Diffstat (limited to 'src/lib/gssapi/krb5/gssapiP_krb5.h')
-rw-r--r--src/lib/gssapi/krb5/gssapiP_krb5.h77
1 files changed, 56 insertions, 21 deletions
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 11b7c50..bcbde38 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -68,8 +68,17 @@
((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)))
+#define KG2_TOK_INITIAL 0x0101
+#define KG2_TOK_RESPONSE 0x0202
+#define KG2_TOK_MIC 0x0303
+#define KG2_TOK_WRAP_INTEG 0x0404
+#define KG2_TOK_WRAP_PRIV 0x0505
+
#define KRB5_GSS_FOR_CREDS_OPTION 1
+#define KG2_RESP_FLAG_ERROR 0x0001
+#define KG2_RESP_FLAG_DELEG_OK 0x0002
+
/** internal types **/
typedef krb5_principal krb5_gss_name_t;
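Review bot: The new KG2_TOK_* and KG2_RESP_FLAG_* macros carry no comment saying what they encode, and they are interleaved with the unrelated KRB5_GSS_FOR_CREDS_OPTION; the two groups also have different shapes (the TOK values are identifiers, the RESP_FLAG values are single bits meant to be OR-ed), which a reader cannot tell from the names. Presumably these are the token-type identifiers and response flags of the new v2 token format that kg2_parse_token returns through its `flags` parameter; if so, a one-line comment above each group would make that explicit, e.g. `/* gsskrb5 v2 token type identifiers (first two bytes after the mech header) */` above KG2_TOK_INITIAL and `/* bit flags carried in a KG2_TOK_RESPONSE token */` above KG2_RESP_FLAG_ERROR, adjusting the wording to the actual wire layout. Moving the KG2_RESP_FLAG_* block next to the KG2_TOK_* block would also keep the v2 constants together.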
@@ -78,25 +87,19 @@ typedef struct _krb5_gss_cred_id_rec {
/* name/type of credential */
gss_cred_usage_t usage;
krb5_principal princ; /* this is not interned as a gss_name_t */
- const gss_OID_set_desc *actual_mechs;
- int prerfc_mech; /* these are a cache of the set above */
+ int prerfc_mech;
int rfc_mech;
+ int rfcv2_mech;
/* keytab (accept) data */
krb5_keytab keytab;
+ krb5_rcache rcache;
/* ccache (init) data */
krb5_ccache ccache;
krb5_timestamp tgt_expire;
- krb5_rcache rcache;
} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
-typedef struct _krb5_gss_enc_desc {
- int processed;
- krb5_keyblock *key;
- krb5_encrypt_block eblock;
-} krb5_gss_enc_desc;
-
typedef struct _krb5_gss_ctx_id_rec {
int initiate; /* nonzero if initiating, zero if accepting */
OM_uint32 gss_flags;
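Review bot: Removing `actual_mechs` also removes the only comment that explained `prerfc_mech` and `rfc_mech` ("these are a cache of the set above"), so after this hunk the three `int` fields `prerfc_mech`, `rfc_mech` and the new `rfcv2_mech` are undocumented, and nothing says whether they are booleans or something else. They look like per-mechanism flags recording which OID variants the credential may be used with; if that is right, a comment such as `/* nonzero if this cred may be used with the pre-RFC, RFC 1964, or v2 mech OID respectively */` above `prerfc_mech` would restore what was lost. Note that `rcache` has been moved up into the "keytab (accept) data" group; that reads correctly, but the struct `_krb5_gss_cred_id_rec` begins before this hunk, so the fields above `usage` were not reviewed.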
@@ -108,21 +111,35 @@ typedef struct _krb5_gss_ctx_id_rec {
int signalg;
int cksum_size;
int sealalg;
- krb5_gss_enc_desc enc;
- krb5_gss_enc_desc seq;
+ krb5_keyblock *enc;
+ krb5_keyblock *seq;
krb5_timestamp endtime;
krb5_flags krb_flags;
- krb5_int32 seq_send;
- krb5_int32 seq_recv;
+ /* XXX these used to be signed. the old spec is inspecific, and
+ the new spec specifies unsigned. I don't believe that the change
+ affects the wire encoding. */
+ krb5_ui_4 seq_send;
+ krb5_ui_4 seq_recv;
void *seqstate;
int established;
int big_endian;
krb5_auth_context auth_context;
gss_OID_desc *mech_used;
+ int gsskrb5_version;
+ int nctypes;
+ krb5_cksumtype *ctypes;
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
extern void *kg_vdb;
+struct kg2_option {
+ int option_id; /* set by caller */
+ int length; /* filled in by parser */
+ unsigned char *data; /* filled in by parser. points inside
+ passed-in token, so nothing needs to
+ be freed */
+};
+
/* helper macros */
#define kg_save_name(name) g_save_name(&kg_vdb,name)
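Review bot: `seq_send` and `seq_recv` become `krb5_ui_4` here, but `kg_make_seq_num` still takes `krb5_int32 seqnum` and `kg_get_seq_num` still returns through `krb5_int32 *seqnum` (lines in the next hunk), so every caller now converts between unsigned and signed 32-bit values; when the sequence number has its high bit set the unsigned-to-signed conversion is implementation-defined, which is exactly the case the XXX comment is worried about. Either change those two prototypes to `krb5_ui_4 seqnum` and `krb5_ui_4 *seqnum`, or extend the XXX comment to say why the prototypes deliberately stay signed. Separately, `enc` and `seq` change from embedded `krb5_gss_enc_desc` values to bare `krb5_keyblock *` pointers with no note on ownership; a comment such as `/* owned by the context; freed on context deletion */` (or whatever the implementation does) would tell the reader who frees them. The struct `_krb5_gss_ctx_id_rec` starts before this hunk.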
@@ -151,12 +168,12 @@ krb5_error_code kg_checksum_channel_bindings
int bigend));
krb5_error_code kg_make_seq_num PROTOTYPE((krb5_context context,
- krb5_gss_enc_desc *ed,
+ krb5_keyblock *key,
int direction, krb5_int32 seqnum, unsigned char *cksum,
unsigned char *buf));
krb5_error_code kg_get_seq_num PROTOTYPE((krb5_context context,
- krb5_gss_enc_desc *ed,
+ krb5_keyblock *key,
unsigned char *cksum, unsigned char *buf, int *direction,
krb5_int32 *seqnum));
@@ -164,19 +181,20 @@ krb5_error_code kg_make_seed PROTOTYPE((krb5_context context,
krb5_keyblock *key,
unsigned char *seed));
-int kg_confounder_size PROTOTYPE((krb5_gss_enc_desc *ed));
+int kg_confounder_size PROTOTYPE((krb5_context context, krb5_keyblock *key));
-krb5_error_code kg_make_confounder PROTOTYPE((krb5_gss_enc_desc *ed,
- unsigned char *buf));
+krb5_error_code kg_make_confounder PROTOTYPE((krb5_context context,
+ krb5_keyblock *key, unsigned char *buf));
-int kg_encrypt_size PROTOTYPE((krb5_gss_enc_desc *ed, int n));
+int kg_encrypt_size PROTOTYPE((krb5_context context,
+ krb5_keyblock *key, int n));
krb5_error_code kg_encrypt PROTOTYPE((krb5_context context,
- krb5_gss_enc_desc *ed,
+ krb5_keyblock *key,
krb5_pointer iv, krb5_pointer in, krb5_pointer out, int length));
krb5_error_code kg_decrypt PROTOTYPE((krb5_context context,
- krb5_gss_enc_desc *ed,
+ krb5_keyblock *key,
krb5_pointer iv, krb5_pointer in, krb5_pointer out, int length));
OM_uint32 kg_seal PROTOTYPE((krb5_context context,
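Review bot: `kg_confounder_size` and `kg_encrypt_size` now take a `krb5_context` and a `krb5_keyblock *` instead of a pre-processed `krb5_gss_enc_desc`, which suggests they look up the key's enctype properties at call time, yet both still return a plain `int` with no documented way to report that the lookup failed (unlike `kg_make_confounder`, which returns a `krb5_error_code`). The header should state the failure convention, e.g. `/* returns the block/confounder size for key's enctype, or -1 if the enctype is unknown */`, or the functions should follow `kg_make_confounder` and return `krb5_error_code` with the size as an out parameter so callers cannot silently use a bogus size. The `int n` and `int length` size parameters on `kg_encrypt_size`, `kg_encrypt` and `kg_decrypt` are pre-existing, but since these signatures are being rewritten anyway it would be worth documenting that negative values are invalid.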
@@ -223,6 +241,23 @@ krb5_error_code kg_ctx_internalize PROTOTYPE((krb5_context kcontext,
OM_uint32 kg_get_context PROTOTYPE((OM_uint32 *minor_status,
krb5_context *context));
+OM_uint32
+kg2_parse_token PROTOTYPE((OM_uint32 *minor_status,
+ unsigned char *ptr,
+ int length,
+ krb5_ui_4 *flags,
+ int *nctypes, /* OUT */
+ krb5_cksumtype **ctypes, /* OUT */
+ int noptions,
+ struct kg2_option *options, /* INOUT */
+ krb5_data *kmsg,
+ krb5_data *mic));
+
+void kg2_intersect_ctypes PROTOTYPE((int *nc1,
+ krb5_cksumtype *c1,
+ int nc2,
+ const krb5_cksumtype *c2));
+
/** declarations of internal name mechanism functions **/
OM_uint32 krb5_gss_acquire_cred
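Review bot: `kg2_parse_token` returns `ctypes` through a `krb5_cksumtype **`, which implies the parser allocates the array, but unlike the `kg2_option.data` comment in the earlier hunk nothing says whether the caller must free `*ctypes` (and with what), or whether it too points into the token. The same applies to `kmsg` and `mic`: the header should say whether their `data` pointers alias the input token or are copies. A contract comment above the prototype along the lines of `/* On success *ctypes is allocated by the parser and must be freed by the caller; kmsg->data and mic->data point into ptr and share its lifetime. */` (corrected to match the implementation) would settle both questions. `kg2_intersect_ctypes` modifies `*nc1` and presumably `c1` in place, so `nc1`/`c1` deserve the same `/* INOUT */` marker the options parameter has, and `int length` on `kg2_parse_token` should document that a negative length is rejected, since this is the entry point that consumes peer-supplied bytes.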