diff --git a/Makefile.inc1 b/Makefile.inc1 index 1d7ffe5a3a5a..8d6f327bae09 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -966,7 +966,6 @@ _generic_libs= gnu/lib .if !defined(NO_KERBEROS) && !defined(NO_CRYPT) && !defined(NO_OPENSSL) _prebuild_libs+= kerberos5/lib/libasn1 -_prebuild_libs+= kerberos5/lib/libgssapi _prebuild_libs+= kerberos5/lib/libkrb5 _prebuild_libs+= kerberos5/lib/libroken _generic_libs+= kerberos5/lib @@ -977,7 +976,7 @@ _prebuild_libs+= lib/libbz2 lib/libcom_err lib/libcrypt lib/libexpat \ lib/libncurses lib/libnetgraph lib/libopie lib/libpam \ lib/libradius \ lib/libsbuf lib/libtacplus lib/libutil \ - lib/libz lib/msun + lib/libz lib/msun lib/libgssapi lib/libopie__L lib/libtacplus__L: lib/libmd__L @@ -991,9 +990,7 @@ lib/libradius__L secure/lib/libssl__L: secure/lib/libcrypto__L _prebuild_libs+= secure/lib/libssh secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L .if !defined(NO_KERBEROS) -secure/lib/libssh__L: kerberos5/lib/libgssapi__L kerberos5/lib/libkrb5__L \ - kerberos5/lib/libasn1__L lib/libcom_err__L lib/libmd__L \ - kerberos5/lib/libroken__L +secure/lib/libssh__L: lib/libgssapi__L .endif .endif .endif diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index cf30bd6cb616..7e5e386bdb4e 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -56,6 +56,9 @@ RCSID("$FreeBSD$"); #ifdef __FreeBSD__ #include +#ifdef GSSAPI +#include +#endif #endif #include "ssh.h" @@ -1636,6 +1639,18 @@ main(int ac, char **av) debug("res_init()"); res_init(); } +#ifdef GSSAPI + /* + * Force GSS-API to parse its configuration and load any + * mechanism plugins. + */ + { + gss_OID_set mechs; + OM_uint32 minor_status; + gss_indicate_mechs(&minor_status, &mechs); + gss_release_oid_set(&minor_status, &mechs); + } +#endif #endif /* diff --git a/etc/Makefile b/etc/Makefile index 5285d458e228..9826a9c658cd 100644 --- a/etc/Makefile +++ b/etc/Makefile 
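Review bot: In the new GSSAPI block in main(), `mechs` is declared uninitialized and the major status of `gss_indicate_mechs()` is discarded, so if that call fails without writing its output the following `gss_release_oid_set(&minor_status, &mechs)` releases an indeterminate pointer. Initialise and check: `gss_OID_set mechs = GSS_C_NO_OID_SET;` and `if (!GSS_ERROR(gss_indicate_mechs(&minor_status, &mechs))) gss_release_oid_set(&minor_status, &mechs);`. The comment says the call is there to make the library load its mechanism plugins; it would help a reader to also say why it has to happen at this point in startup (presumably so the plugin libraries and their configuration are loaded while the daemon still has full access to them — confirm against the surrounding code). main() begins and ends outside the hunk.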
@@ -103,6 +103,7 @@ distribution: ${DESTDIR}/etc/master.passwd cd ${.CURDIR}/bluetooth; ${MAKE} install cd ${.CURDIR}/defaults; ${MAKE} install + cd ${.CURDIR}/gss; ${MAKE} install cd ${.CURDIR}/periodic; ${MAKE} install cd ${.CURDIR}/rc.d; ${MAKE} install cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall diff --git a/etc/gss/Makefile b/etc/gss/Makefile new file mode 100644 index 000000000000..479fd2f93647 --- /dev/null +++ b/etc/gss/Makefile @@ -0,0 +1,7 @@ +# $FreeBSD$ + +FILES= mech qop +NO_OBJ= +FILESDIR= /etc/gss + +.include diff --git a/etc/gss/mech b/etc/gss/mech new file mode 100644 index 000000000000..e6d72998dd4b --- /dev/null +++ b/etc/gss/mech @@ -0,0 +1,4 @@ +# $FreeBSD$ +# +# Name OID Library name Kernel module +kerberosv5 1.2.840.113554.1.2.2 /usr/lib/libgssapi_krb5.so.8 - diff --git a/etc/gss/qop b/etc/gss/qop new file mode 100644 index 000000000000..f975dbf379d8 --- /dev/null +++ b/etc/gss/qop @@ -0,0 +1,3 @@ +# $FreeBSD$ +GSS_KRB5_CONF_C_QOP_DES 0x0100 kerberosv5 +GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 kerberosv5 diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist index 421861947eab..81c20b28f67a 100644 --- a/etc/mtree/BSD.include.dist +++ b/etc/mtree/BSD.include.dist @@ -121,6 +121,8 @@ .. gpib .. + gssapi + .. isofs cd9660 .. diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist index 6d2d98f4408d..07ff221978c0 100644 --- a/etc/mtree/BSD.root.dist +++ b/etc/mtree/BSD.root.dist @@ -28,6 +28,8 @@ .. gnats .. + gss + .. isdn mode=0700 .. mail diff --git a/gnu/usr.bin/cvs/cvs/Makefile b/gnu/usr.bin/cvs/cvs/Makefile index 62ad55453b5a..fa60444f6548 100644 --- a/gnu/usr.bin/cvs/cvs/Makefile +++ b/gnu/usr.bin/cvs/cvs/Makefile 
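Review bot: The library column of the new kerberosv5 entry in etc/gss/mech is pinned to `/usr/lib/libgssapi_krb5.so.8`, but nothing in this diff sets SHLIB_MAJOR for the renamed gssapi_krb5 library (the kerberos5/lib/libgssapi/Makefile hunk does not), so confirm the major comes from an included Makefile.inc or the mapping will name a file that is never installed. Since this file lists shared objects that the GSS-API switch presumably loads at runtime (the sshd.c hunk speaks of loading "mechanism plugins"), its header comment should say so and state that the path must be absolute, e.g. `# Library name: shared object loaded by libgssapi at runtime; must be an absolute path.` The meaning of `-` in the kernel-module column is also undocumented; a one-line note would help.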
@@ -32,7 +32,7 @@ DPADD= ${LIBCVS} ${LIBDIFF} ${LIBGNUREGEX} ${LIBMD} ${LIBCRYPT} ${LIBZ} LDADD= ${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz .if !defined(NO_KERBEROS) && !defined(NO_OPENSSL) && !defined(NO_CRYPT) -CFLAGS+= -DHAVE_GSSAPI -DHAVE_GSSAPI_H -DENCRYPTION +CFLAGS+= -DHAVE_GSSAPI -DENCRYPTION LDADD+= -lgssapi -lkrb5 -lasn1 -lcrypto -lroken -lcrypt -lcom_err DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} ${LIBCRYPTO} ${LIBROKEN} DPADD+= ${LIBCRYPT} ${LIBCOM_ERR} diff --git a/include/Makefile b/include/Makefile index e48878836b74..976137252e14 100644 --- a/include/Makefile +++ b/include/Makefile @@ -4,11 +4,11 @@ # Doing a "make install" builds /usr/include. CLEANFILES= osreldate.h version vers.c -SUBDIR= arpa protocols rpcsvc rpc +SUBDIR= arpa gssapi protocols rpcsvc rpc INCS= a.out.h ar.h assert.h bitstring.h complex.h cpio.h _ctype.h ctype.h \ db.h \ dirent.h dlfcn.h elf.h elf-hints.h err.h fmtmsg.h fnmatch.h fstab.h \ - fts.h ftw.h getopt.h glob.h grp.h \ + fts.h ftw.h getopt.h glob.h grp.h gssapi.h \ histedit.h ieeefp.h ifaddrs.h \ inttypes.h iso646.h kenv.h langinfo.h libgen.h limits.h link.h \ locale.h malloc.h memory.h monetary.h mpool.h mqueue.h \ diff --git a/include/gssapi.h b/include/gssapi.h new file mode 100644 index 000000000000..5557de8f7356 --- /dev/null +++ b/include/gssapi.h @@ -0,0 +1,5 @@ +/* $FreeBSD$ */ +#ifdef __GNUC__ +#warning "this file includes which is deprecated, use instead" +#endif +#include diff --git a/include/gssapi/Makefile b/include/gssapi/Makefile new file mode 100644 index 000000000000..8fb643fb3b56 --- /dev/null +++ b/include/gssapi/Makefile @@ -0,0 +1,7 @@ +# $FreeBSD$ + +NO_OBJ= +INCS= gssapi.h +INCSDIR= ${INCLUDEDIR}/gssapi + +.include diff --git a/include/gssapi/gssapi.h b/include/gssapi/gssapi.h new file mode 100644 index 000000000000..7509b0481209 --- /dev/null +++ b/include/gssapi/gssapi.h 
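Review bot: LDADD still links `-lkrb5 -lasn1 -lcrypto -lroken -lcrypt -lcom_err` directly after `-lgssapi`, while the Makefile.inc1 hunk trims libssh's dependency list down to lib/libgssapi alone; if cvs reaches Kerberos only through the GSS-API, these direct dependencies (and the matching DPADD entries on the next two lines) look stale now that `-lgssapi` resolves to the mechanism switch. Worth checking whether cvs references krb5 symbols directly before dropping them. The enclosing `.if` block continues outside the hunk.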
@@ -0,0 +1,756 @@ +/* + * Copyright (C) The Internet Society (2000). All Rights Reserved. + * + * This document and translations of it may be copied and furnished to + * others, and derivative works that comment on or otherwise explain it + * or assist in its implementation may be prepared, copied, published + * and distributed, in whole or in part, without restriction of any + * kind, provided that the above copyright notice and this paragraph are + * included on all such copies and derivative works. However, this + * document itself may not be modified in any way, such as by removing + * the copyright notice or references to the Internet Society or other + * Internet organizations, except as needed for the purpose of + * developing Internet standards in which case the procedures for + * copyrights defined in the Internet Standards process must be + * followed, or as required to translate it into languages other than + * English. + * + * The limited permissions granted above are perpetual and will not be + * revoked by the Internet Society or its successors or assigns. + * + * This document and the information contained herein is provided on an + * "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + * TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + * BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + * HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * $FreeBSD$ + */ + +#ifndef _GSSAPI_GSSAPI_H_ +#define _GSSAPI_GSSAPI_H_ + +/* + * First, include stddef.h to get size_t defined. + */ +#include + +/* + * Include stdint.h to get explicitly sized data types. + */ +#include + +#if 0 +/* + * If the platform supports the xom.h header file, it should be + * included here. + */ +#include +#endif + + +/* + * Now define the three implementation-dependent types. 
+ */ +typedef struct _gss_ctx_id_t *gss_ctx_id_t; +typedef struct _gss_cred_id_t *gss_cred_id_t; +typedef struct _gss_name_t *gss_name_t; + +/* + * The following type must be defined as the smallest natural + * unsigned integer supported by the platform that has at least + * 32 bits of precision. + */ +typedef uint32_t gss_uint32; + + +#ifdef OM_STRING +/* + * We have included the xom.h header file. Verify that OM_uint32 + * is defined correctly. + */ + +#if sizeof(gss_uint32) != sizeof(OM_uint32) +#error Incompatible definition of OM_uint32 from xom.h +#endif + +typedef OM_object_identifier gss_OID_desc, *gss_OID; + +#else + +/* + * We can't use X/Open definitions, so roll our own. + */ + +typedef gss_uint32 OM_uint32; + +typedef struct gss_OID_desc_struct { + OM_uint32 length; + void *elements; +} gss_OID_desc, *gss_OID; + +#endif + +typedef struct gss_OID_set_desc_struct { + size_t count; + gss_OID elements; +} gss_OID_set_desc, *gss_OID_set; + +typedef struct gss_buffer_desc_struct { + size_t length; + void *value; +} gss_buffer_desc, *gss_buffer_t; + +typedef struct gss_channel_bindings_struct { + OM_uint32 initiator_addrtype; + gss_buffer_desc initiator_address; + OM_uint32 acceptor_addrtype; + gss_buffer_desc acceptor_address; + gss_buffer_desc application_data; +} *gss_channel_bindings_t; + +/* + * For now, define a QOP-type as an OM_uint32 + */ +typedef OM_uint32 gss_qop_t; + +typedef int gss_cred_usage_t; + +/* + * Flag bits for context-level services. 
+ */ +#define GSS_C_DELEG_FLAG 1 +#define GSS_C_MUTUAL_FLAG 2 +#define GSS_C_REPLAY_FLAG 4 +#define GSS_C_SEQUENCE_FLAG 8 +#define GSS_C_CONF_FLAG 16 +#define GSS_C_INTEG_FLAG 32 +#define GSS_C_ANON_FLAG 64 +#define GSS_C_PROT_READY_FLAG 128 +#define GSS_C_TRANS_FLAG 256 + +/* + * Credential usage options + */ +#define GSS_C_BOTH 0 +#define GSS_C_INITIATE 1 +#define GSS_C_ACCEPT 2 + +/* + * Status code types for gss_display_status + */ +#define GSS_C_GSS_CODE 1 +#define GSS_C_MECH_CODE 2 + +/* + * The constant definitions for channel-bindings address families + */ +#define GSS_C_AF_UNSPEC 0 +#define GSS_C_AF_LOCAL 1 +#define GSS_C_AF_INET 2 +#define GSS_C_AF_IMPLINK 3 +#define GSS_C_AF_PUP 4 +#define GSS_C_AF_CHAOS 5 +#define GSS_C_AF_NS 6 +#define GSS_C_AF_NBS 7 +#define GSS_C_AF_ECMA 8 +#define GSS_C_AF_DATAKIT 9 +#define GSS_C_AF_CCITT 10 +#define GSS_C_AF_SNA 11 +#define GSS_C_AF_DECnet 12 +#define GSS_C_AF_DLI 13 +#define GSS_C_AF_LAT 14 +#define GSS_C_AF_HYLINK 15 +#define GSS_C_AF_APPLETALK 16 +#define GSS_C_AF_BSC 17 +#define GSS_C_AF_DSS 18 +#define GSS_C_AF_OSI 19 +#define GSS_C_AF_X25 21 +#define GSS_C_AF_NULLADDR 255 + +/* + * Various Null values + */ +#define GSS_C_NO_NAME ((gss_name_t) 0) +#define GSS_C_NO_BUFFER ((gss_buffer_t) 0) +#define GSS_C_NO_OID ((gss_OID) 0) +#define GSS_C_NO_OID_SET ((gss_OID_set) 0) +#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) +#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) +#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) +#define GSS_C_EMPTY_BUFFER {0, NULL} + +/* + * Some alternate names for a couple of the above + * values. These are defined for V1 compatibility. + */ +#define GSS_C_NULL_OID GSS_C_NO_OID +#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET + +/* + * Define the default Quality of Protection for per-message + * services. 
Note that an implementation that offers multiple + * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero + * (as done here) to mean "default protection", or to a specific + * explicit QOP value. However, a value of 0 should always be + * interpreted by a GSS-API implementation as a request for the + * default protection level. + */ +#define GSS_C_QOP_DEFAULT 0 + +/* + * Expiration time of 2^32-1 seconds means infinite lifetime for a + * credential or security context + */ +#define GSS_C_INDEFINITE 0xfffffffful + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x01"}, + * corresponding to an object-identifier value of + * {iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant + * GSS_C_NT_USER_NAME should be initialized to point + * to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_USER_NAME; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x02"}, + * corresponding to an object-identifier value of + * {iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. + * The constant GSS_C_NT_MACHINE_UID_NAME should be + * initialized to point to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_MACHINE_UID_NAME; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x03"}, + * corresponding to an object-identifier value of + * {iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. + * The constant GSS_C_NT_STRING_UID_NAME should be + * initialized to point to that gss_OID_desc. 
+ */ +extern gss_OID GSS_C_NT_STRING_UID_NAME; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, + * corresponding to an object-identifier value of + * {iso(1) org(3) dod(6) internet(1) security(5) + * nametypes(6) gss-host-based-services(2)). The constant + * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point + * to that gss_OID_desc. This is a deprecated OID value, and + * implementations wishing to support hostbased-service names + * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, + * defined below, to identify such names; + * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym + * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input + * parameter, but should not be emitted by GSS-API + * implementations + */ +extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x04"}, corresponding to an + * object-identifier value of {iso(1) member-body(2) + * Unites States(840) mit(113554) infosys(1) gssapi(2) + * generic(1) service_name(4)}. The constant + * GSS_C_NT_HOSTBASED_SERVICE should be initialized + * to point to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, + * corresponding to an object identifier value of + * {1(iso), 3(org), 6(dod), 1(internet), 5(security), + * 6(nametypes), 3(gss-anonymous-name)}. The constant + * and GSS_C_NT_ANONYMOUS should be initialized to point + * to that gss_OID_desc. 
+ */ +extern gss_OID GSS_C_NT_ANONYMOUS; + + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, + * corresponding to an object-identifier value of + * {1(iso), 3(org), 6(dod), 1(internet), 5(security), + * 6(nametypes), 4(gss-api-exported-name)}. The constant + * GSS_C_NT_EXPORT_NAME should be initialized to point + * to that gss_OID_desc. + */ +extern gss_OID GSS_C_NT_EXPORT_NAME; + +/* + * This name form shall be represented by the Object Identifier {iso(1) + * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) + * krb5(2) krb5_name(1)}. The recommended symbolic name for this type + * is "GSS_KRB5_NT_PRINCIPAL_NAME". + */ +extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME; + +/* + * This name form shall be represented by the Object Identifier {iso(1) + * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) + * generic(1) user_name(1)}. The recommended symbolic name for this + * type is "GSS_KRB5_NT_USER_NAME". + */ +extern gss_OID GSS_KRB5_NT_USER_NAME; + +/* + * This name form shall be represented by the Object Identifier {iso(1) + * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) + * generic(1) machine_uid_name(2)}. The recommended symbolic name for + * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". + */ +extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME; + +/* + * This name form shall be represented by the Object Identifier {iso(1) + * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) + * generic(1) string_uid_name(3)}. The recommended symbolic name for + * this type is "GSS_KRB5_NT_STRING_UID_NAME". + */ +extern gss_OID GSS_KRB5_NT_STRING_UID_NAME; + +/* Major status codes */ + +#define GSS_S_COMPLETE 0 + +/* + * Some "helper" definitions to make the status code macros obvious. 
+ */ +#define GSS_C_CALLING_ERROR_OFFSET 24 +#define GSS_C_ROUTINE_ERROR_OFFSET 16 +#define GSS_C_SUPPLEMENTARY_OFFSET 0 +#define GSS_C_CALLING_ERROR_MASK 0377ul +#define GSS_C_ROUTINE_ERROR_MASK 0377ul +#define GSS_C_SUPPLEMENTARY_MASK 0177777ul + +/* + * The macros that test status codes for error conditions. + * Note that the GSS_ERROR() macro has changed slightly from + * the V1 GSS-API so that it now evaluates its argument + * only once. + */ +#define GSS_CALLING_ERROR(x) \ + (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) +#define GSS_ROUTINE_ERROR(x) \ + (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) +#define GSS_SUPPLEMENTARY_INFO(x) \ + (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) +#define GSS_ERROR(x) \ + (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ + (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) + +/* + * Now the actual status code definitions + */ + +/* + * Calling errors: + */ +#define GSS_S_CALL_INACCESSIBLE_READ \ +(1ul << GSS_C_CALLING_ERROR_OFFSET) +#define GSS_S_CALL_INACCESSIBLE_WRITE \ +(2ul << GSS_C_CALLING_ERROR_OFFSET) +#define GSS_S_CALL_BAD_STRUCTURE \ +(3ul << GSS_C_CALLING_ERROR_OFFSET) + +/* + * Routine errors: + */ +#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_MIC GSS_S_BAD_SIG +#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define 
GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET) +#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET) + +/* + * Supplementary info bits: + */ +#define GSS_S_CONTINUE_NEEDED \ + (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) +#define GSS_S_DUPLICATE_TOKEN \ + (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) +#define GSS_S_OLD_TOKEN \ + (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) +#define GSS_S_UNSEQ_TOKEN \ + (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) +#define GSS_S_GAP_TOKEN \ + (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) + +/* + * Finally, function prototypes for the GSS-API routines. + */ +OM_uint32 gss_acquire_cred + (OM_uint32 *, /* minor_status */ + const gss_name_t, /* desired_name */ + OM_uint32, /* time_req */ + const gss_OID_set, /* desired_mechs */ + gss_cred_usage_t, /* cred_usage */ + gss_cred_id_t *, /* output_cred_handle */ + gss_OID_set *, /* actual_mechs */ + OM_uint32 * /* time_rec */ + ); + +OM_uint32 gss_release_cred + (OM_uint32 *, /* minor_status */ + gss_cred_id_t * /* cred_handle */ + ); + +OM_uint32 gss_init_sec_context + (OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* initiator_cred_handle */ + gss_ctx_id_t *, /* context_handle */ + const gss_name_t, /* target_name */ + const gss_OID, /* mech_type */ + OM_uint32, /* req_flags */ + OM_uint32, /* time_req */ + const gss_channel_bindings_t, + /* input_chan_bindings */ + const gss_buffer_t, /* input_token */ + gss_OID *, /* actual_mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32 *, /* ret_flags */ + OM_uint32 * /* time_rec */ + ); + +OM_uint32 gss_accept_sec_context + (OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + const 
gss_cred_id_t, /* acceptor_cred_handle */ + const gss_buffer_t, /* input_token_buffer */ + const gss_channel_bindings_t, + /* input_chan_bindings */ + gss_name_t *, /* src_name */ + gss_OID *, /* mech_type */ + gss_buffer_t, /* output_token */ + OM_uint32 *, /* ret_flags */ + OM_uint32 *, /* time_rec */ + gss_cred_id_t * /* delegated_cred_handle */ + ); + +OM_uint32 gss_process_context_token + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + const gss_buffer_t /* token_buffer */ + ); + +OM_uint32 gss_delete_sec_context + (OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + gss_buffer_t /* output_token */ + ); + +OM_uint32 gss_context_time + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + OM_uint32 * /* time_rec */ + ); + +OM_uint32 gss_get_mic + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + gss_qop_t, /* qop_req */ + const gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ + ); + +OM_uint32 gss_verify_mic + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + const gss_buffer_t, /* message_buffer */ + const gss_buffer_t, /* token_buffer */ + gss_qop_t * /* qop_state */ + ); + +OM_uint32 gss_wrap + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + const gss_buffer_t, /* input_message_buffer */ + int *, /* conf_state */ + gss_buffer_t /* output_message_buffer */ + ); + +OM_uint32 gss_unwrap + (OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + const gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int *, /* conf_state */ + gss_qop_t * /* qop_state */ + ); + +OM_uint32 gss_display_status + (OM_uint32 *, /* minor_status */ + OM_uint32, /* status_value */ + int, /* status_type */ + const gss_OID, /* mech_type */ + OM_uint32 *, /* message_context */ + gss_buffer_t /* 
status_string */ + ); + +OM_uint32 gss_indicate_mechs + (OM_uint32 *, /* minor_status */ + gss_OID_set * /* mech_set */ + ); + +OM_uint32 gss_compare_name + (OM_uint32 *, /* minor_status */ + const gss_name_t, /* name1 */ + const gss_name_t, /* name2 */ + int * /* name_equal */ + ); + +OM_uint32 gss_display_name + (OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_buffer_t, /* output_name_buffer */ + gss_OID * /* output_name_type */ + ); + +OM_uint32 gss_import_name + (OM_uint32 *, /* minor_status */ + const gss_buffer_t, /* input_name_buffer */ + const gss_OID, /* input_name_type */ + gss_name_t * /* output_name */ + ); + +OM_uint32 gss_export_name + (OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_buffer_t /* exported_name */ + ); + +OM_uint32 gss_release_name + (OM_uint32 *, /* minor_status */ + gss_name_t * /* input_name */ + ); + +OM_uint32 gss_release_buffer + (OM_uint32 *, /* minor_status */ + gss_buffer_t /* buffer */ + ); + +OM_uint32 gss_release_oid_set + (OM_uint32 *, /* minor_status */ + gss_OID_set * /* set */ + ); + +OM_uint32 gss_inquire_cred + (OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* cred_handle */ + gss_name_t *, /* name */ + OM_uint32 *, /* lifetime */ + gss_cred_usage_t *, /* cred_usage */ + gss_OID_set * /* mechanisms */ + ); + +OM_uint32 gss_inquire_context ( + OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + gss_name_t *, /* src_name */ + gss_name_t *, /* targ_name */ + OM_uint32 *, /* lifetime_rec */ + gss_OID *, /* mech_type */ + OM_uint32 *, /* ctx_flags */ + int *, /* locally_initiated */ + int * /* open */ + ); + +OM_uint32 gss_wrap_size_limit ( + OM_uint32 *, /* minor_status */ + const gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req */ + OM_uint32, /* req_output_size */ + OM_uint32 * /* max_input_size */ + ); + +OM_uint32 gss_add_cred ( + OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* 
input_cred_handle */ + const gss_name_t, /* desired_name */ + const gss_OID, /* desired_mech */ + gss_cred_usage_t, /* cred_usage */ + OM_uint32, /* initiator_time_req */ + OM_uint32, /* acceptor_time_req */ + gss_cred_id_t *, /* output_cred_handle */ + gss_OID_set *, /* actual_mechs */ + OM_uint32 *, /* initiator_time_rec */ + OM_uint32 * /* acceptor_time_rec */ + ); + +OM_uint32 gss_inquire_cred_by_mech ( + OM_uint32 *, /* minor_status */ + const gss_cred_id_t, /* cred_handle */ + const gss_OID, /* mech_type */ + gss_name_t *, /* name */ + OM_uint32 *, /* initiator_lifetime */ + OM_uint32 *, /* acceptor_lifetime */ + gss_cred_usage_t * /* cred_usage */ + ); + +OM_uint32 gss_export_sec_context ( + OM_uint32 *, /* minor_status */ + gss_ctx_id_t *, /* context_handle */ + gss_buffer_t /* interprocess_token */ + ); + +OM_uint32 gss_import_sec_context ( + OM_uint32 *, /* minor_status */ + const gss_buffer_t, /* interprocess_token */ + gss_ctx_id_t * /* context_handle */ + ); + +OM_uint32 gss_create_empty_oid_set ( + OM_uint32 *, /* minor_status */ + gss_OID_set * /* oid_set */ + ); + +OM_uint32 gss_add_oid_set_member ( + OM_uint32 *, /* minor_status */ + const gss_OID, /* member_oid */ + gss_OID_set * /* oid_set */ + ); + +OM_uint32 gss_test_oid_set_member ( + OM_uint32 *, /* minor_status */ + const gss_OID, /* member */ + const gss_OID_set, /* set */ + int * /* present */ + ); + +OM_uint32 gss_inquire_names_for_mech ( + OM_uint32 *, /* minor_status */ + const gss_OID, /* mechanism */ + gss_OID_set * /* name_types */ + ); + +OM_uint32 gss_inquire_mechs_for_name ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + gss_OID_set * /* mech_types */ + ); + +OM_uint32 gss_canonicalize_name ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* input_name */ + const gss_OID, /* mech_type */ + gss_name_t * /* output_name */ + ); + +OM_uint32 gss_duplicate_name ( + OM_uint32 *, /* minor_status */ + const gss_name_t, /* src_name */ + gss_name_t * /* 
dest_name */ + ); + +/* + * The following routines are obsolete variants of gss_get_mic, + * gss_verify_mic, gss_wrap and gss_unwrap. They should be + * provided by GSS-API V2 implementations for backwards + * compatibility with V1 applications. Distinct entrypoints + * (as opposed to #defines) should be provided, both to allow + * GSS-API V1 applications to link against GSS-API V2 implementations, + * and to retain the slight parameter type differences between the + * obsolete versions of these routines and their current forms. + */ + +OM_uint32 gss_sign + (OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* qop_req */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t /* message_token */ + ); + + +OM_uint32 gss_verify + (OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* message_buffer */ + gss_buffer_t, /* token_buffer */ + int * /* qop_state */ + ); + +OM_uint32 gss_seal + (OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int, /* conf_req_flag */ + int, /* qop_req */ + gss_buffer_t, /* input_message_buffer */ + int *, /* conf_state */ + gss_buffer_t /* output_message_buffer */ + ); + + +OM_uint32 gss_unseal + (OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* output_message_buffer */ + int *, /* conf_state */ + int * /* qop_state */ + ); + +/* + * kerberos mechanism specific functions + */ +struct krb5_ccache_data; +#define GSS_C_KRB5_COMPAT_DES3_MIC 1 + +OM_uint32 gsskrb5_register_acceptor_identity + (const char * /* identity */ + ); + +OM_uint32 gss_krb5_copy_ccache + (OM_uint32 *, /* minor_status */ + gss_cred_id_t, /* cred_handle */ + struct krb5_ccache_data * /* out */ + ); + +OM_uint32 gss_krb5_compat_des3_mic + (OM_uint32 *, /* minor_status */ + gss_ctx_id_t, /* context_handle */ + int /* flag */ + ); + +#endif /* _GSSAPI_GSSAPI_H_ */ 
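Review bot: The status-test macros `GSS_CALLING_ERROR`, `GSS_ROUTINE_ERROR`, `GSS_SUPPLEMENTARY_INFO` and `GSS_ERROR` do not parenthesise their argument, so `GSS_ERROR(a | b)` expands to `(a | b & mask)` and only tests `b`; write each as `#define GSS_CALLING_ERROR(x) ((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))` and likewise for the other three. The `#if sizeof(gss_uint32) != sizeof(OM_uint32)` inside the `#ifdef OM_STRING` branch is not valid preprocessor arithmetic (`sizeof` is not evaluated in `#if`) and would break the build if the `#if 0` around the xom.h include were ever enabled, so either drop that dead branch or mark it in a comment as unsupported. As a public FreeBSD header it should also wrap the prototypes in `__BEGIN_DECLS`/`__END_DECLS` from `<sys/cdefs.h>` so C++ consumers can link against the switch.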
diff --git a/kerberos5/lib/libgssapi/Makefile b/kerberos5/lib/libgssapi/Makefile index 68424a66dfc5..59e6e57589b6 100644 --- a/kerberos5/lib/libgssapi/Makefile +++ b/kerberos5/lib/libgssapi/Makefile 
@@ -1,48 +1,11 @@ # $FreeBSD$ -LIB= gssapi -INCS= gssapi.h -MAN= gss_acquire_cred.3 gssapi.3 - -MLINKS= gss_acquire_cred.3 gss_accept_sec_context.3 \ - gss_acquire_cred.3 gss_add_cred.3 \ - gss_acquire_cred.3 gss_add_oid_set_member.3 \ - gss_acquire_cred.3 gss_canonicalize_name.3 \ - gss_acquire_cred.3 gss_compare_name.3 \ - gss_acquire_cred.3 gss_context_time.3 \ - gss_acquire_cred.3 gss_create_empty_oid_set.3 \ - gss_acquire_cred.3 gss_delete_sec_context.3 \ - gss_acquire_cred.3 gss_display_name.3 \ - gss_acquire_cred.3 gss_display_status.3 \ - gss_acquire_cred.3 gss_duplicate_name.3 \ - gss_acquire_cred.3 gss_export_name.3 \ - gss_acquire_cred.3 gss_export_sec_context.3 \ - gss_acquire_cred.3 gss_get_mic.3 \ - gss_acquire_cred.3 gss_import_name.3 \ - gss_acquire_cred.3 gss_import_sec_context.3 \ - gss_acquire_cred.3 gss_indicate_mechs.3 \ - gss_acquire_cred.3 gss_init_sec_context.3 \ - gss_acquire_cred.3 gss_inquire_context.3 \ - gss_acquire_cred.3 gss_inquire_cred.3 \ - gss_acquire_cred.3 gss_inquire_cred_by_mech.3 \ - gss_acquire_cred.3 gss_inquire_mechs_for_name.3 \ - gss_acquire_cred.3 gss_inquire_names_for_mech.3 \ - gss_acquire_cred.3 gss_krb5_compat_des3_mic.3 \ - gss_acquire_cred.3 gss_krb5_copy_ccache.3 \ - gss_acquire_cred.3 gss_process_context_token.3 \ - gss_acquire_cred.3 gss_release_buffer.3 \ - gss_acquire_cred.3 gss_release_cred.3 \ - gss_acquire_cred.3 gss_release_name.3 \ - gss_acquire_cred.3 gss_release_oid_set.3 \ - gss_acquire_cred.3 gss_seal.3 \ - gss_acquire_cred.3 gss_sign.3 \ - gss_acquire_cred.3 gss_test_oid_set_member.3 \ - gss_acquire_cred.3 gss_unseal.3 \ - gss_acquire_cred.3 gss_unwrap.3 \ - gss_acquire_cred.3 gss_verify.3 \ - gss_acquire_cred.3 gss_verify_mic.3 \ - gss_acquire_cred.3 gss_wrap.3 \ - gss_acquire_cred.3 gss_wrap_size_limit.3 +LIB= gssapi_krb5 +LDFLAGS= -Wl,-Bsymbolic +LDADD= -lkrb5 -lcrypto -lroken -lasn1 -lcom_err -lcrypt +DPADD= ${LIBKRB5} ${LIBCRYPTO} ${LIBROKEN} ${LIBASN1} ${LIBCOM_ERR} \ + ${LIBCRYPT} +NO_MAN= 
SRCS= 8003.c \ accept_sec_context.c \ @@ -67,7 +30,6 @@ SRCS= 8003.c \ export_sec_context.c \ external.c \ get_mic.c \ - gssapi.h \ import_name.c \ import_sec_context.c \ indicate_mechs.c \ diff --git a/lib/Makefile b/lib/Makefile index 281f61cd58c3..8dfa3b4fc1e8 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -28,7 +28,7 @@ SUBDIR= ${_csu} libcom_err libcrypt libkvm msun libmd libncurses \ libbegemot ${_libbluetooth} libbsnmp libbz2 libc ${_libc_r} \ libcalendar libcam libcompat libdevinfo libdevstat ${_libdisk} \ libedit libexpat libfetch libform libftpio libgeom ${_libgpib} \ - ${_libio} libipsec \ + libgssapi ${_libio} libipsec \ libipx libkiconv libmagic libmemstat libmenu ${_libmilter} ${_libmp} \ ${_libncp} ${_libngatm} libopie libpam libpanel libpcap \ libpmc ${_libpthread} ${_libsdp} ${_libsm} ${_libsmb} ${_libsmdb} \ diff --git a/lib/libgssapi/Makefile b/lib/libgssapi/Makefile new file mode 100644 index 000000000000..5c274144a791 --- /dev/null +++ b/lib/libgssapi/Makefile 
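Review bot: `LDFLAGS= -Wl,-Bsymbolic` is the one new line whose purpose is not self-evident and it deserves a comment: this library now exports the same gss_* names as the lib/libgssapi switch that loads it (both are declared in include/gssapi/gssapi.h), so presumably the flag keeps the plugin's internal gss_* calls bound to its own definitions rather than being interposed by the switch's exports — confirm and record that, e.g. `# Bind gss_* references internally so they are not resolved to libgssapi's exports of the same names.` Without such a note the next person tidying LDFLAGS is likely to remove it.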
@@ -0,0 +1,95 @@
+# $FreeBSD$
+
+LIB= gssapi
+SHLIB_MAJOR= 7
+
+SRCS=
+SRCS+= gss_utils.c
+SRCS+= gss_mech_switch.c
+SRCS+= gss_names.c
+SRCS+= gss_acquire_cred.c
+SRCS+= gss_release_cred.c
+SRCS+= gss_init_sec_context.c
+SRCS+= gss_accept_sec_context.c
+SRCS+= gss_process_context_token.c
+SRCS+= gss_delete_sec_context.c
+SRCS+= gss_context_time.c
+SRCS+= gss_get_mic.c
+SRCS+= gss_verify_mic.c
+SRCS+= gss_wrap.c
+SRCS+= gss_unwrap.c
+SRCS+= gss_display_status.c
+SRCS+= gss_indicate_mechs.c
+SRCS+= gss_compare_name.c
+SRCS+= gss_display_name.c
+SRCS+= gss_import_name.c
+SRCS+= gss_export_name.c
+SRCS+= gss_release_name.c
+SRCS+= gss_inquire_cred.c
+SRCS+= gss_inquire_context.c
+SRCS+= gss_wrap_size_limit.c
+SRCS+= gss_add_cred.c
+SRCS+= gss_inquire_cred_by_mech.c
+SRCS+= gss_export_sec_context.c
+SRCS+= gss_import_sec_context.c
+SRCS+= gss_inquire_names_for_mech.c
+SRCS+= gss_inquire_mechs_for_name.c
+SRCS+= gss_canonicalize_name.c
+SRCS+= gss_duplicate_name.c
+SRCS+= gss_sign.c
+SRCS+= gss_verify.c
+SRCS+= gss_seal.c
+SRCS+= gss_unseal.c
+SRCS+= gss_krb5.c
+SRCS+= gss_create_empty_oid_set.c
+SRCS+= gss_add_oid_set_member.c
+SRCS+= gss_test_oid_set_member.c
+SRCS+= gss_release_oid_set.c
+SRCS+= gss_release_buffer.c
+
+MAN=
+MAN+= gssapi.3
+MAN+= gss_accept_sec_context.3
+MAN+= gss_acquire_cred.3
+MAN+= gss_add_cred.3
+MAN+= gss_add_oid_set_member.3
+MAN+= gss_canonicalize_name.3
+MAN+= gss_compare_name.3
+MAN+= gss_context_time.3
+MAN+= gss_create_empty_oid_set.3
+MAN+= gss_delete_sec_context.3
+MAN+= gss_display_name.3
+MAN+= gss_display_status.3
+MAN+= gss_duplicate_name.3
+MAN+= gss_export_name.3
+MAN+= gss_export_sec_context.3
+MAN+= gss_get_mic.3
+MAN+= gss_import_name.3
+MAN+= gss_import_sec_context.3
+MAN+= gss_indicate_mechs.3
+MAN+= gss_init_sec_context.3
+MAN+= gss_inquire_context.3
+MAN+= gss_inquire_cred.3
+MAN+= gss_inquire_cred_by_mech.3
+MAN+= gss_inquire_mechs_for_name.3
+MAN+= gss_inquire_names_for_mech.3
+MAN+= gss_process_context_token.3
+MAN+= gss_release_buffer.3
+MAN+= gss_release_cred.3
+MAN+= gss_release_name.3
+MAN+= gss_release_oid_set.3
+MAN+= gss_test_oid_set_member.3
+MAN+= gss_unwrap.3
+MAN+= gss_verify_mic.3
+MAN+= gss_wrap.3
+MAN+= gss_wrap_size_limit.3
+MAN+= mech.5
+
+MLINKS=
+MLINKS+= gss_get_mic.3 gss_sign.3
+MLINKS+= gss_unwrap.3 gss_unseal.3
+MLINKS+= gss_verify_mic.3 gss_verify.3
+MLINKS+= gss_wrap.3 gss_seal.3
+MLINKS+= mech.5 qop.5
+
+.include
diff --git a/lib/libgssapi/context.h b/lib/libgssapi/context.h
new file mode 100644
index 000000000000..403b3909ca9f
--- /dev/null
+++ b/lib/libgssapi/context.h
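Review bot: `SHLIB_MAJOR= 7` starts a brand-new library at a non-initial major number with no explanation; if the intent is to carry forward the major that the Kerberos libgssapi it supersedes already had, so that existing consumers keep resolving, a comment such as `# Same major as the libgssapi this replaces, so existing consumers keep linking` should say so, and if that is not the intent the number deserves a second look. `SRCS+= gss_krb5.c` is also the only source in the list with no matching MAN entry or MLINK: the two Kerberos-specific pages dropped from the Kerberos library's MLINKS earlier in this patch (gss_krb5_compat_des3_mic.3 and gss_krb5_copy_ccache.3) do not reappear here, so if gss_krb5.c is what now provides those entry points they are left undocumented.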
@@ -0,0 +1,32 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+struct _gss_context {
+ struct _gss_mech_switch *gc_mech;
+ gss_ctx_id_t gc_ctx;
+};
diff --git a/lib/libgssapi/cred.h b/lib/libgssapi/cred.h
new file mode 100644
index 000000000000..6301b895b59c
--- /dev/null
+++ b/lib/libgssapi/cred.h
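Review bot: The two fields of `struct _gss_context` carry no comments, unlike the `_gss_mechanism_cred` fields elsewhere in this patch, and their roles are not obvious from the names alone. Judging from gss_accept_sec_context.c in the same patch, `gc_mech` is the mechanism-switch entry selected from the mechanism OID in the initial token and `gc_ctx` is the handle the mechanism itself returns through its accept routine, so I would annotate them `/* mechanism switch entry chosen for this context */` and `/* the mechanism's own context handle */`. The header also has no include guard and uses `gss_ctx_id_t` without including anything, so it silently depends on the includer's order of includes; either a guard plus the needed include, or a one-line comment stating that dependency, would prevent surprises.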
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+struct _gss_mechanism_cred {
+ SLIST_ENTRY(_gss_mechanism_cred) gmc_link;
+ struct _gss_mech_switch *gmc_mech; /* mechanism ops for MC */
+ gss_OID gmc_mech_oid; /* mechanism oid for MC */
+ gss_cred_id_t gmc_cred; /* underlying MC */
+};
+SLIST_HEAD(_gss_mechanism_cred_list, _gss_mechanism_cred);
+
+struct _gss_cred {
+ gss_cred_usage_t gc_usage;
+ struct _gss_mechanism_cred_list gc_mc;
+};
+
diff --git a/lib/libgssapi/gss_accept_sec_context.3 b/lib/libgssapi/gss_accept_sec_context.3
new file mode 100644
index 000000000000..679eb152fdef
--- /dev/null
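Review bot: `struct _gss_cred` embeds an SLIST head (`gc_mc`) but nothing in the header says who must initialise it, and `SLIST_INSERT_HEAD` does not: it copies the current head into the new element's link, so a malloc()ed `struct _gss_cred` whose `gc_mc` never went through `SLIST_INIT` ends up with an uninitialised tail pointer that the next traversal follows. Suggested comment on the field: `/* per-mechanism credential elements; whoever allocates a struct _gss_cred must SLIST_INIT() this before the first insert */`. `gc_usage` would likewise benefit from `/* GSS_C_INITIATE, GSS_C_ACCEPT or GSS_C_BOTH, as reported by the mechanism */`, since the `_gss_mechanism_cred` fields are commented and the two structs are otherwise inconsistently documented. The header also has no include guard and uses `gss_OID`, `gss_cred_id_t` and `gss_cred_usage_t` without including the GSS-API header, so it depends on the includer's include order; a guard or a comment stating that dependency would help.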
+++ b/lib/libgssapi/gss_accept_sec_context.3 
@@ -0,0 +1,484 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_ACCEPT_SEC_CONTEXT 3 PRM +.Sh NAME +.Nm gss_accept_sec_context +.Nd Accept a security context initiated by a peer application +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_accept_sec_context +.Fa "OM_uint32 *minor_status +.Fa "gss_ctx_id_t *context_handle" +.Fa "const gss_cred_id_t acceptor_cred_handle" +.Fa "const gss_buffer_t input_token_buffer" +.Fa "const gss_channel_bindings_t input_chan_bindings" +.Fa "const gss_name_t *src_name" +.Fa "gss_OID *mech_type" +.Fa "gss_buffer_t output_token" +.Fa "OM_uint32 *ret_flags" +.Fa "OM_uint32 *time_rec" +.Fa "gss_cred_id_t *delegated_cred_handle" +.Fc +.Sh DESCRIPTION +Allows a remotely initiated security context between the application +and a remote peer to be established. 
The routine may return a +.Fa output_token +which should be transferred to the peer application, +where the peer application will present it to +.Xr gss_init_sec_context 3 . +If no token need be sent, +.Fn gss_accept_sec_context +will indicate this +by setting the length field of the +.Fa output_token +argument to zero. +To complete the context establishment, one or more reply tokens may be +required from the peer application; if so, +.Fn gss_accept_sec_context +will return a status flag of +.Dv GSS_S_CONTINUE_NEEDED , in which case it +should be called again when the reply token is received from the peer +application, passing the token to +.Fn gss_accept_sec_context +via the +.Fa input_token +parameters. +.Pp +Portable applications should be constructed to use the token length +and return status to determine whether a token needs to be sent or +waited for. Thus a typical portable caller should always invoke +.Fn gss_accept_sec_context +within a loop: +.Bd -literal +gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; + +do { + receive_token_from_peer(input_token); + maj_stat = gss_accept_sec_context(&min_stat, + &context_hdl, + cred_hdl, + input_token, + input_bindings, + &client_name, + &mech_type, + output_token, + &ret_flags, + &time_rec, + &deleg_cred); + if (GSS_ERROR(maj_stat)) { + report_error(maj_stat, min_stat); + }; + if (output_token->length != 0) { + send_token_to_peer(output_token); + + gss_release_buffer(&min_stat, output_token); + }; + if (GSS_ERROR(maj_stat)) { + if (context_hdl != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, + &context_hdl, + GSS_C_NO_BUFFER); + break; + }; +} while (maj_stat & GSS_S_CONTINUE_NEEDED); +.Ed +.Pp +Whenever the routine returns a major status that includes the value +.Dv GSS_S_CONTINUE_NEEDED , the context is not fully established and the +following restrictions apply to the output parameters: +.Pp +The value returned via the +.Fa time_rec +parameter is undefined Unless the +accompanying +.Fa ret_flags +parameter 
contains the bit +.Dv GSS_C_PROT_READY_FLAG , indicating that per-message services may be +applied in advance of a successful completion status, the value +returned via the +.Fa mech_type +parameter may be undefined until the +routine returns a major status value of +.Dv GSS_S_COMPLETE . +.Pp +The values of the +.Dv GSS_C_DELEG_FLAG , +.Dv GSS_C_MUTUAL_FLAG , +.Dv GSS_C_REPLAY_FLAG , +.Dv GSS_C_SEQUENCE_FLAG , +.Dv GSS_C_CONF_FLAG , +.Dv GSS_C_INTEG_FLAG +and +.Dv GSS_C_ANON_FLAG bits returned +via the +.Fa ret_flags +parameter should contain the values that the +implementation expects would be valid if context establishment were +to succeed. +.Pp +The values of the +.Dv GSS_C_PROT_READY_FLAG +and +.Dv GSS_C_TRANS_FLAG bits +within +.Fa ret_flags +should indicate the actual state at the time +.Fn gss_accept_sec_context +returns, whether or not the context is fully established. +.Pp +Although this requires that GSS-API implementations set the +.Dv GSS_C_PROT_READY_FLAG +in the final +.Fa ret_flags +returned to a caller +(i.e. when accompanied by a +.Dv GSS_S_COMPLETE +status code), applications +should not rely on this behavior as the flag was not defined in +Version 1 of the GSS-API. Instead, applications should be prepared to +use per-message services after a successful context establishment, +according to the +.Dv GSS_C_INTEG_FLAG +and +.Dv GSS_C_CONF_FLAG values. +.Pp +All other bits within the +.Fa ret_flags +argument should be set to zero. +While the routine returns +.Dv GSS_S_CONTINUE_NEEDED , the values returned +via the +.Fa ret_flags +argument indicate the services that the +implementation expects to be available from the established context. +.Pp +If the initial call of +.Fn gss_accept_sec_context +fails, the +implementation should not create a context object, and should leave +the value of the context_handle parameter set to +.Dv GSS_C_NO_CONTEXT to +indicate this. 
In the event of a failure on a subsequent call, the +implementation is permitted to delete the "half-built" security +context (in which case it should set the +.Fa context_handle +parameter to +.Dv GSS_C_NO_CONTEXT ), but the preferred behavior is to leave the +security context (and the context_handle parameter) untouched for the +application to delete (using +.Xr gss_delete_sec_context 3 ). +.Pp +During context establishment, the informational status bits +.Dv GSS_S_OLD_TOKEN +and +.Dv GSS_S_DUPLICATE_TOKEN +indicate fatal errors, and +GSS-API mechanisms should always return them in association with a +routine error of +.Dv GSS_S_FAILURE . This requirement for pairing did not +exist in version 1 of the GSS-API specification, so applications that +wish to run over version 1 implementations must special-case these +codes. +.Sh PARAMETERS +.Bl -tag +.It context_handle +Context handle for new context. +Supply +.Dv GSS_C_NO_CONTEXT for first +call; use value returned in subsequent calls. +Once +.Fn gss_accept_sec_context +has returned a +value via this parameter, resources have been +assigned to the corresponding context, and must +be freed by the application after use with a +call to +.Xr gss_delete_sec_context 3 . +.It acceptor_cred_handle +Credential handle claimed by context acceptor. +Specify +.Dv GSS_C_NO_CREDENTIAL to accept the context as a +default principal. +If +.Dv GSS_C_NO_CREDENTIAL is +specified, but no default acceptor principal is +defined, +.Dv GSS_S_NO_CRED will be returned. +.It input_token_buffer +Token obtained from remote application. +.It input_chan_bindings +Application-specified bindings. +Allows application to securely bind channel identification information +to the security context. +If channel bindings are not used, specify +.Dv GSS_C_NO_CHANNEL_BINDINGS . +.It src_name +Authenticated name of context initiator. +After use, this name should be deallocated by passing it to +.Xr gss_release_name 3 . +If not required, specify +.Dv NULL . 
+.It mech_type +Security mechanism used. +The returned OID value will be a pointer into static storage, +and should be treated as read-only by the caller +(in particular, it does not need to be freed). +If not required, specify +.Dv NULL . +.It output_token +Token to be passed to peer application. +If the length field of the returned token buffer is 0, +then no token need be passed to the peer application. +If a non-zero length field is returned, +the associated storage must be freed after use by the +application with a call to +.Xr gss_release_buffer 3 . +.It ret_flags +Contains various independent flags, +each of which indicates that the context supports a specific service option. +If not needed, specify +.Dv NULL . +Symbolic names are provided for each flag, +and the symbolic names corresponding to the required flags should be +logically-ANDed with the +.Fa ret_flags +value to test whether a given option is supported by the context. +The flags are: +.Bl -tag -width "WW" +.It GSS_C_DELEG_FLAG +.Bl -tag -width "False" +.It True +Delegated credentials are available via the delegated_cred_handle parameter +.It False +No credentials were delegated +.El +.It GSS_C_MUTUAL_FLAG +.Bl -tag -width "False" +.It True +Remote peer asked for mutual authentication +.It False +Remote peer did not ask for mutual authentication +.El +.It GSS_C_REPLAY_FLAG +.Bl -tag -width "False" +.It True +Replay of protected messages will be detected +.It False +Replayed messages will not be detected +.El +.It GSS_C_SEQUENCE_FLAG +.Bl -tag -width "False" +.It True +Out-of-sequence protected messages will be detected +.It False +Out-of-sequence messages will not be detected +.El +.It GSS_C_CONF_FLAG +.Bl -tag -width "False" +.It True +Confidentiality service may be invoked by calling the +.Xr gss_wrap 3 +routine +.It False +No confidentiality service (via +.Xr gss_wrap 3 ) +available. +.Xr gss_wrap 3 +will provide message encapsulation, +data-origin authentication and integrity services only. 
+.El +.It GSS_C_INTEG_FLAG +.Bl -tag -width "False" +.It True +Integrity service may be invoked by calling either +.Xr gss_get_mic 3 +or +.Xr gss_wrap 3 +routines. +.It False +Per-message integrity service unavailable. +.El +.It GSS_C_ANON_FLAG +.Bl -tag -width "False" +.It True +The initiator does not wish to be authenticated; the +.Fa src_name +parameter (if requested) contains an anonymous internal name. +.It False +The initiator has been authenticated normally. +.El +.It GSS_C_PROT_READY_FLAG +.Bl -tag -width "False" +.It True +Protection services (as specified by the states of the +.Dv GSS_C_CONF_FLAG +and +.Dv GSS_C_INTEG_FLAG ) +are available if the accompanying major status return value is either +.Dv GSS_S_COMPLETE +or +.Dv GSS_S_CONTINUE_NEEDED. +.It False +Protection services (as specified by the states of the +.Dv GSS_C_CONF_FLAG +and +.Dv GSS_C_INTEG_FLAG ) +are available only if the accompanying major status return value is +.Dv GSS_S_COMPLETE . +.El +.It GSS_C_TRANS_FLAG +.Bl -tag -width "False" +.It True +The resultant security context may be transferred to other processes +via a call to +.Xr gss_export_sec_context 3 . +.It False +The security context is not transferable. +.El +.El +.Pp +All other bits should be set to zero. +.It time_rec +Number of seconds for which the context will remain valid. +Specify +.Dv NULL +if not required. +.It delegated_cred_handle +Credential +handle for credentials received from context initiator. +Only valid if +.Dv GSS_C_DELEG_FLAG +in +.Fa ret_flags +is true, +in which case an explicit credential handle +(i.e. not +.Dv GSS_C_NO_CREDENTIAL ) +will be returned; if false, +.Fn gss_accept_context +will set this parameter to +.Dv GSS_C_NO_CREDENTIAL . +If a credential handle is returned, +the associated resources must be released by the application after use +with a call to +.Xr gss_release_cred 3 . +Specify +.Dv NULL if not required. +.It minor_status +Mechanism specific status code. 
+.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_CONTINUE_NEEDED +Indicates that a token from the peer application is required to +complete the context, +and that gss_accept_sec_context must be called again with that token. +.It GSS_S_DEFECTIVE_TOKEN +Indicates that consistency checks performed on the input_token failed. +.It GSS_S_DEFECTIVE_CREDENTIAL +Indicates that consistency checks performed on the credential failed. +.It GSS_S_NO_CRED +The supplied credentials were not valid for context acceptance, +or the credential handle did not reference any credentials. +.It GSS_S_CREDENTIALS_EXPIRED +The referenced credentials have expired. +.It GSS_S_BAD_BINDINGS +The input_token contains different channel bindings to those specified via the +input_chan_bindings parameter. +.It GSS_S_NO_CONTEXT +Indicates that the supplied context handle did not refer to a valid context. +.It GSS_S_BAD_SIG +The input_token contains an invalid MIC. +.It GSS_S_OLD_TOKEN +The input_token was too old. +This is a fatal error during context establishment. +.It GSS_S_DUPLICATE_TOKEN +The input_token is valid, +but is a duplicate of a token already processed. +This is a fatal error during context establishment. +.It GSS_S_BAD_MECH +The received token specified a mechanism that is not supported by +the implementation or the provided credential. +.El +.Sh SEE ALSO +.Xr gss_delete_sec_context 3 , +.Xr gss_export_sec_context 3 , +.Xr gss_get_mic 3 , +.Xr gss_init_sec_context 3 , +.Xr gss_release_buffer 3 , +.Xr gss_release_cred 3 , +.Xr gss_release_name 3 , +.Xr gss_wrap 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.El +.\" .Sh HISTORY +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates 
diff --git a/lib/libgssapi/gss_accept_sec_context.c b/lib/libgssapi/gss_accept_sec_context.c
new file mode 100644
index 000000000000..9bc57cae9019
--- /dev/null
+++ b/lib/libgssapi/gss_accept_sec_context.c
@@ -0,0 +1,221 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+#include "cred.h"
+#include "name.h"
+
+OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ const gss_cred_id_t acceptor_cred_handle,
+ const gss_buffer_t input_token,
+ const gss_channel_bindings_t input_chan_bindings,
+ gss_name_t *src_name,
+ gss_OID *mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ gss_cred_id_t *delegated_cred_handle)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+ struct _gss_cred *cred = (struct _gss_cred *) acceptor_cred_handle;
+ struct _gss_mechanism_cred *mc;
+ gss_cred_id_t acceptor_mc, delegated_mc;
+ gss_name_t src_mn;
+ int allocated_ctx;
+
+ *minor_status = 0;
+ if (src_name) *src_name = 0;
+ if (mech_type) *mech_type = 0;
+ if (ret_flags) *ret_flags = 0;
+ if (time_rec) *time_rec = 0;
+ if (delegated_cred_handle) *delegated_cred_handle = 0;
+ output_token->length = 0;
+ output_token->value = 0;
+
+ /*
+ * If this is the first call (*context_handle is NULL), we must
+ * parse the input token to figure out the mechanism to use.
+ */
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ unsigned char *p = input_token->value;
+ size_t len = input_token->length;
+ size_t a, b;
+ gss_OID_desc mech_oid;
+
+ /*
+ * Token must start with [APPLICATION 0] SEQUENCE.
+ */
+ if (len == 0 || *p != 0x60)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ p++;
+ len--;
+
+ /*
+ * Decode the length and make sure it agrees with the
+ * token length.
+ */
+ if (len == 0)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ if ((*p & 0x80) == 0) {
+ a = *p;
+ p++;
+ len--;
+ } else {
+ b = *p & 0x7f;
+ p++;
+ len--;
+ if (len < b)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ a = 0;
+ while (b) {
+ a = (a << 8) | *p;
+ p++;
+ len--;
+ b--;
+ }
+ }
+ if (a != len)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
+ /*
+ * Decode the OID for the mechanism. Simplify life by
+ * assuming that the OID length is less than 128 bytes.
+ */
+ if (len < 2 || *p != 0x06)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ if ((p[1] & 0x80) || p[1] > (len - 2))
+ return (GSS_S_DEFECTIVE_TOKEN);
+ mech_oid.length = p[1];
+ p += 2;
+ len -= 2;
+ mech_oid.elements = p;
+
+ /*
+ * Now that we have a mechanism, we can find the
+ * implementation.
+ */
+ ctx = malloc(sizeof(struct _gss_context));
+ if (!ctx) {
+ *minor_status = ENOMEM;
+ return (GSS_S_DEFECTIVE_TOKEN);
+ }
+ memset(ctx, 0, sizeof(struct _gss_context));
+ m = ctx->gc_mech = _gss_find_mech_switch(&mech_oid);
+ if (!m) {
+ free(ctx);
+ return (GSS_S_BAD_MECH);
+ }
+ allocated_ctx = 1;
+ } else {
+ m = ctx->gc_mech;
+ allocated_ctx = 0;
+ }
+
+ if (cred) {
+ SLIST_FOREACH(mc, &cred->gc_mc, gmc_link)
+ if (mc->gmc_mech == m)
+ break;
+ if (!mc)
+ return (GSS_S_BAD_MECH);
+ acceptor_mc = mc->gmc_cred;
+ } else {
+ acceptor_mc = GSS_C_NO_CREDENTIAL;
+ }
+ delegated_mc = GSS_C_NO_CREDENTIAL;
+
+ major_status = m->gm_accept_sec_context(minor_status,
+ &ctx->gc_ctx,
+ acceptor_mc,
+ input_token,
+ input_chan_bindings,
+ &src_mn,
+ mech_type,
+ output_token,
+ ret_flags,
+ time_rec,
+ &delegated_mc);
+ if (major_status != GSS_S_COMPLETE &&
+ major_status != GSS_S_CONTINUE_NEEDED)
+ return (major_status);
+
+ if (!src_name) {
+ m->gm_release_name(minor_status, &src_mn);
+ } else {
+ /*
+ * Make a new name and mark it as an MN.
+ */
+ struct _gss_name *name = _gss_make_name(m, src_mn);
+
+ if (!name) {
+ m->gm_release_name(minor_status, &src_mn);
+ return (GSS_S_FAILURE);
+ }
+ *src_name = (gss_name_t) name;
+ }
+
+ if (*ret_flags & GSS_C_DELEG_FLAG) {
+ if (!delegated_cred_handle) {
+ m->gm_release_cred(minor_status, &delegated_mc);
+ *ret_flags &= ~GSS_C_DELEG_FLAG;
+ } else {
+ struct _gss_cred *cred;
+ struct _gss_mechanism_cred *mc;
+
+ cred = malloc(sizeof(struct _gss_cred));
+ if (!cred) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ mc = malloc(sizeof(struct _gss_mechanism_cred));
+ if (!mc) {
+ free(cred);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ m->gm_inquire_cred(minor_status, delegated_mc,
+ 0, 0, &cred->gc_usage, 0);
+ mc->gmc_mech = m;
+ mc->gmc_mech_oid = &m->gm_mech_oid;
+ mc->gmc_cred = delegated_mc;
+ SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
+
+ *delegated_cred_handle = (gss_cred_id_t) cred;
+ }
+ }
+
+ *context_handle = (gss_ctx_id_t) ctx;
+ return (major_status);
+}
diff --git a/lib/libgssapi/gss_acquire_cred.3 b/lib/libgssapi/gss_acquire_cred.3
new file mode 100644
index 000000000000..d108875e71ad
--- /dev/null
+++ b/lib/libgssapi/gss_acquire_cred.3
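Review bot: In the delegated-credential branch the new `struct _gss_cred` is malloc()ed and then handed straight to `SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link)` with `gc_mc` never initialised, so the inserted element's next pointer is whatever the heap held and any later walk of that list — for instance the `SLIST_FOREACH` over `cred->gc_mc` at the top of this same function, should the delegated handle be passed back as an acceptor credential — follows an uninitialised pointer; add `SLIST_INIT(&cred->gc_mc);` before the insert. The same branch dereferences `ret_flags` unconditionally (`if (*ret_flags & GSS_C_DELEG_FLAG)`) although the initialisation block above and the accompanying manual page both treat NULL as a valid value for it, so a caller that does not ask for the flags crashes; drive the mechanism with a local `OM_uint32 flags` and copy it to `*ret_flags` only when that pointer is non-NULL. Two smaller defects: `allocated_ctx` is assigned but never read, so on the `!mc` return and on a failed mechanism call a freshly malloc()ed `ctx` (plus whatever the mechanism may have left in `gc_ctx`, which this code cannot see) leaks, and the malloc failure after OID parsing reports ENOMEM under `GSS_S_DEFECTIVE_TOKEN` rather than `GSS_S_FAILURE`. The length decoder's `a = (a << 8) | *p` loop accepts up to 127 length octets and silently discards the high bytes once they exceed `sizeof(a)`, so a non-canonical encoding with leading octets can still satisfy `a != len`; `if (b > sizeof(a)) return (GSS_S_DEFECTIVE_TOKEN);` before the loop keeps that check meaningful, and the unchecked `gm_inquire_cred` result that fills `gc_usage` deserves the same scrutiny. A sketch of the flags, leak and list-initialisation changes follows.
```c
	OM_uint32 flags = 0;	/* mechanism's view of the flags; copied out at the end */
	/* … unchanged: remaining declarations, output initialisation, token parsing … */
		if (!mc) {
			if (allocated_ctx)
				free(ctx);
			return (GSS_S_BAD_MECH);
		}
	/* … unchanged: acceptor_mc / delegated_mc setup … */
	major_status = m->gm_accept_sec_context(minor_status,
	    &ctx->gc_ctx, acceptor_mc, input_token, input_chan_bindings,
	    &src_mn, mech_type, output_token, &flags, time_rec,
	    &delegated_mc);
	if (major_status != GSS_S_COMPLETE &&
	    major_status != GSS_S_CONTINUE_NEEDED) {
		if (allocated_ctx)
			free(ctx);	/* first call failed: *context_handle stays GSS_C_NO_CONTEXT */
		return (major_status);
	}
	/* … unchanged: src_name handling … */
	if (flags & GSS_C_DELEG_FLAG) {
		if (!delegated_cred_handle) {
			m->gm_release_cred(minor_status, &delegated_mc);
			flags &= ~GSS_C_DELEG_FLAG;
		} else {
			/* … unchanged: cred / mc allocation and ENOMEM handling … */
			SLIST_INIT(&cred->gc_mc);	/* malloc() leaves the list head garbage */
			m->gm_inquire_cred(minor_status, delegated_mc,
			    0, 0, &cred->gc_usage, 0);
			mc->gmc_mech = m;
			mc->gmc_mech_oid = &m->gm_mech_oid;
			mc->gmc_cred = delegated_mc;
			SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
			*delegated_cred_handle = (gss_cred_id_t) cred;
		}
	}
	if (ret_flags)
		*ret_flags = flags;
	*context_handle = (gss_ctx_id_t) ctx;
	return (major_status);
```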
@@ -0,0 +1,238 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_ACQUIRE_CRED 3 PRM +.Sh NAME +.Nm gss_acquire_cred +.Nd Obtain a GSS-API credential handle for pre-existing credentials +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_acquire_cred +.Fa "OM_uint32 *minor_status" +.Fa "const gss_name_t desired_name" +.Fa "OM_uint32 time_req" +.Fa "const gss_OID_set desired_mechs" +.Fa "gss_cred_usage_t cred_usage" +.Fa "gss_cred_id_t *output_cred_handle" +.Fa "gss_OID_set *actual_mechs" +.Fa "OM_uint32 *time_rec" +.Fc +.Sh DESCRIPTION +Allows an application to acquire a handle for a pre-existing +credential by name. +GSS-API implementations must impose a local +access-control policy on callers of this routine to prevent +unauthorized callers from acquiring credentials to which they are not +entitled. 
+This routine is not intended to provide a "login to the +network" function, as such a function would involve the creation of +new credentials rather than merely acquiring a handle to existing +credentials. +Such functions, if required, should be defined in +implementation-specific extensions to the API. +.Pp +If desired_name is +.Dv GSS_C_NO_NAME , +the call is interpreted as a +request for a credential handle that will invoke default behavior +when passed to +.Fn gss_init_sec_context +(if cred_usage is +.Dv GSS_C_INITIATE +or +.Dv GSS_C_BOTH ) +or +.Fn gss_accept_sec_context +(if cred_usage is +.Dv GSS_C_ACCEPT +or +.Dv GSS_C_BOTH ). +.Pp +Mechanisms should honor the +.Fa desired_mechs +parameter, +and return a credential that is suitable to use only with the +requested mechanisms. +An exception to this is the case where one underlying credential +element can be shared by multiple mechanisms; +in this case it is permissible for an implementation to indicate all +mechanisms with which the credential element may be used. +If +.Fa desired_mechs +is an empty set, behavior is undefined. +.Pp +This routine is expected to be used primarily by context acceptors, +since implementations are likely to provide mechanism-specific ways +of obtaining GSS-API initiator credentials from the system login +process. +Some implementations may therefore not support the acquisition of +.Dv GSS_C_INITIATE +or +.Dv GSS_C_BOTH +credentials via +.Fn gss_acquire_cred +for any name other than +.Dv GSS_C_NO_NAME , +or a name produced by applying either +.Fn gss_inquire_cred +to a valid credential, or +.Fn gss_inquire_context +to an active context. +.Pp +If credential acquisition is time-consuming for a mechanism, +the mechanism may choose to delay the actual acquisition until the +credential is required +(e.g. by +.Fn gss_init_sec_context +or +.Fn gss_accept_sec_context ). 
+Such mechanism-specific implementation +decisions should be invisible to the calling application; +thus a call of +.Fn gss_inquire_cred +immediately following the call of +.Fn gss_acquire_cred +must return valid credential data, +and may therefore incur the overhead of a deferred credential acquisition. +.Sh PARAMETERS +.Bl -tag +.It desired_name +Name of principal whose credential should be acquired. +.It time_req +Number of seconds that credentials should remain valid. +Specify +.Dv GSS_C_INDEFINITE +to request that the credentials have the maximum +permitted lifetime. +.It desired_mechs +Set of underlying security mechanisms that may be used. +.Dv GSS_C_NO_OID_SET +may be used to obtain an implementation-specific default. +.It cred_usage +.Bl -tag -width "GSS_C_INITIATE" +.It GSS_C_BOTH +Credentials may be used either to initiate or accept security +contexts. +.It GSS_C_INITIATE +Credentials will only be used to initiate security contexts. +.It GSS_C_ACCEPT +Credentials will only be used to accept security contexts. +.El +.It output_cred_handle +The returned credential handle. +Resources +associated with this credential handle must be released by +the application after use with a call to +.Fn gss_release_cred . +.It actual_mechs +The set of mechanisms for which the credential is valid. +Storage associated with the returned OID-set must be released by the +application after use with a call to +.Fn gss_release_oid_set . +Specify +.Dv NULL if not required. +.It time_rec +Actual number of seconds for which the returned credentials will +remain valid. +If the implementation does not support expiration of credentials, +the value +.Dv GSS_C_INDEFINITE +will be returned. +Specify NULL if not required. +.It minor_status +Mechanism specific status code. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion. +.It GSS_S_BAD_MECH +Unavailable mechanism requested. +.It GSS_S_BAD_NAMETYPE +Type contained within desired_name parameter is not supported. 
+.It GSS_S_BAD_NAME +Value supplied for desired_name parameter is ill formed. +.It GSS_S_CREDENTIALS_EXPIRED +The credentials could not be acquired Because they have expired. +.It GSS_S_NO_CRED +No credentials were found for the specified name. +.El +.Sh SEE ALSO +.Xr gss_init_sec_context 3 , +.Xr gss_accept_sec_context 3 , +.Xr gss_inquire_cred 3 , +.Xr gss_inquire_context 3 , +.Xr gss_release_cred 3 , +.Xr gss_release_oid_set 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_acquire_cred.c b/lib/libgssapi/gss_acquire_cred.c new file mode 100644 index 000000000000..e65bb27c3eec --- /dev/null +++ b/lib/libgssapi/gss_acquire_cred.c 
@@ -0,0 +1,166 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#include +#include +#include + +#include "mech_switch.h" +#include "name.h" +#include "cred.h" + +OM_uint32 +gss_acquire_cred(OM_uint32 *minor_status, + const gss_name_t desired_name, + OM_uint32 time_req, + const gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec) +{ + OM_uint32 major_status; + gss_OID_set mechs = desired_mechs; + gss_OID_set_desc set; + struct _gss_name *name = (struct _gss_name *) desired_name; + struct _gss_mech_switch *m; + struct _gss_cred *cred; + struct _gss_mechanism_cred *mc; + struct _gss_mechanism_name *mn; + OM_uint32 min_time, time; + int i; + + /* + * First make sure that at least one of the requested + * mechanisms is one that we support. + */ + if (mechs) { + _gss_load_mech(); + for (i = 0; i < mechs->count; i++) { + int t; + gss_test_oid_set_member(minor_status, + &mechs->elements[i], _gss_mech_oids, &t); + if (t) + break; + } + if (i == mechs->count) { + *output_cred_handle = 0; + *minor_status = 0; + return (GSS_S_BAD_MECH); + } + } + + if (actual_mechs) { + major_status = gss_create_empty_oid_set(minor_status, + actual_mechs); + if (major_status) + return (major_status); + } + + cred = malloc(sizeof(struct _gss_cred)); + if (!cred) { + if (actual_mechs) + gss_release_oid_set(minor_status, actual_mechs); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + cred->gc_usage = cred_usage; + SLIST_INIT(&cred->gc_mc); + + if (mechs == GSS_C_NO_OID_SET) + mechs = _gss_mech_oids; + + set.count = 1; + min_time = GSS_C_INDEFINITE; + for (i = 0; i < mechs->count; i++) { + m = _gss_find_mech_switch(&mechs->elements[i]); + if (!m) + continue; + + if (desired_name != GSS_C_NO_NAME) { + mn = _gss_find_mn(name, &mechs->elements[i]); + if (!mn) + continue; + } + + mc = malloc(sizeof(struct _gss_mechanism_cred)); + if (!mc) { + continue; + } + mc->gmc_mech = m; + mc->gmc_mech_oid = &m->gm_mech_oid; + + /* + * XXX Probably 
need to do something with actual_mechs. + */ + set.elements = &mechs->elements[i]; + major_status = m->gm_acquire_cred(minor_status, + (desired_name != GSS_C_NO_NAME + ? mn->gmn_name : GSS_C_NO_NAME), + time_req, &set, cred_usage, + &mc->gmc_cred, NULL, &time); + if (major_status) { + free(mc); + continue; + } + if (time < min_time) + min_time = time; + + if (actual_mechs) { + major_status = gss_add_oid_set_member(minor_status, + mc->gmc_mech_oid, actual_mechs); + if (major_status) { + m->gm_release_cred(minor_status, + &mc->gmc_cred); + free(mc); + continue; + } + } + + SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link); + } + + /* + * If we didn't manage to create a single credential, return + * an error. + */ + if (!SLIST_FIRST(&cred->gc_mc)) { + free(cred); + if (actual_mechs) + gss_release_oid_set(minor_status, actual_mechs); + *output_cred_handle = 0; + *minor_status = 0; + return (GSS_S_NO_CRED); + } + + if (time_rec) + *time_rec = min_time; + *output_cred_handle = (gss_cred_id_t) cred; + *minor_status = 0; + return (GSS_S_COMPLETE); +} diff --git a/lib/libgssapi/gss_add_cred.3 b/lib/libgssapi/gss_add_cred.3 new file mode 100644 index 000000000000..98d80523bfad --- /dev/null +++ b/lib/libgssapi/gss_add_cred.3 
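Review bot: `_gss_load_mech()` is only called inside the `if (mechs)` block, yet when `desired_mechs` is `GSS_C_NO_OID_SET` the code falls through to `mechs = _gss_mech_oids` and reads `mechs->count` in the loop condition; if `_gss_mech_oids` is populated only by `_gss_load_mech()` (which the guarded call suggests), a caller requesting the default mechanism set before any other GSS-API call dereferences a null set. Hoisting `_gss_load_mech();` to the first statement of the function, ahead of the `if (mechs)` check, fixes this. Two smaller points in the same loop: the `malloc` failure for `mc` does a bare `continue`, so an out-of-memory condition is reported as `GSS_S_NO_CRED` with `*minor_status = 0` instead of `GSS_S_FAILURE`/`ENOMEM`, and `t` is read uninitialized when `gss_test_oid_set_member` fails because its return value is unchecked. The `XXX Probably need to do something with actual_mechs` comment is stale since the code below already adds each successfully acquired mechanism to `actual_mechs`; it should be dropped or reworded.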
@@ -0,0 +1,338 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_ADD_CRED 3 PRM +.Sh NAME +.Nm gss_add_cred +.Nd Construct credentials incrementally +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_add_cred +.Fa "OM_uint32 *minor_status" +.Fa "const gss_cred_id_t input_cred_handle" +.Fa "const gss_name_t desired_name" +.Fa "const gss_OID desired_mech" +.Fa "gss_cred_usage_t cred_usage" +.Fa "OM_uint32 initiator_time_req" +.Fa "OM_uint32 acceptor_time_req" +.Fa "gss_cred_id_t *output_cred_handle" +.Fa "gss_OID_set *actual_mechs" +.Fa "OM_uint32 *initiator_time_rec" +.Fa "OM_uint32 *acceptor_time_rec" +.Fc +.Sh DESCRIPTION +Adds a credential-element to a credential. +The credential-element is identified by the name of the principal to +which it refers. 
+GSS-API implementations must impose a local access-control policy on +callers of this routine to prevent unauthorized callers from acquiring +credential-elements to which they are not entitled. +This routine is not intended to provide a "login to the network" +function, +as such a function would involve the creation of new +mechanism-specific authentication data, +rather than merely acquiring a GSS-API handle to existing data. +Such functions, +if required, +should be defined in implementation-specific extensions to the API. +.Pp +If +.Fa desired_name +is +.Dv GSS_C_NO_NAME , +the call is interpreted as a request to add a credential element that +will invoke default behavior when passed to +.Fn gss_init_sec_context +(if cred_usage is +.Dv GSS_C_INITIATE +or +.Dv GSS_C_BOTH ) +or +.Fn gss_accept_sec_context +(if +.Fa cred_usage +is +.Dv GSS_C_ACCEPT +or +.Dv GSS_C_BOTH ). +.PP +This routine is expected to be used primarily by context acceptors, +since implementations are likely to provide mechanism-specific ways of +obtaining GSS-API initiator credentials from the system login process. +Some implementations may therefore not support the acquisition of +.Dv GSS_C_INITIATE +or +.Dv GSS_C_BOTH +credentials via +.Fn gss_acquire_cred +for any name other than +.Dv GSS_C_NO_NAME , +or a name produced by applying either +.Fn gss_inquire_cred +to a valid credential, +or +.Fn gss_inquire_context +to an active context. +.Pp +If credential acquisition is time-consuming for a mechanism, +the mechanism may choose to delay the actual acquisition until the +credential is required (e.g. by +.Fn gss_init_sec_context +or +.Fn gss_accept_sec_context ). +Such mechanism-specific implementation decisions should be invisible +to the calling application; +thus a call of +.Fn gss_inquire_cred +immediately following the call of +.Fn gss_add_cred +must return valid credential data, +and may therefore incur the overhead of a deferred credential acquisition. 
+.Pp +This routine can be used to either compose a new credential containing +all credential-elements of the original in addition to the +newly-acquire credential-element, +or to add the new credential-element to an existing credential. +If +.Dv NULL +is specified for the +.Fa output_cred_handle +parameter argument, +the new credential-element will be added to the credential identified +by +.Fa input_cred_handle ; +if a valid pointer is specified for the +.Fa output_cred_handle +parameter, +a new credential handle will be created. +.Pp +If +.Dv GSS_C_NO_CREDENTIAL +is specified as the +.Fa input_cred_handle , +.Fn gss_add_cred +will compose a credential (and set the +.Fa output_cred_handle +parameter accordingly) based on default behavior. +That is, the call will have the same effect as if the application had +first made a call to +.Fn gss_acquire_cred , +specifying the same usage and passing +.Dv GSS_C_NO_NAME +as the +.Fa desired_name +parameter to obtain an explicit credential handle embodying default +behavior, +passed this credential handle to +.Fn gss_add_cred , +and finally called +.Fn gss_release_cred +on the first credential handle. +.Pp +If +.Dv GSS_C_NO_CREDENTIAL +is specified as the +.Fa input_cred_handle +parameter, +a non- +.Dv NULL +.Fa output_cred_handle +must be supplied. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It input_cred_handle +The credential to which a credential-element will be added. +If +.Dv GSS_C_NO_CREDENTIAL +is specified, the routine will compose the new credential based on +default behavior (see description above). +Note that, while the credential-handle is not modified by +.Fn gss_add_cred , +the underlying credential will be modified if +.Fa output_credential_handle +is +.Dv NULL . +.It desired_name +Name of principal whose credential should be acquired. +.It desired_mech +Underlying security mechanism with which the credential may be used. 
+.It cred_usage +.Bl -tag -width "GSS_C_INITIATE" +.It GSS_C_BOTH +Credential may be used either to initiate or accept security +contexts. +.It GSS_C_INITIATE +Credential will only be used to initiate security contexts. +.It GSS_C_ACCEPT +Credential will only be used to accept security contexts. +.El +.It initiator_time_req +Number of seconds that the credential should remain valid for +initiating security contexts. +This argument is ignored if the composed credentials are of type +.Dv GSS_C_ACCEPT . +Specify +.Dv GSS_C_INDEFINITE +to request that the credentials have the maximum permitted initiator lifetime. +.It acceptor_time_req +Number of seconds that the credential should remain valid for +accepting security contexts. +This argument is ignored if the composed credentials are of type +.Dv GSS_C_INITIATE . +Specify +.Dv GSS_C_INDEFINITE +to request that the credentials have the maximum permitted initiator lifetime. +.It output_cred_handle +The returned credential handle, +containing +the new credential-element and all the credential-elements from +.Fa input_cred_handle . +If a valid pointer to a +.Fa gss_cred_id_t +is supplied for this parameter, +.Fn gss_add_cred +creates a new credential handle containing all credential-elements +from the +.Fa input_cred_handle +and the newly acquired credential-element; +if +.Dv NULL +is specified for this parameter, +the newly acquired credential-element will be added to the credential +identified by +.Fa input_cred_handle . +.Pp +The resources associated with any credential handle returned via this +parameter must be released by the application after use with a call to +.Fn gss_release_cred . +.It actual_mechs +The complete set of mechanisms for which the new credential is valid. +Storage for the returned OID-set must be freed by the application +after use with a call to +.Fn gss_release_oid_set . +Specify +.Dv NULL if not required. 
+.It initiator_time_rec +Actual number of seconds for which the returned credentials will +remain valid for initiating contexts using the specified mechanism. +If the implementation or mechanism does not support expiration of +credentials, +the value +.Dv GSS_C_INDEFINITE +will be returned. +Specify +.Dv NULL +if not required. +.It acceptor_time_rec +Actual number of seconds for which the returned credentials will +remain valid for accepting security contexts using the specified +mechanism. +If the implementation or mechanism does not support expiration of +credentials, +the value +.Dv GSS_C_INDEFINITE +will be returned. +Specify +.Dv NULL +if not required. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion. +.It GSS_S_BAD_MECH +Unavailable mechanism requested. +.It GSS_S_BAD_NAMETYPE +Type contained within desired_name parameter is not supported +.It GSS_S_BAD_NAME +Value supplied for desired_name parameter is ill-formed. +.It GSS_S_DUPLICATE_ELEMENT +The credential already contains an element for the requested mechanism +with overlapping usage and validity period. +.It GSS_S_CREDENTIALS_EXPIRED +The required credentials could not be added because they have expired. +.It GSS_S_NO_CRED +No credentials were found for the specified name. +.El +.Sh SEE ALSO +.Xr gss_init_sec_context 3 , +.Xr gss_accept_sec_context 3 , +.Xr gss_acquire_cred 3 , +.Xr gss_inquire_cred 3 , +.Xr gss_inquire_context 3 , +.Xr gss_release_cred 3 , +.Xr gss_release_oid_set 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_add_cred.c b/lib/libgssapi/gss_add_cred.c new file mode 100644 index 000000000000..aec4464d34af --- /dev/null +++ b/lib/libgssapi/gss_add_cred.c 
@@ -0,0 +1,178 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#include +#include + +#include "mech_switch.h" +#include "cred.h" +#include "name.h" + +static struct _gss_mechanism_cred * +_gss_copy_cred(struct _gss_mechanism_cred *mc) +{ + struct _gss_mechanism_cred *new_mc; + struct _gss_mech_switch *m = mc->gmc_mech; + OM_uint32 major_status, minor_status; + gss_name_t name; + gss_cred_id_t cred; + OM_uint32 initiator_lifetime, acceptor_lifetime; + gss_cred_usage_t cred_usage; + + major_status = m->gm_inquire_cred_by_mech(&minor_status, + mc->gmc_cred, mc->gmc_mech_oid, + &name, &initiator_lifetime, &acceptor_lifetime, &cred_usage); + if (major_status) + return (0); + + major_status = m->gm_add_cred(&minor_status, + GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid, + cred_usage, initiator_lifetime, acceptor_lifetime, + &cred, 0, 0, 0); + m->gm_release_name(&minor_status, &name); + + if (major_status) + return (0); + + new_mc = malloc(sizeof(struct _gss_mechanism_cred)); + if (!new_mc) { + m->gm_release_cred(&minor_status, &cred); + return (0); + } + new_mc->gmc_mech = m; + new_mc->gmc_mech_oid = &m->gm_mech_oid; + new_mc->gmc_cred = cred; + + return (new_mc); +} + +OM_uint32 +gss_add_cred(OM_uint32 *minor_status, + const gss_cred_id_t input_cred_handle, + const gss_name_t desired_name, + const gss_OID desired_mech, + gss_cred_usage_t cred_usage, + OM_uint32 initiator_time_req, + OM_uint32 acceptor_time_req, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *initiator_time_rec, + OM_uint32 *acceptor_time_rec) +{ + OM_uint32 major_status; + struct _gss_mech_switch *m; + gss_OID_set_desc set; + struct _gss_name *name = (struct _gss_name *) desired_name; + struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle; + struct _gss_cred *new_cred; + struct _gss_mechanism_cred *mc, *target_mc, *copy_mc; + struct _gss_mechanism_name *mn; + OM_uint32 min_time, time, junk; + int i; + + *output_cred_handle = 0; + *minor_status = 0; + + new_cred = malloc(sizeof(struct _gss_cred)); + 
if (!new_cred) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + new_cred->gc_usage = cred_usage; + SLIST_INIT(&new_cred->gc_mc); + + /* + * We go through all the mc attached to the input_cred_handle + * and check the mechanism. If it matches, we call + * gss_add_cred for that mechanism, otherwise we copy the mc + * to new_cred. + */ + target_mc = 0; + if (cred) { + SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + if (_gss_oid_equal(mc->gmc_mech, desired_mech)) { + target_mc = mc; + } + copy_mc = _gss_copy_cred(mc); + if (!copy_mc) { + gss_release_cred(&junk, (gss_cred_id_t*) &new_cred); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + SLIST_INSERT_HEAD(&new_cred->gc_mc, copy_mc, gmc_link); + } + } + + /* + * Figure out a suitable mn, if any. + */ + if (desired_name) { + mn = _gss_find_mn((struct _gss_name *) desired_name, + desired_mech); + if (!mn) { + free(new_cred); + return (GSS_S_BAD_NAME); + } + } else { + mn = 0; + } + + m = _gss_find_mech_switch(desired_mech); + + mc = malloc(sizeof(struct _gss_mechanism_cred)); + if (!mc) { + gss_release_cred(&junk, (gss_cred_id_t*) &new_cred); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + mc->gmc_mech = m; + mc->gmc_mech_oid = &m->gm_mech_oid; + + major_status = m->gm_add_cred(minor_status, + target_mc ? target_mc->gmc_cred : GSS_C_NO_CREDENTIAL, + desired_name ? mn->gmn_name : GSS_C_NO_NAME, + desired_mech, + cred_usage, + initiator_time_req, + acceptor_time_req, + &mc->gmc_cred, + actual_mechs, + initiator_time_rec, + acceptor_time_rec); + + if (major_status) { + gss_release_cred(&junk, (gss_cred_id_t*) &new_cred); + free(mc); + return (major_status); + } + SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link); + *output_cred_handle = (gss_cred_id_t) new_cred; + + return (GSS_S_COMPLETE); +} + diff --git a/lib/libgssapi/gss_add_oid_set_member.3 b/lib/libgssapi/gss_add_oid_set_member.3 new file mode 100644 index 000000000000..15f661b5041e --- /dev/null +++ b/lib/libgssapi/gss_add_oid_set_member.3 
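Review bot: `m = _gss_find_mech_switch(desired_mech)` is dereferenced unchecked — `mc->gmc_mech_oid = &m->gm_mech_oid` and `m->gm_add_cred(...)` follow — so a caller passing a mechanism OID not present in the mech switch gets a null-pointer dereference instead of `GSS_S_BAD_MECH`; `gss_acquire_cred.c` in this same commit guards the identical call with `if (!m)`. The mechanism match in the copy loop, `_gss_oid_equal(mc->gmc_mech, desired_mech)`, compares a `struct _gss_mech_switch *` with a `gss_OID`; unless `_gss_oid_equal` is declared to accept the switch pointer, `target_mc` is never matched and the comparison should use `mc->gmc_mech_oid`. The `!mn` path does a bare `free(new_cred)` after elements may already have been copied into `new_cred->gc_mc`, leaking those mechanism credentials where every other error path correctly calls `gss_release_cred`. Separately, the manual page added alongside documents a `NULL` `output_cred_handle` as "add the element to the input credential", but the first statement `*output_cred_handle = 0;` dereferences it unconditionally, so either the code or the page needs to change; `set`, `min_time`, `time` and `i` are unused locals.
```c
		if (_gss_oid_equal(mc->gmc_mech_oid, desired_mech)) {
/* … unchanged: rest of the SLIST_FOREACH copy loop … */

	if (desired_name) {
		mn = _gss_find_mn((struct _gss_name *) desired_name,
		    desired_mech);
		if (!mn) {
			gss_release_cred(&junk, (gss_cred_id_t*) &new_cred);
			return (GSS_S_BAD_NAME);
		}
	} else {
		mn = 0;
	}

	m = _gss_find_mech_switch(desired_mech);
	if (!m) {
		gss_release_cred(&junk, (gss_cred_id_t*) &new_cred);
		return (GSS_S_BAD_MECH);
	}
/* … unchanged: mc allocation, gm_add_cred call and list insert … */
```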
@@ -0,0 +1,130 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_ADD_OID_SET_MEMBER 3 PRM +.Sh NAME +.Nm gss_add_oid_set_member +.Nd Add an object identifier to a set +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_add_oid_set_member +.Fa "OM_uint32 *minor_status" +.Fa "const gss_OID member_oid" +.Fa "gss_OID_set *oid_set" +.Fc +.Sh DESCRIPTION +Add an Object Identifier to an Object Identifier set. +This routine is intended for use in conjunction with +.Fn gss_create_empty_oid_set +when constructing a set of mechanism OIDs for input to +.Fn gss_acquire_cred . +The +.Fa oid_set +parameter must refer to an OID-set that was created by GSS-API +(e.g. a set returned by +.Fn gss_create_empty_oid_set ). 
+GSS-API creates a copy of the +.Fa member_oid +and inserts this copy into the set, +expanding the storage allocated to the OID-set's elements array if +necessary. +The routine may add the new member OID anywhere within the elements +array, +and implementations should verify that the new +.Fa member_oid +is not already contained within the elements array; +if the +.Fa member_oid +is already present, +the +.Fa oid_set +should remain unchanged. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It member_oid +The object identifier to copied into the set. +.It oid_set +The set in which the object identifier should be inserted. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.El +.Sh SEE ALSO +.Xr gss_create_empty_oid_set 3 , +.Xr gss_acquire_cred 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_add_oid_set_member.c b/lib/libgssapi/gss_add_oid_set_member.c new file mode 100644 index 000000000000..f1f8214878e5 --- /dev/null +++ b/lib/libgssapi/gss_add_oid_set_member.c 
@@ -0,0 +1,77 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#include +#include +#include + +OM_uint32 +gss_add_oid_set_member(OM_uint32 *minor_status, + const gss_OID member_oid, + gss_OID_set *oid_set) +{ + OM_uint32 major_status; + gss_OID_set set = *oid_set; + gss_OID new_elements; + gss_OID new_oid; + int t; + + *minor_status = 0; + + major_status = gss_test_oid_set_member(minor_status, + member_oid, *oid_set, &t); + if (major_status) + return (major_status); + if (t) + return (GSS_S_COMPLETE); + + new_elements = malloc((set->count + 1) * sizeof(gss_OID_desc)); + if (!new_elements) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + + new_oid = &new_elements[set->count]; + new_oid->elements = malloc(member_oid->length); + if (!new_oid->elements) { + free(new_elements); + return (GSS_S_FAILURE); + } + new_oid->length = member_oid->length; + memcpy(new_oid->elements, member_oid->elements, member_oid->length); + + if (set->elements) { + memcpy(new_elements, set->elements, + set->count * sizeof(gss_OID_desc)); + free(set->elements); + } + set->elements = new_elements; + set->count++; + + return (GSS_S_COMPLETE); +} diff --git a/lib/libgssapi/gss_canonicalize_name.3 b/lib/libgssapi/gss_canonicalize_name.3 new file mode 100644 index 000000000000..1d7b77230c4b --- /dev/null +++ b/lib/libgssapi/gss_canonicalize_name.3 
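Review bot: The second allocation failure path, `if (!new_oid->elements) { free(new_elements); return (GSS_S_FAILURE); }`, returns `GSS_S_FAILURE` without setting `*minor_status = ENOMEM`, unlike the `new_elements` path just above it, so the caller sees a failure with a zero minor status; add `*minor_status = ENOMEM;` before the `free`. Note also that `malloc(member_oid->length)` with a zero-length OID may legitimately return `NULL` on some platforms and would then be reported as an allocation failure; if zero-length OIDs are meant to be rejected, an explicit `length == 0` check up front would make that contract visible. The allocate-copy-free sequence is otherwise sound: on either failure the original set is left untouched, which is what `gss_release_oid_set` callers rely on.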
@@ -0,0 +1,137 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_CANONICALIZE_NAME 3 PRM +.Sh NAME +.Nm gss_canonicalize_name +.Nd Convert an internal name to an MN +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_canonicalize_name +.Fa "OM_uint32 *minor_status" +.Fa "const gss_name_t input_name" +.Fa "const gss_OID mech_type" +.Fa "gss_name_t *output_name" +.Fc +.Sh DESCRIPTION +Generate a canonical mechanism name (MN) from an arbitrary internal +name. +The mechanism name is the name that would be returned to a context +acceptor on successful authentication of a context where the initiator +used the +.Fa input_name +in a successful call to +.Fn gss_acquire_cred , +specifying an OID set containing +.Fa mech_type +as its only member, +followed by a call to +.Fn gss_init_sec_context , +specifying +.Fa mech_type +as the authentication mechanism. 
+.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It input_name +The name for which a canonical form is desired. +.It mech_type +The authentication mechanism for which the canonical form of the name +is desired. +The desired mechanism must be specified explicitly; + no default is provided. +.It output_name +The resultant canonical name. +Storage associated with this name must be freed by the application +after use with a call to +.Fn gss_release_name . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion. +.It GSS_S_BAD_MECH +The identified mechanism is not supported. +.It GSS_S_BAD_NAMETYPE +The provided internal name contains no elements that could be +processed by the specified mechanism. +.It GSS_S_BAD_NAME +The provided internal name was ill-formed. +.El +.Sh SEE ALSO +.Xr gss_acquire_cred 3 , +.Xr gss_init_sec_context 3 , +.Xr gss_release_name 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_canonicalize_name.c b/lib/libgssapi/gss_canonicalize_name.c new file mode 100644 index 000000000000..5fbcbe50022f --- /dev/null +++ b/lib/libgssapi/gss_canonicalize_name.c 
@@ -0,0 +1,91 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_canonicalize_name(OM_uint32 *minor_status,
+ const gss_name_t input_name,
+ const gss_OID mech_type,
+ gss_name_t *output_name)
+{
+ OM_uint32 major_status;
+ struct _gss_name *name = (struct _gss_name *) input_name;
+ struct _gss_mechanism_name *mn;
+ struct _gss_mech_switch *m = _gss_find_mech_switch(mech_type);
+ gss_name_t new_canonical_name;
+
+ *minor_status = 0;
+ *output_name = 0;
+
+ mn = _gss_find_mn(name, mech_type);
+ if (!mn) {
+ return (GSS_S_BAD_MECH);
+ }
+
+ m = mn->gmn_mech;
+ major_status = m->gm_canonicalize_name(minor_status,
+ mn->gmn_name, mech_type, &new_canonical_name);
+ if (major_status)
+ return (major_status);
+
+ /*
+ * Now we make a new name and mark it as an MN.
+ */
+ *minor_status = 0;
+ name = malloc(sizeof(struct _gss_name));
+ if (!name) {
+ m->gm_release_name(minor_status, &new_canonical_name);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ memset(name, 0, sizeof(struct _gss_name));
+
+ mn = malloc(sizeof(struct _gss_mechanism_name));
+ if (!mn) {
+ m->gm_release_name(minor_status, &new_canonical_name);
+ free(name);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+
+ SLIST_INIT(&name->gn_mn);
+ mn->gmn_mech = m;
+ mn->gmn_mech_oid = &m->gm_mech_oid;
+ mn->gmn_name = new_canonical_name;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+
+ *output_name = (gss_name_t) name;
+
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_compare_name.3 b/lib/libgssapi/gss_compare_name.3
new file mode 100644
index 000000000000..06055f8a9771
--- /dev/null
+++ b/lib/libgssapi/gss_compare_name.3
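Review bot: `m` is initialised from `_gss_find_mech_switch(mech_type)` and then unconditionally overwritten with `mn->gmn_mech` before its first use, so the initial lookup is dead work and its result (possibly a null for an unknown mechanism) is never examined; declare `struct _gss_mech_switch *m;` and assign it once after `_gss_find_mn` succeeds. The only error this wrapper raises itself is GSS_S_BAD_MECH at `if (!mn)`, whereas the manual page added in the same commit also documents GSS_S_BAD_NAMETYPE for a name that has no element the mechanism can process; presumably `_gss_find_mn` returning null covers both cases, which deserves a comment there such as `/* No MN for mech_type: unknown mechanism, or the name cannot be imported by it. */`.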
@@ -0,0 +1,122 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_COMPARE_NAME PRM +.Sh NAME +.Nm gss_compare_name +.Nd Compare two internal-form names +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_compare_name +.Fa "OM_uint32 *minor_status" +.Fa "const gss_name_t name1" +.Fa "const gss_name_t name2" +.Fa "int *name_equal" +.Fc +.Sh DESCRIPTION +Allows an application to compare two internal-form names to determine +whether they refer to the same entity. +.Pp +If either name presented to +.Fn gss_compare_name +denotes an anonymous principal, +the routines should indicate that the two names do not refer to the +same identity. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It name1 +Internal-form name. +.It name2 +Internal-form name. 
+.It name_equal +.Bl -tag +.It non-zero +Names refer to same entity +.It zero +Names refer to different entities (strictly, the names are not known +to refer to the same identity). +.El +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_BAD_NAMETYPE +The two names were of incomparable types. +.It GSS_S_BAD_NAME +One or both of name1 or name2 was ill-formed. +.El +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_compare_name.c b/lib/libgssapi/gss_compare_name.c new file mode 100644 index 000000000000..644b4a6ff5ab --- /dev/null +++ b/lib/libgssapi/gss_compare_name.c 
@@ -0,0 +1,76 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_compare_name(OM_uint32 *minor_status,
+ const gss_name_t name1_arg,
+ const gss_name_t name2_arg,
+ int *name_equal)
+{
+ struct _gss_name *name1 = (struct _gss_name *) name1_arg;
+ struct _gss_name *name2 = (struct _gss_name *) name2_arg;
+
+ /*
+ * First check the implementation-independant name if both
+ * names have one. Otherwise, try to find common mechanism
+ * names and compare them.
+ */
+ if (name1->gn_value.value && name2->gn_value.value) {
+ *name_equal = 1;
+ if (!_gss_oid_equal(name1->gn_type, name2->gn_type)) {
+ *name_equal = 0;
+ } else if (name1->gn_value.length != name2->gn_value.length ||
+ memcmp(name1->gn_value.value, name1->gn_value.value,
+ name1->gn_value.length)) {
+ *name_equal = 0;
+ }
+ } else {
+ struct _gss_mechanism_name *mn1;
+ struct _gss_mechanism_name *mn2;
+
+ SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) {
+ mn2 = _gss_find_mn(name2, mn1->gmn_mech_oid);
+ if (mn2) {
+ return (mn1->gmn_mech->gm_compare_name(
+ minor_status,
+ mn1->gmn_name,
+ mn2->gmn_name,
+ name_equal));
+ }
+ }
+ *name_equal = 0;
+ }
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_context_time.3 b/lib/libgssapi/gss_context_time.3
new file mode 100644
index 000000000000..7abc900ed5bd
--- /dev/null
+++ b/lib/libgssapi/gss_context_time.3
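Review bot: The byte comparison on the implementation-independent path compares `name1` with itself — `memcmp(name1->gn_value.value, name1->gn_value.value, name1->gn_value.length)` — so any two names of the same type and the same length are reported equal; the second argument must be `name2->gn_value.value`. Any caller that relies on name equality for an access decision would get a false positive match from this, so it is a correctness bug with security consequences rather than a cosmetic one. Neither argument is checked against GSS_C_NO_NAME before `name1->gn_value` is dereferenced, although the manual page in this commit documents GSS_S_BAD_NAME for ill-formed input; a guard such as `if (!name1 || !name2) { *minor_status = 0; return (GSS_S_BAD_NAME); }` at the top would cover it. The comment's "independant" is a typo for "independent".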
@@ -0,0 +1,108 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_CONTEXT_TIME 3 PRM +.Sh NAME +.Nm gss_context_time +.Nd Determine for how long a context will remain valid +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_context_time +.Fa "OM_uint32 *minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "OM_uint32 *time_rec" +.Fc +.Sh DESCRIPTION +Determines the number of seconds for which the specified context will +remain valid. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +Identifies the context to be interrogated. +.It time_rec +Number of seconds that the context will remain valid. +If the context has already expired, zero will be returned. 
+.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_CONTEXT_EXPIRED +The context has already expired +.It GSS_S_NO_CONTEXT +The context_handle parameter did not identify a valid context +.El +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_context_time.c b/lib/libgssapi/gss_context_time.c new file mode 100644 index 000000000000..585ebd690875 --- /dev/null +++ b/lib/libgssapi/gss_context_time.c 
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_context_time(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ OM_uint32 *time_rec)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_context_time(minor_status, ctx->gc_ctx, time_rec));
+}
diff --git a/lib/libgssapi/gss_create_empty_oid_set.3 b/lib/libgssapi/gss_create_empty_oid_set.3
new file mode 100644
index 000000000000..47e368b0fd37
--- /dev/null
+++ b/lib/libgssapi/gss_create_empty_oid_set.3
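Review bot: `context_handle` is dereferenced through `ctx->gc_mech` with no check, so a caller passing GSS_C_NO_CONTEXT crashes instead of receiving the GSS_S_NO_CONTEXT that the manual page added in this commit documents ("The context_handle parameter did not identify a valid context"); add `if (ctx == NULL) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }` before the `gc_mech` load. Whether `gc_mech` itself can still be null for a context whose establishment has not completed is not visible in this hunk; if it can, the same guard should cover `m`.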
@@ -0,0 +1,112 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_CREATE_EMPTY_OID_SET 3 PRM +.Sh NAME +.Nm gss_create_empty_oid_set +.Nd Create a set containing no object identifiers +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_create_empty_oid_set +.Fa "OM_uint32 *minor_status" +.Fa "gss_OID_set *oid_set" +.Fc +.Sh DESCRIPTION +Create an object-identifier set containing no object identifiers, +to which members may be subsequently added using the +.Fn gss_add_oid_set_member +routine. +These routines are intended to be used to construct sets of mechanism +object identifiers for input to +.Fn gss_acquire_cred . +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It oid_set + +The empty object identifier set. 
+The routine will allocate the gss_OID_set_desc object, +which the application must free after use with a call to +.Fn gss_release_oid_set . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.El +.Sh SEE ALSO +.Xr gss_add_oid_set_member 3 , +.Xr gss_acquire_cred 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_create_empty_oid_set.c b/lib/libgssapi/gss_create_empty_oid_set.c new file mode 100644 index 000000000000..0412817a280f --- /dev/null +++ b/lib/libgssapi/gss_create_empty_oid_set.c 
@@ -0,0 +1,53 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+OM_uint32
+gss_create_empty_oid_set(OM_uint32 *minor_status,
+ gss_OID_set *oid_set)
+{
+ gss_OID_set set;
+
+ *minor_status = 0;
+ *oid_set = 0;
+
+ set = malloc(sizeof(gss_OID_set_desc));
+ if (!set) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+
+ set->count = 0;
+ set->elements = 0;
+ *oid_set = set;
+
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_delete_sec_context.3 b/lib/libgssapi/gss_delete_sec_context.3
new file mode 100644
index 000000000000..7ecbb2b8af95
--- /dev/null
+++ b/lib/libgssapi/gss_delete_sec_context.3
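Review bot: Null pointers are written as the integer literal `0` here (`*oid_set = 0;` and `set->elements = 0;`), which reads as an integer assignment rather than a pointer reset; `NULL`, or `GSS_C_NO_OID_SET` for the output handle as RFC 2744 names it, makes the intent explicit and matches the boolean pointer tests used in the sibling files of this commit. The function otherwise does what its manual page promises: it clears minor_status, reports ENOMEM with GSS_S_FAILURE when the set cannot be allocated, and hands back an empty set the caller must release.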
@@ -0,0 +1,163 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_DELETE_SEC_CONTEXT 3 PRM +.Sh NAME +.Nm gss_delete_sec_context +.Nd Discard a security context +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_delete_sec_context +.Fa "OM_uint32 *minor_status" +.Fa "gss_ctx_id_t *context_handle" +.Fa "gss_buffer_t output_token" +.Fc +.Sh DESCRIPTION +Delete a security context. +.Fn gss_delete_sec_context +will delete the local data structures associated with the specified +security context, +and may generate an output_token, +which when passed to the peer +.Fn gss_process_context_token +will instruct it to do likewise. +If no token is required by the mechanism, +the GSS-API should set the length field of the output_token (if +provided) to zero. +No further security services may be obtained using the context +specified by +.Fa context_handle . 
+.Pp +In addition to deleting established security contexts, +.Fn gss_delete_sec_context +must also be able to delete "half-built" security contexts resulting +from an incomplete sequence of +.Fn gss_init_sec_context +/ +.Fn gss_accept_sec_context +calls. +.Pp +The +.Fa output_token +parameter is retained for compatibility with version 1 of the GSS-API. +It is recommended that both peer applications invoke +.Fn gss_delete_sec_context +passing the value +.Dv GSS_C_NO_BUFFER +for the +.Fa output_token +parameter, +indicating that no token is required, +and that +.Fn gss_delete_sec_context +should simply delete local context data structures. +If the application does pass a valid buffer to +.Fn gss_delete_sec_context , +mechanisms are encouraged to return a zero-length token, +indicating that no peer action is necessary, +and that no token should be transferred by the application. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +Context handle identifying context to delete. +After deleting the context, +the GSS-API will set this context handle to +.Dv GSS_C_NO_CONTEXT . +.It output_token +Token to be sent to remote application to instruct it to also delete +the context. +It is recommended that applications specify +.Dv GSS_C_NO_BUFFER +for this parameter, +requesting local deletion only. +If a buffer parameter is provided by the application, +the mechanism may return a token in it; +mechanisms that implement only local deletion should set the length +field of this token to zero to indicate to the application that no +token is to be sent to the peer. 
+.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_NO_CONTEXT +No valid context was supplied +.El +.Sh SEE ALSO +.Xr gss_process_context_token 3 , +.Xr gss_init_sec_context 3 , +.Xr gss_accept_sec_context 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_delete_sec_context.c b/lib/libgssapi/gss_delete_sec_context.c new file mode 100644 index 000000000000..b1f39c24c0fd --- /dev/null +++ b/lib/libgssapi/gss_delete_sec_context.c 
@@ -0,0 +1,62 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_delete_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t output_token)
+{
+ OM_uint32 major_status;
+ struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+
+ *minor_status = 0;
+ if (ctx) {
+ /*
+ * If we have an implementation ctx, delete it,
+ * otherwise fake an empty token.
+ */
+ if (ctx->gc_ctx) {
+ major_status = ctx->gc_mech->gm_delete_sec_context(
+ minor_status, &ctx->gc_ctx, output_token);
+ } else if (output_token != GSS_C_NO_BUFFER) {
+ output_token->length = 0;
+ output_token->value = 0;
+ }
+ free(ctx);
+ *context_handle = 0;
+ }
+
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_display_name.3 b/lib/libgssapi/gss_display_name.3
new file mode 100644
index 000000000000..78789533c475
--- /dev/null
+++ b/lib/libgssapi/gss_display_name.3
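Review bot: `major_status` receives the result of the mechanism's `gm_delete_sec_context` but is never read, so `gss_delete_sec_context` returns `GSS_S_COMPLETE` even when the mechanism reported a failure (it also draws an unused-variable warning). The caller is then told the context was torn down cleanly while `*minor_status` may hold the mechanism's error and `output_token` is in whatever state the mechanism left it. I would declare `OM_uint32 major_status = GSS_S_COMPLETE;` and finish with `return (major_status);`, keeping the unconditional `free(ctx)` and `*context_handle = 0` so the wrapper never hands back a dangling handle. Whether a failed mechanism delete should additionally reset `output_token` to an empty buffer depends on the mechanism contract, which is not visible in this hunk.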
@@ -0,0 +1,151 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_DISPLAY_NAME 3 PRM +.Sh NAME +.Nm gss_display_name +.Nd Convert internal-form name to text +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_display_name +.Fa "OM_uint32 *minor_status" +.Fa "const gss_name_t input_name" +.Fa "gss_buffer_t output_name_buffer" +.Fa "gss_OID *output_name_type" +.Fc +.Sh DESCRIPTION +Allows an application to obtain a textual representation of an opaque +internal-form name for display purposes. +The syntax of a printable name is defined by the GSS-API implementation. +.Pp +If +.Fa input_name +denotes an anonymous principal, +the implementation should return the +.Fa gss_OID +value +.Dv GSS_C_NT_ANONYMOUS +as the +.Fa output_name_type , +and a textual name that is syntactically distinct from all valid +supported printable names in +.Fa output_name_buffer . 
+.Pp +If +.Fa input_name +was created by a call to +.Fn gss_import_name , +specifying +.Dv GSS_C_NO_OID +as the name-type, +implementations that employ lazy conversion between name types may +return +.Dv GSS_C_NO_OID +via the +.Fa output_name_type +parameter. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It input_name +Name to be displayed. +.It output_name_buffer +Buffer to receive textual name string. +The application must free storage associated with this name after use +with a call to +.Fn gss_release_buffer . +.It output_name_type +The type of the returned name. +The returned +.Fa gss_OID +will be a pointer into static storage, +and should be treated as read-only by the caller +(in particular, the application should not attempt to free it). +Specify +.Dv NULL +if not required. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_BAD_NAME +.Fa input_name +was ill-formed +.El +.Sh SEE ALSO +.Xr gss_import_name 3 , +.Xr gss_release_buffer 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_display_name.c b/lib/libgssapi/gss_display_name.c new file mode 100644 index 000000000000..a5c3e5ec2797 --- /dev/null +++ b/lib/libgssapi/gss_display_name.c 
@@ -0,0 +1,78 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_display_name(OM_uint32 *minor_status,
+ const gss_name_t input_name,
+ gss_buffer_t output_name_buffer,
+ gss_OID *output_name_type)
+{
+ OM_uint32 major_status;
+ struct _gss_name *name = (struct _gss_name *) input_name;
+ struct _gss_mechanism_name *mn;
+
+ /*
+ * If we know it, copy the buffer used to import the name in
+ * the first place. Otherwise, ask all the MNs in turn if
+ * they can display the thing.
+ */
+ if (name->gn_value.value) {
+ output_name_buffer->value = malloc(name->gn_value.length);
+ if (!output_name_buffer->value) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ output_name_buffer->length = name->gn_value.length;
+ memcpy(output_name_buffer->value, name->gn_value.value,
+ output_name_buffer->length);
+ if (output_name_type)
+ *output_name_type = &name->gn_type;
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+ } else {
+ SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+ major_status = mn->gmn_mech->gm_display_name(
+ minor_status, mn->gmn_name,
+ output_name_buffer,
+ output_name_type);
+ if (major_status == GSS_S_COMPLETE)
+ return (GSS_S_COMPLETE);
+ }
+ }
+
+ *minor_status = 0;
+ return (GSS_S_FAILURE);
+}
diff --git a/lib/libgssapi/gss_display_status.3 b/lib/libgssapi/gss_display_status.3
new file mode 100644
index 000000000000..58ded924797b
--- /dev/null
+++ b/lib/libgssapi/gss_display_status.3
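Review bot: `gss_display_name` dereferences `input_name` at `name->gn_value.value` without first checking for `GSS_C_NO_NAME`, so a NULL name crashes instead of yielding the `GSS_S_BAD_NAME` that the RFC 2744 contract and this commit's own man page describe; add `if (name == NULL) { *minor_status = 0; return (GSS_S_BAD_NAME); }` ahead of the `if`. Separately, the imported-name branch hands back `&name->gn_type`, a pointer into the name object, while the accompanying man page tells callers the OID is in static storage and may be retained; if `gss_release_name` frees that object the OID dangles, so either the doc or the code needs to change (`struct _gss_name` is not visible here, so I cannot say which). The fallback path returns `GSS_S_FAILURE` with `*minor_status = 0` when no mechanism can display the name, where `GSS_S_BAD_NAME` would give the caller something actionable. Minor: `malloc(0)` for a zero-length value may legitimately return NULL on some platforms and would then be misreported as ENOMEM.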
@@ -0,0 +1,210 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_DISPLAY_STATUS 3 PRM +.Sh NAME +.Nm gss_display_status +.Nd Convert a GSS-API status code to text +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_display_status +.Fa "OM_uint32 *minor_status" +.Fa "OM_uint32 status_value" +.Fa "int status_type" +.Fa "const gss_OID mech_type" +.Fa "OM_uint32 *message_context" +.Fa "gss_buffer_t status_string" +.Fc +.Sh DESCRIPTION +Allows an application to obtain a textual representation of a GSS-API +status code, +for display to the user or for logging purposes. +Since some status values may indicate multiple conditions, +applications may need to call +.Fn gss_display_status +multiple times, +each call generating a single text string. 
+The +.Fa message_context +parameter is used by +.Fn gss_display_status +to store state information about which error messages have already +been extracted from a given +.Fa status_value ; +.Fa message_context +must be initialized to zero by the application prior to the first call, +and +.Fn gss_display_status +will return a non-zero value in this parameter if there are further +messages to extract. +.Pp +The +.Fa message_context +parameter contains all state information required by +.Fn gss_display_status +in order to extract further messages from the +.Fa status_value ; +even when a non-zero value is returned in this parameter, +the application is not required to call +.Fn gss_display_status +again unless subsequent messages are desired. +The following code extracts all messages from a given status code and prints them to stderr: +.Bd -literal +OM_uint32 message_context; +OM_uint32 status_code; +OM_uint32 maj_status; +OM_uint32 min_status; +gss_buffer_desc status_string; + + ... + +message_context = 0; + +do { + + maj_status = gss_display_status ( + &min_status, + status_code, + GSS_C_GSS_CODE, + GSS_C_NO_OID, + &message_context, + &status_string) + + fprintf(stderr, + "%.*s\\n", + (int)status_string.length, + (char *)status_string.value); + + gss_release_buffer(&min_status, &status_string); + +} while (message_context != 0); +.Ed +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It status_value +Status value to be converted +.It status_type +.Bl -tag +.It GSS_C_GSS_CODE +.Fa status_value +is a GSS status code +.It GSS_C_MECH_CODE +.Fa status_value +is a mechanism status code +.El +.It mech_type +Underlying mechanism (used to interpret a minor status value). +Supply +.Dv GSS_C_NO_OID +to obtain the system default. +.It message_context +Should be initialized to zero by the application prior to the first +call. 
+On return from +.Fn gss_display_status , +a non-zero status_value parameter indicates that additional messages +may be extracted from the status code via subsequent calls to +.Fn gss_display_status , +passing the same +.Fa status_value , +.Fa status_type , +.Fa mech_type , +and +.Fa message_context +parameters. +.It status_string +Textual interpretation of the +.Fa status_value . +Storage associated with this parameter must be freed by the +application after use with a call to +.Fn gss_release_buffer . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_BAD_MECH +Indicates that translation in accordance with an unsupported mechanism +type was requested +.It GSS_S_BAD_STATUS +The status value was not recognized, or the status type was neither +.Dv GSS_C_GSS_CODE +nor +.Dv GSS_C_MECH_CODE . +.El +.Sh SEE ALSO +.Xr gss_release_buffer 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_display_status.c b/lib/libgssapi/gss_display_status.c new file mode 100644 index 000000000000..04cf4c71f14e --- /dev/null +++ b/lib/libgssapi/gss_display_status.c 
@@ -0,0 +1,110 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * + * $FreeBSD$ + */ + +#include +#include + +#include "mech_switch.h" + +struct _gss_status_desc { + OM_uint32 gs_status; + const char* gs_desc; +}; + +static struct _gss_status_desc _gss_status_descs[] = { + GSS_S_BAD_MECH, "An unsupported mechanism was requested", + GSS_S_BAD_NAME, "An invalid name was supplied", + GSS_S_BAD_NAMETYPE, "A supplied name was of an unsupported type", + GSS_S_BAD_BINDINGS, "Incorrect channel bindings were supplied", + GSS_S_BAD_STATUS, "An invalid status code was supplied", + GSS_S_BAD_MIC, "A token had an invalid MIC", + GSS_S_NO_CRED, "No credentials were supplied, or the " + "credentials were unavailable or inaccessible", + GSS_S_NO_CONTEXT, "No context has been established", + GSS_S_DEFECTIVE_TOKEN, "A token was invalid", + GSS_S_DEFECTIVE_CREDENTIAL, "A credential was invalid", + GSS_S_CREDENTIALS_EXPIRED, "The referenced credentials have expired", + GSS_S_CONTEXT_EXPIRED, "The context has expired", + GSS_S_FAILURE, "Miscellaneous failure", + GSS_S_BAD_QOP, "The quality-of-protection requested could " + "not be provided", + GSS_S_UNAUTHORIZED, "The operation is forbidden by local security " + "policy", + GSS_S_UNAVAILABLE, "The operation or option is unavailable", + GSS_S_DUPLICATE_ELEMENT, "The requested credential element already " + "exists", + GSS_S_NAME_NOT_MN, "The provided name was not a mechanism name" +}; +#define _gss_status_desc_count \ + sizeof(_gss_status_descs) / sizeof(_gss_status_descs[0]) + + +OM_uint32 +gss_display_status(OM_uint32 *minor_status, + OM_uint32 status_value, + int status_type, + const gss_OID mech_type, + OM_uint32 *message_content, + gss_buffer_t status_string) +{ + OM_uint32 major_status; + struct _gss_mech_switch *m; + int i; + const char *message; + + *minor_status = 0; + switch (status_type) { + case GSS_C_GSS_CODE: + for (i = 0; i < _gss_status_desc_count; i++) { + if (_gss_status_descs[i].gs_status == status_value) { + message = _gss_status_descs[i].gs_desc; + status_string->length = 
strlen(message); + status_string->value = strdup(message); + return (GSS_S_COMPLETE); + } + } + + /* + * Fall through to attempt to get some underlying + * implementation to describe the value. + */ + case GSS_C_MECH_CODE: + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (mech_type && + !_gss_oid_equal(&m->gm_mech_oid, mech_type)) + continue; + major_status = m->gm_display_status(minor_status, + status_value, status_type, mech_type, + message_content, status_string); + if (major_status == GSS_S_COMPLETE) + return (GSS_S_COMPLETE); + } + } + + return (GSS_S_BAD_STATUS); +} diff --git a/lib/libgssapi/gss_duplicate_name.3 b/lib/libgssapi/gss_duplicate_name.3 new file mode 100644 index 000000000000..789c79c9193c --- /dev/null +++ b/lib/libgssapi/gss_duplicate_name.3 
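Review bot: The `GSS_C_GSS_CODE` branch stores `strdup(message)` into `status_string->value` without checking the result and then returns `GSS_S_COMPLETE`, so on allocation failure the caller receives a buffer with a non-zero `length` and a NULL `value`, which the printf loop shown in the accompanying man page would dereference. I would write `if ((status_string->value = strdup(message)) == NULL) { *minor_status = ENOMEM; return (GSS_S_FAILURE); }` and assign `length` only after that succeeds. Two smaller points in the same function: `i` is an `int` compared against a `sizeof`-derived count, so `_gss_status_desc_count` should be parenthesised and the index made `size_t`; and the drop from `case GSS_C_GSS_CODE` into `case GSS_C_MECH_CODE` is intentional per the comment but wants a `/* FALLTHROUGH */` marker plus a `default:` so an unknown `status_type` reaches `GSS_S_BAD_STATUS` explicitly rather than by falling off the switch. Note the table lookup is an exact match on `status_value`, so a major status carrying supplementary bits alongside a routine error misses the table and is handed to the mechanisms; whether that is acceptable depends on how the mechanism side treats `GSS_C_GSS_CODE`, which is not visible here.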
@@ -0,0 +1,123 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_DUPLICATE_NAME 3 PRM +.Sh NAME +.Nm gss_duplicate_name +.Nd Create a copy of an internal name +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_duplicate_name +.Fa "OM_uint32 *minor_status" +.Fa "const gss_name_t src_name" +.Fa "gss_name_t *dest_name" +.Fc +.Sh DESCRIPTION +Create an exact duplicate of the existing internal name +.Fa src_name . +The new +.Fa dest_name +will be independent of +.Fa src_name +(i.e. +.Fa src_name +and +.Fa dest_name +must both be released, +and the release of one shall not affect the validity of the other). +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It src_name +Internal name to be duplicated. +.It dest_name +The resultant copy of +.Fa src_name. 
+Storage associated with this name must be freed by the application +after use with a call to +.Fn gss_release_name . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_BAD_NAME +The +.Fa src_name +parameter was ill-formed +.El +.Sh SEE ALSO +.Xr gss_release_name 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_duplicate_name.c b/lib/libgssapi/gss_duplicate_name.c new file mode 100644 index 000000000000..b7be18299b7b --- /dev/null +++ b/lib/libgssapi/gss_duplicate_name.c 
@@ -0,0 +1,78 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +#include + +#include "mech_switch.h" +#include "name.h" + +OM_uint32 gss_duplicate_name(OM_uint32 *minor_status, + const gss_name_t src_name, + gss_name_t *dest_name) +{ + OM_uint32 major_status; + struct _gss_name *name = (struct _gss_name *) src_name; + struct _gss_name *new_name; + struct _gss_mechanism_name *mn; + + *minor_status = 0; + + /* + * If this name has a value (i.e. it didn't come from + * gss_canonicalize_name(), we re-import the thing. Otherwise, + * we make an empty name to hold the MN copy. 
+ */ + if (name->gn_value.value) { + major_status = gss_import_name(minor_status, + &name->gn_value, &name->gn_type, dest_name); + if (major_status != GSS_S_COMPLETE) + return (major_status); + new_name = (struct _gss_name *) *dest_name; + } else { + new_name = malloc(sizeof(struct _gss_name)); + if (!new_name) { + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + memset(new_name, 0, sizeof(struct _gss_name)); + SLIST_INIT(&name->gn_mn); + *dest_name = (gss_name_t) new_name; + } + + /* + * Import the new name into any mechanisms listed in the + * original name. We could probably get away with only doing + * this if the original was canonical. + */ + SLIST_FOREACH(mn, &name->gn_mn, gmn_link) { + _gss_find_mn(new_name, mn->gmn_mech_oid); + } + + return (GSS_S_COMPLETE); +} diff --git a/lib/libgssapi/gss_export_name.3 b/lib/libgssapi/gss_export_name.3 new file mode 100644 index 000000000000..e0e6689db6ff --- /dev/null +++ b/lib/libgssapi/gss_export_name.3 
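Review bot: In the else branch `SLIST_INIT(&name->gn_mn);` reinitialises the mechanism-name list of the *source* name rather than of the freshly allocated copy, so every MN already attached to `src_name` is dropped (and leaked, since nothing releases them) and the SLIST_FOREACH that follows walks an empty list and copies nothing; `memset` has already zeroed `new_name`, so the line should read `SLIST_INIT(&new_name->gn_mn);`. As written, the promise in the accompanying man page that releasing one name does not affect the validity of the other does not hold. Separately, `name->gn_value.value` is read before any check that `src_name` is not GSS_C_NO_NAME; returning GSS_S_BAD_NAME for a null handle would match the documented error set. The result of `_gss_find_mn()` in the loop is also ignored, so a mechanism that fails to import the name is silently missing from the copy rather than reported.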
@@ -0,0 +1,128 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_EXPORT_NAME 3 PRM +.Sh NAME +.Nm gss_export_name +.Nd Convert an MN to export form +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_export_name +.Fa "OM_uint32 *minor_status" +.Fa "const gss_name_t input_name" +.Fa "gss_buffer_t exported_name" +.Fc +.Sh DESCRIPTION +To produce a canonical contiguous string representation of a mechanism +name (MN), +suitable for direct comparison +(e.g. with memcmp) +for use in authorization functions +(e.g. matching entries in an access-control list). +The +.Fa input_name +parameter must specify a valid MN +(i.e. an internal name generated by +.Fn gss_accept_sec_context +or by +.Fn gss_canonicalize_name ). +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It input_name +The MN to be exported. 
+.It exported_name +The canonical contiguous string form of +.Fa input_name . +Storage associated with this string must freed by the application +after use with +.Fn gss_release_buffer . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_NAME_NOT_MN +The provided internal name was not a mechanism name. +.It GSS_S_BAD_NAME +The provided internal name was ill-formed. +.It GSS_S_BAD_NAMETYPE +The internal name was of a type not supported by the GSS-API implementation. +.El +.Sh SEE ALSO +.Xr gss_accept_sec_context 3 , +.Xr gss_canonicalize_name 3 , +.Xr gss_release_buffer 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_export_name.c b/lib/libgssapi/gss_export_name.c new file mode 100644 index 000000000000..f5043339dd89 --- /dev/null +++ b/lib/libgssapi/gss_export_name.c 
@@ -0,0 +1,58 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include + +#include "mech_switch.h" +#include "name.h" + +OM_uint32 +gss_export_name(OM_uint32 *minor_status, + const gss_name_t input_name, + gss_buffer_t exported_name) +{ + struct _gss_name *name = (struct _gss_name *) input_name; + struct _gss_mechanism_name *mn; + + /* + * If this name already has any attached MNs, export the first + * one, otherwise export based on the first mechanism in our + * list. 
+ */ + mn = SLIST_FIRST(&name->gn_mn); + if (!mn) + mn = _gss_find_mn(name, + &SLIST_FIRST(&_gss_mechs)->gm_mech_oid); + if (!mn) { + *minor_status = 0; + return (GSS_S_BAD_MECH); + } + + return mn->gmn_mech->gm_export_name(minor_status, + mn->gmn_name, exported_name); +} diff --git a/lib/libgssapi/gss_export_sec_context.3 b/lib/libgssapi/gss_export_sec_context.3 new file mode 100644 index 000000000000..f08d229d761a --- /dev/null +++ b/lib/libgssapi/gss_export_sec_context.3 
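Review bot: `SLIST_FIRST(&_gss_mechs)` is dereferenced in the fallback at the top of the body without a NULL check, so in a process where no mechanism was loaded (empty or missing mech table) the call reads through a null pointer instead of failing cleanly. The man page for this function documents GSS_S_NAME_NOT_MN for a name that carries no MN, yet this code never returns it and instead canonicalises silently with whichever mechanism happens to be listed first; since the exported form is intended for memcmp-style ACL matching, which mechanism produces it is security relevant, and callers are told to pass an MN anyway. I would replace the fallback with `if (!mn) { *minor_status = 0; return (GSS_S_NAME_NOT_MN); }`, or if the leniency is intended, at least guard it with `if (!mn && SLIST_FIRST(&_gss_mechs) != NULL)` before taking the address of `gm_mech_oid`. `input_name` is likewise not checked against GSS_C_NO_NAME before `name->gn_mn` is read.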
@@ -0,0 +1,168 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_EXPORT_SEC_CONTEXT 3 PRM +.Sh NAME +.Nm gss_export_sec_context +.Nd Transfer a security context to another process +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_export_sec_context +.Fa "OM_uint32 *minor_status" +.Fa "gss_ctx_id_t *context_handle" +.Fa "gss_buffer_t interprocess_token" +.Fc +.Sh DESCRIPTION +Provided to support the sharing of work between multiple processes. +This routine will typically be used by the context-acceptor, +in an application where a single process receives incoming connection +requests and accepts security contexts over them, +then passes the established context to one or more other processes for +message exchange. 
+.Fn gss_export_sec_context +deactivates the security context for the calling process and creates +an interprocess token which, +when passed to +.Fn gss_import_sec_context +in another process, +will re-activate the context in the second process. +Only a single instantiation of a given context may be active at any +one time; +a subsequent attempt by a context exporter to access the exported security context will fail. +.Pp +The implementation may constrain the set of processes by which the +interprocess token may be imported, +either as a function of local security policy, +or as a result of implementation decisions. +For example, +some implementations may constrain contexts to be passed only between +processes that run under the same account, +or which are part of the same process group. +.Pp +The interprocess token may contain security-sensitive information +(for example cryptographic keys). +While mechanisms are encouraged to either avoid placing such sensitive +information within interprocess tokens, +or to encrypt the token before returning it to the application, +in a typical object-library GSS-API implementation this may not be +possible. +Thus the application must take care to protect the interprocess token, +and ensure that any process to which the token is transferred is +trustworthy. +.Pp +If creation of the interprocess token is successful, +the implementation shall deallocate all process-wide resources +associated with the security context, +and set the context_handle to +.Dv GSS_C_NO_CONTEXT . +In the event of an error that makes it impossible to complete the +export of the security context, +the implementation must not return an interprocess token, +and should strive to leave the security context referenced by the +.Fa context_handle +parameter untouched. +If this is impossible, +it is permissible for the implementation to delete the security +context, +providing it also sets the +.Fa context_handle +parameter to +.Dv GSS_C_NO_CONTEXT . 
+.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +Context handle identifying the context to transfer. +.It interprocess_token +Token to be transferred to target process. +Storage associated with this token must be freed by the application +after use with a call to +.Fn gss_release_buffer . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_CONTEXT_EXPIRED +The context has expired +.It GSS_S_NO_CONTEXT +The context was invalid +.It GSS_S_UNAVAILABLE +The operation is not supported +.El +.Sh SEE ALSO +.Xr gss_import_sec_context 3 , +.Xr gss_release_buffer 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_export_sec_context.c b/lib/libgssapi/gss_export_sec_context.c new file mode 100644 index 000000000000..a7e9b8af72b5 --- /dev/null +++ b/lib/libgssapi/gss_export_sec_context.c 
@@ -0,0 +1,77 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#include +#include +#include + +#include "mech_switch.h" +#include "context.h" + +OM_uint32 +gss_export_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t interprocess_token) +{ + OM_uint32 major_status; + struct _gss_context *ctx = (struct _gss_context *) *context_handle; + struct _gss_mech_switch *m = ctx->gc_mech; + gss_buffer_desc buf; + + major_status = m->gm_export_sec_context(minor_status, + &ctx->gc_ctx, &buf); + + if (major_status == GSS_S_COMPLETE) { + unsigned char *p; + + free(ctx); + *context_handle = GSS_C_NO_CONTEXT; + interprocess_token->length = buf.length + + 2 + m->gm_mech_oid.length; + interprocess_token->value = malloc(interprocess_token->length); + if (!interprocess_token->value) { + /* + * We are in trouble here - the context is + * already gone. This is allowed as long as we + * set the caller's context_handle to + * GSS_C_NO_CONTEXT, which we did above. + * Return GSS_S_FAILURE. + */ + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + p = interprocess_token->value; + p[0] = m->gm_mech_oid.length >> 8; + p[1] = m->gm_mech_oid.length; + memcpy(p + 2, m->gm_mech_oid.elements, m->gm_mech_oid.length); + memcpy(p + 2 + m->gm_mech_oid.length, buf.value, buf.length); + gss_release_buffer(minor_status, &buf); + } + + return (major_status); +} diff --git a/lib/libgssapi/gss_get_mic.3 b/lib/libgssapi/gss_get_mic.3 new file mode 100644 index 000000000000..75498aeb0289 --- /dev/null +++ b/lib/libgssapi/gss_get_mic.3 
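Review bot: On the malloc failure path in the middle of the function the mechanism token `buf` returned by `gm_export_sec_context` is never released, and that is exactly the buffer the accompanying man page warns may contain cryptographic keys, so the key material is left in the heap of a process that no longer holds any handle to it; `interprocess_token->length` is also left non-zero while `value` is NULL, which callers that trust `length` may read past. `*context_handle` is additionally dereferenced (`ctx->gc_mech`) with no GSS_C_NO_CONTEXT check, although GSS_S_NO_CONTEXT is the documented result for an invalid handle. The rewritten failure path and the guard are below; note that `gss_release_buffer` writes `*minor_status`, so ENOMEM must be stored after it. Whether the mechanism zeroes its token on release is not visible here, so an explicit wipe of `buf.value` before releasing it may be worth considering as well.
```c
	struct _gss_context *ctx = (struct _gss_context *) *context_handle;
	struct _gss_mech_switch *m;
	gss_buffer_desc buf;

	if (ctx == NULL) {
		*minor_status = 0;
		return (GSS_S_NO_CONTEXT);
	}
	m = ctx->gc_mech;
	/* … unchanged: gm_export_sec_context call, free(ctx), length computation … */
		if (!interprocess_token->value) {
			/*
			 * The context is already gone (allowed, since the
			 * caller's handle is GSS_C_NO_CONTEXT), but the
			 * mechanism token may hold key material: release it
			 * and hand back an empty token.
			 */
			interprocess_token->length = 0;
			gss_release_buffer(minor_status, &buf);
			*minor_status = ENOMEM;
			return (GSS_S_FAILURE);
		}
	/* … unchanged: OID length, OID and mech token copy, release of buf … */
```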
@@ -0,0 +1,165 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_GET_MIC 3 PRM +.Sh NAME +.Nm gss_get_mic , +.Nm gss_sign +.Nd Calculate a cryptographic message integrity code (MIC) for a +message; integrity service +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_get_mic +.Fa "OM_uint32 *minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "gss_qop_t qop_req" +.Fa "const gss_buffer_t message_buffer" +.Fa "gss_buffer_t msg_token" +.Fc +.Ft OM_uint32 +.Fo gss_sign +.Fa "OM_uint32 *minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "gss_qop_t qop_req" +.Fa "gss_buffer_t message_buffer" +.Fa "gss_buffer_t msg_token" +.Fc +.Sh DESCRIPTION +Generates a cryptographic MIC for the supplied message, +and places the MIC in a token for transfer to the peer application. 
+The +.Fa qop_req +parameter allows a choice between several cryptographic algorithms, +if supported by the chosen mechanism. +.Pp +Since some application-level protocols may wish to use tokens emitted +by +.Fn gss_wrap +to provide "secure framing", +implementations must support derivation of MICs from zero-length messages. +.Pp +The +.Fn gss_sign +routine is an obsolete variant of +.Fn gss_get_mic . +It is +provided for backwards +compatibility with applications using the GSS-API V1 interface. +A distinct entrypoint (as opposed to #define) is provided, +both to allow GSS-API V1 applications to link +and to retain the slight parameter type differences between the +obsolete versions of this routine and its current form. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +Identifies the context on which the message will be sent. +.It qop_req +Specifies requested quality of protection. +Callers are encouraged, on portability grounds, +to accept the default quality of protection offered by the chosen +mechanism, +which may be requested by specifying +.Dv GSS_C_QOP_DEFAULT +for this parameter. +If an unsupported protection strength is requested, +.Fn gss_get_mic +will return a +.Fa major_status +of +.Dv GSS_S_BAD_QOP . +.It message_buffer +Message to be protected. +.It msg_token +Buffer to receive token. +The application must free storage associated with this buffer after +use with a call to +.Fn gss_release_buffer . 
+.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_CONTEXT_EXPIRED +The context has already expired +.It GSS_S_NO_CONTEXT +The context_handle parameter did not identify a valid context +.It GSS_S_BAD_QOP +The specified QOP is not supported by the mechanism +.El +.Sh SEE ALSO +.Xr gss_wrap 3 , +.Xr gss_release_buffer 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_get_mic.c b/lib/libgssapi/gss_get_mic.c new file mode 100644 index 000000000000..a3495ecfe794 --- /dev/null +++ b/lib/libgssapi/gss_get_mic.c 
@@ -0,0 +1,46 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include + +#include "mech_switch.h" +#include "context.h" + +OM_uint32 +gss_get_mic(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + gss_qop_t qop_req, + const gss_buffer_t message_buffer, + gss_buffer_t message_token) +{ + struct _gss_context *ctx = (struct _gss_context *) context_handle; + struct _gss_mech_switch *m = ctx->gc_mech; + + return (m->gm_get_mic(minor_status, ctx->gc_ctx, qop_req, + message_buffer, message_token)); +} diff --git a/lib/libgssapi/gss_import_name.3 b/lib/libgssapi/gss_import_name.3 new file mode 100644 index 000000000000..e356f74ce209 
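Review bot: `context_handle` is cast and dereferenced (`ctx->gc_mech`) with no check for GSS_C_NO_CONTEXT, so a caller passing a null handle gets a NULL-pointer dereference rather than the GSS_S_NO_CONTEXT that the accompanying man page lists for a handle that does not identify a valid context. A one-line guard before the dispatch covers it: `if (ctx == NULL) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }`. The same unguarded cast appears in gss_export_sec_context in this commit, so a shared helper that validates the handle once would keep the wrappers consistent.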
--- /dev/null +++ b/lib/libgssapi/gss_import_name.3 
@@ -0,0 +1,139 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_IMPORT_NAME 3 PRM +.Sh NAME +.Nm gss_import_name +.Nd Convert a contiguous string name to internal-form +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_import_name +.Fa "OM_uint32 *minor_status" +.Fa "const gss_buffer_t input_name_buffer" +.Fa "const gss_OID input_name_type" +.Fa "gss_name_t *output_name" +.Fc +.Sh DESCRIPTION +Convert a contiguous string name to internal form. +In general, +the internal name returned (via the +.Fa output_name +parameter) will not be an MN; +the exception to this is if the +.Fa input_name_type +indicates that the contiguous string provided via the +.Fa input_name_buffer +parameter is of type +.Dv GSS_C_NT_EXPORT_NAME , +in which case the returned internal name will be an MN for the +mechanism that exported the name. 
+.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It input_name_buffer +Buffer containing contiguous string name to convert. +.It input_name_type +Object ID specifying type of printable name. +Applications may specify either +.Dv GSS_C_NO_OID +to use a mechanism-specific default printable syntax, +or an OID recognized by the GSS-API implementation to name a specific +namespace. +.It output_name +Returned name in internal form. +Storage associated with this name must be freed by the application +after use with a call to +.Fn gss_release_name . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_BAD_NAMETYPE +The +.Fa input_name_type +was unrecognized +.It GSS_S_BAD_NAME +The +.Fa input_name +parameter could not be interpreted as a name of the specified type +.It GSS_S_BAD_MECH +The input name-type was +.Dv GSS_C_NT_EXPORT_NAME , +but the mechanism contained within the input-name is not supported +.El +.Sh SEE ALSO +.Xr gss_release_name 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_import_name.c b/lib/libgssapi/gss_import_name.c new file mode 100644 index 000000000000..638df2510663 --- /dev/null +++ b/lib/libgssapi/gss_import_name.c 
@@ -0,0 +1,219 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "utils.h"
+#include "name.h"
+
+static OM_uint32
+_gss_import_export_name(OM_uint32 *minor_status,
+ const gss_buffer_t input_name_buffer,
+ gss_name_t *output_name)
+{
+ OM_uint32 major_status;
+ unsigned char *p = input_name_buffer->value;
+ size_t len = input_name_buffer->length;
+ size_t t;
+ gss_OID_desc mech_oid;
+ struct _gss_mech_switch *m;
+ struct _gss_name *name;
+ struct _gss_mechanism_name *mn;
+ gss_name_t new_canonical_name;
+
+ *minor_status = 0;
+ *output_name = 0;
+
+ /*
+ * Make sure that TOK_ID is {4, 1}.
+ */
+ if (len < 2)
+ return (GSS_S_BAD_NAME);
+ if (p[0] != 4 || p[1] != 1)
+ return (GSS_S_BAD_NAME);
+ p += 2;
+ len -= 2;
+
+ /*
+ * Get the mech length and the name length and sanity
+ * check the size of of the buffer.
+ */
+ if (len < 2)
+ return (GSS_S_BAD_NAME);
+ t = (p[0] << 8) + p[1];
+ p += 2;
+ len -= 2;
+
+ /*
+ * Check the DER encoded OID to make sure it agrees with the
+ * length we just decoded.
+ */
+ if (p[0] != 6) /* 6=OID */
+ return (GSS_S_BAD_NAME);
+ p++;
+ len--;
+ t--;
+ if (p[0] & 0x80) {
+ int digits = p[0];
+ p++;
+ len--;
+ t--;
+ mech_oid.length = 0;
+ while (digits--) {
+ mech_oid.length = (mech_oid.length << 8) | p[0];
+ p++;
+ len--;
+ t--;
+ }
+ } else {
+ mech_oid.length = p[0];
+ p++;
+ len--;
+ t--;
+ }
+ if (mech_oid.length != t)
+ return (GSS_S_BAD_NAME);
+
+ mech_oid.elements = p;
+
+ if (len < t + 4)
+ return (GSS_S_BAD_NAME);
+ p += t;
+ len -= t;
+
+ t = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+ p += 4;
+ len -= 4;
+
+ if (len != t)
+ return (GSS_S_BAD_NAME);
+
+ m = _gss_find_mech_switch(&mech_oid);
+ if (!m)
+ return (GSS_S_BAD_MECH);
+
+ /*
+ * Ask the mechanism to import the name.
+ */
+ major_status = m->gm_import_name(minor_status,
+ input_name_buffer, GSS_C_NT_EXPORT_NAME, &new_canonical_name);
+
+ /*
+ * Now we make a new name and mark it as an MN.
+ */
+ name = _gss_make_name(m, new_canonical_name);
+ if (!name) {
+ m->gm_release_name(minor_status, &new_canonical_name);
+ return (GSS_S_FAILURE);
+ }
+
+ *output_name = (gss_name_t) name;
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+gss_import_name(OM_uint32 *minor_status,
+ const gss_buffer_t input_name_buffer,
+ const gss_OID input_name_type,
+ gss_name_t *output_name)
+{
+ gss_OID name_type = input_name_type;
+ OM_uint32 major_status;
+ struct _gss_name *name;
+
+ if (input_name_buffer->length == 0) {
+ *minor_status = 0;
+ *output_name = 0;
+ return (GSS_S_BAD_NAME);
+ }
+
+ /*
+ * Use GSS_NT_USER_NAME as default name type.
+ */
+ if (name_type == GSS_C_NO_OID)
+ name_type = GSS_C_NT_USER_NAME;
+
+ /*
+ * If this is an exported name, we need to parse it to find
+ * the mechanism and then import it as an MN. See RFC 2743
+ * section 3.2 for a description of the format.
+ */
+ if (_gss_oid_equal(name_type, GSS_C_NT_EXPORT_NAME)) {
+ return _gss_import_export_name(minor_status,
+ input_name_buffer, output_name);
+ }
+
+ /*
+ * Only allow certain name types. This is pretty bogus - we
+ * should figure out the list of supported name types using
+ * gss_inquire_names_for_mech.
+ */
+ if (!_gss_oid_equal(name_type, GSS_C_NT_USER_NAME)
+ && !_gss_oid_equal(name_type, GSS_C_NT_MACHINE_UID_NAME)
+ && !_gss_oid_equal(name_type, GSS_C_NT_STRING_UID_NAME)
+ && !_gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE_X)
+ && !_gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE)
+ && !_gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS)
+ && !_gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {
+ *minor_status = 0;
+ *output_name = 0;
+ return (GSS_S_BAD_NAMETYPE);
+ }
+
+ *minor_status = 0;
+ name = malloc(sizeof(struct _gss_name));
+ if (!name) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ memset(name, 0, sizeof(struct _gss_name));
+
+ major_status = _gss_copy_oid(minor_status,
+ name_type, &name->gn_type);
+ if (major_status) {
+ free(name);
+ return (GSS_S_FAILURE);
+ }
+
+ major_status = _gss_copy_buffer(minor_status,
+ input_name_buffer, &name->gn_value);
+ if (major_status) {
+ gss_release_name(minor_status, (gss_name_t*) &name);
+ return (GSS_S_FAILURE);
+ }
+
+ SLIST_INIT(&name->gn_mn);
+
+ *output_name = (gss_name_t) name;
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_import_sec_context.3 b/lib/libgssapi/gss_import_sec_context.3
new file mode 100644
index 000000000000..4509c2e18f31
--- /dev/null
+++ b/lib/libgssapi/gss_import_sec_context.3
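Review bot: The DER length parse in `_gss_import_export_name` can read past the end of a malformed exported name: after the `len -= 2` that follows the mech-length decode there is no check that `len` (or `t`) still covers the tag and length octets before `p[0] != 6` and the later `p[0] & 0x80`, the `len--`/`t--` operations are on size_t and wrap, and `int digits = p[0];` keeps the 0x80 bit, so the long-form loop consumes at least 128 octets with no bound while shifting `mech_oid.length` (an OM_uint32) past its width. Exported names are received from peers, which makes this parser the function's main input-validation point. Separately, `major_status` from `m->gm_import_name` is assigned but never examined, so a mechanism failure still reaches `_gss_make_name(m, new_canonical_name)` with a handle that was never set, and `struct _gss_mechanism_name *mn` is declared but unused. In `gss_import_name`, the `_gss_copy_oid` and `_gss_copy_buffer` failure paths return without the `*output_name = 0;` that the earlier error paths set. The rewritten length check and the status check are below; the remainder of both functions is unchanged.
```c
	/*
	 * Check the DER encoded OID to make sure it agrees with the
	 * length we just decoded.  Every octet read below is bounded by
	 * both len (octets left in the buffer) and t (declared mech length).
	 */
	if (len < 2 || t < 2)
		return (GSS_S_BAD_NAME);
	if (p[0] != 6)		/* 6=OID */
		return (GSS_S_BAD_NAME);
	p++;
	len--;
	t--;
	if (p[0] & 0x80) {
		size_t digits = p[0] & 0x7f;	/* long form: number of length octets */
		p++;
		len--;
		t--;
		/* 0x80 alone is indefinite length (not DER); > 4 would overflow OM_uint32. */
		if (digits == 0 || digits > 4 || len < digits || t < digits)
			return (GSS_S_BAD_NAME);
		mech_oid.length = 0;
		while (digits--) {
			mech_oid.length = (mech_oid.length << 8) | p[0];
			p++;
			len--;
			t--;
		}
	} else {
		mech_oid.length = p[0];
		p++;
		len--;
		t--;
	}
	if (mech_oid.length != t)
		return (GSS_S_BAD_NAME);
	/* … unchanged: mech_oid.elements, name-length decode, mechanism lookup … */
	major_status = m->gm_import_name(minor_status,
	    input_name_buffer, GSS_C_NT_EXPORT_NAME, &new_canonical_name);
	if (major_status != GSS_S_COMPLETE)
		return (major_status);
	/* … unchanged: _gss_make_name and return … */
```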
@@ -0,0 +1,120 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_IMPORT_SEC_CONTEXT 3 PRM +.Sh NAME +.Nm gss_import_sec_context +.Nd Import a transferred context +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_import_sec_context +.Fa "OM_uint32 *minor_status" +.Fa "const gss_buffer_t interprocess_token" +.Fa "gss_ctx_id_t *context_handle" +.Fc +.Sh DESCRIPTION +Allows a process to import a security context established by another +process. +A given interprocess token may be imported only once. +See +.Fn gss_export_sec_context . +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It interprocess_token +Token received from exporting process. +.It context_handle +Context handle of newly reactivated context. 
+Resources associated with this context handle must be released by the +application after use with a call to +.Fn gss_delete_sec_context . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_NO_CONTEXT +The token did not contain a valid context reference +.It GSS_S_DEFECTIVE_TOKEN +The token was invalid +.It GSS_S_UNAVAILABLE +The operation is unavailable +.It GSS_S_UNAUTHORIZED +Local policy prevents the import of this context by the current process +.El +.Sh SEE ALSO +.Xr gss_export_sec_context 3 , +.Xr gss_delete_sec_context 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_import_sec_context.c b/lib/libgssapi/gss_import_sec_context.c new file mode 100644 index 000000000000..ce3ddd10c3f3 --- /dev/null +++ b/lib/libgssapi/gss_import_sec_context.c 
@@ -0,0 +1,86 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_import_sec_context(OM_uint32 *minor_status,
+ const gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_context *ctx;
+ gss_OID_desc mech_oid;
+ gss_buffer_desc buf;
+ unsigned char *p;
+ size_t len;
+
+ *minor_status = 0;
+ *context_handle = 0;
+
+ /*
+ * We added an oid to the front of the token in
+ * gss_export_sec_context.
+ */
+ p = interprocess_token->value;
+ len = interprocess_token->length;
+ if (len < 2)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ mech_oid.length = (p[0] << 8) | p[1];
+ if (len < mech_oid.length + 2)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ mech_oid.elements = p + 2;
+ buf.length = len - 2 - mech_oid.length;
+ buf.value = p + 2 + mech_oid.length;
+
+ m = _gss_find_mech_switch(&mech_oid);
+ if (!m)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
+ ctx = malloc(sizeof(struct _gss_context));
+ if (!ctx) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ ctx->gc_mech = m;
+ major_status = m->gm_import_sec_context(minor_status,
+ &buf, &ctx->gc_ctx);
+ if (major_status != GSS_S_COMPLETE) {
+ free(ctx);
+ } else {
+ *context_handle = (gss_ctx_id_t) ctx;
+ }
+
+ return (major_status);
+}
diff --git a/lib/libgssapi/gss_indicate_mechs.3 b/lib/libgssapi/gss_indicate_mechs.3
new file mode 100644
index 000000000000..efddcecfe26c
--- /dev/null
+++ b/lib/libgssapi/gss_indicate_mechs.3
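Review bot: `_gss_find_mech_switch(&mech_oid)` is called here without a preceding `_gss_load_mech()`, whereas `gss_indicate_mechs` in this same commit loads the mechanism list before walking it; if the list is populated lazily, a process whose first GSS-API call is this import (the documented purpose of a transferred context) would get GSS_S_DEFECTIVE_TOKEN for a well-formed token. I cannot see `_gss_find_mech_switch` from here, so if it loads on demand this is moot, but either a `_gss_load_mech();` before the lookup or a comment stating that lookup loads on demand would settle it. The token layout is only hinted at by the comment above `p = interprocess_token->value`; I would spell it out, e.g. `/* Token layout (written by gss_export_sec_context): 2-octet big-endian OID length, the OID octets, then the mechanism's own token. */`, since the `len < mech_oid.length + 2` check and the `buf` arithmetic are correct only against that layout.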
@@ -0,0 +1,107 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_INDICATE_MECHS 3 PRM +.Sh NAME +.Nm gss_indicate_mechs +.Nd Determine available underlying authentication mechanisms +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_indicate_mechs +.Fa "OM_uint32 *minor_status" +.Fa "gss_OID_set *mech_set" +.Fc +.Sh DESCRIPTION +Allows an application to determine which underlying security +mechanisms are available. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It mech_set +Set of implementation-supported mechanisms. +The returned +.Fa mech_set +value will be a dynamically-allocated OID set, +that should be released by the caller after use with a call to +.Fn gss_release_oid_set . 
+.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.El +.Sh SEE ALSO +.Xr gss_release_oid_set 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_indicate_mechs.c b/lib/libgssapi/gss_indicate_mechs.c new file mode 100644 index 000000000000..7abab20fc548 --- /dev/null +++ b/lib/libgssapi/gss_indicate_mechs.c 
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+
+OM_uint32
+gss_indicate_mechs(OM_uint32 *minor_status,
+ gss_OID_set *mech_set)
+{
+ struct _gss_mech_switch *m;
+ OM_uint32 major_status;
+ gss_OID_set set;
+ int i;
+
+ _gss_load_mech();
+
+ major_status = gss_create_empty_oid_set(minor_status, mech_set);
+ if (major_status)
+ return (major_status);
+
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ major_status = m->gm_indicate_mechs(minor_status, &set);
+ if (major_status)
+ continue;
+ for (i = 0; i < set->count; i++)
+ major_status = gss_add_oid_set_member(minor_status,
+ &set->elements[i], mech_set);
+ gss_release_oid_set(minor_status, &set);
+ }
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_init_sec_context.3 b/lib/libgssapi/gss_init_sec_context.3
new file mode 100644
index 000000000000..a407fba9257c
--- /dev/null
+++ b/lib/libgssapi/gss_init_sec_context.3
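Review bot: The return value of `gss_add_oid_set_member` inside the `SLIST_FOREACH` loop is overwritten on every iteration and never acted on, so an allocation failure while copying one mechanism's OIDs is dropped and the caller receives GSS_S_COMPLETE with a silently truncated `*mech_set`. The loop index should also be `size_t i;` to match `set->count` (a size_t in the RFC 2744 `gss_OID_set_desc`), which removes the signed/unsigned comparison. The rewritten loop below stops at the first failure, releases both the mechanism's set and the partially built result, and returns that status; the surrounding code is unchanged.
```c
	SLIST_FOREACH(m, &_gss_mechs, gm_link) {
		major_status = m->gm_indicate_mechs(minor_status, &set);
		if (major_status)
			continue;
		for (i = 0; i < set->count; i++) {
			major_status = gss_add_oid_set_member(minor_status,
			    &set->elements[i], mech_set);
			if (major_status)
				break;
		}
		if (major_status) {
			OM_uint32 junk;
			/* Don't hand back a partial set; keep the failing minor status. */
			gss_release_oid_set(&junk, &set);
			gss_release_oid_set(&junk, mech_set);
			return (major_status);
		}
		gss_release_oid_set(minor_status, &set);
	}
	/* … unchanged: *minor_status = 0 and return … */
```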
@@ -0,0 +1,571 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_INIT_SEC_CONTEXT 3 PRM +.Sh NAME +.Nm gss_init_sec_context +.Nd Initiate a security context with a peer application +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_init_sec_context +.Fa "OM_uint32 *minor_status" +.Fa "const gss_cred_id_t initiator_cred_handle" +.Fa "gss_ctx_id_t *context_handle" +.Fa "const gss_name_t target_name" +.Fa "const gss_OID mech_type" +.Fa "OM_uint32 req_flags" +.Fa "OM_uint32 time_req" +.Fa "const gss_channel_bindings_t input_chan_bindings" +.Fa "const gss_buffer_t input_token" +.Fa "gss_OID *actual_mech_type" +.Fa "gss_buffer_t output_token" +.Fa "OM_uint32 *ret_flags" +.Fa "OM_uint32 *time_rec" +.Fc +.Sh DESCRIPTION +Initiates the establishment of a security context between the +application and a remote peer. 
+Initially, the input_token parameter should be specified either as +.Dv GSS_C_NO_BUFFER, or as a pointer to a +gss_buffer_desc object whose length field contains the value zero. +The routine may return a output_token which should be transferred to +the peer application, where the peer application will present it to +.Xr gss_accept_sec_context 3 . If no token need be sent, +.Fn gss_init_sec_context +will indicate this by setting the +.Dv length field +of the output_token argument to zero. To complete the context +establishment, one or more reply tokens may be required from the peer +application; if so, +.Fn gss_init_sec_context +will return a status +containing the supplementary information bit +.Dv GSS_S_CONTINUE_NEEDED. +In this case, +.Fn gss_init_sec_context +should be called again when the reply token is received from the peer +application, passing the reply token to +.Fn gss_init_sec_context +via the input_token parameters. +.Pp +Portable applications should be constructed to use the token length +and return status to determine whether a token needs to be sent or +waited for. Thus a typical portable caller should always invoke +.Fn gss_init_sec_context +within a loop: +.Bd -literal +int context_established = 0; +gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; + ... 
+input_token->length = 0; + +while (!context_established) { + maj_stat = gss_init_sec_context(&min_stat, + cred_hdl, + &context_hdl, + target_name, + desired_mech, + desired_services, + desired_time, + input_bindings, + input_token, + &actual_mech, + output_token, + &actual_services, + &actual_time); + if (GSS_ERROR(maj_stat)) { + report_error(maj_stat, min_stat); + }; + + if (output_token->length != 0) { + send_token_to_peer(output_token); + gss_release_buffer(&min_stat, output_token) + }; + if (GSS_ERROR(maj_stat)) { + + if (context_hdl != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, + &context_hdl, + GSS_C_NO_BUFFER); + break; + }; + + if (maj_stat & GSS_S_CONTINUE_NEEDED) { + receive_token_from_peer(input_token); + } else { + context_established = 1; + }; +}; +.Ed +.Pp +Whenever the routine returns a major status that includes the value +.Dv GSS_S_CONTINUE_NEEDED, the context is not fully established and the +following restrictions apply to the output parameters: +.Bl -bullet +.It +The value returned via the +.Fa time_rec +parameter is undefined Unless +the accompanying +.Fa ret_flags +parameter contains the bit +.Dv GSS_C_PROT_READY_FLAG, indicating that per-message services may be +applied in advance of a successful completion status, the value +returned via the +.Fa actual_mech_type +parameter is undefined until the +routine returns a major status value of +.Dv GSS_S_COMPLETE. +.It +The values of the +.Dv GSS_C_DELEG_FLAG , +.Dv GSS_C_MUTUAL_FLAG , +.Dv GSS_C_REPLAY_FLAG , +.Dv GSS_C_SEQUENCE_FLAG , +.Fv GSS_C_CONF_FLAG , +.Dv GSS_C_INTEG_FLAG and +.Dv GSS_C_ANON_FLAG bits returned via the +.Fa ret_flags +parameter should contain the values that the +implementation expects would be valid if context establishment +were to succeed. 
In particular, if the application has requested +a service such as delegation or anonymous authentication via the +.Fa req_flags +argument, and such a service is unavailable from the +underlying mechanism, +.Fn gss_init_sec_context +should generate a token +that will not provide the service, and indicate via the +.Fa ret_flags +argument that the service will not be supported. The application +may choose to abort the context establishment by calling +.Xr gss_delete_sec_context 3 +(if it cannot continue in the absence of +the service), or it may choose to transmit the token and continue +context establishment (if the service was merely desired but not +mandatory). +.It +The values of the +.Dv GSS_C_PROT_READY_FLAG and +.Dv GSS_C_TRANS_FLAG bits +within +.Fa ret_flags +should indicate the actual state at the time +.Fn gss_init_sec_context +returns, whether or not the context is fully established. +.It +GSS-API implementations that support per-message protection are +encouraged to set the +.Dv GSS_C_PROT_READY_FLAG in the final +.Fa ret_flags +returned to a caller (i.e. when accompanied by a +.Dv GSS_S_COMPLETE +status code). However, applications should not rely on this +behavior as the flag was not defined in Version 1 of the GSS-API. +Instead, applications should determine what per-message services +are available after a successful context establishment according +to the +.Dv GSS_C_INTEG_FLAG and +.Dv GSS_C_CONF_FLAG values. +.It +All other bits within the +.Fa ret_flags +argument should be set to +zero. +.El +.Pp +If the initial call of +.Fn gss_init_sec_context +fails, the +implementation should not create a context object, and should leave +the value of the +.Fa context_handle +parameter set to +.Dv GSS_C_NO_CONTEXT to +indicate this. 
In the event of a failure on a subsequent call, the +implementation is permitted to delete the "half-built" security +context (in which case it should set the +.Fa context_handle +parameter to +.Dv GSS_C_NO_CONTEXT ), but the preferred behavior is to leave the +security context untouched for the application to delete (using +.Xr gss_delete_sec_context 3 ). +.Pp +During context establishment, the informational status bits +.Dv GSS_S_OLD_TOKEN and +.Dv GSS_S_DUPLICATE_TOKEN indicate fatal errors, and +GSS-API mechanisms should always return them in association with a +routine error of +.Dv GSS_S_FAILURE . +This requirement for pairing did not +exist in version 1 of the GSS-API specification, so applications that +wish to run over version 1 implementations must special-case these +codes. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It initiator_cred_handle +handle for credentials claimed. Supply +.Dv GSS_C_NO_CREDENTIAL to act as a default +initiator principal. If no default +initiator is defined, the function will +return +.Dv GSS_S_NO_CRED. +.It context_handle +context handle for new context. Supply +.Dv GSS_C_NO_CONTEXT for first call; use value +returned by first call in continuation calls. +Resources associated with this context-handle +must be released by the application after use +with a call to +.Fn gss_delete_sec_context . +.It target_name +Name of target +.It mech_type +Object ID of desired mechanism. Supply +.Dv GSS_C_NO_OID to obtain an implementation +specific default +.It req_flags +Contains various independent flags, each of +which requests that the context support a +specific service option. Symbolic +names are provided for each flag, and the +symbolic names corresponding to the required +flags should be logically-ORed +together to form the bit-mask value. 
The +flags are: +.Bl -tag -width "WW" +.It GSS_C_DELEG_FLAG +.Bl -tag -width "False" +.It True +Delegate credentials to remote peer +.It False +Don't delegate +.El +.It GSS_C_MUTUAL_FLAG +.Bl -tag -width "False" +.It True +Request that remote peer authenticate itself +.It False +Authenticate self to remote peer only +.El +.It GSS_C_REPLAY_FLAG +.Bl -tag -width "False" +.It True +Enable replay detection for messages protected with +.Xr gss_wrap 3 +or +.Xr gss_get_mic 3 +.It False +Don't attempt to detect replayed messages +.El +.It GSS_C_SEQUENCE_FLAG +.Bl -tag -width "False" +.It True +Enable detection of out-of-sequence protected messages +.It False +Don't attempt to detect out-of-sequence messages +.El +.It GSS_C_CONF_FLAG +.Bl -tag -width "False" +.It True +Request that confidentiality service be made available (via +.Xr gss_wrap 3 ) +.It False +No per-message confidentiality service is required. +.El +.It GSS_C_INTEG_FLAG +.Bl -tag -width "False" +.It True +Request that integrity service be made available (via +.Xr gss_wrap 3 +or +.Xr gss_get_mic 3 ) +.It False +No per-message integrity service is required. +.El +.It GSS_C_ANON_FLAG +.Bl -tag -width "False" +.It True +Do not reveal the initiator's identity to the acceptor. +.It False +Authenticate normally. +.El +.El +.It time_req +Desired number of seconds for which context +should remain valid. Supply 0 to request a +default validity period. +.It input_chan_bindings +Application-specified bindings. Allows +application to securely bind channel +identification information to the security +context. Specify +.Dv GSS_C_NO_CHANNEL_BINDINGS +if channel bindings are not used. +.It input_token +Token received from peer application. +Supply +.Dv GSS_C_NO_BUFFER, or a pointer to +a buffer containing the value +.Dv GSS_C_EMPTY_BUFFER +on initial call. +.It actual_mech_type +Actual mechanism used. 
The OID returned via +this parameter will be a pointer to static +storage that should be treated as read-only; +In particular the application should not attempt +to free it. Specify +.Dv NULL if not required. +.It output_token +token to be sent to peer application. If +the length field of the returned buffer is +zero, no token need be sent to the peer +application. Storage associated with this +buffer must be freed by the application +after use with a call to +.Xr gss_release_buffer 3 . +.It ret_flags +Contains various independent flags, each of which +indicates that the context supports a specific +service option. Specify +.Dv NULL if not +required. Symbolic names are provided +for each flag, and the symbolic names +corresponding to the required flags should be +logically-ANDed with the +.Fa ret_flags +value to test +whether a given option is supported by the +context. The flags are: +.Bl -tag -width "WW" +.It GSS_C_DELEG_FLAG +.Bl -tag -width "False" +.It True +Credentials were delegated to the remote peer +.It False +No credentials were delegated +.El +.It GSS_C_MUTUAL_FLAG +.Bl -tag -width "False" +.It True +The remote peer has authenticated itself. +.It False +Remote peer has not authenticated itself. +.El +.It GSS_C_REPLAY_FLAG +.Bl -tag -width "False" +.It True +Replay of protected messages will be detected +.It False +Replayed messages will not be detected +.El +.It GSS_C_SEQUENCE_FLAG +.Bl -tag -width "False" +.It True +Out-of-sequence protected messages will be detected +.It False +Out-of-sequence messages will not be detected +.El +.It GSS_C_CONF_FLAG +.Bl -tag -width "False" +.It True +Confidentiality service may be invoked by calling +.Xr gss_wrap 3 +routine +.It False +No confidentiality service (via +.Xr gss_wrap 3 ) available. +.Xr gss_wrap 3 will +provide message encapsulation, +data-origin authentication and +integrity services only. 
+.El +.It GSS_C_INTEG_FLAG +.Bl -tag -width "False" +.It True +Integrity service may be invoked by calling either +.Xr gss_get_mic 3 +or +.Xr gss_wrap 3 +routines. +.It False +Per-message integrity service unavailable. +.El +.It GSS_C_ANON_FLAG +.Bl -tag -width "False" +.It True +The initiator's identity has not been +revealed, and will not be revealed if +any emitted token is passed to the +acceptor. +.It False +The initiator's identity has been or will be authenticated normally. +.El +.It GSS_C_PROT_READY_FLAG +.Bl -tag -width "False" +.It True +Protection services (as specified by the states of the +.Dv GSS_C_CONF_FLAG +and +.Dv GSS_C_INTEG_FLAG ) are available for +use if the accompanying major status +return value is either +.Dv GSS_S_COMPLETE +or +.Dv GSS_S_CONTINUE_NEEDED. +.It False +Protection services (as specified by the states of the +.Dv GSS_C_CONF_FLAG +and +.Dv GSS_C_INTEG_FLAG ) are available +only if the accompanying major status +return value is +.Dv GSS_S_COMPLETE. +.El +.It GSS_C_TRANS_FLAG +.Bl -tag -width "False" +.It True +The resultant security context may be transferred to other processes via +a call to +.Fn gss_export_sec_context . +.It False +The security context is not transferable. +.El +.El +.Pp +All other bits should be set to zero. +.It time_rec +Number of seconds for which the context +will remain valid. If the implementation does +not support context expiration, the value +.Dv GSS_C_INDEFINITE will be returned. Specify +.Dv NULL if not required. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_CONTINUE_NEEDED +Indicates that a token from the peer +application is required to complete the +context, and that gss_init_sec_context +must be called again with that token. +.It GSS_S_DEFECTIVE_TOKEN +Indicates that consistency checks performed +on the input_token failed +.It GSS_S_DEFECTIVE_CREDENTIAL +Indicates that consistency checks +performed on the credential failed. 
+.It GSS_S_NO_CRED +The supplied credentials were not valid for +context initiation, or the credential handle +did not reference any credentials. +.It GSS_S_CREDENTIALS_EXPIRED +The referenced credentials have expired +.It GSS_S_BAD_BINDINGS +The input_token contains different channel +bindings to those specified via the +input_chan_bindings parameter +.It GSS_S_BAD_SIG +The input_token contains an invalid MIC, or a MIC +that could not be verified +.It GSS_S_OLD_TOKEN +The input_token was too old. This is a fatal +error during context establishment +.It GSS_S_DUPLICATE_TOKEN +The input_token is valid, but is a duplicate +of a token already processed. This is a +fatal error during context establishment. +.It GSS_S_NO_CONTEXT +Indicates that the supplied context handle did +not refer to a valid context +.It GSS_S_BAD_NAMETYPE +The provided target_name parameter contained an +invalid or unsupported type of name +.It GSS_S_BAD_NAME +The provided target_name parameter was ill-formed. +.It GSS_S_BAD_MECH +The specified mechanism is not supported by the +provided credential, or is unrecognized by the +implementation. +.El +.Sh SEE ALSO +.Xr gss_accept_sec_context 3 , +.Xr gss_delete_sec_context 3 , +.Xr gss_get_mic 3 , +.Xr gss_release_buffer 3 , +.Xr gss_wrap 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.El +.\" .Sh HISTORY +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_init_sec_context.c b/lib/libgssapi/gss_init_sec_context.c new file mode 100644 index 000000000000..46e3213b6053 --- /dev/null +++ b/lib/libgssapi/gss_init_sec_context.c 
@@ -0,0 +1,129 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "name.h"
+#include "cred.h"
+#include "context.h"
+
+OM_uint32
+gss_init_sec_context(OM_uint32 * minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t * context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_name *name = (struct _gss_name *) target_name;
+ struct _gss_mechanism_name *mn;
+ struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+ struct _gss_cred *cred = (struct _gss_cred *) initiator_cred_handle;
+ struct _gss_mechanism_cred *mc;
+ gss_cred_id_t cred_handle;
+ int allocated_ctx;
+
+ *minor_status = 0;
+
+ /*
+ * If we haven't allocated a context yet, do so now and lookup
+ * the mechanism switch table. If we have one already, make
+ * sure we use the same mechanism switch as before.
+ */
+ if (!ctx) {
+ ctx = malloc(sizeof(struct _gss_context));
+ if (!ctx) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ memset(ctx, 0, sizeof(struct _gss_context));
+ m = ctx->gc_mech = _gss_find_mech_switch(mech_type);
+ if (!m) {
+ free(ctx);
+ return (GSS_S_BAD_MECH);
+ }
+ allocated_ctx = 1;
+ } else {
+ m = ctx->gc_mech;
+ allocated_ctx = 0;
+ }
+
+ /*
+ * Find the MN for this mechanism.
+ */
+ mn = _gss_find_mn(name, mech_type);
+
+ /*
+ * If we have a cred, find the cred for this mechanism.
+ */
+ cred_handle = GSS_C_NO_CREDENTIAL;
+ if (cred) {
+ SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+ if (_gss_oid_equal(mech_type, mc->gmc_mech_oid)) {
+ cred_handle = mc->gmc_cred;
+ break;
+ }
+ }
+ }
+
+ major_status = m->gm_init_sec_context(minor_status,
+ cred_handle,
+ &ctx->gc_ctx,
+ mn->gmn_name,
+ mech_type,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec);
+
+ if (major_status != GSS_S_COMPLETE
+ && major_status != GSS_S_CONTINUE_NEEDED) {
+ if (allocated_ctx)
+ free(ctx);
+ } else {
+ *context_handle = (gss_ctx_id_t) ctx;
+ }
+
+ return (major_status);
+}
diff --git a/lib/libgssapi/gss_inquire_context.3 b/lib/libgssapi/gss_inquire_context.3 new file mode 100644
index 000000000000..3c8847c27649
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_context.3
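Review bot: `mn = _gss_find_mn(name, mech_type);` is handed to `m->gm_init_sec_context` as `mn->gmn_name` without checking for a NULL return, so a target name the chosen mechanism cannot import (or `GSS_C_NO_NAME`, if `_gss_find_mn` does not handle it itself) dereferences NULL instead of reporting an error; add `if (!mn) { if (allocated_ctx) free(ctx); return (GSS_S_BAD_NAME); }` before the call (`GSS_S_BAD_NAMETYPE` if that is what a lookup failure means here — both are documented in the manual page). The MN lookup and the `_gss_oid_equal(mech_type, mc->gmc_mech_oid)` credential lookup also key on the caller's `mech_type` rather than on the mechanism bound to the context; the manual page allows `GSS_C_NO_OID` on the first call and continuation calls need not repeat it, so once `m` is resolved both lookups should use `&m->gm_mech_oid`, which is the field the sibling gss_inquire_cred.c uses. On a mechanism failure the wrapper does `free(ctx)` without releasing `ctx->gc_ctx`, so if a mechanism leaves a half-built context for the caller to delete (which the manual page permits) that context leaks; a comment stating that the mechanism is expected to have cleaned up, or a `gm_delete_sec_context` call if one exists in the switch, would settle it.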
@@ -0,0 +1,284 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_INQUIRE_CONTEXT 3 PRM +.Sh NAME +.Nm gss_inquire_context +.Nd Obtain information about a security context +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_inquire_context +.Fa "OM_uint32 *minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "gss_name_t *src_name" +.Fa "gss_name_t *targ_name" +.Fa "OM_uint32 *lifetime_rec" +.Fa "gss_OID *mech_type" +.Fa "OM_uint32 *ctx_flags" +.Fa "int *locally_initiated" +.Fa "int *open" +.Fc +.Sh DESCRIPTION +Obtains information about a security context. +The caller must already have obtained a handle that refers to the +context, +although the context need not be fully established. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +A handle that refers to the security context. 
+.It src_name +The name of the context initiator. +If the context was established using anonymous authentication, +and if the application invoking +.Fn gss_inquire_context +is the context acceptor, +an anonymous name will be returned. +Storage associated with this name must be freed by the application +after use with a call to +.Fn gss_release_name . +Specify +.Dv NULL +if not required. +.It targ_name +The name of the context acceptor. +Storage associated with this name must be freed by the application +after use with a call to +.Fn gss_release_name . +If the context acceptor did not authenticate itself, +and if the initiator did not specify a target name in its call to +.Fn gss_init_sec_context , +the value +.Dv GSS_C_NO_NAME +will be returned. +Specify +.Dv NULL +if not required. +.It lifetime_rec +The number of seconds for which the context will remain valid. +If the context has expired, +this parameter will be set to zero. +If the implementation does not support context expiration, +the value +.Dv GSS_C_INDEFINITE +will be returned. +Specify +.Dv NULL +if not required. +.It mech_type +The security mechanism providing the context. +The returned OID will be a pointer to static storage that should be +treated as read-only by the application; +in particular the application should not attempt to free it. +Specify +.Dv NULL +if not required. +.It ctx_flags +Contains various independent flags, +each of which indicates that the context supports +(or is expected to support, if +.Fa open +is false) +a specific service option. +If not needed, specify +.Dv NULL . +Symbolic names are provided for each flag, +and the symbolic names corresponding to the required flags should be +logically-ANDed with the +.Fa ctx_flags +value to test whether a given option is supported by the context. +The flags are: +.Bl -tag -width "WW" +.It GSS_C_DELEG_FLAG +.Bl -tag -width "False" +.It True +Credentials were delegated from the initiator to the acceptor. 
+.It False +No credentials were delegated. +.El +.It GSS_C_MUTUAL_FLAG +.Bl -tag -width "False" +.It True +The acceptor was authenticated to the initiator. +.It False +The acceptor did not authenticate itself. +.El +.It GSS_C_REPLAY_FLAG +.Bl -tag -width "False" +.It True +Replay of protected messages will be detected. +.It False +Replayed messages will not be detected. +.El +.It GSS_C_SEQUENCE_FLAG +.Bl -tag -width "False" +.It True +Out-of-sequence protected messages will be detected. +.It False +Out-of-sequence messages will not be detected. +.El +.It GSS_C_CONF_FLAG +.Bl -tag -width "False" +.It True +Confidentiality service may be invoked by calling +.Fn gss_wrap +routine. +.It False +No confidentiality service +(via +.Fn gss_wrap ) +available. +.Fn gss_wrap +will provide message encapsulation, +data-origin authentication and integrity services only. +.El +.It GSS_C_INTEG_FLAG +.Bl -tag -width "False" +.It True +Integrity service may be invoked by calling either +.Fn gss_get_mic +or +.Fn gss_wrap +routines. +.It False +Per-message integrity service unavailable. +.El +.It GSS_C_ANON_FLAG +.Bl -tag -width "False" +.It True +The initiator's identity will not be revealed to the acceptor. +The +.Fa src_name +parameter (if requested) contains an anonymous internal name. +.It False +The initiator has been authenticated normally. +.El +.It GSS_C_PROT_READY_FLAG +.Bl -tag -width "False" +.It True +Protection services +(as specified by the states of the +.Dv GSS_C_CONF_FLAG +and +.Dv GSS_C_INTEG_FLAG ) +are available for use. +.It False +Protection services +(as specified by the states of the +.Dv GSS_C_CONF_FLAG +and +.Dv GSS_C_INTEG_FLAG ) +are available only if the context is fully established +(i.e. if the +.Fa open +parameter is non-zero). +.El +.It GSS_C_TRANS_FLAG +.Bl -tag -width "False" +.It True +The security context may be transferred to other processes via a call to +.Fn gss_export_sec_context . +.It False +The security context is not transferable. 
+.El +.El +.It locally_initiated +Non-zero if the invoking application is the context initiator. +Specify +.Dv NULL +if not required. +.It open +Non-zero if the context is fully established; +Zero if a context-establishment token is expected from the peer +application. +Specify +.Dv NULL +if not required. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_NO_CONTEXT +The referenced context could not be accessed +.El +.Sh SEE ALSO +.Xr gss_release_name 3 , +.Xr gss_init_sec_context 3 , +.Xr gss_wrap 3 , +.Xr gss_get_mic 3 , +.Xr gss_export_sec_context 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_inquire_context.c b/lib/libgssapi/gss_inquire_context.c new file mode 100644 index 000000000000..3f4531d2c428 --- /dev/null +++ b/lib/libgssapi/gss_inquire_context.c 
@@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+#include "name.h"
+
+OM_uint32
+gss_inquire_context(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ gss_name_t *src_name,
+ gss_name_t *targ_name,
+ OM_uint32 *lifetime_rec,
+ gss_OID *mech_type,
+ OM_uint32 *ctx_flags,
+ int *locally_initiated,
+ int *open)
+{
+ OM_uint32 major_status;
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+ struct _gss_name *name;
+ gss_name_t src_mn, targ_mn;
+
+ major_status = m->gm_inquire_context(minor_status,
+ ctx->gc_ctx,
+ src_name ? &src_mn : 0,
+ targ_name ? &targ_mn : 0,
+ lifetime_rec,
+ mech_type,
+ ctx_flags,
+ locally_initiated,
+ open);
+
+ if (src_name) *src_name = 0;
+ if (targ_name) *targ_name = 0;
+
+ if (major_status != GSS_S_COMPLETE) {
+ return (major_status);
+ }
+
+ if (src_name) {
+ name = _gss_make_name(m, src_mn);
+ if (!name) {
+ minor_status = 0;
+ return (GSS_S_FAILURE);
+ }
+ *src_name = (gss_name_t) name;
+ }
+
+ if (targ_name) {
+ name = _gss_make_name(m, targ_mn);
+ if (!name) {
+ minor_status = 0;
+ return (GSS_S_FAILURE);
+ }
+ *targ_name = (gss_name_t) name;
+ }
+
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_inquire_cred.3 b/lib/libgssapi/gss_inquire_cred.3 new file mode 100644
index 000000000000..1dd1d92a4ca9
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_cred.3
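Review bot: `minor_status = 0;` in both `_gss_make_name` failure branches assigns the pointer parameter rather than the status it points to, so the store is dead and the caller receives whatever minor code the mechanism last wrote; it should be `*minor_status = 0;` (or `*minor_status = ENOMEM;`, if `_gss_make_name` fails only on allocation, which is how the sibling files report it). `ctx->gc_mech` is dereferenced before any check, so passing `GSS_C_NO_CONTEXT` crashes even though the manual page documents `GSS_S_NO_CONTEXT` for an inaccessible handle; add `if (!ctx) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }` at the top. When the second `_gss_make_name` fails, the `*src_name` already built is left allocated and `targ_mn` is never handed back to the mechanism, so the error path leaks; whether `_gss_make_name` takes ownership of the mechanism name on success is not visible here and should be confirmed before writing that cleanup.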
@@ -0,0 +1,158 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_INQUIRE_CRED 3 PRM +.Sh NAME +.Nm gss_inquire_cred +.Nd Obtain information about a credential +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_inquire_cred +.Fa "OM_uint32 *minor_status" +.Fa "const gss_cred_id_t cred_handle" +.Fa "gss_ctx_id_t *context_handle" +.Fa "gss_name_t *name" +.Fa "OM_uint32 *lifetime" +.Fa "gss_cred_usage_t *cred_usage" +.Fa "gss_OID_set *mechanisms" +.Fc +.Sh DESCRIPTION +Obtains information about a credential. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It cred_handle +A handle that refers to the target credential. +Specify +.Dv GSS_C_NO_CREDENTIAL +to inquire about the default initiator principal. +.It name +The name whose identity the credential asserts. 
+Storage associated with this name should be freed by the application +after use with a call to +.Fn gss_release_name . +Specify +.Dv NULL +if not required. +.It lifetime +The number of seconds for which the credential will remain valid. +If the credential has expired, +this parameter will be set to zero. +If the implementation does not support credential expiration, +the value GSS_C_INDEFINITE will be returned. +Specify +.Dv NULL +if not required. +.It cred_usage +How the credential may be used. +One of the following: +.Bl -item -offset indent -compact +.It +.Dv GSS_C_INITIATE +.It +.Dv GSS_C_ACCEPT +.It +.Dv GSS_C_BOTH +.El +Specify +.Dv NULL +if not required. +.It mechanisms +Set of mechanisms supported by the credential. +Storage associated with this OID set must be freed by the application +after use with a call to +.Fn gss_release_oid_set . +Specify +.Dv NULL +if not required. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_NO_CRED +The referenced credentials could not be accessed +.It GSS_S_DEFECTIVE_CREDENTIAL +The referenced credentials were invalid +.It GSS_S_CREDENTIALS_EXPIRED +The referenced credentials have expired. +If the lifetime parameter was not passed as +.Dv NULL , +it will be set to 0 +.El +.Sh SEE ALSO +.Xr gss_release_name 3 , +.Xr gss_release_oid_set 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_inquire_cred.c b/lib/libgssapi/gss_inquire_cred.c new file mode 100644 index 000000000000..6f598b7fd283 --- /dev/null +++ b/lib/libgssapi/gss_inquire_cred.c 
@@ -0,0 +1,167 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "name.h"
+#include "cred.h"
+
+OM_uint32
+gss_inquire_cred(OM_uint32 *minor_status,
+ const gss_cred_id_t cred_handle,
+ gss_name_t *name_ret,
+ OM_uint32 *lifetime,
+ gss_cred_usage_t *cred_usage,
+ gss_OID_set *mechanisms)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
+ struct _gss_mechanism_cred *mc;
+ struct _gss_name *name;
+ struct _gss_mechanism_name *mn;
+ OM_uint32 min_lifetime;
+
+ *minor_status = 0;
+ if (name_ret)
+ *name_ret = 0;
+ if (lifetime)
+ *lifetime = 0;
+ if (cred_usage)
+ *cred_usage = 0;
+
+ if (name_ret) {
+ name = malloc(sizeof(struct _gss_name));
+ if (!name) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ memset(name, 0, sizeof(struct _gss_name));
+ SLIST_INIT(&name->gn_mn);
+ } else {
+ name = 0;
+ }
+
+ if (mechanisms) {
+ major_status = gss_create_empty_oid_set(minor_status,
+ mechanisms);
+ if (major_status) {
+ if (name) free(name);
+ return (major_status);
+ }
+ }
+
+ min_lifetime = GSS_C_INDEFINITE;
+ if (cred) {
+ SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+ gss_name_t mc_name;
+ OM_uint32 mc_lifetime;
+
+ major_status = mc->gmc_mech->gm_inquire_cred(minor_status,
+ mc->gmc_cred, &mc_name, &mc_lifetime, NULL, NULL);
+ if (major_status)
+ continue;
+
+ if (name) {
+ mn = malloc(sizeof(struct _gss_mechanism_name));
+ if (!mn) {
+ mc->gmc_mech->gm_release_name(minor_status,
+ &mc_name);
+ continue;
+ }
+ mn->gmn_mech = mc->gmc_mech;
+ mn->gmn_mech_oid = mc->gmc_mech_oid;
+ mn->gmn_name = mc_name;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+ } else {
+ mc->gmc_mech->gm_release_name(minor_status,
+ &mc_name);
+ }
+
+ if (mc_lifetime < min_lifetime)
+ min_lifetime = mc_lifetime;
+
+ if (mechanisms)
+ gss_add_oid_set_member(minor_status,
+ mc->gmc_mech_oid, mechanisms);
+ }
+ } else {
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ gss_name_t mc_name;
+ OM_uint32 mc_lifetime;
+
+ major_status = m->gm_inquire_cred(minor_status,
+ GSS_C_NO_CREDENTIAL, &mc_name, &mc_lifetime,
+ cred_usage, NULL);
+ if (major_status)
+ continue;
+
+ if (name && mc_name) {
+ mn = malloc(
+ sizeof(struct _gss_mechanism_name));
+ if (!mn) {
+ mc->gmc_mech->gm_release_name(
+ minor_status, &mc_name);
+ continue;
+ }
+ mn->gmn_mech = mc->gmc_mech;
+ mn->gmn_mech_oid = mc->gmc_mech_oid;
+ mn->gmn_name = mc_name;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+ } else if (mc_name) {
+ mc->gmc_mech->gm_release_name(minor_status,
+ &mc_name);
+ }
+
+ if (mc_lifetime < min_lifetime)
+ min_lifetime = mc_lifetime;
+
+ if (mechanisms)
+ gss_add_oid_set_member(minor_status,
+ &m->gm_mech_oid, mechanisms);
+ }
+
+ if ((*mechanisms)->count == 0) {
+ gss_release_oid_set(minor_status, mechanisms);
+ *minor_status = 0;
+ return (GSS_S_NO_CRED);
+ }
+ }
+
+ *minor_status = 0;
+ if (name_ret)
+ *name_ret = (gss_name_t) name;
+ if (lifetime)
+ *lifetime = min_lifetime;
+ if (cred && cred_usage)
+ *cred_usage = cred->gc_usage;
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_inquire_cred_by_mech.3 b/lib/libgssapi/gss_inquire_cred_by_mech.3 new file mode 100644
index 000000000000..380b7ca963c8
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_cred_by_mech.3
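Review bot: In the `else` branch (no credential supplied, walking `_gss_mechs`), the name handling reads `mc->gmc_mech` and `mc->gmc_mech_oid`, but `mc` is never assigned on that path — it is the iterator of the other branch — so returning a default-credential name dereferences an uninitialized pointer; the loop variable there is `m`, so those uses should become `m->gm_release_name(...)`, `mn->gmn_mech = m;` and `mn->gmn_mech_oid = &m->gm_mech_oid;`, consistent with the `&m->gm_mech_oid` already passed to `gss_add_oid_set_member` a few lines below. The closing `if ((*mechanisms)->count == 0)` also dereferences `mechanisms` when the caller passed `NULL` for it; counting the mechanisms that answered in a local and testing that instead avoids the dereference, and that `GSS_S_NO_CRED` return should free `name` and any `mn` entries linked into it rather than leak them. The return values of `gss_add_oid_set_member` are ignored and `*minor_status` is reset to 0 at the end, so an OID-set allocation failure is reported as `GSS_S_COMPLETE` with a short set.
```c
	} else {
		SLIST_FOREACH(m, &_gss_mechs, gm_link) {
			/* … unchanged: mc_name/mc_lifetime declarations and gm_inquire_cred call … */
			if (name && mc_name) {
				mn = malloc(sizeof(struct _gss_mechanism_name));
				if (!mn) {
					m->gm_release_name(minor_status, &mc_name);
					continue;
				}
				mn->gmn_mech = m;
				mn->gmn_mech_oid = &m->gm_mech_oid;
				mn->gmn_name = mc_name;
				SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
			} else if (mc_name) {
				m->gm_release_name(minor_status, &mc_name);
			}
			/* … unchanged: min_lifetime update and gss_add_oid_set_member … */
		}
```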
@@ -0,0 +1,173 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_INQUIRE_CRED_BY_MECH 3 PRM +.Sh NAME +.Nm gss_inquire_cred_by_mech +.Nd Obtain per-mechanism information about a credential +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_inquire_cred_by_mech +.Fa "OM_uint32 *minor_status" +.Fa "const gss_cred_id_t cred_handle" +.Fa "const gss_OID mech_type" +.Fa "gss_name_t *name" +.Fa "OM_uint32 *initiator_lifetime" +.Fa "OM_uint32 *acceptor_lifetime" +.Fa "gss_cred_usage_t *cred_usage" +.Fc +.Sh DESCRIPTION +Obtains per-mechanism information about a credential. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It cred_handle +A handle that refers to the target credential. +Specify +.Dv GSS_C_NO_CREDENTIAL +to inquire about the default initiator principal. +.It mech_type +The mechanism for which information should be returned. 
+.It name +The name whose identity the credential asserts. +Storage associated with this name must be freed by the application +after use with a call to +.Fn gss_release_name . +Specify +.Dv NULL +if not required. +.It initiator_lifetime + +The number of seconds for which the credential will remain capable of +initiating security contexts under the specified mechanism. +If the credential can no longer be used to initiate contexts, +or if the credential usage for this mechanism is +.Dv GSS_C_ACCEPT , +this parameter will be set to zero. +If the implementation does not support expiration of initiator +credentials, +the value +.Dv GSS_C_INDEFINITE +will be returned. +Specify +.Dv NULL +if not required. +.It acceptor_lifetime +The number of seconds for which the credential will remain capable of +accepting security contexts under the specified mechanism. +If the credential can no longer be used to accept contexts, +or if the credential usage for this mechanism is +.Dv GSS_C_INITIATE , +this parameter will be set to zero. +If the implementation does not support expiration of acceptor +credentials, +the value +.Dv GSS_C_INDEFINITE +will be returned. +Specify +.Dv NULL +if not required. +.It cred_usage +How the credential may be used with the specified mechanism. +One of the following: +.Bl -item -offset indent -compact +.It +.Dv GSS_C_INITIATE +.It +.Dv GSS_C_ACCEPT +.It +.Dv GSS_C_BOTH +.El +Specify +.Dv NULL +if not required. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_NO_CRED +The referenced credentials could not be accessed +.It GSS_S_DEFECTIVE_CREDENTIAL +The referenced credentials were invalid +.It GSS_S_CREDENTIALS_EXPIRED +The referenced credentials have expired. +If the lifetime parameter was not passed as +.Dv NULL , +it will be set to 0. 
+.El +.Sh SEE ALSO +.Xr gss_release_name 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_inquire_cred_by_mech.c b/lib/libgssapi/gss_inquire_cred_by_mech.c new file mode 100644 index 000000000000..2896f77c1e74 --- /dev/null +++ b/lib/libgssapi/gss_inquire_cred_by_mech.c 
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "cred.h"
+#include "name.h"
+
+OM_uint32
+gss_inquire_cred_by_mech(OM_uint32 *minor_status,
+ const gss_cred_id_t cred_handle,
+ const gss_OID mech_type,
+ gss_name_t *cred_name,
+ OM_uint32 *initiator_lifetime,
+ OM_uint32 *acceptor_lifetime,
+ gss_cred_usage_t *cred_usage)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_mechanism_cred *mcp;
+ gss_cred_id_t mc;
+ gss_name_t mn;
+ struct _gss_name *name;
+
+ *minor_status = 0;
+
+ m = _gss_find_mech_switch(mech_type);
+ if (!m)
+ return (GSS_S_NO_CRED);
+
+ if (cred_handle != GSS_C_NO_CREDENTIAL) {
+ struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
+ SLIST_FOREACH(mcp, &cred->gc_mc, gmc_link)
+ if (mcp->gmc_mech == m)
+ break;
+ if (!mcp)
+ return (GSS_S_NO_CRED);
+ mc = mcp->gmc_cred;
+ } else {
+ mc = GSS_C_NO_CREDENTIAL;
+ }
+
+ major_status = m->gm_inquire_cred_by_mech(minor_status, mc, mech_type,
+ &mn, initiator_lifetime, acceptor_lifetime, cred_usage);
+ if (major_status != GSS_S_COMPLETE)
+ return (major_status);
+
+ name = _gss_make_name(m, mn);
+ if (!name) {
+ m->gm_release_name(minor_status, &mn);
+ return (GSS_S_NO_CRED);
+ }
+
+ *cred_name = (gss_name_t) name;
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_inquire_mechs_for_name.3 b/lib/libgssapi/gss_inquire_mechs_for_name.3
new file mode 100644
index 000000000000..63ee453998bc
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_mechs_for_name.3
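Review bot: `*cred_name = (gss_name_t) name;` at the end of gss_inquire_cred_by_mech dereferences `cred_name` unconditionally, but the gss_inquire_cred_by_mech.3 page added in this commit tells callers they may pass NULL for the name when it is not required, so such a caller crashes after the mechanism has already allocated `mn`. The wrapper should only build the mechanism-independent name when one was asked for and release the mechanism name otherwise; while there, a failed `_gss_make_name` is an allocation failure, so GSS_S_FAILURE (with ENOMEM in `*minor_status`, as gss_inquire_cred.c does) describes it better than GSS_S_NO_CRED. Whether the per-mechanism `gm_inquire_cred_by_mech` itself tolerates a NULL name pointer is not visible here, so always passing `&mn` and releasing it is the safe shape.
```c
	/* … unchanged: mechanism lookup and gm_inquire_cred_by_mech call … */
	if (major_status != GSS_S_COMPLETE)
		return (major_status);

	/* Only wrap the mechanism name if the caller asked for one. */
	if (cred_name == NULL) {
		m->gm_release_name(minor_status, &mn);
		return (GSS_S_COMPLETE);
	}
	name = _gss_make_name(m, mn);
	if (!name) {
		m->gm_release_name(minor_status, &mn);
		return (GSS_S_FAILURE);
	}
	*cred_name = (gss_name_t) name;
	return (GSS_S_COMPLETE);
```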
@@ -0,0 +1,134 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_INQUIRE_MECHS_FOR_NAME 3 PRM +.Sh NAME +.Nm gss_inquire_mechs_for_name +.Nd List mechanisms that support the specified name-type +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_inquire_mechs_for_name +.Fa "OM_uint32 *minor_status" +.Fa "const gss_name_t input_name" +.Fa "gss_OID_set *mech_types" +.Fc +.Sh DESCRIPTION +Returns the set of mechanisms supported by the GSS-API implementation +that may be able to process the specified name. +.Pp + +Each mechanism returned will recognize at least one element within the +name. +It is permissible for this routine to be implemented within a +mechanism-independent GSS-API layer, +using the type information contained within the presented name, +and based on registration information provided by individual mechanism +implementations. 
+This means that the returned +.Fa mech_types +set may indicate that a particular mechanism will understand the name +when in fact it would refuse to accept the name as input to +.Fn gss_canonicalize_name , +.Fn gss_init_sec_context , +.Fn gss_acquire_cred +or +.Fn gss_add_cred +(due to some property of the specific name, as opposed to the name +type). +Thus this routine should be used only as a pre-filter for a call to a +subsequent mechanism-specific routine. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It input_name +The name to which the inquiry relates. +.It mech_types +Set of mechanisms that may support the specified name. +The returned OID set must be freed by the caller after use with a call +to +.Fn gss_release_oid_set . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_BAD_NAME +The +.Fa input_name +parameter was ill-formed +.El +.Sh SEE ALSO +.Xr gss_release_oid_set 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_inquire_mechs_for_name.c b/lib/libgssapi/gss_inquire_mechs_for_name.c new file mode 100644 index 000000000000..10bdd7fd6314 --- /dev/null +++ b/lib/libgssapi/gss_inquire_mechs_for_name.c 
@@ -0,0 +1,77 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_inquire_mechs_for_name(OM_uint32 *minor_status,
+ const gss_name_t input_name,
+ gss_OID_set *mech_types)
+{
+ OM_uint32 major_status;
+ struct _gss_name *name = (struct _gss_name *) input_name;
+ struct _gss_mech_switch *m;
+ gss_OID_set name_types;
+ int present;
+
+ *minor_status = 0;
+
+ major_status = gss_create_empty_oid_set(minor_status, mech_types);
+ if (major_status)
+ return (major_status);
+
+ /*
+ * We go through all the loaded mechanisms and see if this
+ * name's type is supported by the mechanism. If it is, add
+ * the mechanism to the set.
+ */
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ major_status = gss_inquire_names_for_mech(minor_status,
+ &m->gm_mech_oid, &name_types);
+ if (major_status) {
+ gss_release_oid_set(minor_status, mech_types);
+ return (major_status);
+ }
+ gss_test_oid_set_member(minor_status,
+ &name->gn_type, name_types, &present);
+ gss_release_oid_set(minor_status, &name_types);
+ if (present) {
+ major_status = gss_add_oid_set_member(minor_status,
+ &m->gm_mech_oid, mech_types);
+ if (major_status) {
+ gss_release_oid_set(minor_status, mech_types);
+ return (major_status);
+ }
+ }
+ }
+
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_inquire_names_for_mech.3 b/lib/libgssapi/gss_inquire_names_for_mech.3
new file mode 100644
index 000000000000..b4d2d121cf0e
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_names_for_mech.3
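Review bot: `&name->gn_type` inside the SLIST_FOREACH dereferences `input_name` without a check, so a caller passing GSS_C_NO_NAME gets a NULL dereference instead of the GSS_S_BAD_NAME that the gss_inquire_mechs_for_name.3 page in this commit documents; add `if (name == NULL) return (GSS_S_BAD_NAME);` before the `gss_create_empty_oid_set` call. The loop also walks `_gss_mechs` without calling `_gss_load_mech()` first, unlike `_gss_find_mech_switch` and `gsskrb5_register_acceptor_identity` elsewhere in this commit, so if this is the process's first GSS-API call the list is presumably still empty and the function returns an empty set with GSS_S_COMPLETE; a `_gss_load_mech();` before the loop closes that gap. The status of `gss_test_oid_set_member` is discarded and `present` is declared uninitialised, so on a failure the `if (present)` test reads an indeterminate value; either declare `int present = 0;` or check the returned major status before using it.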
@@ -0,0 +1,107 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_INQUIRE_NAMES_FOR_MECH 3 PRM +.Sh NAME +.Nm gss_inquire_names_for_mech +.Nd List the name-types supported by the specified mechanism +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_inquire_names_for_mech +.Fa "OM_uint32 *minor_status" +.Fa "const gss_OID mechanism" +.Fa "gss_OID_set *name_types" +.Fc +.Sh DESCRIPTION +Returns the set of name-types supported by the specified mechanism. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It mechanism +The mechanism to be interrogated. +.It name_types +Set of name-types supported by the specified mechanism. +The returned OID set must be freed by the application after use with a +call to +.Fn gss_release_oid_set . 
+.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.El +.Sh SEE ALSO +.Xr gss_release_oid_set 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_inquire_names_for_mech.c b/lib/libgssapi/gss_inquire_names_for_mech.c new file mode 100644 index 000000000000..3ebb6328ff69 --- /dev/null +++ b/lib/libgssapi/gss_inquire_names_for_mech.c 
@@ -0,0 +1,74 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+
+OM_uint32
+gss_inquire_names_for_mech(OM_uint32 *minor_status,
+ const gss_OID mechanism,
+ gss_OID_set *name_types)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m = _gss_find_mech_switch(mechanism);
+
+ *minor_status = 0;
+ if (!m)
+ return (GSS_S_BAD_MECH);
+
+ /*
+ * If the implementation can do it, ask it for a list of
+ * names, otherwise fake it.
+ */
+ if (m->gm_inquire_names_for_mech) {
+ return (m->gm_inquire_names_for_mech(minor_status,
+ mechanism, name_types));
+ } else {
+ major_status = gss_create_empty_oid_set(minor_status,
+ name_types);
+ if (major_status)
+ return (major_status);
+ major_status = gss_add_oid_set_member(minor_status,
+ GSS_C_NT_HOSTBASED_SERVICE, name_types);
+ if (major_status) {
+ OM_uint32 ms;
+ gss_release_oid_set(&ms, name_types);
+ return (major_status);
+ }
+ major_status = gss_add_oid_set_member(minor_status,
+ GSS_C_NT_USER_NAME, name_types);
+ if (major_status) {
+ OM_uint32 ms;
+ gss_release_oid_set(&ms, name_types);
+ return (major_status);
+ }
+ }
+
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_krb5.c b/lib/libgssapi/gss_krb5.c
new file mode 100644
index 000000000000..5150f8564a04
--- /dev/null
+++ b/lib/libgssapi/gss_krb5.c
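Review bot: The fallback branch for a mechanism without `gm_inquire_names_for_mech` asserts GSS_C_NT_HOSTBASED_SERVICE and GSS_C_NT_USER_NAME on the mechanism's behalf, and the comment `otherwise fake it` does not say that this is an assumption rather than something the mechanism told us; since gss_inquire_mechs_for_name in this commit builds its answer from this list, the guess should be stated where it is made. Suggest replacing the comment with `/* No per-mechanism list: assume only the two generic RFC 2743 name types. Callers treat the answer as a pre-filter, so over-claiming is tolerable; a mechanism may still reject such a name later. */`. The GSS_S_BAD_MECH return for an unknown `mechanism` is also missing from the RETURN VALUES list of the gss_inquire_names_for_mech.3 page added alongside and is worth documenting there. Minor style: the `else` after an unconditional `return` can be dropped to flatten the fallback.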
@@ -0,0 +1,87 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+#include "cred.h"
+
+OM_uint32
+gsskrb5_register_acceptor_identity(const char *identity)
+{
+ struct _gss_mech_switch *m;
+
+ _gss_load_mech();
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ if (m->gm_krb5_register_acceptor_identity)
+ m->gm_krb5_register_acceptor_identity(identity);
+ }
+
+ return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+gss_krb5_copy_ccache(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ struct krb5_ccache_data *out)
+{
+ struct _gss_mechanism_cred *mcp;
+ struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
+ struct _gss_mech_switch *m;
+
+ *minor_status = 0;
+
+ SLIST_FOREACH(mcp, &cred->gc_mc, gmc_link) {
+ m = mcp->gmc_mech;
+ if (m->gm_krb5_copy_ccache)
+ return (m->gm_krb5_copy_ccache(minor_status,
+ mcp->gmc_cred, out));
+ }
+
+ return (GSS_S_FAILURE);
+}
+
+OM_uint32
+gss_krb5_compat_des3_mic(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, int flag)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ *minor_status = 0;
+
+ if (m->gm_krb5_compat_des3_mic)
+ return (m->gm_krb5_compat_des3_mic(minor_status,
+ ctx->gc_ctx, flag));
+
+ return (GSS_S_FAILURE);
+}
+
diff --git a/lib/libgssapi/gss_mech_switch.c b/lib/libgssapi/gss_mech_switch.c
new file mode 100644
index 000000000000..4fa52a35c800
--- /dev/null
+++ b/lib/libgssapi/gss_mech_switch.c
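Review bot: `gss_krb5_copy_ccache` walks `cred->gc_mc` and `gss_krb5_compat_des3_mic` reads `ctx->gc_mech` in its declarations without checking that the opaque handle is non-NULL, so a caller passing GSS_C_NO_CREDENTIAL or GSS_C_NO_CONTEXT dereferences NULL inside the library instead of getting an error status. Add `if (cred == NULL) return (GSS_S_NO_CRED);` after `*minor_status = 0;` in the first, and in the second move the `m = ctx->gc_mech` initialisation below an `if (ctx == NULL) return (GSS_S_NO_CONTEXT);` guard. `gsskrb5_register_acceptor_identity` discards whatever the per-mechanism hook returns and always reports GSS_S_COMPLETE; if that hook's return value carries a status (its type is not visible here), a failure should be propagated rather than swallowed.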
@@ -0,0 +1,301 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +#include +#include +#include +#include +#include + +#include "mech_switch.h" +#include "utils.h" + +#ifndef _PATH_GSS_MECH +#define _PATH_GSS_MECH "/etc/gss/mech" +#endif + +struct _gss_mech_switch_list _gss_mechs = + SLIST_HEAD_INITIALIZER(&_gss_mechs); +gss_OID_set _gss_mech_oids; + +/* + * Convert a string containing an OID in 'dot' form + * (e.g. 1.2.840.113554.1.2.2) to a gss_OID. 
+ */ +static int +_gss_string_to_oid(const char* s, gss_OID oid) +{ + int number_count, i, j; + int byte_count; + const char *p, *q; + char *res; + + /* + * First figure out how many numbers in the oid, then + * calculate the compiled oid size. + */ + number_count = 0; + for (p = s; p; p = q) { + q = strchr(p, '.'); + if (q) q = q + 1; + number_count++; + } + + /* + * The first two numbers are in the first byte and each + * subsequent number is encoded in a variable byte sequence. + */ + if (number_count < 2) + return (EINVAL); + + /* + * We do this in two passes. The first pass, we just figure + * out the size. Second time around, we actually encode the + * number. + */ + res = 0; + for (i = 0; i < 2; i++) { + byte_count = 0; + for (p = s, j = 0; p; p = q, j++) { + unsigned int number = 0; + + /* + * Find the end of this number. + */ + q = strchr(p, '.'); + if (q) q = q + 1; + + /* + * Read the number of of the string. Don't + * bother with anything except base ten. + */ + while (*p && *p != '.') { + number = 10 * number + (*p - '0'); + p++; + } + + /* + * Encode the number. The first two numbers + * are packed into the first byte. Subsequent + * numbers are encoded in bytes seven bits at + * a time with the last byte having the high + * bit set. + */ + if (j == 0) { + if (res) + *res = number * 40; + } else if (j == 1) { + if (res) { + *res += number; + res++; + } + byte_count++; + } else if (j >= 2) { + /* + * The number is encoded in seven bit chunks. 
+ */ + unsigned int t; + int bytes; + + bytes = 0; + for (t = number; t; t >>= 7) + bytes++; + if (bytes == 0) bytes = 1; + while (bytes) { + if (res) { + int bit = 7*(bytes-1); + + *res = (number >> bit) & 0x7f; + if (bytes != 1) + *res |= 0x80; + res++; + } + byte_count++; + bytes--; + } + } + } + if (!res) { + res = malloc(byte_count); + if (!res) + return (ENOMEM); + oid->length = byte_count; + oid->elements = res; + } + } + + return (0); +} + +#define SYM(name) \ +do { \ + m->gm_ ## name = dlsym(so, "gss_" #name); \ + if (!m->gm_ ## name) { \ + fprintf(stderr, "can't find symbol gss_" #name "\n"); \ + goto bad; \ + } \ +} while (0) + +#define OPTSYM(name) \ +do { \ + m->gm_ ## name = dlsym(so, "gss_" #name); \ +} while (0) + +#define OPTSYM2(symname, ourname) \ +do { \ + m->ourname = dlsym(so, #symname); \ +} while (0) + +/* + * Load the mechanisms file (/etc/gss/mech). + */ +void +_gss_load_mech(void) +{ + OM_uint32 major_status, minor_status; + FILE *fp; + char buf[256]; + char *p; + char *name, *oid, *lib, *kobj; + struct _gss_mech_switch *m; + int count; + char **pp; + void *so; + + if (SLIST_FIRST(&_gss_mechs)) + return; + + major_status = gss_create_empty_oid_set(&minor_status, + &_gss_mech_oids); + if (major_status) + return; + + fp = fopen(_PATH_GSS_MECH, "r"); + if (!fp) { + perror(_PATH_GSS_MECH); + return; + } + + count = 0; + while (fgets(buf, sizeof(buf), fp)) { + if (*buf == '#') + continue; + p = buf; + name = strsep(&p, "\t\n "); + if (p) while (isspace(p)) p++; + oid = strsep(&p, "\t\n "); + if (p) while (isspace(p)) p++; + lib = strsep(&p, "\t\n "); + if (p) while (isspace(p)) p++; + kobj = strsep(&p, "\t\n "); + if (!name || !oid || !lib || !kobj) + continue; + + so = dlopen(lib, RTLD_LOCAL); + if (!so) { + fprintf(stderr, "dlopen: %s\n", dlerror()); + continue; + } + + m = malloc(sizeof(struct _gss_mech_switch)); + if (!m) + break; + m->gm_so = so; + if (_gss_string_to_oid(oid, &m->gm_mech_oid)) { + free(m); + continue; + } + + major_status 
= gss_add_oid_set_member(&minor_status, + &m->gm_mech_oid, &_gss_mech_oids); + if (major_status) { + free(m->gm_mech_oid.elements); + free(m); + continue; + } + + SYM(acquire_cred); + SYM(release_cred); + SYM(init_sec_context); + SYM(accept_sec_context); + SYM(process_context_token); + SYM(delete_sec_context); + SYM(context_time); + SYM(get_mic); + SYM(verify_mic); + SYM(wrap); + SYM(unwrap); + SYM(display_status); + SYM(indicate_mechs); + SYM(compare_name); + SYM(display_name); + SYM(import_name); + SYM(export_name); + SYM(release_name); + SYM(inquire_cred); + SYM(inquire_context); + SYM(wrap_size_limit); + SYM(add_cred); + SYM(inquire_cred_by_mech); + SYM(export_sec_context); + SYM(import_sec_context); + SYM(inquire_names_for_mech); + SYM(inquire_mechs_for_name); + SYM(canonicalize_name); + SYM(duplicate_name); + OPTSYM2(gsskrb5_register_acceptor_identity, + gm_krb5_register_acceptor_identity); + OPTSYM(krb5_copy_ccache); + OPTSYM(krb5_compat_des3_mic); + + SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link); + count++; + continue; + + bad: + free(m->gm_mech_oid.elements); + free(m); + dlclose(so); + continue; + } + fclose(fp); +} + +struct _gss_mech_switch * +_gss_find_mech_switch(gss_OID mech) +{ + struct _gss_mech_switch *m; + + _gss_load_mech(); + SLIST_FOREACH(m, &_gss_mechs, gm_link) { + if (_gss_oid_equal(&m->gm_mech_oid, mech)) + return m; + } + return (0); +} diff --git a/lib/libgssapi/gss_names.c b/lib/libgssapi/gss_names.c new file mode 100644 index 000000000000..e2fa4ccc8979 --- /dev/null +++ b/lib/libgssapi/gss_names.c 
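Review bot: `if (p) while (isspace(p)) p++;`, repeated four times in `_gss_load_mech`, passes the `char *` itself to isspace() rather than the character it points to, which is undefined behaviour and at best indexes the ctype table with a truncated pointer; it should read `if (p) while (isspace((unsigned char)*p)) p++;`. The OID is added to `_gss_mech_oids` before the SYM() lookups run, and the `bad:` label frees `m` and closes `so` but never removes it, so a library missing a required symbol is still advertised through `_gss_mech_oids` while no switch entry exists for it; adding the OID after the last SYM()/OPTSYM() keeps the set and `_gss_mechs` consistent (whether `gss_add_oid_set_member` copies `elements` or keeps the pointer that `bad:` frees is not visible here and worth confirming). The `so` handle is also leaked on the malloc, `_gss_string_to_oid` and `gss_add_oid_set_member` failure paths, which `break`/`continue` without dlclose(). `_gss_string_to_oid` treats any byte as a digit via `*p - '0'` and never bounds the first two arcs, although `number * 40` plus the second arc must fit in a single byte, so a malformed /etc/gss/mech entry yields a silently wrong OID instead of the EINVAL the function already returns for too few arcs; the file is root-owned configuration, so the exposure is limited, but rejecting non-digits and out-of-range leading arcs is cheap.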
@@ -0,0 +1,253 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +#include +#include + +#include "mech_switch.h" +#include "name.h" + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x01"}, + * corresponding to an object-identifier value of + * {iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant + * GSS_C_NT_USER_NAME should be initialized to point + * to that gss_OID_desc. 
+ */ +static gss_OID_desc GSS_C_NT_USER_NAME_storage = + {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"}; +gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x02"}, + * corresponding to an object-identifier value of + * {iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. + * The constant GSS_C_NT_MACHINE_UID_NAME should be + * initialized to point to that gss_OID_desc. + */ +static gss_OID_desc GSS_C_NT_MACHINE_UID_NAME_storage = + {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"}; +gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x03"}, + * corresponding to an object-identifier value of + * {iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. + * The constant GSS_C_NT_STRING_UID_NAME should be + * initialized to point to that gss_OID_desc. + */ +static gss_OID_desc GSS_C_NT_STRING_UID_NAME_storage = + {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"}; +gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, + * corresponding to an object-identifier value of + * {iso(1) org(3) dod(6) internet(1) security(5) + * nametypes(6) gss-host-based-services(2)). The constant + * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point + * to that gss_OID_desc. 
This is a deprecated OID value, and + * implementations wishing to support hostbased-service names + * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, + * defined below, to identify such names; + * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym + * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input + * parameter, but should not be emitted by GSS-API + * implementations + */ +static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X_storage = + {6, (void *)"\x2b\x06\x01\x05\x06\x02"}; +gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_storage; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" + * "\x01\x02\x01\x04"}, corresponding to an + * object-identifier value of {iso(1) member-body(2) + * Unites States(840) mit(113554) infosys(1) gssapi(2) + * generic(1) service_name(4)}. The constant + * GSS_C_NT_HOSTBASED_SERVICE should be initialized + * to point to that gss_OID_desc. + */ +static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_storage = + {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"}; +gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_storage; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, + * corresponding to an object identifier value of + * {1(iso), 3(org), 6(dod), 1(internet), 5(security), + * 6(nametypes), 3(gss-anonymous-name)}. The constant + * and GSS_C_NT_ANONYMOUS should be initialized to point + * to that gss_OID_desc. 
+ */ +static gss_OID_desc GSS_C_NT_ANONYMOUS_storage = + {6, (void *)"\x2b\x06\01\x05\x06\x03"}; +gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_storage; + +/* + * The implementation must reserve static storage for a + * gss_OID_desc object containing the value + * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, + * corresponding to an object-identifier value of + * {1(iso), 3(org), 6(dod), 1(internet), 5(security), + * 6(nametypes), 4(gss-api-exported-name)}. The constant + * GSS_C_NT_EXPORT_NAME should be initialized to point + * to that gss_OID_desc. + */ +static gss_OID_desc GSS_C_NT_EXPORT_NAME_storage = + {6, (void *)"\x2b\x06\x01\x05\x06\x04"}; +gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_storage; + +/* + * This name form shall be represented by the Object Identifier {iso(1) + * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) + * krb5(2) krb5_name(1)}. The recommended symbolic name for this type + * is "GSS_KRB5_NT_PRINCIPAL_NAME". + */ +static gss_OID_desc GSS_KRB5_NT_PRINCIPAL_NAME_storage = + {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"}; +gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &GSS_KRB5_NT_PRINCIPAL_NAME_storage; + +/* + * This name form shall be represented by the Object Identifier {iso(1) + * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) + * generic(1) user_name(1)}. The recommended symbolic name for this + * type is "GSS_KRB5_NT_USER_NAME". + */ +gss_OID GSS_KRB5_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage; + +/* + * This name form shall be represented by the Object Identifier {iso(1) + * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) + * generic(1) machine_uid_name(2)}. The recommended symbolic name for + * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". 
+ */
+gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage;
+
+/*
+ * This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) string_uid_name(3)}. The recommended symbolic name for
+ * this type is "GSS_KRB5_NT_STRING_UID_NAME".
+ */
+gss_OID GSS_KRB5_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage;
+
+struct _gss_mechanism_name *
+_gss_find_mn(struct _gss_name *name, gss_OID mech)
+{
+ OM_uint32 major_status, minor_status;
+ struct _gss_mech_switch *m;
+ struct _gss_mechanism_name *mn;
+
+ SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+ if (_gss_oid_equal(mech, mn->gmn_mech_oid))
+ break;
+ }
+
+ if (!mn) {
+ /*
+ * If this name is canonical (i.e. there is only an
+ * MN but it is from a different mech), give up now.
+ */
+ if (!name->gn_value.value)
+ return (0);
+
+ m = _gss_find_mech_switch(mech);
+ if (!m)
+ return (0);
+
+ mn = malloc(sizeof(struct _gss_mechanism_name));
+ if (!mn)
+ return (0);
+
+ major_status = m->gm_import_name(&minor_status,
+ &name->gn_value,
+ (name->gn_type.elements
+ ? &name->gn_type : GSS_C_NO_OID),
+ &mn->gmn_name);
+ if (major_status) {
+ free(mn);
+ return (0);
+ }
+
+ mn->gmn_mech = m;
+ mn->gmn_mech_oid = &m->gm_mech_oid;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+ }
+ return (mn);
+}
+
+/*
+ * Make a name from an MN.
+ */
+struct _gss_name *
+_gss_make_name(struct _gss_mech_switch *m, gss_name_t new_mn)
+{
+ OM_uint32 minor_status;
+ struct _gss_name *name;
+ struct _gss_mechanism_name *mn;
+
+ name = malloc(sizeof(struct _gss_name));
+ if (!name)
+ return (0);
+ memset(name, 0, sizeof(struct _gss_name));
+
+ mn = malloc(sizeof(struct _gss_mechanism_name));
+ if (!mn) {
+ free(name);
+ return (0);
+ }
+
+ SLIST_INIT(&name->gn_mn);
+ mn->gmn_mech = m;
+ mn->gmn_mech_oid = &m->gm_mech_oid;
+ mn->gmn_name = new_mn;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+
+ return (name);
+}
+
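Review bot: `_gss_find_mn` swallows the mechanism's failure status: `minor_status` is a local, so when `gm_import_name` fails the caller only sees NULL and cannot distinguish a rejected name from ENOMEM or an unknown mechanism. Since the signature is internal, either take an `OM_uint32 *minor_status` out-parameter or at least state the contract above the function: `/* Find (importing on demand) the mechanism name for mech; returns NULL on allocation failure, unknown mechanism, or a failed gm_import_name (whose minor status is lost). */`. Two smaller points in the same hunk: `OM_uint32 minor_status` in `_gss_make_name` is declared but never used, and the pointer-returning functions use `return (0)` where `NULL` would make the intent explicit.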
diff --git a/lib/libgssapi/gss_process_context_token.3 b/lib/libgssapi/gss_process_context_token.3 new file mode 100644 index 000000000000..d9f6863724a2 --- /dev/null +++ b/lib/libgssapi/gss_process_context_token.3 
@@ -0,0 +1,136 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_PROCESS_CONTEXT_TOKEN 3 PRM +.Sh NAME +.Nm gss_process_context_token +.Nd Process a token on a security context from a peer application +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_process_context_token +.Fa "OM_uint32 *minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "const gss_buffer_t token_buffer" +.Fc +.Sh DESCRIPTION +Provides a way to pass an asynchronous token to the security service. +Most context-level tokens are emitted and processed synchronously by +.Fn gss_init_sec_context +and +.Fn gss_accept_sec_context , +and the application is informed as to whether further tokens are +expected by the +.Dv GSS_C_CONTINUE_NEEDED +major status bit. +Occasionally, +a mechanism may need to emit a context-level token at a point when the +peer entity is not expecting a token. 
+For example, +the initiator's final call to +.Fn gss_init_sec_context +may emit a token and return a status of +.Dv GSS_S_COMPLETE , +but the acceptor's call to +.Fn gss_accept_sec_context +may fail. +The acceptor's mechanism may wish to send a token containing an error +indication to the initiator, +but the initiator is not expecting a token at this point, +believing that the context is fully established. +.Fn gss_process_context_token +provides a way to pass such a token to the mechanism at any time. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +Context handle of context on which token is to be processed. +.It token_buffer +Token to process. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_DEFECTIVE_TOKEN +Indicates that consistency checks performed on the token failed +.It GSS_S_NO_CONTEXT +The +.Fa context_handle +did not refer to a valid context +.El +.Sh SEE ALSO +.Xr gss_init_sec_context 3 , +.Xr gss_accept_sec_context 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_process_context_token.c b/lib/libgssapi/gss_process_context_token.c new file mode 100644 index 000000000000..0b4d7ec9bfca --- /dev/null +++ b/lib/libgssapi/gss_process_context_token.c 
@@ -0,0 +1,44 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_process_context_token(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t token_buffer)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_process_context_token(minor_status, ctx->gc_ctx,
+ token_buffer));
+}
diff --git a/lib/libgssapi/gss_release_buffer.3 b/lib/libgssapi/gss_release_buffer.3
new file mode 100644
index 000000000000..3a583f4476e0
--- /dev/null
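Review bot: `context_handle` is dereferenced through `ctx->gc_mech` with no check for `GSS_C_NO_CONTEXT`, so an application that passes a null handle (for example after a failed context establishment) crashes inside the library, while the man page added in this same commit promises `GSS_S_NO_CONTEXT` for a handle that does not refer to a valid context. `gss_release_cred` elsewhere in this commit guards against `GSS_C_NO_CREDENTIAL` before touching its struct; the same guard belongs at the top of this function: `if (context_handle == GSS_C_NO_CONTEXT) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }`. The whole function is contained in the hunk.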
+++ b/lib/libgssapi/gss_release_buffer.3 
@@ -0,0 +1,111 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_RELEASE_BUFFER 3 PRM +.Sh NAME +.Nm gss_release_buffer +.Nd Discard a buffer +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_release_buffer +.Fa "OM_uint32 *minor_status" +.Fa "gss_buffer_t buffer" +.Fc +.Sh DESCRIPTION +Free storage associated with a buffer. +The storage must have been allocated by a GSS-API routine. +In addition to freeing the associated storage, +the routine will zero the length field in the descriptor to which the +buffer parameter refers, +and implementations are encouraged to additionally set the pointer +field in the descriptor to +.Dv NULL . +Any buffer object returned by a GSS-API routine may be passed to +.Fn gss_release_buffer +(even if there is no storage associated with the buffer). +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. 
+.It buffer +The storage associated with the buffer will be deleted. +The gss_buffer_desc object will not be freed, +but its length field will be zeroed. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.El +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_release_buffer.c b/lib/libgssapi/gss_release_buffer.c new file mode 100644 index 000000000000..8e7fa60e5471 --- /dev/null +++ b/lib/libgssapi/gss_release_buffer.c 
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+OM_uint32
+gss_release_buffer(OM_uint32 *minor_status,
+ gss_buffer_t buffer)
+{
+
+ *minor_status = 0;
+ if (buffer->value)
+ free(buffer->value);
+ buffer->length = 0;
+ buffer->value = 0;
+
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_release_cred.3 b/lib/libgssapi/gss_release_cred.3
new file mode 100644
index 000000000000..a4c5b7719fc6
--- /dev/null
+++ b/lib/libgssapi/gss_release_cred.3
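Review bot: `buffer` is dereferenced without a null check, so a caller passing `GSS_C_NO_BUFFER` faults on `buffer->value`, even though the man page in this commit says any buffer returned by a GSS-API routine may be passed here "even if there is no storage associated with the buffer". A one-line guard after `*minor_status = 0;` covers it: `if (buffer == GSS_C_NO_BUFFER) return (GSS_S_COMPLETE);`. The `if (buffer->value)` test around `free()` is redundant because `free(NULL)` is a no-op, and `buffer->value = 0;` reads more clearly as `buffer->value = NULL;`.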
@@ -0,0 +1,108 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_RELEASE_CRED 3 PRM +.Sh NAME +.Nm gss_release_cred +.Nd Discard a credential handle +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_release_cred +.Fa "OM_uint32 *minor_status" +.Fa "gss_cred_id_t *cred_handle" +.Fc +.Sh DESCRIPTION +Informs GSS-API that the specified credential handle is no longer +required by the application, +and frees associated resources. +Implementations are encouraged to set the cred_handle to +.Dv GSS_C_NO_CREDENTIAL +on successful completion of this call. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It cred_handle +Opaque handle identifying credential to be released. +If GSS_C_NO_CREDENTIAL is supplied, +the routine will complete successfully, but will do nothing. 
+.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_NO_CRED +Credentials could not be accessed +.El +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_release_cred.c b/lib/libgssapi/gss_release_cred.c new file mode 100644 index 000000000000..cec814c66291 --- /dev/null +++ b/lib/libgssapi/gss_release_cred.c 
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "cred.h"
+
+OM_uint32
+gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
+{
+ struct _gss_cred *cred = (struct _gss_cred *) *cred_handle;
+ struct _gss_mechanism_cred *mc;
+
+ if (*cred_handle == GSS_C_NO_CREDENTIAL)
+ return (GSS_S_COMPLETE);
+
+ while (SLIST_FIRST(&cred->gc_mc)) {
+ mc = SLIST_FIRST(&cred->gc_mc);
+ SLIST_REMOVE_HEAD(&cred->gc_mc, gmc_link);
+ mc->gmc_mech->gm_release_cred(minor_status, &mc->gmc_cred);
+ free(mc);
+ }
+ free(cred);
+
+ *minor_status = 0;
+ *cred_handle = 0;
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_release_name.3 b/lib/libgssapi/gss_release_name.3
new file mode 100644
index 000000000000..7b1390ed5399
--- /dev/null
+++ b/lib/libgssapi/gss_release_name.3
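Review bot: the major status of each `mc->gmc_mech->gm_release_cred(...)` call is discarded and `*minor_status` is then unconditionally reset to 0, so a mechanism that fails to release its credential is reported to the caller as `GSS_S_COMPLETE` with no minor code, even though the man page in this commit lists `GSS_S_NO_CRED` as a possible result. The early `GSS_C_NO_CREDENTIAL` return also leaves `*minor_status` unset, and `cred` is computed from `*cred_handle` before that check (harmless today, but it invites a later dereference above the guard). I would keep releasing every mechanism credential but remember the first failure, set `*minor_status` up front, and write `*cred_handle = GSS_C_NO_CREDENTIAL;` instead of `= 0`; the rewritten body is below. The whole function is in the hunk.
```c
OM_uint32
gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
{
	struct _gss_cred *cred;
	struct _gss_mechanism_cred *mc;
	OM_uint32 major_status, mech_major, mech_minor;

	*minor_status = 0;
	if (*cred_handle == GSS_C_NO_CREDENTIAL)
		return (GSS_S_COMPLETE);
	cred = (struct _gss_cred *) *cred_handle;

	major_status = GSS_S_COMPLETE;
	while (SLIST_FIRST(&cred->gc_mc)) {
		mc = SLIST_FIRST(&cred->gc_mc);
		SLIST_REMOVE_HEAD(&cred->gc_mc, gmc_link);
		mech_major = mc->gmc_mech->gm_release_cred(&mech_minor,
		    &mc->gmc_cred);
		/* Release everything, but report the first failure. */
		if (mech_major != GSS_S_COMPLETE &&
		    major_status == GSS_S_COMPLETE) {
			major_status = mech_major;
			*minor_status = mech_minor;
		}
		free(mc);
	}
	free(cred);

	*cred_handle = GSS_C_NO_CREDENTIAL;
	return (major_status);
}
```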
@@ -0,0 +1,104 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_RELEASE_NAME 3 PRM +.Sh NAME +.Nm gss_release_name +.Nd Discard an internal-form name +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_release_name +.Fa "OM_uint32 *minor_status" +.Fa "gss_name_t *name" +.Fc +.Sh DESCRIPTION +Free GSS-API allocated storage associated with an internal-form name. +Implementations are encouraged to set the name to +.Dv GSS_C_NO_NAME +on successful completion of this call. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It name +The name to be deleted. 
+.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_BAD_NAME +The name parameter did not contain a valid name +.El +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_release_name.c b/lib/libgssapi/gss_release_name.c new file mode 100644 index 000000000000..4294ad7c4b48 --- /dev/null +++ b/lib/libgssapi/gss_release_name.c 
@@ -0,0 +1,59 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_release_name(OM_uint32 *minor_status,
+ gss_name_t *input_name)
+{
+ struct _gss_name *name = (struct _gss_name *) *input_name;
+ struct _gss_mech_switch *m;
+
+ *minor_status = 0;
+ if (name) {
+ if (name->gn_type.elements)
+ free(name->gn_type.elements);
+ while (SLIST_FIRST(&name->gn_mn)) {
+ struct _gss_mechanism_name *mn;
+ mn = SLIST_FIRST(&name->gn_mn);
+ SLIST_REMOVE_HEAD(&name->gn_mn, gmn_link);
+ mn->gmn_mech->gm_release_name(minor_status,
+ &mn->gmn_name);
+ free(mn);
+ }
+ gss_release_buffer(minor_status, &name->gn_value);
+ *input_name = 0;
+ }
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_release_oid_set.3 b/lib/libgssapi/gss_release_oid_set.3
new file mode 100644
index 000000000000..48e8f16759ae
--- /dev/null
+++ b/lib/libgssapi/gss_release_oid_set.3
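Review bot: the `struct _gss_name` container is never freed — the body releases `gn_type.elements`, every mechanism name on `gn_mn` and the `gn_value` buffer, then clears `*input_name`, but there is no `free(name)` anywhere in the hunk, so each released name leaks its descriptor unless the struct is embedded in something else (nothing visible suggests it is). Add `free(name);` between the `gss_release_buffer` call and `*input_name = 0;`. `struct _gss_mech_switch *m` is declared and never used, the `if (name->gn_type.elements)` guard can go because `free(NULL)` is a no-op, and `*input_name = GSS_C_NO_NAME;` would mirror the constant the man page in this commit asks implementations to store.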
@@ -0,0 +1,109 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_RELEASE_OID_SET 3 PRM +.Sh NAME +.Nm gss_release_oid_set +.Nd Discard a set of object identifiers +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_release_oid_set +.Fa "OM_uint32 *minor_status" +.Fa "gss_OID_set *set" +.Fc +.Sh DESCRIPTION +Free storage associated with a GSS-API generated gss_OID_set object. +The set parameter must refer to an OID-set that was returned from a +GSS-API routine. +.Fn gss_release_oid_set +will free the storage associated with each individual member OID, +the OID set's elements array, +and the gss_OID_set_desc itself. +.Pp +Implementations are encouraged to set the gss_OID_set parameter to +.Dv GSS_C_NO_OID_SET +on successful completion of this routine. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. 
+.It set +The storage associated with the gss_OID_set will be deleted. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.El +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_release_oid_set.c b/lib/libgssapi/gss_release_oid_set.c new file mode 100644 index 000000000000..49c17ab8326a --- /dev/null +++ b/lib/libgssapi/gss_release_oid_set.c 
@@ -0,0 +1,46 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+OM_uint32
+gss_release_oid_set(OM_uint32 *minor_status,
+ gss_OID_set *set)
+{
+
+ *minor_status = 0;
+ if (*set) {
+ if ((*set)->elements)
+ free((*set)->elements);
+ free(*set);
+ *set = 0;
+ }
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_seal.c b/lib/libgssapi/gss_seal.c
new file mode 100644
index 000000000000..c3e3f7a83d66
--- /dev/null
+++ b/lib/libgssapi/gss_seal.c
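Review bot: the gss_release_oid_set.3 page added just above promises that the routine frees "the storage associated with each individual member OID", but the code frees only the `elements` array and the set descriptor — the per-member `elements` buffers are never touched, so if the routine that builds sets allocates one per OID (not visible in this chunk) they leak on every release. Either walk `(*set)->elements[i].elements` and free each member before the array, or correct the manual page to say only the array and descriptor are released; a caller who believes the page and does not free members itself will leak, one who disbelieves it will double-free once the implementation catches up. The `if ((*set)->elements)` guard is redundant since `free(NULL)` is a no-op, and `*set = GSS_C_NO_OID_SET;` follows the convention the same man page recommends.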
@@ -0,0 +1,45 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+OM_uint32
+gss_seal(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ int qop_req,
+ gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+
+ return (gss_wrap(minor_status,
+ context_handle, conf_req_flag, qop_req,
+ input_message_buffer, conf_state,
+ output_message_buffer));
+}
diff --git a/lib/libgssapi/gss_sign.c b/lib/libgssapi/gss_sign.c
new file mode 100644
index 000000000000..c521a7e533e6
--- /dev/null
+++ b/lib/libgssapi/gss_sign.c
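Review bot: gss_seal carries no comment saying why it exists beside gss_wrap; the gss_unwrap.3 page later in this commit explains that the V1 names are kept as distinct entry points so old binaries still link and because the parameter types differ (`int qop_req` here), and a one-line header such as `/* GSS-API V1 entry point; kept distinct from gss_wrap() for link compatibility and its int-typed parameters. */` would spare the next reader that trip. The same applies to gss_sign and gss_unseal in the following hunks. gss_sign also writes `return gss_get_mic(...)` without the parentheses every other return in these files uses; `return (gss_get_mic(...));` keeps the style uniform.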
@@ -0,0 +1,41 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+OM_uint32
+gss_sign(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int qop_req,
+ gss_buffer_t message_buffer,
+ gss_buffer_t message_token)
+{
+
+ return gss_get_mic(minor_status,
+ context_handle, qop_req, message_buffer, message_token);
+}
diff --git a/lib/libgssapi/gss_test_oid_set_member.3 b/lib/libgssapi/gss_test_oid_set_member.3
new file mode 100644
index 000000000000..e419d68e88e1
--- /dev/null
+++ b/lib/libgssapi/gss_test_oid_set_member.3
@@ -0,0 +1,116 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_TEST_OID_SET_MEMBER 3 PRM +.Sh NAME +.Nm gss_test_oid_set_member +.Nd Determines whether an object identifier is a member of a set +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_test_oid_set_member +.Fa "OM_uint32 *minor_status" +.Fa "const gss_OID member" +.Fa "const gss_OID_set set" +.Fa "int *present" +.Fc +.Sh DESCRIPTION +Interrogate an Object Identifier set to determine whether a specified +Object Identifier is a member. +This routine is intended to be used with OID sets returned by +.Fn gss_indicate_mechs , +.Fn gss_acquire_cred , +and +.Fn gss_inquire_cred , +but will also work with user-generated sets. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It member +The object identifier whose presence is to be tested. +.It set +The Object Identifier set. 
+.It present +Non-zero if the specified OID is a member of the set, zero if not. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.El +.Sh SEE ALSO +.Xr gss_indicate_mechs 3 , +.Xr gss_acquire_cred 3 , +.Xr gss_inquire_cred 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_test_oid_set_member.c b/lib/libgssapi/gss_test_oid_set_member.c new file mode 100644 index 000000000000..1a09540dbc53 --- /dev/null +++ b/lib/libgssapi/gss_test_oid_set_member.c 
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+static int
+_gss_oid_equal(const gss_OID oid1, const gss_OID oid2)
+{
+ if (oid1->length != oid2->length)
+ return (0);
+ if (memcmp(oid1->elements, oid2->elements, oid1->length))
+ return (0);
+ return (1);
+}
+
+OM_uint32
+gss_test_oid_set_member(OM_uint32 *minor_status,
+ const gss_OID member,
+ const gss_OID_set set,
+ int *present)
+{
+ int i;
+
+ *present = 0;
+ for (i = 0; i < set->count; i++)
+ if (_gss_oid_equal(member, &set->elements[i]))
+ *present = 1;
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+}
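Review bot: `set` is dereferenced without any check, so a caller passing `GSS_C_NO_OID_SET` — a legitimate value for a set that was never populated — crashes instead of learning that the OID is absent. The loop also keeps comparing after a match and indexes with `int i` against `set->count`, which is `size_t` in the RFC 2744 bindings, a signed/unsigned comparison `-Wextra` will flag; and `memcmp` needs `<string.h>`, while only one include is visible in the hunk, so confirm it is pulled in. Suggested body for the public routine, with the helper unchanged:
```c
/* … unchanged: _gss_oid_equal helper and gss_test_oid_set_member signature … */
	size_t i;

	*minor_status = 0;
	*present = 0;
	if (set == GSS_C_NO_OID_SET)
		return (GSS_S_COMPLETE);
	for (i = 0; i < set->count; i++) {
		if (_gss_oid_equal(member, &set->elements[i])) {
			*present = 1;
			break;
		}
	}
	return (GSS_S_COMPLETE);
```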
diff --git a/lib/libgssapi/gss_unseal.c b/lib/libgssapi/gss_unseal.c
new file mode 100644
index 000000000000..bc7dc26111c0
--- /dev/null
+++ b/lib/libgssapi/gss_unseal.c
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+OM_uint32
+gss_unseal(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ int *qop_state)
+{
+
+ return (gss_unwrap(minor_status,
+ context_handle, input_message_buffer,
+ output_message_buffer, conf_state, qop_state));
+}
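Review bot: `qop_state` is declared `int *` but passed straight through to gss_unwrap, whose prototype in the gss_unwrap.c hunk further down takes `gss_qop_t *`; if gss_qop_t is the OM_uint32 typedef of RFC 2744 that is an incompatible-pointer-type conversion the compiler warns about, and it only works because the two types happen to share a size. The gss_unwrap.3 page in this commit also lists gss_unseal with `gss_qop_t *qop_state`, so code and documentation disagree on the V1 signature. If `int *` is the intended compatibility type, keep it and go through a local of the right type rather than aliasing:
```c
	gss_qop_t qop;
	OM_uint32 major_status;

	major_status = gss_unwrap(minor_status,
	    context_handle, input_message_buffer,
	    output_message_buffer, conf_state, &qop);
	if (qop_state)
		*qop_state = (int)qop;
	return (major_status);
```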
diff --git a/lib/libgssapi/gss_unwrap.3 b/lib/libgssapi/gss_unwrap.3
new file mode 100644
index 000000000000..345ce30654a1
--- /dev/null
+++ b/lib/libgssapi/gss_unwrap.3
@@ -0,0 +1,191 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_UNWRAP 3 PRM +.Sh NAME +.Nm gss_unwrap , +.Nm gss_unseal +.Nd Convert a message previously protected by +.Xr gss_wrap 3 +back to a usable form +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_unwrap +.Fa "OM_uint32 *minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "const gss_buffer_t input_message_buffer" +.Fa "gss_buffer_t output_message_buffer" +.Fa "int *conf_state" +.Fa "gss_qop_t *qop_state" +.Fc +.Ft OM_uint32 +.Fo gss_unseal +.Fa "OM_uint32 *minor_status" +.Fa "gss_ctx_id_t context_handle" +.Fa "gss_buffer_t input_message_buffer" +.Fa "gss_buffer_t output_message_buffer" +.Fa "int *conf_state" +.Fa "gss_qop_t *qop_state" +.Fc +.Sh DESCRIPTION +Converts a message previously protected by +.Xr gss_wrap 3 +back to a usable form, +verifying the embedded MIC. 
+The +.Dv conf_state +parameter indicates whether the message was encrypted; +the +.Dv qop_state +parameter indicates the strength of protection that was used to provide the +confidentiality and integrity services. +.Pp +Since some application-level protocols may wish to use tokens emitted +by +.Xr gss_wrap 3 +to provide "secure framing", +implementations must support the wrapping and unwrapping of +zero-length messages. +.Pp +The +.Fn gss_unseal +routine is an obsolete variant of +.Fn gss_unwrap . +It is +provided for backwards +compatibility with applications using the GSS-API V1 interface. +A distinct entrypoint (as opposed to #define) is provided, +both to allow GSS-API V1 applications to link +and to retain the slight parameter type differences between the +obsolete versions of this routine and its current form. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +Identifies the context on which the message arrived. +.It input_message_buffer +Protected message. +.It output_message_buffer +Buffer to receive unwrapped message. +Storage associated with this buffer must +be freed by the application after use use +with a call to +.Xr gss_release_buffer 3 . +.It conf_state +.Bl -tag -width "Non-zero" +.It Non-zero +Confidentiality and integrity protection were used. +.It Zero +Integrity service only was used. +.El +.Pp +Specify NULL if not required. +.It qop_state +Quality of protection provided. Specify NULL if not required. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion. +.It GSS_S_DEFECTIVE_TOKEN +The token failed consistency checks. +.It GSS_S_BAD_SIG +The MIC was incorrect +.It GSS_S_DUPLICATE_TOKEN +The token was valid, and contained a correct +MIC for the message, but it had already been +processed. +.It GSS_S_OLD_TOKEN +The token was valid, and contained a correct MIC +for the message, but it is too old to check for +duplication. 
+.It GSS_S_UNSEQ_TOKEN +The token was valid, and contained a correct MIC +for the message, but has been verified out of +sequence; a later token has already been +received. +.It GSS_S_GAP_TOKEN +The token was valid, and contained a correct MIC +for the message, but has been verified out of +sequence; an earlier expected token has not yet +been received. +.It GSS_S_CONTEXT_EXPIRED +The context has already expired. +.It GSS_S_NO_CONTEXT +The context_handle parameter did not identify a valid context. +.El +.Sh SEE ALSO +.Xr gss_wrap 3 , +.Xr gss_release_buffer 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_unwrap.c b/lib/libgssapi/gss_unwrap.c new file mode 100644 index 000000000000..9ccc848d3efe --- /dev/null +++ b/lib/libgssapi/gss_unwrap.c 
@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_unwrap(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_unwrap(minor_status, ctx->gc_ctx,
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state));
+}
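Review bot: `ctx->gc_mech` is dereferenced before anything checks that `context_handle` is non-null, so a caller that passes GSS_C_NO_CONTEXT crashes inside the library instead of getting the GSS_S_NO_CONTEXT status that the gss_unwrap man page earlier in this diff promises for a handle that "did not identify a valid context". A guard between the two declarations and the mechanism call keeps the documented contract: `if (ctx == NULL) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }`. The same unchecked dereference is in gss_verify_mic.c, gss_wrap.c and gss_wrap_size_limit.c in this commit, and the gss_verify() wrapper inherits it through gss_verify_mic(). Rejecting the null handle in the mechanism-independent layer also means no mechanism plugin has to be trusted to do it.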
diff --git a/lib/libgssapi/gss_utils.c b/lib/libgssapi/gss_utils.c
new file mode 100644
index 000000000000..d9f3e8926189
--- /dev/null
+++ b/lib/libgssapi/gss_utils.c
@@ -0,0 +1,79 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include "utils.h"
+
+int
+_gss_oid_equal(const gss_OID oid1, const gss_OID oid2)
+{
+ if (oid1->length != oid2->length)
+ return (0);
+ if (memcmp(oid1->elements, oid2->elements, oid1->length))
+ return (0);
+ return (1);
+}
+
+OM_uint32
+_gss_copy_oid(OM_uint32 *minor_status,
+ const gss_OID from_oid, gss_OID to_oid)
+{
+ size_t len = from_oid->length;
+
+ *minor_status = 0;
+ to_oid->elements = malloc(len);
+ if (!to_oid->elements) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ to_oid->length = len;
+ memcpy(to_oid->elements, from_oid->elements, len);
+ return (GSS_S_COMPLETE);
+}
+
+
+OM_uint32
+_gss_copy_buffer(OM_uint32 *minor_status,
+ const gss_buffer_t from_buf, gss_buffer_t to_buf)
+{
+ size_t len = from_buf->length;
+
+ *minor_status = 0;
+ to_buf->value = malloc(len);
+ if (!to_buf->value) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ to_buf->length = len;
+ memcpy(to_buf->value, from_buf->value, len);
+ return (GSS_S_COMPLETE);
+}
+
diff --git a/lib/libgssapi/gss_verify.c b/lib/libgssapi/gss_verify.c
new file mode 100644
index 000000000000..31108750e3dd
--- /dev/null
+++ b/lib/libgssapi/gss_verify.c
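Review bot: `_gss_copy_buffer` and `_gss_copy_oid` do not handle a zero-length source: `malloc(0)` is permitted to return NULL, which the following check reports as ENOMEM / GSS_S_FAILURE, and `memcpy` is then reached with whatever `from_buf->value` holds, which for an empty buffer is commonly NULL. Zero-length messages are explicitly required to work by the gss_wrap and gss_unwrap pages in this same commit, so the empty case should be an early success rather than an allocation. On the failure path the destination's `length` is also left stale while `value`/`elements` is NULL, so a caller that inspects the struct after an error sees a length with no storage behind it; resetting both fields up front makes the output well-defined on every return. The rewrite below is for `_gss_copy_buffer`; `_gss_copy_oid` needs the same two changes (and, as a point of style, both could parenthesize `return GSS_S_FAILURE` like the other returns in the file).
```c
OM_uint32
_gss_copy_buffer(OM_uint32 *minor_status,
    const gss_buffer_t from_buf, gss_buffer_t to_buf)
{
	size_t len = from_buf->length;

	*minor_status = 0;
	to_buf->length = 0;
	to_buf->value = NULL;
	/* Empty buffers are legal; don't let malloc(0) read as ENOMEM. */
	if (len == 0)
		return (GSS_S_COMPLETE);
	to_buf->value = malloc(len);
	if (!to_buf->value) {
		*minor_status = ENOMEM;
		return (GSS_S_FAILURE);
	}
	/* … unchanged: set to_buf->length, memcpy, return GSS_S_COMPLETE … */
```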
@@ -0,0 +1,41 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+OM_uint32
+gss_verify(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t message_buffer,
+ gss_buffer_t token_buffer,
+ int *qop_state)
+{
+
+ return (gss_verify_mic(minor_status,
+ context_handle, message_buffer, token_buffer, qop_state));
+}
diff --git a/lib/libgssapi/gss_verify_mic.3 b/lib/libgssapi/gss_verify_mic.3
new file mode 100644
index 000000000000..0abb83e5bf24
--- /dev/null
+++ b/lib/libgssapi/gss_verify_mic.3
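Review bot: `gss_verify` hands its `int *qop_state` straight to `gss_verify_mic`, whose last parameter is `gss_qop_t *` (see gss_verify_mic.c in this commit); without a cast that is an incompatible-pointer-type conversion a conforming compiler diagnoses, and the gss_verify_mic.3 synopsis added in the same commit declares gss_verify with `gss_qop_t *qop_state`, so the code and its documentation disagree on the type. If the `int *` is deliberately kept for V1 callers, make the conversion explicit and say why: `/* V1 signature keeps int *qop_state; convert to the V2 type */` followed by `return (gss_verify_mic(minor_status, context_handle, message_buffer, token_buffer, (gss_qop_t *)qop_state));`; otherwise align the man page's synopsis with the code. A one-line comment above the function stating that it exists only for GSS-API V1 binary compatibility would also help the next reader, since nothing in the file says so.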
@@ -0,0 +1,172 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_VERIFY_MIC 3 PRM +.Sh NAME +.Nm gss_verify_mic , +.Nm gss_verify +.Nd Check a MIC against a message; verify integrity of a received message +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_verify_mic +.Fa "OM_uint32 *minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "const gss_buffer_t message_buffer" +.Fa "const gss_buffer_t token_buffer" +.Fa "gss_qop_t *qop_state" +.Fc +.Ft OM_uint32 +.Fo gss_verify +.Fa "OM_uint32 *minor_status" +.Fa "gss_ctx_id_t context_handle" +.Fa "gss_buffer_t message_buffer" +.Fa "gss_buffer_t token_buffer" +.Fa "gss_qop_t *qop_state" +.Fc +.Sh DESCRIPTION +Verifies that a cryptographic MIC, +contained in the token parameter, +fits the supplied message. 
+The +.Fa qop_state +parameter allows a message recipient to determine the strength of +protection that was applied to the message. +.Pp +Since some application-level protocols may wish to use tokens emitted +by +.Fn gss_wrap +to provide "secure framing", +implementations must support the calculation and verification of MICs +over zero-length messages. +.Pp +The +.Fn gss_verify +routine is an obsolete variant of +.Fn gss_verify_mic . +It is provided for backwards +compatibility with applications using the GSS-API V1 interface. +A distinct entrypoint (as opposed to #define) is provided, +both to allow GSS-API V1 applications to link +and to retain the slight parameter type differences between the +obsolete versions of this routine and its current form. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +Identifies the context on which the message arrived. +.It message_buffer +Message to be verified. +.It token_buffer +Token associated with message. +.It qop_state +Quality of protection gained from MIC. +Specify +.Dv NULL +if not required. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion +.It GSS_S_DEFECTIVE_TOKEN +The token failed consistency checks +.It GSS_S_BAD_SIG +The MIC was incorrect +.It GSS_S_DUPLICATE_TOKEN +The token was valid, +and contained a correct MIC for the message, +but it had already been processed +.It GSS_S_OLD_TOKEN +The token was valid, +and contained a correct MIC for the message, +but it is too old to check for duplication +.It GSS_S_UNSEQ_TOKEN +The token was valid, +and contained a correct MIC for the message, +but has been verified out of sequence; +a later token has already been received. 
+.It GSS_S_GAP_TOKEN +The token was valid, +and contained a correct MIC for the message, +but has been verified out of sequence; +an earlier expected token has not yet been received +.It GSS_S_CONTEXT_EXPIRED +The context has already expired +.It GSS_S_NO_CONTEXT +The context_handle parameter did not identify a valid context +.El +.Sh SEE ALSO +.Xr gss_wrap 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.El +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_verify_mic.c b/lib/libgssapi/gss_verify_mic.c new file mode 100644 index 000000000000..4e11ab1e08fc --- /dev/null +++ b/lib/libgssapi/gss_verify_mic.c 
@@ -0,0 +1,46 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_verify_mic(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t *qop_state)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_verify_mic(minor_status, ctx->gc_ctx,
+ message_buffer, token_buffer, qop_state));
+}
diff --git a/lib/libgssapi/gss_wrap.3 b/lib/libgssapi/gss_wrap.3
new file mode 100644
index 000000000000..342d5906653d
--- /dev/null
+++ b/lib/libgssapi/gss_wrap.3
@@ -0,0 +1,178 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_WRAP 3 PRM +.Sh NAME +.Nm gss_wrap , +.Nm gss_seal +.Nd Attach a cryptographic MIC and optionally encrypt a message +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_wrap +.Fa "OM_uint32 *minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "int conf_req_flag" +.Fa "gss_qop_t qop_req" +.Fa "const gss_buffer_t input_message_buffer" +.Fa "int *conf_state" +.Fa "gss_buffer_t output_message_buffer" +.Fc +.Ft OM_uint32 +.Fo gss_seal +.Fa "OM_uint32 *minor_status" +.Fa "gss_ctx_id_t context_handle" +.Fa "int conf_req_flag" +.Fa "gss_qop_t qop_req" +.Fa "gss_buffer_t input_message_buffer" +.Fa "int *conf_state" +.Fa "gss_buffer_t output_message_buffer" +.Fc +.Sh DESCRIPTION +Attaches a cryptographic MIC and optionally encrypts the specified +.Dv input_message . 
+The output_message contains both the MIC and the message. +The +.Dv qop_req +parameter allows a choice between several cryptographic algorithms, +if supported by the chosen mechanism. +.Pp +Since some application-level protocols may wish to use tokens emitted +by +.Fn gss_wrap +to provide "secure framing", +implementations must support the wrapping of zero-length messages. +.Pp +The +.Fn gss_seal +routine is an obsolete variant of +.Fn gss_wrap . +It is +provided for backwards +compatibility with applications using the GSS-API V1 interface. +A distinct entrypoint (as opposed to #define) is provided, +both to allow GSS-API V1 applications to link +and to retain the slight parameter type differences between the +obsolete versions of this routine and its current form. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +Identifies the context on which the message will be sent. +.It conf_req_flag +.Bl -tag -width "Non-zero" +.It Non-zero +Both confidentiality and integrity services are requested. +.It Zero +Only integrity service is requested. +.El +.It qop_req +Specifies required quality of protection. +A mechanism-specific default may be requested by setting qop_req to +.Dv GSS_C_QOP_DEFAULT . +If an unsupported protection strength is requested, +.Fn gss_wrap +will return a major_status of +.Dv GSS_S_BAD_QOP . +.It input_message_buffer +Message to be protected. +.It conf_state +.Bl -tag -width "Non-zero" +.It Non-zero +Confidentiality, data origin authentication and integrity services +have been applied. +.It Zero +Integrity and data origin services only has been applied. +.El +.It output_message_buffer +Buffer to receive protected message. +Storage associated with this buffer must +be freed by the application after use use +with a call to +.Xr gss_release_buffer 3 . +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion. 
+.It GSS_S_CONTEXT_EXPIRED +The context has already expired +.It GSS_S_NO_CONTEXT +The context_handle parameter did not identify a valid context. +.It GSS_S_BAD_QOP +The specified QOP is not supported by the mechanism. +.El +.Sh SEE ALSO +.Xr gss_unwrap 3 , +.Xr gss_release_buffer 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_wrap.c b/lib/libgssapi/gss_wrap.c new file mode 100644 index 000000000000..0d7c74933c31 --- /dev/null +++ b/lib/libgssapi/gss_wrap.c 
@@ -0,0 +1,49 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_wrap(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ const gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_wrap(minor_status, ctx->gc_ctx,
+ conf_req_flag, qop_req, input_message_buffer,
+ conf_state, output_message_buffer));
+}
diff --git a/lib/libgssapi/gss_wrap_size_limit.3 b/lib/libgssapi/gss_wrap_size_limit.3
new file mode 100644
index 000000000000..63017e269db6
--- /dev/null
+++ b/lib/libgssapi/gss_wrap_size_limit.3
@@ -0,0 +1,163 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.\" The following commands are required for all man pages. +.Dd November 12, 2005 +.Os +.Dt GSS_WRAP_SIZE_LIMIT 3 PRM +.Sh NAME +.Nm gss_wrap_size_limit +.Nd Determine maximum message sizes +.\" This next command is for sections 2 and 3 only. +.\" .Sh LIBRARY +.Sh SYNOPSIS +.In "gssapi/gssapi.h" +.Ft OM_uint32 +.Fo gss_wrap_size_limit +.Fa "OM_uint32 *minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "int conf_req_flag" +.Fa "gss_qop_t qop_req" +.Fa "OM_uint32 req_output_size" +.Fa "OM_uint32 *max_input_size" +.Fc +.Sh DESCRIPTION +Allows an application to determine the maximum message size that, +if presented to +.Xr gss_wrap 3 +with the same +.Dv conf_req_flag +and +.Dv qop_req +parameters, +will result in an output token containing no more than +.Dv req_output_size +bytes. +.Pp +This call is intended for use by applications that +communicate over protocols that impose a maximum message size. 
+It enables the application to fragment messages prior to applying protection. +.Pp +GSS-API implementations are recommended but not required to detect +invalid QOP values when +.Fn gss_wrap_size_limit +is called. +This routine guarantees only a maximum message size, +not the availability of specific QOP values for message protection. +.Pp +Successful completion of this call does not guarantee that +.Xr gss_wrap 3 +will be able to protect a message of length max_input_size bytes, +since this ability may depend on the availability of system resources +at the time that +.Xr gss_wrap 3 +is called. +However, if the implementation itself imposes an upper limit on +the length of messages that may be processed by gss_wrap, +the implementation should not return a value via +.Dv max_input_bytes +that is greater than this length. +.Sh PARAMETERS +.Bl -tag +.It minor_status +Mechanism specific status code. +.It context_handle +A handle that refers to the security over which the messages will be sent. +.It conf_req_flag +Indicates whether +.Xr gss_wrap 3 +will be asked to apply confidentiality protection +in addition to integrity protection. +.It qop_req +Indicates the level of protection that +.Xr gss_wrap 3 +will be asked to provide. +.It req_output_size +The desired maximum size for tokens emitted by +.Xr gss_wrap 3 . +.It max_input_size +The maximum input message size that may be presented to +.Xr gss_wrap 3 +in order to guarantee that the emitted token shall +be no larger than +.Dv req_output_size +bytes. +.El +.Sh RETURN VALUES +.Bl -tag +.It GSS_S_COMPLETE +Successful completion. +.It GSS_S_NO_CONTEXT +The referenced context could not be accessed. +.It GSS_S_CONTEXT_EXPIRED +The context has expired. +.It GSS_S_BAD_QOP +The specified QOP is not supported by the mechanism. 
+.El +.Sh SEE ALSO +.Xr gss_wrap 3 +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.\" .Sh HISTORY +.Sh HISTORY +The +.Nm +manual page example first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/gss_wrap_size_limit.c b/lib/libgssapi/gss_wrap_size_limit.c new file mode 100644 index 000000000000..8abd52a12094 --- /dev/null +++ b/lib/libgssapi/gss_wrap_size_limit.c 
@@ -0,0 +1,47 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_wrap_size_limit(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_output_size,
+ OM_uint32 *max_input_size)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_wrap_size_limit(minor_status, ctx->gc_ctx,
+ conf_req_flag, qop_req, req_output_size, max_input_size));
+}
diff --git a/lib/libgssapi/gssapi.3 b/lib/libgssapi/gssapi.3
new file mode 100644
index 000000000000..4eae06389e27
--- /dev/null
+++ b/lib/libgssapi/gssapi.3
@@ -0,0 +1,261 @@ +.\" -*- nroff -*- +.\" +.\" Copyright (c) 2005 Doug Rabson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Copyright (C) The Internet Society (2000). All Rights Reserved. +.\" +.\" This document and translations of it may be copied and furnished to +.\" others, and derivative works that comment on or otherwise explain it +.\" or assist in its implementation may be prepared, copied, published +.\" and distributed, in whole or in part, without restriction of any +.\" kind, provided that the above copyright notice and this paragraph are +.\" included on all such copies and derivative works. 
However, this +.\" document itself may not be modified in any way, such as by removing +.\" the copyright notice or references to the Internet Society or other +.\" Internet organizations, except as needed for the purpose of +.\" developing Internet standards in which case the procedures for +.\" copyrights defined in the Internet Standards process must be +.\" followed, or as required to translate it into languages other than +.\" English. +.\" +.\" The limited permissions granted above are perpetual and will not be +.\" revoked by the Internet Society or its successors or assigns. +.\" +.\" This document and the information contained herein is provided on an +.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +.\" +.Dd November 30, 2005 +.Dt GSSAPI 3 +.Os +.Sh NAME +.Nm gssapi +.Nd "Generic Security Services API" +.Sh LIBRARY +GSS-API Library (libgssapi, -lgssapi) +.Sh SYNOPSIS +.In gssapi/gssapi.h +.Sh DESCRIPTION +The Generic Security Service Application Programming Interface +provides security services to its callers, +and is intended for implementation atop a variety of underlying +cryptographic mechanisms. +Typically, GSS-API callers will be application protocols into which +security enhancements are integrated through invocation of services +provided by the GSS-API. +The GSS-API allows a caller application to authenticate a principal +identity associated with a peer application, to delegate rights to a +peer, +and to apply security services such as confidentiality and integrity +on a per-message basis. 
+.Pp +There are four stages to using the GSS-API: +.Pp +.Bl -tag -width "a)" +.It a) +The application acquires a set of credentials with which it may prove +its identity to other processes. +The application's credentials vouch for its global identity, +which may or may not be related to any local username under which it +may be running. +.It b) +A pair of communicating applications establish a joint security +context using their credentials. +The security context is a pair of GSS-API data structures that contain +shared state information, which is required in order that per-message +security services may be provided. +Examples of state that might be shared between applications as part of +a security context are cryptographic keys, +and message sequence numbers. +As part of the establishment of a security context, +the context initiator is authenticated to the responder, +and may require that the responder is authenticated in turn. +The initiator may optionally give the responder the right to initiate +further security contexts, +acting as an agent or delegate of the initiator. +This transfer of rights is termed delegation, +and is achieved by creating a set of credentials, +similar to those used by the initiating application, +but which may be used by the responder. +.Pp +To establish and maintain the shared information that makes up the +security context, +certain GSS-API calls will return a token data structure, +which is an opaque data type that may contain cryptographically +protected data. +The caller of such a GSS-API routine is responsible for transferring +the token to the peer application, +encapsulated if necessary in an application protocol. +On receipt of such a token, the peer application should pass it to a +corresponding GSS-API routine which will decode the token and extract +the information, +updating the security context state information accordingly. 
+.It c) +Per-message services are invoked to apply either: +.Pp +integrity and data origin authentication, or confidentiality, +integrity and data origin authentication to application data, +which are treated by GSS-API as arbitrary octet-strings. +An application transmitting a message that it wishes to protect will +call the appropriate GSS-API routine (gss_get_mic or gss_wrap) to +apply protection, +specifying the appropriate security context, +and send the resulting token to the receiving application. +The receiver will pass the received token (and, in the case of data +protected by gss_get_mic, the accompanying message-data) to the +corresponding decoding routine (gss_verify_mic or gss_unwrap) to +remove the protection and validate the data. +.It d) +At the completion of a communications session (which may extend across +several transport connections), +each application calls a GSS-API routine to delete the security +context. +Multiple contexts may also be used (either successively or +simultaneously) within a single communications association, at the +option of the applications. +.El +.Sh GSS-API ROUTINES +This section lists the routines that make up the GSS-API, +and offers a brief description of the purpose of each routine. +.Pp +GSS-API Credential-management Routines: +.Bl -tag -width "gss_inquire_cred_by_mech" +.It gss_acquire_cred +Assume a global identity; Obtain a GSS-API credential handle for +pre-existing credentials. +.It gss_add_cred +Construct credentials incrementally +.It gss_inquire_cred +Obtain information about a credential +.It gss_inquire_cred_by_mech +Obtain per-mechanism information about a credential. +.It gss_release_cred +Discard a credential handle. 
+.El +.Pp +GSS-API Context-Level Routines: +.Bl -tag -width "gss_inquire_cred_by_mech" +.It gss_init_sec_context +Initiate a security context with a peer application +.It gss_accept_sec_context + Accept a security context initiated by a peer application +.It gss_delete_sec_context +Discard a security context +.It gss_process_context_token +Process a token on a security context from a peer application +.It gss_context_time +Determine for how long a context will remain valid +.It gss_inquire_context +Obtain information about a security context +.It gss_wrap_size_limit +Determine token-size limit for +.Xr gss_wrap 3 +on a context +.It gss_export_sec_context +Transfer a security context to another process +.It gss_import_sec_context +Import a transferred context +.El +.Pp +GSS-API Per-message Routines: +.Bl -tag -width "gss_inquire_cred_by_mech" +.It gss_get_mic +Calculate a cryptographic message integrity code (MIC) for a message; +integrity service +.It gss_verify_mic +Check a MIC against a message; +verify integrity of a received message +.It gss_wrap +Attach a MIC to a message, and optionally encrypt the message content; +confidentiality service +.It gss_unwrap +Verify a message with attached MIC, and decrypt message content if +necessary. 
+.El +.Pp +GSS-API Name manipulation Routines: +.Bl -tag -width "gss_inquire_cred_by_mech" +.It gss_import_name +Convert a contiguous string name to internal-form +.It gss_display_name +Convert internal-form name to text +.It gss_compare_name +Compare two internal-form names +.It gss_release_name +Discard an internal-form name +.It gss_inquire_names_for_mech +List the name-types supported by the specified mechanism +.It gss_inquire_mechs_for_name +List mechanisms that support the specified name-type +.It gss_canonicalize_name +Convert an internal name to an MN +.It gss_export_name +Convert an MN to export form +.It gss_duplicate_name +Create a copy of an internal name +.El +.Pp +GSS-API Miscellaneous Routines +.Bl -tag -width "gss_inquire_cred_by_mech" +.It gss_add_oid_set_member +Add an object identifier to a set +.It gss_display_status +Convert a GSS-API status code to text +.It gss_indicate_mechs +Determine available underlying authentication mechanisms +.It gss_release_buffer +Discard a buffer +.It gss_release_oid_set +Discard a set of object identifiers +.It gss_create_empty_oid_set +Create a set containing no object identifiers +.It gss_test_oid_set_member +Determines whether an object identifier is a member of a set. +.El +.Pp +Individual GSS-API implementations may augment these routines by +providing additional mechanism-specific routines if required +functionality is not available from the generic forms. +Applications are encouraged to use the generic routines wherever +possible on portability grounds. +.Sh STANDARDS +.Bl -tag +.It RFC 2743 +Generic Security Service Application Program Interface Version 2, Update 1 +.It RFC 2744 +Generic Security Service API Version 2 : C-bindings +.El +.Sh HISTORY +The +.Nm +manual page first appeared in +.Fx 7.0 . +.Sh AUTHORS +John Wray, Iris Associates diff --git a/lib/libgssapi/mech.5 b/lib/libgssapi/mech.5 new file mode 100644 index 000000000000..1edcc1a846df --- /dev/null +++ b/lib/libgssapi/mech.5 
@@ -0,0 +1,94 @@
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.Dd November 14, 2005
+.Dt MECH 5
+.Os
+.Sh NAME
+.Nm mech ,
+.Nm qop
+.Nd "GSS-API Mechanism and QOP files"
+.Sh SYNOPSIS
+.Pa "/etc/gss/mech"
+.Pa "/etc/gss/qop"
+.Sh DESCRIPTION
+The
+.Pa "/etc/gss/mech"
+file contains a list of installed GSS-API security mechanisms.
+Each line of the file either contains a comment if the first character
+is '#' or it contains five fields with the following meanings:
+.Bl -tag
+.It Name
+The name of this GSS-API mechanism.
+.It Object identifier
+The OID for this mechanism.
+.It Library
+A shared library containing the implementation of this mechanism.
+.It Kernel module (optional)
+A kernel module containing the implementation of this mechanism (not
+yet supported in FreeBSD).
+.It Library options (optional)
+Optionsal parameters interpreted by the mechanism. Library options
+must be enclosed in brackets ([ ]) to differentiate them from the
+optional kernel module entry.
+.El
+.Pp
+The
+.Pa "/etc/gss/qop"
+file contains a list of Quality of Protection values for use with
+GSS-API.
+Each line of the file either contains a comment if the first character
+is '#' or it contains three fields with the following meanings:
+.Bl -tag
+.It QOP string
+The name of this Quality of Protection algorithm.
+.It QOP value
+The numeric value used to select this algorithm for use with GSS-API
+functions such as
+.Xr gss_get_mic 3 .
+.It Mechanism name
+The GSS-API mechanism name that corresponds to this algorithm.
+.El
+.Sh EXAMPLES
+This is a typical entry from
+.Pa "/etc/gss/mech" :
+.Bd -literal
+kerberosv5 1.2.840.113554.1.2.2 /usr/lib/libgssapi_krb5.so.8 -
+.Ed
+.Pp
+This is a typical entry from
+.Pa "/etc/gss/qop" :
+.Bd -literal
+GSS_KRB5_CONF_C_QOP_DES 0x0100 kerberosv5
+.Ed
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+This
+manual page was written by
+.An Doug Rabson Aq dfr@FreeBSD.org .
diff --git a/lib/libgssapi/mech_switch.h b/lib/libgssapi/mech_switch.h
new file mode 100644
index 000000000000..4add12d8af10
--- /dev/null
+++ b/lib/libgssapi/mech_switch.h
@@ -0,0 +1,327 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+typedef OM_uint32 _gss_acquire_cred_t
+ (OM_uint32 *, /* minor_status */
+ const gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ const gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 * /* time_rec */
+ );
+
+typedef OM_uint32 _gss_release_cred_t
+ (OM_uint32 *, /* minor_status */
+ gss_cred_id_t * /* cred_handle */
+ );
+
+typedef OM_uint32 _gss_init_sec_context_t
+ (OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* initiator_cred_handle */
+ gss_ctx_id_t *, /* context_handle */
+ const gss_name_t, /* target_name */
+ const gss_OID, /* mech_type */
+ OM_uint32, /* req_flags */
+ OM_uint32, /* time_req */
+ const gss_channel_bindings_t,
+ /* input_chan_bindings */
+ const gss_buffer_t, /* input_token */
+ gss_OID *, /* actual_mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 *, /* ret_flags */
+ OM_uint32 * /* time_rec */
+ );
+
+typedef OM_uint32 _gss_accept_sec_context_t
+ (OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ const gss_cred_id_t, /* acceptor_cred_handle */
+ const gss_buffer_t, /* input_token_buffer */
+ const gss_channel_bindings_t,
+ /* input_chan_bindings */
+ gss_name_t *, /* src_name */
+ gss_OID *, /* mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 *, /* ret_flags */
+ OM_uint32 *, /* time_rec */
+ gss_cred_id_t * /* delegated_cred_handle */
+ );
+
+typedef OM_uint32 _gss_process_context_token_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ const gss_buffer_t /* token_buffer */
+ );
+
+typedef OM_uint32 _gss_delete_sec_context_t
+ (OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t /* output_token */
+ );
+
+typedef OM_uint32 _gss_context_time_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ OM_uint32 * /* time_rec */
+ );
+
+typedef OM_uint32 _gss_get_mic_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ gss_qop_t, /* qop_req */
+ const gss_buffer_t, /* message_buffer */
+ gss_buffer_t /* message_token */
+ );
+
+typedef OM_uint32 _gss_verify_mic_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ const gss_buffer_t, /* message_buffer */
+ const gss_buffer_t, /* token_buffer */
+ gss_qop_t * /* qop_state */
+ );
+
+typedef OM_uint32 _gss_wrap_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ const gss_buffer_t, /* input_message_buffer */
+ int *, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+ );
+
+typedef OM_uint32 _gss_unwrap_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ const gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int *, /* conf_state */
+ gss_qop_t * /* qop_state */
+ );
+
+typedef OM_uint32 _gss_display_status_t
+ (OM_uint32 *, /* minor_status */
+ OM_uint32, /* status_value */
+ int, /* status_type */
+ const gss_OID, /* mech_type */
+ OM_uint32 *, /* message_context */
+ gss_buffer_t /* status_string */
+ );
+
+typedef OM_uint32 _gss_indicate_mechs_t
+ (OM_uint32 *, /* minor_status */
+ gss_OID_set * /* mech_set */
+ );
+
+typedef OM_uint32 _gss_compare_name_t
+ (OM_uint32 *, /* minor_status */
+ const gss_name_t, /* name1 */
+ const gss_name_t, /* name2 */
+ int * /* name_equal */
+ );
+
+typedef OM_uint32 _gss_display_name_t
+ (OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_buffer_t, /* output_name_buffer */
+ gss_OID * /* output_name_type */
+ );
+
+typedef OM_uint32 _gss_import_name_t
+ (OM_uint32 *, /* minor_status */
+ const gss_buffer_t, /* input_name_buffer */
+ const gss_OID, /* input_name_type */
+ gss_name_t * /* output_name */
+ );
+
+typedef OM_uint32 _gss_export_name_t
+ (OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_buffer_t /* exported_name */
+ );
+
+typedef OM_uint32 _gss_release_name_t
+ (OM_uint32 *, /* minor_status */
+ gss_name_t * /* input_name */
+ );
+
+typedef OM_uint32 _gss_inquire_cred_t
+ (OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* cred_handle */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* lifetime */
+ gss_cred_usage_t *, /* cred_usage */
+ gss_OID_set * /* mechanisms */
+ );
+
+typedef OM_uint32 _gss_inquire_context_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ gss_name_t *, /* src_name */
+ gss_name_t *, /* targ_name */
+ OM_uint32 *, /* lifetime_rec */
+ gss_OID *, /* mech_type */
+ OM_uint32 *, /* ctx_flags */
+ int *, /* locally_initiated */
+ int * /* open */
+ );
+
+typedef OM_uint32 _gss_wrap_size_limit_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ OM_uint32, /* req_output_size */
+ OM_uint32 * /* max_input_size */
+ );
+
+typedef OM_uint32 _gss_add_cred_t (
+ OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* input_cred_handle */
+ const gss_name_t, /* desired_name */
+ const gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *, /* initiator_time_rec */
+ OM_uint32 * /* acceptor_time_rec */
+ );
+
+typedef OM_uint32 _gss_inquire_cred_by_mech_t (
+ OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* cred_handle */
+ const gss_OID, /* mech_type */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* initiator_lifetime */
+ OM_uint32 *, /* acceptor_lifetime */
+ gss_cred_usage_t * /* cred_usage */
+ );
+
+typedef OM_uint32 _gss_export_sec_context_t (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t /* interprocess_token */
+ );
+
+typedef OM_uint32 _gss_import_sec_context_t (
+ OM_uint32 *, /* minor_status */
+ const gss_buffer_t, /* interprocess_token */
+ gss_ctx_id_t * /* context_handle */
+ );
+
+typedef OM_uint32 _gss_inquire_names_for_mech_t (
+ OM_uint32 *, /* minor_status */
+ const gss_OID, /* mechanism */
+ gss_OID_set * /* name_types */
+ );
+
+typedef OM_uint32 _gss_inquire_mechs_for_name_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_OID_set * /* mech_types */
+ );
+
+typedef OM_uint32 _gss_canonicalize_name_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ const gss_OID, /* mech_type */
+ gss_name_t * /* output_name */
+ );
+
+typedef OM_uint32 _gss_duplicate_name_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* src_name */
+ gss_name_t * /* dest_name */
+ );
+
+typedef OM_uint32 _gsskrb5_register_acceptor_identity (
+ const char * /* identity */
+ );
+
+typedef OM_uint32 _gss_krb5_copy_ccache (
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ struct krb5_ccache_data * /* out */
+ );
+
+typedef OM_uint32 _gss_krb5_compat_des3_mic (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int /* flag */
+ );
+
+struct _gss_mech_switch {
+ SLIST_ENTRY(_gss_mech_switch) gm_link;
+ gss_OID_desc gm_mech_oid;
+ void *gm_so;
+ _gss_acquire_cred_t *gm_acquire_cred;
+ _gss_release_cred_t *gm_release_cred;
+ _gss_init_sec_context_t *gm_init_sec_context;
+ _gss_accept_sec_context_t *gm_accept_sec_context;
+ _gss_process_context_token_t *gm_process_context_token;
+ _gss_delete_sec_context_t *gm_delete_sec_context;
+ _gss_context_time_t *gm_context_time;
+ _gss_get_mic_t *gm_get_mic;
+ _gss_verify_mic_t *gm_verify_mic;
+ _gss_wrap_t *gm_wrap;
+ _gss_unwrap_t *gm_unwrap;
+ _gss_display_status_t *gm_display_status;
+ _gss_indicate_mechs_t *gm_indicate_mechs;
+ _gss_compare_name_t *gm_compare_name;
+ _gss_display_name_t *gm_display_name;
+ _gss_import_name_t *gm_import_name;
+ _gss_export_name_t *gm_export_name;
+ _gss_release_name_t *gm_release_name;
+ _gss_inquire_cred_t *gm_inquire_cred;
+ _gss_inquire_context_t *gm_inquire_context;
+ _gss_wrap_size_limit_t *gm_wrap_size_limit;
+ _gss_add_cred_t *gm_add_cred;
+ _gss_inquire_cred_by_mech_t *gm_inquire_cred_by_mech;
+ _gss_export_sec_context_t *gm_export_sec_context;
+ _gss_import_sec_context_t *gm_import_sec_context;
+ _gss_inquire_names_for_mech_t *gm_inquire_names_for_mech;
+ _gss_inquire_mechs_for_name_t *gm_inquire_mechs_for_name;
+ _gss_canonicalize_name_t *gm_canonicalize_name;
+ _gss_duplicate_name_t *gm_duplicate_name;
+ _gsskrb5_register_acceptor_identity *gm_krb5_register_acceptor_identity;
+ _gss_krb5_copy_ccache *gm_krb5_copy_ccache;
+ _gss_krb5_compat_des3_mic *gm_krb5_compat_des3_mic;
+};
+SLIST_HEAD(_gss_mech_switch_list, _gss_mech_switch);
+extern struct _gss_mech_switch_list _gss_mechs;
+extern gss_OID_set _gss_mech_oids;
+
+extern void _gss_load_mech(void);
+extern struct _gss_mech_switch *_gss_find_mech_switch(gss_OID);
diff --git a/lib/libgssapi/name.h b/lib/libgssapi/name.h
new file mode 100644
index 000000000000..a64d5d91e728
--- /dev/null
+++ b/lib/libgssapi/name.h
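Review bot: The header has no include guard, and the `_gss_krb5_copy_ccache` typedef names `struct krb5_ccache_data *` as a parameter without any prior declaration of that tag visible here; in C a tag first introduced inside a prototype has function-prototype scope only, so compilers warn that it "will not be visible outside of this definition" and the resulting function type is incompatible with any later `struct krb5_ccache_data` — probably benign today because the switch entries appear to be filled from `gm_so` via untyped lookups, but worth fixing. Suggest wrapping the file in an `#ifndef`/`#define`/`#endif` guard and adding `struct krb5_ccache_data;` above that typedef, unless the `#include` at the top (whose argument did not survive rendering here) already provides the tag. As a point of style, the last three typedefs (`_gsskrb5_register_acceptor_identity`, `_gss_krb5_copy_ccache`, `_gss_krb5_compat_des3_mic`) drop the `_t` suffix every other switch-entry type carries.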
@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+
+struct _gss_mechanism_name {
+ SLIST_ENTRY(_gss_mechanism_name) gmn_link;
+ struct _gss_mech_switch *gmn_mech; /* mechanism ops for MN */
+ gss_OID gmn_mech_oid; /* mechanism oid for MN */
+ gss_name_t gmn_name; /* underlying MN */
+};
+SLIST_HEAD(_gss_mechanism_name_list, _gss_mechanism_name);
+
+struct _gss_name {
+ gss_OID_desc gn_type; /* type of name */
+ gss_buffer_desc gn_value; /* value (as imported) */
+ struct _gss_mechanism_name_list gn_mn; /* list of MNs */
+};
+
+extern struct _gss_mechanism_name *
+ _gss_find_mn(struct _gss_name *name, gss_OID mech);
+struct _gss_name *
+ _gss_make_name(struct _gss_mech_switch *m, gss_name_t new_mn);
diff --git a/lib/libgssapi/spnego.h b/lib/libgssapi/spnego.h
new file mode 100644
index 000000000000..8b2e22d537f2
--- /dev/null
+++ b/lib/libgssapi/spnego.h
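Review bot: `_gss_make_name` is declared without the `extern` that `_gss_find_mn` two lines above carries, and the header has no include guard; neither breaks the build, but the mismatch invites a later reader to assume one of the two prototypes is meant to be file-local. Suggest `extern struct _gss_name *` on the `_gss_make_name` line and an `#ifndef`/`#define`/`#endif` guard around the file. A one-line header comment saying that `gn_mn` caches per-mechanism names (MNs) derived from the imported `gn_value` would also help, if that is indeed the intent — the lookup-versus-cache semantics are not visible here.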
@@ -0,0 +1,34 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+typedef xder_OID MechType;
+
+typedef struct {
+ size_t MechTypeList_len;
+ MechType *MechTypeList_val;
+} MechTypeList;
diff --git a/lib/libgssapi/utils.h b/lib/libgssapi/utils.h
new file mode 100644
index 000000000000..46edb9d4a25a
--- /dev/null
+++ b/lib/libgssapi/utils.h
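Review bot: The header uses `xder_OID` and `size_t` but includes nothing, so it compiles only when the including .c file has already pulled in `<stddef.h>` and whichever header defines `xder_OID` (not visible in this chunk); adding those includes plus an include guard would make it self-contained. The two names mirror the SPNEGO ASN.1 `MechType`/`MechTypeList` types, and a one-line comment saying so, e.g. `/* SPNEGO MechTypeList as encoded in the initial negotiation token */`, would tell a reader why they exist alongside the gss_OID types used everywhere else in the library.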
@@ -0,0 +1,32 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+extern int _gss_oid_equal(const gss_OID, const gss_OID);
+extern OM_uint32 _gss_copy_oid(OM_uint32 *, const gss_OID, gss_OID);
+extern OM_uint32 _gss_copy_buffer(OM_uint32 *minor_status,
+ const gss_buffer_t from_buf, gss_buffer_t to_buf);
diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile
index a8a1f74a5b37..ddd6b5c876c7 100644
--- a/secure/lib/libssh/Makefile
+++ b/secure/lib/libssh/Makefile
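Review bot: The prototypes are inconsistent about parameter names — `_gss_oid_equal` and `_gss_copy_oid` omit them while `_gss_copy_buffer` spells them out — and for `_gss_copy_oid`, whose last two arguments differ only in constness, the names are what tells a caller which is source and which is destination. Suggest `extern OM_uint32 _gss_copy_oid(OM_uint32 *minor_status, const gss_OID from_oid, gss_OID to_oid);`, assuming the const argument is the source as in `_gss_copy_buffer`. An include guard is also missing, as in the other new headers in this commit.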
@@ -31,7 +31,7 @@ DPADD= ${LIBZ}
 LDADD= -lz
 
 .if !defined(NO_KERBEROS)
-CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_H=1 -DKRB5 -DHEIMDAL
+CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL
 DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBMD} ${LIBROKEN}
 LDADD+= -lgssapi -lkrb5 -lasn1 -lcom_err -lmd -lroken
 .endif
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index 274e481e23f7..9d1e0b5f8e0d 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -15,9 +15,9 @@ DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ}
 LDADD= -lssh -lutil -lz
 
 .if !defined(NO_KERBEROS)
-CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_H=1 -DKRB5 -DHEIMDAL
-DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBMD} ${LIBROKEN}
-LDADD+= -lgssapi -lkrb5 -lasn1 -lcom_err -lmd -lroken
+CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL
+DPADD+= ${LIBGSSAPI}
+LDADD+= -lgssapi
 .endif
 
 .if defined(X11BASE)
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index 4e73571084a5..fa0a21aa3b05 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -24,7 +24,7 @@ DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPAM}
 LDADD= -lssh -lutil -lz -lwrap ${MINUSLPAM}
 
 .if !defined(NO_KERBEROS)
-CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_H=1 -DKRB5 -DHEIMDAL
+CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL
 DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN}
 LDADD+= -lgssapi -lkrb5 -lasn1 -lcom_err -lroken
 .endif
diff --git a/tools/make_libdeps.sh b/tools/make_libdeps.sh
index c79be8751b79..b5af4bcc75c1 100644
--- a/tools/make_libdeps.sh
+++ b/tools/make_libdeps.sh
@@ -49,7 +49,7 @@ sed -E -e's;-lbsdxml!;lib/libexpat;g' -e's;-lm!;lib/msun;g' -e's;-l(supc\+\+)!;gnu/lib/lib\1;g' - -e's;-l(asn1|gssapi|krb5|roken)!;kerberos5/lib/lib\1;g' + -e's;-l(asn1|krb5|roken)!;kerberos5/lib/lib\1;g' -e's;-l(crypto|ssh|ssl)!;secure/lib/lib\1;g' -e's;-l([^!]+)!;lib/lib\1;g' "
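Review bot: The ssh(1) hunk reduces the Kerberos link set to `-lgssapi` alone while the libssh and sshd hunks on the same line keep `-lkrb5 -lasn1 -lcom_err -lroken` (libssh additionally `-lmd`), and nothing in the diff records why the two sides differ; presumably only the server-side code still calls libkrb5 directly, but a later cleanup could easily "align" one Makefile with the other and either break sshd or re-add needless dependencies to ssh. A comment beside the retained lines, e.g. `# libkrb5 and friends are still called directly here; the GSS-API mechanism itself is now loaded at run time via libgssapi and /etc/gss/mech`, would anchor the decision. Note also that with this change ssh(1)'s Kerberos support depends on the run-time mechanism table rather than link-time symbols, so a missing or mis-edited `/etc/gss/mech` degrades silently to "no mechanisms" — worth a line in the commit message or the mech.5 page.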