ, creds.server)) { - cred->tgt_expire = creds.times.endtime; - got_endtime = 1; - *minor_status = 0; - code = 0; - krb5_free_cred_contents(context, &creds); - break; - } - if (got_endtime == 0) { - cred->tgt_expire = creds.times.endtime; - got_endtime = 1; - } - krb5_free_cred_contents(context, &creds); - } - krb5_free_principal(context, tmp_princ); - - if (code && code != KRB5_CC_END) { - /* this means some error occurred reading the ccache */ - (void)krb5_cc_end_seq_get(context, ccache, &cur); - (void)krb5_cc_close(context, ccache); - *minor_status = code; - return(GSS_S_FAILURE); - } else if (! got_endtime) { - /* this means the ccache was entirely empty */ - (void)krb5_cc_end_seq_get(context, ccache, &cur); - (void)krb5_cc_close(context, ccache); - *minor_status = KG_EMPTY_CCACHE; - return(GSS_S_FAILURE); - } else { - /* this means that we found an endtime to use. */ - if ((code = krb5_cc_end_seq_get(context, ccache, &cur))) { - (void)krb5_cc_close(context, ccache); - *minor_status = code; - return(GSS_S_FAILURE); - } - flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */ - if ((code = krb5_cc_set_flags(context, ccache, flags))) { - (void)krb5_cc_close(context, ccache); - *minor_status = code; - return(GSS_S_FAILURE); - } - } - - /* the credentials match and are valid */ - - cred->ccache = ccache; - /* minor_status is set while we are iterating over the ccache */ - return(GSS_S_COMPLETE); + { + /* open the default credential cache */ + + if ((code = krb5int_cc_default(context, &ccache))) { + *minor_status = code; + return(GSS_S_CRED_UNAVAIL); + } + } + + /* turn off OPENCLOSE mode while extensive frobbing is going on */ + + flags = 0; /* turns off OPENCLOSE mode */ + if ((code = krb5_cc_set_flags(context, ccache, flags))) { + (void)krb5_cc_close(context, ccache); + *minor_status = code; + return(GSS_S_CRED_UNAVAIL); + } + + /* get out the principal name and see if it matches */ + + if ((code = krb5_cc_get_principal(context, ccache, &princ))) { + (void)krb5_cc_close(context, ccache); + *minor_status = code; + return(GSS_S_FAILURE); + } + + if (desired_name != (gss_name_t) NULL) { + if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) { + (void)krb5_free_principal(context, princ); + (void)krb5_cc_close(context, ccache); + *minor_status = KG_CCACHE_NOMATCH; + return(GSS_S_CRED_UNAVAIL); + } + (void)krb5_free_principal(context, princ); + princ = (krb5_principal) desired_name; + } else { + *output_princ = princ; + } + + /* iterate over the ccache, find the tgt */ + + if ((code = krb5_cc_start_seq_get(context, ccache, &cur))) { + (void)krb5_cc_close(context, ccache); + *minor_status = code; + return(GSS_S_FAILURE); + } + + /* this is hairy. If there's a tgt for the principal's local realm + in here, that's what we want for the expire time. But if + there's not, then we want to use the first key. */ + + got_endtime = 0; + + code = krb5_build_principal_ext(context, &tmp_princ, + krb5_princ_realm(context, princ)->length, + krb5_princ_realm(context, princ)->data, + 6, "krbtgt", + krb5_princ_realm(context, princ)->length, + krb5_princ_realm(context, princ)->data, + 0); + if (code) { + (void)krb5_cc_close(context, ccache); + *minor_status = code; + return(GSS_S_FAILURE); + } + while (!(code = krb5_cc_next_cred(context, ccache, &cur, &creds))) { + if (krb5_principal_compare(context, tmp_princ, creds.server)) { + cred->tgt_expire = creds.times.endtime; + got_endtime = 1; + *minor_status = 0; + code = 0; + krb5_free_cred_contents(context, &creds); + break; + } + if (got_endtime == 0) { + cred->tgt_expire = creds.times.endtime; + got_endtime = 1; + } + krb5_free_cred_contents(context, &creds); + } + krb5_free_principal(context, tmp_princ); + + if (code && code != KRB5_CC_END) { + /* this means some error occurred reading the ccache */ + (void)krb5_cc_end_seq_get(context, ccache, &cur); + (void)krb5_cc_close(context, ccache); + *minor_status = code; + return(GSS_S_FAILURE); + } else if (! got_endtime) { + /* this means the ccache was entirely empty */ + (void)krb5_cc_end_seq_get(context, ccache, &cur); + (void)krb5_cc_close(context, ccache); + *minor_status = KG_EMPTY_CCACHE; + return(GSS_S_FAILURE); + } else { + /* this means that we found an endtime to use. */ + if ((code = krb5_cc_end_seq_get(context, ccache, &cur))) { + (void)krb5_cc_close(context, ccache); + *minor_status = code; + return(GSS_S_FAILURE); + } + flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */ + if ((code = krb5_cc_set_flags(context, ccache, flags))) { + (void)krb5_cc_close(context, ccache); + *minor_status = code; + return(GSS_S_FAILURE); + } + } + + /* the credentials match and are valid */ + + cred->ccache = ccache; + /* minor_status is set while we are iterating over the ccache */ + return(GSS_S_COMPLETE); } - + /*ARGSUSED*/ OM_uint32 krb5_gss_acquire_cred(minor_status, desired_name, time_req, - desired_mechs, cred_usage, output_cred_handle, - actual_mechs, time_rec) - OM_uint32 *minor_status; - gss_name_t desired_name; - OM_uint32 time_req; - gss_OID_set desired_mechs; - gss_cred_usage_t cred_usage; - gss_cred_id_t *output_cred_handle; - gss_OID_set *actual_mechs; - OM_uint32 *time_rec; + desired_mechs, cred_usage, output_cred_handle, + actual_mechs, time_rec) + OM_uint32 *minor_status; + gss_name_t desired_name; + OM_uint32 time_req; + gss_OID_set desired_mechs; + gss_cred_usage_t cred_usage; + gss_cred_id_t *output_cred_handle; + gss_OID_set *actual_mechs; + OM_uint32 *time_rec; { - krb5_context context; - size_t i; - krb5_gss_cred_id_t cred; - gss_OID_set ret_mechs; - int req_old, req_new; - OM_uint32 ret; - krb5_error_code code; - - code = gssint_initialize_library(); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } - - code = krb5_gss_init_context(&context); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } - - /* make sure all outputs are valid */ - - *output_cred_handle = NULL; - if (actual_mechs) - *actual_mechs = NULL; - if (time_rec) - *time_rec = 0; - - /* validate the name */ - - /*SUPPRESS 29*/ - if ((desired_name != (gss_name_t) NULL) && - (! kg_validate_name(desired_name))) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - krb5_free_context(context); - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - } - - /* verify that the requested mechanism set is the default, or - contains krb5 */ - - if (desired_mechs == GSS_C_NULL_OID_SET) { - req_old = 1; - req_new = 1; - } else { - req_old = 0; - req_new = 0; - - for (i=0; i<desired_mechs->count; i++) { - if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i]))) - req_old++; - if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i]))) - req_new++; - } - - if (!req_old && !req_new) { - *minor_status = 0; - krb5_free_context(context); - return(GSS_S_BAD_MECH); - } - } - - /* create the gss cred structure */ - - if ((cred = - (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) == NULL) { - *minor_status = ENOMEM; - krb5_free_context(context); - return(GSS_S_FAILURE); - } - memset(cred, 0, sizeof(krb5_gss_cred_id_rec)); - - cred->usage = cred_usage; - cred->princ = NULL; - cred->prerfc_mech = req_old; - cred->rfc_mech = req_new; + krb5_context context; + size_t i; + krb5_gss_cred_id_t cred; + gss_OID_set ret_mechs; + int req_old, req_new; + OM_uint32 ret; + krb5_error_code code; + + code = gssint_initialize_library(); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } + + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } + + /* make sure all outputs are valid */ + + *output_cred_handle = NULL; + if (actual_mechs) + *actual_mechs = NULL; + if (time_rec) + *time_rec = 0; + + /* validate the name */ + + /*SUPPRESS 29*/ + if ((desired_name != (gss_name_t) NULL) && + (! kg_validate_name(desired_name))) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } + + /* verify that the requested mechanism set is the default, or + contains krb5 */ + + if (desired_mechs == GSS_C_NULL_OID_SET) { + req_old = 1; + req_new = 1; + } else { + req_old = 0; + req_new = 0; + + for (i=0; i<desired_mechs->count; i++) { + if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i]))) + req_old++; + if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i]))) + req_new++; + } + + if (!req_old && !req_new) { + *minor_status = 0; + krb5_free_context(context); + return(GSS_S_BAD_MECH); + } + } + + /* create the gss cred structure */ + + if ((cred = + (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) == NULL) { + *minor_status = ENOMEM; + krb5_free_context(context); + return(GSS_S_FAILURE); + } + memset(cred, 0, sizeof(krb5_gss_cred_id_rec)); + + cred->usage = cred_usage; + cred->princ = NULL; + cred->prerfc_mech = req_old; + cred->rfc_mech = req_new; #ifndef LEAN_CLIENT - cred->keytab = NULL; + cred->keytab = NULL; #endif /* LEAN_CLIENT */ - cred->ccache = NULL; - - code = k5_mutex_init(&cred->lock); - if (code) { - *minor_status = code; - krb5_free_context(context); - return GSS_S_FAILURE; - } - /* Note that we don't need to lock this GSSAPI credential record - here, because no other thread can gain access to it until we - return it. */ - - if ((cred_usage != GSS_C_INITIATE) && - (cred_usage != GSS_C_ACCEPT) && - (cred_usage != GSS_C_BOTH)) { - k5_mutex_destroy(&cred->lock); - xfree(cred); - *minor_status = (OM_uint32) G_BAD_USAGE; - krb5_free_context(context); - return(GSS_S_FAILURE); - } - - /* if requested, acquire credentials for accepting */ - /* this will fill in cred->princ if the desired_name is not specified */ + cred->ccache = NULL; + + code = k5_mutex_init(&cred->lock); + if (code) { + *minor_status = code; + krb5_free_context(context); + return GSS_S_FAILURE; + } + /* Note that we don't need to lock this GSSAPI credential record + here, because no other thread can gain access to it until we + return it. */ + + if ((cred_usage != GSS_C_INITIATE) && + (cred_usage != GSS_C_ACCEPT) && + (cred_usage != GSS_C_BOTH)) { + k5_mutex_destroy(&cred->lock); + xfree(cred); + *minor_status = (OM_uint32) G_BAD_USAGE; + krb5_free_context(context); + return(GSS_S_FAILURE); + } + + /* if requested, acquire credentials for accepting */ + /* this will fill in cred->princ if the desired_name is not specified */ #ifndef LEAN_CLIENT - if ((cred_usage == GSS_C_ACCEPT) || - (cred_usage == GSS_C_BOTH)) - if ((ret = acquire_accept_cred(context, minor_status, desired_name, - &(cred->princ), cred)) - != GSS_S_COMPLETE) { - if (cred->princ) - krb5_free_principal(context, cred->princ); - k5_mutex_destroy(&cred->lock); - xfree(cred); - /* minor_status set by acquire_accept_cred() */ - save_error_info(*minor_status, context); - krb5_free_context(context); - return(ret); - } + if ((cred_usage == GSS_C_ACCEPT) || + (cred_usage == GSS_C_BOTH)) + if ((ret = acquire_accept_cred(context, minor_status, desired_name, + &(cred->princ), cred)) + != GSS_S_COMPLETE) { + if (cred->princ) + krb5_free_principal(context, cred->princ); + k5_mutex_destroy(&cred->lock); + xfree(cred); + /* minor_status set by acquire_accept_cred() */ + save_error_info(*minor_status, context); + krb5_free_context(context); + return(ret); + } #endif /* LEAN_CLIENT */ - /* if requested, acquire credentials for initiation */ - /* this will fill in cred->princ if it wasn't set above, and - the desired_name is not specified */ - - if ((cred_usage == GSS_C_INITIATE) || - (cred_usage == GSS_C_BOTH)) - if ((ret = - acquire_init_cred(context, minor_status, - cred->princ?(gss_name_t)cred->princ:desired_name, - &(cred->princ), cred)) - != GSS_S_COMPLETE) { + /* if requested, acquire credentials for initiation */ + /* this will fill in cred->princ if it wasn't set above, and + the desired_name is not specified */ + + if ((cred_usage == GSS_C_INITIATE) || + (cred_usage == GSS_C_BOTH)) + if ((ret = + acquire_init_cred(context, minor_status, + cred->princ?(gss_name_t)cred->princ:desired_name, + &(cred->princ), cred)) + != GSS_S_COMPLETE) { #ifndef LEAN_CLIENT - if (cred->keytab) - krb5_kt_close(context, cred->keytab); + if (cred->keytab) + krb5_kt_close(context, cred->keytab); #endif /* LEAN_CLIENT */ - if (cred->princ) - krb5_free_principal(context, cred->princ); - k5_mutex_destroy(&cred->lock); - xfree(cred); - /* minor_status set by acquire_init_cred() */ - save_error_info(*minor_status, context); - krb5_free_context(context); - return(ret); - } - - /* if the princ wasn't filled in already, fill it in now */ - - if (!cred->princ && (desired_name != GSS_C_NO_NAME)) - if ((code = krb5_copy_principal(context, (krb5_principal) desired_name, - &(cred->princ)))) { - if (cred->ccache) - (void)krb5_cc_close(context, cred->ccache); + if (cred->princ) + krb5_free_principal(context, cred->princ); + k5_mutex_destroy(&cred->lock); + xfree(cred); + /* minor_status set by acquire_init_cred() */ + save_error_info(*minor_status, context); + krb5_free_context(context); + return(ret); + } + + /* if the princ wasn't filled in already, fill it in now */ + + if (!cred->princ && (desired_name != GSS_C_NO_NAME)) + if ((code = krb5_copy_principal(context, (krb5_principal) desired_name, + &(cred->princ)))) { + if (cred->ccache) + (void)krb5_cc_close(context, cred->ccache); #ifndef LEAN_CLIENT - if (cred->keytab) - (void)krb5_kt_close(context, cred->keytab); + if (cred->keytab) + (void)krb5_kt_close(context, cred->keytab); #endif /* LEAN_CLIENT */ - k5_mutex_destroy(&cred->lock); - xfree(cred); - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - - /*** at this point, the cred structure has been completely created */ - - /* compute time_rec */ - - if (cred_usage == GSS_C_ACCEPT) { - if (time_rec) - *time_rec = GSS_C_INDEFINITE; - } else { - krb5_timestamp now; - - if ((code = krb5_timeofday(context, &now))) { - if (cred->ccache) - (void)krb5_cc_close(context, cred->ccache); + k5_mutex_destroy(&cred->lock); + xfree(cred); + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + + /*** at this point, the cred structure has been completely created */ + + /* compute time_rec */ + + if (cred_usage == GSS_C_ACCEPT) { + if (time_rec) + *time_rec = GSS_C_INDEFINITE; + } else { + krb5_timestamp now; + + if ((code = krb5_timeofday(context, &now))) { + if (cred->ccache) + (void)krb5_cc_close(context, cred->ccache); #ifndef LEAN_CLIENT - if (cred->keytab) - (void)krb5_kt_close(context, cred->keytab); + if (cred->keytab) + (void)krb5_kt_close(context, cred->keytab); #endif /* LEAN_CLIENT */ - if (cred->princ) - krb5_free_principal(context, cred->princ); - k5_mutex_destroy(&cred->lock); - xfree(cred); - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - - if (time_rec) - *time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0; - } - - /* create mechs */ - - if (actual_mechs) { - if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status, - &ret_mechs)) || - (cred->prerfc_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5_old, - &ret_mechs))) || - (cred->rfc_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5, - &ret_mechs)))) { - if (cred->ccache) - (void)krb5_cc_close(context, cred->ccache); + if (cred->princ) + krb5_free_principal(context, cred->princ); + k5_mutex_destroy(&cred->lock); + xfree(cred); + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + + if (time_rec) + *time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0; + } + + /* create mechs */ + + if (actual_mechs) { + if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status, + &ret_mechs)) || + (cred->prerfc_mech && + GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, + gss_mech_krb5_old, + &ret_mechs))) || + (cred->rfc_mech && + GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, + gss_mech_krb5, + &ret_mechs)))) { + if (cred->ccache) + (void)krb5_cc_close(context, cred->ccache); #ifndef LEAN_CLIENT - if (cred->keytab) - (void)krb5_kt_close(context, cred->keytab); + if (cred->keytab) + (void)krb5_kt_close(context, cred->keytab); #endif /* LEAN_CLIENT */ - if (cred->princ) - krb5_free_principal(context, cred->princ); - k5_mutex_destroy(&cred->lock); - xfree(cred); - /* *minor_status set above */ - krb5_free_context(context); - return(ret); - } - } - - /* intern the credential handle */ - - if (! kg_save_cred_id((gss_cred_id_t) cred)) { - free(ret_mechs->elements); - free(ret_mechs); - if (cred->ccache) - (void)krb5_cc_close(context, cred->ccache); + if (cred->princ) + krb5_free_principal(context, cred->princ); + k5_mutex_destroy(&cred->lock); + xfree(cred); + /* *minor_status set above */ + krb5_free_context(context); + return(ret); + } + } + + /* intern the credential handle */ + + if (! kg_save_cred_id((gss_cred_id_t) cred)) { + free(ret_mechs->elements); + free(ret_mechs); + if (cred->ccache) + (void)krb5_cc_close(context, cred->ccache); #ifndef LEAN_CLIENT - if (cred->keytab) - (void)krb5_kt_close(context, cred->keytab); + if (cred->keytab) + (void)krb5_kt_close(context, cred->keytab); #endif /* LEAN_CLIENT */ - if (cred->princ) - krb5_free_principal(context, cred->princ); - k5_mutex_destroy(&cred->lock); - xfree(cred); - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - save_error_string(*minor_status, "error saving credentials"); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - - /* return success */ - - *minor_status = 0; - *output_cred_handle = (gss_cred_id_t) cred; - if (actual_mechs) - *actual_mechs = ret_mechs; - - krb5_free_context(context); - return(GSS_S_COMPLETE); + if (cred->princ) + krb5_free_principal(context, cred->princ); + k5_mutex_destroy(&cred->lock); + xfree(cred); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + save_error_string(*minor_status, "error saving credentials"); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + + /* return success */ + + *minor_status = 0; + *output_cred_handle = (gss_cred_id_t) cred; + if (actual_mechs) + *actual_mechs = ret_mechs; + + krb5_free_context(context); + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/add_cred.c b/src/lib/gssapi/krb5/add_cred.c index fdcd9c0d3..3652f918b 100644 --- a/src/lib/gssapi/krb5/add_cred.c +++ b/src/lib/gssapi/krb5/add_cred.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 2000, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -6,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,18 +21,18 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -42,7 +43,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -62,26 +63,26 @@ /* V2 interface */ OM_uint32 krb5_gss_add_cred(minor_status, input_cred_handle, - desired_name, desired_mech, cred_usage, - initiator_time_req, acceptor_time_req, - output_cred_handle, actual_mechs, - initiator_time_rec, acceptor_time_rec) - OM_uint32 *minor_status; - gss_cred_id_t input_cred_handle; - gss_name_t desired_name; - gss_OID desired_mech; - gss_cred_usage_t cred_usage; - OM_uint32 initiator_time_req; - OM_uint32 acceptor_time_req; - gss_cred_id_t *output_cred_handle; - gss_OID_set *actual_mechs; - OM_uint32 *initiator_time_rec; - OM_uint32 *acceptor_time_rec; + desired_name, desired_mech, cred_usage, + initiator_time_req, acceptor_time_req, + output_cred_handle, actual_mechs, + initiator_time_rec, acceptor_time_rec) + OM_uint32 *minor_status; + gss_cred_id_t input_cred_handle; + gss_name_t desired_name; + gss_OID desired_mech; + gss_cred_usage_t cred_usage; + OM_uint32 initiator_time_req; + OM_uint32 acceptor_time_req; + gss_cred_id_t *output_cred_handle; + gss_OID_set *actual_mechs; + OM_uint32 *initiator_time_rec; + OM_uint32 *acceptor_time_rec; { - krb5_context context; - OM_uint32 major_status, lifetime; - krb5_gss_cred_id_t cred; - krb5_error_code code; + krb5_context context; + OM_uint32 major_status, lifetime; + krb5_gss_cred_id_t cred; + krb5_error_code code; /* this is pretty simple, since there's not really any difference between the underlying mechanisms. The main hair is in copying @@ -90,18 +91,18 @@ krb5_gss_add_cred(minor_status, input_cred_handle, /* check if the desired_mech is bogus */ if (!g_OID_equal(desired_mech, gss_mech_krb5) && - !g_OID_equal(desired_mech, gss_mech_krb5_old)) { - *minor_status = 0; - return(GSS_S_BAD_MECH); + !g_OID_equal(desired_mech, gss_mech_krb5_old)) { + *minor_status = 0; + return(GSS_S_BAD_MECH); } /* check if the desired_mech is bogus */ if ((cred_usage != GSS_C_INITIATE) && - (cred_usage != GSS_C_ACCEPT) && - (cred_usage != GSS_C_BOTH)) { - *minor_status = (OM_uint32) G_BAD_USAGE; - return(GSS_S_FAILURE); + (cred_usage != GSS_C_ACCEPT) && + (cred_usage != GSS_C_BOTH)) { + *minor_status = (OM_uint32) G_BAD_USAGE; + return(GSS_S_FAILURE); } /* since the default credential includes all the mechanisms, @@ -109,22 +110,22 @@ krb5_gss_add_cred(minor_status, input_cred_handle, /*SUPPRESS 29*/ if (input_cred_handle == GSS_C_NO_CREDENTIAL) { - *minor_status = 0; - return(GSS_S_DUPLICATE_ELEMENT); + *minor_status = 0; + return(GSS_S_DUPLICATE_ELEMENT); } code = krb5_gss_init_context(&context); if (code) { - *minor_status = code; - return GSS_S_FAILURE; + *minor_status = code; + return GSS_S_FAILURE; } major_status = krb5_gss_validate_cred_1(minor_status, input_cred_handle, - context); + context); if (GSS_ERROR(major_status)) { - save_error_info(*minor_status, context); - krb5_free_context(context); - return major_status; + save_error_info(*minor_status, context); + krb5_free_context(context); + return major_status; } cred = (krb5_gss_cred_id_t) input_cred_handle; @@ -134,252 +135,252 @@ krb5_gss_add_cred(minor_status, input_cred_handle, if copying */ if (!((cred->usage == cred_usage) || - ((cred->usage == GSS_C_BOTH) && - (output_cred_handle != NULL)))) { - *minor_status = (OM_uint32) G_BAD_USAGE; - krb5_free_context(context); - return(GSS_S_FAILURE); + ((cred->usage == GSS_C_BOTH) && + (output_cred_handle != NULL)))) { + *minor_status = (OM_uint32) G_BAD_USAGE; + krb5_free_context(context); + return(GSS_S_FAILURE); } /* check that desired_mech isn't already in the credential */ if ((g_OID_equal(desired_mech, gss_mech_krb5_old) && cred->prerfc_mech) || - (g_OID_equal(desired_mech, gss_mech_krb5) && cred->rfc_mech)) { - *minor_status = 0; - krb5_free_context(context); - return(GSS_S_DUPLICATE_ELEMENT); + (g_OID_equal(desired_mech, gss_mech_krb5) && cred->rfc_mech)) { + *minor_status = 0; + krb5_free_context(context); + return(GSS_S_DUPLICATE_ELEMENT); } if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) { - save_error_info(*minor_status, context); - krb5_free_context(context); - return GSS_S_FAILURE; + save_error_info(*minor_status, context); + krb5_free_context(context); + return GSS_S_FAILURE; } /* verify the desired_name */ /*SUPPRESS 29*/ if ((desired_name != (gss_name_t) NULL) && - (! kg_validate_name(desired_name))) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - krb5_free_context(context); - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + (! kg_validate_name(desired_name))) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); } /* make sure the desired_name is the same as the existing one */ if (desired_name && - !krb5_principal_compare(context, (krb5_principal) desired_name, - cred->princ)) { - *minor_status = 0; - krb5_free_context(context); - return(GSS_S_BAD_NAME); + !krb5_principal_compare(context, (krb5_principal) desired_name, + cred->princ)) { + *minor_status = 0; + krb5_free_context(context); + return(GSS_S_BAD_NAME); } /* copy the cred if necessary */ if (output_cred_handle) { - /* make a copy */ - krb5_gss_cred_id_t new_cred; - char ktboth[1024]; - const char *kttype, *cctype, *ccname; - char ccboth[1024]; - - if ((new_cred = - (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) - == NULL) { - *minor_status = ENOMEM; - krb5_free_context(context); - return(GSS_S_FAILURE); - } - memset(new_cred, 0, sizeof(krb5_gss_cred_id_rec)); - - new_cred->usage = cred_usage; - new_cred->prerfc_mech = cred->prerfc_mech; - new_cred->rfc_mech = cred->rfc_mech; - new_cred->tgt_expire = cred->tgt_expire; - - if (cred->princ) - code = krb5_copy_principal(context, cred->princ, &new_cred->princ); - if (code) { - xfree(new_cred); - - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } -#ifndef LEAN_CLIENT - if (cred->keytab) { - kttype = krb5_kt_get_type(context, cred->keytab); - if ((strlen(kttype)+2) > sizeof(ktboth)) { - if (new_cred->princ) - krb5_free_principal(context, new_cred->princ); - xfree(new_cred); - - *minor_status = ENOMEM; - krb5_free_context(context); - return(GSS_S_FAILURE); - } - - strncpy(ktboth, kttype, sizeof(ktboth) - 1); - ktboth[sizeof(ktboth) - 1] = '\0'; - strncat(ktboth, ":", sizeof(ktboth) - 1 - strlen(ktboth)); - - code = krb5_kt_get_name(context, cred->keytab, - ktboth+strlen(ktboth), - sizeof(ktboth)-strlen(ktboth)); - if (code) { - if(new_cred->princ) - krb5_free_principal(context, new_cred->princ); - xfree(new_cred); - - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - - code = krb5_kt_resolve(context, ktboth, &new_cred->keytab); - if (code) { - if (new_cred->princ) - krb5_free_principal(context, new_cred->princ); - xfree(new_cred); - - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - } else { + /* make a copy */ + krb5_gss_cred_id_t new_cred; + char ktboth[1024]; + const char *kttype, *cctype, *ccname; + char ccboth[1024]; + + if ((new_cred = + (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) + == NULL) { + *minor_status = ENOMEM; + krb5_free_context(context); + return(GSS_S_FAILURE); + } + memset(new_cred, 0, sizeof(krb5_gss_cred_id_rec)); + + new_cred->usage = cred_usage; + new_cred->prerfc_mech = cred->prerfc_mech; + new_cred->rfc_mech = cred->rfc_mech; + new_cred->tgt_expire = cred->tgt_expire; + + if (cred->princ) + code = krb5_copy_principal(context, cred->princ, &new_cred->princ); + if (code) { + xfree(new_cred); + + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } +#ifndef LEAN_CLIENT + if (cred->keytab) { + kttype = krb5_kt_get_type(context, cred->keytab); + if ((strlen(kttype)+2) > sizeof(ktboth)) { + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); + + *minor_status = ENOMEM; + krb5_free_context(context); + return(GSS_S_FAILURE); + } + + strncpy(ktboth, kttype, sizeof(ktboth) - 1); + ktboth[sizeof(ktboth) - 1] = '\0'; + strncat(ktboth, ":", sizeof(ktboth) - 1 - strlen(ktboth)); + + code = krb5_kt_get_name(context, cred->keytab, + ktboth+strlen(ktboth), + sizeof(ktboth)-strlen(ktboth)); + if (code) { + if(new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); + + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + + code = krb5_kt_resolve(context, ktboth, &new_cred->keytab); + if (code) { + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); + + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + } else { #endif /* LEAN_CLIENT */ - new_cred->keytab = NULL; -#ifndef LEAN_CLIENT - } + new_cred->keytab = NULL; +#ifndef LEAN_CLIENT + } #endif /* LEAN_CLIENT */ - - if (cred->rcache) { - /* Open the replay cache for this principal. */ - if ((code = krb5_get_server_rcache(context, - krb5_princ_component(context, cred->princ, 0), - &new_cred->rcache))) { -#ifndef LEAN_CLIENT - if (new_cred->keytab) - krb5_kt_close(context, new_cred->keytab); + + if (cred->rcache) { + /* Open the replay cache for this principal. */ + if ((code = krb5_get_server_rcache(context, + krb5_princ_component(context, cred->princ, 0), + &new_cred->rcache))) { +#ifndef LEAN_CLIENT + if (new_cred->keytab) + krb5_kt_close(context, new_cred->keytab); #endif /* LEAN_CLIENT */ - if (new_cred->princ) - krb5_free_principal(context, new_cred->princ); - xfree(new_cred); - - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - } else { - new_cred->rcache = NULL; - } - - if (cred->ccache) { - cctype = krb5_cc_get_type(context, cred->ccache); - ccname = krb5_cc_get_name(context, cred->ccache); - - if ((strlen(cctype)+strlen(ccname)+2) > sizeof(ccboth)) { - if (new_cred->rcache) - krb5_rc_close(context, new_cred->rcache); -#ifndef LEAN_CLIENT - if (new_cred->keytab) - krb5_kt_close(context, new_cred->keytab); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); + + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + } else { + new_cred->rcache = NULL; + } + + if (cred->ccache) { + cctype = krb5_cc_get_type(context, cred->ccache); + ccname = krb5_cc_get_name(context, cred->ccache); + + if ((strlen(cctype)+strlen(ccname)+2) > sizeof(ccboth)) { + if (new_cred->rcache) + krb5_rc_close(context, new_cred->rcache); +#ifndef LEAN_CLIENT + if (new_cred->keytab) + krb5_kt_close(context, new_cred->keytab); #endif /* LEAN_CLIENT */ - if (new_cred->princ) - krb5_free_principal(context, new_cred->princ); - xfree(new_cred); - - krb5_free_context(context); - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - - strncpy(ccboth, cctype, sizeof(ccboth) - 1); - ccboth[sizeof(ccboth) - 1] = '\0'; - strncat(ccboth, ":", sizeof(ccboth) - 1 - strlen(ccboth)); - strncat(ccboth, ccname, sizeof(ccboth) - 1 - strlen(ccboth)); - - code = krb5_cc_resolve(context, ccboth, &new_cred->ccache); - if (code) { - if (new_cred->rcache) - krb5_rc_close(context, new_cred->rcache); -#ifndef LEAN_CLIENT - if (new_cred->keytab) - krb5_kt_close(context, new_cred->keytab); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); + + krb5_free_context(context); + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + + strncpy(ccboth, cctype, sizeof(ccboth) - 1); + ccboth[sizeof(ccboth) - 1] = '\0'; + strncat(ccboth, ":", sizeof(ccboth) - 1 - strlen(ccboth)); + strncat(ccboth, ccname, sizeof(ccboth) - 1 - strlen(ccboth)); + + code = krb5_cc_resolve(context, ccboth, &new_cred->ccache); + if (code) { + if (new_cred->rcache) + krb5_rc_close(context, new_cred->rcache); +#ifndef LEAN_CLIENT + if (new_cred->keytab) + krb5_kt_close(context, new_cred->keytab); #endif /* LEAN_CLIENT */ - if (new_cred->princ) - krb5_free_principal(context, new_cred->princ); - xfree(new_cred); - - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - } else { - new_cred->ccache = NULL; - } - - /* intern the credential handle */ - - if (! kg_save_cred_id((gss_cred_id_t) new_cred)) { - if (new_cred->ccache) - krb5_cc_close(context, new_cred->ccache); - if (new_cred->rcache) - krb5_rc_close(context, new_cred->rcache); -#ifndef LEAN_CLIENT - if (new_cred->keytab) - krb5_kt_close(context, new_cred->keytab); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); + + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + } else { + new_cred->ccache = NULL; + } + + /* intern the credential handle */ + + if (! kg_save_cred_id((gss_cred_id_t) new_cred)) { + if (new_cred->ccache) + krb5_cc_close(context, new_cred->ccache); + if (new_cred->rcache) + krb5_rc_close(context, new_cred->rcache); +#ifndef LEAN_CLIENT + if (new_cred->keytab) + krb5_kt_close(context, new_cred->keytab); #endif /* LEAN_CLIENT */ - if (new_cred->princ) - krb5_free_principal(context, new_cred->princ); - xfree(new_cred); - krb5_free_context(context); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); + xfree(new_cred); + krb5_free_context(context); - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_FAILURE); - } + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_FAILURE); + } - /* modify new_cred */ + /* modify new_cred */ - cred = new_cred; + cred = new_cred; } - + /* set the flag for the new mechanism */ if (g_OID_equal(desired_mech, gss_mech_krb5_old)) - cred->prerfc_mech = 1; + cred->prerfc_mech = 1; else if (g_OID_equal(desired_mech, gss_mech_krb5)) - cred->rfc_mech = 1; + cred->rfc_mech = 1; /* set the outputs */ - if (GSS_ERROR(major_status = krb5_gss_inquire_cred(minor_status, - (gss_cred_id_t)cred, - NULL, &lifetime, - NULL, actual_mechs))) { - OM_uint32 dummy; - - if (output_cred_handle) - (void) krb5_gss_release_cred(&dummy, (gss_cred_id_t *) &cred); - krb5_free_context(context); - - return(major_status); + if (GSS_ERROR(major_status = krb5_gss_inquire_cred(minor_status, + (gss_cred_id_t)cred, + NULL, &lifetime, + NULL, actual_mechs))) { + OM_uint32 dummy; + + if (output_cred_handle) + (void) krb5_gss_release_cred(&dummy, (gss_cred_id_t *) &cred); + krb5_free_context(context); + + return(major_status); } if (initiator_time_rec) - *initiator_time_rec = lifetime; + *initiator_time_rec = lifetime; if (acceptor_time_rec) - *acceptor_time_rec = lifetime; + *acceptor_time_rec = lifetime; if (output_cred_handle) - *output_cred_handle = (gss_cred_id_t)cred; + *output_cred_handle = (gss_cred_id_t)cred; krb5_free_context(context); *minor_status = 0; diff --git a/src/lib/gssapi/krb5/canon_name.c b/src/lib/gssapi/krb5/canon_name.c index 0f7c9cd9c..b113a343e 100644 --- a/src/lib/gssapi/krb5/canon_name.c +++ b/src/lib/gssapi/krb5/canon_name.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/canon_name.c * @@ -30,15 +31,15 @@ /* This is trivial since we're a single mechanism implementation */ OM_uint32 krb5_gss_canonicalize_name(OM_uint32 *minor_status, - const gss_name_t input_name, - const gss_OID mech_type, - gss_name_t *output_name) + const gss_name_t input_name, + const gss_OID mech_type, + gss_name_t *output_name) { if ((mech_type != GSS_C_NULL_OID) && - !g_OID_equal(gss_mech_krb5, mech_type) && - !g_OID_equal(gss_mech_krb5_old, mech_type)) { - *minor_status = 0; - return(GSS_S_BAD_MECH); + !g_OID_equal(gss_mech_krb5, mech_type) && + !g_OID_equal(gss_mech_krb5_old, mech_type)) { + *minor_status = 0; + return(GSS_S_BAD_MECH); } return(gss_duplicate_name(minor_status, input_name, output_name)); diff --git a/src/lib/gssapi/krb5/compare_name.c b/src/lib/gssapi/krb5/compare_name.c index 805f9f1d7..e456ed50a 100644 --- a/src/lib/gssapi/krb5/compare_name.c +++ b/src/lib/gssapi/krb5/compare_name.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -28,33 +29,33 @@ OM_uint32 krb5_gss_compare_name(minor_status, name1, name2, name_equal) - OM_uint32 *minor_status; - gss_name_t name1; - gss_name_t name2; - int *name_equal; -{ - krb5_context context; - krb5_error_code code; + OM_uint32 *minor_status; + gss_name_t name1; + gss_name_t name2; + int *name_equal; +{ + krb5_context context; + krb5_error_code code; - if (! kg_validate_name(name1)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - } + if (! kg_validate_name(name1)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } - if (! kg_validate_name(name2)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - } + if (! kg_validate_name(name2)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } - code = krb5_gss_init_context(&context); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } - *minor_status = 0; - *name_equal = krb5_principal_compare(context, (krb5_principal) name1, - (krb5_principal) name2); - krb5_free_context(context); - return(GSS_S_COMPLETE); + *minor_status = 0; + *name_equal = krb5_principal_compare(context, (krb5_principal) name1, + (krb5_principal) name2); + krb5_free_context(context); + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c index adaa62506..ec16239c4 100644 --- a/src/lib/gssapi/krb5/context_time.c +++ b/src/lib/gssapi/krb5/context_time.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -28,41 +29,41 @@ OM_uint32 krb5_gss_context_time(minor_status, context_handle, time_rec) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - OM_uint32 *time_rec; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + OM_uint32 *time_rec; { - krb5_error_code code; - krb5_gss_ctx_id_rec *ctx; - krb5_timestamp now; - krb5_deltat lifetime; + krb5_error_code code; + krb5_gss_ctx_id_rec *ctx; + krb5_timestamp now; + krb5_deltat lifetime; - /* validate the context handle */ - if (! kg_validate_ctx_id(context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); - } + /* validate the context handle */ + if (! kg_validate_ctx_id(context_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); + } - ctx = (krb5_gss_ctx_id_rec *) context_handle; + ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { - *minor_status = KG_CTX_INCOMPLETE; - return(GSS_S_NO_CONTEXT); - } + if (! ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } - if ((code = krb5_timeofday(ctx->k5_context, &now))) { - *minor_status = code; - save_error_info(*minor_status, ctx->k5_context); - return(GSS_S_FAILURE); - } + if ((code = krb5_timeofday(ctx->k5_context, &now))) { + *minor_status = code; + save_error_info(*minor_status, ctx->k5_context); + return(GSS_S_FAILURE); + } - if ((lifetime = ctx->endtime - now) <= 0) { - *time_rec = 0; - *minor_status = 0; - return(GSS_S_CONTEXT_EXPIRED); - } else { - *time_rec = lifetime; - *minor_status = 0; - return(GSS_S_COMPLETE); - } + if ((lifetime = ctx->endtime - now) <= 0) { + *time_rec = 0; + *minor_status = 0; + return(GSS_S_CONTEXT_EXPIRED); + } else { + *time_rec = lifetime; + *minor_status = 0; + return(GSS_S_COMPLETE); + } } diff --git a/src/lib/gssapi/krb5/copy_ccache.c b/src/lib/gssapi/krb5/copy_ccache.c index 8553d92db..2071df44a 100644 --- a/src/lib/gssapi/krb5/copy_ccache.c +++ b/src/lib/gssapi/krb5/copy_ccache.c @@ -1,57 +1,58 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ #include "gssapiP_krb5.h" -OM_uint32 KRB5_CALLCONV +OM_uint32 KRB5_CALLCONV gss_krb5int_copy_ccache(minor_status, cred_handle, out_ccache) - OM_uint32 *minor_status; - gss_cred_id_t cred_handle; - krb5_ccache out_ccache; + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; + krb5_ccache out_ccache; { - OM_uint32 major_status; - krb5_gss_cred_id_t k5creds; - krb5_cc_cursor cursor; - krb5_creds creds; - krb5_error_code code; - krb5_context context; + OM_uint32 major_status; + krb5_gss_cred_id_t k5creds; + krb5_cc_cursor cursor; + krb5_creds creds; + krb5_error_code code; + krb5_context context; - /* validate the cred handle */ - major_status = krb5_gss_validate_cred(minor_status, cred_handle); - if (major_status) - return(major_status); - - k5creds = (krb5_gss_cred_id_t) cred_handle; - code = k5_mutex_lock(&k5creds->lock); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } - if (k5creds->usage == GSS_C_ACCEPT) { - k5_mutex_unlock(&k5creds->lock); - *minor_status = (OM_uint32) G_BAD_USAGE; - return(GSS_S_FAILURE); - } + /* validate the cred handle */ + major_status = krb5_gss_validate_cred(minor_status, cred_handle); + if (major_status) + return(major_status); - code = krb5_gss_init_context(&context); - if (code) { - k5_mutex_unlock(&k5creds->lock); - *minor_status = code; - return GSS_S_FAILURE; - } + k5creds = (krb5_gss_cred_id_t) cred_handle; + code = k5_mutex_lock(&k5creds->lock); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } + if (k5creds->usage == GSS_C_ACCEPT) { + k5_mutex_unlock(&k5creds->lock); + *minor_status = (OM_uint32) G_BAD_USAGE; + return(GSS_S_FAILURE); + } - code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor); - if (code) { - k5_mutex_unlock(&k5creds->lock); - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor, &creds)) - code = krb5_cc_store_cred(context, out_ccache, &creds); - krb5_cc_end_seq_get(context, k5creds->ccache, &cursor); - k5_mutex_unlock(&k5creds->lock); - *minor_status = code; - if (code) - save_error_info(*minor_status, context); - krb5_free_context(context); - return code ? GSS_S_FAILURE : GSS_S_COMPLETE; + code = krb5_gss_init_context(&context); + if (code) { + k5_mutex_unlock(&k5creds->lock); + *minor_status = code; + return GSS_S_FAILURE; + } + + code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor); + if (code) { + k5_mutex_unlock(&k5creds->lock); + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor, &creds)) + code = krb5_cc_store_cred(context, out_ccache, &creds); + krb5_cc_end_seq_get(context, k5creds->ccache, &cursor); + k5_mutex_unlock(&k5creds->lock); + *minor_status = code; + if (code) + save_error_info(*minor_status, context); + krb5_free_context(context); + return code ? GSS_S_FAILURE : GSS_S_COMPLETE; } diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c index 60755d251..b2ace922c 100644 --- a/src/lib/gssapi/krb5/delete_sec_context.c +++ b/src/lib/gssapi/krb5/delete_sec_context.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -28,94 +29,94 @@ OM_uint32 krb5_gss_delete_sec_context(minor_status, context_handle, output_token) - OM_uint32 *minor_status; - gss_ctx_id_t *context_handle; - gss_buffer_t output_token; + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_buffer_t output_token; { - krb5_context context; - krb5_gss_ctx_id_rec *ctx; + krb5_context context; + krb5_gss_ctx_id_rec *ctx; - if (output_token) { - output_token->length = 0; - output_token->value = NULL; - } + if (output_token) { + output_token->length = 0; + output_token->value = NULL; + } - /*SUPPRESS 29*/ - if (*context_handle == GSS_C_NO_CONTEXT) { - *minor_status = 0; - return(GSS_S_COMPLETE); - } + /*SUPPRESS 29*/ + if (*context_handle == GSS_C_NO_CONTEXT) { + *minor_status = 0; + return(GSS_S_COMPLETE); + } - /*SUPPRESS 29*/ - /* validate the context handle */ - if (! kg_validate_ctx_id(*context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); - } + /*SUPPRESS 29*/ + /* validate the context handle */ + if (! kg_validate_ctx_id(*context_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); + } - ctx = (krb5_gss_ctx_id_t) *context_handle; - context = ctx->k5_context; + ctx = (krb5_gss_ctx_id_t) *context_handle; + context = ctx->k5_context; - /* construct a delete context token if necessary */ + /* construct a delete context token if necessary */ - if (output_token) { - OM_uint32 major; - gss_buffer_desc empty; - empty.length = 0; empty.value = NULL; + if (output_token) { + OM_uint32 major; + gss_buffer_desc empty; + empty.length = 0; empty.value = NULL; - if ((major = kg_seal(minor_status, *context_handle, 0, - GSS_C_QOP_DEFAULT, - &empty, NULL, output_token, KG_TOK_DEL_CTX))) { - save_error_info(*minor_status, context); - return(major); - } - } + if ((major = kg_seal(minor_status, *context_handle, 0, + GSS_C_QOP_DEFAULT, + &empty, NULL, output_token, KG_TOK_DEL_CTX))) { + save_error_info(*minor_status, context); + return(major); + } + } - /* invalidate the context handle */ + /* invalidate the context handle */ - (void)kg_delete_ctx_id(*context_handle); + (void)kg_delete_ctx_id(*context_handle); - /* free all the context state */ + /* free all the context state */ - if (ctx->seqstate) - g_order_free(&(ctx->seqstate)); + if (ctx->seqstate) + g_order_free(&(ctx->seqstate)); - if (ctx->enc) - krb5_free_keyblock(context, ctx->enc); + if (ctx->enc) + krb5_free_keyblock(context, ctx->enc); - if (ctx->seq) - krb5_free_keyblock(context, ctx->seq); + if (ctx->seq) + krb5_free_keyblock(context, ctx->seq); - if (ctx->here) - krb5_free_principal(context, ctx->here); - if (ctx->there) - krb5_free_principal(context, ctx->there); - if (ctx->subkey) - krb5_free_keyblock(context, ctx->subkey); - if (ctx->acceptor_subkey) - krb5_free_keyblock(context, ctx->acceptor_subkey); + if (ctx->here) + krb5_free_principal(context, ctx->here); + if (ctx->there) + krb5_free_principal(context, ctx->there); + if (ctx->subkey) + krb5_free_keyblock(context, ctx->subkey); + if (ctx->acceptor_subkey) + krb5_free_keyblock(context, ctx->acceptor_subkey); - if (ctx->auth_context) { - if (ctx->cred_rcache) - (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL); + if (ctx->auth_context) { + if (ctx->cred_rcache) + (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL); - krb5_auth_con_free(context, ctx->auth_context); - } + krb5_auth_con_free(context, ctx->auth_context); + } - if (ctx->mech_used) - gss_release_oid(minor_status, &ctx->mech_used); - - if (ctx->k5_context) - krb5_free_context(ctx->k5_context); + if (ctx->mech_used) + gss_release_oid(minor_status, &ctx->mech_used); - /* Zero out context */ - memset(ctx, 0, sizeof(*ctx)); - xfree(ctx); + if (ctx->k5_context) + krb5_free_context(ctx->k5_context); - /* zero the handle itself */ + /* Zero out context */ + memset(ctx, 0, sizeof(*ctx)); + xfree(ctx); - *context_handle = GSS_C_NO_CONTEXT; + /* zero the handle itself */ - *minor_status = 0; - return(GSS_S_COMPLETE); + *context_handle = GSS_C_NO_CONTEXT; + + *minor_status = 0; + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/disp_name.c b/src/lib/gssapi/krb5/disp_name.c index 1f67d5129..d6bf0f7ba 100644 --- a/src/lib/gssapi/krb5/disp_name.c +++ b/src/lib/gssapi/krb5/disp_name.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -23,53 +24,53 @@ #include "gssapiP_krb5.h" OM_uint32 -krb5_gss_display_name(minor_status, input_name, output_name_buffer, - output_name_type) - OM_uint32 *minor_status; - gss_name_t input_name; - gss_buffer_t output_name_buffer; - gss_OID *output_name_type; +krb5_gss_display_name(minor_status, input_name, output_name_buffer, + output_name_type) + OM_uint32 *minor_status; + gss_name_t input_name; + gss_buffer_t output_name_buffer; + gss_OID *output_name_type; { - krb5_context context; - krb5_error_code code; - char *str; + krb5_context context; + krb5_error_code code; + char *str; - code = krb5_gss_init_context(&context); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } - output_name_buffer->length = 0; - output_name_buffer->value = NULL; + output_name_buffer->length = 0; + output_name_buffer->value = NULL; - if (! kg_validate_name(input_name)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - krb5_free_context(context); - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - } + if (! kg_validate_name(input_name)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } - if ((code = krb5_unparse_name(context, - (krb5_principal) input_name, &str))) { - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } + if ((code = krb5_unparse_name(context, + (krb5_principal) input_name, &str))) { + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } - if (! g_make_string_buffer(str, output_name_buffer)) { - krb5_free_unparsed_name(context, str); - krb5_free_context(context); + if (! g_make_string_buffer(str, output_name_buffer)) { + krb5_free_unparsed_name(context, str); + krb5_free_context(context); - *minor_status = (OM_uint32) G_BUFFER_ALLOC; - return(GSS_S_FAILURE); - } + *minor_status = (OM_uint32) G_BUFFER_ALLOC; + return(GSS_S_FAILURE); + } - krb5_free_unparsed_name(context, str); - krb5_free_context(context); + krb5_free_unparsed_name(context, str); + krb5_free_context(context); - *minor_status = 0; - if (output_name_type) - *output_name_type = (gss_OID) gss_nt_krb5_name; - return(GSS_S_COMPLETE); + *minor_status = 0; + if (output_name_type) + *output_name_type = (gss_OID) gss_nt_krb5_name; + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/disp_status.c b/src/lib/gssapi/krb5/disp_status.c index 9a0399d78..2ee6aceec 100644 --- a/src/lib/gssapi/krb5/disp_status.c +++ b/src/lib/gssapi/krb5/disp_status.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -30,11 +31,11 @@ static inline int compare_OM_uint32 (OM_uint32 a, OM_uint32 b) { if (a < b) - return -1; + return -1; else if (a == b) - return 0; + return 0; else - return 1; + return 1; } static inline void free_string (char *s) @@ -49,19 +50,19 @@ char *get_error_message(OM_uint32 minor_code) char *msg = 0; #ifdef DEBUG fprintf(stderr, "%s(%lu, p=%p)", __func__, (unsigned long) minor_code, - (void *) p); + (void *) p); #endif if (p) { - char **v = gsserrmap_find(p, minor_code); - if (v) { - msg = *v; + char **v = gsserrmap_find(p, minor_code); + if (v) { + msg = *v; #ifdef DEBUG - fprintf(stderr, " FOUND!"); + fprintf(stderr, " FOUND!"); #endif - } + } } if (msg == 0) - msg = error_message(minor_code); + msg = error_message(minor_code); #ifdef DEBUG fprintf(stderr, " -> %p/%s\n", (void *) msg, msg); #endif @@ -78,24 +79,24 @@ static int save_error_string_nocopy(OM_uint32 minor_code, char *msg) #endif p = k5_getspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE); if (!p) { - p = malloc(sizeof(*p)); - if (p == NULL) { - ret = 1; - goto fail; - } - if (gsserrmap_init(p) != 0) { - free(p); - p = NULL; - ret = 1; - goto fail; - } - if (k5_setspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE, p) != 0) { - gsserrmap_destroy(p); - free(p); - p = NULL; - ret = 1; - goto fail; - } + p = malloc(sizeof(*p)); + if (p == NULL) { + ret = 1; + goto fail; + } + if (gsserrmap_init(p) != 0) { + free(p); + p = NULL; + ret = 1; + goto fail; + } + if (k5_setspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE, p) != 0) { + gsserrmap_destroy(p); + free(p); + p = NULL; + ret = 1; + goto fail; + } } ret = gsserrmap_replace_or_insert(p, minor_code, msg); fail: @@ -108,8 +109,8 @@ void save_error_string(OM_uint32 minor_code, char *msg) { char *s = strdup(msg); if (s) { - if (save_error_string_nocopy(minor_code, s) != 0) - free(s); + if (save_error_string_nocopy(minor_code, s) != 0) + free(s); } } void save_error_message(OM_uint32 minor_code, const char *format, ...) @@ -122,8 +123,8 @@ void save_error_message(OM_uint32 minor_code, const char *format, ...) n = vasprintf(&s, format, ap); va_end(ap); if (n >= 0) { - if (save_error_string_nocopy(minor_code, s) != 0) - free(s); + if (save_error_string_nocopy(minor_code, s) != 0) + free(s); } } void krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx) @@ -132,12 +133,12 @@ void krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx) #ifdef DEBUG fprintf(stderr, "%s(%lu, ctx=%p)\n", __func__, - (unsigned long) minor_code, (void *)ctx); + (unsigned long) minor_code, (void *)ctx); #endif s = krb5_get_error_message(ctx, minor_code); #ifdef DEBUG fprintf(stderr, "%s(%lu, ctx=%p) saving: %s\n", __func__, - (unsigned long) minor_code, (void *)ctx, s); + (unsigned long) minor_code, (void *)ctx, s); #endif save_error_string(minor_code, s); /* The get_error_message call above resets the error message in @@ -154,44 +155,44 @@ void krb5_gss_delete_error_info(void *p) OM_uint32 krb5_gss_display_status(minor_status, status_value, status_type, - mech_type, message_context, status_string) - OM_uint32 *minor_status; - OM_uint32 status_value; - int status_type; - gss_OID mech_type; - OM_uint32 *message_context; - gss_buffer_t status_string; + mech_type, message_context, status_string) + OM_uint32 *minor_status; + OM_uint32 status_value; + int status_type; + gss_OID mech_type; + OM_uint32 *message_context; + gss_buffer_t status_string; { - status_string->length = 0; - status_string->value = NULL; + status_string->length = 0; + status_string->value = NULL; - if ((mech_type != GSS_C_NULL_OID) && - !g_OID_equal(gss_mech_krb5, mech_type) && - !g_OID_equal(gss_mech_krb5_old, mech_type)) { - *minor_status = 0; - return(GSS_S_BAD_MECH); + if ((mech_type != GSS_C_NULL_OID) && + !g_OID_equal(gss_mech_krb5, mech_type) && + !g_OID_equal(gss_mech_krb5_old, mech_type)) { + *minor_status = 0; + return(GSS_S_BAD_MECH); } - if (status_type == GSS_C_GSS_CODE) { - return(g_display_major_status(minor_status, status_value, - message_context, status_string)); - } else if (status_type == GSS_C_MECH_CODE) { - (void) gssint_initialize_library(); + if (status_type == GSS_C_GSS_CODE) { + return(g_display_major_status(minor_status, status_value, + message_context, status_string)); + } else if (status_type == GSS_C_MECH_CODE) { + (void) gssint_initialize_library(); - if (*message_context) { - *minor_status = (OM_uint32) G_BAD_MSG_CTX; - return(GSS_S_FAILURE); - } + if (*message_context) { + *minor_status = (OM_uint32) G_BAD_MSG_CTX; + return(GSS_S_FAILURE); + } - /* If this fails, there's not much we can do... */ - if (g_make_string_buffer(krb5_gss_get_error_message(status_value), - status_string) != 0) - *minor_status = ENOMEM; - else - *minor_status = 0; - return 0; - } else { - *minor_status = 0; - return(GSS_S_BAD_STATUS); - } + /* If this fails, there's not much we can do... */ + if (g_make_string_buffer(krb5_gss_get_error_message(status_value), + status_string) != 0) + *minor_status = ENOMEM; + else + *minor_status = 0; + return 0; + } else { + *minor_status = 0; + return(GSS_S_BAD_STATUS); + } } diff --git a/src/lib/gssapi/krb5/duplicate_name.c b/src/lib/gssapi/krb5/duplicate_name.c index 5d352bdf3..add3a2ed0 100644 --- a/src/lib/gssapi/krb5/duplicate_name.c +++ b/src/lib/gssapi/krb5/duplicate_name.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/duplicate_name.c * @@ -28,53 +29,47 @@ #include "gssapiP_krb5.h" OM_uint32 krb5_gss_duplicate_name(OM_uint32 *minor_status, - const gss_name_t input_name, - gss_name_t *dest_name) + const gss_name_t input_name, + gss_name_t *dest_name) { - krb5_context context; - krb5_error_code code; - krb5_principal princ, outprinc; + krb5_context context; + krb5_error_code code; + krb5_principal princ, outprinc; - if (minor_status) - *minor_status = 0; - - code = krb5_gss_init_context(&context); - if (code) { - if (minor_status) - *minor_status = code; - return GSS_S_FAILURE; - } - - if (! kg_validate_name(input_name)) { - if (minor_status) - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - krb5_free_context(context); - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - } - - princ = (krb5_principal)input_name; - if ((code = krb5_copy_principal(context, princ, &outprinc))) { - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - - if (! kg_save_name((gss_name_t) outprinc)) { - krb5_free_principal(context, outprinc); - krb5_free_context(context); - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_FAILURE); - } - - krb5_free_context(context); - *dest_name = (gss_name_t) outprinc; - return(GSS_S_COMPLETE); - -} + if (minor_status) + *minor_status = 0; + code = krb5_gss_init_context(&context); + if (code) { + if (minor_status) + *minor_status = code; + return GSS_S_FAILURE; + } + if (! kg_validate_name(input_name)) { + if (minor_status) + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } + princ = (krb5_principal)input_name; + if ((code = krb5_copy_principal(context, princ, &outprinc))) { + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + if (! kg_save_name((gss_name_t) outprinc)) { + krb5_free_principal(context, outprinc); + krb5_free_context(context); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_FAILURE); + } + krb5_free_context(context); + *dest_name = (gss_name_t) outprinc; + return(GSS_S_COMPLETE); +} diff --git a/src/lib/gssapi/krb5/export_name.c b/src/lib/gssapi/krb5/export_name.c index 9a54032b1..d55a174e0 100644 --- a/src/lib/gssapi/krb5/export_name.c +++ b/src/lib/gssapi/krb5/export_name.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/export_name.c * @@ -28,68 +29,68 @@ #include "gssapiP_krb5.h" OM_uint32 krb5_gss_export_name(OM_uint32 *minor_status, - const gss_name_t input_name, - gss_buffer_t exported_name) + const gss_name_t input_name, + gss_buffer_t exported_name) { - krb5_context context; - krb5_error_code code; - size_t length; - char *str, *cp; + krb5_context context; + krb5_error_code code; + size_t length; + char *str, *cp; - if (minor_status) - *minor_status = 0; + if (minor_status) + *minor_status = 0; - code = krb5_gss_init_context(&context); - if (code) { - if (minor_status) - *minor_status = code; - return GSS_S_FAILURE; - } + code = krb5_gss_init_context(&context); + if (code) { + if (minor_status) + *minor_status = code; + return GSS_S_FAILURE; + } - exported_name->length = 0; - exported_name->value = NULL; - - if (! kg_validate_name(input_name)) { - if (minor_status) - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - krb5_free_context(context); - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - } + exported_name->length = 0; + exported_name->value = NULL; - if ((code = krb5_unparse_name(context, (krb5_principal) input_name, - &str))) { - if (minor_status) - *minor_status = code; - save_error_info(code, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } + if (! kg_validate_name(input_name)) { + if (minor_status) + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } - krb5_free_context(context); - length = strlen(str); - exported_name->length = 10 + length + gss_mech_krb5->length; - exported_name->value = malloc(exported_name->length); - if (!exported_name->value) { - free(str); - if (minor_status) - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - cp = exported_name->value; + if ((code = krb5_unparse_name(context, (krb5_principal) input_name, + &str))) { + if (minor_status) + *minor_status = code; + save_error_info(code, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } - /* Note: we assume the OID will be less than 128 bytes... */ - *cp++ = 0x04; *cp++ = 0x01; - store_16_be(gss_mech_krb5->length+2, cp); - cp += 2; - *cp++ = 0x06; - *cp++ = (gss_mech_krb5->length) & 0xFF; - memcpy(cp, gss_mech_krb5->elements, gss_mech_krb5->length); - cp += gss_mech_krb5->length; - store_32_be(length, cp); - cp += 4; - memcpy(cp, str, length); + krb5_free_context(context); + length = strlen(str); + exported_name->length = 10 + length + gss_mech_krb5->length; + exported_name->value = malloc(exported_name->length); + if (!exported_name->value) { + free(str); + if (minor_status) + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + cp = exported_name->value; - free(str); + /* Note: we assume the OID will be less than 128 bytes... */ + *cp++ = 0x04; *cp++ = 0x01; + store_16_be(gss_mech_krb5->length+2, cp); + cp += 2; + *cp++ = 0x06; + *cp++ = (gss_mech_krb5->length) & 0xFF; + memcpy(cp, gss_mech_krb5->elements, gss_mech_krb5->length); + cp += gss_mech_krb5->length; + store_32_be(length, cp); + cp += 4; + memcpy(cp, str, length); - return(GSS_S_COMPLETE); + free(str); + + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c index f20d853d0..6b618d795 100644 --- a/src/lib/gssapi/krb5/export_sec_context.c +++ b/src/lib/gssapi/krb5/export_sec_context.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/export_sec_context.c * @@ -26,22 +27,22 @@ */ /* - * export_sec_context.c - Externalize the security context. + * export_sec_context.c - Externalize the security context. */ #include "gssapiP_krb5.h" #ifndef LEAN_CLIENT OM_uint32 krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) - OM_uint32 *minor_status; - gss_ctx_id_t *context_handle; - gss_buffer_t interprocess_token; + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_buffer_t interprocess_token; { - krb5_context context = NULL; - krb5_error_code kret; - OM_uint32 retval; - size_t bufsize, blen; - krb5_gss_ctx_id_t ctx; - krb5_octet *obuffer, *obp; + krb5_context context = NULL; + krb5_error_code kret; + OM_uint32 retval; + size_t bufsize, blen; + krb5_gss_ctx_id_t ctx; + krb5_octet *obuffer, *obp; /* Assume a tragic failure */ obuffer = (krb5_octet *) NULL; @@ -49,35 +50,35 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) *minor_status = 0; if (!kg_validate_ctx_id(*context_handle)) { - kret = (OM_uint32) G_VALIDATE_FAILED; - retval = GSS_S_NO_CONTEXT; - goto error_out; + kret = (OM_uint32) G_VALIDATE_FAILED; + retval = GSS_S_NO_CONTEXT; + goto error_out; } ctx = (krb5_gss_ctx_id_t) *context_handle; context = ctx->k5_context; kret = krb5_gss_ser_init(context); if (kret) - goto error_out; + goto error_out; /* Determine size needed for externalization of context */ bufsize = 0; if ((kret = kg_ctx_size(context, (krb5_pointer) ctx, - &bufsize))) - goto error_out; + &bufsize))) + goto error_out; /* Allocate the buffer */ if ((obuffer = (krb5_octet *) xmalloc(bufsize)) == NULL) { - kret = ENOMEM; - goto error_out; + kret = ENOMEM; + goto error_out; } obp = obuffer; blen = bufsize; /* Externalize the context */ if ((kret = kg_ctx_externalize(context, - (krb5_pointer) ctx, &obp, &blen))) - goto error_out; + (krb5_pointer) ctx, &obp, &blen))) + goto error_out; /* Success! Return the buffer */ interprocess_token->length = bufsize - blen; @@ -93,14 +94,14 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) error_out: if (retval != GSS_S_COMPLETE) - if (kret != 0 && context != 0) - save_error_info(kret, context); + if (kret != 0 && context != 0) + save_error_info(kret, context); if (obuffer && bufsize) { - memset(obuffer, 0, bufsize); - xfree(obuffer); + memset(obuffer, 0, bufsize); + xfree(obuffer); } - if (*minor_status == 0) - *minor_status = (OM_uint32) kret; + if (*minor_status == 0) + *minor_status = (OM_uint32) kret; return(retval); } #endif /* LEAN_CLIENT */ diff --git a/src/lib/gssapi/krb5/get_tkt_flags.c b/src/lib/gssapi/krb5/get_tkt_flags.c index 19841a086..f4d9b92d2 100644 --- a/src/lib/gssapi/krb5/get_tkt_flags.c +++ b/src/lib/gssapi/krb5/get_tkt_flags.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -26,30 +27,30 @@ * $Id$ */ -OM_uint32 KRB5_CALLCONV +OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags(minor_status, context_handle, ticket_flags) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - krb5_flags *ticket_flags; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + krb5_flags *ticket_flags; { - krb5_gss_ctx_id_rec *ctx; + krb5_gss_ctx_id_rec *ctx; - /* validate the context handle */ - if (! kg_validate_ctx_id(context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); - } + /* validate the context handle */ + if (! kg_validate_ctx_id(context_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); + } - ctx = (krb5_gss_ctx_id_rec *) context_handle; + ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { - *minor_status = KG_CTX_INCOMPLETE; - return(GSS_S_NO_CONTEXT); - } + if (! ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } - if (ticket_flags) - *ticket_flags = ctx->krb_flags; + if (ticket_flags) + *ticket_flags = ctx->krb_flags; - *minor_status = 0; - return(GSS_S_COMPLETE); + *minor_status = 0; + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 33036fc53..617024b7c 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 2000, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -6,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,11 +21,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -34,7 +35,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -85,44 +86,44 @@ #define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002" -#define CKSUMTYPE_KG_CB 0x8003 +#define CKSUMTYPE_KG_CB 0x8003 -#define KG_TOK_CTX_AP_REQ 0x0100 -#define KG_TOK_CTX_AP_REP 0x0200 -#define KG_TOK_CTX_ERROR 0x0300 -#define KG_TOK_SIGN_MSG 0x0101 -#define KG_TOK_SEAL_MSG 0x0201 -#define KG_TOK_MIC_MSG 0x0101 -#define KG_TOK_WRAP_MSG 0x0201 -#define KG_TOK_DEL_CTX 0x0102 +#define KG_TOK_CTX_AP_REQ 0x0100 +#define KG_TOK_CTX_AP_REP 0x0200 +#define KG_TOK_CTX_ERROR 0x0300 +#define KG_TOK_SIGN_MSG 0x0101 +#define KG_TOK_SEAL_MSG 0x0201 +#define KG_TOK_MIC_MSG 0x0101 +#define KG_TOK_WRAP_MSG 0x0201 +#define KG_TOK_DEL_CTX 0x0102 -#define KG2_TOK_INITIAL 0x0101 -#define KG2_TOK_RESPONSE 0x0202 -#define KG2_TOK_MIC 0x0303 -#define KG2_TOK_WRAP_INTEG 0x0404 -#define KG2_TOK_WRAP_PRIV 0x0505 +#define KG2_TOK_INITIAL 0x0101 +#define KG2_TOK_RESPONSE 0x0202 +#define KG2_TOK_MIC 0x0303 +#define KG2_TOK_WRAP_INTEG 0x0404 +#define KG2_TOK_WRAP_PRIV 0x0505 #define KRB5_GSS_FOR_CREDS_OPTION 1 -#define KG2_RESP_FLAG_ERROR 0x0001 -#define KG2_RESP_FLAG_DELEG_OK 0x0002 +#define KG2_RESP_FLAG_ERROR 0x0001 +#define KG2_RESP_FLAG_DELEG_OK 0x0002 /* These are to be stored in little-endian order, i.e., des-mac is stored as 02 00. */ enum sgn_alg { - SGN_ALG_DES_MAC_MD5 = 0x0000, - SGN_ALG_MD2_5 = 0x0001, - SGN_ALG_DES_MAC = 0x0002, - SGN_ALG_3 = 0x0003, /* not published */ - SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */ - SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004 + SGN_ALG_DES_MAC_MD5 = 0x0000, + SGN_ALG_MD2_5 = 0x0001, + SGN_ALG_DES_MAC = 0x0002, + SGN_ALG_3 = 0x0003, /* not published */ + SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */ + SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004 }; enum seal_alg { - SEAL_ALG_NONE = 0xffff, - SEAL_ALG_DES = 0x0000, - SEAL_ALG_1 = 0x0001, /* not published */ - SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */ - SEAL_ALG_DES3KD = 0x0002 + SEAL_ALG_NONE = 0xffff, + SEAL_ALG_DES = 0x0000, + SEAL_ALG_1 = 0x0001, /* not published */ + SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */ + SEAL_ALG_DES3KD = 0x0002 }; /* for 3DES */ @@ -131,20 +132,20 @@ enum seal_alg { #define KG_USAGE_SEQ 24 /* for draft-ietf-krb-wg-gssapi-cfx-01 */ -#define KG_USAGE_ACCEPTOR_SEAL 22 -#define KG_USAGE_ACCEPTOR_SIGN 23 -#define KG_USAGE_INITIATOR_SEAL 24 -#define KG_USAGE_INITIATOR_SIGN 25 +#define KG_USAGE_ACCEPTOR_SEAL 22 +#define KG_USAGE_ACCEPTOR_SIGN 23 +#define KG_USAGE_INITIATOR_SEAL 24 +#define KG_USAGE_INITIATOR_SIGN 25 enum qop { - GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */ - GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002, - GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003, - GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004, - GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff, - GSS_KRB5_CONF_C_QOP_DES = 0x0100, - GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200, - GSS_KRB5_CONF_C_QOP_MASK = 0xff00 + GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */ + GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002, + GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003, + GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004, + GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff, + GSS_KRB5_CONF_C_QOP_DES = 0x0100, + GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200, + GSS_KRB5_CONF_C_QOP_MASK = 0xff00 }; /** internal types **/ @@ -152,61 +153,61 @@ enum qop { typedef krb5_principal krb5_gss_name_t; typedef struct _krb5_gss_cred_id_rec { - /* protect against simultaneous accesses */ - k5_mutex_t lock; + /* protect against simultaneous accesses */ + k5_mutex_t lock; - /* name/type of credential */ - gss_cred_usage_t usage; - krb5_principal princ; /* this is not interned as a gss_name_t */ - int prerfc_mech; - int rfc_mech; + /* name/type of credential */ + gss_cred_usage_t usage; + krb5_principal princ; /* this is not interned as a gss_name_t */ + int prerfc_mech; + int rfc_mech; - /* keytab (accept) data */ - krb5_keytab keytab; - krb5_rcache rcache; + /* keytab (accept) data */ + krb5_keytab keytab; + krb5_rcache rcache; - /* ccache (init) data */ - krb5_ccache ccache; - krb5_timestamp tgt_expire; - krb5_enctype *req_enctypes; /* limit negotiated enctypes to this list */ -} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t; + /* ccache (init) data */ + krb5_ccache ccache; + krb5_timestamp tgt_expire; + krb5_enctype *req_enctypes; /* limit negotiated enctypes to this list */ +} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t; typedef struct _krb5_gss_ctx_id_rec { - unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */ - unsigned int established : 1; - unsigned int big_endian : 1; - unsigned int have_acceptor_subkey : 1; - unsigned int seed_init : 1; /* XXX tested but never actually set */ - OM_uint32 gss_flags; - unsigned char seed[16]; - krb5_principal here; - krb5_principal there; - krb5_keyblock *subkey; - int signalg; - size_t cksum_size; - int sealalg; - krb5_keyblock *enc; - krb5_keyblock *seq; - krb5_timestamp endtime; - krb5_flags krb_flags; - /* XXX these used to be signed. the old spec is inspecific, and - the new spec specifies unsigned. I don't believe that the change - affects the wire encoding. */ - gssint_uint64 seq_send; - gssint_uint64 seq_recv; - void *seqstate; - krb5_context k5_context; - krb5_auth_context auth_context; - gss_OID_desc *mech_used; + unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */ + unsigned int established : 1; + unsigned int big_endian : 1; + unsigned int have_acceptor_subkey : 1; + unsigned int seed_init : 1; /* XXX tested but never actually set */ + OM_uint32 gss_flags; + unsigned char seed[16]; + krb5_principal here; + krb5_principal there; + krb5_keyblock *subkey; + int signalg; + size_t cksum_size; + int sealalg; + krb5_keyblock *enc; + krb5_keyblock *seq; + krb5_timestamp endtime; + krb5_flags krb_flags; + /* XXX these used to be signed. the old spec is inspecific, and + the new spec specifies unsigned. I don't believe that the change + affects the wire encoding. */ + gssint_uint64 seq_send; + gssint_uint64 seq_recv; + void *seqstate; + krb5_context k5_context; + krb5_auth_context auth_context; + gss_OID_desc *mech_used; /* Protocol spec revision 0 => RFC 1964 with 3DES and RC4 enhancements 1 => draft-ietf-krb-wg-gssapi-cfx-01 No others defined so far. */ - int proto; - krb5_cksumtype cksumtype; /* for "main" subkey */ - krb5_keyblock *acceptor_subkey; /* CFX only */ - krb5_cksumtype acceptor_subkey_cksumtype; - int cred_rcache; /* did we get rcache from creds? */ + int proto; + krb5_cksumtype cksumtype; /* for "main" subkey */ + krb5_keyblock *acceptor_subkey; /* CFX only */ + krb5_cksumtype acceptor_subkey_cksumtype; + int cred_rcache; /* did we get rcache from creds? */ } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t; extern g_set kg_vdb; @@ -217,471 +218,471 @@ extern k5_mutex_t gssint_krb5_keytab_lock; /* helper macros */ -#define kg_save_name(name) g_save_name(&kg_vdb,name) -#define kg_save_cred_id(cred) g_save_cred_id(&kg_vdb,cred) -#define kg_save_ctx_id(ctx) g_save_ctx_id(&kg_vdb,ctx) -#define kg_save_lucidctx_id(lctx) g_save_lucidctx_id(&kg_vdb,lctx) +#define kg_save_name(name) g_save_name(&kg_vdb,name) +#define kg_save_cred_id(cred) g_save_cred_id(&kg_vdb,cred) +#define kg_save_ctx_id(ctx) g_save_ctx_id(&kg_vdb,ctx) +#define kg_save_lucidctx_id(lctx) g_save_lucidctx_id(&kg_vdb,lctx) -#define kg_validate_name(name) g_validate_name(&kg_vdb,name) -#define kg_validate_cred_id(cred) g_validate_cred_id(&kg_vdb,cred) -#define kg_validate_ctx_id(ctx) g_validate_ctx_id(&kg_vdb,ctx) -#define kg_validate_lucidctx_id(lctx) g_validate_lucidctx_id(&kg_vdb,lctx) +#define kg_validate_name(name) g_validate_name(&kg_vdb,name) +#define kg_validate_cred_id(cred) g_validate_cred_id(&kg_vdb,cred) +#define kg_validate_ctx_id(ctx) g_validate_ctx_id(&kg_vdb,ctx) +#define kg_validate_lucidctx_id(lctx) g_validate_lucidctx_id(&kg_vdb,lctx) -#define kg_delete_name(name) g_delete_name(&kg_vdb,name) -#define kg_delete_cred_id(cred) g_delete_cred_id(&kg_vdb,cred) -#define kg_delete_ctx_id(ctx) g_delete_ctx_id(&kg_vdb,ctx) -#define kg_delete_lucidctx_id(lctx) g_delete_lucidctx_id(&kg_vdb,lctx) +#define kg_delete_name(name) g_delete_name(&kg_vdb,name) +#define kg_delete_cred_id(cred) g_delete_cred_id(&kg_vdb,cred) +#define kg_delete_ctx_id(ctx) g_delete_ctx_id(&kg_vdb,ctx) +#define kg_delete_lucidctx_id(lctx) g_delete_lucidctx_id(&kg_vdb,lctx) /** helper functions **/ -OM_uint32 kg_get_defcred - (OM_uint32 *minor_status, - gss_cred_id_t *cred); +OM_uint32 kg_get_defcred +(OM_uint32 *minor_status, + gss_cred_id_t *cred); krb5_error_code kg_checksum_channel_bindings - (krb5_context context, gss_channel_bindings_t cb, - krb5_checksum *cksum, - int bigend); +(krb5_context context, gss_channel_bindings_t cb, + krb5_checksum *cksum, + int bigend); krb5_error_code kg_make_seq_num (krb5_context context, - krb5_keyblock *key, - int direction, krb5_ui_4 seqnum, unsigned char *cksum, - unsigned char *buf); + krb5_keyblock *key, + int direction, krb5_ui_4 seqnum, unsigned char *cksum, + unsigned char *buf); krb5_error_code kg_get_seq_num (krb5_context context, - krb5_keyblock *key, - unsigned char *cksum, unsigned char *buf, int *direction, - krb5_ui_4 *seqnum); + krb5_keyblock *key, + unsigned char *cksum, unsigned char *buf, int *direction, + krb5_ui_4 *seqnum); krb5_error_code kg_make_seed (krb5_context context, - krb5_keyblock *key, - unsigned char *seed); + krb5_keyblock *key, + unsigned char *seed); int kg_confounder_size (krb5_context context, krb5_keyblock *key); -krb5_error_code kg_make_confounder (krb5_context context, - krb5_keyblock *key, unsigned char *buf); +krb5_error_code kg_make_confounder (krb5_context context, + krb5_keyblock *key, unsigned char *buf); -krb5_error_code kg_encrypt (krb5_context context, - krb5_keyblock *key, int usage, - krb5_pointer iv, - krb5_const_pointer in, - krb5_pointer out, - unsigned int length); +krb5_error_code kg_encrypt (krb5_context context, + krb5_keyblock *key, int usage, + krb5_pointer iv, + krb5_const_pointer in, + krb5_pointer out, + unsigned int length); krb5_error_code kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage, - const unsigned char *kd_data, size_t kd_data_len, - const unsigned char *input_buf, size_t input_len, - unsigned char *output_buf); + const unsigned char *kd_data, size_t kd_data_len, + const unsigned char *input_buf, size_t input_len, + unsigned char *output_buf); krb5_error_code kg_decrypt (krb5_context context, - krb5_keyblock *key, int usage, - krb5_pointer iv, - krb5_const_pointer in, - krb5_pointer out, - unsigned int length); + krb5_keyblock *key, int usage, + krb5_pointer iv, + krb5_const_pointer in, + krb5_pointer out, + unsigned int length); OM_uint32 kg_seal (OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - int qop_req, - gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer, - int toktype); + gss_ctx_id_t context_handle, + int conf_req_flag, + int qop_req, + gss_buffer_t input_message_buffer, + int *conf_state, + gss_buffer_t output_message_buffer, + int toktype); OM_uint32 kg_unseal (OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_token_buffer, - gss_buffer_t message_buffer, - int *conf_state, - int *qop_state, - int toktype); + gss_ctx_id_t context_handle, + gss_buffer_t input_token_buffer, + gss_buffer_t message_buffer, + int *conf_state, + int *qop_state, + int toktype); OM_uint32 kg_seal_size (OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 output_size, - OM_uint32 *input_size); + gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + OM_uint32 output_size, + OM_uint32 *input_size); krb5_error_code kg_ctx_size (krb5_context kcontext, - krb5_pointer arg, - size_t *sizep); + krb5_pointer arg, + size_t *sizep); krb5_error_code kg_ctx_externalize (krb5_context kcontext, - krb5_pointer arg, - krb5_octet **buffer, - size_t *lenremain); + krb5_pointer arg, + krb5_octet **buffer, + size_t *lenremain); krb5_error_code kg_ctx_internalize (krb5_context kcontext, - krb5_pointer *argp, - krb5_octet **buffer, - size_t *lenremain); + krb5_pointer *argp, + krb5_octet **buffer, + size_t *lenremain); OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status); -OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status, +OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status, int *out_caller_provided_name); -OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status, +OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status, const char **out_name); -OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status, +OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status, const char *name); /** declarations of internal name mechanism functions **/ OM_uint32 krb5_gss_acquire_cred (OM_uint32*, /* minor_status */ - gss_name_t, /* desired_name */ - OM_uint32, /* time_req */ - gss_OID_set, /* desired_mechs */ - gss_cred_usage_t, /* cred_usage */ - gss_cred_id_t*, /* output_cred_handle */ - gss_OID_set*, /* actual_mechs */ - OM_uint32* /* time_rec */ - ); + gss_name_t, /* desired_name */ + OM_uint32, /* time_req */ + gss_OID_set, /* desired_mechs */ + gss_cred_usage_t, /* cred_usage */ + gss_cred_id_t*, /* output_cred_handle */ + gss_OID_set*, /* actual_mechs */ + OM_uint32* /* time_rec */ +); OM_uint32 krb5_gss_release_cred (OM_uint32*, /* minor_status */ - gss_cred_id_t* /* cred_handle */ - ); + gss_cred_id_t* /* cred_handle */ +); OM_uint32 krb5_gss_init_sec_context (OM_uint32*, /* minor_status */ - gss_cred_id_t, /* claimant_cred_handle */ - gss_ctx_id_t*, /* context_handle */ - gss_name_t, /* target_name */ - gss_OID, /* mech_type */ - OM_uint32, /* req_flags */ - OM_uint32, /* time_req */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_buffer_t, /* input_token */ - gss_OID*, /* actual_mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32*, /* ret_flags */ - OM_uint32* /* time_rec */ - ); + gss_cred_id_t, /* claimant_cred_handle */ + gss_ctx_id_t*, /* context_handle */ + gss_name_t, /* target_name */ + gss_OID, /* mech_type */ + OM_uint32, /* req_flags */ + OM_uint32, /* time_req */ + gss_channel_bindings_t, + /* input_chan_bindings */ + gss_buffer_t, /* input_token */ + gss_OID*, /* actual_mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32*, /* ret_flags */ + OM_uint32* /* time_rec */ +); #ifndef LEAN_CLIENT OM_uint32 krb5_gss_accept_sec_context (OM_uint32*, /* minor_status */ - gss_ctx_id_t*, /* context_handle */ - gss_cred_id_t, /* verifier_cred_handle */ - gss_buffer_t, /* input_token_buffer */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_name_t*, /* src_name */ - gss_OID*, /* mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32*, /* ret_flags */ - OM_uint32*, /* time_rec */ - gss_cred_id_t* /* delegated_cred_handle */ - ); + gss_ctx_id_t*, /* context_handle */ + gss_cred_id_t, /* verifier_cred_handle */ + gss_buffer_t, /* input_token_buffer */ + gss_channel_bindings_t, + /* input_chan_bindings */ + gss_name_t*, /* src_name */ + gss_OID*, /* mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32*, /* ret_flags */ + OM_uint32*, /* time_rec */ + gss_cred_id_t* /* delegated_cred_handle */ +); #endif /* LEAN_CLIENT */ OM_uint32 krb5_gss_process_context_token (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t /* token_buffer */ - ); + gss_ctx_id_t, /* context_handle */ + gss_buffer_t /* token_buffer */ +); OM_uint32 krb5_gss_delete_sec_context (OM_uint32*, /* minor_status */ - gss_ctx_id_t*, /* context_handle */ - gss_buffer_t /* output_token */ - ); + gss_ctx_id_t*, /* context_handle */ + gss_buffer_t /* output_token */ +); OM_uint32 krb5_gss_context_time (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - OM_uint32* /* time_rec */ - ); + gss_ctx_id_t, /* context_handle */ + OM_uint32* /* time_rec */ +); OM_uint32 krb5_gss_sign (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); + gss_ctx_id_t, /* context_handle */ + int, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ +); OM_uint32 krb5_gss_verify (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* token_buffer */ - int* /* qop_state */ - ); + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* token_buffer */ + int* /* qop_state */ +); OM_uint32 krb5_gss_seal (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - int, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int*, /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + int, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int*, /* conf_state */ + gss_buffer_t /* output_message_buffer */ +); OM_uint32 krb5_gss_unseal (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int*, /* conf_state */ - int* /* qop_state */ - ); + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int*, /* conf_state */ + int* /* qop_state */ +); OM_uint32 krb5_gss_display_status (OM_uint32*, /* minor_status */ - OM_uint32, /* status_value */ - int, /* status_type */ - gss_OID, /* mech_type */ - OM_uint32*, /* message_context */ - gss_buffer_t /* status_string */ - ); + OM_uint32, /* status_value */ + int, /* status_type */ + gss_OID, /* mech_type */ + OM_uint32*, /* message_context */ + gss_buffer_t /* status_string */ +); OM_uint32 krb5_gss_indicate_mechs (OM_uint32*, /* minor_status */ - gss_OID_set* /* mech_set */ - ); + gss_OID_set* /* mech_set */ +); OM_uint32 krb5_gss_compare_name (OM_uint32*, /* minor_status */ - gss_name_t, /* name1 */ - gss_name_t, /* name2 */ - int* /* name_equal */ - ); + gss_name_t, /* name1 */ + gss_name_t, /* name2 */ + int* /* name_equal */ +); OM_uint32 krb5_gss_display_name (OM_uint32*, /* minor_status */ - gss_name_t, /* input_name */ - gss_buffer_t, /* output_name_buffer */ - gss_OID* /* output_name_type */ - ); + gss_name_t, /* input_name */ + gss_buffer_t, /* output_name_buffer */ + gss_OID* /* output_name_type */ +); OM_uint32 krb5_gss_import_name (OM_uint32*, /* minor_status */ - gss_buffer_t, /* input_name_buffer */ - gss_OID, /* input_name_type */ - gss_name_t* /* output_name */ - ); + gss_buffer_t, /* input_name_buffer */ + gss_OID, /* input_name_type */ + gss_name_t* /* output_name */ +); OM_uint32 krb5_gss_release_name (OM_uint32*, /* minor_status */ - gss_name_t* /* input_name */ - ); + gss_name_t* /* input_name */ +); OM_uint32 krb5_gss_inquire_cred (OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* cred_handle */ - gss_name_t *, /* name */ - OM_uint32 *, /* lifetime */ - gss_cred_usage_t*,/* cred_usage */ - gss_OID_set * /* mechanisms */ - ); + gss_cred_id_t, /* cred_handle */ + gss_name_t *, /* name */ + OM_uint32 *, /* lifetime */ + gss_cred_usage_t*,/* cred_usage */ + gss_OID_set * /* mechanisms */ +); OM_uint32 krb5_gss_inquire_context (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_name_t*, /* initiator_name */ - gss_name_t*, /* acceptor_name */ - OM_uint32*, /* lifetime_rec */ - gss_OID*, /* mech_type */ - OM_uint32*, /* ret_flags */ - int*, /* locally_initiated */ - int* /* open */ - ); + gss_ctx_id_t, /* context_handle */ + gss_name_t*, /* initiator_name */ + gss_name_t*, /* acceptor_name */ + OM_uint32*, /* lifetime_rec */ + gss_OID*, /* mech_type */ + OM_uint32*, /* ret_flags */ + int*, /* locally_initiated */ + int* /* open */ +); /* New V2 entry points */ OM_uint32 krb5_gss_get_mic -(OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_qop_t, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); +(OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ +); OM_uint32 krb5_gss_verify_mic -(OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* message_token */ - gss_qop_t * /* qop_state */ - ); +(OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* message_token */ + gss_qop_t * /* qop_state */ +); OM_uint32 krb5_gss_wrap -(OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - gss_qop_t, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int *, /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); +(OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int *, /* conf_state */ + gss_buffer_t /* output_message_buffer */ +); OM_uint32 krb5_gss_unwrap -(OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int *, /* conf_state */ - gss_qop_t * /* qop_state */ - ); +(OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int *, /* conf_state */ + gss_qop_t * /* qop_state */ +); OM_uint32 krb5_gss_wrap_size_limit -(OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - gss_qop_t, /* qop_req */ - OM_uint32, /* req_output_size */ - OM_uint32 * /* max_input_size */ - ); +(OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + OM_uint32, /* req_output_size */ + OM_uint32 * /* max_input_size */ +); OM_uint32 krb5_gss_import_name_object -(OM_uint32 *, /* minor_status */ - void *, /* input_name */ - gss_OID, /* input_name_type */ - gss_name_t * /* output_name */ - ); +(OM_uint32 *, /* minor_status */ + void *, /* input_name */ + gss_OID, /* input_name_type */ + gss_name_t * /* output_name */ +); OM_uint32 krb5_gss_export_name_object -(OM_uint32 *, /* minor_status */ - gss_name_t, /* input_name */ - gss_OID, /* desired_name_type */ - void * * /* output_name */ - ); +(OM_uint32 *, /* minor_status */ + gss_name_t, /* input_name */ + gss_OID, /* desired_name_type */ + void * * /* output_name */ +); OM_uint32 krb5_gss_add_cred -(OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* input_cred_handle */ - gss_name_t, /* desired_name */ - gss_OID, /* desired_mech */ - gss_cred_usage_t, /* cred_usage */ - OM_uint32, /* initiator_time_req */ - OM_uint32, /* acceptor_time_req */ - gss_cred_id_t *, /* output_cred_handle */ - gss_OID_set *, /* actual_mechs */ - OM_uint32 *, /* initiator_time_rec */ - OM_uint32 * /* acceptor_time_rec */ - ); +(OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* input_cred_handle */ + gss_name_t, /* desired_name */ + gss_OID, /* desired_mech */ + gss_cred_usage_t, /* cred_usage */ + OM_uint32, /* initiator_time_req */ + OM_uint32, /* acceptor_time_req */ + gss_cred_id_t *, /* output_cred_handle */ + gss_OID_set *, /* actual_mechs */ + OM_uint32 *, /* initiator_time_rec */ + OM_uint32 * /* acceptor_time_rec */ +); OM_uint32 krb5_gss_inquire_cred_by_mech -(OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* cred_handle */ - gss_OID, /* mech_type */ - gss_name_t *, /* name */ - OM_uint32 *, /* initiator_lifetime */ - OM_uint32 *, /* acceptor_lifetime */ - gss_cred_usage_t * /* cred_usage */ - ); +(OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* cred_handle */ + gss_OID, /* mech_type */ + gss_name_t *, /* name */ + OM_uint32 *, /* initiator_lifetime */ + OM_uint32 *, /* acceptor_lifetime */ + gss_cred_usage_t * /* cred_usage */ +); #ifndef LEAN_CLIENT OM_uint32 krb5_gss_export_sec_context -(OM_uint32 *, /* minor_status */ - gss_ctx_id_t *, /* context_handle */ - gss_buffer_t /* interprocess_token */ - ); +(OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + gss_buffer_t /* interprocess_token */ +); OM_uint32 krb5_gss_import_sec_context -(OM_uint32 *, /* minor_status */ - gss_buffer_t, /* interprocess_token */ - gss_ctx_id_t * /* context_handle */ - ); +(OM_uint32 *, /* minor_status */ + gss_buffer_t, /* interprocess_token */ + gss_ctx_id_t * /* context_handle */ +); #endif /* LEAN_CLIENT */ krb5_error_code krb5_gss_ser_init(krb5_context); OM_uint32 krb5_gss_release_oid -(OM_uint32 *, /* minor_status */ - gss_OID * /* oid */ - ); +(OM_uint32 *, /* minor_status */ + gss_OID * /* oid */ +); OM_uint32 krb5_gss_internal_release_oid -(OM_uint32 *, /* minor_status */ - gss_OID * /* oid */ - ); +(OM_uint32 *, /* minor_status */ + gss_OID * /* oid */ +); OM_uint32 krb5_gss_inquire_names_for_mech -(OM_uint32 *, /* minor_status */ - gss_OID, /* mechanism */ - gss_OID_set * /* name_types */ - ); +(OM_uint32 *, /* minor_status */ + gss_OID, /* mechanism */ + gss_OID_set * /* name_types */ +); OM_uint32 krb5_gss_canonicalize_name -(OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - const gss_OID, /* mech_type */ - gss_name_t * /* output_name */ - ); - +(OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + const gss_OID, /* mech_type */ + gss_name_t * /* output_name */ +); + OM_uint32 krb5_gss_export_name -(OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - gss_buffer_t /* exported_name */ - ); +(OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_buffer_t /* exported_name */ +); OM_uint32 krb5_gss_duplicate_name -(OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - gss_name_t * /* dest_name */ - ); +(OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_name_t * /* dest_name */ +); OM_uint32 krb5_gss_validate_cred -(OM_uint32 *, /* minor_status */ - gss_cred_id_t /* cred */ - ); +(OM_uint32 *, /* minor_status */ + gss_cred_id_t /* cred */ +); OM_uint32 krb5_gss_validate_cred_1(OM_uint32 * /* minor_status */, - gss_cred_id_t /* cred_handle */, - krb5_context /* context */); + gss_cred_id_t /* cred_handle */, + krb5_context /* context */); gss_OID krb5_gss_convert_static_mech_oid(gss_OID oid); - + krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context, - krb5_gss_ctx_id_rec *, - const gss_buffer_desc *, - gss_buffer_t, - int, int); + krb5_gss_ctx_id_rec *, + const gss_buffer_desc *, + gss_buffer_t, + int, int); OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr, - OM_uint32 *minor_status, - krb5_gss_ctx_id_rec *ctx, - unsigned char *ptr, - unsigned int bodysize, - gss_buffer_t message_buffer, - int *conf_state, int *qop_state, - int toktype); + OM_uint32 *minor_status, + krb5_gss_ctx_id_rec *ctx, + unsigned char *ptr, + unsigned int bodysize, + gss_buffer_t message_buffer, + int *conf_state, int *qop_state, + int toktype); /* * These take unglued krb5-mech-specific contexts. */ -OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags - (OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - krb5_flags *ticket_flags); +OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags +(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_flags *ticket_flags); OM_uint32 KRB5_CALLCONV gss_krb5int_copy_ccache - (OM_uint32 *minor_status, - gss_cred_id_t cred_handle, - krb5_ccache out_ccache); +(OM_uint32 *minor_status, + gss_cred_id_t cred_handle, + krb5_ccache out_ccache); OM_uint32 KRB5_CALLCONV -gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, - gss_cred_id_t cred, - OM_uint32 num_ktypes, - krb5_enctype *ktypes); +gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, + gss_cred_id_t cred, + OM_uint32 num_ktypes, + krb5_enctype *ktypes); OM_uint32 KRB5_CALLCONV gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - OM_uint32 version, - void **kctx); + gss_ctx_id_t *context_handle, + OM_uint32 version, + void **kctx); extern k5_mutex_t kg_kdc_flag_mutex; @@ -701,8 +702,8 @@ krb5_gss_save_error_message(OM_uint32 minor_code, const char *format, ...) __attribute__((__format__(__printf__, 2, 3))) #endif ; -extern void -krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx); + extern void + krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx); #define get_error_message krb5_gss_get_error_message #define save_error_string krb5_gss_save_error_string #define save_error_message krb5_gss_save_error_message diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index 95a876371..64812a78b 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -22,14 +23,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -40,7 +41,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -61,21 +62,21 @@ /* * The OID of the draft krb5 mechanism, assigned by IETF, is: - * iso(1) org(3) dod(5) internet(1) security(5) - * kerberosv5(2) = 1.3.5.1.5.2 + * iso(1) org(3) dod(5) internet(1) security(5) + * kerberosv5(2) = 1.3.5.1.5.2 * The OID of the krb5_name type is: - * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) - * krb5(2) krb5_name(1) = 1.2.840.113554.1.2.2.1 + * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) + * krb5(2) krb5_name(1) = 1.2.840.113554.1.2.2.1 * The OID of the krb5_principal type is: - * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) - * krb5(2) krb5_principal(2) = 1.2.840.113554.1.2.2.2 + * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) + * krb5(2) krb5_principal(2) = 1.2.840.113554.1.2.2.2 * The OID of the proposed standard krb5 mechanism is: - * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) - * krb5(2) = 1.2.840.113554.1.2.2 + * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) + * krb5(2) = 1.2.840.113554.1.2.2 * The OID of the proposed standard krb5 v2 mechanism is: - * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) - * krb5v2(3) = 1.2.840.113554.1.2.3 - * + * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) + * krb5v2(3) = 1.2.840.113554.1.2.3 + * */ /* @@ -86,26 +87,26 @@ */ const gss_OID_desc krb5_gss_oid_array[] = { - /* this is the official, rfc-specified OID */ - {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID}, - /* this pre-RFC mech OID */ - {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID}, - /* this is the unofficial, incorrect mech OID emitted by MS */ - {GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID}, - /* this is the v2 assigned OID */ - {9, "\052\206\110\206\367\022\001\002\003"}, - /* these two are name type OID's */ + /* this is the official, rfc-specified OID */ + {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID}, + /* this pre-RFC mech OID */ + {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID}, + /* this is the unofficial, incorrect mech OID emitted by MS */ + {GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID}, + /* this is the v2 assigned OID */ + {9, "\052\206\110\206\367\022\001\002\003"}, + /* these two are name type OID's */ /* 2.1.1. Kerberos Principal Name Form: (rfc 1964) * This name form shall be represented by the Object Identifier {iso(1) * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) * krb5(2) krb5_name(1)}. The recommended symbolic name for this type * is "GSS_KRB5_NT_PRINCIPAL_NAME". */ - {10, "\052\206\110\206\367\022\001\002\002\001"}, + {10, "\052\206\110\206\367\022\001\002\002\001"}, - /* gss_nt_krb5_principal. Object identifier for a krb5_principal. Do not use. */ - {10, "\052\206\110\206\367\022\001\002\002\002"}, - { 0, 0 } + /* gss_nt_krb5_principal. Object identifier for a krb5_principal. Do not use. */ + {10, "\052\206\110\206\367\022\001\002\002\002"}, + { 0, 0 } }; const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0; @@ -116,11 +117,11 @@ const gss_OID_desc * const gss_nt_krb5_principal = krb5_gss_oid_array+5; const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+4; static const gss_OID_set_desc oidsets[] = { - {1, (gss_OID) krb5_gss_oid_array+0}, - {1, (gss_OID) krb5_gss_oid_array+1}, - {3, (gss_OID) krb5_gss_oid_array+0}, - {1, (gss_OID) krb5_gss_oid_array+2}, - {3, (gss_OID) krb5_gss_oid_array+0}, + {1, (gss_OID) krb5_gss_oid_array+0}, + {1, (gss_OID) krb5_gss_oid_array+1}, + {3, (gss_OID) krb5_gss_oid_array+0}, + {1, (gss_OID) krb5_gss_oid_array+2}, + {3, (gss_OID) krb5_gss_oid_array+0}, }; const gss_OID_set_desc * const gss_mech_set_krb5 = oidsets+0; @@ -137,54 +138,54 @@ g_set kg_vdb = G_SET_INIT; */ OM_uint32 kg_get_defcred(minor_status, cred) - OM_uint32 *minor_status; - gss_cred_id_t *cred; + OM_uint32 *minor_status; + gss_cred_id_t *cred; { OM_uint32 major; - - if ((major = krb5_gss_acquire_cred(minor_status, - (gss_name_t) NULL, GSS_C_INDEFINITE, - GSS_C_NULL_OID_SET, GSS_C_INITIATE, - cred, NULL, NULL)) && GSS_ERROR(major)) { - return(major); - } - *minor_status = 0; - return(GSS_S_COMPLETE); + + if ((major = krb5_gss_acquire_cred(minor_status, + (gss_name_t) NULL, GSS_C_INDEFINITE, + GSS_C_NULL_OID_SET, GSS_C_INITIATE, + cred, NULL, NULL)) && GSS_ERROR(major)) { + return(major); + } + *minor_status = 0; + return(GSS_S_COMPLETE); } OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status) { OM_uint32 err = 0; - - /* + + /* * Sync up the context ccache name with the GSSAPI ccache name. - * If kg_ccache_name is NULL -- normal unless someone has called - * gss_krb5_ccache_name() -- then the system default ccache will + * If kg_ccache_name is NULL -- normal unless someone has called + * gss_krb5_ccache_name() -- then the system default ccache will * be picked up and used by resetting the context default ccache. * This is needed for platforms which support multiple ccaches. */ - + if (!err) { /* if NULL, resets the context default ccache */ err = krb5_cc_set_default_name(context, - (char *) k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME)); + (char *) k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME)); } - + *minor_status = err; return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE; } /* This function returns whether or not the caller set a cccache name. Used by - * gss_acquire_cred to figure out if the caller wants to only look at this + * gss_acquire_cred to figure out if the caller wants to only look at this * ccache or search the cache collection for the desired name */ OM_uint32 -kg_caller_provided_ccache_name (OM_uint32 *minor_status, -int *out_caller_provided_name) +kg_caller_provided_ccache_name (OM_uint32 *minor_status, + int *out_caller_provided_name) { if (out_caller_provided_name) { - *out_caller_provided_name = - (k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME) != NULL); + *out_caller_provided_name = + (k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME) != NULL); } *minor_status = 0; @@ -199,31 +200,31 @@ kg_get_ccache_name (OM_uint32 *minor_status, const char **out_name) char *kg_ccache_name; kg_ccache_name = k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME); - + if (kg_ccache_name != NULL) { - name = strdup(kg_ccache_name); - if (name == NULL) - err = ENOMEM; + name = strdup(kg_ccache_name); + if (name == NULL) + err = ENOMEM; } else { - krb5_context context = NULL; - - /* Reset the context default ccache (see text above), and then - retrieve it. */ - err = krb5_gss_init_context(&context); - if (!err) - err = krb5_cc_set_default_name (context, NULL); - if (!err) { - name = krb5_cc_default_name(context); - if (name) { - name = strdup(name); - if (name == NULL) - err = ENOMEM; - } - } - if (err && context) - save_error_info(err, context); - if (context) - krb5_free_context(context); + krb5_context context = NULL; + + /* Reset the context default ccache (see text above), and then + retrieve it. */ + err = krb5_gss_init_context(&context); + if (!err) + err = krb5_cc_set_default_name (context, NULL); + if (!err) { + name = krb5_cc_default_name(context); + if (name) { + name = strdup(name); + if (name == NULL) + err = ENOMEM; + } + } + if (err && context) + save_error_info(err, context); + if (context) + krb5_free_context(context); } if (!err) { @@ -231,7 +232,7 @@ kg_get_ccache_name (OM_uint32 *minor_status, const char **out_name) *out_name = name; } } - + *minor_status = err; return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE; } @@ -245,12 +246,12 @@ kg_set_ccache_name (OM_uint32 *minor_status, const char *name) krb5_error_code kerr; if (name) { - new_name = malloc(strlen(name) + 1); - if (new_name == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - strcpy(new_name, name); + new_name = malloc(strlen(name) + 1); + if (new_name == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + strcpy(new_name, name); } kg_ccache_name = k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME); @@ -259,11 +260,11 @@ kg_set_ccache_name (OM_uint32 *minor_status, const char *name) new_name = swap; kerr = k5_setspecific(K5_KEY_GSS_KRB5_CCACHE_NAME, kg_ccache_name); if (kerr != 0) { - /* Can't store, so free up the storage. */ - free(kg_ccache_name); - /* ??? free(new_name); */ - *minor_status = kerr; - return GSS_S_FAILURE; + /* Can't store, so free up the storage. */ + free(kg_ccache_name); + /* ??? free(new_name); */ + *minor_status = kerr; + return GSS_S_FAILURE; } free (new_name); diff --git a/src/lib/gssapi/krb5/gssapi_krb5.hin b/src/lib/gssapi/krb5/gssapi_krb5.hin index b9660e5b3..67791a580 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.hin +++ b/src/lib/gssapi/krb5/gssapi_krb5.hin @@ -1,6 +1,7 @@ -/* -*- c -*- +/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -50,7 +51,7 @@ GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME; * "GSS_C_NT_HOSTBASED_SERVICE". */ /* 2.2.1. User Name Form */ -#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME +#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME /* This name form shall be represented by the Object Identifier {iso(1) * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) * generic(1) user_name(1)}. The recommended symbolic name for this @@ -68,7 +69,7 @@ GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME; /* This name form shall be represented by the Object Identifier {iso(1) * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) * generic(1) string_uid_name(3)}. The recommended symbolic name for - * this type is "GSS_KRB5_NT_STRING_UID_NAME". */ + * this type is "GSS_KRB5_NT_STRING_UID_NAME". */ GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5; GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old; @@ -82,12 +83,12 @@ GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal; GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[]; -#define gss_krb5_nt_general_name gss_nt_krb5_name -#define gss_krb5_nt_principal gss_nt_krb5_principal -#define gss_krb5_nt_service_name gss_nt_service_name -#define gss_krb5_nt_user_name gss_nt_user_name -#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name -#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name +#define gss_krb5_nt_general_name gss_nt_krb5_name +#define gss_krb5_nt_principal gss_nt_krb5_principal +#define gss_krb5_nt_service_name gss_nt_service_name +#define gss_krb5_nt_user_name gss_nt_user_name +#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name +#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name #if defined(_WIN32) @@ -99,48 +100,48 @@ typedef uint64_t gss_uint64; typedef struct gss_krb5_lucid_key { - OM_uint32 type; /* key encryption type */ - OM_uint32 length; /* length of key data */ - void * data; /* actual key data */ + OM_uint32 type; /* key encryption type */ + OM_uint32 length; /* length of key data */ + void * data; /* actual key data */ } gss_krb5_lucid_key_t; typedef struct gss_krb5_rfc1964_keydata { - OM_uint32 sign_alg; /* signing algorthm */ - OM_uint32 seal_alg; /* seal/encrypt algorthm */ - gss_krb5_lucid_key_t ctx_key; - /* Context key - (Kerberos session key or subkey) */ + OM_uint32 sign_alg; /* signing algorthm */ + OM_uint32 seal_alg; /* seal/encrypt algorthm */ + gss_krb5_lucid_key_t ctx_key; + /* Context key + (Kerberos session key or subkey) */ } gss_krb5_rfc1964_keydata_t; typedef struct gss_krb5_cfx_keydata { - OM_uint32 have_acceptor_subkey; - /* 1 if there is an acceptor_subkey - present, 0 otherwise */ - gss_krb5_lucid_key_t ctx_key; - /* Context key - (Kerberos session key or subkey) */ - gss_krb5_lucid_key_t acceptor_subkey; - /* acceptor-asserted subkey or - 0's if no acceptor subkey */ + OM_uint32 have_acceptor_subkey; + /* 1 if there is an acceptor_subkey + present, 0 otherwise */ + gss_krb5_lucid_key_t ctx_key; + /* Context key + (Kerberos session key or subkey) */ + gss_krb5_lucid_key_t acceptor_subkey; + /* acceptor-asserted subkey or + 0's if no acceptor subkey */ } gss_krb5_cfx_keydata_t; typedef struct gss_krb5_lucid_context_v1 { - OM_uint32 version; /* Structure version number (1) - MUST be at beginning of struct! */ - OM_uint32 initiate; /* Are we the initiator? */ - OM_uint32 endtime; /* expiration time of context */ - gss_uint64 send_seq; /* sender sequence number */ - gss_uint64 recv_seq; /* receive sequence number */ - OM_uint32 protocol; /* 0: rfc1964, - 1: draft-ietf-krb-wg-gssapi-cfx-07 */ - /* - * if (protocol == 0) rfc1964_kd should be used - * and cfx_kd contents are invalid and should be zero - * if (protocol == 1) cfx_kd should be used - * and rfc1964_kd contents are invalid and should be zero - */ - gss_krb5_rfc1964_keydata_t rfc1964_kd; - gss_krb5_cfx_keydata_t cfx_kd; + OM_uint32 version; /* Structure version number (1) + MUST be at beginning of struct! */ + OM_uint32 initiate; /* Are we the initiator? */ + OM_uint32 endtime; /* expiration time of context */ + gss_uint64 send_seq; /* sender sequence number */ + gss_uint64 recv_seq; /* receive sequence number */ + OM_uint32 protocol; /* 0: rfc1964, + 1: draft-ietf-krb-wg-gssapi-cfx-07 */ + /* + * if (protocol == 0) rfc1964_kd should be used + * and cfx_kd contents are invalid and should be zero + * if (protocol == 1) cfx_kd should be used + * and rfc1964_kd contents are invalid and should be zero + */ + gss_krb5_rfc1964_keydata_t rfc1964_kd; + gss_krb5_cfx_keydata_t cfx_kd; } gss_krb5_lucid_context_v1_t; /* @@ -148,7 +149,7 @@ typedef struct gss_krb5_lucid_context_v1 { * See example below for usage. */ typedef struct gss_krb5_lucid_context_version { - OM_uint32 version; /* Structure version number */ + OM_uint32 version; /* Structure version number */ } gss_krb5_lucid_context_version_t; @@ -159,19 +160,19 @@ typedef struct gss_krb5_lucid_context_version { OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *); -OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags - (OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - krb5_flags *ticket_flags); +OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags( + OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_flags *ticket_flags); -OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache - (OM_uint32 *minor_status, - gss_cred_id_t cred_handle, - krb5_ccache out_ccache); +OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache( + OM_uint32 *minor_status, + gss_cred_id_t cred_handle, + krb5_ccache out_ccache); -OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name - (OM_uint32 *minor_status, const char *name, - const char **out_name); +OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name( + OM_uint32 *minor_status, const char *name, + const char **out_name); /* * gss_krb5_set_allowable_enctypes @@ -197,14 +198,14 @@ OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name * */ OM_uint32 KRB5_CALLCONV -gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, - gss_cred_id_t cred, - OM_uint32 num_ktypes, - krb5_enctype *ktypes); +gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, + gss_cred_id_t cred, + OM_uint32 num_ktypes, + krb5_enctype *ktypes); /* * Returns a non-opaque (lucid) version of the internal context - * information. + * information. * * Note that context_handle must not be used again by the caller * after this call. The GSS implementation is free to release any @@ -212,7 +213,7 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, * GSS implementation whether it returns pointers to existing data, * or copies of the data. The caller should treat the returned * lucid context as read-only. - * + * * The caller must call gss_krb5_free_lucid_context() to free * the context and allocated resources when it is finished with it. * @@ -228,33 +229,33 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, * (XXX Need error definition(s)) * * For example: - * void *return_ctx; - * gss_krb5_lucid_context_v1_t *ctx; - * OM_uint32 min_stat, maj_stat; - * OM_uint32 vers; - * gss_ctx_id_t *ctx_handle; + * void *return_ctx; + * gss_krb5_lucid_context_v1_t *ctx; + * OM_uint32 min_stat, maj_stat; + * OM_uint32 vers; + * gss_ctx_id_t *ctx_handle; * - * maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, - * ctx_handle, 1, &return_ctx); - * // Verify success + * maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, + * ctx_handle, 1, &return_ctx); + * // Verify success * - * vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version; - * switch (vers) { - * case 1: - * ctx = (gss_krb5_lucid_context_v1_t *) return_ctx; - * break; - * default: - * // Error, unknown version returned - * break; - * } + * vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version; + * switch (vers) { + * case 1: + * ctx = (gss_krb5_lucid_context_v1_t *) return_ctx; + * break; + * default: + * // Error, unknown version returned + * break; + * } * */ OM_uint32 KRB5_CALLCONV gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - OM_uint32 version, - void **kctx); + gss_ctx_id_t *context_handle, + OM_uint32 version, + void **kctx); /* * Frees the allocated storage associated with an @@ -262,7 +263,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, */ OM_uint32 KRB5_CALLCONV gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, - void *kctx); + void *kctx); #ifdef __cplusplus diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c index 58bc19f91..6879c766f 100644 --- a/src/lib/gssapi/krb5/import_name.c +++ b/src/lib/gssapi/krb5/import_name.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -39,201 +40,201 @@ /* * errors: - * GSS_S_BAD_NAMETYPE if the type is bogus - * GSS_S_BAD_NAME if the type is good but the name is bogus - * GSS_S_FAILURE if memory allocation fails + * GSS_S_BAD_NAMETYPE if the type is bogus + * GSS_S_BAD_NAME if the type is good but the name is bogus + * GSS_S_FAILURE if memory allocation fails */ OM_uint32 -krb5_gss_import_name(minor_status, input_name_buffer, - input_name_type, output_name) - OM_uint32 *minor_status; - gss_buffer_t input_name_buffer; - gss_OID input_name_type; - gss_name_t *output_name; +krb5_gss_import_name(minor_status, input_name_buffer, + input_name_type, output_name) + OM_uint32 *minor_status; + gss_buffer_t input_name_buffer; + gss_OID input_name_type; + gss_name_t *output_name; { - krb5_context context; - krb5_principal princ; - krb5_error_code code; - char *stringrep, *tmp, *tmp2, *cp; - OM_uint32 length; + krb5_context context; + krb5_principal princ; + krb5_error_code code; + char *stringrep, *tmp, *tmp2, *cp; + OM_uint32 length; #ifndef NO_PASSWORD - struct passwd *pw; + struct passwd *pw; #endif - code = krb5_gss_init_context(&context); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } - - /* set up default returns */ - - *output_name = NULL; - *minor_status = 0; - - /* Go find the appropriate string rep to pass into parse_name */ - - if ((input_name_type != GSS_C_NULL_OID) && - (g_OID_equal(input_name_type, gss_nt_service_name) || - g_OID_equal(input_name_type, gss_nt_service_name_v2))) { - char *service, *host; - - if ((tmp = - (char *) xmalloc(input_name_buffer->length + 1)) == NULL) { - *minor_status = ENOMEM; - krb5_free_context(context); - return(GSS_S_FAILURE); - } - - memcpy(tmp, input_name_buffer->value, input_name_buffer->length); - tmp[input_name_buffer->length] = 0; - - service = tmp; - if ((host = strchr(tmp, '@'))) { - *host = '\0'; - host++; - } - - code = krb5_sname_to_principal(context, host, service, KRB5_NT_SRV_HST, - &princ); - - xfree(tmp); - } else if ((input_name_type != GSS_C_NULL_OID) && - (g_OID_equal(input_name_type, gss_nt_krb5_principal))) { - krb5_principal input; - - if (input_name_buffer->length != sizeof(krb5_principal)) { - *minor_status = (OM_uint32) G_WRONG_SIZE; - krb5_free_context(context); - return(GSS_S_BAD_NAME); - } - - input = *((krb5_principal *) input_name_buffer->value); - - if ((code = krb5_copy_principal(context, input, &princ))) { - *minor_status = code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_FAILURE); - } - } else { + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } + + /* set up default returns */ + + *output_name = NULL; + *minor_status = 0; + + /* Go find the appropriate string rep to pass into parse_name */ + + if ((input_name_type != GSS_C_NULL_OID) && + (g_OID_equal(input_name_type, gss_nt_service_name) || + g_OID_equal(input_name_type, gss_nt_service_name_v2))) { + char *service, *host; + + if ((tmp = + (char *) xmalloc(input_name_buffer->length + 1)) == NULL) { + *minor_status = ENOMEM; + krb5_free_context(context); + return(GSS_S_FAILURE); + } + + memcpy(tmp, input_name_buffer->value, input_name_buffer->length); + tmp[input_name_buffer->length] = 0; + + service = tmp; + if ((host = strchr(tmp, '@'))) { + *host = '\0'; + host++; + } + + code = krb5_sname_to_principal(context, host, service, KRB5_NT_SRV_HST, + &princ); + + xfree(tmp); + } else if ((input_name_type != GSS_C_NULL_OID) && + (g_OID_equal(input_name_type, gss_nt_krb5_principal))) { + krb5_principal input; + + if (input_name_buffer->length != sizeof(krb5_principal)) { + *minor_status = (OM_uint32) G_WRONG_SIZE; + krb5_free_context(context); + return(GSS_S_BAD_NAME); + } + + input = *((krb5_principal *) input_name_buffer->value); + + if ((code = krb5_copy_principal(context, input, &princ))) { + *minor_status = code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_FAILURE); + } + } else { #ifndef NO_PASSWORD - uid_t uid; - struct passwd pwx; - char pwbuf[BUFSIZ]; + uid_t uid; + struct passwd pwx; + char pwbuf[BUFSIZ]; #endif - stringrep = NULL; + stringrep = NULL; - if ((tmp = - (char *) xmalloc(input_name_buffer->length + 1)) == NULL) { - *minor_status = ENOMEM; - krb5_free_context(context); - return(GSS_S_FAILURE); - } - tmp2 = 0; + if ((tmp = + (char *) xmalloc(input_name_buffer->length + 1)) == NULL) { + *minor_status = ENOMEM; + krb5_free_context(context); + return(GSS_S_FAILURE); + } + tmp2 = 0; - memcpy(tmp, input_name_buffer->value, input_name_buffer->length); - tmp[input_name_buffer->length] = 0; + memcpy(tmp, input_name_buffer->value, input_name_buffer->length); + tmp[input_name_buffer->length] = 0; - if ((input_name_type == GSS_C_NULL_OID) || - g_OID_equal(input_name_type, gss_nt_krb5_name) || - g_OID_equal(input_name_type, gss_nt_user_name)) { - stringrep = (char *) tmp; + if ((input_name_type == GSS_C_NULL_OID) || + g_OID_equal(input_name_type, gss_nt_krb5_name) || + g_OID_equal(input_name_type, gss_nt_user_name)) { + stringrep = (char *) tmp; #ifndef NO_PASSWORD - } else if (g_OID_equal(input_name_type, gss_nt_machine_uid_name)) { - uid = *(uid_t *) input_name_buffer->value; - do_getpwuid: - if (k5_getpwuid_r(uid, &pwx, pwbuf, sizeof(pwbuf), &pw) == 0) - stringrep = pw->pw_name; - else - *minor_status = (OM_uint32) G_NOUSER; - } else if (g_OID_equal(input_name_type, gss_nt_string_uid_name)) { - uid = atoi(tmp); - goto do_getpwuid; + } else if (g_OID_equal(input_name_type, gss_nt_machine_uid_name)) { + uid = *(uid_t *) input_name_buffer->value; + do_getpwuid: + if (k5_getpwuid_r(uid, &pwx, pwbuf, sizeof(pwbuf), &pw) == 0) + stringrep = pw->pw_name; + else + *minor_status = (OM_uint32) G_NOUSER; + } else if (g_OID_equal(input_name_type, gss_nt_string_uid_name)) { + uid = atoi(tmp); + goto do_getpwuid; #endif - } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) { - cp = tmp; - if (*cp++ != 0x04) - goto fail_name; - if (*cp++ != 0x01) - goto fail_name; - if (*cp++ != 0x00) - goto fail_name; - length = *cp++; - if (length != gss_mech_krb5->length+2) - goto fail_name; - if (*cp++ != 0x06) - goto fail_name; - length = *cp++; - if (length != gss_mech_krb5->length) - goto fail_name; - if (memcmp(cp, gss_mech_krb5->elements, length) != 0) - goto fail_name; - cp += length; - length = *cp++; - length = (length << 8) | *cp++; - length = (length << 8) | *cp++; - length = (length << 8) | *cp++; - tmp2 = malloc(length+1); - if (tmp2 == NULL) { - xfree(tmp); - *minor_status = ENOMEM; - krb5_free_context(context); - return GSS_S_FAILURE; - } - strncpy(tmp2, cp, length); - tmp2[length] = 0; - - stringrep = tmp2; - } else { - xfree(tmp); - krb5_free_context(context); - return(GSS_S_BAD_NAMETYPE); - } - - /* at this point, stringrep is set, or if not, *minor_status is. */ - - if (stringrep) - code = krb5_parse_name(context, (char *) stringrep, &princ); - else { - fail_name: - xfree(tmp); - if (tmp2) - xfree(tmp2); - krb5_free_context(context); - return(GSS_S_BAD_NAME); - } - - if (tmp2) - xfree(tmp2); - xfree(tmp); - } - - /* at this point, a krb5 function has been called to set princ. code - contains the return status */ - - if (code) { - *minor_status = (OM_uint32) code; - save_error_info(*minor_status, context); - krb5_free_context(context); - return(GSS_S_BAD_NAME); - } - - /* save the name in the validation database */ - - if (! kg_save_name((gss_name_t) princ)) { - krb5_free_principal(context, princ); - krb5_free_context(context); - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_FAILURE); - } - - krb5_free_context(context); - - /* return it */ - - *output_name = (gss_name_t) princ; - return(GSS_S_COMPLETE); + } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) { + cp = tmp; + if (*cp++ != 0x04) + goto fail_name; + if (*cp++ != 0x01) + goto fail_name; + if (*cp++ != 0x00) + goto fail_name; + length = *cp++; + if (length != gss_mech_krb5->length+2) + goto fail_name; + if (*cp++ != 0x06) + goto fail_name; + length = *cp++; + if (length != gss_mech_krb5->length) + goto fail_name; + if (memcmp(cp, gss_mech_krb5->elements, length) != 0) + goto fail_name; + cp += length; + length = *cp++; + length = (length << 8) | *cp++; + length = (length << 8) | *cp++; + length = (length << 8) | *cp++; + tmp2 = malloc(length+1); + if (tmp2 == NULL) { + xfree(tmp); + *minor_status = ENOMEM; + krb5_free_context(context); + return GSS_S_FAILURE; + } + strncpy(tmp2, cp, length); + tmp2[length] = 0; + + stringrep = tmp2; + } else { + xfree(tmp); + krb5_free_context(context); + return(GSS_S_BAD_NAMETYPE); + } + + /* at this point, stringrep is set, or if not, *minor_status is. */ + + if (stringrep) + code = krb5_parse_name(context, (char *) stringrep, &princ); + else { + fail_name: + xfree(tmp); + if (tmp2) + xfree(tmp2); + krb5_free_context(context); + return(GSS_S_BAD_NAME); + } + + if (tmp2) + xfree(tmp2); + xfree(tmp); + } + + /* at this point, a krb5 function has been called to set princ. code + contains the return status */ + + if (code) { + *minor_status = (OM_uint32) code; + save_error_info(*minor_status, context); + krb5_free_context(context); + return(GSS_S_BAD_NAME); + } + + /* save the name in the validation database */ + + if (! kg_save_name((gss_name_t) princ)) { + krb5_free_principal(context, princ); + krb5_free_context(context); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_FAILURE); + } + + krb5_free_context(context); + + /* return it */ + + *output_name = (gss_name_t) princ; + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/import_sec_context.c b/src/lib/gssapi/krb5/import_sec_context.c index b0d71c883..fc6b6aff2 100644 --- a/src/lib/gssapi/krb5/import_sec_context.c +++ b/src/lib/gssapi/krb5/import_sec_context.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/import_sec_context.c * @@ -26,7 +27,7 @@ */ /* - * import_sec_context.c - Internalize the security context. + * import_sec_context.c - Internalize the security context. */ #include "gssapiP_krb5.h" /* for serialization initialization functions */ @@ -37,19 +38,19 @@ * the OID if possible. */ gss_OID krb5_gss_convert_static_mech_oid(oid) - gss_OID oid; + gss_OID oid; { - const gss_OID_desc *p; - OM_uint32 minor_status; - - for (p = krb5_gss_oid_array; p->length; p++) { - if ((oid->length == p->length) && - (memcmp(oid->elements, p->elements, p->length) == 0)) { - gss_release_oid(&minor_status, &oid); - return (gss_OID) p; - } - } - return oid; + const gss_OID_desc *p; + OM_uint32 minor_status; + + for (p = krb5_gss_oid_array; p->length; p++) { + if ((oid->length == p->length) && + (memcmp(oid->elements, p->elements, p->length) == 0)) { + gss_release_oid(&minor_status, &oid); + return (gss_OID) p; + } + } + return oid; } krb5_error_code @@ -57,28 +58,28 @@ krb5_gss_ser_init (krb5_context context) { krb5_error_code code; static krb5_error_code (KRB5_CALLCONV *const fns[])(krb5_context) = { - krb5_ser_context_init, krb5_ser_auth_context_init, - krb5_ser_ccache_init, krb5_ser_rcache_init, krb5_ser_keytab_init, + krb5_ser_context_init, krb5_ser_auth_context_init, + krb5_ser_ccache_init, krb5_ser_rcache_init, krb5_ser_keytab_init, }; unsigned int i; for (i = 0; i < sizeof(fns)/sizeof(fns[0]); i++) - if ((code = (fns[i])(context)) != 0) - return code; + if ((code = (fns[i])(context)) != 0) + return code; return 0; } OM_uint32 krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle) - OM_uint32 *minor_status; - gss_buffer_t interprocess_token; - gss_ctx_id_t *context_handle; + OM_uint32 *minor_status; + gss_buffer_t interprocess_token; + gss_ctx_id_t *context_handle; { - krb5_context context; - krb5_error_code kret = 0; - size_t blen; - krb5_gss_ctx_id_t ctx; - krb5_octet *ibp; + krb5_context context; + krb5_error_code kret = 0; + size_t blen; + krb5_gss_ctx_id_t ctx; + krb5_octet *ibp; /* This is a bit screwy. We create a krb5 context because we need one when calling the serialization code. However, one of the @@ -86,15 +87,15 @@ krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle) we can throw this one away. */ kret = krb5_gss_init_context(&context); if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; + *minor_status = kret; + return GSS_S_FAILURE; } kret = krb5_gss_ser_init(context); if (kret) { - *minor_status = kret; - save_error_info(*minor_status, context); - krb5_free_context(context); - return GSS_S_FAILURE; + *minor_status = kret; + save_error_info(*minor_status, context); + krb5_free_context(context); + return GSS_S_FAILURE; } /* Assume a tragic failure */ @@ -107,20 +108,20 @@ krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle) kret = kg_ctx_internalize(context, (krb5_pointer *) &ctx, &ibp, &blen); krb5_free_context(context); if (kret) { - *minor_status = (OM_uint32) kret; - save_error_info(*minor_status, context); - return(GSS_S_FAILURE); + *minor_status = (OM_uint32) kret; + save_error_info(*minor_status, context); + return(GSS_S_FAILURE); } /* intern the context handle */ if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { - (void)krb5_gss_delete_sec_context(minor_status, - (gss_ctx_id_t *) &ctx, NULL); - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_FAILURE); + (void)krb5_gss_delete_sec_context(minor_status, + (gss_ctx_id_t *) &ctx, NULL); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_FAILURE); } ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used); - + *context_handle = (gss_ctx_id_t) ctx; *minor_status = 0; diff --git a/src/lib/gssapi/krb5/indicate_mechs.c b/src/lib/gssapi/krb5/indicate_mechs.c index c7ee4746f..53b8be3e0 100644 --- a/src/lib/gssapi/krb5/indicate_mechs.c +++ b/src/lib/gssapi/krb5/indicate_mechs.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -29,16 +30,16 @@ OM_uint32 krb5_gss_indicate_mechs(minor_status, mech_set) - OM_uint32 *minor_status; - gss_OID_set *mech_set; + OM_uint32 *minor_status; + gss_OID_set *mech_set; { - *minor_status = 0; + *minor_status = 0; - if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) { - *mech_set = GSS_C_NO_OID_SET; - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } + if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) { + *mech_set = GSS_C_NO_OID_SET; + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } - return(GSS_S_COMPLETE); + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 3e3f0192a..40bc0bcbd 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 2000,2002, 2003, 2007 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -6,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,11 +21,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -34,7 +35,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -46,14 +47,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -64,7 +65,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -92,7 +93,7 @@ int krb5_gss_dbg_client_expcreds = 0; * ccache. */ static krb5_error_code get_credentials(context, cred, server, now, - endtime, out_creds) + endtime, out_creds) krb5_context context; krb5_gss_cred_id_t cred; krb5_principal server; @@ -100,24 +101,24 @@ static krb5_error_code get_credentials(context, cred, server, now, krb5_timestamp endtime; krb5_creds **out_creds; { - krb5_error_code code; - krb5_creds in_creds; + krb5_error_code code; + krb5_creds in_creds; k5_mutex_assert_locked(&cred->lock); memset((char *) &in_creds, 0, sizeof(krb5_creds)); if ((code = krb5_copy_principal(context, cred->princ, &in_creds.client))) - goto cleanup; + goto cleanup; if ((code = krb5_copy_principal(context, server, &in_creds.server))) - goto cleanup; + goto cleanup; in_creds.times.endtime = endtime; in_creds.keyblock.enctype = 0; code = krb5_get_credentials(context, 0, cred->ccache, - &in_creds, out_creds); + &in_creds, out_creds); if (code) - goto cleanup; + goto cleanup; /* * Enforce a stricter limit (without timeskew forgiveness at the @@ -125,16 +126,16 @@ static krb5_error_code get_credentials(context, cred, server, now, * non-forgiving. */ if (!krb5_gss_dbg_client_expcreds && *out_creds != NULL && - (*out_creds)->times.endtime < now) { - code = KRB5KRB_AP_ERR_TKT_EXPIRED; - goto cleanup; + (*out_creds)->times.endtime < now) { + code = KRB5KRB_AP_ERR_TKT_EXPIRED; + goto cleanup; } - + cleanup: if (in_creds.client) - krb5_free_principal(context, in_creds.client); + krb5_free_principal(context, in_creds.client); if (in_creds.server) - krb5_free_principal(context, in_creds.server); + krb5_free_principal(context, in_creds.server); return code; } struct gss_checksum_data { @@ -149,7 +150,7 @@ struct gss_checksum_data { #endif static krb5_error_code KRB5_CALLCONV make_gss_checksum (krb5_context context, krb5_auth_context auth_context, - void *cksum_data, krb5_data **out) + void *cksum_data, krb5_data **out) { krb5_error_code code; krb5_int32 con_flags; @@ -163,48 +164,48 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, /* build the checksum field */ if (data->ctx->gss_flags & GSS_C_DELEG_FLAG) { - /* first get KRB_CRED message, so we know its length */ + /* first get KRB_CRED message, so we know its length */ - /* clear the time check flag that was set in krb5_auth_con_init() */ - krb5_auth_con_getflags(context, auth_context, &con_flags); - krb5_auth_con_setflags(context, auth_context, - con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); + /* clear the time check flag that was set in krb5_auth_con_init() */ + krb5_auth_con_getflags(context, auth_context, &con_flags); + krb5_auth_con_setflags(context, auth_context, + con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); - code = krb5_fwd_tgt_creds(context, auth_context, 0, - data->cred->princ, data->ctx->there, - data->cred->ccache, 1, - &credmsg); + code = krb5_fwd_tgt_creds(context, auth_context, 0, + data->cred->princ, data->ctx->there, + data->cred->ccache, 1, + &credmsg); - /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */ - krb5_auth_con_setflags(context, auth_context, con_flags); + /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */ + krb5_auth_con_setflags(context, auth_context, con_flags); - if (code) { - /* don't fail here; just don't accept/do the delegation + if (code) { + /* don't fail here; just don't accept/do the delegation request */ - data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG; + data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG; - data->checksum_data.length = 24; - } else { - if (credmsg.length+28 > KRB5_INT16_MAX) { - krb5_free_data_contents(context, &credmsg); - return(KRB5KRB_ERR_FIELD_TOOLONG); - } + data->checksum_data.length = 24; + } else { + if (credmsg.length+28 > KRB5_INT16_MAX) { + krb5_free_data_contents(context, &credmsg); + return(KRB5KRB_ERR_FIELD_TOOLONG); + } - data->checksum_data.length = 28+credmsg.length; - } + data->checksum_data.length = 28+credmsg.length; + } } else { - data->checksum_data.length = 24; + data->checksum_data.length = 24; } #ifdef CFX_EXERCISE if (data->ctx->auth_context->keyblock != NULL - && data->ctx->auth_context->keyblock->enctype == 18) { - srand(time(0) ^ getpid()); - /* Our ftp client code stupidly assumes a base64-encoded - version of the token will fit in 10K, so don't make this - too big. */ - junk = rand() & 0xff; + && data->ctx->auth_context->keyblock->enctype == 18) { + srand(time(0) ^ getpid()); + /* Our ftp client code stupidly assumes a base64-encoded + version of the token will fit in 10K, so don't make this + too big. */ + junk = rand() & 0xff; } else - junk = 0; + junk = 0; #else junk = 0; #endif @@ -215,10 +216,10 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, (maybe) KRB_CRED msg */ if ((data->checksum_data.data = - (char *) xmalloc(data->checksum_data.length)) == NULL) { - if (credmsg.data) - krb5_free_data_contents(context, &credmsg); - return(ENOMEM); + (char *) xmalloc(data->checksum_data.length)) == NULL) { + if (credmsg.data) + krb5_free_data_contents(context, &credmsg); + return(ENOMEM); } ptr = data->checksum_data.data; @@ -231,19 +232,19 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, xfree(data->md5.contents); if (credmsg.data) { - TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0); - TWRITE_INT16(ptr, credmsg.length, 0); - TWRITE_STR(ptr, (unsigned char *) credmsg.data, credmsg.length); + TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0); + TWRITE_INT16(ptr, credmsg.length, 0); + TWRITE_STR(ptr, (unsigned char *) credmsg.data, credmsg.length); - /* free credmsg data */ - krb5_free_data_contents(context, &credmsg); + /* free credmsg data */ + krb5_free_data_contents(context, &credmsg); } if (junk) - memset(ptr, 'i', junk); + memset(ptr, 'i', junk); *out = &data->checksum_data; return 0; } - + static krb5_error_code make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) krb5_context context; @@ -273,7 +274,7 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) return(code); krb5_auth_con_set_req_cksumtype(context, ctx->auth_context, - CKSUMTYPE_KG_CB); + CKSUMTYPE_KG_CB); cksum_struct.md5 = md5; cksum_struct.ctx = ctx; cksum_struct.cred = cred; @@ -283,15 +284,15 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES3_CBC_SHA1: - code = make_gss_checksum(context, ctx->auth_context, &cksum_struct, - &checksum_data); - if (code) - goto cleanup; - break; + code = make_gss_checksum(context, ctx->auth_context, &cksum_struct, + &checksum_data); + if (code) + goto cleanup; + break; default: - krb5_auth_con_set_checksum_func(context, ctx->auth_context, - make_gss_checksum, &cksum_struct); - break; + krb5_auth_con_set_checksum_func(context, ctx->auth_context, + make_gss_checksum, &cksum_struct); + break; } @@ -300,51 +301,51 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) mk_req_flags = AP_OPTS_USE_SUBKEY; if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) - mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED; + mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED; code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags, - checksum_data, k_cred, &ap_req); + checksum_data, k_cred, &ap_req); krb5_free_data_contents(context, &cksum_struct.checksum_data); if (code) - goto cleanup; + goto cleanup; + + /* store the interesting stuff from creds and authent */ + ctx->endtime = k_cred->times.endtime; + ctx->krb_flags = k_cred->ticket_flags; - /* store the interesting stuff from creds and authent */ - ctx->endtime = k_cred->times.endtime; - ctx->krb_flags = k_cred->ticket_flags; + /* build up the token */ - /* build up the token */ + /* allocate space for the token */ + tlen = g_token_size((gss_OID) mech_type, ap_req.length); - /* allocate space for the token */ - tlen = g_token_size((gss_OID) mech_type, ap_req.length); + if ((t = (unsigned char *) xmalloc(tlen)) == NULL) { + code = ENOMEM; + goto cleanup; + } - if ((t = (unsigned char *) xmalloc(tlen)) == NULL) { - code = ENOMEM; - goto cleanup; - } + /* fill in the buffer */ - /* fill in the buffer */ + ptr = t; - ptr = t; + g_make_token_header(mech_type, ap_req.length, + &ptr, KG_TOK_CTX_AP_REQ); - g_make_token_header(mech_type, ap_req.length, - &ptr, KG_TOK_CTX_AP_REQ); + TWRITE_STR(ptr, (unsigned char *) ap_req.data, ap_req.length); - TWRITE_STR(ptr, (unsigned char *) ap_req.data, ap_req.length); + /* pass it back */ - /* pass it back */ + token->length = tlen; + token->value = (void *) t; - token->length = tlen; - token->value = (void *) t; + code = 0; - code = 0; - - cleanup: - if (checksum_data && checksum_data->data) - krb5_free_data_contents(context, checksum_data); - if (ap_req.data) - krb5_free_data_contents(context, &ap_req); +cleanup: + if (checksum_data && checksum_data->data) + krb5_free_data_contents(context, checksum_data); + if (ap_req.data) + krb5_free_data_contents(context, &ap_req); - return (code); + return (code); } /* @@ -354,87 +355,87 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) */ static OM_uint32 setup_enc( - OM_uint32 *minor_status, - krb5_gss_ctx_id_rec *ctx, - krb5_context context) + OM_uint32 *minor_status, + krb5_gss_ctx_id_rec *ctx, + krb5_context context) { - krb5_error_code code; - unsigned int i; - krb5int_access kaccess; - - code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); - if (code) - goto fail; - - ctx->have_acceptor_subkey = 0; - ctx->proto = 0; - ctx->cksumtype = 0; - switch(ctx->subkey->enctype) { - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_CRC: - ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW; - ctx->signalg = SGN_ALG_DES_MAC_MD5; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_DES; - - /* The encryption key is the session key XOR - 0xf0f0f0f0f0f0f0f0. */ - if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) - goto fail; - - for (i=0; i<ctx->enc->length; i++) - ctx->enc->contents[i] ^= 0xf0; - - goto copy_subkey_to_seq; - - case ENCTYPE_DES3_CBC_SHA1: - /* MIT extension */ - ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; - ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; - ctx->cksum_size = 20; - ctx->sealalg = SEAL_ALG_DES3KD; - - copy_subkey: - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc); - if (code) - goto fail; - copy_subkey_to_seq: - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq); - if (code) { - krb5_free_keyblock (context, ctx->enc); - goto fail; - } - break; - - case ENCTYPE_ARCFOUR_HMAC: - /* Microsoft extension */ - ctx->signalg = SGN_ALG_HMAC_MD5 ; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; - - goto copy_subkey; - - default: - /* Fill some fields we shouldn't be using on this path - with garbage. */ - ctx->signalg = -10; - ctx->sealalg = -10; - - ctx->proto = 1; - code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype, - &ctx->cksumtype); - if (code) - goto fail; - code = krb5_c_checksum_length(context, ctx->cksumtype, - &ctx->cksum_size); - if (code) - goto fail; - goto copy_subkey; - } + krb5_error_code code; + unsigned int i; + krb5int_access kaccess; + + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) + goto fail; + + ctx->have_acceptor_subkey = 0; + ctx->proto = 0; + ctx->cksumtype = 0; + switch(ctx->subkey->enctype) { + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_CRC: + ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW; + ctx->signalg = SGN_ALG_DES_MAC_MD5; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_DES; + + /* The encryption key is the session key XOR + 0xf0f0f0f0f0f0f0f0. */ + if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) + goto fail; + + for (i=0; i<ctx->enc->length; i++) + ctx->enc->contents[i] ^= 0xf0; + + goto copy_subkey_to_seq; + + case ENCTYPE_DES3_CBC_SHA1: + /* MIT extension */ + ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; + ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; + ctx->cksum_size = 20; + ctx->sealalg = SEAL_ALG_DES3KD; + + copy_subkey: + code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc); + if (code) + goto fail; + copy_subkey_to_seq: + code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq); + if (code) { + krb5_free_keyblock (context, ctx->enc); + goto fail; + } + break; + + case ENCTYPE_ARCFOUR_HMAC: + /* Microsoft extension */ + ctx->signalg = SGN_ALG_HMAC_MD5 ; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; + + goto copy_subkey; + + default: + /* Fill some fields we shouldn't be using on this path + with garbage. */ + ctx->signalg = -10; + ctx->sealalg = -10; + + ctx->proto = 1; + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype, + &ctx->cksumtype); + if (code) + goto fail; + code = krb5_c_checksum_length(context, ctx->cksumtype, + &ctx->cksum_size); + if (code) + goto fail; + goto copy_subkey; + } fail: - *minor_status = code; - return GSS_S_FAILURE; + *minor_status = code; + return GSS_S_FAILURE; } /* @@ -444,204 +445,204 @@ fail: */ static OM_uint32 new_connection( - OM_uint32 *minor_status, - krb5_gss_cred_id_t cred, - gss_ctx_id_t *context_handle, - gss_name_t target_name, - gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - krb5_context context, - int default_mech) + OM_uint32 *minor_status, + krb5_gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + krb5_context context, + int default_mech) { - OM_uint32 major_status; - krb5_error_code code; - krb5_creds *k_cred; - krb5_gss_ctx_id_rec *ctx, *ctx_free; - krb5_timestamp now; - gss_buffer_desc token; - - k5_mutex_assert_locked(&cred->lock); - major_status = GSS_S_FAILURE; - token.length = 0; - token.value = NULL; - - /* make sure the cred is usable for init */ - - if ((cred->usage != GSS_C_INITIATE) && - (cred->usage != GSS_C_BOTH)) { - *minor_status = 0; - return(GSS_S_NO_CRED); - } - - /* complain if the input token is non-null */ - - if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { - *minor_status = 0; - return(GSS_S_DEFECTIVE_TOKEN); - } - - /* create the ctx */ - - if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec))) - == NULL) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - - /* fill in the ctx */ - memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); - ctx_free = ctx; - if ((code = krb5_auth_con_init(context, &ctx->auth_context))) - goto fail; - krb5_auth_con_setflags(context, ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); - - /* limit the encryption types negotiated (if requested) */ - if (cred->req_enctypes) { - if ((code = krb5_set_default_tgs_enctypes(context, - cred->req_enctypes))) { - goto fail; - } - } - - ctx->initiate = 1; - ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | - GSS_C_TRANS_FLAG | - ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | - GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))); - ctx->seed_init = 0; - ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ - ctx->seqstate = 0; - - if ((code = krb5_timeofday(context, &now))) - goto fail; - - if (time_req == 0 || time_req == GSS_C_INDEFINITE) { - ctx->endtime = 0; - } else { - ctx->endtime = now + time_req; - } - - if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) - goto fail; - - if ((code = krb5_copy_principal(context, (krb5_principal) target_name, - &ctx->there))) - goto fail; - - code = get_credentials(context, cred, ctx->there, now, - ctx->endtime, &k_cred); - if (code) - goto fail; - - if (default_mech) { - mech_type = (gss_OID) gss_mech_krb5; - } - - if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used) - != GSS_S_COMPLETE) { - code = *minor_status; - goto fail; - } - /* - * Now try to make it static if at all possible.... - */ - ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used); - - { - /* gsskrb5 v1 */ - krb5_ui_4 seq_temp; - if ((code = make_ap_req_v1(context, ctx, - cred, k_cred, input_chan_bindings, - mech_type, &token))) { - if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) || - (code == KG_EMPTY_CCACHE)) - major_status = GSS_S_NO_CRED; - if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) - major_status = GSS_S_CREDENTIALS_EXPIRED; - goto fail; - } - - krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp); - ctx->seq_send = seq_temp; - krb5_auth_con_getsendsubkey(context, ctx->auth_context, - &ctx->subkey); - } - - major_status = setup_enc(minor_status, ctx, context); - - if (k_cred) { - krb5_free_creds(context, k_cred); - k_cred = 0; - } - - /* at this point, the context is constructed and valid, - hence, releaseable */ - - /* intern the context handle */ - - if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { - code = G_VALIDATE_FAILED; - goto fail; - } - *context_handle = (gss_ctx_id_t) ctx; - ctx_free = 0; - - /* compute time_rec */ - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto fail; - *time_rec = ctx->endtime - now; - } - - /* set the other returns */ - *output_token = token; - - if (ret_flags) - *ret_flags = ctx->gss_flags; - - if (actual_mech_type) - *actual_mech_type = mech_type; - - /* return successfully */ - - *minor_status = 0; - if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { - ctx->established = 0; - return(GSS_S_CONTINUE_NEEDED); - } else { - ctx->seq_recv = ctx->seq_send; - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); - ctx->gss_flags |= GSS_C_PROT_READY_FLAG; - ctx->established = 1; - return(GSS_S_COMPLETE); - } + OM_uint32 major_status; + krb5_error_code code; + krb5_creds *k_cred; + krb5_gss_ctx_id_rec *ctx, *ctx_free; + krb5_timestamp now; + gss_buffer_desc token; + + k5_mutex_assert_locked(&cred->lock); + major_status = GSS_S_FAILURE; + token.length = 0; + token.value = NULL; + + /* make sure the cred is usable for init */ + + if ((cred->usage != GSS_C_INITIATE) && + (cred->usage != GSS_C_BOTH)) { + *minor_status = 0; + return(GSS_S_NO_CRED); + } + + /* complain if the input token is non-null */ + + if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + + /* create the ctx */ + + if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec))) + == NULL) { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + + /* fill in the ctx */ + memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); + ctx_free = ctx; + if ((code = krb5_auth_con_init(context, &ctx->auth_context))) + goto fail; + krb5_auth_con_setflags(context, ctx->auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE); + + /* limit the encryption types negotiated (if requested) */ + if (cred->req_enctypes) { + if ((code = krb5_set_default_tgs_enctypes(context, + cred->req_enctypes))) { + goto fail; + } + } + + ctx->initiate = 1; + ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | + GSS_C_TRANS_FLAG | + ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | + GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))); + ctx->seed_init = 0; + ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ + ctx->seqstate = 0; + + if ((code = krb5_timeofday(context, &now))) + goto fail; + + if (time_req == 0 || time_req == GSS_C_INDEFINITE) { + ctx->endtime = 0; + } else { + ctx->endtime = now + time_req; + } + + if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) + goto fail; + + if ((code = krb5_copy_principal(context, (krb5_principal) target_name, + &ctx->there))) + goto fail; + + code = get_credentials(context, cred, ctx->there, now, + ctx->endtime, &k_cred); + if (code) + goto fail; + + if (default_mech) { + mech_type = (gss_OID) gss_mech_krb5; + } + + if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used) + != GSS_S_COMPLETE) { + code = *minor_status; + goto fail; + } + /* + * Now try to make it static if at all possible.... + */ + ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used); + + { + /* gsskrb5 v1 */ + krb5_ui_4 seq_temp; + if ((code = make_ap_req_v1(context, ctx, + cred, k_cred, input_chan_bindings, + mech_type, &token))) { + if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) || + (code == KG_EMPTY_CCACHE)) + major_status = GSS_S_NO_CRED; + if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) + major_status = GSS_S_CREDENTIALS_EXPIRED; + goto fail; + } + + krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp); + ctx->seq_send = seq_temp; + krb5_auth_con_getsendsubkey(context, ctx->auth_context, + &ctx->subkey); + } + + major_status = setup_enc(minor_status, ctx, context); + + if (k_cred) { + krb5_free_creds(context, k_cred); + k_cred = 0; + } + + /* at this point, the context is constructed and valid, + hence, releaseable */ + + /* intern the context handle */ + + if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { + code = G_VALIDATE_FAILED; + goto fail; + } + *context_handle = (gss_ctx_id_t) ctx; + ctx_free = 0; + + /* compute time_rec */ + if (time_rec) { + if ((code = krb5_timeofday(context, &now))) + goto fail; + *time_rec = ctx->endtime - now; + } + + /* set the other returns */ + *output_token = token; + + if (ret_flags) + *ret_flags = ctx->gss_flags; + + if (actual_mech_type) + *actual_mech_type = mech_type; + + /* return successfully */ + + *minor_status = 0; + if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { + ctx->established = 0; + return(GSS_S_CONTINUE_NEEDED); + } else { + ctx->seq_recv = ctx->seq_send; + g_order_init(&(ctx->seqstate), ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); + ctx->gss_flags |= GSS_C_PROT_READY_FLAG; + ctx->established = 1; + return(GSS_S_COMPLETE); + } fail: - if (ctx_free) { - if (ctx_free->auth_context) - krb5_auth_con_free(context, ctx_free->auth_context); - if (ctx_free->here) - krb5_free_principal(context, ctx_free->here); - if (ctx_free->there) - krb5_free_principal(context, ctx_free->there); - if (ctx_free->subkey) - krb5_free_keyblock(context, ctx_free->subkey); - xfree(ctx_free); - } else - (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); - - *minor_status = code; - return (major_status); + if (ctx_free) { + if (ctx_free->auth_context) + krb5_auth_con_free(context, ctx_free->auth_context); + if (ctx_free->here) + krb5_free_principal(context, ctx_free->here); + if (ctx_free->there) + krb5_free_principal(context, ctx_free->there); + if (ctx_free->subkey) + krb5_free_keyblock(context, ctx_free->subkey); + xfree(ctx_free); + } else + (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); + + *minor_status = code; + return (major_status); } /* @@ -651,180 +652,180 @@ fail: */ static OM_uint32 mutual_auth( - OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - gss_name_t target_name, - gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - krb5_context context) + OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + krb5_context context) { - OM_uint32 major_status; - unsigned char *ptr; - char *sptr; - krb5_data ap_rep; - krb5_ap_rep_enc_part *ap_rep_data; - krb5_timestamp now; - krb5_gss_ctx_id_rec *ctx; - krb5_error *krb_error; - krb5_error_code code; - krb5int_access kaccess; - - major_status = GSS_S_FAILURE; - - code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); - if (code) - goto fail; - - /* validate the context handle */ - /*SUPPRESS 29*/ - if (! kg_validate_ctx_id(*context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); - } - - ctx = (krb5_gss_ctx_id_t) *context_handle; - - /* make sure the context is non-established, and that certain - arguments are unchanged */ - - if ((ctx->established) || - ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) { - code = KG_CONTEXT_ESTABLISHED; - goto fail; - } - - if (! krb5_principal_compare(context, ctx->there, - (krb5_principal) target_name)) { - (void)krb5_gss_delete_sec_context(minor_status, - context_handle, NULL); - code = 0; - major_status = GSS_S_BAD_NAME; - goto fail; - } - - /* verify the token and leave the AP_REP message in ap_rep */ - - if (input_token == GSS_C_NO_BUFFER) { - (void)krb5_gss_delete_sec_context(minor_status, - context_handle, NULL); - code = 0; - major_status = GSS_S_DEFECTIVE_TOKEN; - goto fail; - } - - ptr = (unsigned char *) input_token->value; - - if (g_verify_token_header(ctx->mech_used, - &(ap_rep.length), - &ptr, KG_TOK_CTX_AP_REP, - input_token->length, 1)) { - if (g_verify_token_header((gss_OID) ctx->mech_used, - &(ap_rep.length), - &ptr, KG_TOK_CTX_ERROR, - input_token->length, 1) == 0) { - - /* Handle a KRB_ERROR message from the server */ - - sptr = (char *) ptr; /* PC compiler bug */ - TREAD_STR(sptr, ap_rep.data, ap_rep.length); - - code = krb5_rd_error(context, &ap_rep, &krb_error); - if (code) - goto fail; - if (krb_error->error) - code = krb_error->error + ERROR_TABLE_BASE_krb5; - else - code = 0; - krb5_free_error(context, krb_error); - goto fail; - } else { - *minor_status = 0; - return(GSS_S_DEFECTIVE_TOKEN); - } - } - - sptr = (char *) ptr; /* PC compiler bug */ - TREAD_STR(sptr, ap_rep.data, ap_rep.length); - - /* decode the ap_rep */ - if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep, - &ap_rep_data))) { - /* - * XXX A hack for backwards compatiblity. - * To be removed in 1999 -- proven - */ - krb5_auth_con_setuseruserkey(context, ctx->auth_context, - ctx->subkey); - if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep, - &ap_rep_data))) - goto fail; - } - - /* store away the sequence number */ - ctx->seq_recv = ap_rep_data->seq_number; - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto); - - if (ctx->proto == 1 && ap_rep_data->subkey) { - /* Keep acceptor's subkey. */ - ctx->have_acceptor_subkey = 1; - code = krb5_copy_keyblock(context, ap_rep_data->subkey, - &ctx->acceptor_subkey); - if (code) - goto fail; - code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, - ctx->acceptor_subkey->enctype, - &ctx->acceptor_subkey_cksumtype); - if (code) - goto fail; - } - - /* free the ap_rep_data */ - krb5_free_ap_rep_enc_part(context, ap_rep_data); - - /* set established */ - ctx->established = 1; - - /* set returns */ - - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto fail; - *time_rec = ctx->endtime - now; - } - - if (ret_flags) - *ret_flags = ctx->gss_flags; - - if (actual_mech_type) - *actual_mech_type = mech_type; - - /* success */ - - *minor_status = 0; - return GSS_S_COMPLETE; + OM_uint32 major_status; + unsigned char *ptr; + char *sptr; + krb5_data ap_rep; + krb5_ap_rep_enc_part *ap_rep_data; + krb5_timestamp now; + krb5_gss_ctx_id_rec *ctx; + krb5_error *krb_error; + krb5_error_code code; + krb5int_access kaccess; + + major_status = GSS_S_FAILURE; + + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) + goto fail; + + /* validate the context handle */ + /*SUPPRESS 29*/ + if (! kg_validate_ctx_id(*context_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); + } + + ctx = (krb5_gss_ctx_id_t) *context_handle; + + /* make sure the context is non-established, and that certain + arguments are unchanged */ + + if ((ctx->established) || + ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) { + code = KG_CONTEXT_ESTABLISHED; + goto fail; + } + + if (! krb5_principal_compare(context, ctx->there, + (krb5_principal) target_name)) { + (void)krb5_gss_delete_sec_context(minor_status, + context_handle, NULL); + code = 0; + major_status = GSS_S_BAD_NAME; + goto fail; + } + + /* verify the token and leave the AP_REP message in ap_rep */ + + if (input_token == GSS_C_NO_BUFFER) { + (void)krb5_gss_delete_sec_context(minor_status, + context_handle, NULL); + code = 0; + major_status = GSS_S_DEFECTIVE_TOKEN; + goto fail; + } + + ptr = (unsigned char *) input_token->value; + + if (g_verify_token_header(ctx->mech_used, + &(ap_rep.length), + &ptr, KG_TOK_CTX_AP_REP, + input_token->length, 1)) { + if (g_verify_token_header((gss_OID) ctx->mech_used, + &(ap_rep.length), + &ptr, KG_TOK_CTX_ERROR, + input_token->length, 1) == 0) { + + /* Handle a KRB_ERROR message from the server */ + + sptr = (char *) ptr; /* PC compiler bug */ + TREAD_STR(sptr, ap_rep.data, ap_rep.length); + + code = krb5_rd_error(context, &ap_rep, &krb_error); + if (code) + goto fail; + if (krb_error->error) + code = krb_error->error + ERROR_TABLE_BASE_krb5; + else + code = 0; + krb5_free_error(context, krb_error); + goto fail; + } else { + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + } + + sptr = (char *) ptr; /* PC compiler bug */ + TREAD_STR(sptr, ap_rep.data, ap_rep.length); + + /* decode the ap_rep */ + if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep, + &ap_rep_data))) { + /* + * XXX A hack for backwards compatiblity. + * To be removed in 1999 -- proven + */ + krb5_auth_con_setuseruserkey(context, ctx->auth_context, + ctx->subkey); + if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep, + &ap_rep_data))) + goto fail; + } + + /* store away the sequence number */ + ctx->seq_recv = ap_rep_data->seq_number; + g_order_init(&(ctx->seqstate), ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto); + + if (ctx->proto == 1 && ap_rep_data->subkey) { + /* Keep acceptor's subkey. */ + ctx->have_acceptor_subkey = 1; + code = krb5_copy_keyblock(context, ap_rep_data->subkey, + &ctx->acceptor_subkey); + if (code) + goto fail; + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, + ctx->acceptor_subkey->enctype, + &ctx->acceptor_subkey_cksumtype); + if (code) + goto fail; + } + + /* free the ap_rep_data */ + krb5_free_ap_rep_enc_part(context, ap_rep_data); + + /* set established */ + ctx->established = 1; + + /* set returns */ + + if (time_rec) { + if ((code = krb5_timeofday(context, &now))) + goto fail; + *time_rec = ctx->endtime - now; + } + + if (ret_flags) + *ret_flags = ctx->gss_flags; + + if (actual_mech_type) + *actual_mech_type = mech_type; + + /* success */ + + *minor_status = 0; + return GSS_S_COMPLETE; fail: - (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); + (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); - *minor_status = code; - return (major_status); + *minor_status = code; + return (major_status); } OM_uint32 krb5_gss_init_sec_context(minor_status, claimant_cred_handle, - context_handle, target_name, mech_type, - req_flags, time_req, input_chan_bindings, - input_token, actual_mech_type, output_token, - ret_flags, time_rec) + context_handle, target_name, mech_type, + req_flags, time_req, input_chan_bindings, + input_token, actual_mech_type, output_token, + ret_flags, time_rec) OM_uint32 *minor_status; gss_cred_id_t claimant_cred_handle; gss_ctx_id_t *context_handle; @@ -839,142 +840,142 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, OM_uint32 *ret_flags; OM_uint32 *time_rec; { - krb5_context context; - krb5_gss_cred_id_t cred; - int err; - krb5_error_code kerr; - int default_mech = 0; - OM_uint32 major_status; - OM_uint32 tmp_min_stat; - - if (*context_handle == GSS_C_NO_CONTEXT) { - kerr = krb5_gss_init_context(&context); - if (kerr) { - *minor_status = kerr; - return GSS_S_FAILURE; - } - if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) { - save_error_info(*minor_status, context); - krb5_free_context(context); - return GSS_S_FAILURE; - } - } else { - context = ((krb5_gss_ctx_id_rec *)*context_handle)->k5_context; - } - - /* set up return values so they can be "freed" successfully */ - - major_status = GSS_S_FAILURE; /* Default major code */ - output_token->length = 0; - output_token->value = NULL; - if (actual_mech_type) - *actual_mech_type = NULL; - - /* verify that the target_name is valid and usable */ - - if (! kg_validate_name(target_name)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - save_error_info(*minor_status, context); - if (*context_handle == GSS_C_NO_CONTEXT) - krb5_free_context(context); - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - } - - /* verify the credential, or use the default */ - /*SUPPRESS 29*/ - if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) { - major_status = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred); - if (major_status && GSS_ERROR(major_status)) { - if (*context_handle == GSS_C_NO_CONTEXT) - krb5_free_context(context); - return(major_status); - } - } else { - major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle); - if (GSS_ERROR(major_status)) { - save_error_info(*minor_status, context); - if (*context_handle == GSS_C_NO_CONTEXT) - krb5_free_context(context); - return(major_status); - } - cred = (krb5_gss_cred_id_t) claimant_cred_handle; - } - kerr = k5_mutex_lock(&cred->lock); - if (kerr) { - krb5_free_context(context); - *minor_status = kerr; - return GSS_S_FAILURE; - } - - /* verify the mech_type */ - - err = 0; - if (mech_type == GSS_C_NULL_OID) { - default_mech = 1; - if (cred->rfc_mech) { - mech_type = (gss_OID) gss_mech_krb5; - } else if (cred->prerfc_mech) { - mech_type = (gss_OID) gss_mech_krb5_old; - } else { - err = 1; - } - } else if (g_OID_equal(mech_type, gss_mech_krb5)) { - if (!cred->rfc_mech) - err = 1; - } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) { - if (!cred->prerfc_mech) - err = 1; - } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) { - if (!cred->rfc_mech) - err = 1; - } else { - err = 1; - } - - if (err) { - k5_mutex_unlock(&cred->lock); - if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) - krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); - *minor_status = 0; - if (*context_handle == GSS_C_NO_CONTEXT) - krb5_free_context(context); - return(GSS_S_BAD_MECH); - } - - /* is this a new connection or not? */ - - /*SUPPRESS 29*/ - if (*context_handle == GSS_C_NO_CONTEXT) { - major_status = new_connection(minor_status, cred, context_handle, - target_name, mech_type, req_flags, - time_req, input_chan_bindings, - input_token, actual_mech_type, - output_token, ret_flags, time_rec, - context, default_mech); - k5_mutex_unlock(&cred->lock); - if (*context_handle == GSS_C_NO_CONTEXT) { - save_error_info (*minor_status, context); - krb5_free_context(context); - } else - ((krb5_gss_ctx_id_rec *) *context_handle)->k5_context = context; - } else { - /* mutual_auth doesn't care about the credentials */ - k5_mutex_unlock(&cred->lock); - major_status = mutual_auth(minor_status, context_handle, - target_name, mech_type, req_flags, - time_req, input_chan_bindings, - input_token, actual_mech_type, - output_token, ret_flags, time_rec, - context); - /* If context_handle is now NO_CONTEXT, mutual_auth called - delete_sec_context, which would've zapped the krb5 context - too. */ - } - - if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) - krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred); - - return(major_status); + krb5_context context; + krb5_gss_cred_id_t cred; + int err; + krb5_error_code kerr; + int default_mech = 0; + OM_uint32 major_status; + OM_uint32 tmp_min_stat; + + if (*context_handle == GSS_C_NO_CONTEXT) { + kerr = krb5_gss_init_context(&context); + if (kerr) { + *minor_status = kerr; + return GSS_S_FAILURE; + } + if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) { + save_error_info(*minor_status, context); + krb5_free_context(context); + return GSS_S_FAILURE; + } + } else { + context = ((krb5_gss_ctx_id_rec *)*context_handle)->k5_context; + } + + /* set up return values so they can be "freed" successfully */ + + major_status = GSS_S_FAILURE; /* Default major code */ + output_token->length = 0; + output_token->value = NULL; + if (actual_mech_type) + *actual_mech_type = NULL; + + /* verify that the target_name is valid and usable */ + + if (! kg_validate_name(target_name)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + save_error_info(*minor_status, context); + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } + + /* verify the credential, or use the default */ + /*SUPPRESS 29*/ + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) { + major_status = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred); + if (major_status && GSS_ERROR(major_status)) { + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + return(major_status); + } + } else { + major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle); + if (GSS_ERROR(major_status)) { + save_error_info(*minor_status, context); + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + return(major_status); + } + cred = (krb5_gss_cred_id_t) claimant_cred_handle; + } + kerr = k5_mutex_lock(&cred->lock); + if (kerr) { + krb5_free_context(context); + *minor_status = kerr; + return GSS_S_FAILURE; + } + + /* verify the mech_type */ + + err = 0; + if (mech_type == GSS_C_NULL_OID) { + default_mech = 1; + if (cred->rfc_mech) { + mech_type = (gss_OID) gss_mech_krb5; + } else if (cred->prerfc_mech) { + mech_type = (gss_OID) gss_mech_krb5_old; + } else { + err = 1; + } + } else if (g_OID_equal(mech_type, gss_mech_krb5)) { + if (!cred->rfc_mech) + err = 1; + } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) { + if (!cred->prerfc_mech) + err = 1; + } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) { + if (!cred->rfc_mech) + err = 1; + } else { + err = 1; + } + + if (err) { + k5_mutex_unlock(&cred->lock); + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); + *minor_status = 0; + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + return(GSS_S_BAD_MECH); + } + + /* is this a new connection or not? */ + + /*SUPPRESS 29*/ + if (*context_handle == GSS_C_NO_CONTEXT) { + major_status = new_connection(minor_status, cred, context_handle, + target_name, mech_type, req_flags, + time_req, input_chan_bindings, + input_token, actual_mech_type, + output_token, ret_flags, time_rec, + context, default_mech); + k5_mutex_unlock(&cred->lock); + if (*context_handle == GSS_C_NO_CONTEXT) { + save_error_info (*minor_status, context); + krb5_free_context(context); + } else + ((krb5_gss_ctx_id_rec *) *context_handle)->k5_context = context; + } else { + /* mutual_auth doesn't care about the credentials */ + k5_mutex_unlock(&cred->lock); + major_status = mutual_auth(minor_status, context_handle, + target_name, mech_type, req_flags, + time_req, input_chan_bindings, + input_token, actual_mech_type, + output_token, ret_flags, time_rec, + context); + /* If context_handle is now NO_CONTEXT, mutual_auth called + delete_sec_context, which would've zapped the krb5 context + too. */ + } + + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred); + + return(major_status); } #ifndef _WIN32 @@ -992,16 +993,16 @@ krb5_gss_init_context (krb5_context *ctxp) err = gssint_initialize_library(); if (err) - return err; + return err; #ifndef _WIN32 err = k5_mutex_lock(&kg_kdc_flag_mutex); if (err) - return err; + return err; is_kdc = kdc_flag; k5_mutex_unlock(&kg_kdc_flag_mutex); if (is_kdc) - return krb5int_init_context_kdc(ctxp); + return krb5int_init_context_kdc(ctxp); #endif return krb5_init_context(ctxp); @@ -1015,13 +1016,12 @@ krb5_gss_use_kdc_context() err = gssint_initialize_library(); if (err) - return err; + return err; err = k5_mutex_lock(&kg_kdc_flag_mutex); if (err) - return err; + return err; kdc_flag = 1; k5_mutex_unlock(&kg_kdc_flag_mutex); return 0; } #endif - diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c index ab9d81a4f..74ae178d8 100644 --- a/src/lib/gssapi/krb5/inq_context.c +++ b/src/lib/gssapi/krb5/inq_context.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -23,113 +24,113 @@ #include "gssapiP_krb5.h" OM_uint32 -krb5_gss_inquire_context(minor_status, context_handle, initiator_name, - acceptor_name, lifetime_rec, mech_type, ret_flags, - locally_initiated, opened) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_name_t *initiator_name; - gss_name_t *acceptor_name; - OM_uint32 *lifetime_rec; - gss_OID *mech_type; - OM_uint32 *ret_flags; - int *locally_initiated; - int *opened; +krb5_gss_inquire_context(minor_status, context_handle, initiator_name, + acceptor_name, lifetime_rec, mech_type, ret_flags, + locally_initiated, opened) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_name_t *initiator_name; + gss_name_t *acceptor_name; + OM_uint32 *lifetime_rec; + gss_OID *mech_type; + OM_uint32 *ret_flags; + int *locally_initiated; + int *opened; { - krb5_context context; - krb5_error_code code; - krb5_gss_ctx_id_rec *ctx; - krb5_principal initiator, acceptor; - krb5_timestamp now; - krb5_deltat lifetime; - - if (initiator_name) - *initiator_name = (gss_name_t) NULL; - if (acceptor_name) - *acceptor_name = (gss_name_t) NULL; - - /* validate the context handle */ - if (! kg_validate_ctx_id(context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); - } - - ctx = (krb5_gss_ctx_id_rec *) context_handle; - - if (! ctx->established) { - *minor_status = KG_CTX_INCOMPLETE; - return(GSS_S_NO_CONTEXT); - } - - initiator = NULL; - acceptor = NULL; - context = ctx->k5_context; - - if ((code = krb5_timeofday(context, &now))) { - *minor_status = code; - save_error_info(*minor_status, context); - return(GSS_S_FAILURE); - } - - if ((lifetime = ctx->endtime - now) < 0) - lifetime = 0; - - if (initiator_name) { - if ((code = krb5_copy_principal(context, - ctx->initiate?ctx->here:ctx->there, - &initiator))) { - *minor_status = code; - save_error_info(*minor_status, context); - return(GSS_S_FAILURE); - } - if (! kg_save_name((gss_name_t) initiator)) { - krb5_free_principal(context, initiator); - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_FAILURE); - } - } - - if (acceptor_name) { - if ((code = krb5_copy_principal(context, - ctx->initiate?ctx->there:ctx->here, - &acceptor))) { - if (initiator) krb5_free_principal(context, initiator); - *minor_status = code; - save_error_info(*minor_status, context); - return(GSS_S_FAILURE); - } - if (! kg_save_name((gss_name_t) acceptor)) { - krb5_free_principal(context, acceptor); - if (initiator) { - kg_delete_name((gss_name_t) initiator); - krb5_free_principal(context, initiator); - } - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_FAILURE); - } - } - - if (initiator_name) - *initiator_name = (gss_name_t) initiator; - - if (acceptor_name) - *acceptor_name = (gss_name_t) acceptor; - - if (lifetime_rec) - *lifetime_rec = lifetime; - - if (mech_type) - *mech_type = (gss_OID) ctx->mech_used; - - if (ret_flags) - *ret_flags = ctx->gss_flags; - - if (locally_initiated) - *locally_initiated = ctx->initiate; - - if (opened) - *opened = ctx->established; - - *minor_status = 0; - return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE); + krb5_context context; + krb5_error_code code; + krb5_gss_ctx_id_rec *ctx; + krb5_principal initiator, acceptor; + krb5_timestamp now; + krb5_deltat lifetime; + + if (initiator_name) + *initiator_name = (gss_name_t) NULL; + if (acceptor_name) + *acceptor_name = (gss_name_t) NULL; + + /* validate the context handle */ + if (! kg_validate_ctx_id(context_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); + } + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + + if (! ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } + + initiator = NULL; + acceptor = NULL; + context = ctx->k5_context; + + if ((code = krb5_timeofday(context, &now))) { + *minor_status = code; + save_error_info(*minor_status, context); + return(GSS_S_FAILURE); + } + + if ((lifetime = ctx->endtime - now) < 0) + lifetime = 0; + + if (initiator_name) { + if ((code = krb5_copy_principal(context, + ctx->initiate?ctx->here:ctx->there, + &initiator))) { + *minor_status = code; + save_error_info(*minor_status, context); + return(GSS_S_FAILURE); + } + if (! kg_save_name((gss_name_t) initiator)) { + krb5_free_principal(context, initiator); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_FAILURE); + } + } + + if (acceptor_name) { + if ((code = krb5_copy_principal(context, + ctx->initiate?ctx->there:ctx->here, + &acceptor))) { + if (initiator) krb5_free_principal(context, initiator); + *minor_status = code; + save_error_info(*minor_status, context); + return(GSS_S_FAILURE); + } + if (! kg_save_name((gss_name_t) acceptor)) { + krb5_free_principal(context, acceptor); + if (initiator) { + kg_delete_name((gss_name_t) initiator); + krb5_free_principal(context, initiator); + } + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_FAILURE); + } + } + + if (initiator_name) + *initiator_name = (gss_name_t) initiator; + + if (acceptor_name) + *acceptor_name = (gss_name_t) acceptor; + + if (lifetime_rec) + *lifetime_rec = lifetime; + + if (mech_type) + *mech_type = (gss_OID) ctx->mech_used; + + if (ret_flags) + *ret_flags = ctx->gss_flags; + + if (locally_initiated) + *locally_initiated = ctx->initiate; + + if (opened) + *opened = ctx->established; + + *minor_status = 0; + return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c index aa50d1231..d23d7f951 100644 --- a/src/lib/gssapi/krb5/inq_cred.c +++ b/src/lib/gssapi/krb5/inq_cred.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 2000, 2007 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -6,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,11 +21,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -34,7 +35,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -46,14 +47,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -64,7 +65,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -74,195 +75,194 @@ OM_uint32 krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, - cred_usage, mechanisms) - OM_uint32 *minor_status; - gss_cred_id_t cred_handle; - gss_name_t *name; - OM_uint32 *lifetime_ret; - gss_cred_usage_t *cred_usage; - gss_OID_set *mechanisms; + cred_usage, mechanisms) + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; + gss_name_t *name; + OM_uint32 *lifetime_ret; + gss_cred_usage_t *cred_usage; + gss_OID_set *mechanisms; { - krb5_context context; - krb5_gss_cred_id_t cred; - krb5_error_code code; - krb5_timestamp now; - krb5_deltat lifetime; - krb5_principal ret_name; - gss_OID_set mechs; - OM_uint32 ret; + krb5_context context; + krb5_gss_cred_id_t cred; + krb5_error_code code; + krb5_timestamp now; + krb5_deltat lifetime; + krb5_principal ret_name; + gss_OID_set mechs; + OM_uint32 ret; + + ret = GSS_S_FAILURE; + ret_name = NULL; - ret = GSS_S_FAILURE; - ret_name = NULL; + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } - code = krb5_gss_init_context(&context); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } + if (name) *name = NULL; + if (mechanisms) *mechanisms = NULL; - if (name) *name = NULL; - if (mechanisms) *mechanisms = NULL; + /* check for default credential */ + /*SUPPRESS 29*/ + if (cred_handle == GSS_C_NO_CREDENTIAL) { + OM_uint32 major; - /* check for default credential */ - /*SUPPRESS 29*/ - if (cred_handle == GSS_C_NO_CREDENTIAL) { - OM_uint32 major; + if ((major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred)) && + GSS_ERROR(major)) { + krb5_free_context(context); + return(major); + } + } else { + OM_uint32 major; - if ((major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred)) && - GSS_ERROR(major)) { - krb5_free_context(context); - return(major); - } - } else { - OM_uint32 major; - - major = krb5_gss_validate_cred(minor_status, cred_handle); - if (GSS_ERROR(major)) { - krb5_free_context(context); - return(major); - } - cred = (krb5_gss_cred_id_t) cred_handle; - } + major = krb5_gss_validate_cred(minor_status, cred_handle); + if (GSS_ERROR(major)) { + krb5_free_context(context); + return(major); + } + cred = (krb5_gss_cred_id_t) cred_handle; + } - if ((code = krb5_timeofday(context, &now))) { - *minor_status = code; - ret = GSS_S_FAILURE; - goto fail; - } + if ((code = krb5_timeofday(context, &now))) { + *minor_status = code; + ret = GSS_S_FAILURE; + goto fail; + } - code = k5_mutex_lock(&cred->lock); - if (code != 0) { - *minor_status = code; - ret = GSS_S_FAILURE; - goto fail; - } - if (cred->tgt_expire > 0) { - if ((lifetime = cred->tgt_expire - now) < 0) - lifetime = 0; - } - else - lifetime = GSS_C_INDEFINITE; + code = k5_mutex_lock(&cred->lock); + if (code != 0) { + *minor_status = code; + ret = GSS_S_FAILURE; + goto fail; + } + if (cred->tgt_expire > 0) { + if ((lifetime = cred->tgt_expire - now) < 0) + lifetime = 0; + } + else + lifetime = GSS_C_INDEFINITE; - if (name) { - if (cred->princ && - (code = krb5_copy_principal(context, cred->princ, &ret_name))) { - k5_mutex_unlock(&cred->lock); - *minor_status = code; - save_error_info(*minor_status, context); - ret = GSS_S_FAILURE; - goto fail; - } - } + if (name) { + if (cred->princ && + (code = krb5_copy_principal(context, cred->princ, &ret_name))) { + k5_mutex_unlock(&cred->lock); + *minor_status = code; + save_error_info(*minor_status, context); + ret = GSS_S_FAILURE; + goto fail; + } + } - if (mechanisms) { - if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status, - &mechs)) || - (cred->prerfc_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5_old, - &mechs))) || - (cred->rfc_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5, - &mechs)))) { - k5_mutex_unlock(&cred->lock); - if (ret_name) - krb5_free_principal(context, ret_name); - /* *minor_status set above */ - goto fail; - } - } + if (mechanisms) { + if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status, + &mechs)) || + (cred->prerfc_mech && + GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, + gss_mech_krb5_old, + &mechs))) || + (cred->rfc_mech && + GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, + gss_mech_krb5, + &mechs)))) { + k5_mutex_unlock(&cred->lock); + if (ret_name) + krb5_free_principal(context, ret_name); + /* *minor_status set above */ + goto fail; + } + } - if (name) { - if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) { - k5_mutex_unlock(&cred->lock); - if (cred_handle == GSS_C_NO_CREDENTIAL) - krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); + if (name) { + if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) { + k5_mutex_unlock(&cred->lock); + if (cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); - (void) gss_release_oid_set(minor_status, &mechs); - krb5_free_principal(context, ret_name); - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - krb5_free_context(context); - return(GSS_S_FAILURE); - } - if (ret_name != NULL) - *name = (gss_name_t) ret_name; - else - *name = GSS_C_NO_NAME; - } + (void) gss_release_oid_set(minor_status, &mechs); + krb5_free_principal(context, ret_name); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); + return(GSS_S_FAILURE); + } + if (ret_name != NULL) + *name = (gss_name_t) ret_name; + else + *name = GSS_C_NO_NAME; + } - if (lifetime_ret) - *lifetime_ret = lifetime; + if (lifetime_ret) + *lifetime_ret = lifetime; - if (cred_usage) - *cred_usage = cred->usage; - k5_mutex_unlock(&cred->lock); + if (cred_usage) + *cred_usage = cred->usage; + k5_mutex_unlock(&cred->lock); - if (mechanisms) - *mechanisms = mechs; + if (mechanisms) + *mechanisms = mechs; - if (cred_handle == GSS_C_NO_CREDENTIAL) - krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); + if (cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); - krb5_free_context(context); - *minor_status = 0; - return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE); + krb5_free_context(context); + *minor_status = 0; + return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE); fail: - if (cred_handle == GSS_C_NO_CREDENTIAL) { - OM_uint32 tmp_min_stat; + if (cred_handle == GSS_C_NO_CREDENTIAL) { + OM_uint32 tmp_min_stat; - krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred); - } - krb5_free_context(context); - return ret; + krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred); + } + krb5_free_context(context); + return ret; } /* V2 interface */ OM_uint32 krb5_gss_inquire_cred_by_mech(minor_status, cred_handle, - mech_type, name, initiator_lifetime, - acceptor_lifetime, cred_usage) - OM_uint32 *minor_status; - gss_cred_id_t cred_handle; - gss_OID mech_type; - gss_name_t *name; - OM_uint32 *initiator_lifetime; - OM_uint32 *acceptor_lifetime; + mech_type, name, initiator_lifetime, + acceptor_lifetime, cred_usage) + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; + gss_OID mech_type; + gss_name_t *name; + OM_uint32 *initiator_lifetime; + OM_uint32 *acceptor_lifetime; gss_cred_usage_t *cred_usage; { - krb5_gss_cred_id_t cred; - OM_uint32 lifetime; - OM_uint32 mstat; + krb5_gss_cred_id_t cred; + OM_uint32 lifetime; + OM_uint32 mstat; /* * We only know how to handle our own creds. */ if ((mech_type != GSS_C_NULL_OID) && - !g_OID_equal(gss_mech_krb5_old, mech_type) && - !g_OID_equal(gss_mech_krb5, mech_type)) { - *minor_status = 0; - return(GSS_S_NO_CRED); + !g_OID_equal(gss_mech_krb5_old, mech_type) && + !g_OID_equal(gss_mech_krb5, mech_type)) { + *minor_status = 0; + return(GSS_S_NO_CRED); } cred = (krb5_gss_cred_id_t) cred_handle; mstat = krb5_gss_inquire_cred(minor_status, - cred_handle, - name, - &lifetime, - cred_usage, - (gss_OID_set *) NULL); + cred_handle, + name, + &lifetime, + cred_usage, + (gss_OID_set *) NULL); if (mstat == GSS_S_COMPLETE) { - if (cred && - ((cred->usage == GSS_C_INITIATE) || - (cred->usage == GSS_C_BOTH)) && - initiator_lifetime) - *initiator_lifetime = lifetime; - if (cred && - ((cred->usage == GSS_C_ACCEPT) || - (cred->usage == GSS_C_BOTH)) && - acceptor_lifetime) - *acceptor_lifetime = lifetime; + if (cred && + ((cred->usage == GSS_C_INITIATE) || + (cred->usage == GSS_C_BOTH)) && + initiator_lifetime) + *initiator_lifetime = lifetime; + if (cred && + ((cred->usage == GSS_C_ACCEPT) || + (cred->usage == GSS_C_BOTH)) && + acceptor_lifetime) + *acceptor_lifetime = lifetime; } return(mstat); } - diff --git a/src/lib/gssapi/krb5/inq_names.c b/src/lib/gssapi/krb5/inq_names.c index c9e3dc9ad..2301b1ff4 100644 --- a/src/lib/gssapi/krb5/inq_names.c +++ b/src/lib/gssapi/krb5/inq_names.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/inq_names.c * @@ -32,68 +33,68 @@ OM_uint32 krb5_gss_inquire_names_for_mech(minor_status, mechanism, name_types) - OM_uint32 *minor_status; - gss_OID mechanism; - gss_OID_set *name_types; + OM_uint32 *minor_status; + gss_OID mechanism; + gss_OID_set *name_types; { - OM_uint32 major, minor; + OM_uint32 major, minor; /* * We only know how to handle our own mechanism. */ if ((mechanism != GSS_C_NULL_OID) && - !g_OID_equal(gss_mech_krb5, mechanism) && - !g_OID_equal(gss_mech_krb5_old, mechanism)) { - *minor_status = 0; - return(GSS_S_BAD_MECH); + !g_OID_equal(gss_mech_krb5, mechanism) && + !g_OID_equal(gss_mech_krb5_old, mechanism)) { + *minor_status = 0; + return(GSS_S_BAD_MECH); } /* We're okay. Create an empty OID set */ major = gss_create_empty_oid_set(minor_status, name_types); if (major == GSS_S_COMPLETE) { - /* Now add our members. */ - if ( - ((major = generic_gss_add_oid_set_member(minor_status, - gss_nt_user_name, - name_types) - ) == GSS_S_COMPLETE) && - ((major = generic_gss_add_oid_set_member(minor_status, - gss_nt_machine_uid_name, - name_types) - ) == GSS_S_COMPLETE) && - ((major = generic_gss_add_oid_set_member(minor_status, - gss_nt_string_uid_name, - name_types) - ) == GSS_S_COMPLETE) && - ((major = generic_gss_add_oid_set_member(minor_status, - gss_nt_service_name, - name_types) - ) == GSS_S_COMPLETE) && - ((major = generic_gss_add_oid_set_member(minor_status, - gss_nt_service_name_v2, - name_types) - ) == GSS_S_COMPLETE) && - ((major = generic_gss_add_oid_set_member(minor_status, - gss_nt_exported_name, - name_types) - ) == GSS_S_COMPLETE) && - ((major = generic_gss_add_oid_set_member(minor_status, - gss_nt_krb5_name, - name_types) - ) == GSS_S_COMPLETE) - ) { - major = generic_gss_add_oid_set_member(minor_status, - gss_nt_krb5_principal, - name_types); - } + /* Now add our members. */ + if ( + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_user_name, + name_types) + ) == GSS_S_COMPLETE) && + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_machine_uid_name, + name_types) + ) == GSS_S_COMPLETE) && + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_string_uid_name, + name_types) + ) == GSS_S_COMPLETE) && + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_service_name, + name_types) + ) == GSS_S_COMPLETE) && + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_service_name_v2, + name_types) + ) == GSS_S_COMPLETE) && + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_exported_name, + name_types) + ) == GSS_S_COMPLETE) && + ((major = generic_gss_add_oid_set_member(minor_status, + gss_nt_krb5_name, + name_types) + ) == GSS_S_COMPLETE) + ) { + major = generic_gss_add_oid_set_member(minor_status, + gss_nt_krb5_principal, + name_types); + } - /* - * If we choked, then release the set, but don't overwrite the minor - * status with the release call. - */ - if (major != GSS_S_COMPLETE) - (void) gss_release_oid_set(&minor, - name_types); + /* + * If we choked, then release the set, but don't overwrite the minor + * status with the release call. + */ + if (major != GSS_S_COMPLETE) + (void) gss_release_oid_set(&minor, + name_types); } return(major); } diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index e019e1b13..d51fb7344 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. * @@ -52,19 +53,19 @@ static krb5_error_code make_seal_token_v1 (krb5_context context, - krb5_keyblock *enc, - krb5_keyblock *seq, - gssint_uint64 *seqnum, - int direction, - gss_buffer_t text, - gss_buffer_t token, - int signalg, - size_t cksum_size, - int sealalg, - int do_encrypt, - int toktype, - int bigend, - gss_OID oid) + krb5_keyblock *enc, + krb5_keyblock *seq, + gssint_uint64 *seqnum, + int direction, + gss_buffer_t text, + gss_buffer_t token, + int signalg, + size_t cksum_size, + int sealalg, + int do_encrypt, + int toktype, + int bigend, + gss_OID oid) { krb5_error_code code; size_t sumlen; @@ -72,12 +73,12 @@ make_seal_token_v1 (krb5_context context, krb5_data plaind; krb5_checksum md5cksum; krb5_checksum cksum; - /* msglen contains the message length - * we are signing/encrypting. tmsglen - * contains the length of the message - * we plan to write out to the token. - * tlen is the length of the token - * including header. */ + /* msglen contains the message length + * we are signing/encrypting. tmsglen + * contains the length of the message + * we plan to write out to the token. + * tlen is the length of the token + * including header. */ unsigned conflen=0, tmsglen, tlen, msglen; unsigned char *t, *ptr; unsigned char *plain; @@ -89,30 +90,30 @@ make_seal_token_v1 (krb5_context context, /* create the token buffer */ /* Do we need confounder? */ if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG))) - conflen = kg_confounder_size(context, enc); + conflen = kg_confounder_size(context, enc); else conflen = 0; if (toktype == KG_TOK_SEAL_MSG) { - switch (sealalg) { - case SEAL_ALG_MICROSOFT_RC4: - msglen = conflen + text->length+1; - pad = 1; - break; - default: - /* XXX knows that des block size is 8 */ - msglen = (conflen+text->length+8)&(~7); - pad = 8-(text->length%8); - } - tmsglen = msglen; + switch (sealalg) { + case SEAL_ALG_MICROSOFT_RC4: + msglen = conflen + text->length+1; + pad = 1; + break; + default: + /* XXX knows that des block size is 8 */ + msglen = (conflen+text->length+8)&(~7); + pad = 8-(text->length%8); + } + tmsglen = msglen; } else { - tmsglen = 0; - msglen = text->length; - pad = 0; + tmsglen = 0; + msglen = text->length; + pad = 0; } tlen = g_token_size((gss_OID) oid, 14+cksum_size+tmsglen); if ((t = (unsigned char *) xmalloc(tlen)) == NULL) - return(ENOMEM); + return(ENOMEM); /*** fill in the token */ @@ -125,12 +126,12 @@ make_seal_token_v1 (krb5_context context, /* 2..3 SEAL_ALG or Filler */ if ((toktype == KG_TOK_SEAL_MSG) && do_encrypt) { - ptr[2] = sealalg & 0xff; - ptr[3] = (sealalg >> 8) & 0xff; + ptr[2] = sealalg & 0xff; + ptr[3] = (sealalg >> 8) & 0xff; } else { - /* No seal */ - ptr[2] = 0xff; - ptr[3] = 0xff; + /* No seal */ + ptr[2] = 0xff; + ptr[3] = 0xff; } /* 4..5 Filler */ @@ -143,40 +144,40 @@ make_seal_token_v1 (krb5_context context, switch (signalg) { case SGN_ALG_DES_MAC_MD5: case SGN_ALG_MD2_5: - md5cksum.checksum_type = CKSUMTYPE_RSA_MD5; - break; + md5cksum.checksum_type = CKSUMTYPE_RSA_MD5; + break; case SGN_ALG_HMAC_SHA1_DES3_KD: - md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3; - break; + md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3; + break; case SGN_ALG_HMAC_MD5: - md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR; - if (toktype != KG_TOK_SEAL_MSG) - sign_usage = 15; - break; + md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR; + if (toktype != KG_TOK_SEAL_MSG) + sign_usage = 15; + break; default: case SGN_ALG_DES_MAC: - abort (); + abort (); } code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen); if (code) { - xfree(t); - return(code); + xfree(t); + return(code); } md5cksum.length = sumlen; if ((plain = (unsigned char *) xmalloc(msglen ? msglen : 1)) == NULL) { - xfree(t); - return(ENOMEM); + xfree(t); + return(ENOMEM); } if (conflen) { - if ((code = kg_make_confounder(context, enc, plain))) { - xfree(plain); - xfree(t); - return(code); - } + if ((code = kg_make_confounder(context, enc, plain))) { + xfree(plain); + xfree(t); + return(code); + } } memcpy(plain+conflen, text->value, text->length); @@ -186,59 +187,59 @@ make_seal_token_v1 (krb5_context context, /* 8 = head of token body as specified by mech spec */ if (! (data_ptr = - (char *) xmalloc(8 + (bigend ? text->length : msglen)))) { - xfree(plain); - xfree(t); - return(ENOMEM); + (char *) xmalloc(8 + (bigend ? text->length : msglen)))) { + xfree(plain); + xfree(t); + return(ENOMEM); } (void) memcpy(data_ptr, ptr-2, 8); if (bigend) - (void) memcpy(data_ptr+8, text->value, text->length); + (void) memcpy(data_ptr+8, text->value, text->length); else - (void) memcpy(data_ptr+8, plain, msglen); + (void) memcpy(data_ptr+8, plain, msglen); plaind.length = 8 + (bigend ? text->length : msglen); plaind.data = data_ptr; code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq, - sign_usage, &plaind, &md5cksum); + sign_usage, &plaind, &md5cksum); xfree(data_ptr); if (code) { - xfree(plain); - xfree(t); - return(code); + xfree(plain); + xfree(t); + return(code); } switch(signalg) { case SGN_ALG_DES_MAC_MD5: case 3: - if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL, - (g_OID_equal(oid, gss_mech_krb5_old) ? - seq->contents : NULL), - md5cksum.contents, md5cksum.contents, 16))) { - krb5_free_checksum_contents(context, &md5cksum); - xfree (plain); - xfree(t); - return code; - } + if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL, + (g_OID_equal(oid, gss_mech_krb5_old) ? + seq->contents : NULL), + md5cksum.contents, md5cksum.contents, 16))) { + krb5_free_checksum_contents(context, &md5cksum); + xfree (plain); + xfree(t); + return code; + } - cksum.length = cksum_size; - cksum.contents = md5cksum.contents + 16 - cksum.length; + cksum.length = cksum_size; + cksum.contents = md5cksum.contents + 16 - cksum.length; - memcpy(ptr+14, cksum.contents, cksum.length); - break; + memcpy(ptr+14, cksum.contents, cksum.length); + break; case SGN_ALG_HMAC_SHA1_DES3_KD: - /* - * Using key derivation, the call to krb5_c_make_checksum - * already dealt with encrypting. - */ - if (md5cksum.length != cksum_size) - abort (); - memcpy (ptr+14, md5cksum.contents, md5cksum.length); - break; + /* + * Using key derivation, the call to krb5_c_make_checksum + * already dealt with encrypting. + */ + if (md5cksum.length != cksum_size) + abort (); + memcpy (ptr+14, md5cksum.contents, md5cksum.length); + break; case SGN_ALG_HMAC_MD5: - memcpy (ptr+14, md5cksum.contents, cksum_size); - break; + memcpy (ptr+14, md5cksum.contents, cksum_size); + break; } krb5_free_checksum_contents(context, &md5cksum); @@ -246,61 +247,61 @@ make_seal_token_v1 (krb5_context context, /* create the seq_num */ if ((code = kg_make_seq_num(context, seq, direction?0:0xff, *seqnum, - ptr+14, ptr+6))) { - xfree (plain); - xfree(t); - return(code); + ptr+14, ptr+6))) { + xfree (plain); + xfree(t); + return(code); } if (do_encrypt) { - switch(sealalg) { - case SEAL_ALG_MICROSOFT_RC4: - { - unsigned char bigend_seqnum[4]; - krb5_keyblock *enc_key; - int i; - bigend_seqnum[0] = (*seqnum>>24) & 0xff; - bigend_seqnum[1] = (*seqnum>>16) & 0xff; - bigend_seqnum[2] = (*seqnum>>8) & 0xff; - bigend_seqnum[3] = *seqnum & 0xff; - code = krb5_copy_keyblock (context, enc, &enc_key); - if (code) - { - xfree(plain); - xfree(t); - return(code); - } - assert (enc_key->length == 16); - for (i = 0; i <= 15; i++) - ((char *) enc_key->contents)[i] ^=0xf0; - code = kg_arcfour_docrypt (enc_key, 0, - bigend_seqnum, 4, - plain, tmsglen, - ptr+14+cksum_size); - krb5_free_keyblock (context, enc_key); - if (code) - { - xfree(plain); - xfree(t); - return(code); - } - } - break; - default: - if ((code = kg_encrypt(context, enc, KG_USAGE_SEAL, NULL, - (krb5_pointer) plain, - (krb5_pointer) (ptr+cksum_size+14), - tmsglen))) { - xfree(plain); - xfree(t); - return(code); - } - } + switch(sealalg) { + case SEAL_ALG_MICROSOFT_RC4: + { + unsigned char bigend_seqnum[4]; + krb5_keyblock *enc_key; + int i; + bigend_seqnum[0] = (*seqnum>>24) & 0xff; + bigend_seqnum[1] = (*seqnum>>16) & 0xff; + bigend_seqnum[2] = (*seqnum>>8) & 0xff; + bigend_seqnum[3] = *seqnum & 0xff; + code = krb5_copy_keyblock (context, enc, &enc_key); + if (code) + { + xfree(plain); + xfree(t); + return(code); + } + assert (enc_key->length == 16); + for (i = 0; i <= 15; i++) + ((char *) enc_key->contents)[i] ^=0xf0; + code = kg_arcfour_docrypt (enc_key, 0, + bigend_seqnum, 4, + plain, tmsglen, + ptr+14+cksum_size); + krb5_free_keyblock (context, enc_key); + if (code) + { + xfree(plain); + xfree(t); + return(code); + } + } + break; + default: + if ((code = kg_encrypt(context, enc, KG_USAGE_SEAL, NULL, + (krb5_pointer) plain, + (krb5_pointer) (ptr+cksum_size+14), + tmsglen))) { + xfree(plain); + xfree(t); + return(code); + } + } }else { - if (tmsglen) - memcpy(ptr+14+cksum_size, plain, tmsglen); + if (tmsglen) + memcpy(ptr+14+cksum_size, plain, tmsglen); } - xfree(plain); + xfree(plain); /* that's it. return the token */ @@ -319,7 +320,7 @@ make_seal_token_v1 (krb5_context context, OM_uint32 kg_seal(minor_status, context_handle, conf_req_flag, qop_req, - input_message_buffer, conf_state, output_message_buffer, toktype) + input_message_buffer, conf_state, output_message_buffer, toktype) OM_uint32 *minor_status; gss_ctx_id_t context_handle; int conf_req_flag; @@ -339,64 +340,64 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, /* Only default qop or matching established cryptosystem is allowed. - There are NO EXTENSIONS to this set for AES and friends! The - new spec says "just use 0". The old spec plus extensions would - actually allow for certain non-zero values. Fix this to handle - them later. */ + There are NO EXTENSIONS to this set for AES and friends! The + new spec says "just use 0". The old spec plus extensions would + actually allow for certain non-zero values. Fix this to handle + them later. */ if (qop_req != 0) { - *minor_status = (OM_uint32) G_UNKNOWN_QOP; - return GSS_S_FAILURE; + *minor_status = (OM_uint32) G_UNKNOWN_QOP; + return GSS_S_FAILURE; } /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); } ctx = (krb5_gss_ctx_id_rec *) context_handle; if (! ctx->established) { - *minor_status = KG_CTX_INCOMPLETE; - return(GSS_S_NO_CONTEXT); + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); } context = ctx->k5_context; if ((code = krb5_timeofday(context, &now))) { - *minor_status = code; - save_error_info(*minor_status, context); - return(GSS_S_FAILURE); + *minor_status = code; + save_error_info(*minor_status, context); + return(GSS_S_FAILURE); } switch (ctx->proto) { case 0: - code = make_seal_token_v1(context, ctx->enc, ctx->seq, - &ctx->seq_send, ctx->initiate, - input_message_buffer, output_message_buffer, - ctx->signalg, ctx->cksum_size, ctx->sealalg, - conf_req_flag, toktype, ctx->big_endian, - ctx->mech_used); - break; + code = make_seal_token_v1(context, ctx->enc, ctx->seq, + &ctx->seq_send, ctx->initiate, + input_message_buffer, output_message_buffer, + ctx->signalg, ctx->cksum_size, ctx->sealalg, + conf_req_flag, toktype, ctx->big_endian, + ctx->mech_used); + break; case 1: - code = gss_krb5int_make_seal_token_v3(context, ctx, - input_message_buffer, - output_message_buffer, - conf_req_flag, toktype); - break; + code = gss_krb5int_make_seal_token_v3(context, ctx, + input_message_buffer, + output_message_buffer, + conf_req_flag, toktype); + break; default: - code = G_UNKNOWN_QOP; /* XXX */ - break; + code = G_UNKNOWN_QOP; /* XXX */ + break; } if (code) { - *minor_status = code; - save_error_info(*minor_status, context); - return(GSS_S_FAILURE); + *minor_status = code; + save_error_info(*minor_status, context); + return(GSS_S_FAILURE); } if (conf_state) - *conf_state = conf_req_flag; + *conf_state = conf_req_flag; *minor_status = 0; return((ctx->endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE); diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c index c8a168a17..53da04d8d 100644 --- a/src/lib/gssapi/krb5/k5sealv3.c +++ b/src/lib/gssapi/krb5/k5sealv3.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/k5sealv3.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,14 +23,14 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * */ /* draft-ietf-krb-wg-gssapi-cfx-05 */ #include <assert.h> -#include "k5-platform.h" /* for 64-bit support */ -#include "k5-int.h" /* for zap() */ +#include "k5-platform.h" /* for 64-bit support */ +#include "k5-int.h" /* for zap() */ #include "gssapiP_krb5.h" #include <stdarg.h> @@ -44,14 +45,14 @@ rotate_left (void *ptr, size_t bufsiz, size_t rc) void *tbuf; if (bufsiz == 0) - return 1; + return 1; rc = rc % bufsiz; if (rc == 0) - return 1; + return 1; tbuf = malloc(rc); if (tbuf == 0) - return 0; + return 0; memcpy(tbuf, ptr, rc); memmove(ptr, (char *)ptr + rc, bufsiz - rc); memcpy((char *)ptr + bufsiz - rc, tbuf, rc); @@ -61,16 +62,16 @@ rotate_left (void *ptr, size_t bufsiz, size_t rc) static const gss_buffer_desc empty_message = { 0, 0 }; -#define FLAG_SENDER_IS_ACCEPTOR 0x01 -#define FLAG_WRAP_CONFIDENTIAL 0x02 -#define FLAG_ACCEPTOR_SUBKEY 0x04 +#define FLAG_SENDER_IS_ACCEPTOR 0x01 +#define FLAG_WRAP_CONFIDENTIAL 0x02 +#define FLAG_ACCEPTOR_SUBKEY 0x04 krb5_error_code gss_krb5int_make_seal_token_v3 (krb5_context context, - krb5_gss_ctx_id_rec *ctx, - const gss_buffer_desc * message, - gss_buffer_t token, - int conf_req_flag, int toktype) + krb5_gss_ctx_id_rec *ctx, + const gss_buffer_desc * message, + gss_buffer_t token, + int conf_req_flag, int toktype) { size_t bufsize = 16; unsigned char *outbuf = 0; @@ -91,196 +92,196 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; key_usage = (toktype == KG_TOK_WRAP_MSG - ? (ctx->initiate - ? KG_USAGE_INITIATOR_SEAL - : KG_USAGE_ACCEPTOR_SEAL) - : (ctx->initiate - ? KG_USAGE_INITIATOR_SIGN - : KG_USAGE_ACCEPTOR_SIGN)); + ? (ctx->initiate + ? KG_USAGE_INITIATOR_SEAL + : KG_USAGE_ACCEPTOR_SEAL) + : (ctx->initiate + ? KG_USAGE_INITIATOR_SIGN + : KG_USAGE_ACCEPTOR_SIGN)); if (ctx->have_acceptor_subkey) { - key = ctx->acceptor_subkey; + key = ctx->acceptor_subkey; } else { - key = ctx->enc; + key = ctx->enc; } #ifdef CFX_EXERCISE { - static int initialized = 0; - if (!initialized) { - srand(time(0)); - initialized = 1; - } + static int initialized = 0; + if (!initialized) { + srand(time(0)); + initialized = 1; + } } #endif if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { - krb5_data plain; - krb5_enc_data cipher; - size_t ec_max; - - /* 300: Adds some slop. */ - if (SIZE_MAX - 300 < message->length) - return ENOMEM; - ec_max = SIZE_MAX - message->length - 300; - if (ec_max > 0xffff) - ec_max = 0xffff; + krb5_data plain; + krb5_enc_data cipher; + size_t ec_max; + + /* 300: Adds some slop. */ + if (SIZE_MAX - 300 < message->length) + return ENOMEM; + ec_max = SIZE_MAX - message->length - 300; + if (ec_max > 0xffff) + ec_max = 0xffff; #ifdef CFX_EXERCISE - /* For testing only. For performance, always set ec = 0. */ - ec = ec_max & rand(); + /* For testing only. For performance, always set ec = 0. */ + ec = ec_max & rand(); #else - ec = 0; + ec = 0; #endif - plain.length = message->length + 16 + ec; - plain.data = malloc(message->length + 16 + ec); - if (plain.data == NULL) - return ENOMEM; - - /* Get size of ciphertext. */ - bufsize = 16 + krb5_encrypt_size (plain.length, ctx->enc->enctype); - /* Allocate space for header plus encrypted data. */ - outbuf = malloc(bufsize); - if (outbuf == NULL) { - free(plain.data); - return ENOMEM; - } - - /* TOK_ID */ - store_16_be(0x0504, outbuf); - /* flags */ - outbuf[2] = (acceptor_flag - | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0) - | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); - /* filler */ - outbuf[3] = 0xff; - /* EC */ - store_16_be(ec, outbuf+4); - /* RRC */ - store_16_be(0, outbuf+6); - store_64_be(ctx->seq_send, outbuf+8); - - memcpy(plain.data, message->value, message->length); - memset(plain.data + message->length, 'x', ec); - memcpy(plain.data + message->length + ec, outbuf, 16); - - cipher.ciphertext.data = outbuf + 16; - cipher.ciphertext.length = bufsize - 16; - cipher.enctype = key->enctype; - err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher); - zap(plain.data, plain.length); - free(plain.data); - plain.data = 0; - if (err) - goto error; - - /* Now that we know we're returning a valid token.... */ - ctx->seq_send++; + plain.length = message->length + 16 + ec; + plain.data = malloc(message->length + 16 + ec); + if (plain.data == NULL) + return ENOMEM; + + /* Get size of ciphertext. */ + bufsize = 16 + krb5_encrypt_size (plain.length, ctx->enc->enctype); + /* Allocate space for header plus encrypted data. */ + outbuf = malloc(bufsize); + if (outbuf == NULL) { + free(plain.data); + return ENOMEM; + } + + /* TOK_ID */ + store_16_be(0x0504, outbuf); + /* flags */ + outbuf[2] = (acceptor_flag + | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0) + | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); + /* filler */ + outbuf[3] = 0xff; + /* EC */ + store_16_be(ec, outbuf+4); + /* RRC */ + store_16_be(0, outbuf+6); + store_64_be(ctx->seq_send, outbuf+8); + + memcpy(plain.data, message->value, message->length); + memset(plain.data + message->length, 'x', ec); + memcpy(plain.data + message->length + ec, outbuf, 16); + + cipher.ciphertext.data = outbuf + 16; + cipher.ciphertext.length = bufsize - 16; + cipher.enctype = key->enctype; + err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher); + zap(plain.data, plain.length); + free(plain.data); + plain.data = 0; + if (err) + goto error; + + /* Now that we know we're returning a valid token.... */ + ctx->seq_send++; #ifdef CFX_EXERCISE - rrc = rand() & 0xffff; - if (rotate_left(outbuf+16, bufsize-16, - (bufsize-16) - (rrc % (bufsize - 16)))) - store_16_be(rrc, outbuf+6); - /* If the rotate fails, don't worry about it. */ + rrc = rand() & 0xffff; + if (rotate_left(outbuf+16, bufsize-16, + (bufsize-16) - (rrc % (bufsize - 16)))) + store_16_be(rrc, outbuf+6); + /* If the rotate fails, don't worry about it. */ #endif } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) { - krb5_data plain; + krb5_data plain; - /* Here, message is the application-supplied data; message2 is - what goes into the output token. They may be the same, or - message2 may be empty (for MIC). */ + /* Here, message is the application-supplied data; message2 is + what goes into the output token. They may be the same, or + message2 may be empty (for MIC). */ - tok_id = 0x0504; + tok_id = 0x0504; wrap_with_checksum: - plain.length = message->length + 16; - plain.data = malloc(message->length + 16); - if (plain.data == NULL) - return ENOMEM; - - if (ctx->cksum_size > 0xffff) - abort(); - - bufsize = 16 + message2->length + ctx->cksum_size; - outbuf = malloc(bufsize); - if (outbuf == NULL) { - free(plain.data); - plain.data = 0; - err = ENOMEM; - goto error; - } - - /* TOK_ID */ - store_16_be(tok_id, outbuf); - /* flags */ - outbuf[2] = (acceptor_flag - | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); - /* filler */ - outbuf[3] = 0xff; - if (toktype == KG_TOK_WRAP_MSG) { - /* Use 0 for checksum calculation, substitute - checksum length later. */ - /* EC */ - store_16_be(0, outbuf+4); - /* RRC */ - store_16_be(0, outbuf+6); - } else { - /* MIC and DEL store 0xFF in EC and RRC. */ - store_16_be(0xffff, outbuf+4); - store_16_be(0xffff, outbuf+6); - } - store_64_be(ctx->seq_send, outbuf+8); - - memcpy(plain.data, message->value, message->length); - memcpy(plain.data + message->length, outbuf, 16); - - /* Fill in the output token -- data contents, if any, and - space for the checksum. */ - if (message2->length) - memcpy(outbuf + 16, message2->value, message2->length); - - sum.contents = outbuf + 16 + message2->length; - sum.length = ctx->cksum_size; - - err = krb5_c_make_checksum(context, ctx->cksumtype, key, - key_usage, &plain, &sum); - zap(plain.data, plain.length); - free(plain.data); - plain.data = 0; - if (err) { - zap(outbuf,bufsize); - goto error; - } - if (sum.length != ctx->cksum_size) - abort(); - memcpy(outbuf + 16 + message2->length, sum.contents, ctx->cksum_size); - krb5_free_checksum_contents(context, &sum); - sum.contents = 0; - /* Now that we know we're actually generating the token... */ - ctx->seq_send++; - - if (toktype == KG_TOK_WRAP_MSG) { + plain.length = message->length + 16; + plain.data = malloc(message->length + 16); + if (plain.data == NULL) + return ENOMEM; + + if (ctx->cksum_size > 0xffff) + abort(); + + bufsize = 16 + message2->length + ctx->cksum_size; + outbuf = malloc(bufsize); + if (outbuf == NULL) { + free(plain.data); + plain.data = 0; + err = ENOMEM; + goto error; + } + + /* TOK_ID */ + store_16_be(tok_id, outbuf); + /* flags */ + outbuf[2] = (acceptor_flag + | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); + /* filler */ + outbuf[3] = 0xff; + if (toktype == KG_TOK_WRAP_MSG) { + /* Use 0 for checksum calculation, substitute + checksum length later. */ + /* EC */ + store_16_be(0, outbuf+4); + /* RRC */ + store_16_be(0, outbuf+6); + } else { + /* MIC and DEL store 0xFF in EC and RRC. */ + store_16_be(0xffff, outbuf+4); + store_16_be(0xffff, outbuf+6); + } + store_64_be(ctx->seq_send, outbuf+8); + + memcpy(plain.data, message->value, message->length); + memcpy(plain.data + message->length, outbuf, 16); + + /* Fill in the output token -- data contents, if any, and + space for the checksum. */ + if (message2->length) + memcpy(outbuf + 16, message2->value, message2->length); + + sum.contents = outbuf + 16 + message2->length; + sum.length = ctx->cksum_size; + + err = krb5_c_make_checksum(context, ctx->cksumtype, key, + key_usage, &plain, &sum); + zap(plain.data, plain.length); + free(plain.data); + plain.data = 0; + if (err) { + zap(outbuf,bufsize); + goto error; + } + if (sum.length != ctx->cksum_size) + abort(); + memcpy(outbuf + 16 + message2->length, sum.contents, ctx->cksum_size); + krb5_free_checksum_contents(context, &sum); + sum.contents = 0; + /* Now that we know we're actually generating the token... */ + ctx->seq_send++; + + if (toktype == KG_TOK_WRAP_MSG) { #ifdef CFX_EXERCISE - rrc = rand() & 0xffff; - /* If the rotate fails, don't worry about it. */ - if (rotate_left(outbuf+16, bufsize-16, - (bufsize-16) - (rrc % (bufsize - 16)))) - store_16_be(rrc, outbuf+6); + rrc = rand() & 0xffff; + /* If the rotate fails, don't worry about it. */ + if (rotate_left(outbuf+16, bufsize-16, + (bufsize-16) - (rrc % (bufsize - 16)))) + store_16_be(rrc, outbuf+6); #endif - /* Fix up EC field. */ - store_16_be(ctx->cksum_size, outbuf+4); - } else { - store_16_be(0xffff, outbuf+6); - } + /* Fix up EC field. */ + store_16_be(ctx->cksum_size, outbuf+4); + } else { + store_16_be(0xffff, outbuf+6); + } } else if (toktype == KG_TOK_MIC_MSG) { - tok_id = 0x0404; - message2 = &empty_message; - goto wrap_with_checksum; + tok_id = 0x0404; + message2 = &empty_message; + goto wrap_with_checksum; } else if (toktype == KG_TOK_DEL_CTX) { - tok_id = 0x0405; - message = message2 = &empty_message; - goto wrap_with_checksum; + tok_id = 0x0405; + message = message2 = &empty_message; + goto wrap_with_checksum; } else - abort(); + abort(); token->value = outbuf; token->length = bufsize; @@ -298,11 +299,11 @@ error: OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr, - OM_uint32 *minor_status, - krb5_gss_ctx_id_rec *ctx, - unsigned char *ptr, unsigned int bodysize, - gss_buffer_t message_buffer, - int *conf_state, int *qop_state, int toktype) + OM_uint32 *minor_status, + krb5_gss_ctx_id_rec *ctx, + unsigned char *ptr, unsigned int bodysize, + gss_buffer_t message_buffer, + int *conf_state, int *qop_state, int toktype) { krb5_context context = *contextptr; krb5_data plain; @@ -320,16 +321,16 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, assert(ctx->proto == 1); if (qop_state) - *qop_state = GSS_C_QOP_DEFAULT; + *qop_state = GSS_C_QOP_DEFAULT; acceptor_flag = ctx->initiate ? FLAG_SENDER_IS_ACCEPTOR : 0; key_usage = (toktype == KG_TOK_WRAP_MSG - ? (!ctx->initiate - ? KG_USAGE_INITIATOR_SEAL - : KG_USAGE_ACCEPTOR_SEAL) - : (!ctx->initiate - ? KG_USAGE_INITIATOR_SIGN - : KG_USAGE_ACCEPTOR_SIGN)); + ? (!ctx->initiate + ? KG_USAGE_INITIATOR_SEAL + : KG_USAGE_ACCEPTOR_SEAL) + : (!ctx->initiate + ? KG_USAGE_INITIATOR_SIGN + : KG_USAGE_ACCEPTOR_SIGN)); /* Oops. I wrote this code assuming ptr would be at the start of the token header. */ @@ -338,174 +339,174 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, if (bodysize < 16) { defective: - *minor_status = 0; - return GSS_S_DEFECTIVE_TOKEN; + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; } if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) { - *minor_status = G_BAD_DIRECTION; - return GSS_S_BAD_SIG; + *minor_status = G_BAD_DIRECTION; + return GSS_S_BAD_SIG; } /* Two things to note here. - First, we can't really enforce the use of the acceptor's subkey, - if we're the acceptor; the initiator may have sent messages - before getting the subkey. We could probably enforce it if - we're the initiator. - - Second, if someone tweaks the code to not set the flag telling - the krb5 library to generate a new subkey in the AP-REP - message, the MIT library may include a subkey anyways -- - namely, a copy of the AP-REQ subkey, if it was provided. So - the initiator may think we wanted a subkey, and set the flag, - even though we weren't trying to set the subkey. The "other" - key, the one not asserted by the acceptor, will have the same - value in that case, though, so we can just ignore the flag. */ + First, we can't really enforce the use of the acceptor's subkey, + if we're the acceptor; the initiator may have sent messages + before getting the subkey. We could probably enforce it if + we're the initiator. + + Second, if someone tweaks the code to not set the flag telling + the krb5 library to generate a new subkey in the AP-REP + message, the MIT library may include a subkey anyways -- + namely, a copy of the AP-REQ subkey, if it was provided. So + the initiator may think we wanted a subkey, and set the flag, + even though we weren't trying to set the subkey. The "other" + key, the one not asserted by the acceptor, will have the same + value in that case, though, so we can just ignore the flag. */ if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) { - key = ctx->acceptor_subkey; + key = ctx->acceptor_subkey; } else { - key = ctx->enc; + key = ctx->enc; } if (toktype == KG_TOK_WRAP_MSG) { - if (load_16_be(ptr) != 0x0504) - goto defective; - if (ptr[3] != 0xff) - goto defective; - ec = load_16_be(ptr+4); - rrc = load_16_be(ptr+6); - seqnum = load_64_be(ptr+8); - if (!rotate_left(ptr+16, bodysize-16, rrc)) { - no_mem: - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) { - /* confidentiality */ - krb5_enc_data cipher; - unsigned char *althdr; - - if (conf_state) - *conf_state = 1; - /* Do we have no decrypt_size function? - - For all current cryptosystems, the ciphertext size will - be larger than the plaintext size. */ - cipher.enctype = key->enctype; - cipher.ciphertext.length = bodysize - 16; - cipher.ciphertext.data = ptr + 16; - plain.length = bodysize - 16; - plain.data = malloc(plain.length); - if (plain.data == NULL) - goto no_mem; - err = krb5_c_decrypt(context, key, key_usage, 0, - &cipher, &plain); - if (err) { - free(plain.data); - goto error; - } - /* Don't use bodysize here! Use the fact that - cipher.ciphertext.length has been adjusted to the - correct length. */ - althdr = plain.data + plain.length - 16; - if (load_16_be(althdr) != 0x0504 - || althdr[2] != ptr[2] - || althdr[3] != ptr[3] - || memcmp(althdr+8, ptr+8, 8)) { - free(plain.data); - goto defective; - } - message_buffer->value = plain.data; - message_buffer->length = plain.length - ec - 16; - if(message_buffer->length == 0) { - free(message_buffer->value); - message_buffer->value = NULL; - } - } else { - /* no confidentiality */ - if (conf_state) - *conf_state = 0; - if (ec + 16 < ec) - /* overflow check */ - goto defective; - if (ec + 16 > bodysize) - goto defective; - /* We have: header | msg | cksum. - We need cksum(msg | header). - Rotate the first two. */ - store_16_be(0, ptr+4); - store_16_be(0, ptr+6); - plain.length = bodysize-ec; - plain.data = ptr; - if (!rotate_left(ptr, bodysize-ec, 16)) - goto no_mem; - sum.length = ec; - if (sum.length != ctx->cksum_size) { - *minor_status = 0; - return GSS_S_BAD_SIG; - } - sum.contents = ptr+bodysize-ec; - sum.checksum_type = ctx->cksumtype; - err = krb5_c_verify_checksum(context, key, key_usage, - &plain, &sum, &valid); - if (err) - goto error; - if (!valid) { - *minor_status = 0; - return GSS_S_BAD_SIG; - } - message_buffer->length = plain.length - 16; - message_buffer->value = malloc(message_buffer->length); - if (message_buffer->value == NULL) - goto no_mem; - memcpy(message_buffer->value, plain.data, message_buffer->length); - } - err = g_order_check(&ctx->seqstate, seqnum); - *minor_status = 0; - return err; + if (load_16_be(ptr) != 0x0504) + goto defective; + if (ptr[3] != 0xff) + goto defective; + ec = load_16_be(ptr+4); + rrc = load_16_be(ptr+6); + seqnum = load_64_be(ptr+8); + if (!rotate_left(ptr+16, bodysize-16, rrc)) { + no_mem: + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) { + /* confidentiality */ + krb5_enc_data cipher; + unsigned char *althdr; + + if (conf_state) + *conf_state = 1; + /* Do we have no decrypt_size function? + + For all current cryptosystems, the ciphertext size will + be larger than the plaintext size. */ + cipher.enctype = key->enctype; + cipher.ciphertext.length = bodysize - 16; + cipher.ciphertext.data = ptr + 16; + plain.length = bodysize - 16; + plain.data = malloc(plain.length); + if (plain.data == NULL) + goto no_mem; + err = krb5_c_decrypt(context, key, key_usage, 0, + &cipher, &plain); + if (err) { + free(plain.data); + goto error; + } + /* Don't use bodysize here! Use the fact that + cipher.ciphertext.length has been adjusted to the + correct length. */ + althdr = plain.data + plain.length - 16; + if (load_16_be(althdr) != 0x0504 + || althdr[2] != ptr[2] + || althdr[3] != ptr[3] + || memcmp(althdr+8, ptr+8, 8)) { + free(plain.data); + goto defective; + } + message_buffer->value = plain.data; + message_buffer->length = plain.length - ec - 16; + if(message_buffer->length == 0) { + free(message_buffer->value); + message_buffer->value = NULL; + } + } else { + /* no confidentiality */ + if (conf_state) + *conf_state = 0; + if (ec + 16 < ec) + /* overflow check */ + goto defective; + if (ec + 16 > bodysize) + goto defective; + /* We have: header | msg | cksum. + We need cksum(msg | header). + Rotate the first two. */ + store_16_be(0, ptr+4); + store_16_be(0, ptr+6); + plain.length = bodysize-ec; + plain.data = ptr; + if (!rotate_left(ptr, bodysize-ec, 16)) + goto no_mem; + sum.length = ec; + if (sum.length != ctx->cksum_size) { + *minor_status = 0; + return GSS_S_BAD_SIG; + } + sum.contents = ptr+bodysize-ec; + sum.checksum_type = ctx->cksumtype; + err = krb5_c_verify_checksum(context, key, key_usage, + &plain, &sum, &valid); + if (err) + goto error; + if (!valid) { + *minor_status = 0; + return GSS_S_BAD_SIG; + } + message_buffer->length = plain.length - 16; + message_buffer->value = malloc(message_buffer->length); + if (message_buffer->value == NULL) + goto no_mem; + memcpy(message_buffer->value, plain.data, message_buffer->length); + } + err = g_order_check(&ctx->seqstate, seqnum); + *minor_status = 0; + return err; } else if (toktype == KG_TOK_MIC_MSG) { - /* wrap token, no confidentiality */ - if (load_16_be(ptr) != 0x0404) - goto defective; + /* wrap token, no confidentiality */ + if (load_16_be(ptr) != 0x0404) + goto defective; verify_mic_1: - if (ptr[3] != 0xff) - goto defective; - if (load_32_be(ptr+4) != 0xffffffffL) - goto defective; - seqnum = load_64_be(ptr+8); - plain.length = message_buffer->length + 16; - plain.data = malloc(plain.length); - if (plain.data == NULL) - goto no_mem; - if (message_buffer->length) - memcpy(plain.data, message_buffer->value, message_buffer->length); - memcpy(plain.data + message_buffer->length, ptr, 16); - sum.length = bodysize - 16; - sum.contents = ptr + 16; - sum.checksum_type = ctx->cksumtype; - err = krb5_c_verify_checksum(context, key, key_usage, - &plain, &sum, &valid); - free(plain.data); - plain.data = NULL; - if (err) { - error: - *minor_status = err; - save_error_info(*minor_status, context); - return GSS_S_BAD_SIG; /* XXX */ - } - if (!valid) { - *minor_status = 0; - return GSS_S_BAD_SIG; - } - err = g_order_check(&ctx->seqstate, seqnum); - *minor_status = 0; - return err; + if (ptr[3] != 0xff) + goto defective; + if (load_32_be(ptr+4) != 0xffffffffL) + goto defective; + seqnum = load_64_be(ptr+8); + plain.length = message_buffer->length + 16; + plain.data = malloc(plain.length); + if (plain.data == NULL) + goto no_mem; + if (message_buffer->length) + memcpy(plain.data, message_buffer->value, message_buffer->length); + memcpy(plain.data + message_buffer->length, ptr, 16); + sum.length = bodysize - 16; + sum.contents = ptr + 16; + sum.checksum_type = ctx->cksumtype; + err = krb5_c_verify_checksum(context, key, key_usage, + &plain, &sum, &valid); + free(plain.data); + plain.data = NULL; + if (err) { + error: + *minor_status = err; + save_error_info(*minor_status, context); + return GSS_S_BAD_SIG; /* XXX */ + } + if (!valid) { + *minor_status = 0; + return GSS_S_BAD_SIG; + } + err = g_order_check(&ctx->seqstate, seqnum); + *minor_status = 0; + return err; } else if (toktype == KG_TOK_DEL_CTX) { - if (load_16_be(ptr) != 0x0405) - goto defective; - message_buffer = &empty_message; - goto verify_mic_1; + if (load_16_be(ptr) != 0x0405) + goto defective; + message_buffer = &empty_message; + goto verify_mic_1; } else { - goto defective; + goto defective; } } diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index 72afb4576..f80be3fa2 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 2001, 2007 by the Massachusetts Institute of Technology. * Copyright 1993 by OpenVision Technologies, Inc. @@ -58,7 +59,7 @@ static OM_uint32 kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - conf_state, qop_state, toktype) + conf_state, qop_state, toktype) krb5_context context; OM_uint32 *minor_status; krb5_gss_ctx_id_rec *ctx; @@ -89,8 +90,8 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, krb5_keyusage sign_usage = KG_USAGE_SIGN; if (toktype == KG_TOK_SEAL_MSG) { - message_buffer->length = 0; - message_buffer->value = NULL; + message_buffer->length = 0; + message_buffer->value = NULL; } /* get the sign and seal algorithms */ @@ -101,141 +102,141 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, /* Sanity checks */ if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) { - *minor_status = 0; - return GSS_S_DEFECTIVE_TOKEN; + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; } if ((toktype != KG_TOK_SEAL_MSG) && - (sealalg != 0xffff)) { - *minor_status = 0; - return GSS_S_DEFECTIVE_TOKEN; + (sealalg != 0xffff)) { + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; } /* in the current spec, there is only one valid seal algorithm per key type, so a simple comparison is ok */ if ((toktype == KG_TOK_SEAL_MSG) && - !((sealalg == 0xffff) || - (sealalg == ctx->sealalg))) { - *minor_status = 0; - return GSS_S_DEFECTIVE_TOKEN; + !((sealalg == 0xffff) || + (sealalg == ctx->sealalg))) { + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; } /* there are several mappings of seal algorithms to sign algorithms, but few enough that we can try them all. */ if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) || - (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) || - (ctx->sealalg == SEAL_ALG_DES3KD && - signalg != SGN_ALG_HMAC_SHA1_DES3_KD)|| - (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 && - signalg != SGN_ALG_HMAC_MD5)) { - *minor_status = 0; - return GSS_S_DEFECTIVE_TOKEN; + (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) || + (ctx->sealalg == SEAL_ALG_DES3KD && + signalg != SGN_ALG_HMAC_SHA1_DES3_KD)|| + (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 && + signalg != SGN_ALG_HMAC_MD5)) { + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; } switch (signalg) { case SGN_ALG_DES_MAC_MD5: case SGN_ALG_MD2_5: case SGN_ALG_HMAC_MD5: - cksum_len = 8; - if (toktype != KG_TOK_SEAL_MSG) - sign_usage = 15; - break; + cksum_len = 8; + if (toktype != KG_TOK_SEAL_MSG) + sign_usage = 15; + break; case SGN_ALG_3: - cksum_len = 16; - break; + cksum_len = 16; + break; case SGN_ALG_HMAC_SHA1_DES3_KD: - cksum_len = 20; - break; + cksum_len = 20; + break; default: - *minor_status = 0; - return GSS_S_DEFECTIVE_TOKEN; + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; } /* get the token parameters */ if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction, - &seqnum))) { - *minor_status = code; - return(GSS_S_BAD_SIG); + &seqnum))) { + *minor_status = code; + return(GSS_S_BAD_SIG); } /* decode the message, if SEAL */ if (toktype == KG_TOK_SEAL_MSG) { - int tmsglen = bodysize-(14+cksum_len); - if (sealalg != 0xffff) { - if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - if (ctx->enc->enctype == ENCTYPE_ARCFOUR_HMAC) { - unsigned char bigend_seqnum[4]; - krb5_keyblock *enc_key; - int i; - bigend_seqnum[0] = (seqnum>>24) & 0xff; - bigend_seqnum[1] = (seqnum>>16) & 0xff; - bigend_seqnum[2] = (seqnum>>8) & 0xff; - bigend_seqnum[3] = seqnum & 0xff; - code = krb5_copy_keyblock (context, ctx->enc, &enc_key); - if (code) - { - xfree(plain); - *minor_status = code; - return(GSS_S_FAILURE); - } - - assert (enc_key->length == 16); - for (i = 0; i <= 15; i++) - ((char *) enc_key->contents)[i] ^=0xf0; - code = kg_arcfour_docrypt (enc_key, 0, - &bigend_seqnum[0], 4, - ptr+14+cksum_len, tmsglen, - plain); - krb5_free_keyblock (context, enc_key); - } else { - code = kg_decrypt(context, ctx->enc, KG_USAGE_SEAL, NULL, - ptr+14+cksum_len, plain, tmsglen); - } - if (code) { - xfree(plain); - *minor_status = code; - return(GSS_S_FAILURE); - } - } else { - plain = ptr+14+cksum_len; - } - - plainlen = tmsglen; - - if ((sealalg == 0xffff) && ctx->big_endian) { - token.length = tmsglen; - } else { - conflen = kg_confounder_size(context, ctx->enc); - token.length = tmsglen - conflen - plain[tmsglen-1]; - } - - if (token.length) { - if ((token.value = (void *) xmalloc(token.length)) == NULL) { - if (sealalg != 0xffff) - xfree(plain); - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - memcpy(token.value, plain+conflen, token.length); - } else { - token.value = NULL; - } + int tmsglen = bodysize-(14+cksum_len); + if (sealalg != 0xffff) { + if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + if (ctx->enc->enctype == ENCTYPE_ARCFOUR_HMAC) { + unsigned char bigend_seqnum[4]; + krb5_keyblock *enc_key; + int i; + bigend_seqnum[0] = (seqnum>>24) & 0xff; + bigend_seqnum[1] = (seqnum>>16) & 0xff; + bigend_seqnum[2] = (seqnum>>8) & 0xff; + bigend_seqnum[3] = seqnum & 0xff; + code = krb5_copy_keyblock (context, ctx->enc, &enc_key); + if (code) + { + xfree(plain); + *minor_status = code; + return(GSS_S_FAILURE); + } + + assert (enc_key->length == 16); + for (i = 0; i <= 15; i++) + ((char *) enc_key->contents)[i] ^=0xf0; + code = kg_arcfour_docrypt (enc_key, 0, + &bigend_seqnum[0], 4, + ptr+14+cksum_len, tmsglen, + plain); + krb5_free_keyblock (context, enc_key); + } else { + code = kg_decrypt(context, ctx->enc, KG_USAGE_SEAL, NULL, + ptr+14+cksum_len, plain, tmsglen); + } + if (code) { + xfree(plain); + *minor_status = code; + return(GSS_S_FAILURE); + } + } else { + plain = ptr+14+cksum_len; + } + + plainlen = tmsglen; + + if ((sealalg == 0xffff) && ctx->big_endian) { + token.length = tmsglen; + } else { + conflen = kg_confounder_size(context, ctx->enc); + token.length = tmsglen - conflen - plain[tmsglen-1]; + } + + if (token.length) { + if ((token.value = (void *) xmalloc(token.length)) == NULL) { + if (sealalg != 0xffff) + xfree(plain); + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + memcpy(token.value, plain+conflen, token.length); + } else { + token.value = NULL; + } } else if (toktype == KG_TOK_SIGN_MSG) { - token = *message_buffer; - plain = token.value; - plainlen = token.length; + token = *message_buffer; + plain = token.value; + plainlen = token.length; } else { - token.length = 0; - token.value = NULL; - plain = token.value; - plainlen = token.length; + token.length = 0; + token.value = NULL; + plain = token.value; + plainlen = token.length; } /* compute the checksum of the message */ @@ -246,224 +247,224 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, case SGN_ALG_MD2_5: case SGN_ALG_DES_MAC: case SGN_ALG_3: - md5cksum.checksum_type = CKSUMTYPE_RSA_MD5; - break; + md5cksum.checksum_type = CKSUMTYPE_RSA_MD5; + break; case SGN_ALG_HMAC_MD5: - md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR; - break; + md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR; + break; case SGN_ALG_HMAC_SHA1_DES3_KD: - md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3; - break; + md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3; + break; default: - abort (); + abort (); } code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen); if (code) - return(code); + return(code); md5cksum.length = sumlen; switch (signalg) { case SGN_ALG_DES_MAC_MD5: case SGN_ALG_3: - /* compute the checksum of the message */ - - /* 8 = bytes of token body to be checksummed according to spec */ - - if (! (data_ptr = (void *) - xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) { - if (sealalg != 0xffff) - xfree(plain); - if (toktype == KG_TOK_SEAL_MSG) - xfree(token.value); - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - - (void) memcpy(data_ptr, ptr-2, 8); - - if (ctx->big_endian) - (void) memcpy(data_ptr+8, token.value, token.length); - else - (void) memcpy(data_ptr+8, plain, plainlen); - - plaind.length = 8 + (ctx->big_endian ? token.length : plainlen); - plaind.data = data_ptr; - code = krb5_c_make_checksum(context, md5cksum.checksum_type, - ctx->seq, sign_usage, - &plaind, &md5cksum); - xfree(data_ptr); - - if (code) { - if (toktype == KG_TOK_SEAL_MSG) - xfree(token.value); - *minor_status = code; - return(GSS_S_FAILURE); - } - - if ((code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL, - (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ? - ctx->seq->contents : NULL), - md5cksum.contents, md5cksum.contents, 16))) { - krb5_free_checksum_contents(context, &md5cksum); - if (toktype == KG_TOK_SEAL_MSG) - xfree(token.value); - *minor_status = code; - return GSS_S_FAILURE; - } - - if (signalg == 0) - cksum.length = 8; - else - cksum.length = 16; - cksum.contents = md5cksum.contents + 16 - cksum.length; - - code = memcmp(cksum.contents, ptr+14, cksum.length); - break; + /* compute the checksum of the message */ + + /* 8 = bytes of token body to be checksummed according to spec */ + + if (! (data_ptr = (void *) + xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) { + if (sealalg != 0xffff) + xfree(plain); + if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + + (void) memcpy(data_ptr, ptr-2, 8); + + if (ctx->big_endian) + (void) memcpy(data_ptr+8, token.value, token.length); + else + (void) memcpy(data_ptr+8, plain, plainlen); + + plaind.length = 8 + (ctx->big_endian ? token.length : plainlen); + plaind.data = data_ptr; + code = krb5_c_make_checksum(context, md5cksum.checksum_type, + ctx->seq, sign_usage, + &plaind, &md5cksum); + xfree(data_ptr); + + if (code) { + if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = code; + return(GSS_S_FAILURE); + } + + if ((code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL, + (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ? + ctx->seq->contents : NULL), + md5cksum.contents, md5cksum.contents, 16))) { + krb5_free_checksum_contents(context, &md5cksum); + if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = code; + return GSS_S_FAILURE; + } + + if (signalg == 0) + cksum.length = 8; + else + cksum.length = 16; + cksum.contents = md5cksum.contents + 16 - cksum.length; + + code = memcmp(cksum.contents, ptr+14, cksum.length); + break; case SGN_ALG_MD2_5: - if (!ctx->seed_init && - (code = kg_make_seed(context, ctx->subkey, ctx->seed))) { - krb5_free_checksum_contents(context, &md5cksum); - if (sealalg != 0xffff) - xfree(plain); - if (toktype == KG_TOK_SEAL_MSG) - xfree(token.value); - *minor_status = code; - return GSS_S_FAILURE; - } - - if (! (data_ptr = (void *) - xmalloc(sizeof(ctx->seed) + 8 + - (ctx->big_endian ? token.length : plainlen)))) { - krb5_free_checksum_contents(context, &md5cksum); - if (sealalg == 0) - xfree(plain); - if (toktype == KG_TOK_SEAL_MSG) - xfree(token.value); - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - (void) memcpy(data_ptr, ptr-2, 8); - (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed)); - if (ctx->big_endian) - (void) memcpy(data_ptr+8+sizeof(ctx->seed), - token.value, token.length); - else - (void) memcpy(data_ptr+8+sizeof(ctx->seed), - plain, plainlen); - plaind.length = 8 + sizeof(ctx->seed) + - (ctx->big_endian ? token.length : plainlen); - plaind.data = data_ptr; - krb5_free_checksum_contents(context, &md5cksum); - code = krb5_c_make_checksum(context, md5cksum.checksum_type, - ctx->seq, sign_usage, - &plaind, &md5cksum); - xfree(data_ptr); - - if (code) { - if (sealalg == 0) - xfree(plain); - if (toktype == KG_TOK_SEAL_MSG) - xfree(token.value); - *minor_status = code; - return(GSS_S_FAILURE); - } - - code = memcmp(md5cksum.contents, ptr+14, 8); - /* Falls through to defective-token?? */ + if (!ctx->seed_init && + (code = kg_make_seed(context, ctx->subkey, ctx->seed))) { + krb5_free_checksum_contents(context, &md5cksum); + if (sealalg != 0xffff) + xfree(plain); + if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = code; + return GSS_S_FAILURE; + } + + if (! (data_ptr = (void *) + xmalloc(sizeof(ctx->seed) + 8 + + (ctx->big_endian ? token.length : plainlen)))) { + krb5_free_checksum_contents(context, &md5cksum); + if (sealalg == 0) + xfree(plain); + if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + (void) memcpy(data_ptr, ptr-2, 8); + (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed)); + if (ctx->big_endian) + (void) memcpy(data_ptr+8+sizeof(ctx->seed), + token.value, token.length); + else + (void) memcpy(data_ptr+8+sizeof(ctx->seed), + plain, plainlen); + plaind.length = 8 + sizeof(ctx->seed) + + (ctx->big_endian ? token.length : plainlen); + plaind.data = data_ptr; + krb5_free_checksum_contents(context, &md5cksum); + code = krb5_c_make_checksum(context, md5cksum.checksum_type, + ctx->seq, sign_usage, + &plaind, &md5cksum); + xfree(data_ptr); + + if (code) { + if (sealalg == 0) + xfree(plain); + if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = code; + return(GSS_S_FAILURE); + } + + code = memcmp(md5cksum.contents, ptr+14, 8); + /* Falls through to defective-token?? */ default: - *minor_status = 0; - return(GSS_S_DEFECTIVE_TOKEN); + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); case SGN_ALG_HMAC_SHA1_DES3_KD: case SGN_ALG_HMAC_MD5: - /* compute the checksum of the message */ - - /* 8 = bytes of token body to be checksummed according to spec */ - - if (! (data_ptr = (void *) - xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) { - if (sealalg != 0xffff) - xfree(plain); - if (toktype == KG_TOK_SEAL_MSG) - xfree(token.value); - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - - (void) memcpy(data_ptr, ptr-2, 8); - - if (ctx->big_endian) - (void) memcpy(data_ptr+8, token.value, token.length); - else - (void) memcpy(data_ptr+8, plain, plainlen); - - plaind.length = 8 + (ctx->big_endian ? token.length : plainlen); - plaind.data = data_ptr; - code = krb5_c_make_checksum(context, md5cksum.checksum_type, - ctx->seq, sign_usage, - &plaind, &md5cksum); - xfree(data_ptr); - - if (code) { - if (toktype == KG_TOK_SEAL_MSG) - xfree(token.value); - *minor_status = code; - return(GSS_S_FAILURE); - } - - code = memcmp(md5cksum.contents, ptr+14, cksum_len); - break; + /* compute the checksum of the message */ + + /* 8 = bytes of token body to be checksummed according to spec */ + + if (! (data_ptr = (void *) + xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) { + if (sealalg != 0xffff) + xfree(plain); + if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + + (void) memcpy(data_ptr, ptr-2, 8); + + if (ctx->big_endian) + (void) memcpy(data_ptr+8, token.value, token.length); + else + (void) memcpy(data_ptr+8, plain, plainlen); + + plaind.length = 8 + (ctx->big_endian ? token.length : plainlen); + plaind.data = data_ptr; + code = krb5_c_make_checksum(context, md5cksum.checksum_type, + ctx->seq, sign_usage, + &plaind, &md5cksum); + xfree(data_ptr); + + if (code) { + if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = code; + return(GSS_S_FAILURE); + } + + code = memcmp(md5cksum.contents, ptr+14, cksum_len); + break; } krb5_free_checksum_contents(context, &md5cksum); if (sealalg != 0xffff) - xfree(plain); + xfree(plain); /* compare the computed checksum against the transmitted checksum */ if (code) { - if (toktype == KG_TOK_SEAL_MSG) - xfree(token.value); - *minor_status = 0; - return(GSS_S_BAD_SIG); + if (toktype == KG_TOK_SEAL_MSG) + xfree(token.value); + *minor_status = 0; + return(GSS_S_BAD_SIG); } /* it got through unscathed. Make sure the context is unexpired */ if (toktype == KG_TOK_SEAL_MSG) - *message_buffer = token; + *message_buffer = token; if (conf_state) - *conf_state = (sealalg != 0xffff); + *conf_state = (sealalg != 0xffff); if (qop_state) - *qop_state = GSS_C_QOP_DEFAULT; + *qop_state = GSS_C_QOP_DEFAULT; if ((code = krb5_timeofday(context, &now))) { - *minor_status = code; - return(GSS_S_FAILURE); + *minor_status = code; + return(GSS_S_FAILURE); } if (now > ctx->endtime) { - *minor_status = 0; - return(GSS_S_CONTEXT_EXPIRED); + *minor_status = 0; + return(GSS_S_CONTEXT_EXPIRED); } /* do sequencing checks */ if ((ctx->initiate && direction != 0xff) || - (!ctx->initiate && direction != 0)) { - if (toktype == KG_TOK_SEAL_MSG) { - xfree(token.value); - message_buffer->value = NULL; - message_buffer->length = 0; - } - *minor_status = G_BAD_DIRECTION; - return(GSS_S_BAD_SIG); + (!ctx->initiate && direction != 0)) { + if (toktype == KG_TOK_SEAL_MSG) { + xfree(token.value); + message_buffer->value = NULL; + message_buffer->length = 0; + } + *minor_status = G_BAD_DIRECTION; + return(GSS_S_BAD_SIG); } retval = g_order_check(&(ctx->seqstate), seqnum); @@ -479,7 +480,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, OM_uint32 kg_unseal(minor_status, context_handle, input_token_buffer, - message_buffer, conf_state, qop_state, toktype) + message_buffer, conf_state, qop_state, toktype) OM_uint32 *minor_status; gss_ctx_id_t context_handle; gss_buffer_t input_token_buffer; @@ -497,15 +498,15 @@ kg_unseal(minor_status, context_handle, input_token_buffer, /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); } ctx = (krb5_gss_ctx_id_rec *) context_handle; if (! ctx->established) { - *minor_status = KG_CTX_INCOMPLETE; - return(GSS_S_NO_CONTEXT); + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); } /* parse the token, leave the data in message_buffer, setting conf_state */ @@ -515,40 +516,40 @@ kg_unseal(minor_status, context_handle, input_token_buffer, ptr = (unsigned char *) input_token_buffer->value; if (ctx->proto) - switch (toktype) { - case KG_TOK_SIGN_MSG: - toktype2 = 0x0404; - break; - case KG_TOK_SEAL_MSG: - toktype2 = 0x0504; - break; - case KG_TOK_DEL_CTX: - toktype2 = 0x0405; - break; - default: - toktype2 = toktype; - break; - } + switch (toktype) { + case KG_TOK_SIGN_MSG: + toktype2 = 0x0404; + break; + case KG_TOK_SEAL_MSG: + toktype2 = 0x0504; + break; + case KG_TOK_DEL_CTX: + toktype2 = 0x0405; + break; + default: + toktype2 = toktype; + break; + } else - toktype2 = toktype; + toktype2 = toktype; err = g_verify_token_header(ctx->mech_used, - &bodysize, &ptr, toktype2, - input_token_buffer->length, - !ctx->proto); + &bodysize, &ptr, toktype2, + input_token_buffer->length, + !ctx->proto); if (err) { - *minor_status = err; - return GSS_S_DEFECTIVE_TOKEN; + *minor_status = err; + return GSS_S_DEFECTIVE_TOKEN; } if (ctx->proto == 0) - ret = kg_unseal_v1(ctx->k5_context, minor_status, ctx, ptr, bodysize, - message_buffer, conf_state, qop_state, - toktype); + ret = kg_unseal_v1(ctx->k5_context, minor_status, ctx, ptr, bodysize, + message_buffer, conf_state, qop_state, + toktype); else - ret = gss_krb5int_unseal_token_v3(&ctx->k5_context, minor_status, ctx, - ptr, bodysize, message_buffer, - conf_state, qop_state, toktype); + ret = gss_krb5int_unseal_token_v3(&ctx->k5_context, minor_status, ctx, + ptr, bodysize, message_buffer, + conf_state, qop_state, toktype); if (ret != 0) - save_error_info (*minor_status, ctx->k5_context); + save_error_info (*minor_status, ctx->k5_context); return ret; } diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c index 2bdac009f..62905e421 100644 --- a/src/lib/gssapi/krb5/krb5_gss_glue.c +++ b/src/lib/gssapi/krb5/krb5_gss_glue.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -30,312 +31,347 @@ /** mechglue wrappers **/ -static OM_uint32 k5glue_acquire_cred -(void *, OM_uint32*, /* minor_status */ - gss_name_t, /* desired_name */ - OM_uint32, /* time_req */ - gss_OID_set, /* desired_mechs */ - gss_cred_usage_t, /* cred_usage */ - gss_cred_id_t*, /* output_cred_handle */ - gss_OID_set*, /* actual_mechs */ - OM_uint32* /* time_rec */ - ); - -static OM_uint32 k5glue_release_cred -(void *, OM_uint32*, /* minor_status */ - gss_cred_id_t* /* cred_handle */ - ); - -static OM_uint32 k5glue_init_sec_context -(void *, OM_uint32*, /* minor_status */ - gss_cred_id_t, /* claimant_cred_handle */ - gss_ctx_id_t*, /* context_handle */ - gss_name_t, /* target_name */ - gss_OID, /* mech_type */ - OM_uint32, /* req_flags */ - OM_uint32, /* time_req */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_buffer_t, /* input_token */ - gss_OID*, /* actual_mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32*, /* ret_flags */ - OM_uint32* /* time_rec */ - ); - +static OM_uint32 k5glue_acquire_cred( + void *, + OM_uint32*, /* minor_status */ + gss_name_t, /* desired_name */ + OM_uint32, /* time_req */ + gss_OID_set, /* desired_mechs */ + gss_cred_usage_t, /* cred_usage */ + gss_cred_id_t*, /* output_cred_handle */ + gss_OID_set*, /* actual_mechs */ + OM_uint32* /* time_rec */ +); + +static OM_uint32 k5glue_release_cred( + void *, + OM_uint32*, /* minor_status */ + gss_cred_id_t* /* cred_handle */ +); + +static OM_uint32 k5glue_init_sec_context( + void *, + OM_uint32*, /* minor_status */ + gss_cred_id_t, /* claimant_cred_handle */ + gss_ctx_id_t*, /* context_handle */ + gss_name_t, /* target_name */ + gss_OID, /* mech_type */ + OM_uint32, /* req_flags */ + OM_uint32, /* time_req */ + gss_channel_bindings_t, + /* input_chan_bindings */ + gss_buffer_t, /* input_token */ + gss_OID*, /* actual_mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32*, /* ret_flags */ + OM_uint32* /* time_rec */ +); + #ifndef LEAN_CLIENT -static OM_uint32 k5glue_accept_sec_context -(void *, OM_uint32*, /* minor_status */ - gss_ctx_id_t*, /* context_handle */ - gss_cred_id_t, /* verifier_cred_handle */ - gss_buffer_t, /* input_token_buffer */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_name_t*, /* src_name */ - gss_OID*, /* mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32*, /* ret_flags */ - OM_uint32*, /* time_rec */ - gss_cred_id_t* /* delegated_cred_handle */ - ); +static OM_uint32 k5glue_accept_sec_context( + void *, + OM_uint32*, /* minor_status */ + gss_ctx_id_t*, /* context_handle */ + gss_cred_id_t, /* verifier_cred_handle */ + gss_buffer_t, /* input_token_buffer */ + gss_channel_bindings_t, + /* input_chan_bindings */ + gss_name_t*, /* src_name */ + gss_OID*, /* mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32*, /* ret_flags */ + OM_uint32*, /* time_rec */ + gss_cred_id_t* /* delegated_cred_handle */ +); #endif /* LEAN_CLIENT */ -static OM_uint32 k5glue_process_context_token -(void *, OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t /* token_buffer */ - ); - -static OM_uint32 k5glue_delete_sec_context -(void *, OM_uint32*, /* minor_status */ - gss_ctx_id_t*, /* context_handle */ - gss_buffer_t /* output_token */ - ); - -static OM_uint32 k5glue_context_time -(void *, OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - OM_uint32* /* time_rec */ - ); - -static OM_uint32 k5glue_sign -(void *, OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); - -static OM_uint32 k5glue_verify -(void *, OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* token_buffer */ - int* /* qop_state */ - ); - -static OM_uint32 k5glue_seal -(void *, OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - int, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int*, /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - -static OM_uint32 k5glue_unseal -(void *, OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int*, /* conf_state */ - int* /* qop_state */ - ); - -static OM_uint32 k5glue_display_status -(void *, OM_uint32*, /* minor_status */ - OM_uint32, /* status_value */ - int, /* status_type */ - gss_OID, /* mech_type */ - OM_uint32*, /* message_context */ - gss_buffer_t /* status_string */ - ); - -static OM_uint32 k5glue_indicate_mechs -(void *, OM_uint32*, /* minor_status */ - gss_OID_set* /* mech_set */ - ); - -static OM_uint32 k5glue_compare_name -(void *, OM_uint32*, /* minor_status */ - gss_name_t, /* name1 */ - gss_name_t, /* name2 */ - int* /* name_equal */ - ); - -static OM_uint32 k5glue_display_name -(void *, OM_uint32*, /* minor_status */ - gss_name_t, /* input_name */ - gss_buffer_t, /* output_name_buffer */ - gss_OID* /* output_name_type */ - ); - -static OM_uint32 k5glue_import_name -(void *, OM_uint32*, /* minor_status */ - gss_buffer_t, /* input_name_buffer */ - gss_OID, /* input_name_type */ - gss_name_t* /* output_name */ - ); - -static OM_uint32 k5glue_release_name -(void *, OM_uint32*, /* minor_status */ - gss_name_t* /* input_name */ - ); - -static OM_uint32 k5glue_inquire_cred -(void *, OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* cred_handle */ - gss_name_t *, /* name */ - OM_uint32 *, /* lifetime */ - gss_cred_usage_t*,/* cred_usage */ - gss_OID_set * /* mechanisms */ - ); - -static OM_uint32 k5glue_inquire_context -(void *, OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_name_t*, /* initiator_name */ - gss_name_t*, /* acceptor_name */ - OM_uint32*, /* lifetime_rec */ - gss_OID*, /* mech_type */ - OM_uint32*, /* ret_flags */ - int*, /* locally_initiated */ - int* /* open */ - ); +static OM_uint32 k5glue_process_context_token( + void *, + OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t /* token_buffer */ +); + +static OM_uint32 k5glue_delete_sec_context( + void *, + OM_uint32*, /* minor_status */ + gss_ctx_id_t*, /* context_handle */ + gss_buffer_t /* output_token */ +); + +static OM_uint32 k5glue_context_time( + void *, + OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + OM_uint32* /* time_rec */ +); + +static OM_uint32 k5glue_sign( + void *, OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ +); + +static OM_uint32 k5glue_verify( + void *, + OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* token_buffer */ + int* /* qop_state */ +); + +static OM_uint32 k5glue_seal( + void *, + OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + int, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int*, /* conf_state */ + gss_buffer_t /* output_message_buffer */ +); + +static OM_uint32 k5glue_unseal( + void *, + OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int*, /* conf_state */ + int* /* qop_state */ +); + +static OM_uint32 k5glue_display_status( + void *, + OM_uint32*, /* minor_status */ + OM_uint32, /* status_value */ + int, /* status_type */ + gss_OID, /* mech_type */ + OM_uint32*, /* message_context */ + gss_buffer_t /* status_string */ +); + +static OM_uint32 k5glue_indicate_mechs( + void *, + OM_uint32*, /* minor_status */ + gss_OID_set* /* mech_set */ +); + +static OM_uint32 k5glue_compare_name( + void *, + OM_uint32*, /* minor_status */ + gss_name_t, /* name1 */ + gss_name_t, /* name2 */ + int* /* name_equal */ +); + +static OM_uint32 k5glue_display_name( + void *, + OM_uint32*, /* minor_status */ + gss_name_t, /* input_name */ + gss_buffer_t, /* output_name_buffer */ + gss_OID* /* output_name_type */ +); + +static OM_uint32 k5glue_import_name( + void *, + OM_uint32*, /* minor_status */ + gss_buffer_t, /* input_name_buffer */ + gss_OID, /* input_name_type */ + gss_name_t* /* output_name */ +); + +static OM_uint32 k5glue_release_name( + void *, + OM_uint32*, /* minor_status */ + gss_name_t* /* input_name */ +); + +static OM_uint32 k5glue_inquire_cred( + void *, + OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* cred_handle */ + gss_name_t *, /* name */ + OM_uint32 *, /* lifetime */ + gss_cred_usage_t*,/* cred_usage */ + gss_OID_set * /* mechanisms */ +); + +static OM_uint32 k5glue_inquire_context( + void *, + OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_name_t*, /* initiator_name */ + gss_name_t*, /* acceptor_name */ + OM_uint32*, /* lifetime_rec */ + gss_OID*, /* mech_type */ + OM_uint32*, /* ret_flags */ + int*, /* locally_initiated */ + int* /* open */ +); #if 0 /* New V2 entry points */ -static OM_uint32 k5glue_get_mic -(void *, OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_qop_t, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); - -static OM_uint32 k5glue_verify_mic -(void *, OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* message_token */ - gss_qop_t * /* qop_state */ - ); - -static OM_uint32 k5glue_wrap -(void *, OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - gss_qop_t, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int *, /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - -static OM_uint32 k5glue_unwrap -(void *, OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int *, /* conf_state */ - gss_qop_t * /* qop_state */ - ); +static OM_uint32 k5glue_get_mic( + void *, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ +); + +static OM_uint32 k5glue_verify_mic( + void *, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* message_token */ + gss_qop_t * /* qop_state */ +); + +static OM_uint32 k5glue_wrap( + void *, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int *, /* conf_state */ + gss_buffer_t /* output_message_buffer */ +); + +static OM_uint32 k5glue_unwrap( + void *, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int *, /* conf_state */ + gss_qop_t * /* qop_state */ +); #endif -static OM_uint32 k5glue_wrap_size_limit -(void *, OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - gss_qop_t, /* qop_req */ - OM_uint32, /* req_output_size */ - OM_uint32 * /* max_input_size */ - ); +static OM_uint32 k5glue_wrap_size_limit( + void *, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + OM_uint32, /* req_output_size */ + OM_uint32 * /* max_input_size */ +); #if 0 -static OM_uint32 k5glue_import_name_object -(void *, OM_uint32 *, /* minor_status */ - void *, /* input_name */ - gss_OID, /* input_name_type */ - gss_name_t * /* output_name */ - ); - -static OM_uint32 k5glue_export_name_object -(void *, OM_uint32 *, /* minor_status */ - gss_name_t, /* input_name */ - gss_OID, /* desired_name_type */ - void * * /* output_name */ - ); +static OM_uint32 k5glue_import_name_object( + void *, + OM_uint32 *, /* minor_status */ + void *, /* input_name */ + gss_OID, /* input_name_type */ + gss_name_t * /* output_name */ +); + +static OM_uint32 k5glue_export_name_object( + void *, + OM_uint32 *, /* minor_status */ + gss_name_t, /* input_name */ + gss_OID, /* desired_name_type */ + void * * /* output_name */ +); #endif -static OM_uint32 k5glue_add_cred -(void *, OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* input_cred_handle */ - gss_name_t, /* desired_name */ - gss_OID, /* desired_mech */ - gss_cred_usage_t, /* cred_usage */ - OM_uint32, /* initiator_time_req */ - OM_uint32, /* acceptor_time_req */ - gss_cred_id_t *, /* output_cred_handle */ - gss_OID_set *, /* actual_mechs */ - OM_uint32 *, /* initiator_time_rec */ - OM_uint32 * /* acceptor_time_rec */ - ); - -static OM_uint32 k5glue_inquire_cred_by_mech -(void *, OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* cred_handle */ - gss_OID, /* mech_type */ - gss_name_t *, /* name */ - OM_uint32 *, /* initiator_lifetime */ - OM_uint32 *, /* acceptor_lifetime */ - gss_cred_usage_t * /* cred_usage */ - ); +static OM_uint32 k5glue_add_cred( + void *, + OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* input_cred_handle */ + gss_name_t, /* desired_name */ + gss_OID, /* desired_mech */ + gss_cred_usage_t, /* cred_usage */ + OM_uint32, /* initiator_time_req */ + OM_uint32, /* acceptor_time_req */ + gss_cred_id_t *, /* output_cred_handle */ + gss_OID_set *, /* actual_mechs */ + OM_uint32 *, /* initiator_time_rec */ + OM_uint32 * /* acceptor_time_rec */ +); + +static OM_uint32 k5glue_inquire_cred_by_mech( + void *, + OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* cred_handle */ + gss_OID, /* mech_type */ + gss_name_t *, /* name */ + OM_uint32 *, /* initiator_lifetime */ + OM_uint32 *, /* acceptor_lifetime */ + gss_cred_usage_t * /* cred_usage */ +); #ifndef LEAN_CLIENT -static OM_uint32 k5glue_export_sec_context -(void *, OM_uint32 *, /* minor_status */ - gss_ctx_id_t *, /* context_handle */ - gss_buffer_t /* interprocess_token */ - ); - -static OM_uint32 k5glue_import_sec_context -(void *, OM_uint32 *, /* minor_status */ - gss_buffer_t, /* interprocess_token */ - gss_ctx_id_t * /* context_handle */ - ); +static OM_uint32 k5glue_export_sec_context( + void *, + OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + gss_buffer_t /* interprocess_token */ +); + +static OM_uint32 k5glue_import_sec_context( + void *, + OM_uint32 *, /* minor_status */ + gss_buffer_t, /* interprocess_token */ + gss_ctx_id_t * /* context_handle */ +); #endif /* LEAN_CLIENT */ krb5_error_code k5glue_ser_init(krb5_context); -static OM_uint32 k5glue_internal_release_oid -(void *, OM_uint32 *, /* minor_status */ - gss_OID * /* oid */ - ); +static OM_uint32 k5glue_internal_release_oid( + void *, + OM_uint32 *, /* minor_status */ + gss_OID * /* oid */ +); -static OM_uint32 k5glue_inquire_names_for_mech -(void *, OM_uint32 *, /* minor_status */ - gss_OID, /* mechanism */ - gss_OID_set * /* name_types */ - ); +static OM_uint32 k5glue_inquire_names_for_mech( + void *, + OM_uint32 *, /* minor_status */ + gss_OID, /* mechanism */ + gss_OID_set * /* name_types */ +); #if 0 -static OM_uint32 k5glue_canonicalize_name -(void *, OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - const gss_OID, /* mech_type */ - gss_name_t * /* output_name */ - ); +static OM_uint32 k5glue_canonicalize_name( + void *, + OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + const gss_OID, /* mech_type */ + gss_name_t * /* output_name */ +); #endif -static OM_uint32 k5glue_export_name -(void *, OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - gss_buffer_t /* exported_name */ - ); +static OM_uint32 k5glue_export_name( + void *, + OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_buffer_t /* exported_name */ +); #if 0 -static OM_uint32 k5glue_duplicate_name -(void *, OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - gss_name_t * /* dest_name */ - ); +static OM_uint32 k5glue_duplicate_name( + void *, + OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_name_t * /* dest_name */ +); #endif #if 0 -static OM_uint32 k5glue_validate_cred -(void *, OM_uint32 *, /* minor_status */ - gss_cred_id_t /* cred */ - ); +static OM_uint32 k5glue_validate_cred( + void *, + OM_uint32 *, /* minor_status */ + gss_cred_id_t /* cred */ +); #endif /* @@ -343,72 +379,72 @@ static OM_uint32 k5glue_validate_cred * ensure that both dispatch tables contain identical function * pointers. */ -#ifndef LEAN_CLIENT -#define KRB5_GSS_CONFIG_INIT \ - NULL, \ - k5glue_acquire_cred, \ - k5glue_release_cred, \ - k5glue_init_sec_context, \ - k5glue_accept_sec_context, \ - k5glue_process_context_token, \ - k5glue_delete_sec_context, \ - k5glue_context_time, \ - k5glue_sign, \ - k5glue_verify, \ - k5glue_seal, \ - k5glue_unseal, \ - k5glue_display_status, \ - k5glue_indicate_mechs, \ - k5glue_compare_name, \ - k5glue_display_name, \ - k5glue_import_name, \ - k5glue_release_name, \ - k5glue_inquire_cred, \ - k5glue_add_cred, \ - k5glue_export_sec_context, \ - k5glue_import_sec_context, \ - k5glue_inquire_cred_by_mech, \ - k5glue_inquire_names_for_mech, \ - k5glue_inquire_context, \ - k5glue_internal_release_oid, \ - k5glue_wrap_size_limit, \ - k5glue_export_name, \ - NULL /* store_cred */ - -#else /* LEAN_CLIENT */ - -#define KRB5_GSS_CONFIG_INIT \ - NULL, \ - k5glue_acquire_cred, \ - k5glue_release_cred, \ - k5glue_init_sec_context, \ - NULL, \ - k5glue_process_context_token, \ - k5glue_delete_sec_context, \ - k5glue_context_time, \ - k5glue_sign, \ - k5glue_verify, \ - k5glue_seal, \ - k5glue_unseal, \ - k5glue_display_status, \ - k5glue_indicate_mechs, \ - k5glue_compare_name, \ - k5glue_display_name, \ - k5glue_import_name, \ - k5glue_release_name, \ - k5glue_inquire_cred, \ - k5glue_add_cred, \ - NULL, \ - NULL, \ - k5glue_inquire_cred_by_mech, \ - k5glue_inquire_names_for_mech, \ - k5glue_inquire_context, \ - k5glue_internal_release_oid, \ - k5glue_wrap_size_limit, \ - k5glue_export_name, \ - NULL /* store_cred */ - -#endif /* LEAN_CLIENT */ +#ifndef LEAN_CLIENT +#define KRB5_GSS_CONFIG_INIT \ + NULL, \ + k5glue_acquire_cred, \ + k5glue_release_cred, \ + k5glue_init_sec_context, \ + k5glue_accept_sec_context, \ + k5glue_process_context_token, \ + k5glue_delete_sec_context, \ + k5glue_context_time, \ + k5glue_sign, \ + k5glue_verify, \ + k5glue_seal, \ + k5glue_unseal, \ + k5glue_display_status, \ + k5glue_indicate_mechs, \ + k5glue_compare_name, \ + k5glue_display_name, \ + k5glue_import_name, \ + k5glue_release_name, \ + k5glue_inquire_cred, \ + k5glue_add_cred, \ + k5glue_export_sec_context, \ + k5glue_import_sec_context, \ + k5glue_inquire_cred_by_mech, \ + k5glue_inquire_names_for_mech, \ + k5glue_inquire_context, \ + k5glue_internal_release_oid, \ + k5glue_wrap_size_limit, \ + k5glue_export_name, \ + NULL /* store_cred */ + +#else /* LEAN_CLIENT */ + +#define KRB5_GSS_CONFIG_INIT \ + NULL, \ + k5glue_acquire_cred, \ + k5glue_release_cred, \ + k5glue_init_sec_context, \ + NULL, \ + k5glue_process_context_token, \ + k5glue_delete_sec_context, \ + k5glue_context_time, \ + k5glue_sign, \ + k5glue_verify, \ + k5glue_seal, \ + k5glue_unseal, \ + k5glue_display_status, \ + k5glue_indicate_mechs, \ + k5glue_compare_name, \ + k5glue_display_name, \ + k5glue_import_name, \ + k5glue_release_name, \ + k5glue_inquire_cred, \ + k5glue_add_cred, \ + NULL, \ + NULL, \ + k5glue_inquire_cred_by_mech, \ + k5glue_inquire_names_for_mech, \ + k5glue_inquire_context, \ + k5glue_internal_release_oid, \ + k5glue_wrap_size_limit, \ + k5glue_export_name, \ + NULL /* store_cred */ + +#endif /* LEAN_CLIENT */ static struct gss_config krb5_mechanism = { @@ -448,7 +484,7 @@ gssint_get_mech_configs(void) char *envstr = getenv("MS_FORCE_NO_MSOID"); if (envstr != NULL && strcmp(envstr, "1") == 0) { - return krb5_mech_configs_hack; + return krb5_mech_configs_hack; } #endif return krb5_mech_configs; @@ -457,82 +493,82 @@ gssint_get_mech_configs(void) #ifndef LEAN_CLIENT static OM_uint32 k5glue_accept_sec_context(ctx, minor_status, context_handle, verifier_cred_handle, - input_token, input_chan_bindings, src_name, mech_type, - output_token, ret_flags, time_rec, delegated_cred_handle) + input_token, input_chan_bindings, src_name, mech_type, + output_token, ret_flags, time_rec, delegated_cred_handle) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t *context_handle; - gss_cred_id_t verifier_cred_handle; - gss_buffer_t input_token; - gss_channel_bindings_t input_chan_bindings; - gss_name_t *src_name; - gss_OID *mech_type; - gss_buffer_t output_token; - OM_uint32 *ret_flags; - OM_uint32 *time_rec; - gss_cred_id_t *delegated_cred_handle; + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_cred_id_t verifier_cred_handle; + gss_buffer_t input_token; + gss_channel_bindings_t input_chan_bindings; + gss_name_t *src_name; + gss_OID *mech_type; + gss_buffer_t output_token; + OM_uint32 *ret_flags; + OM_uint32 *time_rec; + gss_cred_id_t *delegated_cred_handle; { - return(krb5_gss_accept_sec_context(minor_status, - context_handle, - verifier_cred_handle, - input_token, - input_chan_bindings, - src_name, - mech_type, - output_token, - ret_flags, - time_rec, - delegated_cred_handle)); + return(krb5_gss_accept_sec_context(minor_status, + context_handle, + verifier_cred_handle, + input_token, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle)); } #endif /* LEAN_CLIENT */ static OM_uint32 k5glue_acquire_cred(ctx, minor_status, desired_name, time_req, desired_mechs, - cred_usage, output_cred_handle, actual_mechs, time_rec) + cred_usage, output_cred_handle, actual_mechs, time_rec) void *ctx; - OM_uint32 *minor_status; - gss_name_t desired_name; - OM_uint32 time_req; - gss_OID_set desired_mechs; - gss_cred_usage_t cred_usage; - gss_cred_id_t *output_cred_handle; - gss_OID_set *actual_mechs; - OM_uint32 *time_rec; + OM_uint32 *minor_status; + gss_name_t desired_name; + OM_uint32 time_req; + gss_OID_set desired_mechs; + gss_cred_usage_t cred_usage; + gss_cred_id_t *output_cred_handle; + gss_OID_set *actual_mechs; + OM_uint32 *time_rec; { - return(krb5_gss_acquire_cred(minor_status, - desired_name, - time_req, - desired_mechs, - cred_usage, - output_cred_handle, - actual_mechs, - time_rec)); + return(krb5_gss_acquire_cred(minor_status, + desired_name, + time_req, + desired_mechs, + cred_usage, + output_cred_handle, + actual_mechs, + time_rec)); } /* V2 */ static OM_uint32 k5glue_add_cred(ctx, minor_status, input_cred_handle, desired_name, desired_mech, - cred_usage, initiator_time_req, acceptor_time_req, - output_cred_handle, actual_mechs, initiator_time_rec, - acceptor_time_rec) + cred_usage, initiator_time_req, acceptor_time_req, + output_cred_handle, actual_mechs, initiator_time_rec, + acceptor_time_rec) void *ctx; - OM_uint32 *minor_status; - gss_cred_id_t input_cred_handle; - gss_name_t desired_name; - gss_OID desired_mech; - gss_cred_usage_t cred_usage; - OM_uint32 initiator_time_req; - OM_uint32 acceptor_time_req; - gss_cred_id_t *output_cred_handle; - gss_OID_set *actual_mechs; - OM_uint32 *initiator_time_rec; - OM_uint32 *acceptor_time_rec; + OM_uint32 *minor_status; + gss_cred_id_t input_cred_handle; + gss_name_t desired_name; + gss_OID desired_mech; + gss_cred_usage_t cred_usage; + OM_uint32 initiator_time_req; + OM_uint32 acceptor_time_req; + gss_cred_id_t *output_cred_handle; + gss_OID_set *actual_mechs; + OM_uint32 *initiator_time_rec; + OM_uint32 *acceptor_time_rec; { return(krb5_gss_add_cred(minor_status, input_cred_handle, desired_name, - desired_mech, cred_usage, initiator_time_req, - acceptor_time_req, output_cred_handle, - actual_mechs, initiator_time_rec, - acceptor_time_rec)); + desired_mech, cred_usage, initiator_time_req, + acceptor_time_req, output_cred_handle, + actual_mechs, initiator_time_rec, + acceptor_time_rec)); } #if 0 @@ -540,9 +576,9 @@ k5glue_add_cred(ctx, minor_status, input_cred_handle, desired_name, desired_mech static OM_uint32 k5glue_add_oid_set_member(ctx, minor_status, member_oid, oid_set) void *ctx; - OM_uint32 *minor_status; - gss_OID member_oid; - gss_OID_set *oid_set; + OM_uint32 *minor_status; + gss_OID member_oid; + gss_OID_set *oid_set; { return(generic_gss_add_oid_set_member(minor_status, member_oid, oid_set)); } @@ -551,24 +587,24 @@ k5glue_add_oid_set_member(ctx, minor_status, member_oid, oid_set) static OM_uint32 k5glue_compare_name(ctx, minor_status, name1, name2, name_equal) void *ctx; - OM_uint32 *minor_status; - gss_name_t name1; - gss_name_t name2; - int *name_equal; + OM_uint32 *minor_status; + gss_name_t name1; + gss_name_t name2; + int *name_equal; { - return(krb5_gss_compare_name(minor_status, name1, - name2, name_equal)); + return(krb5_gss_compare_name(minor_status, name1, + name2, name_equal)); } static OM_uint32 k5glue_context_time(ctx, minor_status, context_handle, time_rec) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - OM_uint32 *time_rec; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + OM_uint32 *time_rec; { - return(krb5_gss_context_time(minor_status, context_handle, - time_rec)); + return(krb5_gss_context_time(minor_status, context_handle, + time_rec)); } #if 0 @@ -576,8 +612,8 @@ k5glue_context_time(ctx, minor_status, context_handle, time_rec) static OM_uint32 k5glue_create_empty_oid_set(ctx, minor_status, oid_set) void *ctx; - OM_uint32 *minor_status; - gss_OID_set *oid_set; + OM_uint32 *minor_status; + gss_OID_set *oid_set; { return(generic_gss_create_empty_oid_set(minor_status, oid_set)); } @@ -586,90 +622,90 @@ k5glue_create_empty_oid_set(ctx, minor_status, oid_set) static OM_uint32 k5glue_delete_sec_context(ctx, minor_status, context_handle, output_token) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t *context_handle; - gss_buffer_t output_token; + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_buffer_t output_token; { - return(krb5_gss_delete_sec_context(minor_status, - context_handle, output_token)); + return(krb5_gss_delete_sec_context(minor_status, + context_handle, output_token)); } static OM_uint32 k5glue_display_name(ctx, minor_status, input_name, output_name_buffer, output_name_type) void *ctx; - OM_uint32 *minor_status; - gss_name_t input_name; - gss_buffer_t output_name_buffer; - gss_OID *output_name_type; + OM_uint32 *minor_status; + gss_name_t input_name; + gss_buffer_t output_name_buffer; + gss_OID *output_name_type; { - return(krb5_gss_display_name(minor_status, input_name, - output_name_buffer, output_name_type)); + return(krb5_gss_display_name(minor_status, input_name, + output_name_buffer, output_name_type)); } static OM_uint32 k5glue_display_status(ctx, minor_status, status_value, status_type, - mech_type, message_context, status_string) + mech_type, message_context, status_string) void *ctx; - OM_uint32 *minor_status; - OM_uint32 status_value; - int status_type; - gss_OID mech_type; - OM_uint32 *message_context; - gss_buffer_t status_string; + OM_uint32 *minor_status; + OM_uint32 status_value; + int status_type; + gss_OID mech_type; + OM_uint32 *message_context; + gss_buffer_t status_string; { - return(krb5_gss_display_status(minor_status, status_value, - status_type, mech_type, message_context, - status_string)); + return(krb5_gss_display_status(minor_status, status_value, + status_type, mech_type, message_context, + status_string)); } #ifndef LEAN_CLIENT /* V2 */ static OM_uint32 k5glue_export_sec_context(ctx, minor_status, context_handle, interprocess_token) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t *context_handle; - gss_buffer_t interprocess_token; + OM_uint32 *minor_status; + gss_ctx_id_t *context_handle; + gss_buffer_t interprocess_token; { - return(krb5_gss_export_sec_context(minor_status, - context_handle, - interprocess_token)); + return(krb5_gss_export_sec_context(minor_status, + context_handle, + interprocess_token)); } #endif /* LEAN_CLIENT */ #if 0 /* V2 */ static OM_uint32 k5glue_get_mic(ctx, minor_status, context_handle, qop_req, - message_buffer, message_token) + message_buffer, message_token) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_qop_t qop_req; - gss_buffer_t message_buffer; - gss_buffer_t message_token; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_qop_t qop_req; + gss_buffer_t message_buffer; + gss_buffer_t message_token; { return(krb5_gss_get_mic(minor_status, context_handle, - qop_req, message_buffer, message_token)); + qop_req, message_buffer, message_token)); } #endif static OM_uint32 k5glue_import_name(ctx, minor_status, input_name_buffer, input_name_type, output_name) void *ctx; - OM_uint32 *minor_status; - gss_buffer_t input_name_buffer; - gss_OID input_name_type; - gss_name_t *output_name; + OM_uint32 *minor_status; + gss_buffer_t input_name_buffer; + gss_OID input_name_type; + gss_name_t *output_name; { #if 0 OM_uint32 err; err = gssint_initialize_library(); if (err) { - *minor_status = err; - return GSS_S_FAILURE; + *minor_status = err; + return GSS_S_FAILURE; } #endif return(krb5_gss_import_name(minor_status, input_name_buffer, - input_name_type, output_name)); + input_name_type, output_name)); } #ifndef LEAN_CLIENT @@ -677,118 +713,118 @@ k5glue_import_name(ctx, minor_status, input_name_buffer, input_name_type, output static OM_uint32 k5glue_import_sec_context(ctx, minor_status, interprocess_token, context_handle) void *ctx; - OM_uint32 *minor_status; - gss_buffer_t interprocess_token; - gss_ctx_id_t *context_handle; + OM_uint32 *minor_status; + gss_buffer_t interprocess_token; + gss_ctx_id_t *context_handle; { - return(krb5_gss_import_sec_context(minor_status, - interprocess_token, - context_handle)); + return(krb5_gss_import_sec_context(minor_status, + interprocess_token, + context_handle)); } #endif /* LEAN_CLIENT */ static OM_uint32 k5glue_indicate_mechs(ctx, minor_status, mech_set) void *ctx; - OM_uint32 *minor_status; - gss_OID_set *mech_set; + OM_uint32 *minor_status; + gss_OID_set *mech_set; { - return(krb5_gss_indicate_mechs(minor_status, mech_set)); + return(krb5_gss_indicate_mechs(minor_status, mech_set)); } static OM_uint32 k5glue_init_sec_context(ctx, minor_status, claimant_cred_handle, context_handle, - target_name, mech_type, req_flags, time_req, - input_chan_bindings, input_token, actual_mech_type, - output_token, ret_flags, time_rec) + target_name, mech_type, req_flags, time_req, + input_chan_bindings, input_token, actual_mech_type, + output_token, ret_flags, time_rec) void *ctx; - OM_uint32 *minor_status; - gss_cred_id_t claimant_cred_handle; - gss_ctx_id_t *context_handle; - gss_name_t target_name; - gss_OID mech_type; - OM_uint32 req_flags; - OM_uint32 time_req; - gss_channel_bindings_t input_chan_bindings; - gss_buffer_t input_token; - gss_OID *actual_mech_type; - gss_buffer_t output_token; - OM_uint32 *ret_flags; - OM_uint32 *time_rec; + OM_uint32 *minor_status; + gss_cred_id_t claimant_cred_handle; + gss_ctx_id_t *context_handle; + gss_name_t target_name; + gss_OID mech_type; + OM_uint32 req_flags; + OM_uint32 time_req; + gss_channel_bindings_t input_chan_bindings; + gss_buffer_t input_token; + gss_OID *actual_mech_type; + gss_buffer_t output_token; + OM_uint32 *ret_flags; + OM_uint32 *time_rec; { - return(krb5_gss_init_sec_context(minor_status, - claimant_cred_handle, context_handle, - target_name, mech_type, req_flags, - time_req, input_chan_bindings, input_token, - actual_mech_type, output_token, ret_flags, - time_rec)); + return(krb5_gss_init_sec_context(minor_status, + claimant_cred_handle, context_handle, + target_name, mech_type, req_flags, + time_req, input_chan_bindings, input_token, + actual_mech_type, output_token, ret_flags, + time_rec)); } static OM_uint32 k5glue_inquire_context(ctx, minor_status, context_handle, initiator_name, acceptor_name, - lifetime_rec, mech_type, ret_flags, - locally_initiated, opened) + lifetime_rec, mech_type, ret_flags, + locally_initiated, opened) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_name_t *initiator_name; - gss_name_t *acceptor_name; - OM_uint32 *lifetime_rec; - gss_OID *mech_type; - OM_uint32 *ret_flags; - int *locally_initiated; - int *opened; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_name_t *initiator_name; + gss_name_t *acceptor_name; + OM_uint32 *lifetime_rec; + gss_OID *mech_type; + OM_uint32 *ret_flags; + int *locally_initiated; + int *opened; { - return(krb5_gss_inquire_context(minor_status, context_handle, - initiator_name, acceptor_name, lifetime_rec, - mech_type, ret_flags, locally_initiated, - opened)); + return(krb5_gss_inquire_context(minor_status, context_handle, + initiator_name, acceptor_name, lifetime_rec, + mech_type, ret_flags, locally_initiated, + opened)); } static OM_uint32 k5glue_inquire_cred(ctx, minor_status, cred_handle, name, lifetime_ret, - cred_usage, mechanisms) + cred_usage, mechanisms) void *ctx; - OM_uint32 *minor_status; - gss_cred_id_t cred_handle; - gss_name_t *name; - OM_uint32 *lifetime_ret; - gss_cred_usage_t *cred_usage; - gss_OID_set *mechanisms; + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; + gss_name_t *name; + OM_uint32 *lifetime_ret; + gss_cred_usage_t *cred_usage; + gss_OID_set *mechanisms; { - return(krb5_gss_inquire_cred(minor_status, cred_handle, - name, lifetime_ret, cred_usage, mechanisms)); + return(krb5_gss_inquire_cred(minor_status, cred_handle, + name, lifetime_ret, cred_usage, mechanisms)); } /* V2 */ static OM_uint32 k5glue_inquire_cred_by_mech(ctx, minor_status, cred_handle, mech_type, name, - initiator_lifetime, acceptor_lifetime, cred_usage) + initiator_lifetime, acceptor_lifetime, cred_usage) void *ctx; - OM_uint32 *minor_status; - gss_cred_id_t cred_handle; - gss_OID mech_type; - gss_name_t *name; - OM_uint32 *initiator_lifetime; - OM_uint32 *acceptor_lifetime; - gss_cred_usage_t *cred_usage; + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; + gss_OID mech_type; + gss_name_t *name; + OM_uint32 *initiator_lifetime; + OM_uint32 *acceptor_lifetime; + gss_cred_usage_t *cred_usage; { - return(krb5_gss_inquire_cred_by_mech(minor_status, cred_handle, - mech_type, name, initiator_lifetime, - acceptor_lifetime, cred_usage)); + return(krb5_gss_inquire_cred_by_mech(minor_status, cred_handle, + mech_type, name, initiator_lifetime, + acceptor_lifetime, cred_usage)); } /* V2 */ static OM_uint32 k5glue_inquire_names_for_mech(ctx, minor_status, mechanism, name_types) void *ctx; - OM_uint32 *minor_status; - gss_OID mechanism; - gss_OID_set *name_types; + OM_uint32 *minor_status; + gss_OID mechanism; + gss_OID_set *name_types; { return(krb5_gss_inquire_names_for_mech(minor_status, - mechanism, - name_types)); + mechanism, + name_types)); } #if 0 @@ -796,9 +832,9 @@ k5glue_inquire_names_for_mech(ctx, minor_status, mechanism, name_types) static OM_uint32 k5glue_oid_to_str(ctx, minor_status, oid, oid_str) void *ctx; - OM_uint32 *minor_status; - gss_OID oid; - gss_buffer_t oid_str; + OM_uint32 *minor_status; + gss_OID oid; + gss_buffer_t oid_str; { return(generic_gss_oid_to_str(minor_status, oid, oid_str)); } @@ -807,41 +843,41 @@ k5glue_oid_to_str(ctx, minor_status, oid, oid_str) static OM_uint32 k5glue_process_context_token(ctx, minor_status, context_handle, token_buffer) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t token_buffer; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t token_buffer; { - return(krb5_gss_process_context_token(minor_status, - context_handle, token_buffer)); + return(krb5_gss_process_context_token(minor_status, + context_handle, token_buffer)); } static OM_uint32 k5glue_release_cred(ctx, minor_status, cred_handle) void *ctx; - OM_uint32 *minor_status; - gss_cred_id_t *cred_handle; + OM_uint32 *minor_status; + gss_cred_id_t *cred_handle; { - return(krb5_gss_release_cred(minor_status, cred_handle)); + return(krb5_gss_release_cred(minor_status, cred_handle)); } static OM_uint32 k5glue_release_name(ctx, minor_status, input_name) void *ctx; - OM_uint32 *minor_status; - gss_name_t *input_name; + OM_uint32 *minor_status; + gss_name_t *input_name; { - return(krb5_gss_release_name(minor_status, input_name)); + return(krb5_gss_release_name(minor_status, input_name)); } #if 0 static OM_uint32 k5glue_release_buffer(ctx, minor_status, buffer) void *ctx; - OM_uint32 *minor_status; - gss_buffer_t buffer; + OM_uint32 *minor_status; + gss_buffer_t buffer; { - return(generic_gss_release_buffer(minor_status, - buffer)); + return(generic_gss_release_buffer(minor_status, + buffer)); } #endif @@ -849,8 +885,8 @@ k5glue_release_buffer(ctx, minor_status, buffer) static OM_uint32 k5glue_internal_release_oid(ctx, minor_status, oid) void *ctx; - OM_uint32 *minor_status; - gss_OID *oid; + OM_uint32 *minor_status; + gss_OID *oid; { return(krb5_gss_internal_release_oid(minor_status, oid)); } @@ -859,87 +895,87 @@ k5glue_internal_release_oid(ctx, minor_status, oid) static OM_uint32 k5glue_release_oid_set(ctx, minor_status, set) void *ctx; - OM_uint32 * minor_status; - gss_OID_set *set; + OM_uint32 * minor_status; + gss_OID_set *set; { - return(generic_gss_release_oid_set(minor_status, set)); + return(generic_gss_release_oid_set(minor_status, set)); } #endif /* V1 only */ static OM_uint32 k5glue_seal(ctx, minor_status, context_handle, conf_req_flag, qop_req, - input_message_buffer, conf_state, output_message_buffer) + input_message_buffer, conf_state, output_message_buffer) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - int conf_req_flag; - int qop_req; - gss_buffer_t input_message_buffer; - int *conf_state; - gss_buffer_t output_message_buffer; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + int qop_req; + gss_buffer_t input_message_buffer; + int *conf_state; + gss_buffer_t output_message_buffer; { - return(krb5_gss_seal(minor_status, context_handle, - conf_req_flag, qop_req, input_message_buffer, - conf_state, output_message_buffer)); + return(krb5_gss_seal(minor_status, context_handle, + conf_req_flag, qop_req, input_message_buffer, + conf_state, output_message_buffer)); } static OM_uint32 k5glue_sign(ctx, minor_status, context_handle, - qop_req, message_buffer, - message_token) + qop_req, message_buffer, + message_token) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - int qop_req; - gss_buffer_t message_buffer; - gss_buffer_t message_token; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int qop_req; + gss_buffer_t message_buffer; + gss_buffer_t message_token; { - return(krb5_gss_sign(minor_status, context_handle, - qop_req, message_buffer, message_token)); + return(krb5_gss_sign(minor_status, context_handle, + qop_req, message_buffer, message_token)); } #if 0 /* V2 */ static OM_uint32 k5glue_verify_mic(ctx, minor_status, context_handle, - message_buffer, token_buffer, qop_state) + message_buffer, token_buffer, qop_state) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t message_buffer; - gss_buffer_t token_buffer; - gss_qop_t *qop_state; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t message_buffer; + gss_buffer_t token_buffer; + gss_qop_t *qop_state; { return(krb5_gss_verify_mic(minor_status, context_handle, - message_buffer, token_buffer, qop_state)); + message_buffer, token_buffer, qop_state)); } /* V2 */ static OM_uint32 k5glue_wrap(ctx, minor_status, context_handle, conf_req_flag, qop_req, - input_message_buffer, conf_state, output_message_buffer) + input_message_buffer, conf_state, output_message_buffer) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - int conf_req_flag; - gss_qop_t qop_req; - gss_buffer_t input_message_buffer; - int *conf_state; - gss_buffer_t output_message_buffer; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + gss_buffer_t input_message_buffer; + int *conf_state; + gss_buffer_t output_message_buffer; { return(krb5_gss_wrap(minor_status, context_handle, conf_req_flag, qop_req, - input_message_buffer, conf_state, - output_message_buffer)); + input_message_buffer, conf_state, + output_message_buffer)); } /* V2 */ static OM_uint32 k5glue_str_to_oid(ctx, minor_status, oid_str, oid) void *ctx; - OM_uint32 *minor_status; - gss_buffer_t oid_str; - gss_OID *oid; + OM_uint32 *minor_status; + gss_buffer_t oid_str; + gss_OID *oid; { return(generic_gss_str_to_oid(minor_status, oid_str, oid)); } @@ -948,84 +984,84 @@ k5glue_str_to_oid(ctx, minor_status, oid_str, oid) static OM_uint32 k5glue_test_oid_set_member(ctx, minor_status, member, set, present) void *ctx; - OM_uint32 *minor_status; - gss_OID member; - gss_OID_set set; - int *present; + OM_uint32 *minor_status; + gss_OID member; + gss_OID_set set; + int *present; { return(generic_gss_test_oid_set_member(minor_status, member, set, - present)); + present)); } #endif /* V1 only */ static OM_uint32 k5glue_unseal(ctx, minor_status, context_handle, input_message_buffer, - output_message_buffer, conf_state, qop_state) + output_message_buffer, conf_state, qop_state) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t input_message_buffer; - gss_buffer_t output_message_buffer; - int *conf_state; - int *qop_state; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t input_message_buffer; + gss_buffer_t output_message_buffer; + int *conf_state; + int *qop_state; { - return(krb5_gss_unseal(minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state)); + return(krb5_gss_unseal(minor_status, context_handle, + input_message_buffer, output_message_buffer, + conf_state, qop_state)); } #if 0 /* V2 */ static OM_uint32 -k5glue_unwrap(ctx, minor_status, context_handle, input_message_buffer, - output_message_buffer, conf_state, qop_state) +k5glue_unwrap(ctx, minor_status, context_handle, input_message_buffer, + output_message_buffer, conf_state, qop_state) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t input_message_buffer; - gss_buffer_t output_message_buffer; - int *conf_state; - gss_qop_t *qop_state; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t input_message_buffer; + gss_buffer_t output_message_buffer; + int *conf_state; + gss_qop_t *qop_state; { return(krb5_gss_unwrap(minor_status, context_handle, input_message_buffer, - output_message_buffer, conf_state, qop_state)); + output_message_buffer, conf_state, qop_state)); } #endif /* V1 only */ static OM_uint32 k5glue_verify(ctx, minor_status, context_handle, message_buffer, - token_buffer, qop_state) + token_buffer, qop_state) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t message_buffer; - gss_buffer_t token_buffer; - int *qop_state; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t message_buffer; + gss_buffer_t token_buffer; + int *qop_state; { - return(krb5_gss_verify(minor_status, - context_handle, - message_buffer, - token_buffer, - qop_state)); + return(krb5_gss_verify(minor_status, + context_handle, + message_buffer, + token_buffer, + qop_state)); } /* V2 interface */ static OM_uint32 k5glue_wrap_size_limit(ctx, minor_status, context_handle, conf_req_flag, - qop_req, req_output_size, max_input_size) + qop_req, req_output_size, max_input_size) void *ctx; - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - int conf_req_flag; - gss_qop_t qop_req; - OM_uint32 req_output_size; - OM_uint32 *max_input_size; + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + OM_uint32 req_output_size; + OM_uint32 *max_input_size; { - return(krb5_gss_wrap_size_limit(minor_status, context_handle, - conf_req_flag, qop_req, - req_output_size, max_input_size)); + return(krb5_gss_wrap_size_limit(minor_status, context_handle, + conf_req_flag, qop_req, + req_output_size, max_input_size)); } #if 0 @@ -1033,13 +1069,13 @@ k5glue_wrap_size_limit(ctx, minor_status, context_handle, conf_req_flag, static OM_uint32 k5glue_canonicalize_name(ctx, minor_status, input_name, mech_type, output_name) void *ctx; - OM_uint32 *minor_status; - const gss_name_t input_name; - const gss_OID mech_type; - gss_name_t *output_name; + OM_uint32 *minor_status; + const gss_name_t input_name; + const gss_OID mech_type; + gss_name_t *output_name; { - return krb5_gss_canonicalize_name(minor_status, input_name, - mech_type, output_name); + return krb5_gss_canonicalize_name(minor_status, input_name, + mech_type, output_name); } #endif @@ -1047,11 +1083,11 @@ k5glue_canonicalize_name(ctx, minor_status, input_name, mech_type, output_name) static OM_uint32 k5glue_export_name(ctx, minor_status, input_name, exported_name) void *ctx; - OM_uint32 *minor_status; - const gss_name_t input_name; - gss_buffer_t exported_name; + OM_uint32 *minor_status; + const gss_name_t input_name; + gss_buffer_t exported_name; { - return krb5_gss_export_name(minor_status, input_name, exported_name); + return krb5_gss_export_name(minor_status, input_name, exported_name); } #if 0 @@ -1059,11 +1095,11 @@ k5glue_export_name(ctx, minor_status, input_name, exported_name) static OM_uint32 k5glue_duplicate_name(ctx, minor_status, input_name, dest_name) void *ctx; - OM_uint32 *minor_status; - const gss_name_t input_name; - gss_name_t *dest_name; + OM_uint32 *minor_status; + const gss_name_t input_name; + gss_name_t *dest_name; { - return krb5_gss_duplicate_name(minor_status, input_name, dest_name); + return krb5_gss_duplicate_name(minor_status, input_name, dest_name); } #endif @@ -1077,13 +1113,13 @@ gss_krb5_get_tkt_flags( uctx = (gss_union_ctx_id_t)context_handle; if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) && - !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type)) - return GSS_S_BAD_MECH; + !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type)) + return GSS_S_BAD_MECH; return gss_krb5int_get_tkt_flags(minor_status, uctx->internal_ctx_id, - ticket_flags); + ticket_flags); } -OM_uint32 KRB5_CALLCONV +OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache( OM_uint32 *minor_status, gss_cred_id_t cred_handle, @@ -1096,11 +1132,11 @@ gss_krb5_copy_ccache( mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type); if (mcred != GSS_C_NO_CREDENTIAL) - return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache); + return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache); mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type); if (mcred != GSS_C_NO_CREDENTIAL) - return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache); + return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache); return GSS_S_DEFECTIVE_CREDENTIAL; } @@ -1117,16 +1153,16 @@ gss_krb5_export_lucid_sec_context( uctx = (gss_union_ctx_id_t)*context_handle; if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) && - !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type)) - return GSS_S_BAD_MECH; + !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type)) + return GSS_S_BAD_MECH; return gss_krb5int_export_lucid_sec_context(minor_status, - &uctx->internal_ctx_id, - version, kctx); + &uctx->internal_ctx_id, + version, kctx); } OM_uint32 KRB5_CALLCONV gss_krb5_set_allowable_enctypes( - OM_uint32 *minor_status, + OM_uint32 *minor_status, gss_cred_id_t cred, OM_uint32 num_ktypes, krb5_enctype *ktypes) @@ -1137,13 +1173,13 @@ gss_krb5_set_allowable_enctypes( ucred = (gss_union_cred_t)cred; mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type); if (mcred != GSS_C_NO_CREDENTIAL) - return gss_krb5int_set_allowable_enctypes(minor_status, mcred, - num_ktypes, ktypes); + return gss_krb5int_set_allowable_enctypes(minor_status, mcred, + num_ktypes, ktypes); mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type); if (mcred != GSS_C_NO_CREDENTIAL) - return gss_krb5int_set_allowable_enctypes(minor_status, mcred, - num_ktypes, ktypes); + return gss_krb5int_set_allowable_enctypes(minor_status, mcred, + num_ktypes, ktypes); return GSS_S_DEFECTIVE_CREDENTIAL; } diff --git a/src/lib/gssapi/krb5/lucid_context.c b/src/lib/gssapi/krb5/lucid_context.c index 086bea427..338c38b8c 100644 --- a/src/lib/gssapi/krb5/lucid_context.c +++ b/src/lib/gssapi/krb5/lucid_context.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/lucid_context.c * @@ -61,31 +62,31 @@ make_external_lucid_ctx_v1( OM_uint32 KRB5_CALLCONV gss_krb5int_export_lucid_sec_context( - OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - OM_uint32 version, - void **kctx) + OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + OM_uint32 version, + void **kctx) { - krb5_error_code kret = 0; - OM_uint32 retval; - krb5_gss_ctx_id_t ctx; - void *lctx = NULL; + krb5_error_code kret = 0; + OM_uint32 retval; + krb5_gss_ctx_id_t ctx; + void *lctx = NULL; /* Assume failure */ retval = GSS_S_FAILURE; *minor_status = 0; if (kctx) - *kctx = NULL; + *kctx = NULL; else { - kret = EINVAL; - goto error_out; + kret = EINVAL; + goto error_out; } if (!kg_validate_ctx_id(*context_handle)) { - kret = (OM_uint32) G_VALIDATE_FAILED; - retval = GSS_S_NO_CONTEXT; - goto error_out; + kret = (OM_uint32) G_VALIDATE_FAILED; + retval = GSS_S_NO_CONTEXT; + goto error_out; } ctx = (krb5_gss_ctx_id_t) *context_handle; @@ -93,21 +94,21 @@ gss_krb5int_export_lucid_sec_context( /* Externalize a structure of the right version */ switch (version) { case 1: - kret = make_external_lucid_ctx_v1((krb5_pointer)ctx, - version, &lctx); + kret = make_external_lucid_ctx_v1((krb5_pointer)ctx, + version, &lctx); break; default: - kret = (OM_uint32) KG_LUCID_VERSION; - break; + kret = (OM_uint32) KG_LUCID_VERSION; + break; } if (kret) - goto error_out; + goto error_out; /* Success! Record the context and return the buffer */ if (! kg_save_lucidctx_id((void *)lctx)) { - kret = G_VALIDATE_FAILED; - goto error_out; + kret = G_VALIDATE_FAILED; + goto error_out; } *kctx = lctx; @@ -123,8 +124,8 @@ gss_krb5int_export_lucid_sec_context( return (retval); error_out: - if (*minor_status == 0) - *minor_status = (OM_uint32) kret; + if (*minor_status == 0) + *minor_status = (OM_uint32) kret; return(retval); } @@ -137,39 +138,39 @@ gss_krb5_free_lucid_sec_context( OM_uint32 *minor_status, void *kctx) { - OM_uint32 retval; - krb5_error_code kret = 0; - int version; + OM_uint32 retval; + krb5_error_code kret = 0; + int version; /* Assume failure */ retval = GSS_S_FAILURE; *minor_status = 0; if (!kctx) { - kret = EINVAL; - goto error_out; + kret = EINVAL; + goto error_out; } /* Verify pointer is valid lucid context */ if (! kg_validate_lucidctx_id(kctx)) { - kret = G_VALIDATE_FAILED; - goto error_out; + kret = G_VALIDATE_FAILED; + goto error_out; } /* Determine version and call correct free routine */ version = ((gss_krb5_lucid_context_version_t *)kctx)->version; switch (version) { case 1: - (void)kg_delete_lucidctx_id(kctx); - free_external_lucid_ctx_v1((gss_krb5_lucid_context_v1_t*) kctx); - break; + (void)kg_delete_lucidctx_id(kctx); + free_external_lucid_ctx_v1((gss_krb5_lucid_context_v1_t*) kctx); + break; default: - kret = EINVAL; - break; + kret = EINVAL; + break; } if (kret) - goto error_out; + goto error_out; /* Success! */ *minor_status = 0; @@ -178,8 +179,8 @@ gss_krb5_free_lucid_sec_context( return (retval); error_out: - if (*minor_status == 0) - *minor_status = (OM_uint32) kret; + if (*minor_status == 0) + *minor_status = (OM_uint32) kret; return(retval); } @@ -199,8 +200,8 @@ make_external_lucid_ctx_v1( /* Allocate the structure */ if ((lctx = xmalloc(bufsize)) == NULL) { - retval = ENOMEM; - goto error_out; + retval = ENOMEM; + goto error_out; } memset(lctx, 0, bufsize); @@ -214,29 +215,29 @@ make_external_lucid_ctx_v1( /* gctx->proto == 0 ==> rfc1964-style key information gctx->proto == 1 ==> cfx-style (draft-ietf-krb-wg-gssapi-cfx-07) keys */ if (gctx->proto == 0) { - lctx->rfc1964_kd.sign_alg = gctx->signalg; - lctx->rfc1964_kd.seal_alg = gctx->sealalg; - /* Copy key */ - if ((retval = copy_keyblock_to_lucid_key(gctx->subkey, - &lctx->rfc1964_kd.ctx_key))) - goto error_out; + lctx->rfc1964_kd.sign_alg = gctx->signalg; + lctx->rfc1964_kd.seal_alg = gctx->sealalg; + /* Copy key */ + if ((retval = copy_keyblock_to_lucid_key(gctx->subkey, + &lctx->rfc1964_kd.ctx_key))) + goto error_out; } else if (gctx->proto == 1) { - /* Copy keys */ - /* (subkey is always present, either a copy of the kerberos - session key or a subkey) */ - if ((retval = copy_keyblock_to_lucid_key(gctx->subkey, - &lctx->cfx_kd.ctx_key))) - goto error_out; - if (gctx->have_acceptor_subkey) { - if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey, - &lctx->cfx_kd.acceptor_subkey))) - goto error_out; - lctx->cfx_kd.have_acceptor_subkey = 1; - } + /* Copy keys */ + /* (subkey is always present, either a copy of the kerberos + session key or a subkey) */ + if ((retval = copy_keyblock_to_lucid_key(gctx->subkey, + &lctx->cfx_kd.ctx_key))) + goto error_out; + if (gctx->have_acceptor_subkey) { + if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey, + &lctx->cfx_kd.acceptor_subkey))) + goto error_out; + lctx->cfx_kd.have_acceptor_subkey = 1; + } } else { - return EINVAL; /* XXX better error code? */ + return EINVAL; /* XXX better error code? */ } /* Success! */ @@ -245,7 +246,7 @@ make_external_lucid_ctx_v1( error_out: if (lctx) { - free_external_lucid_ctx_v1(lctx); + free_external_lucid_ctx_v1(lctx); } return retval; @@ -258,13 +259,13 @@ copy_keyblock_to_lucid_key( gss_krb5_lucid_key_t *lkey) { if (!k5key || !k5key->contents || k5key->length == 0) - return EINVAL; + return EINVAL; memset(lkey, 0, sizeof(gss_krb5_lucid_key_t)); /* Allocate storage for the key data */ if ((lkey->data = xmalloc(k5key->length)) == NULL) { - return ENOMEM; + return ENOMEM; } memcpy(lkey->data, k5key->contents, k5key->length); lkey->length = k5key->length; @@ -280,11 +281,11 @@ free_lucid_key_data( gss_krb5_lucid_key_t *key) { if (key) { - if (key->data && key->length) { - memset(key->data, 0, key->length); - xfree(key->data); - memset(key, 0, sizeof(gss_krb5_lucid_key_t)); - } + if (key->data && key->length) { + memset(key->data, 0, key->length); + xfree(key->data); + memset(key, 0, sizeof(gss_krb5_lucid_key_t)); + } } } /* Free any storage associated with a gss_krb5_lucid_context_v1 structure */ @@ -293,15 +294,15 @@ free_external_lucid_ctx_v1( gss_krb5_lucid_context_v1_t *ctx) { if (ctx) { - if (ctx->protocol == 0) { - free_lucid_key_data(&ctx->rfc1964_kd.ctx_key); - } - if (ctx->protocol == 1) { - free_lucid_key_data(&ctx->cfx_kd.ctx_key); - if (ctx->cfx_kd.have_acceptor_subkey) - free_lucid_key_data(&ctx->cfx_kd.acceptor_subkey); - } - xfree(ctx); - ctx = NULL; + if (ctx->protocol == 0) { + free_lucid_key_data(&ctx->rfc1964_kd.ctx_key); + } + if (ctx->protocol == 1) { + free_lucid_key_data(&ctx->cfx_kd.ctx_key); + if (ctx->cfx_kd.have_acceptor_subkey) + free_lucid_key_data(&ctx->cfx_kd.acceptor_subkey); + } + xfree(ctx); + ctx = NULL; } } diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c index 49d8ec3f9..9a4d282ac 100644 --- a/src/lib/gssapi/krb5/process_context_token.c +++ b/src/lib/gssapi/krb5/process_context_token.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -27,38 +28,38 @@ */ OM_uint32 -krb5_gss_process_context_token(minor_status, context_handle, - token_buffer) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t token_buffer; +krb5_gss_process_context_token(minor_status, context_handle, + token_buffer) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t token_buffer; { - krb5_gss_ctx_id_rec *ctx; - OM_uint32 majerr; + krb5_gss_ctx_id_rec *ctx; + OM_uint32 majerr; - /* validate the context handle */ - if (! kg_validate_ctx_id(context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); - } + /* validate the context handle */ + if (! kg_validate_ctx_id(context_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); + } - ctx = (krb5_gss_ctx_id_t) context_handle; + ctx = (krb5_gss_ctx_id_t) context_handle; - if (! ctx->established) { - *minor_status = KG_CTX_INCOMPLETE; - return(GSS_S_NO_CONTEXT); - } + if (! ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); + } - /* "unseal" the token */ + /* "unseal" the token */ - if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle, - token_buffer, - GSS_C_NO_BUFFER, NULL, NULL, - KG_TOK_DEL_CTX))) - return(majerr); + if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle, + token_buffer, + GSS_C_NO_BUFFER, NULL, NULL, + KG_TOK_DEL_CTX))) + return(majerr); - /* that's it. delete the context */ + /* that's it. delete the context */ - return(krb5_gss_delete_sec_context(minor_status, &context_handle, - GSS_C_NO_BUFFER)); + return(krb5_gss_delete_sec_context(minor_status, &context_handle, + GSS_C_NO_BUFFER)); } diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c index 1b4a6ce55..833054326 100644 --- a/src/lib/gssapi/krb5/rel_cred.c +++ b/src/lib/gssapi/krb5/rel_cred.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -22,74 +23,74 @@ #include "gssapiP_krb5.h" -OM_uint32 +OM_uint32 krb5_gss_release_cred(minor_status, cred_handle) - OM_uint32 *minor_status; - gss_cred_id_t *cred_handle; + OM_uint32 *minor_status; + gss_cred_id_t *cred_handle; { - krb5_context context; - krb5_gss_cred_id_t cred; - krb5_error_code code1, code2, code3; + krb5_context context; + krb5_gss_cred_id_t cred; + krb5_error_code code1, code2, code3; - code1 = krb5_gss_init_context(&context); - if (code1) { - *minor_status = code1; - return GSS_S_FAILURE; - } + code1 = krb5_gss_init_context(&context); + if (code1) { + *minor_status = code1; + return GSS_S_FAILURE; + } - if (*cred_handle == GSS_C_NO_CREDENTIAL) { - *minor_status = 0; - krb5_free_context(context); - return(GSS_S_COMPLETE); - } + if (*cred_handle == GSS_C_NO_CREDENTIAL) { + *minor_status = 0; + krb5_free_context(context); + return(GSS_S_COMPLETE); + } - if (! kg_delete_cred_id(*cred_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - krb5_free_context(context); - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_NO_CRED); - } + if (! kg_delete_cred_id(*cred_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_NO_CRED); + } - cred = (krb5_gss_cred_id_t)*cred_handle; + cred = (krb5_gss_cred_id_t)*cred_handle; - k5_mutex_destroy(&cred->lock); - /* ignore error destroying mutex */ + k5_mutex_destroy(&cred->lock); + /* ignore error destroying mutex */ - if (cred->ccache) - code1 = krb5_cc_close(context, cred->ccache); - else - code1 = 0; + if (cred->ccache) + code1 = krb5_cc_close(context, cred->ccache); + else + code1 = 0; -#ifndef LEAN_CLIENT - if (cred->keytab) - code2 = krb5_kt_close(context, cred->keytab); - else +#ifndef LEAN_CLIENT + if (cred->keytab) + code2 = krb5_kt_close(context, cred->keytab); + else #endif /* LEAN_CLIENT */ - code2 = 0; + code2 = 0; - if (cred->rcache) - code3 = krb5_rc_close(context, cred->rcache); - else - code3 = 0; - if (cred->princ) - krb5_free_principal(context, cred->princ); + if (cred->rcache) + code3 = krb5_rc_close(context, cred->rcache); + else + code3 = 0; + if (cred->princ) + krb5_free_principal(context, cred->princ); - if (cred->req_enctypes) - free(cred->req_enctypes); + if (cred->req_enctypes) + free(cred->req_enctypes); - xfree(cred); + xfree(cred); - *cred_handle = NULL; + *cred_handle = NULL; - *minor_status = 0; - if (code1) - *minor_status = code1; - if (code2) - *minor_status = code2; - if (code3) - *minor_status = code3; + *minor_status = 0; + if (code1) + *minor_status = code1; + if (code2) + *minor_status = code2; + if (code3) + *minor_status = code3; - if (*minor_status) - save_error_info(*minor_status, context); - krb5_free_context(context); - return(*minor_status?GSS_S_FAILURE:GSS_S_COMPLETE); + if (*minor_status) + save_error_info(*minor_status, context); + krb5_free_context(context); + return(*minor_status?GSS_S_FAILURE:GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/rel_name.c b/src/lib/gssapi/krb5/rel_name.c index d906a70c0..49d194448 100644 --- a/src/lib/gssapi/krb5/rel_name.c +++ b/src/lib/gssapi/krb5/rel_name.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -24,31 +25,31 @@ OM_uint32 krb5_gss_release_name(minor_status, input_name) - OM_uint32 *minor_status; - gss_name_t *input_name; + OM_uint32 *minor_status; + gss_name_t *input_name; { - krb5_context context; - krb5_error_code code; + krb5_context context; + krb5_error_code code; - code = krb5_gss_init_context(&context); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } + code = krb5_gss_init_context(&context); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } - if (! kg_validate_name(*input_name)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - krb5_free_context(context); - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - } + if (! kg_validate_name(*input_name)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + krb5_free_context(context); + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } - (void)kg_delete_name(*input_name); + (void)kg_delete_name(*input_name); - krb5_free_principal(context, (krb5_principal) *input_name); - krb5_free_context(context); + krb5_free_principal(context, (krb5_principal) *input_name); + krb5_free_context(context); - *input_name = (gss_name_t) NULL; + *input_name = (gss_name_t) NULL; - *minor_status = 0; - return(GSS_S_COMPLETE); + *minor_status = 0; + return(GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/krb5/rel_oid.c b/src/lib/gssapi/krb5/rel_oid.c index 7e45781ef..7a08da2be 100644 --- a/src/lib/gssapi/krb5/rel_oid.c +++ b/src/lib/gssapi/krb5/rel_oid.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/rel_oid.c * @@ -31,13 +32,13 @@ #include "gssapiP_krb5.h" OM_uint32 krb5_gss_internal_release_oid (OM_uint32 *, /* minor_status */ - gss_OID * /* oid */ - ); + gss_OID * /* oid */ +); OM_uint32 krb5_gss_release_oid(minor_status, oid) - OM_uint32 *minor_status; - gss_OID *oid; + OM_uint32 *minor_status; + gss_OID *oid; { /* * The V2 API says the following! @@ -49,38 +50,37 @@ krb5_gss_release_oid(minor_status, oid) * allocated OID values with OIDs returned by GSS-API. */ if (krb5_gss_internal_release_oid(minor_status, oid) != GSS_S_COMPLETE) { - /* Pawn it off on the generic routine */ - return(generic_gss_release_oid(minor_status, oid)); + /* Pawn it off on the generic routine */ + return(generic_gss_release_oid(minor_status, oid)); } else { - *oid = GSS_C_NO_OID; - *minor_status = 0; - return(GSS_S_COMPLETE); + *oid = GSS_C_NO_OID; + *minor_status = 0; + return(GSS_S_COMPLETE); } } OM_uint32 krb5_gss_internal_release_oid(minor_status, oid) - OM_uint32 *minor_status; - gss_OID *oid; + OM_uint32 *minor_status; + gss_OID *oid; { /* * This function only knows how to release internal OIDs. It will * return GSS_S_CONTINUE_NEEDED for any OIDs it does not recognize. */ - + *minor_status = 0; if ((*oid != gss_mech_krb5) && - (*oid != gss_mech_krb5_old) && - (*oid != gss_mech_krb5_wrong) && - (*oid != gss_nt_krb5_name) && - (*oid != gss_nt_krb5_principal)) { - /* We don't know about this OID */ - return(GSS_S_CONTINUE_NEEDED); + (*oid != gss_mech_krb5_old) && + (*oid != gss_mech_krb5_wrong) && + (*oid != gss_nt_krb5_name) && + (*oid != gss_nt_krb5_principal)) { + /* We don't know about this OID */ + return(GSS_S_CONTINUE_NEEDED); } else { - *oid = GSS_C_NO_OID; - return(GSS_S_COMPLETE); + *oid = GSS_C_NO_OID; + return(GSS_S_COMPLETE); } } - diff --git a/src/lib/gssapi/krb5/seal.c b/src/lib/gssapi/krb5/seal.c index 63d3dabe0..9598de7d9 100644 --- a/src/lib/gssapi/krb5/seal.c +++ b/src/lib/gssapi/krb5/seal.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -28,36 +29,35 @@ OM_uint32 krb5_gss_seal(minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - int conf_req_flag; - int qop_req; - gss_buffer_t input_message_buffer; - int *conf_state; - gss_buffer_t output_message_buffer; + qop_req, input_message_buffer, conf_state, + output_message_buffer) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + int qop_req; + gss_buffer_t input_message_buffer; + int *conf_state; + gss_buffer_t output_message_buffer; { - return(kg_seal(minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, KG_TOK_SEAL_MSG)); + return(kg_seal(minor_status, context_handle, conf_req_flag, + qop_req, input_message_buffer, conf_state, + output_message_buffer, KG_TOK_SEAL_MSG)); } /* V2 interface */ OM_uint32 krb5_gss_wrap(minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - int conf_req_flag; - gss_qop_t qop_req; - gss_buffer_t input_message_buffer; - int *conf_state; - gss_buffer_t output_message_buffer; + qop_req, input_message_buffer, conf_state, + output_message_buffer) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + gss_buffer_t input_message_buffer; + int *conf_state; + gss_buffer_t output_message_buffer; { return(kg_seal(minor_status, context_handle, conf_req_flag, - (int) qop_req, input_message_buffer, conf_state, - output_message_buffer, KG_TOK_WRAP_MSG)); + (int) qop_req, input_message_buffer, conf_state, + output_message_buffer, KG_TOK_WRAP_MSG)); } - diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c index 92bb302f0..5babd7668 100644 --- a/src/lib/gssapi/krb5/ser_sctx.c +++ b/src/lib/gssapi/krb5/ser_sctx.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/ser_sctx.c * @@ -32,8 +33,8 @@ #include "gssapiP_krb5.h" /* - * This module contains routines to [de]serialize - * krb5_gss_enc_desc and krb5_gss_ctx_id_t. + * This module contains routines to [de]serialize + * krb5_gss_enc_desc and krb5_gss_ctx_id_t. * XXX This whole serialization abstraction is unnecessary in a * non-messaging environment, which krb5 is. Someday, this should * all get redone without the extra level of indirection. I've done @@ -45,190 +46,190 @@ static krb5_error_code kg_oid_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; + krb5_context kcontext; + krb5_pointer arg; + krb5_octet **buffer; + size_t *lenremain; { - gss_OID oid = (gss_OID) arg; - krb5_error_code err; - - err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain); - if (err) - return err; - err = krb5_ser_pack_int32((krb5_int32) oid->length, - buffer, lenremain); - if (err) - return err; - err = krb5_ser_pack_bytes((krb5_octet *) oid->elements, - oid->length, buffer, lenremain); - if (err) - return err; - err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain); - return err; + gss_OID oid = (gss_OID) arg; + krb5_error_code err; + + err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain); + if (err) + return err; + err = krb5_ser_pack_int32((krb5_int32) oid->length, + buffer, lenremain); + if (err) + return err; + err = krb5_ser_pack_bytes((krb5_octet *) oid->elements, + oid->length, buffer, lenremain); + if (err) + return err; + err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain); + return err; } static krb5_error_code kg_oid_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; + krb5_context kcontext; + krb5_pointer *argp; + krb5_octet **buffer; + size_t *lenremain; { - gss_OID oid; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; - - bp = *buffer; - remain = *lenremain; - - /* Read in and check our magic number */ - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - return (EINVAL); - - if (ibuf != KV5M_GSS_OID) - return (EINVAL); - - oid = (gss_OID) malloc(sizeof(gss_OID_desc)); - if (oid == NULL) - return ENOMEM; - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { - free(oid); - return EINVAL; - } - oid->length = ibuf; - oid->elements = malloc(ibuf); - if (oid->elements == 0) { - free(oid); - return ENOMEM; - } - if (krb5_ser_unpack_bytes((krb5_octet *) oid->elements, - oid->length, &bp, &remain)) { - free(oid->elements); - free(oid); - return EINVAL; - } - - /* Read in and check our trailing magic number */ - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { - free(oid->elements); - free(oid); - return (EINVAL); - } - - if (ibuf != KV5M_GSS_OID) { - free(oid->elements); - free(oid); - return (EINVAL); - } - - *buffer = bp; - *lenremain = remain; - *argp = (krb5_pointer) oid; - return 0; + gss_OID oid; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; + + bp = *buffer; + remain = *lenremain; + + /* Read in and check our magic number */ + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) + return (EINVAL); + + if (ibuf != KV5M_GSS_OID) + return (EINVAL); + + oid = (gss_OID) malloc(sizeof(gss_OID_desc)); + if (oid == NULL) + return ENOMEM; + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { + free(oid); + return EINVAL; + } + oid->length = ibuf; + oid->elements = malloc(ibuf); + if (oid->elements == 0) { + free(oid); + return ENOMEM; + } + if (krb5_ser_unpack_bytes((krb5_octet *) oid->elements, + oid->length, &bp, &remain)) { + free(oid->elements); + free(oid); + return EINVAL; + } + + /* Read in and check our trailing magic number */ + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { + free(oid->elements); + free(oid); + return (EINVAL); + } + + if (ibuf != KV5M_GSS_OID) { + free(oid->elements); + free(oid); + return (EINVAL); + } + + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) oid; + return 0; } static krb5_error_code kg_oid_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; + krb5_context kcontext; + krb5_pointer arg; + size_t *sizep; { - krb5_error_code kret; - gss_OID oid; - size_t required; + krb5_error_code kret; + gss_OID oid; + size_t required; - kret = EINVAL; - if ((oid = (gss_OID) arg)) { - required = 2*sizeof(krb5_int32); /* For the header and trailer */ - required += sizeof(krb5_int32); - required += oid->length; + kret = EINVAL; + if ((oid = (gss_OID) arg)) { + required = 2*sizeof(krb5_int32); /* For the header and trailer */ + required += sizeof(krb5_int32); + required += oid->length; - kret = 0; + kret = 0; - *sizep += required; - } + *sizep += required; + } - return(kret); + return(kret); } static krb5_error_code kg_queue_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; + krb5_context kcontext; + krb5_pointer arg; + krb5_octet **buffer; + size_t *lenremain; { krb5_error_code err; err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); if (err == 0) - err = g_queue_externalize(arg, buffer, lenremain); + err = g_queue_externalize(arg, buffer, lenremain); if (err == 0) - err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); + err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); return err; } static krb5_error_code kg_queue_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; + krb5_context kcontext; + krb5_pointer *argp; + krb5_octet **buffer; + size_t *lenremain; { - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; - krb5_error_code err; - - bp = *buffer; - remain = *lenremain; - - /* Read in and check our magic number */ - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - return (EINVAL); - - if (ibuf != KV5M_GSS_QUEUE) - return (EINVAL); - - err = g_queue_internalize(argp, &bp, &remain); - if (err) - return err; - - /* Read in and check our trailing magic number */ - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { - g_order_free(argp); - return (EINVAL); - } - - if (ibuf != KV5M_GSS_QUEUE) { - g_order_free(argp); - return (EINVAL); - } - - *buffer = bp; - *lenremain = remain; - return 0; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; + krb5_error_code err; + + bp = *buffer; + remain = *lenremain; + + /* Read in and check our magic number */ + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) + return (EINVAL); + + if (ibuf != KV5M_GSS_QUEUE) + return (EINVAL); + + err = g_queue_internalize(argp, &bp, &remain); + if (err) + return err; + + /* Read in and check our trailing magic number */ + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { + g_order_free(argp); + return (EINVAL); + } + + if (ibuf != KV5M_GSS_QUEUE) { + g_order_free(argp); + return (EINVAL); + } + + *buffer = bp; + *lenremain = remain; + return 0; } static krb5_error_code kg_queue_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; + krb5_context kcontext; + krb5_pointer arg; + size_t *sizep; { - krb5_error_code kret; - size_t required; - - kret = EINVAL; - if (arg) { - required = 2*sizeof(krb5_int32); /* For the header and trailer */ - g_queue_size(arg, &required); - - kret = 0; - *sizep += required; - } - return(kret); + krb5_error_code kret; + size_t required; + + kret = EINVAL; + if (arg) { + required = 2*sizeof(krb5_int32); /* For the header and trailer */ + g_queue_size(arg, &required); + + kret = 0; + *sizep += required; + } + return(kret); } /* @@ -236,108 +237,108 @@ kg_queue_size(kcontext, arg, sizep) */ krb5_error_code kg_ctx_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; + krb5_context kcontext; + krb5_pointer arg; + size_t *sizep; { - krb5_error_code kret; - krb5_gss_ctx_id_rec *ctx; - size_t required; + krb5_error_code kret; + krb5_gss_ctx_id_rec *ctx; + size_t required; /* * krb5_gss_ctx_id_rec requires: - * krb5_int32 for KG_CONTEXT - * krb5_int32 for initiate. - * krb5_int32 for established. - * krb5_int32 for big_endian. - * krb5_int32 for have_acceptor_subkey. - * krb5_int32 for seed_init. - * krb5_int32 for gss_flags. - * sizeof(seed) for seed - * ... for here - * ... for there - * ... for subkey - * krb5_int32 for signalg. - * krb5_int32 for cksum_size. - * krb5_int32 for sealalg. - * ... for enc - * ... for seq - * krb5_int32 for endtime. - * krb5_int32 for flags. - * krb5_int64 for seq_send. - * krb5_int64 for seq_recv. - * ... for seqstate - * ... for auth_context - * ... for mech_used - * krb5_int32 for proto - * krb5_int32 for cksumtype - * ... for acceptor_subkey - * krb5_int32 for acceptor_key_cksumtype - * krb5_int32 for cred_rcache - * krb5_int32 for trailer. + * krb5_int32 for KG_CONTEXT + * krb5_int32 for initiate. + * krb5_int32 for established. + * krb5_int32 for big_endian. + * krb5_int32 for have_acceptor_subkey. + * krb5_int32 for seed_init. + * krb5_int32 for gss_flags. + * sizeof(seed) for seed + * ... for here + * ... for there + * ... for subkey + * krb5_int32 for signalg. + * krb5_int32 for cksum_size. + * krb5_int32 for sealalg. + * ... for enc + * ... for seq + * krb5_int32 for endtime. + * krb5_int32 for flags. + * krb5_int64 for seq_send. + * krb5_int64 for seq_recv. + * ... for seqstate + * ... for auth_context + * ... for mech_used + * krb5_int32 for proto + * krb5_int32 for cksumtype + * ... for acceptor_subkey + * krb5_int32 for acceptor_key_cksumtype + * krb5_int32 for cred_rcache + * krb5_int32 for trailer. */ kret = EINVAL; if ((ctx = (krb5_gss_ctx_id_rec *) arg)) { - required = 17*sizeof(krb5_int32); - required += 2*sizeof(krb5_int64); - required += sizeof(ctx->seed); - - kret = 0; - if (!kret && ctx->here) - kret = krb5_size_opaque(kcontext, - KV5M_PRINCIPAL, - (krb5_pointer) ctx->here, - &required); - - if (!kret && ctx->there) - kret = krb5_size_opaque(kcontext, - KV5M_PRINCIPAL, - (krb5_pointer) ctx->there, - &required); - - if (!kret && ctx->subkey) - kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->subkey, - &required); - - if (!kret && ctx->enc) - kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->enc, - &required); - - if (!kret && ctx->seq) - kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->seq, - &required); - - if (!kret) - kret = kg_oid_size(kcontext, - (krb5_pointer) ctx->mech_used, - &required); - - if (!kret && ctx->seqstate) - kret = kg_queue_size(kcontext, ctx->seqstate, &required); - - if (!kret) - kret = krb5_size_opaque(kcontext, - KV5M_CONTEXT, - (krb5_pointer) ctx->k5_context, - &required); - if (!kret) - kret = krb5_size_opaque(kcontext, - KV5M_AUTH_CONTEXT, - (krb5_pointer) ctx->auth_context, - &required); - if (!kret && ctx->acceptor_subkey) - kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->acceptor_subkey, - &required); - if (!kret) - *sizep += required; + required = 17*sizeof(krb5_int32); + required += 2*sizeof(krb5_int64); + required += sizeof(ctx->seed); + + kret = 0; + if (!kret && ctx->here) + kret = krb5_size_opaque(kcontext, + KV5M_PRINCIPAL, + (krb5_pointer) ctx->here, + &required); + + if (!kret && ctx->there) + kret = krb5_size_opaque(kcontext, + KV5M_PRINCIPAL, + (krb5_pointer) ctx->there, + &required); + + if (!kret && ctx->subkey) + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->subkey, + &required); + + if (!kret && ctx->enc) + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->enc, + &required); + + if (!kret && ctx->seq) + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->seq, + &required); + + if (!kret) + kret = kg_oid_size(kcontext, + (krb5_pointer) ctx->mech_used, + &required); + + if (!kret && ctx->seqstate) + kret = kg_queue_size(kcontext, ctx->seqstate, &required); + + if (!kret) + kret = krb5_size_opaque(kcontext, + KV5M_CONTEXT, + (krb5_pointer) ctx->k5_context, + &required); + if (!kret) + kret = krb5_size_opaque(kcontext, + KV5M_AUTH_CONTEXT, + (krb5_pointer) ctx->auth_context, + &required); + if (!kret && ctx->acceptor_subkey) + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->acceptor_subkey, + &required); + if (!kret) + *sizep += required; } return(kret); } @@ -347,20 +348,20 @@ kg_ctx_size(kcontext, arg, sizep) */ krb5_error_code kg_ctx_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; + krb5_context kcontext; + krb5_pointer arg; + krb5_octet **buffer; + size_t *lenremain; { - krb5_error_code kret; - krb5_gss_ctx_id_rec *ctx; - size_t required; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_gss_ctx_id_rec *ctx; + size_t required; + krb5_octet *bp; + size_t remain; krb5int_access kaccess; kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); - if (kret) + if (kret) return(kret); required = 0; @@ -368,122 +369,122 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) remain = *lenremain; kret = EINVAL; if ((ctx = (krb5_gss_ctx_id_rec *) arg)) { - kret = ENOMEM; - if (!kg_ctx_size(kcontext, arg, &required) && - (required <= remain)) { - /* Our identifier */ - (void) krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain); - - /* Now static data */ - (void) krb5_ser_pack_int32((krb5_int32) ctx->initiate, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->established, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->gss_flags, - &bp, &remain); - (void) krb5_ser_pack_bytes((krb5_octet *) ctx->seed, - sizeof(ctx->seed), - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->signalg, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->cksum_size, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->sealalg, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->endtime, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags, - &bp, &remain); - (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_send, - &bp, &remain); - (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_recv, - &bp, &remain); - - /* Now dynamic data */ - kret = 0; - - if (!kret && ctx->mech_used) - kret = kg_oid_externalize(kcontext, ctx->mech_used, - &bp, &remain); - - if (!kret && ctx->here) - kret = krb5_externalize_opaque(kcontext, - KV5M_PRINCIPAL, - (krb5_pointer) ctx->here, - &bp, &remain); - - if (!kret && ctx->there) - kret = krb5_externalize_opaque(kcontext, - KV5M_PRINCIPAL, - (krb5_pointer) ctx->there, - &bp, &remain); - - if (!kret && ctx->subkey) - kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->subkey, - &bp, &remain); - - if (!kret && ctx->enc) - kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->enc, - &bp, &remain); - - if (!kret && ctx->seq) - kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->seq, - &bp, &remain); - - if (!kret && ctx->seqstate) - kret = kg_queue_externalize(kcontext, - ctx->seqstate, &bp, &remain); - - if (!kret) - kret = krb5_externalize_opaque(kcontext, - KV5M_CONTEXT, - (krb5_pointer) ctx->k5_context, - &bp, &remain); - - if (!kret) - kret = krb5_externalize_opaque(kcontext, - KV5M_AUTH_CONTEXT, - (krb5_pointer) ctx->auth_context, - &bp, &remain); - - if (!kret) - kret = krb5_ser_pack_int32((krb5_int32) ctx->proto, - &bp, &remain); - if (!kret) - kret = krb5_ser_pack_int32((krb5_int32) ctx->cksumtype, - &bp, &remain); - if (!kret && ctx->acceptor_subkey) - kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->acceptor_subkey, - &bp, &remain); - if (!kret) - kret = krb5_ser_pack_int32((krb5_int32) ctx->acceptor_subkey_cksumtype, - &bp, &remain); - - if (!kret) - kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache, - &bp, &remain); - /* trailer */ - if (!kret) - kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain); - if (!kret) { - *buffer = bp; - *lenremain = remain; - } - } + kret = ENOMEM; + if (!kg_ctx_size(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain); + + /* Now static data */ + (void) krb5_ser_pack_int32((krb5_int32) ctx->initiate, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->established, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->gss_flags, + &bp, &remain); + (void) krb5_ser_pack_bytes((krb5_octet *) ctx->seed, + sizeof(ctx->seed), + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->signalg, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->cksum_size, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->sealalg, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->endtime, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags, + &bp, &remain); + (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_send, + &bp, &remain); + (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_recv, + &bp, &remain); + + /* Now dynamic data */ + kret = 0; + + if (!kret && ctx->mech_used) + kret = kg_oid_externalize(kcontext, ctx->mech_used, + &bp, &remain); + + if (!kret && ctx->here) + kret = krb5_externalize_opaque(kcontext, + KV5M_PRINCIPAL, + (krb5_pointer) ctx->here, + &bp, &remain); + + if (!kret && ctx->there) + kret = krb5_externalize_opaque(kcontext, + KV5M_PRINCIPAL, + (krb5_pointer) ctx->there, + &bp, &remain); + + if (!kret && ctx->subkey) + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->subkey, + &bp, &remain); + + if (!kret && ctx->enc) + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->enc, + &bp, &remain); + + if (!kret && ctx->seq) + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->seq, + &bp, &remain); + + if (!kret && ctx->seqstate) + kret = kg_queue_externalize(kcontext, + ctx->seqstate, &bp, &remain); + + if (!kret) + kret = krb5_externalize_opaque(kcontext, + KV5M_CONTEXT, + (krb5_pointer) ctx->k5_context, + &bp, &remain); + + if (!kret) + kret = krb5_externalize_opaque(kcontext, + KV5M_AUTH_CONTEXT, + (krb5_pointer) ctx->auth_context, + &bp, &remain); + + if (!kret) + kret = krb5_ser_pack_int32((krb5_int32) ctx->proto, + &bp, &remain); + if (!kret) + kret = krb5_ser_pack_int32((krb5_int32) ctx->cksumtype, + &bp, &remain); + if (!kret && ctx->acceptor_subkey) + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->acceptor_subkey, + &bp, &remain); + if (!kret) + kret = krb5_ser_pack_int32((krb5_int32) ctx->acceptor_subkey_cksumtype, + &bp, &remain); + + if (!kret) + kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache, + &bp, &remain); + /* trailer */ + if (!kret) + kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain); + if (!kret) { + *buffer = bp; + *lenremain = remain; + } + } } return(kret); } @@ -493,16 +494,16 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) */ krb5_error_code kg_ctx_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; + krb5_context kcontext; + krb5_pointer *argp; + krb5_octet **buffer; + size_t *lenremain; { - krb5_error_code kret; - krb5_gss_ctx_id_rec *ctx; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; + krb5_error_code kret; + krb5_gss_ctx_id_rec *ctx; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; krb5int_access kaccess; kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); @@ -514,167 +515,167 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; + ibuf = 0; if (ibuf == KG_CONTEXT) { - kret = ENOMEM; - - /* Get a context */ - if ((remain >= (17*sizeof(krb5_int32) - + 2*sizeof(krb5_int64) - + sizeof(ctx->seed))) && - (ctx = (krb5_gss_ctx_id_rec *) - xmalloc(sizeof(krb5_gss_ctx_id_rec)))) { - memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); - - ctx->k5_context = kcontext; - - /* Get static data */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->initiate = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->established = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->big_endian = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->have_acceptor_subkey = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->seed_init = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->gss_flags = (int) ibuf; - (void) krb5_ser_unpack_bytes((krb5_octet *) ctx->seed, - sizeof(ctx->seed), - &bp, &remain); - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->signalg = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->cksum_size = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->sealalg = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->endtime = (krb5_timestamp) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->krb_flags = (krb5_flags) ibuf; - (void) (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_send, &bp, &remain); - kret = (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_recv, &bp, &remain); - if (kret) { - free(ctx); - return kret; - } - - { - krb5_pointer tmp; - kret = kg_oid_internalize(kcontext, &tmp, &bp, - &remain); - if (kret == 0) - ctx->mech_used = tmp; - else if (kret == EINVAL) - kret = 0; - } - /* Now get substructure data */ - if ((kret = krb5_internalize_opaque(kcontext, - KV5M_PRINCIPAL, - (krb5_pointer *) &ctx->here, - &bp, &remain))) { - if (kret == EINVAL) - kret = 0; - } - if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_PRINCIPAL, - (krb5_pointer *) &ctx->there, - &bp, &remain))) { - if (kret == EINVAL) - kret = 0; - } - if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) &ctx->subkey, - &bp, &remain))) { - if (kret == EINVAL) - kret = 0; - } - if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) &ctx->enc, - &bp, &remain))) { - if (kret == EINVAL) - kret = 0; - } - if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) &ctx->seq, - &bp, &remain))) { - if (kret == EINVAL) - kret = 0; - } - - if (!kret) { - kret = kg_queue_internalize(kcontext, &ctx->seqstate, - &bp, &remain); - if (kret == EINVAL) - kret = 0; - } - - if (!kret) - kret = krb5_internalize_opaque(kcontext, - KV5M_CONTEXT, - (krb5_pointer *) &ctx->k5_context, - &bp, &remain); - - if (!kret) - kret = krb5_internalize_opaque(kcontext, - KV5M_AUTH_CONTEXT, - (krb5_pointer *) &ctx->auth_context, - &bp, &remain); - - if (!kret) - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->proto = ibuf; - if (!kret) - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->cksumtype = ibuf; - if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) &ctx->acceptor_subkey, - &bp, &remain))) { - if (kret == EINVAL) - kret = 0; - } - if (!kret) - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->cred_rcache = ibuf; - if (!kret) - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->acceptor_subkey_cksumtype = ibuf; - - /* Get trailer */ - if (!kret) - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - if (!kret && ibuf != KG_CONTEXT) - kret = EINVAL; - - if (!kret) { - *buffer = bp; - *lenremain = remain; - *argp = (krb5_pointer) ctx; - } else { - if (ctx->seq) - krb5_free_keyblock(kcontext, ctx->seq); - if (ctx->enc) - krb5_free_keyblock(kcontext, ctx->enc); - if (ctx->subkey) - krb5_free_keyblock(kcontext, ctx->subkey); - if (ctx->there) - krb5_free_principal(kcontext, ctx->there); - if (ctx->here) - krb5_free_principal(kcontext, ctx->here); - xfree(ctx); - } - } + kret = ENOMEM; + + /* Get a context */ + if ((remain >= (17*sizeof(krb5_int32) + + 2*sizeof(krb5_int64) + + sizeof(ctx->seed))) && + (ctx = (krb5_gss_ctx_id_rec *) + xmalloc(sizeof(krb5_gss_ctx_id_rec)))) { + memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); + + ctx->k5_context = kcontext; + + /* Get static data */ + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->initiate = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->established = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->big_endian = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->have_acceptor_subkey = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->seed_init = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->gss_flags = (int) ibuf; + (void) krb5_ser_unpack_bytes((krb5_octet *) ctx->seed, + sizeof(ctx->seed), + &bp, &remain); + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->signalg = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->cksum_size = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->sealalg = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->endtime = (krb5_timestamp) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->krb_flags = (krb5_flags) ibuf; + (void) (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_send, &bp, &remain); + kret = (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_recv, &bp, &remain); + if (kret) { + free(ctx); + return kret; + } + + { + krb5_pointer tmp; + kret = kg_oid_internalize(kcontext, &tmp, &bp, + &remain); + if (kret == 0) + ctx->mech_used = tmp; + else if (kret == EINVAL) + kret = 0; + } + /* Now get substructure data */ + if ((kret = krb5_internalize_opaque(kcontext, + KV5M_PRINCIPAL, + (krb5_pointer *) &ctx->here, + &bp, &remain))) { + if (kret == EINVAL) + kret = 0; + } + if (!kret && + (kret = krb5_internalize_opaque(kcontext, + KV5M_PRINCIPAL, + (krb5_pointer *) &ctx->there, + &bp, &remain))) { + if (kret == EINVAL) + kret = 0; + } + if (!kret && + (kret = krb5_internalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer *) &ctx->subkey, + &bp, &remain))) { + if (kret == EINVAL) + kret = 0; + } + if (!kret && + (kret = krb5_internalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer *) &ctx->enc, + &bp, &remain))) { + if (kret == EINVAL) + kret = 0; + } + if (!kret && + (kret = krb5_internalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer *) &ctx->seq, + &bp, &remain))) { + if (kret == EINVAL) + kret = 0; + } + + if (!kret) { + kret = kg_queue_internalize(kcontext, &ctx->seqstate, + &bp, &remain); + if (kret == EINVAL) + kret = 0; + } + + if (!kret) + kret = krb5_internalize_opaque(kcontext, + KV5M_CONTEXT, + (krb5_pointer *) &ctx->k5_context, + &bp, &remain); + + if (!kret) + kret = krb5_internalize_opaque(kcontext, + KV5M_AUTH_CONTEXT, + (krb5_pointer *) &ctx->auth_context, + &bp, &remain); + + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->proto = ibuf; + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->cksumtype = ibuf; + if (!kret && + (kret = krb5_internalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer *) &ctx->acceptor_subkey, + &bp, &remain))) { + if (kret == EINVAL) + kret = 0; + } + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->cred_rcache = ibuf; + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->acceptor_subkey_cksumtype = ibuf; + + /* Get trailer */ + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (!kret && ibuf != KG_CONTEXT) + kret = EINVAL; + + if (!kret) { + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) ctx; + } else { + if (ctx->seq) + krb5_free_keyblock(kcontext, ctx->seq); + if (ctx->enc) + krb5_free_keyblock(kcontext, ctx->enc); + if (ctx->subkey) + krb5_free_keyblock(kcontext, ctx->subkey); + if (ctx->there) + krb5_free_principal(kcontext, ctx->there); + if (ctx->here) + krb5_free_principal(kcontext, ctx->here); + xfree(ctx); + } + } } return(kret); } diff --git a/src/lib/gssapi/krb5/set_allowable_enctypes.c b/src/lib/gssapi/krb5/set_allowable_enctypes.c index 396a6f645..e35a153c4 100644 --- a/src/lib/gssapi/krb5/set_allowable_enctypes.c +++ b/src/lib/gssapi/krb5/set_allowable_enctypes.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/set_allowable_enctypes.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -59,10 +60,10 @@ #include "gssapi_krb5.h" OM_uint32 KRB5_CALLCONV -gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, - gss_cred_id_t cred_handle, - OM_uint32 num_ktypes, - krb5_enctype *ktypes) +gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, + gss_cred_id_t cred_handle, + OM_uint32 num_ktypes, + krb5_enctype *ktypes) { unsigned int i; krb5_enctype * new_ktypes; @@ -77,50 +78,50 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, /* verify and valildate cred handle */ if (cred_handle == GSS_C_NO_CREDENTIAL) { - kerr = KRB5_NOCREDS_SUPPLIED; - goto error_out; + kerr = KRB5_NOCREDS_SUPPLIED; + goto error_out; } major_status = krb5_gss_validate_cred(&temp_status, cred_handle); if (GSS_ERROR(major_status)) { - kerr = temp_status; - goto error_out; + kerr = temp_status; + goto error_out; } cred = (krb5_gss_cred_id_t) cred_handle; if (ktypes) { - for (i = 0; i < num_ktypes && ktypes[i]; i++) { - if (!krb5_c_valid_enctype(ktypes[i])) { - kerr = KRB5_PROG_ETYPE_NOSUPP; - goto error_out; - } - } + for (i = 0; i < num_ktypes && ktypes[i]; i++) { + if (!krb5_c_valid_enctype(ktypes[i])) { + kerr = KRB5_PROG_ETYPE_NOSUPP; + goto error_out; + } + } } else { - kerr = k5_mutex_lock(&cred->lock); - if (kerr) - goto error_out; - if (cred->req_enctypes) - free(cred->req_enctypes); - cred->req_enctypes = NULL; - k5_mutex_unlock(&cred->lock); - return GSS_S_COMPLETE; + kerr = k5_mutex_lock(&cred->lock); + if (kerr) + goto error_out; + if (cred->req_enctypes) + free(cred->req_enctypes); + cred->req_enctypes = NULL; + k5_mutex_unlock(&cred->lock); + return GSS_S_COMPLETE; } /* Copy the requested ktypes into the cred structure */ if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * (i + 1)))) { - memcpy(new_ktypes, ktypes, sizeof(krb5_enctype) * i); - new_ktypes[i] = 0; /* "null-terminate" the list */ + memcpy(new_ktypes, ktypes, sizeof(krb5_enctype) * i); + new_ktypes[i] = 0; /* "null-terminate" the list */ } else { - kerr = ENOMEM; - goto error_out; + kerr = ENOMEM; + goto error_out; } kerr = k5_mutex_lock(&cred->lock); if (kerr) { - free(new_ktypes); - goto error_out; + free(new_ktypes); + goto error_out; } if (cred->req_enctypes) - free(cred->req_enctypes); + free(cred->req_enctypes); cred->req_enctypes = new_ktypes; k5_mutex_unlock(&cred->lock); diff --git a/src/lib/gssapi/krb5/set_ccache.c b/src/lib/gssapi/krb5/set_ccache.c index 931058290..2c82cfdfc 100644 --- a/src/lib/gssapi/krb5/set_ccache.c +++ b/src/lib/gssapi/krb5/set_ccache.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/gssapi/krb5/set_ccache.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -31,11 +32,11 @@ #include "gssapiP_krb5.h" #include "gss_libinit.h" -OM_uint32 KRB5_CALLCONV +OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(minor_status, name, out_name) - OM_uint32 *minor_status; - const char *name; - const char **out_name; + OM_uint32 *minor_status; + const char *name; + const char **out_name; { char *old_name = NULL; OM_uint32 err = 0; @@ -44,8 +45,8 @@ gss_krb5_ccache_name(minor_status, name, out_name) err = gssint_initialize_library(); if (err) { - *minor_status = err; - return GSS_S_FAILURE; + *minor_status = err; + return GSS_S_FAILURE; } gss_out_name = k5_getspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME); @@ -59,7 +60,7 @@ gss_krb5_ccache_name(minor_status, name, out_name) if (!err) { old_name = gss_out_name; gss_out_name = tmp_name; - } + } } /* If out_name was NULL, we keep the same gss_out_name value, and don't free up any storage (leave old_name NULL). */ @@ -69,12 +70,12 @@ gss_krb5_ccache_name(minor_status, name, out_name) minor = k5_setspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, gss_out_name); if (minor) { - /* Um. Now what? */ - if (err == 0) { - err = minor; - } - free(gss_out_name); - gss_out_name = NULL; + /* Um. Now what? */ + if (err == 0) { + err = minor; + } + free(gss_out_name); + gss_out_name = NULL; } if (!err) { @@ -82,11 +83,11 @@ gss_krb5_ccache_name(minor_status, name, out_name) *out_name = gss_out_name; } } - + if (old_name != NULL) { free (old_name); } - + *minor_status = err; return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE; } diff --git a/src/lib/gssapi/krb5/sign.c b/src/lib/gssapi/krb5/sign.c index 2d192c9bb..cc09f3228 100644 --- a/src/lib/gssapi/krb5/sign.c +++ b/src/lib/gssapi/krb5/sign.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -28,30 +29,30 @@ OM_uint32 krb5_gss_sign(minor_status, context_handle, - qop_req, message_buffer, - message_token) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - int qop_req; - gss_buffer_t message_buffer; - gss_buffer_t message_token; + qop_req, message_buffer, + message_token) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int qop_req; + gss_buffer_t message_buffer; + gss_buffer_t message_token; { - return(kg_seal(minor_status, context_handle, 0, - qop_req, message_buffer, NULL, - message_token, KG_TOK_SIGN_MSG)); + return(kg_seal(minor_status, context_handle, 0, + qop_req, message_buffer, NULL, + message_token, KG_TOK_SIGN_MSG)); } /* V2 interface */ OM_uint32 krb5_gss_get_mic(minor_status, context_handle, qop_req, - message_buffer, message_token) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_qop_t qop_req; - gss_buffer_t message_buffer; - gss_buffer_t message_token; + message_buffer, message_token) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_qop_t qop_req; + gss_buffer_t message_buffer; + gss_buffer_t message_token; { return(kg_seal(minor_status, context_handle, 0, - (int) qop_req, message_buffer, NULL, - message_token, KG_TOK_MIC_MSG)); + (int) qop_req, message_buffer, NULL, + message_token, KG_TOK_MIC_MSG)); } diff --git a/src/lib/gssapi/krb5/unseal.c b/src/lib/gssapi/krb5/unseal.c index 71dc11048..381df9364 100644 --- a/src/lib/gssapi/krb5/unseal.c +++ b/src/lib/gssapi/krb5/unseal.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -28,39 +29,39 @@ OM_uint32 krb5_gss_unseal(minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t input_message_buffer; - gss_buffer_t output_message_buffer; - int *conf_state; - int *qop_state; + input_message_buffer, output_message_buffer, + conf_state, qop_state) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t input_message_buffer; + gss_buffer_t output_message_buffer; + int *conf_state; + int *qop_state; { - return(kg_unseal(minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, KG_TOK_SEAL_MSG)); + return(kg_unseal(minor_status, context_handle, + input_message_buffer, output_message_buffer, + conf_state, qop_state, KG_TOK_SEAL_MSG)); } /* V2 interface */ OM_uint32 krb5_gss_unwrap(minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t input_message_buffer; - gss_buffer_t output_message_buffer; - int *conf_state; - gss_qop_t *qop_state; + input_message_buffer, output_message_buffer, + conf_state, qop_state) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t input_message_buffer; + gss_buffer_t output_message_buffer; + int *conf_state; + gss_qop_t *qop_state; { - OM_uint32 rstat; - int qstate; + OM_uint32 rstat; + int qstate; rstat = kg_unseal(minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, &qstate, KG_TOK_WRAP_MSG); + input_message_buffer, output_message_buffer, + conf_state, &qstate, KG_TOK_WRAP_MSG); if (!rstat && qop_state) - *qop_state = (gss_qop_t) qstate; + *qop_state = (gss_qop_t) qstate; return(rstat); } diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c index 235d74947..b863572a7 100644 --- a/src/lib/gssapi/krb5/util_cksum.c +++ b/src/lib/gssapi/krb5/util_cksum.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -28,81 +29,81 @@ /* Checksumming the channel bindings always uses plain MD5. */ krb5_error_code kg_checksum_channel_bindings(context, cb, cksum, bigend) - krb5_context context; - gss_channel_bindings_t cb; - krb5_checksum *cksum; - int bigend; + krb5_context context; + gss_channel_bindings_t cb; + krb5_checksum *cksum; + int bigend; { - size_t len; - char *buf = 0; - char *ptr; - size_t sumlen; - krb5_data plaind; - krb5_error_code code; - void *temp; - - /* initialize the the cksum */ - code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen); - if (code) - return(code); - - cksum->checksum_type = CKSUMTYPE_RSA_MD5; - cksum->length = sumlen; - - /* generate a buffer full of zeros if no cb specified */ - - if (cb == GSS_C_NO_CHANNEL_BINDINGS) { - if ((cksum->contents = (krb5_octet *) xmalloc(cksum->length)) == NULL) { - return(ENOMEM); - } - memset(cksum->contents, '\0', cksum->length); - return(0); - } - - /* create the buffer to checksum into */ - - len = (sizeof(krb5_int32)*5+ - cb->initiator_address.length+ - cb->acceptor_address.length+ - cb->application_data.length); - - if ((buf = (char *) xmalloc(len)) == NULL) - return(ENOMEM); - - /* helper macros. This code currently depends on a long being 32 - bits, and htonl dtrt. */ - - ptr = buf; - - TWRITE_INT(ptr, cb->initiator_addrtype, bigend); - TWRITE_BUF(ptr, cb->initiator_address, bigend); - TWRITE_INT(ptr, cb->acceptor_addrtype, bigend); - TWRITE_BUF(ptr, cb->acceptor_address, bigend); - TWRITE_BUF(ptr, cb->application_data, bigend); - - /* checksum the data */ - - plaind.length = len; - plaind.data = buf; - - code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0, - &plaind, cksum); - if (code) - goto cleanup; - - if ((temp = xmalloc(cksum->length)) == NULL) { - krb5_free_checksum_contents(context, cksum); - code = ENOMEM; - goto cleanup; - } - - memcpy(temp, cksum->contents, cksum->length); - krb5_free_checksum_contents(context, cksum); - cksum->contents = (krb5_octet *)temp; - - /* success */ - cleanup: - if (buf) - xfree(buf); - return code; + size_t len; + char *buf = 0; + char *ptr; + size_t sumlen; + krb5_data plaind; + krb5_error_code code; + void *temp; + + /* initialize the the cksum */ + code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen); + if (code) + return(code); + + cksum->checksum_type = CKSUMTYPE_RSA_MD5; + cksum->length = sumlen; + + /* generate a buffer full of zeros if no cb specified */ + + if (cb == GSS_C_NO_CHANNEL_BINDINGS) { + if ((cksum->contents = (krb5_octet *) xmalloc(cksum->length)) == NULL) { + return(ENOMEM); + } + memset(cksum->contents, '\0', cksum->length); + return(0); + } + + /* create the buffer to checksum into */ + + len = (sizeof(krb5_int32)*5+ + cb->initiator_address.length+ + cb->acceptor_address.length+ + cb->application_data.length); + + if ((buf = (char *) xmalloc(len)) == NULL) + return(ENOMEM); + + /* helper macros. This code currently depends on a long being 32 + bits, and htonl dtrt. */ + + ptr = buf; + + TWRITE_INT(ptr, cb->initiator_addrtype, bigend); + TWRITE_BUF(ptr, cb->initiator_address, bigend); + TWRITE_INT(ptr, cb->acceptor_addrtype, bigend); + TWRITE_BUF(ptr, cb->acceptor_address, bigend); + TWRITE_BUF(ptr, cb->application_data, bigend); + + /* checksum the data */ + + plaind.length = len; + plaind.data = buf; + + code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0, + &plaind, cksum); + if (code) + goto cleanup; + + if ((temp = xmalloc(cksum->length)) == NULL) { + krb5_free_checksum_contents(context, cksum); + code = ENOMEM; + goto cleanup; + } + + memcpy(temp, cksum->contents, cksum->length); + krb5_free_checksum_contents(context, cksum); + cksum->contents = (krb5_octet *)temp; + + /* success */ +cleanup: + if (buf) + xfree(buf); + return code; } diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c index dad4b023d..a0d0747e6 100644 --- a/src/lib/gssapi/krb5/util_crypt.c +++ b/src/lib/gssapi/krb5/util_crypt.c @@ -1,7 +1,8 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* - * Copyright2001 by the Massachusetts Institute of Technology. + * Copyright2001 by the Massachusetts Institute of Technology. * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -11,7 +12,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -23,14 +24,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -41,7 +42,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -55,186 +56,185 @@ int kg_confounder_size(context, key) - krb5_context context; - krb5_keyblock *key; + krb5_context context; + krb5_keyblock *key; { - krb5_error_code code; - size_t blocksize; - /* We special case rc4*/ - if (key->enctype == ENCTYPE_ARCFOUR_HMAC) - return 8; - code = krb5_c_block_size(context, key->enctype, &blocksize); - if (code) - return(-1); /* XXX */ - - return(blocksize); + krb5_error_code code; + size_t blocksize; + /* We special case rc4*/ + if (key->enctype == ENCTYPE_ARCFOUR_HMAC) + return 8; + code = krb5_c_block_size(context, key->enctype, &blocksize); + if (code) + return(-1); /* XXX */ + + return(blocksize); } krb5_error_code kg_make_confounder(context, key, buf) - krb5_context context; - krb5_keyblock *key; - unsigned char *buf; + krb5_context context; + krb5_keyblock *key; + unsigned char *buf; { - krb5_error_code code; - size_t blocksize; - krb5_data lrandom; + krb5_error_code code; + size_t blocksize; + krb5_data lrandom; - code = krb5_c_block_size(context, key->enctype, &blocksize); - if (code) - return(code); + code = krb5_c_block_size(context, key->enctype, &blocksize); + if (code) + return(code); - lrandom.length = blocksize; - lrandom.data = buf; + lrandom.length = blocksize; + lrandom.data = buf; - return(krb5_c_random_make_octets(context, &lrandom)); + return(krb5_c_random_make_octets(context, &lrandom)); } krb5_error_code kg_encrypt(context, key, usage, iv, in, out, length) - krb5_context context; - krb5_keyblock *key; - int usage; - krb5_pointer iv; - krb5_const_pointer in; - krb5_pointer out; - unsigned int length; + krb5_context context; + krb5_keyblock *key; + int usage; + krb5_pointer iv; + krb5_const_pointer in; + krb5_pointer out; + unsigned int length; { - krb5_error_code code; - size_t blocksize; - krb5_data ivd, *pivd, inputd; - krb5_enc_data outputd; - - if (iv) { - code = krb5_c_block_size(context, key->enctype, &blocksize); - if (code) - return(code); - - ivd.length = blocksize; - ivd.data = malloc(ivd.length); - if (ivd.data == NULL) - return ENOMEM; - memcpy(ivd.data, iv, ivd.length); - pivd = &ivd; - } else { - pivd = NULL; - } - - inputd.length = length; - inputd.data = in; - - outputd.ciphertext.length = length; - outputd.ciphertext.data = out; - - code = krb5_c_encrypt(context, key, usage, pivd, &inputd, &outputd); - if (pivd != NULL) - free(pivd->data); - return code; + krb5_error_code code; + size_t blocksize; + krb5_data ivd, *pivd, inputd; + krb5_enc_data outputd; + + if (iv) { + code = krb5_c_block_size(context, key->enctype, &blocksize); + if (code) + return(code); + + ivd.length = blocksize; + ivd.data = malloc(ivd.length); + if (ivd.data == NULL) + return ENOMEM; + memcpy(ivd.data, iv, ivd.length); + pivd = &ivd; + } else { + pivd = NULL; + } + + inputd.length = length; + inputd.data = in; + + outputd.ciphertext.length = length; + outputd.ciphertext.data = out; + + code = krb5_c_encrypt(context, key, usage, pivd, &inputd, &outputd); + if (pivd != NULL) + free(pivd->data); + return code; } /* length is the length of the cleartext. */ krb5_error_code kg_decrypt(context, key, usage, iv, in, out, length) - krb5_context context; - krb5_keyblock *key; - int usage; - krb5_pointer iv; - krb5_const_pointer in; - krb5_pointer out; - unsigned int length; + krb5_context context; + krb5_keyblock *key; + int usage; + krb5_pointer iv; + krb5_const_pointer in; + krb5_pointer out; + unsigned int length; { - krb5_error_code code; - size_t blocksize; - krb5_data ivd, *pivd, outputd; - krb5_enc_data inputd; - - if (iv) { - code = krb5_c_block_size(context, key->enctype, &blocksize); - if (code) - return(code); - - ivd.length = blocksize; - ivd.data = malloc(ivd.length); - if (ivd.data == NULL) - return ENOMEM; - memcpy(ivd.data, iv, ivd.length); - pivd = &ivd; - } else { - pivd = NULL; - } - - inputd.enctype = ENCTYPE_UNKNOWN; - inputd.ciphertext.length = length; - inputd.ciphertext.data = in; - - outputd.length = length; - outputd.data = out; - - code = krb5_c_decrypt(context, key, usage, pivd, &inputd, &outputd); - if (pivd != NULL) - free(pivd->data); - return code; + krb5_error_code code; + size_t blocksize; + krb5_data ivd, *pivd, outputd; + krb5_enc_data inputd; + + if (iv) { + code = krb5_c_block_size(context, key->enctype, &blocksize); + if (code) + return(code); + + ivd.length = blocksize; + ivd.data = malloc(ivd.length); + if (ivd.data == NULL) + return ENOMEM; + memcpy(ivd.data, iv, ivd.length); + pivd = &ivd; + } else { + pivd = NULL; + } + + inputd.enctype = ENCTYPE_UNKNOWN; + inputd.ciphertext.length = length; + inputd.ciphertext.data = in; + + outputd.length = length; + outputd.data = out; + + code = krb5_c_decrypt(context, key, usage, pivd, &inputd, &outputd); + if (pivd != NULL) + free(pivd->data); + return code; } krb5_error_code kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage, - const unsigned char *kd_data, size_t kd_data_len, - const unsigned char *input_buf, size_t input_len, - unsigned char *output_buf) + const unsigned char *kd_data, size_t kd_data_len, + const unsigned char *input_buf, size_t input_len, + unsigned char *output_buf) { - krb5_error_code code; - krb5_data input, output; - krb5int_access kaccess; - krb5_keyblock seq_enc_key, usage_key; - unsigned char t[4]; - - usage_key.length = longterm_key->length; - usage_key.contents = malloc(usage_key.length); - if (usage_key.contents == NULL) - return (ENOMEM); - seq_enc_key.length = longterm_key->length; - seq_enc_key.contents = malloc(seq_enc_key.length); - if (seq_enc_key.contents == NULL) { + krb5_error_code code; + krb5_data input, output; + krb5int_access kaccess; + krb5_keyblock seq_enc_key, usage_key; + unsigned char t[4]; + + usage_key.length = longterm_key->length; + usage_key.contents = malloc(usage_key.length); + if (usage_key.contents == NULL) + return (ENOMEM); + seq_enc_key.length = longterm_key->length; + seq_enc_key.contents = malloc(seq_enc_key.length); + if (seq_enc_key.contents == NULL) { + free ((void *) usage_key.contents); + return (ENOMEM); + } + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) + goto cleanup_arcfour; + + t[0] = ms_usage &0xff; + t[1] = (ms_usage>>8) & 0xff; + t[2] = (ms_usage>>16) & 0xff; + t[3] = (ms_usage>>24) & 0xff; + input.data = (void *) &t; + input.length = 4; + output.data = (void *) usage_key.contents; + output.length = usage_key.length; + code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider, + longterm_key, 1, &input, &output); + if (code) + goto cleanup_arcfour; + + input.data = ( void *) kd_data; + input.length = kd_data_len; + output.data = (void *) seq_enc_key.contents; + code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider, + &usage_key, 1, &input, &output); + if (code) + goto cleanup_arcfour; + input.data = ( void * ) input_buf; + input.length = input_len; + output.data = (void * ) output_buf; + output.length = input_len; + code = ((*kaccess.arcfour_enc_provider->encrypt)( + &seq_enc_key, 0, + &input, &output)); +cleanup_arcfour: + memset ((void *) seq_enc_key.contents, 0, seq_enc_key.length); + memset ((void *) usage_key.contents, 0, usage_key.length); free ((void *) usage_key.contents); - return (ENOMEM); - } - code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); - if (code) - goto cleanup_arcfour; - - t[0] = ms_usage &0xff; - t[1] = (ms_usage>>8) & 0xff; - t[2] = (ms_usage>>16) & 0xff; - t[3] = (ms_usage>>24) & 0xff; - input.data = (void *) &t; - input.length = 4; - output.data = (void *) usage_key.contents; - output.length = usage_key.length; - code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider, - longterm_key, 1, &input, &output); - if (code) - goto cleanup_arcfour; - - input.data = ( void *) kd_data; - input.length = kd_data_len; - output.data = (void *) seq_enc_key.contents; - code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider, - &usage_key, 1, &input, &output); - if (code) - goto cleanup_arcfour; - input.data = ( void * ) input_buf; - input.length = input_len; - output.data = (void * ) output_buf; - output.length = input_len; - code = ((*kaccess.arcfour_enc_provider->encrypt)( - &seq_enc_key, 0, - &input, &output)); - cleanup_arcfour: - memset ((void *) seq_enc_key.contents, 0, seq_enc_key.length); - memset ((void *) usage_key.contents, 0, usage_key.length); - free ((void *) usage_key.contents); - free ((void *) seq_enc_key.contents); - return (code); + free ((void *) seq_enc_key.contents); + return (code); } - diff --git a/src/lib/gssapi/krb5/util_seed.c b/src/lib/gssapi/krb5/util_seed.c index 06a5c2aa9..17d49a587 100644 --- a/src/lib/gssapi/krb5/util_seed.c +++ b/src/lib/gssapi/krb5/util_seed.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -29,26 +30,26 @@ static const unsigned char zeros[16] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0}; krb5_error_code kg_make_seed(context, key, seed) - krb5_context context; - krb5_keyblock *key; - unsigned char *seed; + krb5_context context; + krb5_keyblock *key; + unsigned char *seed; { - krb5_error_code code; - krb5_keyblock *tmpkey; - unsigned int i; + krb5_error_code code; + krb5_keyblock *tmpkey; + unsigned int i; - code = krb5_copy_keyblock(context, key, &tmpkey); - if (code) - return(code); + code = krb5_copy_keyblock(context, key, &tmpkey); + if (code) + return(code); - /* reverse the key bytes, as per spec */ + /* reverse the key bytes, as per spec */ - for (i=0; i<tmpkey->length; i++) - tmpkey->contents[i] = key->contents[key->length - 1 - i]; + for (i=0; i<tmpkey->length; i++) + tmpkey->contents[i] = key->contents[key->length - 1 - i]; - code = kg_encrypt(context, tmpkey, KG_USAGE_SEAL, NULL, zeros, seed, 16); + code = kg_encrypt(context, tmpkey, KG_USAGE_SEAL, NULL, zeros, seed, 16); - krb5_free_keyblock(context, tmpkey); + krb5_free_keyblock(context, tmpkey); - return(code); + return(code); } diff --git a/src/lib/gssapi/krb5/util_seqnum.c b/src/lib/gssapi/krb5/util_seqnum.c index ec7da5567..3469e63ed 100644 --- a/src/lib/gssapi/krb5/util_seqnum.c +++ b/src/lib/gssapi/krb5/util_seqnum.c @@ -1,7 +1,8 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* - * Copyright2001 by the Massachusetts Institute of Technology. + * Copyright2001 by the Massachusetts Institute of Technology. * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -11,7 +12,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -30,76 +31,76 @@ krb5_error_code kg_make_seq_num(context, key, direction, seqnum, cksum, buf) - krb5_context context; - krb5_keyblock *key; - int direction; - krb5_ui_4 seqnum; - unsigned char *cksum; - unsigned char *buf; + krb5_context context; + krb5_keyblock *key; + int direction; + krb5_ui_4 seqnum; + unsigned char *cksum; + unsigned char *buf; { - unsigned char plain[8]; + unsigned char plain[8]; - plain[4] = direction; - plain[5] = direction; - plain[6] = direction; - plain[7] = direction; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC ) { - /* Yes, Microsoft used big-endian sequence number.*/ - plain[0] = (seqnum>>24) & 0xff; - plain[1] = (seqnum>>16) & 0xff; - plain[2] = (seqnum>>8) & 0xff; - plain[3] = seqnum & 0xff; - return kg_arcfour_docrypt (key, 0, - cksum, 8, - &plain[0], 8, - buf); - - } - - plain[0] = (unsigned char) (seqnum&0xff); - plain[1] = (unsigned char) ((seqnum>>8)&0xff); - plain[2] = (unsigned char) ((seqnum>>16)&0xff); - plain[3] = (unsigned char) ((seqnum>>24)&0xff); + plain[4] = direction; + plain[5] = direction; + plain[6] = direction; + plain[7] = direction; + if (key->enctype == ENCTYPE_ARCFOUR_HMAC ) { + /* Yes, Microsoft used big-endian sequence number.*/ + plain[0] = (seqnum>>24) & 0xff; + plain[1] = (seqnum>>16) & 0xff; + plain[2] = (seqnum>>8) & 0xff; + plain[3] = seqnum & 0xff; + return kg_arcfour_docrypt (key, 0, + cksum, 8, + &plain[0], 8, + buf); - return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, plain, buf, 8)); + } + + plain[0] = (unsigned char) (seqnum&0xff); + plain[1] = (unsigned char) ((seqnum>>8)&0xff); + plain[2] = (unsigned char) ((seqnum>>16)&0xff); + plain[3] = (unsigned char) ((seqnum>>24)&0xff); + + return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, plain, buf, 8)); } krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum) - krb5_context context; - krb5_keyblock *key; - unsigned char *cksum; - unsigned char *buf; - int *direction; - krb5_ui_4 *seqnum; + krb5_context context; + krb5_keyblock *key; + unsigned char *cksum; + unsigned char *buf; + int *direction; + krb5_ui_4 *seqnum; { - krb5_error_code code; - unsigned char plain[8]; + krb5_error_code code; + unsigned char plain[8]; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC) { - code = kg_arcfour_docrypt (key, 0, - cksum, 8, - buf, 8, - plain); - } else { - code = kg_decrypt(context, key, KG_USAGE_SEQ, cksum, buf, plain, 8); - } - if (code) - return(code); + if (key->enctype == ENCTYPE_ARCFOUR_HMAC) { + code = kg_arcfour_docrypt (key, 0, + cksum, 8, + buf, 8, + plain); + } else { + code = kg_decrypt(context, key, KG_USAGE_SEQ, cksum, buf, plain, 8); + } + if (code) + return(code); - if ((plain[4] != plain[5]) || - (plain[4] != plain[6]) || - (plain[4] != plain[7])) - return((krb5_error_code) KG_BAD_SEQ); + if ((plain[4] != plain[5]) || + (plain[4] != plain[6]) || + (plain[4] != plain[7])) + return((krb5_error_code) KG_BAD_SEQ); - *direction = plain[4]; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC) { - *seqnum = (plain[3]|(plain[2]<<8) | (plain[1]<<16)| (plain[0]<<24)); - } else { - *seqnum = ((plain[0]) | - (plain[1]<<8) | - (plain[2]<<16) | - (plain[3]<<24)); - } + *direction = plain[4]; + if (key->enctype == ENCTYPE_ARCFOUR_HMAC) { + *seqnum = (plain[3]|(plain[2]<<8) | (plain[1]<<16)| (plain[0]<<24)); + } else { + *seqnum = ((plain[0]) | + (plain[1]<<8) | + (plain[2]<<16) | + (plain[3]<<24)); + } - return(0); + return(0); } diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c index fb0f15c9d..dd82d5341 100644 --- a/src/lib/gssapi/krb5/val_cred.c +++ b/src/lib/gssapi/krb5/val_cred.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1997, 2007 by Massachusetts Institute of Technology * All Rights Reserved. @@ -6,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,7 +21,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ #include "gssapiP_krb5.h" @@ -32,37 +33,37 @@ OM_uint32 krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle, - krb5_context context) + krb5_context context) { krb5_gss_cred_id_t cred; krb5_error_code code; krb5_principal princ; if (!kg_validate_cred_id(cred_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL); } cred = (krb5_gss_cred_id_t) cred_handle; code = k5_mutex_lock(&cred->lock); if (code) { - *minor_status = code; - return GSS_S_FAILURE; + *minor_status = code; + return GSS_S_FAILURE; } if (cred->ccache) { - if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) { - k5_mutex_unlock(&cred->lock); - *minor_status = code; - return(GSS_S_DEFECTIVE_CREDENTIAL); - } - if (!krb5_principal_compare(context, princ, cred->princ)) { - k5_mutex_unlock(&cred->lock); - *minor_status = KG_CCACHE_NOMATCH; - return(GSS_S_DEFECTIVE_CREDENTIAL); - } - (void)krb5_free_principal(context, princ); + if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) { + k5_mutex_unlock(&cred->lock); + *minor_status = code; + return(GSS_S_DEFECTIVE_CREDENTIAL); + } + if (!krb5_principal_compare(context, princ, cred->princ)) { + k5_mutex_unlock(&cred->lock); + *minor_status = KG_CCACHE_NOMATCH; + return(GSS_S_DEFECTIVE_CREDENTIAL); + } + (void)krb5_free_principal(context, princ); } *minor_status = 0; return GSS_S_COMPLETE; @@ -70,8 +71,8 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle, OM_uint32 krb5_gss_validate_cred(minor_status, cred_handle) - OM_uint32 *minor_status; - gss_cred_id_t cred_handle; + OM_uint32 *minor_status; + gss_cred_id_t cred_handle; { krb5_context context; krb5_error_code code; @@ -79,21 +80,17 @@ krb5_gss_validate_cred(minor_status, cred_handle) code = krb5_gss_init_context(&context); if (code) { - *minor_status = code; - return GSS_S_FAILURE; + *minor_status = code; + return GSS_S_FAILURE; } maj = krb5_gss_validate_cred_1(minor_status, cred_handle, context); if (maj == 0) { - krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t) cred_handle; - k5_mutex_assert_locked(&cred->lock); - k5_mutex_unlock(&cred->lock); + krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t) cred_handle; + k5_mutex_assert_locked(&cred->lock); + k5_mutex_unlock(&cred->lock); } save_error_info(*minor_status, context); krb5_free_context(context); return maj; } - - - - diff --git a/src/lib/gssapi/krb5/verify.c b/src/lib/gssapi/krb5/verify.c index 833697b19..4906ef38a 100644 --- a/src/lib/gssapi/krb5/verify.c +++ b/src/lib/gssapi/krb5/verify.c @@ -1,6 +1,7 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -10,7 +11,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -28,37 +29,37 @@ OM_uint32 krb5_gss_verify(minor_status, context_handle, - message_buffer, token_buffer, - qop_state) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t message_buffer; - gss_buffer_t token_buffer; - int *qop_state; + message_buffer, token_buffer, + qop_state) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t message_buffer; + gss_buffer_t token_buffer; + int *qop_state; { - return(kg_unseal(minor_status, context_handle, - token_buffer, message_buffer, - NULL, qop_state, KG_TOK_SIGN_MSG)); + return(kg_unseal(minor_status, context_handle, + token_buffer, message_buffer, + NULL, qop_state, KG_TOK_SIGN_MSG)); } /* V2 interface */ OM_uint32 krb5_gss_verify_mic(minor_status, context_handle, - message_buffer, token_buffer, - qop_state) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t message_buffer; - gss_buffer_t token_buffer; - gss_qop_t *qop_state; + message_buffer, token_buffer, + qop_state) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + gss_buffer_t message_buffer; + gss_buffer_t token_buffer; + gss_qop_t *qop_state; { - OM_uint32 rstat; - int qstate; + OM_uint32 rstat; + int qstate; rstat = kg_unseal(minor_status, context_handle, - token_buffer, message_buffer, - NULL, &qstate, KG_TOK_MIC_MSG); + token_buffer, message_buffer, + NULL, &qstate, KG_TOK_MIC_MSG); if (!rstat && qop_state) - *qop_state = (gss_qop_t) qstate; + *qop_state = (gss_qop_t) qstate; return(rstat); } diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c index b875a965a..f24004710 100644 --- a/src/lib/gssapi/krb5/wrap_size_limit.c +++ b/src/lib/gssapi/krb5/wrap_size_limit.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 2000 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -6,7 +7,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -20,11 +21,11 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ /* * Copyright 1993 by OpenVision Technologies, Inc. - * + * * Permission to use, copy, modify, distribute, and sell this software * and its documentation for any purpose is hereby granted without fee, * provided that the above copyright notice appears in all copies and @@ -34,7 +35,7 @@ * without specific, written prior permission. OpenVision makes no * representations about the suitability of this software for any * purpose. It is provided "as is" without express or implied warranty. - * + * * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR @@ -46,14 +47,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -64,7 +65,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -75,69 +76,69 @@ /* V2 interface */ OM_uint32 krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, - qop_req, req_output_size, max_input_size) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - int conf_req_flag; - gss_qop_t qop_req; - OM_uint32 req_output_size; - OM_uint32 *max_input_size; + qop_req, req_output_size, max_input_size) + OM_uint32 *minor_status; + gss_ctx_id_t context_handle; + int conf_req_flag; + gss_qop_t qop_req; + OM_uint32 req_output_size; + OM_uint32 *max_input_size; { - krb5_gss_ctx_id_rec *ctx; - OM_uint32 data_size, conflen; - OM_uint32 ohlen; - int overhead; + krb5_gss_ctx_id_rec *ctx; + OM_uint32 data_size, conflen; + OM_uint32 ohlen; + int overhead; /* only default qop is allowed */ if (qop_req != GSS_C_QOP_DEFAULT) { - *minor_status = (OM_uint32) G_UNKNOWN_QOP; - return(GSS_S_FAILURE); + *minor_status = (OM_uint32) G_UNKNOWN_QOP; + return(GSS_S_FAILURE); } - + /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); } - + ctx = (krb5_gss_ctx_id_rec *) context_handle; if (! ctx->established) { - *minor_status = KG_CTX_INCOMPLETE; - return(GSS_S_NO_CONTEXT); + *minor_status = KG_CTX_INCOMPLETE; + return(GSS_S_NO_CONTEXT); } if (ctx->proto == 1) { - /* No pseudo-ASN.1 wrapper overhead, so no sequence length and - OID. */ - OM_uint32 sz = req_output_size; - /* Token header: 16 octets. */ - if (conf_req_flag) { - while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size) - sz--; - /* Allow for encrypted copy of header. */ - if (sz > 16) - sz -= 16; - else - sz = 0; + /* No pseudo-ASN.1 wrapper overhead, so no sequence length and + OID. */ + OM_uint32 sz = req_output_size; + /* Token header: 16 octets. */ + if (conf_req_flag) { + while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size) + sz--; + /* Allow for encrypted copy of header. */ + if (sz > 16) + sz -= 16; + else + sz = 0; #ifdef CFX_EXERCISE - /* Allow for EC padding. In the MIT implementation, only - added while testing. */ - if (sz > 65535) - sz -= 65535; - else - sz = 0; + /* Allow for EC padding. In the MIT implementation, only + added while testing. */ + if (sz > 65535) + sz -= 65535; + else + sz = 0; #endif - } else { - /* Allow for token header and checksum. */ - if (sz < 16 + ctx->cksum_size) - sz = 0; - else - sz -= (16 + ctx->cksum_size); - } + } else { + /* Allow for token header and checksum. */ + if (sz < 16 + ctx->cksum_size) + sz = 0; + else + sz -= (16 + ctx->cksum_size); + } - *max_input_size = sz; - *minor_status = 0; - return GSS_S_COMPLETE; + *max_input_size = sz; + *minor_status = 0; + return GSS_S_COMPLETE; } /* Calculate the token size and subtract that from the output size */ @@ -146,17 +147,17 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, conflen = kg_confounder_size(ctx->k5_context, ctx->enc); data_size = (conflen + data_size + 8) & (~(OM_uint32)7); ohlen = g_token_size(ctx->mech_used, - (unsigned int) (data_size + ctx->cksum_size + 14)) - - req_output_size; + (unsigned int) (data_size + ctx->cksum_size + 14)) + - req_output_size; if (ohlen+overhead < req_output_size) - /* - * Cannot have trailer length that will cause us to pad over our - * length. - */ - *max_input_size = (req_output_size - ohlen - overhead) & (~(OM_uint32)7); + /* + * Cannot have trailer length that will cause us to pad over our + * length. + */ + *max_input_size = (req_output_size - ohlen - overhead) & (~(OM_uint32)7); else - *max_input_size = 0; + *max_input_size = 0; *minor_status = 0; return(GSS_S_COMPLETE); |