c0b9f4fe65
similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
254 lines
8.8 KiB
C
254 lines
8.8 KiB
C
/*-
|
|
* Copyright (c) 2005 Doug Rabson
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#include <gssapi/gssapi.h>
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
|
|
#include "mech_switch.h"
|
|
#include "name.h"
|
|
|
|
/*
|
|
* The implementation must reserve static storage for a
|
|
* gss_OID_desc object containing the value
|
|
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
|
|
* "\x01\x02\x01\x01"},
|
|
* corresponding to an object-identifier value of
|
|
* {iso(1) member-body(2) United States(840) mit(113554)
|
|
* infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
|
|
* GSS_C_NT_USER_NAME should be initialized to point
|
|
* to that gss_OID_desc.
|
|
*/
|
|
static gss_OID_desc GSS_C_NT_USER_NAME_storage =
|
|
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"};
|
|
gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage;
|
|
|
|
/*
|
|
* The implementation must reserve static storage for a
|
|
* gss_OID_desc object containing the value
|
|
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
|
|
* "\x01\x02\x01\x02"},
|
|
* corresponding to an object-identifier value of
|
|
* {iso(1) member-body(2) United States(840) mit(113554)
|
|
* infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
|
|
* The constant GSS_C_NT_MACHINE_UID_NAME should be
|
|
* initialized to point to that gss_OID_desc.
|
|
*/
|
|
static gss_OID_desc GSS_C_NT_MACHINE_UID_NAME_storage =
|
|
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"};
|
|
gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage;
|
|
|
|
/*
|
|
* The implementation must reserve static storage for a
|
|
* gss_OID_desc object containing the value
|
|
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
|
|
* "\x01\x02\x01\x03"},
|
|
* corresponding to an object-identifier value of
|
|
* {iso(1) member-body(2) United States(840) mit(113554)
|
|
* infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
|
|
* The constant GSS_C_NT_STRING_UID_NAME should be
|
|
* initialized to point to that gss_OID_desc.
|
|
*/
|
|
static gss_OID_desc GSS_C_NT_STRING_UID_NAME_storage =
|
|
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"};
|
|
gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage;
|
|
|
|
/*
|
|
* The implementation must reserve static storage for a
|
|
* gss_OID_desc object containing the value
|
|
* {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
|
|
* corresponding to an object-identifier value of
|
|
* {iso(1) org(3) dod(6) internet(1) security(5)
|
|
* nametypes(6) gss-host-based-services(2)). The constant
|
|
* GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
|
|
* to that gss_OID_desc. This is a deprecated OID value, and
|
|
* implementations wishing to support hostbased-service names
|
|
* should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
|
|
* defined below, to identify such names;
|
|
* GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
|
|
* for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
|
|
* parameter, but should not be emitted by GSS-API
|
|
* implementations
|
|
*/
|
|
static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X_storage =
|
|
{6, (void *)"\x2b\x06\x01\x05\x06\x02"};
|
|
gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_storage;
|
|
|
|
/*
|
|
* The implementation must reserve static storage for a
|
|
* gss_OID_desc object containing the value
|
|
* {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
|
|
* "\x01\x02\x01\x04"}, corresponding to an
|
|
* object-identifier value of {iso(1) member-body(2)
|
|
* Unites States(840) mit(113554) infosys(1) gssapi(2)
|
|
* generic(1) service_name(4)}. The constant
|
|
* GSS_C_NT_HOSTBASED_SERVICE should be initialized
|
|
* to point to that gss_OID_desc.
|
|
*/
|
|
static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_storage =
|
|
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"};
|
|
gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_storage;
|
|
|
|
/*
|
|
* The implementation must reserve static storage for a
|
|
* gss_OID_desc object containing the value
|
|
* {6, (void *)"\x2b\x06\01\x05\x06\x03"},
|
|
* corresponding to an object identifier value of
|
|
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
|
|
* 6(nametypes), 3(gss-anonymous-name)}. The constant
|
|
* and GSS_C_NT_ANONYMOUS should be initialized to point
|
|
* to that gss_OID_desc.
|
|
*/
|
|
static gss_OID_desc GSS_C_NT_ANONYMOUS_storage =
|
|
{6, (void *)"\x2b\x06\01\x05\x06\x03"};
|
|
gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_storage;
|
|
|
|
/*
|
|
* The implementation must reserve static storage for a
|
|
* gss_OID_desc object containing the value
|
|
* {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
|
|
* corresponding to an object-identifier value of
|
|
* {1(iso), 3(org), 6(dod), 1(internet), 5(security),
|
|
* 6(nametypes), 4(gss-api-exported-name)}. The constant
|
|
* GSS_C_NT_EXPORT_NAME should be initialized to point
|
|
* to that gss_OID_desc.
|
|
*/
|
|
static gss_OID_desc GSS_C_NT_EXPORT_NAME_storage =
|
|
{6, (void *)"\x2b\x06\x01\x05\x06\x04"};
|
|
gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_storage;
|
|
|
|
/*
|
|
* This name form shall be represented by the Object Identifier {iso(1)
|
|
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
|
|
* krb5(2) krb5_name(1)}. The recommended symbolic name for this type
|
|
* is "GSS_KRB5_NT_PRINCIPAL_NAME".
|
|
*/
|
|
static gss_OID_desc GSS_KRB5_NT_PRINCIPAL_NAME_storage =
|
|
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"};
|
|
gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &GSS_KRB5_NT_PRINCIPAL_NAME_storage;
|
|
|
|
/*
|
|
* This name form shall be represented by the Object Identifier {iso(1)
|
|
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
|
|
* generic(1) user_name(1)}. The recommended symbolic name for this
|
|
* type is "GSS_KRB5_NT_USER_NAME".
|
|
*/
|
|
gss_OID GSS_KRB5_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage;
|
|
|
|
/*
|
|
* This name form shall be represented by the Object Identifier {iso(1)
|
|
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
|
|
* generic(1) machine_uid_name(2)}. The recommended symbolic name for
|
|
* this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
|
|
*/
|
|
gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage;
|
|
|
|
/*
|
|
* This name form shall be represented by the Object Identifier {iso(1)
|
|
* member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
|
|
* generic(1) string_uid_name(3)}. The recommended symbolic name for
|
|
* this type is "GSS_KRB5_NT_STRING_UID_NAME".
|
|
*/
|
|
gss_OID GSS_KRB5_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage;
|
|
|
|
struct _gss_mechanism_name *
|
|
_gss_find_mn(struct _gss_name *name, gss_OID mech)
|
|
{
|
|
OM_uint32 major_status, minor_status;
|
|
struct _gss_mech_switch *m;
|
|
struct _gss_mechanism_name *mn;
|
|
|
|
SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
|
|
if (_gss_oid_equal(mech, mn->gmn_mech_oid))
|
|
break;
|
|
}
|
|
|
|
if (!mn) {
|
|
/*
|
|
* If this name is canonical (i.e. there is only an
|
|
* MN but it is from a different mech), give up now.
|
|
*/
|
|
if (!name->gn_value.value)
|
|
return (0);
|
|
|
|
m = _gss_find_mech_switch(mech);
|
|
if (!m)
|
|
return (0);
|
|
|
|
mn = malloc(sizeof(struct _gss_mechanism_name));
|
|
if (!mn)
|
|
return (0);
|
|
|
|
major_status = m->gm_import_name(&minor_status,
|
|
&name->gn_value,
|
|
(name->gn_type.elements
|
|
? &name->gn_type : GSS_C_NO_OID),
|
|
&mn->gmn_name);
|
|
if (major_status) {
|
|
free(mn);
|
|
return (0);
|
|
}
|
|
|
|
mn->gmn_mech = m;
|
|
mn->gmn_mech_oid = &m->gm_mech_oid;
|
|
SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
|
|
}
|
|
return (mn);
|
|
}
|
|
|
|
/*
|
|
* Make a name from an MN.
|
|
*/
|
|
struct _gss_name *
|
|
_gss_make_name(struct _gss_mech_switch *m, gss_name_t new_mn)
|
|
{
|
|
OM_uint32 minor_status;
|
|
struct _gss_name *name;
|
|
struct _gss_mechanism_name *mn;
|
|
|
|
name = malloc(sizeof(struct _gss_name));
|
|
if (!name)
|
|
return (0);
|
|
memset(name, 0, sizeof(struct _gss_name));
|
|
|
|
mn = malloc(sizeof(struct _gss_mechanism_name));
|
|
if (!mn) {
|
|
free(name);
|
|
return (0);
|
|
}
|
|
|
|
SLIST_INIT(&name->gn_mn);
|
|
mn->gmn_mech = m;
|
|
mn->gmn_mech_oid = &m->gm_mech_oid;
|
|
mn->gmn_name = new_mn;
|
|
SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
|
|
|
|
return (name);
|
|
}
|
|
|