/*
*/
#include "mglueP.h"
#include "gssapiP_generic.h"
#include <stdio.h>
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif
#include <string.h>
#include <errno.h>
/*
* SUNW17PACresync
* MIT has diff names for these GSS utilities. Solaris needs to change
* Revisit for full 1.7 resync.
*/
extern gss_mechanism *gssint_mechs_array;
/*
* This file contains the support routines for the glue layer.
*/
/*
* get_der_length: Givin a pointer to a buffer that contains a DER encoded
* length, decode the length updating the buffer to point to the character
* after the DER encoding. The parameter bytes will point to the number of
* bytes that made up the DER encoding of the length originally pointed to
* by the buffer. Note we return -1 on error.
*/
int
unsigned int *bytes)
{
/* p points to the beginning of the buffer */
unsigned char *p = *buf;
unsigned int octets;
if (buf_len < 1)
return (-1);
/* We should have at least one byte */
*bytes = 1;
/*
* If the High order bit is not set then the length is just the value
* of *p.
*/
if (*p < 128) {
return (*p); /* return the length */
}
/*
* if the High order bit is set, then the low order bits represent
* the number of bytes that contain the DER encoding of the length.
*/
octets = *p++ & 0x7f;
/* See if the supplied buffer contains enough bytes for the length. */
return (-1);
/*
* Calculate a multibyte length. The length is encoded as an
* unsigned integer base 256.
*/
return (-1);
length = new_length;
}
*buf = p; /* Advance the buffer */
return (length);
}
/*
* der_length_size: Return the number of bytes to encode a given length.
*/
unsigned int
{
int i;
if (len < 128)
return (1);
for (i = 0; len; i++) {
len >>= 8;
}
return (i+1);
}
/*
* put_der_length: Encode the supplied length into the buffer pointed to
* by buf. max_length represents the maximum length of the buffer pointed
* to by buff. We will advance buf to point to the character after the newly
* DER encoded length. We return 0 on success or -l it the length cannot
* be encoded in max_len characters.
*/
int
unsigned int max_len)
{
unsigned char *s, *p;
unsigned int buf_len = 0;
int i, first;
/* Oops */
return (-1);
s = *buf;
/* Single byte is the length */
if (length < 128) {
*s++ = length;
*buf = s;
return (0);
}
/* First byte contains the number of octets */
p = s + 1;
/* Running total of the DER encoding length */
buf_len = 0;
/*
* Encode MSB first. We do the encoding by setting a shift
* factor to MSO_BIT (24 for 32 bit words) and then shifting the length
* by the factor. We then encode the resulting low order byte.
* We subtract 8 from the shift factor and repeat to ecnode the next
* byte. We stop when the shift factor is zero or we've run out of
* buffer to encode into.
*/
first = 0;
unsigned int v;
v = (length >> i) & 0xff;
if ((v) || first) {
buf_len += 1;
*p++ = v;
first = 1;
}
}
if (i >= 0) /* buffer overflow */
return (-1);
/*
* We go back now and set the first byte to be the length with
* the high order bit set.
*/
*s = buf_len | 0x80;
*buf = p;
return (0);
}
/*
* glue routine for get_mech_type
*
*/
{
unsigned char *buffer_ptr;
int length;
/*
* This routine reads the prefix of "token" in order to determine
* its mechanism type. It assumes the encoding suggested in
* Appendix B of RFC 1508. This format starts out as follows :
*
* tag for APPLICATION 0, Sequence[constructed, definite length]
* length of remainder of token
* tag of OBJECT IDENTIFIER
* length of mechanism OID
* encoding of mechanism OID
* <the rest of the token>
*
* Numerically, this looks like :
*
* 0x60
* <length> - could be multiple bytes
* 0x06
* <length> - assume only one byte, hence OID length < 127
* <mech OID bytes>
*
* The routine fills in the OID value and returns an error as necessary.
*/
return (GSS_S_CALL_INACCESSIBLE_WRITE);
return (GSS_S_DEFECTIVE_TOKEN);
if (*(buffer_ptr++) != 0x60)
return (GSS_S_DEFECTIVE_TOKEN);
length = *buffer_ptr++;
/* check if token length is null */
if (length == 0)
return (GSS_S_DEFECTIVE_TOKEN);
if (length & 0x80) {
return (GSS_S_DEFECTIVE_TOKEN);
}
if (*(buffer_ptr++) != 0x06)
return (GSS_S_DEFECTIVE_TOKEN);
return (GSS_S_COMPLETE);
}
/*
* The following mechanisms do not always identify themselves
* per the GSS-API specification, when interoperating with MS
* peers. We include the OIDs here so we do not have to link
* with the mechanism.
*/
{10, (void *)"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"};
{6, (void *)"\x2b\x06\x01\x05\x05\x02"};
{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
{
/* Check for interoperability exceptions */
sizeof (NTLMSSP_SIGNATURE)) == 0) {
/* Could be a raw AP-REQ (check for APPLICATION tag) */
} else {
}
return (GSS_S_COMPLETE);
}
/*
* Internal routines to get and release an internal mechanism name
*/
#if 0 /* SUNW17PACresync */
#include "mglueP.h"
#endif
{
if (mech) {
if (mech->gss_import_name) {
if (status != GSS_S_COMPLETE)
} else
return (status);
}
return (GSS_S_BAD_MECH);
}
const gss_name_t internal_name;
{
int mechOidDERLen = 0;
int mechOidLen = 0;
if (!mech)
return (GSS_S_BAD_MECH);
if (mech->gss_export_name) {
name_buf);
if (status != GSS_S_COMPLETE)
return (status);
}
/*
* if we are here it is because the mechanism does not provide
* a gss_export_name so we will use our implementation. We
* do required that the mechanism define a gss_display_name.
*/
if (!mech->gss_display_name)
return (GSS_S_UNAVAILABLE);
/*
* NOTE: RFC2743 (section 3.2) governs the format of the outer
* wrapper of exported names; the mechanisms' specs govern
* the format of the inner portion of the exported name
* and, for some (e.g., RFC1964, the Kerberos V mech), a
* generic default as implemented here will do.
*
* The outer wrapper of an exported MN is: 2-octet tok Id
* (0x0401) + 2-octet network-byte order mech OID length + mech
* oid (in DER format, including DER tag and DER length) +
* 4-octet network-byte order length of inner portion + inner
* portion.
*
* For the Kerberos V mechanism the inner portion of an exported
* MN is the display name string and ignores the name type OID
* altogether. And we hope this will be so for any future
* the mech and into libgss pays off.
*/
&dispName,
&nameOid))
!= GSS_S_COMPLETE) {
return (status);
}
/* determine the size of the buffer needed */
(void*)NULL) {
return (GSS_S_FAILURE);
}
/* now create the name ..... */
/* spec allows only 2 bytes for the mech oid length */
buf += 2;
/*
* DER Encoding of mech OID contains OID Tag (0x06), length and
* mech OID value
*/
*buf++ = 0x06;
return (GSS_S_FAILURE);
}
/* spec designates the next 4 bytes for the name length */
buf += 4;
/* for the final ingredient - add the name from gss_display_name */
/* release the buffer obtained from gss_display_name */
return (GSS_S_COMPLETE);
} /* gssint_export_internal_name */
{
if (mech) {
if (mech->gss_display_name) {
if (status != GSS_S_COMPLETE)
} else
return (status);
}
return (GSS_S_BAD_MECH);
}
{
if (mech) {
if (mech->gss_release_name) {
if (status != GSS_S_COMPLETE)
} else
return (status);
}
return (GSS_S_BAD_MECH);
}
{
if (mech) {
if (mech->gss_delete_sec_context)
else
/* SUNW17PACresync - map error here? */
return (status);
}
return (GSS_S_BAD_MECH);
}
/*
* This function converts an internal gssapi name to a union gssapi
* name. Note that internal_name should be considered "consumed" by
* this call, whether or not we return an error.
*/
{
if (!union_name) {
*minor_status = ENOMEM;
goto allocation_failure;
}
union_name->mech_type = 0;
union_name->name_type = 0;
union_name->external_name = 0;
&union_name->mech_type);
if (major_status != GSS_S_COMPLETE) {
goto allocation_failure;
}
if (!union_name->external_name) {
*minor_status = ENOMEM;
goto allocation_failure;
}
&union_name->name_type);
if (major_status != GSS_S_COMPLETE) {
goto allocation_failure;
}
return (GSS_S_COMPLETE);
if (union_name) {
if (union_name->external_name) {
}
if (union_name->name_type)
if (union_name->mech_type)
}
/*
* do as the top comment says - since we are now owners of
* internal_name, we must clean it up
*/
if (internal_name)
return (major_status);
}
/*
* Glue routine for returning the mechanism-specific credential from a
* external union credential.
*/
{
int i;
return (GSS_C_NO_CREDENTIAL);
/*
* SUNW17PACresync
* Disable this block as it causes problems for gss_add_cred
* for HTTP SSO (and also probably causes STC gss.13 to fail too).
*/
#if 0
/* SPNEGO mechanism will again call into GSSAPI */
return ((gss_cred_id_t)union_cred);
#endif
for (i = 0; i < union_cred->count; i++) {
return (union_cred->cred_array[i]);
/* for SPNEGO, check the next-lower set of creds */
&union_cred->mechs_array[i])) {
if (sub_cred != GSS_C_NO_CREDENTIAL)
return (sub_cred);
}
}
return (GSS_C_NO_CREDENTIAL);
}
/*
* Routine to create and copy the gss_buffer_desc structure.
* Both space for the structure and the data is allocated.
*/
const gss_buffer_t srcBuf;
int addNullChar;
{
unsigned int len;
return (GSS_S_CALL_INACCESSIBLE_WRITE);
*destBuf = 0;
if (!aBuf)
return (GSS_S_FAILURE);
if (addNullChar)
else
return (GSS_S_FAILURE);
}
/* optionally add a NULL character */
if (addNullChar)
return (GSS_S_COMPLETE);
} /* ****** gssint_create_copy_buffer ****** */