imapext-2007

annotate src/osdep/nt/kerb_w2k.c @ 0:ada5e610ab86

find changesets by author, revision, files, or words in the commit message
imap-2007e
author yuuji@gentei.org
date Mon, 14 Sep 2009 15:17:45 +0900
parents
children
rev   line source
yuuji@0 1 /* ========================================================================
yuuji@0 2 * Copyright 1988-2006 University of Washington
yuuji@0 3 *
yuuji@0 4 * Licensed under the Apache License, Version 2.0 (the "License");
yuuji@0 5 * you may not use this file except in compliance with the License.
yuuji@0 6 * You may obtain a copy of the License at
yuuji@0 7 *
yuuji@0 8 * http://www.apache.org/licenses/LICENSE-2.0
yuuji@0 9 *
yuuji@0 10 *
yuuji@0 11 * ========================================================================
yuuji@0 12 */
yuuji@0 13
yuuji@0 14 /*
yuuji@0 15 * Program: GSSAPI Kerberos Shim 5 for Windows 2000/XP IMAP Toolkit
yuuji@0 16 *
yuuji@0 17 * Author: Mark Crispin
yuuji@0 18 * Networks and Distributed Computing
yuuji@0 19 * Computing & Communications
yuuji@0 20 * University of Washington
yuuji@0 21 * Administration Building, AG-44
yuuji@0 22 * Seattle, WA 98195
yuuji@0 23 * Internet: MRC@CAC.Washington.EDU
yuuji@0 24 *
yuuji@0 25 * Date: 6 March 2000
yuuji@0 26 * Last Edited: 30 August 2006
yuuji@0 27 */
yuuji@0 28
yuuji@0 29 /* The purpose of this module is to be a shim, so that the auth_gss.c module
yuuji@0 30 * (written for MIT Kerberos) will compile, link, and run with SSPI Kerberos
yuuji@0 31 * on Windows 2000 systems.
yuuji@0 32 * There is no attempt whatsoever to make this be a complete implementation
yuuji@0 33 * of GSSAPI. A number of shortcuts were taken that a real GSSAPI
yuuji@0 34 * implementation for SSPI can't do.
yuuji@0 35 * Nor is there any attempt to make the types identical with MIT Kerberos;
yuuji@0 36 * you can't link this library with object files compiled with the MIT
yuuji@0 37 * Kerberos .h files.
yuuji@0 38 */
yuuji@0 39
yuuji@0 40
yuuji@0 41 /* GSSAPI generic definitions */
yuuji@0 42
yuuji@0 43
yuuji@0 44 #define SECURITY_WIN32
yuuji@0 45 #include <security.h>
yuuji@0 46
yuuji@0 47
yuuji@0 48 /* GSSAPI types for which we use SSPI equivalent types */
yuuji@0 49
yuuji@0 50 typedef ULONG OM_uint32;
yuuji@0 51 typedef PCredHandle gss_cred_id_t;
yuuji@0 52 typedef ULONG gss_cred_usage_t;
yuuji@0 53 typedef PCtxtHandle gss_ctx_id_t;
yuuji@0 54 typedef SEC_CHAR * gss_name_t;
yuuji@0 55 typedef ULONG gss_qop_t;
yuuji@0 56
yuuji@0 57
yuuji@0 58 /* Major status codes */
yuuji@0 59
yuuji@0 60 #define GSS_S_COMPLETE SEC_E_OK
yuuji@0 61 #define GSS_S_BAD_MECH SEC_E_SECPKG_NOT_FOUND
yuuji@0 62 #define GSS_S_CONTINUE_NEEDED SEC_I_CONTINUE_NEEDED
yuuji@0 63 #define GSS_S_CREDENTIALS_EXPIRED SEC_E_CERT_EXPIRED
yuuji@0 64 #define GSS_S_FAILURE SEC_E_INTERNAL_ERROR
yuuji@0 65 #define GSS_S_NO_CRED SEC_E_NO_CREDENTIALS
yuuji@0 66 #define GSS_S_NO_CONTEXT SEC_E_INVALID_HANDLE
yuuji@0 67
yuuji@0 68
yuuji@0 69 /* Flag bits for context-level services */
yuuji@0 70
yuuji@0 71 #define GSS_C_DELEG_FLAG ISC_REQ_DELEGATE
yuuji@0 72 #define GSS_C_MUTUAL_FLAG ISC_REQ_MUTUAL_AUTH
yuuji@0 73 #define GSS_C_REPLAY_FLAG ISC_REQ_REPLAY_DETECT
yuuji@0 74 #define GSS_C_SEQUENCE_FLAG ISC_REQ_SEQUENCE_DETECT
yuuji@0 75 #define GSS_C_CONF_FLAG ISC_REQ_CONFIDENTIALITY
yuuji@0 76 #define GSS_C_INTEG_FLAG ISC_REQ_INTEGRITY
yuuji@0 77
yuuji@0 78
yuuji@0 79 /* Credential usage options */
yuuji@0 80
yuuji@0 81 #define GSS_C_BOTH SECPKG_CRED_BOTH
yuuji@0 82 #define GSS_C_INITIATE SECPKG_CRED_OUTBOUND
yuuji@0 83 #define GSS_C_ACCEPT SECPKG_CRED_INBOUND
yuuji@0 84
yuuji@0 85
yuuji@0 86 /* Major status codes defined by shim */
yuuji@0 87
yuuji@0 88 #define GSS_S_BAD_BINDINGS 100
yuuji@0 89 #define GSS_S_BAD_NAME 101
yuuji@0 90 #define GSS_S_BAD_NAMETYPE 102
yuuji@0 91 #define GSS_S_BAD_STATUS 103
yuuji@0 92
yuuji@0 93 /* GSSAPI types as used in GSSAPI */
yuuji@0 94
yuuji@0 95
yuuji@0 96 /* Buffer */
yuuji@0 97
yuuji@0 98 typedef struct gss_buffer_desc_struct {
yuuji@0 99 size_t length;
yuuji@0 100 void *value;
yuuji@0 101 } gss_buffer_desc,*gss_buffer_t;
yuuji@0 102
yuuji@0 103
yuuji@0 104 /* Object identifier */
yuuji@0 105
yuuji@0 106 typedef struct gss_OID_desc_struct {
yuuji@0 107 OM_uint32 length;
yuuji@0 108 void *elements;
yuuji@0 109 } gss_OID_desc,*gss_OID;
yuuji@0 110
yuuji@0 111 typedef struct gss_OID_set_desc_struct {
yuuji@0 112 size_t count;
yuuji@0 113 gss_OID elements;
yuuji@0 114 } gss_OID_set_desc,*gss_OID_set;
yuuji@0 115
yuuji@0 116
yuuji@0 117 /* Unused, but needed in prototypes */
yuuji@0 118
yuuji@0 119 typedef void * gss_channel_bindings_t;
yuuji@0 120
yuuji@0 121
yuuji@0 122 /* Default constants */
yuuji@0 123
yuuji@0 124 #define GSS_C_EMPTY_BUFFER {0,NIL}
yuuji@0 125 #define GSS_C_NO_BUFFER ((gss_buffer_t) NIL)
yuuji@0 126 #define GSS_C_NO_OID ((gss_OID) NIL)
yuuji@0 127 #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) NIL)
yuuji@0 128 #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) NIL)
yuuji@0 129 #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) NIL)
yuuji@0 130 #define GSS_C_QOP_DEFAULT NIL
yuuji@0 131
yuuji@0 132
yuuji@0 133 /* Status code types for gss_display_status */
yuuji@0 134
yuuji@0 135 #define GSS_C_GSS_CODE 1
yuuji@0 136 #define GSS_C_MECH_CODE 2
yuuji@0 137
yuuji@0 138
yuuji@0 139 /* GSSAPI constants */
yuuji@0 140
yuuji@0 141 const gss_OID gss_nt_service_name;
yuuji@0 142 #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
yuuji@0 143 const gss_OID gss_mech_krb5;
yuuji@0 144 const gss_OID_set gss_mech_set_krb5;
yuuji@0 145
yuuji@0 146 /* GSSAPI prototypes */
yuuji@0 147
yuuji@0 148
yuuji@0 149 OM_uint32 gss_accept_sec_context (OM_uint32 *minor_status,
yuuji@0 150 gss_ctx_id_t *context_handle,
yuuji@0 151 gss_cred_id_t acceptor_cred_handle,
yuuji@0 152 gss_buffer_t input_token_buffer,
yuuji@0 153 gss_channel_bindings_t input_chan_bindings,
yuuji@0 154 gss_name_t *src_name,gss_OID *mech_type,
yuuji@0 155 gss_buffer_t output_token,
yuuji@0 156 OM_uint32 *ret_flags,OM_uint32 *time_rec,
yuuji@0 157 gss_cred_id_t *delegated_cred_handle);
yuuji@0 158 OM_uint32 gss_acquire_cred (OM_uint32 *minor_status,gss_name_t desired_name,
yuuji@0 159 OM_uint32 time_req,gss_OID_set desired_mechs,
yuuji@0 160 gss_cred_usage_t cred_usage,
yuuji@0 161 gss_cred_id_t *output_cred_handle,
yuuji@0 162 gss_OID_set *actual_mechs,OM_uint32 *time_rec);
yuuji@0 163 OM_uint32 gss_delete_sec_context (OM_uint32 *minor_status,
yuuji@0 164 gss_ctx_id_t *context_handle,
yuuji@0 165 gss_buffer_t output_token);
yuuji@0 166 OM_uint32 gss_display_name (OM_uint32 *minor_status,gss_name_t input_name,
yuuji@0 167 gss_buffer_t output_name_buffer,
yuuji@0 168 gss_OID *output_name_type);
yuuji@0 169 OM_uint32 gss_display_status (OM_uint32 *minor_status,OM_uint32 status_value,
yuuji@0 170 int status_type,gss_OID mech_type,
yuuji@0 171 OM_uint32 *message_context,
yuuji@0 172 gss_buffer_t status_string);
yuuji@0 173 OM_uint32 gss_import_name (OM_uint32 *minor_status,
yuuji@0 174 gss_buffer_t input_name_buffer,
yuuji@0 175 gss_OID input_name_type,gss_name_t *output_name);
yuuji@0 176 OM_uint32 gss_init_sec_context (OM_uint32 *minor_status,
yuuji@0 177 gss_cred_id_t claimant_cred_handle,
yuuji@0 178 gss_ctx_id_t *context_handle,
yuuji@0 179 gss_name_t target_name,gss_OID mech_type,
yuuji@0 180 OM_uint32 req_flags,OM_uint32 time_req,
yuuji@0 181 gss_channel_bindings_t input_chan_bindings,
yuuji@0 182 gss_buffer_t input_token,
yuuji@0 183 gss_OID *actual_mech_type,
yuuji@0 184 gss_buffer_t output_token,OM_uint32 *ret_flags,
yuuji@0 185 OM_uint32 *time_rec);
yuuji@0 186 OM_uint32 gss_release_buffer (OM_uint32 *minor_status,gss_buffer_t buffer);
yuuji@0 187 OM_uint32 gss_release_cred (OM_uint32 *minor_status,gss_cred_id_t *cred_handle);
yuuji@0 188 OM_uint32 gss_release_name (OM_uint32 *minor_status,gss_name_t *input_name);
yuuji@0 189 OM_uint32 gss_wrap (OM_uint32 *minor_status,gss_ctx_id_t context_handle,
yuuji@0 190 int conf_req_flag,gss_qop_t qop_req,
yuuji@0 191 gss_buffer_t input_message_buffer,int *conf_state,
yuuji@0 192 gss_buffer_t output_message_buffer);
yuuji@0 193 OM_uint32 gss_unwrap (OM_uint32 *minor_status,gss_ctx_id_t context_handle,
yuuji@0 194 gss_buffer_t input_message_buffer,
yuuji@0 195 gss_buffer_t output_message_buffer,int *conf_state,
yuuji@0 196 gss_qop_t *qop_state);
yuuji@0 197
yuuji@0 198 /* Kerberos definitions */
yuuji@0 199
yuuji@0 200 long kerberos_server_valid (void);
yuuji@0 201 long kerberos_try_kinit (OM_uint32 error);
yuuji@0 202 char *kerberos_login (char *user,char *authuser,int argc,char *argv[]);
yuuji@0 203
yuuji@0 204
yuuji@0 205 #define STRING WINSTRING /* conflict with mail.h */
yuuji@0 206 #include <NTSecAPI.h>
yuuji@0 207
yuuji@0 208 /* GSSAPI build-in object identifiers */
yuuji@0 209
yuuji@0 210 static gss_OID_desc oids[] = { /* stupid C language makes this necessary */
yuuji@0 211 {10,"\052\206\110\206\367\022\001\002\001\004"},
yuuji@0 212 {9,"\052\206\110\206\367\022\001\002\002"}
yuuji@0 213 };
yuuji@0 214
yuuji@0 215 /* stupid C language ditto */
yuuji@0 216 static gss_OID_set_desc oidsets[] = {
yuuji@0 217 {1,(gss_OID) oids+1}
yuuji@0 218 };
yuuji@0 219
yuuji@0 220 /* these are the real OIDs */
yuuji@0 221 const gss_OID gss_nt_service_name = oids+0;
yuuji@0 222 const gss_OID gss_mech_krb5 = oids+1;
yuuji@0 223 const gss_OID_set gss_mech_set_krb5 = oidsets+0;
yuuji@0 224
yuuji@0 225
yuuji@0 226 /* Other globals */
yuuji@0 227
yuuji@0 228 /* substitute for GSS_C_NO_CREDENTIAL */
yuuji@0 229 static gss_cred_id_t gss_default_cred = NIL;
yuuji@0 230
yuuji@0 231 /* GSSAPI import name (convert to full service principal name)
yuuji@0 232 * Accepts: pointer to return minor status
yuuji@0 233 * buffer containining input name
yuuji@0 234 * type of input name
yuuji@0 235 * pointer to return output internal name
yuuji@0 236 * Returns: major status, always
yuuji@0 237 */
yuuji@0 238
yuuji@0 239 OM_uint32 gss_import_name (OM_uint32 *minor_status,
yuuji@0 240 gss_buffer_t input_name_buffer,
yuuji@0 241 gss_OID input_name_type,gss_name_t *output_name)
yuuji@0 242 {
yuuji@0 243 OM_uint32 major_status = GSS_S_COMPLETE;
yuuji@0 244 TimeStamp expiry;
yuuji@0 245 static CredHandle gss_cred;
yuuji@0 246 char *s,tmp[MAILTMPLEN];
yuuji@0 247 *minor_status = 0; /* never any minor status */
yuuji@0 248 if (!gss_default_cred) { /* default credentials set up yet? */
yuuji@0 249 if (AcquireCredentialsHandle/* no, acquire them now */
yuuji@0 250 (NIL,MICROSOFT_KERBEROS_NAME_A,SECPKG_CRED_OUTBOUND,NIL,NIL,NIL,NIL,
yuuji@0 251 &gss_cred,&expiry) != SEC_E_OK) return GSS_S_FAILURE;
yuuji@0 252 /* have default credentials now */
yuuji@0 253 gss_default_cred = &gss_cred;
yuuji@0 254 }
yuuji@0 255 /* must be the gss_nt_service_name format */
yuuji@0 256 if (input_name_type != gss_nt_service_name)
yuuji@0 257 major_status = GSS_S_BAD_NAMETYPE;
yuuji@0 258 /* name must be of sane length */
yuuji@0 259 else if (input_name_buffer->length > (MAILTMPLEN/2))
yuuji@0 260 major_status = GSS_S_BAD_NAME;
yuuji@0 261 else { /* copy name */
yuuji@0 262 memcpy (tmp,input_name_buffer->value,input_name_buffer->length);
yuuji@0 263 tmp[input_name_buffer->length] = '\0';
yuuji@0 264 if (s = strchr (tmp,'@')) { /* find service/host/delimiter */
yuuji@0 265 *s = '/'; /* convert to full service principal name */
yuuji@0 266 *output_name = cpystr (tmp);
yuuji@0 267 }
yuuji@0 268 else major_status = GSS_S_BAD_NAME;
yuuji@0 269 }
yuuji@0 270 return major_status;
yuuji@0 271 }
yuuji@0 272
yuuji@0 273 /* GSSAPI Initialize security context
yuuji@0 274 * Accepts: pointer to return minor status
yuuji@0 275 * claimant credential handle
yuuji@0 276 * context (NIL means "none assigned yet")
yuuji@0 277 * desired principal
yuuji@0 278 * desired mechanisms
yuuji@0 279 * required context attributes
yuuji@0 280 * desired lifetime
yuuji@0 281 * input channel bindings
yuuji@0 282 * input token buffer
yuuji@0 283 * pointer to return mechanism type
yuuji@0 284 * buffer to return output token
yuuji@0 285 * pointer to return flags
yuuji@0 286 * pointer to return context lifetime
yuuji@0 287 * Returns: major status, always
yuuji@0 288 */
yuuji@0 289
yuuji@0 290 OM_uint32 gss_init_sec_context (OM_uint32 *minor_status,
yuuji@0 291 gss_cred_id_t claimant_cred_handle,
yuuji@0 292 gss_ctx_id_t *context_handle,
yuuji@0 293 gss_name_t target_name,gss_OID mech_type,
yuuji@0 294 OM_uint32 req_flags,OM_uint32 time_req,
yuuji@0 295 gss_channel_bindings_t input_chan_bindings,
yuuji@0 296 gss_buffer_t input_token,
yuuji@0 297 gss_OID *actual_mech_type,
yuuji@0 298 gss_buffer_t output_token,OM_uint32 *ret_flags,
yuuji@0 299 OM_uint32 *time_rec)
yuuji@0 300 {
yuuji@0 301 OM_uint32 i;
yuuji@0 302 OM_uint32 major_status;
yuuji@0 303 TimeStamp expiry;
yuuji@0 304 SecBuffer ibuf[1],obuf[1];
yuuji@0 305 SecBufferDesc ibufs,obufs;
yuuji@0 306 *minor_status = 0; /* never any minor status */
yuuji@0 307 /* error if non-default time requested */
yuuji@0 308 if (time_req) return GSS_S_FAILURE;
yuuji@0 309 if (mech_type && memcmp (mech_type,gss_mech_krb5,sizeof (gss_OID)))
yuuji@0 310 return GSS_S_BAD_MECH;
yuuji@0 311 /* ditto if any channel bindings */
yuuji@0 312 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS)
yuuji@0 313 return GSS_S_BAD_BINDINGS;
yuuji@0 314
yuuji@0 315 /* apply default credential if necessary */
yuuji@0 316 if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
yuuji@0 317 claimant_cred_handle = gss_default_cred;
yuuji@0 318 /* create output buffer storage as needed */
yuuji@0 319 req_flags |= ISC_REQ_ALLOCATE_MEMORY;
yuuji@0 320 /* make output buffer */
yuuji@0 321 obuf[0].BufferType = SECBUFFER_TOKEN;
yuuji@0 322 obuf[0].cbBuffer = 0; obuf[0].pvBuffer = NIL;
yuuji@0 323 /* output buffer descriptor */
yuuji@0 324 obufs.ulVersion = SECBUFFER_VERSION;
yuuji@0 325 obufs.cBuffers = 1;
yuuji@0 326 obufs.pBuffers = obuf;
yuuji@0 327 /* first time caller? */
yuuji@0 328 if (*context_handle == GSS_C_NO_CONTEXT) {
yuuji@0 329 /* yes, set up output context handle */
yuuji@0 330 PCtxtHandle ctx = (PCtxtHandle) fs_get (sizeof (CtxtHandle));
yuuji@0 331 major_status = InitializeSecurityContext (claimant_cred_handle,NIL,
yuuji@0 332 target_name,req_flags,0,
yuuji@0 333 SECURITY_NETWORK_DREP,NIL,0,ctx,
yuuji@0 334 &obufs,
yuuji@0 335 ret_flags ? ret_flags : &i,
yuuji@0 336 &expiry);
yuuji@0 337 *context_handle = ctx; /* return updated context */
yuuji@0 338 }
yuuji@0 339 else { /* no, make SSPI buffer from GSSAPI buffer */
yuuji@0 340 ibuf[0].BufferType = obuf[0].BufferType = SECBUFFER_TOKEN;
yuuji@0 341 ibuf[0].cbBuffer = input_token->length;
yuuji@0 342 ibuf[0].pvBuffer = input_token->value;
yuuji@0 343 /* input buffer descriptor */
yuuji@0 344 ibufs.ulVersion = SECBUFFER_VERSION;
yuuji@0 345 ibufs.cBuffers = 1;
yuuji@0 346 ibufs.pBuffers = ibuf;
yuuji@0 347 major_status = InitializeSecurityContext (claimant_cred_handle,
yuuji@0 348 *context_handle,target_name,
yuuji@0 349 req_flags,0,
yuuji@0 350 SECURITY_NETWORK_DREP,&ibufs,0,
yuuji@0 351 *context_handle,&obufs,
yuuji@0 352 ret_flags ? ret_flags : &i,
yuuji@0 353 &expiry);
yuuji@0 354 }
yuuji@0 355 /* return output */
yuuji@0 356 output_token->value = obuf[0].pvBuffer;
yuuji@0 357 output_token->length = obuf[0].cbBuffer;
yuuji@0 358 /* in case client wanted lifetime returned */
yuuji@0 359 if (time_rec) *time_rec = expiry.LowPart;
yuuji@0 360 return major_status;
yuuji@0 361 }
yuuji@0 362
yuuji@0 363 /* GSSAPI display status text
yuuji@0 364 * Accepts: pointer to return minor status
yuuji@0 365 * status to display
yuuji@0 366 * status type
yuuji@0 367 * message context for continuation
yuuji@0 368 * buffer to write status string
yuuji@0 369 * Returns: major status, always
yuuji@0 370 */
yuuji@0 371
yuuji@0 372 OM_uint32 gss_display_status (OM_uint32 *minor_status,OM_uint32 status_value,
yuuji@0 373 int status_type,gss_OID mech_type,
yuuji@0 374 OM_uint32 *message_context,
yuuji@0 375 gss_buffer_t status_string)
yuuji@0 376 {
yuuji@0 377 char *s,tmp[MAILTMPLEN];
yuuji@0 378 *minor_status = 0; /* never any minor status */
yuuji@0 379 if (*message_context) return GSS_S_FAILURE;
yuuji@0 380 switch (status_type) { /* what type of status code? */
yuuji@0 381 case GSS_C_GSS_CODE: /* major_status */
yuuji@0 382 switch (status_value) { /* analyze status value */
yuuji@0 383 case GSS_S_FAILURE:
yuuji@0 384 s = "Unspecified failure"; break;
yuuji@0 385 case GSS_S_CREDENTIALS_EXPIRED:
yuuji@0 386 s = "Credentials expired"; break;
yuuji@0 387 case GSS_S_BAD_BINDINGS:
yuuji@0 388 s = "Bad bindings"; break;
yuuji@0 389 case GSS_S_BAD_MECH:
yuuji@0 390 s = "Bad mechanism type"; break;
yuuji@0 391 case GSS_S_BAD_NAME:
yuuji@0 392 s = "Bad name"; break;
yuuji@0 393 case GSS_S_BAD_NAMETYPE:
yuuji@0 394 s = "Bad name type"; break;
yuuji@0 395 case GSS_S_BAD_STATUS:
yuuji@0 396 s = "Bad status"; break;
yuuji@0 397 case GSS_S_NO_CONTEXT:
yuuji@0 398 s = "Invalid context handle"; break;
yuuji@0 399 case GSS_S_NO_CRED:
yuuji@0 400 s = "Unable to authenticate to Kerberos service";
yuuji@0 401 mail_parameters (NIL,DISABLE_AUTHENTICATOR,"GSSAPI");
yuuji@0 402 break;
yuuji@0 403 case SEC_E_NO_AUTHENTICATING_AUTHORITY:
yuuji@0 404 s = "No authenticating authority"; break;
yuuji@0 405 case SEC_E_TARGET_UNKNOWN:
yuuji@0 406 s = "Destination server unknown to Kerberos service"; break;
yuuji@0 407 default:
yuuji@0 408 sprintf (s = tmp,"SSPI code %lx",status_value);
yuuji@0 409 }
yuuji@0 410 break;
yuuji@0 411 case GSS_C_MECH_CODE: /* minor status - drop into default */
yuuji@0 412 default:
yuuji@0 413 return GSS_S_BAD_STATUS; /* bad status type */
yuuji@0 414 }
yuuji@0 415 /* return status string */
yuuji@0 416 status_string->length = strlen (status_string->value = cpystr (s));
yuuji@0 417 return GSS_S_COMPLETE;
yuuji@0 418 }
yuuji@0 419
yuuji@0 420 /* GSSAPI delete security context
yuuji@0 421 * Accepts: pointer to return minor status
yuuji@0 422 * context to delete
yuuji@0 423 * output context token
yuuji@0 424 * Returns: major status, always
yuuji@0 425 */
yuuji@0 426
yuuji@0 427 OM_uint32 gss_delete_sec_context (OM_uint32 *minor_status,
yuuji@0 428 gss_ctx_id_t *context_handle,
yuuji@0 429 gss_buffer_t output_token)
yuuji@0 430 {
yuuji@0 431 OM_uint32 major_status;
yuuji@0 432 *minor_status = 0; /* never any minor status */
yuuji@0 433 /* output token not supported */
yuuji@0 434 major_status = output_token ? GSS_S_FAILURE :
yuuji@0 435 DeleteSecurityContext (*context_handle);
yuuji@0 436 fs_give ((void **) context_handle);
yuuji@0 437 return major_status;
yuuji@0 438 }
yuuji@0 439
yuuji@0 440
yuuji@0 441 /* GSSAPI release buffer
yuuji@0 442 * Accepts: pointer to return minor status
yuuji@0 443 * buffer to release
yuuji@0 444 * Returns: GSS_S_COMPLETE, always
yuuji@0 445 */
yuuji@0 446
yuuji@0 447 OM_uint32 gss_release_buffer (OM_uint32 *minor_status,gss_buffer_t buffer)
yuuji@0 448 {
yuuji@0 449 *minor_status = 0; /* never any minor status */
yuuji@0 450 fs_give (&buffer->value);
yuuji@0 451 return GSS_S_COMPLETE;
yuuji@0 452 }
yuuji@0 453
yuuji@0 454
yuuji@0 455 /* GSSAPI release name
yuuji@0 456 * Accepts: pointer to return minor status
yuuji@0 457 * pointer to name to release
yuuji@0 458 * Returns: GSS_S_COMPLETE, always
yuuji@0 459 */
yuuji@0 460
yuuji@0 461 OM_uint32 gss_release_name (OM_uint32 *minor_status,gss_name_t *input_name)
yuuji@0 462 {
yuuji@0 463 *minor_status = 0; /* never any minor status */
yuuji@0 464 fs_give (input_name);
yuuji@0 465 return GSS_S_COMPLETE;
yuuji@0 466 }
yuuji@0 467
yuuji@0 468 /* GSSAPI wrap data
yuuji@0 469 * Accepts: pointer to return minor status
yuuji@0 470 * context handle
yuuji@0 471 * requested confidentiality
yuuji@0 472 * requested quality of protection
yuuji@0 473 * input message buffer
yuuji@0 474 * pointer to return confidentiality state
yuuji@0 475 * output message buffer
yuuji@0 476 * Returns: major status, always
yuuji@0 477 */
yuuji@0 478
yuuji@0 479 OM_uint32 gss_wrap (OM_uint32 *minor_status,gss_ctx_id_t context_handle,
yuuji@0 480 int conf_req_flag,gss_qop_t qop_req,
yuuji@0 481 gss_buffer_t input_message_buffer,int *conf_state,
yuuji@0 482 gss_buffer_t output_message_buffer)
yuuji@0 483 {
yuuji@0 484 OM_uint32 major_status;
yuuji@0 485 SecBuffer buf[3];
yuuji@0 486 SecBufferDesc bufs;
yuuji@0 487 SecPkgContext_Sizes sizes;
yuuji@0 488 *minor_status = NIL; /* never any minor status */
yuuji@0 489 *conf_state = conf_req_flag; /* same as requested */
yuuji@0 490 if ((major_status = /* get trailer and padding sizes */
yuuji@0 491 QueryContextAttributes (context_handle,SECPKG_ATTR_SIZES,&sizes)) ==
yuuji@0 492 SEC_E_OK) {
yuuji@0 493 /* create big enough output buffer */
yuuji@0 494 output_message_buffer->value =
yuuji@0 495 fs_get (sizes.cbSecurityTrailer + input_message_buffer->length +
yuuji@0 496 sizes.cbBlockSize);
yuuji@0 497 /* MSDN claims that for EncryptMessage() in Kerberos, you need an
yuuji@0 498 * uninitialized SECBUFFER_STREAM_HEADER; a SECBUFFER_DATA that "contains
yuuji@0 499 * the message to be encrypted. The message is encrypted in place,
yuuji@0 500 * overwriting the original contents of its buffer"; an uninitialized
yuuji@0 501 * SECBUFFER_STREAM_TRAILER, and an uninitialized SECBUFFER_EMPTY. I've
yuuji@0 502 * never been able to get it to work that way.
yuuji@0 503 */
yuuji@0 504 bufs.cBuffers = 3; /* set up buffer descriptor */
yuuji@0 505 bufs.pBuffers = buf;
yuuji@0 506 bufs.ulVersion = SECBUFFER_VERSION;
yuuji@0 507 buf[0].BufferType = SECBUFFER_TOKEN;
yuuji@0 508 buf[0].pvBuffer = output_message_buffer->value;
yuuji@0 509 buf[0].cbBuffer = sizes.cbSecurityTrailer;
yuuji@0 510 /* I/O buffer */
yuuji@0 511 buf[1].BufferType = SECBUFFER_DATA;
yuuji@0 512 buf[1].pvBuffer = ((char *) buf[0].pvBuffer) + buf[0].cbBuffer;
yuuji@0 513 buf[1].cbBuffer = input_message_buffer->length;
yuuji@0 514 memcpy (buf[1].pvBuffer,input_message_buffer->value,buf[1].cbBuffer);
yuuji@0 515 buf[2].BufferType = SECBUFFER_PADDING;
yuuji@0 516 buf[2].pvBuffer = ((char *) buf[1].pvBuffer) + buf[1].cbBuffer;
yuuji@0 517 buf[2].cbBuffer = sizes.cbBlockSize;
yuuji@0 518 if ((major_status = EncryptMessage (context_handle,qop_req,&bufs,0)) ==
yuuji@0 519 GSS_S_COMPLETE) {
yuuji@0 520 /* slide data as necessary (how annoying!) */
yuuji@0 521 unsigned long i = sizes.cbSecurityTrailer - buf[0].cbBuffer;
yuuji@0 522 if (i) buf[1].pvBuffer =
yuuji@0 523 memmove (((char *) buf[0].pvBuffer) + buf[0].cbBuffer,
yuuji@0 524 buf[1].pvBuffer,buf[1].cbBuffer);
yuuji@0 525 if (i += (input_message_buffer->length - buf[1].cbBuffer))
yuuji@0 526 buf[1].pvBuffer = memmove (((char *)buf[1].pvBuffer) + buf[1].cbBuffer,
yuuji@0 527 buf[2].pvBuffer,buf[2].cbBuffer);
yuuji@0 528 output_message_buffer->length = buf[0].cbBuffer + buf[1].cbBuffer +
yuuji@0 529 buf[2].cbBuffer;
yuuji@0 530 }
yuuji@0 531 else fs_give (&output_message_buffer->value);
yuuji@0 532 }
yuuji@0 533 return major_status; /* return status */
yuuji@0 534 }
yuuji@0 535
yuuji@0 536 /* GSSAPI unwrap data
yuuji@0 537 * Accepts: pointer to return minor status
yuuji@0 538 * context handle
yuuji@0 539 * input message buffer
yuuji@0 540 * output message buffer
yuuji@0 541 * pointer to return confidentiality state
yuuji@0 542 * pointer to return quality of protection
yuuji@0 543 * Returns: major status, always
yuuji@0 544 */
yuuji@0 545
yuuji@0 546 OM_uint32 gss_unwrap (OM_uint32 *minor_status,gss_ctx_id_t context_handle,
yuuji@0 547 gss_buffer_t input_message_buffer,
yuuji@0 548 gss_buffer_t output_message_buffer,int *conf_state,
yuuji@0 549 gss_qop_t *qop_state)
yuuji@0 550 {
yuuji@0 551 OM_uint32 major_status;
yuuji@0 552 SecBuffer buf[2];
yuuji@0 553 SecBufferDesc bufs;
yuuji@0 554 *minor_status = NIL; /* never any minor status */
yuuji@0 555 *conf_state = NIL; /* or confidentiality state */
yuuji@0 556 /* MSDN implies that all that is needed for DecryptMessage() in Kerberos
yuuji@0 557 * is a single SECBUFFER_DATA which "contains the encrypted message. The
yuuji@0 558 * encrypted message is decrypted in place, overwriting the original
yuuji@0 559 * contents of its buffer." I've never been able to get it to work without
yuuji@0 560 * using a SECBUFFER_STREAM for input and an uninitialized SECBUFFER_DATA
yuuji@0 561 * for output.
yuuji@0 562 * It *does* overwrite the input buffer, but not at the same point; e.g.
yuuji@0 563 * with an input pointer of 0xa140a8 and size of 53, the output ends up
yuuji@0 564 * at 0xa140d5 and size of 4.
yuuji@0 565 */
yuuji@0 566 bufs.cBuffers = 2; /* set up buffer descriptor */
yuuji@0 567 bufs.pBuffers = buf;
yuuji@0 568 bufs.ulVersion = SECBUFFER_VERSION;
yuuji@0 569 /* input buffer */
yuuji@0 570 buf[0].BufferType = SECBUFFER_STREAM;
yuuji@0 571 buf[0].pvBuffer = input_message_buffer->value;
yuuji@0 572 buf[0].cbBuffer = input_message_buffer->length;
yuuji@0 573 /* output buffer */
yuuji@0 574 buf[1].BufferType = SECBUFFER_DATA;
yuuji@0 575 buf[1].pvBuffer = NIL;
yuuji@0 576 buf[1].cbBuffer = 0;
yuuji@0 577 /* decrypt and copy to output buffer */
yuuji@0 578 if ((major_status = DecryptMessage (context_handle,&bufs,0,qop_state)) ==
yuuji@0 579 SEC_E_OK)
yuuji@0 580 memcpy (output_message_buffer->value = fs_get (buf[1].cbBuffer),
yuuji@0 581 buf[1].pvBuffer,output_message_buffer->length = buf[1].cbBuffer);
yuuji@0 582 return major_status; /* return status */
yuuji@0 583 }
yuuji@0 584
yuuji@0 585 /* From here on are server-only functions, currently unused */
yuuji@0 586
yuuji@0 587
yuuji@0 588 /* GSSAPI acquire credentials
yuuji@0 589 * Accepts: pointer to return minor status
yuuji@0 590 * desired principal
yuuji@0 591 * desired lifetime
yuuji@0 592 * desired mechanisms
yuuji@0 593 * credentials usage
yuuji@0 594 * pointer to return credentials handle
yuuji@0 595 * pointer to return mechanisms
yuuji@0 596 * pointer to return lifetime
yuuji@0 597 * Returns: GSS_S_FAILURE, always
yuuji@0 598 */
yuuji@0 599
yuuji@0 600 OM_uint32 gss_acquire_cred (OM_uint32 *minor_status,gss_name_t desired_name,
yuuji@0 601 OM_uint32 time_req,gss_OID_set desired_mechs,
yuuji@0 602 gss_cred_usage_t cred_usage,
yuuji@0 603 gss_cred_id_t *output_cred_handle,
yuuji@0 604 gss_OID_set *actual_mechs,OM_uint32 *time_rec)
yuuji@0 605 {
yuuji@0 606 *minor_status = 0; /* never any minor status */
yuuji@0 607 return GSS_S_FAILURE; /* server only */
yuuji@0 608 }
yuuji@0 609
yuuji@0 610
yuuji@0 611 /* GSSAPI release credentials
yuuji@0 612 * Accepts: pointer to return minor status
yuuji@0 613 * credentials handle to free
yuuji@0 614 * Returns: GSS_S_COMPLETE, always
yuuji@0 615 */
yuuji@0 616
yuuji@0 617 OM_uint32 gss_release_cred (OM_uint32 *minor_status,gss_cred_id_t *cred_handle)
yuuji@0 618 {
yuuji@0 619 *minor_status = 0; /* never any minor status */
yuuji@0 620 return GSS_S_FAILURE; /* server only */
yuuji@0 621 }
yuuji@0 622
yuuji@0 623 /* GSSAPI Accept security context
yuuji@0 624 * Accepts: pointer to return minor status
yuuji@0 625 * context
yuuji@0 626 * acceptor credentials
yuuji@0 627 * input token buffer
yuuji@0 628 * input channel bindings
yuuji@0 629 * pointer to return source name
yuuji@0 630 * pointer to return mechanism type
yuuji@0 631 * buffer to return output token
yuuji@0 632 * pointer to return flags
yuuji@0 633 * pointer to return context lifetime
yuuji@0 634 * pointer to return delegated credentials
yuuji@0 635 * Returns: GSS_S_FAILURE, always
yuuji@0 636 */
yuuji@0 637
yuuji@0 638 OM_uint32 gss_accept_sec_context (OM_uint32 *minor_status,
yuuji@0 639 gss_ctx_id_t *context_handle,
yuuji@0 640 gss_cred_id_t acceptor_cred_handle,
yuuji@0 641 gss_buffer_t input_token_buffer,
yuuji@0 642 gss_channel_bindings_t input_chan_bindings,
yuuji@0 643 gss_name_t *src_name,gss_OID *mech_type,
yuuji@0 644 gss_buffer_t output_token,
yuuji@0 645 OM_uint32 *ret_flags,OM_uint32 *time_rec,
yuuji@0 646 gss_cred_id_t *delegated_cred_handle)
yuuji@0 647 {
yuuji@0 648 *minor_status = 0; /* never any minor status */
yuuji@0 649 return GSS_S_FAILURE; /* server only */
yuuji@0 650 }
yuuji@0 651
yuuji@0 652
yuuji@0 653 /* GSSAPI return printable name
yuuji@0 654 * Accepts: pointer to return minor status
yuuji@0 655 * internal name
yuuji@0 656 * buffer to return output name
yuuji@0 657 * output name type
yuuji@0 658 * Returns: GSS_S_FAILURE, always
yuuji@0 659 */
yuuji@0 660
yuuji@0 661 OM_uint32 gss_display_name (OM_uint32 *minor_status,gss_name_t input_name,
yuuji@0 662 gss_buffer_t output_name_buffer,
yuuji@0 663 gss_OID *output_name_type)
yuuji@0 664 {
yuuji@0 665 *minor_status = 0; /* never any minor status */
yuuji@0 666 return GSS_S_FAILURE; /* server only */
yuuji@0 667 }
yuuji@0 668
yuuji@0 669 /* Kerberos server valid check
yuuji@0 670 * Returns: T if have keytab, NIL otherwise
yuuji@0 671 */
yuuji@0 672
yuuji@0 673 long kerberos_server_valid ()
yuuji@0 674 {
yuuji@0 675 return NIL;
yuuji@0 676 }
yuuji@0 677
yuuji@0 678
yuuji@0 679 /* Kerberos check for missing or expired credentials
yuuji@0 680 * Returns: T if should suggest running kinit, NIL otherwise
yuuji@0 681 */
yuuji@0 682
yuuji@0 683 long kerberos_try_kinit (OM_uint32 error)
yuuji@0 684 {
yuuji@0 685 return NIL;
yuuji@0 686 }
yuuji@0 687
yuuji@0 688 /* Kerberos server log in
yuuji@0 689 * Accepts: authorization ID as user name
yuuji@0 690 * authentication ID as Kerberos principal
yuuji@0 691 * argument count
yuuji@0 692 * argument vector
yuuji@0 693 * Returns: logged in user name if logged in, NIL otherwise
yuuji@0 694 */
yuuji@0 695
yuuji@0 696 char *kerberos_login (char *user,char *authuser,int argc,char *argv[])
yuuji@0 697 {
yuuji@0 698 return NIL;
yuuji@0 699 }

UW-IMAP'd extensions by yuuji