[src/netbsd-1-5]: src/crypto/dist/heimdal/lib/gssapi Pull up revision 1.2 (re...
details: https://anonhg.NetBSD.org/src/rev/2841f5935133
branches: netbsd-1-5
changeset: 490483:2841f5935133
user: jhawk <jhawk%NetBSD.org@localhost>
date: Thu Jan 25 07:33:42 2001 +0000
description:
Pull up revision 1.2 (requested by fvdl):
Make gss_acquire_cred() work for cases other than GSS_C_NO_CREDENTIAL
(i.e. 'get current, default credentials'). This is needed to support
things like gss-api authentication with IKE, as currently implemented
in racoon.
diffstat:
crypto/dist/heimdal/lib/gssapi/gssapi.h | 42 +++-
crypto/dist/heimdal/lib/gssapi/init_sec_context.c | 202 ++++++++++++++++++---
crypto/dist/heimdal/lib/gssapi/release_cred.c | 4 +-
3 files changed, 208 insertions(+), 40 deletions(-)
diffs (truncated from 361 to 300 lines):
diff -r 8819cdac3be5 -r 2841f5935133 crypto/dist/heimdal/lib/gssapi/gssapi.h
--- a/crypto/dist/heimdal/lib/gssapi/gssapi.h Thu Jan 25 07:33:37 2001 +0000
+++ b/crypto/dist/heimdal/lib/gssapi/gssapi.h Thu Jan 25 07:33:42 2001 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi.h,v 1.1.1.1 2000/06/16 18:32:46 thorpej Exp $ */
+/* $Id: gssapi.h,v 1.1.1.1.2.1 2001/01/25 07:33:42 jhawk Exp $ */
#ifndef GSSAPI_H_
#define GSSAPI_H_
@@ -55,6 +55,8 @@
typedef u_int32_t OM_uint32;
+typedef u_int32_t gss_uint32;
+
/*
* This is to avoid having to include <krb5.h>
*/
@@ -88,6 +90,9 @@
} gss_OID_set_desc, *gss_OID_set;
struct krb5_keytab_data;
+struct krb5_ccache_data;
+
+struct krb5_ccache_data;
typedef int gss_cred_usage_t;
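Review bot: `struct krb5_ccache_data;` is forward-declared twice in this hunk, on the two added lines that follow `struct krb5_keytab_data;`. Redeclaring a struct tag is legal C, so nothing breaks, but the repeat reads like a merge artifact and will puzzle the next reader; keep a single `struct krb5_ccache_data;` next to the existing `struct krb5_keytab_data;` line.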
@@ -97,6 +102,7 @@
OM_uint32 lifetime;
gss_cred_usage_t usage;
gss_OID_set mechanisms;
+ struct krb5_ccache_data *ccache;
} gss_cred_id_t_desc;
typedef gss_cred_id_t_desc *gss_cred_id_t;
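Review bot: The new `struct krb5_ccache_data *ccache;` member of `gss_cred_id_t_desc` carries no comment about ownership, which matters for a handle type that callers pass back through `gss_release_cred`. I would annotate it on the same line, `struct krb5_ccache_data *ccache; /* krb5 credential cache backing this handle; release_cred.c is expected to close it */`, and state in that comment whether the field may be NULL for handles that were not acquired from a cache. release_cred.c is listed in the diffstat but its hunk is not shown, so I cannot confirm it closes the cache.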
@@ -253,10 +259,30 @@
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
* corresponding to an object-identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 2(gss-host-based-services)}. The constant
- * GSS_C_NT_HOSTBASED_SERVICE should be initialized to point
- * to that gss_OID_desc.
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)). The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc. This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ * "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}. The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
*/
extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
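Review bot: The rewritten comment for `GSS_C_NT_HOSTBASED_SERVICE_X` opens the OID arc list with `{` and closes it with `)`: `{iso(1) org(3) dod(6) internet(1) security(5) nametypes(6) gss-host-based-services(2))` should end in `}` like the surrounding notation. Two further wording slips in the same hunk: `should be accepted a synonym` reads `should be accepted as a synonym`, and `Unites States(840)` in the comment for `GSS_C_NT_HOSTBASED_SERVICE` reads `United States(840)`. These are documentation-only fixes to the added comment text.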
@@ -295,6 +321,10 @@
extern gss_OID GSS_KRB5_MECHANISM;
+/* for compatibility with MIT api */
+
+#define gss_mech_krb5 GSS_KRB5_MECHANISM
+
/* Major status codes */
#define GSS_S_COMPLETE 0
diff -r 8819cdac3be5 -r 2841f5935133 crypto/dist/heimdal/lib/gssapi/init_sec_context.c
--- a/crypto/dist/heimdal/lib/gssapi/init_sec_context.c Thu Jan 25 07:33:37 2001 +0000
+++ b/crypto/dist/heimdal/lib/gssapi/init_sec_context.c Thu Jan 25 07:33:42 2001 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.1.1.1 2000/06/16 18:32:46 thorpej Exp $");
+RCSID("$Id: init_sec_context.c,v 1.1.1.1.2.1 2001/01/25 07:33:46 jhawk Exp $");
static OM_uint32
init_auth
@@ -63,7 +63,9 @@
krb5_data authenticator;
Checksum cksum;
krb5_enctype enctype;
+ krb5_data fwd_data;
+ krb5_data_zero (&fwd_data);
output_token->length = 0;
output_token->value = NULL;
@@ -93,7 +95,66 @@
goto failure;
}
- {
+ if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS &&
+ input_chan_bindings->application_data.length ==
+ 2 * sizeof((*context_handle)->auth_context->local_port)) {
+ /* Port numbers are expected to be in application_data.value,
+ * initator's port first */
+
+ krb5_address initiator_addr, acceptor_addr;
+
+ memset(&initiator_addr, 0, sizeof(initiator_addr));
+ memset(&acceptor_addr, 0, sizeof(acceptor_addr));
+
+ (*context_handle)->auth_context->local_port =
+ *(int16_t *) input_chan_bindings->application_data.value;
+
+ (*context_handle)->auth_context->remote_port =
+ *((int16_t *) input_chan_bindings->application_data.value + 1);
+
+ kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
+ &input_chan_bindings->acceptor_address,
+ (*context_handle)->auth_context->remote_port,
+ &acceptor_addr);
+ if (kret) {
+ *minor_status = kret;
+ ret = GSS_S_BAD_BINDINGS;
+ goto failure;
+ }
+
+ kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
+ &input_chan_bindings->initiator_address,
+ (*context_handle)->auth_context->local_port,
+ &initiator_addr);
+ if (kret) {
+ krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+ *minor_status = kret;
+ ret = GSS_S_BAD_BINDINGS;
+ goto failure;
+ }
+
+ kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ &initiator_addr, /* local address */
+ &acceptor_addr); /* remote address */
+
+ krb5_free_address (gssapi_krb5_context, &initiator_addr);
+ krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+
+#if 0
+ free(input_chan_bindings->application_data.value);
+ input_chan_bindings->application_data.value = NULL;
+ input_chan_bindings->application_data.length = 0;
+#endif
+
+ if (kret) {
+ *minor_status = kret;
+ ret = GSS_S_BAD_BINDINGS;
+ goto failure;
+ }
+ }
+
+ {
int32_t tmp;
krb5_auth_con_getflags(gssapi_krb5_context,
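Review bot: The two port reads `*(int16_t *) input_chan_bindings->application_data.value` and `*((int16_t *) input_chan_bindings->application_data.value + 1)` dereference caller-supplied bytes through an `int16_t *`, which is a misaligned access on strict-alignment targets (and an aliasing violation) whenever the application_data buffer is not 2-byte aligned; copy the values out instead, e.g. `int16_t ports[2]; memcpy(ports, input_chan_bindings->application_data.value, sizeof ports);` and assign `local_port` and `remote_port` from `ports[0]` and `ports[1]`. The length guard is written as `2 * sizeof((*context_handle)->auth_context->local_port)` while the reads hard-code `int16_t`; `local_port` is not declared in this diff, so if it is wider than 16 bits the guard and the reads disagree, and `sizeof ports` would tie both to one width. The `#if 0` block that would `free(input_chan_bindings->application_data.value)` should be deleted rather than parked: channel bindings are caller-owned input and the library must never free them, and dead code that does so invites someone to re-enable it. init_auth begins and ends outside this hunk.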
@@ -108,36 +169,15 @@
if (actual_mech_type)
*actual_mech_type = GSS_KRB5_MECHANISM;
- flags = 0;
- ap_options = 0;
- if (req_flags & GSS_C_DELEG_FLAG)
- ; /* XXX */
- if (req_flags & GSS_C_MUTUAL_FLAG) {
- flags |= GSS_C_MUTUAL_FLAG;
- ap_options |= AP_OPTS_MUTUAL_REQUIRED;
- }
- if (req_flags & GSS_C_REPLAY_FLAG)
- ; /* XXX */
- if (req_flags & GSS_C_SEQUENCE_FLAG)
- ; /* XXX */
- if (req_flags & GSS_C_ANON_FLAG)
- ; /* XXX */
- flags |= GSS_C_CONF_FLAG;
- flags |= GSS_C_INTEG_FLAG;
- flags |= GSS_C_SEQUENCE_FLAG;
- flags |= GSS_C_TRANS_FLAG;
-
- if (ret_flags)
- *ret_flags = flags;
- (*context_handle)->flags = flags;
- (*context_handle)->more_flags = LOCAL;
-
- kret = krb5_cc_default (gssapi_krb5_context, &ccache);
- if (kret) {
- *minor_status = kret;
- ret = GSS_S_FAILURE;
- goto failure;
- }
+ if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
+ kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+ if (kret) {
+ *minor_status = kret;
+ ret = GSS_S_FAILURE;
+ goto failure;
+ }
+ } else
+ ccache = initiator_cred_handle->ccache;
kret = krb5_cc_get_principal (gssapi_krb5_context,
ccache,
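Review bot: `ccache = initiator_cred_handle->ccache;` is handed straight to `krb5_cc_get_principal` on the following lines with no check that the caller's handle actually carries a credential cache; the new `ccache` member of `gss_cred_id_t_desc` is presumably NULL for handles acquired without one, which would make this a NULL dereference inside krb5. Add a guard after the assignment, `if (ccache == NULL) { *minor_status = 0; ret = GSS_S_NO_CRED; goto failure; }`, and brace the `else` arm so it matches the `if` arm. The removed block also set `(*context_handle)->flags` and `more_flags = LOCAL` before the cache lookup; the replacement flag handling lives in the next hunk, which is truncated on this page, so I cannot confirm `more_flags = LOCAL` survives the move. init_auth begins and ends outside this hunk.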
@@ -179,8 +219,104 @@
(*context_handle)->auth_context,
&cred->session);
+ flags = 0;
+ ap_options = 0;
+ if (req_flags & GSS_C_DELEG_FLAG) {
+ krb5_creds creds;
+ krb5_kdc_flags fwd_flags;
+ krb5_keyblock *subkey;
+
+ memset ((char *)&creds, 0, sizeof(creds));
+
+ subkey = (krb5_keyblock *) malloc(sizeof(subkey));
+ if (subkey == NULL) {
+ *minor_status = ENOMEM;
+ ret = GSS_S_FAILURE;
+ goto failure;
+ }
+
+ krb5_generate_subkey (gssapi_krb5_context,
+ &cred->session,
+ &subkey);
+ if (kret)
+ goto end_fwd;
+
+ kret = krb5_auth_con_setlocalsubkey(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ subkey);
+ if (kret)
+ goto end_fwd;
+
+ kret = krb5_cc_get_principal(gssapi_krb5_context,
+ ccache,
+ &creds.client);
+ if (kret)
+ goto end_fwd;
+
+ kret = krb5_build_principal(gssapi_krb5_context,
+ &creds.server,
+ strlen(creds.client->realm),
+ creds.client->realm,
+ KRB5_TGS_NAME,
+ creds.client->realm,
+ NULL);
+ if (kret)
+ goto end_fwd;
+
+ creds.times.endtime = 0;
+
+ fwd_flags.i = 0;
+ fwd_flags.b.forwarded = 1;
+ fwd_flags.b.forwardable = 1;
+
+ if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/
+ target_name->name.name_string.len < 2)
+ goto end_fwd;
+
+ kret = krb5_get_forwarded_creds(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ ccache,
+ fwd_flags.i,
+ target_name->name.name_string.val[1],
+ &creds,
+ &fwd_data);