1 /* 2 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved. 3 */ 4 /* 5 * Copyright 1993 by OpenVision Technologies, Inc. 6 * 7 * Permission to use, copy, modify, distribute, and sell this software 8 * and its documentation for any purpose is hereby granted without fee, 9 * provided that the above copyright notice appears in all copies and 10 * that both that copyright notice and this permission notice appear in 11 * supporting documentation, and that the name of OpenVision not be used 12 * in advertising or publicity pertaining to distribution of the software 13 * without specific, written prior permission. OpenVision makes no 14 * representations about the suitability of this software for any 15 * purpose. It is provided "as is" without express or implied warranty. 16 * 17 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 18 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 19 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 20 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF 21 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR 22 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 23 * PERFORMANCE OF THIS SOFTWARE. 
24 */ 25 26 /* 27 * $Id: krb5_gss_glue.c 18262 2006-06-29 04:38:48Z tlyu $ 28 */ 29 30 #include "gssapiP_krb5.h" 31 #include "mglueP.h" 32 #include <syslog.h> 33 34 /** mechglue wrappers **/ 35 36 static OM_uint32 k5glue_acquire_cred 37 (void *, OM_uint32*, /* minor_status */ 38 gss_name_t, /* desired_name */ 39 OM_uint32, /* time_req */ 40 gss_OID_set, /* desired_mechs */ 41 gss_cred_usage_t, /* cred_usage */ 42 gss_cred_id_t*, /* output_cred_handle */ 43 gss_OID_set*, /* actual_mechs */ 44 OM_uint32* /* time_rec */ 45 ); 46 47 static OM_uint32 k5glue_release_cred 48 (void *, OM_uint32*, /* minor_status */ 49 gss_cred_id_t* /* cred_handle */ 50 ); 51 52 static OM_uint32 k5glue_init_sec_context 53 (void *, OM_uint32*, /* minor_status */ 54 gss_cred_id_t, /* claimant_cred_handle */ 55 gss_ctx_id_t*, /* context_handle */ 56 gss_name_t, /* target_name */ 57 gss_OID, /* mech_type */ 58 OM_uint32, /* req_flags */ 59 OM_uint32, /* time_req */ 60 gss_channel_bindings_t, 61 /* input_chan_bindings */ 62 gss_buffer_t, /* input_token */ 63 gss_OID*, /* actual_mech_type */ 64 gss_buffer_t, /* output_token */ 65 OM_uint32*, /* ret_flags */ 66 OM_uint32* /* time_rec */ 67 ); 68 69 static OM_uint32 k5glue_accept_sec_context 70 (void *, OM_uint32*, /* minor_status */ 71 gss_ctx_id_t*, /* context_handle */ 72 gss_cred_id_t, /* verifier_cred_handle */ 73 gss_buffer_t, /* input_token_buffer */ 74 gss_channel_bindings_t, 75 /* input_chan_bindings */ 76 gss_name_t*, /* src_name */ 77 gss_OID*, /* mech_type */ 78 gss_buffer_t, /* output_token */ 79 OM_uint32*, /* ret_flags */ 80 OM_uint32*, /* time_rec */ 81 gss_cred_id_t* /* delegated_cred_handle */ 82 ); 83 84 static OM_uint32 k5glue_process_context_token 85 (void *, OM_uint32*, /* minor_status */ 86 gss_ctx_id_t, /* context_handle */ 87 gss_buffer_t /* token_buffer */ 88 ); 89 90 static OM_uint32 k5glue_delete_sec_context 91 (void *, OM_uint32*, /* minor_status */ 92 gss_ctx_id_t*, /* context_handle */ 93 gss_buffer_t /* output_token 
*/ 94 ); 95 96 static OM_uint32 k5glue_context_time 97 (void *, OM_uint32*, /* minor_status */ 98 gss_ctx_id_t, /* context_handle */ 99 OM_uint32* /* time_rec */ 100 ); 101 102 static OM_uint32 k5glue_sign 103 (void *, OM_uint32*, /* minor_status */ 104 gss_ctx_id_t, /* context_handle */ 105 int, /* qop_req */ 106 gss_buffer_t, /* message_buffer */ 107 gss_buffer_t /* message_token */ 108 ); 109 110 static OM_uint32 k5glue_verify 111 (void *, OM_uint32*, /* minor_status */ 112 gss_ctx_id_t, /* context_handle */ 113 gss_buffer_t, /* message_buffer */ 114 gss_buffer_t, /* token_buffer */ 115 int* /* qop_state */ 116 ); 117 118 /* EXPORT DELETE START */ 119 static OM_uint32 k5glue_seal 120 (void *, OM_uint32*, /* minor_status */ 121 gss_ctx_id_t, /* context_handle */ 122 int, /* conf_req_flag */ 123 int, /* qop_req */ 124 gss_buffer_t, /* input_message_buffer */ 125 int*, /* conf_state */ 126 gss_buffer_t /* output_message_buffer */ 127 ); 128 129 static OM_uint32 k5glue_unseal 130 (void *, OM_uint32*, /* minor_status */ 131 gss_ctx_id_t, /* context_handle */ 132 gss_buffer_t, /* input_message_buffer */ 133 gss_buffer_t, /* output_message_buffer */ 134 int*, /* conf_state */ 135 int* /* qop_state */ 136 ); 137 /* EXPORT DELETE END */ 138 139 static OM_uint32 k5glue_display_status 140 (void *, OM_uint32*, /* minor_status */ 141 OM_uint32, /* status_value */ 142 int, /* status_type */ 143 gss_OID, /* mech_type */ 144 OM_uint32*, /* message_context */ 145 gss_buffer_t /* status_string */ 146 ); 147 148 static OM_uint32 k5glue_indicate_mechs 149 (void *, OM_uint32*, /* minor_status */ 150 gss_OID_set* /* mech_set */ 151 ); 152 153 static OM_uint32 k5glue_compare_name 154 (void *, OM_uint32*, /* minor_status */ 155 gss_name_t, /* name1 */ 156 gss_name_t, /* name2 */ 157 int* /* name_equal */ 158 ); 159 160 static OM_uint32 k5glue_display_name 161 (void *, OM_uint32*, /* minor_status */ 162 gss_name_t, /* input_name */ 163 gss_buffer_t, /* output_name_buffer */ 164 gss_OID* 
/* output_name_type */ 165 ); 166 167 static OM_uint32 k5glue_import_name 168 (void *, OM_uint32*, /* minor_status */ 169 gss_buffer_t, /* input_name_buffer */ 170 gss_OID, /* input_name_type */ 171 gss_name_t* /* output_name */ 172 ); 173 174 static OM_uint32 k5glue_release_name 175 (void *, OM_uint32*, /* minor_status */ 176 gss_name_t* /* input_name */ 177 ); 178 179 static OM_uint32 k5glue_inquire_cred 180 (void *, OM_uint32 *, /* minor_status */ 181 gss_cred_id_t, /* cred_handle */ 182 gss_name_t *, /* name */ 183 OM_uint32 *, /* lifetime */ 184 gss_cred_usage_t*,/* cred_usage */ 185 gss_OID_set * /* mechanisms */ 186 ); 187 188 static OM_uint32 k5glue_inquire_context 189 (void *, OM_uint32*, /* minor_status */ 190 gss_ctx_id_t, /* context_handle */ 191 gss_name_t*, /* initiator_name */ 192 gss_name_t*, /* acceptor_name */ 193 OM_uint32*, /* lifetime_rec */ 194 gss_OID*, /* mech_type */ 195 OM_uint32*, /* ret_flags */ 196 int*, /* locally_initiated */ 197 int* /* open */ 198 ); 199 200 #if 0 201 /* New V2 entry points */ 202 static OM_uint32 k5glue_get_mic 203 (void *, OM_uint32 *, /* minor_status */ 204 gss_ctx_id_t, /* context_handle */ 205 gss_qop_t, /* qop_req */ 206 gss_buffer_t, /* message_buffer */ 207 gss_buffer_t /* message_token */ 208 ); 209 210 static OM_uint32 k5glue_verify_mic 211 (void *, OM_uint32 *, /* minor_status */ 212 gss_ctx_id_t, /* context_handle */ 213 gss_buffer_t, /* message_buffer */ 214 gss_buffer_t, /* message_token */ 215 gss_qop_t * /* qop_state */ 216 ); 217 218 static OM_uint32 k5glue_wrap 219 (void *, OM_uint32 *, /* minor_status */ 220 gss_ctx_id_t, /* context_handle */ 221 int, /* conf_req_flag */ 222 gss_qop_t, /* qop_req */ 223 gss_buffer_t, /* input_message_buffer */ 224 int *, /* conf_state */ 225 gss_buffer_t /* output_message_buffer */ 226 ); 227 228 static OM_uint32 k5glue_unwrap 229 (void *, OM_uint32 *, /* minor_status */ 230 gss_ctx_id_t, /* context_handle */ 231 gss_buffer_t, /* input_message_buffer */ 232 
gss_buffer_t, /* output_message_buffer */ 233 int *, /* conf_state */ 234 gss_qop_t * /* qop_state */ 235 ); 236 #endif 237 238 static OM_uint32 k5glue_wrap_size_limit 239 (void *, OM_uint32 *, /* minor_status */ 240 gss_ctx_id_t, /* context_handle */ 241 int, /* conf_req_flag */ 242 gss_qop_t, /* qop_req */ 243 OM_uint32, /* req_output_size */ 244 OM_uint32 * /* max_input_size */ 245 ); 246 247 #if 0 248 static OM_uint32 k5glue_import_name_object 249 (void *, OM_uint32 *, /* minor_status */ 250 void *, /* input_name */ 251 gss_OID, /* input_name_type */ 252 gss_name_t * /* output_name */ 253 ); 254 255 static OM_uint32 k5glue_export_name_object 256 (void *, OM_uint32 *, /* minor_status */ 257 gss_name_t, /* input_name */ 258 gss_OID, /* desired_name_type */ 259 void * * /* output_name */ 260 ); 261 #endif 262 263 static OM_uint32 k5glue_add_cred 264 (void *, OM_uint32 *, /* minor_status */ 265 gss_cred_id_t, /* input_cred_handle */ 266 gss_name_t, /* desired_name */ 267 gss_OID, /* desired_mech */ 268 gss_cred_usage_t, /* cred_usage */ 269 OM_uint32, /* initiator_time_req */ 270 OM_uint32, /* acceptor_time_req */ 271 gss_cred_id_t *, /* output_cred_handle */ 272 gss_OID_set *, /* actual_mechs */ 273 OM_uint32 *, /* initiator_time_rec */ 274 OM_uint32 * /* acceptor_time_rec */ 275 ); 276 277 static OM_uint32 k5glue_inquire_cred_by_mech 278 (void *, OM_uint32 *, /* minor_status */ 279 gss_cred_id_t, /* cred_handle */ 280 gss_OID, /* mech_type */ 281 gss_name_t *, /* name */ 282 OM_uint32 *, /* initiator_lifetime */ 283 OM_uint32 *, /* acceptor_lifetime */ 284 gss_cred_usage_t * /* cred_usage */ 285 ); 286 287 static OM_uint32 k5glue_export_sec_context 288 (void *, OM_uint32 *, /* minor_status */ 289 gss_ctx_id_t *, /* context_handle */ 290 gss_buffer_t /* interprocess_token */ 291 ); 292 293 static OM_uint32 k5glue_import_sec_context 294 (void *, OM_uint32 *, /* minor_status */ 295 gss_buffer_t, /* interprocess_token */ 296 gss_ctx_id_t * /* context_handle */ 297 ); 
298 299 krb5_error_code k5glue_ser_init(krb5_context); 300 301 static OM_uint32 k5glue_internal_release_oid 302 (void *, OM_uint32 *, /* minor_status */ 303 gss_OID * /* oid */ 304 ); 305 306 static OM_uint32 k5glue_inquire_names_for_mech 307 (void *, OM_uint32 *, /* minor_status */ 308 gss_OID, /* mechanism */ 309 gss_OID_set * /* name_types */ 310 ); 311 312 #if 0 313 static OM_uint32 k5glue_canonicalize_name 314 (void *, OM_uint32 *, /* minor_status */ 315 const gss_name_t, /* input_name */ 316 const gss_OID, /* mech_type */ 317 gss_name_t * /* output_name */ 318 ); 319 #endif 320 321 static OM_uint32 k5glue_export_name 322 (void *, OM_uint32 *, /* minor_status */ 323 const gss_name_t, /* input_name */ 324 gss_buffer_t /* exported_name */ 325 ); 326 327 /* SUNW15resync - Solaris specific */ 328 static OM_uint32 k5glue_store_cred ( 329 void *, 330 OM_uint32 *, /* minor_status */ 331 const gss_cred_id_t, /* input_cred */ 332 gss_cred_usage_t, /* cred_usage */ 333 const gss_OID, /* desired_mech */ 334 OM_uint32, /* overwrite_cred */ 335 OM_uint32, /* default_cred */ 336 gss_OID_set *, /* elements_stored */ 337 gss_cred_usage_t * /* cred_usage_stored */ 338 ); 339 340 /* SUNW17PACresync - this decl not needed in MIT but is for Sol */ 341 /* Note code is in gsspi_krb5.c */ 342 OM_uint32 krb5_gss_inquire_sec_context_by_oid( 343 OM_uint32 *, 344 const gss_ctx_id_t, 345 const gss_OID, 346 gss_buffer_set_t *); 347 348 static OM_uint32 349 k5glue_userok( 350 void *, /* context */ 351 OM_uint32 *, /* minor_status */ 352 const gss_name_t, /* pname */ 353 const char *, /* local user */ 354 int * /* user ok? 
*/ 355 /* */); 356 357 static OM_uint32 358 k5glue_pname_to_uid( 359 void *, /* context */ 360 OM_uint32 *, /* minor_status */ 361 const gss_name_t, /* pname */ 362 uid_t * /* uid */ 363 /* */); 364 365 366 367 368 #if 0 369 static OM_uint32 k5glue_duplicate_name 370 (void *, OM_uint32 *, /* minor_status */ 371 const gss_name_t, /* input_name */ 372 gss_name_t * /* dest_name */ 373 ); 374 #endif 375 376 #if 0 377 static OM_uint32 k5glue_validate_cred 378 (void *, OM_uint32 *, /* minor_status */ 379 gss_cred_id_t /* cred */ 380 ); 381 #endif 382 383 #if 0 384 /* 385 * SUNW15resync 386 * Solaris can't use the KRB5_GSS_CONFIG_INIT macro because of the src 387 * slicing&dicing needs of the "nightly -SD" build. When it goes away, 388 * we should use it assuming MIT still uses it then. 389 */ 390 391 /* 392 * The krb5 mechanism provides two mech OIDs; use this initializer to 393 * ensure that both dispatch tables contain identical function 394 * pointers. 395 */ 396 #define KRB5_GSS_CONFIG_INIT \ 397 NULL, \ 398 ... 
399 #endif 400 401 402 static struct gss_config krb5_mechanism = { 403 #if 0 /* Solaris Kerberos */ 404 100, "kerberos_v5", 405 #endif 406 { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, 407 NULL, 408 k5glue_acquire_cred, 409 k5glue_release_cred, 410 k5glue_init_sec_context, 411 k5glue_accept_sec_context, 412 /* EXPORT DELETE START */ /* CRYPT DELETE START */ 413 k5glue_unseal, 414 /* EXPORT DELETE END */ /* CRYPT DELETE END */ 415 k5glue_process_context_token, 416 k5glue_delete_sec_context, 417 k5glue_context_time, 418 k5glue_display_status, 419 k5glue_indicate_mechs, 420 k5glue_compare_name, 421 k5glue_display_name, 422 k5glue_import_name, 423 k5glue_release_name, 424 k5glue_inquire_cred, 425 k5glue_add_cred, 426 /* EXPORT DELETE START */ /* CRYPT DELETE START */ 427 k5glue_seal, 428 /* EXPORT DELETE END */ /* CRYPT DELETE END */ 429 k5glue_export_sec_context, 430 k5glue_import_sec_context, 431 k5glue_inquire_cred_by_mech, 432 k5glue_inquire_names_for_mech, 433 k5glue_inquire_context, 434 k5glue_internal_release_oid, 435 k5glue_wrap_size_limit, 436 k5glue_pname_to_uid, 437 k5glue_userok, 438 k5glue_export_name, 439 /* EXPORT DELETE START */ 440 /* CRYPT DELETE START */ 441 #if 0 442 /* CRYPT DELETE END */ 443 k5glue_seal, 444 k5glue_unseal, 445 /* CRYPT DELETE START */ 446 #endif 447 /* CRYPT DELETE END */ 448 /* EXPORT DELETE END */ 449 k5glue_sign, 450 k5glue_verify, 451 k5glue_store_cred, 452 krb5_gss_inquire_sec_context_by_oid 453 }; 454 455 static struct gss_config krb5_mechanism_old = { 456 #if 0 /* Solaris Kerberos */ 457 200, "kerberos_v5 (pre-RFC OID)", 458 #endif 459 { GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID }, 460 NULL, 461 k5glue_acquire_cred, 462 k5glue_release_cred, 463 k5glue_init_sec_context, 464 k5glue_accept_sec_context, 465 /* EXPORT DELETE START */ /* CRYPT DELETE START */ 466 k5glue_unseal, 467 /* EXPORT DELETE END */ /* CRYPT DELETE END */ 468 k5glue_process_context_token, 469 k5glue_delete_sec_context, 470 k5glue_context_time, 
471 k5glue_display_status, 472 k5glue_indicate_mechs, 473 k5glue_compare_name, 474 k5glue_display_name, 475 k5glue_import_name, 476 k5glue_release_name, 477 k5glue_inquire_cred, 478 k5glue_add_cred, 479 /* EXPORT DELETE START */ /* CRYPT DELETE START */ 480 k5glue_seal, 481 /* EXPORT DELETE END */ /* CRYPT DELETE END */ 482 k5glue_export_sec_context, 483 k5glue_import_sec_context, 484 k5glue_inquire_cred_by_mech, 485 k5glue_inquire_names_for_mech, 486 k5glue_inquire_context, 487 k5glue_internal_release_oid, 488 k5glue_wrap_size_limit, 489 k5glue_pname_to_uid, 490 k5glue_userok, 491 k5glue_export_name, 492 /* EXPORT DELETE START */ 493 /* CRYPT DELETE START */ 494 #if 0 495 /* CRYPT DELETE END */ 496 k5glue_seal, 497 k5glue_unseal, 498 /* CRYPT DELETE START */ 499 #endif 500 /* CRYPT DELETE END */ 501 /* EXPORT DELETE END */ 502 k5glue_sign, 503 k5glue_verify, 504 k5glue_store_cred, 505 krb5_gss_inquire_sec_context_by_oid 506 }; 507 508 static struct gss_config krb5_mechanism_wrong = { 509 #if 0 /* Solaris Kerberos */ 510 300, "kerberos_v5 (wrong OID)", 511 #endif 512 { GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID }, 513 NULL, 514 k5glue_acquire_cred, 515 k5glue_release_cred, 516 k5glue_init_sec_context, 517 k5glue_accept_sec_context, 518 /* EXPORT DELETE START */ /* CRYPT DELETE START */ 519 k5glue_unseal, 520 /* EXPORT DELETE END */ /* CRYPT DELETE END */ 521 k5glue_process_context_token, 522 k5glue_delete_sec_context, 523 k5glue_context_time, 524 k5glue_display_status, 525 k5glue_indicate_mechs, 526 k5glue_compare_name, 527 k5glue_display_name, 528 k5glue_import_name, 529 k5glue_release_name, 530 k5glue_inquire_cred, 531 k5glue_add_cred, 532 /* EXPORT DELETE START */ /* CRYPT DELETE START */ 533 k5glue_seal, 534 /* EXPORT DELETE END */ /* CRYPT DELETE END */ 535 k5glue_export_sec_context, 536 k5glue_import_sec_context, 537 k5glue_inquire_cred_by_mech, 538 k5glue_inquire_names_for_mech, 539 k5glue_inquire_context, 540 k5glue_internal_release_oid, 541 
k5glue_wrap_size_limit, 542 k5glue_pname_to_uid, 543 k5glue_userok, 544 k5glue_export_name, 545 /* EXPORT DELETE START */ 546 /* CRYPT DELETE START */ 547 #if 0 548 /* CRYPT DELETE END */ 549 k5glue_seal, 550 k5glue_unseal, 551 /* CRYPT DELETE START */ 552 #endif 553 /* CRYPT DELETE END */ 554 /* EXPORT DELETE END */ 555 k5glue_sign, 556 k5glue_verify, 557 k5glue_store_cred, 558 krb5_gss_inquire_sec_context_by_oid 559 }; 560 561 static gss_mechanism krb5_mech_configs[] = { 562 &krb5_mechanism, &krb5_mechanism_old, &krb5_mechanism_wrong, NULL 563 }; 564 565 #ifdef MS_BUG_TEST 566 static gss_mechanism krb5_mech_configs_hack[] = { 567 &krb5_mechanism, &krb5_mechanism_old, NULL 568 }; 569 #endif 570 571 #if 1 572 #define gssint_get_mech_configs krb5_gss_get_mech_configs 573 #endif 574 575 gss_mechanism * 576 gssint_get_mech_configs(void) 577 { 578 #ifdef MS_BUG_TEST 579 char *envstr = getenv("MS_FORCE_NO_MSOID"); 580 581 if (envstr != NULL && strcmp(envstr, "1") == 0) { 582 return krb5_mech_configs_hack; 583 } 584 #endif 585 return krb5_mech_configs; 586 } 587 588 static OM_uint32 589 k5glue_accept_sec_context(ctx, minor_status, context_handle, verifier_cred_handle, 590 input_token, input_chan_bindings, src_name, mech_type, 591 output_token, ret_flags, time_rec, delegated_cred_handle) 592 void *ctx; 593 OM_uint32 *minor_status; 594 gss_ctx_id_t *context_handle; 595 gss_cred_id_t verifier_cred_handle; 596 gss_buffer_t input_token; 597 gss_channel_bindings_t input_chan_bindings; 598 gss_name_t *src_name; 599 gss_OID *mech_type; 600 gss_buffer_t output_token; 601 OM_uint32 *ret_flags; 602 OM_uint32 *time_rec; 603 gss_cred_id_t *delegated_cred_handle; 604 { 605 return(krb5_gss_accept_sec_context(minor_status, 606 context_handle, 607 verifier_cred_handle, 608 input_token, 609 input_chan_bindings, 610 src_name, 611 mech_type, 612 output_token, 613 ret_flags, 614 time_rec, 615 delegated_cred_handle)); 616 } 617 618 static OM_uint32 619 k5glue_acquire_cred(ctx, minor_status, 
desired_name, time_req, desired_mechs, 620 cred_usage, output_cred_handle, actual_mechs, time_rec) 621 void *ctx; 622 OM_uint32 *minor_status; 623 gss_name_t desired_name; 624 OM_uint32 time_req; 625 gss_OID_set desired_mechs; 626 gss_cred_usage_t cred_usage; 627 gss_cred_id_t *output_cred_handle; 628 gss_OID_set *actual_mechs; 629 OM_uint32 *time_rec; 630 { 631 return(krb5_gss_acquire_cred(minor_status, 632 desired_name, 633 time_req, 634 desired_mechs, 635 cred_usage, 636 output_cred_handle, 637 actual_mechs, 638 time_rec)); 639 } 640 641 /* V2 */ 642 static OM_uint32 643 k5glue_add_cred(ctx, minor_status, input_cred_handle, desired_name, desired_mech, 644 cred_usage, initiator_time_req, acceptor_time_req, 645 output_cred_handle, actual_mechs, initiator_time_rec, 646 acceptor_time_rec) 647 void *ctx; 648 OM_uint32 *minor_status; 649 gss_cred_id_t input_cred_handle; 650 gss_name_t desired_name; 651 gss_OID desired_mech; 652 gss_cred_usage_t cred_usage; 653 OM_uint32 initiator_time_req; 654 OM_uint32 acceptor_time_req; 655 gss_cred_id_t *output_cred_handle; 656 gss_OID_set *actual_mechs; 657 OM_uint32 *initiator_time_rec; 658 OM_uint32 *acceptor_time_rec; 659 { 660 return(krb5_gss_add_cred(minor_status, input_cred_handle, desired_name, 661 desired_mech, cred_usage, initiator_time_req, 662 acceptor_time_req, output_cred_handle, 663 actual_mechs, initiator_time_rec, 664 acceptor_time_rec)); 665 } 666 667 #if 0 668 /* V2 */ 669 static OM_uint32 670 k5glue_add_oid_set_member(ctx, minor_status, member_oid, oid_set) 671 void *ctx; 672 OM_uint32 *minor_status; 673 gss_OID member_oid; 674 gss_OID_set *oid_set; 675 { 676 return(generic_gss_add_oid_set_member(minor_status, member_oid, oid_set)); 677 } 678 #endif 679 680 static OM_uint32 681 k5glue_compare_name(ctx, minor_status, name1, name2, name_equal) 682 void *ctx; 683 OM_uint32 *minor_status; 684 gss_name_t name1; 685 gss_name_t name2; 686 int *name_equal; 687 { 688 return(krb5_gss_compare_name(minor_status, name1, 689 
name2, name_equal)); 690 } 691 692 static OM_uint32 693 k5glue_context_time(ctx, minor_status, context_handle, time_rec) 694 void *ctx; 695 OM_uint32 *minor_status; 696 gss_ctx_id_t context_handle; 697 OM_uint32 *time_rec; 698 { 699 return(krb5_gss_context_time(minor_status, context_handle, 700 time_rec)); 701 } 702 703 #if 0 704 /* V2 */ 705 static OM_uint32 706 k5glue_create_empty_oid_set(ctx, minor_status, oid_set) 707 void *ctx; 708 OM_uint32 *minor_status; 709 gss_OID_set *oid_set; 710 { 711 return(generic_gss_create_empty_oid_set(minor_status, oid_set)); 712 } 713 #endif 714 715 static OM_uint32 716 k5glue_delete_sec_context(ctx, minor_status, context_handle, output_token) 717 void *ctx; 718 OM_uint32 *minor_status; 719 gss_ctx_id_t *context_handle; 720 gss_buffer_t output_token; 721 { 722 return(krb5_gss_delete_sec_context(minor_status, 723 context_handle, output_token)); 724 } 725 726 static OM_uint32 727 k5glue_display_name(ctx, minor_status, input_name, output_name_buffer, output_name_type) 728 void *ctx; 729 OM_uint32 *minor_status; 730 gss_name_t input_name; 731 gss_buffer_t output_name_buffer; 732 gss_OID *output_name_type; 733 { 734 return(krb5_gss_display_name(minor_status, input_name, 735 output_name_buffer, output_name_type)); 736 } 737 738 static OM_uint32 739 k5glue_display_status(ctx, minor_status, status_value, status_type, 740 mech_type, message_context, status_string) 741 void *ctx; 742 OM_uint32 *minor_status; 743 OM_uint32 status_value; 744 int status_type; 745 gss_OID mech_type; 746 OM_uint32 *message_context; 747 gss_buffer_t status_string; 748 { 749 return(krb5_gss_display_status(minor_status, status_value, 750 status_type, mech_type, message_context, 751 status_string)); 752 } 753 754 /* V2 */ 755 static OM_uint32 756 k5glue_export_sec_context(ctx, minor_status, context_handle, interprocess_token) 757 void *ctx; 758 OM_uint32 *minor_status; 759 gss_ctx_id_t *context_handle; 760 gss_buffer_t interprocess_token; 761 { 762 
return(krb5_gss_export_sec_context(minor_status, 763 context_handle, 764 interprocess_token)); 765 } 766 767 #if 0 768 /* V2 */ 769 static OM_uint32 770 k5glue_get_mic(ctx, minor_status, context_handle, qop_req, 771 message_buffer, message_token) 772 void *ctx; 773 OM_uint32 *minor_status; 774 gss_ctx_id_t context_handle; 775 gss_qop_t qop_req; 776 gss_buffer_t message_buffer; 777 gss_buffer_t message_token; 778 { 779 return(krb5_gss_get_mic(minor_status, context_handle, 780 qop_req, message_buffer, message_token)); 781 } 782 #endif 783 784 static OM_uint32 785 k5glue_import_name(ctx, minor_status, input_name_buffer, input_name_type, output_name) 786 void *ctx; 787 OM_uint32 *minor_status; 788 gss_buffer_t input_name_buffer; 789 gss_OID input_name_type; 790 gss_name_t *output_name; 791 { 792 #if 0 793 OM_uint32 err; 794 err = gssint_initialize_library(); 795 if (err) { 796 *minor_status = err; 797 return GSS_S_FAILURE; 798 } 799 #endif 800 return(krb5_gss_import_name(minor_status, input_name_buffer, 801 input_name_type, output_name)); 802 } 803 804 /* V2 */ 805 static OM_uint32 806 k5glue_import_sec_context(ctx, minor_status, interprocess_token, context_handle) 807 void *ctx; 808 OM_uint32 *minor_status; 809 gss_buffer_t interprocess_token; 810 gss_ctx_id_t *context_handle; 811 { 812 return(krb5_gss_import_sec_context(minor_status, 813 interprocess_token, 814 context_handle)); 815 } 816 817 static OM_uint32 818 k5glue_indicate_mechs(ctx, minor_status, mech_set) 819 void *ctx; 820 OM_uint32 *minor_status; 821 gss_OID_set *mech_set; 822 { 823 return(krb5_gss_indicate_mechs(minor_status, mech_set)); 824 } 825 826 static OM_uint32 827 k5glue_init_sec_context(ctx, minor_status, claimant_cred_handle, context_handle, 828 target_name, mech_type, req_flags, time_req, 829 input_chan_bindings, input_token, actual_mech_type, 830 output_token, ret_flags, time_rec) 831 void *ctx; 832 OM_uint32 *minor_status; 833 gss_cred_id_t claimant_cred_handle; 834 gss_ctx_id_t 
*context_handle; 835 gss_name_t target_name; 836 gss_OID mech_type; 837 OM_uint32 req_flags; 838 OM_uint32 time_req; 839 gss_channel_bindings_t input_chan_bindings; 840 gss_buffer_t input_token; 841 gss_OID *actual_mech_type; 842 gss_buffer_t output_token; 843 OM_uint32 *ret_flags; 844 OM_uint32 *time_rec; 845 { 846 return(krb5_gss_init_sec_context(minor_status, 847 claimant_cred_handle, context_handle, 848 target_name, mech_type, req_flags, 849 time_req, input_chan_bindings, input_token, 850 actual_mech_type, output_token, ret_flags, 851 time_rec)); 852 } 853 854 static OM_uint32 855 k5glue_inquire_context(ctx, minor_status, context_handle, initiator_name, acceptor_name, 856 lifetime_rec, mech_type, ret_flags, 857 locally_initiated, open) 858 void *ctx; 859 OM_uint32 *minor_status; 860 gss_ctx_id_t context_handle; 861 gss_name_t *initiator_name; 862 gss_name_t *acceptor_name; 863 OM_uint32 *lifetime_rec; 864 gss_OID *mech_type; 865 OM_uint32 *ret_flags; 866 int *locally_initiated; 867 int *open; 868 { 869 return(krb5_gss_inquire_context(minor_status, context_handle, 870 initiator_name, acceptor_name, lifetime_rec, 871 mech_type, ret_flags, locally_initiated, 872 open)); 873 } 874 875 static OM_uint32 876 k5glue_inquire_cred(ctx, minor_status, cred_handle, name, lifetime_ret, 877 cred_usage, mechanisms) 878 void *ctx; 879 OM_uint32 *minor_status; 880 gss_cred_id_t cred_handle; 881 gss_name_t *name; 882 OM_uint32 *lifetime_ret; 883 gss_cred_usage_t *cred_usage; 884 gss_OID_set *mechanisms; 885 { 886 return(krb5_gss_inquire_cred(minor_status, cred_handle, 887 name, lifetime_ret, cred_usage, mechanisms)); 888 } 889 890 /* V2 */ 891 static OM_uint32 892 k5glue_inquire_cred_by_mech(ctx, minor_status, cred_handle, mech_type, name, 893 initiator_lifetime, acceptor_lifetime, cred_usage) 894 void *ctx; 895 OM_uint32 *minor_status; 896 gss_cred_id_t cred_handle; 897 gss_OID mech_type; 898 gss_name_t *name; 899 OM_uint32 *initiator_lifetime; 900 OM_uint32 *acceptor_lifetime; 
901 gss_cred_usage_t *cred_usage; 902 { 903 return(krb5_gss_inquire_cred_by_mech(minor_status, cred_handle, 904 mech_type, name, initiator_lifetime, 905 acceptor_lifetime, cred_usage)); 906 } 907 908 /* V2 */ 909 static OM_uint32 910 k5glue_inquire_names_for_mech(ctx, minor_status, mechanism, name_types) 911 void *ctx; 912 OM_uint32 *minor_status; 913 gss_OID mechanism; 914 gss_OID_set *name_types; 915 { 916 return(krb5_gss_inquire_names_for_mech(minor_status, 917 mechanism, 918 name_types)); 919 } 920 921 #if 0 922 /* V2 */ 923 static OM_uint32 924 k5glue_oid_to_str(ctx, minor_status, oid, oid_str) 925 void *ctx; 926 OM_uint32 *minor_status; 927 gss_OID oid; 928 gss_buffer_t oid_str; 929 { 930 return(generic_gss_oid_to_str(minor_status, oid, oid_str)); 931 } 932 #endif 933 934 static OM_uint32 935 k5glue_process_context_token(ctx, minor_status, context_handle, token_buffer) 936 void *ctx; 937 OM_uint32 *minor_status; 938 gss_ctx_id_t context_handle; 939 gss_buffer_t token_buffer; 940 { 941 return(krb5_gss_process_context_token(minor_status, 942 context_handle, token_buffer)); 943 } 944 945 static OM_uint32 946 k5glue_release_cred(ctx, minor_status, cred_handle) 947 void *ctx; 948 OM_uint32 *minor_status; 949 gss_cred_id_t *cred_handle; 950 { 951 return(krb5_gss_release_cred(minor_status, cred_handle)); 952 } 953 954 static OM_uint32 955 k5glue_release_name(ctx, minor_status, input_name) 956 void *ctx; 957 OM_uint32 *minor_status; 958 gss_name_t *input_name; 959 { 960 return(krb5_gss_release_name(minor_status, input_name)); 961 } 962 963 #if 0 964 static OM_uint32 965 k5glue_release_buffer(ctx, minor_status, buffer) 966 void *ctx; 967 OM_uint32 *minor_status; 968 gss_buffer_t buffer; 969 { 970 return(generic_gss_release_buffer(minor_status, 971 buffer)); 972 } 973 #endif 974 975 /* V2 */ 976 static OM_uint32 977 k5glue_internal_release_oid(ctx, minor_status, oid) 978 void *ctx; 979 OM_uint32 *minor_status; 980 gss_OID *oid; 981 { 982 
return(krb5_gss_internal_release_oid(minor_status, oid)); 983 } 984 985 #if 0 986 static OM_uint32 987 k5glue_release_oid_set(ctx, minor_status, set) 988 void *ctx; 989 OM_uint32 * minor_status; 990 gss_OID_set *set; 991 { 992 return(generic_gss_release_oid_set(minor_status, set)); 993 } 994 #endif 995 996 /* EXPORT DELETE START */ 997 /* V1 only */ 998 static OM_uint32 999 k5glue_seal(ctx, minor_status, context_handle, conf_req_flag, qop_req, 1000 input_message_buffer, conf_state, output_message_buffer) 1001 void *ctx; 1002 OM_uint32 *minor_status; 1003 gss_ctx_id_t context_handle; 1004 int conf_req_flag; 1005 int qop_req; 1006 gss_buffer_t input_message_buffer; 1007 int *conf_state; 1008 gss_buffer_t output_message_buffer; 1009 { 1010 return(krb5_gss_seal(minor_status, context_handle, 1011 conf_req_flag, qop_req, input_message_buffer, 1012 conf_state, output_message_buffer)); 1013 } 1014 /* EXPORT DELETE END */ 1015 1016 static OM_uint32 1017 k5glue_sign(ctx, minor_status, context_handle, 1018 qop_req, message_buffer, 1019 message_token) 1020 void *ctx; 1021 OM_uint32 *minor_status; 1022 gss_ctx_id_t context_handle; 1023 int qop_req; 1024 gss_buffer_t message_buffer; 1025 gss_buffer_t message_token; 1026 { 1027 return(krb5_gss_sign(minor_status, context_handle, 1028 qop_req, message_buffer, message_token)); 1029 } 1030 1031 #if 0 1032 /* V2 */ 1033 static OM_uint32 1034 k5glue_verify_mic(ctx, minor_status, context_handle, 1035 message_buffer, token_buffer, qop_state) 1036 void *ctx; 1037 OM_uint32 *minor_status; 1038 gss_ctx_id_t context_handle; 1039 gss_buffer_t message_buffer; 1040 gss_buffer_t token_buffer; 1041 gss_qop_t *qop_state; 1042 { 1043 return(krb5_gss_verify_mic(minor_status, context_handle, 1044 message_buffer, token_buffer, qop_state)); 1045 } 1046 1047 /* V2 */ 1048 static OM_uint32 1049 k5glue_wrap(ctx, minor_status, context_handle, conf_req_flag, qop_req, 1050 input_message_buffer, conf_state, output_message_buffer) 1051 void *ctx; 1052 
/* Tail of k5glue_wrap: its K&R parameter list opens before this chunk. */
OM_uint32 *minor_status;
gss_ctx_id_t context_handle;
int conf_req_flag;
gss_qop_t qop_req;
gss_buffer_t input_message_buffer;
int *conf_state;
gss_buffer_t output_message_buffer;
{
    return (krb5_gss_wrap(minor_status, context_handle, conf_req_flag, qop_req,
        input_message_buffer, conf_state, output_message_buffer));
}

/* V2 */
/*
 * Mechglue slot for gss_str_to_oid().  The mechanism context (ctx) is not
 * consulted; the generic implementation does all of the work.
 */
static OM_uint32
k5glue_str_to_oid(void *ctx, OM_uint32 *minor_status, gss_buffer_t oid_str,
    gss_OID *oid)
{
    return generic_gss_str_to_oid(minor_status, oid_str, oid);
}

/* V2 */
/*
 * Mechglue slot for gss_test_oid_set_member(); ctx is not consulted and the
 * call is forwarded to the generic OID-set implementation.
 */
static OM_uint32
k5glue_test_oid_set_member(void *ctx, OM_uint32 *minor_status, gss_OID member,
    gss_OID_set set, int *present)
{
    return generic_gss_test_oid_set_member(minor_status, member, set, present);
}
#endif

/* EXPORT DELETE START */
/* V1 only */
/*
 * GSSAPI v1 gss_unseal() slot: forwarded straight to krb5_gss_unseal().
 * qop_state is the v1 "int *" form, not the v2 gss_qop_t form.
 */
static OM_uint32
k5glue_unseal(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer,
    int *conf_state, int *qop_state)
{
    return krb5_gss_unseal(minor_status, context_handle, input_message_buffer,
        output_message_buffer, conf_state, qop_state);
}
/* EXPORT DELETE END */

#if 0
/* V2 */
/* GSSAPI v2 gss_unwrap() slot (compiled out); forwarded to krb5_gss_unwrap(). */
static OM_uint32
k5glue_unwrap(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer,
    int *conf_state, gss_qop_t *qop_state)
{
    return krb5_gss_unwrap(minor_status, context_handle, input_message_buffer,
        output_message_buffer, conf_state, qop_state);
}
#endif

/* V1 only */
/* GSSAPI v1 gss_verify() slot: forwarded to krb5_gss_verify(). */
static OM_uint32
k5glue_verify(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    gss_buffer_t message_buffer, gss_buffer_t token_buffer, int *qop_state)
{
    return krb5_gss_verify(minor_status, context_handle, message_buffer,
        token_buffer, qop_state);
}

/* V2 interface */
/*
 * gss_wrap_size_limit() slot: asks krb5_gss_wrap_size_limit() for the largest
 * plaintext that still wraps into req_output_size bytes.
 */
static OM_uint32
k5glue_wrap_size_limit(void *ctx, OM_uint32 *minor_status,
    gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req,
    OM_uint32 req_output_size, OM_uint32 *max_input_size)
{
    return krb5_gss_wrap_size_limit(minor_status, context_handle,
        conf_req_flag, qop_req, req_output_size, max_input_size);
}

#if 0
/* V2 interface */
/* gss_canonicalize_name() slot (compiled out). */
static OM_uint32
k5glue_canonicalize_name(void *ctx, OM_uint32 *minor_status,
    const gss_name_t input_name, const gss_OID mech_type,
    gss_name_t *output_name)
{
    return krb5_gss_canonicalize_name(minor_status, input_name, mech_type,
        output_name);
}
#endif

/* V2 interface */
/* gss_export_name() slot: forwarded to krb5_gss_export_name(). */
static OM_uint32
k5glue_export_name(void *ctx, OM_uint32 *minor_status,
    const gss_name_t input_name, gss_buffer_t exported_name)
{
    return krb5_gss_export_name(minor_status, input_name, exported_name);
}

/* SUNW15resync - this is not in the MIT mech (lib) yet */
/*
 * gss_store_cred() slot: every argument other than ctx is handed to
 * krb5_gss_store_cred() unchanged.
 */
static OM_uint32
k5glue_store_cred(void *ctx, OM_uint32 *minor_status,
    const gss_cred_id_t input_cred, gss_cred_usage_t cred_usage,
    gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred,
    gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored)
{
    return krb5_gss_store_cred(minor_status, input_cred, cred_usage,
        desired_mech, overwrite_cred, default_cred, elements_stored,
        cred_usage_stored);
}

/*
 * "Is principal pname allowed to act as local user `user`?" slot.
 * The answer is written to *user_ok by krb5_gss_userok(); ctxt is unused.
 */
static OM_uint32
k5glue_userok(void *ctxt, OM_uint32 *minor, const gss_name_t pname,
    const char *user, int *user_ok)
{
    return krb5_gss_userok(minor, pname, user, user_ok);
}

/*
 * Principal-name to uid slot; the uid is written to *uidOut by
 * krb5_pname_to_uid().  ctxt is unused.
 */
static OM_uint32
k5glue_pname_to_uid(void *ctxt, OM_uint32 *minor, const gss_name_t pname,
    uid_t *uidOut)
{
    return krb5_pname_to_uid(minor, pname, uidOut);
}

#if 0
/* V2 interface */
/* gss_duplicate_name() slot (compiled out). */
static OM_uint32
k5glue_duplicate_name(void *ctx, OM_uint32 *minor_status,
    const gss_name_t input_name, gss_name_t *dest_name)
{
    return krb5_gss_duplicate_name(minor_status, input_name, dest_name);
}
#endif

/*
 * Copy the ccache behind a mechglue union credential into out_ccache.
 * The krb5 mechanism credential is looked up first under the current
 * mechanism OID and then under the old one; the first hit is used.
 * Returns GSS_S_DEFECTIVE_CREDENTIAL when the union holds neither.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_copy_ccache(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
    krb5_ccache out_ccache)
{
    gss_union_cred_t ucred = (gss_union_cred_t)cred_handle;
    gss_OID candidates[2];
    size_t i;

    /* Probe order matters: current OID before the legacy one. */
    candidates[0] = &krb5_mechanism.mech_type;
    candidates[1] = &krb5_mechanism_old.mech_type;

    for (i = 0; i < 2; i++) {
        gss_cred_id_t mcred = gssint_get_mechanism_cred(ucred, candidates[i]);

        if (mcred != GSS_C_NO_CREDENTIAL)
            return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
    }

    return GSS_S_DEFECTIVE_CREDENTIAL;
}

/*
 * Restrict the enctypes a union credential may negotiate.  As in
 * gss_krb5_copy_ccache(), the krb5 mechanism credential is located under the
 * current OID first and the old OID second; GSS_S_DEFECTIVE_CREDENTIAL is
 * returned when neither is present.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, gss_cred_id_t cred,
    OM_uint32 num_ktypes, krb5_enctype *ktypes)
{
    gss_union_cred_t ucred = (gss_union_cred_t)cred;
    gss_OID candidates[2];
    size_t i;

    candidates[0] = &krb5_mechanism.mech_type;
    candidates[1] = &krb5_mechanism_old.mech_type;

    for (i = 0; i < 2; i++) {
        gss_cred_id_t mcred = gssint_get_mechanism_cred(ucred, candidates[i]);

        if (mcred != GSS_C_NO_CREDENTIAL)
            return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
                num_ktypes, ktypes);
    }

    return GSS_S_DEFECTIVE_CREDENTIAL;
}

/*
 * Glue routine for returning the mechanism-specific credential from an
 * external union credential.
*/
/* SUNW15resync - in MIT 1.5, it's in g_glue.c (libgss) but we don't
   want to link against libgss so we put it here since we need it in the mech */
/*
 * Return the per-mechanism credential stored in union_cred for mech_type,
 * or GSS_C_NO_CREDENTIAL when union_cred is empty or holds no entry whose
 * OID matches.  Entries are scanned in array order; the first match wins.
 * No ownership is transferred: the returned handle still belongs to the union.
 */
gss_cred_id_t
gssint_get_mechanism_cred(gss_union_cred_t union_cred, gss_OID mech_type)
{
    int idx = 0;
    int n;

    if (union_cred == (gss_union_cred_t) GSS_C_NO_CREDENTIAL)
        return GSS_C_NO_CREDENTIAL;

    n = union_cred->count;
    while (idx < n) {
        if (g_OID_equal(mech_type, &union_cred->mechs_array[idx]))
            return union_cred->cred_array[idx];
        idx++;
    }

    return GSS_C_NO_CREDENTIAL;
}



/*
 * entry point for the gss layer,
 * called "krb5_gss_initialize()" in MIT 1.2.1
 */
/* SUNW15resync - this used to be in k5mech.c */
/*
 * Hand the mechglue our mechanism table.  Only the krb5 OID and the
 * "wrong" MS krb5 OID are accepted; anything else (including a NULL oid)
 * is logged at LOG_INFO and refused with NULL.  Both accepted OIDs share the
 * same function table, so &krb5_mechanism is returned in either case.
 */
gss_mechanism
gss_mech_initialize(const gss_OID oid)
{
    /*
     * Solaris Kerberos: We also want to use the same functions for KRB5 as
     * we do for the MS KRB5 (krb5_mechanism_wrong). So both are valid.
     */
    int accepted = (oid != NULL) &&
        (g_OID_equal(oid, &krb5_mechanism.mech_type) ||
         g_OID_equal(oid, &krb5_mechanism_wrong.mech_type));

    /* ensure that the requested oid matches our oid */
    if (!accepted) {
        /* Literal format string: nothing caller-controlled reaches syslog. */
        (void) syslog(LOG_INFO, "krb5mech: gss_mech_initialize: bad oid");
        return (NULL);
    }

#if 0 /* SUNW15resync - no longer needed(?) */
    if (krb5_gss_get_context(&(krb5_mechanism.context)) !=
        GSS_S_COMPLETE)
        return (NULL);
#endif

    return (&krb5_mechanism);
}

/*
 * This API should go away and be replaced with an accessor
 * into a gss_name_t.
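*/
/*
 * Fetch authorization data of type ad_type from an established context.
 *
 * Composes the "extract authz data" OID with ad_type appended, queries the
 * context through gss_inquire_sec_context_by_oid(), and returns a copy of the
 * first element of the resulting buffer set in *ad_data.  The caller owns
 * ad_data->value and frees it.
 *
 * Returns GSS_S_CALL_INACCESSIBLE_WRITE if ad_data is NULL; the major status
 * of a failing helper; GSS_S_FAILURE with *minor_status = EINVAL when the
 * context returned no data, or ENOMEM when the copy cannot be allocated.
 * On every failure ad_data is left empty (length 0, value NULL) rather than
 * half-filled, and the GSS-API major/minor convention is preserved.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authz_data_from_sec_context(
    OM_uint32 *minor_status,
    gss_ctx_id_t context_handle,
    int ad_type,
    gss_buffer_t ad_data)
{
    gss_OID_desc req_oid;
    unsigned char oid_buf[GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH + 6];
    OM_uint32 major_status;
    gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;

    if (ad_data == NULL)
        return GSS_S_CALL_INACCESSIBLE_WRITE;

    /* oid_buf has room for the base OID plus the encoded ad_type suffix. */
    req_oid.elements = oid_buf;
    req_oid.length = sizeof(oid_buf);

    major_status = generic_gss_oid_compose(minor_status,
        GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID,
        GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH,
        ad_type,
        &req_oid);
    if (GSS_ERROR(major_status))
        return major_status;

    major_status = gss_inquire_sec_context_by_oid(minor_status,
        context_handle,
        (gss_OID)&req_oid,
        &data_set);
    if (major_status != GSS_S_COMPLETE)
        return major_status;

    /*
     * SUNW17PACresync / Solaris Kerberos
     * MIT17 allows only count==1 which is correct for pre-Win2008 but
     * our testing with Win2008 shows count==2 and Win7 count==3.
     */
    if ((data_set == GSS_C_NO_BUFFER_SET) || (data_set->count == 0)) {
        /* Release first so the release's own minor status cannot mask EINVAL. */
        gss_release_buffer_set(minor_status, &data_set);
        *minor_status = EINVAL;
        return GSS_S_FAILURE;
    }

    /* Only the first element is returned; the extra Win2008/Win7 ones are dropped. */
    ad_data->length = data_set->elements[0].length;
    if (ad_data->length == 0) {
        /* Nothing to copy; do not call malloc(0), whose NULL return is not an error. */
        ad_data->value = NULL;
    } else {
        ad_data->value = malloc(ad_data->length);
        if (ad_data->value == NULL) {
            gss_release_buffer_set(minor_status, &data_set);
            /* errno values belong in the minor status; the major status is GSS_S_FAILURE. */
            ad_data->length = 0;
            *minor_status = ENOMEM;
            return GSS_S_FAILURE;
        }
        memcpy(ad_data->value, data_set->elements[0].value, ad_data->length);
    }

    gss_release_buffer_set(minor_status, &data_set);

    return GSS_S_COMPLETE;
}


/*
 * Fetch the ticket authtime of an established context into *authtime.
 *
 * Queries the context through gss_inquire_sec_context_by_oid() with the
 * fixed "extract authtime" OID and expects exactly one element of
 * sizeof(krb5_timestamp) bytes.
 *
 * Returns GSS_S_CALL_INACCESSIBLE_WRITE if authtime is NULL; the major
 * status of a failing inquiry; GSS_S_FAILURE with *minor_status = EINVAL if
 * the returned set has the wrong shape (the set is released before
 * returning, so nothing leaks on that path); GSS_S_COMPLETE with
 * *minor_status = 0 on success.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
    gss_ctx_id_t context_handle,
    krb5_timestamp *authtime)
{
    static const gss_OID_desc req_oid = {
        GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH,
        GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID };
    OM_uint32 major_status;
    gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;

    if (authtime == NULL)
        return GSS_S_CALL_INACCESSIBLE_WRITE;

    major_status = gss_inquire_sec_context_by_oid(minor_status,
        context_handle,
        (gss_OID)&req_oid,
        &data_set);
    if (major_status != GSS_S_COMPLETE)
        return major_status;

    if (data_set == GSS_C_NO_BUFFER_SET ||
        data_set->count != 1 ||
        data_set->elements[0].length != sizeof(*authtime)) {
        /* Free the set before reporting, and after it so EINVAL is what the caller sees. */
        gss_release_buffer_set(minor_status, &data_set);
        *minor_status = EINVAL;
        return GSS_S_FAILURE;
    }

    /*
     * The element's value is an opaque byte buffer with no alignment
     * guarantee, so copy it out instead of dereferencing a cast pointer.
     */
    memcpy(authtime, data_set->elements[0].value, sizeof(*authtime));

    gss_release_buffer_set(minor_status, &data_set);

    *minor_status = 0;

    return GSS_S_COMPLETE;
}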