diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 4af130ab42..d96071a49f 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -77,8 +77,14 @@
 #ifdef GSSAPI
 #include
 #ifdef WIN32
+#include
+#include
 #include
 #else /* ifdef WIN32 */
+#include ISC_PLATFORM_GSSAPIHEADER
+#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#endif /* ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER */
 #include ISC_PLATFORM_KRB5HEADER
 #endif /* ifdef WIN32 */
 #endif /* ifdef GSSAPI */
@@ -214,7 +220,7 @@ static dns_name_t *keyname;
 typedef struct nsu_gssinfo {
 dns_message_t *msg;
 isc_sockaddr_t *addr;
- gss_ctx_id_t context;
+ dns_gss_ctx_id_t context;
 } nsu_gssinfo_t;
 static void
@@ -223,7 +229,7 @@ static void
 start_gssrequest(dns_name_t *master);
 static void
 send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
- dns_request_t **request, gss_ctx_id_t context);
+ dns_request_t **request, dns_gss_ctx_id_t context);
 static void
 recvgss(isc_task_t *task, isc_event_t *event);
 #endif /* GSSAPI */
@@ -2916,7 +2922,7 @@ failed_gssrequest() {
 static void
 start_gssrequest(dns_name_t *master) {
- gss_ctx_id_t context;
+ dns_gss_ctx_id_t context;
 isc_buffer_t buf;
 isc_result_t result;
 uint32_t val = 0;
@@ -3019,7 +3025,7 @@ failure:
 static void
 send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
- dns_request_t **request, gss_ctx_id_t context) {
+ dns_request_t **request, dns_gss_ctx_id_t context) {
 isc_result_t result;
 nsu_gssinfo_t *reqinfo;
 unsigned int options = 0;
@@ -3061,7 +3067,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 nsu_gssinfo_t *reqinfo;
 dns_message_t *tsigquery = NULL;
 isc_sockaddr_t *addr;
- gss_ctx_id_t context;
+ dns_gss_ctx_id_t context;
 isc_buffer_t buf;
 dns_name_t *servname;
 dns_fixedname_t fname;
diff --git a/bin/tests/optional/gsstest.c b/bin/tests/optional/gsstest.c
index ef3aedacad..13aeab040c 100644
--- a/bin/tests/optional/gsstest.c
+++ b/bin/tests/optional/gsstest.c
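Review bot: In the start_gssrequest hunk the new `dns_gss_ctx_id_t context;` is declared without an initializer, and because the type is now a bare `void *`, any path that reaches dst_gssapi_initctx() before an assignment would hand the provider an indeterminate handle instead of failing to compile as the old typed handle might have. I would initialize at the declaration, `dns_gss_ctx_id_t context = GSS_C_NO_CONTEXT;`; GSS_C_NO_CONTEXT stays visible here because the first hunk now includes ISC_PLATFORM_GSSAPIHEADER directly in this file. The function body continues outside the hunk, so if an assignment already happens before first use this is only a belt-and-braces change.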
@@ -64,8 +64,8 @@ static isc_sockaddr_t address;
 static dns_tsig_keyring_t *ring;
 static dns_tsigkey_t *tsigkey = NULL;
-static gss_ctx_id_t gssctx;
-static gss_ctx_id_t *gssctxp = &gssctx;
+static dns_gss_ctx_id_t gssctx;
+static dns_gss_ctx_id_t *gssctxp = &gssctx;
 #define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 8bd0605e83..5634b81ee1 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -846,7 +846,7 @@ out:
 return (result);
 }
-gss_ctx_id_t
+dns_gss_ctx_id_t
 dst_key_getgssctx(const dst_key_t *key) {
 REQUIRE(key != NULL);
@@ -854,8 +854,8 @@ dst_key_getgssctx(const dst_key_t *key) {
 }
 isc_result_t
-dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
- dst_key_t **keyp, isc_region_t *intoken) {
+dst_key_fromgssapi(const dns_name_t *name, dns_gss_ctx_id_t gssctx,
+ isc_mem_t *mctx, dst_key_t **keyp, isc_region_t *intoken) {
 dst_key_t *key;
 isc_result_t result;
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 6252632851..f128629261 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -53,6 +53,24 @@
 #include
+#ifdef GSSAPI
+#ifdef WIN32
+/*
+ * MSVC does not like macros in #include lines.
+ */
+#include
+#include
+#else /* ifdef WIN32 */
+#include ISC_PLATFORM_GSSAPIHEADER
+#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#endif /* ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER */
+#endif /* ifdef WIN32 */
+#ifndef GSS_SPNEGO_MECHANISM
+#define GSS_SPNEGO_MECHANISM ((void *)0)
+#endif /* ifndef GSS_SPNEGO_MECHANISM */
+#endif /* ifdef GSSAPI */
 ISC_LANG_BEGINDECLS
 #define KEY_MAGIC ISC_MAGIC('D', 'S', 'T', 'K')
@@ -96,7 +114,7 @@ struct dst_key {
 char *label; /*%< engine label (HSM) */
 union {
 void *generic;
- gss_ctx_id_t gssctx;
+ dns_gss_ctx_id_t gssctx;
 DH *dh;
 #if USE_OPENSSL
 EVP_PKEY *pkey;
diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
index 06b55e3d81..d6fde4be09 100644
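Review bot: The `#define GSS_SPNEGO_MECHANISM ((void *)0)` fallback that this dst_internal.h hunk moves into the private header has no comment explaining its consequence: `(void *)0` is GSS_C_NO_OID, so on a GSSAPI build whose headers lack SPNEGO the gss_init_sec_context() call in gssapictx.c will negotiate the library's default mechanism instead of SPNEGO, a silent protocol change rather than a build failure. I would add above the `#ifndef`: `/* No SPNEGO OID in this GSSAPI: fall back to GSS_C_NO_OID, i.e. the provider's default mechanism, instead of failing to build. */`. Since the same block is removed from the installed dst/gssapi.h in this diff, any file that still uses raw gss_* types or this macro must now include the GSSAPI headers itself; nsupdate.c does in its first hunk, while gsstest.c's includes are outside this diff and worth checking.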
--- a/lib/dns/gssapi_link.c
+++ b/lib/dns/gssapi_link.c
@@ -279,7 +279,7 @@ gssapi_restore(dst_key_t *key, const char *keystr) {
 isc_buffer_remainingregion(b, &r);
 REGION_TO_GBUFFER(r, gssbuffer);
 major = gss_import_sec_context(&minor, &gssbuffer,
- &key->keydata.gssctx);
+ (gss_ctx_id_t *)&key->keydata.gssctx);
 if (major != GSS_S_COMPLETE) {
 isc_buffer_free(&b);
 return (ISC_R_FAILURE);
@@ -299,8 +299,8 @@ gssapi_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
 isc_region_t r;
 isc_result_t result;
- major = gss_export_sec_context(&minor, &key->keydata.gssctx,
- &gssbuffer);
+ major = gss_export_sec_context(
+ &minor, (gss_ctx_id_t *)&key->keydata.gssctx, &gssbuffer);
 if (major != GSS_S_COMPLETE) {
 fprintf(stderr, "gss_export_sec_context -> %u, %u\n", major,
 minor);
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index 0b72c0b728..961ff964ee 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -133,7 +133,7 @@ name_to_gbuffer(const dns_name_t *name, isc_buffer_t *buffer,
 }
 static void
-log_cred(const gss_cred_id_t cred) {
+log_cred(const dns_gss_cred_id_t cred) {
 OM_uint32 gret, minor, lifetime;
 gss_name_t gname;
 gss_buffer_desc gbuffer;
@@ -141,7 +141,8 @@ log_cred(const gss_cred_id_t cred) {
 const char *usage_text;
 char buf[1024];
- gret = gss_inquire_cred(&minor, cred, &gname, &lifetime, &usage, NULL);
+ gret = gss_inquire_cred(&minor, (gss_cred_id_t)cred, &gname, &lifetime,
+ &usage, NULL);
 if (gret != GSS_S_COMPLETE) {
 gss_log(3, "failed gss_inquire_cred: %s",
 gss_error_tostring(gret, minor, buf, sizeof(buf)));
@@ -247,7 +248,7 @@ check_config(const char *gss_name) {
 isc_result_t
 dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
- gss_cred_id_t *cred) {
+ dns_gss_cred_id_t *cred) {
 #ifdef GSSAPI
 isc_result_t result;
 isc_buffer_t namebuf;
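Review bot: In gssapi_restore the new `(gss_ctx_id_t *)&key->keydata.gssctx` makes gss_import_sec_context() store a `gss_ctx_id_t` through a pointer to a `void *` object, which is only well-defined where the two pointer types share a representation, and it discards the type check the old direct `&key->keydata.gssctx` gave. A local handle avoids the aliasing entirely and needs no cast: `gss_ctx_id_t ctx = key->keydata.gssctx;` / `major = gss_import_sec_context(&minor, &gssbuffer, &ctx);` / `key->keydata.gssctx = ctx;`. The same pattern fits the gss_export_sec_context() call in gssapi_dump in the next hunk, which passes the context through the same cast.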
@@ -302,7 +303,7 @@ dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
 }
 gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, &mech_oid_set,
- usage, cred, NULL, &lifetime);
+ usage, (gss_cred_id_t *)cred, NULL, &lifetime);
 if (gret != GSS_S_COMPLETE) {
 gss_log(3, "failed to acquire %s credentials for %s: %s",
@@ -519,14 +520,14 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 }
 isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred) {
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred) {
 #ifdef GSSAPI
 OM_uint32 gret, minor;
 char buf[1024];
 REQUIRE(cred != NULL && *cred != NULL);
- gret = gss_release_cred(&minor, cred);
+ gret = gss_release_cred(&minor, (gss_cred_id_t *)cred);
 if (gret != GSS_S_COMPLETE) {
 /* Log the error, but still free the credential's memory */
 gss_log(3, "failed releasing credential: %s",
@@ -568,7 +569,7 @@ gss_err_message(isc_mem_t *mctx, uint32_t major, uint32_t minor,
 isc_result_t
 dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+ isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
 isc_mem_t *mctx, char **err_message) {
 #ifdef GSSAPI
 isc_region_t r;
@@ -609,10 +610,10 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
 */
 flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
- gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx, gname,
- GSS_SPNEGO_MECHANISM, flags, 0, NULL,
- gintokenp, NULL, &gouttoken, &ret_flags,
- NULL);
+ gret = gss_init_sec_context(
+ &minor, GSS_C_NO_CREDENTIAL, (gss_ctx_id_t *)gssctx, gname,
+ GSS_SPNEGO_MECHANISM, flags, 0, NULL, gintokenp, NULL,
+ &gouttoken, &ret_flags, NULL);
 if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
 gss_err_message(mctx, gret, minor, err_message);
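Review bot: The rewrapped gss_init_sec_context() call in dst_gssapi_initctx asks for GSS_C_MUTUAL_FLAG and GSS_C_INTEG_FLAG through `flags` and receives what the provider actually granted in `ret_flags`, yet nothing in this hunk compares the two before the context is treated as established; the success path continues outside the hunk, so this may be checked there. If it is not, a context negotiated without mutual authentication or integrity would be accepted silently, and a guard after the completion check such as `if (gret == GSS_S_COMPLETE && (ret_flags & (GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG)) != (GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG)) { gss_err_message(mctx, gret, minor, err_message); result = ISC_R_FAILURE; goto out; }` would close it. The `(gss_ctx_id_t *)gssctx` cast rests on the same pointer-representation assumption as the other casts this change introduces and is better done through a local `gss_ctx_id_t` copied back on return.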
@@ -665,9 +666,9 @@ out:
 }
 isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 isc_region_t *intoken, isc_buffer_t **outtoken,
- gss_ctx_id_t *ctxout, dns_name_t *principal,
+ dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
 isc_mem_t *mctx) {
 #ifdef GSSAPI
 isc_region_t r;
@@ -833,7 +834,7 @@ out:
 }
 isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx) {
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx) {
 #ifdef GSSAPI
 OM_uint32 gret, minor;
 char buf[1024];
@@ -843,7 +844,8 @@ dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx) {
 REQUIRE(gssctx != NULL && *gssctx != NULL);
 /* Delete the context from the GSS provider */
- gret = gss_delete_sec_context(&minor, gssctx, GSS_C_NO_BUFFER);
+ gret = gss_delete_sec_context(&minor, (gss_ctx_id_t *)gssctx,
+ GSS_C_NO_BUFFER);
 if (gret != GSS_S_COMPLETE) {
 /* Log the error, but still free the context's memory */
 gss_log(3, "Failure deleting security context %s",
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 992479b885..6170d37338 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -34,11 +34,11 @@ ISC_LANG_BEGINDECLS
 #define DNS_TKEYMODE_DELETE 5
 struct dns_tkeyctx {
- dst_key_t * dhkey;
- dns_name_t * domain;
- gss_cred_id_t gsscred;
- isc_mem_t * mctx;
- char * gssapi_keytab;
+ dst_key_t * dhkey;
+ dns_name_t * domain;
+ dns_gss_cred_id_t gsscred;
+ isc_mem_t * mctx;
+ char * gssapi_keytab;
 };
 isc_result_t
@@ -117,7 +117,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
 isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
 const dns_name_t *gname, isc_buffer_t *intoken,
- uint32_t lifetime, gss_ctx_id_t *context, bool win2k,
+ uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
 isc_mem_t *mctx, char **err_message);
 /*%<
 * Builds a query containing a TKEY that will generate a GSSAPI context.
@@ -180,7 +180,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *gname, gss_ctx_id_t *context,
+ const dns_name_t *gname, dns_gss_ctx_id_t *context,
 isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
 dns_tsig_keyring_t *ring, char **err_message);
 /*%<
@@ -208,7 +208,7 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 isc_result_t
 dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *server, gss_ctx_id_t *context,
+ const dns_name_t *server, dns_gss_ctx_id_t *context,
 dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
 bool win2k, char **err_message);
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 010bc99a39..f219aa8e31 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -563,7 +563,7 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
 *\li If successful, key will contain a valid private key.
 */
-gss_ctx_id_t
+dns_gss_ctx_id_t
 dst_key_getgssctx(const dst_key_t *key);
 /*%<
 * Returns the opaque key data.
@@ -577,8 +577,8 @@ dst_key_getgssctx(const dst_key_t *key);
 */
 isc_result_t
-dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
- dst_key_t **keyp, isc_region_t *intoken);
+dst_key_fromgssapi(const dns_name_t *name, dns_gss_ctx_id_t gssctx,
+ isc_mem_t *mctx, dst_key_t **keyp, isc_region_t *intoken);
 /*%<
 * Converts a GSSAPI opaque context id into a DST key.
 *
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h
index 93d09d37fd..10f8467aef 100644
--- a/lib/dns/include/dst/gssapi.h
+++ b/lib/dns/include/dst/gssapi.h
@@ -24,23 +24,8 @@
 #include
-#ifdef GSSAPI
-#ifdef WIN32
-/*
- * MSVC does not like macros in #include lines.
- */
-#include
-#include
-#else /* ifdef WIN32 */
-#include ISC_PLATFORM_GSSAPIHEADER
-#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
-#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
-#endif /* ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER */
-#endif /* ifdef WIN32 */
-#ifndef GSS_SPNEGO_MECHANISM
-#define GSS_SPNEGO_MECHANISM ((void *)0)
-#endif /* ifndef GSS_SPNEGO_MECHANISM */
-#endif /* ifdef GSSAPI */
+typedef void *dns_gss_cred_id_t;
+typedef void *dns_gss_ctx_id_t;
 ISC_LANG_BEGINDECLS
@@ -54,7 +39,7 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
- gss_cred_id_t *cred);
+ dns_gss_cred_id_t *cred);
 /*
 * Acquires GSS credentials.
 *
@@ -73,7 +58,7 @@ dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
 */
 isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred);
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred);
 /*
 * Releases GSS credentials. Calling this function does release the
 * memory allocated for the credential in dst_gssapi_acquirecred()
@@ -90,7 +75,7 @@ dst_gssapi_releasecred(gss_cred_id_t *cred);
 isc_result_t
 dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+ isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
 isc_mem_t *mctx, char **err_message);
 /*
 * Initiates a GSS context.
@@ -102,7 +87,7 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
 * there isn't one
 * 'outtoken' is a buffer to receive the token generated by
 * gss_init_sec_context() to be sent to the acceptor
- * 'context' is a pointer to a valid gss_ctx_id_t
+ * 'context' is a pointer to a valid dns_gss_ctx_id_t
 * (which may have the value GSS_C_NO_CONTEXT)
 *
 * Returns:
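Review bot: `typedef void *dns_gss_cred_id_t;` and `typedef void *dns_gss_ctx_id_t;` make a credential handle and a security-context handle the same C type, so passing a cred where a ctx is expected (or the reverse) now compiles cleanly anywhere these prototypes are used, whereas the gss_cred_id_t/gss_ctx_id_t they replace caught that at compile time. Distinct incomplete-struct pointers keep this header free of GSSAPI includes and keep the two handles apart: `typedef struct dns_gss_cred_id *dns_gss_cred_id_t;` / `typedef struct dns_gss_ctx_id *dns_gss_ctx_id_t;`; the `(gss_ctx_id_t *)` casts in gssapictx.c and gssapi_link.c compile unchanged, though callers that assign GSS_C_NO_CONTEXT rather than NULL would then need a cast or a `DNS_GSS_NO_CONTEXT` macro defined here. Whichever representation is kept, the typedefs deserve a comment, since this header no longer exposes the GSS macros: `/* Opaque handles wrapping the provider's gss_cred_id_t / gss_ctx_id_t; NULL is the empty value (equivalent to GSS_C_NO_CREDENTIAL / GSS_C_NO_CONTEXT). */`.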
@@ -113,9 +98,9 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
 */
 isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 isc_region_t *intoken, isc_buffer_t **outtoken,
- gss_ctx_id_t *context, dns_name_t *principal,
+ dns_gss_ctx_id_t *context, dns_name_t *principal,
 isc_mem_t *mctx);
 /*
 * Accepts a GSS context.
@@ -129,7 +114,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
 * initiator
 * 'context' is a valid pointer to receive the generated context handle.
 * On the initial call, it should be a pointer to NULL, which
- * will be allocated as a gss_ctx_id_t. Subsequent calls
+ * will be allocated as a dns_gss_ctx_id_t. Subsequent calls
 * should pass in the handle generated on the first call.
 * Call dst_gssapi_releasecred to delete the context and free
 * the memory.
@@ -145,7 +130,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
 */
 isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx);
 /*
 * Destroys a GSS context. This function deletes the context from the GSS
 * provider and then frees the memory used by the context pointer.
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 4447c6b5f6..fdcdc4261e 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -507,7 +507,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 isc_stdtime_t now;
 isc_region_t intoken;
 isc_buffer_t *outtoken = NULL;
- gss_ctx_id_t gss_ctx = NULL;
+ dns_gss_ctx_id_t gss_ctx = NULL;
 /*
 * You have to define either a gss credential (principal) to
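Review bot: The comment line this hunk rewrites in the dst_gssapi_acceptctx block still says the handle "will be allocated as a dns_gss_ctx_id_t", which is misleading now that the typedef is a plain `void *` that merely receives the provider's handle, and two lines below it the same block still tells callers to "Call dst_gssapi_releasecred to delete the context", which is the credential function; dst_gssapi_deletectx, declared in the next hunk, is the one that frees a context. Since the commit touches this paragraph anyway, I would reword it to: `* On the initial call, it should point to NULL; on return it holds the provider's context handle. Subsequent calls should pass the same pointer. Call dst_gssapi_deletectx() to delete the context and free the memory.`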
@@ -1109,7 +1109,7 @@ failure:
 isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
 const dns_name_t *gname, isc_buffer_t *intoken,
- uint32_t lifetime, gss_ctx_id_t *context, bool win2k,
+ uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
 isc_mem_t *mctx, char **err_message) {
 dns_rdata_tkey_t tkey;
 isc_result_t result;
@@ -1342,7 +1342,7 @@ failure:
 isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *gname, gss_ctx_id_t *context,
+ const dns_name_t *gname, dns_gss_ctx_id_t *context,
 isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
 dns_tsig_keyring_t *ring, char **err_message) {
 dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
@@ -1479,7 +1479,7 @@ failure:
 isc_result_t
 dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *server, gss_ctx_id_t *context,
+ const dns_name_t *server, dns_gss_ctx_id_t *context,
 dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
 bool win2k, char **err_message) {
 dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;