rev |
line source |
yuuji@0
|
1 /* ========================================================================
|
yuuji@0
|
2 * Copyright 1988-2006 University of Washington
|
yuuji@0
|
3 *
|
yuuji@0
|
4 * Licensed under the Apache License, Version 2.0 (the "License");
|
yuuji@0
|
5 * you may not use this file except in compliance with the License.
|
yuuji@0
|
6 * You may obtain a copy of the License at
|
yuuji@0
|
7 *
|
yuuji@0
|
8 * http://www.apache.org/licenses/LICENSE-2.0
|
yuuji@0
|
9 *
|
yuuji@0
|
10 *
|
yuuji@0
|
11 * ========================================================================
|
yuuji@0
|
12 */
|
yuuji@0
|
13
|
yuuji@0
|
14 /*
|
yuuji@0
|
15 * Program: GSSAPI Kerberos Shim 5 for Windows 2000/XP IMAP Toolkit
|
yuuji@0
|
16 *
|
yuuji@0
|
17 * Author: Mark Crispin
|
yuuji@0
|
18 * Networks and Distributed Computing
|
yuuji@0
|
19 * Computing & Communications
|
yuuji@0
|
20 * University of Washington
|
yuuji@0
|
21 * Administration Building, AG-44
|
yuuji@0
|
22 * Seattle, WA 98195
|
yuuji@0
|
23 * Internet: MRC@CAC.Washington.EDU
|
yuuji@0
|
24 *
|
yuuji@0
|
25 * Date: 6 March 2000
|
yuuji@0
|
26 * Last Edited: 30 August 2006
|
yuuji@0
|
27 */
|
yuuji@0
|
28
|
yuuji@0
|
29 /* The purpose of this module is to be a shim, so that the auth_gss.c module
|
yuuji@0
|
30 * (written for MIT Kerberos) will compile, link, and run with SSPI Kerberos
|
yuuji@0
|
31 * on Windows 2000 systems.
|
yuuji@0
|
32 * There is no attempt whatsoever to make this be a complete implementation
|
yuuji@0
|
33 * of GSSAPI. A number of shortcuts were taken that a real GSSAPI
|
yuuji@0
|
34 * implementation for SSPI can't do.
|
yuuji@0
|
35 * Nor is there any attempt to make the types identical with MIT Kerberos;
|
yuuji@0
|
36 * you can't link this library with object files compiled with the MIT
|
yuuji@0
|
37 * Kerberos .h files.
|
yuuji@0
|
38 */
|
yuuji@0
|
39
|
yuuji@0
|
40
|
yuuji@0
|
41 /* GSSAPI generic definitions */
|
yuuji@0
|
42
|
yuuji@0
|
43
|
yuuji@0
|
44 #define SECURITY_WIN32
|
yuuji@0
|
45 #include <security.h>
|
yuuji@0
|
46
|
yuuji@0
|
47
|
yuuji@0
|
48 /* GSSAPI types for which we use SSPI equivalent types */
|
yuuji@0
|
49
|
yuuji@0
|
50 typedef ULONG OM_uint32;
|
yuuji@0
|
51 typedef PCredHandle gss_cred_id_t;
|
yuuji@0
|
52 typedef ULONG gss_cred_usage_t;
|
yuuji@0
|
53 typedef PCtxtHandle gss_ctx_id_t;
|
yuuji@0
|
54 typedef SEC_CHAR * gss_name_t;
|
yuuji@0
|
55 typedef ULONG gss_qop_t;
|
yuuji@0
|
56
|
yuuji@0
|
57
|
yuuji@0
|
58 /* Major status codes */
|
yuuji@0
|
59
|
yuuji@0
|
60 #define GSS_S_COMPLETE SEC_E_OK
|
yuuji@0
|
61 #define GSS_S_BAD_MECH SEC_E_SECPKG_NOT_FOUND
|
yuuji@0
|
62 #define GSS_S_CONTINUE_NEEDED SEC_I_CONTINUE_NEEDED
|
yuuji@0
|
63 #define GSS_S_CREDENTIALS_EXPIRED SEC_E_CERT_EXPIRED
|
yuuji@0
|
64 #define GSS_S_FAILURE SEC_E_INTERNAL_ERROR
|
yuuji@0
|
65 #define GSS_S_NO_CRED SEC_E_NO_CREDENTIALS
|
yuuji@0
|
66 #define GSS_S_NO_CONTEXT SEC_E_INVALID_HANDLE
|
yuuji@0
|
67
|
yuuji@0
|
68
|
yuuji@0
|
69 /* Flag bits for context-level services */
|
yuuji@0
|
70
|
yuuji@0
|
71 #define GSS_C_DELEG_FLAG ISC_REQ_DELEGATE
|
yuuji@0
|
72 #define GSS_C_MUTUAL_FLAG ISC_REQ_MUTUAL_AUTH
|
yuuji@0
|
73 #define GSS_C_REPLAY_FLAG ISC_REQ_REPLAY_DETECT
|
yuuji@0
|
74 #define GSS_C_SEQUENCE_FLAG ISC_REQ_SEQUENCE_DETECT
|
yuuji@0
|
75 #define GSS_C_CONF_FLAG ISC_REQ_CONFIDENTIALITY
|
yuuji@0
|
76 #define GSS_C_INTEG_FLAG ISC_REQ_INTEGRITY
|
yuuji@0
|
77
|
yuuji@0
|
78
|
yuuji@0
|
79 /* Credential usage options */
|
yuuji@0
|
80
|
yuuji@0
|
81 #define GSS_C_BOTH SECPKG_CRED_BOTH
|
yuuji@0
|
82 #define GSS_C_INITIATE SECPKG_CRED_OUTBOUND
|
yuuji@0
|
83 #define GSS_C_ACCEPT SECPKG_CRED_INBOUND
|
yuuji@0
|
84
|
yuuji@0
|
85
|
yuuji@0
|
86 /* Major status codes defined by shim */
|
yuuji@0
|
87
|
yuuji@0
|
88 #define GSS_S_BAD_BINDINGS 100
|
yuuji@0
|
89 #define GSS_S_BAD_NAME 101
|
yuuji@0
|
90 #define GSS_S_BAD_NAMETYPE 102
|
yuuji@0
|
91 #define GSS_S_BAD_STATUS 103
|
yuuji@0
|
92
|
yuuji@0
|
93 /* GSSAPI types as used in GSSAPI */
|
yuuji@0
|
94
|
yuuji@0
|
95
|
yuuji@0
|
96 /* Buffer */
|
yuuji@0
|
97
|
yuuji@0
|
98 typedef struct gss_buffer_desc_struct {
|
yuuji@0
|
99 size_t length;
|
yuuji@0
|
100 void *value;
|
yuuji@0
|
101 } gss_buffer_desc,*gss_buffer_t;
|
yuuji@0
|
102
|
yuuji@0
|
103
|
yuuji@0
|
104 /* Object identifier */
|
yuuji@0
|
105
|
yuuji@0
|
106 typedef struct gss_OID_desc_struct {
|
yuuji@0
|
107 OM_uint32 length;
|
yuuji@0
|
108 void *elements;
|
yuuji@0
|
109 } gss_OID_desc,*gss_OID;
|
yuuji@0
|
110
|
yuuji@0
|
111 typedef struct gss_OID_set_desc_struct {
|
yuuji@0
|
112 size_t count;
|
yuuji@0
|
113 gss_OID elements;
|
yuuji@0
|
114 } gss_OID_set_desc,*gss_OID_set;
|
yuuji@0
|
115
|
yuuji@0
|
116
|
yuuji@0
|
117 /* Unused, but needed in prototypes */
|
yuuji@0
|
118
|
yuuji@0
|
119 typedef void * gss_channel_bindings_t;
|
yuuji@0
|
120
|
yuuji@0
|
121
|
yuuji@0
|
122 /* Default constants */
|
yuuji@0
|
123
|
yuuji@0
|
124 #define GSS_C_EMPTY_BUFFER {0,NIL}
|
yuuji@0
|
125 #define GSS_C_NO_BUFFER ((gss_buffer_t) NIL)
|
yuuji@0
|
126 #define GSS_C_NO_OID ((gss_OID) NIL)
|
yuuji@0
|
127 #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) NIL)
|
yuuji@0
|
128 #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) NIL)
|
yuuji@0
|
129 #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) NIL)
|
yuuji@0
|
130 #define GSS_C_QOP_DEFAULT NIL
|
yuuji@0
|
131
|
yuuji@0
|
132
|
yuuji@0
|
133 /* Status code types for gss_display_status */
|
yuuji@0
|
134
|
yuuji@0
|
135 #define GSS_C_GSS_CODE 1
|
yuuji@0
|
136 #define GSS_C_MECH_CODE 2
|
yuuji@0
|
137
|
yuuji@0
|
138
|
yuuji@0
|
139 /* GSSAPI constants */
|
yuuji@0
|
140
|
yuuji@0
|
141 const gss_OID gss_nt_service_name;
|
yuuji@0
|
142 #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
|
yuuji@0
|
143 const gss_OID gss_mech_krb5;
|
yuuji@0
|
144 const gss_OID_set gss_mech_set_krb5;
|
yuuji@0
|
145
|
yuuji@0
|
146 /* GSSAPI prototypes */
|
yuuji@0
|
147
|
yuuji@0
|
148
|
yuuji@0
|
149 OM_uint32 gss_accept_sec_context (OM_uint32 *minor_status,
|
yuuji@0
|
150 gss_ctx_id_t *context_handle,
|
yuuji@0
|
151 gss_cred_id_t acceptor_cred_handle,
|
yuuji@0
|
152 gss_buffer_t input_token_buffer,
|
yuuji@0
|
153 gss_channel_bindings_t input_chan_bindings,
|
yuuji@0
|
154 gss_name_t *src_name,gss_OID *mech_type,
|
yuuji@0
|
155 gss_buffer_t output_token,
|
yuuji@0
|
156 OM_uint32 *ret_flags,OM_uint32 *time_rec,
|
yuuji@0
|
157 gss_cred_id_t *delegated_cred_handle);
|
yuuji@0
|
158 OM_uint32 gss_acquire_cred (OM_uint32 *minor_status,gss_name_t desired_name,
|
yuuji@0
|
159 OM_uint32 time_req,gss_OID_set desired_mechs,
|
yuuji@0
|
160 gss_cred_usage_t cred_usage,
|
yuuji@0
|
161 gss_cred_id_t *output_cred_handle,
|
yuuji@0
|
162 gss_OID_set *actual_mechs,OM_uint32 *time_rec);
|
yuuji@0
|
163 OM_uint32 gss_delete_sec_context (OM_uint32 *minor_status,
|
yuuji@0
|
164 gss_ctx_id_t *context_handle,
|
yuuji@0
|
165 gss_buffer_t output_token);
|
yuuji@0
|
166 OM_uint32 gss_display_name (OM_uint32 *minor_status,gss_name_t input_name,
|
yuuji@0
|
167 gss_buffer_t output_name_buffer,
|
yuuji@0
|
168 gss_OID *output_name_type);
|
yuuji@0
|
169 OM_uint32 gss_display_status (OM_uint32 *minor_status,OM_uint32 status_value,
|
yuuji@0
|
170 int status_type,gss_OID mech_type,
|
yuuji@0
|
171 OM_uint32 *message_context,
|
yuuji@0
|
172 gss_buffer_t status_string);
|
yuuji@0
|
173 OM_uint32 gss_import_name (OM_uint32 *minor_status,
|
yuuji@0
|
174 gss_buffer_t input_name_buffer,
|
yuuji@0
|
175 gss_OID input_name_type,gss_name_t *output_name);
|
yuuji@0
|
176 OM_uint32 gss_init_sec_context (OM_uint32 *minor_status,
|
yuuji@0
|
177 gss_cred_id_t claimant_cred_handle,
|
yuuji@0
|
178 gss_ctx_id_t *context_handle,
|
yuuji@0
|
179 gss_name_t target_name,gss_OID mech_type,
|
yuuji@0
|
180 OM_uint32 req_flags,OM_uint32 time_req,
|
yuuji@0
|
181 gss_channel_bindings_t input_chan_bindings,
|
yuuji@0
|
182 gss_buffer_t input_token,
|
yuuji@0
|
183 gss_OID *actual_mech_type,
|
yuuji@0
|
184 gss_buffer_t output_token,OM_uint32 *ret_flags,
|
yuuji@0
|
185 OM_uint32 *time_rec);
|
yuuji@0
|
186 OM_uint32 gss_release_buffer (OM_uint32 *minor_status,gss_buffer_t buffer);
|
yuuji@0
|
187 OM_uint32 gss_release_cred (OM_uint32 *minor_status,gss_cred_id_t *cred_handle);
|
yuuji@0
|
188 OM_uint32 gss_release_name (OM_uint32 *minor_status,gss_name_t *input_name);
|
yuuji@0
|
189 OM_uint32 gss_wrap (OM_uint32 *minor_status,gss_ctx_id_t context_handle,
|
yuuji@0
|
190 int conf_req_flag,gss_qop_t qop_req,
|
yuuji@0
|
191 gss_buffer_t input_message_buffer,int *conf_state,
|
yuuji@0
|
192 gss_buffer_t output_message_buffer);
|
yuuji@0
|
193 OM_uint32 gss_unwrap (OM_uint32 *minor_status,gss_ctx_id_t context_handle,
|
yuuji@0
|
194 gss_buffer_t input_message_buffer,
|
yuuji@0
|
195 gss_buffer_t output_message_buffer,int *conf_state,
|
yuuji@0
|
196 gss_qop_t *qop_state);
|
yuuji@0
|
197
|
yuuji@0
|
198 /* Kerberos definitions */
|
yuuji@0
|
199
|
yuuji@0
|
200 long kerberos_server_valid (void);
|
yuuji@0
|
201 long kerberos_try_kinit (OM_uint32 error);
|
yuuji@0
|
202 char *kerberos_login (char *user,char *authuser,int argc,char *argv[]);
|
yuuji@0
|
203
|
yuuji@0
|
204
|
yuuji@0
|
205 #define STRING WINSTRING /* conflict with mail.h */
|
yuuji@0
|
206 #include <NTSecAPI.h>
|
yuuji@0
|
207
|
yuuji@0
|
208 /* GSSAPI build-in object identifiers */
|
yuuji@0
|
209
|
yuuji@0
|
210 static gss_OID_desc oids[] = { /* stupid C language makes this necessary */
|
yuuji@0
|
211 {10,"\052\206\110\206\367\022\001\002\001\004"},
|
yuuji@0
|
212 {9,"\052\206\110\206\367\022\001\002\002"}
|
yuuji@0
|
213 };
|
yuuji@0
|
214
|
yuuji@0
|
215 /* stupid C language ditto */
|
yuuji@0
|
216 static gss_OID_set_desc oidsets[] = {
|
yuuji@0
|
217 {1,(gss_OID) oids+1}
|
yuuji@0
|
218 };
|
yuuji@0
|
219
|
yuuji@0
|
220 /* these are the real OIDs */
|
yuuji@0
|
221 const gss_OID gss_nt_service_name = oids+0;
|
yuuji@0
|
222 const gss_OID gss_mech_krb5 = oids+1;
|
yuuji@0
|
223 const gss_OID_set gss_mech_set_krb5 = oidsets+0;
|
yuuji@0
|
224
|
yuuji@0
|
225
|
yuuji@0
|
226 /* Other globals */
|
yuuji@0
|
227
|
yuuji@0
|
228 /* substitute for GSS_C_NO_CREDENTIAL */
|
yuuji@0
|
229 static gss_cred_id_t gss_default_cred = NIL;
|
yuuji@0
|
230
|
yuuji@0
|
231 /* GSSAPI import name (convert to full service principal name)
|
yuuji@0
|
232 * Accepts: pointer to return minor status
|
yuuji@0
|
233 * buffer containining input name
|
yuuji@0
|
234 * type of input name
|
yuuji@0
|
235 * pointer to return output internal name
|
yuuji@0
|
236 * Returns: major status, always
|
yuuji@0
|
237 */
|
yuuji@0
|
238
|
yuuji@0
|
239 OM_uint32 gss_import_name (OM_uint32 *minor_status,
|
yuuji@0
|
240 gss_buffer_t input_name_buffer,
|
yuuji@0
|
241 gss_OID input_name_type,gss_name_t *output_name)
|
yuuji@0
|
242 {
|
yuuji@0
|
243 OM_uint32 major_status = GSS_S_COMPLETE;
|
yuuji@0
|
244 TimeStamp expiry;
|
yuuji@0
|
245 static CredHandle gss_cred;
|
yuuji@0
|
246 char *s,tmp[MAILTMPLEN];
|
yuuji@0
|
247 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
248 if (!gss_default_cred) { /* default credentials set up yet? */
|
yuuji@0
|
249 if (AcquireCredentialsHandle/* no, acquire them now */
|
yuuji@0
|
250 (NIL,MICROSOFT_KERBEROS_NAME_A,SECPKG_CRED_OUTBOUND,NIL,NIL,NIL,NIL,
|
yuuji@0
|
251 &gss_cred,&expiry) != SEC_E_OK) return GSS_S_FAILURE;
|
yuuji@0
|
252 /* have default credentials now */
|
yuuji@0
|
253 gss_default_cred = &gss_cred;
|
yuuji@0
|
254 }
|
yuuji@0
|
255 /* must be the gss_nt_service_name format */
|
yuuji@0
|
256 if (input_name_type != gss_nt_service_name)
|
yuuji@0
|
257 major_status = GSS_S_BAD_NAMETYPE;
|
yuuji@0
|
258 /* name must be of sane length */
|
yuuji@0
|
259 else if (input_name_buffer->length > (MAILTMPLEN/2))
|
yuuji@0
|
260 major_status = GSS_S_BAD_NAME;
|
yuuji@0
|
261 else { /* copy name */
|
yuuji@0
|
262 memcpy (tmp,input_name_buffer->value,input_name_buffer->length);
|
yuuji@0
|
263 tmp[input_name_buffer->length] = '\0';
|
yuuji@0
|
264 if (s = strchr (tmp,'@')) { /* find service/host/delimiter */
|
yuuji@0
|
265 *s = '/'; /* convert to full service principal name */
|
yuuji@0
|
266 *output_name = cpystr (tmp);
|
yuuji@0
|
267 }
|
yuuji@0
|
268 else major_status = GSS_S_BAD_NAME;
|
yuuji@0
|
269 }
|
yuuji@0
|
270 return major_status;
|
yuuji@0
|
271 }
|
yuuji@0
|
272
|
yuuji@0
|
273 /* GSSAPI Initialize security context
|
yuuji@0
|
274 * Accepts: pointer to return minor status
|
yuuji@0
|
275 * claimant credential handle
|
yuuji@0
|
276 * context (NIL means "none assigned yet")
|
yuuji@0
|
277 * desired principal
|
yuuji@0
|
278 * desired mechanisms
|
yuuji@0
|
279 * required context attributes
|
yuuji@0
|
280 * desired lifetime
|
yuuji@0
|
281 * input channel bindings
|
yuuji@0
|
282 * input token buffer
|
yuuji@0
|
283 * pointer to return mechanism type
|
yuuji@0
|
284 * buffer to return output token
|
yuuji@0
|
285 * pointer to return flags
|
yuuji@0
|
286 * pointer to return context lifetime
|
yuuji@0
|
287 * Returns: major status, always
|
yuuji@0
|
288 */
|
yuuji@0
|
289
|
yuuji@0
|
290 OM_uint32 gss_init_sec_context (OM_uint32 *minor_status,
|
yuuji@0
|
291 gss_cred_id_t claimant_cred_handle,
|
yuuji@0
|
292 gss_ctx_id_t *context_handle,
|
yuuji@0
|
293 gss_name_t target_name,gss_OID mech_type,
|
yuuji@0
|
294 OM_uint32 req_flags,OM_uint32 time_req,
|
yuuji@0
|
295 gss_channel_bindings_t input_chan_bindings,
|
yuuji@0
|
296 gss_buffer_t input_token,
|
yuuji@0
|
297 gss_OID *actual_mech_type,
|
yuuji@0
|
298 gss_buffer_t output_token,OM_uint32 *ret_flags,
|
yuuji@0
|
299 OM_uint32 *time_rec)
|
yuuji@0
|
300 {
|
yuuji@0
|
301 OM_uint32 i;
|
yuuji@0
|
302 OM_uint32 major_status;
|
yuuji@0
|
303 TimeStamp expiry;
|
yuuji@0
|
304 SecBuffer ibuf[1],obuf[1];
|
yuuji@0
|
305 SecBufferDesc ibufs,obufs;
|
yuuji@0
|
306 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
307 /* error if non-default time requested */
|
yuuji@0
|
308 if (time_req) return GSS_S_FAILURE;
|
yuuji@0
|
309 if (mech_type && memcmp (mech_type,gss_mech_krb5,sizeof (gss_OID)))
|
yuuji@0
|
310 return GSS_S_BAD_MECH;
|
yuuji@0
|
311 /* ditto if any channel bindings */
|
yuuji@0
|
312 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS)
|
yuuji@0
|
313 return GSS_S_BAD_BINDINGS;
|
yuuji@0
|
314
|
yuuji@0
|
315 /* apply default credential if necessary */
|
yuuji@0
|
316 if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
|
yuuji@0
|
317 claimant_cred_handle = gss_default_cred;
|
yuuji@0
|
318 /* create output buffer storage as needed */
|
yuuji@0
|
319 req_flags |= ISC_REQ_ALLOCATE_MEMORY;
|
yuuji@0
|
320 /* make output buffer */
|
yuuji@0
|
321 obuf[0].BufferType = SECBUFFER_TOKEN;
|
yuuji@0
|
322 obuf[0].cbBuffer = 0; obuf[0].pvBuffer = NIL;
|
yuuji@0
|
323 /* output buffer descriptor */
|
yuuji@0
|
324 obufs.ulVersion = SECBUFFER_VERSION;
|
yuuji@0
|
325 obufs.cBuffers = 1;
|
yuuji@0
|
326 obufs.pBuffers = obuf;
|
yuuji@0
|
327 /* first time caller? */
|
yuuji@0
|
328 if (*context_handle == GSS_C_NO_CONTEXT) {
|
yuuji@0
|
329 /* yes, set up output context handle */
|
yuuji@0
|
330 PCtxtHandle ctx = (PCtxtHandle) fs_get (sizeof (CtxtHandle));
|
yuuji@0
|
331 major_status = InitializeSecurityContext (claimant_cred_handle,NIL,
|
yuuji@0
|
332 target_name,req_flags,0,
|
yuuji@0
|
333 SECURITY_NETWORK_DREP,NIL,0,ctx,
|
yuuji@0
|
334 &obufs,
|
yuuji@0
|
335 ret_flags ? ret_flags : &i,
|
yuuji@0
|
336 &expiry);
|
yuuji@0
|
337 *context_handle = ctx; /* return updated context */
|
yuuji@0
|
338 }
|
yuuji@0
|
339 else { /* no, make SSPI buffer from GSSAPI buffer */
|
yuuji@0
|
340 ibuf[0].BufferType = obuf[0].BufferType = SECBUFFER_TOKEN;
|
yuuji@0
|
341 ibuf[0].cbBuffer = input_token->length;
|
yuuji@0
|
342 ibuf[0].pvBuffer = input_token->value;
|
yuuji@0
|
343 /* input buffer descriptor */
|
yuuji@0
|
344 ibufs.ulVersion = SECBUFFER_VERSION;
|
yuuji@0
|
345 ibufs.cBuffers = 1;
|
yuuji@0
|
346 ibufs.pBuffers = ibuf;
|
yuuji@0
|
347 major_status = InitializeSecurityContext (claimant_cred_handle,
|
yuuji@0
|
348 *context_handle,target_name,
|
yuuji@0
|
349 req_flags,0,
|
yuuji@0
|
350 SECURITY_NETWORK_DREP,&ibufs,0,
|
yuuji@0
|
351 *context_handle,&obufs,
|
yuuji@0
|
352 ret_flags ? ret_flags : &i,
|
yuuji@0
|
353 &expiry);
|
yuuji@0
|
354 }
|
yuuji@0
|
355 /* return output */
|
yuuji@0
|
356 output_token->value = obuf[0].pvBuffer;
|
yuuji@0
|
357 output_token->length = obuf[0].cbBuffer;
|
yuuji@0
|
358 /* in case client wanted lifetime returned */
|
yuuji@0
|
359 if (time_rec) *time_rec = expiry.LowPart;
|
yuuji@0
|
360 return major_status;
|
yuuji@0
|
361 }
|
yuuji@0
|
362
|
yuuji@0
|
363 /* GSSAPI display status text
|
yuuji@0
|
364 * Accepts: pointer to return minor status
|
yuuji@0
|
365 * status to display
|
yuuji@0
|
366 * status type
|
yuuji@0
|
367 * message context for continuation
|
yuuji@0
|
368 * buffer to write status string
|
yuuji@0
|
369 * Returns: major status, always
|
yuuji@0
|
370 */
|
yuuji@0
|
371
|
yuuji@0
|
372 OM_uint32 gss_display_status (OM_uint32 *minor_status,OM_uint32 status_value,
|
yuuji@0
|
373 int status_type,gss_OID mech_type,
|
yuuji@0
|
374 OM_uint32 *message_context,
|
yuuji@0
|
375 gss_buffer_t status_string)
|
yuuji@0
|
376 {
|
yuuji@0
|
377 char *s,tmp[MAILTMPLEN];
|
yuuji@0
|
378 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
379 if (*message_context) return GSS_S_FAILURE;
|
yuuji@0
|
380 switch (status_type) { /* what type of status code? */
|
yuuji@0
|
381 case GSS_C_GSS_CODE: /* major_status */
|
yuuji@0
|
382 switch (status_value) { /* analyze status value */
|
yuuji@0
|
383 case GSS_S_FAILURE:
|
yuuji@0
|
384 s = "Unspecified failure"; break;
|
yuuji@0
|
385 case GSS_S_CREDENTIALS_EXPIRED:
|
yuuji@0
|
386 s = "Credentials expired"; break;
|
yuuji@0
|
387 case GSS_S_BAD_BINDINGS:
|
yuuji@0
|
388 s = "Bad bindings"; break;
|
yuuji@0
|
389 case GSS_S_BAD_MECH:
|
yuuji@0
|
390 s = "Bad mechanism type"; break;
|
yuuji@0
|
391 case GSS_S_BAD_NAME:
|
yuuji@0
|
392 s = "Bad name"; break;
|
yuuji@0
|
393 case GSS_S_BAD_NAMETYPE:
|
yuuji@0
|
394 s = "Bad name type"; break;
|
yuuji@0
|
395 case GSS_S_BAD_STATUS:
|
yuuji@0
|
396 s = "Bad status"; break;
|
yuuji@0
|
397 case GSS_S_NO_CONTEXT:
|
yuuji@0
|
398 s = "Invalid context handle"; break;
|
yuuji@0
|
399 case GSS_S_NO_CRED:
|
yuuji@0
|
400 s = "Unable to authenticate to Kerberos service";
|
yuuji@0
|
401 mail_parameters (NIL,DISABLE_AUTHENTICATOR,"GSSAPI");
|
yuuji@0
|
402 break;
|
yuuji@0
|
403 case SEC_E_NO_AUTHENTICATING_AUTHORITY:
|
yuuji@0
|
404 s = "No authenticating authority"; break;
|
yuuji@0
|
405 case SEC_E_TARGET_UNKNOWN:
|
yuuji@0
|
406 s = "Destination server unknown to Kerberos service"; break;
|
yuuji@0
|
407 default:
|
yuuji@0
|
408 sprintf (s = tmp,"SSPI code %lx",status_value);
|
yuuji@0
|
409 }
|
yuuji@0
|
410 break;
|
yuuji@0
|
411 case GSS_C_MECH_CODE: /* minor status - drop into default */
|
yuuji@0
|
412 default:
|
yuuji@0
|
413 return GSS_S_BAD_STATUS; /* bad status type */
|
yuuji@0
|
414 }
|
yuuji@0
|
415 /* return status string */
|
yuuji@0
|
416 status_string->length = strlen (status_string->value = cpystr (s));
|
yuuji@0
|
417 return GSS_S_COMPLETE;
|
yuuji@0
|
418 }
|
yuuji@0
|
419
|
yuuji@0
|
420 /* GSSAPI delete security context
|
yuuji@0
|
421 * Accepts: pointer to return minor status
|
yuuji@0
|
422 * context to delete
|
yuuji@0
|
423 * output context token
|
yuuji@0
|
424 * Returns: major status, always
|
yuuji@0
|
425 */
|
yuuji@0
|
426
|
yuuji@0
|
427 OM_uint32 gss_delete_sec_context (OM_uint32 *minor_status,
|
yuuji@0
|
428 gss_ctx_id_t *context_handle,
|
yuuji@0
|
429 gss_buffer_t output_token)
|
yuuji@0
|
430 {
|
yuuji@0
|
431 OM_uint32 major_status;
|
yuuji@0
|
432 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
433 /* output token not supported */
|
yuuji@0
|
434 major_status = output_token ? GSS_S_FAILURE :
|
yuuji@0
|
435 DeleteSecurityContext (*context_handle);
|
yuuji@0
|
436 fs_give ((void **) context_handle);
|
yuuji@0
|
437 return major_status;
|
yuuji@0
|
438 }
|
yuuji@0
|
439
|
yuuji@0
|
440
|
yuuji@0
|
441 /* GSSAPI release buffer
|
yuuji@0
|
442 * Accepts: pointer to return minor status
|
yuuji@0
|
443 * buffer to release
|
yuuji@0
|
444 * Returns: GSS_S_COMPLETE, always
|
yuuji@0
|
445 */
|
yuuji@0
|
446
|
yuuji@0
|
447 OM_uint32 gss_release_buffer (OM_uint32 *minor_status,gss_buffer_t buffer)
|
yuuji@0
|
448 {
|
yuuji@0
|
449 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
450 fs_give (&buffer->value);
|
yuuji@0
|
451 return GSS_S_COMPLETE;
|
yuuji@0
|
452 }
|
yuuji@0
|
453
|
yuuji@0
|
454
|
yuuji@0
|
455 /* GSSAPI release name
|
yuuji@0
|
456 * Accepts: pointer to return minor status
|
yuuji@0
|
457 * pointer to name to release
|
yuuji@0
|
458 * Returns: GSS_S_COMPLETE, always
|
yuuji@0
|
459 */
|
yuuji@0
|
460
|
yuuji@0
|
461 OM_uint32 gss_release_name (OM_uint32 *minor_status,gss_name_t *input_name)
|
yuuji@0
|
462 {
|
yuuji@0
|
463 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
464 fs_give (input_name);
|
yuuji@0
|
465 return GSS_S_COMPLETE;
|
yuuji@0
|
466 }
|
yuuji@0
|
467
|
yuuji@0
|
468 /* GSSAPI wrap data
|
yuuji@0
|
469 * Accepts: pointer to return minor status
|
yuuji@0
|
470 * context handle
|
yuuji@0
|
471 * requested confidentiality
|
yuuji@0
|
472 * requested quality of protection
|
yuuji@0
|
473 * input message buffer
|
yuuji@0
|
474 * pointer to return confidentiality state
|
yuuji@0
|
475 * output message buffer
|
yuuji@0
|
476 * Returns: major status, always
|
yuuji@0
|
477 */
|
yuuji@0
|
478
|
yuuji@0
|
479 OM_uint32 gss_wrap (OM_uint32 *minor_status,gss_ctx_id_t context_handle,
|
yuuji@0
|
480 int conf_req_flag,gss_qop_t qop_req,
|
yuuji@0
|
481 gss_buffer_t input_message_buffer,int *conf_state,
|
yuuji@0
|
482 gss_buffer_t output_message_buffer)
|
yuuji@0
|
483 {
|
yuuji@0
|
484 OM_uint32 major_status;
|
yuuji@0
|
485 SecBuffer buf[3];
|
yuuji@0
|
486 SecBufferDesc bufs;
|
yuuji@0
|
487 SecPkgContext_Sizes sizes;
|
yuuji@0
|
488 *minor_status = NIL; /* never any minor status */
|
yuuji@0
|
489 *conf_state = conf_req_flag; /* same as requested */
|
yuuji@0
|
490 if ((major_status = /* get trailer and padding sizes */
|
yuuji@0
|
491 QueryContextAttributes (context_handle,SECPKG_ATTR_SIZES,&sizes)) ==
|
yuuji@0
|
492 SEC_E_OK) {
|
yuuji@0
|
493 /* create big enough output buffer */
|
yuuji@0
|
494 output_message_buffer->value =
|
yuuji@0
|
495 fs_get (sizes.cbSecurityTrailer + input_message_buffer->length +
|
yuuji@0
|
496 sizes.cbBlockSize);
|
yuuji@0
|
497 /* MSDN claims that for EncryptMessage() in Kerberos, you need an
|
yuuji@0
|
498 * uninitialized SECBUFFER_STREAM_HEADER; a SECBUFFER_DATA that "contains
|
yuuji@0
|
499 * the message to be encrypted. The message is encrypted in place,
|
yuuji@0
|
500 * overwriting the original contents of its buffer"; an uninitialized
|
yuuji@0
|
501 * SECBUFFER_STREAM_TRAILER, and an uninitialized SECBUFFER_EMPTY. I've
|
yuuji@0
|
502 * never been able to get it to work that way.
|
yuuji@0
|
503 */
|
yuuji@0
|
504 bufs.cBuffers = 3; /* set up buffer descriptor */
|
yuuji@0
|
505 bufs.pBuffers = buf;
|
yuuji@0
|
506 bufs.ulVersion = SECBUFFER_VERSION;
|
yuuji@0
|
507 buf[0].BufferType = SECBUFFER_TOKEN;
|
yuuji@0
|
508 buf[0].pvBuffer = output_message_buffer->value;
|
yuuji@0
|
509 buf[0].cbBuffer = sizes.cbSecurityTrailer;
|
yuuji@0
|
510 /* I/O buffer */
|
yuuji@0
|
511 buf[1].BufferType = SECBUFFER_DATA;
|
yuuji@0
|
512 buf[1].pvBuffer = ((char *) buf[0].pvBuffer) + buf[0].cbBuffer;
|
yuuji@0
|
513 buf[1].cbBuffer = input_message_buffer->length;
|
yuuji@0
|
514 memcpy (buf[1].pvBuffer,input_message_buffer->value,buf[1].cbBuffer);
|
yuuji@0
|
515 buf[2].BufferType = SECBUFFER_PADDING;
|
yuuji@0
|
516 buf[2].pvBuffer = ((char *) buf[1].pvBuffer) + buf[1].cbBuffer;
|
yuuji@0
|
517 buf[2].cbBuffer = sizes.cbBlockSize;
|
yuuji@0
|
518 if ((major_status = EncryptMessage (context_handle,qop_req,&bufs,0)) ==
|
yuuji@0
|
519 GSS_S_COMPLETE) {
|
yuuji@0
|
520 /* slide data as necessary (how annoying!) */
|
yuuji@0
|
521 unsigned long i = sizes.cbSecurityTrailer - buf[0].cbBuffer;
|
yuuji@0
|
522 if (i) buf[1].pvBuffer =
|
yuuji@0
|
523 memmove (((char *) buf[0].pvBuffer) + buf[0].cbBuffer,
|
yuuji@0
|
524 buf[1].pvBuffer,buf[1].cbBuffer);
|
yuuji@0
|
525 if (i += (input_message_buffer->length - buf[1].cbBuffer))
|
yuuji@0
|
526 buf[1].pvBuffer = memmove (((char *)buf[1].pvBuffer) + buf[1].cbBuffer,
|
yuuji@0
|
527 buf[2].pvBuffer,buf[2].cbBuffer);
|
yuuji@0
|
528 output_message_buffer->length = buf[0].cbBuffer + buf[1].cbBuffer +
|
yuuji@0
|
529 buf[2].cbBuffer;
|
yuuji@0
|
530 }
|
yuuji@0
|
531 else fs_give (&output_message_buffer->value);
|
yuuji@0
|
532 }
|
yuuji@0
|
533 return major_status; /* return status */
|
yuuji@0
|
534 }
|
yuuji@0
|
535
|
yuuji@0
|
536 /* GSSAPI unwrap data
|
yuuji@0
|
537 * Accepts: pointer to return minor status
|
yuuji@0
|
538 * context handle
|
yuuji@0
|
539 * input message buffer
|
yuuji@0
|
540 * output message buffer
|
yuuji@0
|
541 * pointer to return confidentiality state
|
yuuji@0
|
542 * pointer to return quality of protection
|
yuuji@0
|
543 * Returns: major status, always
|
yuuji@0
|
544 */
|
yuuji@0
|
545
|
yuuji@0
|
546 OM_uint32 gss_unwrap (OM_uint32 *minor_status,gss_ctx_id_t context_handle,
|
yuuji@0
|
547 gss_buffer_t input_message_buffer,
|
yuuji@0
|
548 gss_buffer_t output_message_buffer,int *conf_state,
|
yuuji@0
|
549 gss_qop_t *qop_state)
|
yuuji@0
|
550 {
|
yuuji@0
|
551 OM_uint32 major_status;
|
yuuji@0
|
552 SecBuffer buf[2];
|
yuuji@0
|
553 SecBufferDesc bufs;
|
yuuji@0
|
554 *minor_status = NIL; /* never any minor status */
|
yuuji@0
|
555 *conf_state = NIL; /* or confidentiality state */
|
yuuji@0
|
556 /* MSDN implies that all that is needed for DecryptMessage() in Kerberos
|
yuuji@0
|
557 * is a single SECBUFFER_DATA which "contains the encrypted message. The
|
yuuji@0
|
558 * encrypted message is decrypted in place, overwriting the original
|
yuuji@0
|
559 * contents of its buffer." I've never been able to get it to work without
|
yuuji@0
|
560 * using a SECBUFFER_STREAM for input and an uninitialized SECBUFFER_DATA
|
yuuji@0
|
561 * for output.
|
yuuji@0
|
562 * It *does* overwrite the input buffer, but not at the same point; e.g.
|
yuuji@0
|
563 * with an input pointer of 0xa140a8 and size of 53, the output ends up
|
yuuji@0
|
564 * at 0xa140d5 and size of 4.
|
yuuji@0
|
565 */
|
yuuji@0
|
566 bufs.cBuffers = 2; /* set up buffer descriptor */
|
yuuji@0
|
567 bufs.pBuffers = buf;
|
yuuji@0
|
568 bufs.ulVersion = SECBUFFER_VERSION;
|
yuuji@0
|
569 /* input buffer */
|
yuuji@0
|
570 buf[0].BufferType = SECBUFFER_STREAM;
|
yuuji@0
|
571 buf[0].pvBuffer = input_message_buffer->value;
|
yuuji@0
|
572 buf[0].cbBuffer = input_message_buffer->length;
|
yuuji@0
|
573 /* output buffer */
|
yuuji@0
|
574 buf[1].BufferType = SECBUFFER_DATA;
|
yuuji@0
|
575 buf[1].pvBuffer = NIL;
|
yuuji@0
|
576 buf[1].cbBuffer = 0;
|
yuuji@0
|
577 /* decrypt and copy to output buffer */
|
yuuji@0
|
578 if ((major_status = DecryptMessage (context_handle,&bufs,0,qop_state)) ==
|
yuuji@0
|
579 SEC_E_OK)
|
yuuji@0
|
580 memcpy (output_message_buffer->value = fs_get (buf[1].cbBuffer),
|
yuuji@0
|
581 buf[1].pvBuffer,output_message_buffer->length = buf[1].cbBuffer);
|
yuuji@0
|
582 return major_status; /* return status */
|
yuuji@0
|
583 }
|
yuuji@0
|
584
|
yuuji@0
|
585 /* From here on are server-only functions, currently unused */
|
yuuji@0
|
586
|
yuuji@0
|
587
|
yuuji@0
|
588 /* GSSAPI acquire credentials
|
yuuji@0
|
589 * Accepts: pointer to return minor status
|
yuuji@0
|
590 * desired principal
|
yuuji@0
|
591 * desired lifetime
|
yuuji@0
|
592 * desired mechanisms
|
yuuji@0
|
593 * credentials usage
|
yuuji@0
|
594 * pointer to return credentials handle
|
yuuji@0
|
595 * pointer to return mechanisms
|
yuuji@0
|
596 * pointer to return lifetime
|
yuuji@0
|
597 * Returns: GSS_S_FAILURE, always
|
yuuji@0
|
598 */
|
yuuji@0
|
599
|
yuuji@0
|
600 OM_uint32 gss_acquire_cred (OM_uint32 *minor_status,gss_name_t desired_name,
|
yuuji@0
|
601 OM_uint32 time_req,gss_OID_set desired_mechs,
|
yuuji@0
|
602 gss_cred_usage_t cred_usage,
|
yuuji@0
|
603 gss_cred_id_t *output_cred_handle,
|
yuuji@0
|
604 gss_OID_set *actual_mechs,OM_uint32 *time_rec)
|
yuuji@0
|
605 {
|
yuuji@0
|
606 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
607 return GSS_S_FAILURE; /* server only */
|
yuuji@0
|
608 }
|
yuuji@0
|
609
|
yuuji@0
|
610
|
yuuji@0
|
611 /* GSSAPI release credentials
|
yuuji@0
|
612 * Accepts: pointer to return minor status
|
yuuji@0
|
613 * credentials handle to free
|
yuuji@0
|
614 * Returns: GSS_S_COMPLETE, always
|
yuuji@0
|
615 */
|
yuuji@0
|
616
|
yuuji@0
|
617 OM_uint32 gss_release_cred (OM_uint32 *minor_status,gss_cred_id_t *cred_handle)
|
yuuji@0
|
618 {
|
yuuji@0
|
619 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
620 return GSS_S_FAILURE; /* server only */
|
yuuji@0
|
621 }
|
yuuji@0
|
622
|
yuuji@0
|
623 /* GSSAPI Accept security context
|
yuuji@0
|
624 * Accepts: pointer to return minor status
|
yuuji@0
|
625 * context
|
yuuji@0
|
626 * acceptor credentials
|
yuuji@0
|
627 * input token buffer
|
yuuji@0
|
628 * input channel bindings
|
yuuji@0
|
629 * pointer to return source name
|
yuuji@0
|
630 * pointer to return mechanism type
|
yuuji@0
|
631 * buffer to return output token
|
yuuji@0
|
632 * pointer to return flags
|
yuuji@0
|
633 * pointer to return context lifetime
|
yuuji@0
|
634 * pointer to return delegated credentials
|
yuuji@0
|
635 * Returns: GSS_S_FAILURE, always
|
yuuji@0
|
636 */
|
yuuji@0
|
637
|
yuuji@0
|
638 OM_uint32 gss_accept_sec_context (OM_uint32 *minor_status,
|
yuuji@0
|
639 gss_ctx_id_t *context_handle,
|
yuuji@0
|
640 gss_cred_id_t acceptor_cred_handle,
|
yuuji@0
|
641 gss_buffer_t input_token_buffer,
|
yuuji@0
|
642 gss_channel_bindings_t input_chan_bindings,
|
yuuji@0
|
643 gss_name_t *src_name,gss_OID *mech_type,
|
yuuji@0
|
644 gss_buffer_t output_token,
|
yuuji@0
|
645 OM_uint32 *ret_flags,OM_uint32 *time_rec,
|
yuuji@0
|
646 gss_cred_id_t *delegated_cred_handle)
|
yuuji@0
|
647 {
|
yuuji@0
|
648 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
649 return GSS_S_FAILURE; /* server only */
|
yuuji@0
|
650 }
|
yuuji@0
|
651
|
yuuji@0
|
652
|
yuuji@0
|
653 /* GSSAPI return printable name
|
yuuji@0
|
654 * Accepts: pointer to return minor status
|
yuuji@0
|
655 * internal name
|
yuuji@0
|
656 * buffer to return output name
|
yuuji@0
|
657 * output name type
|
yuuji@0
|
658 * Returns: GSS_S_FAILURE, always
|
yuuji@0
|
659 */
|
yuuji@0
|
660
|
yuuji@0
|
661 OM_uint32 gss_display_name (OM_uint32 *minor_status,gss_name_t input_name,
|
yuuji@0
|
662 gss_buffer_t output_name_buffer,
|
yuuji@0
|
663 gss_OID *output_name_type)
|
yuuji@0
|
664 {
|
yuuji@0
|
665 *minor_status = 0; /* never any minor status */
|
yuuji@0
|
666 return GSS_S_FAILURE; /* server only */
|
yuuji@0
|
667 }
|
yuuji@0
|
668
|
yuuji@0
|
669 /* Kerberos server valid check
|
yuuji@0
|
670 * Returns: T if have keytab, NIL otherwise
|
yuuji@0
|
671 */
|
yuuji@0
|
672
|
yuuji@0
|
673 long kerberos_server_valid ()
|
yuuji@0
|
674 {
|
yuuji@0
|
675 return NIL;
|
yuuji@0
|
676 }
|
yuuji@0
|
677
|
yuuji@0
|
678
|
yuuji@0
|
679 /* Kerberos check for missing or expired credentials
|
yuuji@0
|
680 * Returns: T if should suggest running kinit, NIL otherwise
|
yuuji@0
|
681 */
|
yuuji@0
|
682
|
yuuji@0
|
683 long kerberos_try_kinit (OM_uint32 error)
|
yuuji@0
|
684 {
|
yuuji@0
|
685 return NIL;
|
yuuji@0
|
686 }
|
yuuji@0
|
687
|
yuuji@0
|
688 /* Kerberos server log in
|
yuuji@0
|
689 * Accepts: authorization ID as user name
|
yuuji@0
|
690 * authentication ID as Kerberos principal
|
yuuji@0
|
691 * argument count
|
yuuji@0
|
692 * argument vector
|
yuuji@0
|
693 * Returns: logged in user name if logged in, NIL otherwise
|
yuuji@0
|
694 */
|
yuuji@0
|
695
|
yuuji@0
|
696 char *kerberos_login (char *user,char *authuser,int argc,char *argv[])
|
yuuji@0
|
697 {
|
yuuji@0
|
698 return NIL;
|
yuuji@0
|
699 }
|