static void
start_gssrequest(dns_name_t *master) {
- gss_ctx_id_t context;
+ dns_gss_ctx_id_t context;
isc_buffer_t buf;
isc_result_t result;
uint32_t val = 0;
nsu_gssinfo_t *reqinfo;
dns_message_t *tsigquery = NULL;
isc_sockaddr_t *addr;
- gss_ctx_id_t context;
+ dns_gss_ctx_id_t context;
isc_buffer_t buf;
dns_name_t *servname;
dns_fixedname_t fname;
return (result);
}
-gss_ctx_id_t
+dns_gss_ctx_id_t
dst_key_getgssctx(const dst_key_t *key) {
REQUIRE(key != NULL);
}
isc_result_t
-dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
- dst_key_t **keyp, isc_region_t *intoken) {
+dst_key_fromgssapi(const dns_name_t *name, dns_gss_ctx_id_t gssctx,
+ isc_mem_t *mctx, dst_key_t **keyp, isc_region_t *intoken) {
dst_key_t *key;
isc_result_t result;
char *label; /*%< engine label (HSM) */
union {
void *generic;
- gss_ctx_id_t gssctx;
+ dns_gss_ctx_id_t gssctx;
DH *dh;
#if USE_OPENSSL
EVP_PKEY *pkey;
isc_buffer_remainingregion(b, &r);
REGION_TO_GBUFFER(r, gssbuffer);
major = gss_import_sec_context(&minor, &gssbuffer,
- &key->keydata.gssctx);
+ (gss_ctx_id_t *)&key->keydata.gssctx);
if (major != GSS_S_COMPLETE) {
isc_buffer_free(&b);
return (ISC_R_FAILURE);
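Review bot: `(gss_ctx_id_t *)&key->keydata.gssctx` makes gss_import_sec_context() store a `gss_ctx_id_t` through an object declared `void *` (the union member changed on the `+ dns_gss_ctx_id_t gssctx;` line), which is only well-defined when the two pointer types share a representation; the C standard guarantees that for `void *` and `char *` only, and the access is also a type-punned store under the aliasing rules, even though it works on common ABIs. The same cast pattern is introduced at the gss_export_sec_context, gss_acquire_cred, gss_release_cred, gss_init_sec_context and gss_delete_sec_context calls in this file. The cast can be avoided entirely by letting the library write its own type and copying afterwards: `gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;` / `major = gss_import_sec_context(&minor, &gssbuffer, &ctx);` / `key->keydata.gssctx = ctx;`. If the casts are kept, a single `_Static_assert(sizeof(gss_ctx_id_t) == sizeof(dns_gss_ctx_id_t), "dns_gss_ctx_id_t must mirror gss_ctx_id_t");` next to the first one documents and cheaply checks the assumption. The enclosing function starts before this hunk.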
isc_region_t r;
isc_result_t result;
- major = gss_export_sec_context(&minor, &key->keydata.gssctx,
- &gssbuffer);
+ major = gss_export_sec_context(
+ &minor, (gss_ctx_id_t *)&key->keydata.gssctx, &gssbuffer);
if (major != GSS_S_COMPLETE) {
fprintf(stderr, "gss_export_sec_context -> %u, %u\n", major,
minor);
isc_result_t
dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
- gss_cred_id_t *cred) {
+ dns_gss_cred_id_t *cred) {
isc_result_t result;
isc_buffer_t namebuf;
gss_name_t gname;
}
gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
- usage, cred, NULL, &lifetime);
+ usage, (gss_cred_id_t *)cred, NULL, &lifetime);
if (gret != GSS_S_COMPLETE) {
gss_log(3, "failed to acquire %s credentials for %s: %s",
}
isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred) {
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred) {
OM_uint32 gret, minor;
char buf[1024];
REQUIRE(cred != NULL && *cred != NULL);
- gret = gss_release_cred(&minor, cred);
+ gret = gss_release_cred(&minor, (gss_cred_id_t *)cred);
if (gret != GSS_S_COMPLETE) {
/* Log the error, but still free the credential's memory */
gss_log(3, "failed releasing credential: %s",
isc_result_t
dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+ isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
isc_mem_t *mctx, char **err_message) {
isc_region_t r;
isc_buffer_t namebuf;
*/
flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
- gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx, gname,
- GSS_SPNEGO_MECHANISM, flags, 0, NULL,
- gintokenp, NULL, &gouttoken, &ret_flags,
- NULL);
+ gret = gss_init_sec_context(
+ &minor, GSS_C_NO_CREDENTIAL, (gss_ctx_id_t *)gssctx, gname,
+ GSS_SPNEGO_MECHANISM, flags, 0, NULL, gintokenp, NULL,
+ &gouttoken, &ret_flags, NULL);
if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
gss_err_message(mctx, gret, minor, err_message);
}
isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
isc_region_t *intoken, isc_buffer_t **outtoken,
- gss_ctx_id_t *ctxout, dns_name_t *principal,
+ dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
isc_mem_t *mctx) {
isc_region_t r;
isc_buffer_t namebuf;
}
isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx) {
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx) {
OM_uint32 gret, minor;
char buf[1024];
REQUIRE(gssctx != NULL && *gssctx != NULL);
/* Delete the context from the GSS provider */
- gret = gss_delete_sec_context(&minor, gssctx, GSS_C_NO_BUFFER);
+ gret = gss_delete_sec_context(&minor, (gss_ctx_id_t *)gssctx,
+ GSS_C_NO_BUFFER);
if (gret != GSS_S_COMPLETE) {
/* Log the error, but still free the context's memory */
gss_log(3, "Failure deleting security context %s",
isc_result_t
dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
- gss_cred_id_t *cred) {
+ dns_gss_cred_id_t *cred) {
REQUIRE(cred != NULL && *cred == NULL);
UNUSED(name);
}
isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred) {
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred) {
UNUSED(cred);
return (ISC_R_NOTIMPLEMENTED);
isc_result_t
dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+ isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
isc_mem_t *mctx, char **err_message) {
UNUSED(name);
UNUSED(intoken);
}
isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
isc_region_t *intoken, isc_buffer_t **outtoken,
- gss_ctx_id_t *ctxout, dns_name_t *principal,
+ dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
isc_mem_t *mctx) {
UNUSED(cred);
UNUSED(gssapi_keytab);
}
isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx) {
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx) {
UNUSED(mctx);
UNUSED(gssctx);
return (ISC_R_NOTIMPLEMENTED);
#define DNS_TKEYMODE_DELETE 5
struct dns_tkeyctx {
- dst_key_t * dhkey;
- dns_name_t * domain;
- gss_cred_id_t gsscred;
- isc_mem_t * mctx;
- char * gssapi_keytab;
+ dst_key_t * dhkey;
+ dns_name_t * domain;
+ dns_gss_cred_id_t gsscred;
+ isc_mem_t * mctx;
+ char * gssapi_keytab;
};
isc_result_t
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
const dns_name_t *gname, isc_buffer_t *intoken,
- uint32_t lifetime, gss_ctx_id_t *context, bool win2k,
+ uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
isc_mem_t *mctx, char **err_message);
/*%<
* Builds a query containing a TKEY that will generate a GSSAPI context.
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *gname, gss_ctx_id_t *context,
+ const dns_name_t *gname, dns_gss_ctx_id_t *context,
isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
dns_tsig_keyring_t *ring, char **err_message);
/*%<
isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *server, gss_ctx_id_t *context,
+ const dns_name_t *server, dns_gss_ctx_id_t *context,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
bool win2k, char **err_message);
*\li If successful, key will contain a valid private key.
*/
-gss_ctx_id_t
+dns_gss_ctx_id_t
dst_key_getgssctx(const dst_key_t *key);
/*%<
* Returns the opaque key data.
*/
isc_result_t
-dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
- dst_key_t **keyp, isc_region_t *intoken);
+dst_key_fromgssapi(const dns_name_t *name, dns_gss_ctx_id_t gssctx,
+ isc_mem_t *mctx, dst_key_t **keyp, isc_region_t *intoken);
/*%<
* Converts a GSSAPI opaque context id into a DST key.
*
* information regarding copyright ownership.
*/
-#ifndef DST_GSSAPI_H
-#define DST_GSSAPI_H 1
+#pragma once
/*! \file dst/gssapi.h */
#include <inttypes.h>
#include <stdbool.h>
-#if HAVE_GSSAPI_GSSAPI_H
-#include <gssapi/gssapi.h>
-#elif HAVE_GSSAPI_H
-#include <gssapi.h>
-#endif
-
#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/platform.h>
#include <dns/types.h>
-/*
- * Define dummy opaque typedefs if we are not using GSSAPI
- *
- * FIXME: Make the gssapi types completely opaque and include <gssapi.h> only
- * internally.
- */
-#if !HAVE_GSSAPI
-typedef void *gss_cred_id_t;
-typedef void *gss_ctx_id_t;
-#endif
+typedef void *dns_gss_cred_id_t;
+typedef void *dns_gss_ctx_id_t;
ISC_LANG_BEGINDECLS
isc_result_t
dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
- gss_cred_id_t *cred);
+ dns_gss_cred_id_t *cred);
/*
* Acquires GSS credentials.
*
* Requires:
- * 'name' is a valid name, preferably one known by the GSS provider
- * 'initiate' indicates whether the credentials are for initiating or
+ * 'name' is a valid name, preferably one known by the GSS provider
+ * 'initiate' indicates whether the credentials are for initiating or
* accepting contexts
* 'cred' is a pointer to NULL, which will be allocated with the
* credential handle. Call dst_gssapi_releasecred to free
*/
isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred);
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred);
/*
* Releases GSS credentials. Calling this function does release the
- * memory allocated for the credential in dst_gssapi_acquirecred()
+ * memory allocated for the credential in dst_gssapi_acquirecred()
*
* Requires:
* 'mctx' is a valid memory context
* 'cred' is a pointer to the credential to be released
*
* Returns:
- * ISC_R_SUCCESS credential was released successfully
+ * ISC_R_SUCCESS credential was released successfully
* other an error occurred while releaseing
* the credential
*/
isc_result_t
dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+ isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
isc_mem_t *mctx, char **err_message);
/*
* Initiates a GSS context.
*
* Requires:
- * 'name' is a valid name, preferably one known by the GSS
- * provider
- * 'intoken' is a token received from the acceptor, or NULL if
+ * 'name' is a valid name, preferably one known by the GSS
+ * provider
+ * 'intoken' is a token received from the acceptor, or NULL if
* there isn't one
- * 'outtoken' is a buffer to receive the token generated by
+ * 'outtoken' is a buffer to receive the token generated by
* gss_init_sec_context() to be sent to the acceptor
- * 'context' is a pointer to a valid gss_ctx_id_t
- * (which may have the value GSS_C_NO_CONTEXT)
+ * 'context' is a pointer to a valid dns_gss_ctx_id_t
+ * (which may have the value DNS_GSS_C_NO_CONTEXT)
*
* Returns:
* ISC_R_SUCCESS msg was successfully updated to include the
- * query to be sent
+ * query to be sent
* other an error occurred while building the message
* *err_message optional error message
*/
isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
isc_region_t *intoken, isc_buffer_t **outtoken,
- gss_ctx_id_t *context, dns_name_t *principal,
+ dns_gss_ctx_id_t *context, dns_name_t *principal,
isc_mem_t *mctx);
/*
* Accepts a GSS context.
*
* Requires:
- * 'mctx' is a valid memory context
+ * 'mctx' is a valid memory context
* 'cred' is the acceptor's valid GSS credential handle
- * 'intoken' is a token received from the initiator
- * 'outtoken' is a pointer a buffer pointer used to return the token
+ * 'intoken' is a token received from the initiator
+ * 'outtoken' is a pointer a buffer pointer used to return the token
* generated by gss_accept_sec_context() to be sent to the
* initiator
* 'context' is a valid pointer to receive the generated context handle.
* On the initial call, it should be a pointer to NULL, which
- * will be allocated as a gss_ctx_id_t. Subsequent calls
+ * will be allocated as a dns_gss_ctx_id_t. Subsequent calls
* should pass in the handle generated on the first call.
* Call dst_gssapi_releasecred to delete the context and free
* the memory.
*
* Returns:
* ISC_R_SUCCESS msg was successfully updated to include the
- * query to be sent
+ * query to be sent
* DNS_R_CONTINUE transaction still in progress
- * other an error occurred while building the message
+ * other an error occurred while building the message
*/
isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx);
/*
* Destroys a GSS context. This function deletes the context from the GSS
- * provider and then frees the memory used by the context pointer.
+ * provider and then frees the memory used by the context pointer.
*
* Requires:
* 'mctx' is a valid memory context
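Review bot: With `typedef void *dns_gss_cred_id_t;` and `typedef void *dns_gss_ctx_id_t;` the two handle types are identical to the compiler, so passing a credential where a context is expected (or the reverse) is no longer a compile error, whereas the GSS-API types they replace were distinct struct pointers. If the goal is to hide <gssapi.h> from users of this header rather than to use `void *` specifically, distinct incomplete-struct pointers such as `typedef struct dns_gss_cred_id *dns_gss_cred_id_t;` and `typedef struct dns_gss_ctx_id *dns_gss_ctx_id_t;` keep that check, assuming every conversion in gssapi_link.c already goes through the explicit casts this commit adds. The rewritten dst_gssapi_initctx comment says 'context' may have the value `DNS_GSS_C_NO_CONTEXT`, but nothing in this hunk defines that macro; if it is not defined elsewhere in the header the comment should say NULL, or the macro should be added beside the typedefs. In the dst_gssapi_acceptctx comment, "Call dst_gssapi_releasecred to delete the context" appears to mean dst_gssapi_deletectx, the function declared immediately below.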
*
* Requires:
* 'major' is a GSS major status code
- * 'minor' is a GSS minor status code
+ * 'minor' is a GSS minor status code
*
* Returns:
* A string containing the text representation of the error codes.
- * Users should copy the string if they wish to keep it.
+ * Users should copy the string if they wish to keep it.
*/
bool
*/
ISC_LANG_ENDDECLS
-
-#endif /* DST_GSSAPI_H */
#include <inttypes.h>
#include <stdbool.h>
-#if HAVE_GSSAPI
#if HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif HAVE_GSSAPI_H
#include <gssapi.h>
#endif
-#endif /* HAVE_GSSAPI */
#include <isc/buffer.h>
#include <isc/md.h>
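Review bot: Removing the `#if HAVE_GSSAPI` wrapper means <gssapi/gssapi.h> (or <gssapi.h>) is now included in tkey.c whenever the matching HAVE_GSSAPI_*_H macro is set, independently of whether GSSAPI support is enabled. That is harmless if configure only probes for those headers under --with-gssapi, but if the header test runs unconditionally a --without-gssapi build on a host with a Kerberos SDK installed will now compile tkey.c against the system gssapi header; worth confirming against the configure check, or keeping the outer guard, before merging.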
isc_stdtime_t now;
isc_region_t intoken;
isc_buffer_t *outtoken = NULL;
- gss_ctx_id_t gss_ctx = NULL;
+ dns_gss_ctx_id_t gss_ctx = NULL;
/*
* You have to define either a gss credential (principal) to
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
const dns_name_t *gname, isc_buffer_t *intoken,
- uint32_t lifetime, gss_ctx_id_t *context, bool win2k,
+ uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
isc_mem_t *mctx, char **err_message) {
dns_rdata_tkey_t tkey;
isc_result_t result;
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *gname, gss_ctx_id_t *context,
+ const dns_name_t *gname, dns_gss_ctx_id_t *context,
isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
dns_tsig_keyring_t *ring, char **err_message) {
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *server, gss_ctx_id_t *context,
+ const dns_name_t *server, dns_gss_ctx_id_t *context,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
bool win2k, char **err_message) {
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;