diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index e303ee9dc8..73cb363fe3 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2901,7 +2901,7 @@ failed_gssrequest(void) {
 static void
 start_gssrequest(dns_name_t *master) {
-	gss_ctx_id_t context;
+	dns_gss_ctx_id_t context;
 	isc_buffer_t buf;
 	isc_result_t result;
 	uint32_t val = 0;
@@ -3046,7 +3046,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 	nsu_gssinfo_t *reqinfo;
 	dns_message_t *tsigquery = NULL;
 	isc_sockaddr_t *addr;
-	gss_ctx_id_t context;
+	dns_gss_ctx_id_t context;
 	isc_buffer_t buf;
 	dns_name_t *servname;
 	dns_fixedname_t fname;
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index a501d0be11..7e89a72a2b 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -846,7 +846,7 @@ out:
 	return (result);
 }
-gss_ctx_id_t
+dns_gss_ctx_id_t
 dst_key_getgssctx(const dst_key_t *key) {
 	REQUIRE(key != NULL);
@@ -854,8 +854,8 @@ dst_key_getgssctx(const dst_key_t *key) {
 }
 isc_result_t
-dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
-		   dst_key_t **keyp, isc_region_t *intoken) {
+dst_key_fromgssapi(const dns_name_t *name, dns_gss_ctx_id_t gssctx,
+		   isc_mem_t *mctx, dst_key_t **keyp, isc_region_t *intoken) {
 	dst_key_t *key;
 	isc_result_t result;
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 43ab84ab15..776638fdc4 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -96,7 +96,7 @@ struct dst_key {
 	char *label; /*%< engine label (HSM) */
 	union {
 		void *generic;
-		gss_ctx_id_t gssctx;
+		dns_gss_ctx_id_t gssctx;
 		DH *dh;
 #if USE_OPENSSL
 		EVP_PKEY *pkey;
diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
index a175f44d23..f595d3c87e 100644
--- a/lib/dns/gssapi_link.c
+++ b/lib/dns/gssapi_link.c
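Review bot: In both nsupdate.c hunks the local is still declared uninitialised, `dns_gss_ctx_id_t context;`, and now that the handle is a plain `void *` there is no type distinction left to remind a reader that it must be NULL (the former `GSS_C_NO_CONTEXT`) before `dst_gssapi_initctx` first sees it. Initialising at the declaration, `dns_gss_ctx_id_t context = NULL;`, costs nothing and makes the requirement stated in dst/gssapi.h ("a pointer to a valid dns_gss_ctx_id_t") hold from the first line. Both start_gssrequest and recvgss continue outside their hunks, so an assignment further down may already cover this.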
@@ -291,7 +291,7 @@ gssapi_restore(dst_key_t *key, const char *keystr) {
 	isc_buffer_remainingregion(b, &r);
 	REGION_TO_GBUFFER(r, gssbuffer);
 	major = gss_import_sec_context(&minor, &gssbuffer,
-				       &key->keydata.gssctx);
+				       (gss_ctx_id_t *)&key->keydata.gssctx);
 	if (major != GSS_S_COMPLETE) {
 		isc_buffer_free(&b);
 		return (ISC_R_FAILURE);
@@ -311,8 +311,8 @@ gssapi_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
 	isc_region_t r;
 	isc_result_t result;
-	major = gss_export_sec_context(&minor, &key->keydata.gssctx,
-				       &gssbuffer);
+	major = gss_export_sec_context(
+		&minor, (gss_ctx_id_t *)&key->keydata.gssctx, &gssbuffer);
 	if (major != GSS_S_COMPLETE) {
 		fprintf(stderr, "gss_export_sec_context -> %u, %u\n", major,
 			minor);
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index b083294d40..ee512041fe 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -270,7 +270,7 @@ mech_oid_set_release(gss_OID_set *mech_oid_set) {
 isc_result_t
 dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
-		       gss_cred_id_t *cred) {
+		       dns_gss_cred_id_t *cred) {
 	isc_result_t result;
 	isc_buffer_t namebuf;
 	gss_name_t gname;
@@ -332,7 +332,7 @@ dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
 	}
 	gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
-				usage, cred, NULL, &lifetime);
+				usage, (gss_cred_id_t *)cred, NULL, &lifetime);
 	if (gret != GSS_S_COMPLETE) {
 		gss_log(3, "failed to acquire %s credentials for %s: %s",
@@ -526,13 +526,13 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 }
 isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred) {
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred) {
 	OM_uint32 gret, minor;
 	char buf[1024];
 	REQUIRE(cred != NULL && *cred != NULL);
-	gret = gss_release_cred(&minor, cred);
+	gret = gss_release_cred(&minor, (gss_cred_id_t *)cred);
 	if (gret != GSS_S_COMPLETE) {
 		/* Log the error, but still free the credential's memory */
 		gss_log(3, "failed releasing credential: %s",
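Review bot: The new `(gss_ctx_id_t *)&key->keydata.gssctx` casts hand the GSS library a `void **` to write through as a `gss_ctx_id_t *`, which is only sound while the library's handle type is a plain object pointer with the same size and representation as `void *` (true for MIT Kerberos and Heimdal, but not guaranteed by the C standard, and technically an effective-type violation that strict-aliasing optimisation is allowed to exploit). A compile-time guard makes the assumption explicit and fails the build on an unusual GSS implementation instead of corrupting `key->keydata`: `_Static_assert(sizeof(gss_ctx_id_t) == sizeof(dns_gss_ctx_id_t), "dns_gss_ctx_id_t must match gss_ctx_id_t");` with the same check for `gss_cred_id_t`/`dns_gss_cred_id_t`, placed once after the GSS headers are included in gssapi_link.c and gssapictx.c. The same cast pattern appears in the gssapictx.c hunks at -332 (`gss_acquire_cred`), -526 (`gss_release_cred`), -607 (`gss_init_sec_context`) and -818 (`gss_delete_sec_context`). gssapi_restore and gssapi_dump both start outside their hunks.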
@@ -567,7 +567,7 @@ gss_err_message(isc_mem_t *mctx, uint32_t major, uint32_t minor,
 isc_result_t
 dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
-		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+		   isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
 		   isc_mem_t *mctx, char **err_message) {
 	isc_region_t r;
 	isc_buffer_t namebuf;
@@ -607,10 +607,10 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
 	 */
 	flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
-	gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx, gname,
-				    GSS_SPNEGO_MECHANISM, flags, 0, NULL,
-				    gintokenp, NULL, &gouttoken, &ret_flags,
-				    NULL);
+	gret = gss_init_sec_context(
+		&minor, GSS_C_NO_CREDENTIAL, (gss_ctx_id_t *)gssctx, gname,
+		GSS_SPNEGO_MECHANISM, flags, 0, NULL, gintokenp, NULL,
+		&gouttoken, &ret_flags, NULL);
 	if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
 		gss_err_message(mctx, gret, minor, err_message);
@@ -653,9 +653,9 @@ out:
 }
 isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 		     isc_region_t *intoken, isc_buffer_t **outtoken,
-		     gss_ctx_id_t *ctxout, dns_name_t *principal,
+		     dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
 		     isc_mem_t *mctx) {
 	isc_region_t r;
 	isc_buffer_t namebuf;
@@ -809,7 +809,7 @@ out:
 }
 isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx) {
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx) {
 	OM_uint32 gret, minor;
 	char buf[1024];
@@ -818,7 +818,8 @@ dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx) {
 	REQUIRE(gssctx != NULL && *gssctx != NULL);
 	/* Delete the context from the GSS provider */
-	gret = gss_delete_sec_context(&minor, gssctx, GSS_C_NO_BUFFER);
+	gret = gss_delete_sec_context(&minor, (gss_ctx_id_t *)gssctx,
+				      GSS_C_NO_BUFFER);
 	if (gret != GSS_S_COMPLETE) {
 		/* Log the error, but still free the context's memory */
 		gss_log(3, "Failure deleting security context %s",
@@ -859,7 +860,7 @@ gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen) {
 isc_result_t
 dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
-		       gss_cred_id_t *cred) {
+		       dns_gss_cred_id_t *cred) {
 	REQUIRE(cred != NULL && *cred == NULL);
 	UNUSED(name);
@@ -894,7 +895,7 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 }
 isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred) {
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred) {
 	UNUSED(cred);
 	return (ISC_R_NOTIMPLEMENTED);
@@ -902,7 +903,7 @@ dst_gssapi_releasecred(gss_cred_id_t *cred) {
 isc_result_t
 dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
-		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+		   isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
 		   isc_mem_t *mctx, char **err_message) {
 	UNUSED(name);
 	UNUSED(intoken);
@@ -915,9 +916,9 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
 }
 isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 		     isc_region_t *intoken, isc_buffer_t **outtoken,
-		     gss_ctx_id_t *ctxout, dns_name_t *principal,
+		     dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
 		     isc_mem_t *mctx) {
 	UNUSED(cred);
 	UNUSED(gssapi_keytab);
@@ -931,7 +932,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
 }
 isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx) {
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx) {
 	UNUSED(mctx);
 	UNUSED(gssctx);
 	return (ISC_R_NOTIMPLEMENTED);
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 992479b885..6170d37338 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -34,11 +34,11 @@ ISC_LANG_BEGINDECLS
 #define DNS_TKEYMODE_DELETE 5
 struct dns_tkeyctx {
-	dst_key_t * dhkey;
-	dns_name_t * domain;
-	gss_cred_id_t gsscred;
-	isc_mem_t * mctx;
-	char * gssapi_keytab;
+	dst_key_t * dhkey;
+	dns_name_t * domain;
+	dns_gss_cred_id_t gsscred;
+	isc_mem_t * mctx;
+	char * gssapi_keytab;
 };
 isc_result_t
@@ -117,7 +117,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
 isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
 		       const dns_name_t *gname, isc_buffer_t *intoken,
-		       uint32_t lifetime, gss_ctx_id_t *context, bool win2k,
+		       uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
 		       isc_mem_t *mctx, char **err_message);
 /*%<
  * Builds a query containing a TKEY that will generate a GSSAPI context.
@@ -180,7 +180,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			    const dns_name_t *gname, gss_ctx_id_t *context,
+			    const dns_name_t *gname, dns_gss_ctx_id_t *context,
 			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
 			    dns_tsig_keyring_t *ring, char **err_message);
 /*%<
@@ -208,7 +208,7 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 isc_result_t
 dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
-		      const dns_name_t *server, gss_ctx_id_t *context,
+		      const dns_name_t *server, dns_gss_ctx_id_t *context,
 		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
 		      bool win2k, char **err_message);
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 010bc99a39..f219aa8e31 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -563,7 +563,7 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
  *\li If successful, key will contain a valid private key.
  */
-gss_ctx_id_t
+dns_gss_ctx_id_t
 dst_key_getgssctx(const dst_key_t *key);
 /*%<
  * Returns the opaque key data.
@@ -577,8 +577,8 @@ dst_key_getgssctx(const dst_key_t *key);
  */
 isc_result_t
-dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
-		   dst_key_t **keyp, isc_region_t *intoken);
+dst_key_fromgssapi(const dns_name_t *name, dns_gss_ctx_id_t gssctx,
+		   isc_mem_t *mctx, dst_key_t **keyp, isc_region_t *intoken);
 /*%<
  * Converts a GSSAPI opaque context id into a DST key.
  *
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h
index e90d20330a..8ae8168ee2 100644
--- a/lib/dns/include/dst/gssapi.h
+++ b/lib/dns/include/dst/gssapi.h
@@ -9,20 +9,13 @@
  * information regarding copyright ownership.
  */
-#ifndef DST_GSSAPI_H
-#define DST_GSSAPI_H 1
+#pragma once
 /*! \file dst/gssapi.h */
 #include
 #include
-#if HAVE_GSSAPI_GSSAPI_H
-#include
-#elif HAVE_GSSAPI_H
-#include
-#endif
-
 #include
 #include
 #include
@@ -30,16 +23,8 @@
 #include
-/*
- * Define dummy opaque typedefs if we are not using GSSAPI
- *
- * FIXME: Make the gssapi types completely opaque and include only
- * internally.
- */
-#if !HAVE_GSSAPI
-typedef void *gss_cred_id_t;
-typedef void *gss_ctx_id_t;
-#endif
+typedef void *dns_gss_cred_id_t;
+typedef void *dns_gss_ctx_id_t;
 ISC_LANG_BEGINDECLS
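Review bot: Both new typedefs in the gssapi.h hunk at -30 are `void *`, so `dns_gss_cred_id_t` and `dns_gss_ctx_id_t` are interchangeable with each other and implicitly convertible from any object pointer; passing a credential handle where a context handle is expected (or an unrelated pointer) now compiles silently, whereas the real `gss_cred_id_t`/`gss_ctx_id_t` were distinct struct pointers whenever HAVE_GSSAPI was set. Distinct incomplete-struct pointers keep the handles opaque without giving up the type check: `typedef struct dns_gss_cred_id *dns_gss_cred_id_t;` and `typedef struct dns_gss_ctx_id *dns_gss_ctx_id_t;`. The explicit `(gss_ctx_id_t *)`/`(gss_cred_id_t *)` casts this commit adds in gssapi_link.c and gssapictx.c would still compile, while any remaining implicit assignment between a real GSS handle and the new types would then need a deliberate cast, which is the point. `NULL` initialisations such as `dns_gss_ctx_id_t gss_ctx = NULL;` in tkey.c are unaffected.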
@@ -53,13 +38,13 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
-		       gss_cred_id_t *cred);
+		       dns_gss_cred_id_t *cred);
 /*
  * Acquires GSS credentials.
  *
  * Requires:
- *	'name' is a valid name, preferably one known by the GSS provider
- *	'initiate' indicates whether the credentials are for initiating or
+ *	'name' is a valid name, preferably one known by the GSS provider
+ *	'initiate' indicates whether the credentials are for initiating or
  *		accepting contexts
  *	'cred' is a pointer to NULL, which will be allocated with the
  *		credential handle. Call dst_gssapi_releasecred to free
@@ -72,63 +57,63 @@ dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
  */
 isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred);
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred);
 /*
  * Releases GSS credentials. Calling this function does release the
- * memory allocated for the credential in dst_gssapi_acquirecred()
+ * memory allocated for the credential in dst_gssapi_acquirecred()
  *
  * Requires:
  *	'mctx' is a valid memory context
  *	'cred' is a pointer to the credential to be released
  *
  * Returns:
- *	ISC_R_SUCCESS	credential was released successfully
+ *	ISC_R_SUCCESS	credential was released successfully
  *	other		an error occurred while releaseing
  *			the credential
  */
 isc_result_t
 dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
-		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+		   isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
 		   isc_mem_t *mctx, char **err_message);
 /*
  * Initiates a GSS context.
  *
  * Requires:
- *	'name' is a valid name, preferably one known by the GSS
- *		provider
- *	'intoken' is a token received from the acceptor, or NULL if
+ *	'name' is a valid name, preferably one known by the GSS
+ *		provider
+ *	'intoken' is a token received from the acceptor, or NULL if
  *		there isn't one
- *	'outtoken' is a buffer to receive the token generated by
+ *	'outtoken' is a buffer to receive the token generated by
  *		gss_init_sec_context() to be sent to the acceptor
- *	'context' is a pointer to a valid gss_ctx_id_t
- *		(which may have the value GSS_C_NO_CONTEXT)
+ *	'context' is a pointer to a valid dns_gss_ctx_id_t
+ *		(which may have the value DNS_GSS_C_NO_CONTEXT)
  *
  * Returns:
  *	ISC_R_SUCCESS	msg was successfully updated to include the
-			query to be sent
+ *			query to be sent
  *	other		an error occurred while building the message
  *	*err_message	optional error message
  */
 isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 		     isc_region_t *intoken, isc_buffer_t **outtoken,
-		     gss_ctx_id_t *context, dns_name_t *principal,
+		     dns_gss_ctx_id_t *context, dns_name_t *principal,
 		     isc_mem_t *mctx);
 /*
  * Accepts a GSS context.
  *
  * Requires:
- *	'mctx' is a valid memory context
+ *	'mctx' is a valid memory context
  *	'cred' is the acceptor's valid GSS credential handle
- *	'intoken' is a token received from the initiator
- *	'outtoken' is a pointer a buffer pointer used to return the token
+ *	'intoken' is a token received from the initiator
+ *	'outtoken' is a pointer a buffer pointer used to return the token
  *		generated by gss_accept_sec_context() to be sent to the
  *		initiator
  *	'context' is a valid pointer to receive the generated context handle.
  *		On the initial call, it should be a pointer to NULL, which
- *		will be allocated as a gss_ctx_id_t. Subsequent calls
+ *		will be allocated as a dns_gss_ctx_id_t. Subsequent calls
  *		should pass in the handle generated on the first call.
  *		Call dst_gssapi_releasecred to delete the context and free
  *		the memory.
@@ -138,16 +123,16 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
  *
  * Returns:
  *	ISC_R_SUCCESS	msg was successfully updated to include the
- *			query to be sent
+ *			query to be sent
  *	DNS_R_CONTINUE	transaction still in progress
- *	other		an error occurred while building the message
+ *	other		an error occurred while building the message
  */
 isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx);
 /*
  * Destroys a GSS context. This function deletes the context from the GSS
- * provider and then frees the memory used by the context pointer.
+ * provider and then frees the memory used by the context pointer.
  *
  * Requires:
  *	'mctx' is a valid memory context
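Review bot: The updated comment on dst_gssapi_initctx says the context `(which may have the value DNS_GSS_C_NO_CONTEXT)`, but no `DNS_GSS_C_NO_CONTEXT` is defined in the gssapi.h hunks of this commit (the -30 hunk adds only the two typedefs), so a caller following the comment meets an undeclared identifier. Either define it next to the typedefs, `#define DNS_GSS_C_NO_CONTEXT ((dns_gss_ctx_id_t)0)`, or reword the comment to `(which may be NULL)`, since the handle is now a plain pointer and the rest of the commit initialises these handles with `NULL`. If the macro is introduced in another file of this commit, a one-line pointer to it in this header would still help readers of the public API.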
@@ -174,11 +159,11 @@ gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen);
  *
  * Requires:
  *	'major' is a GSS major status code
- *	'minor' is a GSS minor status code
+ *	'minor' is a GSS minor status code
  *
  * Returns:
  *	A string containing the text representation of the error codes.
- *	Users should copy the string if they wish to keep it.
+ *	Users should copy the string if they wish to keep it.
  */
 bool
@@ -204,5 +189,3 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
  */
 ISC_LANG_ENDDECLS
-
-#endif /* DST_GSSAPI_H */
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index fc5866891c..b807e4312c 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -14,13 +14,11 @@
 #include
 #include
-#if HAVE_GSSAPI
 #if HAVE_GSSAPI_GSSAPI_H
 #include
 #elif HAVE_GSSAPI_H
 #include
 #endif
-#endif /* HAVE_GSSAPI */
 #include
 #include
@@ -515,7 +513,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 	isc_stdtime_t now;
 	isc_region_t intoken;
 	isc_buffer_t *outtoken = NULL;
-	gss_ctx_id_t gss_ctx = NULL;
+	dns_gss_ctx_id_t gss_ctx = NULL;
 	/*
 	 * You have to define either a gss credential (principal) to
@@ -1117,7 +1115,7 @@ failure:
 isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
 		       const dns_name_t *gname, isc_buffer_t *intoken,
-		       uint32_t lifetime, gss_ctx_id_t *context, bool win2k,
+		       uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
 		       isc_mem_t *mctx, char **err_message) {
 	dns_rdata_tkey_t tkey;
 	isc_result_t result;
@@ -1350,7 +1348,7 @@ failure:
 isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			    const dns_name_t *gname, gss_ctx_id_t *context,
+			    const dns_name_t *gname, dns_gss_ctx_id_t *context,
 			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
 			    dns_tsig_keyring_t *ring, char **err_message) {
 	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
@@ -1487,7 +1485,7 @@ failure:
 isc_result_t
 dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
-		      const dns_name_t *server, gss_ctx_id_t *context,
+		      const dns_name_t *server, dns_gss_ctx_id_t *context,
 		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
 		      bool win2k, char **err_message) {
 	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;