From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. 
Signed-off-by: Daniel Baumann --- .../lib/gssapi/netlogon/accept_sec_context.c | 89 +++ .../heimdal/lib/gssapi/netlogon/acquire_cred.c | 186 ++++++ third_party/heimdal/lib/gssapi/netlogon/add_cred.c | 89 +++ .../lib/gssapi/netlogon/canonicalize_name.c | 46 ++ .../heimdal/lib/gssapi/netlogon/compare_name.c | 61 ++ .../heimdal/lib/gssapi/netlogon/context_time.c | 47 ++ third_party/heimdal/lib/gssapi/netlogon/crypto.c | 733 +++++++++++++++++++++ .../lib/gssapi/netlogon/delete_sec_context.c | 62 ++ .../heimdal/lib/gssapi/netlogon/display_name.c | 67 ++ .../heimdal/lib/gssapi/netlogon/display_status.c | 55 ++ .../heimdal/lib/gssapi/netlogon/duplicate_cred.c | 54 ++ .../heimdal/lib/gssapi/netlogon/duplicate_name.c | 77 +++ .../heimdal/lib/gssapi/netlogon/export_name.c | 45 ++ .../lib/gssapi/netlogon/export_sec_context.c | 50 ++ third_party/heimdal/lib/gssapi/netlogon/external.c | 111 ++++ .../heimdal/lib/gssapi/netlogon/import_name.c | 94 +++ .../lib/gssapi/netlogon/import_sec_context.c | 50 ++ .../heimdal/lib/gssapi/netlogon/indicate_mechs.c | 48 ++ .../heimdal/lib/gssapi/netlogon/init_sec_context.c | 289 ++++++++ .../heimdal/lib/gssapi/netlogon/inquire_context.c | 76 +++ .../heimdal/lib/gssapi/netlogon/inquire_cred.c | 68 ++ .../lib/gssapi/netlogon/inquire_cred_by_mech.c | 66 ++ .../lib/gssapi/netlogon/inquire_mechs_for_name.c | 48 ++ .../lib/gssapi/netlogon/inquire_names_for_mech.c | 58 ++ .../heimdal/lib/gssapi/netlogon/iter_cred.c | 44 ++ third_party/heimdal/lib/gssapi/netlogon/netlogon.h | 150 +++++ .../lib/gssapi/netlogon/process_context_token.c | 46 ++ third_party/heimdal/lib/gssapi/netlogon/regen.sh | 3 + .../heimdal/lib/gssapi/netlogon/release_cred.c | 54 ++ .../heimdal/lib/gssapi/netlogon/release_name.c | 54 ++ 30 files changed, 2920 insertions(+) create mode 100644 third_party/heimdal/lib/gssapi/netlogon/accept_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/acquire_cred.c create mode 100644 
third_party/heimdal/lib/gssapi/netlogon/add_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/canonicalize_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/compare_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/context_time.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/crypto.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/delete_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/display_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/display_status.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/duplicate_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/duplicate_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/export_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/export_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/external.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/import_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/import_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/indicate_mechs.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/init_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_cred_by_mech.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_mechs_for_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_names_for_mech.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/iter_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/netlogon.h create mode 100644 third_party/heimdal/lib/gssapi/netlogon/process_context_token.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/regen.sh create mode 100644 
third_party/heimdal/lib/gssapi/netlogon/release_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/release_name.c (limited to 'third_party/heimdal/lib/gssapi/netlogon')
diff --git a/third_party/heimdal/lib/gssapi/netlogon/accept_sec_context.c b/third_party/heimdal/lib/gssapi/netlogon/accept_sec_context.c
new file mode 100644
index 0000000..06ddfd5
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/accept_sec_context.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+/*
+ * Not implemented: this is needed only by domain controllers.
+ */
+
+OM_uint32
+_netlogon_accept_sec_context
+(OM_uint32 * minor_status,
+ gss_ctx_id_t * context_handle,
+ gss_const_cred_id_t acceptor_cred_handle,
+ const gss_buffer_t input_token_buffer,
+ const gss_channel_bindings_t input_chan_bindings,
+ gss_name_t * src_name,
+ gss_OID * mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec,
+ gss_cred_id_t * delegated_cred_handle
+ )
+{
+
+ output_token->value = NULL;
+ output_token->length = 0;
+
+ *minor_status = 0;
+
+ if (context_handle == NULL)
+ return GSS_S_FAILURE;
+
+ if (input_token_buffer == GSS_C_NO_BUFFER)
+ return GSS_S_FAILURE;
+
+ if (src_name)
+ *src_name = GSS_C_NO_NAME;
+ if (mech_type)
+ *mech_type = GSS_C_NO_OID;
+ if (ret_flags)
+ *ret_flags = 0;
+ if (time_rec)
+ *time_rec = 0;
+ if (delegated_cred_handle)
+ *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ } else {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ return GSS_S_UNAVAILABLE;
+}
diff --git a/third_party/heimdal/lib/gssapi/netlogon/acquire_cred.c b/third_party/heimdal/lib/gssapi/netlogon/acquire_cred.c
new file mode 100644
index 0000000..d790d08
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/acquire_cred.c
@@ -0,0 +1,186 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+#include
+
+OM_uint32
+_netlogon_acquire_cred(OM_uint32 * min_stat,
+ gss_const_name_t desired_name,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t * output_cred_handle,
+ gss_OID_set * actual_mechs,
+ OM_uint32 * time_rec)
+{
+ OM_uint32 ret;
+ gssnetlogon_cred cred;
+
+ /* only initiator support so far */
+ if (cred_usage != GSS_C_INITIATE)
+ return GSS_S_FAILURE;
+
+ if (desired_name == GSS_C_NO_NAME)
+ return GSS_S_BAD_NAME;
+
+ cred = (gssnetlogon_cred)calloc(1, sizeof(*cred));
+ if (cred == NULL) {
+ *min_stat = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ cred->SignatureAlgorithm = NL_SIGN_ALG_HMAC_MD5;
+ cred->SealAlgorithm = NL_SEAL_ALG_RC4;
+
+ ret = _netlogon_duplicate_name(min_stat, desired_name,
+ (gss_name_t *)&cred->Name);
+ if (GSS_ERROR(ret)) {
+ free(cred);
+ return ret;
+ }
+
+ *output_cred_handle = (gss_cred_id_t)cred;
+ if (actual_mechs != NULL)
+ *actual_mechs = GSS_C_NO_OID_SET;
+ if (time_rec != NULL)
+ *time_rec = GSS_C_INDEFINITE;
+
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_netlogon_acquire_cred_ex(gss_status_id_t status,
+ gss_const_name_t desired_name,
+ OM_uint32 flags,
+ OM_uint32 time_req,
+ gss_cred_usage_t cred_usage,
+ gss_auth_identity_t identity,
+ void *ctx,
+ void (*complete)(void *, OM_uint32, gss_status_id_t, gss_cred_id_t, OM_uint32))
+{
+ return GSS_S_UNAVAILABLE;
+}
+
+/*
+ * value contains 16 byte session key
+ */
+static OM_uint32
+_netlogon_set_session_key(OM_uint32 *minor_status,
+ gss_cred_id_t *cred_handle,
+ const gss_buffer_t value)
+{
+ gssnetlogon_cred cred;
+
+ if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ cred = (gssnetlogon_cred)*cred_handle;
+
+ if (value->length != sizeof(cred->SessionKey)) {
+ *minor_status = ERANGE;
+ return GSS_S_FAILURE;
+ }
+
+ memcpy(cred->SessionKey, value->value, value->length);
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+/*
+ * value contains 16 bit little endian encoded seal algorithm
+ */
+static OM_uint32
+_netlogon_set_sign_algorithm(OM_uint32 *minor_status,
+ gss_cred_id_t *cred_handle,
+ const gss_buffer_t value)
+{
+ gssnetlogon_cred cred;
+ uint16_t alg;
+ const uint8_t *p;
+
+ if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ cred = (gssnetlogon_cred)*cred_handle;
+
+ if (value->length != 2) {
+ *minor_status = ERANGE;
+ return GSS_S_FAILURE;
+ }
+
+ p = (const uint8_t *)value->value;
+ alg = (p[0] << 0) | (p[1] << 8);
+
+ if (alg != NL_SIGN_ALG_HMAC_MD5 && alg != NL_SIGN_ALG_SHA256) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ cred->SignatureAlgorithm = alg;
+ if (alg == NL_SIGN_ALG_SHA256)
+ cred->SealAlgorithm = NL_SEAL_ALG_AES128;
+ else
+ cred->SealAlgorithm = NL_SEAL_ALG_RC4;
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_netlogon_set_cred_option
+ (OM_uint32 *minor_status,
+ gss_cred_id_t *cred_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
+{
+ if (value == GSS_C_NO_BUFFER) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ if (gss_oid_equal(desired_object, GSS_NETLOGON_SET_SESSION_KEY_X))
+ return _netlogon_set_session_key(minor_status, cred_handle, value);
+ else if (gss_oid_equal(desired_object, GSS_NETLOGON_SET_SIGN_ALGORITHM_X))
+ return _netlogon_set_sign_algorithm(minor_status, cred_handle, value);
+
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+}
+
diff --git a/third_party/heimdal/lib/gssapi/netlogon/add_cred.c b/third_party/heimdal/lib/gssapi/netlogon/add_cred.c
new file mode 100644
index 0000000..0222303
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/add_cred.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_add_cred (
+ OM_uint32 *minor_status,
+ gss_const_cred_id_t input_cred_handle,
+ gss_const_name_t desired_name,
+ const gss_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ OM_uint32 initiator_time_req,
+ OM_uint32 acceptor_time_req,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *initiator_time_rec,
+ OM_uint32 *acceptor_time_rec)
+{
+ OM_uint32 ret;
+ int equal;
+ const gssnetlogon_cred src = (const gssnetlogon_cred)input_cred_handle;
+ gssnetlogon_cred dst;
+
+ if (desired_name != GSS_C_NO_NAME) {
+ if (input_cred_handle != GSS_C_NO_CREDENTIAL) {
+ ret = _netlogon_compare_name(minor_status, desired_name,
+ (gss_name_t)src->Name, &equal);
+ if (GSS_ERROR(ret))
+ return ret;
+
+ if (!equal)
+ return GSS_S_BAD_NAME;
+ }
+ }
+
+ ret = _netlogon_acquire_cred(minor_status,
+ input_cred_handle ? (gss_name_t)src->Name : desired_name,
+ initiator_time_req, GSS_C_NO_OID_SET, cred_usage,
+ output_cred_handle, actual_mechs, initiator_time_rec);
+ if (GSS_ERROR(ret))
+ return ret;
+
+ dst = (gssnetlogon_cred)*output_cred_handle;
+
+ if (src != NULL) {
+ dst->SignatureAlgorithm = src->SignatureAlgorithm;
+ dst->SealAlgorithm = src->SealAlgorithm;
+
+ memcpy(dst->SessionKey, src->SessionKey, sizeof(src->SessionKey));
+ }
+
+ if (acceptor_time_rec != NULL)
+ *acceptor_time_rec = 0;
+
+ return GSS_S_COMPLETE;
+}
+
diff --git a/third_party/heimdal/lib/gssapi/netlogon/canonicalize_name.c b/third_party/heimdal/lib/gssapi/netlogon/canonicalize_name.c
new file mode 100644
index 0000000..1e8087a
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/canonicalize_name.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_canonicalize_name (
+ OM_uint32 * minor_status,
+ gss_const_name_t input_name,
+ const gss_OID mech_type,
+ gss_name_t * output_name
+ )
+{
+ return _netlogon_duplicate_name(minor_status, input_name, output_name);
+}
diff --git a/third_party/heimdal/lib/gssapi/netlogon/compare_name.c b/third_party/heimdal/lib/gssapi/netlogon/compare_name.c
new file mode 100644
index 0000000..986c3b0
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/compare_name.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_compare_name
+ (OM_uint32 * minor_status,
+ gss_const_name_t name1,
+ gss_const_name_t name2,
+ int * name_equal
+ )
+{
+ const gssnetlogon_name n1 = (const gssnetlogon_name)name1;
+ const gssnetlogon_name n2 = (const gssnetlogon_name)name2;
+
+ *name_equal = 0;
+
+ if (n1->NetbiosName.value != NULL && n2->NetbiosName.value != NULL)
+ *name_equal = (strcasecmp((char *)n1->NetbiosName.value,
+ (char *)n2->NetbiosName.value) == 0);
+
+ if (n1->DnsName.value != NULL && n2->DnsName.value != NULL)
+ *name_equal = (strcasecmp((char *)n1->DnsName.value,
+ (char *)n2->DnsName.value) == 0);
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
diff --git a/third_party/heimdal/lib/gssapi/netlogon/context_time.c b/third_party/heimdal/lib/gssapi/netlogon/context_time.c
new file mode 100644
index 0000000..c7bf9eb
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/context_time.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_context_time
+ (OM_uint32 * minor_status,
+ gss_const_ctx_id_t context_handle,
+ OM_uint32 * time_rec
+ )
+{
+ if (time_rec != NULL)
+ *time_rec = GSS_C_INDEFINITE;
+ return GSS_S_COMPLETE;
+}
diff --git a/third_party/heimdal/lib/gssapi/netlogon/crypto.c b/third_party/heimdal/lib/gssapi/netlogon/crypto.c
new file mode 100644
index 0000000..6147eec
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/crypto.c
@@ -0,0 +1,733 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "netlogon.h" + +static uint8_t zeros[4]; + +static void +_netlogon_encode_sequence_number(uint64_t SequenceNumber, uint8_t *p, + int initiatorFlag) +{ + uint32_t LowPart, HighPart; + + LowPart = (SequenceNumber >> 0 ) & 0xFFFFFFFF; + HighPart = (SequenceNumber >> 32) & 0xFFFFFFFF; + + _gss_mg_encode_be_uint32(LowPart, &p[0]); + _gss_mg_encode_be_uint32(HighPart, &p[4]); + + if (initiatorFlag) + p[4] |= 0x80; +} + +static int +_netlogon_decode_sequence_number(void *ptr, uint64_t *n, + int initiatorFlag) +{ + uint8_t *p = ptr; + uint32_t LowPart, HighPart; + int gotInitiatorFlag; + + gotInitiatorFlag = (p[4] & 0x80) != 0; + if (gotInitiatorFlag != initiatorFlag) + return -1; + + p[4] &= 0x7F; /* clear initiator bit */ + + _gss_mg_decode_be_uint32(&p[0], &LowPart); + _gss_mg_decode_be_uint32(&p[4], &HighPart); + + *n = (LowPart << 0) | ((uint64_t)HighPart << 32); + + return 0; +} + +static inline size_t +_netlogon_checksum_length(NL_AUTH_SIGNATURE *sig) +{ +#if 0 + return (sig->SignatureAlgorithm == NL_SIGN_ALG_SHA256) ? 32 : 8; +#else + /* Owing to a bug in Windows it always uses the old value */ + return 8; +#endif +} + +static inline size_t +_netlogon_signature_length(uint16_t alg, int conf_req_flag) +{ + return NL_AUTH_SIGNATURE_COMMON_LENGTH + + (alg == NL_SIGN_ALG_SHA256 ? 32 : 8) + + (conf_req_flag ? 
8 : 0); +} + +static inline uint8_t * +_netlogon_confounder(NL_AUTH_SIGNATURE *sig) +{ + size_t cksumlen = _netlogon_checksum_length(sig); + + return &sig->Checksum[cksumlen]; +} + +static int +_netlogon_encode_NL_AUTH_SIGNATURE(NL_AUTH_SIGNATURE *sig, + uint8_t *p, size_t len) +{ + *p++ = (sig->SignatureAlgorithm >> 0) & 0xFF; + *p++ = (sig->SignatureAlgorithm >> 8) & 0xFF; + *p++ = (sig->SealAlgorithm >> 0) & 0xFF; + *p++ = (sig->SealAlgorithm >> 8) & 0xFF; + *p++ = (sig->Pad >> 0) & 0xFF; + *p++ = (sig->Pad >> 8) & 0xFF; + *p++ = (sig->Flags >> 0) & 0xFF; + *p++ = (sig->Flags >> 8) & 0xFF; + + if (len > NL_AUTH_SIGNATURE_HEADER_LENGTH) { + memcpy(p, sig->SequenceNumber, 8); + p += 8; + } + + if (len > NL_AUTH_SIGNATURE_COMMON_LENGTH) { + size_t cksumlen = _netlogon_checksum_length(sig); + + memcpy(p, sig->Checksum, cksumlen); + p += cksumlen; + + /* Confounder, if present, is immediately after checksum */ + if (sig->SealAlgorithm != NL_SEAL_ALG_NONE) { + memcpy(p, &sig->Checksum[cksumlen], 8); + } + } + + return 0; +} + +static int +_netlogon_decode_NL_AUTH_SIGNATURE(const uint8_t *ptr, + size_t len, + NL_AUTH_SIGNATURE *sig) +{ + const uint8_t *p = ptr; + size_t cksumlen; + + if (len < NL_AUTH_SIGNATURE_COMMON_LENGTH) + return KRB5_BAD_MSIZE; + + sig->SignatureAlgorithm = (p[0] << 0) | (p[1] << 8); + sig->SealAlgorithm = (p[2] << 0) | (p[3] << 8); + sig->Pad = (p[4] << 0) | (p[5] << 8); + sig->Flags = (p[6] << 0) | (p[7] << 8); + p += 8; + + memcpy(sig->SequenceNumber, p, 8); + p += 8; + + /* Validate signature algorithm is known and matches enctype */ + switch (sig->SignatureAlgorithm) { + case NL_SIGN_ALG_HMAC_MD5: + cksumlen = NL_AUTH_SIGNATURE_LENGTH; + break; + case NL_SIGN_ALG_SHA256: + cksumlen = NL_AUTH_SHA2_SIGNATURE_LENGTH; + break; + default: + return EINVAL; + break; + } + + if (sig->SealAlgorithm == NL_SEAL_ALG_NONE) + cksumlen -= 8; /* confounder is optional if no sealing */ + + if (len < cksumlen) + return KRB5_BAD_MSIZE; + + /* Copy variable 
length checksum */
+ cksumlen = _netlogon_checksum_length(sig);
+ memcpy(sig->Checksum, p, cksumlen);
+ p += cksumlen;
+
+ /* Copy confounder in past checksum */
+ if (sig->SealAlgorithm != NL_SEAL_ALG_NONE)
+ memcpy(&sig->Checksum[cksumlen], p, 8);
+
+ return 0;
+}
+
+static void
+_netlogon_derive_rc4_hmac_key(uint8_t key[16],
+ uint8_t *salt,
+ size_t saltLength,
+ EVP_CIPHER_CTX *rc4Key,
+ int enc)
+{
+ uint8_t tmpData[MD5_DIGEST_LENGTH];
+ uint8_t derivedKey[MD5_DIGEST_LENGTH];
+ unsigned int len = MD5_DIGEST_LENGTH;
+
+ HMAC(EVP_md5(), key, 16, zeros, sizeof(zeros), tmpData, &len);
+ HMAC(EVP_md5(), tmpData, MD5_DIGEST_LENGTH,
+ salt, saltLength, derivedKey, &len);
+
+ assert(len == MD5_DIGEST_LENGTH);
+
+ EVP_CipherInit_ex(rc4Key, EVP_rc4(), NULL, derivedKey, NULL, enc);
+
+ memset(derivedKey, 0, sizeof(derivedKey));
+}
+
+static void
+_netlogon_derive_rc4_seal_key(gssnetlogon_ctx ctx,
+ NL_AUTH_SIGNATURE *sig,
+ EVP_CIPHER_CTX *sealkey,
+ int enc)
+{
+ uint8_t xorKey[16];
+ int i;
+
+ for (i = 0; i < sizeof(xorKey); i++) {
+ xorKey[i] = ctx->SessionKey[i] ^ 0xF0;
+ }
+
+ _netlogon_derive_rc4_hmac_key(xorKey,
+ sig->SequenceNumber, sizeof(sig->SequenceNumber), sealkey, enc);
+
+ memset(xorKey, 0, sizeof(xorKey));
+}
+
+static void
+_netlogon_derive_rc4_seq_key(gssnetlogon_ctx ctx,
+ NL_AUTH_SIGNATURE *sig,
+ EVP_CIPHER_CTX *seqkey,
+ int enc)
+{
+ _netlogon_derive_rc4_hmac_key(ctx->SessionKey,
+ sig->Checksum, sizeof(sig->Checksum), seqkey, enc);
+}
+
+static void
+_netlogon_derive_aes_seal_key(gssnetlogon_ctx ctx,
+ NL_AUTH_SIGNATURE *sig,
+ EVP_CIPHER_CTX *sealkey,
+ int enc)
+{
+ uint8_t encryptionKey[16];
+ uint8_t ivec[16];
+ int i;
+
+ for (i = 0; i < sizeof(encryptionKey); i++) {
+ encryptionKey[i] = ctx->SessionKey[i] ^ 0xF0;
+ }
+
+ memcpy(&ivec[0], sig->SequenceNumber, 8);
+ memcpy(&ivec[8], sig->SequenceNumber, 8);
+
+ EVP_CipherInit_ex(sealkey, EVP_aes_128_cfb8(),
+ NULL, encryptionKey, ivec, enc);
+
+ memset(encryptionKey, 0, sizeof(encryptionKey));
+}
+
+static void
+_netlogon_derive_aes_seq_key(gssnetlogon_ctx ctx,
+ NL_AUTH_SIGNATURE *sig,
+ EVP_CIPHER_CTX *seqkey,
+ int enc)
+{
+ uint8_t ivec[16];
+
+ memcpy(&ivec[0], sig->Checksum, 8);
+ memcpy(&ivec[8], sig->Checksum, 8);
+
+ EVP_CipherInit_ex(seqkey, EVP_aes_128_cfb8(),
+ NULL, ctx->SessionKey, ivec, enc);
+}
+
+static void
+_netlogon_seal(gssnetlogon_ctx ctx,
+ NL_AUTH_SIGNATURE *sig,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ int enc)
+{
+ EVP_CIPHER_CTX sealkey;
+ int i;
+ uint8_t *confounder = _netlogon_confounder(sig);
+
+ EVP_CIPHER_CTX_init(&sealkey);
+
+ if (sig->SealAlgorithm == NL_SEAL_ALG_AES128)
+ _netlogon_derive_aes_seal_key(ctx, sig, &sealkey, enc);
+ else
+ _netlogon_derive_rc4_seal_key(ctx, sig, &sealkey, enc);
+
+ EVP_Cipher(&sealkey, confounder, confounder, 8);
+
+ /*
+ * For RC4, Windows resets the cipherstate after encrypting
+ * the confounder, thus defeating the purpose of the confounder
+ */
+ if (sig->SealAlgorithm == NL_SEAL_ALG_RC4) {
+ EVP_CipherFinal_ex(&sealkey, NULL, &i);
+ _netlogon_derive_rc4_seal_key(ctx, sig, &sealkey, enc);
+ }
+
+ for (i = 0; i < iov_count; i++) {
+ gss_iov_buffer_t iovp = &iov[i];
+
+ switch (GSS_IOV_BUFFER_TYPE(iovp->type)) {
+ case GSS_IOV_BUFFER_TYPE_DATA:
+ case GSS_IOV_BUFFER_TYPE_PADDING:
+ EVP_Cipher(&sealkey, iovp->buffer.value, iovp->buffer.value,
+ iovp->buffer.length);
+ break;
+ default:
+ break;
+ }
+ }
+
+ EVP_CipherFinal_ex(&sealkey, NULL, &i);
+ EVP_CIPHER_CTX_cleanup(&sealkey);
+}
+
+static void
+_netlogon_seq(gssnetlogon_ctx ctx,
+ NL_AUTH_SIGNATURE *sig,
+ int enc)
+{
+ EVP_CIPHER_CTX seqkey;
+
+ EVP_CIPHER_CTX_init(&seqkey);
+
+ if (sig->SignatureAlgorithm == NL_SIGN_ALG_SHA256)
+ _netlogon_derive_aes_seq_key(ctx, sig, &seqkey, enc);
+ else
+ _netlogon_derive_rc4_seq_key(ctx, sig, &seqkey, enc);
+
+ EVP_Cipher(&seqkey, sig->SequenceNumber, sig->SequenceNumber, 8);
+
+ EVP_CIPHER_CTX_cleanup(&seqkey);
+}
+
+static void
+_netlogon_digest_md5(gssnetlogon_ctx ctx,
+ NL_AUTH_SIGNATURE *sig,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ uint8_t *md)
+{
+ EVP_MD_CTX *md5;
+ uint8_t header[NL_AUTH_SIGNATURE_HEADER_LENGTH];
+ uint8_t digest[MD5_DIGEST_LENGTH];
+ unsigned int md_len = MD5_DIGEST_LENGTH;
+ int i;
+
+ _netlogon_encode_NL_AUTH_SIGNATURE(sig, header, sizeof(header));
+
+ md5 = EVP_MD_CTX_create();
+ EVP_DigestInit_ex(md5, EVP_md5(), NULL);
+ EVP_DigestUpdate(md5, zeros, sizeof(zeros));
+ EVP_DigestUpdate(md5, header, sizeof(header));
+
+ if (sig->SealAlgorithm != NL_SEAL_ALG_NONE) {
+ EVP_DigestUpdate(md5, sig->Confounder, sizeof(sig->Confounder));
+ }
+
+ for (i = 0; i < iov_count; i++) {
+ gss_iov_buffer_t iovp = &iov[i];
+
+ switch (GSS_IOV_BUFFER_TYPE(iovp->type)) {
+ case GSS_IOV_BUFFER_TYPE_DATA:
+ case GSS_IOV_BUFFER_TYPE_PADDING:
+ case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
+ EVP_DigestUpdate(md5, iovp->buffer.value, iovp->buffer.length);
+ break;
+ default:
+ break;
+ }
+ }
+
+ EVP_DigestFinal_ex(md5, digest, NULL);
+ EVP_MD_CTX_destroy(md5);
+
+ HMAC(EVP_md5(), ctx->SessionKey, sizeof(ctx->SessionKey),
+ digest, sizeof(digest), digest, &md_len);
+ memcpy(md, digest, 8);
+}
+
+static void
+_netlogon_digest_sha256(gssnetlogon_ctx ctx,
+ NL_AUTH_SIGNATURE *sig,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ uint8_t *md)
+{
+ HMAC_CTX hmac;
+ uint8_t header[NL_AUTH_SIGNATURE_HEADER_LENGTH];
+ uint8_t digest[SHA256_DIGEST_LENGTH];
+ unsigned int md_len = SHA256_DIGEST_LENGTH;
+ int i;
+
+ /* Encode first 8 bytes of signature into header */
+ _netlogon_encode_NL_AUTH_SIGNATURE(sig, header, sizeof(header));
+
+ HMAC_CTX_init(&hmac);
+ HMAC_Init_ex(&hmac, ctx->SessionKey, sizeof(ctx->SessionKey),
+ EVP_sha256(), NULL);
+ HMAC_Update(&hmac, header, sizeof(header));
+
+ if (sig->SealAlgorithm != NL_SEAL_ALG_NONE) {
+ /*
+ * If the checksum length bug is ever fixed, then be sure to
+ * update this code to point to &sig->Checksum[32] as that is
+ * where the confounder is supposed to be.
+ */
+ HMAC_Update(&hmac, sig->Confounder, 8);
+ }
+
+ for (i = 0; i < iov_count; i++) {
+ gss_iov_buffer_t iovp = &iov[i];
+
+ switch (GSS_IOV_BUFFER_TYPE(iovp->type)) {
+ case GSS_IOV_BUFFER_TYPE_DATA:
+ case GSS_IOV_BUFFER_TYPE_PADDING:
+ case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
+ HMAC_Update(&hmac, iovp->buffer.value, iovp->buffer.length);
+ break;
+ default:
+ break;
+ }
+ }
+
+ HMAC_Final(&hmac, digest, &md_len);
+ HMAC_CTX_cleanup(&hmac);
+ memcpy(md, digest, 8);
+}
+
+static void
+_netlogon_digest(gssnetlogon_ctx ctx,
+ NL_AUTH_SIGNATURE *sig,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ uint8_t *md)
+{
+ if (sig->SignatureAlgorithm == NL_SIGN_ALG_SHA256)
+ _netlogon_digest_sha256(ctx, sig, iov, iov_count, md);
+ else
+ _netlogon_digest_md5(ctx, sig, iov, iov_count, md);
+}
+
+OM_uint32
+_netlogon_wrap_iov(OM_uint32 * minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 ret;
+ gss_iov_buffer_t header;
+ NL_AUTH_SIGNATURE_U sigbuf = { { 0 } };
+ NL_AUTH_SIGNATURE *sig = NL_AUTH_SIGNATURE_P(&sigbuf);
+ gssnetlogon_ctx ctx = (gssnetlogon_ctx)context_handle;
+ size_t size;
+ uint8_t *seqdata;
+
+ if (ctx->State != NL_AUTH_ESTABLISHED) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ header = _gss_mg_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ if (header == NULL) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ size = _netlogon_signature_length(ctx->SignatureAlgorithm, conf_req_flag);
+
+ if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
+ ret = _gss_mg_allocate_buffer(minor_status, header, size);
+ if (GSS_ERROR(ret))
+ return ret;
+ } else if (header->buffer.length < size) {
+ *minor_status = KRB5_BAD_MSIZE;
+ return GSS_S_FAILURE;
+ } else {
+ header->buffer.length = size;
+ }
+
+ memset(header->buffer.value, 0, header->buffer.length);
+
+ sig->SignatureAlgorithm = ctx->SignatureAlgorithm;
+ sig->SealAlgorithm = conf_req_flag ? ctx->SealAlgorithm : NL_SEAL_ALG_NONE;
+
+ if (conf_req_flag)
+ krb5_generate_random_block(_netlogon_confounder(sig), 8);
+
+ sig->Pad = 0xFFFF; /* [MS-NRPC] 3.3.4.2.1.3 */
+ sig->Flags = 0; /* [MS-NRPC] 3.3.4.2.1.4 */
+ HEIMDAL_MUTEX_lock(&ctx->Mutex);
+ _netlogon_encode_sequence_number(ctx->SequenceNumber, sig->SequenceNumber,
+ ctx->LocallyInitiated);
+ ctx->SequenceNumber++;
+ HEIMDAL_MUTEX_unlock(&ctx->Mutex);
+
+ /* [MS-NRPC] 3.3.4.2.1.7: sign header, optional confounder and data */
+ _netlogon_digest(ctx, sig, iov, iov_count, sig->Checksum);
+
+ /* [MS-NRPC] 3.3.4.2.1.8: optionally encrypt confounder and data */
+ if (conf_req_flag)
+ _netlogon_seal(ctx, sig, iov, iov_count, 1);
+
+ /* [MS-NRPC] 3.3.4.2.1.9: encrypt sequence number */
+ _netlogon_seq(ctx, sig, 1);
+
+ _netlogon_encode_NL_AUTH_SIGNATURE(sig, header->buffer.value,
+ header->buffer.length);
+
+ if (conf_state != NULL)
+ *conf_state = conf_req_flag;
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_netlogon_unwrap_iov(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 ret;
+ gss_iov_buffer_t header;
+ NL_AUTH_SIGNATURE_U sigbuf;
+ NL_AUTH_SIGNATURE *sig = NL_AUTH_SIGNATURE_P(&sigbuf);
+ gssnetlogon_ctx ctx = (gssnetlogon_ctx)context_handle;
+ uint8_t checksum[SHA256_DIGEST_LENGTH];
+ uint64_t SequenceNumber;
+
+ if (ctx->State != NL_AUTH_ESTABLISHED) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ header = _gss_mg_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ if (header == NULL) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ ret = _netlogon_decode_NL_AUTH_SIGNATURE(header->buffer.value,
+ header->buffer.length,
+ sig);
+ if (ret != 0) {
+ *minor_status = ret;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ /* [MS-NRPC] 3.3.4.2.2.1: verify signature algorithm selection */
+ if (sig->SignatureAlgorithm != ctx->SignatureAlgorithm)
+ return GSS_S_BAD_SIG;
+
+ /* [MS-NRPC] 3.3.4.2.2.2: verify encryption algorithm selection */
+ if (sig->SealAlgorithm != NL_SEAL_ALG_NONE &&
+ sig->SealAlgorithm != ctx->SealAlgorithm)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ /* [MS-NRPC] 3.3.4.2.2.3: verify Pad bytes */
+ if (sig->Pad != 0xFFFF)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ /* [MS-NRPC] 3.3.4.2.2.5: decrypt sequence number */
+ _netlogon_seq(ctx, sig, 0);
+
+ /* [MS-NRPC] 3.3.4.2.2.6: decode sequence number */
+ if (_netlogon_decode_sequence_number(sig->SequenceNumber, &SequenceNumber,
+ !ctx->LocallyInitiated) != 0)
+ return GSS_S_UNSEQ_TOKEN;
+
+ /* [MS-NRPC] 3.3.4.2.2.9: decrypt confounder and data */
+ if (sig->SealAlgorithm != NL_SEAL_ALG_NONE)
+ _netlogon_seal(ctx, sig, iov, iov_count, 0);
+
+ /* [MS-NRPC] 3.3.4.2.2.10: verify signature */
+ _netlogon_digest(ctx, sig, iov, iov_count, checksum);
+ if (ct_memcmp(sig->Checksum, checksum, _netlogon_checksum_length(sig)) != 0)
+ return GSS_S_BAD_SIG;
+
+ HEIMDAL_MUTEX_lock(&ctx->Mutex);
+ if (SequenceNumber != ctx->SequenceNumber) {
+ /* [MS-NRPC] 3.3.4.2.2.7: check sequence number */
+ ret = GSS_S_UNSEQ_TOKEN;
+ } else {
+ /* [MS-NRPC] 3.3.4.2.2.8: increment sequence number */
+ ctx->SequenceNumber++;
+ ret = GSS_S_COMPLETE;
+ }
+ HEIMDAL_MUTEX_unlock(&ctx->Mutex);
+
+ if (conf_state != NULL)
+ *conf_state = (sig->SealAlgorithm != NL_SEAL_ALG_NONE);
+ if (qop_state != NULL)
+ *qop_state = GSS_C_QOP_DEFAULT;
+
+ *minor_status = 0;
+ return ret;
+}
+
+OM_uint32
+_netlogon_wrap_iov_length(OM_uint32 * minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 ret;
+ gss_iov_buffer_t iovp;
+ gssnetlogon_ctx ctx = (gssnetlogon_ctx)context_handle;
+ size_t len;
+
+ iovp = _gss_mg_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ if (iovp == NULL) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ len = NL_AUTH_SIGNATURE_COMMON_LENGTH;
+ if (ctx->SignatureAlgorithm == NL_SIGN_ALG_SHA256)
+ len += 32; /* SHA2 checksum size */
+ else
+ len += 8; /* HMAC checksum size */
+ if (conf_req_flag)
+ len += 8; /* counfounder */
+
+ iovp->buffer.length = len;
+
+ iovp = _gss_mg_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
+ if (iovp != NULL)
+ iovp->buffer.length = 0;
+
+ iovp = _gss_mg_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
+ if (iovp != NULL)
+ iovp->buffer.length = 0;
+
+ if (conf_state != NULL)
+ *conf_state = conf_req_flag;
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32 _netlogon_get_mic
+ (OM_uint32 * minor_status,
+ gss_const_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ const gss_buffer_t message_buffer,
+ gss_buffer_t message_token
+ )
+{
+ gss_iov_buffer_desc iov[2];
+ OM_uint32 ret;
+
+ iov[0].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[0].buffer = *message_buffer;
+ iov[1].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
+ iov[1].buffer.length = 0;
+ iov[1].buffer.value = NULL;
+
+ ret = _netlogon_wrap_iov(minor_status, context_handle, 0,
+ qop_req, NULL, iov, 2);
+ if (ret == GSS_S_COMPLETE)
+ *message_token = iov[1].buffer;
+
+ return ret;
+}
+
+OM_uint32
+_netlogon_verify_mic
+ (OM_uint32 * minor_status,
+ gss_const_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t * qop_state
+ )
+{
+ gss_iov_buffer_desc iov[2];
+
+ iov[0].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[0].buffer = *message_buffer;
+ iov[1].type = GSS_IOV_BUFFER_TYPE_HEADER;
+ iov[1].buffer = *token_buffer;
+
+ return _netlogon_unwrap_iov(minor_status, context_handle,
+ NULL, qop_state, iov, 2);
+}
+
+OM_uint32
+_netlogon_wrap_size_limit (
+ OM_uint32 * minor_status,
+ gss_const_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_output_size,
+ OM_uint32 *max_input_size
+ )
+{
+ gss_iov_buffer_desc iov[1];
+ OM_uint32 ret;
+
+ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+ iov[0].buffer.length = 0;
+
+ ret = _netlogon_wrap_iov_length(minor_status, context_handle,
+ conf_req_flag, qop_req, NULL,
+ iov, sizeof(iov)/sizeof(iov[0]));
+ if (GSS_ERROR(ret))
+ return ret;
+
+ if (req_output_size < iov[0].buffer.length)
+ *max_input_size = 0;
+ else
+ *max_input_size = req_output_size - iov[0].buffer.length;
+
+ return GSS_S_COMPLETE;
+}
+
diff --git a/third_party/heimdal/lib/gssapi/netlogon/delete_sec_context.c b/third_party/heimdal/lib/gssapi/netlogon/delete_sec_context.c
new file mode 100644
index 0000000..8710416
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/delete_sec_context.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32
+_netlogon_delete_sec_context(OM_uint32 * minor_status,
+ gss_ctx_id_t * context_handle,
+ gss_buffer_t output_token)
+{
+ if (context_handle != NULL && *context_handle != GSS_C_NO_CONTEXT) {
+ gssnetlogon_ctx ctx = (gssnetlogon_ctx)*context_handle;
+
+ *context_handle = GSS_C_NO_CONTEXT;
+
+ _netlogon_release_name(minor_status, (gss_name_t *)&ctx->SourceName);
+ _netlogon_release_name(minor_status, (gss_name_t *)&ctx->TargetName);
+ HEIMDAL_MUTEX_destroy(&ctx->Mutex);
+ memset(ctx, 0, sizeof(*ctx));
+ free(ctx);
+ }
+
+ if (output_token != GSS_C_NO_BUFFER) {
+ output_token->length = 0;
+ output_token->value = NULL;
+ }
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
diff --git a/third_party/heimdal/lib/gssapi/netlogon/display_name.c b/third_party/heimdal/lib/gssapi/netlogon/display_name.c
new file mode 100644
index 0000000..7b0e223
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/display_name.c
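Review bot: `memset(ctx, 0, sizeof(*ctx));` immediately followed by `free(ctx);` is a dead store that the optimizer is allowed to drop, so the context's SessionKey (used by the key-derivation helpers in crypto.c earlier in this patch) is not reliably wiped from memory. A non-elidable clear such as `memset_s(ctx, sizeof(*ctx), 0, sizeof(*ctx));` (roken in this tree should provide it) closes that gap; the plain `memset` of derivedKey, xorKey and encryptionKey in crypto.c's `_netlogon_derive_*_key` helpers has the same weakness. The two `_netlogon_release_name` results are discarded and `*minor_status` is then forced to 0, which is reasonable on a delete path but deserves a one-line comment saying the release errors are intentionally ignored.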
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_display_name
+ (OM_uint32 * minor_status,
+ gss_const_name_t input_name,
+ gss_buffer_t output_name_buffer,
+ gss_OID * output_name_type
+ )
+{
+ const gssnetlogon_name name = (const gssnetlogon_name)input_name;
+ gss_buffer_t namebuf;
+
+ if (output_name_type != NULL)
+ *output_name_type = GSS_C_NO_OID;
+
+ if (output_name_buffer != NULL) {
+ namebuf = name->DnsName.length ? &name->DnsName : &name->NetbiosName;
+
+ output_name_buffer->value = malloc(namebuf->length + 1);
+ if (output_name_buffer->value == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ memcpy(output_name_buffer->value, namebuf->value, namebuf->length);
+ ((char *)output_name_buffer->value)[namebuf->length] = '\0';
+ output_name_buffer->length = namebuf->length;
+ }
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
diff --git a/third_party/heimdal/lib/gssapi/netlogon/display_status.c b/third_party/heimdal/lib/gssapi/netlogon/display_status.c
new file mode 100644
index 0000000..68946e5
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/display_status.c
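Review bot: `*output_name_type = GSS_C_NO_OID;` reports no name type even though this mechanism only imports GSS_NETLOGON_NT_NETBIOS_DNS_NAME (see import_name.c later in this patch), so a caller cannot round-trip the displayed name; `*output_name_type = GSS_NETLOGON_NT_NETBIOS_DNS_NAME;` would be the informative value. The function also dereferences `name` without a GSS_C_NO_NAME check; whether the mechglue guarantees a non-null handle here is not visible in this hunk. The ternary on `DnsName.length` is the only hint of the selection rule, so a comment such as `/* Prefer the DNS name; fall back to the NetBIOS name when none was imported */` would help the next reader.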
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_display_status
+ (OM_uint32 *minor_status,
+ OM_uint32 status_value,
+ int status_type,
+ const gss_OID mech_type,
+ OM_uint32 *message_context,
+ gss_buffer_t status_string)
+{
+ if (minor_status)
+ *minor_status = 0;
+ if (status_string) {
+ status_string->length = 0;
+ status_string->value = NULL;
+ }
+ if (message_context)
+ *message_context = 0;
+ return GSS_S_COMPLETE;
+}
diff --git a/third_party/heimdal/lib/gssapi/netlogon/duplicate_cred.c b/third_party/heimdal/lib/gssapi/netlogon/duplicate_cred.c
new file mode 100644
index 0000000..0271fb2
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/duplicate_cred.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2010-2018 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32
+_netlogon_duplicate_cred(OM_uint32 *minor_status,
+ gss_const_cred_id_t input_cred_handle,
+ gss_cred_id_t *output_cred_handle)
+{
+ gssnetlogon_const_cred src = (gssnetlogon_const_cred)input_cred_handle;
+ gssnetlogon_cred dst;
+
+ dst = calloc(1, sizeof(*dst));
+ if (dst == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ *dst = *src;
+ return _netlogon_duplicate_name(minor_status, (gss_name_t)&src->Name, &dst->Name)
+}
diff --git a/third_party/heimdal/lib/gssapi/netlogon/duplicate_name.c b/third_party/heimdal/lib/gssapi/netlogon/duplicate_name.c
new file mode 100644
index 0000000..1365e76
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/duplicate_name.c
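Review bot: The final `return _netlogon_duplicate_name(...)` has no terminating semicolon, `*output_cred_handle` is never assigned, and `dst` leaks when the name copy fails, so as written the function neither compiles nor hands a credential back to the caller. It appears to be dead code — external.c in this patch leaves the gm_duplicate_cred slot NULL — which is presumably why the build does not notice; either wire it up after fixing it or drop the file. Whether `&dst->Name` is the correct destination for a `gss_name_t *` depends on how Name is declared in netlogon.h, which is not visible here; the rewrite below keeps the existing casts and only fixes the control flow.
```c
    gssnetlogon_cred dst;
    OM_uint32 ret;

    /* … unchanged: calloc of dst and ENOMEM check … */

    *dst = *src;
    ret = _netlogon_duplicate_name(minor_status, (gss_name_t)&src->Name,
                                   (gss_name_t *)&dst->Name);
    if (GSS_ERROR(ret)) {
        free(dst);
        return ret;
    }
    *output_cred_handle = (gss_cred_id_t)dst;
    return GSS_S_COMPLETE;
```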
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_duplicate_name (
+ OM_uint32 * minor_status,
+ gss_const_name_t src_name,
+ gss_name_t * dest_name
+ )
+{
+ const gssnetlogon_name src = (const gssnetlogon_name)src_name;
+ gssnetlogon_name dst = NULL;
+
+ dst = calloc(1, sizeof(*dst));
+ if (dst == NULL)
+ goto fail;
+
+ dst->NetbiosName.value = malloc(src->NetbiosName.length + 1);
+ if (dst->NetbiosName.value == NULL)
+ goto fail;
+ memcpy(dst->NetbiosName.value, src->NetbiosName.value,
+ src->NetbiosName.length);
+ dst->NetbiosName.length = src->NetbiosName.length;
+ ((char *)dst->NetbiosName.value)[dst->NetbiosName.length] = '\0';
+
+ if (src->DnsName.length != 0) {
+ dst->DnsName.value = malloc(src->DnsName.length + 1);
+ if (dst->DnsName.value == NULL)
+ goto fail;
+ memcpy(dst->DnsName.value, src->DnsName.value, src->DnsName.length);
+ dst->DnsName.length = src->DnsName.length;
+ ((char *)dst->DnsName.value)[dst->DnsName.length] = '\0';
+ }
+
+ *minor_status = 0;
+ *dest_name = (gss_name_t)dst;
+ return GSS_S_COMPLETE;
+
+fail:
+ _netlogon_release_name(minor_status, (gss_name_t *)&dst);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+}
+
diff --git a/third_party/heimdal/lib/gssapi/netlogon/export_name.c b/third_party/heimdal/lib/gssapi/netlogon/export_name.c
new file mode 100644
index 0000000..9984f8b
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/export_name.c
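Review bot: When `calloc` fails the code jumps to `fail:` and calls `_netlogon_release_name` with `dst` still NULL, which is only safe if release_name tolerates GSS_C_NO_NAME — release_name.c is part of this patch but not visible in this hunk. Returning directly, `if (dst == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; }`, removes that dependency and keeps `fail:` for the partially-built name only. `src_name` is dereferenced without a GSS_C_NO_NAME check, as in display_name.c; if the mechglue guarantees a non-null handle, a comment stating so on the cast line would save the next reader the same question.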
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_export_name
+ (OM_uint32 * minor_status,
+ gss_const_name_t input_name,
+ gss_buffer_t exported_name
+ )
+{
+ return GSS_S_UNAVAILABLE;
+}
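Review bot: `*minor_status` is left unset on the GSS_S_UNAVAILABLE return and `exported_name` is not initialised, so a caller that logs the minor code or releases the buffer on failure reads indeterminate values. Set `*minor_status = 0;` and clear `exported_name->length = 0; exported_name->value = NULL;` before returning, mirroring what export_sec_context.c does for its interprocess token. export_sec_context.c later in this patch has the same missing `*minor_status` assignment.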
diff --git a/third_party/heimdal/lib/gssapi/netlogon/export_sec_context.c b/third_party/heimdal/lib/gssapi/netlogon/export_sec_context.c
new file mode 100644
index 0000000..7e410aa
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/export_sec_context.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32
+_netlogon_export_sec_context (
+ OM_uint32 * minor_status,
+ gss_ctx_id_t * context_handle,
+ gss_buffer_t interprocess_token
+ )
+{
+ if (interprocess_token != GSS_C_NO_BUFFER) {
+ interprocess_token->length = 0;
+ interprocess_token->value = NULL;
+ }
+ return GSS_S_UNAVAILABLE;
+}
diff --git a/third_party/heimdal/lib/gssapi/netlogon/external.c b/third_party/heimdal/lib/gssapi/netlogon/external.c
new file mode 100644
index 0000000..14f471e
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/external.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 2010-2018 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+static gssapi_mech_interface_desc netlogon_mech = {
+ GMI_VERSION,
+ "netlogon",
+ {6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02") },
+ 0,
+ _netlogon_acquire_cred,
+ _netlogon_release_cred,
+ _netlogon_init_sec_context,
+ _netlogon_accept_sec_context,
+ _netlogon_process_context_token,
+ _netlogon_delete_sec_context,
+ _netlogon_context_time,
+ _netlogon_get_mic,
+ _netlogon_verify_mic,
+ NULL,
+ NULL,
+ _netlogon_display_status,
+ NULL,
+ _netlogon_compare_name,
+ _netlogon_display_name,
+ _netlogon_import_name,
+ _netlogon_export_name,
+ _netlogon_release_name,
+ _netlogon_inquire_cred,
+ _netlogon_inquire_context,
+ _netlogon_wrap_size_limit,
+ _netlogon_add_cred,
+ _netlogon_inquire_cred_by_mech,
+ _netlogon_export_sec_context,
+ _netlogon_import_sec_context,
+ _netlogon_inquire_names_for_mech,
+ _netlogon_inquire_mechs_for_name,
+ _netlogon_canonicalize_name,
+ _netlogon_duplicate_name,
+ NULL,
+ NULL,
+ NULL,
+ _netlogon_set_cred_option,
+ NULL,
+ _netlogon_wrap_iov,
+ _netlogon_unwrap_iov,
+ _netlogon_wrap_iov_length,
+ NULL, /* gm_store_cred */
+ NULL, /* gm_export_cred */
+ NULL, /* gm_import_cred */
+ NULL, /* gm_acquire_cred_from */
+ NULL, /* gm_acquire_cred_impersonate_name */
+ NULL, /* gm_iter_creds */
+ NULL, /* gm_destroy_cred */
+ NULL, /* gm_cred_hold */
+ NULL, /* gm_cred_unhold */
+ NULL, /* gm_cred_label_get */
+ NULL, /* gm_cred_label_set */
+ NULL, /* gm_mo */
+ 0, /* gm_mo_num */
+ NULL, /* gm_localname */
+ NULL, /* gm_authorize_localname */
+ NULL, /* gm_display_name_ext */
+ NULL, /* gm_inquire_name */
+ NULL, /* gm_get_name_attribute */
+ NULL, /* gm_set_name_attribute */
+ NULL, /* gm_delete_name_attribute */
+ NULL, /* gm_export_name_composite */
+ NULL, /* gm_duplicate_cred */
+ NULL, /* gm_add_cred_from */
+ NULL, /* gm_store_cred_into */
+ NULL /* gm_compat */
+};
+
+gssapi_mech_interface
+__gss_netlogon_initialize(void)
+{
+ return &netlogon_mech;
+}
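Review bot: The leading entries of `netlogon_mech` are positional and their NULL slots carry no name, while the tail labels every slot (`NULL, /* gm_store_cred */` ...), so a reader cannot tell which operations are deliberately unimplemented without counting fields against the mechglue struct; labelling the six bare `NULL`s the same way (or switching the whole initializer to designated `.gm_...` form) would make the table auditable. In particular the slot commented `/* gm_duplicate_cred */` is NULL even though duplicate_cred.c is added by this same patch, so that file is dead code and, as it currently lacks a semicolon, would fail to compile if it were ever wired in. The mechanism OID is given as a raw byte string; a comment with its dotted form next to `rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02")` would help whoever next has to match it against a registry.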
diff --git a/third_party/heimdal/lib/gssapi/netlogon/import_name.c b/third_party/heimdal/lib/gssapi/netlogon/import_name.c
new file mode 100644
index 0000000..8d46486
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/import_name.c
@@ -0,0 +1,94 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "netlogon.h" +#include + +OM_uint32 _netlogon_import_name + (OM_uint32 * minor_status, + const gss_buffer_t input_name_buffer, + const gss_OID input_name_type, + gss_name_t * output_name + ) +{ + gssnetlogon_name name; + const char *netbiosName; + const char *dnsName = NULL; + size_t len, i; + + if (!gss_oid_equal(input_name_type, GSS_NETLOGON_NT_NETBIOS_DNS_NAME)) { + return GSS_S_BAD_NAME; + } + + /* encoding is NetBIOS name \0 DNS name \0 */ + + netbiosName = input_name_buffer->value; + len = strlen(netbiosName); + if (len < input_name_buffer->length) + dnsName = netbiosName + len + 1; + + name = (gssnetlogon_name)calloc(1, sizeof(*name)); + if (name == NULL) + goto cleanup; + + name->NetbiosName.value = malloc(len + 1); + if (name->NetbiosName.value == NULL) + goto cleanup; + memcpy(name->NetbiosName.value, netbiosName, len + 1); + name->NetbiosName.length = len; + + /* normalise name to uppercase XXX UTF-8 OK? */ + for (i = 0; i < len; i++) { + ((unsigned char *)name->NetbiosName.value)[i] = + toupper(((unsigned char *)name->NetbiosName.value)[i]); + } + + if (dnsName != NULL && dnsName[0] != '\0') { + name->DnsName.value = strdup(dnsName); + if (name->DnsName.value == NULL) + goto cleanup; + name->DnsName.length = strlen(dnsName); + } + + *output_name = (gss_name_t)name; + *minor_status = 0; + return GSS_S_COMPLETE; + +cleanup: + _netlogon_release_name(minor_status, (gss_name_t *)&name); + *minor_status = ENOMEM; + return GSS_S_FAILURE; +} + diff --git a/third_party/heimdal/lib/gssapi/netlogon/import_sec_context.c b/third_party/heimdal/lib/gssapi/netlogon/import_sec_context.c new file mode 100644 index 0000000..0415b39 --- /dev/null +++ b/third_party/heimdal/lib/gssapi/netlogon/import_sec_context.c 
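Review bot: `len = strlen(netbiosName)` runs before the `len < input_name_buffer->length` check, so a caller-supplied buffer with no NUL inside its `length` bytes is read past its end, and when the buffer holds exactly the NetBIOS name plus its terminator, `dnsName` is set to one past the end and `dnsName[0]` is an out-of-bounds read; the later `strdup(dnsName)` is equally unbounded. Scanning both terminators with `memchr` bounded by `input_name_buffer->length`, and returning GSS_S_BAD_NAME when either is missing, removes all three reads. An empty or NULL-valued buffer should be rejected the same way rather than handed to `strlen`. The rewritten prologue follows; allocation, uppercasing and the cleanup path are unchanged.
```c
    const char *nul;   /* new local: position of the NetBIOS terminator */
    /* … unchanged: name-type check … */

    /* encoding is NetBIOS name \0 DNS name \0; both NULs must lie inside the buffer */
    if (input_name_buffer->length == 0 || input_name_buffer->value == NULL)
        return GSS_S_BAD_NAME;
    netbiosName = input_name_buffer->value;
    nul = memchr(netbiosName, '\0', input_name_buffer->length);
    if (nul == NULL)
        return GSS_S_BAD_NAME;
    len = (size_t)(nul - netbiosName);
    if (len + 1 < input_name_buffer->length) {
        dnsName = netbiosName + len + 1;
        if (memchr(dnsName, '\0', input_name_buffer->length - (len + 1)) == NULL)
            return GSS_S_BAD_NAME;
    }
    /* … unchanged: calloc, NetBIOS copy and uppercasing, DNS strdup, cleanup … */
```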
@@ -0,0 +1,50 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include "netlogon.h"
+
+OM_uint32
+_netlogon_import_sec_context (
+ OM_uint32 * minor_status,
+ const gss_buffer_t interprocess_token,
+ gss_ctx_id_t * context_handle
+ )
+{
+ *minor_status = 0;
+ if (context_handle != NULL)
+ *context_handle = GSS_C_NO_CONTEXT;
+
+ return GSS_S_UNAVAILABLE;
+}
diff --git a/third_party/heimdal/lib/gssapi/netlogon/indicate_mechs.c b/third_party/heimdal/lib/gssapi/netlogon/indicate_mechs.c
new file mode 100644
index 0000000..9192e42
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/indicate_mechs.c
@@ -0,0 +1,48 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "netlogon.h" + +OM_uint32 _netlogon_indicate_mechs +(OM_uint32 * minor_status, + gss_OID_set * mech_set + ) +{ + *minor_status = 0; + if (mech_set != NULL) + *mech_set = GSS_C_NO_OID_SET; + + return GSS_S_COMPLETE; +} 
diff --git a/third_party/heimdal/lib/gssapi/netlogon/init_sec_context.c b/third_party/heimdal/lib/gssapi/netlogon/init_sec_context.c new file mode 100644 index 0000000..906f457 --- /dev/null +++ b/third_party/heimdal/lib/gssapi/netlogon/init_sec_context.c 
@@ -0,0 +1,289 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "netlogon.h" +#include + +static OM_uint32 +_netlogon_encode_dns_string(OM_uint32 *minor_status, + const gss_buffer_t str, + gss_buffer_t buffer) +{ + int ret; + + memset(buffer->value, 0, buffer->length); + + ret = ns_name_compress((const char *)str->value, + (uint8_t *)buffer->value, buffer->length, + NULL, NULL); + if (ret < 0) { + *minor_status = errno; + return GSS_S_FAILURE; + } + + buffer->length = ret; + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +static OM_uint32 +_netlogon_make_initial_auth_message(OM_uint32 *minor_status, + gssnetlogon_ctx ctx, + gss_buffer_t output_token) +{ + uint32_t flags = 0; +#define MAX_NL_NAMES 5 + gss_buffer_desc names[MAX_NL_NAMES]; + uint8_t comp_names[3][MAXHOSTNAMELEN * 2]; + size_t n = 0, i = 0, len; + OM_uint32 ret; + uint8_t *p; + + if (ctx->TargetName->NetbiosName.length) { + flags |= NL_FLAG_NETBIOS_DOMAIN_NAME; + names[n] = ctx->TargetName->NetbiosName; /* OEM encoding */ + names[n].length++; + n++; + } + if (ctx->SourceName->NetbiosName.length) { + flags |= NL_FLAG_NETBIOS_COMPUTER_NAME; + names[n] = ctx->SourceName->NetbiosName; /* OEM encoding */ + names[n].length++; + n++; + } + if (ctx->TargetName->DnsName.length) { + flags |= NL_FLAG_DNS_DOMAIN_NAME; + names[n].value = comp_names[i++]; + names[n].length = MAXHOSTNAMELEN * 2; + ret = _netlogon_encode_dns_string(minor_status, + &ctx->TargetName->DnsName, + &names[n]); + if (GSS_ERROR(ret)) + return ret; + n++; + } + if (ctx->SourceName->DnsName.length) { + flags |= NL_FLAG_DNS_HOST_NAME; + names[n].value = comp_names[i++]; + names[n].length = MAXHOSTNAMELEN * 2; + ret = _netlogon_encode_dns_string(minor_status, + &ctx->SourceName->DnsName, + &names[n]); + if (GSS_ERROR(ret)) + return ret; + n++; + } + if (ctx->SourceName->NetbiosName.length) { + flags |= NL_FLAG_UTF8_COMPUTER_NAME; + names[n].value = comp_names[i++]; + names[n].length = MAXHOSTNAMELEN * 2; + ret = _netlogon_encode_dns_string(minor_status, + &ctx->SourceName->NetbiosName, + 
&names[n]); + if (GSS_ERROR(ret)) + return ret; + n++; + } + + for (i = 0, len = NL_AUTH_MESSAGE_LENGTH; i < n; i++) { + len += names[i].length; + } + + output_token->value = malloc(len); + if (output_token->value == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + p = (uint8_t *)output_token->value; + _gss_mg_encode_le_uint32(NL_NEGOTIATE_REQUEST_MESSAGE, p); + _gss_mg_encode_le_uint32(flags, p + 4); + p += 8; + + for (i = 0; i < n; i++) { + assert(names[i].length != 0); + assert(((char *)names[i].value)[names[i].length - 1] == '\0'); + memcpy(p, names[i].value, names[i].length); + p += names[i].length; + } + + output_token->length = len; + assert(p == (uint8_t *)output_token->value + len); + + *minor_status = 0; + return GSS_S_CONTINUE_NEEDED; +} + +static OM_uint32 +_netlogon_read_initial_auth_message(OM_uint32 *minor_status, + gssnetlogon_ctx ctx, + const gss_buffer_t input_token) +{ + NL_AUTH_MESSAGE msg; + const uint8_t *p = (const uint8_t *)input_token->value; + + if (ctx->State != NL_AUTH_NEGOTIATE) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (input_token->length < NL_AUTH_MESSAGE_LENGTH) + return GSS_S_DEFECTIVE_TOKEN; + + _gss_mg_decode_le_uint32(&p[0], &msg.MessageType); + _gss_mg_decode_le_uint32(&p[4], &msg.Flags); + + if (msg.MessageType != NL_NEGOTIATE_RESPONSE_MESSAGE || + msg.Flags != 0) + return GSS_S_DEFECTIVE_TOKEN; + + ctx->State = NL_AUTH_ESTABLISHED; + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +static OM_uint32 +_netlogon_alloc_context(OM_uint32 *minor_status, + gssnetlogon_ctx *pContext) +{ + gssnetlogon_ctx ctx; + + ctx = (gssnetlogon_ctx)calloc(1, sizeof(*ctx)); + if (ctx == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + ctx->State = NL_AUTH_NEGOTIATE; + ctx->LocallyInitiated = 1; + ctx->MessageBlockSize = 1; + + HEIMDAL_MUTEX_init(&ctx->Mutex); + + *pContext = ctx; + + return GSS_S_COMPLETE; +} + +OM_uint32 +_netlogon_init_sec_context(OM_uint32 * minor_status, + 
gss_const_cred_id_t initiator_cred_handle, + gss_ctx_id_t * context_handle, + gss_const_name_t target_name, + const gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + const gss_channel_bindings_t input_chan_bindings, + const gss_buffer_t input_token, + gss_OID * actual_mech_type, + gss_buffer_t output_token, + OM_uint32 * ret_flags, + OM_uint32 * time_rec) +{ + const gssnetlogon_cred cred = (const gssnetlogon_cred)initiator_cred_handle; + gssnetlogon_ctx ctx = (gssnetlogon_ctx)*context_handle; + const gssnetlogon_name target = (const gssnetlogon_name)target_name; + OM_uint32 ret; + + *minor_status = 0; + + output_token->value = NULL; + output_token->length = 0; + + /* Validate arguments */ + if (cred == NULL) + return GSS_S_NO_CRED; + else if (target == NULL) + return GSS_S_BAD_NAME; + + if (ctx == NULL) { + if (input_token->length != 0) + return GSS_S_DEFECTIVE_TOKEN; + + ret = _netlogon_alloc_context(minor_status, &ctx); + if (GSS_ERROR(ret)) + goto cleanup; + + HEIMDAL_MUTEX_lock(&ctx->Mutex); + *context_handle = (gss_ctx_id_t)ctx; + + ctx->GssFlags = req_flags & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | + GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | + GSS_C_INTEG_FLAG | GSS_C_DCE_STYLE); + ctx->SignatureAlgorithm = cred->SignatureAlgorithm; + ctx->SealAlgorithm = cred->SealAlgorithm; + + ret = _netlogon_duplicate_name(minor_status, (gss_name_t)cred->Name, + (gss_name_t *)&ctx->SourceName); + if (GSS_ERROR(ret)) + goto cleanup; + + ret = _netlogon_duplicate_name(minor_status, (gss_name_t)target, + (gss_name_t *)&ctx->TargetName); + if (GSS_ERROR(ret)) + goto cleanup; + + memcpy(ctx->SessionKey, cred->SessionKey, sizeof(cred->SessionKey)); + + ret = _netlogon_make_initial_auth_message(minor_status, ctx, + output_token); + if (GSS_ERROR(ret)) + goto cleanup; + } else { + HEIMDAL_MUTEX_lock(&ctx->Mutex); + ret = _netlogon_read_initial_auth_message(minor_status, ctx, + input_token); + } + + if (ret_flags != NULL) + *ret_flags = ctx->GssFlags; + if (time_rec 
!= NULL) + *time_rec = GSS_C_INDEFINITE; + if (actual_mech_type != NULL) + *actual_mech_type = GSS_NETLOGON_MECHANISM; + +cleanup: + HEIMDAL_MUTEX_unlock(&ctx->Mutex); + + if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) { + OM_uint32 tmp; + _netlogon_delete_sec_context(&tmp, context_handle, NULL); + } + + return ret; +} + diff --git a/third_party/heimdal/lib/gssapi/netlogon/inquire_context.c b/third_party/heimdal/lib/gssapi/netlogon/inquire_context.c new file mode 100644 index 0000000..24995c2 --- /dev/null +++ b/third_party/heimdal/lib/gssapi/netlogon/inquire_context.c 
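Review bot: In `_netlogon_init_sec_context`, the `goto cleanup` taken when `_netlogon_alloc_context` fails reaches `HEIMDAL_MUTEX_unlock(&ctx->Mutex)` with `ctx` still NULL, so an allocation failure becomes a NULL dereference instead of a GSS_S_FAILURE return; replace that jump with `return ret;` (nothing has been locked or stored in `*context_handle` at that point). In the same first-call block, `input_token->length` is dereferenced unconditionally although GSS-API allows the initiator's first call to pass GSS_C_NO_BUFFER; use `if (input_token != GSS_C_NO_BUFFER && input_token->length != 0)`. The continuation path hands `input_token` straight to `_netlogon_read_initial_auth_message`, which also dereferences it, so the same NULL check there would keep a misbehaving caller from crashing the library rather than getting GSS_S_DEFECTIVE_TOKEN.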
@@ -0,0 +1,76 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "netlogon.h" + +OM_uint32 _netlogon_inquire_context ( + OM_uint32 * minor_status, + gss_const_ctx_id_t context_handle, + gss_name_t * src_name, + gss_name_t * targ_name, + OM_uint32 * lifetime_rec, + gss_OID * mech_type, + OM_uint32 * ctx_flags, + int * locally_initiated, + int * open_context + ) +{ + const gssnetlogon_ctx ctx = (const gssnetlogon_ctx)context_handle; + OM_uint32 ret; + + if (src_name != NULL) { + ret = _netlogon_duplicate_name(minor_status, (gss_name_t)ctx->SourceName, + (gss_name_t *)src_name); + if (GSS_ERROR(ret)) + return ret; + } + if (targ_name != NULL) { + ret = _netlogon_duplicate_name(minor_status, (gss_name_t)ctx->TargetName, + (gss_name_t *)targ_name); + if (GSS_ERROR(ret)) + return ret; + } + if (mech_type != NULL) + *mech_type = GSS_NETLOGON_MECHANISM; + if (ctx_flags != NULL) + *ctx_flags = ctx->GssFlags; + if (locally_initiated != NULL) + *locally_initiated = ctx->LocallyInitiated; + if (open_context != NULL) + *open_context = (ctx->State == NL_AUTH_ESTABLISHED); + + return GSS_S_COMPLETE; +} + diff --git a/third_party/heimdal/lib/gssapi/netlogon/inquire_cred.c b/third_party/heimdal/lib/gssapi/netlogon/inquire_cred.c new file mode 100644 index 0000000..6c7ca34 --- /dev/null +++ b/third_party/heimdal/lib/gssapi/netlogon/inquire_cred.c 
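Review bot: `_netlogon_inquire_context` dereferences `ctx->SourceName` and `ctx->State` without checking `context_handle`, while the sibling `_netlogon_inquire_cred` in this series returns GSS_S_NO_CRED for a NULL handle first; add `if (ctx == NULL) return GSS_S_NO_CONTEXT;` right after the cast. `*minor_status` is never written on the path where neither name is requested, so the caller reads an indeterminate value; set `*minor_status = 0;` at the top. `lifetime_rec` is accepted but never filled in, although `_netlogon_init_sec_context` reports GSS_C_INDEFINITE for `time_rec`; `if (lifetime_rec != NULL) *lifetime_rec = GSS_C_INDEFINITE;` keeps the two consistent. If the second `_netlogon_duplicate_name` fails, the already-duplicated `*src_name` is leaked; release it with `_netlogon_release_name` before returning.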
@@ -0,0 +1,68 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "netlogon.h" + +OM_uint32 _netlogon_inquire_cred + (OM_uint32 * minor_status, + gss_const_cred_id_t cred_handle, + gss_name_t * name, + OM_uint32 * lifetime, + gss_cred_usage_t * cred_usage, + gss_OID_set * mechanisms + ) +{ + OM_uint32 ret; + const gssnetlogon_cred cred = (const gssnetlogon_cred)cred_handle; + + *minor_status = 0; + + if (cred == NULL) + return GSS_S_NO_CRED; + + if (name != NULL) { + ret = _netlogon_duplicate_name(minor_status, + (gss_const_name_t)cred->Name, name); + if (GSS_ERROR(ret)) + return ret; + } + if (lifetime != NULL) + *lifetime = GSS_C_INDEFINITE; + if (cred_usage != NULL) + *cred_usage = GSS_C_INITIATE; + if (mechanisms != NULL) + *mechanisms = GSS_C_NO_OID_SET; + return GSS_S_COMPLETE; +} diff --git a/third_party/heimdal/lib/gssapi/netlogon/inquire_cred_by_mech.c b/third_party/heimdal/lib/gssapi/netlogon/inquire_cred_by_mech.c new file mode 100644 index 0000000..f36310f --- /dev/null +++ b/third_party/heimdal/lib/gssapi/netlogon/inquire_cred_by_mech.c 
@@ -0,0 +1,66 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "netlogon.h" + +OM_uint32 _netlogon_inquire_cred_by_mech ( + OM_uint32 * minor_status, + gss_const_cred_id_t cred_handle, + const gss_OID mech_type, + gss_name_t * name, + OM_uint32 * initiator_lifetime, + OM_uint32 * acceptor_lifetime, + gss_cred_usage_t * cred_usage + ) +{ + OM_uint32 ret; + const gssnetlogon_cred cred = (const gssnetlogon_cred)cred_handle; + + if (name != NULL) { + ret = _netlogon_duplicate_name(minor_status, + (gss_const_name_t)cred->Name, name); + if (GSS_ERROR(ret)) + return ret; + } + if (initiator_lifetime != NULL) + *initiator_lifetime = GSS_C_INDEFINITE; + if (acceptor_lifetime != NULL) + *acceptor_lifetime = GSS_C_INDEFINITE; + if (cred_usage != NULL) + *cred_usage = GSS_C_INITIATE; + *minor_status = 0; + return GSS_S_COMPLETE; +} + diff --git a/third_party/heimdal/lib/gssapi/netlogon/inquire_mechs_for_name.c b/third_party/heimdal/lib/gssapi/netlogon/inquire_mechs_for_name.c new file mode 100644 index 0000000..dbf385c --- /dev/null +++ b/third_party/heimdal/lib/gssapi/netlogon/inquire_mechs_for_name.c 
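Review bot: `cred->Name` is dereferenced without a NULL check on `cred_handle`, unlike `_netlogon_inquire_cred` in this series, which returns GSS_S_NO_CRED before touching the credential; add `if (cred == NULL) { *minor_status = 0; return GSS_S_NO_CRED; }` ahead of the `name` block. `mech_type` is accepted and ignored; if the mechglue can route a foreign mechanism OID to this entry point, comparing it against GSS_NETLOGON_MECHANISM with `gss_oid_equal` and returning GSS_S_BAD_MECH would be the conservative check, though whether that can happen is not visible from this hunk.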
@@ -0,0 +1,48 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "netlogon.h" + +OM_uint32 _netlogon_inquire_mechs_for_name ( + OM_uint32 * minor_status, + gss_const_name_t input_name, + gss_OID_set * mech_types + ) +{ + if (mech_types != NULL) + *mech_types = GSS_C_NO_OID_SET; + *minor_status = 0; + return GSS_S_COMPLETE; +} diff --git a/third_party/heimdal/lib/gssapi/netlogon/inquire_names_for_mech.c b/third_party/heimdal/lib/gssapi/netlogon/inquire_names_for_mech.c new file mode 100644 index 0000000..9802e53 --- /dev/null +++ b/third_party/heimdal/lib/gssapi/netlogon/inquire_names_for_mech.c 
@@ -0,0 +1,58 @@ +/* + * Copyright (c) 2010 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2010 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "netlogon.h" + +OM_uint32 _netlogon_inquire_names_for_mech ( + OM_uint32 * minor_status, + const gss_OID mechanism, + gss_OID_set * name_types + ) +{ + OM_uint32 ret, tmp; + + ret = gss_create_empty_oid_set(minor_status, name_types); + if (ret != GSS_S_COMPLETE) + return ret; + + ret = gss_add_oid_set_member(minor_status, GSS_NETLOGON_NT_NETBIOS_DNS_NAME, name_types); + if (ret != GSS_S_COMPLETE) { + gss_release_oid_set(&tmp, name_types); + return ret; + } + + *minor_status = 0; + return GSS_S_COMPLETE; +} diff --git a/third_party/heimdal/lib/gssapi/netlogon/iter_cred.c b/third_party/heimdal/lib/gssapi/netlogon/iter_cred.c new file mode 100644 index 0000000..93a8d59 --- /dev/null +++ b/third_party/heimdal/lib/gssapi/netlogon/iter_cred.c 
@@ -0,0 +1,44 @@ +/* + * Copyright (c) 2009 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2009 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "netlogon.h" +#include + +void +_netlogon_iter_creds_f(OM_uint32 flags, + void *userctx , + void (*cred_iter)(void *, gss_OID, gss_cred_id_t)) +{ +} 
diff --git a/third_party/heimdal/lib/gssapi/netlogon/netlogon.h b/third_party/heimdal/lib/gssapi/netlogon/netlogon.h new file mode 100644 index 0000000..68573e2 --- /dev/null +++ b/third_party/heimdal/lib/gssapi/netlogon/netlogon.h 
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 2010-2018 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef NETLOGON_NETLOGON_H
+#define NETLOGON_NETLOGON_H
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#include 
+
+#include 
+#include 
+
+#define HC_DEPRECATED_CRYPTO
+#include "crypto-headers.h"
+
+/*
+ *
+ */
+
+typedef struct {
+#define NL_NEGOTIATE_REQUEST_MESSAGE 0x00000000
+#define NL_NEGOTIATE_RESPONSE_MESSAGE 0x00000001
+ uint32_t MessageType;
+#define NL_FLAG_NETBIOS_DOMAIN_NAME 0x00000001
+#define NL_FLAG_NETBIOS_COMPUTER_NAME 0x00000002
+#define NL_FLAG_DNS_DOMAIN_NAME 0x00000004
+#define NL_FLAG_DNS_HOST_NAME 0x00000008 /* not used */
+#define NL_FLAG_UTF8_COMPUTER_NAME 0x00000010
+ uint32_t Flags;
+ char *Buffer[0];
+} NL_AUTH_MESSAGE;
+
+#define NL_AUTH_MESSAGE_LENGTH 8
+
+/* SignatureAlgorithm */
+#define NL_SIGN_ALG_HMAC_MD5 0x0077
+#define NL_SIGN_ALG_SHA256 0x0013
+
+/* SealAlgorithm */
+#define NL_SEAL_ALG_RC4 0x007A
+#define NL_SEAL_ALG_AES128 0x001A
+#define NL_SEAL_ALG_NONE 0xFFFF
+
+typedef struct {
+ uint16_t SignatureAlgorithm;
+ uint16_t SealAlgorithm;
+ uint16_t Pad;
+ uint16_t Flags;
+ uint8_t SequenceNumber[8];
+ uint8_t Checksum[8];
+ uint8_t Confounder[8];
+} NL_AUTH_SIGNATURE;
+
+#define NL_AUTH_SIGNATURE_HEADER_LENGTH 8
+#define NL_AUTH_SIGNATURE_COMMON_LENGTH 16
+#define NL_AUTH_SIGNATURE_LENGTH 32
+
+typedef struct {
+ uint16_t SignatureAlgorithm;
+ uint16_t SealAlgorithm;
+ uint16_t Pad;
+ uint16_t Flags;
+ uint8_t SequenceNumber[8];
+ uint8_t Checksum[32];
+ uint8_t Confounder[8];
+} NL_AUTH_SHA2_SIGNATURE;
+
+#define NL_AUTH_SHA2_SIGNATURE_LENGTH 56
+
+typedef union {
+ NL_AUTH_SIGNATURE Signature;
+ NL_AUTH_SHA2_SIGNATURE SHA2Signature;
+} NL_AUTH_SIGNATURE_U;
+
+#define NL_AUTH_SIGNATURE_P(_u) (&(_u)->Signature)
+
+typedef struct gssnetlogon_name {
+ gss_buffer_desc NetbiosName;
+ gss_buffer_desc DnsName;
+} *gssnetlogon_name;
+typedef const struct gssnetlogon_name *gssnetlogon_const_name;
+
+typedef struct gssnetlogon_cred {
+ gssnetlogon_name *Name;
+ uint16_t SignatureAlgorithm;
+ uint16_t SealAlgorithm;
+ uint8_t SessionKey[16];
+} *gssnetlogon_cred;
+typedef const struct gssnetlogon_cred *gssnetlogon_const_cred;
+
+typedef struct gssnetlogon_ctx {
+ HEIMDAL_MUTEX Mutex;
+ enum { NL_AUTH_NEGOTIATE, NL_AUTH_ESTABLISHED } State;
+ OM_uint32 GssFlags;
+ uint8_t LocallyInitiated;
+ uint32_t MessageBlockSize;
+ uint16_t SignatureAlgorithm;
+ uint16_t SealAlgorithm;
+ uint64_t SequenceNumber;
+ gssnetlogon_name SourceName;
+ gssnetlogon_name TargetName;
+ uint8_t SessionKey[16];
+} *gssnetlogon_ctx;
+
+#include 
+
+#endif /* NETLOGON_NETLOGON_H */
diff --git a/third_party/heimdal/lib/gssapi/netlogon/process_context_token.c b/third_party/heimdal/lib/gssapi/netlogon/process_context_token.c
new file mode 100644
index 0000000..0f83613
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/process_context_token.c
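Review bot: The `Name` field of `struct gssnetlogon_cred` is declared as `gssnetlogon_name *Name;`, a pointer to a pointer, yet `_netlogon_release_cred` later in this patch passes `&cred->Name` as a `gss_name_t *` and `_netlogon_release_name` then reads `*input_name` as a plain `gssnetlogon_name`, which only works if the field actually holds a `gssnetlogon_name`; the extra `*` looks like a typo that the casts hide, and `gssnetlogon_name Name;` (matching `SourceName`/`TargetName` in `gssnetlogon_ctx`) would let the compiler check those uses, unless another file relies on the current declaration. Separately, `char *Buffer[0];` in `NL_AUTH_MESSAGE` is a zero-length array of pointers, a GNU extension; if the field is meant to be trailing wire bytes after the two `uint32_t` header words (which `NL_AUTH_MESSAGE_LENGTH 8` suggests), the standard C99 form is a flexible array member of bytes, `uint8_t Buffer[];`. Since `NL_AUTH_SIGNATURE_LENGTH 32` and `NL_AUTH_SHA2_SIGNATURE_LENGTH 56` duplicate the struct sizes by hand, a `_Static_assert(sizeof(NL_AUTH_SIGNATURE) == NL_AUTH_SIGNATURE_LENGTH, "...")` next to each would catch padding drift if the file may use C11.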
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_process_context_token (
+ OM_uint32 *minor_status,
+ gss_const_ctx_id_t context_handle,
+ const gss_buffer_t token_buffer
+ )
+{
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
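Review bot: `_netlogon_process_context_token` returns `GSS_S_COMPLETE` for every input without inspecting `token_buffer` or `context_handle`, so a caller cannot tell a processed token from one that was silently ignored. If this mechanism defines no context tokens, returning `GSS_S_DEFECTIVE_TOKEN` would state that to the caller; at minimum the body deserves a comment such as `/* No context tokens are defined for this mechanism; nothing to process. */` so the unconditional success is recognisably deliberate. Both `context_handle` and `token_buffer` are otherwise unused and will warn under `-Wunused-parameter`.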
diff --git a/third_party/heimdal/lib/gssapi/netlogon/regen.sh b/third_party/heimdal/lib/gssapi/netlogon/regen.sh
new file mode 100644
index 0000000..b034dbf
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/regen.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+perl ../../../cf/make-proto.pl -q -P comment -p netlogon-private.h *.c
diff --git a/third_party/heimdal/lib/gssapi/netlogon/release_cred.c b/third_party/heimdal/lib/gssapi/netlogon/release_cred.c
new file mode 100644
index 0000000..7db71b6
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/release_cred.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_release_cred
+ (OM_uint32 * minor_status,
+ gss_cred_id_t * cred_handle
+ )
+{
+ gssnetlogon_cred cred = (gssnetlogon_cred)*cred_handle;
+
+ if (cred != NULL) {
+ _netlogon_release_name(minor_status, (gss_name_t *)&cred->Name);
+ memset(cred, 0, sizeof(*cred));
+ free(cred);
+ *cred_handle = GSS_C_NO_CREDENTIAL;
+ }
+
+ return GSS_S_COMPLETE;
+}
+
diff --git a/third_party/heimdal/lib/gssapi/netlogon/release_name.c b/third_party/heimdal/lib/gssapi/netlogon/release_name.c
new file mode 100644
index 0000000..27ca018
--- /dev/null
+++ b/third_party/heimdal/lib/gssapi/netlogon/release_name.c
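Review bot: The `memset(cred, 0, sizeof(*cred));` immediately before `free(cred)` is a dead store the optimizer is entitled to drop, so the 16-byte `SessionKey` held in the credential may remain in freed heap memory; Heimdal's roken ships a `memset_s`, and `memset_s(cred, sizeof(*cred), 0, sizeof(*cred));` would make the wipe survive optimization (assuming it is in scope through netlogon.h's includes). Separately, `*minor_status` is written only inside the `if` (by `_netlogon_release_name`), so releasing a `GSS_C_NO_CREDENTIAL` handle returns `GSS_S_COMPLETE` with `*minor_status` left untouched; the `_netlogon_release_name` hunk below sets `*minor_status = 0;` unconditionally before returning, and this function should do the same for consistency.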
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "netlogon.h"
+
+OM_uint32 _netlogon_release_name
+ (OM_uint32 * minor_status,
+ gss_name_t * input_name
+ )
+{
+ gssnetlogon_name name = (gssnetlogon_name)*input_name;
+
+ if (name != NULL) {
+ gss_release_buffer(minor_status, &name->NetbiosName);
+ gss_release_buffer(minor_status, &name->DnsName);
+ free(name);
+ *input_name = GSS_C_NO_NAME;
+ }
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
-- 
cgit v1.2.3