1 /*
2 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
3 */
4 /*
5 * Copyright 1993 by OpenVision Technologies, Inc.
6 *
7 * Permission to use, copy, modify, distribute, and sell this software
8 * and its documentation for any purpose is hereby granted without fee,
9 * provided that the above copyright notice appears in all copies and
10 * that both that copyright notice and this permission notice appear in
11 * supporting documentation, and that the name of OpenVision not be used
12 * in advertising or publicity pertaining to distribution of the software
13 * without specific, written prior permission. OpenVision makes no
14 * representations about the suitability of this software for any
15 * purpose. It is provided "as is" without express or implied warranty.
16 *
17 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
18 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
19 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
20 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
21 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
22 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
23 * PERFORMANCE OF THIS SOFTWARE.
24 */
25
26 /*
27 * $Id: krb5_gss_glue.c 18262 2006-06-29 04:38:48Z tlyu $
28 */
29
30 #include "gssapiP_krb5.h"
31 #include "mglueP.h"
32 #include <syslog.h>
33
34 /** mechglue wrappers **/
35
36 static OM_uint32 k5glue_acquire_cred
37 (void *, OM_uint32*, /* minor_status */
38 gss_name_t, /* desired_name */
39 OM_uint32, /* time_req */
40 gss_OID_set, /* desired_mechs */
41 gss_cred_usage_t, /* cred_usage */
42 gss_cred_id_t*, /* output_cred_handle */
43 gss_OID_set*, /* actual_mechs */
44 OM_uint32* /* time_rec */
45 );
46
47 static OM_uint32 k5glue_release_cred
48 (void *, OM_uint32*, /* minor_status */
49 gss_cred_id_t* /* cred_handle */
50 );
51
52 static OM_uint32 k5glue_init_sec_context
53 (void *, OM_uint32*, /* minor_status */
54 gss_cred_id_t, /* claimant_cred_handle */
55 gss_ctx_id_t*, /* context_handle */
56 gss_name_t, /* target_name */
57 gss_OID, /* mech_type */
58 OM_uint32, /* req_flags */
59 OM_uint32, /* time_req */
60 gss_channel_bindings_t,
61 /* input_chan_bindings */
62 gss_buffer_t, /* input_token */
63 gss_OID*, /* actual_mech_type */
64 gss_buffer_t, /* output_token */
65 OM_uint32*, /* ret_flags */
66 OM_uint32* /* time_rec */
67 );
68
69 static OM_uint32 k5glue_accept_sec_context
70 (void *, OM_uint32*, /* minor_status */
71 gss_ctx_id_t*, /* context_handle */
72 gss_cred_id_t, /* verifier_cred_handle */
73 gss_buffer_t, /* input_token_buffer */
74 gss_channel_bindings_t,
75 /* input_chan_bindings */
76 gss_name_t*, /* src_name */
77 gss_OID*, /* mech_type */
78 gss_buffer_t, /* output_token */
79 OM_uint32*, /* ret_flags */
80 OM_uint32*, /* time_rec */
81 gss_cred_id_t* /* delegated_cred_handle */
82 );
83
84 static OM_uint32 k5glue_process_context_token
85 (void *, OM_uint32*, /* minor_status */
86 gss_ctx_id_t, /* context_handle */
87 gss_buffer_t /* token_buffer */
88 );
89
90 static OM_uint32 k5glue_delete_sec_context
91 (void *, OM_uint32*, /* minor_status */
92 gss_ctx_id_t*, /* context_handle */
93 gss_buffer_t /* output_token */
94 );
95
96 static OM_uint32 k5glue_context_time
97 (void *, OM_uint32*, /* minor_status */
98 gss_ctx_id_t, /* context_handle */
99 OM_uint32* /* time_rec */
100 );
101
102 static OM_uint32 k5glue_sign
103 (void *, OM_uint32*, /* minor_status */
104 gss_ctx_id_t, /* context_handle */
105 int, /* qop_req */
106 gss_buffer_t, /* message_buffer */
107 gss_buffer_t /* message_token */
108 );
109
110 static OM_uint32 k5glue_verify
111 (void *, OM_uint32*, /* minor_status */
112 gss_ctx_id_t, /* context_handle */
113 gss_buffer_t, /* message_buffer */
114 gss_buffer_t, /* token_buffer */
115 int* /* qop_state */
116 );
117
118 /* EXPORT DELETE START */
119 static OM_uint32 k5glue_seal
120 (void *, OM_uint32*, /* minor_status */
121 gss_ctx_id_t, /* context_handle */
122 int, /* conf_req_flag */
123 int, /* qop_req */
124 gss_buffer_t, /* input_message_buffer */
125 int*, /* conf_state */
126 gss_buffer_t /* output_message_buffer */
127 );
128
129 static OM_uint32 k5glue_unseal
130 (void *, OM_uint32*, /* minor_status */
131 gss_ctx_id_t, /* context_handle */
132 gss_buffer_t, /* input_message_buffer */
133 gss_buffer_t, /* output_message_buffer */
134 int*, /* conf_state */
135 int* /* qop_state */
136 );
137 /* EXPORT DELETE END */
138
139 static OM_uint32 k5glue_display_status
140 (void *, OM_uint32*, /* minor_status */
141 OM_uint32, /* status_value */
142 int, /* status_type */
143 gss_OID, /* mech_type */
144 OM_uint32*, /* message_context */
145 gss_buffer_t /* status_string */
146 );
147
148 static OM_uint32 k5glue_indicate_mechs
149 (void *, OM_uint32*, /* minor_status */
150 gss_OID_set* /* mech_set */
151 );
152
153 static OM_uint32 k5glue_compare_name
154 (void *, OM_uint32*, /* minor_status */
155 gss_name_t, /* name1 */
156 gss_name_t, /* name2 */
157 int* /* name_equal */
158 );
159
160 static OM_uint32 k5glue_display_name
161 (void *, OM_uint32*, /* minor_status */
162 gss_name_t, /* input_name */
163 gss_buffer_t, /* output_name_buffer */
164 gss_OID* /* output_name_type */
165 );
166
167 static OM_uint32 k5glue_import_name
168 (void *, OM_uint32*, /* minor_status */
169 gss_buffer_t, /* input_name_buffer */
170 gss_OID, /* input_name_type */
171 gss_name_t* /* output_name */
172 );
173
174 static OM_uint32 k5glue_release_name
175 (void *, OM_uint32*, /* minor_status */
176 gss_name_t* /* input_name */
177 );
178
179 static OM_uint32 k5glue_inquire_cred
180 (void *, OM_uint32 *, /* minor_status */
181 gss_cred_id_t, /* cred_handle */
182 gss_name_t *, /* name */
183 OM_uint32 *, /* lifetime */
184 gss_cred_usage_t*,/* cred_usage */
185 gss_OID_set * /* mechanisms */
186 );
187
188 static OM_uint32 k5glue_inquire_context
189 (void *, OM_uint32*, /* minor_status */
190 gss_ctx_id_t, /* context_handle */
191 gss_name_t*, /* initiator_name */
192 gss_name_t*, /* acceptor_name */
193 OM_uint32*, /* lifetime_rec */
194 gss_OID*, /* mech_type */
195 OM_uint32*, /* ret_flags */
196 int*, /* locally_initiated */
197 int* /* open */
198 );
199
200 #if 0
201 /* New V2 entry points */
202 static OM_uint32 k5glue_get_mic
203 (void *, OM_uint32 *, /* minor_status */
204 gss_ctx_id_t, /* context_handle */
205 gss_qop_t, /* qop_req */
206 gss_buffer_t, /* message_buffer */
207 gss_buffer_t /* message_token */
208 );
209
210 static OM_uint32 k5glue_verify_mic
211 (void *, OM_uint32 *, /* minor_status */
212 gss_ctx_id_t, /* context_handle */
213 gss_buffer_t, /* message_buffer */
214 gss_buffer_t, /* message_token */
215 gss_qop_t * /* qop_state */
216 );
217
218 static OM_uint32 k5glue_wrap
219 (void *, OM_uint32 *, /* minor_status */
220 gss_ctx_id_t, /* context_handle */
221 int, /* conf_req_flag */
222 gss_qop_t, /* qop_req */
223 gss_buffer_t, /* input_message_buffer */
224 int *, /* conf_state */
225 gss_buffer_t /* output_message_buffer */
226 );
227
228 static OM_uint32 k5glue_unwrap
229 (void *, OM_uint32 *, /* minor_status */
230 gss_ctx_id_t, /* context_handle */
231 gss_buffer_t, /* input_message_buffer */
232 gss_buffer_t, /* output_message_buffer */
233 int *, /* conf_state */
234 gss_qop_t * /* qop_state */
235 );
236 #endif
237
238 static OM_uint32 k5glue_wrap_size_limit
239 (void *, OM_uint32 *, /* minor_status */
240 gss_ctx_id_t, /* context_handle */
241 int, /* conf_req_flag */
242 gss_qop_t, /* qop_req */
243 OM_uint32, /* req_output_size */
244 OM_uint32 * /* max_input_size */
245 );
246
247 #if 0
248 static OM_uint32 k5glue_import_name_object
249 (void *, OM_uint32 *, /* minor_status */
250 void *, /* input_name */
251 gss_OID, /* input_name_type */
252 gss_name_t * /* output_name */
253 );
254
255 static OM_uint32 k5glue_export_name_object
256 (void *, OM_uint32 *, /* minor_status */
257 gss_name_t, /* input_name */
258 gss_OID, /* desired_name_type */
259 void * * /* output_name */
260 );
261 #endif
262
263 static OM_uint32 k5glue_add_cred
264 (void *, OM_uint32 *, /* minor_status */
265 gss_cred_id_t, /* input_cred_handle */
266 gss_name_t, /* desired_name */
267 gss_OID, /* desired_mech */
268 gss_cred_usage_t, /* cred_usage */
269 OM_uint32, /* initiator_time_req */
270 OM_uint32, /* acceptor_time_req */
271 gss_cred_id_t *, /* output_cred_handle */
272 gss_OID_set *, /* actual_mechs */
273 OM_uint32 *, /* initiator_time_rec */
274 OM_uint32 * /* acceptor_time_rec */
275 );
276
277 static OM_uint32 k5glue_inquire_cred_by_mech
278 (void *, OM_uint32 *, /* minor_status */
279 gss_cred_id_t, /* cred_handle */
280 gss_OID, /* mech_type */
281 gss_name_t *, /* name */
282 OM_uint32 *, /* initiator_lifetime */
283 OM_uint32 *, /* acceptor_lifetime */
284 gss_cred_usage_t * /* cred_usage */
285 );
286
287 static OM_uint32 k5glue_export_sec_context
288 (void *, OM_uint32 *, /* minor_status */
289 gss_ctx_id_t *, /* context_handle */
290 gss_buffer_t /* interprocess_token */
291 );
292
293 static OM_uint32 k5glue_import_sec_context
294 (void *, OM_uint32 *, /* minor_status */
295 gss_buffer_t, /* interprocess_token */
296 gss_ctx_id_t * /* context_handle */
297 );
298
299 krb5_error_code k5glue_ser_init(krb5_context);
300
301 static OM_uint32 k5glue_internal_release_oid
302 (void *, OM_uint32 *, /* minor_status */
303 gss_OID * /* oid */
304 );
305
306 static OM_uint32 k5glue_inquire_names_for_mech
307 (void *, OM_uint32 *, /* minor_status */
308 gss_OID, /* mechanism */
309 gss_OID_set * /* name_types */
310 );
311
312 #if 0
313 static OM_uint32 k5glue_canonicalize_name
314 (void *, OM_uint32 *, /* minor_status */
315 const gss_name_t, /* input_name */
316 const gss_OID, /* mech_type */
317 gss_name_t * /* output_name */
318 );
319 #endif
320
321 static OM_uint32 k5glue_export_name
322 (void *, OM_uint32 *, /* minor_status */
323 const gss_name_t, /* input_name */
324 gss_buffer_t /* exported_name */
325 );
326
327 /* SUNW15resync - Solaris specific */
328 static OM_uint32 k5glue_store_cred (
329 void *,
330 OM_uint32 *, /* minor_status */
331 const gss_cred_id_t, /* input_cred */
332 gss_cred_usage_t, /* cred_usage */
333 const gss_OID, /* desired_mech */
334 OM_uint32, /* overwrite_cred */
335 OM_uint32, /* default_cred */
336 gss_OID_set *, /* elements_stored */
337 gss_cred_usage_t * /* cred_usage_stored */
338 );
339
340 /* SUNW17PACresync - this decl not needed in MIT but is for Sol */
341 /* Note code is in gsspi_krb5.c */
342 OM_uint32 krb5_gss_inquire_sec_context_by_oid(
343 OM_uint32 *,
344 const gss_ctx_id_t,
345 const gss_OID,
346 gss_buffer_set_t *);
347
348 static OM_uint32
349 k5glue_userok(
350 void *, /* context */
351 OM_uint32 *, /* minor_status */
352 const gss_name_t, /* pname */
353 const char *, /* local user */
354 int * /* user ok? */
355 /* */);
356
357 static OM_uint32
358 k5glue_pname_to_uid(
359 void *, /* context */
360 OM_uint32 *, /* minor_status */
361 const gss_name_t, /* pname */
362 uid_t * /* uid */
363 /* */);
364
365
366
367
368 #if 0
369 static OM_uint32 k5glue_duplicate_name
370 (void *, OM_uint32 *, /* minor_status */
371 const gss_name_t, /* input_name */
372 gss_name_t * /* dest_name */
373 );
374 #endif
375
376 #if 0
377 static OM_uint32 k5glue_validate_cred
378 (void *, OM_uint32 *, /* minor_status */
379 gss_cred_id_t /* cred */
380 );
381 #endif
382
383 #if 0
384 /*
385 * SUNW15resync
386 * Solaris can't use the KRB5_GSS_CONFIG_INIT macro because of the src
387 * slicing&dicing needs of the "nightly -SD" build. When it goes away,
388 * we should use it assuming MIT still uses it then.
389 */
390
391 /*
392 * The krb5 mechanism provides two mech OIDs; use this initializer to
393 * ensure that both dispatch tables contain identical function
394 * pointers.
395 */
396 #define KRB5_GSS_CONFIG_INIT \
397 NULL, \
398 ...
399 #endif
400
401
402 static struct gss_config krb5_mechanism = {
403 #if 0 /* Solaris Kerberos */
404 100, "kerberos_v5",
405 #endif
406 { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
407 NULL,
408 k5glue_acquire_cred,
409 k5glue_release_cred,
410 k5glue_init_sec_context,
411 k5glue_accept_sec_context,
412 /* EXPORT DELETE START */ /* CRYPT DELETE START */
413 k5glue_unseal,
414 /* EXPORT DELETE END */ /* CRYPT DELETE END */
415 k5glue_process_context_token,
416 k5glue_delete_sec_context,
417 k5glue_context_time,
418 k5glue_display_status,
419 k5glue_indicate_mechs,
420 k5glue_compare_name,
421 k5glue_display_name,
422 k5glue_import_name,
423 k5glue_release_name,
424 k5glue_inquire_cred,
425 k5glue_add_cred,
426 /* EXPORT DELETE START */ /* CRYPT DELETE START */
427 k5glue_seal,
428 /* EXPORT DELETE END */ /* CRYPT DELETE END */
429 k5glue_export_sec_context,
430 k5glue_import_sec_context,
431 k5glue_inquire_cred_by_mech,
432 k5glue_inquire_names_for_mech,
433 k5glue_inquire_context,
434 k5glue_internal_release_oid,
435 k5glue_wrap_size_limit,
436 k5glue_pname_to_uid,
437 k5glue_userok,
438 k5glue_export_name,
439 /* EXPORT DELETE START */
440 /* CRYPT DELETE START */
441 #if 0
442 /* CRYPT DELETE END */
443 k5glue_seal,
444 k5glue_unseal,
445 /* CRYPT DELETE START */
446 #endif
447 /* CRYPT DELETE END */
448 /* EXPORT DELETE END */
449 k5glue_sign,
450 k5glue_verify,
451 k5glue_store_cred,
452 krb5_gss_inquire_sec_context_by_oid
453 };
454
455 static struct gss_config krb5_mechanism_old = {
456 #if 0 /* Solaris Kerberos */
457 200, "kerberos_v5 (pre-RFC OID)",
458 #endif
459 { GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID },
460 NULL,
461 k5glue_acquire_cred,
462 k5glue_release_cred,
463 k5glue_init_sec_context,
464 k5glue_accept_sec_context,
465 /* EXPORT DELETE START */ /* CRYPT DELETE START */
466 k5glue_unseal,
467 /* EXPORT DELETE END */ /* CRYPT DELETE END */
468 k5glue_process_context_token,
469 k5glue_delete_sec_context,
470 k5glue_context_time,
471 k5glue_display_status,
472 k5glue_indicate_mechs,
473 k5glue_compare_name,
474 k5glue_display_name,
475 k5glue_import_name,
476 k5glue_release_name,
477 k5glue_inquire_cred,
478 k5glue_add_cred,
479 /* EXPORT DELETE START */ /* CRYPT DELETE START */
480 k5glue_seal,
481 /* EXPORT DELETE END */ /* CRYPT DELETE END */
482 k5glue_export_sec_context,
483 k5glue_import_sec_context,
484 k5glue_inquire_cred_by_mech,
485 k5glue_inquire_names_for_mech,
486 k5glue_inquire_context,
487 k5glue_internal_release_oid,
488 k5glue_wrap_size_limit,
489 k5glue_pname_to_uid,
490 k5glue_userok,
491 k5glue_export_name,
492 /* EXPORT DELETE START */
493 /* CRYPT DELETE START */
494 #if 0
495 /* CRYPT DELETE END */
496 k5glue_seal,
497 k5glue_unseal,
498 /* CRYPT DELETE START */
499 #endif
500 /* CRYPT DELETE END */
501 /* EXPORT DELETE END */
502 k5glue_sign,
503 k5glue_verify,
504 k5glue_store_cred,
505 krb5_gss_inquire_sec_context_by_oid
506 };
507
508 static struct gss_config krb5_mechanism_wrong = {
509 #if 0 /* Solaris Kerberos */
510 300, "kerberos_v5 (wrong OID)",
511 #endif
512 { GSS_MECH_KRB5_WRONG_OID_LENGTH, GSS_MECH_KRB5_WRONG_OID },
513 NULL,
514 k5glue_acquire_cred,
515 k5glue_release_cred,
516 k5glue_init_sec_context,
517 k5glue_accept_sec_context,
518 /* EXPORT DELETE START */ /* CRYPT DELETE START */
519 k5glue_unseal,
520 /* EXPORT DELETE END */ /* CRYPT DELETE END */
521 k5glue_process_context_token,
522 k5glue_delete_sec_context,
523 k5glue_context_time,
524 k5glue_display_status,
525 k5glue_indicate_mechs,
526 k5glue_compare_name,
527 k5glue_display_name,
528 k5glue_import_name,
529 k5glue_release_name,
530 k5glue_inquire_cred,
531 k5glue_add_cred,
532 /* EXPORT DELETE START */ /* CRYPT DELETE START */
533 k5glue_seal,
534 /* EXPORT DELETE END */ /* CRYPT DELETE END */
535 k5glue_export_sec_context,
536 k5glue_import_sec_context,
537 k5glue_inquire_cred_by_mech,
538 k5glue_inquire_names_for_mech,
539 k5glue_inquire_context,
540 k5glue_internal_release_oid,
541 k5glue_wrap_size_limit,
542 k5glue_pname_to_uid,
543 k5glue_userok,
544 k5glue_export_name,
545 /* EXPORT DELETE START */
546 /* CRYPT DELETE START */
547 #if 0
548 /* CRYPT DELETE END */
549 k5glue_seal,
550 k5glue_unseal,
551 /* CRYPT DELETE START */
552 #endif
553 /* CRYPT DELETE END */
554 /* EXPORT DELETE END */
555 k5glue_sign,
556 k5glue_verify,
557 k5glue_store_cred,
558 krb5_gss_inquire_sec_context_by_oid
559 };
560
561 static gss_mechanism krb5_mech_configs[] = {
562 &krb5_mechanism, &krb5_mechanism_old, &krb5_mechanism_wrong, NULL
563 };
564
565 #ifdef MS_BUG_TEST
566 static gss_mechanism krb5_mech_configs_hack[] = {
567 &krb5_mechanism, &krb5_mechanism_old, NULL
568 };
569 #endif
570
571 #if 1
572 #define gssint_get_mech_configs krb5_gss_get_mech_configs
573 #endif
574
575 gss_mechanism *
576 gssint_get_mech_configs(void)
577 {
578 #ifdef MS_BUG_TEST
579 char *envstr = getenv("MS_FORCE_NO_MSOID");
580
581 if (envstr != NULL && strcmp(envstr, "1") == 0) {
582 return krb5_mech_configs_hack;
583 }
584 #endif
585 return krb5_mech_configs;
586 }
587
588 static OM_uint32
589 k5glue_accept_sec_context(ctx, minor_status, context_handle, verifier_cred_handle,
590 input_token, input_chan_bindings, src_name, mech_type,
591 output_token, ret_flags, time_rec, delegated_cred_handle)
592 void *ctx;
593 OM_uint32 *minor_status;
594 gss_ctx_id_t *context_handle;
595 gss_cred_id_t verifier_cred_handle;
596 gss_buffer_t input_token;
597 gss_channel_bindings_t input_chan_bindings;
598 gss_name_t *src_name;
599 gss_OID *mech_type;
600 gss_buffer_t output_token;
601 OM_uint32 *ret_flags;
602 OM_uint32 *time_rec;
603 gss_cred_id_t *delegated_cred_handle;
604 {
605 return(krb5_gss_accept_sec_context(minor_status,
606 context_handle,
607 verifier_cred_handle,
608 input_token,
609 input_chan_bindings,
610 src_name,
611 mech_type,
612 output_token,
613 ret_flags,
614 time_rec,
615 delegated_cred_handle));
616 }
617
618 static OM_uint32
619 k5glue_acquire_cred(ctx, minor_status, desired_name, time_req, desired_mechs,
620 cred_usage, output_cred_handle, actual_mechs, time_rec)
621 void *ctx;
622 OM_uint32 *minor_status;
623 gss_name_t desired_name;
624 OM_uint32 time_req;
625 gss_OID_set desired_mechs;
626 gss_cred_usage_t cred_usage;
627 gss_cred_id_t *output_cred_handle;
628 gss_OID_set *actual_mechs;
629 OM_uint32 *time_rec;
630 {
631 return(krb5_gss_acquire_cred(minor_status,
632 desired_name,
633 time_req,
634 desired_mechs,
635 cred_usage,
636 output_cred_handle,
637 actual_mechs,
638 time_rec));
639 }
640
641 /* V2 */
642 static OM_uint32
643 k5glue_add_cred(ctx, minor_status, input_cred_handle, desired_name, desired_mech,
644 cred_usage, initiator_time_req, acceptor_time_req,
645 output_cred_handle, actual_mechs, initiator_time_rec,
646 acceptor_time_rec)
647 void *ctx;
648 OM_uint32 *minor_status;
649 gss_cred_id_t input_cred_handle;
650 gss_name_t desired_name;
651 gss_OID desired_mech;
652 gss_cred_usage_t cred_usage;
653 OM_uint32 initiator_time_req;
654 OM_uint32 acceptor_time_req;
655 gss_cred_id_t *output_cred_handle;
656 gss_OID_set *actual_mechs;
657 OM_uint32 *initiator_time_rec;
658 OM_uint32 *acceptor_time_rec;
659 {
660 return(krb5_gss_add_cred(minor_status, input_cred_handle, desired_name,
661 desired_mech, cred_usage, initiator_time_req,
662 acceptor_time_req, output_cred_handle,
663 actual_mechs, initiator_time_rec,
664 acceptor_time_rec));
665 }
666
667 #if 0
668 /* V2 */
669 static OM_uint32
670 k5glue_add_oid_set_member(ctx, minor_status, member_oid, oid_set)
671 void *ctx;
672 OM_uint32 *minor_status;
673 gss_OID member_oid;
674 gss_OID_set *oid_set;
675 {
676 return(generic_gss_add_oid_set_member(minor_status, member_oid, oid_set));
677 }
678 #endif
679
680 static OM_uint32
681 k5glue_compare_name(ctx, minor_status, name1, name2, name_equal)
682 void *ctx;
683 OM_uint32 *minor_status;
684 gss_name_t name1;
685 gss_name_t name2;
686 int *name_equal;
687 {
688 return(krb5_gss_compare_name(minor_status, name1,
689 name2, name_equal));
690 }
691
692 static OM_uint32
693 k5glue_context_time(ctx, minor_status, context_handle, time_rec)
694 void *ctx;
695 OM_uint32 *minor_status;
696 gss_ctx_id_t context_handle;
697 OM_uint32 *time_rec;
698 {
699 return(krb5_gss_context_time(minor_status, context_handle,
700 time_rec));
701 }
702
703 #if 0
704 /* V2 */
705 static OM_uint32
706 k5glue_create_empty_oid_set(ctx, minor_status, oid_set)
707 void *ctx;
708 OM_uint32 *minor_status;
709 gss_OID_set *oid_set;
710 {
711 return(generic_gss_create_empty_oid_set(minor_status, oid_set));
712 }
713 #endif
714
715 static OM_uint32
716 k5glue_delete_sec_context(ctx, minor_status, context_handle, output_token)
717 void *ctx;
718 OM_uint32 *minor_status;
719 gss_ctx_id_t *context_handle;
720 gss_buffer_t output_token;
721 {
722 return(krb5_gss_delete_sec_context(minor_status,
723 context_handle, output_token));
724 }
725
726 static OM_uint32
727 k5glue_display_name(ctx, minor_status, input_name, output_name_buffer, output_name_type)
728 void *ctx;
729 OM_uint32 *minor_status;
730 gss_name_t input_name;
731 gss_buffer_t output_name_buffer;
732 gss_OID *output_name_type;
733 {
734 return(krb5_gss_display_name(minor_status, input_name,
735 output_name_buffer, output_name_type));
736 }
737
738 static OM_uint32
739 k5glue_display_status(ctx, minor_status, status_value, status_type,
740 mech_type, message_context, status_string)
741 void *ctx;
742 OM_uint32 *minor_status;
743 OM_uint32 status_value;
744 int status_type;
745 gss_OID mech_type;
746 OM_uint32 *message_context;
747 gss_buffer_t status_string;
748 {
749 return(krb5_gss_display_status(minor_status, status_value,
750 status_type, mech_type, message_context,
751 status_string));
752 }
753
754 /* V2 */
755 static OM_uint32
756 k5glue_export_sec_context(ctx, minor_status, context_handle, interprocess_token)
757 void *ctx;
758 OM_uint32 *minor_status;
759 gss_ctx_id_t *context_handle;
760 gss_buffer_t interprocess_token;
761 {
762 return(krb5_gss_export_sec_context(minor_status,
763 context_handle,
764 interprocess_token));
765 }
766
767 #if 0
768 /* V2 */
769 static OM_uint32
770 k5glue_get_mic(ctx, minor_status, context_handle, qop_req,
771 message_buffer, message_token)
772 void *ctx;
773 OM_uint32 *minor_status;
774 gss_ctx_id_t context_handle;
775 gss_qop_t qop_req;
776 gss_buffer_t message_buffer;
777 gss_buffer_t message_token;
778 {
779 return(krb5_gss_get_mic(minor_status, context_handle,
780 qop_req, message_buffer, message_token));
781 }
782 #endif
783
784 static OM_uint32
785 k5glue_import_name(ctx, minor_status, input_name_buffer, input_name_type, output_name)
786 void *ctx;
787 OM_uint32 *minor_status;
788 gss_buffer_t input_name_buffer;
789 gss_OID input_name_type;
790 gss_name_t *output_name;
791 {
792 #if 0
793 OM_uint32 err;
794 err = gssint_initialize_library();
795 if (err) {
796 *minor_status = err;
797 return GSS_S_FAILURE;
798 }
799 #endif
800 return(krb5_gss_import_name(minor_status, input_name_buffer,
801 input_name_type, output_name));
802 }
803
804 /* V2 */
805 static OM_uint32
806 k5glue_import_sec_context(ctx, minor_status, interprocess_token, context_handle)
807 void *ctx;
808 OM_uint32 *minor_status;
809 gss_buffer_t interprocess_token;
810 gss_ctx_id_t *context_handle;
811 {
812 return(krb5_gss_import_sec_context(minor_status,
813 interprocess_token,
814 context_handle));
815 }
816
817 static OM_uint32
818 k5glue_indicate_mechs(ctx, minor_status, mech_set)
819 void *ctx;
820 OM_uint32 *minor_status;
821 gss_OID_set *mech_set;
822 {
823 return(krb5_gss_indicate_mechs(minor_status, mech_set));
824 }
825
826 static OM_uint32
827 k5glue_init_sec_context(ctx, minor_status, claimant_cred_handle, context_handle,
828 target_name, mech_type, req_flags, time_req,
829 input_chan_bindings, input_token, actual_mech_type,
830 output_token, ret_flags, time_rec)
831 void *ctx;
832 OM_uint32 *minor_status;
833 gss_cred_id_t claimant_cred_handle;
834 gss_ctx_id_t *context_handle;
835 gss_name_t target_name;
836 gss_OID mech_type;
837 OM_uint32 req_flags;
838 OM_uint32 time_req;
839 gss_channel_bindings_t input_chan_bindings;
840 gss_buffer_t input_token;
841 gss_OID *actual_mech_type;
842 gss_buffer_t output_token;
843 OM_uint32 *ret_flags;
844 OM_uint32 *time_rec;
845 {
846 return(krb5_gss_init_sec_context(minor_status,
847 claimant_cred_handle, context_handle,
848 target_name, mech_type, req_flags,
849 time_req, input_chan_bindings, input_token,
850 actual_mech_type, output_token, ret_flags,
851 time_rec));
852 }
853
854 static OM_uint32
855 k5glue_inquire_context(ctx, minor_status, context_handle, initiator_name, acceptor_name,
856 lifetime_rec, mech_type, ret_flags,
857 locally_initiated, open)
858 void *ctx;
859 OM_uint32 *minor_status;
860 gss_ctx_id_t context_handle;
861 gss_name_t *initiator_name;
862 gss_name_t *acceptor_name;
863 OM_uint32 *lifetime_rec;
864 gss_OID *mech_type;
865 OM_uint32 *ret_flags;
866 int *locally_initiated;
867 int *open;
868 {
869 return(krb5_gss_inquire_context(minor_status, context_handle,
870 initiator_name, acceptor_name, lifetime_rec,
871 mech_type, ret_flags, locally_initiated,
872 open));
873 }
874
875 static OM_uint32
876 k5glue_inquire_cred(ctx, minor_status, cred_handle, name, lifetime_ret,
877 cred_usage, mechanisms)
878 void *ctx;
879 OM_uint32 *minor_status;
880 gss_cred_id_t cred_handle;
881 gss_name_t *name;
882 OM_uint32 *lifetime_ret;
883 gss_cred_usage_t *cred_usage;
884 gss_OID_set *mechanisms;
885 {
886 return(krb5_gss_inquire_cred(minor_status, cred_handle,
887 name, lifetime_ret, cred_usage, mechanisms));
888 }
889
890 /* V2 */
891 static OM_uint32
892 k5glue_inquire_cred_by_mech(ctx, minor_status, cred_handle, mech_type, name,
893 initiator_lifetime, acceptor_lifetime, cred_usage)
894 void *ctx;
895 OM_uint32 *minor_status;
896 gss_cred_id_t cred_handle;
897 gss_OID mech_type;
898 gss_name_t *name;
899 OM_uint32 *initiator_lifetime;
900 OM_uint32 *acceptor_lifetime;
901 gss_cred_usage_t *cred_usage;
902 {
903 return(krb5_gss_inquire_cred_by_mech(minor_status, cred_handle,
904 mech_type, name, initiator_lifetime,
905 acceptor_lifetime, cred_usage));
906 }
907
908 /* V2 */
909 static OM_uint32
910 k5glue_inquire_names_for_mech(ctx, minor_status, mechanism, name_types)
911 void *ctx;
912 OM_uint32 *minor_status;
913 gss_OID mechanism;
914 gss_OID_set *name_types;
915 {
916 return(krb5_gss_inquire_names_for_mech(minor_status,
917 mechanism,
918 name_types));
919 }
920
921 #if 0
922 /* V2 */
923 static OM_uint32
924 k5glue_oid_to_str(ctx, minor_status, oid, oid_str)
925 void *ctx;
926 OM_uint32 *minor_status;
927 gss_OID oid;
928 gss_buffer_t oid_str;
929 {
930 return(generic_gss_oid_to_str(minor_status, oid, oid_str));
931 }
932 #endif
933
934 static OM_uint32
935 k5glue_process_context_token(ctx, minor_status, context_handle, token_buffer)
936 void *ctx;
937 OM_uint32 *minor_status;
938 gss_ctx_id_t context_handle;
939 gss_buffer_t token_buffer;
940 {
941 return(krb5_gss_process_context_token(minor_status,
942 context_handle, token_buffer));
943 }
944
945 static OM_uint32
946 k5glue_release_cred(ctx, minor_status, cred_handle)
947 void *ctx;
948 OM_uint32 *minor_status;
949 gss_cred_id_t *cred_handle;
950 {
951 return(krb5_gss_release_cred(minor_status, cred_handle));
952 }
953
954 static OM_uint32
955 k5glue_release_name(ctx, minor_status, input_name)
956 void *ctx;
957 OM_uint32 *minor_status;
958 gss_name_t *input_name;
959 {
960 return(krb5_gss_release_name(minor_status, input_name));
961 }
962
963 #if 0
964 static OM_uint32
965 k5glue_release_buffer(ctx, minor_status, buffer)
966 void *ctx;
967 OM_uint32 *minor_status;
968 gss_buffer_t buffer;
969 {
970 return(generic_gss_release_buffer(minor_status,
971 buffer));
972 }
973 #endif
974
975 /* V2 */
976 static OM_uint32
977 k5glue_internal_release_oid(ctx, minor_status, oid)
978 void *ctx;
979 OM_uint32 *minor_status;
980 gss_OID *oid;
981 {
982 return(krb5_gss_internal_release_oid(minor_status, oid));
983 }
984
985 #if 0
986 static OM_uint32
987 k5glue_release_oid_set(ctx, minor_status, set)
988 void *ctx;
989 OM_uint32 * minor_status;
990 gss_OID_set *set;
991 {
992 return(generic_gss_release_oid_set(minor_status, set));
993 }
994 #endif
995
996 /* EXPORT DELETE START */
997 /* V1 only */
998 static OM_uint32
999 k5glue_seal(ctx, minor_status, context_handle, conf_req_flag, qop_req,
1000 input_message_buffer, conf_state, output_message_buffer)
1001 void *ctx;
1002 OM_uint32 *minor_status;
1003 gss_ctx_id_t context_handle;
1004 int conf_req_flag;
1005 int qop_req;
1006 gss_buffer_t input_message_buffer;
1007 int *conf_state;
1008 gss_buffer_t output_message_buffer;
1009 {
1010 return(krb5_gss_seal(minor_status, context_handle,
1011 conf_req_flag, qop_req, input_message_buffer,
1012 conf_state, output_message_buffer));
1013 }
1014 /* EXPORT DELETE END */
1015
1016 static OM_uint32
1017 k5glue_sign(ctx, minor_status, context_handle,
1018 qop_req, message_buffer,
1019 message_token)
1020 void *ctx;
1021 OM_uint32 *minor_status;
1022 gss_ctx_id_t context_handle;
1023 int qop_req;
1024 gss_buffer_t message_buffer;
1025 gss_buffer_t message_token;
1026 {
1027 return(krb5_gss_sign(minor_status, context_handle,
1028 qop_req, message_buffer, message_token));
1029 }
1030
1031 #if 0
1032 /* V2 */
1033 static OM_uint32
1034 k5glue_verify_mic(ctx, minor_status, context_handle,
1035 message_buffer, token_buffer, qop_state)
1036 void *ctx;
1037 OM_uint32 *minor_status;
1038 gss_ctx_id_t context_handle;
1039 gss_buffer_t message_buffer;
1040 gss_buffer_t token_buffer;
1041 gss_qop_t *qop_state;
1042 {
1043 return(krb5_gss_verify_mic(minor_status, context_handle,
1044 message_buffer, token_buffer, qop_state));
1045 }
1046
1047 /* V2 */
1048 static OM_uint32
1049 k5glue_wrap(ctx, minor_status, context_handle, conf_req_flag, qop_req,
1050 input_message_buffer, conf_state, output_message_buffer)
1051 void *ctx;
1052 OM_uint32 *minor_status;
1053 gss_ctx_id_t context_handle;
1054 int conf_req_flag;
1055 gss_qop_t qop_req;
1056 gss_buffer_t input_message_buffer;
1057 int *conf_state;
1058 gss_buffer_t output_message_buffer;
1059 {
1060 return(krb5_gss_wrap(minor_status, context_handle, conf_req_flag, qop_req,
1061 input_message_buffer, conf_state,
1062 output_message_buffer));
1063 }
1064
1065 /* V2 */
1066 static OM_uint32
1067 k5glue_str_to_oid(ctx, minor_status, oid_str, oid)
1068 void *ctx;
1069 OM_uint32 *minor_status;
1070 gss_buffer_t oid_str;
1071 gss_OID *oid;
1072 {
1073 return(generic_gss_str_to_oid(minor_status, oid_str, oid));
1074 }
1075
1076 /* V2 */
1077 static OM_uint32
1078 k5glue_test_oid_set_member(ctx, minor_status, member, set, present)
1079 void *ctx;
1080 OM_uint32 *minor_status;
1081 gss_OID member;
1082 gss_OID_set set;
1083 int *present;
1084 {
1085 return(generic_gss_test_oid_set_member(minor_status, member, set,
1086 present));
1087 }
1088 #endif
1089
1090 /* EXPORT DELETE START */
1091 /* V1 only */
1092 static OM_uint32
1093 k5glue_unseal(ctx, minor_status, context_handle, input_message_buffer,
1094 output_message_buffer, conf_state, qop_state)
1095 void *ctx;
1096 OM_uint32 *minor_status;
1097 gss_ctx_id_t context_handle;
1098 gss_buffer_t input_message_buffer;
1099 gss_buffer_t output_message_buffer;
1100 int *conf_state;
1101 int *qop_state;
1102 {
1103 return(krb5_gss_unseal(minor_status, context_handle,
1104 input_message_buffer, output_message_buffer,
1105 conf_state, qop_state));
1106 }
1107 /* EXPORT DELETE END */
1108
1109 #if 0
1110 /* V2 */
1111 static OM_uint32
1112 k5glue_unwrap(ctx, minor_status, context_handle, input_message_buffer,
1113 output_message_buffer, conf_state, qop_state)
1114 void *ctx;
1115 OM_uint32 *minor_status;
1116 gss_ctx_id_t context_handle;
1117 gss_buffer_t input_message_buffer;
1118 gss_buffer_t output_message_buffer;
1119 int *conf_state;
1120 gss_qop_t *qop_state;
1121 {
1122 return(krb5_gss_unwrap(minor_status, context_handle, input_message_buffer,
1123 output_message_buffer, conf_state, qop_state));
1124 }
1125 #endif
1126
1127 /* V1 only */
1128 static OM_uint32
1129 k5glue_verify(ctx, minor_status, context_handle, message_buffer,
1130 token_buffer, qop_state)
1131 void *ctx;
1132 OM_uint32 *minor_status;
1133 gss_ctx_id_t context_handle;
1134 gss_buffer_t message_buffer;
1135 gss_buffer_t token_buffer;
1136 int *qop_state;
1137 {
1138 return(krb5_gss_verify(minor_status,
1139 context_handle,
1140 message_buffer,
1141 token_buffer,
1142 qop_state));
1143 }
1144
1145 /* V2 interface */
1146 static OM_uint32
1147 k5glue_wrap_size_limit(ctx, minor_status, context_handle, conf_req_flag,
1148 qop_req, req_output_size, max_input_size)
1149 void *ctx;
1150 OM_uint32 *minor_status;
1151 gss_ctx_id_t context_handle;
1152 int conf_req_flag;
1153 gss_qop_t qop_req;
1154 OM_uint32 req_output_size;
1155 OM_uint32 *max_input_size;
1156 {
1157 return(krb5_gss_wrap_size_limit(minor_status, context_handle,
1158 conf_req_flag, qop_req,
1159 req_output_size, max_input_size));
1160 }
1161
1162 #if 0
1163 /* V2 interface */
1164 static OM_uint32
1165 k5glue_canonicalize_name(ctx, minor_status, input_name, mech_type, output_name)
1166 void *ctx;
1167 OM_uint32 *minor_status;
1168 const gss_name_t input_name;
1169 const gss_OID mech_type;
1170 gss_name_t *output_name;
1171 {
1172 return krb5_gss_canonicalize_name(minor_status, input_name,
1173 mech_type, output_name);
1174 }
1175 #endif
1176
1177 /* V2 interface */
1178 static OM_uint32
1179 k5glue_export_name(ctx, minor_status, input_name, exported_name)
1180 void *ctx;
1181 OM_uint32 *minor_status;
1182 const gss_name_t input_name;
1183 gss_buffer_t exported_name;
1184 {
1185 return krb5_gss_export_name(minor_status, input_name, exported_name);
1186 }
1187
1188 /* SUNW15resync - this is not in the MIT mech (lib) yet */
1189 static OM_uint32
1190 k5glue_store_cred(ctx, minor_status, input_cred, cred_usage, desired_mech,
1191 overwrite_cred, default_cred, elements_stored,
1192 cred_usage_stored)
1193 void *ctx;
1194 OM_uint32 *minor_status;
1195 const gss_cred_id_t input_cred;
1196 gss_cred_usage_t cred_usage;
1197 gss_OID desired_mech;
1198 OM_uint32 overwrite_cred;
1199 OM_uint32 default_cred;
1200 gss_OID_set *elements_stored;
1201 gss_cred_usage_t *cred_usage_stored;
1202 {
1203 return(krb5_gss_store_cred(minor_status, input_cred,
1204 cred_usage, desired_mech,
1205 overwrite_cred, default_cred, elements_stored,
1206 cred_usage_stored));
1207 }
1208
1209 static OM_uint32
1210 k5glue_userok(
1211 void *ctxt, /* context */
1212 OM_uint32 *minor, /* minor_status */
1213 const gss_name_t pname, /* pname */
1214 const char *user, /* local user */
1215 int *user_ok /* user ok? */
1216 /* */)
1217 {
1218 return(krb5_gss_userok(minor, pname, user, user_ok));
1219 }
1220
1221 static OM_uint32
1222 k5glue_pname_to_uid(
1223 void *ctxt, /* context */
1224 OM_uint32 *minor, /* minor_status */
1225 const gss_name_t pname, /* pname */
1226 uid_t *uidOut /* uid */
1227 /* */)
1228 {
1229 return (krb5_pname_to_uid(minor, pname, uidOut));
1230 }
1231
1232
1233
1234 #if 0
1235 /* V2 interface */
1236 static OM_uint32
1237 k5glue_duplicate_name(ctx, minor_status, input_name, dest_name)
1238 void *ctx;
1239 OM_uint32 *minor_status;
1240 const gss_name_t input_name;
1241 gss_name_t *dest_name;
1242 {
1243 return krb5_gss_duplicate_name(minor_status, input_name, dest_name);
1244 }
1245 #endif
1246
1247
1248 OM_uint32 KRB5_CALLCONV
1249 gss_krb5_copy_ccache(
1250 OM_uint32 *minor_status,
1251 gss_cred_id_t cred_handle,
1252 krb5_ccache out_ccache)
1253 {
1254 gss_union_cred_t ucred;
1255 gss_cred_id_t mcred;
1256
1257 ucred = (gss_union_cred_t)cred_handle;
1258
1259 mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type);
1260 if (mcred != GSS_C_NO_CREDENTIAL)
1261 return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
1262
1263 mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type);
1264 if (mcred != GSS_C_NO_CREDENTIAL)
1265 return gss_krb5int_copy_ccache(minor_status, mcred, out_ccache);
1266
1267 return GSS_S_DEFECTIVE_CREDENTIAL;
1268 }
1269
1270 OM_uint32 KRB5_CALLCONV
1271 gss_krb5_set_allowable_enctypes(
1272 OM_uint32 *minor_status,
1273 gss_cred_id_t cred,
1274 OM_uint32 num_ktypes,
1275 krb5_enctype *ktypes)
1276 {
1277 gss_union_cred_t ucred;
1278 gss_cred_id_t mcred;
1279
1280 ucred = (gss_union_cred_t)cred;
1281 mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism.mech_type);
1282 if (mcred != GSS_C_NO_CREDENTIAL)
1283 return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
1284 num_ktypes, ktypes);
1285
1286 mcred = gssint_get_mechanism_cred(ucred, &krb5_mechanism_old.mech_type);
1287 if (mcred != GSS_C_NO_CREDENTIAL)
1288 return gss_krb5int_set_allowable_enctypes(minor_status, mcred,
1289 num_ktypes, ktypes);
1290
1291 return GSS_S_DEFECTIVE_CREDENTIAL;
1292 }
1293
1294 /*
1295 * Glue routine for returning the mechanism-specific credential from a
1296 * external union credential.
1297 */
1298 /* SUNW15resync - in MIT 1.5, it's in g_glue.c (libgss) but we don't
1299 want to link against libgss so we put it here since we need it in the mech */
1300 gss_cred_id_t
1301 gssint_get_mechanism_cred(union_cred, mech_type)
1302 gss_union_cred_t union_cred;
1303 gss_OID mech_type;
1304 {
1305 int i;
1306
1307 if (union_cred == (gss_union_cred_t) GSS_C_NO_CREDENTIAL)
1308 return GSS_C_NO_CREDENTIAL;
1309
1310 for (i=0; i < union_cred->count; i++) {
1311 if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
1312 return union_cred->cred_array[i];
1313 }
1314 return GSS_C_NO_CREDENTIAL;
1315 }
1316
1317
1318
1319 /*
1320 * entry point for the gss layer,
1321 * called "krb5_gss_initialize()" in MIT 1.2.1
1322 */
1323 /* SUNW15resync - this used to be in k5mech.c */
1324 gss_mechanism
1325 gss_mech_initialize(oid)
1326 const gss_OID oid;
1327 {
1328 /*
1329 * Solaris Kerberos: We also want to use the same functions for KRB5 as
1330 * we do for the MS KRB5 (krb5_mechanism_wrong). So both are valid.
1331 */
1332 /* ensure that the requested oid matches our oid */
1333 if (oid == NULL || (!g_OID_equal(oid, &krb5_mechanism.mech_type) &&
1334 !g_OID_equal(oid, &krb5_mechanism_wrong.mech_type))) {
1335 (void) syslog(LOG_INFO, "krb5mech: gss_mech_initialize: bad oid");
1336 return (NULL);
1337 }
1338
1339 #if 0 /* SUNW15resync - no longer needed(?) */
1340 if (krb5_gss_get_context(&(krb5_mechanism.context)) !=
1341 GSS_S_COMPLETE)
1342 return (NULL);
1343 #endif
1344
1345 return (&krb5_mechanism);
1346 }
1347
1348 /*
1349 * This API should go away and be replaced with an accessor
1350 * into a gss_name_t.
1351 */
1352 OM_uint32 KRB5_CALLCONV
1353 gsskrb5_extract_authz_data_from_sec_context(
1354 OM_uint32 *minor_status,
1355 gss_ctx_id_t context_handle,
1356 int ad_type,
1357 gss_buffer_t ad_data)
1358 {
1359 gss_OID_desc req_oid;
1360 unsigned char oid_buf[GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH + 6];
1361 OM_uint32 major_status;
1362 gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
1363
1364 if (ad_data == NULL)
1365 return GSS_S_CALL_INACCESSIBLE_WRITE;
1366
1367 req_oid.elements = oid_buf;
1368 req_oid.length = sizeof(oid_buf);
1369
1370 major_status = generic_gss_oid_compose(minor_status,
1371 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID,
1372 GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH,
1373 ad_type,
1374 &req_oid);
1375 if (GSS_ERROR(major_status))
1376 return major_status;
1377
1378 major_status = gss_inquire_sec_context_by_oid(minor_status,
1379 context_handle,
1380 (gss_OID)&req_oid,
1381 &data_set);
1382 if (major_status != GSS_S_COMPLETE) {
1383 return major_status;
1384 }
1385
1386 /*
1387 * SUNW17PACresync / Solaris Kerberos
1388 * MIT17 allows only count==1 which is correct for pre-Win2008 but
1389 * our testing with Win2008 shows count==2 and Win7 count==3.
1390 */
1391 if ((data_set == GSS_C_NO_BUFFER_SET) || (data_set->count == 0)) {
1392 gss_release_buffer_set(minor_status, &data_set);
1393 *minor_status = EINVAL;
1394 return GSS_S_FAILURE;
1395 }
1396
1397 ad_data->length = data_set->elements[0].length;
1398 ad_data->value = malloc(ad_data->length);
1399 if (!ad_data->value) {
1400 gss_release_buffer_set(minor_status, &data_set);
1401 return ENOMEM;
1402 }
1403 bcopy(data_set->elements[0].value, ad_data->value, ad_data->length);
1404
1405 gss_release_buffer_set(minor_status, &data_set);
1406
1407 return GSS_S_COMPLETE;
1408 }
1409
1410
1411 OM_uint32 KRB5_CALLCONV
1412 gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
1413 gss_ctx_id_t context_handle,
1414 krb5_timestamp *authtime)
1415 {
1416 static const gss_OID_desc req_oid = {
1417 GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH,
1418 GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID };
1419 OM_uint32 major_status;
1420 gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
1421
1422 if (authtime == NULL)
1423 return GSS_S_CALL_INACCESSIBLE_WRITE;
1424
1425 major_status = gss_inquire_sec_context_by_oid(minor_status,
1426 context_handle,
1427 (gss_OID)&req_oid,
1428 &data_set);
1429 if (major_status != GSS_S_COMPLETE)
1430 return major_status;
1431
1432 if (data_set == GSS_C_NO_BUFFER_SET ||
1433 data_set->count != 1 ||
1434 data_set->elements[0].length != sizeof(*authtime)) {
1435 *minor_status = EINVAL;
1436 return GSS_S_FAILURE;
1437 }
1438
1439 *authtime = *((krb5_timestamp *)data_set->elements[0].value);
1440
1441 gss_release_buffer_set(minor_status, &data_set);
1442
1443 *minor_status = 0;
1444
1445 return GSS_S_COMPLETE;
1446 }