authorHiroki Sato <hrs@FreeBSD.org>2018-04-04 04:21:19 +0000
committerHiroki Sato <hrs@FreeBSD.org>2018-04-04 04:21:19 +0000
commitd684f11da759490a8d98d7b790796106285f4084 (patch)
tree27b7356df710fdf1440fe2c23154b8121e99f2ab /lib/gssapi/mech
parentf52d4664e3f68828c06f85bfc1afa271e3e04713 (diff)
Notes
Notes: svn path=/vendor-crypto/heimdal/dist/; revision=331978 svn path=/vendor-crypto/heimdal/7.5.0/; revision=331979; tag=vendor/heimdal/7.5.0
Diffstat (limited to 'lib/gssapi/mech')
-rw-r--r--lib/gssapi/mech/compat.h6
-rw-r--r--lib/gssapi/mech/doxygen.c23
-rw-r--r--lib/gssapi/mech/gss_accept_sec_context.c2
-rw-r--r--lib/gssapi/mech/gss_acquire_cred.c2
-rw-r--r--lib/gssapi/mech/gss_acquire_cred_ext.c24
-rw-r--r--lib/gssapi/mech/gss_acquire_cred_with_password.c5
-rw-r--r--lib/gssapi/mech/gss_add_cred.c4
-rw-r--r--lib/gssapi/mech/gss_add_cred_with_password.c4
-rw-r--r--lib/gssapi/mech/gss_aeap.c120
-rw-r--r--lib/gssapi/mech/gss_authorize_localname.c6
-rw-r--r--lib/gssapi/mech/gss_canonicalize_name.c2
-rw-r--r--lib/gssapi/mech/gss_compare_name.c6
-rw-r--r--lib/gssapi/mech/gss_context_time.c2
-rw-r--r--lib/gssapi/mech/gss_delete_sec_context.c4
-rw-r--r--lib/gssapi/mech/gss_display_name.c2
-rw-r--r--lib/gssapi/mech/gss_display_status.c26
-rw-r--r--lib/gssapi/mech/gss_duplicate_name.c2
-rw-r--r--lib/gssapi/mech/gss_export_name.c16
-rw-r--r--lib/gssapi/mech/gss_get_mic.c2
-rw-r--r--lib/gssapi/mech/gss_import_name.c12
-rw-r--r--lib/gssapi/mech/gss_indicate_mechs.c5
-rw-r--r--lib/gssapi/mech/gss_init_sec_context.c17
-rw-r--r--lib/gssapi/mech/gss_inquire_context.c2
-rw-r--r--lib/gssapi/mech/gss_inquire_cred.c2
-rw-r--r--lib/gssapi/mech/gss_inquire_cred_by_mech.c2
-rw-r--r--lib/gssapi/mech/gss_inquire_cred_by_oid.c2
-rw-r--r--lib/gssapi/mech/gss_inquire_mechs_for_name.c2
-rw-r--r--lib/gssapi/mech/gss_inquire_sec_context_by_oid.c2
-rw-r--r--lib/gssapi/mech/gss_mech_switch.c5
-rw-r--r--lib/gssapi/mech/gss_mo.c1
-rw-r--r--lib/gssapi/mech/gss_oid.c56
-rw-r--r--lib/gssapi/mech/gss_pname_to_uid.c174
-rw-r--r--lib/gssapi/mech/gss_process_context_token.c2
-rw-r--r--lib/gssapi/mech/gss_store_cred.c36
-rw-r--r--lib/gssapi/mech/gss_unwrap.c2
-rw-r--r--lib/gssapi/mech/gss_verify_mic.c2
-rw-r--r--lib/gssapi/mech/gss_wrap.c2
-rw-r--r--lib/gssapi/mech/gss_wrap_size_limit.c2
-rw-r--r--lib/gssapi/mech/mech.52
-rw-r--r--lib/gssapi/mech/mech.cat52
40 files changed, 398 insertions, 192 deletions
diff --git a/lib/gssapi/mech/compat.h b/lib/gssapi/mech/compat.h
index e63f1e534306..d23a6e916a57 100644
--- a/lib/gssapi/mech/compat.h
+++ b/lib/gssapi/mech/compat.h
@@ -53,7 +53,7 @@ typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_attrs_for_mech_t (
typedef OM_uint32 GSSAPI_CALLCONV _gss_acquire_cred_with_password_t
(OM_uint32 *, /* minor_status */
- const gss_name_t, /* desired_name */
+ gss_const_name_t, /* desired_name */
const gss_buffer_t, /* password */
OM_uint32, /* time_req */
const gss_OID_set, /* desired_mechs */
@@ -65,8 +65,8 @@ typedef OM_uint32 GSSAPI_CALLCONV _gss_acquire_cred_with_password_t
typedef OM_uint32 GSSAPI_CALLCONV _gss_add_cred_with_password_t (
OM_uint32 *, /* minor_status */
- const gss_cred_id_t, /* input_cred_handle */
- const gss_name_t, /* desired_name */
+ gss_const_cred_id_t, /* input_cred_handle */
+ gss_const_name_t, /* desired_name */
const gss_OID, /* desired_mech */
const gss_buffer_t, /* password */
gss_cred_usage_t, /* cred_usage */
diff --git a/lib/gssapi/mech/doxygen.c b/lib/gssapi/mech/doxygen.c
index a341cba2dac1..4ead9f17e93a 100644
--- a/lib/gssapi/mech/doxygen.c
+++ b/lib/gssapi/mech/doxygen.c
@@ -39,13 +39,12 @@
* - SPNEGO
* - NTLM
*
- * See @ref gssapi_mechs for more describtion about these mechanisms.
- *
- * The project web page: http://www.h5l.org/
+ * @sa
*
* - @ref gssapi_services_intro
* - @ref gssapi_mechs
* - @ref gssapi_api_INvsMN
+ * - The project web page: http://www.h5l.org/
*/
/**
@@ -105,28 +104,30 @@
* @page internalVSmechname Internal names and mechanism names
* @section gssapi_api_INvsMN Name forms
*
- * There are two forms of name in GSS-API, Internal form and
- * Contiguous string ("flat") form. gss_export_name() and
+ * There are two name representations in GSS-API: Internal form and
+ * Contiguous string ("flat") form. Functions gss_export_name() and
* gss_import_name() can be used to convert between the two forms.
*
* - The contiguous string form is described by an oid specificing the
* type and an octet string. A special form of the contiguous
* string form is the exported name object. The exported name
* defined for each mechanism, is something that can be stored and
- * complared later. The exported name is what should be used for
+ * compared later. The exported name is what should be used for
* ACLs comparisons.
*
- * - The Internal form
+ * - The Internal form is opaque to the application programmer and
+ * is implementation-dependent.
*
- * There is also special form of the Internal Name (IN), and that is
+ * - There is also a special form of the Internal Name (IN), and that is
* the Mechanism Name (MN). In the mechanism name all the generic
* information is stripped of and only contain the information for
* one mechanism. In GSS-API some function return MN and some
* require MN as input. Each of these function is marked up as such.
*
- *
- * Describe relationship between import_name, canonicalize_name,
- * export_name and friends.
+ * @FIXME Describe relationship between import_name, canonicalize_name,
+ * export_name and friends. Also, update for RFC2743 language
+ * ("contiguous" and "flat" are gone, leaving just "exported name
+ * token", "internal", and "MN").
*/
/** @defgroup gssapi Heimdal GSS-API functions */
diff --git a/lib/gssapi/mech/gss_accept_sec_context.c b/lib/gssapi/mech/gss_accept_sec_context.c
index bf7ea03f72e4..25205f437acf 100644
--- a/lib/gssapi/mech/gss_accept_sec_context.c
+++ b/lib/gssapi/mech/gss_accept_sec_context.c
@@ -144,7 +144,7 @@ choose_mech(const gss_buffer_t input, gss_OID mech_oid)
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_accept_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
- const gss_cred_id_t acceptor_cred_handle,
+ gss_const_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token,
const gss_channel_bindings_t input_chan_bindings,
gss_name_t *src_name,
diff --git a/lib/gssapi/mech/gss_acquire_cred.c b/lib/gssapi/mech/gss_acquire_cred.c
index ade65df8ec86..095f9056ca69 100644
--- a/lib/gssapi/mech/gss_acquire_cred.c
+++ b/lib/gssapi/mech/gss_acquire_cred.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_acquire_cred(OM_uint32 *minor_status,
- const gss_name_t desired_name,
+ gss_const_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
diff --git a/lib/gssapi/mech/gss_acquire_cred_ext.c b/lib/gssapi/mech/gss_acquire_cred_ext.c
index 1cbb29f141f3..9f2674c26ecc 100644
--- a/lib/gssapi/mech/gss_acquire_cred_ext.c
+++ b/lib/gssapi/mech/gss_acquire_cred_ext.c
@@ -100,13 +100,22 @@ _gss_acquire_mech_cred(OM_uint32 *minor_status,
mc= NULL;
}
- *output_cred_handle = mc;
+ if (major_status != GSS_S_COMPLETE)
+ free(mc);
+ else
+ *output_cred_handle = mc;
return major_status;
}
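Review bot: The new `if (major_status != GSS_S_COMPLETE) free(mc);` in _gss_acquire_mech_cred uses a stricter test than its caller in _gss_acquire_cred_ext, which only skips the result on `GSS_ERROR(major_status)` before doing `HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);`. A status with only supplementary bits set (not an error, not exactly GSS_S_COMPLETE) would therefore free `mc` here, leave `*output_cred_handle` untouched, and the caller would link its still-NULL local into the list. Aligning the two is safer, e.g. `if (GSS_ERROR(major_status))` on the new line, or `!= GSS_S_COMPLETE` at the call site. Note also that `*output_cred_handle` is no longer written on failure, so every caller must pre-initialise its pointer as the visible one does; a comment stating that contract would help. The function's head is outside the hunk.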
+/**
+ * This function is not a public interface and is deprecated anyways, do
+ * not use. Use gss_acquire_cred_with_password() instead for now.
+ *
+ * @deprecated
+ */
OM_uint32
_gss_acquire_cred_ext(OM_uint32 *minor_status,
- const gss_name_t desired_name,
+ gss_const_name_t desired_name,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
@@ -152,7 +161,6 @@ _gss_acquire_cred_ext(OM_uint32 *minor_status,
for (i = 0; i < mechs->count; i++) {
struct _gss_mechanism_name *mn = NULL;
struct _gss_mechanism_cred *mc = NULL;
- gss_name_t desired_mech_name = GSS_C_NO_NAME;
m = __gss_get_mechanism(&mechs->elements[i]);
if (!m)
@@ -163,16 +171,17 @@ _gss_acquire_cred_ext(OM_uint32 *minor_status,
&mechs->elements[i], &mn);
if (major_status != GSS_S_COMPLETE)
continue;
-
- desired_mech_name = mn->gmn_name;
}
major_status = _gss_acquire_mech_cred(minor_status, m, mn,
credential_type, credential_data,
time_req, desired_mech, cred_usage,
&mc);
- if (GSS_ERROR(major_status))
+ if (GSS_ERROR(major_status)) {
+ if (mechs->count == 1)
+ _gss_mg_error(m, major_status, *minor_status);
continue;
+ }
HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
}
@@ -183,7 +192,8 @@ _gss_acquire_cred_ext(OM_uint32 *minor_status,
*/
if (!HEIM_SLIST_FIRST(&cred->gc_mc)) {
free(cred);
- *minor_status = 0;
+ if (mechs->count > 1)
+ *minor_status = 0;
return GSS_S_NO_CRED;
}
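Review bot: `if (mechs->count > 1) *minor_status = 0;` assumes that with a single mechanism `*minor_status` holds that mechanism's error, but the loop above also reaches this point when the sole mechanism was skipped by a `continue` before `_gss_acquire_mech_cred` was called (the `if (!m)` test and the `_gss_find_mn` failure in the hunk above). On those paths `*minor_status` is whatever it last held, unless the function zeroes it at entry, which is outside the hunk. Tracking whether a mechanism call actually set it (a local flag set next to the `_gss_mg_error(...)` call) and zeroing otherwise would make the returned minor code reliable; the same pattern appears in the gss_acquire_cred_with_password.c hunk below. The enclosing function continues past the hunk.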
diff --git a/lib/gssapi/mech/gss_acquire_cred_with_password.c b/lib/gssapi/mech/gss_acquire_cred_with_password.c
index 8c2a6488f8ad..2f41f8906dc2 100644
--- a/lib/gssapi/mech/gss_acquire_cred_with_password.c
+++ b/lib/gssapi/mech/gss_acquire_cred_with_password.c
@@ -34,7 +34,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_acquire_cred_with_password(OM_uint32 *minor_status,
- const gss_name_t desired_name,
+ gss_const_name_t desired_name,
const gss_buffer_t password,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -93,7 +93,8 @@ gss_acquire_cred_with_password(OM_uint32 *minor_status,
if (!HEIM_SLIST_FIRST(&new_cred->gc_mc)) {
free(new_cred);
- *minor_status = 0;
+ if (desired_mechs->count > 1)
+ *minor_status = 0;
return GSS_S_NO_CRED;
}
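Review bot: `desired_mechs->count` on the new line dereferences the raw `desired_mechs` parameter; if GSS_C_NO_OID_SET is an accepted value for this parameter and an earlier part of the function (outside the hunk) substitutes a default set only into another variable, this failure path now crashes on a NULL pointer. Either test `desired_mechs != GSS_C_NO_OID_SET && desired_mechs->count > 1`, or use the resolved set variable that the loop above iterates over.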
diff --git a/lib/gssapi/mech/gss_add_cred.c b/lib/gssapi/mech/gss_add_cred.c
index a998bc60ff80..b56e3d760824 100644
--- a/lib/gssapi/mech/gss_add_cred.c
+++ b/lib/gssapi/mech/gss_add_cred.c
@@ -72,8 +72,8 @@ _gss_copy_cred(struct _gss_mechanism_cred *mc)
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_add_cred(OM_uint32 *minor_status,
- const gss_cred_id_t input_cred_handle,
- const gss_name_t desired_name,
+ gss_const_cred_id_t input_cred_handle,
+ gss_const_name_t desired_name,
const gss_OID desired_mech,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
diff --git a/lib/gssapi/mech/gss_add_cred_with_password.c b/lib/gssapi/mech/gss_add_cred_with_password.c
index f966305cfb16..b20f64f774b6 100644
--- a/lib/gssapi/mech/gss_add_cred_with_password.c
+++ b/lib/gssapi/mech/gss_add_cred_with_password.c
@@ -30,8 +30,8 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_add_cred_with_password(OM_uint32 *minor_status,
- const gss_cred_id_t input_cred_handle,
- const gss_name_t desired_name,
+ gss_const_cred_id_t input_cred_handle,
+ gss_const_name_t desired_name,
const gss_OID desired_mech,
const gss_buffer_t password,
gss_cred_usage_t cred_usage,
diff --git a/lib/gssapi/mech/gss_aeap.c b/lib/gssapi/mech/gss_aeap.c
index 3008c0d34484..6395d8442b8c 100644
--- a/lib/gssapi/mech/gss_aeap.c
+++ b/lib/gssapi/mech/gss_aeap.c
@@ -199,7 +199,7 @@ gss_OID_desc GSSAPI_LIB_FUNCTION __gss_c_attr_stream_sizes_oid_desc =
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_context_query_attributes(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
const gss_OID attribute,
void *data,
size_t len)
@@ -214,3 +214,121 @@ gss_context_query_attributes(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
+
+/*
+ * AEAD wrap API for a single piece of associated data, for compatibility
+ * with MIT and as specified by draft-howard-gssapi-aead-00.txt.
+ *
+ * @ingroup gssapi
+ */
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_wrap_aead(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t input_payload_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+ OM_uint32 major_status, tmp, flags = 0;
+ gss_iov_buffer_desc iov[5];
+ size_t i;
+ unsigned char *p;
+
+ memset(iov, 0, sizeof(iov));
+
+ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+
+ iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ if (input_assoc_buffer)
+ iov[1].buffer = *input_assoc_buffer;
+
+ iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
+ if (input_payload_buffer)
+ iov[2].buffer.length = input_payload_buffer->length;
+
+ gss_inquire_context(minor_status, context_handle, NULL, NULL,
+ NULL, NULL, &flags, NULL, NULL);
+
+ /* krb5 mech rejects padding/trailer if DCE-style is set */
+ iov[3].type = (flags & GSS_C_DCE_STYLE) ? GSS_IOV_BUFFER_TYPE_EMPTY
+ : GSS_IOV_BUFFER_TYPE_PADDING;
+ iov[4].type = (flags & GSS_C_DCE_STYLE) ? GSS_IOV_BUFFER_TYPE_EMPTY
+ : GSS_IOV_BUFFER_TYPE_TRAILER;
+
+ major_status = gss_wrap_iov_length(minor_status, context_handle,
+ conf_req_flag, qop_req, conf_state,
+ iov, 5);
+ if (GSS_ERROR(major_status))
+ return major_status;
+
+ for (i = 0, output_message_buffer->length = 0; i < 5; i++) {
+ if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
+ continue;
+
+ output_message_buffer->length += iov[i].buffer.length;
+ }
+
+ output_message_buffer->value = malloc(output_message_buffer->length);
+ if (output_message_buffer->value == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ for (i = 0, p = output_message_buffer->value; i < 5; i++) {
+ if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
+ continue;
+ else if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA)
+ memcpy(p, input_payload_buffer->value, input_payload_buffer->length);
+
+ iov[i].buffer.value = p;
+ p += iov[i].buffer.length;
+ }
+
+ major_status = gss_wrap_iov(minor_status, context_handle, conf_req_flag,
+ qop_req, conf_state, iov, 5);
+ if (GSS_ERROR(major_status))
+ gss_release_buffer(&tmp, output_message_buffer);
+
+ return major_status;
+}
+
+/*
+ * AEAD unwrap for a single piece of associated data, for compatibility
+ * with MIT and as specified by draft-howard-gssapi-aead-00.txt.
+ *
+ * @ingroup gssapi
+ */
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_unwrap_aead(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t input_assoc_buffer,
+ gss_buffer_t output_payload_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state)
+{
+ OM_uint32 major_status, tmp;
+ gss_iov_buffer_desc iov[3];
+
+ memset(iov, 0, sizeof(iov));
+
+ iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
+ iov[0].buffer = *input_message_buffer;
+
+ iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ if (input_assoc_buffer)
+ iov[1].buffer = *input_assoc_buffer;
+
+ iov[2].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE;
+
+ major_status = gss_unwrap_iov(minor_status, context_handle, conf_state,
+ qop_state, iov, 3);
+ if (GSS_ERROR(major_status))
+ gss_release_iov_buffer(&tmp, &iov[2], 1);
+ else
+ *output_payload_buffer = iov[2].buffer;
+
+ return major_status;
+}
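Review bot: gss_wrap_aead treats `input_payload_buffer` as optional when sizing the DATA iov (`if (input_payload_buffer)` before `iov[2].buffer.length = ...`), but the copy loop later dereferences it unconditionally in `memcpy(p, input_payload_buffer->value, input_payload_buffer->length);`, so a NULL payload passes the first guard and crashes on the second. Guard the copy the same way, e.g. `else if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA && input_payload_buffer)`, or reject a NULL payload up front with GSS_S_CALL_INACCESSIBLE_READ. The return value of `gss_inquire_context(...)` is also ignored, so if it fails `flags` silently stays 0 and padding/trailer buffers are requested even for a DCE-style context; checking it and returning the error keeps the failure visible. In gss_unwrap_aead, `*output_payload_buffer` is left untouched on the error path; zeroing it (`_mg_buffer_zero(output_payload_buffer);`) or documenting that callers must not read it on error avoids returning a stale buffer.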
diff --git a/lib/gssapi/mech/gss_authorize_localname.c b/lib/gssapi/mech/gss_authorize_localname.c
index a0ad065da887..c04cfe01879e 100644
--- a/lib/gssapi/mech/gss_authorize_localname.c
+++ b/lib/gssapi/mech/gss_authorize_localname.c
@@ -114,8 +114,8 @@ attr_authorize_localname(OM_uint32 *minor_status,
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_authorize_localname(OM_uint32 *minor_status,
- const gss_name_t gss_name,
- const gss_name_t gss_user)
+ gss_const_name_t gss_name,
+ gss_const_name_t gss_user)
{
OM_uint32 major_status;
@@ -164,7 +164,7 @@ gss_authorize_localname(OM_uint32 *minor_status,
}
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
-gss_userok(const gss_name_t name,
+gss_userok(gss_const_name_t name,
const char *user)
{
OM_uint32 major_status, minor_status;
diff --git a/lib/gssapi/mech/gss_canonicalize_name.c b/lib/gssapi/mech/gss_canonicalize_name.c
index bd8ff5212071..4918e5e0034e 100644
--- a/lib/gssapi/mech/gss_canonicalize_name.c
+++ b/lib/gssapi/mech/gss_canonicalize_name.c
@@ -54,7 +54,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_canonicalize_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
+ gss_const_name_t input_name,
const gss_OID mech_type,
gss_name_t *output_name)
{
diff --git a/lib/gssapi/mech/gss_compare_name.c b/lib/gssapi/mech/gss_compare_name.c
index 70b4b1c20673..18a8536ab4fa 100644
--- a/lib/gssapi/mech/gss_compare_name.c
+++ b/lib/gssapi/mech/gss_compare_name.c
@@ -30,8 +30,8 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_compare_name(OM_uint32 *minor_status,
- const gss_name_t name1_arg,
- const gss_name_t name2_arg,
+ gss_const_name_t name1_arg,
+ gss_const_name_t name2_arg,
int *name_equal)
{
struct _gss_name *name1 = (struct _gss_name *) name1_arg;
@@ -47,7 +47,7 @@ gss_compare_name(OM_uint32 *minor_status,
if (!gss_oid_equal(&name1->gn_type, &name2->gn_type)) {
*name_equal = 0;
} else if (name1->gn_value.length != name2->gn_value.length ||
- memcmp(name1->gn_value.value, name1->gn_value.value,
+ memcmp(name1->gn_value.value, name2->gn_value.value,
name1->gn_value.length)) {
*name_equal = 0;
}
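Review bot: A regression test is missing for the corrected `memcmp(name1->gn_value.value, name2->gn_value.value, ...)`: the old code compared `name1` against itself, so any two names of the same type and length compared equal, and since gss_compare_name feeds access-control decisions this is the kind of fix that should be pinned. A test importing two distinct names of equal type and byte length and asserting `*name_equal == 0` would do it. The enclosing function continues outside the hunk.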
diff --git a/lib/gssapi/mech/gss_context_time.c b/lib/gssapi/mech/gss_context_time.c
index 69434ee898e5..a5b646cf6625 100644
--- a/lib/gssapi/mech/gss_context_time.c
+++ b/lib/gssapi/mech/gss_context_time.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_context_time(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
OM_uint32 *time_rec)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
diff --git a/lib/gssapi/mech/gss_delete_sec_context.c b/lib/gssapi/mech/gss_delete_sec_context.c
index ce57a76682ab..69d9cb6a07d7 100644
--- a/lib/gssapi/mech/gss_delete_sec_context.c
+++ b/lib/gssapi/mech/gss_delete_sec_context.c
@@ -33,7 +33,7 @@ gss_delete_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token)
{
- OM_uint32 major_status;
+ OM_uint32 major_status = GSS_S_COMPLETE;
struct _gss_context *ctx = (struct _gss_context *) *context_handle;
if (output_token)
@@ -53,5 +53,5 @@ gss_delete_sec_context(OM_uint32 *minor_status,
*context_handle = GSS_C_NO_CONTEXT;
}
- return (GSS_S_COMPLETE);
+ return (major_status);
}
diff --git a/lib/gssapi/mech/gss_display_name.c b/lib/gssapi/mech/gss_display_name.c
index 524a586fbef8..a4af66a90474 100644
--- a/lib/gssapi/mech/gss_display_name.c
+++ b/lib/gssapi/mech/gss_display_name.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_display_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
+ gss_const_name_t input_name,
gss_buffer_t output_name_buffer,
gss_OID *output_name_type)
{
diff --git a/lib/gssapi/mech/gss_display_status.c b/lib/gssapi/mech/gss_display_status.c
index 1e508caa9baf..a79ef350dc93 100644
--- a/lib/gssapi/mech/gss_display_status.c
+++ b/lib/gssapi/mech/gss_display_status.c
@@ -134,25 +134,43 @@ supplementary_error(OM_uint32 v)
return msgs[v];
}
-
+/**
+ * Convert a GSS-API status code to text
+ *
+ * @param minor_status minor status code
+ * @param status_value status value to convert
+ * @param status_type One of:
+ * GSS_C_GSS_CODE - status_value is a GSS status code,
+ * GSS_C_MECH_CODE - status_value is a mechanism status code
+ * @param mech_type underlying mechanism. Use GSS_C_NO_OID to obtain the
+ * system default.
+ * @param message_context state information to extract further messages from the
+ * status_value
+ * @param status_string the allocated text representation. Release with
+ * gss_release_buffer()
+ *
+ * @returns a gss_error code.
+ *
+ * @ingroup gssapi
+ */
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_display_status(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
- OM_uint32 *message_content,
+ OM_uint32 *message_context,
gss_buffer_t status_string)
{
OM_uint32 major_status;
_mg_buffer_zero(status_string);
- *message_content = 0;
+ *message_context = 0;
major_status = _gss_mg_get_error(mech_type, status_type,
status_value, status_string);
if (major_status == GSS_S_COMPLETE) {
- *message_content = 0;
+ *message_context = 0;
*minor_status = 0;
return GSS_S_COMPLETE;
}
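Review bot: `*message_context = 0;` is assigned twice on the success path: once unconditionally before `_gss_mg_get_error(...)` and again inside the `if (major_status == GSS_S_COMPLETE)` branch; the second assignment is redundant and can be dropped. The new doc comment could also say that this implementation leaves `*message_context` at 0 and never requests a continuation, if that holds for the part of the body outside the hunk.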
diff --git a/lib/gssapi/mech/gss_duplicate_name.c b/lib/gssapi/mech/gss_duplicate_name.c
index a76c87cb852a..d6aaf49233fe 100644
--- a/lib/gssapi/mech/gss_duplicate_name.c
+++ b/lib/gssapi/mech/gss_duplicate_name.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_duplicate_name(OM_uint32 *minor_status,
- const gss_name_t src_name,
+ gss_const_name_t src_name,
gss_name_t *dest_name)
{
OM_uint32 major_status;
diff --git a/lib/gssapi/mech/gss_export_name.c b/lib/gssapi/mech/gss_export_name.c
index 3e6e62681913..7365c720d28e 100644
--- a/lib/gssapi/mech/gss_export_name.c
+++ b/lib/gssapi/mech/gss_export_name.c
@@ -28,9 +28,23 @@
#include "mech_locl.h"
+/**
+ * Convert a GGS-API name from internal form to contiguous string.
+ *
+ * @sa gss_import_name(), @ref internalVSmechname.
+ *
+ * @param minor_status minor status code
+ * @param input_name input name in internal name form
+ * @param exported_name output name in contiguos string form
+ *
+ * @returns a gss_error code, see gss_display_status() about printing
+ * the error code.
+ *
+ * @ingroup gssapi
+ */
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_export_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
+ gss_const_name_t input_name,
gss_buffer_t exported_name)
{
struct _gss_name *name = (struct _gss_name *) input_name;
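Review bot: The new doc comment misspells `GGS-API` (for GSS-API) and `contiguos` (for contiguous) in the header line and the `@param exported_name` line; the same `GGS-API` typo is introduced in the gss_import_name.c hunk (`Convert a GGS-API name from contiguous string to internal form.`). Suggested wording: `Convert a GSS-API name from internal form to contiguous string.` and `@param exported_name output name in contiguous string form`.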
diff --git a/lib/gssapi/mech/gss_get_mic.c b/lib/gssapi/mech/gss_get_mic.c
index 6eebfe0bbb03..8663053d48e7 100644
--- a/lib/gssapi/mech/gss_get_mic.c
+++ b/lib/gssapi/mech/gss_get_mic.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_get_mic(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token)
diff --git a/lib/gssapi/mech/gss_import_name.c b/lib/gssapi/mech/gss_import_name.c
index d1b3dc95b4a4..4c1d940d9af8 100644
--- a/lib/gssapi/mech/gss_import_name.c
+++ b/lib/gssapi/mech/gss_import_name.c
@@ -149,7 +149,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
}
/**
- * Import a name internal or mechanism name
+ * Convert a GGS-API name from contiguous string to internal form.
*
* Type of name and their format:
* - GSS_C_NO_OID
@@ -159,12 +159,12 @@ _gss_import_export_name(OM_uint32 *minor_status,
* - GSS_C_NT_ANONYMOUS
* - GSS_KRB5_NT_PRINCIPAL_NAME
*
- * For more information about @ref internalVSmechname.
+ * @sa gss_export_name(), @ref internalVSmechname.
*
- * @param minor_status minor status code
- * @param input_name_buffer import name buffer
- * @param input_name_type type of the import name buffer
- * @param output_name the resulting type, release with
+ * @param minor_status minor status code
+ * @param input_name_buffer import name buffer
+ * @param input_name_type type of the import name buffer
+ * @param output_name the resulting type, release with
* gss_release_name(), independent of input_name
*
* @returns a gss_error code, see gss_display_status() about printing
diff --git a/lib/gssapi/mech/gss_indicate_mechs.c b/lib/gssapi/mech/gss_indicate_mechs.c
index 8fd53d956d58..12d7f1ae300e 100644
--- a/lib/gssapi/mech/gss_indicate_mechs.c
+++ b/lib/gssapi/mech/gss_indicate_mechs.c
@@ -43,6 +43,7 @@ gss_indicate_mechs(OM_uint32 *minor_status,
if (major_status)
return (major_status);
+ /* XXX We ignore ENOMEM from gss_add_oid_set_member() */
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (m->gm_mech.gm_indicate_mechs) {
major_status = m->gm_mech.gm_indicate_mechs(
@@ -50,11 +51,11 @@ gss_indicate_mechs(OM_uint32 *minor_status,
if (major_status)
continue;
for (i = 0; i < set->count; i++)
- major_status = gss_add_oid_set_member(
+ gss_add_oid_set_member(
minor_status, &set->elements[i], mech_set);
gss_release_oid_set(minor_status, &set);
} else {
- major_status = gss_add_oid_set_member(
+ gss_add_oid_set_member(
minor_status, &m->gm_mech_oid, mech_set);
}
}
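Review bot: The new `/* XXX We ignore ENOMEM from gss_add_oid_set_member() */` comment records a defect rather than fixing it: when `gss_add_oid_set_member` fails, the loop continues and the function returns GSS_S_COMPLETE with a silently truncated mechanism set, which callers then treat as the complete list of available mechanisms. Capture the return value again and, on failure, release `set` and the partially built set in `*mech_set` before returning the error. The function's epilogue is outside the hunk, so whether a shared cleanup label exists is not visible here.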
diff --git a/lib/gssapi/mech/gss_init_sec_context.c b/lib/gssapi/mech/gss_init_sec_context.c
index af0170a50a51..21e02aea6972 100644
--- a/lib/gssapi/mech/gss_init_sec_context.c
+++ b/lib/gssapi/mech/gss_init_sec_context.c
@@ -29,7 +29,7 @@
#include "mech_locl.h"
static gss_cred_id_t
-_gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
+_gss_mech_cred_find(gss_const_cred_id_t cred_handle, gss_OID mech_type)
{
struct _gss_cred *cred = (struct _gss_cred *)cred_handle;
struct _gss_mechanism_cred *mc;
@@ -107,9 +107,9 @@ _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_init_sec_context(OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ gss_const_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,
- const gss_name_t target_name,
+ gss_const_name_t target_name,
const gss_OID input_mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
@@ -125,7 +125,7 @@ gss_init_sec_context(OM_uint32 * minor_status,
struct _gss_name *name = (struct _gss_name *) target_name;
struct _gss_mechanism_name *mn;
struct _gss_context *ctx = (struct _gss_context *) *context_handle;
- gss_cred_id_t cred_handle;
+ gss_const_cred_id_t cred_handle;
int allocated_ctx;
gss_OID mech_type = input_mech_type;
@@ -172,7 +172,7 @@ gss_init_sec_context(OM_uint32 * minor_status,
major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
if (major_status != GSS_S_COMPLETE) {
if (allocated_ctx)
- free(ctx);
+ free(ctx);
return major_status;
}
@@ -184,6 +184,13 @@ gss_init_sec_context(OM_uint32 * minor_status,
else
cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
+ if (initiator_cred_handle != GSS_C_NO_CREDENTIAL &&
+ cred_handle == NULL) {
+ if (allocated_ctx)
+ free(ctx);
+ return GSS_S_NO_CRED;
+ }
+
major_status = m->gm_init_sec_context(minor_status,
cred_handle,
&ctx->gc_ctx,
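Review bot: The new `return GSS_S_NO_CRED;` for an initiator credential that has no element for `mech_type` does not set `*minor_status`, unlike the other early returns in this function which follow a callee that set it; unless `*minor_status` is zeroed at entry (outside this hunk), callers receive a stale minor code. Add `*minor_status = 0;` inside the new block before the return. The check deserves a comment, since without it `cred_handle == NULL` would be passed to the mechanism as GSS_C_NO_CREDENTIAL and the caller's explicit credential would be silently replaced by the mechanism default: `/* caller supplied a credential with no element for this mech; do not fall back to default creds */`.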
diff --git a/lib/gssapi/mech/gss_inquire_context.c b/lib/gssapi/mech/gss_inquire_context.c
index 2568075988f1..aedaa6cb9ff4 100644
--- a/lib/gssapi/mech/gss_inquire_context.c
+++ b/lib/gssapi/mech/gss_inquire_context.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_inquire_context(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
gss_name_t *src_name,
gss_name_t *targ_name,
OM_uint32 *lifetime_rec,
diff --git a/lib/gssapi/mech/gss_inquire_cred.c b/lib/gssapi/mech/gss_inquire_cred.c
index 1db0f233033c..992514a9acdf 100644
--- a/lib/gssapi/mech/gss_inquire_cred.c
+++ b/lib/gssapi/mech/gss_inquire_cred.c
@@ -44,7 +44,7 @@ updateusage(gss_cred_usage_t usage, int *usagemask)
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_inquire_cred(OM_uint32 *minor_status,
- const gss_cred_id_t cred_handle,
+ gss_const_cred_id_t cred_handle,
gss_name_t *name_ret,
OM_uint32 *lifetime,
gss_cred_usage_t *cred_usage,
diff --git a/lib/gssapi/mech/gss_inquire_cred_by_mech.c b/lib/gssapi/mech/gss_inquire_cred_by_mech.c
index e7746e46578d..7bd0bfaad90a 100644
--- a/lib/gssapi/mech/gss_inquire_cred_by_mech.c
+++ b/lib/gssapi/mech/gss_inquire_cred_by_mech.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_inquire_cred_by_mech(OM_uint32 *minor_status,
- const gss_cred_id_t cred_handle,
+ gss_const_cred_id_t cred_handle,
const gss_OID mech_type,
gss_name_t *cred_name,
OM_uint32 *initiator_lifetime,
diff --git a/lib/gssapi/mech/gss_inquire_cred_by_oid.c b/lib/gssapi/mech/gss_inquire_cred_by_oid.c
index e674dd48f3e4..8836a09ffe47 100644
--- a/lib/gssapi/mech/gss_inquire_cred_by_oid.c
+++ b/lib/gssapi/mech/gss_inquire_cred_by_oid.c
@@ -34,7 +34,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_inquire_cred_by_oid (OM_uint32 *minor_status,
- const gss_cred_id_t cred_handle,
+ gss_const_cred_id_t cred_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
diff --git a/lib/gssapi/mech/gss_inquire_mechs_for_name.c b/lib/gssapi/mech/gss_inquire_mechs_for_name.c
index f8eab82dc1cd..8fd2286ea7c3 100644
--- a/lib/gssapi/mech/gss_inquire_mechs_for_name.c
+++ b/lib/gssapi/mech/gss_inquire_mechs_for_name.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_inquire_mechs_for_name(OM_uint32 *minor_status,
- const gss_name_t input_name,
+ gss_const_name_t input_name,
gss_OID_set *mech_types)
{
OM_uint32 major_status;
diff --git a/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c b/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c
index cc6e5c9cb6e2..ac45265b3ed1 100644
--- a/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c
+++ b/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c
@@ -34,7 +34,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
diff --git a/lib/gssapi/mech/gss_mech_switch.c b/lib/gssapi/mech/gss_mech_switch.c
index 55e01094ff91..58b187eda296 100644
--- a/lib/gssapi/mech/gss_mech_switch.c
+++ b/lib/gssapi/mech/gss_mech_switch.c
@@ -315,6 +315,8 @@ _gss_load_mech(void)
goto bad;
m->gm_so = so;
+ m->gm_mech_oid = mech_oid;
+ m->gm_mech.gm_name = strdup(name);
m->gm_mech.gm_mech_oid = mech_oid;
m->gm_mech.gm_flags = 0;
m->gm_mech.gm_compat = calloc(1, sizeof(struct gss_mech_compat_desc_struct));
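Review bot: `m->gm_mech.gm_name = strdup(name);` is not checked, so on allocation failure `gm_name` stays NULL and any later consumer of the mechanism name dereferences it. The cleanup hunk below already frees `gm_name` (`free((char *)m->gm_mech.gm_name);`), so an early exit is safe; add `if (m->gm_mech.gm_name == NULL) goto bad;` after the assignment, matching the `goto bad;` used for the preceding failure in this hunk. Whether `bad` is the cleanup block shown in the later hunk is inferred, as the label itself is outside view.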
@@ -381,7 +383,7 @@ _gss_load_mech(void)
OPTSYM(set_name_attribute);
OPTSYM(delete_name_attribute);
OPTSYM(export_name_composite);
- OPTSYM(pname_to_uid);
+ OPTSYM(localname);
OPTSPISYM(authorize_localname);
mi = dlsym(so, "gss_mo_init");
@@ -414,6 +416,7 @@ _gss_load_mech(void)
if (m != NULL) {
free(m->gm_mech.gm_compat);
free(m->gm_mech.gm_mech_oid.elements);
+ free((char *)m->gm_mech.gm_name);
free(m);
}
dlclose(so);
diff --git a/lib/gssapi/mech/gss_mo.c b/lib/gssapi/mech/gss_mo.c
index ad74d9237a2d..d0cde08ef1b8 100644
--- a/lib/gssapi/mech/gss_mo.c
+++ b/lib/gssapi/mech/gss_mo.c
@@ -203,6 +203,7 @@ make_sasl_name(OM_uint32 *minor, const gss_OID mech, char sasl_name[16])
EVP_DigestUpdate(ctx, hdr, 2);
EVP_DigestUpdate(ctx, mech->elements, mech->length);
EVP_DigestFinal_ex(ctx, hash, NULL);
+ EVP_MD_CTX_destroy(ctx);
memcpy(p, "GS2-", 4);
p += 4;
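Review bot: The added `EVP_MD_CTX_destroy(ctx);` closes the leak, but the `EVP_DigestUpdate` and `EVP_DigestFinal_ex` calls above it still have their return values ignored; if a digest step fails, `hash` is used uninitialised to build the SASL mechanism name that follows `memcpy(p, "GS2-", 4);`. Check each result and, on failure, destroy the context and return an error through `minor` before the name is assembled (the function's return type and head are outside the hunk, so the exact error value is not visible here).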
diff --git a/lib/gssapi/mech/gss_oid.c b/lib/gssapi/mech/gss_oid.c
index 916d1e4dda5e..fe9686d53638 100644
--- a/lib/gssapi/mech/gss_oid.c
+++ b/lib/gssapi/mech/gss_oid.c
@@ -104,10 +104,10 @@ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") };
/* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x81\x48") };
/* GSS_C_CRED_CERTIFICATE - 1.2.752.43.13.201 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x49" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x81\x49") };
/* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
@@ -139,8 +139,8 @@ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, rk_UNCONS
/* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") };
-/* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xca\x29\x13\x05") };
+/* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.5322.19.5 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05") };
/* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x01") };
@@ -224,43 +224,43 @@ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, rk_UNCONST(
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1b") };
struct _gss_oid_name_table _gss_ont_ma[] = {
- { GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" },
+ { GSS_C_MA_AUTH_INIT, "GSS_C_MA_AUTH_INIT", "auth-init-princ", "" },
+ { GSS_C_MA_AUTH_INIT_ANON, "GSS_C_MA_AUTH_INIT_ANON", "auth-init-princ-anon", "" },
+ { GSS_C_MA_AUTH_INIT_INIT, "GSS_C_MA_AUTH_INIT_INIT", "auth-init-princ-initial", "" },
+ { GSS_C_MA_AUTH_TARG, "GSS_C_MA_AUTH_TARG", "auth-targ-princ", "" },
+ { GSS_C_MA_AUTH_TARG_ANON, "GSS_C_MA_AUTH_TARG_ANON", "auth-targ-princ-anon", "" },
{ GSS_C_MA_AUTH_TARG_INIT, "GSS_C_MA_AUTH_TARG_INIT", "auth-targ-princ-initial", "" },
{ GSS_C_MA_CBINDINGS, "GSS_C_MA_CBINDINGS", "channel-bindings", "" },
- { GSS_C_MA_WRAP, "GSS_C_MA_WRAP", "wrap", "" },
+ { GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" },
+ { GSS_C_MA_CONF_PROT, "GSS_C_MA_CONF_PROT", "conf-prot", "" },
+ { GSS_C_MA_CTX_TRANS, "GSS_C_MA_CTX_TRANS", "context-transfer", "" },
+ { GSS_C_MA_DELEG_CRED, "GSS_C_MA_DELEG_CRED", "deleg-cred", "" },
+ { GSS_C_MA_DEPRECATED, "GSS_C_MA_DEPRECATED", "mech-deprecated", "" },
+ { GSS_C_MA_INTEG_PROT, "GSS_C_MA_INTEG_PROT", "integ-prot", "" },
{ GSS_C_MA_ITOK_FRAMED, "GSS_C_MA_ITOK_FRAMED", "initial-is-framed", "" },
- { GSS_C_MA_MECH_NEGO, "GSS_C_MA_MECH_NEGO", "mech-negotiation-mech", "" },
{ GSS_C_MA_MECH_COMPOSITE, "GSS_C_MA_MECH_COMPOSITE", "composite-mech", "" },
- { GSS_C_MA_REPLAY_DET, "GSS_C_MA_REPLAY_DET", "replay-detection", "" },
- { GSS_C_MA_AUTH_INIT_ANON, "GSS_C_MA_AUTH_INIT_ANON", "auth-init-princ-anon", "" },
- { GSS_C_MA_PROT_READY, "GSS_C_MA_PROT_READY", "prot-ready", "" },
- { GSS_C_MA_AUTH_INIT, "GSS_C_MA_AUTH_INIT", "auth-init-princ", "" },
- { GSS_C_MA_PFS, "GSS_C_MA_PFS", "pfs", "" },
- { GSS_C_MA_CONF_PROT, "GSS_C_MA_CONF_PROT", "conf-prot", "" },
- { GSS_C_MA_MECH_PSEUDO, "GSS_C_MA_MECH_PSEUDO", "pseudo-mech", "" },
- { GSS_C_MA_AUTH_TARG, "GSS_C_MA_AUTH_TARG", "auth-targ-princ", "" },
+ { GSS_C_MA_MECH_CONCRETE, "GSS_C_MA_MECH_CONCRETE", "concrete-mech", "Indicates that a mech is neither a pseudo-mechanism nor a composite mechanism" },
+ { GSS_C_MA_MECH_DESCRIPTION, "GSS_C_MA_MECH_DESCRIPTION", "Mech description", "The long description of the mechanism" },
+ { GSS_C_MA_MECH_GLUE, "GSS_C_MA_MECH_GLUE", "mech-glue", "" },
{ GSS_C_MA_MECH_NAME, "GSS_C_MA_MECH_NAME", "GSS mech name", "The name of the GSS-API mechanism" },
- { GSS_C_MA_NOT_MECH, "GSS_C_MA_NOT_MECH", "not-mech", "" },
+ { GSS_C_MA_MECH_NEGO, "GSS_C_MA_MECH_NEGO", "mech-negotiation-mech", "" },
+ { GSS_C_MA_MECH_PSEUDO, "GSS_C_MA_MECH_PSEUDO", "pseudo-mech", "" },
{ GSS_C_MA_MIC, "GSS_C_MA_MIC", "mic", "" },
- { GSS_C_MA_DEPRECATED, "GSS_C_MA_DEPRECATED", "mech-deprecated", "" },
- { GSS_C_MA_MECH_GLUE, "GSS_C_MA_MECH_GLUE", "mech-glue", "" },
- { GSS_C_MA_DELEG_CRED, "GSS_C_MA_DELEG_CRED", "deleg-cred", "" },
{ GSS_C_MA_NOT_DFLT_MECH, "GSS_C_MA_NOT_DFLT_MECH", "mech-not-default", "" },
- { GSS_C_MA_AUTH_TARG_ANON, "GSS_C_MA_AUTH_TARG_ANON", "auth-targ-princ-anon", "" },
- { GSS_C_MA_INTEG_PROT, "GSS_C_MA_INTEG_PROT", "integ-prot", "" },
- { GSS_C_MA_CTX_TRANS, "GSS_C_MA_CTX_TRANS", "context-transfer", "" },
- { GSS_C_MA_MECH_DESCRIPTION, "GSS_C_MA_MECH_DESCRIPTION", "Mech description", "The long description of the mechanism" },
+ { GSS_C_MA_NOT_MECH, "GSS_C_MA_NOT_MECH", "not-mech", "" },
{ GSS_C_MA_OOS_DET, "GSS_C_MA_OOS_DET", "oos-detection", "" },
- { GSS_C_MA_AUTH_INIT_INIT, "GSS_C_MA_AUTH_INIT_INIT", "auth-init-princ-initial", "" },
- { GSS_C_MA_MECH_CONCRETE, "GSS_C_MA_MECH_CONCRETE", "concrete-mech", "Indicates that a mech is neither a pseudo-mechanism nor a composite mechanism" },
+ { GSS_C_MA_PFS, "GSS_C_MA_PFS", "pfs", "" },
+ { GSS_C_MA_PROT_READY, "GSS_C_MA_PROT_READY", "prot-ready", "" },
+ { GSS_C_MA_REPLAY_DET, "GSS_C_MA_REPLAY_DET", "replay-detection", "" },
{ GSS_C_MA_SASL_MECH_NAME, "GSS_C_MA_SASL_MECH_NAME", "SASL mechanism name", "The name of the SASL mechanism" },
- { NULL }
+ { GSS_C_MA_WRAP, "GSS_C_MA_WRAP", "wrap", "" },
+ { NULL, NULL, NULL, NULL }
};
struct _gss_oid_name_table _gss_ont_mech[] = {
{ GSS_KRB5_MECHANISM, "GSS_KRB5_MECHANISM", "Kerberos 5", "Heimdal Kerberos 5 mechanism" },
- { GSS_SPNEGO_MECHANISM, "GSS_SPNEGO_MECHANISM", "SPNEGO", "Heimdal SPNEGO mechanism" },
{ GSS_NTLM_MECHANISM, "GSS_NTLM_MECHANISM", "NTLM", "Heimdal NTLM mechanism" },
- { NULL }
+ { GSS_SPNEGO_MECHANISM, "GSS_SPNEGO_MECHANISM", "SPNEGO", "Heimdal SPNEGO mechanism" },
+ { NULL, NULL, NULL, NULL }
};
diff --git a/lib/gssapi/mech/gss_pname_to_uid.c b/lib/gssapi/mech/gss_pname_to_uid.c
index c5f26949f2ae..315f0e0d8147 100644
--- a/lib/gssapi/mech/gss_pname_to_uid.c
+++ b/lib/gssapi/mech/gss_pname_to_uid.c
@@ -33,21 +33,21 @@
#include "mech_locl.h"
static OM_uint32
-mech_pname_to_uid(OM_uint32 *minor_status,
- struct _gss_mechanism_name *mn,
- uid_t *uidp)
+mech_localname(OM_uint32 *minor_status,
+ struct _gss_mechanism_name *mn,
+ gss_buffer_t localname)
{
OM_uint32 major_status = GSS_S_UNAVAILABLE;
*minor_status = 0;
- if (mn->gmn_mech->gm_pname_to_uid == NULL)
+ if (mn->gmn_mech->gm_localname == NULL)
return GSS_S_UNAVAILABLE;
- major_status = mn->gmn_mech->gm_pname_to_uid(minor_status,
- mn->gmn_name,
- mn->gmn_mech_oid,
- uidp);
+ major_status = mn->gmn_mech->gm_localname(minor_status,
+ mn->gmn_name,
+ mn->gmn_mech_oid,
+ localname);
if (GSS_ERROR(major_status))
_gss_mg_error(mn->gmn_mech, major_status, *minor_status);
@@ -55,86 +55,55 @@ mech_pname_to_uid(OM_uint32 *minor_status,
}
static OM_uint32
-attr_pname_to_uid(OM_uint32 *minor_status,
- struct _gss_mechanism_name *mn,
- uid_t *uidp)
+attr_localname(OM_uint32 *minor_status,
+ struct _gss_mechanism_name *mn,
+ gss_buffer_t localname)
{
-#ifdef NO_LOCALNAME
- return GSS_S_UNAVAILABLE;
-#else
OM_uint32 major_status = GSS_S_UNAVAILABLE;
OM_uint32 tmpMinor;
+ gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc display_value = GSS_C_EMPTY_BUFFER;
+ int authenticated = 0, complete = 0;
int more = -1;
*minor_status = 0;
+ localname->length = 0;
+ localname->value = NULL;
+
if (mn->gmn_mech->gm_get_name_attribute == NULL)
return GSS_S_UNAVAILABLE;
- while (more != 0) {
- gss_buffer_desc value;
- gss_buffer_desc display_value;
- int authenticated = 0, complete = 0;
-#ifdef POSIX_GETPWNAM_R
- char pwbuf[2048];
- struct passwd pw, *pwd;
-#else
- struct passwd *pwd;
-#endif
- char *localname;
-
- major_status = mn->gmn_mech->gm_get_name_attribute(minor_status,
- mn->gmn_name,
- GSS_C_ATTR_LOCAL_LOGIN_USER,
- &authenticated,
- &complete,
- &value,
- &display_value,
- &more);
- if (GSS_ERROR(major_status)) {
- _gss_mg_error(mn->gmn_mech, major_status, *minor_status);
- break;
- }
-
- localname = malloc(value.length + 1);
- if (localname == NULL) {
- major_status = GSS_S_FAILURE;
- *minor_status = ENOMEM;
- break;
- }
-
- memcpy(localname, value.value, value.length);
- localname[value.length] = '\0';
-
-#ifdef POSIX_GETPWNAM_R
- if (getpwnam_r(localname, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0)
- pwd = NULL;
-#else
- pwd = getpwnam(localname);
-#endif
+ major_status = mn->gmn_mech->gm_get_name_attribute(minor_status,
+ mn->gmn_name,
+ GSS_C_ATTR_LOCAL_LOGIN_USER,
+ &authenticated,
+ &complete,
+ &value,
+ &display_value,
+ &more);
+ if (GSS_ERROR(major_status)) {
+ _gss_mg_error(mn->gmn_mech, major_status, *minor_status);
+ return major_status;
+ }
- free(localname);
+ if (authenticated) {
+ *localname = value;
+ } else {
+ major_status = GSS_S_UNAVAILABLE;
gss_release_buffer(&tmpMinor, &value);
- gss_release_buffer(&tmpMinor, &display_value);
-
- if (pwd != NULL) {
- *uidp = pwd->pw_uid;
- major_status = GSS_S_COMPLETE;
- *minor_status = 0;
- break;
- } else
- major_status = GSS_S_UNAVAILABLE;
}
+ gss_release_buffer(&tmpMinor, &display_value);
+
return major_status;
-#endif /* NO_LOCALNAME */
}
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_pname_to_uid(OM_uint32 *minor_status,
- const gss_name_t pname,
- const gss_OID mech_type,
- uid_t *uidp)
+gss_localname(OM_uint32 *minor_status,
+ gss_const_name_t pname,
+ const gss_OID mech_type,
+ gss_buffer_t localname)
{
OM_uint32 major_status = GSS_S_UNAVAILABLE;
struct _gss_name *name = (struct _gss_name *) pname;
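Review bot: attr_localname now consumes only the first GSS_C_ATTR_LOCAL_LOGIN_USER value: `more` is initialised to -1 and never read back after the gm_get_name_attribute call, so any further values the mechanism reports are silently dropped, whereas the removed `while (more != 0)` loop walked all of them; `complete` is likewise fetched and never consulted. If first-value-wins is the intended contract, state it above the call, e.g. `/* Only the first attribute value is consulted; further values (more != 0) and the complete flag are ignored. */`, otherwise the loop should continue until an authenticated value is found. It would also help callers to note at `*localname = value;` that ownership of the mechanism-allocated buffer passes to the caller, who must free it with gss_release_buffer. The gss_localname definition that begins at the end of this hunk continues beyond it.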
@@ -147,14 +116,14 @@ gss_pname_to_uid(OM_uint32 *minor_status,
if (GSS_ERROR(major_status))
return major_status;
- major_status = mech_pname_to_uid(minor_status, mn, uidp);
+ major_status = mech_localname(minor_status, mn, localname);
if (major_status != GSS_S_COMPLETE)
- major_status = attr_pname_to_uid(minor_status, mn, uidp);
+ major_status = attr_localname(minor_status, mn, localname);
} else {
HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
- major_status = mech_pname_to_uid(minor_status, mn, uidp);
+ major_status = mech_localname(minor_status, mn, localname);
if (major_status != GSS_S_COMPLETE)
- major_status = attr_pname_to_uid(minor_status, mn, uidp);
+ major_status = attr_localname(minor_status, mn, localname);
if (major_status != GSS_S_UNAVAILABLE)
break;
}
@@ -165,3 +134,60 @@ gss_pname_to_uid(OM_uint32 *minor_status,
return major_status;
}
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_pname_to_uid(OM_uint32 *minor_status,
+ gss_const_name_t pname,
+ const gss_OID mech_type,
+ uid_t *uidp)
+{
+#ifdef NO_LOCALNAME
+ return GSS_S_UNAVAILABLE;
+#else
+ OM_uint32 major, tmpMinor;
+ gss_buffer_desc localname = GSS_C_EMPTY_BUFFER;
+ char *szLocalname;
+#ifdef POSIX_GETPWNAM_R
+ char pwbuf[2048];
+ struct passwd pw, *pwd;
+#else
+ struct passwd *pwd;
+#endif
+
+ major = gss_localname(minor_status, pname, mech_type, &localname);
+ if (GSS_ERROR(major))
+ return major;
+
+ szLocalname = malloc(localname.length + 1);
+ if (szLocalname == NULL) {
+ gss_release_buffer(&tmpMinor, &localname);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ memcpy(szLocalname, localname.value, localname.length);
+ szLocalname[localname.length] = '\0';
+
+#ifdef POSIX_GETPWNAM_R
+ if (getpwnam_r(szLocalname, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0)
+ pwd = NULL;
+#else
+ pwd = getpwnam(szLocalname);
+#endif
+
+ gss_release_buffer(&tmpMinor, &localname);
+ free(szLocalname);
+
+ *minor_status = 0;
+
+ if (pwd != NULL) {
+ *uidp = pwd->pw_uid;
+ major = GSS_S_COMPLETE;
+ } else {
+ major = GSS_S_UNAVAILABLE;
+ }
+
+ return major;
+#endif
+}
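Review bot: `szLocalname` is built with memcpy plus a trailing NUL, but `localname` is a counted gss_buffer rather than a C string, so an embedded NUL byte in the value would silently truncate the name and make getpwnam look up a different, shorter account than the one the mechanism returned. Before the malloc, reject such values, and an empty one that would otherwise query getpwnam(""): `if (localname.length == 0 || memchr(localname.value, '\0', localname.length) != NULL) { gss_release_buffer(&tmpMinor, &localname); *minor_status = 0; return GSS_S_BAD_NAME; }`. Whether any current mechanism can actually hand back such a value is not visible here, but the glue layer is the right place to enforce it since any mechanism may implement gm_localname or the attribute. Note also that a getpwnam_r ERANGE against the fixed 2048-byte pwbuf is folded into the same GSS_S_UNAVAILABLE as "no such user", which is safe but hides the cause.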
diff --git a/lib/gssapi/mech/gss_process_context_token.c b/lib/gssapi/mech/gss_process_context_token.c
index e8e9b56cdc7f..d10eb47dbae3 100644
--- a/lib/gssapi/mech/gss_process_context_token.c
+++ b/lib/gssapi/mech/gss_process_context_token.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_process_context_token(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
const gss_buffer_t token_buffer)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
diff --git a/lib/gssapi/mech/gss_store_cred.c b/lib/gssapi/mech/gss_store_cred.c
index 4d2bfdec8b1a..a92611570eb6 100644
--- a/lib/gssapi/mech/gss_store_cred.c
+++ b/lib/gssapi/mech/gss_store_cred.c
@@ -45,7 +45,9 @@ gss_store_cred(OM_uint32 *minor_status,
{
struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
struct _gss_mechanism_cred *mc;
- OM_uint32 maj, junk;
+ OM_uint32 maj = GSS_S_FAILURE;
+ OM_uint32 junk;
+ size_t successes = 0;
if (minor_status == NULL)
return GSS_S_FAILURE;
@@ -69,26 +71,30 @@ gss_store_cred(OM_uint32 *minor_status,
if (m == NULL || m->gm_store_cred == NULL)
continue;
- if (desired_mech) {
- maj = gss_oid_equal(&m->gm_mech_oid, desired_mech);
- if (maj != 0)
- continue;
- }
+ if (desired_mech != GSS_C_NO_OID &&
+ !gss_oid_equal(&m->gm_mech_oid, desired_mech))
+ continue;
maj = (m->gm_store_cred)(minor_status, mc->gmc_cred,
cred_usage, desired_mech, overwrite_cred,
default_cred, NULL, cred_usage_stored);
- if (maj != GSS_S_COMPLETE) {
- gss_release_oid_set(&junk, elements_stored);
- return maj;
- }
+ if (maj == GSS_S_COMPLETE) {
+ if (elements_stored)
+ gss_add_oid_set_member(&junk, desired_mech, elements_stored);
+ successes++;
+ } else if (desired_mech != GSS_C_NO_OID) {
+ gss_release_oid_set(&junk, elements_stored);
+ return maj;
+ }
- if (elements_stored) {
- gss_add_oid_set_member(&junk,
- &m->gm_mech_oid,
- elements_stored);
- }
+ }
+ if (successes == 0) {
+ if (maj != GSS_S_COMPLETE)
+ return maj; /* last failure */
+ return GSS_S_FAILURE;
}
+
+ *minor_status = 0;
return GSS_S_COMPLETE;
}
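Review bot: On the success branch the OID recorded in `elements_stored` is `desired_mech`, but when the caller passes GSS_C_NO_OID that is a NULL OID, so the set either gains a bogus member or the add fails, and its status is discarded into `junk` either way. The removed code added `&m->gm_mech_oid`, which is the mechanism that actually stored the credential; restore it: `gss_add_oid_set_member(&junk, &m->gm_mech_oid, elements_stored);`. Separately, with GSS_C_NO_OID a per-mechanism failure is now skipped and the final `*minor_status = 0;` erases that mechanism's minor code, so a partially failed store reports success with no trace of which mechanism failed; at least a comment on that line saying so is warranted. gss_store_cred's signature and the creation of elements_stored lie before this hunk.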
diff --git a/lib/gssapi/mech/gss_unwrap.c b/lib/gssapi/mech/gss_unwrap.c
index d0d18aca25b1..6bf6088f37dd 100644
--- a/lib/gssapi/mech/gss_unwrap.c
+++ b/lib/gssapi/mech/gss_unwrap.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_unwrap(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
diff --git a/lib/gssapi/mech/gss_verify_mic.c b/lib/gssapi/mech/gss_verify_mic.c
index a791dc732761..ae3b52f72af5 100644
--- a/lib/gssapi/mech/gss_verify_mic.c
+++ b/lib/gssapi/mech/gss_verify_mic.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_verify_mic(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state)
diff --git a/lib/gssapi/mech/gss_wrap.c b/lib/gssapi/mech/gss_wrap.c
index d9864b36ccb4..82378d3d0d05 100644
--- a/lib/gssapi/mech/gss_wrap.c
+++ b/lib/gssapi/mech/gss_wrap.c
@@ -45,7 +45,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_wrap(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
diff --git a/lib/gssapi/mech/gss_wrap_size_limit.c b/lib/gssapi/mech/gss_wrap_size_limit.c
index 9bebcf6cf08e..3bcd9eceeda2 100644
--- a/lib/gssapi/mech/gss_wrap_size_limit.c
+++ b/lib/gssapi/mech/gss_wrap_size_limit.c
@@ -30,7 +30,7 @@
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_wrap_size_limit(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
diff --git a/lib/gssapi/mech/mech.5 b/lib/gssapi/mech/mech.5
index e7b083d3158a..56e916e3aea3 100644
--- a/lib/gssapi/mech/mech.5
+++ b/lib/gssapi/mech/mech.5
@@ -91,4 +91,4 @@ manual page example first appeared in
.Sh AUTHORS
This
manual page was written by
-.An Doug Rabson Aq dfr@FreeBSD.org .
+.An Doug Rabson Aq Mt dfr@FreeBSD.org .
diff --git a/lib/gssapi/mech/mech.cat5 b/lib/gssapi/mech/mech.cat5
index 821a193df6e1..998079f2959c 100644
--- a/lib/gssapi/mech/mech.cat5
+++ b/lib/gssapi/mech/mech.cat5
@@ -56,6 +56,6 @@ HHIISSTTOORRYY
The mmeecchh manual page example first appeared in FreeBSD 7.0.
AAUUTTHHOORRSS
- This manual page was written by Doug Rabson <dfr@FreeBSD.org>.
+ This manual page was written by Doug Rabson <_d_f_r_@_F_r_e_e_B_S_D_._o_r_g>.
BSD November 14, 2005 BSD