diff --git a/Makefile.inc1 b/Makefile.inc1 index 5997fec1598b..24206874635a 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -1036,7 +1036,8 @@ _startup_libs+= lib/libc gnu/lib/libgcc__L: lib/libc__L _prebuild_libs= ${_kerberos5_lib_libasn1} ${_kerberos5_lib_libkrb5} \ - ${_kerberos5_lib_libroken} \ + ${_kerberos5_lib_libhx509} ${_kerberos5_lib_libroken} \ + ${_kerberos5_lib_libheimntlm} ${_kerberos5_lib_libgssapi_krb5} \ lib/libbz2 lib/libcom_err lib/libcrypt lib/libexpat \ ${_lib_libgssapi} ${_lib_libipx} \ lib/libkiconv lib/libkvm lib/libmd \ @@ -1068,9 +1069,11 @@ lib/libradius__L secure/lib/libssl__L: secure/lib/libcrypto__L _secure_lib_libssh= secure/lib/libssh secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L .if ${MK_KERBEROS} != "no" -secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \ - kerberos5/lib/libasn1__L lib/libcom_err__L lib/libmd__L \ - kerberos5/lib/libroken__L +kerberos5/lib/libgssapi_krb5__L: kerberos5/lib/libkrb5__L \ + kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \ + lib/libmd__L kerberos5/lib/libroken__L secure/lib/libcrypto__L \ + lib/libcrypt__L +secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libgssapi_krb5__L .endif .endif .endif @@ -1085,7 +1088,10 @@ _lib_libipx= lib/libipx _kerberos5_lib= kerberos5/lib _kerberos5_lib_libasn1= kerberos5/lib/libasn1 _kerberos5_lib_libkrb5= kerberos5/lib/libkrb5 +_kerberos5_lib_libhx509= kerberos5/lib/libhx509 _kerberos5_lib_libroken= kerberos5/lib/libroken +_kerberos5_lib_libheimntlm= kerberos5/lib/libheimntlm +_kerberos5_lib_libgssapi_krb5= kerberos5/lib/libgssapi_krb5 _lib_libgssapi= lib/libgssapi .endif diff --git a/crypto/heimdal/FREEBSD-Xlist b/crypto/heimdal/FREEBSD-Xlist index 669591896990..e0f0e3bae980 100644 --- a/crypto/heimdal/FREEBSD-Xlist +++ b/crypto/heimdal/FREEBSD-Xlist @@ -12,3 +12,6 @@ lib/des lib/editline lib/kdfs lib/otp +lib/gssapi/mech +lib/hcrypto +ylwrap 
diff --git a/crypto/heimdal/acinclude.m4 b/crypto/heimdal/acinclude.m4 new file mode 100644 index 000000000000..3133232a5167 --- /dev/null +++ b/crypto/heimdal/acinclude.m4 @@ -0,0 +1,10 @@ +dnl $Id: acinclude.m4 13337 2004-02-12 14:19:16Z lha $ +dnl $FreeBSD$ +dnl +dnl Only put things that for some reason can't live in the `cf' +dnl directory in this file. +dnl + +dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $ +dnl +m4_define([upcase],`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl diff --git a/crypto/heimdal/admin/ktutil_locl.h b/crypto/heimdal/admin/ktutil_locl.h index cf6a6f3548da..c2d5e88e532c 100644 --- a/crypto/heimdal/admin/ktutil_locl.h +++ b/crypto/heimdal/admin/ktutil_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ /* - * $Id: ktutil_locl.h,v 1.18 2002/09/10 20:03:45 joda Exp $ + * $Id: ktutil_locl.h 14799 2005-04-15 05:02:39Z lha $ * $FreeBSD$ */ @@ -62,6 +62,7 @@ #include #include +#include extern krb5_context context; @@ -70,15 +71,6 @@ extern char *keytab_string; krb5_keytab ktutil_open_keytab(void); -int kt_add (int argc, char **argv); -int kt_change (int argc, char **argv); -int kt_copy (int argc, char **argv); -int kt_get (int argc, char **argv); -int kt_list(int argc, char **argv); -int kt_purge(int argc, char **argv); -int kt_remove(int argc, char **argv); -int kt_rename(int argc, char **argv); -int srvconv(int argc, char **argv); -int srvcreate(int argc, char **argv); +#include "ktutil-commands.h" #endif /* __KTUTIL_LOCL_H__ */ diff --git a/crypto/heimdal/appl/ftp/ftp/ftp_locl.h b/crypto/heimdal/appl/ftp/ftp/ftp_locl.h index f371ca1e1edf..25362c04d2c5 100644 --- a/crypto/heimdal/appl/ftp/ftp/ftp_locl.h +++ b/crypto/heimdal/appl/ftp/ftp/ftp_locl.h 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: ftp_locl.h,v 1.37 2002/09/10 20:03:46 joda Exp $ */ +/* $Id: ftp_locl.h 11444 2002-09-10 20:03:49Z joda $ */ /* $FreeBSD$ */ #ifndef __FTP_LOCL_H__ diff --git a/crypto/heimdal/appl/su/Makefile.am b/crypto/heimdal/appl/su/Makefile.am index 357152e7cedc..6bb584f68123 100644 --- a/crypto/heimdal/appl/su/Makefile.am +++ b/crypto/heimdal/appl/su/Makefile.am @@ -1,17 +1,20 @@ -# $Id: Makefile.am,v 1.7 2001/08/28 08:31:22 assar Exp $ +# $Id: Makefile.am 21986 2007-10-19 05:22:57Z lha $ # $FreeBSD$ include $(top_srcdir)/Makefile.am.common -INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des) +AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hcrypto) bin_PROGRAMS = su bin_SUIDS = su -su_SOURCES = su.c +su_SOURCES = su.c supaths.h +man_MANS = su.1 LDADD = $(LIB_kafs) \ $(top_builddir)/lib/krb5/libkrb5.la \ $(LIB_krb4) \ - $(LIB_des) \ + $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken) + +EXTRA_DIST = $(man_MANS) diff --git a/crypto/heimdal/appl/su/su.c b/crypto/heimdal/appl/su/su.c index 757f39d53fee..e8e47836e3ec 100644 --- a/crypto/heimdal/appl/su/su.c +++ b/crypto/heimdal/appl/su/su.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -36,7 +36,7 @@ #include -RCSID("$Id: su.c,v 1.26.2.1 2003/05/06 12:06:44 joda Exp $"); +RCSID("$Id: su.c 21988 2007-10-19 05:36:54Z lha $"); #include #include @@ -53,6 +53,9 @@ RCSID("$Id: su.c,v 1.26.2.1 2003/05/06 12:06:44 joda Exp $"); #endif #include +#ifdef HAVE_CRYPT_H +#include +#endif #include "crypto-headers.h" #ifdef KRB5 @@ -66,13 +69,7 @@ RCSID("$Id: su.c,v 1.26.2.1 2003/05/06 12:06:44 joda Exp $"); #include #include -#ifndef _PATH_DEFPATH -#define _PATH_DEFPATH "/usr/bin:/bin" -#endif - -#ifndef _PATH_BSHELL -#define _PATH_BSHELL "/bin/sh" -#endif +#include "supaths.h" int kerberos_flag = 1; int csh_f_flag; 
@@ -175,7 +172,9 @@ krb5_verify(const struct passwd *login_info, { krb5_error_code ret; krb5_principal p; + krb5_realm *realms, *r; char *login_name = NULL; + int user_ok = 0; #if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN) login_name = getlogin(); 
@@ -188,50 +187,63 @@ krb5_verify(const struct passwd *login_info, return 1; } - if (login_name == NULL || strcmp (login_name, "root") == 0) - login_name = login_info->pw_name; - if (strcmp (su_info->pw_name, "root") == 0) - ret = krb5_make_principal(context, &p, NULL, - login_name, - kerberos_instance, - NULL); - else - ret = krb5_make_principal(context, &p, NULL, - su_info->pw_name, - NULL); - if(ret) + ret = krb5_get_default_realms(context, &realms); + if (ret) return 1; + + /* Check all local realms */ + for (r = realms; *r != NULL && !user_ok; r++) { + + if (login_name == NULL || strcmp (login_name, "root") == 0) + login_name = login_info->pw_name; + if (strcmp (su_info->pw_name, "root") == 0) + ret = krb5_make_principal(context, &p, *r, + login_name, + kerberos_instance, + NULL); + else + ret = krb5_make_principal(context, &p, *r, + su_info->pw_name, + NULL); + if (ret) { + krb5_free_host_realm(context, realms); + return 1; + } - if(su_info->pw_uid != 0 || krb5_kuserok(context, p, su_info->pw_name)) { + /* if we are su-ing too root, check with krb5_kuserok */ + if (su_info->pw_uid == 0 && !krb5_kuserok(context, p, su_info->pw_name)) + continue; + ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache); if(ret) { -#if 1 - krb5_warn(context, ret, "krb5_cc_gen_new"); -#endif + krb5_free_host_realm(context, realms); krb5_free_principal (context, p); return 1; } - ret = krb5_verify_user_lrealm(context, p, ccache, NULL, TRUE, NULL); + ret = krb5_verify_user(context, p, ccache, NULL, TRUE, NULL); krb5_free_principal (context, p); - if(ret) { + switch (ret) { + case 0: + user_ok = 1; + break; + case KRB5_LIBOS_PWDINTR : krb5_cc_destroy(context, ccache); - switch (ret) { - case KRB5_LIBOS_PWDINTR : - break; - case KRB5KRB_AP_ERR_BAD_INTEGRITY: - case KRB5KRB_AP_ERR_MODIFIED: - krb5_warnx(context, "Password incorrect"); - break; - default : - krb5_warn(context, ret, "krb5_verify_user"); - break; - } - return 1; + break; + case KRB5KRB_AP_ERR_BAD_INTEGRITY: + case 
KRB5KRB_AP_ERR_MODIFIED: + krb5_cc_destroy(context, ccache); + krb5_warnx(context, "Password incorrect"); + break; + default : + krb5_cc_destroy(context, ccache); + krb5_warn(context, ret, "krb5_verify_user"); + break; } - return 0; } - krb5_free_principal (context, p); - return 1; + krb5_free_host_realm(context, realms); + if (!user_ok) + return 1; + return 0; } static int @@ -249,8 +261,10 @@ krb5_start_session(void) ret = krb5_cc_copy_cache(context, ccache, ccache2); - asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2), - krb5_cc_get_name(context, ccache2)); + ret = asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2), + krb5_cc_get_name(context, ccache2)); + if (ret == -1) + errx(1, "malloc - out of memory"); esetenv("KRB5CCNAME", cc_name, 1); /* we want to export this even if we don't directly support KRB4 */ @@ -300,10 +314,12 @@ krb_verify(const struct passwd *login_info, krb_kuserok(name, instance, realm, su_info->pw_name) == 0) { char password[128]; char *prompt; - asprintf (&prompt, + ret = asprintf (&prompt, "%s's Password: ", krb_unparse_name_long (name, instance, realm)); - if (des_read_pw_string (password, sizeof (password), prompt, 0)) { + if (ret == -1) + return (1); + if (UI_UTIL_read_pw_string (password, sizeof (password), prompt, 0)) { memset (password, 0, sizeof (password)); free(prompt); return (1); @@ -341,8 +357,29 @@ krb_start_session(void) } #endif +#define GROUP_MEMBER 0 +#define GROUP_MISSING 1 +#define GROUP_EMPTY 2 +#define GROUP_NOT_MEMBER 3 + static int -verify_unix(struct passwd *su) +group_member_p(const char *group, const char *user) +{ + struct group *g; + int i; + g = getgrnam(group); + if(g == NULL) + return GROUP_MISSING; + if(g->gr_mem[0] == NULL) + return GROUP_EMPTY; + for(i = 0; g->gr_mem[i] != NULL; i++) + if(strcmp(user, g->gr_mem[i]) == 0) + return GROUP_MEMBER; + return GROUP_NOT_MEMBER; +} + +static int +verify_unix(struct passwd *login, struct passwd *su) { char prompt[128]; char pw_buf[1024]; 
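Review bot: The `continue` after the krb5_kuserok check leaks the principal built by krb5_make_principal a few lines earlier, because the loop moves to the next realm without releasing `p`; the removed code freed it on the reject path. Change the check to `if (su_info->pw_uid == 0 && !krb5_kuserok(context, p, su_info->pw_name)) { krb5_free_principal(context, p); continue; }`. Separately, the `KRB5_LIBOS_PWDINTR` case only destroys the cache and then lets the realm loop prompt again for the next realm; an interrupted password prompt should probably end the loop rather than re-prompt, which needs a flag or an explicit exit from the loop after the destroy. krb5_verify begins outside this hunk.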
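Review bot: `ret = asprintf(...)` overwrites the krb5_cc_copy_cache result held in `ret` on the preceding context line, and from the visible lines that result is never checked before or after, so a failed cache copy still ends with KRB5CCNAME exported and the session started. Check it before it is clobbered, e.g. `if (ret) krb5_err(context, 1, ret, "krb5_cc_copy_cache");`, or keep the asprintf status in a separate local so the two return conventions (krb5_error_code versus the -1 of asprintf) are not mixed. krb5_start_session begins outside this hunk.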
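Review bot: group_member_p decides membership from `g->gr_mem` alone, which lists supplementary members, so a user whose primary group (`pw_gid`) is ROOT_GROUP is reported as GROUP_NOT_MEMBER and refused by verify_unix. Consider passing the `struct passwd *` instead of the name and adding `if (g->gr_gid == user->pw_gid) return GROUP_MEMBER;` before the member loop. A short comment above the four GROUP_* defines explaining that MISSING and EMPTY are treated as "no restriction" by the caller would also help, since that policy is only visible in verify_unix.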
@@ -350,13 +387,31 @@ verify_unix(struct passwd *su) int r; if(su->pw_passwd != NULL && *su->pw_passwd != '\0') { snprintf(prompt, sizeof(prompt), "%s's password: ", su->pw_name); - r = des_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0); + r = UI_UTIL_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0); if(r != 0) exit(0); pw = crypt(pw_buf, su->pw_passwd); memset(pw_buf, 0, sizeof(pw_buf)); - if(strcmp(pw, su->pw_passwd) != 0) + if(strcmp(pw, su->pw_passwd) != 0) { + syslog (LOG_ERR | LOG_AUTH, "%s to %s: incorrect password", + login->pw_name, su->pw_name); return 1; + } + } + /* if su:ing to root, check membership of group wheel or root; if + that group doesn't exist, or is empty, allow anyone to su + root */ + if(su->pw_uid == 0) { +#ifndef ROOT_GROUP +#define ROOT_GROUP "wheel" +#endif + int gs = group_member_p(ROOT_GROUP, login->pw_name); + if(gs == GROUP_NOT_MEMBER) { + syslog (LOG_ERR | LOG_AUTH, "%s to %s: not in group %s", + login->pw_name, su->pw_name, ROOT_GROUP); + return 1; + } + return 0; } return 0; } @@ -398,6 +453,9 @@ main(int argc, char **argv) else su_user = argv[optind++]; + if (!issuid() && getuid() != 0) + warnx("Not setuid and you are root, expect this to fail"); + pwd = k_getpwnam(su_user); if(pwd == NULL) errx (1, "unknown login %s", su_user); @@ -434,7 +492,7 @@ main(int argc, char **argv) ok = 4; #endif - if(ok == 0 && login_info->pw_uid && verify_unix(su_info) != 0) { + if(ok == 0 && login_info->pw_uid && verify_unix(login_info, su_info) != 0) { printf("Sorry!\n"); exit(1); } @@ -473,7 +531,7 @@ main(int argc, char **argv) #endif { char *tty = ttyname (STDERR_FILENO); - syslog (LOG_NOTICE | LOG_AUTH, tty ? "%s to %s" : "%s to %s on %s", + syslog (LOG_NOTICE | LOG_AUTH, tty ? "%s to %s on %s" : "%s to %s", login_info->pw_name, su_info->pw_name, tty); } 
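Review bot: The branch where ROOT_GROUP is missing or empty grants root to any user who knows the root password without leaving any trace, while the two refusal paths in the same block are logged to LOG_AUTH; the comment says the fallback is intentional, but an administrator cannot tell from the logs that the group check was skipped. Add a log line on that path, e.g. `else if (gs != GROUP_MEMBER) syslog (LOG_WARNING | LOG_AUTH, "%s to %s: group %s missing or empty, not enforced", login->pw_name, su->pw_name, ROOT_GROUP);`. Also, `#define ROOT_GROUP` inside the function body is unusual; hoisting it next to the GROUP_* defines would make the policy easier to find.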
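Review bot: The new warning text contradicts its own condition: `getuid() != 0` means the caller is not root, but the message says "you are root". Change it to `warnx("Not setuid and you are not root, expect this to fail");`. main begins and ends outside this hunk.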
@@ -481,11 +539,23 @@ main(int argc, char **argv) if(!env_flag) { if(full_login) { char *t = getenv ("TERM"); - - environ = malloc (10 * sizeof (char *)); + char **newenv = NULL; + int i, j; + + i = read_environment(_PATH_ETC_ENVIRONMENT, &newenv); + + environ = malloc ((10 + i) * sizeof (char *)); if (environ == NULL) err (1, "malloc"); environ[0] = NULL; + + for (j = 0; j < i; j++) { + char *p = strchr(newenv[j], '='); + *p++ = 0; + esetenv (newenv[j], p, 1); + } + free(newenv); + esetenv ("PATH", _PATH_DEFPATH, 1); if (t) esetenv ("TERM", t, 1); @@ -516,9 +586,10 @@ main(int argc, char **argv) if (args == NULL) err (1, "malloc"); i = 0; - if(full_login) - asprintf(&args[i++], "-%s", p); - else + if(full_login) { + if (asprintf(&args[i++], "-%s", p) == -1) + errx (1, "malloc"); + } else args[i++] = p; if (cmd) { args[i++] = "-c"; diff --git a/crypto/heimdal/cf/broken-getnameinfo.m4 b/crypto/heimdal/cf/broken-getnameinfo.m4 deleted file mode 100644 index bf2897b2cdd8..000000000000 --- a/crypto/heimdal/cf/broken-getnameinfo.m4 +++ /dev/null @@ -1,28 +0,0 @@ -dnl $Id: broken-getnameinfo.m4,v 1.2.12.1 2004/04/01 07:27:32 joda Exp $ -dnl -dnl test for broken AIX getnameinfo - -AC_DEFUN([rk_BROKEN_GETNAMEINFO],[ -AC_CACHE_CHECK([if getnameinfo is broken], ac_cv_func_getnameinfo_broken, -AC_TRY_RUN([[#include -#include -#include -#include -#include - -int -main(int argc, char **argv) -{ - struct sockaddr_in sin; - char host[256]; - memset(&sin, 0, sizeof(sin)); -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - sin.sin_len = sizeof(sin); -#endif - sin.sin_family = AF_INET; - sin.sin_addr.s_addr = 0xffffffff; - sin.sin_port = 0; - return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host), - NULL, 0, 0); -} -]], ac_cv_func_getnameinfo_broken=no, ac_cv_func_getnameinfo_broken=yes))]) diff --git a/crypto/heimdal/cf/check-declaration.m4 b/crypto/heimdal/cf/check-declaration.m4 deleted file mode 100644 index 18bdf8a7a0ab..000000000000 
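Review bot: The loop over `newenv` dereferences the result of `strchr(newenv[j], '=')` unconditionally, so a line in the environment file without an `=` crashes su; add `if (p == NULL) continue;` before `*p++ = 0;`. It is not visible here whether read_environment can return a negative count on error; if it can, `malloc ((10 + i) * sizeof (char *))` shrinks the table, so the return value should be checked before it is used as a size. Since su is installed setuid (bin_SUIDS in the Makefile.am hunk above), entries from `_PATH_ETC_ENVIRONMENT` end up in the privileged session's environment; a comment stating that the file is expected to be root-owned and not writable by others would document that assumption. main begins and ends outside this hunk.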
--- a/crypto/heimdal/cf/check-declaration.m4 +++ /dev/null @@ -1,25 +0,0 @@ -dnl $Id: check-declaration.m4,v 1.3.34.1 2004/04/01 07:27:32 joda Exp $ -dnl -dnl -dnl Check if we need the declaration of a variable -dnl - -dnl AC_HAVE_DECLARATION(includes, variable) -AC_DEFUN([AC_CHECK_DECLARATION], [ -AC_MSG_CHECKING([if $2 is properly declared]) -AC_CACHE_VAL(ac_cv_var_$2_declaration, [ -AC_TRY_COMPILE([$1 -extern struct { int foo; } $2;], -[$2.foo = 1;], -eval "ac_cv_var_$2_declaration=no", -eval "ac_cv_var_$2_declaration=yes") -]) - -define(foo, [HAVE_]translit($2, [a-z], [A-Z])[_DECLARATION]) - -AC_MSG_RESULT($ac_cv_var_$2_declaration) -if eval "test \"\$ac_cv_var_$2_declaration\" = yes"; then - AC_DEFINE(foo, 1, [define if your system declares $2]) -fi -undefine([foo]) -]) diff --git a/crypto/heimdal/kadmin/kadmin_locl.h b/crypto/heimdal/kadmin/kadmin_locl.h index 0b36127db0d5..1707c459ffe3 100644 --- a/crypto/heimdal/kadmin/kadmin_locl.h +++ b/crypto/heimdal/kadmin/kadmin_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ /* - * $Id: kadmin_locl.h,v 1.41 2002/09/10 20:04:45 joda Exp $ + * $Id: kadmin_locl.h 17580 2006-05-13 21:28:56Z lha $ * $FreeBSD$ */ 
@@ -91,92 +91,57 @@ #include #include #include +#include #include #include #include #include #include - extern krb5_context context; extern void * kadm_handle; -#define DECL(X) int X(int, char **) - -DECL(add_new_key); -DECL(cpw_entry); -DECL(del_entry); -DECL(del_enctype); -DECL(exit_kadmin); -DECL(ext_keytab); -DECL(get_entry); -DECL(get_privs); -DECL(help); -DECL(list_princs); -DECL(mod_entry); -DECL(rename_entry); -DECL(init); -DECL(dump); -DECL(load); -DECL(merge); - #undef ALLOC #define ALLOC(X) ((X) = malloc(sizeof(*(X)))) /* util.c */ -void attributes2str(krb5_flags attributes, char *str, size_t len); -int str2attributes(const char *str, krb5_flags *flags); -int parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit); -int edit_attributes (const char *prompt, krb5_flags *attr, int *mask, - int bit); +void attributes2str(krb5_flags, char *, size_t); +int str2attributes(const char *, krb5_flags *); +int parse_attributes (const char *, krb5_flags *, int *, int); +int edit_attributes (const char *, krb5_flags *, int *, int); -void time_t2str(time_t t, char *str, size_t len, int include_time); -int str2time_t (const char *str, time_t *time); -int parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit); -int edit_timet (const char *prompt, krb5_timestamp *value, int *mask, - int bit); +void time_t2str(time_t, char *, size_t, int); +int str2time_t (const char *, time_t *); +int parse_timet (const char *, krb5_timestamp *, int *, int); +int edit_timet (const char *, krb5_timestamp *, int *, + int); -void deltat2str(unsigned t, char *str, size_t len); -int str2deltat(const char *str, krb5_deltat *delta); -int parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit); -int edit_deltat (const char *prompt, krb5_deltat *value, int *mask, int bit); +void deltat2str(unsigned, char *, size_t); +int str2deltat(const char *, krb5_deltat *); +int parse_deltat (const char *, krb5_deltat *, int *, int); +int edit_deltat (const 
char *, krb5_deltat *, int *, int); -int edit_entry(kadm5_principal_ent_t ent, int *mask, - kadm5_principal_ent_t default_ent, int default_mask); -void set_defaults(kadm5_principal_ent_t ent, int *mask, - kadm5_principal_ent_t default_ent, int default_mask); -int set_entry(krb5_context context, - kadm5_principal_ent_t ent, - int *mask, - const char *max_ticket_life, - const char *max_renewable_life, - const char *expiration, - const char *pw_expiration, - const char *attributes); +int edit_entry(kadm5_principal_ent_t, int *, kadm5_principal_ent_t, int); +void set_defaults(kadm5_principal_ent_t, int *, kadm5_principal_ent_t, int); +int set_entry(krb5_context, kadm5_principal_ent_t, int *, + const char *, const char *, const char *, + const char *, const char *); int -foreach_principal(const char *exp, - int (*func)(krb5_principal, void*), - const char *funcname, - void *data); +foreach_principal(const char *, int (*)(krb5_principal, void*), + const char *, void *); -int parse_des_key (const char *key_string, - krb5_key_data *key_data, const char **err); +int parse_des_key (const char *, krb5_key_data *, const char **); /* server.c */ krb5_error_code kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int); -/* version4.c */ - -void -handle_v4(krb5_context context, krb5_keytab keytab, int len, int fd); - /* random_password.c */ void -random_password(char *pw, size_t len); +random_password(char *, size_t); /* kadm_conn.c */ diff --git a/crypto/heimdal/kadmin/version4.c b/crypto/heimdal/kadmin/version4.c deleted file mode 100644 index ffa9c07f8582..000000000000 --- a/crypto/heimdal/kadmin/version4.c +++ /dev/null 
@@ -1,1016 +0,0 @@ -/* - * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include "kadmin_locl.h" -#include - -#define Principal krb4_Principal -#define kadm_get krb4_kadm_get -#undef ALLOC -#include -#include -#include -#include - -RCSID("$Id: version4.c,v 1.29.2.1 2004/04/29 12:29:23 lha Exp $"); - -#define KADM_NO_OPCODE -1 -#define KADM_NO_ENCRYPT -2 - -/* - * make an error packet if we fail encrypting - */ - -static void -make_you_lose_packet(int code, krb5_data *reply) -{ - krb5_data_alloc(reply, KADM_VERSIZE + 4); - memcpy(reply->data, KADM_ULOSE, KADM_VERSIZE); - _krb5_put_int((char*)reply->data + KADM_VERSIZE, code, 4); -} - -static int -ret_fields(krb5_storage *sp, char *fields) -{ - return krb5_storage_read(sp, fields, FLDSZ); -} - -static int -store_fields(krb5_storage *sp, char *fields) -{ - return krb5_storage_write(sp, fields, FLDSZ); -} - -static void -ret_vals(krb5_storage *sp, Kadm_vals *vals) -{ - int field; - char *tmp_string; - - memset(vals, 0, sizeof(*vals)); - - ret_fields(sp, vals->fields); - - for(field = 31; field >= 0; field--) { - if(IS_FIELD(field, vals->fields)) { - switch(field) { - case KADM_NAME: - krb5_ret_stringz(sp, &tmp_string); - strlcpy(vals->name, tmp_string, sizeof(vals->name)); - free(tmp_string); - break; - case KADM_INST: - krb5_ret_stringz(sp, &tmp_string); - strlcpy(vals->instance, tmp_string, - sizeof(vals->instance)); - free(tmp_string); - break; - case KADM_EXPDATE: - krb5_ret_int32(sp, &vals->exp_date); - break; - case KADM_ATTR: - krb5_ret_int16(sp, &vals->attributes); - break; - case KADM_MAXLIFE: - krb5_ret_int8(sp, &vals->max_life); - break; - case KADM_DESKEY: - krb5_ret_int32(sp, &vals->key_high); - krb5_ret_int32(sp, &vals->key_low); - break; -#ifdef EXTENDED_KADM - case KADM_MODDATE: - krb5_ret_int32(sp, &vals->mod_date); - break; - case KADM_MODNAME: - krb5_ret_stringz(sp, &tmp_string); - strlcpy(vals->mod_name, tmp_string, - sizeof(vals->mod_name)); - free(tmp_string); - break; - case KADM_MODINST: - krb5_ret_stringz(sp, &tmp_string); - strlcpy(vals->mod_instance, 
tmp_string, - sizeof(vals->mod_instance)); - free(tmp_string); - break; - case KADM_KVNO: - krb5_ret_int8(sp, &vals->key_version); - break; -#endif - default: - break; - } - } - } -} - -static void -store_vals(krb5_storage *sp, Kadm_vals *vals) -{ - int field; - - store_fields(sp, vals->fields); - - for(field = 31; field >= 0; field--) { - if(IS_FIELD(field, vals->fields)) { - switch(field) { - case KADM_NAME: - krb5_store_stringz(sp, vals->name); - break; - case KADM_INST: - krb5_store_stringz(sp, vals->instance); - break; - case KADM_EXPDATE: - krb5_store_int32(sp, vals->exp_date); - break; - case KADM_ATTR: - krb5_store_int16(sp, vals->attributes); - break; - case KADM_MAXLIFE: - krb5_store_int8(sp, vals->max_life); - break; - case KADM_DESKEY: - krb5_store_int32(sp, vals->key_high); - krb5_store_int32(sp, vals->key_low); - break; -#ifdef EXTENDED_KADM - case KADM_MODDATE: - krb5_store_int32(sp, vals->mod_date); - break; - case KADM_MODNAME: - krb5_store_stringz(sp, vals->mod_name); - break; - case KADM_MODINST: - krb5_store_stringz(sp, vals->mod_instance); - break; - case KADM_KVNO: - krb5_store_int8(sp, vals->key_version); - break; -#endif - default: - break; - } - } - } -} - -static int -flags_4_to_5(char *flags) -{ - int i; - int32_t mask = 0; - for(i = 31; i >= 0; i--) { - if(IS_FIELD(i, flags)) - switch(i) { - case KADM_NAME: - case KADM_INST: - mask |= KADM5_PRINCIPAL; - case KADM_EXPDATE: - mask |= KADM5_PRINC_EXPIRE_TIME; - case KADM_MAXLIFE: - mask |= KADM5_MAX_LIFE; -#ifdef EXTENDED_KADM - case KADM_KVNO: - mask |= KADM5_KEY_DATA; - case KADM_MODDATE: - mask |= KADM5_MOD_TIME; - case KADM_MODNAME: - case KADM_MODINST: - mask |= KADM5_MOD_NAME; -#endif - } - } - return mask; -} - -static void -ent_to_values(krb5_context context, - kadm5_principal_ent_t ent, - int32_t mask, - Kadm_vals *vals) -{ - krb5_error_code ret; - char realm[REALM_SZ]; - time_t exp = 0; - - memset(vals, 0, sizeof(*vals)); - if(mask & KADM5_PRINCIPAL) { - ret = 
krb5_524_conv_principal(context, ent->principal, - vals->name, vals->instance, realm); - SET_FIELD(KADM_NAME, vals->fields); - SET_FIELD(KADM_INST, vals->fields); - } - if(mask & KADM5_PRINC_EXPIRE_TIME) { - if(ent->princ_expire_time != 0) - exp = ent->princ_expire_time; - } - if(mask & KADM5_PW_EXPIRATION) { - if(ent->pw_expiration != 0 && (exp == 0 || exp > ent->pw_expiration)) - exp = ent->pw_expiration; - } - if(exp) { - vals->exp_date = exp; - SET_FIELD(KADM_EXPDATE, vals->fields); - } - if(mask & KADM5_MAX_LIFE) { - if(ent->max_life == 0) - vals->max_life = 255; - else - vals->max_life = krb_time_to_life(0, ent->max_life); - SET_FIELD(KADM_MAXLIFE, vals->fields); - } - if(mask & KADM5_KEY_DATA) { - if(ent->n_key_data > 0) { -#ifdef EXTENDED_KADM - vals->key_version = ent->key_data[0].key_data_kvno; - SET_FIELD(KADM_KVNO, vals->fields); -#endif - } - /* XXX the key itself? */ - } -#ifdef EXTENDED_KADM - if(mask & KADM5_MOD_TIME) { - vals->mod_date = ent->mod_date; - SET_FIELD(KADM_MODDATE, vals->fields); - } - if(mask & KADM5_MOD_NAME) { - krb5_524_conv_principal(context, ent->mod_name, - vals->mod_name, vals->mod_instance, realm); - SET_FIELD(KADM_MODNAME, vals->fields); - SET_FIELD(KADM_MODINST, vals->fields); - } -#endif -} - -/* - * convert the kadm4 values in `vals' to `ent' (and `mask') - */ - -static krb5_error_code -values_to_ent(krb5_context context, - Kadm_vals *vals, - kadm5_principal_ent_t ent, - int32_t *mask) -{ - krb5_error_code ret; - *mask = 0; - memset(ent, 0, sizeof(*ent)); - - if(IS_FIELD(KADM_NAME, vals->fields)) { - char *inst = NULL; - if(IS_FIELD(KADM_INST, vals->fields)) - inst = vals->instance; - ret = krb5_425_conv_principal(context, - vals->name, - inst, - NULL, - &ent->principal); - if(ret) - return ret; - *mask |= KADM5_PRINCIPAL; - } - if(IS_FIELD(KADM_EXPDATE, vals->fields)) { - ent->princ_expire_time = vals->exp_date; - *mask |= KADM5_PRINC_EXPIRE_TIME; - } - if(IS_FIELD(KADM_MAXLIFE, vals->fields)) { - ent->max_life = 
krb_life_to_time(0, vals->max_life); - *mask |= KADM5_MAX_LIFE; - } - - if(IS_FIELD(KADM_DESKEY, vals->fields)) { - int i; - ent->key_data = calloc(3, sizeof(*ent->key_data)); - if(ent->key_data == NULL) - return ENOMEM; - for(i = 0; i < 3; i++) { - u_int32_t key_low, key_high; - - ent->key_data[i].key_data_ver = 2; -#ifdef EXTENDED_KADM - if(IS_FIELD(KADM_KVNO, vals->fields)) - ent->key_data[i].key_data_kvno = vals->key_version; -#endif - ent->key_data[i].key_data_type[0] = ETYPE_DES_CBC_MD5; - ent->key_data[i].key_data_length[0] = 8; - if((ent->key_data[i].key_data_contents[0] = malloc(8)) == NULL) - return ENOMEM; - - key_low = ntohl(vals->key_low); - key_high = ntohl(vals->key_high); - memcpy(ent->key_data[i].key_data_contents[0], - &key_low, 4); - memcpy((char*)ent->key_data[i].key_data_contents[0] + 4, - &key_high, 4); - ent->key_data[i].key_data_type[1] = KRB5_PW_SALT; - ent->key_data[i].key_data_length[1] = 0; - ent->key_data[i].key_data_contents[1] = NULL; - } - ent->key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4; - ent->key_data[2].key_data_type[0] = ETYPE_DES_CBC_CRC; - ent->n_key_data = 3; - *mask |= KADM5_KEY_DATA; - } - -#ifdef EXTENDED_KADM - if(IS_FIELD(KADM_MODDATE, vals->fields)) { - ent->mod_date = vals->mod_date; - *mask |= KADM5_MOD_TIME; - } - if(IS_FIELD(KADM_MODNAME, vals->fields)) { - char *inst = NULL; - if(IS_FIELD(KADM_MODINST, vals->fields)) - inst = vals->mod_instance; - ret = krb5_425_conv_principal(context, - vals->mod_name, - inst, - NULL, - &ent->mod_name); - if(ret) - return ret; - *mask |= KADM5_MOD_NAME; - } -#endif - return 0; -} - -/* - * Try to translate a KADM5 error code into a v4 kadmin one. 
- */ - -static int -error_code(int ret) -{ - switch (ret) { - case 0: - return 0; - case KADM5_FAILURE : - case KADM5_AUTH_GET : - case KADM5_AUTH_ADD : - case KADM5_AUTH_MODIFY : - case KADM5_AUTH_DELETE : - case KADM5_AUTH_INSUFFICIENT : - return KADM_UNAUTH; - case KADM5_BAD_DB : - return KADM_UK_RERROR; - case KADM5_DUP : - return KADM_INUSE; - case KADM5_RPC_ERROR : - case KADM5_NO_SRV : - return KADM_NO_SERV; - case KADM5_NOT_INIT : - return KADM_NO_CONN; - case KADM5_UNK_PRINC : - return KADM_NOENTRY; - case KADM5_PASS_Q_TOOSHORT : -#ifdef KADM_PASS_Q_TOOSHORT - return KADM_PASS_Q_TOOSHORT; -#else - return KADM_INSECURE_PW; -#endif - case KADM5_PASS_Q_CLASS : -#ifdef KADM_PASS_Q_CLASS - return KADM_PASS_Q_CLASS; -#else - return KADM_INSECURE_PW; -#endif - case KADM5_PASS_Q_DICT : -#ifdef KADM_PASS_Q_DICT - return KADM_PASS_Q_DICT; -#else - return KADM_INSECURE_PW; -#endif - case KADM5_PASS_REUSE : - case KADM5_PASS_TOOSOON : - case KADM5_BAD_PASSWORD : - return KADM_INSECURE_PW; - case KADM5_PROTECT_PRINCIPAL : - return KADM_IMMUTABLE; - case KADM5_POLICY_REF : - case KADM5_INIT : - case KADM5_BAD_HIST_KEY : - case KADM5_UNK_POLICY : - case KADM5_BAD_MASK : - case KADM5_BAD_CLASS : - case KADM5_BAD_LENGTH : - case KADM5_BAD_POLICY : - case KADM5_BAD_PRINCIPAL : - case KADM5_BAD_AUX_ATTR : - case KADM5_BAD_HISTORY : - case KADM5_BAD_MIN_PASS_LIFE : - case KADM5_BAD_SERVER_HANDLE : - case KADM5_BAD_STRUCT_VERSION : - case KADM5_OLD_STRUCT_VERSION : - case KADM5_NEW_STRUCT_VERSION : - case KADM5_BAD_API_VERSION : - case KADM5_OLD_LIB_API_VERSION : - case KADM5_OLD_SERVER_API_VERSION : - case KADM5_NEW_LIB_API_VERSION : - case KADM5_NEW_SERVER_API_VERSION : - case KADM5_SECURE_PRINC_MISSING : - case KADM5_NO_RENAME_SALT : - case KADM5_BAD_CLIENT_PARAMS : - case KADM5_BAD_SERVER_PARAMS : - case KADM5_AUTH_LIST : - case KADM5_AUTH_CHANGEPW : - case KADM5_BAD_TL_TYPE : - case KADM5_MISSING_CONF_PARAMS : - case KADM5_BAD_SERVER_NAME : - default : - return 
KADM_UNAUTH; /* XXX */ - } -} - -/* - * server functions - */ - -static int -kadm_ser_cpw(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - char key[8]; - char *password = NULL; - krb5_error_code ret; - - krb5_warnx(context, "v4-compat %s: CHPASS %s", - principal_string, principal_string); - - ret = krb5_storage_read(message, key + 4, 4); - ret = krb5_storage_read(message, key, 4); - ret = krb5_ret_stringz(message, &password); - - if(password) { - krb5_data pwd_data; - const char *tmp; - - pwd_data.data = password; - pwd_data.length = strlen(password); - - tmp = kadm5_check_password_quality (context, principal, &pwd_data); - - if (tmp != NULL) { - krb5_store_stringz (reply, (char *)tmp); - ret = KADM5_PASS_Q_DICT; - goto fail; - } - ret = kadm5_chpass_principal(kadm_handle, principal, password); - } else { - krb5_key_data key_data[3]; - int i; - for(i = 0; i < 3; i++) { - key_data[i].key_data_ver = 2; - key_data[i].key_data_kvno = 0; - /* key */ - key_data[i].key_data_type[0] = ETYPE_DES_CBC_CRC; - key_data[i].key_data_length[0] = 8; - key_data[i].key_data_contents[0] = malloc(8); - memcpy(key_data[i].key_data_contents[0], &key, 8); - /* salt */ - key_data[i].key_data_type[1] = KRB5_PW_SALT; - key_data[i].key_data_length[1] = 0; - key_data[i].key_data_contents[1] = NULL; - } - key_data[0].key_data_type[0] = ETYPE_DES_CBC_MD5; - key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4; - ret = kadm5_s_chpass_principal_with_key(kadm_handle, - principal, 3, key_data); - } - - if(ret != 0) { - krb5_store_stringz(reply, (char*)krb5_get_err_text(context, ret)); - goto fail; - } - return 0; -fail: - krb5_warn(context, ret, "v4-compat CHPASS"); - return error_code(ret); -} - -static int -kadm_ser_add(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - int32_t mask; - 
kadm5_principal_ent_rec ent, out; - Kadm_vals values; - krb5_error_code ret; - char name[128]; - - ret_vals(message, &values); - - ret = values_to_ent(context, &values, &ent, &mask); - if(ret) - goto fail; - - krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name)); - krb5_warnx(context, "v4-compat %s: ADD %s", - principal_string, name); - - ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_ADD, - ent.principal); - if (ret) - goto fail; - - ret = kadm5_s_create_principal_with_key(kadm_handle, &ent, mask); - if(ret) { - kadm5_free_principal_ent(kadm_handle, &ent); - goto fail; - } - - mask = KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_MAX_LIFE | - KADM5_KEY_DATA | KADM5_MOD_TIME | KADM5_MOD_NAME; - - kadm5_get_principal(kadm_handle, ent.principal, &out, mask); - ent_to_values(context, &out, mask, &values); - kadm5_free_principal_ent(kadm_handle, &ent); - kadm5_free_principal_ent(kadm_handle, &out); - store_vals(reply, &values); - return 0; -fail: - krb5_warn(context, ret, "v4-compat ADD"); - return error_code(ret); -} - -static int -kadm_ser_get(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - krb5_error_code ret; - Kadm_vals values; - kadm5_principal_ent_rec ent, out; - int32_t mask; - char flags[FLDSZ]; - char name[128]; - - ret_vals(message, &values); - /* XXX BRAIN DAMAGE! 
these flags are not stored in the same order - as in the header */ - krb5_ret_int8(message, &flags[3]); - krb5_ret_int8(message, &flags[2]); - krb5_ret_int8(message, &flags[1]); - krb5_ret_int8(message, &flags[0]); - ret = values_to_ent(context, &values, &ent, &mask); - if(ret) - goto fail; - - krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name)); - krb5_warnx(context, "v4-compat %s: GET %s", - principal_string, name); - - ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_GET, - ent.principal); - if (ret) - goto fail; - - mask = flags_4_to_5(flags); - - ret = kadm5_get_principal(kadm_handle, ent.principal, &out, mask); - kadm5_free_principal_ent(kadm_handle, &ent); - - if (ret) - goto fail; - - ent_to_values(context, &out, mask, &values); - - kadm5_free_principal_ent(kadm_handle, &out); - - store_vals(reply, &values); - return 0; -fail: - krb5_warn(context, ret, "v4-compat GET"); - return error_code(ret); -} - -static int -kadm_ser_mod(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - Kadm_vals values1, values2; - kadm5_principal_ent_rec ent, out; - int32_t mask; - krb5_error_code ret; - char name[128]; - - ret_vals(message, &values1); - /* why are the old values sent? is the mask the same in the old and - the new entry? 
*/ - ret_vals(message, &values2); - - ret = values_to_ent(context, &values2, &ent, &mask); - if(ret) - goto fail; - - krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name)); - krb5_warnx(context, "v4-compat %s: MOD %s", - principal_string, name); - - ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_MODIFY, - ent.principal); - if (ret) - goto fail; - - ret = kadm5_s_modify_principal(kadm_handle, &ent, mask); - if(ret) { - kadm5_free_principal_ent(kadm_handle, &ent); - krb5_warn(context, ret, "kadm5_s_modify_principal"); - goto fail; - } - - ret = kadm5_get_principal(kadm_handle, ent.principal, &out, mask); - if(ret) { - kadm5_free_principal_ent(kadm_handle, &ent); - krb5_warn(context, ret, "kadm5_s_modify_principal"); - goto fail; - } - - ent_to_values(context, &out, mask, &values1); - - kadm5_free_principal_ent(kadm_handle, &ent); - kadm5_free_principal_ent(kadm_handle, &out); - - store_vals(reply, &values1); - return 0; -fail: - krb5_warn(context, ret, "v4-compat MOD"); - return error_code(ret); -} - -static int -kadm_ser_del(krb5_context context, - void *kadm_handle, - krb5_principal principal, - const char *principal_string, - krb5_storage *message, - krb5_storage *reply) -{ - Kadm_vals values; - kadm5_principal_ent_rec ent; - int32_t mask; - krb5_error_code ret; - char name[128]; - - ret_vals(message, &values); - - ret = values_to_ent(context, &values, &ent, &mask); - if(ret) - goto fail; - - krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name)); - krb5_warnx(context, "v4-compat %s: DEL %s", - principal_string, name); - - ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_DELETE, - ent.principal); - if (ret) - goto fail; - - ret = kadm5_delete_principal(kadm_handle, ent.principal); - - kadm5_free_principal_ent(kadm_handle, &ent); - - if (ret) - goto fail; - - return 0; -fail: - krb5_warn(context, ret, "v4-compat ADD"); - return error_code(ret); -} - -static int -dispatch(krb5_context context, - void *kadm_handle, - 
krb5_principal principal, - const char *principal_string, - krb5_data msg, - krb5_data *reply) -{ - int retval; - int8_t command; - krb5_storage *sp_in, *sp_out; - - sp_in = krb5_storage_from_data(&msg); - krb5_ret_int8(sp_in, &command); - - sp_out = krb5_storage_emem(); - krb5_storage_write(sp_out, KADM_VERSTR, KADM_VERSIZE); - krb5_store_int32(sp_out, 0); - - switch(command) { - case CHANGE_PW: - retval = kadm_ser_cpw(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - case ADD_ENT: - retval = kadm_ser_add(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - case GET_ENT: - retval = kadm_ser_get(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - case MOD_ENT: - retval = kadm_ser_mod(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - case DEL_ENT: - retval = kadm_ser_del(context, kadm_handle, principal, - principal_string, - sp_in, sp_out); - break; - default: - krb5_warnx(context, "v4-compat %s: unknown opcode: %d", - principal_string, command); - retval = KADM_NO_OPCODE; - break; - } - krb5_storage_free(sp_in); - if(retval) { - krb5_storage_seek(sp_out, KADM_VERSIZE, SEEK_SET); - krb5_store_int32(sp_out, retval); - } - krb5_storage_to_data(sp_out, reply); - krb5_storage_free(sp_out); - return retval; -} - -/* - * Decode a v4 kadmin packet in `message' and create a reply in `reply' - */ - -static void -decode_packet(krb5_context context, - krb5_keytab keytab, - struct sockaddr_in *admin_addr, - struct sockaddr_in *client_addr, - krb5_data message, - krb5_data *reply) -{ - int ret; - KTEXT_ST authent; - AUTH_DAT ad; - MSG_DAT msg_dat; - off_t off = 0; - unsigned long rlen; - char sname[] = "changepw", sinst[] = "kerberos"; - unsigned long checksum; - des_key_schedule schedule; - char *msg = message.data; - void *kadm_handle; - krb5_principal client; - char *client_str; - krb5_keytab_entry entry; - - if(message.length < KADM_VERSIZE + 4 - || 
strncmp(msg, KADM_VERSTR, KADM_VERSIZE) != 0) { - make_you_lose_packet (KADM_BAD_VER, reply); - return; - } - - off = KADM_VERSIZE; - off += _krb5_get_int(msg + off, &rlen, 4); - memset(&authent, 0, sizeof(authent)); - authent.length = message.length - rlen - KADM_VERSIZE - 4; - - if(rlen > message.length - KADM_VERSIZE - 4 - || authent.length > MAX_KTXT_LEN) { - krb5_warnx(context, "received bad rlen (%lu)", (unsigned long)rlen); - make_you_lose_packet (KADM_LENGTH_ERROR, reply); - return; - } - - memcpy(authent.dat, (char*)msg + off, authent.length); - off += authent.length; - - { - krb5_principal principal; - krb5_keyblock *key; - - ret = krb5_make_principal(context, &principal, NULL, - "changepw", "kerberos", NULL); - if (ret) { - krb5_warn (context, ret, "krb5_make_principal"); - make_you_lose_packet (KADM_NOMEM, reply); - return; - } - ret = krb5_kt_get_entry (context, keytab, principal, 0, - ETYPE_DES_CBC_MD5, &entry); - krb5_kt_close (context, keytab); - if (ret) { - krb5_free_principal(context, principal); - make_you_lose_packet (KADM_NO_AUTH, reply); - return; - } - ret = krb5_copy_keyblock (context, &entry.keyblock,& key); - krb5_kt_free_entry(context, &entry); - krb5_free_principal(context, principal); - if(ret) { - if(ret == KRB5_KT_NOTFOUND) - make_you_lose_packet(KADM_NO_AUTH, reply); - else - /* XXX */ - make_you_lose_packet(KADM_NO_AUTH, reply); - krb5_warn(context, ret, "krb5_kt_read_service_key"); - return; - } - - if(key->keyvalue.length != 8) - krb5_abortx(context, "key has wrong length (%lu)", - (unsigned long)key->keyvalue.length); - krb_set_key(key->keyvalue.data, 0); - krb5_free_keyblock(context, key); - } - - ret = krb_rd_req(&authent, sname, sinst, - client_addr->sin_addr.s_addr, &ad, NULL); - - if(ret) { - make_you_lose_packet(ERROR_TABLE_BASE_krb + ret, reply); - krb5_warnx(context, "krb_rd_req: %d", ret); - return; - } - - ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm, - &client); - if (ret) { - krb5_warnx 
(context, "krb5_425_conv_principal: %d", ret); - make_you_lose_packet (KADM_NOMEM, reply); - return; - } - - krb5_unparse_name(context, client, &client_str); - - ret = kadm5_init_with_password_ctx(context, - client_str, - NULL, - KADM5_ADMIN_SERVICE, - NULL, 0, 0, - &kadm_handle); - if (ret) { - krb5_warn (context, ret, "kadm5_init_with_password_ctx"); - make_you_lose_packet (KADM_NOMEM, reply); - goto out; - } - - checksum = des_quad_cksum((void *)(msg + off), NULL, rlen, 0, &ad.session); - if(checksum != ad.checksum) { - krb5_warnx(context, "decode_packet: bad checksum"); - make_you_lose_packet (KADM_BAD_CHK, reply); - goto out; - } - des_set_key(&ad.session, schedule); - ret = krb_rd_priv(msg + off, rlen, schedule, &ad.session, - client_addr, admin_addr, &msg_dat); - if (ret) { - make_you_lose_packet (ERROR_TABLE_BASE_krb + ret, reply); - krb5_warnx(context, "krb_rd_priv: %d", ret); - goto out; - } - - { - krb5_data d, r; - int retval; - - d.data = msg_dat.app_data; - d.length = msg_dat.app_length; - - retval = dispatch(context, kadm_handle, - client, client_str, d, &r); - krb5_data_alloc(reply, r.length + 26); - reply->length = krb_mk_priv(r.data, reply->data, r.length, - schedule, &ad.session, - admin_addr, client_addr); - if((ssize_t)reply->length < 0) { - make_you_lose_packet(KADM_NO_ENCRYPT, reply); - goto out; - } - } -out: - krb5_free_principal(context, client); - free(client_str); -} - -void -handle_v4(krb5_context context, - krb5_keytab keytab, - int len, - int fd) -{ - int first = 1; - struct sockaddr_in admin_addr, client_addr; - socklen_t addr_len; - krb5_data message, reply; - ssize_t n; - - addr_len = sizeof(client_addr); - if (getsockname(fd, (struct sockaddr*)&admin_addr, &addr_len) < 0) - krb5_errx (context, 1, "getsockname"); - addr_len = sizeof(client_addr); - if (getpeername(fd, (struct sockaddr*)&client_addr, &addr_len) < 0) - krb5_errx (context, 1, "getpeername"); - - while(1) { - doing_useful_work = 0; - if(term_flag) - exit(0); - 
if(first) {
- if (len < 2)
- krb5_errx(context, 1, "received too short len (%d < 2)", len);
- /* first time around, we have already read len, and two - bytes of the version string */
- krb5_data_alloc(&message, len);
- memcpy(message.data, "KA", 2);
- n = krb5_net_read(context, &fd, (char*)message.data + 2, - len - 2);
- if (n == 0)
- exit (0);
- if (n < 0)
- krb5_err (context, 1, errno, "krb5_net_read");
- first = 0;
- } else {
- char buf[2];
- unsigned long tmp;
- ssize_t n;
-
- n = krb5_net_read(context, &fd, buf, sizeof(2));
- if (n == 0)
- exit (0);
- if (n < 0)
- krb5_err (context, 1, errno, "krb5_net_read");
- _krb5_get_int(buf, &tmp, 2);
- krb5_data_alloc(&message, tmp);
- n = krb5_net_read(context, &fd, message.data, message.length);
- if (n == 0)
- krb5_errx (context, 1, "EOF in krb5_net_read");
- if (n < 0)
- krb5_err (context, 1, errno, "krb5_net_read");
- }
- doing_useful_work = 1;
- decode_packet(context, keytab, &admin_addr, &client_addr, - message, &reply);
- krb5_data_free(&message);
- {
- char buf[2];
-
- _krb5_put_int(buf, reply.length, sizeof(buf));
- n = krb5_net_write(context, &fd, buf, sizeof(buf));
- if (n < 0)
- krb5_err (context, 1, errno, "krb5_net_write");
- n = krb5_net_write(context, &fd, reply.data, reply.length);
- if (n < 0)
- krb5_err (context, 1, errno, "krb5_net_write");
- krb5_data_free(&reply);
- }
- }
-}
diff --git a/crypto/heimdal/kdc/headers.h b/crypto/heimdal/kdc/headers.h
index 96db9248bebb..bdbc1563e55a 100644
--- a/crypto/heimdal/kdc/headers.h
+++ b/crypto/heimdal/kdc/headers.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -32,7 +32,7 @@
 */
 /*
- * $Id: headers.h,v 1.15 2002/09/10 20:04:46 joda Exp $
+ * $Id: headers.h 19658 2007-01-04 00:15:34Z lha $
 * $FreeBSD$
 */
@@ -73,6 +73,9 @@
 #ifdef HAVE_ARPA_INET_H
 #include
 #endif
+#ifdef HAVE_SYS_WAIT_H
+#include
+#endif
 #ifdef HAVE_NETDB_H
 #include
 #endif
@@ -89,16 +92,14 @@
 #include
 #include
 #include
+#include
+#include
 #include
 #include
-#include /* copy_octet_string */
+#include
-#ifdef KRB4
-#include
-#include
-#define Principal Principal4
-#include
-#endif
+#include
+#include
 #undef ALLOC
 #define ALLOC(X) ((X) = malloc(sizeof(*(X))))
diff --git a/crypto/heimdal/lib/asn1/x509.asn1 b/crypto/heimdal/lib/asn1/x509.asn1
deleted file mode 100644
index 4a15844c8563..000000000000
--- a/crypto/heimdal/lib/asn1/x509.asn1
+++ /dev/null
@@ -1,23 +0,0 @@
-X509 DEFINITIONS ::= BEGIN
-
-CertificateSerialNumber ::= INTEGER -- X.509 '97
-
-AttributeType ::= OBJECT-IDENTIFIER
-
-AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType
-
-AttributeTypeAndValue ::= SEQUENCE {
- type AttributeType,
- value AttributeValue
-}
-
-RelativeDistinguishedName ::= --SET
-SEQUENCE OF AttributeTypeAndValue
-
-RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
-
-Name ::= CHOICE { -- RFC2459
- x RDNSequence
-}
-
-END
\ No newline at end of file
diff --git a/crypto/heimdal/lib/gssapi/8003.c b/crypto/heimdal/lib/gssapi/8003.c
deleted file mode 100644
index 3b481822b8cd..000000000000
--- a/crypto/heimdal/lib/gssapi/8003.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: 8003.c,v 1.12.2.2 2003/09/18 21:30:57 lha Exp $"); - -krb5_error_code -gssapi_encode_om_uint32(OM_uint32 n, u_char *p) -{ - p[0] = (n >> 0) & 0xFF; - p[1] = (n >> 8) & 0xFF; - p[2] = (n >> 16) & 0xFF; - p[3] = (n >> 24) & 0xFF; - return 0; -} - -krb5_error_code -gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p) -{ - p[0] = (n >> 24) & 0xFF; - p[1] = (n >> 16) & 0xFF; - p[2] = (n >> 8) & 0xFF; - p[3] = (n >> 0) & 0xFF; - return 0; -} - -krb5_error_code -gssapi_decode_om_uint32(u_char *p, OM_uint32 *n) -{ - *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); - return 0; -} - -krb5_error_code -gssapi_decode_be_om_uint32(u_char *p, OM_uint32 *n) -{ - *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0); - return 0; -} - -static krb5_error_code -hash_input_chan_bindings (const gss_channel_bindings_t b, - u_char *p) -{ - u_char num[4]; - MD5_CTX md5; - - MD5_Init(&md5); - gssapi_encode_om_uint32 (b->initiator_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); - gssapi_encode_om_uint32 (b->initiator_address.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->initiator_address.length) - MD5_Update (&md5, - b->initiator_address.value, - b->initiator_address.length); - gssapi_encode_om_uint32 (b->acceptor_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); - gssapi_encode_om_uint32 (b->acceptor_address.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->acceptor_address.length) - MD5_Update (&md5, - b->acceptor_address.value, - b->acceptor_address.length); - gssapi_encode_om_uint32 (b->application_data.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->application_data.length) - MD5_Update (&md5, - b->application_data.value, - b->application_data.length); - MD5_Final (p, &md5); - return 0; -} - -/* - * create a checksum over the chanel bindings in - * `input_chan_bindings', `flags' and `fwd_data' and return it in - * `result' - */ - -OM_uint32 
-gssapi_krb5_create_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - OM_uint32 flags, - const krb5_data *fwd_data, - Checksum *result) -{ - u_char *p; - - /* - * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value - * field's format) */ - result->cksumtype = 0x8003; - if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) - result->checksum.length = 24 + 4 + fwd_data->length; - else - result->checksum.length = 24; - result->checksum.data = malloc (result->checksum.length); - if (result->checksum.data == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = result->checksum.data; - gssapi_encode_om_uint32 (16, p); - p += 4; - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) { - memset (p, 0, 16); - } else { - hash_input_chan_bindings (input_chan_bindings, p); - } - p += 16; - gssapi_encode_om_uint32 (flags, p); - p += 4; - - if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) { -#if 0 - u_char *tmp; - - result->checksum.length = 28 + fwd_data->length; - tmp = realloc(result->checksum.data, result->checksum.length); - if (tmp == NULL) - return ENOMEM; - result->checksum.data = tmp; - - p = (u_char*)result->checksum.data + 24; -#endif - *p++ = (1 >> 0) & 0xFF; /* DlgOpt */ /* == 1 */ - *p++ = (1 >> 8) & 0xFF; /* DlgOpt */ /* == 0 */ - *p++ = (fwd_data->length >> 0) & 0xFF; /* Dlgth */ - *p++ = (fwd_data->length >> 8) & 0xFF; /* Dlgth */ - memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length); - - p += fwd_data->length; - } - - return GSS_S_COMPLETE; -} - -/* - * verify the checksum in `cksum' over `input_chan_bindings' - * returning `flags' and `fwd_data' - */ - -OM_uint32 -gssapi_krb5_verify_8003_checksum( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - const Checksum *cksum, - OM_uint32 *flags, - krb5_data *fwd_data) -{ - unsigned char hash[16]; - unsigned char *p; - OM_uint32 length; - int DlgOpt; - static unsigned char zeros[16]; - - /* 
XXX should handle checksums > 24 bytes */
- if(cksum->cksumtype != 0x8003 || cksum->checksum.length < 24) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- p = cksum->checksum.data;
- gssapi_decode_om_uint32(p, &length);
- if(length != sizeof(hash)) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- p += 4;
-
- if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
- && memcmp(p, zeros, sizeof(zeros)) != 0) {
- if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
- if(memcmp(hash, p, sizeof(hash)) != 0) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
- }
-
- p += sizeof(hash);
-
- gssapi_decode_om_uint32(p, flags);
- p += 4;
-
- if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
- if(cksum->checksum.length < 28) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- DlgOpt = (p[0] << 0) | (p[1] << 8);
- p += 2;
- if (DlgOpt != 1) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
- fwd_data->length = (p[0] << 0) | (p[1] << 8);
- p += 2;
- if(cksum->checksum.length < 28 + fwd_data->length) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
- fwd_data->data = malloc(fwd_data->length);
- if (fwd_data->data == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy(fwd_data->data, p, fwd_data->length);
- }
-
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/accept_sec_context.c b/crypto/heimdal/lib/gssapi/accept_sec_context.c
deleted file mode 100644
index d923c36fd574..000000000000
--- a/crypto/heimdal/lib/gssapi/accept_sec_context.c
+++ /dev/null
@@ -1,445 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: accept_sec_context.c,v 1.33.2.2 2003/12/19 00:37:06 lha Exp $"); - -krb5_keytab gssapi_krb5_keytab; - -OM_uint32 -gsskrb5_register_acceptor_identity (const char *identity) -{ - krb5_error_code ret; - char *p; - - ret = gssapi_krb5_init(); - if(ret) - return GSS_S_FAILURE; - - if(gssapi_krb5_keytab != NULL) { - krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab); - gssapi_krb5_keytab = NULL; - } - asprintf(&p, "FILE:%s", identity); - if(p == NULL) - return GSS_S_FAILURE; - ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab); - free(p); - if(ret) - return GSS_S_FAILURE; - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - krb5_error_code kret; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data indata; - krb5_flags ap_options; - OM_uint32 flags; - krb5_ticket *ticket = NULL; - krb5_keytab keytab = NULL; - krb5_data fwd_data; - OM_uint32 minor; - - GSSAPI_KRB5_INIT(); - - krb5_data_zero (&fwd_data); - output_token->length = 0; - output_token->value = NULL; - - if (src_name != NULL) - *src_name = NULL; - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (*context_handle == GSS_C_NO_CONTEXT) { - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == GSS_C_NO_CONTEXT) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - } - - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->ticket = NULL; - (*context_handle)->lifetime = GSS_C_INDEFINITE; - - kret = 
krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS - && input_chan_bindings->application_data.length == - 2 * sizeof((*context_handle)->auth_context->local_port) - ) { - - /* Port numbers are expected to be in application_data.value, - * initator's port first */ - - krb5_address initiator_addr, acceptor_addr; - - memset(&initiator_addr, 0, sizeof(initiator_addr)); - memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - - (*context_handle)->auth_context->remote_port = - *(int16_t *) input_chan_bindings->application_data.value; - - (*context_handle)->auth_context->local_port = - *((int16_t *) input_chan_bindings->application_data.value + 1); - - - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - (*context_handle)->auth_context->local_port, - &acceptor_addr); - if (kret) { - gssapi_krb5_set_error_string (); - ret = GSS_S_BAD_BINDINGS; - *minor_status = kret; - goto failure; - } - - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - (*context_handle)->auth_context->remote_port, - &initiator_addr); - if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - gssapi_krb5_set_error_string (); - ret = GSS_S_BAD_BINDINGS; - *minor_status = kret; - goto failure; - } - - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, - (*context_handle)->auth_context, - &acceptor_addr, /* local address */ - &initiator_addr); /* remote address */ - - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - -#if 0 - free(input_chan_bindings->application_data.value); - input_chan_bindings->application_data.value = NULL; - input_chan_bindings->application_data.length = 0; -#endif - - if (kret) 
{ - gssapi_krb5_set_error_string (); - ret = GSS_S_BAD_BINDINGS; - *minor_status = kret; - goto failure; - } - } - - - - { - int32_t tmp; - - krb5_auth_con_getflags(gssapi_krb5_context, - (*context_handle)->auth_context, - &tmp); - tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE; - krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - tmp); - } - - ret = gssapi_krb5_decapsulate (minor_status, - input_token_buffer, - &indata, - "\x01\x00"); - if (ret) - goto failure; - - if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { - if (gssapi_krb5_keytab != NULL) { - keytab = gssapi_krb5_keytab; - } - } else if (acceptor_cred_handle->keytab != NULL) { - keytab = acceptor_cred_handle->keytab; - } - - kret = krb5_rd_req (gssapi_krb5_context, - &(*context_handle)->auth_context, - &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL - : acceptor_cred_handle->principal, - keytab, - &ap_options, - &ticket); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->client, - &(*context_handle)->source); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->server, - &(*context_handle)->target); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) - goto failure; - - if (src_name != NULL) { - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->client, - src_name); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - } - - { - krb5_authenticator authenticator; - - kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, - (*context_handle)->auth_context, - &authenticator); - if(kret) { - ret = 
GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - ret = gssapi_krb5_verify_8003_checksum(minor_status, - input_chan_bindings, - authenticator->cksum, - &flags, - &fwd_data); - krb5_free_authenticator(gssapi_krb5_context, &authenticator); - if (ret) - goto failure; - } - - if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) { - krb5_ccache ccache; - int32_t ac_flags; - - if (delegated_cred_handle == NULL) - /* XXX Create a new delegated_cred_handle? */ - kret = krb5_cc_default (gssapi_krb5_context, &ccache); - else if (*delegated_cred_handle == NULL) { - if ((*delegated_cred_handle = - calloc(1, sizeof(**delegated_cred_handle))) == NULL) { - ret = GSS_S_FAILURE; - *minor_status = ENOMEM; - krb5_set_error_string(gssapi_krb5_context, "out of memory"); - gssapi_krb5_set_error_string(); - goto failure; - } - if ((ret = gss_duplicate_name(minor_status, ticket->client, - &(*delegated_cred_handle)->principal)) != 0) { - flags &= ~GSS_C_DELEG_FLAG; - free(*delegated_cred_handle); - *delegated_cred_handle = NULL; - goto end_fwd; - } - } - if (delegated_cred_handle != NULL && - (*delegated_cred_handle)->ccache == NULL) { - kret = krb5_cc_gen_new (gssapi_krb5_context, - &krb5_mcc_ops, - &(*delegated_cred_handle)->ccache); - ccache = (*delegated_cred_handle)->ccache; - } - if (delegated_cred_handle != NULL && - (*delegated_cred_handle)->mechanisms == NULL) { - ret = gss_create_empty_oid_set(minor_status, - &(*delegated_cred_handle)->mechanisms); - if (ret) - goto failure; - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &(*delegated_cred_handle)->mechanisms); - if (ret) - goto failure; - } - - if (kret) { - flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - - kret = krb5_cc_initialize(gssapi_krb5_context, - ccache, - *src_name); - if (kret) { - flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - - krb5_auth_con_getflags(gssapi_krb5_context, - (*context_handle)->auth_context, - &ac_flags); - 
krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); - kret = krb5_rd_cred2(gssapi_krb5_context, - (*context_handle)->auth_context, - ccache, - &fwd_data); - krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - ac_flags); - if (kret) { - flags &= ~GSS_C_DELEG_FLAG; - goto end_fwd; - } - - end_fwd: - free(fwd_data.data); - } - - - flags |= GSS_C_TRANS_FLAG; - - if (ret_flags) - *ret_flags = flags; - (*context_handle)->lifetime = ticket->ticket.endtime; - (*context_handle)->flags = flags; - (*context_handle)->more_flags |= OPEN; - - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - time_rec); - if (ret) - goto failure; - } - - if(flags & GSS_C_MUTUAL_FLAG) { - krb5_data outbuf; - - kret = krb5_mk_rep (gssapi_krb5_context, - (*context_handle)->auth_context, - &outbuf); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - ret = gssapi_krb5_encapsulate (minor_status, - &outbuf, - output_token, - "\x02\x00"); - krb5_data_free (&outbuf); - if (ret) - goto failure; - } else { - output_token->length = 0; - output_token->value = NULL; - } - - (*context_handle)->ticket = ticket; - ticket = NULL; - -#if 0 - krb5_free_ticket (context, ticket); -#endif - - *minor_status = 0; - return GSS_S_COMPLETE; - - failure: - if (fwd_data.length > 0) - free(fwd_data.data); - if (ticket != NULL) - krb5_free_ticket (gssapi_krb5_context, ticket); - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - free (*context_handle); - if (src_name != NULL) { - gss_release_name (&minor, src_name); - *src_name = NULL; 
- }
- *context_handle = GSS_C_NO_CONTEXT;
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/acquire_cred.c b/crypto/heimdal/lib/gssapi/acquire_cred.c
deleted file mode 100644
index dfe2b4cca5cb..000000000000
--- a/crypto/heimdal/lib/gssapi/acquire_cred.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: acquire_cred.c,v 1.13.2.1 2003/08/15 14:18:24 lha Exp $"); - -static krb5_error_code -get_keytab(krb5_keytab *keytab) -{ - char kt_name[256]; - krb5_error_code kret; - - if (gssapi_krb5_keytab != NULL) { - kret = krb5_kt_get_name(gssapi_krb5_context, - gssapi_krb5_keytab, - kt_name, sizeof(kt_name)); - if (kret == 0) - kret = krb5_kt_resolve(gssapi_krb5_context, kt_name, keytab); - } else - kret = krb5_kt_default(gssapi_krb5_context, keytab); - return (kret); -} - -static OM_uint32 acquire_initiator_cred - (OM_uint32 * minor_status, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_creds cred; - krb5_principal def_princ; - krb5_get_init_creds_opt opt; - krb5_ccache ccache; - krb5_keytab keytab; - krb5_error_code kret; - - keytab = NULL; - ccache = NULL; - def_princ = NULL; - ret = GSS_S_FAILURE; - memset(&cred, 0, sizeof(cred)); - - kret = krb5_cc_default(gssapi_krb5_context, &ccache); - if (kret) - goto end; - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, - &def_princ); - if (kret != 0) { - /* we'll try to use a keytab below */ - krb5_cc_destroy(gssapi_krb5_context, ccache); - ccache = NULL; - kret = 0; - } else if (handle->principal == NULL) { - kret = krb5_copy_principal(gssapi_krb5_context, def_princ, - &handle->principal); - if (kret) - goto end; - } else if (handle->principal != NULL && - krb5_principal_compare(gssapi_krb5_context, handle->principal, - def_princ) == FALSE) { - /* Before failing, lets check the keytab */ - krb5_free_principal(gssapi_krb5_context, def_princ); - def_princ = NULL; - } - if (def_princ == NULL) { - /* We have no existing credentials cache, - * so attempt to get a TGT using a keytab. 
- */ - if (handle->principal == NULL) { - kret = krb5_get_default_principal(gssapi_krb5_context, - &handle->principal); - if (kret) - goto end; - } - kret = get_keytab(&keytab); - if (kret) - goto end; - krb5_get_init_creds_opt_init(&opt); - kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred, - handle->principal, keytab, 0, NULL, &opt); - if (kret) - goto end; - kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, - &ccache); - if (kret) - goto end; - kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client); - if (kret) - goto end; - kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred); - if (kret) - goto end; - handle->lifetime = cred.times.endtime; - } else { - krb5_creds in_cred, *out_cred; - krb5_const_realm realm; - - memset(&in_cred, 0, sizeof(in_cred)); - in_cred.client = handle->principal; - - realm = krb5_principal_get_realm(gssapi_krb5_context, - handle->principal); - if (realm == NULL) { - kret = KRB5_PRINC_NOMATCH; /* XXX */ - goto end; - } - - kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server, - realm, KRB5_TGS_NAME, realm, NULL); - if (kret) - goto end; - - kret = krb5_get_credentials(gssapi_krb5_context, 0, - ccache, &in_cred, &out_cred); - krb5_free_principal(gssapi_krb5_context, in_cred.server); - if (kret) - goto end; - - handle->lifetime = out_cred->times.endtime; - krb5_free_creds(gssapi_krb5_context, out_cred); - } - - handle->ccache = ccache; - ret = GSS_S_COMPLETE; - -end: - if (cred.client != NULL) - krb5_free_creds_contents(gssapi_krb5_context, &cred); - if (def_princ != NULL) - krb5_free_principal(gssapi_krb5_context, def_princ); - if (keytab != NULL) - krb5_kt_close(gssapi_krb5_context, keytab); - if (ret != GSS_S_COMPLETE) { - if (ccache != NULL) - krb5_cc_close(gssapi_krb5_context, ccache); - if (kret != 0) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - } - } - return (ret); -} - -static OM_uint32 acquire_acceptor_cred - (OM_uint32 * minor_status, - const gss_name_t 
desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- )
-{
- OM_uint32 ret;
- krb5_error_code kret;
-
- kret = 0;
- ret = GSS_S_FAILURE;
- kret = get_keytab(&handle->keytab);
- if (kret)
- goto end;
- ret = GSS_S_COMPLETE;
-
-end:
- if (ret != GSS_S_COMPLETE) {
- if (handle->keytab != NULL)
- krb5_kt_close(gssapi_krb5_context, handle->keytab);
- if (kret != 0) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- }
- }
- return (ret);
-}
-
-OM_uint32 gss_acquire_cred
- (OM_uint32 * minor_status,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t * output_cred_handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- )
-{
- gss_cred_id_t handle;
- OM_uint32 ret;
-
- GSSAPI_KRB5_INIT ();
-
- *output_cred_handle = NULL;
- if (time_rec)
- *time_rec = 0;
- if (actual_mechs)
- *actual_mechs = GSS_C_NO_OID_SET;
-
- if (desired_mechs) {
- OM_uint32 present = 0;
-
- ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- desired_mechs, &present);
- if (ret)
- return ret;
- if (!present) {
- *minor_status = 0;
- return GSS_S_BAD_MECH;
- }
- }
-
- handle = (gss_cred_id_t)malloc(sizeof(*handle));
- if (handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = ENOMEM;
- return (GSS_S_FAILURE);
- }
-
- memset(handle, 0, sizeof (*handle));
-
- if (desired_name != GSS_C_NO_NAME) {
- ret = gss_duplicate_name(minor_status, desired_name,
- &handle->principal);
- if (ret != GSS_S_COMPLETE) {
- free(handle);
- return (ret);
- }
- }
- if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
- ret = acquire_initiator_cred(minor_status, desired_name, time_req,
- desired_mechs, cred_usage, handle, actual_mechs, time_rec);
- if (ret != GSS_S_COMPLETE) {
- free(handle);
- return (ret);
- }
- } else if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
- ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
- desired_mechs, cred_usage, handle, actual_mechs, time_rec);
- if (ret != GSS_S_COMPLETE) {
- free(handle);
- return (ret);
- }
- } else {
- free(handle);
- *minor_status = GSS_KRB5_S_G_BAD_USAGE;
- return GSS_S_FAILURE;
- }
- ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
- actual_mechs);
- if (ret != GSS_S_COMPLETE) {
- if (handle->mechanisms != NULL)
- gss_release_oid_set(NULL, &handle->mechanisms);
- free(handle);
- return (ret);
- }
- *minor_status = 0;
- if (time_rec) {
- ret = gssapi_lifetime_left(minor_status,
- handle->lifetime,
- time_rec);
-
- if (ret)
- return ret;
- }
- handle->usage = cred_usage;
- *output_cred_handle = handle;
- return (GSS_S_COMPLETE);
-}
diff --git a/crypto/heimdal/lib/gssapi/add_cred.c b/crypto/heimdal/lib/gssapi/add_cred.c
deleted file mode 100644
index 53d4f3370696..000000000000
--- a/crypto/heimdal/lib/gssapi/add_cred.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: add_cred.c,v 1.2.2.1 2003/10/21 21:00:47 lha Exp $"); - -OM_uint32 gss_add_cred ( - OM_uint32 *minor_status, - const gss_cred_id_t input_cred_handle, - const gss_name_t desired_name, - const gss_OID desired_mech, - gss_cred_usage_t cred_usage, - OM_uint32 initiator_time_req, - OM_uint32 acceptor_time_req, - gss_cred_id_t *output_cred_handle, - gss_OID_set *actual_mechs, - OM_uint32 *initiator_time_rec, - OM_uint32 *acceptor_time_rec) -{ - OM_uint32 ret, lifetime; - gss_cred_id_t cred, handle; - - handle = NULL; - cred = input_cred_handle; - - if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) { - *minor_status = 0; - return GSS_S_BAD_MECH; - } - - if (cred == GSS_C_NO_CREDENTIAL && output_cred_handle == NULL) { - *minor_status = 0; - return GSS_S_NO_CRED; - } - - /* check if requested output usage is compatible with output usage */ - if (output_cred_handle != NULL && - (cred->usage != cred_usage && cred->usage != GSS_C_BOTH)) { - *minor_status = GSS_KRB5_S_G_BAD_USAGE; - return(GSS_S_FAILURE); - } - - /* check that we have the same name */ - if (desired_name != GSS_C_NO_NAME && - krb5_principal_compare(gssapi_krb5_context, desired_name, - cred->principal) != FALSE) { - *minor_status = 0; - return GSS_S_BAD_NAME; - } - - /* make a copy */ - if (output_cred_handle) { - - handle = (gss_cred_id_t)malloc(sizeof(*handle)); - if (handle == GSS_C_NO_CREDENTIAL) { - *minor_status = ENOMEM; - return (GSS_S_FAILURE); - } - - memset(handle, 0, sizeof (*handle)); - - handle->usage = cred_usage; - handle->lifetime = cred->lifetime; - handle->principal = NULL; - handle->keytab = NULL; - handle->ccache = NULL; - handle->mechanisms = NULL; - - ret = GSS_S_FAILURE; - - ret = gss_duplicate_name(minor_status, cred->principal, - &handle->principal); - if (ret) { - free(handle); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - if (cred->keytab) { - krb5_error_code kret; - char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN]; - 
int len; - - ret = GSS_S_FAILURE; - - kret = krb5_kt_get_type(gssapi_krb5_context, cred->keytab, - name, KRB5_KT_PREFIX_MAX_LEN); - if (kret) { - *minor_status = kret; - goto failure; - } - len = strlen(name); - name[len++] = ':'; - - kret = krb5_kt_get_name(gssapi_krb5_context, cred->keytab, - name + len, - sizeof(name) - len); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_kt_resolve(gssapi_krb5_context, name, - &handle->keytab); - if (kret){ - *minor_status = kret; - goto failure; - } - } - - if (cred->ccache) { - krb5_error_code kret; - const char *type, *name; - char *type_name; - - ret = GSS_S_FAILURE; - - type = krb5_cc_get_type(gssapi_krb5_context, cred->ccache); - if (type == NULL){ - *minor_status = ENOMEM; - goto failure; - } - - if (strcmp(type, "MEMORY") == 0) { - ret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, - &handle->ccache); - if (ret) { - *minor_status = ret; - goto failure; - } - - ret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, - handle->ccache); - if (ret) { - *minor_status = ret; - goto failure; - } - - } else { - - name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache); - if (name == NULL) { - *minor_status = ENOMEM; - goto failure; - } - - asprintf(&type_name, "%s:%s", type, name); - if (type_name == NULL) { - *minor_status = ENOMEM; - goto failure; - } - - kret = krb5_cc_resolve(gssapi_krb5_context, type_name, - &handle->ccache); - free(type_name); - if (kret) { - *minor_status = kret; - goto failure; - } - } - } - - ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); - if (ret) - goto failure; - - ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, - &handle->mechanisms); - if (ret) - goto failure; - } - - ret = gss_inquire_cred(minor_status, cred, NULL, &lifetime, - NULL, actual_mechs); - if (ret) - goto failure; - - if (initiator_time_rec) - *initiator_time_rec = lifetime; - if (acceptor_time_rec) - *acceptor_time_rec = lifetime; - - if (output_cred_handle) 
- *output_cred_handle = handle;
-
- *minor_status = 0;
- return ret;
-
- failure:
-
- if (handle) {
- if (handle->principal)
- gss_release_name(NULL, &handle->principal);
- if (handle->keytab)
- krb5_kt_close(gssapi_krb5_context, handle->keytab);
- if (handle->ccache)
- krb5_cc_destroy(gssapi_krb5_context, handle->ccache);
- if (handle->mechanisms)
- gss_release_oid_set(NULL, &handle->mechanisms);
- free(handle);
- }
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/add_oid_set_member.c b/crypto/heimdal/lib/gssapi/add_oid_set_member.c
deleted file mode 100644
index ed654fc8c5b8..000000000000
--- a/crypto/heimdal/lib/gssapi/add_oid_set_member.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: add_oid_set_member.c,v 1.8 2003/03/16 17:50:49 lha Exp $");
-
-OM_uint32 gss_add_oid_set_member (
- OM_uint32 * minor_status,
- const gss_OID member_oid,
- gss_OID_set * oid_set
- )
-{
- gss_OID tmp;
- size_t n;
- OM_uint32 res;
- int present;
-
- res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present);
- if (res != GSS_S_COMPLETE)
- return res;
-
- if (present) {
- *minor_status = 0;
- return GSS_S_COMPLETE;
- }
-
- n = (*oid_set)->count + 1;
- tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc));
- if (tmp == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- (*oid_set)->elements = tmp;
- (*oid_set)->count = n;
- (*oid_set)->elements[n-1] = *member_oid;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/address_to_krb5addr.c b/crypto/heimdal/lib/gssapi/address_to_krb5addr.c
deleted file mode 100644
index c8041aa93626..000000000000
--- a/crypto/heimdal/lib/gssapi/address_to_krb5addr.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -#include - -krb5_error_code -gss_address_to_krb5addr(OM_uint32 gss_addr_type, - gss_buffer_desc *gss_addr, - int16_t port, - krb5_address *address) -{ - int addr_type; - struct sockaddr sa; - int sa_size = sizeof(sa); - krb5_error_code problem; - - if (gss_addr == NULL) - return GSS_S_FAILURE; - - switch (gss_addr_type) { -#ifdef HAVE_IPV6 - case GSS_C_AF_INET6: addr_type = AF_INET6; - break; -#endif /* HAVE_IPV6 */ - - case GSS_C_AF_INET: addr_type = AF_INET; - break; - default: - return GSS_S_FAILURE; - } - - problem = krb5_h_addr2sockaddr (gssapi_krb5_context, - addr_type, - gss_addr->value, - &sa, - &sa_size, - port); - if (problem) - return GSS_S_FAILURE; - - problem = krb5_sockaddr2address (gssapi_krb5_context, &sa, address); - - return problem; -} diff --git a/crypto/heimdal/lib/gssapi/arcfour.c b/crypto/heimdal/lib/gssapi/arcfour.c deleted file mode 100644 index 66d688ca0b58..000000000000 --- a/crypto/heimdal/lib/gssapi/arcfour.c +++ /dev/null 
@@ -1,623 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -/* - * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt - */ - -RCSID("$Id: arcfour.c,v 1.12.2.3 2003/09/19 15:15:11 lha Exp $"); - -static krb5_error_code -arcfour_mic_key(krb5_context context, krb5_keyblock *key, - void *cksum_data, size_t cksum_size, - void *key6_data, size_t key6_size) -{ - krb5_error_code ret; - - Checksum cksum_k5; - krb5_keyblock key5; - char k5_data[16]; - - Checksum cksum_k6; - - char T[4]; - - memset(T, 0, 4); - cksum_k5.checksum.data = k5_data; - cksum_k5.checksum.length = sizeof(k5_data); - - if (key->keytype == KEYTYPE_ARCFOUR_56) { - char L40[14] = "fortybits"; - - memcpy(L40 + 10, T, sizeof(T)); - ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, - L40, 14, 0, key, &cksum_k5); - memset(&k5_data[7], 0xAB, 9); - } else { - ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, - T, 4, 0, key, &cksum_k5); - } - if (ret) - return ret; - - key5.keytype = KEYTYPE_ARCFOUR; - key5.keyvalue = cksum_k5.checksum; - - cksum_k6.checksum.data = key6_data; - cksum_k6.checksum.length = key6_size; - - return krb5_hmac(context, CKSUMTYPE_RSA_MD5, - cksum_data, cksum_size, 0, &key5, &cksum_k6); -} - - -static krb5_error_code -arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, - u_char *sgn_cksum, size_t sgn_cksum_sz, - const char *v1, size_t l1, - const void *v2, size_t l2, - const void *v3, size_t l3) -{ - Checksum CKSUM; - u_char *ptr; - size_t len; - krb5_crypto crypto; - krb5_error_code ret; - - assert(sgn_cksum_sz == 8); - - len = l1 + l2 + l3; - - ptr = malloc(len); - if (ptr == NULL) - return ENOMEM; - - memcpy(ptr, v1, l1); - memcpy(ptr + l1, v2, l2); - memcpy(ptr + l1 + l2, v3, l3); - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - free(ptr); - return ret; - } - - ret = krb5_create_checksum(gssapi_krb5_context, - crypto, - usage, - 0, - ptr, len, - &CKSUM); - free(ptr); - if (ret == 0) { - memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz); - free_Checksum(&CKSUM); - } - 
krb5_crypto_destroy(gssapi_krb5_context, crypto); - - return ret; -} - - -OM_uint32 -_gssapi_get_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key) -{ - krb5_error_code ret; - int32_t seq_number; - size_t len, total_len; - u_char k6_data[16], *p0, *p; - RC4_KEY rc4_key; - - gssapi_krb5_encap_length (22, &len, &total_len); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p0 = _gssapi_make_mech_header(message_token->value, - len); - p = p0; - - *p++ = 0x01; /* TOK_ID */ - *p++ = 0x01; - *p++ = 0x11; /* SGN_ALG */ - *p++ = 0x00; - *p++ = 0xff; /* Filler */ - *p++ = 0xff; - *p++ = 0xff; - *p++ = 0xff; - - p = NULL; - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN, - p0 + 16, 8, /* SGN_CKSUM */ - p0, 8, /* TOK_ID, SGN_ALG, Filer */ - message_buffer->value, message_buffer->length, - NULL, 0); - if (ret) { - gss_release_buffer(minor_status, message_token); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = arcfour_mic_key(gssapi_krb5_context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - gss_release_buffer(minor_status, message_token); - *minor_status = ret; - return GSS_S_FAILURE; - } - - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - p = p0 + 8; /* SND_SEQ */ - gssapi_encode_be_om_uint32(seq_number, p); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - memset (p + 4, (context_handle->more_flags & LOCAL) ? 
0 : 0xff, 4); - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p, p); - - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - - -OM_uint32 -_gssapi_verify_mic_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type) -{ - krb5_error_code ret; - int32_t seq_number, seq_number2; - OM_uint32 omret; - char cksum_data[8], k6_data[16], SND_SEQ[8]; - u_char *p; - int cmp; - - if (qop_state) - *qop_state = 0; - - p = token_buffer->value; - omret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type); - if (omret) - return omret; - - if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN, - cksum_data, sizeof(cksum_data), - p - 8, 8, - message_buffer->value, message_buffer->length, - NULL, 0); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = arcfour_mic_key(gssapi_krb5_context, key, - cksum_data, sizeof(cksum_data), - k6_data, sizeof(k6_data)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - cmp = memcmp(cksum_data, p + 8, 8); - if (cmp) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p, SND_SEQ); - - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); - - memset(SND_SEQ, 0, sizeof(SND_SEQ)); - if (cmp != 0) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - 
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number2); - - if (seq_number != seq_number2) { - *minor_status = 0; - return GSS_S_UNSEQ_TOKEN; - } - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number2); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 -_gssapi_wrap_arcfour(OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key) -{ - u_char Klocaldata[16], k6_data[16], *p, *p0; - size_t len, total_len, datalen; - krb5_keyblock Klocal; - krb5_error_code ret; - int32_t seq_number; - - if (conf_state) - *conf_state = 0; - - datalen = input_message_buffer->length + 1 /* padding */; - len = datalen + 30; - gssapi_krb5_encap_length (len, &len, &total_len); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p0 = _gssapi_make_mech_header(output_message_buffer->value, - len); - p = p0; - - *p++ = 0x02; /* TOK_ID */ - *p++ = 0x01; - *p++ = 0x11; /* SGN_ALG */ - *p++ = 0x00; - if (conf_req_flag) { - *p++ = 0x10; /* SEAL_ALG */ - *p++ = 0x00; - } else { - *p++ = 0xff; /* SEAL_ALG */ - *p++ = 0xff; - } - *p++ = 0xff; /* Filler */ - *p++ = 0xff; - - p = NULL; - - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - gssapi_encode_be_om_uint32(seq_number, p0 + 8); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - memset (p0 + 8 + 4, - (context_handle->more_flags & LOCAL) ? 
0 : 0xff, - 4); - - krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */ - - /* p points to data */ - p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE; - memcpy(p, input_message_buffer->value, input_message_buffer->length); - p[input_message_buffer->length] = 1; /* PADDING */ - - ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, - p0 + 16, 8, /* SGN_CKSUM */ - p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */ - p0 + 24, 8, /* Confounder */ - p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - datalen); - if (ret) { - *minor_status = ret; - gss_release_buffer(minor_status, output_message_buffer); - return GSS_S_FAILURE; - } - - { - int i; - - Klocal.keytype = key->keytype; - Klocal.keyvalue.data = Klocaldata; - Klocal.keyvalue.length = sizeof(Klocaldata); - - for (i = 0; i < 16; i++) - Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; - } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, - p0 + 8, 4, /* SND_SEQ */ - k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - - if(conf_req_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - /* XXX ? 
*/ - RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */ - memset(&rc4_key, 0, sizeof(rc4_key)); - } - memset(k6_data, 0, sizeof(k6_data)); - - ret = arcfour_mic_key(gssapi_krb5_context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - if (conf_state) - *conf_state = conf_req_flag; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key) -{ - u_char Klocaldata[16]; - krb5_keyblock Klocal; - krb5_error_code ret; - int32_t seq_number, seq_number2; - size_t datalen; - OM_uint32 omret; - char k6_data[16], SND_SEQ[8], Confounder[8]; - char cksum_data[8]; - u_char *p, *p0; - int cmp; - int conf_flag; - size_t padlen; - - if (conf_state) - *conf_state = 0; - if (qop_state) - *qop_state = 0; - - p0 = input_message_buffer->value; - omret = _gssapi_verify_mech_header(&p0, - input_message_buffer->length); - if (omret) - return omret; - p = p0; - - datalen = input_message_buffer->length - - (p - ((u_char *)input_message_buffer->value)) - - GSS_ARCFOUR_WRAP_TOKEN_SIZE; - - if (memcmp(p, "\x02\x01", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ - return GSS_S_BAD_SIG; - p += 2; - - if (memcmp (p, "\x10\x00", 2) == 0) - conf_flag = 1; - else if (memcmp (p, "\xff\xff", 2) == 0) - conf_flag = 0; - else - return GSS_S_BAD_SIG; - - p += 2; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_BAD_MIC; - p = NULL; - - 
ret = arcfour_mic_key(gssapi_krb5_context, key, - p0 + 16, 8, /* SGN_CKSUM */ - k6_data, sizeof(k6_data)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */ - memset(&rc4_key, 0, sizeof(rc4_key)); - memset(k6_data, 0, sizeof(k6_data)); - } - - gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); - - if (context_handle->more_flags & LOCAL) - cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); - else - cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); - - if (cmp != 0) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - { - int i; - - Klocal.keytype = key->keytype; - Klocal.keyvalue.data = Klocaldata; - Klocal.keyvalue.length = sizeof(Klocaldata); - - for (i = 0; i < 16; i++) - Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; - } - ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, - SND_SEQ, 4, - k6_data, sizeof(k6_data)); - memset(Klocaldata, 0, sizeof(Klocaldata)); - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - output_message_buffer->value = malloc(datalen); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - output_message_buffer->length = datalen; - - if(conf_flag) { - RC4_KEY rc4_key; - - RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); - RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */ - RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - output_message_buffer->value); - memset(&rc4_key, 0, sizeof(rc4_key)); - } else { - memcpy(Confounder, p0 + 24, 8); /* Confounder */ - memcpy(output_message_buffer->value, - p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, - datalen); - } - memset(k6_data, 0, sizeof(k6_data)); - - ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = 0; - return ret; - } - output_message_buffer->length -= padlen; - - 
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, - cksum_data, sizeof(cksum_data), - p0, 8, - Confounder, sizeof(Confounder), - output_message_buffer->value, - output_message_buffer->length + padlen); - if (ret) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = ret; - return GSS_S_FAILURE; - } - - cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ - if (cmp) { - gss_release_buffer(minor_status, output_message_buffer); - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number2); - - if (seq_number != seq_number2) { - *minor_status = 0; - return GSS_S_UNSEQ_TOKEN; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number2); - - if (conf_state) - *conf_state = conf_flag; - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/arcfour.h b/crypto/heimdal/lib/gssapi/arcfour.h deleted file mode 100644 index 88bdfb119f44..000000000000 --- a/crypto/heimdal/lib/gssapi/arcfour.h +++ /dev/null 
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: arcfour.h,v 1.3.2.2 2003/09/19 15:14:14 lha Exp $ */
-
-#ifndef GSSAPI_ARCFOUR_H_
-#define GSSAPI_ARCFOUR_H_ 1
-
-/*
- * The arcfour message have the following formats, these are only here
- * for reference and is not used.
- */ - -#if 0 -typedef struct gss_arcfour_mic_token { - u_char TOK_ID[2]; /* 01 01 */ - u_char SGN_ALG[2]; /* 11 00 */ - u_char Filler[4]; - u_char SND_SEQ[8]; - u_char SGN_CKSUM[8]; -} gss_arcfour_mic_token_desc, *gss_arcfour_mic_token; - -typedef struct gss_arcfour_wrap_token { - u_char TOK_ID[2]; /* 02 01 */ - u_char SGN_ALG[2]; - u_char SEAL_ALG[2]; - u_char Filler[2]; - u_char SND_SEQ[8]; - u_char SGN_CKSUM[8]; - u_char Confounder[8]; -} gss_arcfour_wrap_token_desc, *gss_arcfour_wrap_token; -#endif - -#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32 - -OM_uint32 _gssapi_wrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key); - -OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state, - krb5_keyblock *key); - -OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key); - -OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t *qop_state, - krb5_keyblock *key, - char *type); - -#endif /* GSSAPI_ARCFOUR_H_ */ diff --git a/crypto/heimdal/lib/gssapi/canonicalize_name.c b/crypto/heimdal/lib/gssapi/canonicalize_name.c deleted file mode 100644 index afa39f3a4f96..000000000000 --- a/crypto/heimdal/lib/gssapi/canonicalize_name.c +++ /dev/null 
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: canonicalize_name.c,v 1.2 1999/12/02 17:05:03 joda Exp $");
-
-OM_uint32 gss_canonicalize_name (
- OM_uint32 * minor_status,
- const gss_name_t input_name,
- const gss_OID mech_type,
- gss_name_t * output_name
- )
-{
- return gss_duplicate_name (minor_status, input_name, output_name);
-}
diff --git a/crypto/heimdal/lib/gssapi/compat.c b/crypto/heimdal/lib/gssapi/compat.c
deleted file mode 100644
index 311b1cb71a1e..000000000000
--- a/crypto/heimdal/lib/gssapi/compat.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: compat.c,v 1.2.2.2 2003/04/28 13:58:09 lha Exp $"); - - -static krb5_error_code -check_compat(OM_uint32 *minor_status, gss_name_t name, - const char *option, krb5_boolean *compat, - krb5_boolean match_val) -{ - krb5_error_code ret = 0; - char **p, **q; - krb5_principal match; - - - p = krb5_config_get_strings(gssapi_krb5_context, NULL, "gssapi", - option, NULL); - if(p == NULL) - return 0; - - for(q = p; *q; q++) { - - ret = krb5_parse_name(gssapi_krb5_context, *q, &match); - if (ret) - break; - - if (krb5_principal_match(gssapi_krb5_context, name, match)) { - *compat = match_val; - break; - } - - krb5_free_principal(gssapi_krb5_context, match); - } - krb5_config_free_strings(p); - - if (ret) { - *minor_status = ret; - return GSS_S_FAILURE; - } - - return 0; -} - -OM_uint32 -_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx) -{ - krb5_boolean use_compat = TRUE; - OM_uint32 ret; - - if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) { - ret = check_compat(minor_status, ctx->target, - "broken_des3_mic", &use_compat, TRUE); - if (ret) - return ret; - ret = check_compat(minor_status, ctx->target, - "correct_des3_mic", &use_compat, FALSE); - if (ret) - return ret; - - if (use_compat) - ctx->more_flags |= COMPAT_OLD_DES3; - ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; - } - return 0; -} - -OM_uint32 -gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) -{ - *minor_status = 0; - - if (on) { - ctx->more_flags |= COMPAT_OLD_DES3; - } else { - ctx->more_flags &= ~COMPAT_OLD_DES3; - } - ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; - - return 0; -} diff --git a/crypto/heimdal/lib/gssapi/context_time.c b/crypto/heimdal/lib/gssapi/context_time.c deleted file mode 100644 index daeb25f26d00..000000000000 --- a/crypto/heimdal/lib/gssapi/context_time.c +++ /dev/null 
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: context_time.c,v 1.7.2.1 2003/08/15 14:25:50 lha Exp $"); - -OM_uint32 -gssapi_lifetime_left(OM_uint32 *minor_status, - OM_uint32 lifetime, - OM_uint32 *lifetime_rec) -{ - krb5_timestamp timeret; - krb5_error_code kret; - - kret = krb5_timeofday(gssapi_krb5_context, &timeret); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } - - if (lifetime < timeret) - *lifetime_rec = 0; - else - *lifetime_rec = lifetime - timeret; - - return GSS_S_COMPLETE; -} - - -OM_uint32 gss_context_time - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - OM_uint32 * time_rec - ) -{ - OM_uint32 lifetime; - OM_uint32 major_status; - - GSSAPI_KRB5_INIT (); - - lifetime = context_handle->lifetime; - - major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec); - if (major_status != GSS_S_COMPLETE) - return major_status; - - *minor_status = 0; - - if (*time_rec == 0) - return GSS_S_CONTEXT_EXPIRED; - - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c b/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c deleted file mode 100644 index 1a25e0d7815e..000000000000 --- a/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c +++ /dev/null 
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: create_emtpy_oid_set.c,v 1.5 2003/03/16 17:47:07 lha Exp $");
-
-OM_uint32 gss_create_empty_oid_set (
- OM_uint32 * minor_status,
- gss_OID_set * oid_set
- )
-{
- *oid_set = malloc(sizeof(**oid_set));
- if (*oid_set == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- (*oid_set)->count = 0;
- (*oid_set)->elements = NULL;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/decapsulate.c b/crypto/heimdal/lib/gssapi/decapsulate.c
deleted file mode 100644
index 242545352880..000000000000
--- a/crypto/heimdal/lib/gssapi/decapsulate.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: decapsulate.c,v 1.7.6.1 2003/09/18 22:00:41 lha Exp $"); - -OM_uint32 -gssapi_krb5_verify_header(u_char **str, - size_t total_len, - char *type) -{ - size_t len, len_len, mech_len, foo; - int e; - u_char *p = *str; - - if (total_len < 1) - return GSS_S_DEFECTIVE_TOKEN; - if (*p++ != 0x60) - return GSS_S_DEFECTIVE_TOKEN; - e = der_get_length (p, total_len - 1, &len, &len_len); - if (e || 1 + len_len + len != total_len) - return GSS_S_DEFECTIVE_TOKEN; - p += len_len; - if (*p++ != 0x06) - return GSS_S_DEFECTIVE_TOKEN; - e = der_get_length (p, total_len - 1 - len_len - 1, - &mech_len, &foo); - if (e) - return GSS_S_DEFECTIVE_TOKEN; - p += foo; - if (mech_len != GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_MECH; - if (memcmp(p, - GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length) != 0) - return GSS_S_BAD_MECH; - p += mech_len; - if (memcmp (p, type, 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - *str = p; - return GSS_S_COMPLETE; -} - -static ssize_t -gssapi_krb5_get_mech (const u_char *ptr, - size_t total_len, - const u_char **mech_ret) -{ - size_t len, len_len, mech_len, foo; - const u_char *p = ptr; - int e; - - if (total_len < 1) - return -1; - if (*p++ != 0x60) - return -1; - e = der_get_length (p, total_len - 1, &len, &len_len); - if (e || 1 + len_len + len != total_len) - return -1; - p += len_len; - if (*p++ != 0x06) - return -1; - e = der_get_length (p, total_len - 1 - len_len - 1, - &mech_len, &foo); - if (e) - return -1; - p += foo; - *mech_ret = p; - return mech_len; -} - -OM_uint32 -_gssapi_verify_mech_header(u_char **str, - size_t total_len) -{ - const u_char *p; - ssize_t mech_len; - - mech_len = gssapi_krb5_get_mech (*str, total_len, &p); - if (mech_len < 0) - return GSS_S_DEFECTIVE_TOKEN; - - if (mech_len != GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_MECH; - if (memcmp(p, - GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length) != 0) - return GSS_S_BAD_MECH; - p += mech_len; - 
*str = (char *)p; - return GSS_S_COMPLETE; -} - -/* - * Remove the GSS-API wrapping from `in_token' giving `out_data. - * Does not copy data, so just free `in_token'. - */ - -OM_uint32 -gssapi_krb5_decapsulate( - OM_uint32 *minor_status, - gss_buffer_t input_token_buffer, - krb5_data *out_data, - char *type -) -{ - u_char *p; - OM_uint32 ret; - - p = input_token_buffer->value; - ret = gssapi_krb5_verify_header(&p, - input_token_buffer->length, - type); - if (ret) { - *minor_status = 0; - return ret; - } - - out_data->length = input_token_buffer->length - - (p - (u_char *)input_token_buffer->value); - out_data->data = p; - return GSS_S_COMPLETE; -} - -/* - * Verify padding of a gss wrapped message and return its length. - */ - -OM_uint32 -_gssapi_verify_pad(gss_buffer_t wrapped_token, - size_t datalen, - size_t *padlen) -{ - u_char *pad; - size_t padlength; - int i; - - pad = (u_char *)wrapped_token->value + wrapped_token->length - 1; - padlength = *pad; - - if (padlength > datalen) - return GSS_S_BAD_MECH; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - *padlen = padlength; - - return 0; -} diff --git a/crypto/heimdal/lib/gssapi/delete_sec_context.c b/crypto/heimdal/lib/gssapi/delete_sec_context.c deleted file mode 100644 index 2df1f39749c8..000000000000 --- a/crypto/heimdal/lib/gssapi/delete_sec_context.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: delete_sec_context.c,v 1.11 2003/03/16 17:46:40 lha Exp $");
-
-OM_uint32 gss_delete_sec_context
- (OM_uint32 * minor_status,
- gss_ctx_id_t * context_handle,
- gss_buffer_t output_token
- )
-{
- GSSAPI_KRB5_INIT ();
-
- if (output_token) {
- output_token->length = 0;
- output_token->value = NULL;
- }
-
- krb5_auth_con_free (gssapi_krb5_context,
- (*context_handle)->auth_context);
- if((*context_handle)->source)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->source);
- if((*context_handle)->target)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->target);
- if ((*context_handle)->ticket) {
- krb5_free_ticket (gssapi_krb5_context,
- (*context_handle)->ticket);
- free((*context_handle)->ticket);
- }
-
- free (*context_handle);
- *context_handle = GSS_C_NO_CONTEXT;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/display_name.c b/crypto/heimdal/lib/gssapi/display_name.c
deleted file mode 100644
index 27a232fd3cf6..000000000000
--- a/crypto/heimdal/lib/gssapi/display_name.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: display_name.c,v 1.9 2003/03/16 17:46:11 lha Exp $");
-
-OM_uint32 gss_display_name
- (OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_buffer_t output_name_buffer,
- gss_OID * output_name_type
- )
-{
- krb5_error_code kret;
- char *buf;
- size_t len;
-
- GSSAPI_KRB5_INIT ();
- kret = krb5_unparse_name (gssapi_krb5_context,
- input_name,
- &buf);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
- len = strlen (buf);
- output_name_buffer->length = len;
- output_name_buffer->value = malloc(len + 1);
- if (output_name_buffer->value == NULL) {
- free (buf);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy (output_name_buffer->value, buf, len);
- ((char *)output_name_buffer->value)[len] = '\0';
- free (buf);
- if (output_name_type)
- *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/display_status.c b/crypto/heimdal/lib/gssapi/display_status.c
deleted file mode 100644
index d266fa46bf93..000000000000
--- a/crypto/heimdal/lib/gssapi/display_status.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: display_status.c,v 1.9 2003/03/16 17:45:36 lha Exp $"); - -static char *krb5_error_string; - -static char * -calling_error(OM_uint32 v) -{ - static char *msgs[] = { - NULL, /* 0 */ - "A required input parameter could not be read.", /* */ - "A required output parameter could not be written.", /* */ - "A parameter was malformed" - }; - - v >>= GSS_C_CALLING_ERROR_OFFSET; - - if (v == 0) - return ""; - else if (v >= sizeof(msgs)/sizeof(*msgs)) - return "unknown calling error"; - else - return msgs[v]; -} - -static char * -routine_error(OM_uint32 v) -{ - static char *msgs[] = { - NULL, /* 0 */ - "An unsupported mechanism was requested", - "An invalid name was supplied", - "A supplied name was of an unsupported type", - "Incorrect channel bindings were supplied", - "An invalid status code was supplied", - "A token had an invalid MIC", - "No credentials were supplied, " - "or the credentials were unavailable or inaccessible.", - "No context has been established", - "A token was invalid", - "A credential was invalid", - "The referenced credentials have expired", - "The context has expired", - "Miscellaneous failure (see text)", - "The quality-of-protection requested could not be provide", - "The operation is forbidden by local security policy", - "The operation or option is not available", - "The requested credential element already exists", - "The provided name was not a mechanism name.", - }; - - v >>= GSS_C_ROUTINE_ERROR_OFFSET; - - if (v == 0) - return ""; - else if (v >= sizeof(msgs)/sizeof(*msgs)) - return "unknown routine error"; - else - return msgs[v]; -} - -static char * -supplementary_error(OM_uint32 v) -{ - static char *msgs[] = { - "normal completion", - "continuation call to routine required", - "duplicate per-message token detected", - "timed-out per-message token detected", - "reordered (early) per-message token detected", - "skipped predecessor token(s) detected" - }; - - v >>= GSS_C_SUPPLEMENTARY_OFFSET; - 
- if (v >= sizeof(msgs)/sizeof(*msgs)) - return "unknown routine error"; - else - return msgs[v]; -} - -void -gssapi_krb5_set_error_string (void) -{ - krb5_error_string = krb5_get_error_string(gssapi_krb5_context); -} - -char * -gssapi_krb5_get_error_string (void) -{ - char *ret = krb5_error_string; - krb5_error_string = NULL; - return ret; -} - -OM_uint32 gss_display_status - (OM_uint32 *minor_status, - OM_uint32 status_value, - int status_type, - const gss_OID mech_type, - OM_uint32 *message_context, - gss_buffer_t status_string) -{ - char *buf; - - GSSAPI_KRB5_INIT (); - - status_string->length = 0; - status_string->value = NULL; - - if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 && - gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) { - *minor_status = 0; - return GSS_C_GSS_CODE; - } - - if (status_type == GSS_C_GSS_CODE) { - if (GSS_SUPPLEMENTARY_INFO(status_value)) - asprintf(&buf, "%s", - supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value))); - else - asprintf (&buf, "%s %s", - calling_error(GSS_CALLING_ERROR(status_value)), - routine_error(GSS_ROUTINE_ERROR(status_value))); - } else if (status_type == GSS_C_MECH_CODE) { - buf = gssapi_krb5_get_error_string (); - if (buf == NULL) { - const char *tmp = krb5_get_err_text (gssapi_krb5_context, - status_value); - if (tmp == NULL) - asprintf(&buf, "unknown mech error-code %u", - (unsigned)status_value); - else - buf = strdup(tmp); - } - } else { - *minor_status = EINVAL; - return GSS_S_BAD_STATUS; - } - - if (buf == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - *message_context = 0; - *minor_status = 0; - - status_string->length = strlen(buf); - status_string->value = buf; - - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/duplicate_name.c b/crypto/heimdal/lib/gssapi/duplicate_name.c deleted file mode 100644 index 2b54e90ec89d..000000000000 --- a/crypto/heimdal/lib/gssapi/duplicate_name.c +++ /dev/null 
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: duplicate_name.c,v 1.7 2003/03/16 17:44:26 lha Exp $");
-
-OM_uint32 gss_duplicate_name (
- OM_uint32 * minor_status,
- const gss_name_t src_name,
- gss_name_t * dest_name
- )
-{
- krb5_error_code kret;
-
- GSSAPI_KRB5_INIT ();
-
- kret = krb5_copy_principal (gssapi_krb5_context,
- src_name,
- dest_name);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- } else {
- *minor_status = 0;
- return GSS_S_COMPLETE;
- }
-}
diff --git a/crypto/heimdal/lib/gssapi/encapsulate.c b/crypto/heimdal/lib/gssapi/encapsulate.c
deleted file mode 100644
index f3cd1e49f42b..000000000000
--- a/crypto/heimdal/lib/gssapi/encapsulate.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: encapsulate.c,v 1.6.6.1 2003/09/18 21:47:44 lha Exp $");
-
-void
-gssapi_krb5_encap_length (size_t data_len,
- size_t *len,
- size_t *total_len)
-{
- size_t len_len;
-
- *len = 1 + 1 + GSS_KRB5_MECHANISM->length + 2 + data_len;
-
- len_len = length_len(*len);
-
- *total_len = 1 + len_len + *len;
-}
-
-u_char *
-gssapi_krb5_make_header (u_char *p,
- size_t len,
- u_char *type)
-{
- int e;
- size_t len_len, foo;
-
- *p++ = 0x60;
- len_len = length_len(len);
- e = der_put_length (p + len_len - 1, len_len, len, &foo);
- if(e || foo != len_len)
- abort ();
- p += len_len;
- *p++ = 0x06;
- *p++ = GSS_KRB5_MECHANISM->length;
- memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
- p += GSS_KRB5_MECHANISM->length;
- memcpy (p, type, 2);
- p += 2;
- return p;
-}
-
-u_char *
-_gssapi_make_mech_header(u_char *p,
- size_t len)
-{
- int e;
- size_t len_len, foo;
-
- *p++ = 0x60;
- len_len = length_len(len);
- e = der_put_length (p + len_len - 1, len_len, len, &foo);
- if(e || foo != len_len)
- abort ();
- p += len_len;
- *p++ = 0x06;
- *p++ = GSS_KRB5_MECHANISM->length;
- memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
- p += GSS_KRB5_MECHANISM->length;
- return p;
-}
-
-/*
- * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
- */
-
-OM_uint32
-gssapi_krb5_encapsulate(
- OM_uint32 *minor_status,
- const krb5_data *in_data,
- gss_buffer_t output_token,
- u_char *type
-)
-{
- size_t len, outer_len;
- u_char *p;
-
- gssapi_krb5_encap_length (in_data->length, &len, &outer_len);
-
- output_token->length = outer_len;
- output_token->value = malloc (outer_len);
- if (output_token->value == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- p = gssapi_krb5_make_header (output_token->value, len, type);
- memcpy (p, in_data->data, in_data->length);
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/export_name.c b/crypto/heimdal/lib/gssapi/export_name.c
deleted file mode 100644
index c5fcbd4fd0cf..000000000000
--- a/crypto/heimdal/lib/gssapi/export_name.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: export_name.c,v 1.5 2003/03/16 17:34:46 lha Exp $");
-
-OM_uint32 gss_export_name
- (OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_buffer_t exported_name
- )
-{
- krb5_error_code kret;
- char *buf, *name;
- size_t len;
-
- GSSAPI_KRB5_INIT ();
- kret = krb5_unparse_name (gssapi_krb5_context,
- input_name,
- &name);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
- len = strlen (name);
-
- exported_name->length = 10 + len + GSS_KRB5_MECHANISM->length;
- exported_name->value = malloc(exported_name->length);
- if (exported_name->value == NULL) {
- free (name);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */
-
- buf = exported_name->value;
- memcpy(buf, "\x04\x01", 2);
- buf += 2;
- buf[0] = ((GSS_KRB5_MECHANISM->length + 2) >> 8) & 0xff;
- buf[1] = (GSS_KRB5_MECHANISM->length + 2) & 0xff;
- buf+= 2;
- buf[0] = 0x06;
- buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF;
- buf+= 2;
-
- memcpy(buf, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
- buf += GSS_KRB5_MECHANISM->length;
-
- buf[0] = (len >> 24) & 0xff;
- buf[1] = (len >> 16) & 0xff;
- buf[2] = (len >> 8) & 0xff;
- buf[3] = (len) & 0xff;
- buf += 4;
-
- memcpy (buf, name, len);
-
- free (name);
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/export_sec_context.c b/crypto/heimdal/lib/gssapi/export_sec_context.c
deleted file mode 100644
index c7e626524282..000000000000
--- a/crypto/heimdal/lib/gssapi/export_sec_context.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: export_sec_context.c,v 1.6 2003/03/16 18:02:52 lha Exp $");
-
-OM_uint32
-gss_export_sec_context (
- OM_uint32 * minor_status,
- gss_ctx_id_t * context_handle,
- gss_buffer_t interprocess_token
- )
-{
- krb5_storage *sp;
- krb5_auth_context ac;
- OM_uint32 ret = GSS_S_COMPLETE;
- krb5_data data;
- gss_buffer_desc buffer;
- int flags;
- OM_uint32 minor;
- krb5_error_code kret;
-
- GSSAPI_KRB5_INIT ();
- if (!((*context_handle)->flags & GSS_C_TRANS_FLAG)) {
- *minor_status = 0;
- return GSS_S_UNAVAILABLE;
- }
-
- sp = krb5_storage_emem ();
- if (sp == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- ac = (*context_handle)->auth_context;
-
- /* flagging included fields */
-
- flags = 0;
- if (ac->local_address)
- flags |= SC_LOCAL_ADDRESS;
- if (ac->remote_address)
- flags |= SC_REMOTE_ADDRESS;
- if (ac->keyblock)
- flags |= SC_KEYBLOCK;
- if (ac->local_subkey)
- flags |= SC_LOCAL_SUBKEY;
- if (ac->remote_subkey)
- flags |= SC_REMOTE_SUBKEY;
-
- kret = krb5_store_int32 (sp, flags);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
-
- /* marshall auth context */
-
- kret = krb5_store_int32 (sp, ac->flags);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- if (ac->local_address) {
- kret = krb5_store_address (sp, *ac->local_address);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- }
- if (ac->remote_address) {
- kret = krb5_store_address (sp, *ac->remote_address);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- }
- kret = krb5_store_int16 (sp, ac->local_port);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- kret = krb5_store_int16 (sp, ac->remote_port);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- if (ac->keyblock) {
- kret = krb5_store_keyblock (sp, *ac->keyblock);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- }
- if (ac->local_subkey) {
- kret = krb5_store_keyblock (sp, *ac->local_subkey);
- if (kret) {
- *minor_status =
kret;
- goto failure;
- }
- }
- if (ac->remote_subkey) {
- kret = krb5_store_keyblock (sp, *ac->remote_subkey);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- }
- kret = krb5_store_int32 (sp, ac->local_seqnumber);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- kret = krb5_store_int32 (sp, ac->remote_seqnumber);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
-
- kret = krb5_store_int32 (sp, ac->keytype);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- kret = krb5_store_int32 (sp, ac->cksumtype);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
-
- /* names */
-
- ret = gss_export_name (minor_status, (*context_handle)->source, &buffer);
- if (ret)
- goto failure;
- data.data = buffer.value;
- data.length = buffer.length;
- kret = krb5_store_data (sp, data);
- gss_release_buffer (&minor, &buffer);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
-
- ret = gss_export_name (minor_status, (*context_handle)->target, &buffer);
- if (ret)
- goto failure;
- data.data = buffer.value;
- data.length = buffer.length;
-
- ret = GSS_S_FAILURE;
-
- kret = krb5_store_data (sp, data);
- gss_release_buffer (&minor, &buffer);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
-
- kret = krb5_store_int32 (sp, (*context_handle)->flags);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- kret = krb5_store_int32 (sp, (*context_handle)->more_flags);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- kret = krb5_store_int32 (sp, (*context_handle)->lifetime);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
-
- kret = krb5_storage_to_data (sp, &data);
- krb5_storage_free (sp);
- if (kret) {
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
- interprocess_token->length = data.length;
- interprocess_token->value = data.data;
- ret = gss_delete_sec_context (minor_status, context_handle,
- GSS_C_NO_BUFFER);
- if (ret != GSS_S_COMPLETE)
- gss_release_buffer (NULL, interprocess_token);
-
*minor_status = 0;
- return ret;
- failure:
- krb5_storage_free (sp);
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/external.c b/crypto/heimdal/lib/gssapi/external.c
deleted file mode 100644
index dca35ea94318..000000000000
--- a/crypto/heimdal/lib/gssapi/external.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: external.c,v 1.5 2000/07/22 03:45:28 assar Exp $");
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x01"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
- * GSS_C_NT_USER_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_user_name_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- "\x01\x02\x01\x01"};
-
-gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
- * The constant GSS_C_NT_MACHINE_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- "\x01\x02\x01\x02"};
-
-gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x03"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
- * The constant GSS_C_NT_STRING_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_string_uid_name_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- "\x01\x02\x01\x03"};
-
-gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) org(3) dod(6) internet(1) security(5)
- * nametypes(6) gss-host-based-services(2)). The constant
- * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
- * to that gss_OID_desc. This is a deprecated OID value, and
- * implementations wishing to support hostbased-service names
- * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
- * defined below, to identify such names;
- * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
- * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
- * parameter, but should not be emitted by GSS-API
- * implementations
- */
-
-static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc =
-{6, (void *)"\x2b\x06\x01\x05\x06\x02"};
-
-gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- * "\x01\x02\x01\x04"}, corresponding to an
- * object-identifier value of {iso(1) member-body(2)
- * Unites States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) service_name(4)}. The constant
- * GSS_C_NT_HOSTBASED_SERVICE should be initialized
- * to point to that gss_OID_desc.
- */
-static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04"};
-
-gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
- * corresponding to an object identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 3(gss-anonymous-name)}. The constant
- * and GSS_C_NT_ANONYMOUS should be initialized to point
- * to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_anonymous_oid_desc =
-{6, (void *)"\x2b\x06\01\x05\x06\x03"};
-
-gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
- * corresponding to an object-identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 4(gss-api-exported-name)}. The constant
- * GSS_C_NT_EXPORT_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-
-static gss_OID_desc gss_c_nt_export_name_oid_desc =
-{6, (void *)"\x2b\x06\x01\x05\x06\x04"};
-
-gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
-
-/*
- * This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * krb5(2) krb5_name(1)}. The recommended symbolic name for this type
- * is "GSS_KRB5_NT_PRINCIPAL_NAME".
- */
-
-static gss_OID_desc gss_krb5_nt_principal_name_oid_desc =
-{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"};
-
-gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
-
-/*
- * This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) user_name(1).
The recommended symbolic name for this
- * type is "GSS_KRB5_NT_USER_NAME".
- */
-
-gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
-
-/*
- * This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) machine_uid_name(2)}. The recommended symbolic name for
- * this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
- */
-
-gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
-
-/*
- * This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) string_uid_name(3)}. The recommended symbolic name for
- * this type is "GSS_KRB5_NT_STRING_UID_NAME".
- */
-
-gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
-
-/*
- * To support ongoing experimentation, testing, and evolution of the
- * specification, the Kerberos V5 GSS-API mechanism as defined in this
- * and any successor memos will be identified with the following Object
- * Identifier, as defined in RFC-1510, until the specification is
- * advanced to the level of Proposed Standard RFC:
- *
- * {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)}
- *
- * Upon advancement to the level of Proposed Standard RFC, the Kerberos
- * V5 GSS-API mechanism will be identified by an Object Identifier
- * having the value:
- *
- * {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
- * gssapi(2) krb5(2)}
- */
-
-#if 0 /* This is the old OID */
-
-static gss_OID_desc gss_krb5_mechanism_oid_desc =
-{5, (void *)"\x2b\x05\x01\x05\x02"};
-
-#endif
-
-static gss_OID_desc gss_krb5_mechanism_oid_desc =
-{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
-
-gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
-
-/*
- * Context for krb5 calls.
- */
-
-krb5_context gssapi_krb5_context;
diff --git a/crypto/heimdal/lib/gssapi/get_mic.c b/crypto/heimdal/lib/gssapi/get_mic.c
deleted file mode 100644
index 7f5b37e02572..000000000000
--- a/crypto/heimdal/lib/gssapi/get_mic.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: get_mic.c,v 1.21.2.1 2003/09/18 22:05:12 lha Exp $");
-
-static OM_uint32
-mic_des
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- gss_qop_t qop_req,
- const gss_buffer_t message_buffer,
- gss_buffer_t message_token,
- krb5_keyblock *key
- )
-{
- u_char *p;
- MD5_CTX md5;
- u_char hash[16];
- des_key_schedule schedule;
- des_cblock deskey;
- des_cblock zero;
- int32_t seq_number;
- size_t len, total_len;
-
- gssapi_krb5_encap_length (22, &len, &total_len);
-
- message_token->length = total_len;
- message_token->value = malloc (total_len);
- if (message_token->value == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- p = gssapi_krb5_make_header(message_token->value,
- len,
- "\x01\x01"); /* TOK_ID */
-
- memcpy (p, "\x00\x00", 2); /* SGN_ALG = DES MAC MD5 */
- p += 2;
-
- memcpy (p, "\xff\xff\xff\xff", 4); /* Filler */
- p += 4;
-
- /* Fill in later (SND-SEQ) */
- memset (p, 0, 16);
- p += 16;
-
- /* checksum */
- MD5_Init (&md5);
- MD5_Update (&md5, p - 24, 8);
- MD5_Update (&md5, message_buffer->value, message_buffer->length);
- MD5_Final (hash, &md5);
-
- memset (&zero, 0, sizeof(zero));
- memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
- des_set_key (&deskey, schedule);
- des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
- schedule, &zero);
- memcpy (p - 8, hash, 8); /* SGN_CKSUM */
-
- /* sequence number */
- krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
- context_handle->auth_context,
- &seq_number);
-
- p -= 16; /* SND_SEQ */
- p[0] = (seq_number >> 0) & 0xFF;
- p[1] = (seq_number >> 8) & 0xFF;
- p[2] = (seq_number >> 16) & 0xFF;
- p[3] = (seq_number >> 24) & 0xFF;
- memset (p + 4,
- (context_handle->more_flags & LOCAL) ?
0 : 0xFF,
- 4);
-
- des_set_key (&deskey, schedule);
- des_cbc_encrypt ((void *)p, (void *)p, 8,
- schedule, (des_cblock *)(p + 8), DES_ENCRYPT);
-
- krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
- context_handle->auth_context,
- ++seq_number);
-
- memset (deskey, 0, sizeof(deskey));
- memset (schedule, 0, sizeof(schedule));
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-mic_des3
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- gss_qop_t qop_req,
- const gss_buffer_t message_buffer,
- gss_buffer_t message_token,
- krb5_keyblock *key
- )
-{
- u_char *p;
- Checksum cksum;
- u_char seq[8];
-
- int32_t seq_number;
- size_t len, total_len;
-
- krb5_crypto crypto;
- krb5_error_code kret;
- krb5_data encdata;
- char *tmp;
- char ivec[8];
-
- gssapi_krb5_encap_length (36, &len, &total_len);
-
- message_token->length = total_len;
- message_token->value = malloc (total_len);
- if (message_token->value == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- p = gssapi_krb5_make_header(message_token->value,
- len,
- "\x01\x01"); /* TOK-ID */
-
- memcpy (p, "\x04\x00", 2); /* SGN_ALG = HMAC SHA1 DES3-KD */
- p += 2;
-
- memcpy (p, "\xff\xff\xff\xff", 4); /* filler */
- p += 4;
-
- /* this should be done in parts */
-
- tmp = malloc (message_buffer->length + 8);
- if (tmp == NULL) {
- free (message_token->value);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy (tmp, p - 8, 8);
- memcpy (tmp + 8, message_buffer->value, message_buffer->length);
-
- kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
- if (kret) {
- free (message_token->value);
- free (tmp);
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
-
- kret = krb5_create_checksum (gssapi_krb5_context,
- crypto,
- KRB5_KU_USAGE_SIGN,
- 0,
- tmp,
- message_buffer->length + 8,
- &cksum);
- free (tmp);
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
- if (kret) {
- free (message_token->value);
-
gssapi_krb5_set_error_string ();
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
-
- memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
-
- /* sequence number */
- krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
- context_handle->auth_context,
- &seq_number);
-
- seq[0] = (seq_number >> 0) & 0xFF;
- seq[1] = (seq_number >> 8) & 0xFF;
- seq[2] = (seq_number >> 16) & 0xFF;
- seq[3] = (seq_number >> 24) & 0xFF;
- memset (seq + 4,
- (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
- 4);
-
- kret = krb5_crypto_init(gssapi_krb5_context, key,
- ETYPE_DES3_CBC_NONE, &crypto);
- if (kret) {
- free (message_token->value);
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
-
- if (context_handle->more_flags & COMPAT_OLD_DES3)
- memset(ivec, 0, 8);
- else
- memcpy(ivec, p + 8, 8);
-
- kret = krb5_encrypt_ivec (gssapi_krb5_context,
- crypto,
- KRB5_KU_USAGE_SEQ,
- seq, 8, &encdata, ivec);
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
- if (kret) {
- free (message_token->value);
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
-
- assert (encdata.length == 8);
-
- memcpy (p, encdata.data, encdata.length);
- krb5_data_free (&encdata);
-
- krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
- context_handle->auth_context,
- ++seq_number);
-
- free_Checksum (&cksum);
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
-
-OM_uint32 gss_get_mic
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- gss_qop_t qop_req,
- const gss_buffer_t message_buffer,
- gss_buffer_t message_token
- )
-{
- krb5_keyblock *key;
- OM_uint32 ret;
- krb5_keytype keytype;
-
- ret = gss_krb5_get_localkey(context_handle, &key);
- if (ret) {
- gssapi_krb5_set_error_string ();
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
- krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
-
- switch (keytype) {
- case KEYTYPE_DES :
- ret = mic_des (minor_status, context_handle, qop_req,
-
message_buffer, message_token, key);
- break;
- case KEYTYPE_DES3 :
- ret = mic_des3 (minor_status, context_handle, qop_req,
- message_buffer, message_token, key);
- break;
- case KEYTYPE_ARCFOUR:
- ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req,
- message_buffer, message_token, key);
- break;
- default :
- *minor_status = KRB5_PROG_ETYPE_NOSUPP;
- ret = GSS_S_FAILURE;
- break;
- }
- krb5_free_keyblock (gssapi_krb5_context, key);
- return ret;
-}
diff --git a/crypto/heimdal/lib/gssapi/gssapi_locl.h b/crypto/heimdal/lib/gssapi/gssapi_locl.h
deleted file mode 100644
index 5b2274fc9add..000000000000
--- a/crypto/heimdal/lib/gssapi/gssapi_locl.h
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: gssapi_locl.h,v 1.24.2.5 2003/09/18 22:01:52 lha Exp $ */
-/* $FreeBSD$ */
-
-#ifndef GSSAPI_LOCL_H
-#define GSSAPI_LOCL_H
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include "gssapi.h"
-#include
-
-#include "arcfour.h"
-
-extern krb5_context gssapi_krb5_context;
-
-extern krb5_keytab gssapi_krb5_keytab;
-
-krb5_error_code gssapi_krb5_init (void);
-
-#define GSSAPI_KRB5_INIT() do { \
- krb5_error_code kret; \
- if((kret = gssapi_krb5_init ()) != 0) { \
- *minor_status = kret; \
- return GSS_S_FAILURE; \
- } \
-} while (0)
-
-OM_uint32
-gssapi_krb5_create_8003_checksum (
- OM_uint32 *minor_status,
- const gss_channel_bindings_t input_chan_bindings,
- OM_uint32 flags,
- const krb5_data *fwd_data,
- Checksum *result);
-
-OM_uint32
-gssapi_krb5_verify_8003_checksum (
- OM_uint32 *minor_status,
- const gss_channel_bindings_t input_chan_bindings,
- const Checksum *cksum,
- OM_uint32 *flags,
- krb5_data *fwd_data);
-
-OM_uint32
-gssapi_krb5_encapsulate(
- OM_uint32 *minor_status,
- const krb5_data *in_data,
- gss_buffer_t output_token,
- u_char *type);
-
-u_char *
-_gssapi_make_mech_header(u_char *p,
- size_t len);
-
-OM_uint32
-gssapi_krb5_decapsulate(
- OM_uint32 *minor_status,
- gss_buffer_t input_token_buffer,
- krb5_data *out_data,
- char *type);
-
-void
-gssapi_krb5_encap_length (size_t data_len,
- size_t *len,
- size_t *total_len);
-
-u_char *
-gssapi_krb5_make_header (u_char *p,
- size_t len,
- u_char *type);
-
-OM_uint32
-gssapi_krb5_verify_header(u_char **str,
- size_t total_len,
- char *type);
-
-
-OM_uint32
-_gssapi_verify_mech_header(u_char **str,
- size_t total_len);
-
-OM_uint32
-_gssapi_verify_pad(gss_buffer_t, size_t, size_t *);
-
-OM_uint32
-gss_verify_mic_internal(OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t * qop_state,
- char * type);
-
-OM_uint32
-gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
-
-OM_uint32
-gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
-
-krb5_error_code
-gss_address_to_krb5addr(OM_uint32 gss_addr_type,
- gss_buffer_desc *gss_addr,
- int16_t port,
- krb5_address *address);
-
-/* sec_context flags */
-
-#define SC_LOCAL_ADDRESS 0x01
-#define SC_REMOTE_ADDRESS 0x02
-#define SC_KEYBLOCK 0x04
-#define SC_LOCAL_SUBKEY 0x08
-#define SC_REMOTE_SUBKEY 0x10
-
-int
-gss_oid_equal(const gss_OID a, const gss_OID b);
-
-void
-gssapi_krb5_set_error_string (void);
-
-char *
-gssapi_krb5_get_error_string (void);
-
-OM_uint32
-_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx);
-
-OM_uint32
-gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *);
-
-/* 8003 */
-
-krb5_error_code
-gssapi_encode_om_uint32(OM_uint32, u_char *);
-
-krb5_error_code
-gssapi_encode_be_om_uint32(OM_uint32, u_char *);
-
-krb5_error_code
-gssapi_decode_om_uint32(u_char *, OM_uint32 *);
-
-krb5_error_code
-gssapi_decode_be_om_uint32(u_char *, OM_uint32 *);
-
-#endif
diff --git a/crypto/heimdal/lib/gssapi/import_name.c b/crypto/heimdal/lib/gssapi/import_name.c
deleted file mode 100644
index 423e75714664..000000000000
--- a/crypto/heimdal/lib/gssapi/import_name.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: import_name.c,v 1.13 2003/03/16 17:33:31 lha Exp $"); - -static OM_uint32 -parse_krb5_name (OM_uint32 *minor_status, - const char *name, - gss_name_t *output_name) -{ - krb5_error_code kerr; - - kerr = krb5_parse_name (gssapi_krb5_context, name, output_name); - - if (kerr == 0) - return GSS_S_COMPLETE; - else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_BAD_NAME; - } else { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_FAILURE; - } -} - -static OM_uint32 -import_krb5_name (OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - OM_uint32 ret; - char *tmp; - - tmp = malloc (input_name_buffer->length + 1); - if (tmp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, - input_name_buffer->value, - input_name_buffer->length); - tmp[input_name_buffer->length] = '\0'; - - ret = parse_krb5_name(minor_status, tmp, output_name); - free(tmp); - - return ret; -} - -static OM_uint32 -import_hostbased_name (OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - krb5_error_code kerr; - char *tmp; - char *p; - char *host; - char local_hostname[MAXHOSTNAMELEN]; - - *output_name = NULL; - - tmp = malloc (input_name_buffer->length + 1); - if (tmp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, - input_name_buffer->value, - input_name_buffer->length); - tmp[input_name_buffer->length] = '\0'; - - p = strchr (tmp, '@'); - if (p != NULL) { - *p = '\0'; - host = p + 1; - } else { - if (gethostname(local_hostname, sizeof(local_hostname)) < 0) { - *minor_status = errno; - free (tmp); - return GSS_S_FAILURE; - } - host = local_hostname; - } - - kerr = krb5_sname_to_principal (gssapi_krb5_context, - host, - tmp, - KRB5_NT_SRV_HST, - output_name); - free (tmp); - *minor_status = kerr; 
- if (kerr == 0) - return GSS_S_COMPLETE; - else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_BAD_NAME; - } else { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_FAILURE; - } -} - -static OM_uint32 -import_export_name (OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - unsigned char *p; - uint32_t length; - OM_uint32 ret; - char *name; - - if (input_name_buffer->length < 10 + GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_NAME; - - /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */ - - p = input_name_buffer->value; - - if (memcmp(&p[0], "\x04\x01\x00", 3) != 0 || - p[3] != GSS_KRB5_MECHANISM->length + 2 || - p[4] != 0x06 || - p[5] != GSS_KRB5_MECHANISM->length || - memcmp(&p[6], GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length) != 0) - return GSS_S_BAD_NAME; - - p += 6 + GSS_KRB5_MECHANISM->length; - - length = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; - p += 4; - - if (length > input_name_buffer->length - 10 - GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_NAME; - - name = malloc(length + 1); - if (name == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(name, p, length); - name[length] = '\0'; - - ret = parse_krb5_name(minor_status, name, output_name); - free(name); - - return ret; -} - -int -gss_oid_equal(const gss_OID a, const gss_OID b) -{ - if (a == b) - return 1; - else if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length) - return 0; - else - return memcmp(a->elements, b->elements, a->length) == 0; -} - -OM_uint32 gss_import_name - (OM_uint32 * minor_status, - const gss_buffer_t input_name_buffer, - const gss_OID input_name_type, - gss_name_t * output_name - ) -{ - GSSAPI_KRB5_INIT (); - - *minor_status = 0; - *output_name = GSS_C_NO_NAME; - - if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE)) - return import_hostbased_name 
(minor_status, - input_name_buffer, - output_name); - else if (gss_oid_equal(input_name_type, GSS_C_NO_OID) - || gss_oid_equal(input_name_type, GSS_C_NT_USER_NAME) - || gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) - /* default printable syntax */ - return import_krb5_name (minor_status, - input_name_buffer, - output_name); - else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) { - return import_export_name(minor_status, - input_name_buffer, - output_name); - } else { - *minor_status = 0; - return GSS_S_BAD_NAMETYPE; - } -} diff --git a/crypto/heimdal/lib/gssapi/import_sec_context.c b/crypto/heimdal/lib/gssapi/import_sec_context.c deleted file mode 100644 index 2daa5736ca8d..000000000000 --- a/crypto/heimdal/lib/gssapi/import_sec_context.c +++ /dev/null 
@@ -1,212 +0,0 @@
-/*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: import_sec_context.c,v 1.7 2003/03/16 18:01:32 lha Exp $"); - -OM_uint32 -gss_import_sec_context ( - OM_uint32 * minor_status, - const gss_buffer_t interprocess_token, - gss_ctx_id_t * context_handle - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - krb5_error_code kret; - krb5_storage *sp; - krb5_auth_context ac; - krb5_address local, remote; - krb5_address *localp, *remotep; - krb5_data data; - gss_buffer_desc buffer; - krb5_keyblock keyblock; - int32_t tmp; - int32_t flags; - OM_uint32 minor; - - GSSAPI_KRB5_INIT (); - - localp = remotep = NULL; - - sp = krb5_storage_from_mem (interprocess_token->value, - interprocess_token->length); - if (sp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == NULL) { - *minor_status = ENOMEM; - krb5_storage_free (sp); - return GSS_S_FAILURE; - } - memset (*context_handle, 0, sizeof(**context_handle)); - - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - /* flags */ - - *minor_status = 0; - - if (krb5_ret_int32 (sp, &flags) != 0) - goto failure; - - /* retrieve the auth context */ - - ac = (*context_handle)->auth_context; - krb5_ret_int32 (sp, &ac->flags); - if (flags & SC_LOCAL_ADDRESS) { - if (krb5_ret_address (sp, localp = &local) != 0) - goto failure; - } - - if (flags & SC_REMOTE_ADDRESS) { - if (krb5_ret_address (sp, remotep = &remote) != 0) - goto failure; - } - - krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep); - if (localp) - krb5_free_address (gssapi_krb5_context, localp); - if (remotep) - krb5_free_address (gssapi_krb5_context, remotep); - localp = remotep = NULL; - - if (krb5_ret_int16 (sp, &ac->local_port) != 0) - goto failure; - - if (krb5_ret_int16 (sp, &ac->remote_port) != 0) - goto failure; - if (flags & 
SC_KEYBLOCK) { - if (krb5_ret_keyblock (sp, &keyblock) != 0) - goto failure; - krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock); - krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); - } - if (flags & SC_LOCAL_SUBKEY) { - if (krb5_ret_keyblock (sp, &keyblock) != 0) - goto failure; - krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock); - krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); - } - if (flags & SC_REMOTE_SUBKEY) { - if (krb5_ret_keyblock (sp, &keyblock) != 0) - goto failure; - krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock); - krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); - } - if (krb5_ret_int32 (sp, &ac->local_seqnumber)) - goto failure; - if (krb5_ret_int32 (sp, &ac->remote_seqnumber)) - goto failure; - - if (krb5_ret_int32 (sp, &tmp) != 0) - goto failure; - ac->keytype = tmp; - if (krb5_ret_int32 (sp, &tmp) != 0) - goto failure; - ac->cksumtype = tmp; - - /* names */ - - if (krb5_ret_data (sp, &data)) - goto failure; - buffer.value = data.data; - buffer.length = data.length; - - ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, - &(*context_handle)->source); - if (ret) { - ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, - &(*context_handle)->source); - if (ret) { - krb5_data_free (&data); - goto failure; - } - } - krb5_data_free (&data); - - if (krb5_ret_data (sp, &data) != 0) - goto failure; - buffer.value = data.data; - buffer.length = data.length; - - ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, - &(*context_handle)->target); - if (ret) { - ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, - &(*context_handle)->target); - if (ret) { - krb5_data_free (&data); - goto failure; - } - } - krb5_data_free (&data); - - if (krb5_ret_int32 (sp, &tmp)) - goto failure; - (*context_handle)->flags = tmp; - if (krb5_ret_int32 (sp, &tmp)) - goto failure; - (*context_handle)->more_flags = tmp; - if (krb5_ret_int32 (sp, &tmp) 
== 0) - (*context_handle)->lifetime = tmp; - else - (*context_handle)->lifetime = GSS_C_INDEFINITE; - - return GSS_S_COMPLETE; - -failure: - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if ((*context_handle)->source != NULL) - gss_release_name(&minor, &(*context_handle)->source); - if ((*context_handle)->target != NULL) - gss_release_name(&minor, &(*context_handle)->target); - if (localp) - krb5_free_address (gssapi_krb5_context, localp); - if (remotep) - krb5_free_address (gssapi_krb5_context, remotep); - free (*context_handle); - *context_handle = GSS_C_NO_CONTEXT; - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/indicate_mechs.c b/crypto/heimdal/lib/gssapi/indicate_mechs.c deleted file mode 100644 index 89191bb93514..000000000000 --- a/crypto/heimdal/lib/gssapi/indicate_mechs.c +++ /dev/null 
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: indicate_mechs.c,v 1.5 2003/03/16 17:38:20 lha Exp $");
-
-OM_uint32 gss_indicate_mechs
- (OM_uint32 * minor_status,
- gss_OID_set * mech_set
- )
-{
- OM_uint32 ret;
-
- ret = gss_create_empty_oid_set(minor_status, mech_set);
- if (ret)
- return ret;
-
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, mech_set);
- if (ret)
- return ret;
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/init.c b/crypto/heimdal/lib/gssapi/init.c
deleted file mode 100644
index ddc0d7090a92..000000000000
--- a/crypto/heimdal/lib/gssapi/init.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: init.c,v 1.6 2001/08/13 13:14:07 joda Exp $");
-
-krb5_error_code
-gssapi_krb5_init (void)
-{
- if(gssapi_krb5_context == NULL)
- return krb5_init_context (&gssapi_krb5_context);
- return 0;
-}
diff --git a/crypto/heimdal/lib/gssapi/init_sec_context.c b/crypto/heimdal/lib/gssapi/init_sec_context.c
deleted file mode 100644
index 72286a399fbf..000000000000
--- a/crypto/heimdal/lib/gssapi/init_sec_context.c
+++ /dev/null
@@ -1,578 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: init_sec_context.c,v 1.36.2.1 2003/08/15 14:21:18 lha Exp $"); - -/* - * copy the addresses from `input_chan_bindings' (if any) to - * the auth context `ac' - */ - -static OM_uint32 -set_addresses (krb5_auth_context ac, - const gss_channel_bindings_t input_chan_bindings) -{ - /* Port numbers are expected to be in application_data.value, - * initator's port first */ - - krb5_address initiator_addr, acceptor_addr; - krb5_error_code kret; - - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS - || input_chan_bindings->application_data.length != - 2 * sizeof(ac->local_port)) - return 0; - - memset(&initiator_addr, 0, sizeof(initiator_addr)); - memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - - ac->local_port = - *(int16_t *) input_chan_bindings->application_data.value; - - ac->remote_port = - *((int16_t *) input_chan_bindings->application_data.value + 1); - - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - ac->remote_port, - &acceptor_addr); - if (kret) - return kret; - - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - ac->local_port, - &initiator_addr); - if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - return kret; - } - - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, - ac, - &initiator_addr, /* local address */ - &acceptor_addr); /* remote address */ - - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - -#if 0 - free(input_chan_bindings->application_data.value); - input_chan_bindings->application_data.value = NULL; - input_chan_bindings->application_data.length = 0; -#endif - - return kret; -} - -/* - * handle delegated creds in init-sec-context - */ - -static void -do_delegation (krb5_auth_context ac, - krb5_ccache ccache, - krb5_creds *cred, - const gss_name_t target_name, - 
krb5_data *fwd_data, - int *flags) -{ - krb5_creds creds; - krb5_kdc_flags fwd_flags; - krb5_error_code kret; - - memset (&creds, 0, sizeof(creds)); - krb5_data_zero (fwd_data); - - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client); - if (kret) - goto out; - - kret = krb5_build_principal(gssapi_krb5_context, - &creds.server, - strlen(creds.client->realm), - creds.client->realm, - KRB5_TGS_NAME, - creds.client->realm, - NULL); - if (kret) - goto out; - - creds.times.endtime = 0; - - fwd_flags.i = 0; - fwd_flags.b.forwarded = 1; - fwd_flags.b.forwardable = 1; - - if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/ - target_name->name.name_string.len < 2) - goto out; - - kret = krb5_get_forwarded_creds(gssapi_krb5_context, - ac, - ccache, - fwd_flags.i, - target_name->name.name_string.val[1], - &creds, - fwd_data); - - out: - if (kret) - *flags &= ~GSS_C_DELEG_FLAG; - else - *flags |= GSS_C_DELEG_FLAG; - - if (creds.client) - krb5_free_principal(gssapi_krb5_context, creds.client); - if (creds.server) - krb5_free_principal(gssapi_krb5_context, creds.server); -} - -/* - * first stage of init-sec-context - */ - -static OM_uint32 -init_auth -(OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - krb5_error_code kret; - krb5_flags ap_options; - krb5_creds this_cred, *cred; - krb5_data outbuf; - krb5_ccache ccache; - u_int32_t flags; - Authenticator *auth; - krb5_data authenticator; - Checksum cksum; - krb5_enctype enctype; - krb5_data fwd_data; - OM_uint32 lifetime_rec; - - krb5_data_zero(&outbuf); - krb5_data_zero(&fwd_data); - - *minor_status = 0; - - 
*context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->ticket = NULL; - (*context_handle)->lifetime = GSS_C_INDEFINITE; - - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = set_addresses ((*context_handle)->auth_context, - input_chan_bindings); - if (kret) { - *minor_status = kret; - ret = GSS_S_BAD_BINDINGS; - goto failure; - } - - { - int32_t tmp; - - krb5_auth_con_getflags(gssapi_krb5_context, - (*context_handle)->auth_context, - &tmp); - tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE; - krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - tmp); - } - - if (actual_mech_type) - *actual_mech_type = GSS_KRB5_MECHANISM; - - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { - kret = krb5_cc_default (gssapi_krb5_context, &ccache); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - } else - ccache = initiator_cred_handle->ccache; - - kret = krb5_cc_get_principal (gssapi_krb5_context, - ccache, - &(*context_handle)->source); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - target_name, - &(*context_handle)->target); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) - goto failure; - - - memset(&this_cred, 0, sizeof(this_cred)); - this_cred.client = (*context_handle)->source; - 
this_cred.server = (*context_handle)->target; - if (time_req && time_req != GSS_C_INDEFINITE) { - krb5_timestamp ts; - - krb5_timeofday (gssapi_krb5_context, &ts); - this_cred.times.endtime = ts + time_req; - } else - this_cred.times.endtime = 0; - this_cred.session.keytype = 0; - - kret = krb5_get_credentials (gssapi_krb5_context, - KRB5_TC_MATCH_KEYTYPE, - ccache, - &this_cred, - &cred); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - (*context_handle)->lifetime = cred->times.endtime; - - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - &lifetime_rec); - if (ret) { - goto failure; - } - - if (lifetime_rec == 0) { - *minor_status = 0; - ret = GSS_S_CONTEXT_EXPIRED; - goto failure; - } - - krb5_auth_con_setkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - - kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - if(kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - flags = 0; - ap_options = 0; - if (req_flags & GSS_C_DELEG_FLAG) - do_delegation ((*context_handle)->auth_context, - ccache, cred, target_name, &fwd_data, &flags); - - if (req_flags & GSS_C_MUTUAL_FLAG) { - flags |= GSS_C_MUTUAL_FLAG; - ap_options |= AP_OPTS_MUTUAL_REQUIRED; - } - - if (req_flags & GSS_C_REPLAY_FLAG) - ; /* XXX */ - if (req_flags & GSS_C_SEQUENCE_FLAG) - ; /* XXX */ - if (req_flags & GSS_C_ANON_FLAG) - ; /* XXX */ - flags |= GSS_C_CONF_FLAG; - flags |= GSS_C_INTEG_FLAG; - flags |= GSS_C_SEQUENCE_FLAG; - flags |= GSS_C_TRANS_FLAG; - - if (ret_flags) - *ret_flags = flags; - (*context_handle)->flags = flags; - (*context_handle)->more_flags |= LOCAL; - - ret = gssapi_krb5_create_8003_checksum (minor_status, - input_chan_bindings, - flags, - &fwd_data, - &cksum); - krb5_data_free (&fwd_data); - if (ret) - goto failure; - -#if 1 - enctype = 
(*context_handle)->auth_context->keyblock->keytype; -#else - if ((*context_handle)->auth_context->enctype) - enctype = (*context_handle)->auth_context->enctype; - else { - kret = krb5_keytype_to_enctype(gssapi_krb5_context, - (*context_handle)->auth_context->keyblock->keytype, - &enctype); - if (kret) - return kret; - } -#endif - - kret = krb5_build_authenticator (gssapi_krb5_context, - (*context_handle)->auth_context, - enctype, - cred, - &cksum, - &auth, - &authenticator, - KRB5_KU_AP_REQ_AUTH); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = krb5_build_ap_req (gssapi_krb5_context, - enctype, - cred, - ap_options, - authenticator, - &outbuf); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - ret = gssapi_krb5_encapsulate (minor_status, &outbuf, output_token, - "\x01\x00"); - if (ret) - goto failure; - - krb5_data_free (&outbuf); - - if (flags & GSS_C_MUTUAL_FLAG) { - return GSS_S_CONTINUE_NEEDED; - } else { - if (time_rec) - *time_rec = lifetime_rec; - - (*context_handle)->more_flags |= OPEN; - return GSS_S_COMPLETE; - } - - failure: - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - free (*context_handle); - krb5_data_free (&outbuf); - *context_handle = GSS_C_NO_CONTEXT; - return ret; -} - -static OM_uint32 -repl_mutual - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - 
OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_error_code kret; - krb5_data indata; - krb5_ap_rep_enc_part *repl; - - output_token->length = 0; - output_token->value = NULL; - - if (actual_mech_type) - *actual_mech_type = GSS_KRB5_MECHANISM; - - ret = gssapi_krb5_decapsulate (minor_status, input_token, &indata, - "\x02\x00"); - if (ret) - /* XXX - Handle AP_ERROR */ - return ret; - - kret = krb5_rd_rep (gssapi_krb5_context, - (*context_handle)->auth_context, - &indata, - &repl); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - krb5_free_ap_rep_enc_part (gssapi_krb5_context, - repl); - - (*context_handle)->more_flags |= OPEN; - - *minor_status = 0; - if (time_rec) { - ret = gssapi_lifetime_left(minor_status, - (*context_handle)->lifetime, - time_rec); - } else { - ret = GSS_S_COMPLETE; - } - if (ret_flags) - *ret_flags = (*context_handle)->flags; - - return ret; -} - -/* - * gss_init_sec_context - */ - -OM_uint32 gss_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - GSSAPI_KRB5_INIT (); - - output_token->length = 0; - output_token->value = NULL; - - if (ret_flags) - *ret_flags = 0; - if (time_rec) - *time_rec = 0; - - if (target_name == GSS_C_NO_NAME) { - if (actual_mech_type) - *actual_mech_type = GSS_C_NO_OID; - *minor_status = 0; - return GSS_S_BAD_NAME; - } - - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) - return init_auth (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - 
actual_mech_type, - output_token, - ret_flags, - time_rec); - else - return repl_mutual(minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); -} diff --git a/crypto/heimdal/lib/gssapi/inquire_context.c b/crypto/heimdal/lib/gssapi/inquire_context.c deleted file mode 100644 index 95cd2c576e6b..000000000000 --- a/crypto/heimdal/lib/gssapi/inquire_context.c +++ /dev/null 
@@ -1,85 +0,0 @@ -/* - * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: inquire_context.c,v 1.5 2003/03/16 17:43:30 lha Exp $"); - -OM_uint32 gss_inquire_context ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_name_t * src_name, - gss_name_t * targ_name, - OM_uint32 * lifetime_rec, - gss_OID * mech_type, - OM_uint32 * ctx_flags, - int * locally_initiated, - int * open_context - ) -{ - OM_uint32 ret; - - if (src_name) { - ret = gss_duplicate_name (minor_status, - context_handle->source, - src_name); - if (ret) - return ret; - } - - if (targ_name) { - ret = gss_duplicate_name (minor_status, - context_handle->target, - targ_name); - if (ret) - return ret; - } - - if (lifetime_rec) - *lifetime_rec = context_handle->lifetime; - - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (ctx_flags) - *ctx_flags = context_handle->flags; - - if (locally_initiated) - *locally_initiated = context_handle->more_flags & LOCAL; - - if (open_context) - *open_context = context_handle->more_flags & OPEN; - - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/inquire_cred.c b/crypto/heimdal/lib/gssapi/inquire_cred.c deleted file mode 100644 index 4938d564e587..000000000000 --- a/crypto/heimdal/lib/gssapi/inquire_cred.c +++ /dev/null 
@@ -1,97 +0,0 @@ -/* - * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: inquire_cred.c,v 1.4 2003/03/16 17:42:14 lha Exp $"); - -OM_uint32 gss_inquire_cred - (OM_uint32 * minor_status, - const gss_cred_id_t cred_handle, - gss_name_t * name, - OM_uint32 * lifetime, - gss_cred_usage_t * cred_usage, - gss_OID_set * mechanisms - ) -{ - OM_uint32 ret; - - *minor_status = 0; - - if (name) - *name = NULL; - if (mechanisms) - *mechanisms = GSS_C_NO_OID_SET; - - if (cred_handle == GSS_C_NO_CREDENTIAL) { - return GSS_S_FAILURE; - } - - if (name != NULL) { - if (cred_handle->principal != NULL) { - ret = gss_duplicate_name(minor_status, cred_handle->principal, - name); - if (ret) - return ret; - } else if (cred_handle->usage == GSS_C_ACCEPT) { - *minor_status = krb5_sname_to_principal(gssapi_krb5_context, NULL, - NULL, KRB5_NT_SRV_HST, name); - if (*minor_status) - return GSS_S_FAILURE; - } else { - *minor_status = krb5_get_default_principal(gssapi_krb5_context, - name); - if (*minor_status) - return GSS_S_FAILURE; - } - } - if (lifetime != NULL) { - *lifetime = cred_handle->lifetime; - } - if (cred_usage != NULL) { - *cred_usage = cred_handle->usage; - } - if (mechanisms != NULL) { - ret = gss_create_empty_oid_set(minor_status, mechanisms); - if (ret) { - return ret; - } - ret = gss_add_oid_set_member(minor_status, - &cred_handle->mechanisms->elements[0], - mechanisms); - if (ret) { - return ret; - } - } - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/inquire_cred_by_mech.c b/crypto/heimdal/lib/gssapi/inquire_cred_by_mech.c deleted file mode 100644 index b09d1e1d5f6c..000000000000 --- a/crypto/heimdal/lib/gssapi/inquire_cred_by_mech.c +++ /dev/null 
@@ -1,80 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: inquire_cred_by_mech.c,v 1.1 2003/03/16 18:11:16 lha Exp $"); - -OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 * minor_status, - const gss_cred_id_t cred_handle, - const gss_OID mech_type, - gss_name_t * name, - OM_uint32 * initiator_lifetime, - OM_uint32 * acceptor_lifetime, - gss_cred_usage_t * cred_usage - ) -{ - OM_uint32 ret; - OM_uint32 lifetime; - - if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 && - gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) { - *minor_status = EINVAL; - return GSS_S_BAD_MECH; - } - - ret = gss_inquire_cred (minor_status, - cred_handle, - name, - &lifetime, - cred_usage, - NULL); - - if (ret == 0 && cred_handle != GSS_C_NO_CREDENTIAL) { - gss_cred_usage_t usage; - - usage = cred_handle->usage; - - if (initiator_lifetime) { - if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH) - *initiator_lifetime = lifetime; - } - if (acceptor_lifetime) { - if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH) - *acceptor_lifetime = lifetime; - } - } - - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/inquire_mechs_for_name.c b/crypto/heimdal/lib/gssapi/inquire_mechs_for_name.c deleted file mode 100644 index 67ebb04db4de..000000000000 --- a/crypto/heimdal/lib/gssapi/inquire_mechs_for_name.c +++ /dev/null 
@@ -1,57 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: inquire_mechs_for_name.c,v 1.1 2003/03/16 18:12:33 lha Exp $"); - -OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 * minor_status, - const gss_name_t input_name, - gss_OID_set * mech_types - ) -{ - OM_uint32 ret; - - ret = gss_create_empty_oid_set(minor_status, mech_types); - if (ret) - return ret; - - ret = gss_add_oid_set_member(minor_status, - GSS_KRB5_MECHANISM, - mech_types); - if (ret) - gss_release_oid_set(NULL, mech_types); - - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/inquire_names_for_mech.c b/crypto/heimdal/lib/gssapi/inquire_names_for_mech.c deleted file mode 100644 index 0e93de685444..000000000000 --- a/crypto/heimdal/lib/gssapi/inquire_names_for_mech.c +++ /dev/null 
@@ -1,80 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: inquire_names_for_mech.c,v 1.1 2003/03/16 18:15:29 lha Exp $"); - - -static gss_OID *name_list[] = { - &GSS_C_NT_HOSTBASED_SERVICE, - &GSS_C_NT_USER_NAME, - &GSS_KRB5_NT_PRINCIPAL_NAME, - &GSS_C_NT_EXPORT_NAME, - NULL -}; - -OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 * minor_status, - const gss_OID mechanism, - gss_OID_set * name_types - ) -{ - OM_uint32 ret; - int i; - - *minor_status = 0; - - if (gss_oid_equal(mechanism, GSS_KRB5_MECHANISM) == 0 && - gss_oid_equal(mechanism, GSS_C_NULL_OID) == 0) { - *name_types = GSS_C_NO_OID_SET; - return GSS_S_BAD_MECH; - } - - ret = gss_create_empty_oid_set(minor_status, name_types); - if (ret != GSS_S_COMPLETE) - return ret; - - for (i = 0; name_list[i] != NULL; i++) { - ret = gss_add_oid_set_member(minor_status, - *(name_list[i]), - name_types); - if (ret != GSS_S_COMPLETE) - break; - } - - if (ret != GSS_S_COMPLETE) - gss_release_oid_set(NULL, name_types); - - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/process_context_token.c b/crypto/heimdal/lib/gssapi/process_context_token.c deleted file mode 100644 index 0cec33cc3e6f..000000000000 --- a/crypto/heimdal/lib/gssapi/process_context_token.c +++ /dev/null 
@@ -1,65 +0,0 @@ -/* - * Copyright (c) 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: process_context_token.c,v 1.1 2003/03/16 18:19:05 lha Exp $"); - -OM_uint32 gss_process_context_token ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t token_buffer - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - gss_buffer_desc empty_buffer; - gss_qop_t qop_state; - - empty_buffer.length = 0; - empty_buffer.value = NULL; - - qop_state = GSS_C_QOP_DEFAULT; - - ret = gss_verify_mic_internal(minor_status, context_handle, - token_buffer, &empty_buffer, - GSS_C_QOP_DEFAULT, "\x01\x02"); - - if (ret == GSS_S_COMPLETE) - ret = gss_delete_sec_context(minor_status, - (gss_ctx_id_t *)&context_handle, - GSS_C_NO_BUFFER); - if (ret == GSS_S_COMPLETE) - *minor_status = 0; - - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/release_buffer.c b/crypto/heimdal/lib/gssapi/release_buffer.c deleted file mode 100644 index 258b76f62768..000000000000 --- a/crypto/heimdal/lib/gssapi/release_buffer.c +++ /dev/null 
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: release_buffer.c,v 1.5 2003/03/16 17:58:20 lha Exp $");
-
-OM_uint32 gss_release_buffer
- (OM_uint32 * minor_status,
- gss_buffer_t buffer
- )
-{
- *minor_status = 0;
- free (buffer->value);
- buffer->value = NULL;
- buffer->length = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/release_cred.c b/crypto/heimdal/lib/gssapi/release_cred.c
deleted file mode 100644
index 01cbb6a0f9d9..000000000000
--- a/crypto/heimdal/lib/gssapi/release_cred.c
+++ /dev/null
@@ -1,68 +0,0 @@ -/* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: release_cred.c,v 1.8.2.1 2003/10/07 01:08:21 lha Exp $"); - -OM_uint32 gss_release_cred - (OM_uint32 * minor_status, - gss_cred_id_t * cred_handle - ) -{ - *minor_status = 0; - - if (*cred_handle == GSS_C_NO_CREDENTIAL) { - return GSS_S_COMPLETE; - } - - GSSAPI_KRB5_INIT (); - - if ((*cred_handle)->principal != NULL) - krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal); - if ((*cred_handle)->keytab != NULL) - krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab); - if ((*cred_handle)->ccache != NULL) { - const krb5_cc_ops *ops; - ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache); - if (ops == &krb5_mcc_ops) - krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache); - else - krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache); - } - gss_release_oid_set(NULL, &(*cred_handle)->mechanisms); - free(*cred_handle); - *cred_handle = GSS_C_NO_CREDENTIAL; - return GSS_S_COMPLETE; -} - diff --git a/crypto/heimdal/lib/gssapi/release_name.c b/crypto/heimdal/lib/gssapi/release_name.c deleted file mode 100644 index 6894ffae49c2..000000000000 --- a/crypto/heimdal/lib/gssapi/release_name.c +++ /dev/null 
@@ -1,50 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id: release_name.c,v 1.7 2003/03/16 17:52:48 lha Exp $");
-
-OM_uint32 gss_release_name
- (OM_uint32 * minor_status,
- gss_name_t * input_name
- )
-{
- GSSAPI_KRB5_INIT ();
- if (minor_status)
- *minor_status = 0;
- krb5_free_principal(gssapi_krb5_context,
- *input_name);
- *input_name = GSS_C_NO_NAME;
- return GSS_S_COMPLETE;
-}
diff --git a/crypto/heimdal/lib/gssapi/release_oid_set.c b/crypto/heimdal/lib/gssapi/release_oid_set.c
deleted file mode 100644
index 04eb01565f79..000000000000
--- a/crypto/heimdal/lib/gssapi/release_oid_set.c
+++ /dev/null
@@ -1,49 +0,0 @@ -/* - * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: release_oid_set.c,v 1.5 2003/03/16 17:53:25 lha Exp $"); - -OM_uint32 gss_release_oid_set - (OM_uint32 * minor_status, - gss_OID_set * set - ) -{ - if (minor_status) - *minor_status = 0; - free ((*set)->elements); - free (*set); - *set = GSS_C_NO_OID_SET; - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c index 1afe26f1e39d..34e58a38bb3b 100644 --- a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c +++ b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c @@ -34,6 +34,7 @@ #include "spnego/spnego_locl.h" RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $"); +/* $FreeBSD$ */ static OM_uint32 send_reject (OM_uint32 *minor_status, @@ -376,6 +377,9 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p, char mechbuf[64]; size_t mech_len; gss_OID_desc oid; + gss_OID oidp; + gss_OID_set mechs; + int i; OM_uint32 ret, junk; ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1, 
@@ -396,27 +400,29 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p, *minor_status = 0; /* Translate broken MS Kebreros OID */ - if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc)) { - gssapi_mech_interface mech; + if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc)) + oidp = &_gss_spnego_krb5_mechanism_oid_desc; + else + oidp = &oid; - mech = __gss_get_mechanism(&_gss_spnego_krb5_mechanism_oid_desc); - if (mech == NULL) + + ret = gss_indicate_mechs(&junk, &mechs); + if (ret) + return (ret); + + for (i = 0; i < mechs->count; i++) + if (gss_oid_equal(&mechs->elements[i], oidp)) + break; + + if (i == mechs->count) { + gss_release_oid_set(&junk, &mechs); return GSS_S_BAD_MECH; - - ret = gss_duplicate_oid(minor_status, - &_gss_spnego_mskrb_mechanism_oid_desc, - mech_p); - } else { - gssapi_mech_interface mech; - - mech = __gss_get_mechanism(&oid); - if (mech == NULL) - return GSS_S_BAD_MECH; - - ret = gss_duplicate_oid(minor_status, - &mech->gm_mech_oid, - mech_p); } + gss_release_oid_set(&junk, &mechs); + + ret = gss_duplicate_oid(minor_status, + &oid, /* possibly this should be oidp */ + mech_p); if (verify_p) { gss_name_t name = GSS_C_NO_NAME; diff --git a/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h b/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h index 44b24688e18f..1ec1704776f0 100644 --- a/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h +++ b/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h @@ -31,6 +31,7 @@ */ /* $Id: spnego_locl.h 19411 2006-12-18 15:42:03Z lha $ */ +/* $FreeBSD$ */ #ifndef SPNEGO_LOCL_H #define SPNEGO_LOCL_H @@ -67,7 +68,6 @@ #include #include "spnego_asn1.h" -#include "mech/utils.h" #include #include diff --git a/crypto/heimdal/lib/gssapi/test_oid_set_member.c b/crypto/heimdal/lib/gssapi/test_oid_set_member.c deleted file mode 100644 index e747c5acc108..000000000000 --- a/crypto/heimdal/lib/gssapi/test_oid_set_member.c +++ /dev/null 
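Review bot: The membership loop `for (i = 0; i < mechs->count; i++)` compares an `int` (declared in the preceding hunk of this file) against `mechs->count`, which is a `size_t`; the deleted `test_oid_set_member.c` on this same page uses `size_t` for the identical loop, and the cleaner option is to drop the hand-rolled scan for `gss_test_oid_set_member`, the API that exists for exactly this check (it needs an `int present;` next to the new `oidp`/`mechs` declarations). The `/* possibly this should be oidp */` comment commits an unresolved question to the tree: the removed code also duplicated the OID as received in the MS-Kerberos case, so `&oid` preserves behaviour, and the comment should state that rather than hedge, e.g. `/* return the OID as received (incl. the MS krb5 OID), as before; oidp only drives the lookup */`. `select_mech` continues past the hunk, so I cannot see whether `ret` from `gss_duplicate_oid` is checked before `*mech_p` is used in the `verify_p` block; worth confirming.
```c
	ret = gss_indicate_mechs(&junk, &mechs);
	if (ret)
		return (ret);

	/* membership test via the API instead of an int-vs-size_t index loop */
	ret = gss_test_oid_set_member(&junk, oidp, mechs, &present);
	gss_release_oid_set(&junk, &mechs);
	if (ret)
		return (ret);
	if (!present)
		return GSS_S_BAD_MECH;

	ret = gss_duplicate_oid(minor_status,
				&oid, /* the OID as received, as before; oidp only drives the lookup */
				mech_p);
	/* … unchanged: verify_p block … */
```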
@@ -1,55 +0,0 @@ -/* - * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: test_oid_set_member.c,v 1.5 2003/03/16 17:54:06 lha Exp $"); - -OM_uint32 gss_test_oid_set_member ( - OM_uint32 * minor_status, - const gss_OID member, - const gss_OID_set set, - int * present - ) -{ - size_t i; - - *minor_status = 0; - *present = 0; - for (i = 0; i < set->count; ++i) - if (gss_oid_equal(member, &set->elements[i]) != 0) { - *present = 1; - break; - } - return GSS_S_COMPLETE; -} diff --git a/crypto/heimdal/lib/gssapi/unwrap.c b/crypto/heimdal/lib/gssapi/unwrap.c deleted file mode 100644 index b798438dc614..000000000000 --- a/crypto/heimdal/lib/gssapi/unwrap.c +++ /dev/null 
@@ -1,422 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: unwrap.c,v 1.22.2.1 2003/09/18 22:05:22 lha Exp $"); - -OM_uint32 -gss_krb5_get_remotekey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - krb5_keyblock *skey; - - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - *key = skey; - return 0; -} - -static OM_uint32 -unwrap_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p, *pad; - size_t len; - MD5_CTX md5; - u_char hash[16], seq_data[8]; - des_key_schedule schedule; - des_cblock deskey; - des_cblock zero; - int i; - int32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - - p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, - input_message_buffer->length, - "\x02\x01"); - if (ret) - return ret; - - if (memcmp (p, "\x00\x00", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x00\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xFF\xFF", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 16; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - for (i = 0; i < sizeof(deskey); ++i) - deskey[i] ^= 0xf0; - des_set_key (&deskey, schedule); - memset (&zero, 0, sizeof(zero)); - des_cbc_encrypt ((void *)p, - (void *)p, - input_message_buffer->length - len, - 
schedule, - &zero, - DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - } - /* check pad */ - - pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1; - padlength = *pad; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, input_message_buffer->length - len); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) - return GSS_S_BAD_MIC; - - /* verify sequence number */ - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq_data[0] = (seq_number >> 0) & 0xFF; - seq_data[1] = (seq_number >> 8) & 0xFF; - seq_data[2] = (seq_number >> 16) & 0xFF; - seq_data[3] = (seq_number >> 24) & 0xFF; - memset (seq_data + 4, - (context_handle->more_flags & LOCAL) ? 
0xFF : 0, - 4); - - p -= 16; - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)hash, DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - - if (memcmp (p, seq_data, 8) != 0) { - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 24, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -static OM_uint32 -unwrap_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p, *pad; - size_t len; - u_char seq[8]; - krb5_data seq_data; - u_char cksum[20]; - int i; - int32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - krb5_crypto crypto; - Checksum csum; - int cmp; - - p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, - input_message_buffer->length, - "\x02\x01"); - if (ret) - return ret; - - if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x02\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xff\xff", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 28; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - krb5_data tmp; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - 
ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, - p, input_message_buffer->length - len, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - assert (tmp.length == input_message_buffer->length - len); - - memcpy (p, tmp.data, tmp.length); - krb5_data_free(&tmp); - } - /* check pad */ - - pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1; - padlength = *pad; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - /* verify sequence number */ - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 
0xFF : 0, - 4); - - p -= 28; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - { - des_cblock ivec; - - memcpy(&ivec, p + 8, 8); - ret = krb5_decrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - p, 8, &seq_data, - &ivec); - } - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - if (seq_data.length != 8) { - krb5_data_free (&seq_data); - return GSS_S_BAD_MIC; - } - - cmp = memcmp (seq, seq_data.data, seq_data.length); - krb5_data_free (&seq_data); - if (cmp != 0) { - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* verify checksum */ - - memcpy (cksum, p + 8, 20); - - memcpy (p + 20, p - 8, 8); - - csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3; - csum.checksum.length = 20; - csum.checksum.data = cksum; - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, - KRB5_KU_USAGE_SIGN, - p + 20, - input_message_buffer->length - len + 8, - &csum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 36, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -OM_uint32 gss_unwrap - (OM_uint32 * minor_status, - const gss_ctx_id_t 
context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - if (qop_state != NULL) - *qop_state = GSS_C_QOP_DEFAULT; - ret = gss_krb5_get_remotekey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - *minor_status = 0; - - switch (keytype) { - case KEYTYPE_DES : - ret = unwrap_des (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - case KEYTYPE_DES3 : - ret = unwrap_des3 (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - case KEYTYPE_ARCFOUR: - ret = _gssapi_unwrap_arcfour (minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, key); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/v1.c b/crypto/heimdal/lib/gssapi/v1.c deleted file mode 100644 index 34091ea71572..000000000000 --- a/crypto/heimdal/lib/gssapi/v1.c +++ /dev/null 
@@ -1,104 +0,0 @@ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: v1.c,v 1.2 1999/12/02 17:05:04 joda Exp $"); - -/* These functions are for V1 compatibility */ - -OM_uint32 gss_sign - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int qop_req, - gss_buffer_t message_buffer, - gss_buffer_t message_token - ) -{ - return gss_get_mic(minor_status, - context_handle, - (gss_qop_t)qop_req, - message_buffer, - message_token); -} - -OM_uint32 gss_verify - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t message_buffer, - gss_buffer_t token_buffer, - int * qop_state - ) -{ - return gss_verify_mic(minor_status, - context_handle, - message_buffer, - token_buffer, - (gss_qop_t *)qop_state); -} - -OM_uint32 gss_seal - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - int qop_req, - gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer - ) -{ - return gss_wrap(minor_status, - context_handle, - conf_req_flag, - (gss_qop_t)qop_req, - input_message_buffer, - conf_state, - output_message_buffer); -} - -OM_uint32 gss_unseal - (OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - int * qop_state - ) -{ - return gss_unwrap(minor_status, - context_handle, - input_message_buffer, - output_message_buffer, - conf_state, - (gss_qop_t *)qop_state); -} diff --git a/crypto/heimdal/lib/gssapi/verify_mic.c b/crypto/heimdal/lib/gssapi/verify_mic.c deleted file mode 100644 index aef2d07da6bf..000000000000 --- a/crypto/heimdal/lib/gssapi/verify_mic.c +++ /dev/null 
@@ -1,322 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: verify_mic.c,v 1.18.2.4 2003/09/18 22:05:34 lha Exp $"); - -static OM_uint32 -verify_mic_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16], seq_data[8]; - des_key_schedule schedule; - des_cblock zero; - des_cblock deskey; - int32_t seq_number; - OM_uint32 ret; - - p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type); - if (ret) - return ret; - - if (memcmp(p, "\x00\x00", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - p += 16; - - /* verify checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, - message_buffer->length); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) { - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - return GSS_S_BAD_MIC; - } - - /* verify sequence number */ - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq_data[0] = (seq_number >> 0) & 0xFF; - seq_data[1] = (seq_number >> 8) & 0xFF; - seq_data[2] = (seq_number >> 16) & 0xFF; - seq_data[3] = (seq_number >> 24) & 0xFF; - memset (seq_data + 4, - (context_handle->more_flags & LOCAL) ? 
0xFF : 0, - 4); - - p -= 16; - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)hash, DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - - if (memcmp (p, seq_data, 8) != 0) { - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - return GSS_S_COMPLETE; -} - -static OM_uint32 -verify_mic_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type - ) -{ - u_char *p; - u_char seq[8]; - int32_t seq_number; - OM_uint32 ret; - krb5_crypto crypto; - krb5_data seq_data; - int cmp, docompat; - Checksum csum; - char *tmp; - char ivec[8]; - - p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type); - if (ret) - return ret; - - if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret){ - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* verify sequence number */ - docompat = 0; -retry: - if (docompat) - memset(ivec, 0, 8); - else - memcpy(ivec, p + 8, 8); - - ret = krb5_decrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - p, 8, &seq_data, ivec); - if (ret) { - if (docompat++) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ret; - return GSS_S_FAILURE; - } else - goto retry; - } - - if (seq_data.length != 8) { - krb5_data_free (&seq_data); - if (docompat++) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_BAD_MIC; - } else - goto retry; - } - - 
krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0xFF : 0, - 4); - cmp = memcmp (seq, seq_data.data, seq_data.length); - krb5_data_free (&seq_data); - if (cmp != 0) { - if (docompat++) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_BAD_MIC; - } else - goto retry; - } - - /* verify checksum */ - - tmp = malloc (message_buffer->length + 8); - if (tmp == NULL) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - memcpy (tmp, p - 8, 8); - memcpy (tmp + 8, message_buffer->value, message_buffer->length); - - csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3; - csum.checksum.length = 20; - csum.checksum.data = p + 8; - - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, - KRB5_KU_USAGE_SIGN, - tmp, message_buffer->length + 8, - &csum); - free (tmp); - if (ret) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ret; - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_verify_mic_internal - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - char * type - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_remotekey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - *minor_status = 0; - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - switch (keytype) { - case 
KEYTYPE_DES : - ret = verify_mic_des (minor_status, context_handle, - message_buffer, token_buffer, qop_state, key, - type); - break; - case KEYTYPE_DES3 : - ret = verify_mic_des3 (minor_status, context_handle, - message_buffer, token_buffer, qop_state, key, - type); - break; - case KEYTYPE_ARCFOUR : - ret = _gssapi_verify_mic_arcfour (minor_status, context_handle, - message_buffer, token_buffer, - qop_state, key, type); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - - return ret; -} - -OM_uint32 -gss_verify_mic - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state - ) -{ - OM_uint32 ret; - - if (qop_state != NULL) - *qop_state = GSS_C_QOP_DEFAULT; - - ret = gss_verify_mic_internal(minor_status, context_handle, - message_buffer, token_buffer, - qop_state, "\x01\x01"); - - return ret; -} diff --git a/crypto/heimdal/lib/gssapi/wrap.c b/crypto/heimdal/lib/gssapi/wrap.c deleted file mode 100644 index a0f9d2ff52ea..000000000000 --- a/crypto/heimdal/lib/gssapi/wrap.c +++ /dev/null 
@@ -1,454 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id: wrap.c,v 1.21.2.1 2003/09/18 22:05:45 lha Exp $"); - -OM_uint32 -gss_krb5_get_localkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - krb5_keyblock *skey; - - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - return GSS_S_FAILURE; - *key = skey; - return 0; -} - -static OM_uint32 -sub_wrap_size ( - OM_uint32 req_output_size, - OM_uint32 * max_input_size, - int blocksize, - int extrasize - ) -{ - size_t len, total_len, padlength; - padlength = blocksize - (req_output_size % blocksize); - len = req_output_size + 8 + padlength + extrasize; - gssapi_krb5_encap_length(len, &len, &total_len); - *max_input_size = (OM_uint32)total_len; - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_wrap_size_limit ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 * max_input_size - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_localkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - case KEYTYPE_ARCFOUR: - ret = sub_wrap_size(req_output_size, max_input_size, 8, 22); - break; - case KEYTYPE_DES3 : - ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - *minor_status = 0; - return ret; -} - -static OM_uint32 -wrap_des - (OM_uint32 * minor_status, - const gss_ctx_id_t 
context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16]; - des_key_schedule schedule; - des_cblock deskey; - des_cblock zero; - int i; - int32_t seq_number; - size_t len, total_len, padlength, datalen; - - padlength = 8 - (input_message_buffer->length % 8); - datalen = input_message_buffer->length + padlength + 8; - len = datalen + 22; - gssapi_krb5_encap_length (len, &len, &total_len); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(output_message_buffer->value, - len, - "\x02\x01"); /* TOK_ID */ - - /* SGN_ALG */ - memcpy (p, "\x00\x00", 2); - p += 2; - /* SEAL_ALG */ - if(conf_req_flag) - memcpy (p, "\x00\x00", 2); - else - memcpy (p, "\xff\xff", 2); - p += 2; - /* Filler */ - memcpy (p, "\xff\xff", 2); - p += 2; - - /* fill in later */ - memset (p, 0, 16); - p += 16; - - /* confounder + data + pad */ - krb5_generate_random_block(p, 8); - memcpy (p + 8, input_message_buffer->value, - input_message_buffer->length); - memset (p + 8 + input_message_buffer->length, padlength, padlength); - - /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, datalen); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - memcpy (p - 8, hash, 8); - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - p -= 16; - p[0] = (seq_number >> 0) & 0xFF; - p[1] = (seq_number >> 8) & 0xFF; - p[2] = (seq_number >> 16) & 0xFF; - p[3] = (seq_number >> 
24) & 0xFF; - memset (p + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, - 4); - - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)(p + 8), DES_ENCRYPT); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* encrypt the data */ - p += 16; - - if(conf_req_flag) { - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - for (i = 0; i < sizeof(deskey); ++i) - deskey[i] ^= 0xf0; - des_set_key (&deskey, schedule); - memset (&zero, 0, sizeof(zero)); - des_cbc_encrypt ((void *)p, - (void *)p, - datalen, - schedule, - &zero, - DES_ENCRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - } - if(conf_state != NULL) - *conf_state = conf_req_flag; - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -wrap_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key - ) -{ - u_char *p; - u_char seq[8]; - int32_t seq_number; - size_t len, total_len, padlength, datalen; - u_int32_t ret; - krb5_crypto crypto; - Checksum cksum; - krb5_data encdata; - - padlength = 8 - (input_message_buffer->length % 8); - datalen = input_message_buffer->length + padlength + 8; - len = datalen + 34; - gssapi_krb5_encap_length (len, &len, &total_len); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(output_message_buffer->value, - len, - "\x02\x01"); /* TOK_ID */ - - /* SGN_ALG */ - memcpy (p, "\x04\x00", 2); /* HMAC SHA1 DES3-KD */ - p += 2; - /* SEAL_ALG */ - if(conf_req_flag) - memcpy (p, "\x02\x00", 2); /* DES3-KD */ - else - memcpy (p, "\xff\xff", 2); - p += 2; - /* 
Filler */ - memcpy (p, "\xff\xff", 2); - p += 2; - - /* calculate checksum (the above + confounder + data + pad) */ - - memcpy (p + 20, p - 8, 8); - krb5_generate_random_block(p + 28, 8); - memcpy (p + 28 + 8, input_message_buffer->value, - input_message_buffer->length); - memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength); - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_create_checksum (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SIGN, - 0, - p + 20, - datalen + 8, - &cksum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* zero out SND_SEQ + SGN_CKSUM in case */ - memset (p, 0, 28); - - memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - free_Checksum (&cksum); - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 
0 : 0xFF, - 4); - - - ret = krb5_crypto_init(gssapi_krb5_context, key, ETYPE_DES3_CBC_NONE, - &crypto); - if (ret) { - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - des_cblock ivec; - - memcpy (&ivec, p + 8, 8); - ret = krb5_encrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - seq, 8, &encdata, - &ivec); - } - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - assert (encdata.length == 8); - - memcpy (p, encdata.data, encdata.length); - krb5_data_free (&encdata); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* encrypt the data */ - p += 28; - - if(conf_req_flag) { - krb5_data tmp; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - ret = krb5_encrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, - p, datalen, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - assert (tmp.length == datalen); - - memcpy (p, tmp.data, datalen); - krb5_data_free(&tmp); - } - if(conf_state != NULL) - *conf_state = conf_req_flag; - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 gss_wrap - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_localkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - 
return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - ret = wrap_des (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - case KEYTYPE_DES3 : - ret = wrap_des3 (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - case KEYTYPE_ARCFOUR: - ret = _gssapi_wrap_arcfour (minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, key); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - return ret; -} diff --git a/crypto/heimdal/lib/hdb/convert_db.c b/crypto/heimdal/lib/hdb/convert_db.c deleted file mode 100644 index 0b300a55fcce..000000000000 --- a/crypto/heimdal/lib/hdb/convert_db.c +++ /dev/null 
@@ -1,213 +0,0 @@ -/* - * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - -/* Converts a database from version 0.0* to 0.1. This is done by - * making three copies of each DES key (DES-CBC-CRC, DES-CBC-MD4, and - * DES-CBC-MD5). - * - * Use with care. 
- */ - -#include "hdb_locl.h" -#include -#include - -RCSID("$Id: convert_db.c,v 1.12 2001/02/20 01:44:53 assar Exp $"); - -static krb5_error_code -update_keytypes(krb5_context context, HDB *db, hdb_entry *entry, void *data) -{ - int i; - int n = 0; - Key *k; - int save_len; - Key *save_val; - HDB *new = data; - krb5_error_code ret; - - for(i = 0; i < entry->keys.len; i++) - if(entry->keys.val[i].key.keytype == KEYTYPE_DES) - n += 2; - else if(entry->keys.val[i].key.keytype == KEYTYPE_DES3) - n += 1; - k = malloc(sizeof(*k) * (entry->keys.len + n)); - n = 0; - for(i = 0; i < entry->keys.len; i++) { - copy_Key(&entry->keys.val[i], &k[n]); - if(entry->keys.val[i].key.keytype == KEYTYPE_DES) { - copy_Key(&entry->keys.val[i], &k[n+1]); - k[n+1].key.keytype = ETYPE_DES_CBC_MD4; - copy_Key(&entry->keys.val[i], &k[n+2]); - k[n+2].key.keytype = ETYPE_DES_CBC_MD5; - n += 2; - } - else if(entry->keys.val[i].key.keytype == KEYTYPE_DES3) { - copy_Key(&entry->keys.val[i], &k[n+1]); - k[n+1].key.keytype = ETYPE_DES3_CBC_MD5; - n += 1; - } - n++; - } - save_len = entry->keys.len; - save_val = entry->keys.val; - entry->keys.len = n; - entry->keys.val = k; - ret = new->store(context, new, HDB_F_REPLACE, entry); - entry->keys.len = save_len; - entry->keys.val = save_val; - for(i = 0; i < n; i++) - free_Key(&k[i]); - free(k); - return 0; -} - -static krb5_error_code -update_version2(krb5_context context, HDB *db, hdb_entry *entry, void *data) -{ - HDB *new = data; - if(!db->master_key_set) { - int i; - for(i = 0; i < entry->keys.len; i++) { - free(entry->keys.val[i].mkvno); - entry->keys.val[i].mkvno = NULL; - } - } - new->store(context, new, HDB_F_REPLACE, entry); - return 0; -} - -char *old_database = HDB_DEFAULT_DB; -char *new_database = HDB_DEFAULT_DB ".new"; -char *mkeyfile; -int update_version; -int help_flag; -int version_flag; - -struct getargs args[] = { - { "old-database", 0, arg_string, &old_database, - "name of database to convert", "file" }, - { "new-database", 0, 
arg_string, &new_database, - "name of converted database", "file" }, - { "master-key", 0, arg_string, &mkeyfile, - "v5 master key file", "file" }, - { "update-version", 0, arg_flag, &update_version, - "update the database to the current version" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 0, arg_flag, &version_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -int -main(int argc, char **argv) -{ - krb5_error_code ret; - krb5_context context; - HDB *db, *new; - int optind = 0; - int master_key_set = 0; - - setprogname(argv[0]); - - if(getarg(args, num_args, argc, argv, &optind)) - krb5_std_usage(1, args, num_args); - - if(help_flag) - krb5_std_usage(0, args, num_args); - - if(version_flag){ - print_version(NULL); - exit(0); - } - - ret = krb5_init_context(&context); - if(ret != 0) - errx(1, "krb5_init_context failed: %d", ret); - - ret = hdb_create(context, &db, old_database); - if(ret != 0) - krb5_err(context, 1, ret, "hdb_create"); - - ret = hdb_set_master_keyfile(context, db, mkeyfile); - if (ret) - krb5_err(context, 1, ret, "hdb_set_master_keyfile"); - master_key_set = 1; - ret = hdb_create(context, &new, new_database); - if(ret != 0) - krb5_err(context, 1, ret, "hdb_create"); - if (master_key_set) { - ret = hdb_set_master_keyfile(context, new, mkeyfile); - if (ret) - krb5_err(context, 1, ret, "hdb_set_master_keyfile"); - } - ret = db->open(context, db, O_RDONLY, 0); - if(ret == HDB_ERR_BADVERSION) { - krb5_data tag; - krb5_data version; - int foo; - unsigned ver; - tag.data = HDB_DB_FORMAT_ENTRY; - tag.length = strlen(tag.data); - ret = (*db->_get)(context, db, tag, &version); - if(ret) - krb5_errx(context, 1, "database is wrong version, " - "but couldn't find version key (%s)", - HDB_DB_FORMAT_ENTRY); - foo = sscanf(version.data, "%u", &ver); - krb5_data_free (&version); - if(foo != 1) - krb5_errx(context, 1, "database version is not a number"); - if(ver == 1 && HDB_DB_FORMAT == 2) { - krb5_warnx(context, "will upgrade 
database from version %d to %d", - ver, HDB_DB_FORMAT); - krb5_warnx(context, "rerun to do other conversions"); - update_version = 1; - } else - krb5_errx(context, 1, - "don't know how to upgrade from version %d to %d", - ver, HDB_DB_FORMAT); - } else if(ret) - krb5_err(context, 1, ret, "%s", old_database); - ret = new->open(context, new, O_CREAT|O_EXCL|O_RDWR, 0600); - if(ret) - krb5_err(context, 1, ret, "%s", new_database); - if(update_version) - ret = hdb_foreach(context, db, 0, update_version2, new); - else - ret = hdb_foreach(context, db, 0, update_keytypes, new); - if(ret != 0) - krb5_err(context, 1, ret, "hdb_foreach"); - db->close(context, db); - new->close(context, new); - krb5_warnx(context, "wrote converted database to `%s'", new_database); - return 0; -} diff --git a/crypto/heimdal/lib/hdb/hdb_locl.h b/crypto/heimdal/lib/hdb/hdb_locl.h index c4f1ea2d30f1..0a67e5485d99 100644 --- a/crypto/heimdal/lib/hdb/hdb_locl.h +++ b/crypto/heimdal/lib/hdb/hdb_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: hdb_locl.h,v 1.18.4.1 2003/09/10 22:04:39 lha Exp $ */ +/* $Id: hdb_locl.h 22209 2007-12-07 19:03:41Z lha $ */ /* $FreeBSD$ */ #ifndef __HDB_LOCL_H__ @@ -65,4 +65,7 @@ #include #include +#define HDB_DEFAULT_DB HDB_DB_DIR "/heimdal" +#define HDB_DB_FORMAT_ENTRY "hdb/db-format" + #endif /* __HDB_LOCL_H__ */ diff --git a/crypto/heimdal/lib/kadm5/dump_log.c b/crypto/heimdal/lib/kadm5/dump_log.c deleted file mode 100644 index f8309fb5acfe..000000000000 --- a/crypto/heimdal/lib/kadm5/dump_log.c +++ /dev/null 
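Review bot: The two macros added at the end of hdb_locl.h in the `@@ -65,4 +65,7 @@` hunk carry no comment, and `HDB_DEFAULT_DB` expands `HDB_DB_DIR`, which is defined nowhere in the visible hunk and presumably comes from the build configuration. A reader of this header cannot tell whether the path is a compile-time constant or an install-time setting, nor which code still consumes `HDB_DB_FORMAT_ENTRY` now that convert_db.c, a user of both names, is deleted in this same commit. Suggest `/* HDB_DB_DIR comes from the build configuration; HDB_DB_FORMAT_ENTRY is the key under which the on-disk format version is stored */` above the two defines.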
@@ -1,273 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "iprop.h" -#include "parse_time.h" - -RCSID("$Id: dump_log.c,v 1.13 2003/04/16 17:56:02 lha Exp $"); - -static char *op_names[] = { - "get", - "delete", - "create", - "rename", - "chpass", - "modify", - "randkey", - "get_privs", - "get_princs", - "chpass_with_key", - "nop" -}; - -static void -print_entry(kadm5_server_context *server_context, - u_int32_t ver, - time_t timestamp, - enum kadm_ops op, - u_int32_t len, - krb5_storage *sp) -{ - char t[256]; - int32_t mask; - hdb_entry ent; - krb5_principal source; - char *name1, *name2; - krb5_data data; - krb5_context context = server_context->context; - - off_t end = krb5_storage_seek(sp, 0, SEEK_CUR) + len; - - krb5_error_code ret; - - strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", localtime(×tamp)); - - if(op < kadm_get || op > kadm_nop) { - printf("unknown op: %d\n", op); - krb5_storage_seek(sp, end, SEEK_SET); - return; - } - - printf ("%s: ver = %u, timestamp = %s, len = %u\n", - op_names[op], ver, t, len); - switch(op) { - case kadm_delete: - krb5_ret_principal(sp, &source); - krb5_unparse_name(context, source, &name1); - printf(" %s\n", name1); - free(name1); - krb5_free_principal(context, source); - break; - case kadm_rename: - ret = krb5_data_alloc(&data, len); - if (ret) - krb5_err (context, 1, ret, "kadm_rename: data alloc: %d", len); - krb5_ret_principal(sp, &source); - krb5_storage_read(sp, data.data, data.length); - hdb_value2entry(context, &data, &ent); - krb5_unparse_name(context, source, &name1); - krb5_unparse_name(context, ent.principal, &name2); - printf(" %s -> %s\n", name1, name2); - free(name1); - free(name2); - krb5_free_principal(context, source); - hdb_free_entry(context, &ent); - break; - case kadm_create: - ret = krb5_data_alloc(&data, len); - if (ret) - krb5_err (context, 1, ret, "kadm_create: data alloc: %d", len); - krb5_storage_read(sp, data.data, data.length); - ret = hdb_value2entry(context, &data, &ent); - if(ret) - abort(); - mask = ~0; - goto foo; - case kadm_modify: - 
ret = krb5_data_alloc(&data, len); - if (ret) - krb5_err (context, 1, ret, "kadm_modify: data alloc: %d", len); - krb5_ret_int32(sp, &mask); - krb5_storage_read(sp, data.data, data.length); - ret = hdb_value2entry(context, &data, &ent); - if(ret) - abort(); - foo: - if(ent.principal /* mask & KADM5_PRINCIPAL */) { - krb5_unparse_name(context, ent.principal, &name1); - printf(" principal = %s\n", name1); - free(name1); - } - if(mask & KADM5_PRINC_EXPIRE_TIME) { - if(ent.valid_end == NULL) { - strcpy(t, "never"); - } else { - strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", - localtime(ent.valid_end)); - } - printf(" expires = %s\n", t); - } - if(mask & KADM5_PW_EXPIRATION) { - if(ent.pw_end == NULL) { - strcpy(t, "never"); - } else { - strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", - localtime(ent.pw_end)); - } - printf(" password exp = %s\n", t); - } - if(mask & KADM5_LAST_PWD_CHANGE) { - } - if(mask & KADM5_ATTRIBUTES) { - unparse_flags(HDBFlags2int(ent.flags), - HDBFlags_units, t, sizeof(t)); - printf(" attributes = %s\n", t); - } - if(mask & KADM5_MAX_LIFE) { - if(ent.max_life == NULL) - strcpy(t, "for ever"); - else - unparse_time(*ent.max_life, t, sizeof(t)); - printf(" max life = %s\n", t); - } - if(mask & KADM5_MAX_RLIFE) { - if(ent.max_renew == NULL) - strcpy(t, "for ever"); - else - unparse_time(*ent.max_renew, t, sizeof(t)); - printf(" max rlife = %s\n", t); - } - if(mask & KADM5_MOD_TIME) { - printf(" mod time\n"); - } - if(mask & KADM5_MOD_NAME) { - printf(" mod name\n"); - } - if(mask & KADM5_KVNO) { - printf(" kvno = %d\n", ent.kvno); - } - if(mask & KADM5_MKVNO) { - printf(" mkvno\n"); - } - if(mask & KADM5_AUX_ATTRIBUTES) { - printf(" aux attributes\n"); - } - if(mask & KADM5_POLICY) { - printf(" policy\n"); - } - if(mask & KADM5_POLICY_CLR) { - printf(" mod time\n"); - } - if(mask & KADM5_LAST_SUCCESS) { - printf(" last success\n"); - } - if(mask & KADM5_LAST_FAILED) { - printf(" last failed\n"); - } - if(mask & KADM5_FAIL_AUTH_COUNT) { - printf(" fail 
auth count\n"); - } - if(mask & KADM5_KEY_DATA) { - printf(" key data\n"); - } - if(mask & KADM5_TL_DATA) { - printf(" tl data\n"); - } - hdb_free_entry(context, &ent); - break; - case kadm_nop : - break; - default: - abort(); - } - krb5_storage_seek(sp, end, SEEK_SET); -} - -static char *realm; -static int version_flag; -static int help_flag; - -static struct getargs args[] = { - { "realm", 'r', arg_string, &realm }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; -int num_args = sizeof(args) / sizeof(args[0]); - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_error_code ret; - void *kadm_handle; - kadm5_server_context *server_context; - kadm5_config_params conf; - - krb5_program_setup(&context, argc, argv, args, num_args, NULL); - - if(help_flag) - krb5_std_usage(0, args, num_args); - if(version_flag) { - print_version(NULL); - exit(0); - } - - memset(&conf, 0, sizeof(conf)); - if(realm) { - conf.mask |= KADM5_CONFIG_REALM; - conf.realm = realm; - } - ret = kadm5_init_with_password_ctx (context, - KADM5_ADMIN_SERVICE, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - if (ret) - krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); - - server_context = (kadm5_server_context *)kadm_handle; - - ret = kadm5_log_init (server_context); - if (ret) - krb5_err (context, 1, ret, "kadm5_log_init"); - - ret = kadm5_log_foreach (server_context, print_entry); - if(ret) - krb5_warn(context, ret, "kadm5_log_foreach"); - - ret = kadm5_log_end (server_context); - if (ret) - krb5_warn(context, ret, "kadm5_log_end"); - return 0; -} diff --git a/crypto/heimdal/lib/kadm5/replay_log.c b/crypto/heimdal/lib/kadm5/replay_log.c deleted file mode 100644 index 1b2d71635f49..000000000000 --- a/crypto/heimdal/lib/kadm5/replay_log.c +++ /dev/null 
@@ -1,129 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "iprop.h" - -RCSID("$Id: replay_log.c,v 1.9 2002/05/24 15:19:22 joda Exp $"); - -int start_version = -1; -int end_version = -1; - -static void -apply_entry(kadm5_server_context *server_context, - u_int32_t ver, - time_t timestamp, - enum kadm_ops op, - u_int32_t len, - krb5_storage *sp) -{ - krb5_error_code ret; - - if((start_version != -1 && ver < start_version) || - (end_version != -1 && ver > end_version)) { - /* XXX skip this entry */ - krb5_storage_seek(sp, len, SEEK_CUR); - return; - } - printf ("ver %u... ", ver); - fflush (stdout); - - ret = kadm5_log_replay (server_context, - op, ver, len, sp); - if (ret) - krb5_warn (server_context->context, ret, "kadm5_log_replay"); - - - printf ("done\n"); -} - -int version_flag; -int help_flag; -struct getargs args[] = { - { "start-version", 0, arg_integer, &start_version, "start replay with this version" }, - { "end-version", 0, arg_integer, &end_version, "end replay with this version" }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; -int num_args = sizeof(args) / sizeof(args[0]); - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_error_code ret; - void *kadm_handle; - kadm5_config_params conf; - kadm5_server_context *server_context; - - krb5_program_setup(&context, argc, argv, args, num_args, NULL); - - if(help_flag) - krb5_std_usage(0, args, num_args); - if(version_flag) { - print_version(NULL); - exit(0); - } - - memset(&conf, 0, sizeof(conf)); - ret = kadm5_init_with_password_ctx (context, - KADM5_ADMIN_SERVICE, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - if (ret) - krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); - - server_context = (kadm5_server_context *)kadm_handle; - - ret = server_context->db->open(context, - server_context->db, - O_RDWR | O_CREAT, 0); - if (ret) - krb5_err (context, 1, ret, "db->open"); - - ret = kadm5_log_init (server_context); - if (ret) - krb5_err (context, 1, ret, 
"kadm5_log_init"); - - ret = kadm5_log_foreach (server_context, apply_entry); - if(ret) - krb5_warn(context, ret, "kadm5_log_foreach"); - ret = kadm5_log_end (server_context); - if (ret) - krb5_warn(context, ret, "kadm5_log_end"); - ret = server_context->db->close (context, server_context->db); - if (ret) - krb5_err (context, 1, ret, "db->close"); - return 0; -} diff --git a/crypto/heimdal/lib/kadm5/truncate_log.c b/crypto/heimdal/lib/kadm5/truncate_log.c deleted file mode 100644 index cf4af26e7300..000000000000 --- a/crypto/heimdal/lib/kadm5/truncate_log.c +++ /dev/null 
@@ -1,89 +0,0 @@ -/* - * Copyright (c) 2000, 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "iprop.h" - -RCSID("$Id: truncate_log.c,v 1.1.8.1 2003/10/14 15:58:46 joda Exp $"); - -static char *realm; -static int version_flag; -static int help_flag; - -static struct getargs args[] = { - { "realm", 'r', arg_string, &realm }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_error_code ret; - void *kadm_handle; - kadm5_server_context *server_context; - kadm5_config_params conf; - - krb5_program_setup(&context, argc, argv, args, num_args, NULL); - - if(help_flag) - krb5_std_usage(0, args, num_args); - if(version_flag) { - print_version(NULL); - exit(0); - } - - memset(&conf, 0, sizeof(conf)); - if(realm) { - conf.mask |= KADM5_CONFIG_REALM; - conf.realm = realm; - } - - ret = kadm5_init_with_password_ctx (context, - KADM5_ADMIN_SERVICE, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - if (ret) - krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); - - server_context = (kadm5_server_context *)kadm_handle; - - ret = kadm5_log_truncate (server_context); - if(ret) - krb5_err (context, 1, ret, "kadm5_log_truncate"); - return 0; -} diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c index d1c1c9d3d79f..21d10261bd7d 100644 --- a/crypto/heimdal/lib/krb5/crypto.c +++ b/crypto/heimdal/lib/krb5/crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: crypto.c,v 1.73.2.4 2004/03/06 16:38:00 lha Exp $"); +RCSID("$Id: crypto.c 22200 2007-12-07 13:48:01Z lha $"); /* RCSID("$FreeBSD$"); */ #undef CRYPTO_DEBUG 
@@ -67,6 +67,7 @@ struct krb5_crypto_data { #define F_VARIANT 8 /* uses `variant' keys (6.4.3) */ #define F_PSEUDO 16 /* not a real protocol type */ #define F_SPECIAL 32 /* backwards */ +#define F_DISABLED 64 /* enctype/checksum disabled */ struct salt_type { krb5_salttype type; @@ -87,6 +88,7 @@ struct key_type { void (*random_key)(krb5_context, krb5_keyblock*); void (*schedule)(krb5_context, struct key_data *); struct salt_type *string_to_key; + void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t); }; struct checksum_type { @@ -110,6 +112,7 @@ struct checksum_type { struct encryption_type { krb5_enctype type; const char *name; + heim_oid *oid; size_t blocksize; size_t padsize; size_t confoundersize; @@ -120,9 +123,12 @@ struct encryption_type { krb5_error_code (*encrypt)(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec); + size_t prf_length; + krb5_error_code (*prf)(krb5_context, + krb5_crypto, const krb5_data *, krb5_data *); }; #define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA) 
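Review bot: In the `@@ -120,9 +123,12 @@` hunk the new `prf` member is declared with unnamed parameters (`krb5_context, krb5_crypto, const krb5_data *, krb5_data *`) while the adjacent `encrypt` member names every parameter, and `prf_length` has no comment saying what it measures. Suggest `size_t prf_length; /* output size of prf(), in bytes */` and naming the pointer's parameters to match `encrypt`. The same hunk renames the `encrypt` parameter to `encryptp`, presumably to stop it shadowing the member of the same name; a short comment would save the next reader the same question. `F_DISABLED` in the `@@ -67,6 +67,7 @@` hunk says what the flag means but not where it is honoured; if the enctype and checksum lookup paths test it, a comment naming that check would help.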
@@ -148,34 +154,137 @@ static krb5_error_code hmac(krb5_context context, struct key_data *keyblock, Checksum *result); static void free_key_data(krb5_context context, struct key_data *key); -static krb5_error_code usage2arcfour (krb5_context, int *); +static krb5_error_code usage2arcfour (krb5_context, unsigned *); +static void xor (DES_cblock *, const unsigned char *); /************************************************************ * * ************************************************************/ +static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER; + + static void krb5_DES_random_key(krb5_context context, krb5_keyblock *key) { - des_cblock *k = key->keyvalue.data; + DES_cblock *k = key->keyvalue.data; do { - krb5_generate_random_block(k, sizeof(des_cblock)); - des_set_odd_parity(k); - } while(des_is_weak_key(k)); + krb5_generate_random_block(k, sizeof(DES_cblock)); + DES_set_odd_parity(k); + } while(DES_is_weak_key(k)); } static void krb5_DES_schedule(krb5_context context, - struct key_data *key) + struct key_data *key) { - des_set_key(key->key->keyvalue.data, key->schedule->data); + DES_set_key(key->key->keyvalue.data, key->schedule->data); } +#ifdef ENABLE_AFS_STRING_TO_KEY + +/* This defines the Andrew string_to_key function. It accepts a password + * string as input and converts it via a one-way encryption algorithm to a DES + * encryption key. It is compatible with the original Andrew authentication + * service password database. + */ + +/* + * Short passwords, i.e 8 characters or less. + */ static void -DES_string_to_key_int(unsigned char *data, size_t length, des_cblock *key) +krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, + krb5_data cell, + DES_cblock *key) { - des_key_schedule schedule; + char password[8+1]; /* crypt is limited to 8 chars anyway */ + int i; + + for(i = 0; i < 8; i++) { + char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^ + ((i < cell.length) ? + tolower(((unsigned char*)cell.data)[i]) : 0); + password[i] = c ? 
c : 'X'; + } + password[8] = '\0'; + + memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock)); + + /* parity is inserted into the LSB so left shift each byte up one + bit. This allows ascii characters with a zero MSB to retain as + much significance as possible. */ + for (i = 0; i < sizeof(DES_cblock); i++) + ((unsigned char*)key)[i] <<= 1; + DES_set_odd_parity (key); +} + +/* + * Long passwords, i.e 9 characters or more. + */ +static void +krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, + krb5_data cell, + DES_cblock *key) +{ + DES_key_schedule schedule; + DES_cblock temp_key; + DES_cblock ivec; + char password[512]; + size_t passlen; + + memcpy(password, pw.data, min(pw.length, sizeof(password))); + if(pw.length < sizeof(password)) { + int len = min(cell.length, sizeof(password) - pw.length); + int i; + + memcpy(password + pw.length, cell.data, len); + for (i = pw.length; i < pw.length + len; ++i) + password[i] = tolower((unsigned char)password[i]); + } + passlen = min(sizeof(password), pw.length + cell.length); + memcpy(&ivec, "kerberos", 8); + memcpy(&temp_key, "kerberos", 8); + DES_set_odd_parity (&temp_key); + DES_set_key (&temp_key, &schedule); + DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec); + + memcpy(&temp_key, &ivec, 8); + DES_set_odd_parity (&temp_key); + DES_set_key (&temp_key, &schedule); + DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec); + memset(&schedule, 0, sizeof(schedule)); + memset(&temp_key, 0, sizeof(temp_key)); + memset(&ivec, 0, sizeof(ivec)); + memset(password, 0, sizeof(password)); + + DES_set_odd_parity (key); +} + +static krb5_error_code +DES_AFS3_string_to_key(krb5_context context, + krb5_enctype enctype, + krb5_data password, + krb5_salt salt, + krb5_data opaque, + krb5_keyblock *key) +{ + DES_cblock tmp; + if(password.length > 8) + krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp); + else + krb5_DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp); + key->keytype = 
enctype; + krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp)); + memset(&key, 0, sizeof(key)); + return 0; +} +#endif /* ENABLE_AFS_STRING_TO_KEY */ + +static void +DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key) +{ + DES_key_schedule schedule; int i; int reverse = 0; unsigned char *p; @@ -194,13 +303,15 @@ DES_string_to_key_int(unsigned char *data, size_t length, des_cblock *key) if((i % 8) == 7) reverse = !reverse; } - des_set_odd_parity(key); - if(des_is_weak_key(key)) + DES_set_odd_parity(key); + if(DES_is_weak_key(key)) + (*key)[7] ^= 0xF0; + DES_set_key(key, &schedule); + DES_cbc_cksum((void*)data, key, length, &schedule, key); + memset(&schedule, 0, sizeof(schedule)); + DES_set_odd_parity(key); + if(DES_is_weak_key(key)) (*key)[7] ^= 0xF0; - des_set_key(key, schedule); - des_cbc_cksum((void*)data, key, length, schedule, key); - memset(schedule, 0, sizeof(schedule)); - des_set_odd_parity(key); } static krb5_error_code @@ -213,7 +324,17 @@ krb5_DES_string_to_key(krb5_context context, { unsigned char *s; size_t len; - des_cblock tmp; + DES_cblock tmp; + +#ifdef ENABLE_AFS_STRING_TO_KEY + if (opaque.length == 1) { + unsigned long v; + _krb5_get_int(opaque.data, &v, 1); + if (v == 1) + return DES_AFS3_string_to_key(context, enctype, password, + salt, opaque, key); + } +#endif len = password.length + salt.saltvalue.length; s = malloc(len); 
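Review bot: In the new `DES_AFS3_string_to_key`, `memset(&key, 0, sizeof(key));` clears the local pointer variable `key`, not the key material: the derived DES key lives in `DES_cblock tmp`, which is left on the stack after `krb5_data_copy` has taken its copy. The line should read `memset(tmp, 0, sizeof(tmp));` — the removed copy of this function in the `@@ -232,126 +353,47 @@` hunk had the same defect, so the move is the moment to fix it, and the two AFS helpers above it already wipe `schedule`, `temp_key`, `ivec` and `password`. The return value of `krb5_data_copy` is also discarded; if it reports allocation failure, returning it instead of 0 would keep callers from proceeding with an empty keyblock. `krb5_DES_AFS3_CMU_string_to_key` likewise does pointer arithmetic on `crypt(password, "p1")` without a NULL check, which some libcs return on error.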
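Review bot: The second parity/weak-key correction added after `DES_cbc_cksum` in `DES_string_to_key_int` has no comment, and a reader will take it for a leftover duplicate of the check four lines above. Suggest `/* key_correction() again: the CBC checksum output is the final key and may itself have bad parity or be weak */`. `DES_string_to_key_int` starts outside this hunk.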
@@ -232,126 +353,47 @@ krb5_DES_string_to_key(krb5_context context, return 0; } -/* This defines the Andrew string_to_key function. It accepts a password - * string as input and converts its via a one-way encryption algorithm to a DES - * encryption key. It is compatible with the original Andrew authentication - * service password database. - */ - -/* - * Short passwords, i.e 8 characters or less. - */ static void -krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, - krb5_data cell, - des_cblock *key) +krb5_DES_random_to_key(krb5_context context, + krb5_keyblock *key, + const void *data, + size_t size) { - char password[8+1]; /* crypt is limited to 8 chars anyway */ - int i; - - for(i = 0; i < 8; i++) { - char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^ - ((i < cell.length) ? - tolower(((unsigned char*)cell.data)[i]) : 0); - password[i] = c ? c : 'X'; - } - password[8] = '\0'; - - memcpy(key, crypt(password, "p1") + 2, sizeof(des_cblock)); - - /* parity is inserted into the LSB so left shift each byte up one - bit. This allows ascii characters with a zero MSB to retain as - much significance as possible. */ - for (i = 0; i < sizeof(des_cblock); i++) - ((unsigned char*)key)[i] <<= 1; - des_set_odd_parity (key); + DES_cblock *k = key->keyvalue.data; + memcpy(k, data, key->keyvalue.length); + DES_set_odd_parity(k); + if(DES_is_weak_key(k)) + xor(k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } /* - * Long passwords, i.e 9 characters or more. 
+ * */ -static void -krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, - krb5_data cell, - des_cblock *key) -{ - des_key_schedule schedule; - des_cblock temp_key; - des_cblock ivec; - char password[512]; - size_t passlen; - - memcpy(password, pw.data, min(pw.length, sizeof(password))); - if(pw.length < sizeof(password)) { - int len = min(cell.length, sizeof(password) - pw.length); - int i; - - memcpy(password + pw.length, cell.data, len); - for (i = pw.length; i < pw.length + len; ++i) - password[i] = tolower((unsigned char)password[i]); - } - passlen = min(sizeof(password), pw.length + cell.length); - memcpy(&ivec, "kerberos", 8); - memcpy(&temp_key, "kerberos", 8); - des_set_odd_parity (&temp_key); - des_set_key (&temp_key, schedule); - des_cbc_cksum (password, &ivec, passlen, schedule, &ivec); - - memcpy(&temp_key, &ivec, 8); - des_set_odd_parity (&temp_key); - des_set_key (&temp_key, schedule); - des_cbc_cksum (password, key, passlen, schedule, &ivec); - memset(&schedule, 0, sizeof(schedule)); - memset(&temp_key, 0, sizeof(temp_key)); - memset(&ivec, 0, sizeof(ivec)); - memset(password, 0, sizeof(password)); - - des_set_odd_parity (key); -} - -static krb5_error_code -DES_AFS3_string_to_key(krb5_context context, - krb5_enctype enctype, - krb5_data password, - krb5_salt salt, - krb5_data opaque, - krb5_keyblock *key) -{ - des_cblock tmp; - if(password.length > 8) - krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp); - else - krb5_DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp); - key->keytype = enctype; - krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp)); - memset(&key, 0, sizeof(key)); - return 0; -} static void DES3_random_key(krb5_context context, krb5_keyblock *key) { - des_cblock *k = key->keyvalue.data; + DES_cblock *k = key->keyvalue.data; do { - krb5_generate_random_block(k, 3 * sizeof(des_cblock)); - des_set_odd_parity(&k[0]); - des_set_odd_parity(&k[1]); - des_set_odd_parity(&k[2]); - } while(des_is_weak_key(&k[0]) || - 
des_is_weak_key(&k[1]) || - des_is_weak_key(&k[2])); + krb5_generate_random_block(k, 3 * sizeof(DES_cblock)); + DES_set_odd_parity(&k[0]); + DES_set_odd_parity(&k[1]); + DES_set_odd_parity(&k[2]); + } while(DES_is_weak_key(&k[0]) || + DES_is_weak_key(&k[1]) || + DES_is_weak_key(&k[2])); } static void DES3_schedule(krb5_context context, struct key_data *key) { - des_cblock *k = key->key->keyvalue.data; - des_key_schedule *s = key->schedule->data; - des_set_key(&k[0], s[0]); - des_set_key(&k[1], s[1]); - des_set_key(&k[2], s[2]); + DES_cblock *k = key->key->keyvalue.data; + DES_key_schedule *s = key->schedule->data; + DES_set_key(&k[0], &s[0]); + DES_set_key(&k[1], &s[1]); + DES_set_key(&k[2], &s[2]); } /* @@ -359,7 +401,7 @@ DES3_schedule(krb5_context context, */ static void -xor (des_cblock *key, const unsigned char *b) +xor (DES_cblock *key, const unsigned char *b) { unsigned char *a = (unsigned char*)key; a[0] ^= b[0]; @@ -383,7 +425,8 @@ DES3_string_to_key(krb5_context context, char *str; size_t len; unsigned char tmp[24]; - des_cblock keys[3]; + DES_cblock keys[3]; + krb5_error_code ret; len = password.length + salt.saltvalue.length; str = malloc(len); 
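Review bot: `krb5_DES_random_to_key` never looks at its `size` argument and copies `key->keyvalue.length` bytes out of `data`, so a caller supplying fewer bytes than the key length over-reads the source buffer; since the function is `void` it cannot report this, so at minimum the precondition should be stated, e.g. `/* caller must supply at least key->keyvalue.length bytes; size is not checked */`, or the copy bounded and the mismatch aborted. The relocated `DES_AFS3_string_to_key` (its new position is in the first hunk of this file) still carries `memset(&key, 0, sizeof(key));`, which wipes the local `krb5_keyblock *` pointer rather than the `DES_cblock tmp` holding the derived key, so the key material stays on the stack; it should read `memset(tmp, 0, sizeof(tmp));`. That line is moved code rather than new, but the commit is the natural place to fix it while the function is being touched.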
@@ -394,29 +437,35 @@ DES3_string_to_key(krb5_context context, memcpy(str, password.data, password.length); memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length); { - des_cblock ivec; - des_key_schedule s[3]; + DES_cblock ivec; + DES_key_schedule s[3]; int i; - _krb5_n_fold(str, len, tmp, 24); + ret = _krb5_n_fold(str, len, tmp, 24); + if (ret) { + memset(str, 0, len); + free(str); + krb5_set_error_string(context, "out of memory"); + return ret; + } for(i = 0; i < 3; i++){ memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); - des_set_odd_parity(keys + i); - if(des_is_weak_key(keys + i)) + DES_set_odd_parity(keys + i); + if(DES_is_weak_key(keys + i)) xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); - des_set_key(keys + i, s[i]); + DES_set_key(keys + i, &s[i]); } memset(&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt(tmp, + DES_ede3_cbc_encrypt(tmp, tmp, sizeof(tmp), - s[0], s[1], s[2], &ivec, DES_ENCRYPT); + &s[0], &s[1], &s[2], &ivec, DES_ENCRYPT); memset(s, 0, sizeof(s)); memset(&ivec, 0, sizeof(ivec)); for(i = 0; i < 3; i++){ memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); - des_set_odd_parity(keys + i); - if(des_is_weak_key(keys + i)) + DES_set_odd_parity(keys + i); + if(DES_is_weak_key(keys + i)) xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } memset(tmp, 0, sizeof(tmp)); 
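Review bot: The new error branch after `_krb5_n_fold` always reports `"out of memory"` regardless of what `ret` holds; if `_krb5_n_fold` can fail for any other reason (its body is not in this view) the message misleads, so either leave the error string alone and just propagate `ret`, or set the message only when `ret == ENOMEM`. The return value of `DES_set_key(keys + i, &s[i])` is still discarded; with OpenSSL's API `DES_set_key` defers to `DES_set_key_checked` when the process-global `DES_check_key` flag is set and can then fail and leave `s[i]` uninitialised — the weak-key XOR just above makes that unlikely, but `DES_set_key_unchecked` would state the intent and remove the dependence on a global. DES3_string_to_key's body continues outside the hunk.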
@@ -458,19 +507,47 @@ DES3_string_to_key_derived(krb5_context context, return ret; } +static void +DES3_random_to_key(krb5_context context, + krb5_keyblock *key, + const void *data, + size_t size) +{ + unsigned char *x = key->keyvalue.data; + const u_char *q = data; + DES_cblock *k; + int i, j; + + memset(x, 0, sizeof(x)); + for (i = 0; i < 3; ++i) { + unsigned char foo; + for (j = 0; j < 7; ++j) { + unsigned char b = q[7 * i + j]; + + x[8 * i + j] = b; + } + foo = 0; + for (j = 6; j >= 0; --j) { + foo |= q[7 * i + j] & 1; + foo <<= 1; + } + x[8 * i + 7] = foo; + } + k = key->keyvalue.data; + for (i = 0; i < 3; i++) { + DES_set_odd_parity(&k[i]); + if(DES_is_weak_key(&k[i])) + xor(&k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + } +} + /* * ARCFOUR */ static void -ARCFOUR_random_key(krb5_context context, krb5_keyblock *key) -{ - krb5_generate_random_block (key->keyvalue.data, - key->keyvalue.length); -} - -static void -ARCFOUR_schedule(krb5_context context, struct key_data *kd) +ARCFOUR_schedule(krb5_context context, + struct key_data *kd) { RC4_set_key (kd->schedule->data, kd->key->keyvalue.length, kd->key->keyvalue.data); @@ -488,12 +565,14 @@ ARCFOUR_string_to_key(krb5_context context, size_t len; int i; MD4_CTX m; + krb5_error_code ret; len = 2 * password.length; s = malloc (len); if (len != 0 && s == NULL) { krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; + ret = ENOMEM; + goto out; } for (p = s, i = 0; i < password.length; ++i) { *p++ = ((char *)password.data)[i]; 
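Review bot: In `DES3_random_to_key`, `memset(x, 0, sizeof(x));` clears only `sizeof(unsigned char *)` bytes because `x` is a pointer, not the 24-byte key buffer the line is evidently meant to clear; it should be `memset(x, 0, key->keyvalue.length);`. Every byte of the buffer is overwritten by the two loops that follow (assuming `keyvalue.length` is 24), so the effect today is cosmetic, but the line reads as a bug and will be copied. As in the DES variant earlier in this file, `size` is unused while the loops read `q[0]` through `q[20]`, so a caller passing fewer than 21 bytes over-reads `data`; a comment stating that precondition, or a check against `size`, would make the contract explicit.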
@@ -502,125 +581,24 @@ ARCFOUR_string_to_key(krb5_context context, MD4_Init (&m); MD4_Update (&m, s, len); key->keytype = enctype; - krb5_data_alloc (&key->keyvalue, 16); + ret = krb5_data_alloc (&key->keyvalue, 16); + if (ret) { + krb5_set_error_string(context, "malloc: out of memory"); + goto out; + } MD4_Final (key->keyvalue.data, &m); memset (s, 0, len); + ret = 0; +out: free (s); - return 0; + return ret; } -#ifdef ENABLE_AES /* * AES */ -/* iter is really 1 based, so iter == 0 will be 1 iteration */ - -krb5_error_code -krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, - krb5_data password, krb5_salt salt, u_int32_t iter, - krb5_keytype type, krb5_keyblock *key) -{ - struct checksum_type *c = _find_checksum(cktype); - struct key_type *kt; - size_t datalen, leftofkey; - krb5_error_code ret; - u_int32_t keypart; - struct key_data ksign; - krb5_keyblock kb; - Checksum result; - char *data, *tmpcksum; - int i, j; - char *p; - - if (c == NULL) { - krb5_set_error_string(context, "checksum %d not supported", cktype); - return KRB5_PROG_KEYTYPE_NOSUPP; - } - - kt = _find_keytype(type); - if (kt == NULL) { - krb5_set_error_string(context, "key type %d not supported", type); - return KRB5_PROG_KEYTYPE_NOSUPP; - } - - key->keytype = type; - ret = krb5_data_alloc (&key->keyvalue, kt->bits / 8); - if (ret) { - krb5_set_error_string(context, "malloc: out of memory"); - return ret; - } - - ret = krb5_data_alloc (&result.checksum, c->checksumsize); - if (ret) { - krb5_set_error_string(context, "malloc: out of memory"); - krb5_data_free (&key->keyvalue); - return ret; - } - - tmpcksum = malloc(c->checksumsize); - if (tmpcksum == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - krb5_data_free (&key->keyvalue); - krb5_data_free (&result.checksum); - return ENOMEM; - } - - datalen = salt.saltvalue.length + 4; - data = malloc(datalen); - if (data == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - free(tmpcksum); - 
krb5_data_free (&key->keyvalue); - krb5_data_free (&result.checksum); - return ENOMEM; - } - - kb.keyvalue = password; - ksign.key = &kb; - - memcpy(data, salt.saltvalue.data, salt.saltvalue.length); - - keypart = 1; - leftofkey = key->keyvalue.length; - p = key->keyvalue.data; - - while (leftofkey) { - int len; - - if (leftofkey > c->checksumsize) - len = c->checksumsize; - else - len = leftofkey; - - _krb5_put_int(data + datalen - 4, keypart, 4); - - ret = hmac(context, c, data, datalen, 0, &ksign, &result); - if (ret) - krb5_abortx(context, "hmac failed"); - memcpy(p, result.checksum.data, len); - memcpy(tmpcksum, result.checksum.data, result.checksum.length); - for (i = 0; i < iter; i++) { - ret = hmac(context, c, tmpcksum, result.checksum.length, - 0, &ksign, &result); - if (ret) - krb5_abortx(context, "hmac failed"); - memcpy(tmpcksum, result.checksum.data, result.checksum.length); - for (j = 0; j < len; j++) - p[j] ^= tmpcksum[j]; - } - - p += len; - leftofkey -= len; - keypart++; - } - - free(data); - free(tmpcksum); - krb5_data_free (&result.checksum); - - return 0; -} +int _krb5_AES_string_to_default_iterator = 4096; static krb5_error_code AES_string_to_key(krb5_context context, 
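Review bot: On the new `krb5_data_alloc` failure path in ARCFOUR_string_to_key, `goto out` skips `memset (s, 0, len);`, so the buffer holding the password (in its two-bytes-per-character form) is freed without being wiped, which the original single-path code avoided. Moving the clear under the label fixes it and is safe on the malloc-failure path where `s` is NULL: `out: if (s != NULL) memset (s, 0, len);` followed by the existing `free (s);`. The `MD4_CTX m` also carries password-derived state and is not cleared on any path, which predates this change but could be handled at the same label. Separately, this hunk removes the non-static `krb5_PKCS5_PBKDF2`; if that symbol was exported from the library, downstream callers may still reference it, so the export list is worth checking.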
@@ -631,66 +609,132 @@ AES_string_to_key(krb5_context context, krb5_keyblock *key) { krb5_error_code ret; - u_int32_t iter; + uint32_t iter; struct encryption_type *et; struct key_data kd; if (opaque.length == 0) - iter = 45056 - 1; + iter = _krb5_AES_string_to_default_iterator; else if (opaque.length == 4) { unsigned long v; _krb5_get_int(opaque.data, &v, 4); - iter = ((u_int32_t)v) - 1; + iter = ((uint32_t)v); } else return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */ - et = _find_enctype(enctype); if (et == NULL) return KRB5_PROG_KEYTYPE_NOSUPP; - ret = krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, - iter, enctype, key); - if (ret) - return ret; - - ret = krb5_copy_keyblock(context, key, &kd.key); kd.schedule = NULL; + ALLOC(kd.key, 1); + if(kd.key == NULL) { + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + kd.key->keytype = enctype; + ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size); + if (ret) { + krb5_set_error_string(context, "Failed to allocate pkcs5 key"); + return ret; + } + + ret = PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length, + salt.saltvalue.data, salt.saltvalue.length, + iter, + et->keytype->size, kd.key->keyvalue.data); + if (ret != 1) { + free_key_data(context, &kd); + krb5_set_error_string(context, "Error calculating s2k"); + return KRB5_PROG_KEYTYPE_NOSUPP; + } ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos")); - - if (ret) { - krb5_data_free(&key->keyvalue); - } else { + if (ret == 0) ret = krb5_copy_keyblock_contents(context, kd.key, key); - free_key_data(context, &kd); - } + free_key_data(context, &kd); return ret; } +struct krb5_aes_schedule { + AES_KEY ekey; + AES_KEY dkey; +}; + static void -AES_schedule(krb5_context context, struct key_data *kd) +AES_schedule(krb5_context context, + struct key_data *kd) { - AES_KEY *key = kd->schedule->data; + struct krb5_aes_schedule *key = kd->schedule->data; int bits = kd->key->keyvalue.length * 8; - - 
AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key[0]); - AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key[1]); + + memset(key, 0, sizeof(*key)); + AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key->ekey); + AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key->dkey); } /* * */ -extern struct salt_type AES_salt[]; +static struct salt_type des_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + krb5_DES_string_to_key + }, +#ifdef ENABLE_AFS_STRING_TO_KEY + { + KRB5_AFS3_SALT, + "afs3-salt", + DES_AFS3_string_to_key + }, +#endif + { 0 } +}; -#endif /* ENABLE_AES */ +static struct salt_type des3_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + DES3_string_to_key + }, + { 0 } +}; -extern struct salt_type des_salt[], - des3_salt[], des3_salt_derived[], arcfour_salt[]; +static struct salt_type des3_salt_derived[] = { + { + KRB5_PW_SALT, + "pw-salt", + DES3_string_to_key_derived + }, + { 0 } +}; -struct key_type keytype_null = { +static struct salt_type AES_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + AES_string_to_key + }, + { 0 } +}; + +static struct salt_type arcfour_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + ARCFOUR_string_to_key + }, + { 0 } +}; + +/* + * + */ + +static struct key_type keytype_null = { KEYTYPE_NULL, "null", 0, 
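Review bot: When `krb5_data_alloc(&kd.key->keyvalue, ...)` fails, AES_string_to_key returns without releasing `kd.key`, which was just obtained via `ALLOC(kd.key, 1)`, so that error path leaks; the `PKCS5_PBKDF2_HMAC_SHA1` failure a few lines later does clean up through `free_key_data`. The two lines should become `free(kd.key); return ret;` (or route through `free_key_data` if it tolerates an empty keyvalue). The `PKCS5_PBKDF2_HMAC_SHA1` failure is reported as `KRB5_PROG_KEYTYPE_NOSUPP`, which tells the caller the enctype is unsupported rather than that key derivation failed; a different code, or at least the error string it already sets, is what a caller will see. Finally, the default iteration count moves from 45056 to 4096 via the mutable global `_krb5_AES_string_to_default_iterator`; 4096 is the RFC 3962 default so interoperability holds, but a one-line comment to that effect next to the definition would save the next reader a search.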
@@ -701,83 +745,82 @@ struct key_type keytype_null = { NULL }; -struct key_type keytype_des = { +static struct key_type keytype_des = { KEYTYPE_DES, "des", 56, - sizeof(des_cblock), - sizeof(des_key_schedule), + sizeof(DES_cblock), + sizeof(DES_key_schedule), krb5_DES_random_key, krb5_DES_schedule, - des_salt + des_salt, + krb5_DES_random_to_key }; -struct key_type keytype_des3 = { +static struct key_type keytype_des3 = { KEYTYPE_DES3, "des3", 168, - 3 * sizeof(des_cblock), - 3 * sizeof(des_key_schedule), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_key_schedule), DES3_random_key, DES3_schedule, - des3_salt + des3_salt, + DES3_random_to_key }; -struct key_type keytype_des3_derived = { +static struct key_type keytype_des3_derived = { KEYTYPE_DES3, "des3", 168, - 3 * sizeof(des_cblock), - 3 * sizeof(des_key_schedule), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_key_schedule), DES3_random_key, DES3_schedule, - des3_salt_derived + des3_salt_derived, + DES3_random_to_key }; -#ifdef ENABLE_AES -struct key_type keytype_aes128 = { +static struct key_type keytype_aes128 = { KEYTYPE_AES128, "aes-128", 128, 16, - sizeof(AES_KEY) * 2, + sizeof(struct krb5_aes_schedule), NULL, AES_schedule, AES_salt }; -struct key_type keytype_aes256 = { +static struct key_type keytype_aes256 = { KEYTYPE_AES256, "aes-256", 256, - 16, - sizeof(AES_KEY) * 2, + 32, + sizeof(struct krb5_aes_schedule), NULL, AES_schedule, AES_salt }; -#endif /* ENABLE_AES */ -struct key_type keytype_arcfour = { +static struct key_type keytype_arcfour = { KEYTYPE_ARCFOUR, "arcfour", 128, 16, sizeof(RC4_KEY), - ARCFOUR_random_key, + NULL, ARCFOUR_schedule, arcfour_salt }; -struct key_type *keytypes[] = { +static struct key_type *keytypes[] = { &keytype_null, &keytype_des, &keytype_des3_derived, &keytype_des3, -#ifdef ENABLE_AES &keytype_aes128, &keytype_aes256, -#endif /* ENABLE_AES */ &keytype_arcfour }; 
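Review bot: The `keytype_aes128`, `keytype_aes256` and `keytype_arcfour` initializers stop before the new trailing `random_to_key` member that `keytype_des` and `keytype_des3` set explicitly, leaving it implicitly zero; that is valid C, but an explicit `NULL` (as the arcfour entry already does for `random_key`) documents that no random-to-key conversion is defined rather than looking like an omission. The aes-256 key size correction from 16 to 32 is a behaviour change buried in a hunk that otherwise only adds `static` and renames types; a short comment on that initializer, or a mention in the commit message, would help anyone bisecting it later.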
@@ -794,59 +837,7 @@ _find_keytype(krb5_keytype type) } -struct salt_type des_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - krb5_DES_string_to_key - }, - { - KRB5_AFS3_SALT, - "afs3-salt", - DES_AFS3_string_to_key - }, - { 0 } -}; - -struct salt_type des3_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - DES3_string_to_key - }, - { 0 } -}; - -struct salt_type des3_salt_derived[] = { - { - KRB5_PW_SALT, - "pw-salt", - DES3_string_to_key_derived - }, - { 0 } -}; - -#ifdef ENABLE_AES -struct salt_type AES_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - AES_string_to_key - }, - { 0 } -}; -#endif /* ENABLE_AES */ - -struct salt_type arcfour_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - ARCFOUR_string_to_key - }, - { 0 } -}; - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_salttype_to_string (krb5_context context, krb5_enctype etype, krb5_salttype stype, @@ -875,7 +866,7 @@ krb5_salttype_to_string (krb5_context context, return HEIM_ERR_SALTTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_salttype (krb5_context context, krb5_enctype etype, const char *string, @@ -900,7 +891,7 @@ krb5_string_to_salttype (krb5_context context, return HEIM_ERR_SALTTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_pw_salt(krb5_context context, krb5_const_principal principal, krb5_salt *salt) @@ -929,7 +920,7 @@ krb5_get_pw_salt(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_salt(krb5_context context, krb5_salt salt) { @@ -937,7 +928,7 @@ krb5_free_salt(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -955,7 +946,7 @@ krb5_string_to_key_data (krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key (krb5_context context, krb5_enctype enctype, const char *password, 
@@ -963,12 +954,12 @@ krb5_string_to_key (krb5_context context, krb5_keyblock *key) { krb5_data pw; - pw.data = (void*)password; + pw.data = rk_UNCONST(password); pw.length = strlen(password); return krb5_string_to_key_data(context, enctype, pw, principal, key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -987,7 +978,7 @@ krb5_string_to_key_data_salt (krb5_context context, * `opaque'), returning the resulting key in `key' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt_opaque (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -1017,7 +1008,7 @@ krb5_string_to_key_data_salt_opaque (krb5_context context, * in `key' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_salt (krb5_context context, krb5_enctype enctype, const char *password, @@ -1025,12 +1016,27 @@ krb5_string_to_key_salt (krb5_context context, krb5_keyblock *key) { krb5_data pw; - pw.data = (void*)password; + pw.data = rk_UNCONST(password); pw.length = strlen(password); return krb5_string_to_key_data_salt(context, enctype, pw, salt, key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_string_to_key_salt_opaque (krb5_context context, + krb5_enctype enctype, + const char *password, + krb5_salt salt, + krb5_data opaque, + krb5_keyblock *key) +{ + krb5_data pw; + pw.data = rk_UNCONST(password); + pw.length = strlen(password); + return krb5_string_to_key_data_salt_opaque(context, enctype, + pw, salt, opaque, key); +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_string(krb5_context context, krb5_keytype keytype, char **string) @@ -1048,7 +1054,7 @@ krb5_keytype_to_string(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_keytype(krb5_context context, const char *string, krb5_keytype *keytype) 
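Review bot: `krb5_string_to_key_salt_opaque` is a new exported entry point with no descriptive comment, while its neighbours `krb5_string_to_key_data_salt_opaque` and `krb5_string_to_key_salt` each carry a block comment describing the parameters; a one-liner such as `/* As krb5_string_to_key_data_salt_opaque, but taking the password as a NUL-terminated string. */` keeps the section consistent. The same applies to `krb5_enctype_keybits` in the hunk at -1078 and to `krb5_crypto_get_checksum_type` in the hunk at -1952, both new public functions added without a comment.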
@@ -1063,7 +1069,7 @@ krb5_string_to_keytype(krb5_context context, return KRB5_PROG_KEYTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_keysize(krb5_context context, krb5_enctype type, size_t *keysize) @@ -1078,7 +1084,22 @@ krb5_enctype_keysize(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_keybits(krb5_context context, + krb5_enctype type, + size_t *keybits) +{ + struct encryption_type *et = _find_enctype(type); + if(et == NULL) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + *keybits = et->keytype->bits; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_random_keyblock(krb5_context context, krb5_enctype type, krb5_keyblock *key) @@ -1151,7 +1172,7 @@ CRC32_checksum(krb5_context context, unsigned usage, Checksum *C) { - u_int32_t crc; + uint32_t crc; unsigned char *r = C->checksum.data; _krb5_crc_init_table (); crc = _krb5_crc_update (data, len, 0); @@ -1185,7 +1206,7 @@ RSA_MD4_DES_checksum(krb5_context context, Checksum *cksum) { MD4_CTX md4; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = cksum->checksum.data; krb5_generate_random_block(p, 8); @@ -1194,7 +1215,7 @@ RSA_MD4_DES_checksum(krb5_context context, MD4_Update (&md4, data, len); MD4_Final (p + 8, &md4); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(p, + DES_cbc_encrypt(p, p, 24, key->schedule->data, @@ -1213,11 +1234,11 @@ RSA_MD4_DES_verify(krb5_context context, MD4_CTX md4; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; + DES_cblock ivec; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(C->checksum.data, + DES_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, key->schedule->data, 
@@ -1260,7 +1281,7 @@ RSA_MD5_DES_checksum(krb5_context context, Checksum *C) { MD5_CTX md5; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = C->checksum.data; krb5_generate_random_block(p, 8); @@ -1269,7 +1290,7 @@ RSA_MD5_DES_checksum(krb5_context context, MD5_Update (&md5, data, len); MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(p, + DES_cbc_encrypt(p, p, 24, key->schedule->data, @@ -1288,15 +1309,15 @@ RSA_MD5_DES_verify(krb5_context context, MD5_CTX md5; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; - des_key_schedule *sched = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *sched = key->schedule->data; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(C->checksum.data, + DES_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, - sched[0], + &sched[0], &ivec, DES_DECRYPT); MD5_Init (&md5); @@ -1321,9 +1342,9 @@ RSA_MD5_DES3_checksum(krb5_context context, Checksum *C) { MD5_CTX md5; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = C->checksum.data; - des_key_schedule *sched = key->schedule->data; + DES_key_schedule *sched = key->schedule->data; krb5_generate_random_block(p, 8); MD5_Init (&md5); @@ -1331,10 +1352,10 @@ RSA_MD5_DES3_checksum(krb5_context context, MD5_Update (&md5, data, len); MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt(p, + DES_ede3_cbc_encrypt(p, p, 24, - sched[0], sched[1], sched[2], + &sched[0], &sched[1], &sched[2], &ivec, DES_ENCRYPT); } 
@@ -1350,15 +1371,15 @@ RSA_MD5_DES3_verify(krb5_context context, MD5_CTX md5; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; - des_key_schedule *sched = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *sched = key->schedule->data; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt(C->checksum.data, + DES_ede3_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, - sched[0], sched[1], sched[2], + &sched[0], &sched[1], &sched[2], &ivec, DES_DECRYPT); MD5_Init (&md5); @@ -1447,7 +1468,7 @@ hmac(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_hmac(krb5_context context, krb5_cksumtype cktype, const void *data, @@ -1579,16 +1600,16 @@ HMAC_MD5_checksum_enc(krb5_context context, krb5_abortx(context, "hmac failed"); } -struct checksum_type checksum_none = { +static struct checksum_type checksum_none = { CKSUMTYPE_NONE, "none", 1, 0, - 0, + 0, NONE_checksum, NULL }; -struct checksum_type checksum_crc32 = { +static struct checksum_type checksum_crc32 = { CKSUMTYPE_CRC32, "crc32", 1, @@ -1597,7 +1618,7 @@ struct checksum_type checksum_crc32 = { CRC32_checksum, NULL }; -struct checksum_type checksum_rsa_md4 = { +static struct checksum_type checksum_rsa_md4 = { CKSUMTYPE_RSA_MD4, "rsa-md4", 64, @@ -1606,7 +1627,7 @@ struct checksum_type checksum_rsa_md4 = { RSA_MD4_checksum, NULL }; -struct checksum_type checksum_rsa_md4_des = { +static struct checksum_type checksum_rsa_md4_des = { CKSUMTYPE_RSA_MD4_DES, "rsa-md4-des", 64, @@ -1616,7 +1637,7 @@ struct checksum_type checksum_rsa_md4_des = { RSA_MD4_DES_verify }; #if 0 -struct checksum_type checksum_des_mac = { +static struct checksum_type checksum_des_mac = { CKSUMTYPE_DES_MAC, "des-mac", 0, @@ -1624,7 +1645,7 @@ struct checksum_type checksum_des_mac = { 0, DES_MAC_checksum }; -struct checksum_type checksum_des_mac_k = { +static struct checksum_type checksum_des_mac_k = { CKSUMTYPE_DES_MAC_K, "des-mac-k", 0, 
@@ -1632,7 +1653,7 @@ struct checksum_type checksum_des_mac_k = {
 0,
 DES_MAC_K_checksum
 };
-struct checksum_type checksum_rsa_md4_des_k = {
+static struct checksum_type checksum_rsa_md4_des_k = {
 CKSUMTYPE_RSA_MD4_DES_K,
 "rsa-md4-des-k",
 0,
@@ -1642,7 +1663,7 @@ struct checksum_type checksum_rsa_md4_des_k = {
 RSA_MD4_DES_K_verify
 };
 #endif
-struct checksum_type checksum_rsa_md5 = {
+static struct checksum_type checksum_rsa_md5 = {
 CKSUMTYPE_RSA_MD5,
 "rsa-md5",
 64,
@@ -1651,7 +1672,7 @@ struct checksum_type checksum_rsa_md5 = {
 RSA_MD5_checksum,
 NULL
 };
-struct checksum_type checksum_rsa_md5_des = {
+static struct checksum_type checksum_rsa_md5_des = {
 CKSUMTYPE_RSA_MD5_DES,
 "rsa-md5-des",
 64,
@@ -1660,7 +1681,7 @@ struct checksum_type checksum_rsa_md5_des = {
 RSA_MD5_DES_checksum,
 RSA_MD5_DES_verify
 };
-struct checksum_type checksum_rsa_md5_des3 = {
+static struct checksum_type checksum_rsa_md5_des3 = {
 CKSUMTYPE_RSA_MD5_DES3,
 "rsa-md5-des3",
 64,
@@ -1669,7 +1690,7 @@ struct checksum_type checksum_rsa_md5_des3 = {
 RSA_MD5_DES3_checksum,
 RSA_MD5_DES3_verify
 };
-struct checksum_type checksum_sha1 = {
+static struct checksum_type checksum_sha1 = {
 CKSUMTYPE_SHA1,
 "sha1",
 64,
@@ -1678,7 +1699,7 @@ struct checksum_type checksum_sha1 = {
 SHA1_checksum,
 NULL
 };
-struct checksum_type checksum_hmac_sha1_des3 = {
+static struct checksum_type checksum_hmac_sha1_des3 = {
 CKSUMTYPE_HMAC_SHA1_DES3,
 "hmac-sha1-des3",
 64,
@@ -1688,8 +1709,7 @@ struct checksum_type checksum_hmac_sha1_des3 = {
 NULL
 };
 
-#ifdef ENABLE_AES
-struct checksum_type checksum_hmac_sha1_aes128 = {
+static struct checksum_type checksum_hmac_sha1_aes128 = {
 CKSUMTYPE_HMAC_SHA1_96_AES_128,
 "hmac-sha1-96-aes128",
 64,
@@ -1699,7 +1719,7 @@ struct checksum_type checksum_hmac_sha1_aes128 = {
 NULL
 };
 
-struct checksum_type checksum_hmac_sha1_aes256 = {
+static struct checksum_type checksum_hmac_sha1_aes256 = {
 CKSUMTYPE_HMAC_SHA1_96_AES_256,
 "hmac-sha1-96-aes256",
 64,
@@ -1708,9 +1728,8 @@ struct checksum_type checksum_hmac_sha1_aes256 = { SP_HMAC_SHA1_checksum, NULL }; -#endif /* ENABLE_AES */ -struct checksum_type checksum_hmac_md5 = { +static struct checksum_type checksum_hmac_md5 = { CKSUMTYPE_HMAC_MD5, "hmac-md5", 64, @@ -1720,7 +1739,7 @@ struct checksum_type checksum_hmac_md5 = { NULL }; -struct checksum_type checksum_hmac_md5_enc = { +static struct checksum_type checksum_hmac_md5_enc = { CKSUMTYPE_HMAC_MD5_ENC, "hmac-md5-enc", 64, @@ -1730,7 +1749,7 @@ struct checksum_type checksum_hmac_md5_enc = { NULL }; -struct checksum_type *checksum_types[] = { +static struct checksum_type *checksum_types[] = { &checksum_none, &checksum_crc32, &checksum_rsa_md4, @@ -1745,10 +1764,8 @@ struct checksum_type *checksum_types[] = { &checksum_rsa_md5_des3, &checksum_sha1, &checksum_hmac_sha1_des3, -#ifdef ENABLE_AES &checksum_hmac_sha1_aes128, &checksum_hmac_sha1_aes256, -#endif &checksum_hmac_md5, &checksum_hmac_md5_enc }; @@ -1810,9 +1827,15 @@ create_checksum (krb5_context context, struct key_data *dkey; int keyed_checksum; + if (ct->flags & F_DISABLED) { + krb5_clear_error_string (context); + return KRB5_PROG_SUMTYPE_NOSUPP; + } keyed_checksum = (ct->flags & F_KEYED) != 0; if(keyed_checksum && crypto == NULL) { - krb5_clear_error_string (context); + krb5_set_error_string (context, "Checksum type %s is keyed " + "but no crypto context (key) was passed in", + ct->name); return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */ } if(keyed_checksum) { @@ -1822,7 +1845,9 @@ create_checksum (krb5_context context, } else dkey = NULL; result->cksumtype = ct->type; - krb5_data_alloc(&result->checksum, ct->checksumsize); + ret = krb5_data_alloc(&result->checksum, ct->checksumsize); + if (ret) + return (ret); (*ct->checksum)(context, dkey, data, len, usage, result); return 0; } 
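Review bot: The new `F_DISABLED` branch in `create_checksum` calls `krb5_clear_error_string` and returns `KRB5_PROG_SUMTYPE_NOSUPP`, whereas the matching branch added to `verify_checksum` in the hunk at -1886 reports `"checksum type %d not supported"`; a caller hitting the create side gets the error code with no message, which makes a deliberately disabled type hard to distinguish from a misconfiguration. Using the same `krb5_set_error_string (context, "checksum type %d not supported", ct->type);` here keeps the two paths consistent. The added `if (ret) return (ret);` after `krb5_data_alloc` likewise returns without setting an error string, unlike the `"malloc: out of memory"` pattern used elsewhere in this file.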
@@ -1834,7 +1859,7 @@ arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto) (crypto->key.key->keytype == KEYTYPE_ARCFOUR); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_create_checksum(krb5_context context, krb5_crypto crypto, krb5_key_usage usage, @@ -1886,7 +1911,7 @@ verify_checksum(krb5_context context, struct checksum_type *ct; ct = _find_checksum(cksum->cksumtype); - if (ct == NULL) { + if (ct == NULL || (ct->flags & F_DISABLED)) { krb5_set_error_string (context, "checksum type %d not supported", cksum->cksumtype); return KRB5_PROG_SUMTYPE_NOSUPP; @@ -1897,7 +1922,9 @@ verify_checksum(krb5_context context, } keyed_checksum = (ct->flags & F_KEYED) != 0; if(keyed_checksum && crypto == NULL) { - krb5_clear_error_string (context); + krb5_set_error_string (context, "Checksum type %s is keyed " + "but no crypto context (key) was passed in", + ct->name); return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */ } if(keyed_checksum) @@ -1924,7 +1951,7 @@ verify_checksum(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_checksum(krb5_context context, krb5_crypto crypto, krb5_key_usage usage, @@ -1952,7 +1979,31 @@ krb5_verify_checksum(krb5_context context, data, len, cksum); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_checksum_type(krb5_context context, + krb5_crypto crypto, + krb5_cksumtype *type) +{ + struct checksum_type *ct = NULL; + + if (crypto != NULL) { + ct = crypto->et->keyed_checksum; + if (ct == NULL) + ct = crypto->et->checksum; + } + + if (ct == NULL) { + krb5_set_error_string (context, "checksum type not found"); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + + *type = ct->type; + + return 0; +} + + +krb5_error_code KRB5_LIB_FUNCTION krb5_checksumsize(krb5_context context, krb5_cksumtype type, size_t *size) 
@@ -1967,32 +2018,49 @@ krb5_checksumsize(krb5_context context, return 0; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_keyed(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); return KRB5_PROG_SUMTYPE_NOSUPP; } return ct->flags & F_KEYED; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_collision_proof(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); return KRB5_PROG_SUMTYPE_NOSUPP; } return ct->flags & F_CPROOF; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_checksum_disable(krb5_context context, + krb5_cksumtype type) +{ + struct checksum_type *ct = _find_checksum(type); + if(ct == NULL) { + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + ct->flags |= F_DISABLED; + return 0; +} + /************************************************************ * * ************************************************************/ @@ -2002,7 +2070,7 @@ NULL_encrypt(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec) { 
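Review bot: `krb5_checksum_disable` sets `F_DISABLED` on the entry returned by `_find_checksum`, which presumably points into the file-static `checksum_types` table, so the effect is process-wide and shared by every `krb5_context`, is not guarded against concurrent callers, and has no counterpart to re-enable a type. That may be exactly the intended policy knob, but nothing says so; a header comment such as `/* Disable a checksum type for the whole process (all contexts); there is no way to re-enable it. */` would make the contract clear to callers and to anyone auditing which checksum types are live. The `if (context)` guards added to the two predicates above are a sensible change and the new function mirrors them.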
@@ -2014,14 +2082,14 @@ DES_CBC_encrypt_null_ivec(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_cbc_encrypt(data, data, len, s, &ivec, encryptp); return 0; } @@ -2030,14 +2098,14 @@ DES_CBC_encrypt_key_ivec(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); - des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_cbc_encrypt(data, data, len, s, &ivec, encryptp); return 0; } @@ -2046,17 +2114,17 @@ DES3_CBC_encrypt(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec) { - des_cblock local_ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock local_ivec; + DES_key_schedule *s = key->schedule->data; if(ivec == NULL) { ivec = &local_ivec; memset(local_ivec, 0, sizeof(local_ivec)); } - des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], ivec, encrypt); + DES_ede3_cbc_encrypt(data, data, len, &s[0], &s[1], &s[2], ivec, encryptp); return 0; } 
@@ -2065,16 +2133,16 @@ DES_CFB64_encrypt_null_ivec(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ignore_ivec) { - des_cblock ivec; + DES_cblock ivec; int num = 0; - des_key_schedule *s = key->schedule->data; + DES_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); - des_cfb64_encrypt(data, data, len, *s, &ivec, &num, encrypt); + DES_cfb64_encrypt(data, data, len, s, &ivec, &num, encryptp); return 0; } @@ -2083,31 +2151,28 @@ DES_PCBC_encrypt_key_ivec(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); - des_pcbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_pcbc_encrypt(data, data, len, s, &ivec, encryptp); return 0; } -#ifdef ENABLE_AES - /* * AES draft-raeburn-krb-rijndael-krb-02 */ -void +void KRB5_LIB_FUNCTION _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, - size_t len, const void *aes_key, - unsigned char *ivec, const int enc) + size_t len, const AES_KEY *key, + unsigned char *ivec, const int encryptp) { unsigned char tmp[AES_BLOCK_SIZE]; - const AES_KEY *key = aes_key; /* XXX remove this when we always have AES */ int i; /* @@ -2115,7 +2180,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, * then at least one blocksize. */ - if (enc == AES_ENCRYPT) { + if (encryptp) { while(len > AES_BLOCK_SIZE) { for (i = 0; i < AES_BLOCK_SIZE; i++) 
@@ -2135,10 +2200,11 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, AES_encrypt(tmp, out - AES_BLOCK_SIZE, key); memcpy(out, ivec, len); + memcpy(ivec, out - AES_BLOCK_SIZE, AES_BLOCK_SIZE); } else { - char tmp2[AES_BLOCK_SIZE]; - char tmp3[AES_BLOCK_SIZE]; + unsigned char tmp2[AES_BLOCK_SIZE]; + unsigned char tmp3[AES_BLOCK_SIZE]; while(len > AES_BLOCK_SIZE * 2) { memcpy(tmp, in, AES_BLOCK_SIZE); @@ -2153,6 +2219,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, len -= AES_BLOCK_SIZE; + memcpy(tmp, in, AES_BLOCK_SIZE); /* save last iv */ AES_decrypt(in, tmp2, key); memcpy(tmp3, in + AES_BLOCK_SIZE, len); @@ -2164,6 +2231,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, AES_decrypt(tmp3, out, key); for (i = 0; i < AES_BLOCK_SIZE; i++) out[i] ^= ivec[i]; + memcpy(ivec, tmp, AES_BLOCK_SIZE); } } @@ -2172,22 +2240,23 @@ AES_CTS_encrypt(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec) { - AES_KEY *k = key->schedule->data; + struct krb5_aes_schedule *aeskey = key->schedule->data; char local_ivec[AES_BLOCK_SIZE]; + AES_KEY *k; - if (encrypt) - k = &k[0]; + if (encryptp) + k = &aeskey->ekey; else - k = &k[1]; + k = &aeskey->dkey; if (len < AES_BLOCK_SIZE) krb5_abortx(context, "invalid use of AES_CTS_encrypt"); if (len == AES_BLOCK_SIZE) { - if (encrypt) + if (encryptp) AES_encrypt(data, data, k); else AES_decrypt(data, data, k); @@ -2196,12 +2265,11 @@ AES_CTS_encrypt(krb5_context context, memset(local_ivec, 0, sizeof(local_ivec)); ivec = local_ivec; } - _krb5_aes_cts_encrypt(data, data, len, k, ivec, encrypt); + _krb5_aes_cts_encrypt(data, data, len, k, ivec, encryptp); } return 0; } -#endif /* ENABLE_AES */ /* * section 6 of draft-brezak-win2k-krb-rc4-hmac-03 
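Review bot: `AES_CTS_encrypt` still aborts the whole process (`krb5_abortx`) when `len < AES_BLOCK_SIZE`, and the hunk now removes the `ENABLE_AES` guard so this path is always compiled in; if any decrypt caller can reach it with attacker-controlled length before the confounder/checksum length checks run, that is a remote denial of service rather than an error return, which is worth confirming against the callers (the new minimum-length check in `decrypt_internal_derived` elsewhere in this commit should make it unreachable, but that is an inference). On style, the context line `char local_ivec[AES_BLOCK_SIZE];` is the one remaining signed buffer now that `tmp2`/`tmp3` were changed to `unsigned char` in the same function family; `unsigned char local_ivec[AES_BLOCK_SIZE];` keeps the IV type consistent with `_krb5_aes_cts_encrypt`'s `unsigned char *ivec` parameter.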
@@ -2214,7 +2282,7 @@ ARCFOUR_subencrypt(krb5_context context, struct key_data *key, void *data, size_t len, - int usage, + unsigned usage, void *ivec) { struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); @@ -2277,7 +2345,7 @@ ARCFOUR_subdecrypt(krb5_context context, struct key_data *key, void *data, size_t len, - int usage, + unsigned usage, void *ivec) { struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); @@ -2350,7 +2418,7 @@ ARCFOUR_subdecrypt(krb5_context context, */ static krb5_error_code -usage2arcfour (krb5_context context, int *usage) +usage2arcfour (krb5_context context, unsigned *usage) { switch (*usage) { case KRB5_KU_AS_REP_ENC_PART : /* 3 */ 
@@ -2376,21 +2444,75 @@ ARCFOUR_encrypt(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec) { krb5_error_code ret; - if((ret = usage2arcfour (context, &usage)) != 0) + unsigned keyusage = usage; + + if((ret = usage2arcfour (context, &keyusage)) != 0) return ret; - if (encrypt) - return ARCFOUR_subencrypt (context, key, data, len, usage, ivec); + if (encryptp) + return ARCFOUR_subencrypt (context, key, data, len, keyusage, ivec); else - return ARCFOUR_subdecrypt (context, key, data, len, usage, ivec); + return ARCFOUR_subdecrypt (context, key, data, len, keyusage, ivec); } +/* + * + */ + +static krb5_error_code +AES_PRF(krb5_context context, + krb5_crypto crypto, + const krb5_data *in, + krb5_data *out) +{ + struct checksum_type *ct = crypto->et->checksum; + krb5_error_code ret; + Checksum result; + krb5_keyblock *derived; + + result.cksumtype = ct->type; + ret = krb5_data_alloc(&result.checksum, ct->checksumsize); + if (ret) { + krb5_set_error_string(context, "out memory"); + return ret; + } + + (*ct->checksum)(context, NULL, in->data, in->length, 0, &result); + + if (result.checksum.length < crypto->et->blocksize) + krb5_abortx(context, "internal prf error"); + + derived = NULL; + ret = krb5_derive_key(context, crypto->key.key, + crypto->et->type, "prf", 3, &derived); + if (ret) + krb5_abortx(context, "krb5_derive_key"); + + ret = krb5_data_alloc(out, crypto->et->blocksize); + if (ret) + krb5_abortx(context, "malloc failed"); + + { + AES_KEY key; + + AES_set_encrypt_key(derived->keyvalue.data, + crypto->et->keytype->bits, &key); + AES_encrypt(result.checksum.data, out->data, &key); + memset(&key, 0, sizeof(key)); + } + + krb5_data_free(&result.checksum); + krb5_free_keyblock(context, derived); + + return ret; +} + /* * these should currently be in reverse preference order. * (only relevant for !F_PSEUDO) */ 
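Review bot: The new `AES_PRF` handles allocation failure inconsistently: the first `krb5_data_alloc` returns an error (with the message `"out memory"`, missing "of"), but the later `krb5_derive_key` and `krb5_data_alloc(out, ...)` failures call `krb5_abortx` and kill the process, and the `krb5_derive_key` error path also leaks `result.checksum`. Returning the error uniformly, e.g. `if (ret) { krb5_data_free(&result.checksum); return ret; }` at each of those two points, keeps memory pressure from becoming a crash in a library. Two smaller points: the return value of `(*ct->checksum)(...)` is ignored, and the `memset(&key, 0, sizeof(key))` on a local `AES_KEY` is the kind of dead store a compiler may elide, so if key scrubbing is the intent a comment noting that (or a non-elidable clear, if the tree has one) would be appropriate.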
@@ -2398,18 +2520,22 @@ ARCFOUR_encrypt(krb5_context context, static struct encryption_type enctype_null = { ETYPE_NULL, "null", + NULL, 1, 1, 0, &keytype_null, &checksum_none, NULL, - 0, + F_DISABLED, NULL_encrypt, + 0, + NULL }; static struct encryption_type enctype_des_cbc_crc = { ETYPE_DES_CBC_CRC, "des-cbc-crc", + NULL, 8, 8, 8, @@ -2418,10 +2544,13 @@ static struct encryption_type enctype_des_cbc_crc = { NULL, 0, DES_CBC_encrypt_key_ivec, + 0, + NULL }; static struct encryption_type enctype_des_cbc_md4 = { ETYPE_DES_CBC_MD4, "des-cbc-md4", + NULL, 8, 8, 8, @@ -2430,10 +2559,13 @@ static struct encryption_type enctype_des_cbc_md4 = { &checksum_rsa_md4_des, 0, DES_CBC_encrypt_null_ivec, + 0, + NULL }; static struct encryption_type enctype_des_cbc_md5 = { ETYPE_DES_CBC_MD5, "des-cbc-md5", + NULL, 8, 8, 8, @@ -2442,22 +2574,28 @@ static struct encryption_type enctype_des_cbc_md5 = { &checksum_rsa_md5_des, 0, DES_CBC_encrypt_null_ivec, + 0, + NULL }; static struct encryption_type enctype_arcfour_hmac_md5 = { ETYPE_ARCFOUR_HMAC_MD5, "arcfour-hmac-md5", + NULL, 1, 1, 8, &keytype_arcfour, &checksum_hmac_md5, - /* &checksum_hmac_md5_enc */ NULL, + NULL, F_SPECIAL, - ARCFOUR_encrypt + ARCFOUR_encrypt, + 0, + NULL }; static struct encryption_type enctype_des3_cbc_md5 = { ETYPE_DES3_CBC_MD5, "des3-cbc-md5", + NULL, 8, 8, 8, @@ -2466,10 +2604,13 @@ static struct encryption_type enctype_des3_cbc_md5 = { &checksum_rsa_md5_des3, 0, DES3_CBC_encrypt, + 0, + NULL }; static struct encryption_type enctype_des3_cbc_sha1 = { ETYPE_DES3_CBC_SHA1, "des3-cbc-sha1", + NULL, 8, 8, 8, @@ -2478,10 +2619,13 @@ static struct encryption_type enctype_des3_cbc_sha1 = { &checksum_hmac_sha1_des3, F_DERIVED, DES3_CBC_encrypt, + 0, + NULL }; static struct encryption_type enctype_old_des3_cbc_sha1 = { ETYPE_OLD_DES3_CBC_SHA1, "old-des3-cbc-sha1", + NULL, 8, 8, 8, 
@@ -2490,36 +2634,43 @@ static struct encryption_type enctype_old_des3_cbc_sha1 = { &checksum_hmac_sha1_des3, 0, DES3_CBC_encrypt, + 0, + NULL }; -#ifdef ENABLE_AES static struct encryption_type enctype_aes128_cts_hmac_sha1 = { ETYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", + NULL, 16, 1, 16, &keytype_aes128, &checksum_sha1, &checksum_hmac_sha1_aes128, - 0, + F_DERIVED, AES_CTS_encrypt, + 16, + AES_PRF }; static struct encryption_type enctype_aes256_cts_hmac_sha1 = { ETYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", + NULL, 16, 1, 16, &keytype_aes256, &checksum_sha1, &checksum_hmac_sha1_aes256, - 0, + F_DERIVED, AES_CTS_encrypt, + 16, + AES_PRF }; -#endif /* ENABLE_AES */ static struct encryption_type enctype_des_cbc_none = { ETYPE_DES_CBC_NONE, "des-cbc-none", + NULL, 8, 8, 0, @@ -2528,10 +2679,13 @@ static struct encryption_type enctype_des_cbc_none = { NULL, F_PSEUDO, DES_CBC_encrypt_null_ivec, + 0, + NULL }; static struct encryption_type enctype_des_cfb64_none = { ETYPE_DES_CFB64_NONE, "des-cfb64-none", + NULL, 1, 1, 0, @@ -2540,10 +2694,13 @@ static struct encryption_type enctype_des_cfb64_none = { NULL, F_PSEUDO, DES_CFB64_encrypt_null_ivec, + 0, + NULL }; static struct encryption_type enctype_des_pcbc_none = { ETYPE_DES_PCBC_NONE, "des-pcbc-none", + NULL, 8, 8, 0, @@ -2552,10 +2709,13 @@ static struct encryption_type enctype_des_pcbc_none = { NULL, F_PSEUDO, DES_PCBC_encrypt_key_ivec, + 0, + NULL }; static struct encryption_type enctype_des3_cbc_none = { ETYPE_DES3_CBC_NONE, "des3-cbc-none", + NULL, 8, 8, 0, @@ -2564,6 +2724,8 @@ static struct encryption_type enctype_des3_cbc_none = { NULL, F_PSEUDO, DES3_CBC_encrypt, + 0, + NULL }; static struct encryption_type *etypes[] = { 
@@ -2575,10 +2737,8 @@ static struct encryption_type *etypes[] = { &enctype_des3_cbc_md5, &enctype_des3_cbc_sha1, &enctype_old_des3_cbc_sha1, -#ifdef ENABLE_AES &enctype_aes128_cts_hmac_sha1, &enctype_aes256_cts_hmac_sha1, -#endif &enctype_des_cbc_none, &enctype_des_cfb64_none, &enctype_des_pcbc_none, @@ -2599,7 +2759,7 @@ _find_enctype(krb5_enctype type) } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_string(krb5_context context, krb5_enctype etype, char **string) @@ -2609,6 +2769,7 @@ krb5_enctype_to_string(krb5_context context, if(e == NULL) { krb5_set_error_string (context, "encryption type %d not supported", etype); + *string = NULL; return KRB5_PROG_ETYPE_NOSUPP; } *string = strdup(e->name); @@ -2619,7 +2780,7 @@ krb5_enctype_to_string(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_enctype(krb5_context context, const char *string, krb5_enctype *etype) 
@@ -2635,7 +2796,42 @@ krb5_string_to_enctype(krb5_context context, return KRB5_PROG_ETYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +_krb5_enctype_to_oid(krb5_context context, + krb5_enctype etype, + heim_oid *oid) +{ + struct encryption_type *et = _find_enctype(etype); + if(et == NULL) { + krb5_set_error_string (context, "encryption type %d not supported", + etype); + return KRB5_PROG_ETYPE_NOSUPP; + } + if(et->oid == NULL) { + krb5_set_error_string (context, "%s have not oid", et->name); + return KRB5_PROG_ETYPE_NOSUPP; + } + krb5_clear_error_string(context); + return der_copy_oid(et->oid, oid); +} + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_oid_to_enctype(krb5_context context, + const heim_oid *oid, + krb5_enctype *etype) +{ + int i; + for(i = 0; i < num_etypes; i++) { + if(etypes[i]->oid && der_heim_oid_cmp(etypes[i]->oid, oid) == 0) { + *etype = etypes[i]->type; + return 0; + } + } + krb5_set_error_string(context, "enctype for oid not supported"); + return KRB5_PROG_ETYPE_NOSUPP; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_keytype(krb5_context context, krb5_enctype etype, krb5_keytype *keytype) @@ -2651,7 +2847,7 @@ krb5_enctype_to_keytype(krb5_context context, } #if 0 -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctype(krb5_context context, krb5_keytype keytype, krb5_enctype *etype) @@ -2665,7 +2861,7 @@ krb5_keytype_to_enctype(krb5_context context, } #endif -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes (krb5_context context, krb5_keytype keytype, unsigned *len, @@ -2701,7 +2897,7 @@ krb5_keytype_to_enctypes (krb5_context context, * else, do `krb5_keytype_to_enctypes'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes_default (krb5_context context, krb5_keytype keytype, unsigned *len, 
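Review bot: `_krb5_oid_to_enctype` returns a match without consulting `F_DISABLED`, whereas `krb5_crypto_init` and `krb5_enctype_valid` in this same commit reject disabled types; a caller resolving an enctype from an OID therefore gets a type it cannot use, with the failure surfacing later with a different message. Filtering here, `if(etypes[i]->oid && !(etypes[i]->flags & F_DISABLED) && der_heim_oid_cmp(...) == 0)`, keeps the disabled policy in one place. The error text in `_krb5_enctype_to_oid`, `"%s have not oid"`, should read `"%s has no oid"`.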
@@ -2727,15 +2923,45 @@ krb5_keytype_to_enctypes_default (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_valid(krb5_context context, krb5_enctype etype) { - return _find_enctype(etype) != NULL; + struct encryption_type *e = _find_enctype(etype); + if(e == NULL) { + krb5_set_error_string (context, "encryption type %d not supported", + etype); + return KRB5_PROG_ETYPE_NOSUPP; + } + if (e->flags & F_DISABLED) { + krb5_set_error_string (context, "encryption type %s is disabled", + e->name); + return KRB5_PROG_ETYPE_NOSUPP; + } + return 0; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_cksumtype_valid(krb5_context context, + krb5_cksumtype ctype) +{ + struct checksum_type *c = _find_checksum(ctype); + if (c == NULL) { + krb5_set_error_string (context, "checksum type %d not supported", + ctype); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + if (c->flags & F_DISABLED) { + krb5_set_error_string (context, "checksum type %s is disabled", + c->name); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + return 0; +} + + /* if two enctypes have compatible keys */ -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_enctypes_compatible_keys(krb5_context context, krb5_enctype etype1, krb5_enctype etype2) @@ -2766,7 +2992,7 @@ static krb5_error_code encrypt_internal_derived(krb5_context context, krb5_crypto crypto, unsigned usage, - void *data, + const void *data, size_t len, krb5_data *result, void *ivec) @@ -2835,7 +3061,7 @@ encrypt_internal_derived(krb5_context context, static krb5_error_code encrypt_internal(krb5_context context, krb5_crypto crypto, - void *data, + const void *data, size_t len, krb5_data *result, void *ivec) @@ -2904,7 +3130,7 @@ static krb5_error_code encrypt_internal_special(krb5_context context, krb5_crypto crypto, int usage, - void *data, + const void *data, size_t len, krb5_data *result, void *ivec) 
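Review bot: `krb5_enctype_valid` silently inverts its truth value: the old body returned non-zero (`_find_enctype(etype) != NULL`) for a usable type, the new one returns `0` on success and an error code otherwise, so any caller still written as `if (krb5_enctype_valid(context, etype))` now accepts exactly the unsupported and disabled types. The prototype was already `krb5_error_code`, so the compiler will not flag such callers; they need to be audited as part of this change. A comment on the function, `/* Returns 0 if etype is supported and not disabled, otherwise KRB5_PROG_ETYPE_NOSUPP (note: not a boolean) */`, would document the new contract, and the same applies to the new `krb5_cksumtype_valid`.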
@@ -2955,9 +3181,10 @@ decrypt_internal_derived(krb5_context context, unsigned long l; checksum_sz = CHECKSUMSIZE(et->keyed_checksum); - if (len < checksum_sz) { - krb5_clear_error_string (context); - return EINVAL; /* XXX - better error code? */ + if (len < checksum_sz + et->confoundersize) { + krb5_set_error_string(context, "Encrypted data shorter then " + "checksum + confunder"); + return KRB5_BAD_MSIZE; } if (((len - checksum_sz) % et->padsize) != 0) { @@ -3010,7 +3237,7 @@ decrypt_internal_derived(krb5_context context, l = len - et->confoundersize; memmove(p, p + et->confoundersize, l); result->data = realloc(p, l); - if(result->data == NULL) { + if(result->data == NULL && l != 0) { free(p); krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; @@ -3075,7 +3302,7 @@ decrypt_internal(krb5_context context, l = len - et->confoundersize - checksum_sz; memmove(p, p + et->confoundersize + checksum_sz, l); result->data = realloc(p, l); - if(result->data == NULL) { + if(result->data == NULL && l != 0) { free(p); krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; @@ -3119,7 +3346,7 @@ decrypt_internal_special(krb5_context context, memmove (p, p + cksum_sz + et->confoundersize, sz); result->data = realloc(p, sz); - if(result->data == NULL) { + if(result->data == NULL && sz != 0) { free(p); krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; @@ -3129,11 +3356,11 @@ decrypt_internal_special(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_ivec(krb5_context context, krb5_crypto crypto, unsigned usage, - void *data, + const void *data, size_t len, krb5_data *result, void *ivec) 
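Review bot: The minimum-length check added to `decrypt_internal_derived` (`len < checksum_sz + et->confoundersize`) is the right fix for short ciphertexts, but the sibling hunks for `decrypt_internal` and `decrypt_internal_special` on this line change only the `realloc` guard, so it is worth confirming that both already enforce an equivalent `confoundersize + checksum` bound before their `memmove` (their length checks are outside these hunks). The new error string has two typos: `"Encrypted data shorter than checksum + confounder"`. The `result->data == NULL && l != 0` guards also accept `realloc(p, 0)` returning `NULL`, in which case some implementations have freed `p`; that is fine only if `p` is not touched afterwards, which the hunk does not show.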
@@ -3148,18 +3375,18 @@ krb5_encrypt_ivec(krb5_context context, return encrypt_internal(context, crypto, data, len, result, ivec); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt(krb5_context context, krb5_crypto crypto, unsigned usage, - void *data, + const void *data, size_t len, krb5_data *result) { return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_EncryptedData(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3177,7 +3404,7 @@ krb5_encrypt_EncryptedData(krb5_context context, return krb5_encrypt(context, crypto, usage, data, len, &result->cipher); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ivec(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3196,7 +3423,7 @@ krb5_decrypt_ivec(krb5_context context, return decrypt_internal(context, crypto, data, len, result, ivec); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3208,7 +3435,7 @@ krb5_decrypt(krb5_context context, NULL); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_EncryptedData(krb5_context context, krb5_crypto crypto, unsigned usage, 
@@ -3223,25 +3450,24 @@ krb5_decrypt_EncryptedData(krb5_context context, * * ************************************************************/ -#ifdef HAVE_OPENSSL -#include +#define ENTROPY_NEEDED 128 -/* From openssl/crypto/rand/rand_lcl.h */ -#define ENTROPY_NEEDED 20 static int seed_something(void) { - int fd = -1; char buf[1024], seedfile[256]; /* If there is a seed file, load it. But such a file cannot be trusted, so use 0 for the entropy estimate */ if (RAND_file_name(seedfile, sizeof(seedfile))) { + int fd; fd = open(seedfile, O_RDONLY); if (fd >= 0) { - read(fd, buf, sizeof(buf)); - /* Use the full buffer anyway */ - RAND_add(buf, sizeof(buf), 0.0); + ssize_t ret; + ret = read(fd, buf, sizeof(buf)); + if (ret > 0) + RAND_add(buf, ret, 0.0); + close(fd); } else seedfile[0] = '\0'; } else 
@@ -3273,82 +3499,34 @@ seed_something(void) return -1; } -void +void KRB5_LIB_FUNCTION krb5_generate_random_block(void *buf, size_t len) { static int rng_initialized = 0; + HEIMDAL_MUTEX_lock(&crypto_mutex); if (!rng_initialized) { if (seed_something()) - krb5_abortx(NULL, "Fatal: could not seed the random number generator"); + krb5_abortx(NULL, "Fatal: could not seed the " + "random number generator"); rng_initialized = 1; } - RAND_bytes(buf, len); + HEIMDAL_MUTEX_unlock(&crypto_mutex); + if (RAND_bytes(buf, len) != 1) + krb5_abortx(NULL, "Failed to generate random block"); } -#else - -void -krb5_generate_random_block(void *buf, size_t len) -{ - des_cblock key, out; - static des_cblock counter; - static des_key_schedule schedule; - int i; - static int initialized = 0; - - if(!initialized) { - des_new_random_key(&key); - des_set_key(&key, schedule); - memset(&key, 0, sizeof(key)); - des_new_random_key(&counter); - } - while(len > 0) { - des_ecb_encrypt(&counter, &out, schedule, DES_ENCRYPT); - for(i = 7; i >=0; i--) - if(counter[i]++) - break; - memcpy(buf, out, min(len, sizeof(out))); - len -= min(len, sizeof(out)); - buf = (char*)buf + sizeof(out); - } -} -#endif - static void DES3_postproc(krb5_context context, unsigned char *k, size_t len, struct key_data *key) { - unsigned char x[24]; - int i, j; + DES3_random_to_key(context, key->key, k, len); - memset(x, 0, sizeof(x)); - for (i = 0; i < 3; ++i) { - unsigned char foo; - - for (j = 0; j < 7; ++j) { - unsigned char b = k[7 * i + j]; - - x[8 * i + j] = b; - } - foo = 0; - for (j = 6; j >= 0; --j) { - foo |= k[7 * i + j] & 1; - foo <<= 1; - } - x[8 * i + 7] = foo; - } - k = key->key->keyvalue.data; - memcpy(k, x, 24); - memset(x, 0, sizeof(x)); if (key->schedule) { krb5_free_data(context, key->schedule); key->schedule = NULL; } - des_set_odd_parity((des_cblock*)k); - des_set_odd_parity((des_cblock*)(k + 8)); - des_set_odd_parity((des_cblock*)(k + 16)); } static krb5_error_code 
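Review bot: `krb5_generate_random_block` now checks `RAND_bytes` for failure, but it still passes a `size_t len` to `RAND_bytes`, whose length parameter is an `int`; a request larger than `INT_MAX` is truncated and would leave part of `buf` unfilled while the call still returns 1. A guard such as `if (len > INT_MAX) krb5_abortx(NULL, "random block too large");` (with `<limits.h>`, if not already included) closes that. The `rng_initialized` flag is also never reset, so a process that forks after the first call shares the seeded OpenSSL pool state with its child; whether that matters depends on the OpenSSL version's fork handling, which this hunk cannot show, but a comment noting the assumption would help.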
@@ -3361,20 +3539,24 @@ derive_key(krb5_context context, unsigned char *k; unsigned int nblocks = 0, i; krb5_error_code ret = 0; - struct key_type *kt = et->keytype; + ret = _key_schedule(context, key); if(ret) return ret; - if(et->blocksize * 8 < kt->bits || - len != et->blocksize) { + if(et->blocksize * 8 < kt->bits || len != et->blocksize) { nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8); k = malloc(nblocks * et->blocksize); if(k == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - _krb5_n_fold(constant, len, k, et->blocksize); + ret = _krb5_n_fold(constant, len, k, et->blocksize); + if (ret) { + free(k); + krb5_set_error_string(context, "out of memory"); + return ret; + } for(i = 0; i < nblocks; i++) { if(i > 0) memcpy(k + i * et->blocksize, @@ -3400,7 +3582,12 @@ derive_key(krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - _krb5_n_fold(c, len, k, res_len); + ret = _krb5_n_fold(c, len, k, res_len); + if (ret) { + free(k); + krb5_set_error_string(context, "out of memory"); + return ret; + } free(c); } @@ -3409,12 +3596,10 @@ derive_key(krb5_context context, case KEYTYPE_DES3: DES3_postproc(context, k, nblocks * et->blocksize, key); break; -#ifdef ENABLE_AES case KEYTYPE_AES128: case KEYTYPE_AES256: memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length); break; -#endif /* ENABLE_AES */ default: krb5_set_error_string(context, "derive_key() called with unknown keytype (%u)", @@ -3422,6 +3607,10 @@ derive_key(krb5_context context, ret = KRB5_CRYPTO_INTERNAL; break; } + if (key->schedule) { + krb5_free_data(context, key->schedule); + key->schedule = NULL; + } memset(k, 0, nblocks * et->blocksize); free(k); return ret; @@ -3441,7 +3630,7 @@ _new_derived_key(krb5_crypto crypto, unsigned usage) return &d->key; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_derive_key(krb5_context context, const krb5_keyblock *key, krb5_enctype etype, 
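Review bot: The second new `_krb5_n_fold` error path in `derive_key` leaks `c`: the success path frees it immediately after (`free(c);`), but the failure branch frees only `k`; the fix is `if (ret) { free(k); free(c); krb5_set_error_string(context, "out of memory"); return ret; }`. Both new branches also hard-code the message "out of memory" for whatever `_krb5_n_fold` returns, which is only accurate if allocation is its sole failure mode — worth confirming or letting the callee's error string stand. The removed `struct key_type *kt = et->keytype;` is still referenced via `kt->bits` in the context line, so `kt` must now be declared earlier in the function, above this hunk.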
@@ -3453,6 +3642,8 @@ krb5_derive_key(krb5_context context, struct encryption_type *et; struct key_data d; + *derived_key = NULL; + et = _find_enctype (etype); if (et == NULL) { krb5_set_error_string(context, "encryption type %d not supported", @@ -3460,16 +3651,15 @@ krb5_derive_key(krb5_context context, return KRB5_PROG_ETYPE_NOSUPP; } - ret = krb5_copy_keyblock(context, key, derived_key); + ret = krb5_copy_keyblock(context, key, &d.key); if (ret) return ret; - d.key = *derived_key; d.schedule = NULL; ret = derive_key(context, et, &d, constant, constant_len); - if (ret) - return ret; - ret = krb5_copy_keyblock(context, d.key, derived_key); + if (ret == 0) + ret = krb5_copy_keyblock(context, d.key, derived_key); + free_key_data(context, &d); return ret; } @@ -3501,7 +3691,7 @@ _get_derived_key(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_init(krb5_context context, const krb5_keyblock *key, krb5_enctype etype, @@ -3516,20 +3706,23 @@ krb5_crypto_init(krb5_context context, if(etype == ETYPE_NULL) etype = key->keytype; (*crypto)->et = _find_enctype(etype); - if((*crypto)->et == NULL) { + if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) { free(*crypto); + *crypto = NULL; krb5_set_error_string (context, "encryption type %d not supported", etype); return KRB5_PROG_ETYPE_NOSUPP; } if((*crypto)->et->keytype->size != key->keyvalue.length) { free(*crypto); + *crypto = NULL; krb5_set_error_string (context, "encryption key has bad length"); return KRB5_BAD_KEYSIZE; } ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key); if(ret) { free(*crypto); + *crypto = NULL; return ret; } (*crypto)->key.schedule = NULL; @@ -3554,7 +3747,7 @@ free_key_usage(krb5_context context, struct key_usage *ku) free_key_data(context, &ku->key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_destroy(krb5_context context, krb5_crypto crypto) { 
@@ -3568,7 +3761,7 @@ krb5_crypto_destroy(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_getblocksize(krb5_context context, krb5_crypto crypto, size_t *blocksize) @@ -3577,7 +3770,49 @@ krb5_crypto_getblocksize(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getenctype(krb5_context context, + krb5_crypto crypto, + krb5_enctype *enctype) +{ + *enctype = crypto->et->type; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getpadsize(krb5_context context, + krb5_crypto crypto, + size_t *padsize) +{ + *padsize = crypto->et->padsize; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getconfoundersize(krb5_context context, + krb5_crypto crypto, + size_t *confoundersize) +{ + *confoundersize = crypto->et->confoundersize; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_disable(krb5_context context, + krb5_enctype enctype) +{ + struct encryption_type *et = _find_enctype(enctype); + if(et == NULL) { + if (context) + krb5_set_error_string (context, "encryption type %d not supported", + enctype); + return KRB5_PROG_ETYPE_NOSUPP; + } + et->flags |= F_DISABLED; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_derived(krb5_context context, const void *str, size_t len, @@ -3587,7 +3822,7 @@ krb5_string_to_key_derived(krb5_context context, struct encryption_type *et = _find_enctype(etype); krb5_error_code ret; struct key_data kd; - size_t keylen = et->keytype->bits / 8; + size_t keylen; u_char *tmp; if(et == NULL) { @@ -3595,6 +3830,8 @@ krb5_string_to_key_derived(krb5_context context, etype); return KRB5_PROG_ETYPE_NOSUPP; } + keylen = et->keytype->bits / 8; + ALLOC(kd.key, 1); if(kd.key == NULL) { krb5_set_error_string (context, "malloc: out of memory"); 
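Review bot: `krb5_enctype_disable` mutates `et->flags` on what is presumably a static entry of the `etypes` table with no synchronization, while `krb5_crypto_init` reads the same flag from arbitrary threads; the operation is also irreversible and affects every context in the process. A header comment such as `/* Process-wide and irreversible; call during single-threaded initialization, before any krb5_context is used concurrently. */` documents the intended use. The new getters (`krb5_crypto_getenctype`, `getpadsize`, `getconfoundersize`) dereference `crypto` unconditionally, consistent with the existing `krb5_crypto_getblocksize`, so the documentation should make the non-NULL precondition explicit.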
@@ -3612,7 +3849,12 @@ krb5_string_to_key_derived(krb5_context context, krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } - _krb5_n_fold(str, len, tmp, keylen); + ret = _krb5_n_fold(str, len, tmp, keylen); + if (ret) { + free(tmp); + krb5_set_error_string(context, "out of memory"); + return ret; + } kd.schedule = NULL; DES3_postproc (context, tmp, keylen, &kd); /* XXX */ memset(tmp, 0, keylen); @@ -3634,9 +3876,10 @@ wrapped_length (krb5_context context, { struct encryption_type *et = crypto->et; size_t padsize = et->padsize; + size_t checksumsize = CHECKSUMSIZE(et->checksum); size_t res; - res = et->confoundersize + et->checksum->checksumsize + data_len; + res = et->confoundersize + checksumsize + data_len; res = (res + padsize - 1) / padsize * padsize; return res; } @@ -3652,7 +3895,10 @@ wrapped_length_dervied (krb5_context context, res = et->confoundersize + data_len; res = (res + padsize - 1) / padsize * padsize; - res += et->checksum->checksumsize; + if (et->keyed_checksum) + res += et->keyed_checksum->checksumsize; + else + res += et->checksum->checksumsize; return res; } 
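Review bot: The new `_krb5_n_fold` failure path in `krb5_string_to_key_derived` frees `tmp` but not `kd.key`, which was allocated via `ALLOC(kd.key, 1)` earlier in the function (outside this hunk), so it leaks the keyblock just as the pre-existing `return ENOMEM` above it does; releasing it there, e.g. `if (ret) { free(tmp); free_key_data(context, &kd); ...; return ret; }` (assuming `free_key_data` handles a partially built `kd` — confirm), closes both. The message `"out of memory"` again presumes that is the only reason `_krb5_n_fold` can fail.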
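Review bot: `wrapped_length_dervied` computes the checksum contribution with `et->keyed_checksum->checksumsize`, whereas the sibling `wrapped_length` in the hunk just above switched to `CHECKSUMSIZE(et->checksum)` and `decrypt_internal_derived` sizes the same field with `CHECKSUMSIZE(et->keyed_checksum)`; if the macro ever differs from the raw field, the advertised wrapped length will disagree with the bytes actually produced. Using the macro here too, `res += CHECKSUMSIZE(et->keyed_checksum ? et->keyed_checksum : et->checksum);`, keeps the three in step (and the function name's "dervied" typo could be fixed while it is being touched).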
@@ -3671,12 +3917,185 @@ krb5_get_wrapped_length (krb5_context context, return wrapped_length (context, crypto, data_len); } +/* + * Return the size of an encrypted packet of length `data_len' + */ + +static size_t +crypto_overhead (krb5_context context, + krb5_crypto crypto) +{ + struct encryption_type *et = crypto->et; + size_t res; + + res = CHECKSUMSIZE(et->checksum); + res += et->confoundersize; + if (et->padsize > 1) + res += et->padsize; + return res; +} + +static size_t +crypto_overhead_dervied (krb5_context context, + krb5_crypto crypto) +{ + struct encryption_type *et = crypto->et; + size_t res; + + if (et->keyed_checksum) + res = CHECKSUMSIZE(et->keyed_checksum); + else + res = CHECKSUMSIZE(et->checksum); + res += et->confoundersize; + if (et->padsize > 1) + res += et->padsize; + return res; +} + +size_t +krb5_crypto_overhead (krb5_context context, krb5_crypto crypto) +{ + if (derived_crypto (context, crypto)) + return crypto_overhead_dervied (context, crypto); + else + return crypto_overhead (context, crypto); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_random_to_key(krb5_context context, + krb5_enctype type, + const void *data, + size_t size, + krb5_keyblock *key) +{ + krb5_error_code ret; + struct encryption_type *et = _find_enctype(type); + if(et == NULL) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + if ((et->keytype->bits + 7) / 8 > size) { + krb5_set_error_string(context, "encryption key %s needs %d bytes " + "of random to make an encryption key out of it", + et->name, (int)et->keytype->size); + return KRB5_PROG_ETYPE_NOSUPP; + } + ret = krb5_data_alloc(&key->keyvalue, et->keytype->size); + if(ret) + return ret; + key->keytype = type; + if (et->keytype->random_to_key) + (*et->keytype->random_to_key)(context, key, data, size); + else + memcpy(key->keyvalue.data, data, et->keytype->size); + + return 0; +} + +krb5_error_code +_krb5_pk_octetstring2key(krb5_context context, + 
krb5_enctype type, + const void *dhdata, + size_t dhsize, + const heim_octet_string *c_n, + const heim_octet_string *k_n, + krb5_keyblock *key) +{ + struct encryption_type *et = _find_enctype(type); + krb5_error_code ret; + size_t keylen, offset; + void *keydata; + unsigned char counter; + unsigned char shaoutput[20]; + + if(et == NULL) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + keylen = (et->keytype->bits + 7) / 8; + + keydata = malloc(keylen); + if (keydata == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + counter = 0; + offset = 0; + do { + SHA_CTX m; + + SHA1_Init(&m); + SHA1_Update(&m, &counter, 1); + SHA1_Update(&m, dhdata, dhsize); + if (c_n) + SHA1_Update(&m, c_n->data, c_n->length); + if (k_n) + SHA1_Update(&m, k_n->data, k_n->length); + SHA1_Final(shaoutput, &m); + + memcpy((unsigned char *)keydata + offset, + shaoutput, + min(keylen - offset, sizeof(shaoutput))); + + offset += sizeof(shaoutput); + counter++; + } while(offset < keylen); + memset(shaoutput, 0, sizeof(shaoutput)); + + ret = krb5_random_to_key(context, type, keydata, keylen, key); + memset(keydata, 0, sizeof(keylen)); + free(keydata); + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_prf_length(krb5_context context, + krb5_enctype type, + size_t *length) +{ + struct encryption_type *et = _find_enctype(type); + + if(et == NULL || et->prf_length == 0) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + + *length = et->prf_length; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_prf(krb5_context context, + const krb5_crypto crypto, + const krb5_data *input, + krb5_data *output) +{ + struct encryption_type *et = crypto->et; + + krb5_data_zero(output); + + if(et->prf == NULL) { + krb5_set_error_string(context, "kerberos prf for %s not supported", + et->name); + return 
KRB5_PROG_ETYPE_NOSUPP; + } + + return (*et->prf)(context, crypto, input, output); +} + + + + #ifdef CRYPTO_DEBUG static krb5_error_code krb5_get_keyid(krb5_context context, krb5_keyblock *key, - u_int32_t *keyid) + uint32_t *keyid) { MD5_CTX md5; unsigned char tmp[16]; @@ -3690,16 +4109,16 @@ krb5_get_keyid(krb5_context context, static void krb5_crypto_debug(krb5_context context, - int encrypt, + int encryptp, size_t len, krb5_keyblock *key) { - u_int32_t keyid; + uint32_t keyid; char *kt; krb5_get_keyid(context, key, &keyid); krb5_enctype_to_string(context, key->keytype, &kt); krb5_warnx(context, "%s %lu bytes with key-id %#x (%s)", - encrypt ? "encrypting" : "decrypting", + encryptp ? "encrypting" : "decrypting", (unsigned long)len, keyid, kt); @@ -3736,7 +4155,7 @@ main() d = _new_derived_key(crypto, usage); if(d == NULL) - return ENOMEM; + krb5_errx(context, 1, "_new_derived_key failed"); krb5_copy_keyblock(context, crypto->key.key, &d->key); _krb5_put_int(constant, usage, 4); derive_key(context, crypto->et, d, constant, sizeof(constant)); @@ -3762,11 +4181,10 @@ main() "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"; */ key.keyvalue.length = 4; - d = calloc(1, sizeof(*d)); - + d = ecalloc(1, sizeof(*d)); d->key = &key; res.checksum.length = 20; - res.checksum.data = malloc(res.checksum.length); + res.checksum.data = emalloc(res.checksum.length); SP_HMAC_SHA1_checksum(context, d, data, 28, &res); return 0; diff --git a/crypto/heimdal/lib/krb5/dump_config.c b/crypto/heimdal/lib/krb5/dump_config.c deleted file mode 100644 index 074595e2139c..000000000000 --- a/crypto/heimdal/lib/krb5/dump_config.c +++ /dev/null 
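Review bot: In `_krb5_pk_octetstring2key` the scrub before `free(keydata)` is `memset(keydata, 0, sizeof(keylen));`, which clears `sizeof(size_t)` bytes rather than the derived key material; it should be `memset(keydata, 0, keylen);` (and, like the `AES_KEY` clear elsewhere in this commit, a plain `memset` before `free` may be elided by the compiler, so note the intent). In `krb5_random_to_key` the length check uses `(et->keytype->bits + 7) / 8` but the fallback `memcpy` copies `et->keytype->size` bytes and the error message reports `size`, so the two should use the same quantity or the comment should say why they differ. `krb5_crypto_overhead` is also the one new public function on this hunk without the `KRB5_LIB_FUNCTION` annotation applied to every other exported symbol here.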
@@ -1,71 +0,0 @@ -/* - * Copyright (c) 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - -#include "krb5_locl.h" - -RCSID("$Id: dump_config.c,v 1.2 1999/10/28 23:22:41 assar Exp $"); - -/* print contents of krb5.conf */ - -static void -print_tree(struct krb5_config_binding *b, int level) -{ - if (b == NULL) - return; - - printf("%*s%s%s%s", level * 4, "", - (level == 0) ? "[" : "", b->name, (level == 0) ? 
"]" : ""); - if(b->type == krb5_config_list) { - if(level > 0) - printf(" = {"); - printf("\n"); - print_tree(b->u.list, level + 1); - if(level > 0) - printf("%*s}\n", level * 4, ""); - } else if(b->type == krb5_config_string) { - printf(" = %s\n", b->u.string); - } - if(b->next) - print_tree(b->next, level); -} - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_error_code ret = krb5_init_context(&context); - if(ret == 0) { - print_tree(context->cf, 0); - return 0; - } - return 1; -} diff --git a/crypto/heimdal/lib/krb5/krb5_build_principal.3 b/crypto/heimdal/lib/krb5/krb5_build_principal.3 deleted file mode 100644 index e74c7543bd74..000000000000 --- a/crypto/heimdal/lib/krb5/krb5_build_principal.3 +++ /dev/null 
@@ -1,101 +0,0 @@ -.\" Copyright (c) 1997, 2001 - 2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: krb5_build_principal.3,v 1.7 2003/04/16 13:58:14 lha Exp $ -.\" -.Dd August 8, 1997 -.Dt KRB5_BUILD_PRINCIPAL 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_build_principal , -.Nm krb5_build_principal_ext , -.Nm krb5_build_principal_va , -.Nm krb5_build_principal_va_ext , -.Nm krb5_make_principal -.Nd principal creation functions -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft krb5_error_code -.Fn krb5_build_principal "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..." -.Ft krb5_error_code -.Fn krb5_build_principal_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..." -.Ft krb5_error_code -.Fn krb5_build_principal_va "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap" -.Ft krb5_error_code -.Fn krb5_build_principal_va_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap" -.Ft krb5_error_code -.Fn krb5_make_principal "krb5_context context" "krb5_principal *principal" "krb5_const_realm realm" "..." -.Sh DESCRIPTION -These functions create a Kerberos 5 principal from a realm and a list -of components. -All of these functions return an allocated principal in the -.Fa principal -parameter, this should be freed with -.Fn krb5_free_principal -after use. -.Pp -The -.Dq build -functions take a -.Fa realm -and the length of the realm. The -.Fn krb5_build_principal -and -.Fn krb5_build_principal_va -also takes a list of components (zero-terminated strings), terminated -with -.Dv NULL . -The -.Fn krb5_build_principal_ext -and -.Fn krb5_build_principal_va_ext -takes a list of length-value pairs, the list is terminated with a zero -length. -.Pp -The -.Fn krb5_make_principal -is a wrapper around -.Fn krb5_build_principal . -If the realm is -.Dv NULL , -the default realm will be used. -.Sh BUGS -You can not have a NUL in a component. 
Until someone can give a good -example of where it would be a good idea to have NUL's in a component, -this will not be fixed. -.Sh SEE ALSO -.Xr krb5_425_conv_principal 3 , -.Xr krb5_free_principal 3 , -.Xr krb5_parse_name 3 , -.Xr krb5_sname_to_principal 3 , -.Xr krb5_unparse_name 3 diff --git a/crypto/heimdal/lib/krb5/krb5_free_addresses.3 b/crypto/heimdal/lib/krb5/krb5_free_addresses.3 deleted file mode 100644 index 6ac46d44f3b3..000000000000 --- a/crypto/heimdal/lib/krb5/krb5_free_addresses.3 +++ /dev/null 
@@ -1,53 +0,0 @@ -.\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: krb5_free_addresses.3,v 1.5 2003/04/16 13:58:15 lha Exp $ -.\" -.Dd November 20, 2001 -.Dt KRB5_FREE_ADDRESSES 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_free_addresses -.Nd free list of addresses -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft void -.Fn krb5_free_addresses "krb5_context context" "krb5_addresses *addresses" -.Sh DESCRIPTION -The -.Fn krb5_free_addresses -will free a list of addresses that has been created with -.Fn krb5_get_all_client_addrs -or with some other function. -.Sh SEE ALSO -.Xr krb5_get_all_client_addrs 3 diff --git a/crypto/heimdal/lib/krb5/krb5_free_principal.3 b/crypto/heimdal/lib/krb5/krb5_free_principal.3 deleted file mode 100644 index e9900a7981cc..000000000000 --- a/crypto/heimdal/lib/krb5/krb5_free_principal.3 +++ /dev/null 
@@ -1,58 +0,0 @@ -.\" Copyright (c) 1997, 2001 - 2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_free_principal.3,v 1.7 2003/04/16 13:58:11 lha Exp $ -.Dd August 8, 1997 -.Dt KRB5_FREE_PRINCIPAL 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_free_principal -.Nd principal free function -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft void -.Fn krb5_free_principal "krb5_context context" "krb5_principal principal" -.Sh DESCRIPTION -The -.Fn krb5_free_principal -will free a principal that has been created with -.Fn krb5_build_principal , -.Fn krb5_parse_name , -or with some other function. -.Sh SEE ALSO -.Xr krb5_425_conv_principal 3 , -.Xr krb5_build_principal 3 , -.Xr krb5_parse_name 3 , -.Xr krb5_sname_to_principal 3 , -.Xr krb5_unparse_name 3 diff --git a/crypto/heimdal/lib/krb5/krb5_locl.h b/crypto/heimdal/lib/krb5/krb5_locl.h index be7997e28c90..ef812dae7c95 100644 --- a/crypto/heimdal/lib/krb5/krb5_locl.h +++ b/crypto/heimdal/lib/krb5/krb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5_locl.h,v 1.71 2002/09/10 20:10:45 joda Exp $ */ +/* $Id: krb5_locl.h 22226 2007-12-08 21:31:53Z lha $ */ /* $FreeBSD$ */ #ifndef __KRB5_LOCL_H__ @@ -51,6 +51,9 @@ #ifdef HAVE_SYS_TYPES_H #include #endif +#ifdef HAVE_SYS_MMAN_H +#include +#endif #ifdef HAVE_UNISTD_H #include #endif @@ -62,6 +65,9 @@ #include #endif #ifdef HAVE_PWD_H +#undef _POSIX_PTHREAD_SEMANTICS +/* This gets us the 5-arg getpwnam_r on Solaris 9. */ +#define _POSIX_PTHREAD_SEMANTICS #include #endif 
@@ -110,20 +116,51 @@ struct sockaddr_dl; #ifdef HAVE_SYS_FILE_H #include #endif + +#ifdef HAVE_CRYPT_H +#undef des_encrypt +#define des_encrypt wingless_pigs_mostly_fail_to_fly +#include +#undef des_encrypt +#endif + +#ifdef HAVE_DOOR_CREATE +#include +#endif + #include #include #include #include "crypto-headers.h" + #include + +struct send_to_kdc; + +/* XXX glue for pkinit */ +struct krb5_pk_identity; +struct krb5_pk_cert; +struct ContentInfo; +typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx; +struct krb5_dh_moduli; + +/* v4 glue */ +struct _krb5_krb_auth_data; + #include #include #include #include +#ifdef PKINIT +#include +#endif #include +#include "heim_threads.h" + #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) 
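Review bot: `#define des_encrypt wingless_pigs_mostly_fail_to_fly` around the `HAVE_CRYPT_H` include carries no comment, so a later maintainer cannot tell what clash it is avoiding or when it can be removed. Presumably `<crypt.h>` on some systems declares its own `des_encrypt()` that would collide with the one brought in through `crypto-headers.h` (the hcrypto/libdes symbol); a one-line comment such as `/* <crypt.h> may declare a des_encrypt() of its own; rename it away so it cannot collide with the hcrypto symbol of the same name. */` would record that. The forward declarations marked `/* XXX glue for pkinit */` and `/* v4 glue */` have the same problem: a note naming the headers expected to complete `krb5_pk_identity`, `krb5_pk_cert` and `_krb5_krb_auth_data` would make the dependency explicit instead of leaving `XXX` as the documentation.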
@@ -131,8 +168,101 @@ struct sockaddr_dl; #define KEYTAB_DEFAULT "ANY:FILE:" SYSCONFDIR "/krb5.keytab,krb4:" SYSCONFDIR "/srvtab" #define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab" +#define MODULI_FILE SYSCONFDIR "/krb5.moduli" + #ifndef O_BINARY #define O_BINARY 0 #endif +#define KRB5_BUFSIZ 1024 + +typedef enum { + KRB5_INIT_CREDS_TRISTATE_UNSET = 0, + KRB5_INIT_CREDS_TRISTATE_TRUE, + KRB5_INIT_CREDS_TRISTATE_FALSE +} krb5_get_init_creds_tristate; + +struct _krb5_get_init_creds_opt_private { + int refcount; + /* ENC_TIMESTAMP */ + const char *password; + krb5_s2k_proc key_proc; + /* PA_PAC_REQUEST */ + krb5_get_init_creds_tristate req_pac; + /* PKINIT */ + krb5_pk_init_ctx pk_init_ctx; + KRB_ERROR *error; + krb5_get_init_creds_tristate addressless; + int flags; +#define KRB5_INIT_CREDS_CANONICALIZE 1 +#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2 +}; + +typedef struct krb5_context_data { + krb5_enctype *etypes; + krb5_enctype *etypes_des; + char **default_realms; + time_t max_skew; + time_t kdc_timeout; + unsigned max_retries; + int32_t kdc_sec_offset; + int32_t kdc_usec_offset; + krb5_config_section *cf; + struct et_list *et_list; + struct krb5_log_facility *warn_dest; + krb5_cc_ops *cc_ops; + int num_cc_ops; + const char *http_proxy; + const char *time_fmt; + krb5_boolean log_utc; + const char *default_keytab; + const char *default_keytab_modify; + krb5_boolean use_admin_kdc; + krb5_addresses *extra_addresses; + krb5_boolean scan_interfaces; /* `ifconfig -a' */ + krb5_boolean srv_lookup; /* do SRV lookups */ + krb5_boolean srv_try_txt; /* try TXT records also */ + int32_t fcache_vno; /* create cache files w/ this + version */ + int num_kt_types; /* # of registered keytab types */ + struct krb5_keytab_data *kt_types; /* registered keytab types */ + const char *date_fmt; + char *error_string; + char error_buf[256]; + krb5_addresses *ignore_addresses; + char *default_cc_name; + char *default_cc_name_env; + int default_cc_name_set; + void *mutex; /* 
protects error_string/error_buf */ + int large_msg_size; + int flags; +#define KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME 1 +#define KRB5_CTX_F_CHECK_PAC 2 + struct send_to_kdc *send_to_kdc; +} krb5_context_data; + +#define KRB5_DEFAULT_CCNAME_FILE "FILE:/tmp/krb5cc_%{uid}" +#define KRB5_DEFAULT_CCNAME_API "API:" +#define KRB5_DEFAULT_CCNAME_KCM "KCM:%{uid}" + +#define EXTRACT_TICKET_ALLOW_CNAME_MISMATCH 1 +#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH 2 +#define EXTRACT_TICKET_MATCH_REALM 4 + +/* + * Configurable options + */ + +#ifndef KRB5_DEFAULT_CCTYPE +#ifdef __APPLE__ +#define KRB5_DEFAULT_CCTYPE (&krb5_acc_ops) +#else +#define KRB5_DEFAULT_CCTYPE (&krb5_fcc_ops) +#endif +#endif + +#ifndef KRB5_ADDRESSLESS_DEFAULT +#define KRB5_ADDRESSLESS_DEFAULT TRUE +#endif + #endif /* __KRB5_LOCL_H__ */ diff --git a/crypto/heimdal/lib/krb5/krb5_principal_get_realm.3 b/crypto/heimdal/lib/krb5/krb5_principal_get_realm.3 deleted file mode 100644 index 1ece7986adc7..000000000000 --- a/crypto/heimdal/lib/krb5/krb5_principal_get_realm.3 +++ /dev/null 
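Review bot: The new flag bits `KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME`, `KRB5_CTX_F_CHECK_PAC`, `KRB5_INIT_CREDS_CANONICALIZE` and `KRB5_INIT_CREDS_NO_C_CANON_CHECK` are the only definitions in this hunk that gate security-relevant checks, and they are also the only ones without a comment. Their names suggest they control DNS-based service-name canonicalization, PAC verification and the client-name canonicalization check, but nothing here says what is skipped when a bit is clear or set; a short comment per bit, e.g. `/* verify the PAC carried in received tickets when set */` on `KRB5_CTX_F_CHECK_PAC` and `/* do not require the KDC-returned client name to match the requested one */` on `KRB5_INIT_CREDS_NO_C_CANON_CHECK`, would document the trust decision each one encodes. `refcount` in `_krb5_get_init_creds_opt_private` is a plain `int` with no note on what protects it, unlike `mutex` in `krb5_context_data`, which is annotated; if the opt structure can be shared between threads, the comment should say which lock covers the count.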
@@ -1,81 +0,0 @@ -.\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: krb5_principal_get_realm.3,v 1.6 2003/04/16 13:58:17 lha Exp $ -.\" -.Dd June 20, 2001 -.Dt KRB5_PRINCIPAL_GET_REALM 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_principal_get_realm , -.Nm krb5_principal_get_comp_string -.Nd decompose a principal -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft "const char *" -.Fn krb5_principal_get_realm "krb5_context context" "krb5_principal principal" -.Ft "const char *" -.Fn krb5_principal_get_comp_string "krb5_context context" "krb5_principal principal" "unsigned int component" -.Sh DESCRIPTION -These functions return parts of the -.Fa principal , -either the realm or a specific component. The returned string points -to data inside the principal, so they are valid only as long as the -principal exists. -.Pp -The -.Fa component -argument to -.Fn krb5_principal_get_comp_string -is the component number to return, from zero to the total number of -components minus one. If a the requested component number is out of range, -.Dv NULL -is returned. -.Pp -These functions can be seen as a replacement for the -.Fn krb5_princ_realm , -.Fn krb5_princ_component -and related macros, described as intermal in the MIT API -specification. A difference is that these functions return strings, -not -.Dv krb5_data . -A reason to return -.Dv krb5_data -was that it was believed that principal components could contain -binary data, but this belief was unfounded, and it has been decided -that principal components are infact UTF8, so it's safe to use zero -terminated strings. -.Pp -It's generally not necessary to look at the components of a principal. -.Sh SEE ALSO -.Xr krb5_unparse_name 3 diff --git a/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 b/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 deleted file mode 100644 index 5724ce1876c8..000000000000 --- a/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 +++ /dev/null 
@@ -1,85 +0,0 @@ -.\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id: krb5_sname_to_principal.3,v 1.7 2003/04/16 13:58:17 lha Exp $ -.\" -.Dd August 8, 1997 -.Dt KRB5_PRINCIPAL 3 -.Os HEIMDAL -.Sh NAME -.Nm krb5_sname_to_principal , -.Nm krb5_sock_to_principal -.Nd create a service principal -.Sh LIBRARY -Kerberos 5 Library (libkrb5, -lkrb5) -.Sh SYNOPSIS -.In krb5.h -.Ft krb5_error_code -.Fn krb5_sname_to_principal "krb5_context context" "const char *hostname" "const char *sname" "int32_t type" "krb5_principal *principal" -.Ft krb5_error_code -.Fn krb5_sock_to_principal "krb5_context context" "int socket" "const char *sname" "int32_t type" "krb5_principal *principal" -.Sh DESCRIPTION -These functions create a -.Dq service -principal that can, for instance, be used to lookup a key in a keytab. For both these function the -.Fa sname -parameter will be used for the first component of the created principal. If -.Fa sname -is -.Dv NULL , -.Dq host -will be used instead. -.Fn krb5_sname_to_principal -will use the passed -.Fa hostname -for the second component. If type -.Dv KRB5_NT_SRV_HST -this name will be looked up with -.Fn gethostbyname . -If -.Fa hostname is -.Dv NULL , -the local hostname will be used. -.Pp -.Fn krb5_sock_to_principal -will use the -.Dq sockname -of the passed -.Fa socket , -which should be a bound -.Dv AF_INET -socket. -.Sh SEE ALSO -.Xr krb5_425_conv_principal 3 , -.Xr krb5_build_principal 3 , -.Xr krb5_free_principal 3 , -.Xr krb5_parse_name 3 , -.Xr krb5_unparse_name 3 diff --git a/crypto/heimdal/lib/roken/acconfig.h b/crypto/heimdal/lib/roken/acconfig.h deleted file mode 100644 index 5fbe685ce386..000000000000 --- a/crypto/heimdal/lib/roken/acconfig.h +++ /dev/null 
@@ -1,36 +0,0 @@ -@BOTTOM@ - -#ifdef BROKEN_REALLOC -#define realloc(X, Y) isoc_realloc((X), (Y)) -#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y)) -#endif - -#ifdef VOID_RETSIGTYPE -#define SIGRETURN(x) return -#else -#define SIGRETURN(x) return (RETSIGTYPE)(x) -#endif - -#define RCSID(msg) \ -static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } - -#undef PROTOTYPES - -/* Maximum values on all known systems */ -#define MaxHostNameLen (64+4) -#define MaxPathLen (1024+4) - -/* - * Define NDBM if you are using the 4.3 ndbm library (which is part of - * libc). If not defined, 4.2 dbm will be assumed. - */ -#if defined(HAVE_DBM_FIRSTKEY) -#define NDBM -#endif - -/* - * Defining this enables lots of useful (and used) extensions on - * glibc-based systems such as Linux - */ - -#define _GNU_SOURCE diff --git a/crypto/heimdal/lib/roken/acinclude.m4 b/crypto/heimdal/lib/roken/acinclude.m4 deleted file mode 100644 index 1d0197c5ce37..000000000000 --- a/crypto/heimdal/lib/roken/acinclude.m4 +++ /dev/null @@ -1,9 +0,0 @@ -dnl $Id$ -dnl -dnl Only put things that for some reason can't live in the `cf' -dnl directory in this file. -dnl - -dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $ -dnl -define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl diff --git a/crypto/heimdal/lib/roken/print_version.c b/crypto/heimdal/lib/roken/print_version.c deleted file mode 100644 index b5ce816eb604..000000000000 --- a/crypto/heimdal/lib/roken/print_version.c +++ /dev/null 
@@ -1,78 +0,0 @@ -/* - * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: print_version.c,v 1.8 2001/02/20 01:44:55 assar Exp $"); -#endif -#include "roken.h" - -#include "print_version.h" - -void -print_version(const char *progname) -{ - const char *arg[] = VERSIONLIST; - const int num_args = sizeof(arg) / sizeof(arg[0]); - char *msg; - size_t len = 0; - int i; - - if(progname == NULL) - progname = getprogname(); - - if(num_args == 0) - msg = "no version information"; - else { - for(i = 0; i < num_args; i++) { - if(i > 0) - len += 2; - len += strlen(arg[i]); - } - msg = malloc(len + 1); - if(msg == NULL) { - fprintf(stderr, "%s: out of memory\n", progname); - return; - } - msg[0] = '\0'; - for(i = 0; i < num_args; i++) { - if(i > 0) - strcat(msg, ", "); - strcat(msg, arg[i]); - } - } - fprintf(stderr, "%s (%s)\n", progname, msg); - fprintf(stderr, "Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan\n"); - if(num_args != 0) - free(msg); -} diff --git a/crypto/heimdal/lib/roken/resource.h b/crypto/heimdal/lib/roken/resource.h deleted file mode 100644 index 01cd01d76c8c..000000000000 --- a/crypto/heimdal/lib/roken/resource.h +++ /dev/null @@ -1,15 +0,0 @@ -//{{NO_DEPENDENCIES}} -// Microsoft Developer Studio generated include file. -// Used by roken.rc -// - -// Next default values for new objects -// -#ifdef APSTUDIO_INVOKED -#ifndef APSTUDIO_READONLY_SYMBOLS -#define _APS_NEXT_RESOURCE_VALUE 101 -#define _APS_NEXT_COMMAND_VALUE 40001 -#define _APS_NEXT_CONTROL_VALUE 1000 -#define _APS_NEXT_SYMED_VALUE 101 -#endif -#endif diff --git a/crypto/heimdal/ltconfig b/crypto/heimdal/ltconfig deleted file mode 100755 index 91907462a058..000000000000 --- a/crypto/heimdal/ltconfig +++ /dev/null 
@@ -1,2797 +0,0 @@ -#! /bin/sh - -# ltconfig - Create a system-specific libtool. -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. -# Originally by Gordon Matzigkeit , 1996 -# -# This file is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# A lot of this script is taken from autoconf-2.10. - -# Check that we are running under the correct shell. -SHELL=${CONFIG_SHELL-/bin/sh} -echo=echo -if test "X$1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X$1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then - # Yippee, $echo works! - : -else - # Restart under the correct shell. - exec "$SHELL" "$0" --no-reexec ${1+"$@"} -fi - -if test "X$1" = X--fallback-echo; then - # used as fallback echo - shift - cat </dev/null`} - case X$UNAME in - *-DOS) PATH_SEPARATOR=';' ;; - *) PATH_SEPARATOR=':' ;; - esac -fi - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. 
-if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi - -if test "X${echo_test_string+set}" != Xset; then - # find a string as large as possible, as long as the shell can cope with it - for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do - # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ... - if (echo_test_string="`eval $cmd`") 2>/dev/null && - echo_test_string="`eval $cmd`" && - (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null; then - break - fi - done -fi - -if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - : -else - # The Solaris, AIX, and Digital Unix default echo programs unquote - # backslashes. This makes it impossible to quote backslashes using - # echo "$something" | sed 's/\\/\\\\/g' - # - # So, first we look for a working echo in the user's PATH. - - IFS="${IFS= }"; save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR}" - for dir in $PATH /usr/ucb; do - if (test -f $dir/echo || test -f $dir/echo$ac_exeext) && - test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$dir/echo" - break - fi - done - IFS="$save_ifs" - - if test "X$echo" = Xecho; then - # We didn't find a better echo, so look for alternatives. - if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # This shell has a builtin print -r that does the trick. - echo='print -r' - elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) && - test "X$CONFIG_SHELL" != X/bin/ksh; then - # If we have ksh, try running ltconfig again with it. 
- ORIGINAL_CONFIG_SHELL="${CONFIG_SHELL-/bin/sh}" - export ORIGINAL_CONFIG_SHELL - CONFIG_SHELL=/bin/ksh - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$0" --no-reexec ${1+"$@"} - else - # Try using printf. - echo='printf %s\n' - if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # Cool, printf works - : - elif echo_testing_string=`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - CONFIG_SHELL="$ORIGINAL_CONFIG_SHELL" - export CONFIG_SHELL - SHELL="$CONFIG_SHELL" - export SHELL - echo="$CONFIG_SHELL $0 --fallback-echo" - elif echo_testing_string=`("$CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`("$CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$CONFIG_SHELL $0 --fallback-echo" - else - # maybe with a smaller string... - prev=: - - for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do - if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null; then - break - fi - prev="$cmd" - done - - if test "$prev" != 'sed 50q "$0"'; then - echo_test_string=`eval $prev` - - export echo_test_string - exec "${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}}" "$0" ${1+"$@"} - else - # Oops. We lost completely, so just stick with echo. - echo=echo - fi - fi - fi - fi -fi - -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed='sed -e s/^X//' -sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g' - -# Same as above, but do not quote variable references. 
-double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g' - -# Sed substitution to delay expansion of an escaped shell variable in a -# double_quote_subst'ed string. -delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' - -# The name of this program. -progname=`$echo "X$0" | $Xsed -e 's%^.*/%%'` - -# Constants: -PROGRAM=ltconfig -PACKAGE=libtool -VERSION=1.4a -TIMESTAMP=" (1.641.2.255 2001/05/22 10:39:30)" -ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' -ac_link='${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' -rm="rm -f" - -help="Try \`$progname --help' for more information." - -# Global variables: -default_ofile=libtool -can_build_shared=yes -enable_shared=yes -# All known linkers require a `.a' archive for static linking (except M$VC, -# which needs '.lib'). -enable_static=yes -enable_fast_install=yes -enable_dlopen=unknown -enable_win32_dll=no -pic_mode=default -ltmain= -silent= -srcdir= -ac_config_guess= -ac_config_sub= -host= -build=NONE -nonopt=NONE -ofile="$default_ofile" -verify_host=yes -tagname= -with_gcc=no -with_gnu_ld=no -need_locks=yes -ac_ext=c -libext=a -cache_file= -max_cmd_len= - -## Dependencies to place before and after the object being linked: -predep_objects= -postdep_objects= -predeps= -postdeps= -compiler_lib_search_path= - -## Link characteristics: -allow_undefined_flag= -no_undefined_flag= -need_lib_prefix=unknown -need_version=unknown -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -archive_cmds= -archive_expsym_cmds= -old_archive_from_new_cmds= -old_archive_from_expsyms_cmds= -striplib= -old_striplib= -export_dynamic_flag_spec= -whole_archive_flag_spec= -thread_safe_flag_spec= -hardcode_into_libs=no -hardcode_libdir_flag_spec= -hardcode_libdir_separator= -hardcode_direct=no -hardcode_minus_L=no -hardcode_shlibpath_var=unsupported -runpath_var= -link_all_deplibs=unknown -always_export_symbols=no -export_symbols_cmds='$NM $libobjs 
$convenience | $global_symbol_pipe | sed '\''s/.* //'\'' | sort | uniq > $export_symbols' -# include_expsyms should be a list of space-separated symbols to be *always* -# included in the symbol list -include_expsyms= -# exclude_expsyms can be an egrep regular expression of symbols to exclude -# it will be wrapped by ` (' and `)$', so one must not match beginning or -# end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', -# as well as any symbol that contains `d'. -exclude_expsyms="_GLOBAL_OFFSET_TABLE_" -# Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out -# platforms (ab)use it in PIC code, but their linkers get confused if -# the symbol is explicitly referenced. Since portable code cannot -# rely on this symbol name, it's probably fine to never include it in -# preloaded symbol tables. -extract_expsyms_cmds= - -## Tools: -old_AR="$AR" -old_AR_FLAGS="$AR_FLAGS" -old_CC="$CC" -old_CFLAGS="$CFLAGS" -old_CPPFLAGS="$CPPFLAGS" -old_LDFLAGS="$LDFLAGS" -old_LIBS="$LIBS" -old_MAGIC_CMD="$MAGIC_CMD" -old_LD="$LD" -old_LN_S="$LN_S" -old_LTCC="$LTCC" -old_NM="$NM" -old_RANLIB="$RANLIB" -old_STRIP="$STRIP" -old_AS="$AS" -old_DLLTOOL="$DLLTOOL" -old_OBJDUMP="$OBJDUMP" -old_OBJEXT="$OBJEXT" -old_EXEEXT="$EXEEXT" -old_reload_flag="$reload_flag" -old_deplibs_check_method="$deplibs_check_method" -old_file_magic_cmd="$file_magic_cmd" - -# Parse the command line options. -args= -prev= -for option -do - case $option in - -*=*) optarg=`echo "$option" | sed 's/[-_a-zA-Z0-9]*=//'` ;; - *) optarg= ;; - esac - - # If the previous option needs an argument, assign it. 
- if test -n "$prev"; then - eval "$prev=\$option" - prev= - continue - fi - - case $option in - --help) cat <&2 - echo "$help" 1>&2 - exit 1 - ;; - - *) - if test -z "$ltmain"; then - ltmain="$option" - elif test -z "$host"; then -# This generates an unnecessary warning for sparc-sun-solaris4.1.3_U1 -# if test -n "`echo $option| sed 's/[-a-z0-9.]//g'`"; then -# echo "$progname: warning \`$option' is not a valid host type" 1>&2 -# fi - host="$option" - else - echo "$progname: too many arguments" 1>&2 - echo "$help" 1>&2 - exit 1 - fi ;; - esac -done - -if test -z "$ltmain"; then - echo "$progname: you must specify a LTMAIN file" 1>&2 - echo "$help" 1>&2 - exit 1 -fi - -if test ! -f "$ltmain"; then - echo "$progname: \`$ltmain' does not exist" 1>&2 - echo "$help" 1>&2 - exit 1 -fi - -if test -n "$tagname"; then - # Check whether tagname contains only valid characters - case `$echo "X$tagname" | $Xsed -e 's/[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]//g'` in - "") ;; - *) - echo "$progname: invalid tag name: $tagname" 1>&2 - exit 1 - ;; - esac - - if grep "^### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$ofile" > /dev/null; then - echo "$progname: tag name $tagname already exists" 1>&2 - exit 1 - fi - - if test ! -f "$ofile"; then - echo "$progname: warning: output file \`$ofile' does not exist" 1>&2 - fi - - if test -z "$LTCC"; then - eval "`$SHELL $ofile --config | grep '^LTCC='`" - if test -z "$LTCC"; then - echo "$progname: warning: output file \`$ofile' does not look like a libtool script" 1>&2 - else - echo "$progname: warning: using \`LTCC=$LTCC', extracted from \`$ofile'" 1>&2 - fi - fi -fi - -# Quote any args containing shell metacharacters. -ltconfig_args= -for arg -do - case $arg in - *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*) - ltconfig_args="$ltconfig_args '$arg'" ;; - *) ltconfig_args="$ltconfig_args $arg" ;; - esac -done - -# A relevant subset of AC_INIT. 
- -# File descriptor usage: -# 0 standard input -# 1 file creation -# 2 errors and warnings -# 3 some systems may open it to /dev/tty -# 4 used on the Kubota Titan -# 5 compiler messages saved in config.log -# 6 checking for... messages and results -if test "$silent" = yes; then - exec 6>/dev/null -else - exec 6>&1 -fi -exec 5>>./config.log - -# NLS nuisances. -# Only set LANG and LC_ALL to C if already set. -# These must not be set unconditionally because not all systems understand -# e.g. LANG=C (notably SCO). -if test "X${LC_ALL+set}" = Xset; then LC_ALL=C; export LC_ALL; fi -if test "X${LANG+set}" = Xset; then LANG=C; export LANG; fi - -if test -n "$cache_file" && test -r "$cache_file" && test -f "$cache_file"; then - echo "loading cache $cache_file within ltconfig" - . $cache_file -fi - -if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then - # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu. - if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then - ac_n= ac_c=' -' ac_t=' ' - else - ac_n=-n ac_c= ac_t= - fi -else - ac_n= ac_c='\c' ac_t= -fi - -if test -z "$srcdir"; then - # Assume the source directory is the same one as the path to LTMAIN. - srcdir=`$echo "X$ltmain" | $Xsed -e 's%/[^/]*$%%'` - test "$srcdir" = "$ltmain" && srcdir=. -fi - -trap "$rm conftest*; exit 1" 1 2 15 -if test "$verify_host" = yes; then - # Check for config.guess and config.sub. - ac_aux_dir= - for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do - if test -f $ac_dir/config.guess; then - ac_aux_dir=$ac_dir - break - fi - done - if test -z "$ac_aux_dir"; then - echo "$progname: cannot find config.guess in $srcdir $srcdir/.. $srcdir/../.." 1>&2 - echo "$help" 1>&2 - exit 1 - fi - ac_config_guess=$ac_aux_dir/config.guess - ac_config_sub=$ac_aux_dir/config.sub - - # Make sure we can run config.sub. 
- if $SHELL $ac_config_sub sun4 >/dev/null 2>&1; then : - else - echo "$progname: cannot run $ac_config_sub" 1>&2 - echo "$help" 1>&2 - exit 1 - fi - - echo $ac_n "checking host system type""... $ac_c" 1>&6 - - host_alias=$host - case $host_alias in - "") - # Force config.guess to use the C compiler. - # CC_FOR_BUILD overrides the CC variable in config.guess but I had - # problems with it so do it this way for now. - CC="$LTCC" - - if host_alias=`$SHELL $ac_config_guess`; then : - else - echo "$progname: cannot guess host type; you must specify one" 1>&2 - echo "$help" 1>&2 - exit 1 - fi - - # Restore the C compiler. - CC="$old_CC" - ;; - esac - host=`$SHELL $ac_config_sub $host_alias` - echo "$ac_t$host" 1>&6 - - # Make sure the host verified. - test -z "$host" && exit 1 - - # Check for the build system type - echo $ac_n "checking build system type... $ac_c" 1>&6 - - build_alias=$build - case $build_alias in - NONE) - case $nonopt in - NONE) build_alias=$host_alias ;; - *) build_alias=$nonopt ;; - esac ;; - esac - - build=`$SHELL $ac_config_sub $build_alias` - build_cpu=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` - build_vendor=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` - build_os=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` - echo "$ac_t""$build" 1>&6 - -elif test -z "$host"; then - echo "$progname: you must specify a host type if you use \`--no-verify'" 1>&2 - echo "$help" 1>&2 - exit 1 -else - host_alias=$host - build_alias=$host_alias - build=$host -fi - -if test x"$host" != x"$build"; then - ac_tool_prefix=${host_alias}- -else - ac_tool_prefix= -fi - -host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` -host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` -host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` - -# Transform linux* to *-*-linux-gnu*, to support old configure scripts. 
-case $host_os in -linux-gnu*) ;; -linux*) host=`echo $host | sed 's/^\(.*-.*-linux\)\(.*\)$/\1-gnu\2/'` -esac - -case $host_os in -aix3*) - # AIX sometimes has problems with the GCC collect2 program. For some - # reason, if we set the COLLECT_NAMES environment variable, the problems - # vanish in a puff of smoke. - if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES - fi - ;; -esac - -# Determine commands to create old-style static archives. -old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs' -old_postinstall_cmds='chmod 644 $oldlib' -old_postuninstall_cmds= - -if test -n "$RANLIB"; then - old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" - old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds" -fi - -# Source the script associated with the $tagname tag configuration. -if test -n "$tagname"; then - . $ltmain -else - # FIXME: We should use a variable here - # Configure for a C compiler - . $srcdir/ltcf-c.sh -fi - -# Set sane defaults for various variables -test -z "$AR" && AR=ar -test -z "$AR_FLAGS" && AR_FLAGS=cru -test -z "$AS" && AS=as -test -z "$CC" && CC=cc -test -z "$DLLTOOL" && DLLTOOL=dlltool -test -z "$MAGIC_CMD" && MAGIC_CMD=file -test -z "$LD" && LD=ld -test -z "$LN_S" && LN_S="ln -s" -test -z "$NM" && NM=nm -test -z "$OBJDUMP" && OBJDUMP=objdump -test -z "$RANLIB" && RANLIB=: -test -z "$STRIP" && STRIP=: -test -z "$objext" && objext=o - -echo $ac_n "checking for objdir... $ac_c" 1>&6 -rm -f .libs 2>/dev/null -mkdir .libs 2>/dev/null -if test -d .libs; then - objdir=.libs -else - # MS-DOS does not allow filenames that begin with a dot. - objdir=_libs -fi -rmdir .libs 2>/dev/null -echo "$ac_t$objdir" 1>&6 - -# If no C compiler was specified, use CC. -LTCC=${LTCC-"$CC"} - -# Allow CC to be a program name with arguments. 
-set dummy $CC -compiler="$2" - -# We assume here that the value for ac_cv_prog_cc_pic will not be cached -# in isolation, and that seeing it set (from the cache) indicates that -# the associated values are set (in the cache) correctly too. -echo $ac_n "checking for $compiler option to produce PIC... $ac_c" 1>&6 -echo "$progname:678:checking for $compiler option to produce PIC" 1>&5 - -if test -z "$ac_cv_prog_cc_pic"; then - echo "$ac_t"none 1>&6 -else - echo "$ac_t""$ac_cv_prog_cc_pic" 1>&6 - - # Check to make sure the pic_flag actually works. - echo $ac_n "checking if $compiler PIC flag $ac_cv_prog_cc_pic works... $ac_c" 1>&6 - echo "$progname:687:checking that $compiler PIC flag $ac_cv_prog_cc_pic works." 1>&5 - if test "X${ac_cv_prog_cc_pic_works+set}" = Xset && \ - test "X${ac_cv_prog_cc_pic_works}" != X; then - echo $ac_n "(cached) $ac_c" 1>&6 - else - ac_cv_prog_cc_pic_works=yes - $rm conftest* - echo $lt_simple_compile_test_code > conftest.$ac_ext - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $ac_cv_prog_cc_pic -DPIC" - if { (eval echo $progname:697: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then - # Append any warnings to the config.log. - cat conftest.err 1>&5 - - case $host_os in - hpux9* | hpux10* | hpux11*) - # On HP-UX, both CC and GCC only warn that PIC is supported... then - # they create non-PIC objects. So, if there were any warnings, we - # assume that PIC is not supported. - if test -s conftest.err; then - ac_cv_prog_cc_pic_works=no - ac_cv_prog_cc_can_build_shared=no - ac_cv_prog_cc_pic= - else - ac_cv_prog_cc_pic_works=yes - ac_cv_prog_cc_pic=" $ac_cv_prog_cc_pic" - fi - ;; - *) - ac_cv_prog_cc_pic_works=yes - ac_cv_prog_cc_pic=" $ac_cv_prog_cc_pic" - ;; - esac - else - # Append any errors to the config.log. 
- cat conftest.err 1>&5 - ac_cv_prog_cc_pic_works=no - ac_cv_prog_cc_can_build_shared=no - ac_cv_prog_cc_pic= - fi - CFLAGS="$save_CFLAGS" - $rm conftest* - fi - # Belt *and* braces to stop my trousers falling down: - if test "X$ac_cv_prog_cc_pic_works" = Xno; then - ac_cv_prog_cc_pic= - ac_cv_prog_cc_can_build_shared=no - fi - echo "$ac_t""$ac_cv_prog_cc_pic_works" 1>&6 -fi - -# Check for any special shared library compilation flags. -if test -n "$ac_cv_prog_cc_shlib"; then - echo "$progname: warning: \`$CC' requires \`$ac_cv_prog_cc_shlib' to build shared libraries" 1>&2 - if echo "$old_CC $old_CFLAGS " | egrep -e "[ ]$ac_cv_prog_cc_shlib[ ]" >/dev/null; then : - else - echo "$progname: add \`$ac_cv_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" 1>&2 - ac_cv_prog_cc_can_build_shared=no - fi -fi - -echo $ac_n "checking if $compiler static flag $ac_cv_prog_cc_static works... $ac_c" 1>&6 -echo "$progname:749: checking if $compiler static flag $ac_cv_prog_cc_static works" >&5 -if test "X${ac_cv_prog_cc_static_works+set}" = Xset && \ - test "X${ac_cv_prog_cc_static_works}" != X; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - $rm conftest* - echo $lt_simple_link_test_code > conftest.$ac_ext - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $ac_cv_prog_cc_static" - if { (eval echo $progname:758: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then - ac_cv_prog_cc_static_works=yes - else - ac_cv_prog_cc_static_works=no - ac_cv_prog_cc_static= - fi - LDFLAGS="$save_LDFLAGS" - $rm conftest* -fi -# Belt *and* braces to stop my trousers falling down: -if test "X$ac_cv_prog_cc_static_works" = Xno; then - ac_cv_prog_cc_static= -fi -echo "$ac_t""$ac_cv_prog_cc_static_works" 1>&6 -pic_flag="$ac_cv_prog_cc_pic" -special_shlib_compile_flags="$ac_cv_prog_cc_shlib" -wl="$ac_cv_prog_cc_wl" -link_static_flag="$ac_cv_prog_cc_static" -no_builtin_flag="$ac_cv_prog_cc_no_builtin" -can_build_shared="$ac_cv_prog_cc_can_build_shared" - -# find the maximum 
length of command line arguments -echo "$progname:780: finding the maximum length of command line arguments" 1>&5 -echo $ac_n "finding the maximum length of command line arguments... $ac_c" 1>&6 -if test "${lt_cv_sys_max_cmd_len+set}" = set; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - i=0 - testring="ABCD" - # If test is not a shell built-in, we'll probably end up computing a - # maximum length that is only half of the actual maximum length, but - # we can't tell. - while test "X"`$CONFIG_SHELL $0 --fallback-echo "X$testring" 2>/dev/null` \ - = "XX$testring" && - new_result=`expr "X$testring" : ".*" 2>&1` && - lt_cv_sys_max_cmd_len=$new_result && - test $i != 18 # 1 MB should be enough - do - i=`expr $i + 1` - testring=$testring$testring - done - testring= - # add a significant safety factor because C++ compilers can tack on massive amounts - # of additional arguments before passing them to the linker. 1/4 should be good. - len=`expr $lt_cv_sys_max_cmd_len \/ 4` - lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len - $len` -fi -echo "$progname:@lineno@: result: $lt_cv_sys_max_cmd_len" 1>&5 -echo "${ac_t}$lt_cv_sys_max_cmd_len" 1>&6 - -if test -n $lt_cv_sys_max_cmd_len ; then - max_cmd_len=$lt_cv_sys_max_cmd_len -else - max_cmd_len=none -fi - -# Check to see if options -o and -c are simultaneously supported by compiler -echo $ac_n "checking if $compiler supports -c -o file.$objext... $ac_c" 1>&6 -if test "${lt_cv_compiler_c_o+set}" = set; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - $rm -r conftest 2>/dev/null - mkdir conftest - cd conftest - $rm conftest* - echo $lt_simple_compile_test_code > conftest.$ac_ext - mkdir out - # According to Tom Tromey, Ian Lance Taylor reported there are C compilers - # that will create temporary files in the current directory regardless of - # the output directory. Thus, making CWD read-only will cause this test - # to fail, enabling locking or at least warning the user not to do parallel - # builds. - chmod -w . 
- save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -o out/conftest2.$objext" - echo "$progname:833: checking if $compiler supports -c -o file.$objext" >&5 - if { (eval echo $progname:834: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.$objext; then - - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s out/conftest.err; then - lt_cv_compiler_c_o=no - else - lt_cv_compiler_c_o=yes - fi - else - # Append any errors to the config.log. - cat out/conftest.err 1>&5 - lt_cv_compiler_c_o=no - fi - CFLAGS="$save_CFLAGS" - chmod u+w . - $rm conftest* out/* - rmdir out - cd .. - rmdir conftest - $rm -r conftest 2>/dev/null -fi -compiler_c_o=$lt_cv_compiler_c_o -echo "${ac_t}$compiler_c_o" 1>&6 - -# Check to see if we can do hard links to lock some files if needed -hard_links="nottested" -if test "$compiler_c_o" = no && test "$need_locks" != no; then - # do not overwrite the value of need_locks provided by the user - echo $ac_n "checking if we can lock with hard links... $ac_c" 1>&6 - hard_links=yes - $rm conftest* - ln conftest.a conftest.b 2>/dev/null && hard_links=no - touch conftest.a - ln conftest.a conftest.b 2>&5 || hard_links=no - ln conftest.a conftest.b 2>/dev/null && hard_links=no - echo "$ac_t$hard_links" 1>&6 - $rm conftest* - if test "$hard_links" = no; then - echo "*** WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2 - need_locks=warn - fi -else - need_locks=no -fi - -if test "$with_gcc" = yes; then - # Check to see if options -fno-rtti -fno-exceptions are supported by compiler - echo $ac_n "checking if $compiler supports -fno-rtti -fno-exceptions ... 
$ac_c" 1>&6 - $rm conftest* - echo $lt_simple_compile_test_code > conftest.$ac_ext - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fno-rtti -fno-exceptions -c conftest.$ac_ext" - echo "$progname:887: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 - if { (eval echo $progname:888: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then - - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - echo "$ac_t"no 1>&6 - compiler_rtti_exceptions=no - else - echo "$ac_t"yes 1>&6 - compiler_rtti_exceptions=yes - fi - else - # Append any errors to the config.log. - cat conftest.err 1>&5 - compiler_rtti_exceptions=no - echo "$ac_t"no 1>&6 - fi - CFLAGS="$save_CFLAGS" - $rm conftest* - - if test "$compiler_rtti_exceptions" = "yes"; then - no_builtin_flag=' -fno-builtin -fno-rtti -fno-exceptions' - else - no_builtin_flag=' -fno-builtin' - fi - -fi - -# See if the linker supports building shared libraries. -echo $ac_n "checking whether the linker ($LD) supports shared libraries... $ac_c" 1>&6 - -echo "$ac_t$ld_shlibs" 1>&6 -test "$ld_shlibs" = no && can_build_shared=no - -# Check hardcoding attributes. -echo $ac_n "checking how to hardcode library paths into programs... $ac_c" 1>&6 -hardcode_action= -if test -n "$hardcode_libdir_flag_spec" || \ - test -n "$runpath_var"; then - - # We can hardcode non-existant directories. - if test "$hardcode_direct" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$hardcode_shlibpath_var" != no && - test "$hardcode_minus_L" != no; then - # Linking always hardcodes the temporary library directory. - hardcode_action=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. 
- hardcode_action=immediate - fi -else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. - hardcode_action=unsupported -fi -echo "$ac_t$hardcode_action" 1>&6 - -echo $ac_n "checking whether stripping libraries is possible... $ac_c" 1>&6 -if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then - test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" - test -z "$striplib" && striplib="$STRIP --strip-unneeded" - echo "${ac_t}yes" 1>&6 -else - echo "${ac_t}no" 1>&6 -fi - -case $reload_flag in -"" | " "*) ;; -*) reload_flag=" $reload_flag" ;; -esac -reload_cmds='$LD$reload_flag -o $output$reload_objs' -test -z "$deplibs_check_method" && deplibs_check_method=unknown - -# PORTME Fill in your ld.so characteristics -library_names_spec= -libname_spec='lib$name' -soname_spec= -postinstall_cmds= -postuninstall_cmds= -finish_cmds= -finish_eval= -shlibpath_var= -shlibpath_overrides_runpath=unknown -version_type=none -dynamic_linker="$host_os ld.so" -sys_lib_dlsearch_path_spec="/lib /usr/lib" -sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" - -echo $ac_n "checking dynamic linker characteristics... $ac_c" 1>&6 -case $host_os in -aix3*) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix $libname.a' - shlibpath_var=LIBPATH - - # AIX 3 has no versioning support, so we append a major version to the name. - soname_spec='${libname}${release}.so$major' - ;; - -aix4* | aix5*) - if test "$host_cpu" = ia64; then - # AIX 5 supports IA64 - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - shlibpath_var=LD_LIBRARY_PATH - else - # AIX (on Power*) has no versioning support, so currently we can not hardcode correct - # soname into executable. Probably we can add versioning support to - # collect2, so additional links can be useful in future. 
- # We preserve .a as extension for shared libraries though AIX4.2 - # and later linker supports .so - if test "$aix_use_runtimelinking" = yes; then - # If using run time linking (on AIX 4.2 or later) use lib.so instead of - # lib.a to let people know that these are not typical AIX shared libraries. - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - else - # We preserve .a as extension for shared libraries though AIX4.2 - # and later when we are not doing run time linking. - library_names_spec='${libname}${release}.a $libname.a' - soname_spec='${libname}${release}.so$major.o' - fi - # If we're using GNU nm, then we don't want the "-C" option. - # -C means demangle to AIX nm, but means don't demangle with GNU nm - if $NM -V 2>&1 | egrep '(GNU)' > /dev/null; then - export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - else - export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols' - fi - shlibpath_var=LIBPATH - deplibs_check_method=pass_all - case $host_os in - aix4 | aix4.[01] | aix4.[01].*) - if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' - echo ' yes ' - echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then - : - else - # With GCC up to 2.95.x, collect2 would create an import file - # for dependence libraries. The import file would start with - # the line `#! .'. This would cause the generated library to - # depend on `.', always an invalid library. This was fixed in - # development snapshots of GCC prior to 3.0. - can_build_shared=no - fi - ;; - esac - fi - ;; - -amigaos*) - library_names_spec='$libname.ixlibrary $libname.a' - # Create ${libname}_ixlibrary.a entries in /sys/libs. 
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "(cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a)"; (cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a) || exit 1; done' - ;; - -beos*) - library_names_spec='${libname}.so' - dynamic_linker="$host_os ld.so" - shlibpath_var=LIBRARY_PATH - lt_cv_dlopen="load_add_on" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes - ;; - -bsdi4*) - version_type=linux - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" - sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" - export_dynamic_flag_spec=-rdynamic - # the default ld.so.conf also contains /usr/contrib/lib and - # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow - # libtool to hard-code these into programs - ;; - -cygwin* | mingw* | pw32*) - version_type=windows - need_version=no - need_lib_prefix=no - case $with_gcc,$host_os in - yes,cygwin*) - library_names_spec='$libname.dll.a' - soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | [sed -e 's/[.]/-/g']`${versuffix}.dll' - postinstall_cmds='dlpath=`bash 2>&1 -c '\''. $dir/${file}i; echo \$dlname'\''`~ - dldir=$destdir/`dirname \$dlpath`~ - test -d \$dldir || mkdir -p \$dldir~ - $install_prog .libs/$dlname \$dldir/$dlname' - postuninstall_cmds='dldll=`bash 2>&1 -c '\''. 
$file; echo \$dlname'\''`~ - dlpath=$dir/\$dldll; $rm \$dlpath' - ;; - yes,mingw*) - library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll' - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | sed -e "s/^libraries://" -e "s/;/ /g"` - ;; - yes,pw32*) - library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll' -;; - *) - library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll $libname.lib' - ;; - esac - dynamic_linker='Win32 ld.exe' - # FIXME: first we should search . and the directory the executable is in - shlibpath_var=PATH - lt_cv_dlopen="LoadLibrary" - lt_cv_dlopen_libs= - ;; - -darwin* | rhapsody*) - dynamic_linker="$host_os dyld" - version_type=darwin - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${versuffix}.`test .$module = .yes && echo so || echo dylib` ${libname}${release}${major}.`test .$module = .yes && echo so || echo dylib` ${libname}.`test .$module = .yes && echo so || echo dylib`' - soname_spec='${libname}${release}${major}.`test .$module = .yes && echo so || echo dylib`' - shlibpath_overrides_runpath=yes - shlibpath_var=DYLD_LIBRARY_PATH - ;; - -freebsd1*) - dynamic_linker=no - ;; - -freebsd*) - objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout` - version_type=sunos - case $objformat in - elf*) - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - need_version=no - need_lc=no - need_lib_prefix=no - ;; - *) - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - need_version=yes - ;; - esac - shlibpath_var=LD_LIBRARY_PATH - case $host_os in - freebsd2*) - shlibpath_overrides_runpath=yes - ;; - *) - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - esac - ;; - -gnu*) - version_type=linux - need_lib_prefix=no - 
need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so${major} ${libname}.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - ;; - -hpux9* | hpux10* | hpux11*) - # Give a soname corresponding to the major version so that dld.sl refuses to - # link against other versions. - dynamic_linker="$host_os dld.sl" - version_type=sunos - need_lib_prefix=no - need_version=no - shlibpath_var=SHLIB_PATH - shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH - library_names_spec='${libname}${release}.sl$versuffix ${libname}${release}.sl$major $libname.sl' - soname_spec='${libname}${release}.sl$major' - # HP-UX runs *really* slowly unless shared libraries are mode 555. - postinstall_cmds='chmod 555 $lib' - ;; - -irix5* | irix6*) - version_type=sunos - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}.so$major' - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major ${libname}${release}.so $libname.so' - case $host_os in - irix5*) - libsuff= shlibsuff= - ;; - *) - case $LD in # libtool.m4 will add one of these switches to LD - *-32|*"-32 ") libsuff= shlibsuff= libmagic=32-bit;; - *-n32|*"-n32 ") libsuff=32 shlibsuff=N32 libmagic=N32;; - *-64|*"-64 ") libsuff=64 shlibsuff=64 libmagic=64-bit;; - *) libsuff= shlibsuff= libmagic=never-match;; - esac - ;; - esac - shlibpath_var=LD_LIBRARY${shlibsuff}_PATH - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" - sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" - ;; - -# No shared lib support for Linux oldld, aout, or coff. -linux-gnuoldld* | linux-gnuaout* | linux-gnucoff*) - dynamic_linker=no - ;; - -# This must be Linux ELF. 
-linux-gnu*) - version_type=sunos - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. - hardcode_into_libs=yes - - # We used to test for /lib/ld.so.1 and disable shared libraries on - # powerpc, because MkLinux only supported shared libraries with the - # GNU dynamic linker. Since this was broken with cross compilers, - # most powerpc-linux boxes support dynamic linking these days and - # people can always --disable-shared, the test was removed, and we - # assume the GNU/Linux dynamic linker is in use. - dynamic_linker='GNU/Linux ld.so' - ;; - -netbsd*) - need_lib_prefix=no - need_version=no - version_type=sunos - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - dynamic_linker='NetBSD (a.out) ld.so' - else - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major ${libname}${release}.so ${libname}.so' - soname_spec='${libname}${release}.so$major' - dynamic_linker='NetBSD ld.elf_so' - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - sys_lib_dlsearch_path_spec="/usr/lib" - sys_lib_search_path_spec="/usr/lib" - ;; - -newsos6) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; - -openbsd*) - version_type=sunos - if test "$with_gnu_ld" = yes; then - need_lib_prefix=no - need_version=no - fi - 
library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - shlibpath_var=LD_LIBRARY_PATH - ;; - -os2*) - libname_spec='$name' - need_lib_prefix=no - library_names_spec='$libname.dll $libname.a' - dynamic_linker='OS/2 ld.exe' - shlibpath_var=LIBPATH - ;; - -osf3* | osf4* | osf5*) - version_type=osf - need_version=no - soname_spec='${libname}${release}.so' - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so $libname.so' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" - sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" - ;; - -sco3.2v5*) - version_type=osf - soname_spec='${libname}${release}.so$major' - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - shlibpath_var=LD_LIBRARY_PATH - ;; - -solaris*) - version_type=sunos - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; - -sunos4*) - version_type=sunos - library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' - finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - if test "$with_gnu_ld" = yes; then - need_lib_prefix=no - fi - need_version=yes - ;; - -sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - case $host_vendor in - motorola) - need_lib_prefix=no - need_version=no - 
shlibpath_overrides_runpath=no - sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' - ;; - esac - ;; - -uts4*) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -dgux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -sysv4*MP*) - if test -d /usr/nec ;then - version_type=linux - library_names_spec='$libname.so.$versuffix $libname.so.$major $libname.so' - soname_spec='$libname.so.$major' - shlibpath_var=LD_LIBRARY_PATH - fi - ;; - -*) - dynamic_linker=no - ;; -esac -echo "$ac_t$dynamic_linker" 1>&6 -test "$dynamic_linker" = no && can_build_shared=no - -# Check for command to grab the raw symbol name followed by C symbol from nm. -echo $ac_n "checking command to parse $NM output... $ac_c" 1>&6 - -# These are sane defaults that work on at least a few old systems. -# [They come from Ultrix. What could be older than Ultrix?!! ;)] - -# Character class describing NM global symbol codes. -symcode='[BCDEGRST]' - -# Regexp to match symbols that can be accessed directly from C. -sympat='\([_A-Za-z][_A-Za-z0-9]*\)' - -# Transform the above into a raw symbol and a C symbol. -symxfrm='\1 \2\3 \3' - -# Transform an extracted symbol line into a proper C declaration -global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern char \1;/p'" - -# Define system-specific variables. 
-case $host_os in -aix*) - symcode='[BCDT]' - ;; -cygwin* | mingw* | pw32*) - symcode='[ABCDGISTW]' - ;; -hpux*) # Its linker distinguishes data from code symbols - global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern char \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" - ;; -irix*) - symcode='[BCDEGRST]' - ;; -solaris* | sysv5*) - symcode='[BDT]' - ;; -sysv4) - symcode='[DFNSTU]' - ;; -esac - -# Handle CRLF in mingw tool chain -opt_cr= -case $host_os in -mingw*) - opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp - ;; -esac - -# If we're using GNU nm, then use its standard symbol codes. -if $NM -V 2>&1 | egrep '(GNU|with BFD)' > /dev/null; then - symcode='[ABCDGISTW]' -fi - -# Try without a prefix undercore, then with it. -for ac_symprfx in "" "_"; do - - # Write the raw and C identifiers. - global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'" - - # Check to see that the pipe works correctly. - pipe_works=no - $rm conftest* - cat > conftest.$ac_ext <&5 - if { (eval echo $progname:1434: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; } && test -s conftest.$objext; then - # Now try to grab the symbols. - nlist=conftest.nm - if { echo "$progname:1437: eval \"$NM conftest.$objext | $global_symbol_pipe > $nlist\"" >&5; eval "$NM conftest.$objext | $global_symbol_pipe > $nlist 2>&5"; } && test -s "$nlist"; then - - # Try sorting and uniquifying the output. - if sort "$nlist" | uniq > "$nlist"T; then - mv -f "$nlist"T "$nlist" - else - rm -f "$nlist"T - fi - - # Make sure that we snagged all the symbols we need. - if egrep ' nm_test_var$' "$nlist" >/dev/null; then - if egrep ' nm_test_func$' "$nlist" >/dev/null; then - cat < conftest.$ac_ext -#ifdef __cplusplus -extern "C" { -#endif - -EOF - # Now generate the symbol file. 
- eval "$global_symbol_to_cdecl"' < "$nlist" >> conftest.$ac_ext' - - cat <> conftest.$ac_ext -#if defined (__STDC__) && __STDC__ -# define lt_ptr_t void * -#else -# define lt_ptr_t char * -# define const -#endif - -/* The mapping between symbol names and symbols. */ -const struct { - const char *name; - lt_ptr_t address; -} -lt_preloaded_symbols[] = -{ -EOF - sed "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" >> conftest.$ac_ext - cat <<\EOF >> conftest.$ac_ext - {0, (lt_ptr_t) 0} -}; - -#ifdef __cplusplus -} -#endif -EOF - # Now try linking the two files. - mv conftest.$objext conftstm.$objext - save_LIBS="$LIBS" - save_CFLAGS="$CFLAGS" - LIBS="conftstm.$objext" - CFLAGS="$CFLAGS$no_builtin_flag" - if { (eval echo $progname:1489: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then - pipe_works=yes - else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - fi - LIBS="$save_LIBS" - else - echo "cannot find nm_test_func in $nlist" >&5 - fi - else - echo "cannot find nm_test_var in $nlist" >&5 - fi - else - echo "cannot run $global_symbol_pipe" >&5 - fi - else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - fi - $rm conftest* conftst* - - # Do not use the global_symbol_pipe unless it works. - if test "$pipe_works" = yes; then - break - else - global_symbol_pipe= - fi -done -if test "$pipe_works" = yes; then - echo "${ac_t}ok" 1>&6 -else - echo "${ac_t}failed" 1>&6 -fi - -if test -z "$global_symbol_pipe"; then - global_symbol_to_cdecl= -fi - -# Report the final consequences. -echo "checking if libtool supports shared libraries... $can_build_shared" 1>&6 - -# Only try to build win32 dlls if AC_LIBTOOL_WIN32_DLL was used in -# configure.in, otherwise build static only libraries. -case $host_os in -cygwin* | mingw* | pw32* | os2*) - if test x$can_build_shared = xyes; then - test x$enable_win32_dll = xno && can_build_shared=no - echo "checking if package supports dlls... 
$can_build_shared" 1>&6 - fi -;; -esac - -echo $ac_n "checking whether to build shared libraries... $ac_c" 1>&6 -test "$can_build_shared" = "no" && enable_shared=no - -# On AIX, shared libraries and static libraries use the same namespace, and -# are all built from PIC. -case $host_os in -aix3*) - test "$enable_shared" = yes && enable_static=no - if test -n "$RANLIB"; then - archive_cmds="$archive_cmds~\$RANLIB \$lib" - postinstall_cmds='$RANLIB $lib' - fi - ;; - -aix4*) - test "$enable_shared" = yes && enable_static=no - ;; -esac - -echo "$ac_t$enable_shared" 1>&6 - -# Make sure either enable_shared or enable_static is yes. -test "$enable_shared" = yes || enable_static=yes - -echo "checking whether to build static libraries... $enable_static" 1>&6 - -if test "$hardcode_action" = relink; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless -fi - -variables_saved_for_relink="PATH $shlibpath_var $runpath_var" -if test "$with_gcc" = yes; then - variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" -fi - -# Check whether we must set pic_mode to default -test -z "$pic_flag" && pic_mode=default - -if test "x$enable_dlopen" != xyes; then - enable_dlopen=unknown - enable_dlopen_self=unknown - enable_dlopen_self_static=unknown -else -if test "X${lt_cv_dlopen+set}" != Xset; then - lt_cv_dlopen=no lt_cv_dlopen_libs= -echo $ac_n "checking for dlopen in -ldl""... 
$ac_c" 1>&6 -echo "$progname:1593: checking for dlopen in -ldl" >&5 -if test "X${ac_cv_lib_dl_dlopen+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-ldl $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_lib_dl_dlopen=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_lib_dl_dlopen=no -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if test "X$ac_cv_lib_dl_dlopen" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for dlopen""... $ac_c" 1>&6 -echo "$progname:1632: checking for dlopen" >&5 -if test "X${ac_cv_func_dlopen+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlopen(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_dlopen) || defined (__stub___dlopen) -choke me -#else -dlopen(); -#endif - -; return 0; } -EOF -if { (eval echo $progname:1662: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_func_dlopen=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_func_dlopen=no -fi -rm -f conftest* -fi -if test "X$ac_cv_func_dlopen" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="dlopen" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for dlopen in -lsvld""... 
$ac_c" 1>&6 -echo "$progname:1679: checking for dlopen in -lsvld" >&5 -if test "X${ac_cv_lib_svld_dlopen+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-lsvld $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_lib_svld_dlopen=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_lib_svld_dlopen=no -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if test "X$ac_cv_lib_svld_dlopen" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for dld_link in -ldld""... $ac_c" 1>&6 -echo "$progname:1718: checking for dld_link in -ldld" >&5 -if test "X${ac_cv_lib_dld_dld_link+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-ldld $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_lib_dld_dld_link=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_lib_dld_dld_link=no -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if test "X$ac_cv_lib_dld_dld_link" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for shl_load""... $ac_c" 1>&6 -echo "$progname:1757: checking for shl_load" >&5 -if test "X${ac_cv_func_shl_load+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char shl_load(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. 
Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_shl_load) || defined (__stub___shl_load) -choke me -#else -shl_load(); -#endif - -; return 0; } -EOF -if { (eval echo $progname:1787: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_func_shl_load=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_func_shl_load=no -fi -rm -f conftest* -fi - -if test "X$ac_cv_func_shl_load" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="shl_load" -else - echo "$ac_t""no" 1>&6 -echo $ac_n "checking for shl_load in -ldld""... $ac_c" 1>&6 -echo "$progname:1805: checking for shl_load in -ldld" >&5 -if test "X${ac_cv_lib_dld_shl_load+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-ldld $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_lib_dld_shl_load=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_lib_dld_shl_load=no -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if test "X$ac_cv_lib_dld_shl_load" = Xyes; then - echo "$ac_t""yes" 1>&6 - lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" -else - echo "$ac_t""no" 1>&6 -fi - - -fi - - -fi - - -fi - - -fi - -fi - -fi - - if test "x$lt_cv_dlopen" != xno; then - enable_dlopen=yes - else - enable_dlopen=no - fi - - case $lt_cv_dlopen in - dlopen) -for ac_hdr in dlfcn.h; do -ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 -echo "$progname:1873: checking for $ac_hdr" >&5 -if eval "test \"`echo 'X$''{'ac_cv_header_$ac_safe'+set}'`\" = Xset"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -int fnord = 0; -int main () { return(0); } -EOF -ac_try="$ac_compile >/dev/null 2>conftest.out" -{ (eval echo $progname:1884: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" -else - echo "$ac_err" >&5 - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" -fi -rm -f conftest* -fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then - echo "$ac_t""yes" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi -done - - if test "x$ac_cv_header_dlfcn_h" = xyes; then - CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" - fi - eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" - LIBS="$lt_cv_dlopen_libs $LIBS" - - echo $ac_n "checking whether a program can dlopen itself""... $ac_c" 1>&6 -echo "$progname:1912: checking whether a program can dlopen itself" >&5 -if test "X${lt_cv_dlopen_self+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - if test "$cross_compiling" = yes; then - lt_cv_dlopen_self=cross - else - cat > conftest.$ac_ext < -#endif - -#include - -#ifdef RTLD_GLOBAL -# define LTDL_GLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LTDL_GLOBAL DL_GLOBAL -# else -# define LTDL_GLOBAL 0 -# endif -#endif - -/* We may have to define LTDL_LAZY_OR_NOW in the command line if we - find out it does not work in some platform. 
*/ -#ifndef LTDL_LAZY_OR_NOW -# ifdef RTLD_LAZY -# define LTDL_LAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LTDL_LAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LTDL_LAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LTDL_LAZY_OR_NOW DL_NOW -# else -# define LTDL_LAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif - -void fnord() { int i=42; } -int main() { - void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW); - if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord"); - if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); } - -EOF -if { (eval echo $progname:1967: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null -then - lt_cv_dlopen_self=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -fr conftest* - lt_cv_dlopen_self=no -fi -rm -fr conftest* -fi - -fi - -echo "$ac_t""$lt_cv_dlopen_self" 1>&6 - - if test "$lt_cv_dlopen_self" = yes; then - LDFLAGS="$LDFLAGS $link_static_flag" - echo $ac_n "checking whether a statically linked program can dlopen itself""... $ac_c" 1>&6 -echo "$progname:1986: checking whether a statically linked program can dlopen itself" >&5 -if test "X${lt_cv_dlopen_self_static+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - if test "$cross_compiling" = yes; then - lt_cv_dlopen_self_static=cross - else - cat > conftest.$ac_ext < -#endif - -#include - -#ifdef RTLD_GLOBAL -# define LTDL_GLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LTDL_GLOBAL DL_GLOBAL -# else -# define LTDL_GLOBAL 0 -# endif -#endif - -/* We may have to define LTDL_LAZY_OR_NOW in the command line if we - find out it does not work in some platform. 
*/ -#ifndef LTDL_LAZY_OR_NOW -# ifdef RTLD_LAZY -# define LTDL_LAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LTDL_LAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LTDL_LAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LTDL_LAZY_OR_NOW DL_NOW -# else -# define LTDL_LAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif - -void fnord() { int i=42; } -int main() { - void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW); - if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord"); - if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); } - -EOF -if { (eval echo $progname:2041: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null -then - lt_cv_dlopen_self_static=yes -else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -fr conftest* - lt_cv_dlopen_self_static=no -fi -rm -fr conftest* -fi - -fi - -echo "$ac_t""$lt_cv_dlopen_self_static" 1>&6 -fi - ;; - esac - - case $lt_cv_dlopen_self in - yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; - *) enable_dlopen_self=unknown ;; - esac - - case $lt_cv_dlopen_self_static in - yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; - *) enable_dlopen_self_static=unknown ;; - esac -fi - -# Copy echo and quote the copy, instead of the original, because it is -# used later. -ltecho="$echo" -if test "X$ltecho" = "X$CONFIG_SHELL $0 --fallback-echo"; then - ltecho="$CONFIG_SHELL \$0 --fallback-echo" -fi -LTSHELL="$SHELL" - -LTCONFIG_VERSION="$VERSION" - -# Only quote variables if we're using ltmain.sh. -case $ltmain in -*.sh) - # Now quote all the things that may contain metacharacters. 
- for var in ltecho old_AR old_AR_FLAGS old_CC old_LTCC old_CFLAGS old_CPPFLAGS \ - old_MAGIC_CMD old_LD old_LDFLAGS old_LIBS \ - old_LN_S old_NM old_RANLIB old_STRIP \ - old_AS old_DLLTOOL old_OBJDUMP \ - old_OBJEXT old_EXEEXT old_reload_flag \ - old_deplibs_check_method old_file_magic_cmd \ - AR AR_FLAGS CC LTCC LD LN_S NM LTSHELL LTCONFIG_VERSION \ - reload_flag reload_cmds wl \ - pic_flag link_static_flag no_builtin_flag export_dynamic_flag_spec \ - thread_safe_flag_spec whole_archive_flag_spec libname_spec \ - library_names_spec soname_spec \ - RANLIB old_archive_cmds old_archive_from_new_cmds old_postinstall_cmds \ - old_postuninstall_cmds archive_cmds archive_expsym_cmds postinstall_cmds \ - postuninstall_cmds extract_expsyms_cmds old_archive_from_expsyms_cmds \ - predep_objects postdep_objects predeps postdeps compiler_lib_search_path \ - old_striplib striplib file_magic_cmd export_symbols_cmds \ - deplibs_check_method allow_undefined_flag no_undefined_flag \ - finish_cmds finish_eval global_symbol_pipe global_symbol_to_cdecl \ - hardcode_libdir_flag_spec hardcode_libdir_separator \ - sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - compiler_c_o need_locks exclude_expsyms include_expsyms; do - - case $var in - reload_cmds | old_archive_cmds | old_archive_from_new_cmds | \ - old_postinstall_cmds | old_postuninstall_cmds | \ - export_symbols_cmds | archive_cmds | archive_expsym_cmds | \ - extract_expsyms_cmds | old_archive_from_expsyms_cmds | \ - postinstall_cmds | postuninstall_cmds | \ - finish_cmds | sys_lib_search_path_spec | sys_lib_dlsearch_path_spec) - # Double-quote double-evaled strings. 
- eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" ### testsuite: skip nested quoting test - ;; - *) - eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" ### testsuite: skip nested quoting test - ;; - esac - done - - case $ltecho in - *'\$0 --fallback-echo"') - ltecho=`$echo "X$ltecho" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'` - ;; - esac - - if test -z "$tagname"; then - trap "$rm \"$ofile\"; exit 1" 1 2 15 - echo "creating $ofile" - $rm "$ofile" - cat < "$ofile" -#! $SHELL - -# `$echo "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services. -# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) -# NOTE: Changes made to this file will be lost: look at ltconfig or ltmain.sh. -# -# Copyright (C) 1996-2000 Free Software Foundation, Inc. -# Originally by Gordon Matzigkeit , 1996 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. 
- -# Sed that helps us avoid accidentally triggering echo(1) options like -n. -Xsed="sed -e s/^X//" - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi - -# The names of the tagged configurations supported by this script. -available_tags= - -### BEGIN LIBTOOL CONFIG -EOF - else - echo "appending configuration tag \"$tagname\" to $ofile" - echo "### BEGIN LIBTOOL TAG CONFIG: $tagname" >> "$ofile" - fi - cfgfile="$ofile" - ;; - -*) - # Double-quote the variables that need it (for aesthetics). - for var in old_AR old_AR_FLAGS old_CC old_LTCC old_CFLAGS old_CPPFLAGS \ - old_MAGIC_CMD old_LD old_LDFLAGS old_LIBS \ - old_LN_S old_NM old_RANLIB old_STRIP \ - old_AS old_DLLTOOL old_OBJDUMP \ - old_OBJEXT old_EXEEXT old_reload_flag \ - old_deplibs_check_method old_file_magic_cmd; do - eval "$var=\\\"\$var\\\"" - done - - # Just create a config file. - cfgfile="$ofile.cfg" - if test -z "$tagname"; then - trap "$rm \"$cfgfile\"; exit 1" 1 2 15 - echo "creating $cfgfile" - $rm "$cfgfile" - cat < "$cfgfile" -# `$echo "$cfgfile" | sed 's%^.*/%%'` - Libtool configuration file. 
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) - -### BEGIN LIBTOOL CONFIG -EOF - else - echo "appending to $cfgfile" - echo "### BEGIN LIBTOOL TAG CONFIG: $tagname" >> "$ofile" - fi - ;; -esac - -cat <> "$cfgfile" -# Libtool was configured as follows, on host `(hostname || uname -n) 2>/dev/null | sed 1q`: -# -# AR=$old_AR AR_FLAGS=$old_AR_FLAGS LTCC=$old_LTCC CC=$old_CC \\ -# CFLAGS=$old_CFLAGS CPPFLAGS=$old_CPPFLAGS \\ -# MAGIC_CMD=$old_MAGIC_CMD LD=$old_LD LDFLAGS=$old_LDFLAGS LIBS=$old_LIBS \\ -# LN_S=$old_LN_S NM=$old_NM RANLIB=$old_RANLIB STRIP=$old_STRIP \\ -# AS=$old_AS DLLTOOL=$old_DLLTOOL OBJDUMP=$old_OBJDUMP \\ -# objext=$old_OBJEXT exeext=$old_EXEEXT reload_flag=$old_reload_flag \\ -# deplibs_check_method=$old_deplibs_check_method \\ -# file_magic_cmd=$old_file_magic_cmd \\ -# $0$ltconfig_args -# -# Compiler and other test output produced by $progname, useful for -# debugging $progname, is in ./config.log if it exists. - -# The version of $progname that generated this script. -LTCONFIG_VERSION=$LTCONFIG_VERSION - -# Shell to use when invoking shell scripts. -SHELL=$LTSHELL - -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared - -# Whether or not to add -lc for building shared libraries. -build_libtool_need_lc=$need_lc - -# Whether or not to build static libraries. -build_old_libs=$enable_static - -# Whether or not to optimize for fast installation. -fast_install=$enable_fast_install - -# The host system. -host_alias=$host_alias -host=$host - -# An echo program that does not interpret backslashes. -echo=$ltecho - -# The archiver. -AR=$AR -AR_FLAGS=$AR_FLAGS - -# A C compiler. -LTCC=$LTCC - -# A language-specific compiler. -CC=$CC - -# Is the compiler the GNU C compiler? -with_gcc=$with_gcc - -# The linker used to build libraries. -LD=$LD - -# Whether we need hard or soft links. -LN_S=$LN_S - -# A BSD-compatible nm program. 
-NM=$NM - -# A symbol stripping program -STRIP=$STRIP - -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD - -# Used on cygwin: DLL creation program. -DLLTOOL="$DLLTOOL" - -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" - -# Used on cygwin: assembler. -AS="$AS" - -# The name of the directory that contains temporary libtool files. -objdir=$objdir - -# How to create reloadable object files. -reload_flag=$reload_flag -reload_cmds=$reload_cmds - -# How to pass a linker flag through the compiler. -wl=$wl - -# Object file suffix (normally "o"). -objext="$objext" - -# Old archive suffix (normally "a"). -libext="$libext" - -# Executable file suffix (normally ""). -exeext="$exeext" - -# Additional compiler flags for building library objects. -pic_flag=$pic_flag -pic_mode=$pic_mode - -# What is the maximum length of a command? -max_cmd_len=$max_cmd_len - -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$compiler_c_o - -# Must we lock files when doing compilation ? -need_locks=$need_locks - -# Do we need the lib prefix for modules? -need_lib_prefix=$need_lib_prefix - -# Do we need a version for libraries? -need_version=$need_version - -# Whether dlopen is supported. -dlopen_support=$enable_dlopen - -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self - -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=$enable_dlopen_self_static - -# Compiler flag to prevent dynamic linking. -link_static_flag=$link_static_flag - -# Compiler flag to turn off builtin functions. -no_builtin_flag=$no_builtin_flag - -# Compiler flag to allow reflexive dlopens. -export_dynamic_flag_spec=$export_dynamic_flag_spec - -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec=$whole_archive_flag_spec - -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$thread_safe_flag_spec - -# Library versioning type. 
-version_type=$version_type - -# Format of library name prefix. -libname_spec=$libname_spec - -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$library_names_spec - -# The coded name of the library, if different from the real name. -soname_spec=$soname_spec - -# Commands used to build and install an old-style archive. -RANLIB=$RANLIB -old_archive_cmds=$old_archive_cmds -old_postinstall_cmds=$old_postinstall_cmds -old_postuninstall_cmds=$old_postuninstall_cmds - -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds=$old_archive_from_new_cmds - -# Create a temporary old-style archive to link instead of a shared archive. -old_archive_from_expsyms_cmds=$old_archive_from_expsyms_cmds - -# Commands used to build and install a shared archive. -archive_cmds=$archive_cmds -archive_expsym_cmds=$archive_expsym_cmds -postinstall_cmds=$postinstall_cmds -postuninstall_cmds=$postuninstall_cmds - -# Commands to strip libraries. -old_striplib=$old_striplib -striplib=$striplib - -# Dependencies to place before the objects being linked to create a -# shared library. -predep_objects=$predep_objects - -# Dependencies to place after the objects being linked to create a -# shared library. -postdep_objects=$postdep_objects - -# Dependencies to place before the objects being linked to create a -# shared library. -predeps=$predeps - -# Dependencies to place after the objects being linked to create a -# shared library. -postdeps=$postdeps - -# The library search path used internally by the compiler when linking -# a shared library. -compiler_lib_search_path=$compiler_lib_search_path - -# Method to check whether dependent libraries are shared objects. -deplibs_check_method=$deplibs_check_method - -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$file_magic_cmd - -# Flag that allows shared libraries with undefined symbols to be built. 
-allow_undefined_flag=$allow_undefined_flag - -# Flag that forces no undefined symbols. -no_undefined_flag=$no_undefined_flag - -# Commands used to finish a libtool library installation in a directory. -finish_cmds=$finish_cmds - -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$finish_eval - -# Take the output of nm and produce a listing of raw symbols and C names. -global_symbol_pipe=$global_symbol_pipe - -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$global_symbol_to_cdecl - -# This is the shared library runtime path variable. -runpath_var=$runpath_var - -# This is the shared library path variable. -shlibpath_var=$shlibpath_var - -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=$shlibpath_overrides_runpath - -# How to hardcode a shared library path into an executable. -hardcode_action=$hardcode_action - -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs - -# Flag to hardcode \$libdir into a binary during linking. -# This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec=$hardcode_libdir_flag_spec - -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator=$hardcode_libdir_separator - -# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=$hardcode_direct - -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$hardcode_minus_L - -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. -hardcode_shlibpath_var=$hardcode_shlibpath_var - -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" - -# Whether libtool must link a program against all its dependency libraries. 
-link_all_deplibs=$link_all_deplibs - -# Compile-time system search path for libraries -sys_lib_search_path_spec=$sys_lib_search_path_spec - -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$sys_lib_dlsearch_path_spec - -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path="$fix_srcfile_path" - -# Set to yes if exported symbols are required. -always_export_symbols=$always_export_symbols - -# The commands to list exported symbols. -export_symbols_cmds=$export_symbols_cmds - -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds=$extract_expsyms_cmds - -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms=$exclude_expsyms - -# Symbols that must always be exported. -include_expsyms=$include_expsyms - -EOF - -if test -z "$tagname"; then - echo '### END LIBTOOL CONFIG' >> "$ofile" -else - echo "### END LIBTOOL TAG CONFIG: $tagname" >> "$ofile" -fi - -case $ltmain in -*.sh) - echo >> "$ofile" - if test -z "$tagname"; then - case $host_os in - aix3*) - cat <<\EOF >> "$ofile" - -# AIX sometimes has problems with the GCC collect2 program. For some -# reason, if we set the COLLECT_NAMES environment variable, the problems -# vanish in a puff of smoke. 
-if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES -fi -EOF - ;; - esac - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - cat <<'EOF' >> "$ofile" - # This is a source program that is used to create dlls on Windows - # Don't remove nor modify the starting and closing comments -# /* ltdll.c starts here */ -# #define WIN32_LEAN_AND_MEAN -# #include -# #undef WIN32_LEAN_AND_MEAN -# #include -# -# #ifndef __CYGWIN__ -# # ifdef __CYGWIN32__ -# # define __CYGWIN__ __CYGWIN32__ -# # endif -# #endif -# -# #ifdef __cplusplus -# extern "C" { -# #endif -# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved); -# #ifdef __cplusplus -# } -# #endif -# -# #ifdef __CYGWIN__ -# #include -# DECLARE_CYGWIN_DLL( DllMain ); -# #endif -# HINSTANCE __hDllInstance_base; -# -# BOOL APIENTRY -# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved) -# { -# __hDllInstance_base = hInst; -# return TRUE; -# } -# /* ltdll.c ends here */ - # This is a source program that is used to create import libraries - # on Windows for dlls which lack them. Don't remove nor modify the - # starting and closing comments -# /* impgen.c starts here */ -# /* Copyright (C) 1999-2000 Free Software Foundation, Inc. -# -# This file is part of GNU libtool. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. 
-# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# */ -# -# #include /* for printf() */ -# #include /* for open(), lseek(), read() */ -# #include /* for O_RDONLY, O_BINARY */ -# #include /* for strdup() */ -# -# /* O_BINARY isn't required (or even defined sometimes) under Unix */ -# #ifndef O_BINARY -# #define O_BINARY 0 -# #endif -# -# static unsigned int -# pe_get16 (fd, offset) -# int fd; -# int offset; -# { -# unsigned char b[2]; -# lseek (fd, offset, SEEK_SET); -# read (fd, b, 2); -# return b[0] + (b[1]<<8); -# } -# -# static unsigned int -# pe_get32 (fd, offset) -# int fd; -# int offset; -# { -# unsigned char b[4]; -# lseek (fd, offset, SEEK_SET); -# read (fd, b, 4); -# return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24); -# } -# -# static unsigned int -# pe_as32 (ptr) -# void *ptr; -# { -# unsigned char *b = ptr; -# return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24); -# } -# -# int -# main (argc, argv) -# int argc; -# char *argv[]; -# { -# int dll; -# unsigned long pe_header_offset, opthdr_ofs, num_entries, i; -# unsigned long export_rva, export_size, nsections, secptr, expptr; -# unsigned long name_rvas, nexp; -# unsigned char *expdata, *erva; -# char *filename, *dll_name; -# -# filename = argv[1]; -# -# dll = open(filename, O_RDONLY|O_BINARY); -# if (dll < 1) -# return 1; -# -# dll_name = filename; -# -# for (i=0; filename[i]; i++) -# if (filename[i] == '/' || filename[i] == '\\' || filename[i] == ':') -# dll_name = filename + i +1; -# -# pe_header_offset = pe_get32 (dll, 0x3c); -# opthdr_ofs = pe_header_offset + 4 + 20; -# num_entries = pe_get32 (dll, opthdr_ofs + 92); -# -# if (num_entries < 1) /* no exports */ -# return 1; -# -# export_rva = pe_get32 (dll, opthdr_ofs + 96); -# export_size = pe_get32 (dll, opthdr_ofs + 100); -# nsections = pe_get16 (dll, pe_header_offset + 4 +2); -# secptr = 
(pe_header_offset + 4 + 20 + -# pe_get16 (dll, pe_header_offset + 4 + 16)); -# -# expptr = 0; -# for (i = 0; i < nsections; i++) -# { -# char sname[8]; -# unsigned long secptr1 = secptr + 40 * i; -# unsigned long vaddr = pe_get32 (dll, secptr1 + 12); -# unsigned long vsize = pe_get32 (dll, secptr1 + 16); -# unsigned long fptr = pe_get32 (dll, secptr1 + 20); -# lseek(dll, secptr1, SEEK_SET); -# read(dll, sname, 8); -# if (vaddr <= export_rva && vaddr+vsize > export_rva) -# { -# expptr = fptr + (export_rva - vaddr); -# if (export_rva + export_size > vaddr + vsize) -# export_size = vsize - (export_rva - vaddr); -# break; -# } -# } -# -# expdata = (unsigned char*)malloc(export_size); -# lseek (dll, expptr, SEEK_SET); -# read (dll, expdata, export_size); -# erva = expdata - export_rva; -# -# nexp = pe_as32 (expdata+24); -# name_rvas = pe_as32 (expdata+32); -# -# printf ("EXPORTS\n"); -# for (i = 0; i> "$ofile" || (rm -f "$ofile"; exit 1) - # We use sed instead of cat because bash on DJGPP gets confused if - # if finds mixed CR/LF and LF-only lines. Since sed operates in - # text mode, it properly converts lines to CR/LF. This bash problem - # is reportedly fixed, but why not run on old versions too? - - chmod +x "$ofile" - fi - ;; - -*) - # Compile the libtool program. - echo "FIXME: would compile $ltmain" - ;; -esac - -# Update the list of available tags. -if test -n "$tagname"; then - - # Extract list of available tagged configurations in $ofile. - # Note that this assumes the entire list is on one line. - available_tags=`grep "^available_tags=" $ofile | sed -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'` - - # Append the new tag name to the list of available tags. - available_tags="$available_tags $tagname" - - # Now substitute the updated of available tags. 
- if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' ${ofile} > ${ofile}.new"; then - mv ${ofile}.new ${ofile} - chmod +x "$ofile" - else - rm -f ${ofile}.new - echo "$progname: unable to update list of available tagged configurations." - exit 1 - fi -fi - -# Don't cache tagged configuration! -test -n "$cache_file" && test -z "$tagname" || exit 0 - -# AC_CACHE_SAVE -trap '' 1 2 15 -cat > confcache <<\EOF -# This file is a shell script that caches the results of configure -# tests run on this system so they can be shared between configure -# scripts and configure runs. It is not useful on other systems. -# If it contains results you don't want to keep, you may remove or edit it. -# -# By default, configure uses ./config.cache as the cache file, -# creating it if it does not exist already. You can give configure -# the --cache-file=FILE option to use a different cache file; that is -# what configure does when it calls configure scripts in -# subdirectories, so they share the cache. -# Giving --cache-file=/dev/null disables caching, for debugging configure. -# config.status only pays attention to the cache file if you give it the -# --recheck option to rerun configure. -# -EOF -# The following way of writing the cache mishandles newlines in values, -# but we know of no workaround that is simple, portable, and efficient. -# So, don't put newlines in cache variables' values. -# Ultrix sh set writes to stderr and can't be redirected directly, -# and sets the high bit in the cache file unless we assign to the vars. -(set) 2>&1 | - case `(ac_space=' '; set | grep ac_space) 2>&1` in - *ac_space=\ *) - # `set' does not quote correctly, so add quotes (double-quote substitution - # turns \\\\ into \\, and sed turns \\ into \). - sed -n \ - -e "s/'/'\\\\''/g" \ - -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p" - ;; - *) - # `set' quotes correctly as required by POSIX, so do not add quotes. 
- sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p' - ;; - esac >> confcache -if cmp -s $cache_file confcache; then - : -else - if test -w $cache_file; then - echo "updating cache $cache_file" - cat confcache > $cache_file - else - echo "not updating unwritable cache $cache_file" - fi -fi -rm -f confcache - -exit 0 - -# Local Variables: -# mode:shell-script -# sh-indentation:2 -# End: diff --git a/crypto/heimdal/mkinstalldirs b/crypto/heimdal/mkinstalldirs deleted file mode 100755 index 6fbe5e117629..000000000000 --- a/crypto/heimdal/mkinstalldirs +++ /dev/null 
@@ -1,150 +0,0 @@ -#! /bin/sh -# mkinstalldirs --- make directory hierarchy - -scriptversion=2004-02-15.20 - -# Original author: Noah Friedman -# Created: 1993-05-16 -# Public domain. -# -# This file is maintained in Automake, please report -# bugs to or send patches to -# . - -errstatus=0 -dirmode="" - -usage="\ -Usage: mkinstalldirs [-h] [--help] [--version] [-m MODE] DIR ... - -Create each directory DIR (with mode MODE, if specified), including all -leading file name components. - -Report bugs to ." - -# process command line arguments -while test $# -gt 0 ; do - case $1 in - -h | --help | --h*) # -h for help - echo "$usage" - exit 0 - ;; - -m) # -m PERM arg - shift - test $# -eq 0 && { echo "$usage" 1>&2; exit 1; } - dirmode=$1 - shift - ;; - --version) - echo "$0 $scriptversion" - exit 0 - ;; - --) # stop option processing - shift - break - ;; - -*) # unknown option - echo "$usage" 1>&2 - exit 1 - ;; - *) # first non-opt arg - break - ;; - esac -done - -for file -do - if test -d "$file"; then - shift - else - break - fi -done - -case $# in - 0) exit 0 ;; -esac - -# Solaris 8's mkdir -p isn't thread-safe. If you mkdir -p a/b and -# mkdir -p a/c at the same time, both will detect that a is missing, -# one will create a, then the other will try to create a and die with -# a "File exists" error. This is a problem when calling mkinstalldirs -# from a parallel make. We use --version in the probe to restrict -# ourselves to GNU mkdir, which is thread-safe. -case $dirmode in - '') - if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then - echo "mkdir -p -- $*" - exec mkdir -p -- "$@" - else - # On NextStep and OpenStep, the `mkdir' command does not - # recognize any option. It will interpret all options as - # directories to create, and then abort because `.' already - # exists. - test -d ./-p && rmdir ./-p - test -d ./--version && rmdir ./--version - fi - ;; - *) - if mkdir -m "$dirmode" -p --version . >/dev/null 2>&1 && - test ! 
-d ./--version; then - echo "mkdir -m $dirmode -p -- $*" - exec mkdir -m "$dirmode" -p -- "$@" - else - # Clean up after NextStep and OpenStep mkdir. - for d in ./-m ./-p ./--version "./$dirmode"; - do - test -d $d && rmdir $d - done - fi - ;; -esac - -for file -do - set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'` - shift - - pathcomp= - for d - do - pathcomp="$pathcomp$d" - case $pathcomp in - -*) pathcomp=./$pathcomp ;; - esac - - if test ! -d "$pathcomp"; then - echo "mkdir $pathcomp" - - mkdir "$pathcomp" || lasterr=$? - - if test ! -d "$pathcomp"; then - errstatus=$lasterr - else - if test ! -z "$dirmode"; then - echo "chmod $dirmode $pathcomp" - lasterr="" - chmod "$dirmode" "$pathcomp" || lasterr=$? - - if test ! -z "$lasterr"; then - errstatus=$lasterr - fi - fi - fi - fi - - pathcomp="$pathcomp/" - done -done - -exit $errstatus - -# Local Variables: -# mode: shell-script -# sh-indentation: 2 -# eval: (add-hook 'write-file-hooks 'time-stamp) -# time-stamp-start: "scriptversion=" -# time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" -# End: diff --git a/crypto/heimdal/tools/build.sh b/crypto/heimdal/tools/build.sh deleted file mode 100755 index fad860836dbb..000000000000 --- a/crypto/heimdal/tools/build.sh +++ /dev/null 
@@ -1,212 +0,0 @@ -#!/bin/sh -# -# Build many combinations of kth-krb/heimdal/openssl -# -# $Id: build.sh,v 1.8 2003/04/17 12:55:02 lha Exp $ - -opt_n= #: -make_f= #-j - -heimdal_versions="0.5.2 0.6pre4" -krb4_versions="1.2.2" -openssl_versions="0.9.6i 0.9.7a 0.9.7b" - -make_check_version=".*heimdal-0.6.*" - -# 0.5 dont eat 0.9.7 -dont_build="openssl-0.9.7.*heimdal-0.5.*" -# 1.2 dont eat 0.9.7 -dont_build="openssl-0.9.7.*krb4-1.2.* ${dont_build}" -#yacc problems -dont_build="openssl-0.9.6.*heimdal-0.5.*osf4.* ${dont_build}" -#local openssl 09.7 and broken kuser/Makefile.am -dont_build="openssl-0.9.6.*heimdal-0.5.*freebsd4.8.* ${dont_build}" -failed= - -# Allow override -for a in $HOME . /etc ; do - [ -f $a/.heimdal-build ] && . $a/.heimdal-build -done - -targetdir=${targetdir:-/scratch/heimdal-test} -logfile="${targetdir}/buildlog" - -distdirs="${distdirs} /afs/su.se/home/l/h/lha/Public/openssl" -distdirs="${distdirs} /afs/pdc.kth.se/public/ftp/pub/heimdal/src" -distdirs="${distdirs} /afs/pdc.kth.se/public/ftp/pub/heimdal/src/snapshots" -distdirs="${distdirs} /afs/pdc.kth.se/public/ftp/pub/krb/src" - - -logprint () { - d=`date '+%Y-%m-%d %H:%M:%S'` - echo "${d}: $*" - echo "${d}: --- $*" >> ${logfile} -} - -logerror () { - echo "$*" - exit 1 -} - -find_unzip_prog () { - unzip_prog= - oldIFS="$IFS" - IFS=: - set -- $PATH - IFS="$oldIFS" - for a in $* ; do - if [ -x $a/gzip ] ; then - unzip_prog="$a/gzip -dc" - break - elif [ -x $a/gunzip ] ; then - unzip_prog="$a/gunzip -c" - break - fi - done - [ "$unzip_prog" = "" ] && logerror failed to find unzip program -} - -find_canon_name () { - canon_name= - for a in ${distdirs} ; do - if [ -f $a/config.guess ] ; then - canon_name=`$a/config.guess` - fi - if [ "${canon_name}" != "" ] ; then - break - fi - done - [ "${canon_name}" = "" ] && logerror "cant find config.guess" -} - -do_check_p () { - eval check_var=\$"$1" - for a in ${check_var} ; do - expr "$2${canon_name}" : "${a}" > /dev/null 2>&1 && return 1 - done - return 
0 -} - -unpack_tar () { - for a in ${distdirs} ; do - if [ -f $a/$1 ] ; then - ${opt_n} ${unzip_prog} ${a}/$1 | ${opt_n} tar xf - - return 0 - fi - done - logerror "did not find $1" -} - -build () { - real_ver=$1 - prog=$2 - ver=$3 - confprog=$4 - checks=$5 - pv=${prog}-${ver} - mkdir tmp || logerror "failed to build tmpdir" - cd tmp || logerror "failed to change dir to tmpdir" - do_check_p dont_build ${real_ver} || \ - { cd .. ; rmdir tmp ; logprint "not building $1" && return 0 ; } - cd .. || logerror "failed to change back from tmpdir" - rmdir tmp || logerror "failed to remove tmpdir" - logprint "preparing for ${pv}" - ${opt_n} rm -rf ${targetdir}/${prog}-${ver} - ${opt_n} rm -rf ${prog}-${ver} - unpack_tar ${pv}.tar.gz - ${opt_n} cd ${pv} || logerror directory ${pv} not there - logprint "configure ${prog} ${ver} (${confprog})" - ${opt_n} ./${confprog} \ - --prefix=${targetdir}/${pv} >> ${logfile} 2>&1 || \ - { logprint failed to configure ${pv} ; return 1 ; } - logprint "make ${prog} ${ver}" - ${opt_n} make ${make_f} >> ${logfile} 2>&1 || \ - { logprint failed to make ${pv} ; return 1 ; } - ${opt_n} make install >> ${logfile} 2>&1 || \ - { logprint failed to install ${pv} ; return 1 ; } - do_check_p make_check_version ${real_ver} || \ - { ${opt_n} make check >> ${logfile} 2>&1 || return 1 ; } - ${opt_n} cd .. 
- [ "${checks}" != "" ] && ${opt_n} ${checks} >> ${logfile} 2>&1 - return 0 -} - -find_canon_name - -logprint using host `hostname` -logprint `uname -a` -logprint canonical name ${canon_name} - -logprint clearing logfile -> ${logfile} - -find_unzip_prog - -logprint using target dir ${targetdir} -mkdir -p ${targetdir}/src -cd ${targetdir}/src || exit 1 -rm -rf heimdal* openssl* krb4* - -logprint === building openssl versions -for vo in ${openssl_versions} ; do - build openssl-${vo} openssl $vo config -done - -wssl="--with-openssl=${targetdir}/openssl" -wssli="--with-openssl-include=${targetdir}/openssl" #this is a hack for broken heimdal 0.5.x autoconf test -wossl="--without-openssl" -wk4c="--with-krb4-config=${targetdir}/krb4" -bk4c="/bin/krb4-config" -wok4="--without-krb4" - -logprint === building heimdal w/o krb4 versions -for vo in ${openssl_versions} ; do - for vh in ${heimdal_versions} ; do - v="openssl-${vo}-heimdal-${vh}" - build "${v}" \ - heimdal ${vh} \ - "configure ${wok4} ${wssl}-${vo} ${wssli}-${vo}/include" \ - "${targetdir}/heimdal-${vh}/bin/krb5-config --libs | grep lcrypto" \ || \ - { failed="${failed} ${v}" ; logprint ${v} failed ; } - done -done - -logprint === building krb4 -for vo in ${openssl_versions} ; do - for vk in ${krb4_versions} ; do - v="openssl-${vo}-krb4-${vk}" - build "${v}" \ - krb4 ${vk} \ - "configure ${wssl}-${vo}" \ - "${targetdir}/krb4-${vk}/bin/krb4-config --libs | grep lcrypto"|| \ - { failed="${failed} ${v}" ; logprint ${v} failed ; } - done -done - -logprint === building heimdal with krb4 versions -for vo in ${openssl_versions} ; do - for vk in ${krb4_versions} ; do - for vh in ${heimdal_versions} ; do - v="openssl-${vo}-krb4-${vk}-heimdal-${vh}" - build "${v}" \ - heimdal ${vh} \ - "configure ${wk4c}-${vk}${bk4c} ${wssl}-${vo} ${wssli}-${vo}/include" \ - "${targetdir}/heimdal-${vh}/bin/krb5-config --libs | grep lcrypto && ${targetdir}/heimdal-${vh}/bin/krb5-config --libs | grep krb4" \ - || \ - { failed="${failed} ${v}" ; 
logprint ${v} failed ; } - done - done -done - -logprint === building heimdal without krb4 and openssl versions -for vh in ${heimdal_versions} ; do - v="des-heimdal-${vh}" - build "${v}" \ - heimdal ${vh} \ - "configure ${wok4} ${wossl}" || \ - { failed="${failed} ${v}" ; logprint ${v} failed ; } -done - -logprint all done -[ "${failed}" != "" ] && logprint "failed: ${failed}" -exit 0 diff --git a/etc/gss/mech b/etc/gss/mech index b77f7914a7a1..d2eaa4cfb205 100644 --- a/etc/gss/mech +++ b/etc/gss/mech @@ -1,4 +1,6 @@ # $FreeBSD$ # # Name OID Library name Kernel module -kerberosv5 1.2.840.113554.1.2.2 /usr/lib/libgssapi_krb5.so.9 - +kerberosv5 1.2.840.113554.1.2.2 /usr/lib/libgssapi_krb5.so.10 - +spnego 1.3.6.1.5.5.2 /usr/lib/libgssapi_spnego.so.10 - +#ntlm 1.3.6.1.4.1.311.2.2.10 /usr/lib/libgssapi_ntlm.so.10 - diff --git a/gnu/usr.bin/cvs/cvs/Makefile b/gnu/usr.bin/cvs/cvs/Makefile index c5e2ff1f32d8..f2b166658d26 100644 --- a/gnu/usr.bin/cvs/cvs/Makefile +++ b/gnu/usr.bin/cvs/cvs/Makefile @@ -34,8 +34,8 @@ LDADD= ${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -DHAVE_GSSAPI -DENCRYPTION -LDADD+= -lgssapi -lkrb5 -lasn1 -lcrypto -lroken -lcrypt -lcom_err -DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} ${LIBCRYPTO} ${LIBROKEN} +LDADD+= -lgssapi -lkrb5 -lhx509 -lasn1 -lcrypto -lroken -lcrypt -lcom_err +DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBCRYPTO} ${LIBROKEN} DPADD+= ${LIBCRYPT} ${LIBCOM_ERR} .endif diff --git a/include/gssapi/gssapi.h b/include/gssapi/gssapi.h index 7509b0481209..84ba83ac09d9 100644 --- a/include/gssapi/gssapi.h +++ b/include/gssapi/gssapi.h @@ -41,6 +41,11 @@ */ #include +#ifndef _SSIZE_T_DECLARED +typedef __ssize_t ssize_t; +#define _SSIZE_T_DECLARED +#endif + #if 0 /* * If the platform supports the xom.h header file, it should be 
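Review bot: The `#ntlm` entry at the end of the etc/gss/mech hunk is added already commented out, with no indication of why it is disabled or what would make it appropriate to enable. Each line in this file appears to name the shared object the GSS-API mechanism switch loads for the listed OID, so an administrator weighing whether to uncomment it needs that reason recorded here rather than in commit history. Suggest a comment line above it, for example `# ntlm: not enabled by default; uncomment only if /usr/lib/libgssapi_ntlm.so.10 is installed and NTLM authentication is actually required`. The new spnego line, which is enabled unconditionally, would benefit from a similar one-line note on what requires it.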
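Review bot: The new `typedef __ssize_t ssize_t;` block in the include/gssapi/gssapi.h hunk declares a system type inside a public installed header without a comment saying why; the only consumer is the `gss_pseudo_random` prototype added further down this file, which takes an `ssize_t`, and that connection is not visible from here. The block also relies on `__ssize_t` and the `_SSIZE_T_DECLARED` guard being supplied by the preceding `#include`, whose name was lost in rendering, so a reader cannot tell from the hunk which header is expected to provide them. Suggest `/* gss_pseudo_random() below takes an ssize_t; declare it here only when the system headers have not already done so */` above the `#ifndef`.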
@@ -732,25 +737,101 @@ OM_uint32 gss_unseal ); /* - * kerberos mechanism specific functions + * Other extensions and helper functions. */ -struct krb5_ccache_data; -#define GSS_C_KRB5_COMPAT_DES3_MIC 1 -OM_uint32 gsskrb5_register_acceptor_identity - (const char * /* identity */ +int gss_oid_equal + (const gss_OID, /* first OID to compare */ + const gss_OID /* second OID to compare */ ); -OM_uint32 gss_krb5_copy_ccache - (OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* cred_handle */ - struct krb5_ccache_data * /* out */ +OM_uint32 gss_release_oid + (OM_uint32 *, /* minor status */ + gss_OID * /* oid to free */ ); -OM_uint32 gss_krb5_compat_des3_mic - (OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int /* flag */ +OM_uint32 gss_decapsulate_token + (const gss_buffer_t, /* mechanism independent token */ + gss_OID, /* desired mechanism */ + gss_buffer_t /* decapsulated mechanism dependant token */ + ); + +OM_uint32 gss_encapsulate_token + (const gss_buffer_t, /* mechanism dependant token */ + gss_OID, /* desired mechanism */ + gss_buffer_t /* encapsulated mechanism independent token */ + ); + +OM_uint32 gss_duplicate_oid + (OM_uint32 *, /* minor status */ + const gss_OID, /* oid to copy */ + gss_OID * /* result */ + ); + +OM_uint32 gss_oid_to_str + (OM_uint32 *, /* minor status */ + gss_OID, /* oid to convert */ + gss_buffer_t /* buffer to contain string */ + ); + +typedef struct gss_buffer_set_desc_struct { + size_t count; + gss_buffer_desc *elements; +} gss_buffer_set_desc, *gss_buffer_set_t; + +#define GSS_C_NO_BUFFER_SET ((gss_buffer_set_t) 0) + +OM_uint32 gss_create_empty_buffer_set + (OM_uint32 *, /* minor status */ + gss_buffer_set_t * /* location for new buffer set */ + ); + +OM_uint32 gss_add_buffer_set_member + (OM_uint32 *, /* minor status */ + gss_buffer_t, /* buffer to add */ + gss_buffer_set_t * /* set to add to */ + ); + +OM_uint32 gss_release_buffer_set + (OM_uint32 *, /* minor status */ + gss_buffer_set_t * /* set to release 
*/ + ); + +OM_uint32 gss_inquire_sec_context_by_oid + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + const gss_OID, /* desired_object */ + gss_buffer_set_t * /* result */ + ); + +OM_uint32 gss_inquire_cred_by_oid + (OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* cred_handle */ + const gss_OID, /* desired_object */ + gss_buffer_set_t * /* result */ + ); + +OM_uint32 gss_set_sec_context_option + (OM_uint32 *, /* minor status */ + gss_ctx_id_t *, /* context */ + const gss_OID, /* option to set */ + const gss_buffer_t /* option value */ + ); + +OM_uint32 gss_set_cred_option + (OM_uint32 *, /* minor status */ + gss_cred_id_t *, /* cred */ + const gss_OID, /* option to set */ + const gss_buffer_t /* option value */ + ); + +OM_uint32 gss_pseudo_random + (OM_uint32 *, /* minor status */ + gss_ctx_id_t, /* context handle */ + int prf_key, /* XXX */ + const gss_buffer_t, /* data to seed generator */ + ssize_t, /* amount of data required */ + gss_buffer_t /* buffer for result */ ); #endif /* _GSSAPI_GSSAPI_H_ */ diff --git a/kerberos5/Makefile.inc b/kerberos5/Makefile.inc index 2dc673904a47..2330979a5e35 100644 --- a/kerberos5/Makefile.inc +++ b/kerberos5/Makefile.inc @@ -25,7 +25,10 @@ ETSRCS= \ ${KRB5DIR}/lib/kadm5/kadm5_err.et \ ${KRB5DIR}/lib/krb5/heim_err.et \ ${KRB5DIR}/lib/krb5/k524_err.et \ - ${KRB5DIR}/lib/krb5/krb5_err.et + ${KRB5DIR}/lib/krb5/krb5_err.et \ + ${KRB5DIR}/lib/krb5/krb_err.et \ + ${KRB5DIR}/lib/gssapi/krb5/gkrb5_err.et \ + ${KRB5DIR}/lib/hx509/hx509_err.et .for ET in ${ETSRCS} .for _ET in ${ET:T:R} diff --git a/kerberos5/include/config.h b/kerberos5/include/config.h index fd7ad2601209..4484060d3c1a 100644 --- a/kerberos5/include/config.h +++ b/kerberos5/include/config.h 
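Review bot: The `int prf_key, /* XXX */` parameter of the new `gss_pseudo_random` prototype ships in a public header with a placeholder instead of documentation, and it is the only parameter in the hunk whose meaning a caller cannot infer from its comment. This function matches the GSS-API PRF extension described in RFC 4401, where that argument selects whether the full or a partial context key feeds the generator; if this header or a companion one defines the corresponding selector constants the comment should name them, otherwise it should at least state the semantics, e.g. `int prf_key, /* key selector: full or partial context key, see RFC 4401 */`. A short note that the `ssize_t` output-length parameter is what motivates the `_SSIZE_T_DECLARED` block near the top of this file would also help the next reader.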
@@ -1,5 +1,5 @@ -/* include/config.h. Generated automatically by configure. */ -/* include/config.h.in. Generated automatically from configure.in by autoheader. */ +/* include/config.h. Generated from config.h.in by configure. */ +/* include/config.h.in. Generated from configure.in by autoheader. */ /* $FreeBSD$ */ @@ -10,34 +10,40 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } #endif -#define BINDIR "/usr/bin" -#define LIBDIR "/usr/lib" -#define LIBEXECDIR "/usr/libexec" -#define SBINDIR "/usr/sbin" -#define SYSCONFDIR "/etc" - -#define HAVE_INT8_T 1 -#define HAVE_INT16_T 1 -#define HAVE_INT32_T 1 -#define HAVE_INT64_T 1 -#define HAVE_U_INT8_T 1 -#define HAVE_U_INT16_T 1 -#define HAVE_U_INT32_T 1 -#define HAVE_U_INT64_T 1 -#define HAVE_UINT8_T 1 -#define HAVE_UINT16_T 1 -#define HAVE_UINT32_T 1 -#define HAVE_UINT64_T 1 - /* Maximum values on all known systems */ #define MaxHostNameLen (64+4) #define MaxPathLen (1024+4) +#ifdef BUILD_KRB5_LIB +#ifndef KRB5_LIB_FUNCTION +#ifdef _WIN32_ +#define KRB5_LIB_FUNCTION _export _stdcall +#else +#define KRB5_LIB_FUNCTION +#endif +#endif +#endif + + +#ifdef BUILD_ROKEN_LIB +#ifndef ROKEN_LIB_FUNCTION +#ifdef _WIN32_ +#define ROKEN_LIB_FUNCTION _export _stdcall +#else +#define ROKEN_LIB_FUNCTION +#endif +#endif +#endif + + /* Define if you want authentication support in telnet. */ #define AUTHENTICATION 1 +/* path to bin */ +#define BINDIR "/usr/bin" + /* Define if realloc(NULL) doesn't work. */ /* #undef BROKEN_REALLOC */ @@ -50,6 +56,12 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define this to enable diagnostics in telnet. */ #define DIAGNOSTICS 1 +/* Define if want to use the weak AFS string to key functions. */ +#define ENABLE_AFS_STRING_TO_KEY 1 + +/* Define if you want have a thread safe libraries */ +/* #undef ENABLE_PTHREAD_SUPPORT */ + /* Define if you want encryption support in telnet. */ #define ENCRYPTION 1 
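Review bot: `#define ENABLE_AFS_STRING_TO_KEY 1` in the @@ -50,6 +56,12 @@ hunk turns on what its own comment calls the weak AFS string-to-key functions, and the hunk records no reason for enabling that in the base system build while `ENABLE_PTHREAD_SUPPORT` is left undefined next to it. Although the file header says it is generated by configure, the committed copy is what the tree builds from, so a maintainer later deciding whether the weak path can be dropped needs the rationale here. If compatibility with AFS-derived keys is indeed the reason, suggest extending the comment to say so, e.g. `/* Define if want to use the weak AFS string to key functions. Enabled for compatibility with AFS-derived keys; revisit before removing. */`.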
@@ -61,7 +73,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* define if prototype of gethostbyaddr is compatible with struct hostent *gethostbyaddr(const void *, size_t, int) */ -/* #undef GETHOSTBYADDR_PROTO_COMPATIBLE */ +#define GETHOSTBYADDR_PROTO_COMPATIBLE 1 /* define if prototype of gethostbyname is compatible with struct hostent *gethostbyname(const char *) */ @@ -78,8 +90,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if you have the `altzone' variable. */ /* #undef HAVE_ALTZONE */ -/* define if your system declares altzone */ -/* #undef HAVE_ALTZONE_DECLARATION */ +/* Define to 1 if you have the `arc4random' function. */ +#define HAVE_ARC4RANDOM 1 /* Define to 1 if you have the header file. */ #define HAVE_ARPA_FTP_H 1 @@ -126,6 +138,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if you have the function `chown'. */ #define HAVE_CHOWN 1 +/* Define if you have the function `closefrom'. */ +/* #undef HAVE_CLOSEFROM */ + /* Define to 1 if you have the header file. */ /* #undef HAVE_CONFIG_H */ 
@@ -177,6 +192,54 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* define if you have ndbm compat in db */ /* #undef HAVE_DB_NDBM */ +/* Define to 1 if you have the declaration of `altzone', and to 0 if you + don't. */ +/* #undef HAVE_DECL_ALTZONE */ + +/* Define to 1 if you have the declaration of `environ', and to 0 if you + don't. */ +#define HAVE_DECL_ENVIRON 0 + +/* Define to 1 if you have the declaration of `h_errlist', and to 0 if you + don't. */ +#define HAVE_DECL_H_ERRLIST 0 + +/* Define to 1 if you have the declaration of `h_errno', and to 0 if you + don't. */ +#define HAVE_DECL_H_ERRNO 1 + +/* Define to 1 if you have the declaration of `h_nerr', and to 0 if you don't. + */ +/* #undef HAVE_DECL_H_NERR */ + +/* Define to 1 if you have the declaration of `optarg', and to 0 if you don't. + */ +#define HAVE_DECL_OPTARG 1 + +/* Define to 1 if you have the declaration of `opterr', and to 0 if you don't. + */ +#define HAVE_DECL_OPTERR 1 + +/* Define to 1 if you have the declaration of `optind', and to 0 if you don't. + */ +#define HAVE_DECL_OPTIND 1 + +/* Define to 1 if you have the declaration of `optopt', and to 0 if you don't. + */ +#define HAVE_DECL_OPTOPT 1 + +/* Define to 1 if you have the declaration of `timezone', and to 0 if you + don't. */ +#define HAVE_DECL_TIMEZONE 1 + +/* Define to 1 if you have the declaration of `_res', and to 0 if you don't. + */ +#define HAVE_DECL__RES 1 + +/* Define to 1 if you have the declaration of `__progname', and to 0 if you + don't. */ +#define HAVE_DECL___PROGNAME 0 + /* Define to 1 if you have the header file. */ #define HAVE_DIRENT_H 1 @@ -189,6 +252,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to 1 if you have the `dn_expand' function. */ #define HAVE_DN_EXPAND 1 +/* Define to 1 if you have the `door_create' function. */ +/* #undef HAVE_DOOR_CREATE */ + /* Define if you have the function `ecalloc'. */ /* #undef HAVE_ECALLOC */ 
@@ -198,9 +264,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if you have the function `emalloc'. */ /* #undef HAVE_EMALLOC */ -/* define if your system declares environ */ -/* #undef HAVE_ENVIRON_DECLARATION */ - /* Define if you have the function `erealloc'. */ /* #undef HAVE_EREALLOC */ @@ -238,12 +301,10 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } #define HAVE_FNMATCH_H 1 /* Define if el_init takes four arguments. */ -#if __FreeBSD_version >= 500024 #define HAVE_FOUR_VALUED_EL_INIT 1 -#endif -/* define if krb_put_int takes four arguments. */ -#define HAVE_FOUR_VALUED_KRB_PUT_INT 1 +/* Have -framework Security */ +/* #undef HAVE_FRAMEWORK_SECURITY */ /* Define to 1 if you have the `freeaddrinfo' function. */ #define HAVE_FREEADDRINFO 1 @@ -311,16 +372,17 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to 1 if you have the `getpagesize' function. */ #define HAVE_GETPAGESIZE 1 +/* Define to 1 if you have the `getpeereid' function. */ +#define HAVE_GETPEEREID 1 + +/* Define to 1 if you have the `getpeerucred' function. */ +/* #undef HAVE_GETPEERUCRED */ + /* Define to 1 if you have the `getprogname' function. */ -#if (__FreeBSD_version >= 430002 && __FreeBSD_version < 500000) || \ - __FreeBSD_version >= 500019 #define HAVE_GETPROGNAME 1 -#endif /* Define to 1 if you have the `getpwnam_r' function. */ -#if __FreeBSD_version >= 500112 #define HAVE_GETPWNAM_R 1 -#endif /* Define to 1 if you have the `getrlimit' function. */ #define HAVE_GETRLIMIT 1 @@ -348,9 +410,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } #define HAVE_GLOB 1 /* Define to 1 if you have the `grantpt' function. */ -#if __FreeBSD_version >= 500100 #define HAVE_GRANTPT 1 -#endif /* Define to 1 if you have the header file. */ #define HAVE_GRP_H 1 
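Review bot: Dropping the `__FreeBSD_version` guards around HAVE_GETPROGNAME, HAVE_GETPWNAM_R and HAVE_GRANTPT in these hunks (and likewise HAVE_PTSNAME and HAVE_SETPROGNAME on the next line, then HAVE_STDINT_H and HAVE_UNLOCKPT after that) makes those defines unconditional, which quietly raises the oldest host this header will build on, and nothing in the diff records that decision. Because this config header carries hand-edited guards rather than being plain configure output, a one-line comment near the top such as `/* Unconditional: assumes a host new enough that the former __FreeBSD_version guards are unnecessary. */` would make the break deliberate and tell anyone merging to an older branch what to restore. The guards may well be obsolete for every branch this import targets; that cannot be told from the diff alone.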
@@ -361,20 +421,11 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if you have the `h_errlist' variable. */ #define HAVE_H_ERRLIST 1 -/* define if your system declares h_errlist */ -/* #undef HAVE_H_ERRLIST_DECLARATION */ - /* Define if you have the `h_errno' variable. */ #define HAVE_H_ERRNO 1 -/* define if your system declares h_errno */ -#define HAVE_H_ERRNO_DECLARATION 1 - /* Define if you have the `h_nerr' variable. */ -#define HAVE_H_NERR 1 - -/* define if your system declares h_nerr */ -/* #undef HAVE_H_NERR_DECLARATION */ +/* #undef HAVE_H_NERR */ /* Define to 1 if you have the header file. */ #define HAVE_IFADDRS_H 1 @@ -400,6 +451,18 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if you have the function `innetgr'. */ #define HAVE_INNETGR 1 +/* Define to 1 if the system has the type `int16_t'. */ +#define HAVE_INT16_T 1 + +/* Define to 1 if the system has the type `int32_t'. */ +#define HAVE_INT32_T 1 + +/* Define to 1 if the system has the type `int64_t'. */ +#define HAVE_INT64_T 1 + +/* Define to 1 if the system has the type `int8_t'. */ +#define HAVE_INT8_T 1 + /* Define to 1 if you have the header file. */ #define HAVE_INTTYPES_H 1 
@@ -415,20 +478,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to 1 if you have the `issetugid' function. */ #define HAVE_ISSETUGID 1 -/* Define to 1 if you have the `krb_disable_debug' function. */ -/* #undef HAVE_KRB_DISABLE_DEBUG */ - -/* Define to 1 if you have the `krb_enable_debug' function. */ -/* #undef HAVE_KRB_ENABLE_DEBUG */ - -/* Define to 1 if you have the `krb_get_kdc_time_diff' function. */ -/* #undef HAVE_KRB_GET_KDC_TIME_DIFF */ - -/* Define to 1 if you have the `krb_get_our_ip_for_realm' function. */ -/* #undef HAVE_KRB_GET_OUR_IP_FOR_REALM */ - -/* Define to 1 if you have the `krb_kdctimeofday' function. */ -/* #undef HAVE_KRB_KDCTIMEOFDAY */ +/* Define if you want to use the Kerberos Credentials Manager. */ +#define HAVE_KCM 1 /* Define to 1 if you have the header file. */ #define HAVE_LIBUTIL_H 1 @@ -488,7 +539,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* #undef HAVE_NETINET6_IN6_H */ /* Define to 1 if you have the header file. */ -#define HAVE_NETINET6_IN6_VAR_H 1 +/* #undef HAVE_NETINET6_IN6_VAR_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_NETINET_IN6_H */ @@ -520,9 +571,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if NDBM really is DB (creates files *.db) */ #define HAVE_NEW_DB 1 -/* define if you have hash functions like md4_finito() */ -/* #undef HAVE_OLD_HASH_NAMES */ - /* Define to 1 if you have the `on_exit' function. */ /* #undef HAVE_ON_EXIT */ 
@@ -532,18 +580,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* define to use openssl's libcrypto */ #define HAVE_OPENSSL 1 -/* define if your system declares optarg */ -#define HAVE_OPTARG_DECLARATION 1 - -/* define if your system declares opterr */ -#define HAVE_OPTERR_DECLARATION 1 - -/* define if your system declares optind */ -#define HAVE_OPTIND_DECLARATION 1 - -/* define if your system declares optopt */ -#define HAVE_OPTOPT_DECLARATION 1 - /* Define to enable basic OSF C2 support. */ /* #undef HAVE_OSFC2 */ @@ -553,13 +589,17 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to 1 if you have the `pidfile' function. */ /* #undef HAVE_PIDFILE */ +/* Define to 1 if you have the `poll' function. */ +#define HAVE_POLL 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_POLL_H 1 + /* Define to 1 if you have the header file. */ #define HAVE_PTHREAD_H 1 /* Define to 1 if you have the `ptsname' function. */ -#if __FreeBSD_version >= 500100 #define HAVE_PTSNAME 1 -#endif /* Define to 1 if you have the header file. */ /* #undef HAVE_PTY_H */ @@ -591,8 +631,11 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to 1 if you have the header file. */ #define HAVE_RESOLV_H 1 +/* Define to 1 if you have the `res_ndestroy' function. */ +#define HAVE_RES_NDESTROY 1 + /* Define to 1 if you have the `res_nsearch' function. */ -/* #undef HAVE_RES_NSEARCH */ +#define HAVE_RES_NSEARCH 1 /* Define to 1 if you have the `res_search' function. */ #define HAVE_RES_SEARCH 1 @@ -646,10 +689,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } #define HAVE_SETPROCTITLE 1 /* Define to 1 if you have the `setprogname' function. */ -#if (__FreeBSD_version >= 430002 && __FreeBSD_version < 500000) || \ - __FreeBSD_version >= 500019 #define HAVE_SETPROGNAME 1 -#endif /* Define to 1 if you have the `setregid' function. */ #define HAVE_SETREGID 1 
@@ -709,9 +749,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* #undef HAVE_STANDARDS_H */ /* Define to 1 if you have the header file. */ -#if __FreeBSD_version >= 500028 #define HAVE_STDINT_H 1 -#endif /* Define to 1 if you have the header file. */ #define HAVE_STDLIB_H 1 @@ -953,6 +991,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to 1 if you have the header file. */ #define HAVE_SYS_TYPES_H 1 +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_UCRED_H 1 + /* Define to 1 if you have the header file. */ #define HAVE_SYS_UIO_H 1 @@ -980,15 +1021,12 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to 1 if you have the `tgetent' function. */ #define HAVE_TGETENT 1 -/* Define to 1 if you have the `timegm' function. */ +/* Define if you have the function `timegm'. */ #define HAVE_TIMEGM 1 /* Define if you have the `timezone' variable. */ #define HAVE_TIMEZONE 1 -/* define if your system declares timezone */ -#define HAVE_TIMEZONE_DECLARATION 1 - /* Define to 1 if you have the header file. */ #define HAVE_TIME_H 1 @@ -1004,6 +1042,21 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to 1 if you have the header file. */ /* #undef HAVE_UDB_H */ +/* Define to 1 if the system has the type `uint16_t'. */ +#define HAVE_UINT16_T 1 + +/* Define to 1 if the system has the type `uint32_t'. */ +#define HAVE_UINT32_T 1 + +/* Define to 1 if the system has the type `uint64_t'. */ +#define HAVE_UINT64_T 1 + +/* Define to 1 if the system has the type `uint8_t'. */ +#define HAVE_UINT8_T 1 + +/* Define to 1 if the system has the type `uintptr_t'. */ +#define HAVE_UINTPTR_T 1 + /* Define to 1 if you have the `umask' function. */ #define HAVE_UMASK 1 
@@ -1014,9 +1067,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } #define HAVE_UNISTD_H 1 /* Define to 1 if you have the `unlockpt' function. */ -#if __FreeBSD_version >= 500100 #define HAVE_UNLOCKPT 1 -#endif /* Define if you have the function `unsetenv'. */ #define HAVE_UNSETENV 1 @@ -1039,6 +1090,18 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to 1 if you have the header file. */ #define HAVE_UTMP_H 1 +/* Define to 1 if the system has the type `u_int16_t'. */ +#define HAVE_U_INT16_T 1 + +/* Define to 1 if the system has the type `u_int32_t'. */ +#define HAVE_U_INT32_T 1 + +/* Define to 1 if the system has the type `u_int64_t'. */ +#define HAVE_U_INT64_T 1 + +/* Define to 1 if the system has the type `u_int8_t'. */ +#define HAVE_U_INT8_T 1 + /* Define to 1 if you have the `vasnprintf' function. */ /* #undef HAVE_VASNPRINTF */ @@ -1105,9 +1168,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if you have the `_res' variable. */ #define HAVE__RES 1 -/* define if your system declares _res */ -#define HAVE__RES_DECLARATION 1 - /* Define to 1 if you have the `_scrsize' function. */ /* #undef HAVE__SCRSIZE */ @@ -1117,9 +1177,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if you have the `__progname' variable. */ #define HAVE___PROGNAME 1 -/* define if your system declares __progname */ -/* #undef HAVE___PROGNAME_DECLARATION */ - /* Define if you have the hesiod package. */ /* #undef HESIOD */ 
@@ -1129,20 +1186,14 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Enable Kerberos 5 support in applications. */ #define KRB5 1 -/* Define if krb_mk_req takes const char * */ -/* #undef KRB_MK_REQ_CONST */ +/* path to lib */ +#define LIBDIR "/usr/lib" -/* This is the krb4 sendauth version. */ -/* #undef KRB_SENDAUTH_VERS */ +/* path to libexec */ +#define LIBEXECDIR "/usr/libexec" -/* Define to zero if your krb.h doesn't */ -/* #undef KRB_VERIFY_NOT_SECURE */ - -/* Define to one if your krb.h doesn't */ -/* #undef KRB_VERIFY_SECURE */ - -/* Define to two if your krb.h doesn't */ -/* #undef KRB_VERIFY_SECURE_FAIL */ +/* path to localstate */ +#define LOCALSTATEDIR "/var/heimdal" /* define if the system is missing a prototype for asnprintf() */ #define NEED_ASNPRINTF_PROTO 1 @@ -1153,6 +1204,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* define if the system is missing a prototype for crypt() */ /* #undef NEED_CRYPT_PROTO */ +/* define if the system is missing a prototype for daemon() */ +#define NEED_DAEMON_PROTO 1 + /* define if the system is missing a prototype for gethostname() */ /* #undef NEED_GETHOSTNAME_PROTO */ @@ -1168,9 +1222,15 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* define if the system is missing a prototype for inet_aton() */ /* #undef NEED_INET_ATON_PROTO */ +/* define if the system is missing a prototype for iruserok() */ +/* #undef NEED_IRUSEROK_PROTO */ + /* define if the system is missing a prototype for mkstemp() */ /* #undef NEED_MKSTEMP_PROTO */ +/* define if the system is missing a prototype for SecKeyGetCSPHandle() */ +/* #undef NEED_SECKEYGETCSPHANDLE_PROTO */ + /* define if the system is missing a prototype for setenv() */ /* #undef NEED_SETENV_PROTO */ 
@@ -1219,6 +1279,12 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* define if the system is missing a prototype for vsnprintf() */ /* #undef NEED_VSNPRINTF_PROTO */ +/* Define if you don't wan't support for AFS. */ +/* #undef NO_AFS */ + +/* Define to 1 if your C compiler doesn't accept -c and -o together. */ +/* #undef NO_MINUS_C_MINUS_O */ + /* Define if you don't want to use mmap. */ /* #undef NO_MMAP */ @@ -1228,30 +1294,36 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define if you have the openldap package. */ /* #undef OPENLDAP */ +/* Define if you want support for hdb ldap module */ +/* #undef OPENLDAP_MODULE */ + /* define if prototype of openlog is compatible with void openlog(const char *, int, int) */ #define OPENLOG_PROTO_COMPATIBLE 1 /* Define if you want OTP support in applications. */ -/* #undef OTP */ +#define OTP 1 /* Name of package */ #define PACKAGE "heimdal" /* Define to the address where bug reports for this package should be sent. */ -#define PACKAGE_BUGREPORT "heimdal-bugs@pdc.kth.se" +#define PACKAGE_BUGREPORT "heimdal-bugs@h5l.org" /* Define to the full name of this package. */ #define PACKAGE_NAME "Heimdal" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "Heimdal 0.6.3 (FreeBSD)" +#define PACKAGE_STRING "Heimdal 1.1" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "heimdal" /* Define to the version of this package. */ -#define PACKAGE_VERSION "0.6.3" +#define PACKAGE_VERSION "1.1" + +/* Define to enable PKINIT. */ +#define PKINIT 1 /* Define if getlogin has POSIX flavour (and not BSD). */ /* #undef POSIX_GETLOGIN */ 
@@ -1265,12 +1337,21 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define as the return type of signal handlers (`int' or `void'). */ #define RETSIGTYPE void +/* path to sbin */ +#define SBINDIR "/usr/sbin" + +/* Define if you want to use samba socket wrappers. */ +/* #undef SOCKET_WRAPPER_REPLACE */ + /* Define to 1 if you have the ANSI C header files. */ #define STDC_HEADERS 1 /* Define if you have streams ptys. */ /* #undef STREAMSPTY */ +/* path to sysconf */ +#define SYSCONFDIR "/etc" + /* Define to what version of SunOS you are running. */ /* #undef SunOS */ @@ -1281,7 +1362,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* #undef TM_IN_SYS_TIME */ /* Version number of package */ -#define VERSION "0.6.3" +#define VERSION "1.1" /* Define if signal handlers return void. */ #define VOID_RETSIGTYPE 1 @@ -1290,7 +1371,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* #undef WORDS_BIGENDIAN */ /* Define to 1 if the X Window System is missing or not being used. */ -/* #undef X_DISPLAY_MISSING */ +#define X_DISPLAY_MISSING 1 /* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a `char[]'. */ @@ -1311,14 +1392,16 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define to `int' if doesn't define. */ /* #undef gid_t */ -/* Define as `__inline' if that's what the C compiler calls it, or to nothing - if it is not supported. */ +/* Define to `__inline__' or `__inline' if that's what the C compiler + calls it, or to nothing if 'inline' is not supported under any name. */ +#ifndef __cplusplus /* #undef inline */ +#endif /* Define this to what the type mode_t should be. */ /* #undef mode_t */ -/* Define to `long' if does not define. */ +/* Define to `long int' if does not define. */ /* #undef off_t */ /* Define to `int' if does not define. */ 
@@ -1327,45 +1410,16 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } /* Define this to what the type sig_atomic_t should be. */ /* #undef sig_atomic_t */ -/* Define to `unsigned' if does not define. */ +/* Define to `unsigned int' if does not define. */ /* #undef size_t */ /* Define to `int' if doesn't define. */ /* #undef uid_t */ -#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S)) - -#if defined(ENCRYPTION) && !defined(AUTHENTICATION) -#define AUTHENTICATION 1 -#endif - -/* Set this to the default system lead string for telnetd - * can contain %-escapes: %s=sysname, %m=machine, %r=os-release - * %v=os-version, %t=tty, %h=hostname, %d=date and time - */ -/* #undef USE_IM */ - -/* Used with login -p */ -/* #undef LOGIN_ARGS */ - -/* set this to a sensible login */ -#ifndef LOGIN_PATH -#define LOGIN_PATH BINDIR "/login" -#endif - - #ifdef ROKEN_RENAME #include "roken_rename.h" #endif -#ifndef HAVE_KRB_KDCTIMEOFDAY -#define krb_kdctimeofday(X) gettimeofday((X), NULL) -#endif - -#ifndef HAVE_KRB_GET_KDC_TIME_DIFF -#define krb_get_kdc_time_diff() (0) -#endif - #ifdef VOID_RETSIGTYPE #define SIGRETURN(x) return #else @@ -1373,8 +1427,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } #endif #ifdef BROKEN_REALLOC -#define realloc(X, Y) isoc_realloc((X), (Y)) -#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y)) +#define realloc(X, Y) rk_realloc((X), (Y)) #endif @@ -1402,3 +1455,23 @@ struct sockaddr_in; #define __STDC__ 0 #endif + + +#if defined(ENCRYPTION) && !defined(AUTHENTICATION) +#define AUTHENTICATION 1 +#endif + +/* Set this to the default system lead string for telnetd + * can contain %-escapes: %s=sysname, %m=machine, %r=os-release + * %v=os-version, %t=tty, %h=hostname, %d=date and time + */ +/* #undef USE_IM */ + +/* Used with login -p */ +/* #undef LOGIN_ARGS */ + +/* set this to a sensible login */ +#ifndef LOGIN_PATH +#define LOGIN_PATH BINDIR "/login" +#endif + 
diff --git a/kerberos5/include/crypto-headers.h b/kerberos5/include/crypto-headers.h index b224364140f0..d84a5e47d078 100644 --- a/kerberos5/include/crypto-headers.h +++ b/kerberos5/include/crypto-headers.h @@ -2,9 +2,17 @@ #ifndef __crypto_headers_h__ #define __crypto_headers_h__ #define OPENSSL_DES_LIBDES_COMPATIBILITY +#include #include #include +#include #include #include #include +#include +#include +#include +#include +#include +#include #endif /* __crypto_headers_h__ */ diff --git a/kerberos5/lib/Makefile b/kerberos5/lib/Makefile index 1d07e0b47cfd..c629f248839e 100644 --- a/kerberos5/lib/Makefile +++ b/kerberos5/lib/Makefile @@ -1,6 +1,8 @@ + # $FreeBSD$ -SUBDIR= libasn1 libgssapi libhdb libkadm5clnt libkadm5srv \ - libkafs5 libkrb5 libroken libsl libvers +SUBDIR= libasn1 libgssapi_krb5 libgssapi_ntlm libgssapi_spnego libhdb \ + libheimntlm libhx509 libkadm5clnt libkadm5srv libkafs5 libkrb5 \ + libroken libsl libvers .include diff --git a/kerberos5/lib/Makefile.inc b/kerberos5/lib/Makefile.inc index 441a0ec00e22..dc0738379b88 100644 --- a/kerberos5/lib/Makefile.inc +++ b/kerberos5/lib/Makefile.inc @@ -1,5 +1,5 @@ # $FreeBSD$ -SHLIB_MAJOR?= 9 +SHLIB_MAJOR?= 10 .include "../Makefile.inc" diff --git a/kerberos5/lib/libasn1/Makefile b/kerberos5/lib/libasn1/Makefile index b42f8025cc88..4a9c21ebfd2a 100644 --- a/kerberos5/lib/libasn1/Makefile +++ b/kerberos5/lib/libasn1/Makefile 
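Review bot: The kerberos5/lib/Makefile hunk appears to add an empty first line ahead of `# $FreeBSD$` (a bare `+` precedes the tag while the tag itself stays a context line), and the tag is conventionally the first line of the file, so the added blank looks accidental and should be dropped. The SUBDIR change otherwise reads as the libgssapi rename plus the new libgssapi_ntlm, libgssapi_spnego, libheimntlm and libhx509 directories; inter-library build order is presumably enforced elsewhere, so alphabetical order here is fine.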
@@ -1,33 +1,247 @@
 # $FreeBSD$
 LIB= asn1
-INCS= asn1_err.h krb5_asn1.h
+INCS= asn1_err.h heim_asn1.h
 SRCS= asn1_err.c \
 asn1_err.h \
 der_copy.c \
+ der_cmp.c \
 der_free.c \
+ der_format.c \
 der_get.c \
 der_length.c \
 der_put.c \
- krb5_asn1.h \
+ extra.c \
 timegm.c \
 ${GEN:S/.x$/.c/}
 CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I.
-GEN= asn1_APOptions.x \
+GEN_RFC2459 = \
+ asn1_Version.x \
+ asn1_id_pkcs_1.x \
+ asn1_id_pkcs1_rsaEncryption.x \
+ asn1_id_pkcs1_md2WithRSAEncryption.x \
+ asn1_id_pkcs1_md5WithRSAEncryption.x \
+ asn1_id_pkcs1_sha1WithRSAEncryption.x \
+ asn1_id_pkcs1_sha256WithRSAEncryption.x \
+ asn1_id_pkcs1_sha384WithRSAEncryption.x \
+ asn1_id_pkcs1_sha512WithRSAEncryption.x \
+ asn1_id_heim_rsa_pkcs1_x509.x \
+ asn1_id_pkcs_2.x \
+ asn1_id_pkcs2_md2.x \
+ asn1_id_pkcs2_md4.x \
+ asn1_id_pkcs2_md5.x \
+ asn1_id_rsa_digestAlgorithm.x \
+ asn1_id_rsa_digest_md2.x \
+ asn1_id_rsa_digest_md4.x \
+ asn1_id_rsa_digest_md5.x \
+ asn1_id_pkcs_3.x \
+ asn1_id_pkcs3_rc2_cbc.x \
+ asn1_id_pkcs3_rc4.x \
+ asn1_id_pkcs3_des_ede3_cbc.x \
+ asn1_id_rsadsi_encalg.x \
+ asn1_id_rsadsi_rc2_cbc.x \
+ asn1_id_rsadsi_des_ede3_cbc.x \
+ asn1_id_secsig_sha_1.x \
+ asn1_id_nistAlgorithm.x \
+ asn1_id_nist_aes_algs.x \
+ asn1_id_aes_128_cbc.x \
+ asn1_id_aes_192_cbc.x \
+ asn1_id_aes_256_cbc.x \
+ asn1_id_nist_sha_algs.x \
+ asn1_id_sha256.x \
+ asn1_id_sha224.x \
+ asn1_id_sha384.x \
+ asn1_id_sha512.x \
+ asn1_id_dhpublicnumber.x \
+ asn1_id_x9_57.x \
+ asn1_id_dsa.x \
+ asn1_id_dsa_with_sha1.x \
+ asn1_id_x520_at.x \
+ asn1_id_at_commonName.x \
+ asn1_id_at_surname.x \
+ asn1_id_at_serialNumber.x \
+ asn1_id_at_countryName.x \
+ asn1_id_at_localityName.x \
+ asn1_id_at_streetAddress.x \
+ asn1_id_at_stateOrProvinceName.x \
+ asn1_id_at_organizationName.x \
+ asn1_id_at_organizationalUnitName.x \
+ asn1_id_at_name.x \
+ asn1_id_at_givenName.x \
+ asn1_id_at_initials.x \
+ asn1_id_at_generationQualifier.x \
+ asn1_id_at_pseudonym.x \
+ asn1_id_Userid.x \
+ asn1_id_domainComponent.x \
+ asn1_id_x509_ce.x \
+ asn1_id_uspkicommon_card_id.x \
+ asn1_id_uspkicommon_piv_interim.x \
+ asn1_id_netscape.x \
+ asn1_id_netscape_cert_comment.x \
+ asn1_id_ms_cert_enroll_domaincontroller.x \
+ asn1_id_ms_client_authentication.x \
+ asn1_AlgorithmIdentifier.x \
+ asn1_AttributeType.x \
+ asn1_AttributeValue.x \
+ asn1_TeletexStringx.x \
+ asn1_DirectoryString.x \
+ asn1_Attribute.x \
+ asn1_AttributeTypeAndValue.x \
+ asn1_AuthorityInfoAccessSyntax.x \
+ asn1_AccessDescription.x \
+ asn1_RelativeDistinguishedName.x \
+ asn1_RDNSequence.x \
+ asn1_Name.x \
+ asn1_CertificateSerialNumber.x \
+ asn1_Time.x \
+ asn1_Validity.x \
+ asn1_UniqueIdentifier.x \
+ asn1_SubjectPublicKeyInfo.x \
+ asn1_Extension.x \
+ asn1_Extensions.x \
+ asn1_TBSCertificate.x \
+ asn1_Certificate.x \
+ asn1_Certificates.x \
+ asn1_ValidationParms.x \
+ asn1_DomainParameters.x \
+ asn1_DHPublicKey.x \
+ asn1_OtherName.x \
+ asn1_GeneralName.x \
+ asn1_GeneralNames.x \
+ asn1_id_x509_ce_keyUsage.x \
+ asn1_KeyUsage.x \
+ asn1_id_x509_ce_authorityKeyIdentifier.x \
+ asn1_KeyIdentifier.x \
+ asn1_AuthorityKeyIdentifier.x \
+ asn1_id_x509_ce_subjectKeyIdentifier.x \
+ asn1_SubjectKeyIdentifier.x \
+ asn1_id_x509_ce_basicConstraints.x \
+ asn1_BasicConstraints.x \
+ asn1_id_x509_ce_nameConstraints.x \
+ asn1_BaseDistance.x \
+ asn1_GeneralSubtree.x \
+ asn1_GeneralSubtrees.x \
+ asn1_NameConstraints.x \
+ asn1_id_x509_ce_privateKeyUsagePeriod.x \
+ asn1_id_x509_ce_certificatePolicies.x \
+ asn1_id_x509_ce_policyMappings.x \
+ asn1_id_x509_ce_subjectAltName.x \
+ asn1_id_x509_ce_issuerAltName.x \
+ asn1_id_x509_ce_subjectDirectoryAttributes.x \
+ asn1_id_x509_ce_policyConstraints.x \
+ asn1_id_x509_ce_extKeyUsage.x \
+ asn1_ExtKeyUsage.x \
+ asn1_id_x509_ce_cRLDistributionPoints.x \
+ asn1_id_x509_ce_deltaCRLIndicator.x \
+ asn1_id_x509_ce_issuingDistributionPoint.x \
+ asn1_id_x509_ce_holdInstructionCode.x \
+ asn1_id_x509_ce_invalidityDate.x \
+ asn1_id_x509_ce_certificateIssuer.x \
+ asn1_id_x509_ce_inhibitAnyPolicy.x \
+ asn1_DistributionPointReasonFlags.x \
+ asn1_DistributionPointName.x \
+ asn1_DistributionPoint.x \
+ asn1_CRLDistributionPoints.x \
+ asn1_DSASigValue.x \
+ asn1_DSAPublicKey.x \
+ asn1_DSAParams.x \
+ asn1_RSAPublicKey.x \
+ asn1_RSAPrivateKey.x \
+ asn1_DigestInfo.x \
+ asn1_TBSCRLCertList.x \
+ asn1_CRLCertificateList.x \
+ asn1_id_x509_ce_cRLNumber.x \
+ asn1_id_x509_ce_freshestCRL.x \
+ asn1_id_x509_ce_cRLReason.x \
+ asn1_CRLReason.x \
+ asn1_PKIXXmppAddr.x \
+ asn1_id_pkix.x \
+ asn1_id_pkix_on.x \
+ asn1_id_pkix_on_dnsSRV.x \
+ asn1_id_pkix_on_xmppAddr.x \
+ asn1_id_pkix_kp.x \
+ asn1_id_pkix_kp_serverAuth.x \
+ asn1_id_pkix_kp_clientAuth.x \
+ asn1_id_pkix_kp_emailProtection.x \
+ asn1_id_pkix_kp_timeStamping.x \
+ asn1_id_pkix_kp_OCSPSigning.x \
+ asn1_id_pkix_pe.x \
+ asn1_id_pkix_pe_authorityInfoAccess.x \
+ asn1_id_pkix_pe_proxyCertInfo.x \
+ asn1_id_pkix_ppl.x \
+ asn1_id_pkix_ppl_anyLanguage.x \
+ asn1_id_pkix_ppl_inheritAll.x \
+ asn1_id_pkix_ppl_independent.x \
+ asn1_ProxyPolicy.x \
+ asn1_ProxyCertInfo.x
+
+GEN_CMS = \
+ asn1_CMSAttributes.x \
+ asn1_CMSCBCParameter.x \
+ asn1_CMSEncryptedData.x \
+ asn1_CMSIdentifier.x \
+ asn1_CMSRC2CBCParameter.x \
+ asn1_CMSVersion.x \
+ asn1_CertificateList.x \
+ asn1_CertificateRevocationLists.x \
+ asn1_CertificateSet.x \
+ asn1_ContentEncryptionAlgorithmIdentifier.x \
+ asn1_ContentInfo.x \
+ asn1_ContentType.x \
+ asn1_DigestAlgorithmIdentifier.x \
+ asn1_DigestAlgorithmIdentifiers.x \
+ asn1_EncapsulatedContentInfo.x \
+ asn1_EncryptedContent.x \
+ asn1_EncryptedContentInfo.x \
+ asn1_EncryptedKey.x \
+ asn1_EnvelopedData.x \
+ asn1_IssuerAndSerialNumber.x \
+ asn1_KeyEncryptionAlgorithmIdentifier.x \
+ asn1_KeyTransRecipientInfo.x \
+ asn1_MessageDigest.x \
+ asn1_OriginatorInfo.x \
+ asn1_RecipientIdentifier.x \
+ asn1_RecipientInfo.x \
+ asn1_RecipientInfos.x \
+ asn1_SignatureAlgorithmIdentifier.x \
+ asn1_SignatureValue.x \
+ asn1_SignedData.x \
+ asn1_SignerIdentifier.x \
+ asn1_SignerInfo.x \
+ asn1_SignerInfos.x \
+ asn1_id_pkcs7.x \
+ asn1_id_pkcs7_data.x \
+ asn1_id_pkcs7_digestedData.x \
+ asn1_id_pkcs7_encryptedData.x \
+ asn1_id_pkcs7_envelopedData.x \
+ asn1_id_pkcs7_signedAndEnvelopedData.x \
+ asn1_id_pkcs7_signedData.x \
+ asn1_UnprotectedAttributes.x
+
+GEN_K5= asn1_AD_AND_OR.x \
+ asn1_AD_IF_RELEVANT.x \
+ asn1_AD_KDCIssued.x \
+ asn1_AD_MANDATORY_FOR_KDC.x \
+ asn1_AD_LoginAlias.x \
+ asn1_APOptions.x \
 asn1_AP_REP.x \
 asn1_AP_REQ.x \
 asn1_AS_REP.x \
 asn1_AS_REQ.x \
+ asn1_AUTHDATA_TYPE.x \
 asn1_Authenticator.x \
 asn1_AuthorizationData.x \
+ asn1_AuthorizationDataElement.x \
 asn1_CKSUMTYPE.x \
- asn1_Checksum.x \
 asn1_ChangePasswdDataMS.x \
+ asn1_Checksum.x \
 asn1_ENCTYPE.x \
 asn1_ETYPE_INFO.x \
+ asn1_ETYPE_INFO2.x \
+ asn1_ETYPE_INFO2_ENTRY.x \
 asn1_ETYPE_INFO_ENTRY.x \
 asn1_EncAPRepPart.x \
 asn1_EncASRepPart.x \
@@ -38,6 +252,7 @@ GEN= asn1_APOptions.x \
 asn1_EncTicketPart.x \
 asn1_EncryptedData.x \
 asn1_EncryptionKey.x \
+ asn1_EtypeList.x \
 asn1_HostAddress.x \
 asn1_HostAddresses.x \
 asn1_KDCOptions.x \
@@ -49,6 +264,7 @@ GEN= asn1_APOptions.x \
 asn1_KRB_PRIV.x \
 asn1_KRB_SAFE.x \
 asn1_KRB_SAFE_BODY.x \
+ asn1_KerberosString.x \
 asn1_KerberosTime.x \
 asn1_KrbCredInfo.x \
 asn1_LR_TYPE.x \
@@ -58,22 +274,199 @@ GEN= asn1_APOptions.x \
 asn1_NAME_TYPE.x \
 asn1_PADATA_TYPE.x \
 asn1_PA_DATA.x \
+ asn1_PA_ENC_SAM_RESPONSE_ENC.x \
 asn1_PA_ENC_TS_ENC.x \
+ asn1_PA_PAC_REQUEST.x \
+ asn1_PA_S4U2Self.x \
+ asn1_PA_SAM_CHALLENGE_2.x \
+ asn1_PA_SAM_CHALLENGE_2_BODY.x \
+ asn1_PA_SAM_REDIRECT.x \
+ asn1_PA_SAM_RESPONSE_2.x \
+ asn1_PA_SAM_TYPE.x \
+ asn1_PA_ClientCanonicalized.x \
+ asn1_PA_ClientCanonicalizedNames.x \
+ asn1_PA_SvrReferralData.x \
+ asn1_PROV_SRV_LOCATION.x \
 asn1_Principal.x \
 asn1_PrincipalName.x \
 asn1_Realm.x \
+ asn1_SAMFlags.x \
 asn1_TGS_REP.x \
 asn1_TGS_REQ.x \
+ asn1_TYPED_DATA.x \
 asn1_Ticket.x \
 asn1_TicketFlags.x \
 asn1_TransitedEncoding.x \
- asn1_UNSIGNED.x
+ asn1_TypedData.x \
+ asn1_krb5int32.x \
+ asn1_krb5uint32.x \
+ asn1_KRB5SignedPathData.x \
+ asn1_KRB5SignedPathPrincipals.x \
+ asn1_KRB5SignedPath.x
-CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} krb5_asn1.h asn1_files
+GEN_PKINIT = \
+ asn1_id_pkinit.x \
+ asn1_id_pkauthdata.x \
+ asn1_id_pkdhkeydata.x \
+ asn1_id_pkrkeydata.x \
+ asn1_id_pkekuoid.x \
+ asn1_id_pkkdcekuoid.x \
+ asn1_id_pkinit_san.x \
+ asn1_id_pkinit_ms_eku.x \
+ asn1_id_pkinit_ms_san.x \
+ asn1_MS_UPN_SAN.x \
+ asn1_DHNonce.x \
+ asn1_KDFAlgorithmId.x \
+ asn1_TrustedCA.x \
+ asn1_ExternalPrincipalIdentifier.x \
+ asn1_ExternalPrincipalIdentifiers.x \
+ asn1_PA_PK_AS_REQ.x \
+ asn1_PKAuthenticator.x \
+ asn1_AuthPack.x \
+ asn1_TD_TRUSTED_CERTIFIERS.x \
+ asn1_TD_INVALID_CERTIFICATES.x \
+ asn1_KRB5PrincipalName.x \
+ asn1_AD_INITIAL_VERIFIED_CAS.x \
+ asn1_DHRepInfo.x \
+ asn1_PA_PK_AS_REP.x \
+ asn1_KDCDHKeyInfo.x \
+ asn1_ReplyKeyPack.x \
+ asn1_TD_DH_PARAMETERS.x \
+ asn1_PKAuthenticator_Win2k.x \
+ asn1_AuthPack_Win2k.x \
+ asn1_TrustedCA_Win2k.x \
+ asn1_PA_PK_AS_REQ_Win2k.x \
+ asn1_PA_PK_AS_REP_Win2k.x \
+ asn1_KDCDHKeyInfo_Win2k.x \
+ asn1_ReplyKeyPack_Win2k.x \
+ asn1_PkinitSuppPubInfo.x
-.ORDER: ${GEN} krb5_asn1.h
-${GEN} krb5_asn1.h: k5.asn1 ../../tools/asn1_compile/asn1_compile
- ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} krb5_asn1
+GEN_PKCS8 = \
+ asn1_PKCS8PrivateKeyAlgorithmIdentifier.x \
+ asn1_PKCS8PrivateKey.x \
+ asn1_PKCS8PrivateKeyInfo.x \
+ asn1_PKCS8Attributes.x \
+ asn1_PKCS8EncryptedPrivateKeyInfo.x \
+ asn1_PKCS8EncryptedData.x
+
+GEN_PKCS9 = \
+ asn1_id_pkcs_9.x \
+ asn1_id_pkcs9_contentType.x \
+ asn1_id_pkcs9_emailAddress.x \
+ asn1_id_pkcs9_messageDigest.x \
+ asn1_id_pkcs9_signingTime.x \
+ asn1_id_pkcs9_countersignature.x \
+ asn1_id_pkcs_9_at_friendlyName.x \
+ asn1_id_pkcs_9_at_localKeyId.x \
+ asn1_id_pkcs_9_at_certTypes.x \
+ asn1_id_pkcs_9_at_certTypes_x509.x \
+ asn1_PKCS9_BMPString.x \
+ asn1_PKCS9_friendlyName.x
+
+GEN_PKCS12 = \
+ asn1_id_pkcs_12.x \
+ asn1_id_pkcs_12PbeIds.x \
+ asn1_id_pbeWithSHAAnd128BitRC4.x \
+ asn1_id_pbeWithSHAAnd40BitRC4.x \
+ asn1_id_pbeWithSHAAnd3_KeyTripleDES_CBC.x \
+ asn1_id_pbeWithSHAAnd2_KeyTripleDES_CBC.x \
+ asn1_id_pbeWithSHAAnd128BitRC2_CBC.x \
+ asn1_id_pbewithSHAAnd40BitRC2_CBC.x \
+ asn1_id_pkcs12_bagtypes.x \
+ asn1_id_pkcs12_keyBag.x \
+ asn1_id_pkcs12_pkcs8ShroudedKeyBag.x \
+ asn1_id_pkcs12_certBag.x \
+ asn1_id_pkcs12_crlBag.x \
+ asn1_id_pkcs12_secretBag.x \
+ asn1_id_pkcs12_safeContentsBag.x \
+ asn1_PKCS12_MacData.x \
+ asn1_PKCS12_PFX.x \
+ asn1_PKCS12_AuthenticatedSafe.x \
+ asn1_PKCS12_CertBag.x \
+ asn1_PKCS12_Attribute.x \
+ asn1_PKCS12_Attributes.x \
+ asn1_PKCS12_SafeBag.x \
+ asn1_PKCS12_SafeContents.x \
+ asn1_PKCS12_OctetString.x \
+ asn1_PKCS12_PBEParams.x
+
+GEN_DIGEST= asn1_DigestError.x \
+ asn1_DigestInit.x \
+ asn1_DigestInitReply.x \
+ asn1_DigestREP.x \
+ asn1_DigestREQ.x \
+ asn1_DigestRepInner.x \
+ asn1_DigestReqInner.x \
+ asn1_DigestRequest.x \
+ asn1_DigestResponse.x \
+ asn1_DigestTypes.x \
+ asn1_NTLMInit.x \
+ asn1_NTLMInitReply.x \
+ asn1_NTLMRequest.x \
+ asn1_NTLMResponse.x
+
+GEN_KX509 = \
+ asn1_Kx509Response.x \
+ asn1_Kx509Request.x
+
+GEN+= ${GEN_RFC2459}
+GEN+= ${GEN_CMS}
+GEN+= ${GEN_K5}
+GEN+= ${GEN_PKINIT}
+GEN+= ${GEN_PKCS8}
+GEN+= ${GEN_PKCS9}
+GEN+= ${GEN_PKCS12}
+GEN+= ${GEN_DIGEST}
+GEN+= ${GEN_KX509}
+
+CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} *_asn1_files
+
+GEN_ASN1=cms_asn1.h rfc2459_asn1.h krb5_asn1.h pkinit_asn1.h
+GEN_ASN1+=pkcs8_asn1.h pkcs9_asn1.h pkcs12_asn1.h digest_asn1.h kx509_asn1.h
+SRCS+= ${GEN_ASN1}
+INCS+= ${GEN_ASN1}
+CLEANFILES+=${GEN_ASN1}
+
+.ORDER: ${GEN} ${GEN_ASN1}
+
+${GEN_CMS} cms_asn1.h: CMS.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} cms_asn1
+
+${GEN_RFC2459} rfc2459_asn1.h: rfc2459.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile \
+ --preserve-binary=TBSCertificate \
+ --preserve-binary=TBSCRLCertList \
+ --preserve-binary=Name \
+ --sequence=GeneralNames \
+ --sequence=Extensions \
+ --sequence=CRLDistributionPoints ${.ALLSRC:M*.asn1} rfc2459_asn1
+
+${GEN_K5} krb5_asn1.h: k5.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile \
+ --encode-rfc1510-bit-string \
+ --sequence=KRB5SignedPathPrincipals \
+ --sequence=AuthorizationData \
+ --sequence=METHOD-DATA \
+ --sequence=ETYPE-INFO \
+ --sequence=ETYPE-INFO2 ${.ALLSRC:M*.asn1} krb5_asn1
+
+${GEN_PKINIT} pkinit_asn1.h: pkinit.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkinit_asn1
+
+${GEN_PKCS8} pkcs8_asn1.h: pkcs8.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkcs8_asn1
+
+${GEN_PKCS9} pkcs9_asn1.h: pkcs9.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkcs9_asn1
+
+${GEN_PKCS12} pkcs12_asn1.h: pkcs12.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkcs12_asn1
+
+${GEN_DIGEST} digest_asn1.h: digest.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} digest_asn1
+
+${GEN_KX509} kx509_asn1.h: kx509.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} kx509_asn1
 ../../tools/asn1_compile/asn1_compile:
 cd ${.CURDIR}/../../tools/asn1_compile && ${MAKE}
diff --git a/kerberos5/lib/libgssapi/Makefile b/kerberos5/lib/libgssapi/Makefile
deleted file mode 100644
index 518b445a0aa9..000000000000
--- a/kerberos5/lib/libgssapi/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# $FreeBSD$
-
-LIB= gssapi_krb5
-LDFLAGS= -Wl,-Bsymbolic
-LDADD= -lkrb5 -lcrypto -lroken -lasn1 -lcom_err -lcrypt
-DPADD= ${LIBKRB5} ${LIBCRYPTO} ${LIBROKEN} ${LIBASN1} ${LIBCOM_ERR} \
- ${LIBCRYPT}
-
-SRCS= 8003.c \
- accept_sec_context.c \
- acquire_cred.c \
- add_cred.c \
- add_oid_set_member.c \
- address_to_krb5addr.c \
- arcfour.c \
- canonicalize_name.c \
- compare_name.c \
- compat.c \
- context_time.c \
- copy_ccache.c \
- create_emtpy_oid_set.c \
- decapsulate.c \
- delete_sec_context.c \
- display_name.c \
- display_status.c \
- duplicate_name.c \
- encapsulate.c \
- export_name.c \
- export_sec_context.c \
- external.c \
- get_mic.c \
- import_name.c \
- import_sec_context.c \
- indicate_mechs.c \
- init.c \
- init_sec_context.c \
- inquire_context.c \
- inquire_cred.c \
- inquire_cred_by_mech.c \
- inquire_mechs_for_name.c \
- inquire_names_for_mech.c \
- process_context_token.c \
- release_buffer.c \
- release_cred.c \
- release_name.c \
- release_oid_set.c \
- test_oid_set_member.c \
- unwrap.c \
- v1.c \
- verify_mic.c \
- wrap.c
-
-CFLAGS+=-I${KRB5DIR}/lib/gssapi -I${KRB5DIR}/lib/krb5 \
- -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I.
-
-.include
-
-.PATH: ${KRB5DIR}/lib/gssapi
diff --git a/kerberos5/lib/libgssapi_krb5/Makefile b/kerberos5/lib/libgssapi_krb5/Makefile
new file mode 100644
index 000000000000..b866d1b3bb71
--- /dev/null
+++ b/kerberos5/lib/libgssapi_krb5/Makefile
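Review bot: The `--preserve-binary=TBSCertificate`, `--preserve-binary=TBSCRLCertList` and `--preserve-binary=Name` options on the rfc2459 rule are exactly the kind of flag a later tidy-up could drop without noticing; if, as the option name suggests, they make the generated decoder keep the original DER bytes of those structures, they are what lets signature verification and name comparison run over the bytes actually received rather than a re-encoding, and they deserve a comment. A line such as `# --preserve-binary keeps the received DER for signed/compared structures; do not remove` above that recipe would do, and the same applies to `--encode-rfc1510-bit-string` on the k5 rule, which reads like a wire-compatibility knob. The trailing `asn1_compile:` rule and its `cd … && ${MAKE}` recipe are unchanged context.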
@@ -0,0 +1,79 @@
+# $FreeBSD$
+
+LIB= gssapi_krb5
+LDFLAGS= -Wl,-Bsymbolic
+LDADD= -lkrb5 -lhx509 -lcrypto -lroken -lasn1 -lcom_err -lcrypt
+DPADD= ${LIBKRB5} ${LIBHX509} ${LIBCRYPTO} ${LIBROKEN} ${LIBASN1} \
+ ${LIBCOM_ERR} ${LIBCRYPT}
+
+INCS= ${KRB5DIR}/lib/gssapi/gssapi/gssapi_krb5.h
+INCSDIR= ${INCLUDEDIR}/gssapi
+
+SRCS= 8003.c \
+ accept_sec_context.c \
+ acquire_cred.c \
+ add_cred.c \
+ address_to_krb5addr.c \
+ arcfour.c \
+ canonicalize_name.c \
+ ccache_name.c \
+ cfx.c \
+ compare_name.c \
+ compat.c \
+ context_time.c \
+ copy_ccache.c \
+ decapsulate.c \
+ delete_sec_context.c \
+ display_name.c \
+ display_status.c \
+ duplicate_name.c \
+ encapsulate.c \
+ export_name.c \
+ export_sec_context.c \
+ external.c \
+ get_mic.c \
+ gkrb5_err.c \
+ gkrb5_err.h \
+ import_name.c \
+ import_sec_context.c \
+ indicate_mechs.c \
+ init.c \
+ init_sec_context.c \
+ inquire_context.c \
+ inquire_cred.c \
+ inquire_cred_by_mech.c \
+ inquire_cred_by_oid.c \
+ inquire_mechs_for_name.c \
+ inquire_names_for_mech.c \
+ inquire_sec_context_by_oid.c \
+ prefix.c \
+ prf.c \
+ process_context_token.c \
+ release_buffer.c \
+ release_cred.c \
+ release_name.c \
+ sequence.c \
+ set_cred_option.c \
+ set_sec_context_option.c \
+ unwrap.c \
+ v1.c \
+ verify_mic.c \
+ wrap.c \
+ gss_krb5.c
+
+#SRCS+= gss_add_oid_set_member.c \
+# gss_create_empty_oid_set.c \
+# gss_release_buffer.c \
+# gss_release_oid_set.c \
+# gss_test_oid_set_member.c \
+# gss_utils.c
+
+CFLAGS+=-I${KRB5DIR}/lib/gssapi
+CFLAGS+=-I${KRB5DIR}/lib/gssapi/krb5
+CFLAGS+=-I${KRB5DIR}/lib/krb5
+CFLAGS+=-I${KRB5DIR}/lib/asn1
+CFLAGS+=-I${KRB5DIR}/lib/roken -I.
+
+.include
+
+.PATH: ${KRB5DIR}/lib/gssapi/krb5 ${.CURDIR}/../../../lib/libgssapi
diff --git a/kerberos5/lib/libgssapi_krb5/gss_krb5.c b/kerberos5/lib/libgssapi_krb5/gss_krb5.c
new file mode 100644
index 000000000000..308efd7ee204
--- /dev/null
+++ b/kerberos5/lib/libgssapi_krb5/gss_krb5.c
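Review bot: `LDFLAGS= -Wl,-Bsymbolic` in the new Makefile overwrites any LDFLAGS passed in from the environment or the make command line; `LDFLAGS+= -Wl,-Bsymbolic` keeps the flag this library needs while still honouring the caller's. The same assignment is carried over from the deleted kerberos5/lib/libgssapi/Makefile and repeated in the new kerberos5/lib/libgssapi_ntlm/Makefile and kerberos5/lib/libgssapi_spnego/Makefile. The commented-out `#SRCS+= gss_add_oid_set_member.c …` block is dead configuration that will drift from the real source list; drop it, or replace it with a one-line comment stating why those files are excluded from this build.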
@@ -0,0 +1,831 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#include +#include + +/* RCSID("$Id: gss_krb5.c 21889 2007-08-09 07:43:24Z lha $"); */ + +#include +#include + +OM_uint32 +gss_krb5_copy_ccache(OM_uint32 *minor_status, + gss_cred_id_t cred, + krb5_ccache out) +{ + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + krb5_context context; + krb5_error_code kret; + krb5_ccache id; + OM_uint32 ret; + char *str; + + ret = gss_inquire_cred_by_oid(minor_status, + cred, + GSS_KRB5_COPY_CCACHE_X, + &data_set); + if (ret) + return ret; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + kret = krb5_init_context(&context); + if (kret) { + *minor_status = kret; + gss_release_buffer_set(minor_status, &data_set); + return GSS_S_FAILURE; + } + + kret = asprintf(&str, "%.*s", (int)data_set->elements[0].length, + (char *)data_set->elements[0].value); + gss_release_buffer_set(minor_status, &data_set); + if (kret == -1) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + kret = krb5_cc_resolve(context, str, &id); + free(str); + if (kret) { + *minor_status = kret; + return GSS_S_FAILURE; + } + + kret = krb5_cc_copy_cache(context, id, out); + krb5_cc_close(context, id); + krb5_free_context(context); + if (kret) { + *minor_status = kret; + return GSS_S_FAILURE; + } + + return ret; +} + +OM_uint32 +gss_krb5_import_cred(OM_uint32 *minor_status, + krb5_ccache id, + krb5_principal keytab_principal, + krb5_keytab keytab, + gss_cred_id_t *cred) +{ + gss_buffer_desc buffer; + OM_uint32 major_status; + krb5_context context; + krb5_error_code ret; + krb5_storage *sp; + krb5_data data; + char *str; + + *cred = GSS_C_NO_CREDENTIAL; + + ret = krb5_init_context(&context); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + sp = krb5_storage_emem(); + if (sp == NULL) { + *minor_status = ENOMEM; + major_status = GSS_S_FAILURE; + goto out; + } + + if (id) { + ret = 
krb5_cc_get_full_name(context, id, &str); + if (ret == 0) { + ret = krb5_store_string(sp, str); + free(str); + } + } else + ret = krb5_store_string(sp, ""); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + if (keytab_principal) { + ret = krb5_unparse_name(context, keytab_principal, &str); + if (ret == 0) { + ret = krb5_store_string(sp, str); + free(str); + } + } else + krb5_store_string(sp, ""); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + + if (keytab) { + ret = krb5_kt_get_full_name(context, keytab, &str); + if (ret == 0) { + ret = krb5_store_string(sp, str); + free(str); + } + } else + krb5_store_string(sp, ""); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + ret = krb5_storage_to_data(sp, &data); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto out; + } + + buffer.value = data.data; + buffer.length = data.length; + + major_status = gss_set_cred_option(minor_status, + cred, + GSS_KRB5_IMPORT_CRED_X, + &buffer); + krb5_data_free(&data); +out: + if (sp) + krb5_storage_free(sp); + krb5_free_context(context); + return major_status; +} + +OM_uint32 +gsskrb5_register_acceptor_identity(const char *identity) +{ + gss_buffer_desc buffer; + OM_uint32 junk; + + buffer.value = rk_UNCONST(identity); + buffer.length = strlen(identity); + + gss_set_sec_context_option(&junk, NULL, + GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); + + return (GSS_S_COMPLETE); +} + +OM_uint32 +gsskrb5_set_dns_canonicalize(int flag) +{ + gss_buffer_desc buffer; + OM_uint32 junk; + char b = (flag != 0); + + buffer.value = &b; + buffer.length = sizeof(b); + + gss_set_sec_context_option(&junk, NULL, + GSS_KRB5_SET_DNS_CANONICALIZE_X, &buffer); + + return (GSS_S_COMPLETE); +} + + + +static krb5_error_code +set_key(krb5_keyblock *keyblock, gss_krb5_lucid_key_t *key) +{ + key->type = keyblock->keytype; + key->length = keyblock->keyvalue.length; + key->data 
= malloc(key->length); + if (key->data == NULL && key->length != 0) + return ENOMEM; + memcpy(key->data, keyblock->keyvalue.data, key->length); + return 0; +} + +static void +free_key(gss_krb5_lucid_key_t *key) +{ + memset(key->data, 0, key->length); + free(key->data); + memset(key, 0, sizeof(*key)); +} + +OM_uint32 +gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + OM_uint32 version, + void **rctx) +{ + krb5_context context = NULL; + krb5_error_code ret; + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 major_status; + gss_krb5_lucid_context_v1_t *ctx = NULL; + krb5_storage *sp = NULL; + uint32_t num; + + if (context_handle == NULL + || *context_handle == GSS_C_NO_CONTEXT + || version != 1) + { + ret = EINVAL; + return GSS_S_FAILURE; + } + + major_status = + gss_inquire_sec_context_by_oid (minor_status, + *context_handle, + GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X, + &data_set); + if (major_status) + return major_status; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ret = krb5_init_context(&context); + if (ret) + goto out; + + ctx = calloc(1, sizeof(*ctx)); + if (ctx == NULL) { + ret = ENOMEM; + goto out; + } + + sp = krb5_storage_from_mem(data_set->elements[0].value, + data_set->elements[0].length); + if (sp == NULL) { + ret = ENOMEM; + goto out; + } + + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + if (num != 1) { + ret = EINVAL; + goto out; + } + ctx->version = 1; + /* initiator */ + ret = krb5_ret_uint32(sp, &ctx->initiate); + if (ret) goto out; + /* endtime */ + ret = krb5_ret_uint32(sp, &ctx->endtime); + if (ret) goto out; + /* send_seq */ + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->send_seq = ((uint64_t)num) << 32; + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->send_seq |= num; + /* recv_seq */ + ret = krb5_ret_uint32(sp, &num); + if 
(ret) goto out; + ctx->recv_seq = ((uint64_t)num) << 32; + ret = krb5_ret_uint32(sp, &num); + if (ret) goto out; + ctx->recv_seq |= num; + /* protocol */ + ret = krb5_ret_uint32(sp, &ctx->protocol); + if (ret) goto out; + if (ctx->protocol == 0) { + krb5_keyblock key; + + /* sign_alg */ + ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.sign_alg); + if (ret) goto out; + /* seal_alg */ + ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.seal_alg); + if (ret) goto out; + /* ctx_key */ + ret = krb5_ret_keyblock(sp, &key); + if (ret) goto out; + ret = set_key(&key, &ctx->rfc1964_kd.ctx_key); + krb5_free_keyblock_contents(context, &key); + if (ret) goto out; + } else if (ctx->protocol == 1) { + krb5_keyblock key; + + /* acceptor_subkey */ + ret = krb5_ret_uint32(sp, &ctx->cfx_kd.have_acceptor_subkey); + if (ret) goto out; + /* ctx_key */ + ret = krb5_ret_keyblock(sp, &key); + if (ret) goto out; + ret = set_key(&key, &ctx->cfx_kd.ctx_key); + krb5_free_keyblock_contents(context, &key); + if (ret) goto out; + /* acceptor_subkey */ + if (ctx->cfx_kd.have_acceptor_subkey) { + ret = krb5_ret_keyblock(sp, &key); + if (ret) goto out; + ret = set_key(&key, &ctx->cfx_kd.acceptor_subkey); + krb5_free_keyblock_contents(context, &key); + if (ret) goto out; + } + } else { + ret = EINVAL; + goto out; + } + + *rctx = ctx; + +out: + gss_release_buffer_set(minor_status, &data_set); + if (sp) + krb5_storage_free(sp); + if (context) + krb5_free_context(context); + + if (ret) { + if (ctx) + gss_krb5_free_lucid_sec_context(NULL, ctx); + + *minor_status = ret; + return GSS_S_FAILURE; + } + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c) +{ + gss_krb5_lucid_context_v1_t *ctx = c; + + if (ctx->version != 1) { + if (minor_status) + *minor_status = 0; + return GSS_S_FAILURE; + } + + if (ctx->protocol == 0) { + free_key(&ctx->rfc1964_kd.ctx_key); + } else if (ctx->protocol == 1) { + free_key(&ctx->cfx_kd.ctx_key); + if 
(ctx->cfx_kd.have_acceptor_subkey) + free_key(&ctx->cfx_kd.acceptor_subkey); + } + free(ctx); + if (minor_status) + *minor_status = 0; + return GSS_S_COMPLETE; +} + +/* + * + */ + +OM_uint32 +gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, + gss_cred_id_t cred, + OM_uint32 num_enctypes, + int32_t *enctypes) +{ + krb5_error_code ret; + OM_uint32 maj_status; + gss_buffer_desc buffer; + krb5_storage *sp; + krb5_data data; + int i; + + sp = krb5_storage_emem(); + if (sp == NULL) { + *minor_status = ENOMEM; + maj_status = GSS_S_FAILURE; + goto out; + } + + for (i = 0; i < num_enctypes; i++) { + ret = krb5_store_int32(sp, enctypes[i]); + if (ret) { + *minor_status = ret; + maj_status = GSS_S_FAILURE; + goto out; + } + } + + ret = krb5_storage_to_data(sp, &data); + if (ret) { + *minor_status = ret; + maj_status = GSS_S_FAILURE; + goto out; + } + + buffer.value = data.data; + buffer.length = data.length; + + maj_status = gss_set_cred_option(minor_status, + &cred, + GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X, + &buffer); + krb5_data_free(&data); +out: + if (sp) + krb5_storage_free(sp); + return maj_status; +} + +/* + * + */ + +OM_uint32 +gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c) +{ + gss_buffer_desc buffer; + OM_uint32 junk; + + if (c) { + buffer.value = c; + buffer.length = sizeof(*c); + } else { + buffer.value = NULL; + buffer.length = 0; + } + + gss_set_sec_context_option(&junk, NULL, + GSS_KRB5_SEND_TO_KDC_X, &buffer); + + return (GSS_S_COMPLETE); +} + +/* + * + */ + +OM_uint32 +gss_krb5_ccache_name(OM_uint32 *minor_status, + const char *name, + const char **out_name) +{ + gss_buffer_desc buffer; + OM_uint32 junk; + + if (out_name) + *out_name = NULL; + + buffer.value = rk_UNCONST(name); + buffer.length = strlen(name); + + gss_set_sec_context_option(&junk, NULL, + GSS_KRB5_CCACHE_NAME_X, &buffer); + + return (GSS_S_COMPLETE); +} + + +/* + * + */ + +OM_uint32 +gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + 
time_t *authtime) +{ + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 maj_stat; + + if (context_handle == GSS_C_NO_CONTEXT) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + maj_stat = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + GSS_KRB5_GET_AUTHTIME_X, + &data_set); + if (maj_stat) + return maj_stat; + + if (data_set == GSS_C_NO_BUFFER_SET) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (data_set->elements[0].length != 4) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + { + unsigned char *buf = data_set->elements[0].value; + *authtime = (buf[3] <<24) | (buf[2] << 16) | + (buf[1] << 8) | (buf[0] << 0); + } + + gss_release_buffer_set(minor_status, &data_set); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +/* + * + */ + +OM_uint32 +gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + int ad_type, + gss_buffer_t ad_data) +{ + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 maj_stat; + gss_OID_desc oid_flat; + heim_oid baseoid, oid; + size_t size; + + if (context_handle == GSS_C_NO_CONTEXT) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + /* All this to append an integer to an oid... 
*/ + + if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length, + &baseoid, NULL) != 0) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + oid.length = baseoid.length + 1; + oid.components = calloc(oid.length, sizeof(*oid.components)); + if (oid.components == NULL) { + der_free_oid(&baseoid); + + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + memcpy(oid.components, baseoid.components, + baseoid.length * sizeof(*baseoid.components)); + + der_free_oid(&baseoid); + + oid.components[oid.length - 1] = ad_type; + + oid_flat.length = der_length_oid(&oid); + oid_flat.elements = malloc(oid_flat.length); + if (oid_flat.elements == NULL) { + free(oid.components); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + if (der_put_oid((unsigned char *)oid_flat.elements + oid_flat.length - 1, + oid_flat.length, &oid, &size) != 0) { + free(oid.components); + free(oid_flat.elements); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + if (oid_flat.length != size) + abort(); + + free(oid.components); + + /* FINALLY, we have the OID */ + + maj_stat = gss_inquire_sec_context_by_oid (minor_status, + context_handle, + &oid_flat, + &data_set); + + free(oid_flat.elements); + + if (maj_stat) + return maj_stat; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + ad_data->value = malloc(data_set->elements[0].length); + if (ad_data->value == NULL) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + ad_data->length = data_set->elements[0].length; + memcpy(ad_data->value, data_set->elements[0].value, ad_data->length); + gss_release_buffer_set(minor_status, &data_set); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +/* + * + */ + +static OM_uint32 +gsskrb5_extract_key(OM_uint32 *minor_status, + gss_ctx_id_t 
context_handle, + const gss_OID oid, + krb5_keyblock **keyblock) +{ + krb5_error_code ret; + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + OM_uint32 major_status; + krb5_context context = NULL; + krb5_storage *sp = NULL; + + if (context_handle == GSS_C_NO_CONTEXT) { + ret = EINVAL; + return GSS_S_FAILURE; + } + + ret = krb5_init_context(&context); + if(ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + major_status = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + oid, + &data_set); + if (major_status) + return major_status; + + if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + sp = krb5_storage_from_mem(data_set->elements[0].value, + data_set->elements[0].length); + if (sp == NULL) { + ret = ENOMEM; + goto out; + } + + *keyblock = calloc(1, sizeof(**keyblock)); + if (keyblock == NULL) { + ret = ENOMEM; + goto out; + } + + ret = krb5_ret_keyblock(sp, *keyblock); + +out: + gss_release_buffer_set(minor_status, &data_set); + if (sp) + krb5_storage_free(sp); + if (ret && keyblock) { + krb5_free_keyblock(context, *keyblock); + *keyblock = NULL; + } + if (context) + krb5_free_context(context); + + *minor_status = ret; + if (ret) + return GSS_S_FAILURE; + + return GSS_S_COMPLETE; +} + +/* + * + */ + +OM_uint32 +gsskrb5_extract_service_keyblock(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_keyblock **keyblock) +{ + return gsskrb5_extract_key(minor_status, + context_handle, + GSS_KRB5_GET_SERVICE_KEYBLOCK_X, + keyblock); +} + +OM_uint32 +gsskrb5_get_initiator_subkey(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_keyblock **keyblock) +{ + return gsskrb5_extract_key(minor_status, + context_handle, + GSS_KRB5_GET_INITIATOR_SUBKEY_X, + keyblock); +} + +OM_uint32 +gsskrb5_get_subkey(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + krb5_keyblock **keyblock) +{ + return 
gsskrb5_extract_key(minor_status, + context_handle, + GSS_KRB5_GET_SUBKEY_X, + keyblock); +} + +OM_uint32 +gsskrb5_set_default_realm(const char *realm) +{ + gss_buffer_desc buffer; + OM_uint32 junk; + + buffer.value = rk_UNCONST(realm); + buffer.length = strlen(realm); + + gss_set_sec_context_option(&junk, NULL, + GSS_KRB5_SET_DEFAULT_REALM_X, &buffer); + + return (GSS_S_COMPLETE); +} + +OM_uint32 +gss_krb5_get_tkt_flags(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + OM_uint32 *tkt_flags) +{ + + OM_uint32 major_status; + gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; + + if (context_handle == GSS_C_NO_CONTEXT) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + major_status = + gss_inquire_sec_context_by_oid (minor_status, + context_handle, + GSS_KRB5_GET_TKT_FLAGS_X, + &data_set); + if (major_status) + return major_status; + + if (data_set == GSS_C_NO_BUFFER_SET || + data_set->count != 1 || + data_set->elements[0].length < 4) { + gss_release_buffer_set(minor_status, &data_set); + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + { + const u_char *p = data_set->elements[0].value; + *tkt_flags = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); + } + + gss_release_buffer_set(minor_status, &data_set); + return GSS_S_COMPLETE; +} + diff --git a/crypto/heimdal/lib/asn1/gen.h b/kerberos5/lib/libgssapi_krb5/prefix.c similarity index 55% rename from crypto/heimdal/lib/asn1/gen.h rename to kerberos5/lib/libgssapi_krb5/prefix.c index 369b6e392acd..086b7447ed00 100644 --- a/crypto/heimdal/lib/asn1/gen.h +++ b/kerberos5/lib/libgssapi_krb5/prefix.c 
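Review bot: In `gsskrb5_extract_key`, the check following `*keyblock = calloc(1, sizeof(**keyblock));` tests the out-parameter rather than the allocation — `if (keyblock == NULL)` can never be true at that point, so a failed calloc hands NULL to `krb5_ret_keyblock`; it should be `if (*keyblock == NULL)`, and the cleanup `if (ret && keyblock)` should likewise test `*keyblock`. The early returns that write `ret = EINVAL; return GSS_S_FAILURE;` in `gsskrb5_extract_key` and `gss_krb5_export_lucid_sec_context` assign a local and leave `*minor_status` untouched; they should set `*minor_status = EINVAL;`. In `gsskrb5_extract_key` the `krb5_context` obtained before `gss_inquire_sec_context_by_oid` is leaked on the two early returns that follow it (`return major_status;` and the `data_set` check), and `gss_krb5_copy_ccache` likewise leaks its context when `asprintf` or `krb5_cc_resolve` fails — routing those paths through the cleanup label fixes both. Finally, `gsskrb5_extract_authtime_from_sec_context` and `gss_krb5_get_tkt_flags` assemble a 32-bit value with `buf[3] << 24` / `p[3] << 24` on an int-promoted `unsigned char`, which overflows signed int when the top bit is set; cast each byte to `uint32_t` before shifting.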
@@ -1,38 +1,33 @@ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. +/*- + * Copyright (c) 2008 Doug Rabson + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. * - * 2. 
Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * $FreeBSD$ */ -/* $Id: gen.h,v 1.4 1999/12/02 17:05:02 joda Exp $ */ - -#include -#include "symbol.h" - +const char * +_gss_name_prefix(void) +{ + return "_gsskrb5"; +} diff --git a/kerberos5/lib/libgssapi_ntlm/Makefile b/kerberos5/lib/libgssapi_ntlm/Makefile new file mode 100644 index 000000000000..cbecc2d5ee93 --- /dev/null +++ b/kerberos5/lib/libgssapi_ntlm/Makefile 
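Review bot: `_gss_name_prefix` has no comment saying what the returned string is for or who calls it; a one-liner above the definition such as `/* Symbol-name prefix for this mechanism's GSS-API entry points; presumably consumed by the mechanism loader in lib/libgssapi — confirm */` would make the copies self-explanatory. The same undocumented function is added in kerberos5/lib/libgssapi_ntlm/prefix.c (returning "_gss_ntlm") and kerberos5/lib/libgssapi_spnego/prefix.c (returning "_gss_spnego").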
@@ -0,0 +1,44 @@
+# $FreeBSD$
+
+LIB= gssapi_ntlm
+LDFLAGS= -Wl,-Bsymbolic
+LDADD= -lkrb5 -lhx509 -lheimntlm -lroken
+DPADD= ${LIBKRB5} ${LIBHX509} ${LIBHEIMNTLM} ${LIBROKEN}
+
+SRCS= accept_sec_context.c \
+ acquire_cred.c \
+ add_cred.c \
+ canonicalize_name.c \
+ compare_name.c \
+ context_time.c \
+ crypto.c \
+ delete_sec_context.c \
+ display_name.c \
+ display_status.c \
+ duplicate_name.c \
+ export_name.c \
+ export_sec_context.c \
+ external.c \
+ ntlm.h \
+ ntlm-private.h \
+ import_name.c \
+ import_sec_context.c \
+ indicate_mechs.c \
+ init_sec_context.c \
+ inquire_context.c \
+ inquire_cred.c \
+ inquire_cred_by_mech.c \
+ inquire_mechs_for_name.c \
+ inquire_names_for_mech.c \
+ prefix.c \
+ process_context_token.c \
+ release_cred.c \
+ release_name.c \
+ digest.c
+
+CFLAGS+=-I${KRB5DIR}/lib/gssapi
+CFLAGS+=-I${KRB5DIR}/lib/ntlm
+
+.include
+
+.PATH: ${KRB5DIR}/lib/gssapi/ntlm ${.CURDIR}/../../../lib/libgssapi
diff --git a/crypto/heimdal/kuser/kinit_options.c b/kerberos5/lib/libgssapi_ntlm/prefix.c
similarity index 53%
rename from crypto/heimdal/kuser/kinit_options.c
rename to kerberos5/lib/libgssapi_ntlm/prefix.c
index 5a7dcd98753d..68db6415c5c0
--- a/crypto/heimdal/kuser/kinit_options.c
+++ b/kerberos5/lib/libgssapi_ntlm/prefix.c
@@ -1,40 +1,33 @@ -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. +/*- + * Copyright (c) 2008 Doug Rabson + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. * - * 2. 
Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * $FreeBSD$ */ -#include "kuser_locl.h" -RCSID("$Id: kinit_options.c,v 1.2 1999/12/02 17:05:01 joda Exp $"); - -#ifdef KRB4 -int do_afslog = 0; -int get_v4_tgt = 0; -#endif +const char * +_gss_name_prefix(void) +{ + return "_gss_ntlm"; +} diff --git a/kerberos5/lib/libgssapi_spnego/Makefile b/kerberos5/lib/libgssapi_spnego/Makefile new file mode 100644 index 000000000000..af98880a6388 --- /dev/null +++ b/kerberos5/lib/libgssapi_spnego/Makefile 
@@ -0,0 +1,48 @@
+# $FreeBSD$
+
+LIB= gssapi_spnego
+LDFLAGS= -Wl,-Bsymbolic
+LDADD= -lasn1
+DPADD= ${LIBASN1}
+
+SRCS= accept_sec_context.c \
+ compat.c \
+ context_stubs.c \
+ cred_stubs.c \
+ external.c \
+ init_sec_context.c \
+ prefix.c \
+ spnego_asn1.h \
+ ${GEN:S/.x$/.c/}
+
+GEN= asn1_ContextFlags.x \
+ asn1_MechType.x \
+ asn1_MechTypeList.x \
+ asn1_NegotiationToken.x \
+ asn1_NegotiationTokenWin.x \
+ asn1_NegHints.x \
+ asn1_NegTokenInit.x \
+ asn1_NegTokenInitWin.x \
+ asn1_NegTokenResp.x
+
+CFLAGS+=-I${KRB5DIR}/lib/gssapi
+CFLAGS+=-I${KRB5DIR}/lib/asn1
+CFLAGS+=-I${KRB5DIR}/lib/roken -I.
+
+CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} spnego_asn1.h asn1_files
+
+.ORDER: ${GEN} spnego_asn1.h
+${GEN} spnego_asn1.h: spnego.asn1 ../../tools/asn1_compile/asn1_compile
+ ../../tools/asn1_compile/asn1_compile --sequence=MechTypeList ${.ALLSRC:M*.asn1} spnego_asn1
+
+../../tools/asn1_compile/asn1_compile:
+ cd ${.CURDIR}/../../tools/asn1_compile && ${MAKE}
+
+.for I in ${GEN}
+${I:R}.c: ${I}
+ cat ${.ALLSRC} > ${.TARGET}
+.endfor
+
+.include
+
+.PATH: ${KRB5DIR}/lib/gssapi/spnego ${.CURDIR}/../../../lib/libgssapi
diff --git a/crypto/heimdal/kuser/kauth_options.c b/kerberos5/lib/libgssapi_spnego/prefix.c
similarity index 53%
rename from crypto/heimdal/kuser/kauth_options.c
rename to kerberos5/lib/libgssapi_spnego/prefix.c
index c432d32ac14a..575c951d0fbd
--- a/crypto/heimdal/kuser/kauth_options.c
+++ b/kerberos5/lib/libgssapi_spnego/prefix.c
@@ -1,40 +1,45 @@ -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. +/*- + * Copyright (c) 2008 Doug Rabson + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. * - * 2. 
Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * $FreeBSD$ */ -#include "kuser_locl.h" -RCSID("$Id: kauth_options.c,v 1.2 1999/12/02 17:05:00 joda Exp $"); +#include -#ifdef KRB4 -int do_afslog = 1; -int get_v4_tgt = 1; -#endif +static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc = +{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}; + +gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc; + +static gss_OID_desc gss_krb5_mechanism_oid_desc = +{9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}; + +gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; + +const char * +_gss_name_prefix(void) +{ + return "_gss_spnego"; +} diff --git a/kerberos5/lib/libhdb/Makefile b/kerberos5/lib/libhdb/Makefile index eef619f4a9e0..75465d3768d5 100644 --- a/kerberos5/lib/libhdb/Makefile 
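Review bot: The two OIDs in the new prefix.c are given only as DER byte strings; a comment with the dotted form above each makes them checkable at a glance, e.g. `/* 1.3.6.1.4.1.5322.19.5 */` over `gss_c_peer_has_updated_spnego_oid_desc` and `/* 1.2.840.113554.1.2.2, the Kerberos V5 GSS-API mechanism (RFC 1964) */` over `gss_krb5_mechanism_oid_desc` (both decoded from the bytes shown). `GSS_KRB5_MECHANISM` is also exported as a non-static global from this library; if the kerberos5/lib/libgssapi_krb5 build defines the same symbol (its external.c is not visible here), confirm that the `-Bsymbolic` link in the new Makefile is enough to keep the two definitions from colliding.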
+++ b/kerberos5/lib/libhdb/Makefile
@@ -11,11 +11,14 @@ INCS= hdb-private.h \
 SRCS= common.c \
 db.c \
 db3.c \
+ dbinfo.c \
+ ext.c \
 hdb-ldap.c \
 hdb.c \
 hdb_asn1.h \
 hdb_err.c \
 hdb_err.h \
+ keys.c \
 keytab.c \
 mkey.c \
 ndbm.c \
@@ -24,13 +27,23 @@ SRCS= common.c \
 CFLAGS+=-I${KRB5DIR}/lib/hdb -I${KRB5DIR}/lib/asn1 \
 -I${KRB5DIR}/lib/roken -I. ${LDAPCFLAGS}
+CFLAGS+=-DHDB_DB_DIR="\"/var/heimdal\""
-GEN= asn1_Event.x \
- asn1_GENERATION.x \
- asn1_HDBFlags.x \
+GEN= asn1_Salt.x \
 asn1_Key.x \
- asn1_Salt.x \
- asn1_hdb_entry.x
+ asn1_Event.x \
+ asn1_HDBFlags.x \
+ asn1_GENERATION.x \
+ asn1_HDB_Ext_PKINIT_acl.x \
+ asn1_HDB_Ext_PKINIT_hash.x \
+ asn1_HDB_Ext_Constrained_delegation_acl.x \
+ asn1_HDB_Ext_Lan_Manager_OWF.x \
+ asn1_HDB_Ext_Password.x \
+ asn1_HDB_Ext_Aliases.x \
+ asn1_HDB_extension.x \
+ asn1_HDB_extensions.x \
+ asn1_hdb_entry.x \
+ asn1_hdb_entry_alias.x
 CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} hdb_asn1.h asn1_files
diff --git a/kerberos5/lib/libheimntlm/Makefile b/kerberos5/lib/libheimntlm/Makefile
new file mode 100644
index 000000000000..e223258a50fa
--- /dev/null
+++ b/kerberos5/lib/libheimntlm/Makefile
@@ -0,0 +1,11 @@
+# $FreeBSD$
+
+LIB= heimntlm
+SRCS= ntlm.c
+INCS= heimntlm.h heimntlm-protos.h
+CFLAGS+=-I${KRB5DIR}/lib/ntlm
+VERSION_MAP= ${KRB5DIR}/lib/ntlm/version-script.map
+
+.include
+
+.PATH: ${KRB5DIR}/lib/ntlm
diff --git a/kerberos5/lib/libhx509/Makefile b/kerberos5/lib/libhx509/Makefile
new file mode 100644
index 000000000000..e94831aaca73
--- /dev/null
+++ b/kerberos5/lib/libhx509/Makefile
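Review bot: `CFLAGS+=-DHDB_DB_DIR="\"/var/heimdal\""` in the second libhdb hunk bakes the database directory into the compile line; a variable with a default, `HDB_DB_DIR?= /var/heimdal` followed by `CFLAGS+=-DHDB_DB_DIR="\"${HDB_DB_DIR}\""`, keeps the same default while letting a builder override it from the command line without editing the Makefile. A short comment naming the source file that consumes HDB_DB_DIR would also help; its use is not visible in this chunk.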
@@ -0,0 +1,103 @@ +# $FreeBSD$ + +LIB= hx509 +VERSION_MAP= ${KRB5DIR}/lib/hx509/version-script.map + +INCS= hx509-private.h \ + hx509-protos.h \ + hx509.h \ + hx509_err.h + +SRCS= ca.c \ + cert.c \ + cms.c \ + collector.c \ + crypto.c \ + doxygen.c \ + error.c \ + env.c \ + file.c \ + hx509-private.h \ + hx509-protos.h \ + hx509.h \ + hx_locl.h \ + keyset.c \ + ks_dir.c \ + ks_file.c \ + ks_mem.c \ + ks_null.c \ + ks_p11.c \ + ks_p12.c \ + ks_keychain.c \ + lock.c \ + name.c \ + peer.c \ + print.c \ + softp11.c \ + ref/pkcs11.h \ + req.c \ + revoke.c + +SRCS+= hx509_err.c \ + hx509_err.h + +SRCS+= ${GEN:S/.x$/.c/} + +CFLAGS+=-I${KRB5DIR}/lib/hx509 +CFLAGS+=-I${KRB5DIR}/lib/hx509/ref +CFLAGS+=-I${KRB5DIR}/lib/asn1 +CFLAGS+=-I${KRB5DIR}/lib/roken -I. + +GEN_OCSP= \ + asn1_OCSPBasicOCSPResponse.x \ + asn1_OCSPCertID.x \ + asn1_OCSPCertStatus.x \ + asn1_OCSPInnerRequest.x \ + asn1_OCSPKeyHash.x \ + asn1_OCSPRequest.x \ + asn1_OCSPResponderID.x \ + asn1_OCSPResponse.x \ + asn1_OCSPResponseBytes.x \ + asn1_OCSPResponseData.x \ + asn1_OCSPResponseStatus.x \ + asn1_OCSPSignature.x \ + asn1_OCSPSingleResponse.x \ + asn1_OCSPTBSRequest.x \ + asn1_OCSPVersion.x \ + asn1_id_pkix_ocsp.x \ + asn1_id_pkix_ocsp_basic.x \ + asn1_id_pkix_ocsp_nonce.x + +GEN_PKCS10= \ + asn1_CertificationRequestInfo.x \ + asn1_CertificationRequest.x + +GEN+= ${GEN_OCSP} +GEN+= ${GEN_PKCS10} + +CLEANFILES= ${GEN} ${GEN:S/.x$/.c/} asn1_files + +GEN_ASN1=ocsp_asn1.h pkcs10_asn1.h +CLEANFILES+=${GEN_ASN1} +SRCS+=${GEN_ASN1} +INCS+=${GEN_ASN1} + +.ORDER: ${GEN} ${GEN_ASN1} + +${GEN_OCSP} ocsp_asn1.h: ocsp.asn1 ../../tools/asn1_compile/asn1_compile + ../../tools/asn1_compile/asn1_compile --preserve-binary=OCSPTBSRequest --preserve-binary=OCSPResponseData ${.ALLSRC:M*.asn1} ocsp_asn1 + +${GEN_PKCS10} pkcs10_asn1.h: pkcs10.asn1 ../../tools/asn1_compile/asn1_compile + ../../tools/asn1_compile/asn1_compile ${.ALLSRC:M*.asn1} pkcs10_asn1 + +../../tools/asn1_compile/asn1_compile: + cd 
${.CURDIR}/../../tools/asn1_compile && ${MAKE} + +.for I in ${GEN} +${I:R}.c: ${I} + cat ${.ALLSRC} > ${.TARGET} +.endfor + +.include + +.PATH: ${KRB5DIR}/lib/hx509 ${KRB5DIR}/lib/asn1 diff --git a/kerberos5/lib/libkadm5clnt/Makefile b/kerberos5/lib/libkadm5clnt/Makefile index 32cc80b3b004..339086686613 100644 --- a/kerberos5/lib/libkadm5clnt/Makefile +++ b/kerberos5/lib/libkadm5clnt/Makefile @@ -10,7 +10,8 @@ INCS= admin.h \ INCSDIR=${INCLUDEDIR}/kadm5 -SRCS= chpass_c.c \ +SRCS= ad.c \ + chpass_c.c \ client_glue.c \ common_glue.c \ create_c.c \ diff --git a/kerberos5/lib/libkadm5srv/Makefile b/kerberos5/lib/libkadm5srv/Makefile index 086cb8f63178..c0be47763673 100644 --- a/kerberos5/lib/libkadm5srv/Makefile +++ b/kerberos5/lib/libkadm5srv/Makefile @@ -1,6 +1,7 @@ # $FreeBSD$ LIB= kadm5srv +VERSION_MAP= ${KRB5DIR}/lib/kadm5/version-script.map SRCS= acl.c \ bump_pw_expire.c \ diff --git a/kerberos5/lib/libkafs5/Makefile b/kerberos5/lib/libkafs5/Makefile index 337c642be9dd..e0e0b3036a5e 100644 --- a/kerberos5/lib/libkafs5/Makefile +++ b/kerberos5/lib/libkafs5/Makefile @@ -19,7 +19,7 @@ MLINKS= kafs5.3 k_afs_cell_of_file.3 \ kafs5.3 krb_afslog.3 \ kafs5.3 krb_afslog_uid.3 -SRCS= afssys.c afskrb5.c common.c +SRCS= afssys.c afskrb5.c common.c krb5_err.h CFLAGS+=-I${KRB5DIR}/lib/kafs -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/roken CLEANFILES= kafs5.3 diff --git a/kerberos5/lib/libkrb5/Makefile b/kerberos5/lib/libkrb5/Makefile index 40cddc361d79..5ba011bf5adb 100644 --- a/kerberos5/lib/libkrb5/Makefile +++ b/kerberos5/lib/libkrb5/Makefile 
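Review bot: The `../../tools/asn1_compile/asn1_compile:` rule near the end of the new libhx509 Makefile has no prerequisites and is not marked `.PHONY`, so once a binary exists the recursive `${MAKE}` never runs again and the OCSP and PKCS#10 decoders keep being generated by a stale compiler after any change under kerberos5/tools/asn1_compile. The slc Makefile added in this same commit writes the equivalent helper rules as `../make-roken/make-roken: .PHONY`; doing the same here, `../../tools/asn1_compile/asn1_compile: .PHONY`, keeps the two consistent, at the cost that `${GEN_OCSP}` and `${GEN_PKCS10}` will then be regenerated on every build because their prerequisite is always out of date. If that cost is not acceptable, at least add a comment on the rule stating that the tool is only built when it is missing.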
@@ -1,45 +1,76 @@ # $FreeBSD$ LIB= krb5 +VERSION_MAP= ${KRB5DIR}/lib/krb5/version-script.map INCS= heim_err.h \ + heim_threads.h \ k524_err.h \ krb5-protos.h \ krb5-types.h \ krb5.h \ - krb5_err.h + krb5_err.h \ + krb5-v4compat.h \ + krb_err.h MAN= krb5.3 \ + krb524_convert_creds_kdc.3 \ krb5_425_conv_principal.3 \ + krb5_acl_match_file.3 \ krb5_address.3 \ krb5_aname_to_localname.3 \ krb5_appdefault.3 \ krb5_auth_context.3 \ - krb5_build_principal.3 \ + krb5_c_make_checksum.3 \ krb5_ccache.3 \ + krb5_check_transited.3 \ + krb5_compare_creds.3 \ krb5_config.3 \ krb5_context.3 \ krb5_create_checksum.3 \ + krb5_creds.3 \ krb5_crypto_init.3 \ krb5_data.3 \ + krb5_digest.3 \ + krb5_eai_to_heim_errno.3 \ krb5_encrypt.3 \ - krb5_free_addresses.3 \ - krb5_free_principal.3 \ + krb5_expand_hostname.3 \ + krb5_find_padata.3 \ + krb5_generate_random_block.3 \ krb5_get_all_client_addrs.3 \ + krb5_get_credentials.3 \ + krb5_get_creds.3 \ + krb5_get_forwarded_creds.3 \ + krb5_get_in_cred.3 \ + krb5_get_init_creds.3 \ krb5_get_krbhst.3 \ + krb5_getportbyname.3 \ krb5_init_context.3 \ + krb5_is_thread_safe.3 \ + krb5_keyblock.3 \ krb5_keytab.3 \ krb5_krbhst_init.3 \ krb5_kuserok.3 \ + krb5_mk_req.3 \ + krb5_mk_safe.3 \ krb5_openlog.3 \ krb5_parse_name.3 \ - krb5_principal_get_realm.3 \ + krb5_principal.3 \ + krb5_rcache.3 \ + krb5_rd_error.3 \ + krb5_rd_safe.3 \ krb5_set_default_realm.3 \ - krb5_sname_to_principal.3 \ + krb5_set_password.3 \ + krb5_storage.3 \ + krb5_string_to_key.3 \ + krb5_ticket.3 \ krb5_timeofday.3 \ krb5_unparse_name.3 \ + krb5_verify_init_creds.3 \ krb5_verify_user.3 \ - krb5_warn.3 + krb5_warn.3 \ + verify_krb5_conf.8 + MAN+= krb5.conf.5 MAN+= kerberos.8 @@ -209,7 +240,8 @@ MLINKS= krb5_425_conv_principal.3 krb5_425_conv_principal_ext.3 \ krb5_warn.3 krb5_vwarnx.3 \ krb5_warn.3 krb5_warnx.3 -SRCS= acl.c \ +SRCS= acache.c \ + acl.c \ add_et_list.c \ addr_families.c \ aname_to_localname.c \ 
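Review bot: `verify_krb5_conf.8` is added to libkrb5's `MAN` list, but the same page is already installed by kerberos5/usr.bin/verify_krb5_conf/Makefile (its `MAN= verify_krb5_conf.8` is visible as context further down this diff), so two Makefiles now install the same manual page to the same path. It documents a program, not a library API, and belongs only with the program; drop `verify_krb5_conf.8` from this list so libkrb5 installs only its section 3 pages plus `krb5.conf.5` and `kerberos.8` as before. The removed `krb5_build_principal.3`, `krb5_free_addresses.3`, `krb5_free_principal.3`, `krb5_principal_get_realm.3` and `krb5_sname_to_principal.3` entries presumably became `MLINKS` of the new `krb5_principal.3` and `krb5_address.3` pages, but that hunk is not in this chunk, so confirm nothing was dropped.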
@@ -231,6 +263,7 @@ SRCS= acl.c \ creds.c \ crypto.c \ data.c \ + digest.c \ eai_to_heim_errno.c \ error_string.c \ expand_hostname.c \ @@ -250,12 +283,11 @@ SRCS= acl.c \ get_in_tkt_with_keytab.c \ get_in_tkt_with_skey.c \ get_port.c \ - heim_err.c \ - heim_err.h \ + heim_threads.h \ init_creds.c \ init_creds_pw.c \ - k524_err.c \ - k524_err.h \ + kcm.c \ + kcm.h \ keyblock.c \ keytab.c \ keytab_any.c \ @@ -263,8 +295,8 @@ SRCS= acl.c \ keytab_keyfile.c \ keytab_krb4.c \ keytab_memory.c \ - krb5_err.c \ - krb5_err.h \ + krb5_locl.h \ + krb5-v4compat.h \ krbhst.c \ kuserok.c \ log.c \ @@ -276,10 +308,13 @@ SRCS= acl.c \ mk_req.c \ mk_req_ext.c \ mk_safe.c \ + mit_glue.c \ n-fold.c \ net_read.c \ net_write.c \ + pac.c \ padata.c \ + pkinit.c \ principal.c \ prog_setup.c \ prompter_posix.c \ @@ -297,20 +332,32 @@ SRCS= acl.c \ set_default_realm.c \ sock_principal.c \ store.c \ + store-int.h \ store_emem.c \ store_fd.c \ store_mem.c \ + plugin.c \ ticket.c \ time.c \ transited.c \ + v4_glue.c \ verify_init.c \ verify_user.c \ version.c \ warn.c \ write_message.c +SRCS+= heim_err.c \ + heim_err.h \ + k524_err.c \ + k524_err.h \ + krb5_err.c \ + krb5_err.h \ + krb_err.c \ + krb_err.h + CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken -I. .include -.PATH: ${KRB5DIR}/lib/krb5 ${.CURDIR}/../../include +.PATH: ${KRB5DIR}/lib/krb5 ${KRB5DIR}/lib/asn1 ${.CURDIR}/../../include diff --git a/kerberos5/lib/libroken/Makefile b/kerberos5/lib/libroken/Makefile index fceb6ec71cb7..952740e168e7 100644 --- a/kerberos5/lib/libroken/Makefile +++ b/kerberos5/lib/libroken/Makefile @@ -1,13 +1,14 @@ # $FreeBSD$ LIB= roken -SHLIB_MAJOR= 9 INCS= roken.h roken-common.h SRCS= base64.c \ bswap.c \ + closefrom.c \ concat.c \ copyhostent.c \ + dumpdata.c \ ecalloc.c \ emalloc.c \ environment.c \ @@ -21,6 +22,7 @@ SRCS= base64.c \ getaddrinfo_hostspec.c \ getarg.c \ getnameinfo_verified.c \ + hex.c \ hostent_find_fqdn.c \ issuid.c \ k_getpwnam.c \ 
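Review bot: Removing `SHLIB_MAJOR= 9` from libroken's Makefile makes the shared-library major version fall back to whatever the surrounding build sets, and that default is not visible in this diff. The library's exported interface is changing in the same hunk (`closefrom.c`, `dumpdata.c`, `hex.c`, `strpool.c` are new, and any removed or changed functions are not visible here), so the inherited value must not be lower than 9 or binaries linked against libroken.so.9 will pick up a different library under the same name; if the default comes from a `?=` assignment it can also be overridden by a stray environment variable. The libgssapi Makefile later in this diff bumps its version explicitly from 9 to 10, which is the safer pattern; either keep an explicit `SHLIB_MAJOR= 10` here or add a one-line comment naming the file that now supplies the version.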
@@ -43,6 +45,7 @@ SRCS= base64.c \ strlwr.c \ strndup.c \ strnlen.c \ + strpool.c \ strsep_copy.c \ strupr.c \ timeval.c \ diff --git a/kerberos5/libexec/Makefile b/kerberos5/libexec/Makefile index 89baf6daad57..b61f99b63baa 100644 --- a/kerberos5/libexec/Makefile +++ b/kerberos5/libexec/Makefile @@ -1,5 +1,5 @@ # $FreeBSD$ -SUBDIR= ipropd-master ipropd-slave hprop hpropd kadmind kdc kpasswdd +SUBDIR= ipropd-master ipropd-slave hprop hpropd kadmind kdc kpasswdd kcm .include diff --git a/kerberos5/libexec/hprop/Makefile b/kerberos5/libexec/hprop/Makefile index 84523cfac15d..06398395c082 100644 --- a/kerberos5/libexec/hprop/Makefile +++ b/kerberos5/libexec/hprop/Makefile @@ -3,10 +3,16 @@ PROG= hprop MAN= hprop.8 SRCS= hprop.c mit_dump.c v4_dump.c -CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -DPADD= ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +CFLAGS+=-I${KRB5DIR}/lib/roken +CFLAGS+=-I${KRB5DIR}/lib/krb5 +CFLAGS+=-I${KRB5DIR}/lib/asn1 +CFLAGS+=-I${KRB5DIR}/lib/hx509 +CFLAGS+=-I${KRB5DIR}/lib/ntlm +CFLAGS+=-I${KRB5DIR}/kdc +CFLAGS+=-I${.OBJDIR}/../../lib/libkrb5 +DPADD= ${LIBHDB} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD} -LDADD= -lhdb -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lhdb -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD} LDFLAGS=${LDAPLDFLAGS} diff --git a/kerberos5/libexec/hpropd/Makefile b/kerberos5/libexec/hpropd/Makefile index 4db38fb4bb1b..e0722bd38640 100644 --- a/kerberos5/libexec/hpropd/Makefile +++ b/kerberos5/libexec/hpropd/Makefile 
@@ -3,10 +3,10 @@ PROG= hpropd MAN= hpropd.8 CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 \ - ${LDAPCFLAGS} -DPADD= ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ + -I${KRB5DIR}/kdc ${LDAPCFLAGS} +DPADD= ${LIBHDB} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD} -LDADD= -lhdb -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lhdb -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD} LDFLAGS=${LDAPLDFLAGS} diff --git a/kerberos5/libexec/ipropd-master/Makefile b/kerberos5/libexec/ipropd-master/Makefile index 6cfa99d9e789..bc1c19cbf02b 100644 --- a/kerberos5/libexec/ipropd-master/Makefile +++ b/kerberos5/libexec/ipropd-master/Makefile @@ -2,15 +2,18 @@ PROG= ipropd-master NO_MAN= -SRCS= ipropd_master.c kadm5_err.h +SRCS= ipropd_common.c ipropd_master.c kadm5_err.h CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \ -I. ${LDAPCFLAGS} -DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD} -LDADD= -lkadm5srv -lhdb -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkadm5srv -lhdb -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD} LDFLAGS=${LDAPLDFLAGS} +foo:: + echo ${LIBHX509} + .include .PATH: ${KRB5DIR}/lib/kadm5 diff --git a/kerberos5/libexec/ipropd-slave/Makefile b/kerberos5/libexec/ipropd-slave/Makefile index 11e2bc3761b0..e2141e739191 100644 --- a/kerberos5/libexec/ipropd-slave/Makefile +++ b/kerberos5/libexec/ipropd-slave/Makefile 
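Review bot: The `foo::` target added to ipropd-master's Makefile, whose only recipe is `echo ${LIBHX509}`, looks like a leftover from debugging the new `${LIBHX509}` dependency and should not be committed: it is absent from the otherwise identical ipropd-slave Makefile in this diff, it is undocumented, and it leaves an always-out-of-date target that `make foo` will run from any build. Delete the three added lines (`foo::`, the `echo`, and the blank line) so the two ipropd Makefiles differ only in `PROG` and `SRCS`. If a way to print variables is genuinely wanted, it belongs in a shared .mk file rather than in one of the two daemons.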
@@ -2,12 +2,12 @@ PROG= ipropd-slave NO_MAN= -SRCS= ipropd_slave.c kadm5_err.h +SRCS= ipropd_common.c ipropd_slave.c kadm5_err.h CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \ -I. ${LDAPCFLAGS} -DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD} -LDADD= -lkadm5srv -lhdb -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkadm5srv -lhdb -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD} LDFLAGS=${LDAPLDFLAGS} diff --git a/kerberos5/libexec/kadmind/Makefile b/kerberos5/libexec/kadmind/Makefile index d0514a01342c..1ab201004a08 100644 --- a/kerberos5/libexec/kadmind/Makefile +++ b/kerberos5/libexec/kadmind/Makefile @@ -5,9 +5,9 @@ MAN= kadmind.8 SRCS= kadm_conn.c kadmind.c server.c CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \ ${LDAPCFLAGS} -DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD} -LDADD= -lkadm5srv -lhdb -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkadm5srv -lhdb -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD} LDFLAGS=${LDAPLDFLAGS} diff --git a/kerberos5/libexec/kcm/Makefile b/kerberos5/libexec/kcm/Makefile new file mode 100644 index 000000000000..7961589af170 --- /dev/null +++ b/kerberos5/libexec/kcm/Makefile 
@@ -0,0 +1,33 @@ +# $FreeBSD$ + +PROG= kcm +MAN= kcm.8 + +SRCS= acl.c \ + acquire.c \ + cache.c \ + client.c \ + config.c \ + connect.c \ + cursor.c \ + events.c \ + glue.c \ + headers.h \ + kcm_locl.h \ + kcm_protos.h \ + log.c \ + main.c \ + protocol.c \ + renew.c + +CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \ + -I${KRB5DIR}/kcm ${LDAPCFLAGS} +DPADD= ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ + ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD} +LDADD= -lkrb5 -lhx509 -lroken ${LIBVERS} \ + -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD} +LDFLAGS=${LDAPLDFLAGS} + +.include + +.PATH: ${KRB5DIR}/kcm diff --git a/kerberos5/libexec/kdc/Makefile b/kerberos5/libexec/kdc/Makefile index 73a1efcbf853..f94e88ac31b9 100644 --- a/kerberos5/libexec/kdc/Makefile +++ b/kerberos5/libexec/kdc/Makefile @@ -6,17 +6,26 @@ MAN= kdc.8 SRCS= 524.c \ config.c \ connect.c \ + default_config.c \ + digest.c \ + kaserver.c \ kerberos4.c \ kerberos5.c \ + krb5tgs.c \ + kx509.c \ log.c \ main.c \ - misc.c + misc.c \ + pkinit.c \ + process.c \ + set_dbinfo.c \ + windc.c CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \ - ${LDAPCFLAGS} -DPADD= ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ + -I${KRB5DIR}/kdc ${LDAPCFLAGS} +DPADD= ${LIBHDB} ${LIBKRB5} ${LIBHX509} ${LIBHEIMNTLM} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD} -LDADD= -lhdb -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lhdb -lkrb5 -lhx509 -lheimntlm -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD} LDFLAGS=${LDAPLDFLAGS} diff --git a/kerberos5/libexec/kpasswdd/Makefile b/kerberos5/libexec/kpasswdd/Makefile index c0e6a1ea1aa1..22876861edaa 100644 --- a/kerberos5/libexec/kpasswdd/Makefile +++ b/kerberos5/libexec/kpasswdd/Makefile 
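Review bot: The new kcm Makefile carries `${LDAPCFLAGS}`, `${LDAPDPADD}` and `${LDAPLDADD}` in CFLAGS, DPADD and LDADD although kcm links none of the database libraries: unlike the kdc and ipropd Makefiles in this diff it has no `-lhdb`, and in those Makefiles the LDAP flags accompany libhdb's `hdb-ldap.c` backend. Unless kcm itself speaks LDAP, which nothing in the listed sources (`acl.c`, `acquire.c`, `cache.c`, `client.c`, ...) suggests, these look copied from the kdc Makefile and add a needless library dependency to the credential-cache daemon; drop the three LDAP references so the link line is `-lkrb5 -lhx509 -lroken ${LIBVERS} -lasn1 -lcrypto -lcrypt -lcom_err`. A comment on `-I${KRB5DIR}/kcm` noting that the daemon's sources live in the Heimdal top-level `kcm/` directory, which is why `.PATH:` points there, would help the next reader.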
@@ -2,10 +2,10 @@ PROG= kpasswdd MAN= kpasswdd.8 -CFLAGS+=-I${KRB5DIR}/lib/roken ${LDAPCFLAGS} -DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +CFLAGS+=-I${KRB5DIR}/lib/roken -I../../lib/libhdb ${LDAPCFLAGS} +DPADD= ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD} -LDADD= -lkadm5srv -lhdb -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkadm5srv -lhdb -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD} LDFLAGS=${LDAPLDFLAGS} diff --git a/kerberos5/tools/Makefile b/kerberos5/tools/Makefile index ed8d30a03019..271f511d0d7a 100644 --- a/kerberos5/tools/Makefile +++ b/kerberos5/tools/Makefile @@ -1,5 +1,5 @@ # $FreeBSD$ -SUBDIR= make-print-version make-roken asn1_compile +SUBDIR= make-print-version make-roken asn1_compile slc .include diff --git a/kerberos5/tools/asn1_compile/Makefile b/kerberos5/tools/asn1_compile/Makefile index a8ffa3283c73..8fc7b01573b3 100644 --- a/kerberos5/tools/asn1_compile/Makefile +++ b/kerberos5/tools/asn1_compile/Makefile @@ -10,8 +10,11 @@ SRCS= gen.c \ gen_free.c \ gen_glue-fixed.c \ gen_length.c \ + gen_seq.c \ hash.c \ + ecalloc.c \ emalloc.c \ + estrdup.c \ main.c \ symbol.c \ getarg.c \ @@ -41,8 +44,8 @@ roken.h: ../make-roken/make-roken cd ${.CURDIR}/../make-roken && ${MAKE} gen_glue-fixed.c: gen_glue.c - sed -e '106s/"/"#ifdef __PARSE_UNITS_H__\\n/;'\ - -e '106s/",/\\n#endif\\n",/' ${.ALLSRC} > ${.TARGET} + sed -e '96s/"/"#ifdef __PARSE_UNITS_H__\\n/;'\ + -e '96s/",/\\n#endif\\n",/' ${.ALLSRC} > ${.TARGET} CLEANFILES+= gen_glue-fixed.c .include diff --git a/kerberos5/tools/slc/Makefile b/kerberos5/tools/slc/Makefile new file mode 100644 index 000000000000..638862842793 --- /dev/null +++ b/kerberos5/tools/slc/Makefile 
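Review bot: `-I../../lib/libhdb` in kpasswdd's CFLAGS is relative to the compiler's working directory, whereas hprop's Makefile in this same diff spells the equivalent include as `-I${.OBJDIR}/../../lib/libkrb5`. When building without an object directory the relative path resolves to the source tree, where `kerberos5/lib/libhdb` holds only the Makefile and not the generated `hdb_asn1.h` this include is presumably meant to find, giving a confusing missing-header failure. Use `-I${.OBJDIR}/../../lib/libhdb` for consistency, and add a comment stating which generated header it exists to locate.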
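Review bot: The `gen_glue-fixed.c` rule patches `gen_glue.c` at a fixed line number that this commit moves from 106 to 96, so the edit silently lands on the wrong line the next time upstream reshuffles that file, producing a gen_glue-fixed.c that compiles but lacks the `#ifdef __PARSE_UNITS_H__` guard. Anchor the sed on the text being wrapped rather than on the line number, or at minimum make the rule fail loudly when the substitution did not happen by appending `grep -q __PARSE_UNITS_H__ ${.TARGET}` as a second recipe line (without a leading `-`, a missing marker then fails the build). A comment above the rule saying what the guard is for and that the line number must be re-checked on every Heimdal import would also help.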
@@ -0,0 +1,34 @@ +# $FreeBSD$ + +PROG= slc +NO_MAN= + +SRCS= get_window_size.c \ + getarg.c \ + slc-gram.y \ + slc-lex.l \ + slc.h \ + strupr.c + +SRCS+= print_version.c \ + print_version.h + +CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/sl -I${KRB5DIR}/lib/vers -I. + +CLEANFILES= print_version.h roken.h + +print_version.h: ../make-print-version/make-print-version + ../make-print-version/make-print-version ${.TARGET} + +../make-print-version/make-print-version: .PHONY + cd ${.CURDIR}/../make-print-version && ${MAKE} + +roken.h: ../make-roken/make-roken + ../make-roken/make-roken > ${.TARGET} + +../make-roken/make-roken: .PHONY + cd ${.CURDIR}/../make-roken && ${MAKE} + +.include + +.PATH: ${KRB5DIR}/lib/vers ${KRB5DIR}/lib/roken ${KRB5DIR}/lib/sl diff --git a/kerberos5/usr.bin/kadmin/Makefile b/kerberos5/usr.bin/kadmin/Makefile index b646c986eb94..0c5e1a2d916d 100644 --- a/kerberos5/usr.bin/kadmin/Makefile +++ b/kerberos5/usr.bin/kadmin/Makefile @@ -3,7 +3,9 @@ PROG= kadmin MAN= kadmin.8 -SRCS= ank.c \ +SRCS= add_enctype.c \ + ank.c \ + check.c \ cpw.c \ del.c \ del_enctype.c \ @@ -12,19 +14,23 @@ SRCS= ank.c \ get.c \ init.c \ kadmin.c \ + kadmin-commands.c \ + kadmin-commands.h \ load.c \ mod.c \ + pw_quality.c \ random_password.c \ rename.c \ + stash.c \ util.c CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/roken \ - -I${KRB5DIR}/lib/sl ${LDAPCFLAGS} -DPADD= ${LIBKADM5CLNT} ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} \ + -I${KRB5DIR}/lib/sl -I. ${LDAPCFLAGS} +DPADD= ${LIBKADM5CLNT} ${LIBKADM5SRV} ${LIBHDB} ${LIBKRB5} ${LIBHX509} \ ${LIBSL} ${LIBROKEN} ${LIBVERS} ${LIBASN1} \ ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} \ ${LIBREADLINE} ${LIBNCURSES} ${LDAPDPADD} -LDADD= -lkadm5clnt -lkadm5srv -lhdb -lkrb5 \ +LDADD= -lkadm5clnt -lkadm5srv -lhdb -lkrb5 -lhx509 \ ${LIBSL} -lroken ${LIBVERS} -lasn1 \ -lcrypto -lcrypt -lcom_err \ -lreadline -lncurses ${LDAPLDADD} 
@@ -32,4 +38,11 @@ LDFLAGS=${LDAPLDFLAGS} .include +kadmin-commands.c kadmin-commands.h: ${KRB5DIR}/kadmin/kadmin-commands.in ../../tools/slc/slc + ../../tools/slc/slc ${.ALLSRC:M*.in} + +../../tools/slc/slc: + cd ${.CURDIR}/../../tools/slc && ${MAKE} + .PATH: ${KRB5DIR}/kadmin + diff --git a/kerberos5/usr.bin/kdestroy/Makefile b/kerberos5/usr.bin/kdestroy/Makefile index 60bc792780d1..8ebb201cee4d 100644 --- a/kerberos5/usr.bin/kdestroy/Makefile +++ b/kerberos5/usr.bin/kdestroy/Makefile @@ -2,9 +2,9 @@ PROG= kdestroy CFLAGS+=-I${KRB5DIR}/lib/roken -DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBHX509) ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} -LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkafs5 -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err .include diff --git a/kerberos5/usr.bin/kinit/Makefile b/kerberos5/usr.bin/kinit/Makefile index 172ad985a84a..e80f06d1235e 100644 --- a/kerberos5/usr.bin/kinit/Makefile +++ b/kerberos5/usr.bin/kinit/Makefile @@ -2,9 +2,9 @@ PROG= kinit CFLAGS+=-I${KRB5DIR}/lib/roken -DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBHX509} ${LIBHEIMNTLM} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} -LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkafs5 -lkrb5 -lhx509 -lheimntlm -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err .include diff --git a/kerberos5/usr.bin/klist/Makefile b/kerberos5/usr.bin/klist/Makefile index c97d65fc2ef6..a76cc0ac054e 100644 --- a/kerberos5/usr.bin/klist/Makefile +++ b/kerberos5/usr.bin/klist/Makefile 
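Review bot: The new `kadmin-commands.c kadmin-commands.h:` rule generates two files that are compiled via SRCS and `-I.` but are never added to CLEANFILES, so `make clean` leaves them in the object directory. Add `CLEANFILES+= kadmin-commands.c kadmin-commands.h` next to the rule. Two smaller things in the same hunk: `../../tools/slc/slc:` has no prerequisites and no `.PHONY`, unlike the equivalent helper rules in kerberos5/tools/slc/Makefile, so an outdated slc is never rebuilt; and the trailing blank line added after `.PATH:` is noise.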
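Review bot: `${LIBHX509)` in kdestroy's new DPADD line has a `)` where `}` is needed, so bmake will most likely treat `LIBHX509) ${LIBROKEN` and whatever follows up to the next closing brace as the variable name and expand it to nothing rather than report an error; the dependency on libhx509 and the libraries after it on that line is then silently lost and kdestroy does not relink when they change. Change it to `${LIBHX509}` to match the `-lhx509` added to LDADD on the next line. The kpasswd Makefile later in this diff has the mirror-image typo `${LIBHX509 `, so both were probably introduced by the same hand edit.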
@@ -2,9 +2,9 @@ PROG= klist CFLAGS+=-I${KRB5DIR}/lib/roken -DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} -LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkafs5 -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err .include diff --git a/kerberos5/usr.bin/kpasswd/Makefile b/kerberos5/usr.bin/kpasswd/Makefile index 686c299ccdca..e4da7695574b 100644 --- a/kerberos5/usr.bin/kpasswd/Makefile +++ b/kerberos5/usr.bin/kpasswd/Makefile @@ -2,9 +2,9 @@ PROG= kpasswd CFLAGS+=-I${KRB5DIR}/lib/roken -DPADD= ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +DPADD= ${LIBKRB5} ${LIBHX509 ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} -LDADD= -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err .include diff --git a/kerberos5/usr.bin/ksu/Makefile b/kerberos5/usr.bin/ksu/Makefile index cca520e4e3c6..c6a029090cfc 100644 --- a/kerberos5/usr.bin/ksu/Makefile +++ b/kerberos5/usr.bin/ksu/Makefile @@ -8,9 +8,9 @@ PRECIOUSPROG= NO_MAN= SRCS= su.c CFLAGS+=-I${KRB5DIR}/lib/roken -DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} -LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkafs5 -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err .include diff --git a/kerberos5/usr.bin/verify_krb5_conf/Makefile b/kerberos5/usr.bin/verify_krb5_conf/Makefile index 7acce0eb7cad..830e66a29115 100644 --- a/kerberos5/usr.bin/verify_krb5_conf/Makefile +++ b/kerberos5/usr.bin/verify_krb5_conf/Makefile 
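Review bot: `${LIBHX509 ${LIBROKEN}` in kpasswd's DPADD line is missing its closing brace, so the reference swallows `${LIBROKEN}` and the following text as part of the variable name (most likely expanding to nothing rather than failing the parse) and dependency tracking for libhx509 and libroken is silently lost. Change it to `${LIBHX509} ${LIBROKEN}` to match the `-lhx509 -lroken` in LDADD; kdestroy's Makefile earlier in this diff has the sibling typo `${LIBHX509)`. Since every consumer in this diff received the same mechanical edit, a quick `grep -rn 'LIBHX509[^}]' kerberos5` before committing would catch both.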
@@ -3,9 +3,9 @@ PROG= verify_krb5_conf MAN= verify_krb5_conf.8 CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/roken -DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ +DPADD= ${LIBKAFS5} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} -LDADD= -lkafs5 -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lkafs5 -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err .include diff --git a/kerberos5/usr.sbin/kstash/Makefile b/kerberos5/usr.sbin/kstash/Makefile index d9c6d8d9461d..ef85069fcae8 100644 --- a/kerberos5/usr.sbin/kstash/Makefile +++ b/kerberos5/usr.sbin/kstash/Makefile @@ -3,10 +3,10 @@ PROG= kstash MAN= kstash.8 CFLAGS+=-I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/roken \ - ${LDAPCFLAGS} -DPADD= ${LIBHDB} ${LIBKRB5} ${LIBROKEN} ${LIBVERS} \ + -I${KRB5DIR}/kdc ${LDAPCFLAGS} +DPADD= ${LIBHDB} ${LIBKRB5} ${LIBHX509} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} ${LDAPDPADD} -LDADD= -lhdb -lkrb5 -lroken ${LIBVERS} \ +LDADD= -lhdb -lkrb5 -lhx509 -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err ${LDAPLDADD} LDFLAGS=${LDAPLDFLAGS} diff --git a/kerberos5/usr.sbin/ktutil/Makefile b/kerberos5/usr.sbin/ktutil/Makefile index e134cce942eb..4320fb26a01c 100644 --- a/kerberos5/usr.sbin/ktutil/Makefile +++ b/kerberos5/usr.sbin/ktutil/Makefile 
@@ -8,19 +8,27 @@ SRCS= add.c \ copy.c \ get.c \ ktutil.c \ + ktutil-commands.c \ + ktutil-commands.h \ list.c \ purge.c \ remove.c \ rename.c -CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/sl -DPADD= ${LIBKADM5CLNT} ${LIBKRB5} ${LIBSL} ${LIBROKEN} ${LIBVERS} \ +CFLAGS+=-I${KRB5DIR}/lib/roken -I${KRB5DIR}/lib/sl -I. +DPADD= ${LIBKADM5CLNT} ${LIBKRB5} ${LIBHX509} ${LIBSL} ${LIBROKEN} ${LIBVERS} \ ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} ${LIBCOM_ERR} \ ${LIBREADLINE} ${LIBNCURSES} -LDADD= -lkadm5clnt -lkrb5 ${LIBSL} -lroken ${LIBVERS} \ +LDADD= -lkadm5clnt -lkrb5 -lhx509 ${LIBSL} -lroken ${LIBVERS} \ -lasn1 -lcrypto -lcrypt -lcom_err \ -lreadline -lncurses .include +ktutil-commands.c ktutil-commands.h: ${KRB5DIR}/admin/ktutil-commands.in ../../tools/slc/slc + ../../tools/slc/slc ${.ALLSRC:M*.in} + +../../tools/slc/slc: + cd ${.CURDIR}/../../tools/slc && ${MAKE} + .PATH: ${KRB5DIR}/admin diff --git a/lib/libgssapi/Makefile b/lib/libgssapi/Makefile index cedc4243576f..5d4fef39e3ec 100644 --- a/lib/libgssapi/Makefile +++ b/lib/libgssapi/Makefile 
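Review bot: As with kadmin, `ktutil-commands.c` and `ktutil-commands.h` are generated by the new slc rule and compiled via SRCS and `-I.` but are not added to CLEANFILES, so `make clean` leaves them behind. Add `CLEANFILES+= ktutil-commands.c ktutil-commands.h` beside the rule, and either mark `../../tools/slc/slc: .PHONY` (as kerberos5/tools/slc/Makefile does for its own helpers) or document on the rule that the tool is only built when absent. A one-line comment saying the pair is generated from `ktutil-commands.in` would spare the next reader a search for where the `.h` comes from.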
@@ -1,51 +1,64 @@ # $FreeBSD$ LIB= gssapi -SHLIB_MAJOR= 9 +SHLIB_MAJOR= 10 +WARNS= 6 +VERSION_DEF= ${.CURDIR}/../libc/Versions.def +SYMBOL_MAPS= ${.CURDIR}/Symbol.map SRCS= -SRCS+= gss_utils.c +SRCS+= gss_accept_sec_context.c +SRCS+= gss_acquire_cred.c +SRCS+= gss_add_cred.c +SRCS+= gss_add_oid_set_member.c +SRCS+= gss_buffer_set.c +SRCS+= gss_canonicalize_name.c +SRCS+= gss_compare_name.c +SRCS+= gss_context_time.c +SRCS+= gss_create_empty_oid_set.c +SRCS+= gss_decapsulate_token.c +SRCS+= gss_delete_sec_context.c +SRCS+= gss_display_name.c +SRCS+= gss_display_status.c +SRCS+= gss_duplicate_name.c +SRCS+= gss_duplicate_oid.c +SRCS+= gss_encapsulate_token.c +SRCS+= gss_export_name.c +SRCS+= gss_export_sec_context.c +SRCS+= gss_get_mic.c +SRCS+= gss_import_name.c +SRCS+= gss_import_sec_context.c +SRCS+= gss_indicate_mechs.c +SRCS+= gss_init_sec_context.c +SRCS+= gss_inquire_context.c +SRCS+= gss_inquire_cred.c +SRCS+= gss_inquire_cred_by_mech.c +SRCS+= gss_inquire_cred_by_oid.c +SRCS+= gss_inquire_mechs_for_name.c +SRCS+= gss_inquire_names_for_mech.c +SRCS+= gss_inquire_sec_context_by_oid.c SRCS+= gss_mech_switch.c SRCS+= gss_names.c -SRCS+= gss_acquire_cred.c -SRCS+= gss_release_cred.c -SRCS+= gss_init_sec_context.c -SRCS+= gss_accept_sec_context.c +SRCS+= gss_oid_to_str.c SRCS+= gss_process_context_token.c -SRCS+= gss_delete_sec_context.c -SRCS+= gss_context_time.c -SRCS+= gss_get_mic.c +SRCS+= gss_pseudo_random.c +SRCS+= gss_release_buffer.c +SRCS+= gss_release_cred.c +SRCS+= gss_release_name.c +SRCS+= gss_release_oid.c +SRCS+= gss_release_oid_set.c +SRCS+= gss_seal.c +SRCS+= gss_set_cred_option.c +SRCS+= gss_set_sec_context_option.c +SRCS+= gss_sign.c +SRCS+= gss_test_oid_set_member.c +SRCS+= gss_unseal.c +SRCS+= gss_unwrap.c +SRCS+= gss_utils.c +SRCS+= gss_verify.c SRCS+= gss_verify_mic.c SRCS+= gss_wrap.c -SRCS+= gss_unwrap.c -SRCS+= gss_display_status.c -SRCS+= gss_indicate_mechs.c -SRCS+= gss_compare_name.c -SRCS+= gss_display_name.c -SRCS+= gss_import_name.c 
-SRCS+= gss_export_name.c -SRCS+= gss_release_name.c -SRCS+= gss_inquire_cred.c -SRCS+= gss_inquire_context.c SRCS+= gss_wrap_size_limit.c -SRCS+= gss_add_cred.c -SRCS+= gss_inquire_cred_by_mech.c -SRCS+= gss_export_sec_context.c -SRCS+= gss_import_sec_context.c -SRCS+= gss_inquire_names_for_mech.c -SRCS+= gss_inquire_mechs_for_name.c -SRCS+= gss_canonicalize_name.c -SRCS+= gss_duplicate_name.c -SRCS+= gss_sign.c -SRCS+= gss_verify.c -SRCS+= gss_seal.c -SRCS+= gss_unseal.c -SRCS+= gss_krb5.c -SRCS+= gss_create_empty_oid_set.c -SRCS+= gss_add_oid_set_member.c -SRCS+= gss_test_oid_set_member.c -SRCS+= gss_release_oid_set.c -SRCS+= gss_release_buffer.c MAN= MAN+= gssapi.3 diff --git a/lib/libgssapi/Symbol.map b/lib/libgssapi/Symbol.map new file mode 100644 index 000000000000..d2746da3653d --- /dev/null +++ b/lib/libgssapi/Symbol.map 
@@ -0,0 +1,69 @@ +/* + * $FreeBSD$ + */ + +FBSD_1.1 { + GSS_C_NT_ANONYMOUS; + GSS_C_NT_EXPORT_NAME; + GSS_C_NT_HOSTBASED_SERVICE; + GSS_C_NT_HOSTBASED_SERVICE_X; + GSS_C_NT_MACHINE_UID_NAME; + GSS_C_NT_STRING_UID_NAME; + GSS_C_NT_USER_NAME; + GSS_KRB5_NT_MACHINE_UID_NAME; + GSS_KRB5_NT_PRINCIPAL_NAME; + GSS_KRB5_NT_STRING_UID_NAME; + GSS_KRB5_NT_USER_NAME; + gss_accept_sec_context; + gss_acquire_cred; + gss_add_buffer_set_member; + gss_add_cred; + gss_add_oid_set_member; + gss_canonicalize_name; + gss_compare_name; + gss_context_time; + gss_create_empty_buffer_set; + gss_create_empty_oid_set; + gss_decapsulate_token; + gss_delete_sec_context; + gss_display_name; + gss_display_status; + gss_duplicate_name; + gss_duplicate_oid; + gss_encapsulate_token; + gss_export_name; + gss_export_sec_context; + gss_get_mic; + gss_import_name; + gss_import_sec_context; + gss_indicate_mechs; + gss_init_sec_context; + gss_inquire_context; + gss_inquire_cred; + gss_inquire_cred_by_mech; + gss_inquire_cred_by_oid; + gss_inquire_mechs_for_name; + gss_inquire_names_for_mech; + gss_inquire_sec_context_by_oid; + gss_oid_equal; + gss_oid_to_str; + gss_process_context_token; + gss_pseudo_random; + gss_release_buffer; + gss_release_buffer_set; + gss_release_cred; + gss_release_name; + gss_release_oid; + gss_release_oid_set; + gss_seal; + gss_set_cred_option; + gss_set_sec_context_option; + gss_sign; + gss_test_oid_set_member; + gss_unseal; + gss_unwrap; + gss_verify; + gss_verify_mic; + gss_wrap; + gss_wrap_size_limit; +}; diff --git a/lib/libgssapi/context.h b/lib/libgssapi/context.h index 403b3909ca9f..ac162aa1d6ac 100644 --- a/lib/libgssapi/context.h +++ b/lib/libgssapi/context.h @@ -30,3 +30,4 @@ struct _gss_context { struct _gss_mech_switch *gc_mech; gss_ctx_id_t gc_ctx; }; + diff --git a/lib/libgssapi/cred.h b/lib/libgssapi/cred.h index 6301b895b59c..e6fed6f88b93 100644 --- a/lib/libgssapi/cred.h +++ b/lib/libgssapi/cred.h 
@@ -37,7 +37,6 @@ struct _gss_mechanism_cred { SLIST_HEAD(_gss_mechanism_cred_list, _gss_mechanism_cred); struct _gss_cred { - gss_cred_usage_t gc_usage; struct _gss_mechanism_cred_list gc_mc; }; diff --git a/lib/libgssapi/gss_accept_sec_context.c b/lib/libgssapi/gss_accept_sec_context.c index 62a3bdadfa89..b4240920c59e 100644 --- a/lib/libgssapi/gss_accept_sec_context.c +++ b/lib/libgssapi/gss_accept_sec_context.c 
@@ -35,6 +35,116 @@ #include "context.h" #include "cred.h" #include "name.h" +#include "utils.h" + +static OM_uint32 +parse_header(const gss_buffer_t input_token, gss_OID mech_oid) +{ + unsigned char *p = input_token->value; + size_t len = input_token->length; + size_t a, b; + + /* + * Token must start with [APPLICATION 0] SEQUENCE. + * But if it doesn't assume it is DCE-STYLE Kerberos! + */ + if (len == 0) + return (GSS_S_DEFECTIVE_TOKEN); + + p++; + len--; + + /* + * Decode the length and make sure it agrees with the + * token length. + */ + if (len == 0) + return (GSS_S_DEFECTIVE_TOKEN); + if ((*p & 0x80) == 0) { + a = *p; + p++; + len--; + } else { + b = *p & 0x7f; + p++; + len--; + if (len < b) + return (GSS_S_DEFECTIVE_TOKEN); + a = 0; + while (b) { + a = (a << 8) | *p; + p++; + len--; + b--; + } + } + if (a != len) + return (GSS_S_DEFECTIVE_TOKEN); + + /* + * Decode the OID for the mechanism. Simplify life by + * assuming that the OID length is less than 128 bytes. + */ + if (len < 2 || *p != 0x06) + return (GSS_S_DEFECTIVE_TOKEN); + if ((p[1] & 0x80) || p[1] > (len - 2)) + return (GSS_S_DEFECTIVE_TOKEN); + mech_oid->length = p[1]; + p += 2; + len -= 2; + mech_oid->elements = p; + + return (GSS_S_COMPLETE); +} + +static gss_OID_desc krb5_mechanism = +{9, (void *)(uintptr_t) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}; +static gss_OID_desc ntlm_mechanism = +{10, (void *)(uintptr_t) "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"}; +static gss_OID_desc spnego_mechanism = +{6, (void *)(uintptr_t) "\x2b\x06\x01\x05\x05\x02"}; + +static OM_uint32 +choose_mech(const gss_buffer_t input, gss_OID mech_oid) +{ + OM_uint32 status; + + /* + * First try to parse the gssapi token header and see if it's a + * correct header, use that in the first hand. + */ + + status = parse_header(input, mech_oid); + if (status == GSS_S_COMPLETE) + return (GSS_S_COMPLETE); + + /* + * Lets guess what mech is really is, callback function to mech ?? 
+ */ + + if (input->length > 8 && + memcmp((const char *)input->value, "NTLMSSP\x00", 8) == 0) + { + *mech_oid = ntlm_mechanism; + return (GSS_S_COMPLETE); + } else if (input->length != 0 && + ((const char *)input->value)[0] == 0x6E) + { + /* Could be a raw AP-REQ (check for APPLICATION tag) */ + *mech_oid = krb5_mechanism; + return (GSS_S_COMPLETE); + } else if (input->length == 0) { + /* + * There is the a wierd mode of SPNEGO (in CIFS and + * SASL GSS-SPENGO where the first token is zero + * length and the acceptor returns a mech_list, lets + * hope that is what is happening now. + */ + *mech_oid = spnego_mechanism; + return (GSS_S_COMPLETE); + } + return (status); +} OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, 
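Review bot: `parse_header` in the new code no longer checks that the first byte is the `[APPLICATION 0]` tag 0x60 its own comment demands: the code this hunk replaces (visible further down as a removed `if (len == 0 || *p != 0x60)`) did, while the new function simply does `p++` past whatever the first byte is. A token with any leading byte whose following length and OID happen to line up is therefore accepted as a properly framed GSS token, and the raw AP-REQ / DCE-style case the comment mentions is already handled by the 0x6E fallback in `choose_mech`, so there is no reason to relax the check. Restore it as `if (len == 0 || *p != 0x60) return (GSS_S_DEFECTIVE_TOKEN);` and reword the comment to say that non-0x60 tokens are deliberately left to `choose_mech`. Separately, `b = *p & 0x7f` admits a length field of up to 127 octets whose `a = (a << 8) | *p` loop silently overflows `size_t`; an explicit `if (b > sizeof(a)) return (GSS_S_DEFECTIVE_TOKEN);` before the loop rejects that instead of relying on the later `a != len` comparison.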
@@ -58,71 +168,28 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, int allocated_ctx; *minor_status = 0; - if (src_name) *src_name = 0; - if (mech_type) *mech_type = 0; - if (ret_flags) *ret_flags = 0; - if (time_rec) *time_rec = 0; - if (delegated_cred_handle) *delegated_cred_handle = 0; - output_token->length = 0; - output_token->value = 0; + if (src_name) + *src_name = GSS_C_NO_NAME; + if (mech_type) + *mech_type = GSS_C_NO_OID; + if (ret_flags) + *ret_flags = 0; + if (time_rec) + *time_rec = 0; + if (delegated_cred_handle) + *delegated_cred_handle = GSS_C_NO_CREDENTIAL; + _gss_buffer_zero(output_token); /* * If this is the first call (*context_handle is NULL), we must * parse the input token to figure out the mechanism to use. */ if (*context_handle == GSS_C_NO_CONTEXT) { - unsigned char *p = input_token->value; - size_t len = input_token->length; - size_t a, b; gss_OID_desc mech_oid; - /* - * Token must start with [APPLICATION 0] SEQUENCE. - */ - if (len == 0 || *p != 0x60) - return (GSS_S_DEFECTIVE_TOKEN); - p++; - len--; - - /* - * Decode the length and make sure it agrees with the - * token length. - */ - if (len == 0) - return (GSS_S_DEFECTIVE_TOKEN); - if ((*p & 0x80) == 0) { - a = *p; - p++; - len--; - } else { - b = *p & 0x7f; - p++; - len--; - if (len < b) - return (GSS_S_DEFECTIVE_TOKEN); - a = 0; - while (b) { - a = (a << 8) | *p; - p++; - len--; - b--; - } - } - if (a != len) - return (GSS_S_DEFECTIVE_TOKEN); - - /* - * Decode the OID for the mechanism. Simplify life by - * assuming that the OID length is less than 128 bytes. - */ - if (len < 2 || *p != 0x06) - return (GSS_S_DEFECTIVE_TOKEN); - if ((p[1] & 0x80) || p[1] > (len - 2)) - return (GSS_S_DEFECTIVE_TOKEN); - mech_oid.length = p[1]; - p += 2; - len -= 2; - mech_oid.elements = p; + major_status = choose_mech(input_token, &mech_oid); + if (major_status != GSS_S_COMPLETE) + return (major_status); /* * Now that we have a mechanism, we can find the 
@@ -157,6 +224,7 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, } delegated_mc = GSS_C_NO_CREDENTIAL; + mech_ret_flags = 0; major_status = m->gm_accept_sec_context(minor_status, &ctx->gc_ctx, acceptor_mc, @@ -169,12 +237,12 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, time_rec, &delegated_mc); if (major_status != GSS_S_COMPLETE && - major_status != GSS_S_CONTINUE_NEEDED) + major_status != GSS_S_CONTINUE_NEEDED) { + _gss_mg_error(m, major_status, *minor_status); return (major_status); + } - if (!src_name) { - m->gm_release_name(minor_status, &src_mn); - } else { + if (src_name && src_mn) { /* * Make a new name and mark it as an MN. */ @@ -185,6 +253,8 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, return (GSS_S_FAILURE); } *src_name = (gss_name_t) name; + } else if (src_mn) { + m->gm_release_name(minor_status, &src_mn); } if (delegated_mc == GSS_C_NO_CREDENTIAL) 
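Review bot: The early return added in the `@@ -169` hunk (`_gss_mg_error(m, major_status, *minor_status); return (major_status);`) does not release the context on the first-call path; `allocated_ctx` is declared in the `@@ -58` hunk, so if `ctx` was allocated in this call and the mechanism rejects the token it looks leaked unless it is freed further down or callers are expected to delete a failed handle. If nothing else frees it, `if (allocated_ctx) { free(ctx); *context_handle = GSS_C_NO_CONTEXT; }` before the return would also match RFC 2744's rule that a failing initial call leaves no context behind. The `mech_ret_flags = 0;` initialisation in the `@@ -157` hunk is a sound fix, since a mechanism is not guaranteed to write it on every return. The enclosing function starts and ends outside these hunks.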
@@ -195,29 +265,27 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status, m->gm_release_cred(minor_status, &delegated_mc); mech_ret_flags &= ~GSS_C_DELEG_FLAG; } else { - struct _gss_cred *cred; - struct _gss_mechanism_cred *mc; + struct _gss_cred *dcred; + struct _gss_mechanism_cred *dmc; - cred = malloc(sizeof(struct _gss_cred)); - if (!cred) { + dcred = malloc(sizeof(struct _gss_cred)); + if (!dcred) { *minor_status = ENOMEM; return (GSS_S_FAILURE); } - SLIST_INIT(&cred->gc_mc); - mc = malloc(sizeof(struct _gss_mechanism_cred)); - if (!mc) { - free(cred); + SLIST_INIT(&dcred->gc_mc); + dmc = malloc(sizeof(struct _gss_mechanism_cred)); + if (!dmc) { + free(dcred); *minor_status = ENOMEM; return (GSS_S_FAILURE); } - m->gm_inquire_cred(minor_status, delegated_mc, - 0, 0, &cred->gc_usage, 0); - mc->gmc_mech = m; - mc->gmc_mech_oid = &m->gm_mech_oid; - mc->gmc_cred = delegated_mc; - SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link); + dmc->gmc_mech = m; + dmc->gmc_mech_oid = &m->gm_mech_oid; + dmc->gmc_cred = delegated_mc; + SLIST_INSERT_HEAD(&dcred->gc_mc, dmc, gmc_link); - *delegated_cred_handle = (gss_cred_id_t) cred; + *delegated_cred_handle = (gss_cred_id_t) dcred; } } diff --git a/lib/libgssapi/gss_acquire_cred.c b/lib/libgssapi/gss_acquire_cred.c index ba8b8b1e4c49..f6ae4d1f700c 100644 --- a/lib/libgssapi/gss_acquire_cred.c +++ b/lib/libgssapi/gss_acquire_cred.c 
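Review bot: The two ENOMEM returns in this hunk (`if (!dcred)` and `if (!dmc)`) drop `delegated_mc` without calling the mechanism's release routine, so a delegated mechanism credential is leaked on allocation failure while the caller sees GSS_S_FAILURE for a context that was otherwise established. Releasing it before each return with a scratch status so `*minor_status` keeps ENOMEM, e.g. `OM_uint32 junk; m->gm_release_cred(&junk, &delegated_mc);`, closes the leak. The rename to `dcred`/`dmc` removes the shadowing of the outer `cred`/`mc` names and reads better. The rest of the function is outside the hunk.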
@@ -52,14 +52,23 @@ gss_acquire_cred(OM_uint32 *minor_status, struct _gss_cred *cred; struct _gss_mechanism_cred *mc; struct _gss_mechanism_name *mn; - OM_uint32 min_time, time; - int i; + OM_uint32 min_time, cred_time; + size_t i; + + *minor_status = 0; + if (output_cred_handle) + *output_cred_handle = GSS_C_NO_CREDENTIAL; + if (actual_mechs) + *actual_mechs = GSS_C_NO_OID_SET; + if (time_rec) + *time_rec = 0; + + _gss_load_mech(); /* * First make sure that at least one of the requested * mechanisms is one that we support. */ - _gss_load_mech(); if (mechs) { for (i = 0; i < mechs->count; i++) { int t; @@ -69,7 +78,6 @@ gss_acquire_cred(OM_uint32 *minor_status, break; } if (i == mechs->count) { - *output_cred_handle = 0; *minor_status = 0; return (GSS_S_BAD_MECH); } @@ -91,7 +99,6 @@ gss_acquire_cred(OM_uint32 *minor_status, *minor_status = ENOMEM; return (GSS_S_FAILURE); } - cred->gc_usage = cred_usage; SLIST_INIT(&cred->gc_mc); set.count = 1; @@ -102,8 +109,9 @@ gss_acquire_cred(OM_uint32 *minor_status, continue; if (desired_name != GSS_C_NO_NAME) { - mn = _gss_find_mn(name, &mechs->elements[i]); - if (!mn) + major_status = _gss_find_mn(minor_status, name, + &mechs->elements[i], &mn); + if (major_status != GSS_S_COMPLETE) continue; } @@ -122,13 +130,13 @@ gss_acquire_cred(OM_uint32 *minor_status, (desired_name != GSS_C_NO_NAME ? mn->gmn_name : GSS_C_NO_NAME), time_req, &set, cred_usage, - &mc->gmc_cred, NULL, &time); + &mc->gmc_cred, NULL, &cred_time); if (major_status) { free(mc); continue; } - if (time < min_time) - min_time = time; + if (cred_time < min_time) + min_time = cred_time; if (actual_mechs) { major_status = gss_add_oid_set_member(minor_status, @@ -152,7 +160,6 @@ gss_acquire_cred(OM_uint32 *minor_status, free(cred); if (actual_mechs) gss_release_oid_set(minor_status, actual_mechs); - *output_cred_handle = 0; *minor_status = 0; return (GSS_S_NO_CRED); } 
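Review bot: In the `@@ -102` hunk the status from `_gss_find_mn` is discarded and the loop simply continues, so a mechanism that failed to import the name for an incidental reason (ENOMEM, say) is treated the same as one that cannot represent the name, and after the `@@ -152` hunk resets minor_status the caller only learns GSS_S_NO_CRED. If that best-effort behaviour is intended it should be stated, e.g. `/* best effort: a mechanism that cannot import the name is skipped; GSS_S_NO_CRED only if none succeeds */`; otherwise a GSS_S_FAILURE from the import should propagate. Switching `i` to `size_t` removes the signed/unsigned comparison against `mechs->count`, and zeroing every out-parameter before `_gss_load_mech()` is the right ordering. The body of gss_acquire_cred continues between and after these hunks.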
diff --git a/lib/libgssapi/gss_add_cred.c b/lib/libgssapi/gss_add_cred.c index 61756078c0e7..4dcca18a3251 100644 --- a/lib/libgssapi/gss_add_cred.c +++ b/lib/libgssapi/gss_add_cred.c @@ -33,6 +33,7 @@ #include "mech_switch.h" #include "cred.h" #include "name.h" +#include "utils.h" static struct _gss_mechanism_cred * _gss_copy_cred(struct _gss_mechanism_cred *mc) @@ -48,8 +49,10 @@ _gss_copy_cred(struct _gss_mechanism_cred *mc) major_status = m->gm_inquire_cred_by_mech(&minor_status, mc->gmc_cred, mc->gmc_mech_oid, &name, &initiator_lifetime, &acceptor_lifetime, &cred_usage); - if (major_status) + if (major_status) { + _gss_mg_error(m, major_status, minor_status); return (0); + } major_status = m->gm_add_cred(&minor_status, GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid, @@ -57,8 +60,10 @@ _gss_copy_cred(struct _gss_mechanism_cred *mc) &cred, 0, 0, 0); m->gm_release_name(&minor_status, &name); - if (major_status) + if (major_status) { + _gss_mg_error(m, major_status, minor_status); return (0); + } new_mc = malloc(sizeof(struct _gss_mechanism_cred)); if (!new_mc) { @@ -87,24 +92,27 @@ gss_add_cred(OM_uint32 *minor_status, { OM_uint32 major_status; struct _gss_mech_switch *m; - gss_OID_set_desc set; - struct _gss_name *name = (struct _gss_name *) desired_name; struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle; struct _gss_cred *new_cred; + gss_cred_id_t release_cred; struct _gss_mechanism_cred *mc, *target_mc, *copy_mc; struct _gss_mechanism_name *mn; - OM_uint32 min_time, time, junk; - int i; + OM_uint32 junk; - *output_cred_handle = 0; *minor_status = 0; + *output_cred_handle = GSS_C_NO_CREDENTIAL; + if (initiator_time_rec) + *initiator_time_rec = 0; + if (acceptor_time_rec) + *acceptor_time_rec = 0; + if (actual_mechs) + *actual_mechs = GSS_C_NO_OID_SET; new_cred = malloc(sizeof(struct _gss_cred)); if (!new_cred) { *minor_status = ENOMEM; return (GSS_S_FAILURE); } - new_cred->gc_usage = cred_usage; SLIST_INIT(&new_cred->gc_mc); /* 
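Review bot: `*output_cred_handle = GSS_C_NO_CREDENTIAL;` in the `@@ -87` hunk is written unconditionally while the other out-parameters in the same hunk are NULL-guarded; RFC 2744 allows output_cred_handle to be NULL (meaning "add the element to input_cred_handle in place"), so a caller using that form would crash here instead of getting an error. If in-place addition is not supported by this implementation, an explicit `if (output_cred_handle == NULL) return (GSS_S_CALL_INACCESSIBLE_WRITE);` before the dereference makes the limitation visible. The `_gss_mg_error` calls added to `_gss_copy_cred` pass the local `minor_status` value, which is what the mechanism wrote, so the recorded error text will be the right one. gss_add_cred continues beyond the last hunk here.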
@@ -116,12 +124,13 @@ gss_add_cred(OM_uint32 *minor_status, target_mc = 0; if (cred) { SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { - if (_gss_oid_equal(mc->gmc_mech, desired_mech)) { + if (gss_oid_equal(mc->gmc_mech_oid, desired_mech)) { target_mc = mc; } copy_mc = _gss_copy_cred(mc); if (!copy_mc) { - gss_release_cred(&junk, (gss_cred_id_t*) &new_cred); + release_cred = (gss_cred_id_t) new_cred; + gss_release_cred(&junk, &release_cred); *minor_status = ENOMEM; return (GSS_S_FAILURE); } @@ -133,11 +142,13 @@ gss_add_cred(OM_uint32 *minor_status, * Figure out a suitable mn, if any. */ if (desired_name) { - mn = _gss_find_mn((struct _gss_name *) desired_name, - desired_mech); - if (!mn) { + major_status = _gss_find_mn(minor_status, + (struct _gss_name *) desired_name, + desired_mech, + &mn); + if (major_status != GSS_S_COMPLETE) { free(new_cred); - return (GSS_S_BAD_NAME); + return (major_status); } } else { mn = 0; @@ -147,7 +158,8 @@ gss_add_cred(OM_uint32 *minor_status, mc = malloc(sizeof(struct _gss_mechanism_cred)); if (!mc) { - gss_release_cred(&junk, (gss_cred_id_t*) &new_cred); + release_cred = (gss_cred_id_t) new_cred; + gss_release_cred(&junk, &release_cred); *minor_status = ENOMEM; return (GSS_S_FAILURE); } @@ -167,7 +179,9 @@ gss_add_cred(OM_uint32 *minor_status, acceptor_time_rec); if (major_status) { - gss_release_cred(&junk, (gss_cred_id_t*) &new_cred); + _gss_mg_error(m, major_status, *minor_status); + release_cred = (gss_cred_id_t) new_cred; + gss_release_cred(&junk, &release_cred); free(mc); return (major_status); } diff --git a/lib/libgssapi/gss_buffer_set.c b/lib/libgssapi/gss_buffer_set.c new file mode 100644 index 000000000000..af62e5c29596 --- /dev/null +++ b/lib/libgssapi/gss_buffer_set.c 
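Review bot: The `_gss_find_mn` failure path in the `@@ -133` hunk still tears down the partially built credential with a bare `free(new_cred)`, whereas every other error path in this function (the `@@ -116`, `@@ -147` and `@@ -167` hunks) goes through `gss_release_cred(&junk, &release_cred)`. By that point the loop in the `@@ -116` hunk has already copied each mechanism credential for `new_cred` (the insertion itself is outside the hunk), so the bare free appears to leak those copies; `release_cred = (gss_cred_id_t) new_cred; gss_release_cred(&junk, &release_cred); return (major_status);` keeps the paths consistent. Introducing `release_cred` instead of casting `&new_cred` to `gss_cred_id_t *` removes the type-punned pointer, which is a sound change.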
@@ -0,0 +1,126 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ +/* $FreeBSD$ */ + +#include +#include +#include +#include + +/* RCSID("$Id: gss_buffer_set.c 18885 2006-10-24 21:53:02Z lha $"); */ + +OM_uint32 +gss_create_empty_buffer_set(OM_uint32 * minor_status, + gss_buffer_set_t *buffer_set) +{ + gss_buffer_set_t set; + + set = (gss_buffer_set_desc *) malloc(sizeof(*set)); + if (set == GSS_C_NO_BUFFER_SET) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + + set->count = 0; + set->elements = NULL; + + *buffer_set = set; + + *minor_status = 0; + return (GSS_S_COMPLETE); +} + +OM_uint32 +gss_add_buffer_set_member(OM_uint32 * minor_status, + const gss_buffer_t member_buffer, gss_buffer_set_t *buffer_set) +{ + gss_buffer_set_t set; + gss_buffer_t p; + OM_uint32 ret; + + if (*buffer_set == GSS_C_NO_BUFFER_SET) { + ret = gss_create_empty_buffer_set(minor_status, + buffer_set); + if (ret) { + return (ret); + } + } + + set = *buffer_set; + set->elements = realloc(set->elements, + (set->count + 1) * sizeof(set->elements[0])); + if (set->elements == NULL) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + + p = &set->elements[set->count]; + + p->value = malloc(member_buffer->length); + if (p->value == NULL) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + memcpy(p->value, member_buffer->value, member_buffer->length); + p->length = member_buffer->length; + + set->count++; + + *minor_status = 0; + return (GSS_S_COMPLETE); +} + +OM_uint32 +gss_release_buffer_set(OM_uint32 * minor_status, gss_buffer_set_t *buffer_set) +{ + size_t i; + OM_uint32 minor; + + *minor_status = 0; + + if (*buffer_set == GSS_C_NO_BUFFER_SET) + return (GSS_S_COMPLETE); + + for (i = 0; i < (*buffer_set)->count; i++) + gss_release_buffer(&minor, &((*buffer_set)->elements[i])); + + free((*buffer_set)->elements); + + (*buffer_set)->elements = NULL; + (*buffer_set)->count = 0; + + free(*buffer_set); + *buffer_set = GSS_C_NO_BUFFER_SET; + + return (GSS_S_COMPLETE); +} + 
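Review bot: `set->elements = realloc(set->elements, …)` in gss_add_buffer_set_member overwrites the only pointer to the existing array when realloc fails, so the old elements and their copied buffers are leaked and the set is left with a non-zero `count` but NULL `elements`; a later gss_release_buffer_set would then index through NULL. Assigning to a temporary first avoids that: `gss_buffer_t tmp = realloc(set->elements, (set->count + 1) * sizeof(set->elements[0])); if (tmp == NULL) { *minor_status = ENOMEM; return (GSS_S_FAILURE); } set->elements = tmp;`. The same function calls `malloc(member_buffer->length)` without special-casing a zero-length member, which on a libc whose malloc(0) returns NULL turns an empty buffer into a spurious ENOMEM. gss_create_empty_buffer_set and gss_release_buffer_set look consistent with each other.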
diff --git a/lib/libgssapi/gss_canonicalize_name.c b/lib/libgssapi/gss_canonicalize_name.c index 098362219769..28940b9dbbba 100644 --- a/lib/libgssapi/gss_canonicalize_name.c +++ b/lib/libgssapi/gss_canonicalize_name.c @@ -49,16 +49,17 @@ gss_canonicalize_name(OM_uint32 *minor_status, *minor_status = 0; *output_name = 0; - mn = _gss_find_mn(name, mech_type); - if (!mn) { - return (GSS_S_BAD_MECH); - } + major_status = _gss_find_mn(minor_status, name, mech_type, &mn); + if (major_status) + return (major_status); m = mn->gmn_mech; major_status = m->gm_canonicalize_name(minor_status, mn->gmn_name, mech_type, &new_canonical_name); - if (major_status) + if (major_status) { + _gss_mg_error(m, major_status, *minor_status); return (major_status); + } /* * Now we make a new name and mark it as an MN. diff --git a/lib/libgssapi/gss_compare_name.c b/lib/libgssapi/gss_compare_name.c index 644b4a6ff5ab..05b28f600ac6 100644 --- a/lib/libgssapi/gss_compare_name.c +++ b/lib/libgssapi/gss_compare_name.c @@ -27,9 +27,11 @@ */ #include +#include #include "mech_switch.h" #include "name.h" +#include "utils.h" OM_uint32 gss_compare_name(OM_uint32 *minor_status, @@ -47,7 +49,7 @@ gss_compare_name(OM_uint32 *minor_status, */ if (name1->gn_value.value && name2->gn_value.value) { *name_equal = 1; - if (!_gss_oid_equal(name1->gn_type, name2->gn_type)) { + if (!gss_oid_equal(&name1->gn_type, &name2->gn_type)) { *name_equal = 0; } else if (name1->gn_value.length != name2->gn_value.length || memcmp(name1->gn_value.value, name1->gn_value.value, @@ -59,8 +61,11 @@ gss_compare_name(OM_uint32 *minor_status, struct _gss_mechanism_name *mn2; SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) { - mn2 = _gss_find_mn(name2, mn1->gmn_mech_oid); - if (mn2) { + OM_uint32 major_status; + + major_status = _gss_find_mn(minor_status, name2, + mn1->gmn_mech_oid, &mn2); + if (major_status == GSS_S_COMPLETE) { return (mn1->gmn_mech->gm_compare_name( minor_status, mn1->gmn_name, 
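Review bot: The `memcmp(name1->gn_value.value, name1->gn_value.value, …)` context line in the `@@ -47` hunk of gss_compare_name.c compares name1's value with itself, so two imported names of the same type and length are reported equal whatever their contents; the commit edits the adjacent `gss_oid_equal` line but leaves this in place. It should read `memcmp(name1->gn_value.value, name2->gn_value.value,` — as written, any access decision that compares principal names through this path can match the wrong principal. The per-mechanism comparison in the `@@ -59` hunk is unaffected but only runs when one of the names has no imported value. The gss_canonicalize_name.c hunk above follows the same `_gss_find_mn`/`_gss_mg_error` pattern as the rest of the commit.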
diff --git a/lib/libgssapi/gss_create_empty_oid_set.c b/lib/libgssapi/gss_create_empty_oid_set.c index 0412817a280f..c35f99f3120d 100644 --- a/lib/libgssapi/gss_create_empty_oid_set.c +++ b/lib/libgssapi/gss_create_empty_oid_set.c @@ -37,7 +37,7 @@ gss_create_empty_oid_set(OM_uint32 *minor_status, gss_OID_set set; *minor_status = 0; - *oid_set = 0; + *oid_set = GSS_C_NO_OID_SET; set = malloc(sizeof(gss_OID_set_desc)); if (!set) { diff --git a/lib/libgssapi/gss_decapsulate_token.c b/lib/libgssapi/gss_decapsulate_token.c new file mode 100644 index 000000000000..65ff46ab3c1a --- /dev/null +++ b/lib/libgssapi/gss_decapsulate_token.c 
@@ -0,0 +1,107 @@ +/*- + * Copyright (c) 2008 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +#include +#include + +#include "utils.h" + +OM_uint32 +gss_decapsulate_token(const gss_buffer_t input_token, gss_OID oid, + gss_buffer_t output_token) +{ + unsigned char *p = input_token->value; + size_t len = input_token->length; + size_t a, b; + gss_OID_desc mech_oid; + + _gss_buffer_zero(output_token); + + /* + * Token must start with [APPLICATION 0] SEQUENCE. + */ + if (len == 0 || *p != 0x60) + return (GSS_S_DEFECTIVE_TOKEN); + p++; + len--; + + /* + * Decode the length and make sure it agrees with the + * token length. 
+ */ + if (len == 0) + return (GSS_S_DEFECTIVE_TOKEN); + if ((*p & 0x80) == 0) { + a = *p; + p++; + len--; + } else { + b = *p & 0x7f; + p++; + len--; + if (len < b) + return (GSS_S_DEFECTIVE_TOKEN); + a = 0; + while (b) { + a = (a << 8) | *p; + p++; + len--; + b--; + } + } + if (a != len) + return (GSS_S_DEFECTIVE_TOKEN); + + /* + * Decode the OID for the mechanism. Simplify life by + * assuming that the OID length is less than 128 bytes. + */ + if (len < 2 || *p != 0x06) + return (GSS_S_DEFECTIVE_TOKEN); + if ((p[1] & 0x80) || p[1] > (len - 2)) + return (GSS_S_DEFECTIVE_TOKEN); + mech_oid.length = p[1]; + p += 2; + len -= 2; + mech_oid.elements = p; + + if (!gss_oid_equal(&mech_oid, oid)) + return (GSS_S_FAILURE); + + p += mech_oid.length; + len -= mech_oid.length; + + output_token->length = len; + output_token->value = malloc(len); + if (!output_token->value) + return (GSS_S_DEFECTIVE_TOKEN); + memcpy(output_token->value, p, len); + + return (GSS_S_COMPLETE); +} diff --git a/lib/libgssapi/gss_delete_sec_context.c b/lib/libgssapi/gss_delete_sec_context.c index b1f39c24c0fd..b4b087f93142 100644 --- a/lib/libgssapi/gss_delete_sec_context.c +++ b/lib/libgssapi/gss_delete_sec_context.c @@ -32,6 +32,7 @@ #include "mech_switch.h" #include "context.h" +#include "utils.h" OM_uint32 gss_delete_sec_context(OM_uint32 *minor_status, @@ -41,6 +42,9 @@ gss_delete_sec_context(OM_uint32 *minor_status, OM_uint32 major_status; struct _gss_context *ctx = (struct _gss_context *) *context_handle; + if (output_token) + _gss_buffer_zero(output_token); + *minor_status = 0; if (ctx) { /* @@ -50,12 +54,9 @@ gss_delete_sec_context(OM_uint32 *minor_status, if (ctx->gc_ctx) { major_status = ctx->gc_mech->gm_delete_sec_context( minor_status, &ctx->gc_ctx, output_token); - } else if (output_token != GSS_C_NO_BUFFER) { - output_token->length = 0; - output_token->value = 0; } free(ctx); - *context_handle = 0; + *context_handle = GSS_C_NO_CONTEXT; } return (GSS_S_COMPLETE); 
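Review bot: On malloc failure gss_decapsulate_token returns with `output_token->length = len` already set and `value` NULL, so the caller receives an inconsistent buffer, and the status is GSS_S_DEFECTIVE_TOKEN rather than GSS_S_FAILURE for what is an allocation problem; gss_encapsulate_token.c later in this commit has the identical pattern. `if (!output_token->value) { _gss_buffer_zero(output_token); return (GSS_S_FAILURE); }` fixes both points. The long-form length loop is bounds-safe thanks to `len < b`, but with `b` up to 127 the accumulator `a` can wrap silently, so a non-minimal encoding could still pass the `a != len` check; rejecting `b > sizeof(a)` makes the DER check explicit. An empty inner token also reaches `malloc(0)`, which may legitimately return NULL and be misreported as a defective token.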
diff --git a/lib/libgssapi/gss_display_name.c b/lib/libgssapi/gss_display_name.c index 5fe4f1d4b351..61faabac907e 100644 --- a/lib/libgssapi/gss_display_name.c +++ b/lib/libgssapi/gss_display_name.c @@ -33,6 +33,7 @@ #include "mech_switch.h" #include "name.h" +#include "utils.h" OM_uint32 gss_display_name(OM_uint32 *minor_status, @@ -44,6 +45,15 @@ gss_display_name(OM_uint32 *minor_status, struct _gss_name *name = (struct _gss_name *) input_name; struct _gss_mechanism_name *mn; + _gss_buffer_zero(output_name_buffer); + if (output_name_type) + *output_name_type = GSS_C_NO_OID; + + if (name == NULL) { + *minor_status = 0; + return (GSS_S_BAD_NAME); + } + /* * If we know it, copy the buffer used to import the name in * the first place. Otherwise, ask all the MNs in turn if diff --git a/lib/libgssapi/gss_display_status.c b/lib/libgssapi/gss_display_status.c index f87cc9eeade7..0374fbd8053d 100644 --- a/lib/libgssapi/gss_display_status.c +++ b/lib/libgssapi/gss_display_status.c 
@@ -57,12 +57,47 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ +/* + * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ #include +#include #include +#include #include #include "mech_switch.h" +#include "utils.h" static const char * calling_error(OM_uint32 v) 
@@ -88,7 +123,7 @@ static const char * routine_error(OM_uint32 v) { static const char *msgs[] = { - NULL, /* 0 */ + "Function completed successfully", /* 0 */ "An unsupported mechanism was requested", "An invalid name was supplied", "A supplied name was of an unsupported type", @@ -112,9 +147,7 @@ routine_error(OM_uint32 v) v >>= GSS_C_ROUTINE_ERROR_OFFSET; - if (v == 0) - return ""; - else if (v >= sizeof(msgs)/sizeof(*msgs)) + if (v >= sizeof(msgs)/sizeof(*msgs)) return "unknown routine error"; else return msgs[v]; 
@@ -140,23 +173,119 @@ supplementary_error(OM_uint32 v) return msgs[v]; } +#if defined(__sparc64__) || defined(__arm__) || defined(__mips__) + +/* + * These platforms don't support TLS on FreeBSD - threads will just + * have to step on each other's error values for now. + */ +#define __thread + +#endif + +struct mg_thread_ctx { + gss_OID mech; + OM_uint32 maj_stat; + OM_uint32 min_stat; + gss_buffer_desc maj_error; + gss_buffer_desc min_error; +}; +static __thread struct mg_thread_ctx last_error_context; + +static OM_uint32 +_gss_mg_get_error(const gss_OID mech, OM_uint32 type, + OM_uint32 value, gss_buffer_t string) +{ + struct mg_thread_ctx *mg; + + mg = &last_error_context; + + if (mech != NULL && gss_oid_equal(mg->mech, mech) == 0) + return (GSS_S_BAD_STATUS); + + switch (type) { + case GSS_C_GSS_CODE: { + if (value != mg->maj_stat || mg->maj_error.length == 0) + break; + string->value = malloc(mg->maj_error.length); + string->length = mg->maj_error.length; + memcpy(string->value, mg->maj_error.value, + mg->maj_error.length); + return (GSS_S_COMPLETE); + } + case GSS_C_MECH_CODE: { + if (value != mg->min_stat || mg->min_error.length == 0) + break; + string->value = malloc(mg->min_error.length); + string->length = mg->min_error.length; + memcpy(string->value, mg->min_error.value, + mg->min_error.length); + return (GSS_S_COMPLETE); + } + } + string->value = NULL; + string->length = 0; + return (GSS_S_BAD_STATUS); +} + +void +_gss_mg_error(struct _gss_mech_switch *m, OM_uint32 maj, OM_uint32 min) +{ + OM_uint32 major_status, minor_status; + OM_uint32 message_content; + struct mg_thread_ctx *mg; + + mg = &last_error_context; + + gss_release_buffer(&minor_status, &mg->maj_error); + gss_release_buffer(&minor_status, &mg->min_error); + + mg->mech = &m->gm_mech_oid; + mg->maj_stat = maj; + mg->min_stat = min; + + major_status = m->gm_display_status(&minor_status, + maj, + GSS_C_GSS_CODE, + &m->gm_mech_oid, + &message_content, + &mg->maj_error); + if 
(GSS_ERROR(major_status)) { + mg->maj_error.value = NULL; + mg->maj_error.length = 0; + } + major_status = m->gm_display_status(&minor_status, + min, + GSS_C_MECH_CODE, + &m->gm_mech_oid, + &message_content, + &mg->min_error); + if (GSS_ERROR(major_status)) { + mg->min_error.value = NULL; + mg->min_error.length = 0; + } +} + OM_uint32 gss_display_status(OM_uint32 *minor_status, OM_uint32 status_value, int status_type, - const gss_OID input_mech_type, + const gss_OID mech_type, OM_uint32 *message_content, gss_buffer_t status_string) { OM_uint32 major_status; - gss_OID mech_type; - mech_type = input_mech_type; - if (mech_type == GSS_C_NO_OID) { - _gss_load_mech(); - mech_type = &SLIST_FIRST(&_gss_mechs)->gm_mech_oid; - if (mech_type == NULL) - return (GSS_S_BAD_MECH); + _gss_buffer_zero(status_string); + *message_content = 0; + + major_status = _gss_mg_get_error(mech_type, status_type, + status_value, status_string); + if (major_status == GSS_S_COMPLETE) { + + *message_content = 0; + *minor_status = 0; + return (GSS_S_COMPLETE); } *minor_status = 0; 
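Review bot: In `_gss_mg_get_error` both `string->value = malloc(…)` results are passed to `memcpy` without a NULL check, so an allocation failure becomes a write through NULL inside the status lookup; each case needs `if (string->value == NULL) { string->length = 0; return (GSS_S_FAILURE); }` before the copy. `gss_oid_equal(mg->mech, mech)` is also evaluated while `mg->mech` is still NULL before any error has been recorded, which is only safe if gss_oid_equal tolerates a NULL OID — worth confirming. The `#define __thread` fallback for sparc64/arm/mips makes `last_error_context` process-global on those platforms; the comment says so, but the description of gss_display_status should mention that the text returned there may belong to another thread's failure. gss_display_status continues beyond this hunk.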
@@ -172,24 +301,40 @@ gss_display_status(OM_uint32 *minor_status, calling_error(GSS_CALLING_ERROR(status_value)), routine_error(GSS_ROUTINE_ERROR(status_value))); + if (buf == NULL) + break; + status_string->length = strlen(buf); status_string->value = buf; - return GSS_S_COMPLETE; + return (GSS_S_COMPLETE); } case GSS_C_MECH_CODE: { - struct _gss_mech_switch *m; - m = _gss_find_mech_switch(mech_type); - if (m) { - major_status = m->gm_display_status(minor_status, - status_value, status_type, mech_type, - message_content, status_string); - if (major_status == GSS_S_COMPLETE) - return (GSS_S_COMPLETE); + OM_uint32 maj_junk, min_junk; + gss_buffer_desc oid; + char *buf; + + maj_junk = gss_oid_to_str(&min_junk, mech_type, &oid); + if (maj_junk != GSS_S_COMPLETE) { + oid.value = strdup("unknown"); + oid.length = 7; } + + asprintf (&buf, "unknown mech-code %lu for mech %.*s", + (unsigned long)status_value, + (int)oid.length, (char *)oid.value); + if (maj_junk == GSS_S_COMPLETE) + gss_release_buffer(&min_junk, &oid); + + if (buf == NULL) + break; + + status_string->length = strlen(buf); + status_string->value = buf; + + return (GSS_S_COMPLETE); } } - status_string->value = NULL; - status_string->length = 0; + _gss_buffer_zero(status_string); return (GSS_S_BAD_STATUS); } diff --git a/lib/libgssapi/gss_duplicate_name.c b/lib/libgssapi/gss_duplicate_name.c index f0ce4173d4f7..c6d07ac4e2b4 100644 --- a/lib/libgssapi/gss_duplicate_name.c +++ b/lib/libgssapi/gss_duplicate_name.c @@ -44,11 +44,12 @@ OM_uint32 gss_duplicate_name(OM_uint32 *minor_status, struct _gss_mechanism_name *mn; *minor_status = 0; + *dest_name = GSS_C_NO_NAME; /* * If this name has a value (i.e. it didn't come from * gss_canonicalize_name(), we re-import the thing. Otherwise, - * we make an empty name to hold the MN copy. + * we make a copy of the mechanism names. */ if (name->gn_value.value) { major_status = gss_import_name(minor_status, 
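Review bot: In the GSS_C_MECH_CODE branch the fallback `oid.value = strdup("unknown")` is never freed — the release below runs only when `maj_junk == GSS_S_COMPLETE`, which is exactly the case where strdup was not used — and if strdup itself returns NULL the `%.*s` conversion is handed a NULL pointer. Pointing at a static string, `oid.value = "unknown";`, removes both the leak and the allocation, and the conditional release stays correct. The `if (buf == NULL) break;` checks rely on asprintf setting `buf` to NULL on failure, which FreeBSD's does; testing the return value for -1 would be the portable form. gss_display_status's switch starts before this hunk.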
@@ -56,6 +57,12 @@ OM_uint32 gss_duplicate_name(OM_uint32 *minor_status, if (major_status != GSS_S_COMPLETE) return (major_status); new_name = (struct _gss_name *) *dest_name; + + SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { + struct _gss_mechanism_name *mn2; + _gss_find_mn(minor_status, new_name, + mn->gmn_mech_oid, &mn2); + } } else { new_name = malloc(sizeof(struct _gss_name)); if (!new_name) { @@ -63,17 +70,30 @@ OM_uint32 gss_duplicate_name(OM_uint32 *minor_status, return (GSS_S_FAILURE); } memset(new_name, 0, sizeof(struct _gss_name)); - SLIST_INIT(&name->gn_mn); + SLIST_INIT(&new_name->gn_mn); *dest_name = (gss_name_t) new_name; - } - /* - * Import the new name into any mechanisms listed in the - * original name. We could probably get away with only doing - * this if the original was canonical. - */ - SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { - _gss_find_mn(new_name, mn->gmn_mech_oid); + SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { + struct _gss_mechanism_name *new_mn; + + new_mn = malloc(sizeof(*new_mn)); + if (!new_mn) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + new_mn->gmn_mech = mn->gmn_mech; + new_mn->gmn_mech_oid = mn->gmn_mech_oid; + + major_status = + mn->gmn_mech->gm_duplicate_name(minor_status, + mn->gmn_name, &new_mn->gmn_name); + if (major_status != GSS_S_COMPLETE) { + free(new_mn); + continue; + } + SLIST_INSERT_HEAD(&new_name->gn_mn, new_mn, gmn_link); + } + } return (GSS_S_COMPLETE); diff --git a/lib/libgssapi/gss_duplicate_oid.c b/lib/libgssapi/gss_duplicate_oid.c new file mode 100644 index 000000000000..591508d8fa58 --- /dev/null +++ b/lib/libgssapi/gss_duplicate_oid.c 
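Review bot: In the `@@ -63` hunk the ENOMEM return inside the SLIST_FOREACH leaves `*dest_name` pointing at the half-built `new_name` assigned a few lines earlier, so a caller that honours GSS_S_FAILURE by not releasing dest_name leaks it and one that does release it gets a name with a partial mechanism list; resetting the out-parameter, e.g. `OM_uint32 junk; gss_release_name(&junk, dest_name); *minor_status = ENOMEM; return (GSS_S_FAILURE);`, avoids both. The silent `continue` when `gm_duplicate_name` fails, and the ignored result of `_gss_find_mn` in the `@@ -56` hunk, mean the copy can quietly carry fewer mechanism names than the original. If that is deliberate it deserves a comment such as `/* best effort: mechanisms that cannot duplicate the MN are dropped from the copy */`. Fixing `SLIST_INIT(&name->gn_mn)` to initialise `new_name` is a real bug fix.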
@@ -0,0 +1,65 @@ +/*- + * Copyright (c) 2008 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#include +#include +#include +#include + +OM_uint32 gss_duplicate_oid(OM_uint32 *minor_status, + const gss_OID src_oid, + gss_OID *dest_oid_p) +{ + gss_OID dest_oid; + + *minor_status = 0; + *dest_oid_p = GSS_C_NO_OID; + + if (src_oid == GSS_C_NO_OID) + return (GSS_S_COMPLETE); + + dest_oid = malloc(sizeof(gss_OID_desc)); + if (!dest_oid) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + + dest_oid->elements = malloc(src_oid->length); + if (!dest_oid->elements) { + free(dest_oid); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + + memcpy(dest_oid->elements, src_oid->elements, src_oid->length); + dest_oid->length = src_oid->length; + + *dest_oid_p = dest_oid; + + return (GSS_S_COMPLETE); +} diff --git a/lib/libgssapi/gss_encapsulate_token.c b/lib/libgssapi/gss_encapsulate_token.c new file mode 100644 index 000000000000..ed0e217d65be --- /dev/null +++ b/lib/libgssapi/gss_encapsulate_token.c 
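Review bot: gss_duplicate_oid has no header comment, and its two ownership rules are not obvious from the signature: GSS_C_NO_OID duplicates to GSS_C_NO_OID with GSS_S_COMPLETE, and the result is two separate allocations that the matching release routine must free in turn. A short comment above the definition stating both, e.g. `/* Deep-copy src_oid into a freshly allocated gss_OID (GSS_C_NO_OID copies to GSS_C_NO_OID); the caller owns both the descriptor and its elements. */`, would prevent callers freeing only the outer struct. `malloc(src_oid->length)` with a zero-length OID may also return NULL on some libcs and then be reported as ENOMEM, though such OIDs are unlikely in practice.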
@@ -0,0 +1,131 @@
+/*-
+ * Copyright (c) 2008 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "utils.h"
+
+OM_uint32
+gss_encapsulate_token(const gss_buffer_t input_token, gss_OID oid,
+ gss_buffer_t output_token)
+{
+ unsigned char *p;
+ size_t len, inside_len;
+ size_t a, b;
+ int i;
+
+ _gss_buffer_zero(output_token);
+
+ /*
+ * First time around, we calculate the size, second time, we
+ * encode the token.
+ */
+ p = 0;
+ for (i = 0; i < 2; i++) {
+ len = 0;
+
+ /*
+ * Token starts with [APPLICATION 0] SEQUENCE.
+ */ + if (p) + *p++ = 0x60; + len++; + + /* + * The length embedded in the token is the space + * needed for the encapsulated oid plus the length of + * the inner token. + */ + if (oid->length > 127) + return (GSS_S_DEFECTIVE_TOKEN); + + inside_len = 2 + oid->length + input_token->length; + + /* + * Figure out how to encode the length + */ + if (inside_len < 128) { + if (p) + *p++ = inside_len; + len++; + } else { + b = 1; + if (inside_len >= 0x100) + b++; + if (inside_len >= 0x10000) + b++; + if (inside_len >= 0x1000000) + b++; + if (p) + *p++ = b | 0x80; + len++; + a = inside_len << 8*(4 - b); + while (b) { + if (p) + *p++ = (a >> 24); + a <<= 8; + len++; + b--; + } + } + + /* + * Encode the OID for the mechanism. Simplify life by + * assuming that the OID length is less than 128 bytes. + */ + if (p) + *p++ = 0x06; + len++; + if (p) + *p++ = oid->length; + len++; + if (p) { + memcpy(p, oid->elements, oid->length); + p += oid->length; + } + len += oid->length; + + if (p) { + memcpy(p, input_token->value, input_token->length); + p += input_token->length; + } + len += input_token->length; + + if (i == 0) { + output_token->length = len; + output_token->value = malloc(len); + if (!output_token->value) + return (GSS_S_DEFECTIVE_TOKEN); + p = output_token->value; + } + } + + return (GSS_S_COMPLETE); +} diff --git a/lib/libgssapi/gss_export_name.c b/lib/libgssapi/gss_export_name.c index 6cba2f8c380b..49174bbcafd0 100644 --- a/lib/libgssapi/gss_export_name.c +++ b/lib/libgssapi/gss_export_name.c @@ -30,6 +30,7 @@ #include "mech_switch.h" #include "name.h" +#include "utils.h" OM_uint32 gss_export_name(OM_uint32 *minor_status, @@ -39,8 +40,7 @@ gss_export_name(OM_uint32 *minor_status, struct _gss_name *name = (struct _gss_name *) input_name; struct _gss_mechanism_name *mn; - exported_name->value = NULL; - exported_name->length = 0; + _gss_buffer_zero(exported_name); /* * If this name already has any attached MNs, export the first 
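Review bot: On the `malloc(len)` failure near the end of gss_encapsulate_token, `output_token->length` has already been set to `len` while `value` stays NULL, and the error is reported as GSS_S_DEFECTIVE_TOKEN, a code that describes the caller's input rather than an allocation failure. Reset the buffer and use the generic failure code: `if (!output_token->value) { _gss_buffer_zero(output_token); return (GSS_S_FAILURE); }`. Separately, the length-of-length encoder emits at most four bytes, so on a 64-bit `size_t` an `inside_len` of 2^32 or more is silently truncated into a wrong DER length; a guard next to the existing `oid->length > 127` test, `if (inside_len > 0xffffffffUL) return (GSS_S_FAILURE);`, closes that. The function is complete within this hunk.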
@@ -48,12 +48,9 @@ gss_export_name(OM_uint32 *minor_status, * list. */ mn = SLIST_FIRST(&name->gn_mn); - if (!mn) - mn = _gss_find_mn(name, - &SLIST_FIRST(&_gss_mechs)->gm_mech_oid); if (!mn) { *minor_status = 0; - return (GSS_S_BAD_MECH); + return (GSS_S_NAME_NOT_MN); } return mn->gmn_mech->gm_export_name(minor_status, diff --git a/lib/libgssapi/gss_export_sec_context.c b/lib/libgssapi/gss_export_sec_context.c index 71c6874e963d..a600f280048f 100644 --- a/lib/libgssapi/gss_export_sec_context.c +++ b/lib/libgssapi/gss_export_sec_context.c @@ -33,6 +33,7 @@ #include "mech_switch.h" #include "context.h" +#include "utils.h" OM_uint32 gss_export_sec_context(OM_uint32 *minor_status, @@ -44,6 +45,8 @@ gss_export_sec_context(OM_uint32 *minor_status, struct _gss_mech_switch *m = ctx->gc_mech; gss_buffer_desc buf; + _gss_buffer_zero(interprocess_token); + major_status = m->gm_export_sec_context(minor_status, &ctx->gc_ctx, &buf); @@ -63,6 +66,7 @@ gss_export_sec_context(OM_uint32 *minor_status, * GSS_C_NO_CONTEXT, which we did above. * Return GSS_S_FAILURE. */ + _gss_buffer_zero(interprocess_token); *minor_status = ENOMEM; return (GSS_S_FAILURE); } @@ -72,6 +76,8 @@ gss_export_sec_context(OM_uint32 *minor_status, memcpy(p + 2, m->gm_mech_oid.elements, m->gm_mech_oid.length); memcpy(p + 2 + m->gm_mech_oid.length, buf.value, buf.length); gss_release_buffer(minor_status, &buf); + } else { + _gss_mg_error(m, major_status, *minor_status); } return (major_status); diff --git a/lib/libgssapi/gss_get_mic.c b/lib/libgssapi/gss_get_mic.c index a3495ecfe794..dff3b545f78f 100644 --- a/lib/libgssapi/gss_get_mic.c +++ b/lib/libgssapi/gss_get_mic.c @@ -30,6 +30,7 @@ #include "mech_switch.h" #include "context.h" +#include "utils.h" OM_uint32 gss_get_mic(OM_uint32 *minor_status, 
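Review bot: `mn = SLIST_FIRST(&name->gn_mn)` dereferences `name` before anything in the hunk checks that `input_name` is not GSS_C_NO_NAME, so a caller passing no name faults instead of receiving an error; unless the function's preamble (outside the hunk) already rejects it, add `if (name == NULL) { *minor_status = 0; return (GSS_S_BAD_NAME); }` ahead of the lookup. The switch to GSS_S_NAME_NOT_MN for a name with no attached MN is the right code, so only the NULL case is missing. gss_export_name starts and ends outside this hunk.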
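Review bot: On the malloc failure in the `@@ -63,6 +66,7 @@` hunk of gss_export_sec_context.c the mechanism's exported token `buf` is still allocated: the lines shown zero `interprocess_token` and return, and no `gss_release_buffer(minor_status, &buf)` is visible before the return. If the preceding lines (outside the hunk) do not release it either, the exported context, which carries the session key material, leaks unfreed. Release it before reporting the error, `gss_release_buffer(minor_status, &buf);` placed ahead of `*minor_status = ENOMEM;`, since the release call itself writes `*minor_status`.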
@@ -41,6 +42,12 @@ gss_get_mic(OM_uint32 *minor_status, struct _gss_context *ctx = (struct _gss_context *) context_handle; struct _gss_mech_switch *m = ctx->gc_mech; + _gss_buffer_zero(message_token); + if (ctx == NULL) { + *minor_status = 0; + return (GSS_S_NO_CONTEXT); + } + return (m->gm_get_mic(minor_status, ctx->gc_ctx, qop_req, message_buffer, message_token)); } diff --git a/lib/libgssapi/gss_import_name.c b/lib/libgssapi/gss_import_name.c index 65820b12874d..3d8079d2dea9 100644 --- a/lib/libgssapi/gss_import_name.c +++ b/lib/libgssapi/gss_import_name.c @@ -47,7 +47,6 @@ _gss_import_export_name(OM_uint32 *minor_status, gss_OID_desc mech_oid; struct _gss_mech_switch *m; struct _gss_name *name; - struct _gss_mechanism_name *mn; gss_name_t new_canonical_name; *minor_status = 0; @@ -126,6 +125,10 @@ _gss_import_export_name(OM_uint32 *minor_status, */ major_status = m->gm_import_name(minor_status, input_name_buffer, GSS_C_NT_EXPORT_NAME, &new_canonical_name); + if (major_status != GSS_S_COMPLETE) { + _gss_mg_error(m, major_status, *minor_status); + return (major_status); + } /* * Now we make a new name and mark it as an MN. @@ -152,9 +155,10 @@ gss_import_name(OM_uint32 *minor_status, OM_uint32 major_status; struct _gss_name *name; + *output_name = GSS_C_NO_NAME; + if (input_name_buffer->length == 0) { *minor_status = 0; - *output_name = 0; return (GSS_S_BAD_NAME); } @@ -169,7 +173,7 @@ gss_import_name(OM_uint32 *minor_status, * the mechanism and then import it as an MN. See RFC 2743 * section 3.2 for a description of the format. */ - if (_gss_oid_equal(name_type, GSS_C_NT_EXPORT_NAME)) { + if (gss_oid_equal(name_type, GSS_C_NT_EXPORT_NAME)) { return _gss_import_export_name(minor_status, input_name_buffer, output_name); } 
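Review bot: The new `if (ctx == NULL)` guard in gss_get_mic comes after `struct _gss_mech_switch *m = ctx->gc_mech;` in the declarations just above it, so a NULL context has already been dereferenced by the time the check runs, and a compiler may legitimately delete the check as unreachable. Declare `m` without an initializer and assign it after the guard: `struct _gss_mech_switch *m;` in the declarations, then `m = ctx->gc_mech;` after the `return (GSS_S_NO_CONTEXT);` block. Zeroing `message_token` first is fine and should stay where it is.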
@@ -179,15 +183,14 @@ gss_import_name(OM_uint32 *minor_status, * should figure out the list of supported name types using * gss_inquire_names_for_mech. */ - if (!_gss_oid_equal(name_type, GSS_C_NT_USER_NAME) - && !_gss_oid_equal(name_type, GSS_C_NT_MACHINE_UID_NAME) - && !_gss_oid_equal(name_type, GSS_C_NT_STRING_UID_NAME) - && !_gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE_X) - && !_gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE) - && !_gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS) - && !_gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) { + if (!gss_oid_equal(name_type, GSS_C_NT_USER_NAME) + && !gss_oid_equal(name_type, GSS_C_NT_MACHINE_UID_NAME) + && !gss_oid_equal(name_type, GSS_C_NT_STRING_UID_NAME) + && !gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE_X) + && !gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE) + && !gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS) + && !gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) { *minor_status = 0; - *output_name = 0; return (GSS_S_BAD_NAMETYPE); } @@ -209,7 +212,8 @@ gss_import_name(OM_uint32 *minor_status, major_status = _gss_copy_buffer(minor_status, input_name_buffer, &name->gn_value); if (major_status) { - gss_release_name(minor_status, (gss_name_t*) &name); + gss_name_t rname = (gss_name_t)name; + gss_release_name(minor_status, &rname); return (GSS_S_FAILURE); } diff --git a/lib/libgssapi/gss_import_sec_context.c b/lib/libgssapi/gss_import_sec_context.c index ce3ddd10c3f3..0ab138ecae98 100644 --- a/lib/libgssapi/gss_import_sec_context.c +++ b/lib/libgssapi/gss_import_sec_context.c @@ -47,7 +47,7 @@ gss_import_sec_context(OM_uint32 *minor_status, size_t len; *minor_status = 0; - *context_handle = 0; + *context_handle = GSS_C_NO_CONTEXT; /* * We added an oid to the front of the token in 
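Review bot: In the `@@ -209,7 +212,8 @@` hunk of gss_import_name.c, `gss_release_name(minor_status, &rname)` on the `_gss_copy_buffer` failure path writes `*minor_status`, overwriting the code `_gss_copy_buffer` just set, so the caller sees GSS_S_FAILURE with a meaningless minor status. Use a scratch variable for the release, as the gss_inquire_names_for_mech hunk in this same diff does: `OM_uint32 junk; gss_release_name(&junk, &rname);`. gss_import_name continues outside this hunk.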
@@ -77,6 +77,7 @@ gss_import_sec_context(OM_uint32 *minor_status, major_status = m->gm_import_sec_context(minor_status, &buf, &ctx->gc_ctx); if (major_status != GSS_S_COMPLETE) { + _gss_mg_error(m, major_status, *minor_status); free(ctx); } else { *context_handle = (gss_ctx_id_t) ctx; diff --git a/lib/libgssapi/gss_indicate_mechs.c b/lib/libgssapi/gss_indicate_mechs.c index 87a34f4e6dbe..ec4350f8eeb1 100644 --- a/lib/libgssapi/gss_indicate_mechs.c +++ b/lib/libgssapi/gss_indicate_mechs.c @@ -37,7 +37,7 @@ gss_indicate_mechs(OM_uint32 *minor_status, struct _gss_mech_switch *m; OM_uint32 major_status; gss_OID_set set; - int i; + size_t i; _gss_load_mech(); @@ -50,6 +50,12 @@ gss_indicate_mechs(OM_uint32 *minor_status, major_status = m->gm_indicate_mechs(minor_status, &set); if (major_status) continue; + if (set == GSS_C_NO_OID_SET) { + major_status = gss_add_oid_set_member( + minor_status, + &m->gm_mech_oid, mech_set); + continue; + } for (i = 0; i < set->count; i++) major_status = gss_add_oid_set_member(minor_status, &set->elements[i], mech_set); diff --git a/lib/libgssapi/gss_init_sec_context.c b/lib/libgssapi/gss_init_sec_context.c index 8b596f3ba892..d8f06ab3e819 100644 --- a/lib/libgssapi/gss_init_sec_context.c +++ b/lib/libgssapi/gss_init_sec_context.c 
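Review bot: The call `m->gm_indicate_mechs(minor_status, &set)` at the top of the gss_indicate_mechs hunk is made unconditionally, yet the gss_mech_switch.c hunk later in this diff changes `indicate_mechs` from SYM to OPTSYM, so a mechanism that does not export the symbol leaves `gm_indicate_mechs` NULL and this call jumps through a null pointer. Unless a guard sits just above the hunk (not visible), handle a missing entry point like the new `GSS_C_NO_OID_SET` case: `if (m->gm_indicate_mechs == NULL) { major_status = gss_add_oid_set_member(minor_status, &m->gm_mech_oid, mech_set); continue; }`. Also, `major_status` from `gss_add_oid_set_member` is assigned in both branches but never examined, so an ENOMEM in one iteration is overwritten by the next; the function's tail is outside the hunk, so where that status ends up is not visible here.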
@@ -35,13 +35,30 @@ #include "name.h" #include "cred.h" #include "context.h" +#include "utils.h" + +static gss_cred_id_t +_gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type) +{ + struct _gss_cred *cred = (struct _gss_cred *)cred_handle; + struct _gss_mechanism_cred *mc; + + if (cred == NULL) + return GSS_C_NO_CREDENTIAL; + + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + if (gss_oid_equal(mech_type, mc->gmc_mech_oid)) + return mc->gmc_cred; + } + return GSS_C_NO_CREDENTIAL; +} OM_uint32 gss_init_sec_context(OM_uint32 * minor_status, const gss_cred_id_t initiator_cred_handle, gss_ctx_id_t * context_handle, const gss_name_t target_name, - const gss_OID imech_type, + const gss_OID input_mech_type, OM_uint32 req_flags, OM_uint32 time_req, const gss_channel_bindings_t input_chan_bindings, @@ -52,24 +69,23 @@ gss_init_sec_context(OM_uint32 * minor_status, OM_uint32 * time_rec) { OM_uint32 major_status; - gss_OID mech_type; struct _gss_mech_switch *m; struct _gss_name *name = (struct _gss_name *) target_name; struct _gss_mechanism_name *mn; struct _gss_context *ctx = (struct _gss_context *) *context_handle; - struct _gss_cred *cred = (struct _gss_cred *) initiator_cred_handle; - struct _gss_mechanism_cred *mc; gss_cred_id_t cred_handle; int allocated_ctx; + gss_OID mech_type = input_mech_type; *minor_status = 0; - if ((mech_type = imech_type) == GSS_C_NO_OID) { - _gss_load_mech(); - mech_type = &SLIST_FIRST(&_gss_mechs)->gm_mech_oid; - if (mech_type == NULL) - return (GSS_S_BAD_MECH); - } + _gss_buffer_zero(output_token); + if (actual_mech_type) + *actual_mech_type = GSS_C_NO_OID; + if (ret_flags) + *ret_flags = 0; + if (time_rec) + *time_rec = 0; /* * If we haven't allocated a context yet, do so now and lookup 
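Review bot: The new static helper `_gss_mech_cred_find` has no comment, and its not-found convention is easy to misread because GSS_C_NO_CREDENTIAL is also the value a caller passes to ask for the default credential. Add above it: `/* Return the per-mechanism credential for mech_type held in cred_handle, or GSS_C_NO_CREDENTIAL if the handle is NULL or contains none for that mechanism. */`. It is also worth a sentence at the call site that a credential lacking an entry for the negotiated mechanism is passed down as GSS_C_NO_CREDENTIAL rather than reported as GSS_S_NO_CRED, since that is the behaviour the visible code has.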
@@ -77,6 +93,14 @@ gss_init_sec_context(OM_uint32 * minor_status, * sure we use the same mechanism switch as before. */ if (!ctx) { + if (mech_type == GSS_C_NO_OID) { + _gss_load_mech(); + if (_gss_mech_oids == GSS_C_NO_OID_SET + || _gss_mech_oids->count == 0) + return (GSS_S_BAD_MECH); + mech_type = &_gss_mech_oids->elements[0]; + } + ctx = malloc(sizeof(struct _gss_context)); if (!ctx) { *minor_status = ENOMEM; @@ -91,31 +115,24 @@ gss_init_sec_context(OM_uint32 * minor_status, allocated_ctx = 1; } else { m = ctx->gc_mech; + mech_type = &ctx->gc_mech->gm_mech_oid; allocated_ctx = 0; } /* * Find the MN for this mechanism. */ - mn = _gss_find_mn(name, mech_type); - if (mn == NULL) { + major_status = _gss_find_mn(minor_status, name, mech_type, &mn); + if (major_status != GSS_S_COMPLETE) { if (allocated_ctx) free(ctx); - return GSS_S_BAD_NAME; + return (major_status); } /* * If we have a cred, find the cred for this mechanism. */ - cred_handle = GSS_C_NO_CREDENTIAL; - if (cred) { - SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { - if (_gss_oid_equal(mech_type, mc->gmc_mech_oid)) { - cred_handle = mc->gmc_cred; - break; - } - } - } + cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type); major_status = m->gm_init_sec_context(minor_status, cred_handle, @@ -135,6 +152,8 @@ gss_init_sec_context(OM_uint32 * minor_status, && major_status != GSS_S_CONTINUE_NEEDED) { if (allocated_ctx) free(ctx); + _gss_buffer_zero(output_token); + _gss_mg_error(m, major_status, *minor_status); } else { *context_handle = (gss_ctx_id_t) ctx; } diff --git a/lib/libgssapi/gss_inquire_context.c b/lib/libgssapi/gss_inquire_context.c index 3f4531d2c428..c9f2a0c545ef 100644 --- a/lib/libgssapi/gss_inquire_context.c +++ b/lib/libgssapi/gss_inquire_context.c 
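Review bot: `_gss_buffer_zero(output_token)` on the error path of gss_init_sec_context discards whatever the mechanism placed in `output_token`: RFC 2743 permits an error token to be returned on failure for the caller to forward to the peer, and if the mechanism allocated one it is now leaked as well as lost. Either leave the buffer for the caller to release, or free it through the mechanism before zeroing, e.g. `{ OM_uint32 junk; m->gm_release_buffer(&junk, output_token); }` (assuming the switch carries a `release_buffer` entry, which is not visible in this diff). When `_gss_find_mn` fails the freshly allocated `ctx` is freed but `*context_handle` is left as it was, which is only safe because it was GSS_C_NO_CONTEXT on entry; a comment there, `/* *context_handle is still GSS_C_NO_CONTEXT here */`, would make that explicit.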
@@ -49,27 +49,43 @@ gss_inquire_context(OM_uint32 *minor_status, struct _gss_name *name; gss_name_t src_mn, targ_mn; + if (locally_initiated) + *locally_initiated = 0; + if (open) + *open = 0; + if (lifetime_rec) + *lifetime_rec = 0; + + if (src_name) + *src_name = GSS_C_NO_NAME; + if (targ_name) + *targ_name = GSS_C_NO_NAME; + if (mech_type) + *mech_type = GSS_C_NO_OID; + src_mn = targ_mn = GSS_C_NO_NAME; + major_status = m->gm_inquire_context(minor_status, ctx->gc_ctx, - src_name ? &src_mn : 0, - targ_name ? &targ_mn : 0, + src_name ? &src_mn : NULL, + targ_name ? &targ_mn : NULL, lifetime_rec, mech_type, ctx_flags, locally_initiated, open); - if (src_name) *src_name = 0; - if (targ_name) *targ_name = 0; - if (major_status != GSS_S_COMPLETE) { + _gss_mg_error(m, major_status, *minor_status); return (major_status); } if (src_name) { name = _gss_make_name(m, src_mn); if (!name) { - minor_status = 0; + if (mech_type) + *mech_type = GSS_C_NO_OID; + m->gm_release_name(minor_status, &src_mn); + *minor_status = 0; return (GSS_S_FAILURE); } *src_name = (gss_name_t) name; @@ -78,6 +94,11 @@ gss_inquire_context(OM_uint32 *minor_status, if (targ_name) { name = _gss_make_name(m, targ_mn); if (!name) { + if (mech_type) + *mech_type = GSS_C_NO_OID; + if (src_name) + gss_release_name(minor_status, src_name); + m->gm_release_name(minor_status, &src_mn); minor_status = 0; return (GSS_S_FAILURE); } diff --git a/lib/libgssapi/gss_inquire_cred.c b/lib/libgssapi/gss_inquire_cred.c index 60b746f53f6f..c51f07e55841 100644 --- a/lib/libgssapi/gss_inquire_cred.c +++ b/lib/libgssapi/gss_inquire_cred.c 
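Review bot: When `_gss_make_name(m, src_mn)` fails in gss_inquire_context, the error path releases `src_mn` but not `targ_mn`, which the mechanism has just allocated whenever `targ_name` was requested, so that name leaks; add `if (targ_mn != GSS_C_NO_NAME) m->gm_release_name(minor_status, &targ_mn);` beside the existing release. Setting `*minor_status = 0` after the release also hides the allocation failure; `ENOMEM` would be the informative code. The preamble that sets `ctx` and `m` is outside this hunk.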
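Review bot: The `targ_name` failure path in the `@@ -78,6 +94,11 @@` hunk releases the wrong mechanism name: it frees `src_mn`, which was already handed to `_gss_make_name` and is released again through `gss_release_name(minor_status, src_name)` if that helper took ownership (as its use just above suggests, though its body is not in this diff), giving a double free, while `targ_mn`, the name that actually failed to wrap, is leaked. The path also still reads `minor_status = 0;`, assigning the pointer rather than the status word, which this commit fixed only in the `src_name` branch. Change the two lines to `m->gm_release_name(minor_status, &targ_mn);` and `*minor_status = 0;` (or ENOMEM).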
@@ -35,6 +35,20 @@ #include "name.h" #include "cred.h" +#define AUSAGE 1 +#define IUSAGE 2 + +static void +updateusage(gss_cred_usage_t usage, int *usagemask) +{ + if (usage == GSS_C_BOTH) + *usagemask |= AUSAGE | IUSAGE; + else if (usage == GSS_C_ACCEPT) + *usagemask |= AUSAGE; + else if (usage == GSS_C_INITIATE) + *usagemask |= IUSAGE; +} + OM_uint32 gss_inquire_cred(OM_uint32 *minor_status, const gss_cred_id_t cred_handle, @@ -46,29 +60,35 @@ gss_inquire_cred(OM_uint32 *minor_status, OM_uint32 major_status; struct _gss_mech_switch *m; struct _gss_cred *cred = (struct _gss_cred *) cred_handle; - struct _gss_mechanism_cred *mc; struct _gss_name *name; struct _gss_mechanism_name *mn; OM_uint32 min_lifetime; + int found = 0; + int usagemask = 0; + gss_cred_usage_t usage; + + _gss_load_mech(); *minor_status = 0; if (name_ret) - *name_ret = 0; + *name_ret = GSS_C_NO_NAME; if (lifetime) *lifetime = 0; if (cred_usage) *cred_usage = 0; + if (mechanisms) + *mechanisms = GSS_C_NO_OID_SET; if (name_ret) { name = malloc(sizeof(struct _gss_name)); - if (!name) { + if (name == NULL) { *minor_status = ENOMEM; return (GSS_S_FAILURE); } memset(name, 0, sizeof(struct _gss_name)); SLIST_INIT(&name->gn_mn); } else { - name = 0; + name = NULL; } if (mechanisms) { @@ -82,16 +102,19 @@ gss_inquire_cred(OM_uint32 *minor_status, min_lifetime = GSS_C_INDEFINITE; if (cred) { + struct _gss_mechanism_cred *mc; + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { gss_name_t mc_name; OM_uint32 mc_lifetime; major_status = mc->gmc_mech->gm_inquire_cred(minor_status, - mc->gmc_cred, &mc_name, &mc_lifetime, NULL, NULL); + mc->gmc_cred, &mc_name, &mc_lifetime, &usage, NULL); if (major_status) continue; - if (name) { + updateusage(usage, &usagemask); + if (name && mc_name) { mn = malloc(sizeof(struct _gss_mechanism_name)); if (!mn) { mc->gmc_mech->gm_release_name(minor_status, 
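Review bot: `updateusage`, `AUSAGE` and `IUSAGE` are new and undocumented; the mask is folded back into a single gss_cred_usage_t at the end of gss_inquire_cred, so a reader needs to know that the bits accumulate across mechanisms. Add above the helper: `/* OR the accept/initiate capability of one mechanism credential into *usagemask; the union over all mechanisms becomes the reported cred_usage. */`. Note also that `usage` is a stack variable that each `gm_inquire_cred` call is expected to fill; if a mechanism returns success without writing it (not visible here), `updateusage` reads an indeterminate value, so initialising `usage` to 0 before each call is cheap insurance.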
@@ -102,41 +125,6 @@ gss_inquire_cred(OM_uint32 *minor_status, mn->gmn_mech_oid = mc->gmc_mech_oid; mn->gmn_name = mc_name; SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); - } else { - mc->gmc_mech->gm_release_name(minor_status, - &mc_name); - } - - if (mc_lifetime < min_lifetime) - min_lifetime = mc_lifetime; - - if (mechanisms) - gss_add_oid_set_member(minor_status, - mc->gmc_mech_oid, mechanisms); - } - } else { - SLIST_FOREACH(m, &_gss_mechs, gm_link) { - gss_name_t mc_name; - OM_uint32 mc_lifetime; - - major_status = m->gm_inquire_cred(minor_status, - GSS_C_NO_CREDENTIAL, &mc_name, &mc_lifetime, - cred_usage, NULL); - if (major_status) - continue; - - if (name && mc_name) { - mn = malloc( - sizeof(struct _gss_mechanism_name)); - if (!mn) { - mc->gmc_mech->gm_release_name( - minor_status, &mc_name); - continue; - } - mn->gmn_mech = mc->gmc_mech; - mn->gmn_mech_oid = mc->gmc_mech_oid; - mn->gmn_name = mc_name; - SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); } else if (mc_name) { mc->gmc_mech->gm_release_name(minor_status, &mc_name); 
@@ -147,22 +135,69 @@ gss_inquire_cred(OM_uint32 *minor_status, if (mechanisms) gss_add_oid_set_member(minor_status, - &m->gm_mech_oid, mechanisms); + mc->gmc_mech_oid, mechanisms); + found++; } + } else { + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + gss_name_t mc_name; + OM_uint32 mc_lifetime; - if ((*mechanisms)->count == 0) { - gss_release_oid_set(minor_status, mechanisms); - *minor_status = 0; - return (GSS_S_NO_CRED); + major_status = m->gm_inquire_cred(minor_status, + GSS_C_NO_CREDENTIAL, &mc_name, &mc_lifetime, + &usage, NULL); + if (major_status) + continue; + + updateusage(usage, &usagemask); + if (name && mc_name) { + mn = malloc( + sizeof(struct _gss_mechanism_name)); + if (!mn) { + m->gm_release_name( + minor_status, &mc_name); + continue; + } + mn->gmn_mech = m; + mn->gmn_mech_oid = &m->gm_mech_oid; + mn->gmn_name = mc_name; + SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); + } else if (mc_name) { + m->gm_release_name(minor_status, + &mc_name); + } + + if (mc_lifetime < min_lifetime) + min_lifetime = mc_lifetime; + + if (mechanisms) + gss_add_oid_set_member(minor_status, + &m->gm_mech_oid, mechanisms); + found++; } } + if (found == 0) { + gss_name_t n = (gss_name_t)name; + if (n) + gss_release_name(minor_status, &n); + gss_release_oid_set(minor_status, mechanisms); + *minor_status = 0; + return (GSS_S_NO_CRED); + } + *minor_status = 0; if (name_ret) *name_ret = (gss_name_t) name; if (lifetime) *lifetime = min_lifetime; - if (cred && cred_usage) - *cred_usage = cred->gc_usage; + if (cred_usage) { + if ((usagemask & (AUSAGE|IUSAGE)) == (AUSAGE|IUSAGE)) + *cred_usage = GSS_C_BOTH; + else if (usagemask & IUSAGE) + *cred_usage = GSS_C_INITIATE; + else if (usagemask & AUSAGE) + *cred_usage = GSS_C_ACCEPT; + } return (GSS_S_COMPLETE); } diff --git a/lib/libgssapi/gss_inquire_cred_by_mech.c b/lib/libgssapi/gss_inquire_cred_by_mech.c index 2896f77c1e74..d9c21bac2156 100644 --- a/lib/libgssapi/gss_inquire_cred_by_mech.c 
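Review bot: In the `found == 0` block, `gss_release_oid_set(minor_status, mechanisms)` is called even when the caller passed `mechanisms == NULL`; every other use of `mechanisms` in this function is guarded by `if (mechanisms)`, and unless `gss_release_oid_set` tolerates a NULL pointer-to-set (its body is not in this diff) this dereferences NULL. Guard it the same way: `if (mechanisms) gss_release_oid_set(minor_status, mechanisms);`. Releasing the partially built `name` through the generic `gss_release_name` is the right call, assuming it frees the MNs collected so far.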
+++ b/lib/libgssapi/gss_inquire_cred_by_mech.c @@ -49,6 +49,14 @@ gss_inquire_cred_by_mech(OM_uint32 *minor_status, struct _gss_name *name; *minor_status = 0; + if (cred_name) + *cred_name = GSS_C_NO_NAME; + if (initiator_lifetime) + *initiator_lifetime = 0; + if (acceptor_lifetime) + *acceptor_lifetime = 0; + if (cred_usage) + *cred_usage = 0; m = _gss_find_mech_switch(mech_type); if (!m) @@ -68,15 +76,21 @@ gss_inquire_cred_by_mech(OM_uint32 *minor_status, major_status = m->gm_inquire_cred_by_mech(minor_status, mc, mech_type, &mn, initiator_lifetime, acceptor_lifetime, cred_usage); - if (major_status != GSS_S_COMPLETE) + if (major_status != GSS_S_COMPLETE) { + _gss_mg_error(m, major_status, *minor_status); return (major_status); - - name = _gss_make_name(m, mn); - if (!name) { - m->gm_release_name(minor_status, &mn); - return (GSS_S_NO_CRED); } - *cred_name = (gss_name_t) name; + if (cred_name) { + name = _gss_make_name(m, mn); + if (!name) { + m->gm_release_name(minor_status, &mn); + return (GSS_S_NO_CRED); + } + *cred_name = (gss_name_t) name; + } else { + m->gm_release_name(minor_status, &mn); + } + return (GSS_S_COMPLETE); } diff --git a/lib/libgssapi/gss_inquire_cred_by_oid.c b/lib/libgssapi/gss_inquire_cred_by_oid.c new file mode 100644 index 000000000000..fcb54a1d95bd --- /dev/null +++ b/lib/libgssapi/gss_inquire_cred_by_oid.c 
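Review bot: When `_gss_make_name` fails, gss_inquire_cred_by_mech returns GSS_S_NO_CRED, which tells the caller the credential does not exist, whereas the actual failure is an allocation error; and the `gm_release_name` call just before it overwrites `*minor_status`. Report it as `OM_uint32 junk; m->gm_release_name(&junk, &mn); *minor_status = ENOMEM; return (GSS_S_FAILURE);` so the status pair matches what the sibling functions in this diff return on malloc failure. The new `else` branch that releases `mn` when `cred_name` is NULL is correct and was a leak before.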
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */ +/* $FreeBSD$ */ + +#include + +#include "mech_switch.h" +#include "cred.h" +#include "name.h" + +/* RCSID("$Id: gss_inquire_cred_by_oid.c 19960 2007-01-17 15:09:24Z lha $"); */ + +OM_uint32 +gss_inquire_cred_by_oid (OM_uint32 *minor_status, + const gss_cred_id_t cred_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + struct _gss_cred *cred = (struct _gss_cred *) cred_handle; + OM_uint32 status = GSS_S_COMPLETE; + struct _gss_mechanism_cred *mc; + struct _gss_mech_switch *m; + gss_buffer_set_t set = GSS_C_NO_BUFFER_SET; + + *minor_status = 0; + *data_set = GSS_C_NO_BUFFER_SET; + + if (cred == NULL) + return GSS_S_NO_CRED; + + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET; + size_t i; + + m = mc->gmc_mech; + if (m == NULL) { + gss_release_buffer_set(minor_status, &set); + *minor_status = 0; + return GSS_S_BAD_MECH; + } + + if (m->gm_inquire_cred_by_oid == NULL) + continue; + + status = m->gm_inquire_cred_by_oid(minor_status, + mc->gmc_cred, desired_object, &rset); + if (status != GSS_S_COMPLETE) + continue; + + for (i = 0; i < rset->count; i++) { + status = gss_add_buffer_set_member(minor_status, + &rset->elements[i], &set); + if (status != GSS_S_COMPLETE) + break; + } + gss_release_buffer_set(minor_status, &rset); + } + if (set == GSS_C_NO_BUFFER_SET) + status = GSS_S_FAILURE; + *data_set = set; + *minor_status = 0; + return status; +} + diff --git a/lib/libgssapi/gss_inquire_mechs_for_name.c b/lib/libgssapi/gss_inquire_mechs_for_name.c index 10bdd7fd6314..68918df7fd54 100644 --- a/lib/libgssapi/gss_inquire_mechs_for_name.c +++ b/lib/libgssapi/gss_inquire_mechs_for_name.c @@ -44,6 +44,8 @@ gss_inquire_mechs_for_name(OM_uint32 *minor_status, *minor_status = 0; + _gss_load_mech(); + major_status = gss_create_empty_oid_set(minor_status, mech_types); if (major_status) return (major_status); 
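Review bot: After `gm_inquire_cred_by_oid` returns GSS_S_COMPLETE, gss_inquire_cred_by_oid indexes `rset->count` without checking that `rset` is not GSS_C_NO_BUFFER_SET, so a mechanism that succeeds with an empty answer dereferences NULL; extend the test to `if (status != GSS_S_COMPLETE || rset == GSS_C_NO_BUFFER_SET) continue;`. The final `status` is also whatever the last mechanism, or the last failed `gss_add_buffer_set_member`, happened to return, so a caller can receive a non-empty `*data_set` with a failure code, or a failure caused by ENOMEM with `*minor_status` forced to 0. Deriving the result from `set` alone, `status = (set == GSS_C_NO_BUFFER_SET) ? GSS_S_FAILURE : GSS_S_COMPLETE;`, gives the function a consistent contract.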
diff --git a/lib/libgssapi/gss_inquire_names_for_mech.c b/lib/libgssapi/gss_inquire_names_for_mech.c index 3ebb6328ff69..21f03afb648b 100644 --- a/lib/libgssapi/gss_inquire_names_for_mech.c +++ b/lib/libgssapi/gss_inquire_names_for_mech.c @@ -39,6 +39,7 @@ gss_inquire_names_for_mech(OM_uint32 *minor_status, struct _gss_mech_switch *m = _gss_find_mech_switch(mechanism); *minor_status = 0; + *name_types = GSS_C_NO_OID_SET; if (!m) return (GSS_S_BAD_MECH); @@ -57,15 +58,15 @@ gss_inquire_names_for_mech(OM_uint32 *minor_status, major_status = gss_add_oid_set_member(minor_status, GSS_C_NT_HOSTBASED_SERVICE, name_types); if (major_status) { - OM_uint32 ms; - gss_release_oid_set(&ms, name_types); + OM_uint32 junk; + gss_release_oid_set(&junk, name_types); return (major_status); } major_status = gss_add_oid_set_member(minor_status, GSS_C_NT_USER_NAME, name_types); if (major_status) { - OM_uint32 ms; - gss_release_oid_set(&ms, name_types); + OM_uint32 junk; + gss_release_oid_set(&junk, name_types); return (major_status); } } diff --git a/lib/libgssapi/gss_inquire_sec_context_by_oid.c b/lib/libgssapi/gss_inquire_sec_context_by_oid.c new file mode 100644 index 000000000000..5a9014210d1b --- /dev/null +++ b/lib/libgssapi/gss_inquire_sec_context_by_oid.c 
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2008 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * + * $FreeBSD$ + */ + +#include + +#include "mech_switch.h" +#include "context.h" + +OM_uint32 +gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *result) +{ + OM_uint32 major_status; + struct _gss_context *ctx = (struct _gss_context *) context_handle; + struct _gss_mech_switch *m; + + *minor_status = 0; + *result = GSS_C_NO_BUFFER_SET; + if (!ctx) + return (GSS_S_NO_CONTEXT); + + m = ctx->gc_mech; + if (m->gm_inquire_sec_context_by_oid) { + major_status = m->gm_inquire_sec_context_by_oid( + minor_status, ctx->gc_ctx, desired_object, result); + if (major_status != GSS_S_COMPLETE) + _gss_mg_error(m, major_status, *minor_status); + } else { + major_status = GSS_S_BAD_MECH; + } + + return (major_status); +} diff --git a/lib/libgssapi/gss_mech_switch.c b/lib/libgssapi/gss_mech_switch.c index a7528a406e42..f5808c5e411b 100644 --- a/lib/libgssapi/gss_mech_switch.c +++ b/lib/libgssapi/gss_mech_switch.c @@ -27,6 +27,7 @@ */ #include +#include #include #include #include @@ -56,6 +57,9 @@ _gss_string_to_oid(const char* s, gss_OID oid) const char *p, *q; char *res; + oid->length = 0; + oid->elements = NULL; + /* * First figure out how many numbers in the oid, then * calculate the compiled oid size. 
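Review bot: `gss_inquire_sec_context_by_oid` carries no comment describing its dispatch contract, in particular that a mechanism without the optional entry point yields GSS_S_BAD_MECH, whereas the sibling `gss_inquire_cred_by_oid` added in this same diff silently skips such mechanisms. A short header such as `/* Forward an OID-keyed query to the context's mechanism; GSS_S_BAD_MECH if the mechanism does not provide inquire_sec_context_by_oid. */` would record that asymmetry for the next reader. The NULL-context check placed before `ctx->gc_mech` is touched is in the right spot here, unlike the gss_get_mic hunk earlier in the diff.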
@@ -153,23 +157,23 @@ _gss_string_to_oid(const char* s, gss_OID oid) return (0); } -#define SYM(name) \ -do { \ - m->gm_ ## name = dlsym(so, "gss_" #name); \ - if (!m->gm_ ## name) { \ - fprintf(stderr, "can't find symbol gss_" #name "\n"); \ - goto bad; \ - } \ + +#define SYM(name) \ +do { \ + snprintf(buf, sizeof(buf), "%s_%s", \ + m->gm_name_prefix, #name); \ + m->gm_ ## name = dlsym(so, buf); \ + if (!m->gm_ ## name) { \ + fprintf(stderr, "can't find symbol %s\n", buf); \ + goto bad; \ + } \ } while (0) -#define OPTSYM(name) \ -do { \ - m->gm_ ## name = dlsym(so, "gss_" #name); \ -} while (0) - -#define OPTSYM2(symname, ourname) \ -do { \ - m->ourname = dlsym(so, #symname); \ +#define OPTSYM(name) \ +do { \ + snprintf(buf, sizeof(buf), "%s_%s", \ + m->gm_name_prefix, #name); \ + m->gm_ ## name = dlsym(so, buf); \ } while (0) /* @@ -185,8 +189,8 @@ _gss_load_mech(void) char *name, *oid, *lib, *kobj; struct _gss_mech_switch *m; int count; - char **pp; void *so; + const char *(*prefix_fn)(void); if (SLIST_FIRST(&_gss_mechs)) return; @@ -232,6 +236,13 @@ _gss_load_mech(void) continue; } + prefix_fn = (const char *(*)(void)) + dlsym(so, "_gss_name_prefix"); + if (prefix_fn) + m->gm_name_prefix = prefix_fn(); + else + m->gm_name_prefix = "gss"; + major_status = gss_add_oid_set_member(&minor_status, &m->gm_mech_oid, &_gss_mech_oids); if (major_status) { @@ -252,7 +263,7 @@ _gss_load_mech(void) SYM(wrap); SYM(unwrap); SYM(display_status); - SYM(indicate_mechs); + OPTSYM(indicate_mechs); SYM(compare_name); SYM(display_name); SYM(import_name); 
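Review bot: The rewritten `SYM`/`OPTSYM` macros format into `buf`, which is not declared in this hunk; if it is the line buffer that `name`, `oid`, `lib` and `kobj` were carved out of by the config-file parser earlier in `_gss_load_mech` (not visible here), the first `SYM()` overwrites those strings, so none of them may be used after the symbol lookups, including in the `bad:` cleanup path, and a dedicated `char symbuf[256];` would remove the hazard. `snprintf` truncation is also silent: an overlong `gm_name_prefix` produces a mangled symbol name and only the generic "can't find symbol" message, so checking the return value, `if (snprintf(...) >= (int)sizeof(buf)) goto bad;`, is worth adding. The prefix string is obtained by calling into the module just loaded from the mechanism config, so its lifetime is whatever the module guarantees, which the comment on `gm_name_prefix` should state.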
@@ -269,10 +280,11 @@ _gss_load_mech(void) SYM(inquire_mechs_for_name); SYM(canonicalize_name); SYM(duplicate_name); - OPTSYM2(gsskrb5_register_acceptor_identity, - gm_krb5_register_acceptor_identity); - OPTSYM(krb5_copy_ccache); - OPTSYM(krb5_compat_des3_mic); + OPTSYM(inquire_sec_context_by_oid); + OPTSYM(inquire_cred_by_oid); + OPTSYM(set_sec_context_option); + OPTSYM(set_cred_option); + OPTSYM(pseudo_random); SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link); count++; @@ -294,7 +306,7 @@ _gss_find_mech_switch(gss_OID mech) _gss_load_mech(); SLIST_FOREACH(m, &_gss_mechs, gm_link) { - if (_gss_oid_equal(&m->gm_mech_oid, mech)) + if (gss_oid_equal(&m->gm_mech_oid, mech)) return m; } return (0); diff --git a/lib/libgssapi/gss_names.c b/lib/libgssapi/gss_names.c index d10350a9541a..02775ec72db3 100644 --- a/lib/libgssapi/gss_names.c +++ b/lib/libgssapi/gss_names.c @@ -33,6 +33,7 @@ #include "mech_switch.h" #include "name.h" +#include "utils.h" /* * The implementation must reserve static storage for a @@ -46,7 +47,7 @@ * to that gss_OID_desc. */ static gss_OID_desc GSS_C_NT_USER_NAME_storage = - {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"}; + {10, (void *)(uintptr_t)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"}; gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage; /* @@ -61,7 +62,7 @@ gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage; * initialized to point to that gss_OID_desc. */ static gss_OID_desc GSS_C_NT_MACHINE_UID_NAME_storage = - {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"}; + {10, (void *)(uintptr_t)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"}; gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage; /* 
@@ -76,7 +77,7 @@ gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage; * initialized to point to that gss_OID_desc. */ static gss_OID_desc GSS_C_NT_STRING_UID_NAME_storage = - {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"}; + {10, (void *)(uintptr_t)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"}; gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage; /* @@ -97,7 +98,7 @@ gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage; * implementations */ static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X_storage = - {6, (void *)"\x2b\x06\x01\x05\x06\x02"}; + {6, (void *)(uintptr_t)"\x2b\x06\x01\x05\x06\x02"}; gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_storage; /* @@ -112,7 +113,7 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_storage; * to point to that gss_OID_desc. */ static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_storage = - {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"}; + {10, (void *)(uintptr_t)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"}; gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_storage; /* @@ -126,7 +127,7 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_storage; * to that gss_OID_desc. */ static gss_OID_desc GSS_C_NT_ANONYMOUS_storage = - {6, (void *)"\x2b\x06\01\x05\x06\x03"}; + {6, (void *)(uintptr_t)"\x2b\x06\01\x05\x06\x03"}; gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_storage; /* @@ -140,7 +141,7 @@ gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_storage; * to that gss_OID_desc. */ static gss_OID_desc GSS_C_NT_EXPORT_NAME_storage = - {6, (void *)"\x2b\x06\x01\x05\x06\x04"}; + {6, (void *)(uintptr_t)"\x2b\x06\x01\x05\x06\x04"}; gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_storage; /* 
@@ -150,7 +151,7 @@ gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_storage; * is "GSS_KRB5_NT_PRINCIPAL_NAME". */ static gss_OID_desc GSS_KRB5_NT_PRINCIPAL_NAME_storage = - {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"}; + {10, (void *)(uintptr_t)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"}; gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &GSS_KRB5_NT_PRINCIPAL_NAME_storage; /* @@ -177,15 +178,18 @@ gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage; */ gss_OID GSS_KRB5_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage; -struct _gss_mechanism_name * -_gss_find_mn(struct _gss_name *name, gss_OID mech) +OM_uint32 +_gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech, + struct _gss_mechanism_name **output_mn) { - OM_uint32 major_status, minor_status; + OM_uint32 major_status; struct _gss_mech_switch *m; struct _gss_mechanism_name *mn; + *output_mn = NULL; + SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { - if (_gss_oid_equal(mech, mn->gmn_mech_oid)) + if (gss_oid_equal(mech, mn->gmn_mech_oid)) break; } 
@@ -195,40 +199,42 @@ _gss_find_mn(struct _gss_name *name, gss_OID mech) * MN but it is from a different mech), give up now. */ if (!name->gn_value.value) - return (0); + return (GSS_S_BAD_NAME); m = _gss_find_mech_switch(mech); if (!m) - return (0); + return (GSS_S_BAD_MECH); mn = malloc(sizeof(struct _gss_mechanism_name)); if (!mn) - return (0); + return (GSS_S_FAILURE); - major_status = m->gm_import_name(&minor_status, + major_status = m->gm_import_name(minor_status, &name->gn_value, (name->gn_type.elements ? &name->gn_type : GSS_C_NO_OID), &mn->gmn_name); - if (major_status) { + if (major_status != GSS_S_COMPLETE) { + _gss_mg_error(m, major_status, *minor_status); free(mn); - return (0); + return (major_status); } mn->gmn_mech = m; mn->gmn_mech_oid = &m->gm_mech_oid; SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link); } - return (mn); + *output_mn = mn; + return (GSS_S_COMPLETE); } + /* * Make a name from an MN. */ struct _gss_name * _gss_make_name(struct _gss_mech_switch *m, gss_name_t new_mn) { - OM_uint32 minor_status; struct _gss_name *name; struct _gss_mechanism_name *mn; diff --git a/lib/libgssapi/gss_oid_to_str.c b/lib/libgssapi/gss_oid_to_str.c new file mode 100644 index 000000000000..05e0d73887d8 --- /dev/null +++ b/lib/libgssapi/gss_oid_to_str.c 
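Review bot: The three early returns added here (`GSS_S_BAD_NAME`, `GSS_S_BAD_MECH` and the `GSS_S_FAILURE` after `malloc`) leave `*minor_status` untouched, so a caller that reads it after a failure sees whatever value was there before; only the `gm_import_name` path writes it. Since `minor_status` is now an output parameter rather than a local, initialise it next to the other output, `*minor_status = 0;` beside `*output_mn = NULL;`, and set `*minor_status = ENOMEM;` before the `GSS_S_FAILURE` return on the allocation failure. `_gss_find_mn` begins in the previous hunk, so its start is not in this one.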
@@ -0,0 +1,118 @@ +/*- + * Copyright (c) 2000 The Regents of the University of Michigan. + * All rights reserved. + * + * Copyright (c) 2000 Dug Song . + * All rights reserved, all wrongs reversed. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* $FreeBSD$ */ + +#include +#include +#include +#include +#include + +#include "utils.h" + +OM_uint32 +gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str) +{ + char numstr[128]; + unsigned long number; + int numshift; + size_t string_length; + size_t i; + unsigned char *cp; + char *bp; + + *minor_status = 0; + _gss_buffer_zero(oid_str); + + if (oid == GSS_C_NULL_OID) + return (GSS_S_FAILURE); + + /* Decoded according to krb5/gssapi_krb5.c */ + + /* First determine the size of the string */ + string_length = 0; + number = 0; + numshift = 0; + cp = (unsigned char *) oid->elements; + number = (unsigned long) cp[0]; + sprintf(numstr, "%ld ", number/40); + string_length += strlen(numstr); + sprintf(numstr, "%ld ", number%40); + string_length += strlen(numstr); + for (i=1; ilength; i++) { + if ( (size_t) (numshift+7) < (sizeof(unsigned long)*8)) { + number = (number << 7) | (cp[i] & 0x7f); + numshift += 7; + } + else { + *minor_status = 0; + return(GSS_S_FAILURE); + } + if ((cp[i] & 0x80) == 0) { + sprintf(numstr, "%ld ", number); + string_length += strlen(numstr); + number = 0; + numshift = 0; + } + } + /* + * If we get here, we've calculated the length of "n n n ... n ". + * Add 4 here for "{ " and "}\0". + */ + string_length += 4; + if ((bp = (char *) malloc(string_length))) { + strcpy(bp, "{ "); + number = (unsigned long) cp[0]; + sprintf(numstr, "%ld ", number/40); + strcat(bp, numstr); + sprintf(numstr, "%ld ", number%40); + strcat(bp, numstr); + number = 0; + cp = (unsigned char *) oid->elements; + for (i=1; ilength; i++) { + number = (number << 7) | (cp[i] & 0x7f); + if ((cp[i] & 0x80) == 0) { + sprintf(numstr, "%ld ", number); + strcat(bp, numstr); + number = 0; + } + } + strcat(bp, "}"); + oid_str->length = strlen(bp)+1; + oid_str->value = (void *) bp; + *minor_status = 0; + return(GSS_S_COMPLETE); + } + *minor_status = ENOMEM; + return(GSS_S_FAILURE); +} 
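Review bot: `cp[0]` is read before anything checks `oid->length`, so a zero-length OID (or one with `elements == NULL`) makes `gss_oid_to_str` read out of bounds; extend the guard to `if (oid == GSS_C_NULL_OID || oid->length == 0 || oid->elements == NULL) return (GSS_S_FAILURE);`. The two passes over the encoding compute and consume the same lengths, so the `strcpy`/`strcat` chain cannot overrun `bp`, but a final byte with the continuation bit set is silently dropped by both passes rather than rejected, and `number` is `unsigned long` printed with `%ld` where `%lu` is the matching conversion. A single pass that `snprintf`s into a buffer sized by the first loop would remove the duplicated decoding logic and the risk of the two loops drifting apart in a later edit.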
diff --git a/crypto/heimdal/lib/gssapi/copy_ccache.c b/lib/libgssapi/gss_pseudo_random.c
similarity index 63%
rename from crypto/heimdal/lib/gssapi/copy_ccache.c
rename to lib/libgssapi/gss_pseudo_random.c
index 2ffe0656d8cb..72166099512a 100644
--- a/crypto/heimdal/lib/gssapi/copy_ccache.c
+++ b/lib/libgssapi/gss_pseudo_random.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
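Review bot: This hunk is a copyright-year change only; nothing to raise here. The substantive rewrite is in the next hunk.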
@@ -30,29 +30,43 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ +/* $FreeBSD$ */ +/* $Id: gss_pseudo_random.c 20053 2007-01-24 01:31:35Z lha $ */ -#include "gssapi_locl.h" +#include -RCSID("$Id: copy_ccache.c,v 1.3 2003/03/16 17:47:44 lha Exp $"); +#include "mech_switch.h" +#include "context.h" +#include "utils.h" OM_uint32 -gss_krb5_copy_ccache(OM_uint32 *minor_status, - gss_cred_id_t cred, - krb5_ccache out) +gss_pseudo_random(OM_uint32 *minor_status, + gss_ctx_id_t context, + int prf_key, + const gss_buffer_t prf_in, + ssize_t desired_output_len, + gss_buffer_t prf_out) { - krb5_error_code kret; + struct _gss_context *ctx = (struct _gss_context *) context; + struct _gss_mech_switch *m = ctx->gc_mech; + OM_uint32 major_status; - if (cred->ccache == NULL) { - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - - kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } + _gss_buffer_zero(prf_out); *minor_status = 0; - return GSS_S_COMPLETE; + + if (ctx == NULL) { + *minor_status = 0; + return GSS_S_NO_CONTEXT; + } + + if (m->gm_pseudo_random == NULL) + return GSS_S_UNAVAILABLE; + + major_status = (*m->gm_pseudo_random)(minor_status, ctx->gc_ctx, + prf_key, prf_in, desired_output_len, + prf_out); + if (major_status != GSS_S_COMPLETE) + _gss_mg_error(m, major_status, *minor_status); + + return major_status; } diff --git a/lib/libgssapi/gss_release_buffer.c b/lib/libgssapi/gss_release_buffer.c index 8e7fa60e5471..7a85745abc5b 100644 --- a/lib/libgssapi/gss_release_buffer.c +++ b/lib/libgssapi/gss_release_buffer.c @@ -27,6 +27,9 @@ */ #include +#include + +#include "utils.h" OM_uint32 gss_release_buffer(OM_uint32 *minor_status, 
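Review bot: `struct _gss_mech_switch *m = ctx->gc_mech;` dereferences `ctx` in its initialiser, before the `if (ctx == NULL)` guard added a few lines later, so the guard can never fire on a NULL handle and a compiler is entitled to delete it; declare `m` without an initialiser and assign `m = ctx->gc_mech;` after the NULL check. The same ordering appears in the `gss_verify_mic`, `gss_wrap` and `gss_wrap_size_limit` hunks, where the new `ctx == NULL` checks sit after the unchanged context line that already reads `ctx->gc_mech`. The `gss_set_sec_context_option` file in this diff shows the intended order: fetch `gc_mech` only after the context has been checked.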
@@ -36,8 +39,7 @@ gss_release_buffer(OM_uint32 *minor_status, *minor_status = 0; if (buffer->value) free(buffer->value); - buffer->length = 0; - buffer->value = 0; + _gss_buffer_zero(buffer); return (GSS_S_COMPLETE); } diff --git a/lib/libgssapi/gss_release_cred.c b/lib/libgssapi/gss_release_cred.c index cec814c66291..6093acd8f3b7 100644 --- a/lib/libgssapi/gss_release_cred.c +++ b/lib/libgssapi/gss_release_cred.c @@ -51,6 +51,6 @@ gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) free(cred); *minor_status = 0; - *cred_handle = 0; + *cred_handle = GSS_C_NO_CREDENTIAL; return (GSS_S_COMPLETE); } diff --git a/lib/libgssapi/gss_release_name.c b/lib/libgssapi/gss_release_name.c index 4294ad7c4b48..08ae10a26ec3 100644 --- a/lib/libgssapi/gss_release_name.c +++ b/lib/libgssapi/gss_release_name.c @@ -38,7 +38,6 @@ gss_release_name(OM_uint32 *minor_status, gss_name_t *input_name) { struct _gss_name *name = (struct _gss_name *) *input_name; - struct _gss_mech_switch *m; *minor_status = 0; if (name) { @@ -53,7 +52,8 @@ gss_release_name(OM_uint32 *minor_status, free(mn); } gss_release_buffer(minor_status, &name->gn_value); - *input_name = 0; + free(name); + *input_name = GSS_C_NO_NAME; } return (GSS_S_COMPLETE); } diff --git a/crypto/heimdal/lib/gssapi/compare_name.c b/lib/libgssapi/gss_release_oid.c similarity index 75% rename from crypto/heimdal/lib/gssapi/compare_name.c rename to lib/libgssapi/gss_release_oid.c index da494b0d10b4..a2e7a61a6678 100644 --- a/crypto/heimdal/lib/gssapi/compare_name.c +++ b/lib/libgssapi/gss_release_oid.c @@ -1,5 +1,5 @@ -/* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan +/*- + * Copyright (c) 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -30,22 +30,32 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ +/* $FreeBSD$ */ -#include "gssapi_locl.h" +#include +#include -RCSID("$Id: compare_name.c,v 1.4 2003/03/16 17:50:07 lha Exp $"); +/* RCSID("$Id: gss_release_oid.c 17747 2006-06-30 09:34:54Z lha $"); */ -OM_uint32 gss_compare_name - (OM_uint32 * minor_status, - const gss_name_t name1, - const gss_name_t name2, - int * name_equal - ) +OM_uint32 +gss_release_oid(OM_uint32 *minor_status, gss_OID *oid) { - GSSAPI_KRB5_INIT(); + gss_OID o = *oid; - *name_equal = krb5_principal_compare (gssapi_krb5_context, - name1, name2); - *minor_status = 0; - return GSS_S_COMPLETE; + *oid = GSS_C_NO_OID; + + if (minor_status != NULL) + *minor_status = 0; + + if (o == GSS_C_NO_OID) + return (GSS_S_COMPLETE); + + if (o->elements != NULL) { + free(o->elements); + o->elements = NULL; + } + o->length = 0; + free(o); + + return (GSS_S_COMPLETE); } diff --git a/lib/libgssapi/gss_release_oid_set.c b/lib/libgssapi/gss_release_oid_set.c index 49c17ab8326a..bedb90ba8439 100644 --- a/lib/libgssapi/gss_release_oid_set.c +++ b/lib/libgssapi/gss_release_oid_set.c @@ -36,11 +36,11 @@ gss_release_oid_set(OM_uint32 *minor_status, { *minor_status = 0; - if (*set) { + if (set && *set) { if ((*set)->elements) free((*set)->elements); free(*set); - *set = 0; + *set = GSS_C_NO_OID_SET; } return (GSS_S_COMPLETE); } diff --git a/lib/libgssapi/gss_set_cred_option.c b/lib/libgssapi/gss_set_cred_option.c new file mode 100644 index 000000000000..93b221294651 --- /dev/null +++ b/lib/libgssapi/gss_set_cred_option.c 
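Review bot: `gss_release_oid` reads `*oid` in the declaration of `o` without checking `oid` itself, while the same function does check `minor_status != NULL` and the neighbouring `gss_release_oid_set` hunk adds `if (set && *set)`; for consistency guard the handle first, `if (oid == NULL) return (GSS_S_CALL_INACCESSIBLE_READ);` placed before `gss_OID o = *oid;` (or treat a NULL `oid` as already released and return `GSS_S_COMPLETE`). The commented-out `RCSID(...)` line is dead text; if the id is worth keeping, a plain `/* $Id$ */`-style comment as used in `gss_pseudo_random.c` is the clearer form.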
@@ -0,0 +1,125 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ +/* $FreeBSD$ */ +/* RCSID("$Id: gss_set_cred_option.c 21126 2007-06-18 20:19:59Z lha $"); */ + +#include +#include +#include + +#include "mech_switch.h" +#include "cred.h" + +OM_uint32 +gss_set_cred_option (OM_uint32 *minor_status, + gss_cred_id_t *cred_handle, + const gss_OID object, + const gss_buffer_t value) +{ + struct _gss_cred *cred = (struct _gss_cred *) *cred_handle; + OM_uint32 major_status = GSS_S_COMPLETE; + struct _gss_mechanism_cred *mc; + int one_ok = 0; + + *minor_status = 0; + + _gss_load_mech(); + + if (cred == NULL) { + struct _gss_mech_switch *m; + + cred = malloc(sizeof(*cred)); + if (cred == NULL) + return GSS_S_FAILURE; + + SLIST_INIT(&cred->gc_mc); + + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + + if (m->gm_set_cred_option == NULL) + continue; + + mc = malloc(sizeof(*mc)); + if (mc == NULL) { + *cred_handle = (gss_cred_id_t)cred; + gss_release_cred(minor_status, cred_handle); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + mc->gmc_mech = m; + mc->gmc_mech_oid = &m->gm_mech_oid; + mc->gmc_cred = GSS_C_NO_CREDENTIAL; + + major_status = m->gm_set_cred_option( + minor_status, &mc->gmc_cred, object, value); + + if (major_status) { + free(mc); + continue; + } + one_ok = 1; + SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link); + } + *cred_handle = (gss_cred_id_t)cred; + if (!one_ok) { + OM_uint32 junk; + gss_release_cred(&junk, cred_handle); + } + } else { + struct _gss_mech_switch *m; + + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + m = mc->gmc_mech; + + if (m == NULL) + return GSS_S_BAD_MECH; + + if (m->gm_set_cred_option == NULL) + continue; + + major_status = m->gm_set_cred_option(minor_status, + &mc->gmc_cred, object, value); + if (major_status == GSS_S_COMPLETE) + one_ok = 1; + else + _gss_mg_error(m, major_status, *minor_status); + + } + } + if (one_ok) { + *minor_status = 0; + return (GSS_S_COMPLETE); + } + return (major_status); +} + 
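Review bot: On the `cred == NULL` path `major_status` starts as `GSS_S_COMPLETE`, so if no loaded mechanism provides `gm_set_cred_option` the loop body never runs, `one_ok` stays 0, the freshly allocated credential is released, and the function still returns `GSS_S_COMPLETE` with `*cred_handle` left as `GSS_C_NO_CREDENTIAL` by `gss_release_cred`; initialising `OM_uint32 major_status = GSS_S_UNAVAILABLE;` makes that case report an error, matching what `gss_pseudo_random` returns when a mechanism lacks the entry point. The first `malloc` failure also returns `GSS_S_FAILURE` without `*minor_status = ENOMEM;`, unlike the second allocation a few lines below, which sets it.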
diff --git a/lib/libgssapi/gss_set_sec_context_option.c b/lib/libgssapi/gss_set_sec_context_option.c
new file mode 100644
index 000000000000..4b6bf1bda269
--- /dev/null
+++ b/lib/libgssapi/gss_set_sec_context_option.c
@@ -0,0 +1,92 @@ +/* + * Copyright (c) 2004, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ +/* $FreeBSD$ */ +/* RCSID("$Id: gss_set_sec_context_option.c 19928 2007-01-16 10:37:54Z lha $"); */ + +#include + +#include "mech_switch.h" +#include "context.h" + +OM_uint32 +gss_set_sec_context_option (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID object, + const gss_buffer_t value) +{ + struct _gss_context *ctx; + OM_uint32 major_status; + struct _gss_mech_switch *m; + int one_ok = 0; + + *minor_status = 0; + + if (context_handle == NULL) { + _gss_load_mech(); + major_status = GSS_S_BAD_MECH; + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (!m->gm_set_sec_context_option) + continue; + major_status = m->gm_set_sec_context_option( + minor_status, + NULL, object, value); + if (major_status == GSS_S_COMPLETE) + one_ok = 1; + } + if (one_ok) { + *minor_status = 0; + return (GSS_S_COMPLETE); + } + return (major_status); + } + + ctx = (struct _gss_context *) *context_handle; + + if (ctx == NULL) + return (GSS_S_NO_CONTEXT); + + m = ctx->gc_mech; + + if (m == NULL) + return (GSS_S_BAD_MECH); + + if (m->gm_set_sec_context_option != NULL) { + major_status = m->gm_set_sec_context_option(minor_status, + &ctx->gc_ctx, object, value); + if (major_status != GSS_S_COMPLETE) + _gss_mg_error(m, major_status, *minor_status); + } else + major_status = (GSS_S_BAD_MECH); + + return (major_status); +} + diff --git a/lib/libgssapi/gss_test_oid_set_member.c b/lib/libgssapi/gss_test_oid_set_member.c index 62175ca9d365..0421319eb149 100644 --- a/lib/libgssapi/gss_test_oid_set_member.c +++ b/lib/libgssapi/gss_test_oid_set_member.c @@ -36,11 +36,11 @@ gss_test_oid_set_member(OM_uint32 *minor_status, const gss_OID_set set, int *present) { - int i; + size_t i; *present = 0; for (i = 0; i < set->count; i++) - if (_gss_oid_equal(member, &set->elements[i])) + if (gss_oid_equal(member, &set->elements[i])) *present = 1; *minor_status = 0; diff --git a/lib/libgssapi/gss_unseal.c b/lib/libgssapi/gss_unseal.c index bc7dc26111c0..c3775103ce4f 100644 
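Review bot: A context whose mechanism has no `gm_set_sec_context_option` returns `GSS_S_BAD_MECH` from the final `else`, which mis-describes the condition — the mechanism is valid, the operation is unsupported — and differs from `gss_pseudo_random` in this same diff, which returns `GSS_S_UNAVAILABLE` for the equivalent case; use `major_status = GSS_S_UNAVAILABLE;` there. In the `context_handle == NULL` loop, per-mechanism failures are not passed to `_gss_mg_error` as they are in the single-context path, so when no mechanism accepts the option the caller only learns the last mechanism's status and nothing is recorded for `gss_display_status`.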
--- a/lib/libgssapi/gss_unseal.c +++ b/lib/libgssapi/gss_unseal.c @@ -39,5 +39,5 @@ gss_unseal(OM_uint32 *minor_status, return (gss_unwrap(minor_status, context_handle, input_message_buffer, - output_message_buffer, conf_state, qop_state)); + output_message_buffer, conf_state, (gss_qop_t *)qop_state)); } diff --git a/lib/libgssapi/gss_utils.c b/lib/libgssapi/gss_utils.c index 1f8dfab9fe6d..ec582a9bd1a4 100644 --- a/lib/libgssapi/gss_utils.c +++ b/lib/libgssapi/gss_utils.c @@ -34,7 +34,7 @@ #include "utils.h" int -_gss_oid_equal(const gss_OID oid1, const gss_OID oid2) +gss_oid_equal(const gss_OID oid1, const gss_OID oid2) { if (oid1 == oid2) @@ -57,6 +57,7 @@ _gss_copy_oid(OM_uint32 *minor_status, *minor_status = 0; to_oid->elements = malloc(len); if (!to_oid->elements) { + to_oid->length = 0; *minor_status = ENOMEM; return GSS_S_FAILURE; } @@ -76,6 +77,7 @@ _gss_copy_buffer(OM_uint32 *minor_status, to_buf->value = malloc(len); if (!to_buf->value) { *minor_status = ENOMEM; + to_buf->length = 0; return GSS_S_FAILURE; } to_buf->length = len; diff --git a/lib/libgssapi/gss_verify.c b/lib/libgssapi/gss_verify.c index 31108750e3dd..0aa3fd67e28b 100644 --- a/lib/libgssapi/gss_verify.c +++ b/lib/libgssapi/gss_verify.c @@ -37,5 +37,6 @@ gss_verify(OM_uint32 *minor_status, { return (gss_verify_mic(minor_status, - context_handle, message_buffer, token_buffer, qop_state)); + context_handle, message_buffer, token_buffer, + (gss_qop_t *)qop_state)); } diff --git a/lib/libgssapi/gss_verify_mic.c b/lib/libgssapi/gss_verify_mic.c index 4e11ab1e08fc..fa3d68d035fe 100644 --- a/lib/libgssapi/gss_verify_mic.c +++ b/lib/libgssapi/gss_verify_mic.c 
@@ -41,6 +41,13 @@ gss_verify_mic(OM_uint32 *minor_status, struct _gss_context *ctx = (struct _gss_context *) context_handle; struct _gss_mech_switch *m = ctx->gc_mech; + if (qop_state) + *qop_state = 0; + if (ctx == NULL) { + *minor_status = 0; + return (GSS_S_NO_CONTEXT); + } + return (m->gm_verify_mic(minor_status, ctx->gc_ctx, message_buffer, token_buffer, qop_state)); } diff --git a/lib/libgssapi/gss_wrap.c b/lib/libgssapi/gss_wrap.c index 0d7c74933c31..2f9431694a5f 100644 --- a/lib/libgssapi/gss_wrap.c +++ b/lib/libgssapi/gss_wrap.c @@ -30,6 +30,7 @@ #include "mech_switch.h" #include "context.h" +#include "utils.h" OM_uint32 gss_wrap(OM_uint32 *minor_status, @@ -43,6 +44,14 @@ gss_wrap(OM_uint32 *minor_status, struct _gss_context *ctx = (struct _gss_context *) context_handle; struct _gss_mech_switch *m = ctx->gc_mech; + if (conf_state) + *conf_state = 0; + _gss_buffer_zero(output_message_buffer); + if (ctx == NULL) { + *minor_status = 0; + return (GSS_S_NO_CONTEXT); + } + return (m->gm_wrap(minor_status, ctx->gc_ctx, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer)); diff --git a/lib/libgssapi/gss_wrap_size_limit.c b/lib/libgssapi/gss_wrap_size_limit.c index 8abd52a12094..15a870676da4 100644 --- a/lib/libgssapi/gss_wrap_size_limit.c +++ b/lib/libgssapi/gss_wrap_size_limit.c @@ -42,6 +42,12 @@ gss_wrap_size_limit(OM_uint32 *minor_status, struct _gss_context *ctx = (struct _gss_context *) context_handle; struct _gss_mech_switch *m = ctx->gc_mech; + *max_input_size = 0; + if (ctx == NULL) { + *minor_status = 0; + return (GSS_S_NO_CONTEXT); + } + return (m->gm_wrap_size_limit(minor_status, ctx->gc_ctx, conf_req_flag, qop_req, req_output_size, max_input_size)); } diff --git a/lib/libgssapi/mech.5 b/lib/libgssapi/mech.5 index 1edcc1a846df..fd17e3a21b04 100644 --- a/lib/libgssapi/mech.5 +++ b/lib/libgssapi/mech.5 
@@ -50,11 +50,18 @@ A shared library containing the implementation of this mechanism. A kernel module containing the implementation of this mechanism (not yet supported in FreeBSD). .It Library options (optional) -Optionsal parameters interpreted by the mechanism. Library options +Optional parameters interpreted by the mechanism. Library options must be enclosed in brackets ([ ]) to differentiate them from the optional kernel module entry. .El .Pp +The first mechanism listed in +.Pa "/etc/gss/mech" +is the default mechanism. +This mechanism will be used by +.Xr gss_init_sec_context 3 +if the user doesn't specify a specific mechanism. +.Pp The .Pa "/etc/gss/qop" file contains a list of Quality of Protection values for use with diff --git a/lib/libgssapi/mech_switch.h b/lib/libgssapi/mech_switch.h index 4add12d8af10..876adcda9e64 100644 --- a/lib/libgssapi/mech_switch.h +++ b/lib/libgssapi/mech_switch.h @@ -26,6 +26,7 @@ * $FreeBSD$ */ +#include #include typedef OM_uint32 _gss_acquire_cred_t 
@@ -266,24 +267,46 @@ typedef OM_uint32 _gss_duplicate_name_t ( gss_name_t * /* dest_name */ ); -typedef OM_uint32 _gsskrb5_register_acceptor_identity ( - const char * /* identity */ +typedef OM_uint32 _gss_inquire_sec_context_by_oid + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + const gss_OID, /* desired_object */ + gss_buffer_set_t * /* result */ ); -typedef OM_uint32 _gss_krb5_copy_ccache ( - OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* cred_handle */ - struct krb5_ccache_data * /* out */ +typedef OM_uint32 _gss_inquire_cred_by_oid + (OM_uint32 *, /* bminor_status */ + const gss_cred_id_t, /* cred_handle, */ + const gss_OID, /* desired_object */ + gss_buffer_set_t * /* data_set */ ); -typedef OM_uint32 _gss_krb5_compat_des3_mic ( - OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int /* flag */ +typedef OM_uint32 _gss_set_sec_context_option + (OM_uint32 *, /* minor status */ + gss_ctx_id_t *, /* context */ + const gss_OID, /* option to set */ + const gss_buffer_t /* option value */ + ); + +typedef OM_uint32 _gss_set_cred_option + (OM_uint32 *, /* minor status */ + gss_cred_id_t *, /* cred */ + const gss_OID, /* option to set */ + const gss_buffer_t /* option value */ + ); + +typedef OM_uint32 _gss_pseudo_random + (OM_uint32 *, /* minor status */ + gss_ctx_id_t, /* context */ + int, /* PRF key */ + const gss_buffer_t, /* PRF input */ + ssize_t, /* desired output length */ + gss_buffer_t /* PRF output */ ); struct _gss_mech_switch { SLIST_ENTRY(_gss_mech_switch) gm_link; + const char *gm_name_prefix; gss_OID_desc gm_mech_oid; void *gm_so; _gss_acquire_cred_t *gm_acquire_cred; 
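Review bot: The parameter comments on the new `_gss_inquire_cred_by_oid` typedef carry typos, `/* bminor_status */` and `/* cred_handle, */`, which should read `/* minor_status */` and `/* cred_handle */` like the surrounding typedefs. `gm_name_prefix` is a new pointer in `struct _gss_mech_switch` that, per the `mech.c` hunk, points either at the literal `"gss"` or at whatever the module's `_gss_name_prefix()` returns; a comment such as `/* symbol prefix: "gss" or the string returned by the module's _gss_name_prefix(); not owned by this struct */` would make that lifetime explicit, assuming the switch never frees it, which the visible hunks suggest.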
@@ -315,9 +338,11 @@ struct _gss_mech_switch { _gss_inquire_mechs_for_name_t *gm_inquire_mechs_for_name; _gss_canonicalize_name_t *gm_canonicalize_name; _gss_duplicate_name_t *gm_duplicate_name; - _gsskrb5_register_acceptor_identity *gm_krb5_register_acceptor_identity; - _gss_krb5_copy_ccache *gm_krb5_copy_ccache; - _gss_krb5_compat_des3_mic *gm_krb5_compat_des3_mic; + _gss_inquire_sec_context_by_oid *gm_inquire_sec_context_by_oid; + _gss_inquire_cred_by_oid *gm_inquire_cred_by_oid; + _gss_set_sec_context_option *gm_set_sec_context_option; + _gss_set_cred_option *gm_set_cred_option; + _gss_pseudo_random *gm_pseudo_random; }; SLIST_HEAD(_gss_mech_switch_list, _gss_mech_switch); extern struct _gss_mech_switch_list _gss_mechs; @@ -325,3 +350,5 @@ extern gss_OID_set _gss_mech_oids; extern void _gss_load_mech(void); extern struct _gss_mech_switch *_gss_find_mech_switch(gss_OID); +extern void _gss_mg_error(struct _gss_mech_switch *m, OM_uint32 maj, + OM_uint32 min); diff --git a/lib/libgssapi/name.h b/lib/libgssapi/name.h index a64d5d91e728..7f54359dc003 100644 --- a/lib/libgssapi/name.h +++ b/lib/libgssapi/name.h @@ -42,7 +42,8 @@ struct _gss_name { struct _gss_mechanism_name_list gn_mn; /* list of MNs */ }; -extern struct _gss_mechanism_name * - _gss_find_mn(struct _gss_name *name, gss_OID mech); -struct _gss_name * +extern OM_uint32 + _gss_find_mn(OM_uint32 *, struct _gss_name *, gss_OID, + struct _gss_mechanism_name **); +extern struct _gss_name * _gss_make_name(struct _gss_mech_switch *m, gss_name_t new_mn); diff --git a/lib/libgssapi/utils.h b/lib/libgssapi/utils.h index 46edb9d4a25a..a54cb5089c03 100644 --- a/lib/libgssapi/utils.h +++ b/lib/libgssapi/utils.h 
@@ -26,6 +26,8 @@ * $FreeBSD$ */ +#define _gss_buffer_zero(buffer) \ + do { (buffer)->value = NULL; (buffer)->length = 0; } while(0) extern int _gss_oid_equal(const gss_OID, const gss_OID); extern OM_uint32 _gss_copy_oid(OM_uint32 *, const gss_OID, gss_OID); extern OM_uint32 _gss_copy_buffer(OM_uint32 *minor_status, diff --git a/lib/libpam/modules/pam_krb5/Makefile b/lib/libpam/modules/pam_krb5/Makefile index a90236c6aca4..a376f7e2bcee 100644 --- a/lib/libpam/modules/pam_krb5/Makefile +++ b/lib/libpam/modules/pam_krb5/Makefile @@ -32,7 +32,7 @@ CFLAGS+=-D_FREEFALL_CONFIG WARNS= 0 .endif -DPADD= ${LIBKRB5} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO} -LDADD= -lkrb5 -lasn1 -lroken -lcom_err -lcrypt -lcrypto +DPADD= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO} +LDADD= -lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lcrypt -lcrypto .include diff --git a/libexec/telnetd/Makefile b/libexec/telnetd/Makefile index 9a4adca83c28..3ad8a4e4a94a 100644 --- a/libexec/telnetd/Makefile +++ b/libexec/telnetd/Makefile @@ -41,8 +41,8 @@ LDADD+= -lmp -lcrypto -lcrypt ${MINUSLPAM} .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -DKRB5 -DFORWARD -Dnet_write=telnet_net_write -DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} -LDADD+= -lkrb5 -lasn1 -lroken -lcom_err +DPADD+= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} +LDADD+= -lkrb5 -lhx509 -lasn1 -lroken -lcom_err .endif .endif diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile index ec65f68361c4..e2bdcc5939e1 100644 --- a/secure/lib/libssh/Makefile +++ b/secure/lib/libssh/Makefile 
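Review bot: The `utils.h` hunk keeps `extern int _gss_oid_equal(const gss_OID, const gss_OID);` as unchanged context, but the `gss_utils.c` hunk renames the definition to `gss_oid_equal` and every caller in this diff (`mech.c`, `gss_names.c`, `gss_test_oid_set_member.c`) now uses the new name, so the remaining prototype declares a function that no longer exists; drop it, or replace it with `extern int gss_oid_equal(const gss_OID, const gss_OID);` if the public header that presumably declares `gss_oid_equal` is not included here. A one-line comment above the new macro, `/* Reset a gss_buffer_desc to the empty state gss_release_buffer() accepts. */`, would document why the wrappers zero their output buffers before every early return.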
@@ -34,8 +34,8 @@ LDADD= -lz .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL -DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBMD} ${LIBROKEN} -LDADD+= -lgssapi -lkrb5 -lasn1 -lcom_err -lmd -lroken +DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBCOM_ERR} ${LIBMD} ${LIBROKEN} +LDADD+= -lgssapi -lkrb5 -lhx509 -lasn1 -lcom_err -lmd -lroken .endif NO_LINT= diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile index 9a9ddaee368c..66d122d9fee6 100644 --- a/secure/usr.sbin/sshd/Makefile +++ b/secure/usr.sbin/sshd/Makefile @@ -32,9 +32,9 @@ LDADD+= -lbsm .endif .if ${MK_KERBEROS_SUPPORT} != "no" -CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL -DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN} -LDADD+= -lgssapi -lkrb5 -lasn1 -lcom_err -lroken +CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1 -DKRB5 -DHEIMDAL +DPADD+= ${LIBGSSAPI} ${LIBGSSAPI_KRB5} +LDADD+= -lgssapi -lgssapi_krb5 .endif .if defined(X11BASE) diff --git a/share/mk/bsd.libnames.mk b/share/mk/bsd.libnames.mk index b6fa6766360e..f98cbfe0e41b 100644 --- a/share/mk/bsd.libnames.mk +++ b/share/mk/bsd.libnames.mk @@ -51,8 +51,11 @@ LIBGCC_PIC?= ${DESTDIR}${LIBDIR}/libgcc_pic.a LIBGEOM?= ${DESTDIR}${LIBDIR}/libgeom.a LIBGNUREGEX?= ${DESTDIR}${LIBDIR}/libgnuregex.a LIBGSSAPI?= ${DESTDIR}${LIBDIR}/libgssapi.a +LIBGSSAPI_KRB5?= ${DESTDIR}${LIBDIR}/libgssapi_krb5.a LIBHDB?= ${DESTDIR}${LIBDIR}/libhdb.a LIBHISTORY?= ${DESTDIR}${LIBDIR}/libhistory.a +LIBHEIMNTLM?= ${DESTDIR}${LIBDIR}/libheimntlm.a +LIBHX509?= ${DESTDIR}${LIBDIR}/libhx509.a LIBIPSEC?= ${DESTDIR}${LIBDIR}/libipsec.a .if ${MK_IPX} != "no" LIBIPX?= ${DESTDIR}${LIBDIR}/libipx.a 
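Review bot: The sshd hunk drops `${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN}` and the matching `-l` flags in favour of `-lgssapi -lgssapi_krb5`, while the `libssh` hunk just above keeps `-lkrb5 -lhx509 -lasn1 -lcom_err -lmd -lroken`; if any of sshd's `-DKRB5` sources call `krb5_*` directly, the link now relies on those symbols arriving transitively through the shared `libgssapi_krb5`, which a static build (`LDFLAGS:M-static`, the case `bsd.libnames.mk` handles for `LIBPAM`) would not get. Either keep the explicit Kerberos libraries in sshd's `DPADD`/`LDADD`, or add a comment recording that sshd intentionally no longer links libkrb5 directly.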
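Review bot: In the `bsd.libnames.mk` hunk `LIBHEIMNTLM?=` is inserted after `LIBHISTORY?=`, which breaks the alphabetical order the surrounding block follows (`LIBHDB`, `LIBHISTORY`, `LIBHX509`, `LIBIPSEC`); move it to sit between `LIBHDB?=` and `LIBHISTORY?=` so the next addition lands in the expected place.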
@@ -100,9 +103,9 @@ LIBPAM?= ${DESTDIR}${LIBDIR}/libpam.a MINUSLPAM= -lpam .if defined(LDFLAGS) && !empty(LDFLAGS:M-static) .if ${MK_KERBEROS} != "no" -LIBPAM+= ${LIBKRB5} ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} \ +LIBPAM+= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} \ ${LIBROKEN} ${LIBCOM_ERR} -MINUSLPAM+= -lkrb5 -lasn1 -lcrypto -lcrypt -lroken -lcom_err +MINUSLPAM+= -lkrb5 -lhx509 -lasn1 -lcrypto -lcrypt -lroken -lcom_err .endif LIBPAM+= ${LIBRADIUS} ${LIBTACPLUS} ${LIBCRYPT} \ ${LIBUTIL} ${LIBOPIE} ${LIBMD} diff --git a/usr.bin/telnet/Makefile b/usr.bin/telnet/Makefile index c5525b3c20d1..ee112ffa06c8 100644 --- a/usr.bin/telnet/Makefile +++ b/usr.bin/telnet/Makefile @@ -42,8 +42,8 @@ LDADD+= -lmp -lcrypto -lcrypt -lipsec ${MINUSLPAM} .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -DKRB5 -DFORWARD -Dnet_write=telnet_net_write -DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN} -LDADD+= -lkrb5 -lasn1 -lcom_err -lroken +DPADD+= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN} +LDADD+= -lkrb5 -lhx509 -lasn1 -lcom_err -lroken .endif .endif