authorDoug Rabson <dfr@FreeBSD.org>2005-12-29 14:40:22 +0000
committerDoug Rabson <dfr@FreeBSD.org>2005-12-29 14:40:22 +0000
commitc0b9f4fe659b6839541970eb5675e57f4d814969 (patch)
treef226da354a25653f837708c3ecef3468ea981824 /lib/libgssapi
parent66c6b326543894776c17486b5932438e9dd098c9 (diff)
Add a new extensible GSS-API layer which can support GSS-API plugins,
similar to the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
Notes
Notes: svn path=/head/; revision=153838
Diffstat (limited to 'lib/libgssapi')
-rw-r--r--lib/libgssapi/Makefile95
-rw-r--r--lib/libgssapi/context.h32
-rw-r--r--lib/libgssapi/cred.h43
-rw-r--r--lib/libgssapi/gss_accept_sec_context.3484
-rw-r--r--lib/libgssapi/gss_accept_sec_context.c221
-rw-r--r--lib/libgssapi/gss_acquire_cred.3238
-rw-r--r--lib/libgssapi/gss_acquire_cred.c166
-rw-r--r--lib/libgssapi/gss_add_cred.3338
-rw-r--r--lib/libgssapi/gss_add_cred.c178
-rw-r--r--lib/libgssapi/gss_add_oid_set_member.3130
-rw-r--r--lib/libgssapi/gss_add_oid_set_member.c77
-rw-r--r--lib/libgssapi/gss_canonicalize_name.3137
-rw-r--r--lib/libgssapi/gss_canonicalize_name.c91
-rw-r--r--lib/libgssapi/gss_compare_name.3122
-rw-r--r--lib/libgssapi/gss_compare_name.c76
-rw-r--r--lib/libgssapi/gss_context_time.3108
-rw-r--r--lib/libgssapi/gss_context_time.c43
-rw-r--r--lib/libgssapi/gss_create_empty_oid_set.3112
-rw-r--r--lib/libgssapi/gss_create_empty_oid_set.c53
-rw-r--r--lib/libgssapi/gss_delete_sec_context.3163
-rw-r--r--lib/libgssapi/gss_delete_sec_context.c62
-rw-r--r--lib/libgssapi/gss_display_name.3151
-rw-r--r--lib/libgssapi/gss_display_name.c78
-rw-r--r--lib/libgssapi/gss_display_status.3210
-rw-r--r--lib/libgssapi/gss_display_status.c110
-rw-r--r--lib/libgssapi/gss_duplicate_name.3123
-rw-r--r--lib/libgssapi/gss_duplicate_name.c78
-rw-r--r--lib/libgssapi/gss_export_name.3128
-rw-r--r--lib/libgssapi/gss_export_name.c58
-rw-r--r--lib/libgssapi/gss_export_sec_context.3168
-rw-r--r--lib/libgssapi/gss_export_sec_context.c77
-rw-r--r--lib/libgssapi/gss_get_mic.3165
-rw-r--r--lib/libgssapi/gss_get_mic.c46
-rw-r--r--lib/libgssapi/gss_import_name.3139
-rw-r--r--lib/libgssapi/gss_import_name.c219
-rw-r--r--lib/libgssapi/gss_import_sec_context.3120
-rw-r--r--lib/libgssapi/gss_import_sec_context.c86
-rw-r--r--lib/libgssapi/gss_indicate_mechs.3107
-rw-r--r--lib/libgssapi/gss_indicate_mechs.c60
-rw-r--r--lib/libgssapi/gss_init_sec_context.3571
-rw-r--r--lib/libgssapi/gss_init_sec_context.c129
-rw-r--r--lib/libgssapi/gss_inquire_context.3284
-rw-r--r--lib/libgssapi/gss_inquire_context.c88
-rw-r--r--lib/libgssapi/gss_inquire_cred.3158
-rw-r--r--lib/libgssapi/gss_inquire_cred.c167
-rw-r--r--lib/libgssapi/gss_inquire_cred_by_mech.3173
-rw-r--r--lib/libgssapi/gss_inquire_cred_by_mech.c82
-rw-r--r--lib/libgssapi/gss_inquire_mechs_for_name.3134
-rw-r--r--lib/libgssapi/gss_inquire_mechs_for_name.c77
-rw-r--r--lib/libgssapi/gss_inquire_names_for_mech.3107
-rw-r--r--lib/libgssapi/gss_inquire_names_for_mech.c74
-rw-r--r--lib/libgssapi/gss_krb5.c87
-rw-r--r--lib/libgssapi/gss_mech_switch.c301
-rw-r--r--lib/libgssapi/gss_names.c253
-rw-r--r--lib/libgssapi/gss_process_context_token.3136
-rw-r--r--lib/libgssapi/gss_process_context_token.c44
-rw-r--r--lib/libgssapi/gss_release_buffer.3111
-rw-r--r--lib/libgssapi/gss_release_buffer.c43
-rw-r--r--lib/libgssapi/gss_release_cred.3108
-rw-r--r--lib/libgssapi/gss_release_cred.c56
-rw-r--r--lib/libgssapi/gss_release_name.3104
-rw-r--r--lib/libgssapi/gss_release_name.c59
-rw-r--r--lib/libgssapi/gss_release_oid_set.3109
-rw-r--r--lib/libgssapi/gss_release_oid_set.c46
-rw-r--r--lib/libgssapi/gss_seal.c45
-rw-r--r--lib/libgssapi/gss_sign.c41
-rw-r--r--lib/libgssapi/gss_test_oid_set_member.3116
-rw-r--r--lib/libgssapi/gss_test_oid_set_member.c56
-rw-r--r--lib/libgssapi/gss_unseal.c43
-rw-r--r--lib/libgssapi/gss_unwrap.3191
-rw-r--r--lib/libgssapi/gss_unwrap.c48
-rw-r--r--lib/libgssapi/gss_utils.c79
-rw-r--r--lib/libgssapi/gss_verify.c41
-rw-r--r--lib/libgssapi/gss_verify_mic.3172
-rw-r--r--lib/libgssapi/gss_verify_mic.c46
-rw-r--r--lib/libgssapi/gss_wrap.3178
-rw-r--r--lib/libgssapi/gss_wrap.c49
-rw-r--r--lib/libgssapi/gss_wrap_size_limit.3163
-rw-r--r--lib/libgssapi/gss_wrap_size_limit.c47
-rw-r--r--lib/libgssapi/gssapi.3261
-rw-r--r--lib/libgssapi/mech.594
-rw-r--r--lib/libgssapi/mech_switch.h327
-rw-r--r--lib/libgssapi/name.h48
-rw-r--r--lib/libgssapi/spnego.h34
-rw-r--r--lib/libgssapi/utils.h32
85 files changed, 10704 insertions, 0 deletions
diff --git a/lib/libgssapi/Makefile b/lib/libgssapi/Makefile
new file mode 100644
index 000000000000..5c274144a791
--- /dev/null
+++ b/lib/libgssapi/Makefile
@@ -0,0 +1,95 @@
+# $FreeBSD$
+
+LIB= gssapi
+SHLIB_MAJOR= 7
+
+SRCS=
+SRCS+= gss_utils.c
+SRCS+= gss_mech_switch.c
+SRCS+= gss_names.c
+SRCS+= gss_acquire_cred.c
+SRCS+= gss_release_cred.c
+SRCS+= gss_init_sec_context.c
+SRCS+= gss_accept_sec_context.c
+SRCS+= gss_process_context_token.c
+SRCS+= gss_delete_sec_context.c
+SRCS+= gss_context_time.c
+SRCS+= gss_get_mic.c
+SRCS+= gss_verify_mic.c
+SRCS+= gss_wrap.c
+SRCS+= gss_unwrap.c
+SRCS+= gss_display_status.c
+SRCS+= gss_indicate_mechs.c
+SRCS+= gss_compare_name.c
+SRCS+= gss_display_name.c
+SRCS+= gss_import_name.c
+SRCS+= gss_export_name.c
+SRCS+= gss_release_name.c
+SRCS+= gss_inquire_cred.c
+SRCS+= gss_inquire_context.c
+SRCS+= gss_wrap_size_limit.c
+SRCS+= gss_add_cred.c
+SRCS+= gss_inquire_cred_by_mech.c
+SRCS+= gss_export_sec_context.c
+SRCS+= gss_import_sec_context.c
+SRCS+= gss_inquire_names_for_mech.c
+SRCS+= gss_inquire_mechs_for_name.c
+SRCS+= gss_canonicalize_name.c
+SRCS+= gss_duplicate_name.c
+SRCS+= gss_sign.c
+SRCS+= gss_verify.c
+SRCS+= gss_seal.c
+SRCS+= gss_unseal.c
+SRCS+= gss_krb5.c
+SRCS+= gss_create_empty_oid_set.c
+SRCS+= gss_add_oid_set_member.c
+SRCS+= gss_test_oid_set_member.c
+SRCS+= gss_release_oid_set.c
+SRCS+= gss_release_buffer.c
+
+MAN=
+MAN+= gssapi.3
+MAN+= gss_accept_sec_context.3
+MAN+= gss_acquire_cred.3
+MAN+= gss_add_cred.3
+MAN+= gss_add_oid_set_member.3
+MAN+= gss_canonicalize_name.3
+MAN+= gss_compare_name.3
+MAN+= gss_context_time.3
+MAN+= gss_create_empty_oid_set.3
+MAN+= gss_delete_sec_context.3
+MAN+= gss_display_name.3
+MAN+= gss_display_status.3
+MAN+= gss_duplicate_name.3
+MAN+= gss_export_name.3
+MAN+= gss_export_sec_context.3
+MAN+= gss_get_mic.3
+MAN+= gss_import_name.3
+MAN+= gss_import_sec_context.3
+MAN+= gss_indicate_mechs.3
+MAN+= gss_init_sec_context.3
+MAN+= gss_inquire_context.3
+MAN+= gss_inquire_cred.3
+MAN+= gss_inquire_cred_by_mech.3
+MAN+= gss_inquire_mechs_for_name.3
+MAN+= gss_inquire_names_for_mech.3
+MAN+= gss_process_context_token.3
+MAN+= gss_release_buffer.3
+MAN+= gss_release_cred.3
+MAN+= gss_release_name.3
+MAN+= gss_release_oid_set.3
+MAN+= gss_test_oid_set_member.3
+MAN+= gss_unwrap.3
+MAN+= gss_verify_mic.3
+MAN+= gss_wrap.3
+MAN+= gss_wrap_size_limit.3
+MAN+= mech.5
+
+MLINKS=
+MLINKS+= gss_get_mic.3 gss_sign.3
+MLINKS+= gss_unwrap.3 gss_unseal.3
+MLINKS+= gss_verify_mic.3 gss_verify.3
+MLINKS+= gss_wrap.3 gss_seal.3
+MLINKS+= mech.5 qop.5
+
+.include <bsd.lib.mk>
diff --git a/lib/libgssapi/context.h b/lib/libgssapi/context.h
new file mode 100644
index 000000000000..403b3909ca9f
--- /dev/null
+++ b/lib/libgssapi/context.h
@@ -0,0 +1,32 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+struct _gss_context {
+ struct _gss_mech_switch *gc_mech;
+ gss_ctx_id_t gc_ctx;
+};
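Review bot: context.h has no include guard, and the same applies to cred.h in the next hunk, so a translation unit that pulls either header in twice (directly and via another private header) gets a duplicate definition of `struct _gss_context` / `struct _gss_cred`; wrap each in `#ifndef _GSS_CONTEXT_H_` / `#define _GSS_CONTEXT_H_` … `#endif` (name constructed, adjust to local convention). The header also relies on `struct _gss_mech_switch` and `gss_ctx_id_t` without declaring or including them, so it compiles only when included after `<gssapi/gssapi.h>` and mech_switch.h, as gss_accept_sec_context.c happens to do; a one-line `struct _gss_mech_switch;` forward declaration would make it self-contained. A short comment on the struct, e.g. `/* Per-context state: the mechanism that owns gc_ctx and the mechanism's own context handle. */`, would help readers who meet `_gss_context` through the `gss_ctx_id_t` cast elsewhere.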
diff --git a/lib/libgssapi/cred.h b/lib/libgssapi/cred.h
new file mode 100644
index 000000000000..6301b895b59c
--- /dev/null
+++ b/lib/libgssapi/cred.h
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/queue.h>
+
+struct _gss_mechanism_cred {
+ SLIST_ENTRY(_gss_mechanism_cred) gmc_link;
+ struct _gss_mech_switch *gmc_mech; /* mechanism ops for MC */
+ gss_OID gmc_mech_oid; /* mechanism oid for MC */
+ gss_cred_id_t gmc_cred; /* underlying MC */
+};
+SLIST_HEAD(_gss_mechanism_cred_list, _gss_mechanism_cred);
+
+struct _gss_cred {
+ gss_cred_usage_t gc_usage;
+ struct _gss_mechanism_cred_list gc_mc;
+};
+
diff --git a/lib/libgssapi/gss_accept_sec_context.3 b/lib/libgssapi/gss_accept_sec_context.3
new file mode 100644
index 000000000000..679eb152fdef
--- /dev/null
+++ b/lib/libgssapi/gss_accept_sec_context.3
@@ -0,0 +1,484 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_ACCEPT_SEC_CONTEXT 3 PRM
+.Sh NAME
+.Nm gss_accept_sec_context
+.Nd Accept a security context initiated by a peer application
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_accept_sec_context
+.Fa "OM_uint32 *minor_status
+.Fa "gss_ctx_id_t *context_handle"
+.Fa "const gss_cred_id_t acceptor_cred_handle"
+.Fa "const gss_buffer_t input_token_buffer"
+.Fa "const gss_channel_bindings_t input_chan_bindings"
+.Fa "const gss_name_t *src_name"
+.Fa "gss_OID *mech_type"
+.Fa "gss_buffer_t output_token"
+.Fa "OM_uint32 *ret_flags"
+.Fa "OM_uint32 *time_rec"
+.Fa "gss_cred_id_t *delegated_cred_handle"
+.Fc
+.Sh DESCRIPTION
+Allows a remotely initiated security context between the application
+and a remote peer to be established. The routine may return a
+.Fa output_token
+which should be transferred to the peer application,
+where the peer application will present it to
+.Xr gss_init_sec_context 3 .
+If no token need be sent,
+.Fn gss_accept_sec_context
+will indicate this
+by setting the length field of the
+.Fa output_token
+argument to zero.
+To complete the context establishment, one or more reply tokens may be
+required from the peer application; if so,
+.Fn gss_accept_sec_context
+will return a status flag of
+.Dv GSS_S_CONTINUE_NEEDED , in which case it
+should be called again when the reply token is received from the peer
+application, passing the token to
+.Fn gss_accept_sec_context
+via the
+.Fa input_token
+parameters.
+.Pp
+Portable applications should be constructed to use the token length
+and return status to determine whether a token needs to be sent or
+waited for. Thus a typical portable caller should always invoke
+.Fn gss_accept_sec_context
+within a loop:
+.Bd -literal
+gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+
+do {
+ receive_token_from_peer(input_token);
+ maj_stat = gss_accept_sec_context(&min_stat,
+ &context_hdl,
+ cred_hdl,
+ input_token,
+ input_bindings,
+ &client_name,
+ &mech_type,
+ output_token,
+ &ret_flags,
+ &time_rec,
+ &deleg_cred);
+ if (GSS_ERROR(maj_stat)) {
+ report_error(maj_stat, min_stat);
+ };
+ if (output_token->length != 0) {
+ send_token_to_peer(output_token);
+
+ gss_release_buffer(&min_stat, output_token);
+ };
+ if (GSS_ERROR(maj_stat)) {
+ if (context_hdl != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&min_stat,
+ &context_hdl,
+ GSS_C_NO_BUFFER);
+ break;
+ };
+} while (maj_stat & GSS_S_CONTINUE_NEEDED);
+.Ed
+.Pp
+Whenever the routine returns a major status that includes the value
+.Dv GSS_S_CONTINUE_NEEDED , the context is not fully established and the
+following restrictions apply to the output parameters:
+.Pp
+The value returned via the
+.Fa time_rec
+parameter is undefined Unless the
+accompanying
+.Fa ret_flags
+parameter contains the bit
+.Dv GSS_C_PROT_READY_FLAG , indicating that per-message services may be
+applied in advance of a successful completion status, the value
+returned via the
+.Fa mech_type
+parameter may be undefined until the
+routine returns a major status value of
+.Dv GSS_S_COMPLETE .
+.Pp
+The values of the
+.Dv GSS_C_DELEG_FLAG ,
+.Dv GSS_C_MUTUAL_FLAG ,
+.Dv GSS_C_REPLAY_FLAG ,
+.Dv GSS_C_SEQUENCE_FLAG ,
+.Dv GSS_C_CONF_FLAG ,
+.Dv GSS_C_INTEG_FLAG
+and
+.Dv GSS_C_ANON_FLAG bits returned
+via the
+.Fa ret_flags
+parameter should contain the values that the
+implementation expects would be valid if context establishment were
+to succeed.
+.Pp
+The values of the
+.Dv GSS_C_PROT_READY_FLAG
+and
+.Dv GSS_C_TRANS_FLAG bits
+within
+.Fa ret_flags
+should indicate the actual state at the time
+.Fn gss_accept_sec_context
+returns, whether or not the context is fully established.
+.Pp
+Although this requires that GSS-API implementations set the
+.Dv GSS_C_PROT_READY_FLAG
+in the final
+.Fa ret_flags
+returned to a caller
+(i.e. when accompanied by a
+.Dv GSS_S_COMPLETE
+status code), applications
+should not rely on this behavior as the flag was not defined in
+Version 1 of the GSS-API. Instead, applications should be prepared to
+use per-message services after a successful context establishment,
+according to the
+.Dv GSS_C_INTEG_FLAG
+and
+.Dv GSS_C_CONF_FLAG values.
+.Pp
+All other bits within the
+.Fa ret_flags
+argument should be set to zero.
+While the routine returns
+.Dv GSS_S_CONTINUE_NEEDED , the values returned
+via the
+.Fa ret_flags
+argument indicate the services that the
+implementation expects to be available from the established context.
+.Pp
+If the initial call of
+.Fn gss_accept_sec_context
+fails, the
+implementation should not create a context object, and should leave
+the value of the context_handle parameter set to
+.Dv GSS_C_NO_CONTEXT to
+indicate this. In the event of a failure on a subsequent call, the
+implementation is permitted to delete the "half-built" security
+context (in which case it should set the
+.Fa context_handle
+parameter to
+.Dv GSS_C_NO_CONTEXT ), but the preferred behavior is to leave the
+security context (and the context_handle parameter) untouched for the
+application to delete (using
+.Xr gss_delete_sec_context 3 ).
+.Pp
+During context establishment, the informational status bits
+.Dv GSS_S_OLD_TOKEN
+and
+.Dv GSS_S_DUPLICATE_TOKEN
+indicate fatal errors, and
+GSS-API mechanisms should always return them in association with a
+routine error of
+.Dv GSS_S_FAILURE . This requirement for pairing did not
+exist in version 1 of the GSS-API specification, so applications that
+wish to run over version 1 implementations must special-case these
+codes.
+.Sh PARAMETERS
+.Bl -tag
+.It context_handle
+Context handle for new context.
+Supply
+.Dv GSS_C_NO_CONTEXT for first
+call; use value returned in subsequent calls.
+Once
+.Fn gss_accept_sec_context
+has returned a
+value via this parameter, resources have been
+assigned to the corresponding context, and must
+be freed by the application after use with a
+call to
+.Xr gss_delete_sec_context 3 .
+.It acceptor_cred_handle
+Credential handle claimed by context acceptor.
+Specify
+.Dv GSS_C_NO_CREDENTIAL to accept the context as a
+default principal.
+If
+.Dv GSS_C_NO_CREDENTIAL is
+specified, but no default acceptor principal is
+defined,
+.Dv GSS_S_NO_CRED will be returned.
+.It input_token_buffer
+Token obtained from remote application.
+.It input_chan_bindings
+Application-specified bindings.
+Allows application to securely bind channel identification information
+to the security context.
+If channel bindings are not used, specify
+.Dv GSS_C_NO_CHANNEL_BINDINGS .
+.It src_name
+Authenticated name of context initiator.
+After use, this name should be deallocated by passing it to
+.Xr gss_release_name 3 .
+If not required, specify
+.Dv NULL .
+.It mech_type
+Security mechanism used.
+The returned OID value will be a pointer into static storage,
+and should be treated as read-only by the caller
+(in particular, it does not need to be freed).
+If not required, specify
+.Dv NULL .
+.It output_token
+Token to be passed to peer application.
+If the length field of the returned token buffer is 0,
+then no token need be passed to the peer application.
+If a non-zero length field is returned,
+the associated storage must be freed after use by the
+application with a call to
+.Xr gss_release_buffer 3 .
+.It ret_flags
+Contains various independent flags,
+each of which indicates that the context supports a specific service option.
+If not needed, specify
+.Dv NULL .
+Symbolic names are provided for each flag,
+and the symbolic names corresponding to the required flags should be
+logically-ANDed with the
+.Fa ret_flags
+value to test whether a given option is supported by the context.
+The flags are:
+.Bl -tag -width "WW"
+.It GSS_C_DELEG_FLAG
+.Bl -tag -width "False"
+.It True
+Delegated credentials are available via the delegated_cred_handle parameter
+.It False
+No credentials were delegated
+.El
+.It GSS_C_MUTUAL_FLAG
+.Bl -tag -width "False"
+.It True
+Remote peer asked for mutual authentication
+.It False
+Remote peer did not ask for mutual authentication
+.El
+.It GSS_C_REPLAY_FLAG
+.Bl -tag -width "False"
+.It True
+Replay of protected messages will be detected
+.It False
+Replayed messages will not be detected
+.El
+.It GSS_C_SEQUENCE_FLAG
+.Bl -tag -width "False"
+.It True
+Out-of-sequence protected messages will be detected
+.It False
+Out-of-sequence messages will not be detected
+.El
+.It GSS_C_CONF_FLAG
+.Bl -tag -width "False"
+.It True
+Confidentiality service may be invoked by calling the
+.Xr gss_wrap 3
+routine
+.It False
+No confidentiality service (via
+.Xr gss_wrap 3 )
+available.
+.Xr gss_wrap 3
+will provide message encapsulation,
+data-origin authentication and integrity services only.
+.El
+.It GSS_C_INTEG_FLAG
+.Bl -tag -width "False"
+.It True
+Integrity service may be invoked by calling either
+.Xr gss_get_mic 3
+or
+.Xr gss_wrap 3
+routines.
+.It False
+Per-message integrity service unavailable.
+.El
+.It GSS_C_ANON_FLAG
+.Bl -tag -width "False"
+.It True
+The initiator does not wish to be authenticated; the
+.Fa src_name
+parameter (if requested) contains an anonymous internal name.
+.It False
+The initiator has been authenticated normally.
+.El
+.It GSS_C_PROT_READY_FLAG
+.Bl -tag -width "False"
+.It True
+Protection services (as specified by the states of the
+.Dv GSS_C_CONF_FLAG
+and
+.Dv GSS_C_INTEG_FLAG )
+are available if the accompanying major status return value is either
+.Dv GSS_S_COMPLETE
+or
+.Dv GSS_S_CONTINUE_NEEDED.
+.It False
+Protection services (as specified by the states of the
+.Dv GSS_C_CONF_FLAG
+and
+.Dv GSS_C_INTEG_FLAG )
+are available only if the accompanying major status return value is
+.Dv GSS_S_COMPLETE .
+.El
+.It GSS_C_TRANS_FLAG
+.Bl -tag -width "False"
+.It True
+The resultant security context may be transferred to other processes
+via a call to
+.Xr gss_export_sec_context 3 .
+.It False
+The security context is not transferable.
+.El
+.El
+.Pp
+All other bits should be set to zero.
+.It time_rec
+Number of seconds for which the context will remain valid.
+Specify
+.Dv NULL
+if not required.
+.It delegated_cred_handle
+Credential
+handle for credentials received from context initiator.
+Only valid if
+.Dv GSS_C_DELEG_FLAG
+in
+.Fa ret_flags
+is true,
+in which case an explicit credential handle
+(i.e. not
+.Dv GSS_C_NO_CREDENTIAL )
+will be returned; if false,
+.Fn gss_accept_context
+will set this parameter to
+.Dv GSS_C_NO_CREDENTIAL .
+If a credential handle is returned,
+the associated resources must be released by the application after use
+with a call to
+.Xr gss_release_cred 3 .
+Specify
+.Dv NULL if not required.
+.It minor_status
+Mechanism specific status code.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_CONTINUE_NEEDED
+Indicates that a token from the peer application is required to
+complete the context,
+and that gss_accept_sec_context must be called again with that token.
+.It GSS_S_DEFECTIVE_TOKEN
+Indicates that consistency checks performed on the input_token failed.
+.It GSS_S_DEFECTIVE_CREDENTIAL
+Indicates that consistency checks performed on the credential failed.
+.It GSS_S_NO_CRED
+The supplied credentials were not valid for context acceptance,
+or the credential handle did not reference any credentials.
+.It GSS_S_CREDENTIALS_EXPIRED
+The referenced credentials have expired.
+.It GSS_S_BAD_BINDINGS
+The input_token contains different channel bindings to those specified via the
+input_chan_bindings parameter.
+.It GSS_S_NO_CONTEXT
+Indicates that the supplied context handle did not refer to a valid context.
+.It GSS_S_BAD_SIG
+The input_token contains an invalid MIC.
+.It GSS_S_OLD_TOKEN
+The input_token was too old.
+This is a fatal error during context establishment.
+.It GSS_S_DUPLICATE_TOKEN
+The input_token is valid,
+but is a duplicate of a token already processed.
+This is a fatal error during context establishment.
+.It GSS_S_BAD_MECH
+The received token specified a mechanism that is not supported by
+the implementation or the provided credential.
+.El
+.Sh SEE ALSO
+.Xr gss_delete_sec_context 3 ,
+.Xr gss_export_sec_context 3 ,
+.Xr gss_get_mic 3 ,
+.Xr gss_init_sec_context 3 ,
+.Xr gss_release_buffer 3 ,
+.Xr gss_release_cred 3 ,
+.Xr gss_release_name 3 ,
+.Xr gss_wrap 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.El
+.\" .Sh HISTORY
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_accept_sec_context.c b/lib/libgssapi/gss_accept_sec_context.c
new file mode 100644
index 000000000000..9bc57cae9019
--- /dev/null
+++ b/lib/libgssapi/gss_accept_sec_context.c
@@ -0,0 +1,221 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "context.h"
+#include "cred.h"
+#include "name.h"
+
+OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ const gss_cred_id_t acceptor_cred_handle,
+ const gss_buffer_t input_token,
+ const gss_channel_bindings_t input_chan_bindings,
+ gss_name_t *src_name,
+ gss_OID *mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ gss_cred_id_t *delegated_cred_handle)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+ struct _gss_cred *cred = (struct _gss_cred *) acceptor_cred_handle;
+ struct _gss_mechanism_cred *mc;
+ gss_cred_id_t acceptor_mc, delegated_mc;
+ gss_name_t src_mn;
+ int allocated_ctx;
+
+ *minor_status = 0;
+ if (src_name) *src_name = 0;
+ if (mech_type) *mech_type = 0;
+ if (ret_flags) *ret_flags = 0;
+ if (time_rec) *time_rec = 0;
+ if (delegated_cred_handle) *delegated_cred_handle = 0;
+ output_token->length = 0;
+ output_token->value = 0;
+
+ /*
+ * If this is the first call (*context_handle is NULL), we must
+ * parse the input token to figure out the mechanism to use.
+ */
+ if (*context_handle == GSS_C_NO_CONTEXT) {
+ unsigned char *p = input_token->value;
+ size_t len = input_token->length;
+ size_t a, b;
+ gss_OID_desc mech_oid;
+
+ /*
+ * Token must start with [APPLICATION 0] SEQUENCE.
+ */
+ if (len == 0 || *p != 0x60)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ p++;
+ len--;
+
+ /*
+ * Decode the length and make sure it agrees with the
+ * token length.
+ */
+ if (len == 0)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ if ((*p & 0x80) == 0) {
+ a = *p;
+ p++;
+ len--;
+ } else {
+ b = *p & 0x7f;
+ p++;
+ len--;
+ if (len < b)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ a = 0;
+ while (b) {
+ a = (a << 8) | *p;
+ p++;
+ len--;
+ b--;
+ }
+ }
+ if (a != len)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
+ /*
+ * Decode the OID for the mechanism. Simplify life by
+ * assuming that the OID length is less than 128 bytes.
+ */
+ if (len < 2 || *p != 0x06)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ if ((p[1] & 0x80) || p[1] > (len - 2))
+ return (GSS_S_DEFECTIVE_TOKEN);
+ mech_oid.length = p[1];
+ p += 2;
+ len -= 2;
+ mech_oid.elements = p;
+
+ /*
+ * Now that we have a mechanism, we can find the
+ * implementation.
+ */
+ ctx = malloc(sizeof(struct _gss_context));
+ if (!ctx) {
+ *minor_status = ENOMEM;
+ return (GSS_S_DEFECTIVE_TOKEN);
+ }
+ memset(ctx, 0, sizeof(struct _gss_context));
+ m = ctx->gc_mech = _gss_find_mech_switch(&mech_oid);
+ if (!m) {
+ free(ctx);
+ return (GSS_S_BAD_MECH);
+ }
+ allocated_ctx = 1;
+ } else {
+ m = ctx->gc_mech;
+ allocated_ctx = 0;
+ }
+
+ if (cred) {
+ SLIST_FOREACH(mc, &cred->gc_mc, gmc_link)
+ if (mc->gmc_mech == m)
+ break;
+ if (!mc)
+ return (GSS_S_BAD_MECH);
+ acceptor_mc = mc->gmc_cred;
+ } else {
+ acceptor_mc = GSS_C_NO_CREDENTIAL;
+ }
+ delegated_mc = GSS_C_NO_CREDENTIAL;
+
+ major_status = m->gm_accept_sec_context(minor_status,
+ &ctx->gc_ctx,
+ acceptor_mc,
+ input_token,
+ input_chan_bindings,
+ &src_mn,
+ mech_type,
+ output_token,
+ ret_flags,
+ time_rec,
+ &delegated_mc);
+ if (major_status != GSS_S_COMPLETE &&
+ major_status != GSS_S_CONTINUE_NEEDED)
+ return (major_status);
+
+ if (!src_name) {
+ m->gm_release_name(minor_status, &src_mn);
+ } else {
+ /*
+ * Make a new name and mark it as an MN.
+ */
+ struct _gss_name *name = _gss_make_name(m, src_mn);
+
+ if (!name) {
+ m->gm_release_name(minor_status, &src_mn);
+ return (GSS_S_FAILURE);
+ }
+ *src_name = (gss_name_t) name;
+ }
+
+ if (*ret_flags & GSS_C_DELEG_FLAG) {
+ if (!delegated_cred_handle) {
+ m->gm_release_cred(minor_status, &delegated_mc);
+ *ret_flags &= ~GSS_C_DELEG_FLAG;
+ } else {
+ struct _gss_cred *cred;
+ struct _gss_mechanism_cred *mc;
+
+ cred = malloc(sizeof(struct _gss_cred));
+ if (!cred) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ mc = malloc(sizeof(struct _gss_mechanism_cred));
+ if (!mc) {
+ free(cred);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ m->gm_inquire_cred(minor_status, delegated_mc,
+ 0, 0, &cred->gc_usage, 0);
+ mc->gmc_mech = m;
+ mc->gmc_mech_oid = &m->gm_mech_oid;
+ mc->gmc_cred = delegated_mc;
+ SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
+
+ *delegated_cred_handle = (gss_cred_id_t) cred;
+ }
+ }
+
+ *context_handle = (gss_ctx_id_t) ctx;
+ return (major_status);
+}
diff --git a/lib/libgssapi/gss_acquire_cred.3 b/lib/libgssapi/gss_acquire_cred.3
new file mode 100644
index 000000000000..d108875e71ad
--- /dev/null
+++ b/lib/libgssapi/gss_acquire_cred.3
@@ -0,0 +1,238 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_ACQUIRE_CRED 3 PRM
+.Sh NAME
+.Nm gss_acquire_cred
+.Nd Obtain a GSS-API credential handle for pre-existing credentials
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_acquire_cred
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t desired_name"
+.Fa "OM_uint32 time_req"
+.Fa "const gss_OID_set desired_mechs"
+.Fa "gss_cred_usage_t cred_usage"
+.Fa "gss_cred_id_t *output_cred_handle"
+.Fa "gss_OID_set *actual_mechs"
+.Fa "OM_uint32 *time_rec"
+.Fc
+.Sh DESCRIPTION
+Allows an application to acquire a handle for a pre-existing
+credential by name.
+GSS-API implementations must impose a local
+access-control policy on callers of this routine to prevent
+unauthorized callers from acquiring credentials to which they are not
+entitled.
+This routine is not intended to provide a "login to the
+network" function, as such a function would involve the creation of
+new credentials rather than merely acquiring a handle to existing
+credentials.
+Such functions, if required, should be defined in
+implementation-specific extensions to the API.
+.Pp
+If desired_name is
+.Dv GSS_C_NO_NAME ,
+the call is interpreted as a
+request for a credential handle that will invoke default behavior
+when passed to
+.Fn gss_init_sec_context
+(if cred_usage is
+.Dv GSS_C_INITIATE
+or
+.Dv GSS_C_BOTH )
+or
+.Fn gss_accept_sec_context
+(if cred_usage is
+.Dv GSS_C_ACCEPT
+or
+.Dv GSS_C_BOTH ).
+.Pp
+Mechanisms should honor the
+.Fa desired_mechs
+parameter,
+and return a credential that is suitable to use only with the
+requested mechanisms.
+An exception to this is the case where one underlying credential
+element can be shared by multiple mechanisms;
+in this case it is permissible for an implementation to indicate all
+mechanisms with which the credential element may be used.
+If
+.Fa desired_mechs
+is an empty set, behavior is undefined.
+.Pp
+This routine is expected to be used primarily by context acceptors,
+since implementations are likely to provide mechanism-specific ways
+of obtaining GSS-API initiator credentials from the system login
+process.
+Some implementations may therefore not support the acquisition of
+.Dv GSS_C_INITIATE
+or
+.Dv GSS_C_BOTH
+credentials via
+.Fn gss_acquire_cred
+for any name other than
+.Dv GSS_C_NO_NAME ,
+or a name produced by applying either
+.Fn gss_inquire_cred
+to a valid credential, or
+.Fn gss_inquire_context
+to an active context.
+.Pp
+If credential acquisition is time-consuming for a mechanism,
+the mechanism may choose to delay the actual acquisition until the
+credential is required
+(e.g. by
+.Fn gss_init_sec_context
+or
+.Fn gss_accept_sec_context ).
+Such mechanism-specific implementation
+decisions should be invisible to the calling application;
+thus a call of
+.Fn gss_inquire_cred
+immediately following the call of
+.Fn gss_acquire_cred
+must return valid credential data,
+and may therefore incur the overhead of a deferred credential acquisition.
+.Sh PARAMETERS
+.Bl -tag
+.It desired_name
+Name of principal whose credential should be acquired.
+.It time_req
+Number of seconds that credentials should remain valid.
+Specify
+.Dv GSS_C_INDEFINITE
+to request that the credentials have the maximum
+permitted lifetime.
+.It desired_mechs
+Set of underlying security mechanisms that may be used.
+.Dv GSS_C_NO_OID_SET
+may be used to obtain an implementation-specific default.
+.It cred_usage
+.Bl -tag -width "GSS_C_INITIATE"
+.It GSS_C_BOTH
+Credentials may be used either to initiate or accept security
+contexts.
+.It GSS_C_INITIATE
+Credentials will only be used to initiate security contexts.
+.It GSS_C_ACCEPT
+Credentials will only be used to accept security contexts.
+.El
+.It output_cred_handle
+The returned credential handle.
+Resources
+associated with this credential handle must be released by
+the application after use with a call to
+.Fn gss_release_cred .
+.It actual_mechs
+The set of mechanisms for which the credential is valid.
+Storage associated with the returned OID-set must be released by the
+application after use with a call to
+.Fn gss_release_oid_set .
+Specify
+.Dv NULL if not required.
+.It time_rec
+Actual number of seconds for which the returned credentials will
+remain valid.
+If the implementation does not support expiration of credentials,
+the value
+.Dv GSS_C_INDEFINITE
+will be returned.
+Specify NULL if not required.
+.It minor_status
+Mechanism specific status code.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion.
+.It GSS_S_BAD_MECH
+Unavailable mechanism requested.
+.It GSS_S_BAD_NAMETYPE
+Type contained within desired_name parameter is not supported.
+.It GSS_S_BAD_NAME
+Value supplied for desired_name parameter is ill formed.
+.It GSS_S_CREDENTIALS_EXPIRED
+The credentials could not be acquired Because they have expired.
+.It GSS_S_NO_CRED
+No credentials were found for the specified name.
+.El
+.Sh SEE ALSO
+.Xr gss_init_sec_context 3 ,
+.Xr gss_accept_sec_context 3 ,
+.Xr gss_inquire_cred 3 ,
+.Xr gss_inquire_context 3 ,
+.Xr gss_release_cred 3 ,
+.Xr gss_release_oid_set 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_acquire_cred.c b/lib/libgssapi/gss_acquire_cred.c
new file mode 100644
index 000000000000..e65bb27c3eec
--- /dev/null
+++ b/lib/libgssapi/gss_acquire_cred.c
@@ -0,0 +1,166 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "name.h"
+#include "cred.h"
+
+OM_uint32
+gss_acquire_cred(OM_uint32 *minor_status,
+ const gss_name_t desired_name,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *time_rec)
+{
+ OM_uint32 major_status;
+ gss_OID_set mechs = desired_mechs;
+ gss_OID_set_desc set;
+ struct _gss_name *name = (struct _gss_name *) desired_name;
+ struct _gss_mech_switch *m;
+ struct _gss_cred *cred;
+ struct _gss_mechanism_cred *mc;
+ struct _gss_mechanism_name *mn;
+ OM_uint32 min_time, time;
+ int i;
+
+ /*
+ * First make sure that at least one of the requested
+ * mechanisms is one that we support.
+ */
+ if (mechs) {
+ _gss_load_mech();
+ for (i = 0; i < mechs->count; i++) {
+ int t;
+ gss_test_oid_set_member(minor_status,
+ &mechs->elements[i], _gss_mech_oids, &t);
+ if (t)
+ break;
+ }
+ if (i == mechs->count) {
+ *output_cred_handle = 0;
+ *minor_status = 0;
+ return (GSS_S_BAD_MECH);
+ }
+ }
+
+ if (actual_mechs) {
+ major_status = gss_create_empty_oid_set(minor_status,
+ actual_mechs);
+ if (major_status)
+ return (major_status);
+ }
+
+ cred = malloc(sizeof(struct _gss_cred));
+ if (!cred) {
+ if (actual_mechs)
+ gss_release_oid_set(minor_status, actual_mechs);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ cred->gc_usage = cred_usage;
+ SLIST_INIT(&cred->gc_mc);
+
+ if (mechs == GSS_C_NO_OID_SET)
+ mechs = _gss_mech_oids;
+
+ set.count = 1;
+ min_time = GSS_C_INDEFINITE;
+ for (i = 0; i < mechs->count; i++) {
+ m = _gss_find_mech_switch(&mechs->elements[i]);
+ if (!m)
+ continue;
+
+ if (desired_name != GSS_C_NO_NAME) {
+ mn = _gss_find_mn(name, &mechs->elements[i]);
+ if (!mn)
+ continue;
+ }
+
+ mc = malloc(sizeof(struct _gss_mechanism_cred));
+ if (!mc) {
+ continue;
+ }
+ mc->gmc_mech = m;
+ mc->gmc_mech_oid = &m->gm_mech_oid;
+
+ /*
+ * XXX Probably need to do something with actual_mechs.
+ */
+ set.elements = &mechs->elements[i];
+ major_status = m->gm_acquire_cred(minor_status,
+ (desired_name != GSS_C_NO_NAME
+ ? mn->gmn_name : GSS_C_NO_NAME),
+ time_req, &set, cred_usage,
+ &mc->gmc_cred, NULL, &time);
+ if (major_status) {
+ free(mc);
+ continue;
+ }
+ if (time < min_time)
+ min_time = time;
+
+ if (actual_mechs) {
+ major_status = gss_add_oid_set_member(minor_status,
+ mc->gmc_mech_oid, actual_mechs);
+ if (major_status) {
+ m->gm_release_cred(minor_status,
+ &mc->gmc_cred);
+ free(mc);
+ continue;
+ }
+ }
+
+ SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
+ }
+
+ /*
+ * If we didn't manage to create a single credential, return
+ * an error.
+ */
+ if (!SLIST_FIRST(&cred->gc_mc)) {
+ free(cred);
+ if (actual_mechs)
+ gss_release_oid_set(minor_status, actual_mechs);
+ *output_cred_handle = 0;
+ *minor_status = 0;
+ return (GSS_S_NO_CRED);
+ }
+
+ if (time_rec)
+ *time_rec = min_time;
+ *output_cred_handle = (gss_cred_id_t) cred;
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+}
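Review bot: The GSS_S_NO_CRED exit at the bottom of gss_acquire_cred discards the mechanism's diagnostic by assigning `*minor_status = 0` after the loop, so a caller cannot distinguish "no mechanism had credentials for this name" from "the mechanism failed to read its credential store" (for instance an unreadable keytab in the krb5 plugin), which matters for an acceptor troubleshooting why it cannot start; the last failing `gm_acquire_cred` has already written its minor code into `*minor_status`, so dropping that assignment, or saving the last non-zero minor code across iterations, preserves it. The `mc` allocation failure in the same loop silently `continue`s and also ends in GSS_S_NO_CRED with no ENOMEM indication; `*minor_status = ENOMEM; continue;` would at least record it, though whether a zero minor code on NO_CRED is intended is not visible from this hunk. Separately, `i` is an `int` compared against `mechs->count` in both loops; declaring it `size_t` avoids the signed/unsigned comparison given the RFC 2744 `gss_OID_set_desc.count` is `size_t`.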
diff --git a/lib/libgssapi/gss_add_cred.3 b/lib/libgssapi/gss_add_cred.3
new file mode 100644
index 000000000000..98d80523bfad
--- /dev/null
+++ b/lib/libgssapi/gss_add_cred.3
@@ -0,0 +1,338 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_ADD_CRED 3 PRM
+.Sh NAME
+.Nm gss_add_cred
+.Nd Construct credentials incrementally
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_add_cred
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_cred_id_t input_cred_handle"
+.Fa "const gss_name_t desired_name"
+.Fa "const gss_OID desired_mech"
+.Fa "gss_cred_usage_t cred_usage"
+.Fa "OM_uint32 initiator_time_req"
+.Fa "OM_uint32 acceptor_time_req"
+.Fa "gss_cred_id_t *output_cred_handle"
+.Fa "gss_OID_set *actual_mechs"
+.Fa "OM_uint32 *initiator_time_rec"
+.Fa "OM_uint32 *acceptor_time_rec"
+.Fc
+.Sh DESCRIPTION
+Adds a credential-element to a credential.
+The credential-element is identified by the name of the principal to
+which it refers.
+GSS-API implementations must impose a local access-control policy on
+callers of this routine to prevent unauthorized callers from acquiring
+credential-elements to which they are not entitled.
+This routine is not intended to provide a "login to the network"
+function,
+as such a function would involve the creation of new
+mechanism-specific authentication data,
+rather than merely acquiring a GSS-API handle to existing data.
+Such functions,
+if required,
+should be defined in implementation-specific extensions to the API.
+.Pp
+If
+.Fa desired_name
+is
+.Dv GSS_C_NO_NAME ,
+the call is interpreted as a request to add a credential element that
+will invoke default behavior when passed to
+.Fn gss_init_sec_context
+(if cred_usage is
+.Dv GSS_C_INITIATE
+or
+.Dv GSS_C_BOTH )
+or
+.Fn gss_accept_sec_context
+(if
+.Fa cred_usage
+is
+.Dv GSS_C_ACCEPT
+or
+.Dv GSS_C_BOTH ).
+.PP
+This routine is expected to be used primarily by context acceptors,
+since implementations are likely to provide mechanism-specific ways of
+obtaining GSS-API initiator credentials from the system login process.
+Some implementations may therefore not support the acquisition of
+.Dv GSS_C_INITIATE
+or
+.Dv GSS_C_BOTH
+credentials via
+.Fn gss_acquire_cred
+for any name other than
+.Dv GSS_C_NO_NAME ,
+or a name produced by applying either
+.Fn gss_inquire_cred
+to a valid credential,
+or
+.Fn gss_inquire_context
+to an active context.
+.Pp
+If credential acquisition is time-consuming for a mechanism,
+the mechanism may choose to delay the actual acquisition until the
+credential is required (e.g. by
+.Fn gss_init_sec_context
+or
+.Fn gss_accept_sec_context ).
+Such mechanism-specific implementation decisions should be invisible
+to the calling application;
+thus a call of
+.Fn gss_inquire_cred
+immediately following the call of
+.Fn gss_add_cred
+must return valid credential data,
+and may therefore incur the overhead of a deferred credential acquisition.
+.Pp
+This routine can be used to either compose a new credential containing
+all credential-elements of the original in addition to the
+newly-acquire credential-element,
+or to add the new credential-element to an existing credential.
+If
+.Dv NULL
+is specified for the
+.Fa output_cred_handle
+parameter argument,
+the new credential-element will be added to the credential identified
+by
+.Fa input_cred_handle ;
+if a valid pointer is specified for the
+.Fa output_cred_handle
+parameter,
+a new credential handle will be created.
+.Pp
+If
+.Dv GSS_C_NO_CREDENTIAL
+is specified as the
+.Fa input_cred_handle ,
+.Fn gss_add_cred
+will compose a credential (and set the
+.Fa output_cred_handle
+parameter accordingly) based on default behavior.
+That is, the call will have the same effect as if the application had
+first made a call to
+.Fn gss_acquire_cred ,
+specifying the same usage and passing
+.Dv GSS_C_NO_NAME
+as the
+.Fa desired_name
+parameter to obtain an explicit credential handle embodying default
+behavior,
+passed this credential handle to
+.Fn gss_add_cred ,
+and finally called
+.Fn gss_release_cred
+on the first credential handle.
+.Pp
+If
+.Dv GSS_C_NO_CREDENTIAL
+is specified as the
+.Fa input_cred_handle
+parameter,
+a non-
+.Dv NULL
+.Fa output_cred_handle
+must be supplied.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It input_cred_handle
+The credential to which a credential-element will be added.
+If
+.Dv GSS_C_NO_CREDENTIAL
+is specified, the routine will compose the new credential based on
+default behavior (see description above).
+Note that, while the credential-handle is not modified by
+.Fn gss_add_cred ,
+the underlying credential will be modified if
+.Fa output_credential_handle
+is
+.Dv NULL .
+.It desired_name
+Name of principal whose credential should be acquired.
+.It desired_mech
+Underlying security mechanism with which the credential may be used.
+.It cred_usage
+.Bl -tag -width "GSS_C_INITIATE"
+.It GSS_C_BOTH
+Credential may be used either to initiate or accept security
+contexts.
+.It GSS_C_INITIATE
+Credential will only be used to initiate security contexts.
+.It GSS_C_ACCEPT
+Credential will only be used to accept security contexts.
+.El
+.It initiator_time_req
+Number of seconds that the credential should remain valid for
+initiating security contexts.
+This argument is ignored if the composed credentials are of type
+.Dv GSS_C_ACCEPT .
+Specify
+.Dv GSS_C_INDEFINITE
+to request that the credentials have the maximum permitted initiator lifetime.
+.It acceptor_time_req
+Number of seconds that the credential should remain valid for
+accepting security contexts.
+This argument is ignored if the composed credentials are of type
+.Dv GSS_C_INITIATE .
+Specify
+.Dv GSS_C_INDEFINITE
+to request that the credentials have the maximum permitted initiator lifetime.
+.It output_cred_handle
+The returned credential handle,
+containing
+the new credential-element and all the credential-elements from
+.Fa input_cred_handle .
+If a valid pointer to a
+.Fa gss_cred_id_t
+is supplied for this parameter,
+.Fn gss_add_cred
+creates a new credential handle containing all credential-elements
+from the
+.Fa input_cred_handle
+and the newly acquired credential-element;
+if
+.Dv NULL
+is specified for this parameter,
+the newly acquired credential-element will be added to the credential
+identified by
+.Fa input_cred_handle .
+.Pp
+The resources associated with any credential handle returned via this
+parameter must be released by the application after use with a call to
+.Fn gss_release_cred .
+.It actual_mechs
+The complete set of mechanisms for which the new credential is valid.
+Storage for the returned OID-set must be freed by the application
+after use with a call to
+.Fn gss_release_oid_set .
+Specify
+.Dv NULL if not required.
+.It initiator_time_rec
+Actual number of seconds for which the returned credentials will
+remain valid for initiating contexts using the specified mechanism.
+If the implementation or mechanism does not support expiration of
+credentials,
+the value
+.Dv GSS_C_INDEFINITE
+will be returned.
+Specify
+.Dv NULL
+if not required.
+.It acceptor_time_rec
+Actual number of seconds for which the returned credentials will
+remain valid for accepting security contexts using the specified
+mechanism.
+If the implementation or mechanism does not support expiration of
+credentials,
+the value
+.Dv GSS_C_INDEFINITE
+will be returned.
+Specify
+.Dv NULL
+if not required.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion.
+.It GSS_S_BAD_MECH
+Unavailable mechanism requested.
+.It GSS_S_BAD_NAMETYPE
+Type contained within desired_name parameter is not supported
+.It GSS_S_BAD_NAME
+Value supplied for desired_name parameter is ill-formed.
+.It GSS_S_DUPLICATE_ELEMENT
+The credential already contains an element for the requested mechanism
+with overlapping usage and validity period.
+.It GSS_S_CREDENTIALS_EXPIRED
+The required credentials could not be added because they have expired.
+.It GSS_S_NO_CRED
+No credentials were found for the specified name.
+.El
+.Sh SEE ALSO
+.Xr gss_init_sec_context 3 ,
+.Xr gss_accept_sec_context 3 ,
+.Xr gss_acquire_cred 3 ,
+.Xr gss_inquire_cred 3 ,
+.Xr gss_inquire_context 3 ,
+.Xr gss_release_cred 3 ,
+.Xr gss_release_oid_set 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_add_cred.c b/lib/libgssapi/gss_add_cred.c
new file mode 100644
index 000000000000..aec4464d34af
--- /dev/null
+++ b/lib/libgssapi/gss_add_cred.c
@@ -0,0 +1,178 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "cred.h"
+#include "name.h"
+
+static struct _gss_mechanism_cred *
+_gss_copy_cred(struct _gss_mechanism_cred *mc)
+{
+ struct _gss_mechanism_cred *new_mc;
+ struct _gss_mech_switch *m = mc->gmc_mech;
+ OM_uint32 major_status, minor_status;
+ gss_name_t name;
+ gss_cred_id_t cred;
+ OM_uint32 initiator_lifetime, acceptor_lifetime;
+ gss_cred_usage_t cred_usage;
+
+ major_status = m->gm_inquire_cred_by_mech(&minor_status,
+ mc->gmc_cred, mc->gmc_mech_oid,
+ &name, &initiator_lifetime, &acceptor_lifetime, &cred_usage);
+ if (major_status)
+ return (0);
+
+ major_status = m->gm_add_cred(&minor_status,
+ GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid,
+ cred_usage, initiator_lifetime, acceptor_lifetime,
+ &cred, 0, 0, 0);
+ m->gm_release_name(&minor_status, &name);
+
+ if (major_status)
+ return (0);
+
+ new_mc = malloc(sizeof(struct _gss_mechanism_cred));
+ if (!new_mc) {
+ m->gm_release_cred(&minor_status, &cred);
+ return (0);
+ }
+ new_mc->gmc_mech = m;
+ new_mc->gmc_mech_oid = &m->gm_mech_oid;
+ new_mc->gmc_cred = cred;
+
+ return (new_mc);
+}
+
+OM_uint32
+gss_add_cred(OM_uint32 *minor_status,
+ const gss_cred_id_t input_cred_handle,
+ const gss_name_t desired_name,
+ const gss_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ OM_uint32 initiator_time_req,
+ OM_uint32 acceptor_time_req,
+ gss_cred_id_t *output_cred_handle,
+ gss_OID_set *actual_mechs,
+ OM_uint32 *initiator_time_rec,
+ OM_uint32 *acceptor_time_rec)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ gss_OID_set_desc set;
+ struct _gss_name *name = (struct _gss_name *) desired_name;
+ struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
+ struct _gss_cred *new_cred;
+ struct _gss_mechanism_cred *mc, *target_mc, *copy_mc;
+ struct _gss_mechanism_name *mn;
+ OM_uint32 min_time, time, junk;
+ int i;
+
+ *output_cred_handle = 0;
+ *minor_status = 0;
+
+ new_cred = malloc(sizeof(struct _gss_cred));
+ if (!new_cred) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ new_cred->gc_usage = cred_usage;
+ SLIST_INIT(&new_cred->gc_mc);
+
+ /*
+ * We go through all the mc attached to the input_cred_handle
+ * and check the mechanism. If it matches, we call
+ * gss_add_cred for that mechanism, otherwise we copy the mc
+ * to new_cred.
+ */
+ target_mc = 0;
+ if (cred) {
+ SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+ if (_gss_oid_equal(mc->gmc_mech, desired_mech)) {
+ target_mc = mc;
+ }
+ copy_mc = _gss_copy_cred(mc);
+ if (!copy_mc) {
+ gss_release_cred(&junk, (gss_cred_id_t*) &new_cred);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ SLIST_INSERT_HEAD(&new_cred->gc_mc, copy_mc, gmc_link);
+ }
+ }
+
+ /*
+ * Figure out a suitable mn, if any.
+ */
+ if (desired_name) {
+ mn = _gss_find_mn((struct _gss_name *) desired_name,
+ desired_mech);
+ if (!mn) {
+ free(new_cred);
+ return (GSS_S_BAD_NAME);
+ }
+ } else {
+ mn = 0;
+ }
+
+ m = _gss_find_mech_switch(desired_mech);
+
+ mc = malloc(sizeof(struct _gss_mechanism_cred));
+ if (!mc) {
+ gss_release_cred(&junk, (gss_cred_id_t*) &new_cred);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ mc->gmc_mech = m;
+ mc->gmc_mech_oid = &m->gm_mech_oid;
+
+ major_status = m->gm_add_cred(minor_status,
+ target_mc ? target_mc->gmc_cred : GSS_C_NO_CREDENTIAL,
+ desired_name ? mn->gmn_name : GSS_C_NO_NAME,
+ desired_mech,
+ cred_usage,
+ initiator_time_req,
+ acceptor_time_req,
+ &mc->gmc_cred,
+ actual_mechs,
+ initiator_time_rec,
+ acceptor_time_rec);
+
+ if (major_status) {
+ gss_release_cred(&junk, (gss_cred_id_t*) &new_cred);
+ free(mc);
+ return (major_status);
+ }
+ SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link);
+ *output_cred_handle = (gss_cred_id_t) new_cred;
+
+ return (GSS_S_COMPLETE);
+}
+
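Review bot: `m = _gss_find_mech_switch(desired_mech)` is never checked for NULL before `m->gm_mech_oid` and `m->gm_add_cred` are used a few lines later, so a caller passing an OID for which no plugin is loaded dereferences NULL instead of getting the GSS_S_BAD_MECH the manual page documents; gss_acquire_cred in the same commit does check this result. The match test in the copy loop, `_gss_oid_equal(mc->gmc_mech, desired_mech)`, passes the mech-switch pointer rather than the element's OID, which (assuming `_gss_oid_equal` compares two gss_OIDs as its other argument suggests) means `target_mc` never matches and the new element is always acquired from GSS_C_NO_CREDENTIAL rather than added to the existing element; `_gss_oid_equal(mc->gmc_mech_oid, desired_mech)` is the intended comparison. The `!mn` failure path frees `new_cred` with `free()` while the copied elements inserted into `new_cred->gc_mc` are leaked, unlike the other error paths which use gss_release_cred. Note also that `*output_cred_handle` is stored unconditionally although the manual page permits a NULL `output_cred_handle`, and `set`, `name`, `min_time`, `time` and `i` are unused locals.

```c
		if (!mn) {
			gss_release_cred(&junk, (gss_cred_id_t *) &new_cred);
			return (GSS_S_BAD_NAME);
		}
	/* … unchanged: else branch setting mn = 0 … */
	m = _gss_find_mech_switch(desired_mech);
	if (!m) {
		gss_release_cred(&junk, (gss_cred_id_t *) &new_cred);
		return (GSS_S_BAD_MECH);
	}
	/* … unchanged: mc allocation and m->gm_add_cred call … */
```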
diff --git a/lib/libgssapi/gss_add_oid_set_member.3 b/lib/libgssapi/gss_add_oid_set_member.3
new file mode 100644
index 000000000000..15f661b5041e
--- /dev/null
+++ b/lib/libgssapi/gss_add_oid_set_member.3
@@ -0,0 +1,130 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_ADD_OID_SET_MEMBER 3 PRM
+.Sh NAME
+.Nm gss_add_oid_set_member
+.Nd Add an object identifier to a set
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_add_oid_set_member
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_OID member_oid"
+.Fa "gss_OID_set *oid_set"
+.Fc
+.Sh DESCRIPTION
+Add an Object Identifier to an Object Identifier set.
+This routine is intended for use in conjunction with
+.Fn gss_create_empty_oid_set
+when constructing a set of mechanism OIDs for input to
+.Fn gss_acquire_cred .
+The
+.Fa oid_set
+parameter must refer to an OID-set that was created by GSS-API
+(e.g. a set returned by
+.Fn gss_create_empty_oid_set ).
+GSS-API creates a copy of the
+.Fa member_oid
+and inserts this copy into the set,
+expanding the storage allocated to the OID-set's elements array if
+necessary.
+The routine may add the new member OID anywhere within the elements
+array,
+and implementations should verify that the new
+.Fa member_oid
+is not already contained within the elements array;
+if the
+.Fa member_oid
+is already present,
+the
+.Fa oid_set
+should remain unchanged.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It member_oid
+The object identifier to copied into the set.
+.It oid_set
+The set in which the object identifier should be inserted.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.El
+.Sh SEE ALSO
+.Xr gss_create_empty_oid_set 3 ,
+.Xr gss_acquire_cred 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_add_oid_set_member.c b/lib/libgssapi/gss_add_oid_set_member.c
new file mode 100644
index 000000000000..f1f8214878e5
--- /dev/null
+++ b/lib/libgssapi/gss_add_oid_set_member.c
@@ -0,0 +1,77 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+OM_uint32
+gss_add_oid_set_member(OM_uint32 *minor_status,
+ const gss_OID member_oid,
+ gss_OID_set *oid_set)
+{
+ OM_uint32 major_status;
+ gss_OID_set set = *oid_set;
+ gss_OID new_elements;
+ gss_OID new_oid;
+ int t;
+
+ *minor_status = 0;
+
+ major_status = gss_test_oid_set_member(minor_status,
+ member_oid, *oid_set, &t);
+ if (major_status)
+ return (major_status);
+ if (t)
+ return (GSS_S_COMPLETE);
+
+ new_elements = malloc((set->count + 1) * sizeof(gss_OID_desc));
+ if (!new_elements) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+
+ new_oid = &new_elements[set->count];
+ new_oid->elements = malloc(member_oid->length);
+ if (!new_oid->elements) {
+ free(new_elements);
+ return (GSS_S_FAILURE);
+ }
+ new_oid->length = member_oid->length;
+ memcpy(new_oid->elements, member_oid->elements, member_oid->length);
+
+ if (set->elements) {
+ memcpy(new_elements, set->elements,
+ set->count * sizeof(gss_OID_desc));
+ free(set->elements);
+ }
+ set->elements = new_elements;
+ set->count++;
+
+ return (GSS_S_COMPLETE);
+}
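Review bot: The second allocation-failure path returns GSS_S_FAILURE with `*minor_status` still 0: when `malloc(member_oid->length)` fails, the code frees `new_elements` and returns without the `*minor_status = ENOMEM;` that the `new_elements` failure path sets a few lines earlier, so the caller gets a failure with no minor code. Add `*minor_status = ENOMEM;` before that `return (GSS_S_FAILURE);`. The function also calls `memcpy` while the file includes only `<gssapi/gssapi.h>`, `<stdlib.h>` and `<errno.h>`, so `#include <string.h>` should be added unless the gssapi header is known to pull it in. A `member_oid` with `length == 0` would also turn `malloc(0)` returning NULL on some platforms into a spurious out-of-memory failure; if zero-length OIDs are not valid input, rejecting them explicitly makes that path deterministic.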
diff --git a/lib/libgssapi/gss_canonicalize_name.3 b/lib/libgssapi/gss_canonicalize_name.3
new file mode 100644
index 000000000000..1d7b77230c4b
--- /dev/null
+++ b/lib/libgssapi/gss_canonicalize_name.3
@@ -0,0 +1,137 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_CANONICALIZE_NAME 3 PRM
+.Sh NAME
+.Nm gss_canonicalize_name
+.Nd Convert an internal name to an MN
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_canonicalize_name
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t input_name"
+.Fa "const gss_OID mech_type"
+.Fa "gss_name_t *output_name"
+.Fc
+.Sh DESCRIPTION
+Generate a canonical mechanism name (MN) from an arbitrary internal
+name.
+The mechanism name is the name that would be returned to a context
+acceptor on successful authentication of a context where the initiator
+used the
+.Fa input_name
+in a successful call to
+.Fn gss_acquire_cred ,
+specifying an OID set containing
+.Fa mech_type
+as its only member,
+followed by a call to
+.Fn gss_init_sec_context ,
+specifying
+.Fa mech_type
+as the authentication mechanism.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It input_name
+The name for which a canonical form is desired.
+.It mech_type
+The authentication mechanism for which the canonical form of the name
+is desired.
+The desired mechanism must be specified explicitly;
+ no default is provided.
+.It output_name
+The resultant canonical name.
+Storage associated with this name must be freed by the application
+after use with a call to
+.Fn gss_release_name .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion.
+.It GSS_S_BAD_MECH
+The identified mechanism is not supported.
+.It GSS_S_BAD_NAMETYPE
+The provided internal name contains no elements that could be
+processed by the specified mechanism.
+.It GSS_S_BAD_NAME
+The provided internal name was ill-formed.
+.El
+.Sh SEE ALSO
+.Xr gss_acquire_cred 3 ,
+.Xr gss_init_sec_context 3 ,
+.Xr gss_release_name 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_canonicalize_name.c b/lib/libgssapi/gss_canonicalize_name.c
new file mode 100644
index 000000000000..5fbcbe50022f
--- /dev/null
+++ b/lib/libgssapi/gss_canonicalize_name.c
@@ -0,0 +1,91 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_canonicalize_name(OM_uint32 *minor_status,
+ const gss_name_t input_name,
+ const gss_OID mech_type,
+ gss_name_t *output_name)
+{
+ OM_uint32 major_status;
+ struct _gss_name *name = (struct _gss_name *) input_name;
+ struct _gss_mechanism_name *mn;
+ struct _gss_mech_switch *m = _gss_find_mech_switch(mech_type);
+ gss_name_t new_canonical_name;
+
+ *minor_status = 0;
+ *output_name = 0;
+
+ mn = _gss_find_mn(name, mech_type);
+ if (!mn) {
+ return (GSS_S_BAD_MECH);
+ }
+
+ m = mn->gmn_mech;
+ major_status = m->gm_canonicalize_name(minor_status,
+ mn->gmn_name, mech_type, &new_canonical_name);
+ if (major_status)
+ return (major_status);
+
+ /*
+ * Now we make a new name and mark it as an MN.
+ */
+ *minor_status = 0;
+ name = malloc(sizeof(struct _gss_name));
+ if (!name) {
+ m->gm_release_name(minor_status, &new_canonical_name);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ memset(name, 0, sizeof(struct _gss_name));
+
+ mn = malloc(sizeof(struct _gss_mechanism_name));
+ if (!mn) {
+ m->gm_release_name(minor_status, &new_canonical_name);
+ free(name);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+
+ SLIST_INIT(&name->gn_mn);
+ mn->gmn_mech = m;
+ mn->gmn_mech_oid = &m->gm_mech_oid;
+ mn->gmn_name = new_canonical_name;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+
+ *output_name = (gss_name_t) name;
+
+ return (GSS_S_COMPLETE);
+}
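Review bot: The initializer `struct _gss_mech_switch *m = _gss_find_mech_switch(mech_type);` on the declaration line is dead work — `m` is unconditionally reassigned from `mn->gmn_mech` after the `_gss_find_mn` lookup, so the first lookup's result is never used and its cost is paid on every call; declare it as `struct _gss_mech_switch *m;` and keep the later assignment. The file also calls `memset` while including only `<stdlib.h>` and `<errno.h>` besides the gssapi and local headers, so `<string.h>` should be included explicitly. Separately, the gss_canonicalize_name.3 page added in this commit documents GSS_S_BAD_NAMETYPE for an input name with no element usable by the mechanism, whereas the `!mn` branch returns GSS_S_BAD_MECH; if a null from `_gss_find_mn` means the name lacks an element for that mechanism rather than the mechanism being unknown, the code and the page disagree.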
diff --git a/lib/libgssapi/gss_compare_name.3 b/lib/libgssapi/gss_compare_name.3
new file mode 100644
index 000000000000..06055f8a9771
--- /dev/null
+++ b/lib/libgssapi/gss_compare_name.3
@@ -0,0 +1,122 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_COMPARE_NAME PRM
+.Sh NAME
+.Nm gss_compare_name
+.Nd Compare two internal-form names
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_compare_name
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t name1"
+.Fa "const gss_name_t name2"
+.Fa "int *name_equal"
+.Fc
+.Sh DESCRIPTION
+Allows an application to compare two internal-form names to determine
+whether they refer to the same entity.
+.Pp
+If either name presented to
+.Fn gss_compare_name
+denotes an anonymous principal,
+the routines should indicate that the two names do not refer to the
+same identity.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It name1
+Internal-form name.
+.It name2
+Internal-form name.
+.It name_equal
+.Bl -tag
+.It non-zero
+Names refer to same entity
+.It zero
+Names refer to different entities (strictly, the names are not known
+to refer to the same identity).
+.El
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_BAD_NAMETYPE
+The two names were of incomparable types.
+.It GSS_S_BAD_NAME
+One or both of name1 or name2 was ill-formed.
+.El
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_compare_name.c b/lib/libgssapi/gss_compare_name.c
new file mode 100644
index 000000000000..644b4a6ff5ab
--- /dev/null
+++ b/lib/libgssapi/gss_compare_name.c
@@ -0,0 +1,76 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_compare_name(OM_uint32 *minor_status,
+ const gss_name_t name1_arg,
+ const gss_name_t name2_arg,
+ int *name_equal)
+{
+ struct _gss_name *name1 = (struct _gss_name *) name1_arg;
+ struct _gss_name *name2 = (struct _gss_name *) name2_arg;
+
+ /*
+ * First check the implementation-independant name if both
+ * names have one. Otherwise, try to find common mechanism
+ * names and compare them.
+ */
+ if (name1->gn_value.value && name2->gn_value.value) {
+ *name_equal = 1;
+ if (!_gss_oid_equal(name1->gn_type, name2->gn_type)) {
+ *name_equal = 0;
+ } else if (name1->gn_value.length != name2->gn_value.length ||
+ memcmp(name1->gn_value.value, name1->gn_value.value,
+ name1->gn_value.length)) {
+ *name_equal = 0;
+ }
+ } else {
+ struct _gss_mechanism_name *mn1;
+ struct _gss_mechanism_name *mn2;
+
+ SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) {
+ mn2 = _gss_find_mn(name2, mn1->gmn_mech_oid);
+ if (mn2) {
+ return (mn1->gmn_mech->gm_compare_name(
+ minor_status,
+ mn1->gmn_name,
+ mn2->gmn_name,
+ name_equal));
+ }
+ }
+ *name_equal = 0;
+ }
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+}
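Review bot: The `memcmp` in the exported-name branch compares `name1->gn_value.value` with itself, so any two names of the same type and length leave `name_equal` at 1 regardless of their contents; since callers use this result for identity decisions, that is a correctness and security defect. The call should read `memcmp(name1->gn_value.value, name2->gn_value.value, name1->gn_value.length)`. `memcmp` is also used without `#include <string.h>`; the file includes only the gssapi and local headers. A regression test with two names of equal type and length but different bytes would catch this.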
diff --git a/lib/libgssapi/gss_context_time.3 b/lib/libgssapi/gss_context_time.3
new file mode 100644
index 000000000000..7abc900ed5bd
--- /dev/null
+++ b/lib/libgssapi/gss_context_time.3
@@ -0,0 +1,108 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_CONTEXT_TIME 3 PRM
+.Sh NAME
+.Nm gss_context_time
+.Nd Determine for how long a context will remain valid
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_context_time
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "OM_uint32 *time_rec"
+.Fc
+.Sh DESCRIPTION
+Determines the number of seconds for which the specified context will
+remain valid.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+Identifies the context to be interrogated.
+.It time_rec
+Number of seconds that the context will remain valid.
+If the context has already expired, zero will be returned.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_CONTEXT_EXPIRED
+The context has already expired
+.It GSS_S_NO_CONTEXT
+The context_handle parameter did not identify a valid context
+.El
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_context_time.c b/lib/libgssapi/gss_context_time.c
new file mode 100644
index 000000000000..585ebd690875
--- /dev/null
+++ b/lib/libgssapi/gss_context_time.c
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_context_time(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ OM_uint32 *time_rec)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_context_time(minor_status, ctx->gc_ctx, time_rec));
+}
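Review bot: `context_handle` is dereferenced through `ctx->gc_mech` without a null check, so a caller passing GSS_C_NO_CONTEXT crashes instead of receiving the GSS_S_NO_CONTEXT return that the accompanying gss_context_time.3 page documents. Add a guard before the dereference: `if (context_handle == GSS_C_NO_CONTEXT) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }`. Whether the mechanism's `gm_context_time` is expected to validate `ctx->gc_ctx` itself cannot be told from here.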
diff --git a/lib/libgssapi/gss_create_empty_oid_set.3 b/lib/libgssapi/gss_create_empty_oid_set.3
new file mode 100644
index 000000000000..47e368b0fd37
--- /dev/null
+++ b/lib/libgssapi/gss_create_empty_oid_set.3
@@ -0,0 +1,112 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_CREATE_EMPTY_OID_SET 3 PRM
+.Sh NAME
+.Nm gss_create_empty_oid_set
+.Nd Create a set containing no object identifiers
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_create_empty_oid_set
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_OID_set *oid_set"
+.Fc
+.Sh DESCRIPTION
+Create an object-identifier set containing no object identifiers,
+to which members may be subsequently added using the
+.Fn gss_add_oid_set_member
+routine.
+These routines are intended to be used to construct sets of mechanism
+object identifiers for input to
+.Fn gss_acquire_cred .
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It oid_set
+
+The empty object identifier set.
+The routine will allocate the gss_OID_set_desc object,
+which the application must free after use with a call to
+.Fn gss_release_oid_set .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.El
+.Sh SEE ALSO
+.Xr gss_add_oid_set_member 3 ,
+.Xr gss_acquire_cred 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_create_empty_oid_set.c b/lib/libgssapi/gss_create_empty_oid_set.c
new file mode 100644
index 000000000000..0412817a280f
--- /dev/null
+++ b/lib/libgssapi/gss_create_empty_oid_set.c
@@ -0,0 +1,53 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+OM_uint32
+gss_create_empty_oid_set(OM_uint32 *minor_status,
+ gss_OID_set *oid_set)
+{
+ gss_OID_set set;
+
+ *minor_status = 0;
+ *oid_set = 0;
+
+ set = malloc(sizeof(gss_OID_set_desc));
+ if (!set) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+
+ set->count = 0;
+ set->elements = 0;
+ *oid_set = set;
+
+ return (GSS_S_COMPLETE);
+}
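Review bot: The pointer writes `*oid_set = 0;` and `set->elements = 0;` use a bare integer 0 for pointer values; RFC 2744 defines GSS_C_NO_OID_SET for the former and the file already includes <stdlib.h> for NULL, so `*oid_set = GSS_C_NO_OID_SET;` and `set->elements = NULL;` would read as pointer assignments and match the named constants used elsewhere in this commit (GSS_C_NO_BUFFER in gss_delete_sec_context.c). The allocation check and the ENOMEM/GSS_S_FAILURE path look correct. A short header comment stating that the caller owns the returned set and must release it with gss_release_oid_set would document the ownership transfer the man page already describes.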
diff --git a/lib/libgssapi/gss_delete_sec_context.3 b/lib/libgssapi/gss_delete_sec_context.3
new file mode 100644
index 000000000000..7ecbb2b8af95
--- /dev/null
+++ b/lib/libgssapi/gss_delete_sec_context.3
@@ -0,0 +1,163 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_DELETE_SEC_CONTEXT 3 PRM
+.Sh NAME
+.Nm gss_delete_sec_context
+.Nd Discard a security context
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_delete_sec_context
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_ctx_id_t *context_handle"
+.Fa "gss_buffer_t output_token"
+.Fc
+.Sh DESCRIPTION
+Delete a security context.
+.Fn gss_delete_sec_context
+will delete the local data structures associated with the specified
+security context,
+and may generate an output_token,
+which when passed to the peer
+.Fn gss_process_context_token
+will instruct it to do likewise.
+If no token is required by the mechanism,
+the GSS-API should set the length field of the output_token (if
+provided) to zero.
+No further security services may be obtained using the context
+specified by
+.Fa context_handle .
+.Pp
+In addition to deleting established security contexts,
+.Fn gss_delete_sec_context
+must also be able to delete "half-built" security contexts resulting
+from an incomplete sequence of
+.Fn gss_init_sec_context
+/
+.Fn gss_accept_sec_context
+calls.
+.Pp
+The
+.Fa output_token
+parameter is retained for compatibility with version 1 of the GSS-API.
+It is recommended that both peer applications invoke
+.Fn gss_delete_sec_context
+passing the value
+.Dv GSS_C_NO_BUFFER
+for the
+.Fa output_token
+parameter,
+indicating that no token is required,
+and that
+.Fn gss_delete_sec_context
+should simply delete local context data structures.
+If the application does pass a valid buffer to
+.Fn gss_delete_sec_context ,
+mechanisms are encouraged to return a zero-length token,
+indicating that no peer action is necessary,
+and that no token should be transferred by the application.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+Context handle identifying context to delete.
+After deleting the context,
+the GSS-API will set this context handle to
+.Dv GSS_C_NO_CONTEXT .
+.It output_token
+Token to be sent to remote application to instruct it to also delete
+the context.
+It is recommended that applications specify
+.Dv GSS_C_NO_BUFFER
+for this parameter,
+requesting local deletion only.
+If a buffer parameter is provided by the application,
+the mechanism may return a token in it;
+mechanisms that implement only local deletion should set the length
+field of this token to zero to indicate to the application that no
+token is to be sent to the peer.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_NO_CONTEXT
+No valid context was supplied
+.El
+.Sh SEE ALSO
+.Xr gss_process_context_token 3 ,
+.Xr gss_init_sec_context 3 ,
+.Xr gss_accept_sec_context 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_delete_sec_context.c b/lib/libgssapi/gss_delete_sec_context.c
new file mode 100644
index 000000000000..b1f39c24c0fd
--- /dev/null
+++ b/lib/libgssapi/gss_delete_sec_context.c
@@ -0,0 +1,62 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_delete_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t output_token)
+{
+ OM_uint32 major_status;
+ struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+
+ *minor_status = 0;
+ if (ctx) {
+ /*
+ * If we have an implementation ctx, delete it,
+ * otherwise fake an empty token.
+ */
+ if (ctx->gc_ctx) {
+ major_status = ctx->gc_mech->gm_delete_sec_context(
+ minor_status, &ctx->gc_ctx, output_token);
+ } else if (output_token != GSS_C_NO_BUFFER) {
+ output_token->length = 0;
+ output_token->value = 0;
+ }
+ free(ctx);
+ *context_handle = 0;
+ }
+
+ return (GSS_S_COMPLETE);
+}
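Review bot: major_status is assigned from the mechanism's gm_delete_sec_context call but never read, and the function unconditionally returns GSS_S_COMPLETE, so a mechanism failure is reported to the caller as success while the variable stays uninitialized on the other branches. Initialize it with `OM_uint32 major_status = GSS_S_COMPLETE;` and finish with `return (major_status);` so the mechanism's status propagates; the local context and handle are still released either way, which is what the man page promises. RFC 2744 also lists GSS_S_NO_CONTEXT for a missing context, so returning GSS_S_COMPLETE for a NULL handle here is a deliberate leniency worth a one-line comment if it is intended.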
diff --git a/lib/libgssapi/gss_display_name.3 b/lib/libgssapi/gss_display_name.3
new file mode 100644
index 000000000000..78789533c475
--- /dev/null
+++ b/lib/libgssapi/gss_display_name.3
@@ -0,0 +1,151 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_DISPLAY_NAME 3 PRM
+.Sh NAME
+.Nm gss_display_name
+.Nd Convert internal-form name to text
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_display_name
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t input_name"
+.Fa "gss_buffer_t output_name_buffer"
+.Fa "gss_OID *output_name_type"
+.Fc
+.Sh DESCRIPTION
+Allows an application to obtain a textual representation of an opaque
+internal-form name for display purposes.
+The syntax of a printable name is defined by the GSS-API implementation.
+.Pp
+If
+.Fa input_name
+denotes an anonymous principal,
+the implementation should return the
+.Fa gss_OID
+value
+.Dv GSS_C_NT_ANONYMOUS
+as the
+.Fa output_name_type ,
+and a textual name that is syntactically distinct from all valid
+supported printable names in
+.Fa output_name_buffer .
+.Pp
+If
+.Fa input_name
+was created by a call to
+.Fn gss_import_name ,
+specifying
+.Dv GSS_C_NO_OID
+as the name-type,
+implementations that employ lazy conversion between name types may
+return
+.Dv GSS_C_NO_OID
+via the
+.Fa output_name_type
+parameter.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It input_name
+Name to be displayed.
+.It output_name_buffer
+Buffer to receive textual name string.
+The application must free storage associated with this name after use
+with a call to
+.Fn gss_release_buffer .
+.It output_name_type
+The type of the returned name.
+The returned
+.Fa gss_OID
+will be a pointer into static storage,
+and should be treated as read-only by the caller
+(in particular, the application should not attempt to free it).
+Specify
+.Dv NULL
+if not required.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_BAD_NAME
+.Fa input_name
+was ill-formed
+.El
+.Sh SEE ALSO
+.Xr gss_import_name 3 ,
+.Xr gss_release_buffer 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_display_name.c b/lib/libgssapi/gss_display_name.c
new file mode 100644
index 000000000000..a5c3e5ec2797
--- /dev/null
+++ b/lib/libgssapi/gss_display_name.c
@@ -0,0 +1,78 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_display_name(OM_uint32 *minor_status,
+ const gss_name_t input_name,
+ gss_buffer_t output_name_buffer,
+ gss_OID *output_name_type)
+{
+ OM_uint32 major_status;
+ struct _gss_name *name = (struct _gss_name *) input_name;
+ struct _gss_mechanism_name *mn;
+
+ /*
+ * If we know it, copy the buffer used to import the name in
+ * the first place. Otherwise, ask all the MNs in turn if
+ * they can display the thing.
+ */
+ if (name->gn_value.value) {
+ output_name_buffer->value = malloc(name->gn_value.length);
+ if (!output_name_buffer->value) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ output_name_buffer->length = name->gn_value.length;
+ memcpy(output_name_buffer->value, name->gn_value.value,
+ output_name_buffer->length);
+ if (output_name_type)
+ *output_name_type = &name->gn_type;
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+ } else {
+ SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+ major_status = mn->gmn_mech->gm_display_name(
+ minor_status, mn->gmn_name,
+ output_name_buffer,
+ output_name_type);
+ if (major_status == GSS_S_COMPLETE)
+ return (GSS_S_COMPLETE);
+ }
+ }
+
+ *minor_status = 0;
+ return (GSS_S_FAILURE);
+}
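Review bot: memcpy is called in the gn_value copy without <string.h> in this file's include list (the commit's gss_display_status.c does include it), which is an implicit declaration under C99 unless gssapi.h or name.h pulls it in transitively; add `#include <string.h>`. The function also dereferences input_name unconditionally, so GSS_C_NO_NAME crashes rather than yielding the GSS_S_BAD_NAME the man page lists; guard with `if (name == NULL) { *minor_status = 0; return (GSS_S_BAD_NAME); }`. Note too that `*output_name_type = &name->gn_type;` hands out a pointer into the name object rather than the static storage the man page describes, so it presumably dangles once the caller releases the name; confirm against name.h and either document that lifetime or return the library's canonical static OID. In the fallback loop the last mechanism's minor status is overwritten with 0 on the final failure return, which discards the diagnostic a caller would want to log.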
diff --git a/lib/libgssapi/gss_display_status.3 b/lib/libgssapi/gss_display_status.3
new file mode 100644
index 000000000000..58ded924797b
--- /dev/null
+++ b/lib/libgssapi/gss_display_status.3
@@ -0,0 +1,210 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_DISPLAY_STATUS 3 PRM
+.Sh NAME
+.Nm gss_display_status
+.Nd Convert a GSS-API status code to text
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_display_status
+.Fa "OM_uint32 *minor_status"
+.Fa "OM_uint32 status_value"
+.Fa "int status_type"
+.Fa "const gss_OID mech_type"
+.Fa "OM_uint32 *message_context"
+.Fa "gss_buffer_t status_string"
+.Fc
+.Sh DESCRIPTION
+Allows an application to obtain a textual representation of a GSS-API
+status code,
+for display to the user or for logging purposes.
+Since some status values may indicate multiple conditions,
+applications may need to call
+.Fn gss_display_status
+multiple times,
+each call generating a single text string.
+The
+.Fa message_context
+parameter is used by
+.Fn gss_display_status
+to store state information about which error messages have already
+been extracted from a given
+.Fa status_value ;
+.Fa message_context
+must be initialized to zero by the application prior to the first call,
+and
+.Fn gss_display_status
+will return a non-zero value in this parameter if there are further
+messages to extract.
+.Pp
+The
+.Fa message_context
+parameter contains all state information required by
+.Fn gss_display_status
+in order to extract further messages from the
+.Fa status_value ;
+even when a non-zero value is returned in this parameter,
+the application is not required to call
+.Fn gss_display_status
+again unless subsequent messages are desired.
+The following code extracts all messages from a given status code and prints them to stderr:
+.Bd -literal
+OM_uint32 message_context;
+OM_uint32 status_code;
+OM_uint32 maj_status;
+OM_uint32 min_status;
+gss_buffer_desc status_string;
+
+ ...
+
+message_context = 0;
+
+do {
+
+ maj_status = gss_display_status (
+ &min_status,
+ status_code,
+ GSS_C_GSS_CODE,
+ GSS_C_NO_OID,
+ &message_context,
+ &status_string)
+
+ fprintf(stderr,
+ "%.*s\\n",
+ (int)status_string.length,
+ (char *)status_string.value);
+
+ gss_release_buffer(&min_status, &status_string);
+
+} while (message_context != 0);
+.Ed
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It status_value
+Status value to be converted
+.It status_type
+.Bl -tag
+.It GSS_C_GSS_CODE
+.Fa status_value
+is a GSS status code
+.It GSS_C_MECH_CODE
+.Fa status_value
+is a mechanism status code
+.El
+.It mech_type
+Underlying mechanism (used to interpret a minor status value).
+Supply
+.Dv GSS_C_NO_OID
+to obtain the system default.
+.It message_context
+Should be initialized to zero by the application prior to the first
+call.
+On return from
+.Fn gss_display_status ,
+a non-zero status_value parameter indicates that additional messages
+may be extracted from the status code via subsequent calls to
+.Fn gss_display_status ,
+passing the same
+.Fa status_value ,
+.Fa status_type ,
+.Fa mech_type ,
+and
+.Fa message_context
+parameters.
+.It status_string
+Textual interpretation of the
+.Fa status_value .
+Storage associated with this parameter must be freed by the
+application after use with a call to
+.Fn gss_release_buffer .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_BAD_MECH
+Indicates that translation in accordance with an unsupported mechanism
+type was requested
+.It GSS_S_BAD_STATUS
+The status value was not recognized, or the status type was neither
+.Dv GSS_C_GSS_CODE
+nor
+.Dv GSS_C_MECH_CODE .
+.El
+.Sh SEE ALSO
+.Xr gss_release_buffer 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_display_status.c b/lib/libgssapi/gss_display_status.c
new file mode 100644
index 000000000000..04cf4c71f14e
--- /dev/null
+++ b/lib/libgssapi/gss_display_status.c
@@ -0,0 +1,110 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <string.h>
+
+#include "mech_switch.h"
+
+struct _gss_status_desc {
+ OM_uint32 gs_status;
+ const char* gs_desc;
+};
+
+static struct _gss_status_desc _gss_status_descs[] = {
+ GSS_S_BAD_MECH, "An unsupported mechanism was requested",
+ GSS_S_BAD_NAME, "An invalid name was supplied",
+ GSS_S_BAD_NAMETYPE, "A supplied name was of an unsupported type",
+ GSS_S_BAD_BINDINGS, "Incorrect channel bindings were supplied",
+ GSS_S_BAD_STATUS, "An invalid status code was supplied",
+ GSS_S_BAD_MIC, "A token had an invalid MIC",
+ GSS_S_NO_CRED, "No credentials were supplied, or the "
+ "credentials were unavailable or inaccessible",
+ GSS_S_NO_CONTEXT, "No context has been established",
+ GSS_S_DEFECTIVE_TOKEN, "A token was invalid",
+ GSS_S_DEFECTIVE_CREDENTIAL, "A credential was invalid",
+ GSS_S_CREDENTIALS_EXPIRED, "The referenced credentials have expired",
+ GSS_S_CONTEXT_EXPIRED, "The context has expired",
+ GSS_S_FAILURE, "Miscellaneous failure",
+ GSS_S_BAD_QOP, "The quality-of-protection requested could "
+ "not be provided",
+ GSS_S_UNAUTHORIZED, "The operation is forbidden by local security "
+ "policy",
+ GSS_S_UNAVAILABLE, "The operation or option is unavailable",
+ GSS_S_DUPLICATE_ELEMENT, "The requested credential element already "
+ "exists",
+ GSS_S_NAME_NOT_MN, "The provided name was not a mechanism name"
+};
+#define _gss_status_desc_count \
+ sizeof(_gss_status_descs) / sizeof(_gss_status_descs[0])
+
+
+OM_uint32
+gss_display_status(OM_uint32 *minor_status,
+ OM_uint32 status_value,
+ int status_type,
+ const gss_OID mech_type,
+ OM_uint32 *message_content,
+ gss_buffer_t status_string)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ int i;
+ const char *message;
+
+ *minor_status = 0;
+ switch (status_type) {
+ case GSS_C_GSS_CODE:
+ for (i = 0; i < _gss_status_desc_count; i++) {
+ if (_gss_status_descs[i].gs_status == status_value) {
+ message = _gss_status_descs[i].gs_desc;
+ status_string->length = strlen(message);
+ status_string->value = strdup(message);
+ return (GSS_S_COMPLETE);
+ }
+ }
+
+ /*
+ * Fall through to attempt to get some underlying
+ * implementation to describe the value.
+ */
+ case GSS_C_MECH_CODE:
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ if (mech_type &&
+ !_gss_oid_equal(&m->gm_mech_oid, mech_type))
+ continue;
+ major_status = m->gm_display_status(minor_status,
+ status_value, status_type, mech_type,
+ message_content, status_string);
+ if (major_status == GSS_S_COMPLETE)
+ return (GSS_S_COMPLETE);
+ }
+ }
+
+ return (GSS_S_BAD_STATUS);
+}
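Review bot: The `strdup(message)` result on the table-hit path is never checked, so when the copy fails `status_string->value` is NULL while `status_string->length` has already been set to the message length and GSS_S_COMPLETE is still returned; a caller that reads `length` bytes from `value` then dereferences NULL. Check the copy, set the length only on success, and report `*minor_status = ENOMEM` with GSS_S_FAILURE, which needs `<errno.h>` alongside the existing `<string.h>` include. Two smaller points in the same function: the loop index `i` is an `int` compared against the `sizeof`-derived `_gss_status_desc_count` (sign-compare, and the macro body is unparenthesised), and the parameter is spelled `message_content` here but `message_context` in the manual page added by this commit and in RFC 2744, which is worth aligning.
```c
		if (_gss_status_descs[i].gs_status == status_value) {
			message = _gss_status_descs[i].gs_desc;
			status_string->value = strdup(message);
			if (status_string->value == NULL) {
				status_string->length = 0;
				*minor_status = ENOMEM;
				return (GSS_S_FAILURE);
			}
			status_string->length = strlen(message);
			return (GSS_S_COMPLETE);
		}
	/* … unchanged: fall-through to the mechanism switch loop … */
```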
diff --git a/lib/libgssapi/gss_duplicate_name.3 b/lib/libgssapi/gss_duplicate_name.3
new file mode 100644
index 000000000000..789c79c9193c
--- /dev/null
+++ b/lib/libgssapi/gss_duplicate_name.3
@@ -0,0 +1,123 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_DUPLICATE_NAME 3 PRM
+.Sh NAME
+.Nm gss_duplicate_name
+.Nd Create a copy of an internal name
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_duplicate_name
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t src_name"
+.Fa "gss_name_t *dest_name"
+.Fc
+.Sh DESCRIPTION
+Create an exact duplicate of the existing internal name
+.Fa src_name .
+The new
+.Fa dest_name
+will be independent of
+.Fa src_name
+(i.e.
+.Fa src_name
+and
+.Fa dest_name
+must both be released,
+and the release of one shall not affect the validity of the other).
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It src_name
+Internal name to be duplicated.
+.It dest_name
+The resultant copy of
+.Fa src_name.
+Storage associated with this name must be freed by the application
+after use with a call to
+.Fn gss_release_name .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_BAD_NAME
+The
+.Fa src_name
+parameter was ill-formed
+.El
+.Sh SEE ALSO
+.Xr gss_release_name 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_duplicate_name.c b/lib/libgssapi/gss_duplicate_name.c
new file mode 100644
index 000000000000..b7be18299b7b
--- /dev/null
+++ b/lib/libgssapi/gss_duplicate_name.c
@@ -0,0 +1,78 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32 gss_duplicate_name(OM_uint32 *minor_status,
+ const gss_name_t src_name,
+ gss_name_t *dest_name)
+{
+ OM_uint32 major_status;
+ struct _gss_name *name = (struct _gss_name *) src_name;
+ struct _gss_name *new_name;
+ struct _gss_mechanism_name *mn;
+
+ *minor_status = 0;
+
+ /*
+ * If this name has a value (i.e. it didn't come from
+ * gss_canonicalize_name(), we re-import the thing. Otherwise,
+ * we make an empty name to hold the MN copy.
+ */
+ if (name->gn_value.value) {
+ major_status = gss_import_name(minor_status,
+ &name->gn_value, &name->gn_type, dest_name);
+ if (major_status != GSS_S_COMPLETE)
+ return (major_status);
+ new_name = (struct _gss_name *) *dest_name;
+ } else {
+ new_name = malloc(sizeof(struct _gss_name));
+ if (!new_name) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ memset(new_name, 0, sizeof(struct _gss_name));
+ SLIST_INIT(&name->gn_mn);
+ *dest_name = (gss_name_t) new_name;
+ }
+
+ /*
+ * Import the new name into any mechanisms listed in the
+ * original name. We could probably get away with only doing
+ * this if the original was canonical.
+ */
+ SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+ _gss_find_mn(new_name, mn->gmn_mech_oid);
+ }
+
+ return (GSS_S_COMPLETE);
+}
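Review bot: `SLIST_INIT(&name->gn_mn);` on the malloc branch re-initialises the list head of the source name rather than the freshly allocated copy, so the source silently loses its mechanism names (they are leaked, not freed) and the `SLIST_FOREACH` over `&name->gn_mn` that follows walks an empty list, leaving the duplicate without MNs. The line should read `SLIST_INIT(&new_name->gn_mn);` (the preceding `memset` already zeroes it, so the call then merely makes the intent explicit). Separately, `malloc` and `memset` are used with only `<gssapi/gssapi.h>` and `<errno.h>` included, so the file presumably relies on `<stdlib.h>` and `<string.h>` arriving transitively; including them directly would make it self-contained. The return value of `_gss_find_mn` is also discarded, so a mechanism that fails to import the name is dropped from the copy with no indication to the caller — whether that is acceptable depends on `_gss_find_mn`'s contract, which is not visible in this hunk.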
diff --git a/lib/libgssapi/gss_export_name.3 b/lib/libgssapi/gss_export_name.3
new file mode 100644
index 000000000000..e0e6689db6ff
--- /dev/null
+++ b/lib/libgssapi/gss_export_name.3
@@ -0,0 +1,128 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_EXPORT_NAME 3 PRM
+.Sh NAME
+.Nm gss_export_name
+.Nd Convert an MN to export form
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_export_name
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t input_name"
+.Fa "gss_buffer_t exported_name"
+.Fc
+.Sh DESCRIPTION
+To produce a canonical contiguous string representation of a mechanism
+name (MN),
+suitable for direct comparison
+(e.g. with memcmp)
+for use in authorization functions
+(e.g. matching entries in an access-control list).
+The
+.Fa input_name
+parameter must specify a valid MN
+(i.e. an internal name generated by
+.Fn gss_accept_sec_context
+or by
+.Fn gss_canonicalize_name ).
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It input_name
+The MN to be exported.
+.It exported_name
+The canonical contiguous string form of
+.Fa input_name .
+Storage associated with this string must freed by the application
+after use with
+.Fn gss_release_buffer .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_NAME_NOT_MN
+The provided internal name was not a mechanism name.
+.It GSS_S_BAD_NAME
+The provided internal name was ill-formed.
+.It GSS_S_BAD_NAMETYPE
+The internal name was of a type not supported by the GSS-API implementation.
+.El
+.Sh SEE ALSO
+.Xr gss_accept_sec_context 3 ,
+.Xr gss_canonicalize_name 3 ,
+.Xr gss_release_buffer 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_export_name.c b/lib/libgssapi/gss_export_name.c
new file mode 100644
index 000000000000..f5043339dd89
--- /dev/null
+++ b/lib/libgssapi/gss_export_name.c
@@ -0,0 +1,58 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_export_name(OM_uint32 *minor_status,
+ const gss_name_t input_name,
+ gss_buffer_t exported_name)
+{
+ struct _gss_name *name = (struct _gss_name *) input_name;
+ struct _gss_mechanism_name *mn;
+
+ /*
+ * If this name already has any attached MNs, export the first
+ * one, otherwise export based on the first mechanism in our
+ * list.
+ */
+ mn = SLIST_FIRST(&name->gn_mn);
+ if (!mn)
+ mn = _gss_find_mn(name,
+ &SLIST_FIRST(&_gss_mechs)->gm_mech_oid);
+ if (!mn) {
+ *minor_status = 0;
+ return (GSS_S_BAD_MECH);
+ }
+
+ return mn->gmn_mech->gm_export_name(minor_status,
+ mn->gmn_name, exported_name);
+}
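Review bot: `&SLIST_FIRST(&_gss_mechs)->gm_mech_oid` is evaluated before `_gss_find_mn` is called, so with no mechanisms loaded it forms a pointer relative to a NULL struct (undefined behaviour, and a crash once `_gss_find_mn` touches it) instead of reaching the `GSS_S_BAD_MECH` return below. Guard the fallback with `if (!mn && !SLIST_EMPTY(&_gss_mechs))` so an empty mechanism list drops into the existing error path. The fallback itself also diverges from the manual page added in this commit, which states that `input_name` must already be an MN and lists `GSS_S_NAME_NOT_MN` as a result: here a non-MN name is silently canonicalised with the first mechanism and `GSS_S_NAME_NOT_MN` is never returned, so either the code or the page should be brought into line. A `GSS_C_NO_NAME` (NULL) `input_name` is likewise dereferenced at `&name->gn_mn` without the `GSS_S_BAD_NAME` check the page documents.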
diff --git a/lib/libgssapi/gss_export_sec_context.3 b/lib/libgssapi/gss_export_sec_context.3
new file mode 100644
index 000000000000..f08d229d761a
--- /dev/null
+++ b/lib/libgssapi/gss_export_sec_context.3
@@ -0,0 +1,168 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_EXPORT_SEC_CONTEXT 3 PRM
+.Sh NAME
+.Nm gss_export_sec_context
+.Nd Transfer a security context to another process
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_export_sec_context
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_ctx_id_t *context_handle"
+.Fa "gss_buffer_t interprocess_token"
+.Fc
+.Sh DESCRIPTION
+Provided to support the sharing of work between multiple processes.
+This routine will typically be used by the context-acceptor,
+in an application where a single process receives incoming connection
+requests and accepts security contexts over them,
+then passes the established context to one or more other processes for
+message exchange.
+.Fn gss_export_sec_context
+deactivates the security context for the calling process and creates
+an interprocess token which,
+when passed to
+.Fn gss_import_sec_context
+in another process,
+will re-activate the context in the second process.
+Only a single instantiation of a given context may be active at any
+one time;
+a subsequent attempt by a context exporter to access the exported security context will fail.
+.Pp
+The implementation may constrain the set of processes by which the
+interprocess token may be imported,
+either as a function of local security policy,
+or as a result of implementation decisions.
+For example,
+some implementations may constrain contexts to be passed only between
+processes that run under the same account,
+or which are part of the same process group.
+.Pp
+The interprocess token may contain security-sensitive information
+(for example cryptographic keys).
+While mechanisms are encouraged to either avoid placing such sensitive
+information within interprocess tokens,
+or to encrypt the token before returning it to the application,
+in a typical object-library GSS-API implementation this may not be
+possible.
+Thus the application must take care to protect the interprocess token,
+and ensure that any process to which the token is transferred is
+trustworthy.
+.Pp
+If creation of the interprocess token is successful,
+the implementation shall deallocate all process-wide resources
+associated with the security context,
+and set the context_handle to
+.Dv GSS_C_NO_CONTEXT .
+In the event of an error that makes it impossible to complete the
+export of the security context,
+the implementation must not return an interprocess token,
+and should strive to leave the security context referenced by the
+.Fa context_handle
+parameter untouched.
+If this is impossible,
+it is permissible for the implementation to delete the security
+context,
+providing it also sets the
+.Fa context_handle
+parameter to
+.Dv GSS_C_NO_CONTEXT .
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+Context handle identifying the context to transfer.
+.It interprocess_token
+Token to be transferred to target process.
+Storage associated with this token must be freed by the application
+after use with a call to
+.Fn gss_release_buffer .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_CONTEXT_EXPIRED
+The context has expired
+.It GSS_S_NO_CONTEXT
+The context was invalid
+.It GSS_S_UNAVAILABLE
+The operation is not supported
+.El
+.Sh SEE ALSO
+.Xr gss_import_sec_context 3 ,
+.Xr gss_release_buffer 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_export_sec_context.c b/lib/libgssapi/gss_export_sec_context.c
new file mode 100644
index 000000000000..a7e9b8af72b5
--- /dev/null
+++ b/lib/libgssapi/gss_export_sec_context.c
@@ -0,0 +1,77 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_export_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t interprocess_token)
+{
+ OM_uint32 major_status;
+ struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+ gss_buffer_desc buf;
+
+ major_status = m->gm_export_sec_context(minor_status,
+ &ctx->gc_ctx, &buf);
+
+ if (major_status == GSS_S_COMPLETE) {
+ unsigned char *p;
+
+ free(ctx);
+ *context_handle = GSS_C_NO_CONTEXT;
+ interprocess_token->length = buf.length
+ + 2 + m->gm_mech_oid.length;
+ interprocess_token->value = malloc(interprocess_token->length);
+ if (!interprocess_token->value) {
+ /*
+ * We are in trouble here - the context is
+ * already gone. This is allowed as long as we
+ * set the caller's context_handle to
+ * GSS_C_NO_CONTEXT, which we did above.
+ * Return GSS_S_FAILURE.
+ */
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ p = interprocess_token->value;
+ p[0] = m->gm_mech_oid.length >> 8;
+ p[1] = m->gm_mech_oid.length;
+ memcpy(p + 2, m->gm_mech_oid.elements, m->gm_mech_oid.length);
+ memcpy(p + 2 + m->gm_mech_oid.length, buf.value, buf.length);
+ gss_release_buffer(minor_status, &buf);
+ }
+
+ return (major_status);
+}
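Review bot: On the `malloc` failure path the mechanism's exported buffer `buf` — which, as the manual page in this commit notes, may carry cryptographic key material — is neither released nor handed to the caller, and `interprocess_token->length` is left at the computed size while `value` is NULL. Before `*minor_status = ENOMEM;` add `gss_release_buffer(minor_status, &buf);` and `interprocess_token->length = 0;` so the failure neither leaks the serialised context nor returns an inconsistent buffer. Two further points: `*context_handle` is dereferenced unconditionally, so `GSS_C_NO_CONTEXT` crashes rather than producing the `GSS_S_NO_CONTEXT` result the page documents — `if (ctx == NULL) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }` before the mechanism call would cover it — and `memcpy` is used without `<string.h>`, presumably reached transitively.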
diff --git a/lib/libgssapi/gss_get_mic.3 b/lib/libgssapi/gss_get_mic.3
new file mode 100644
index 000000000000..75498aeb0289
--- /dev/null
+++ b/lib/libgssapi/gss_get_mic.3
@@ -0,0 +1,165 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_GET_MIC 3 PRM
+.Sh NAME
+.Nm gss_get_mic ,
+.Nm gss_sign
+.Nd Calculate a cryptographic message integrity code (MIC) for a
+message; integrity service
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_get_mic
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "gss_qop_t qop_req"
+.Fa "const gss_buffer_t message_buffer"
+.Fa "gss_buffer_t msg_token"
+.Fc
+.Ft OM_uint32
+.Fo gss_sign
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "gss_qop_t qop_req"
+.Fa "gss_buffer_t message_buffer"
+.Fa "gss_buffer_t msg_token"
+.Fc
+.Sh DESCRIPTION
+Generates a cryptographic MIC for the supplied message,
+and places the MIC in a token for transfer to the peer application.
+The
+.Fa qop_req
+parameter allows a choice between several cryptographic algorithms,
+if supported by the chosen mechanism.
+.Pp
+Since some application-level protocols may wish to use tokens emitted
+by
+.Fn gss_wrap
+to provide "secure framing",
+implementations must support derivation of MICs from zero-length messages.
+.Pp
+The
+.Fn gss_sign
+routine is an obsolete variant of
+.Fn gss_get_mic .
+It is
+provided for backwards
+compatibility with applications using the GSS-API V1 interface.
+A distinct entrypoint (as opposed to #define) is provided,
+both to allow GSS-API V1 applications to link
+and to retain the slight parameter type differences between the
+obsolete versions of this routine and its current form.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+Identifies the context on which the message will be sent.
+.It qop_req
+Specifies requested quality of protection.
+Callers are encouraged, on portability grounds,
+to accept the default quality of protection offered by the chosen
+mechanism,
+which may be requested by specifying
+.Dv GSS_C_QOP_DEFAULT
+for this parameter.
+If an unsupported protection strength is requested,
+.Fn gss_get_mic
+will return a
+.Fa major_status
+of
+.Dv GSS_S_BAD_QOP .
+.It message_buffer
+Message to be protected.
+.It msg_token
+Buffer to receive token.
+The application must free storage associated with this buffer after
+use with a call to
+.Fn gss_release_buffer .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_CONTEXT_EXPIRED
+The context has already expired
+.It GSS_S_NO_CONTEXT
+The context_handle parameter did not identify a valid context
+.It GSS_S_BAD_QOP
+The specified QOP is not supported by the mechanism
+.El
+.Sh SEE ALSO
+.Xr gss_wrap 3 ,
+.Xr gss_release_buffer 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_get_mic.c b/lib/libgssapi/gss_get_mic.c
new file mode 100644
index 000000000000..a3495ecfe794
--- /dev/null
+++ b/lib/libgssapi/gss_get_mic.c
@@ -0,0 +1,46 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_get_mic(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ const gss_buffer_t message_buffer,
+ gss_buffer_t message_token)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_get_mic(minor_status, ctx->gc_ctx, qop_req,
+ message_buffer, message_token));
+}
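Review bot: `gss_get_mic` dereferences `context_handle` unconditionally (`ctx->gc_mech`), so a caller passing GSS_C_NO_CONTEXT gets a NULL dereference rather than the GSS_S_NO_CONTEXT result that the manual page added in this same commit lists for an invalid handle. Add a guard before the mechanism dispatch: `if (ctx == NULL) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }`. The same unconditional dereference of the caller's handle appears in `gss_export_sec_context` earlier in this commit, where `*context_handle` is dereferenced before any check.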
diff --git a/lib/libgssapi/gss_import_name.3 b/lib/libgssapi/gss_import_name.3
new file mode 100644
index 000000000000..e356f74ce209
--- /dev/null
+++ b/lib/libgssapi/gss_import_name.3
@@ -0,0 +1,139 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_IMPORT_NAME 3 PRM
+.Sh NAME
+.Nm gss_import_name
+.Nd Convert a contiguous string name to internal-form
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_import_name
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_buffer_t input_name_buffer"
+.Fa "const gss_OID input_name_type"
+.Fa "gss_name_t *output_name"
+.Fc
+.Sh DESCRIPTION
+Convert a contiguous string name to internal form.
+In general,
+the internal name returned (via the
+.Fa output_name
+parameter) will not be an MN;
+the exception to this is if the
+.Fa input_name_type
+indicates that the contiguous string provided via the
+.Fa input_name_buffer
+parameter is of type
+.Dv GSS_C_NT_EXPORT_NAME ,
+in which case the returned internal name will be an MN for the
+mechanism that exported the name.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It input_name_buffer
+Buffer containing contiguous string name to convert.
+.It input_name_type
+Object ID specifying type of printable name.
+Applications may specify either
+.Dv GSS_C_NO_OID
+to use a mechanism-specific default printable syntax,
+or an OID recognized by the GSS-API implementation to name a specific
+namespace.
+.It output_name
+Returned name in internal form.
+Storage associated with this name must be freed by the application
+after use with a call to
+.Fn gss_release_name .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_BAD_NAMETYPE
+The
+.Fa input_name_type
+was unrecognized
+.It GSS_S_BAD_NAME
+The
+.Fa input_name
+parameter could not be interpreted as a name of the specified type
+.It GSS_S_BAD_MECH
+The input name-type was
+.Dv GSS_C_NT_EXPORT_NAME ,
+but the mechanism contained within the input-name is not supported
+.El
+.Sh SEE ALSO
+.Xr gss_release_name 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_import_name.c b/lib/libgssapi/gss_import_name.c
new file mode 100644
index 000000000000..638df2510663
--- /dev/null
+++ b/lib/libgssapi/gss_import_name.c
@@ -0,0 +1,219 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "utils.h"
+#include "name.h"
+
+static OM_uint32
+_gss_import_export_name(OM_uint32 *minor_status,
+ const gss_buffer_t input_name_buffer,
+ gss_name_t *output_name)
+{
+ OM_uint32 major_status;
+ unsigned char *p = input_name_buffer->value;
+ size_t len = input_name_buffer->length;
+ size_t t;
+ gss_OID_desc mech_oid;
+ struct _gss_mech_switch *m;
+ struct _gss_name *name;
+ struct _gss_mechanism_name *mn;
+ gss_name_t new_canonical_name;
+
+ *minor_status = 0;
+ *output_name = 0;
+
+ /*
+ * Make sure that TOK_ID is {4, 1}.
+ */
+ if (len < 2)
+ return (GSS_S_BAD_NAME);
+ if (p[0] != 4 || p[1] != 1)
+ return (GSS_S_BAD_NAME);
+ p += 2;
+ len -= 2;
+
+ /*
+ * Get the mech length and the name length and sanity
+ * check the size of of the buffer.
+ */
+ if (len < 2)
+ return (GSS_S_BAD_NAME);
+ t = (p[0] << 8) + p[1];
+ p += 2;
+ len -= 2;
+
+ /*
+ * Check the DER encoded OID to make sure it agrees with the
+ * length we just decoded.
+ */
+ if (p[0] != 6) /* 6=OID */
+ return (GSS_S_BAD_NAME);
+ p++;
+ len--;
+ t--;
+ if (p[0] & 0x80) {
+ int digits = p[0];
+ p++;
+ len--;
+ t--;
+ mech_oid.length = 0;
+ while (digits--) {
+ mech_oid.length = (mech_oid.length << 8) | p[0];
+ p++;
+ len--;
+ t--;
+ }
+ } else {
+ mech_oid.length = p[0];
+ p++;
+ len--;
+ t--;
+ }
+ if (mech_oid.length != t)
+ return (GSS_S_BAD_NAME);
+
+ mech_oid.elements = p;
+
+ if (len < t + 4)
+ return (GSS_S_BAD_NAME);
+ p += t;
+ len -= t;
+
+ t = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+ p += 4;
+ len -= 4;
+
+ if (len != t)
+ return (GSS_S_BAD_NAME);
+
+ m = _gss_find_mech_switch(&mech_oid);
+ if (!m)
+ return (GSS_S_BAD_MECH);
+
+ /*
+ * Ask the mechanism to import the name.
+ */
+ major_status = m->gm_import_name(minor_status,
+ input_name_buffer, GSS_C_NT_EXPORT_NAME, &new_canonical_name);
+
+ /*
+ * Now we make a new name and mark it as an MN.
+ */
+ name = _gss_make_name(m, new_canonical_name);
+ if (!name) {
+ m->gm_release_name(minor_status, &new_canonical_name);
+ return (GSS_S_FAILURE);
+ }
+
+ *output_name = (gss_name_t) name;
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+gss_import_name(OM_uint32 *minor_status,
+ const gss_buffer_t input_name_buffer,
+ const gss_OID input_name_type,
+ gss_name_t *output_name)
+{
+ gss_OID name_type = input_name_type;
+ OM_uint32 major_status;
+ struct _gss_name *name;
+
+ if (input_name_buffer->length == 0) {
+ *minor_status = 0;
+ *output_name = 0;
+ return (GSS_S_BAD_NAME);
+ }
+
+ /*
+ * Use GSS_NT_USER_NAME as default name type.
+ */
+ if (name_type == GSS_C_NO_OID)
+ name_type = GSS_C_NT_USER_NAME;
+
+ /*
+ * If this is an exported name, we need to parse it to find
+ * the mechanism and then import it as an MN. See RFC 2743
+ * section 3.2 for a description of the format.
+ */
+ if (_gss_oid_equal(name_type, GSS_C_NT_EXPORT_NAME)) {
+ return _gss_import_export_name(minor_status,
+ input_name_buffer, output_name);
+ }
+
+ /*
+ * Only allow certain name types. This is pretty bogus - we
+ * should figure out the list of supported name types using
+ * gss_inquire_names_for_mech.
+ */
+ if (!_gss_oid_equal(name_type, GSS_C_NT_USER_NAME)
+ && !_gss_oid_equal(name_type, GSS_C_NT_MACHINE_UID_NAME)
+ && !_gss_oid_equal(name_type, GSS_C_NT_STRING_UID_NAME)
+ && !_gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE_X)
+ && !_gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE)
+ && !_gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS)
+ && !_gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {
+ *minor_status = 0;
+ *output_name = 0;
+ return (GSS_S_BAD_NAMETYPE);
+ }
+
+ *minor_status = 0;
+ name = malloc(sizeof(struct _gss_name));
+ if (!name) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ memset(name, 0, sizeof(struct _gss_name));
+
+ major_status = _gss_copy_oid(minor_status,
+ name_type, &name->gn_type);
+ if (major_status) {
+ free(name);
+ return (GSS_S_FAILURE);
+ }
+
+ major_status = _gss_copy_buffer(minor_status,
+ input_name_buffer, &name->gn_value);
+ if (major_status) {
+ gss_release_name(minor_status, (gss_name_t*) &name);
+ return (GSS_S_FAILURE);
+ }
+
+ SLIST_INIT(&name->gn_mn);
+
+ *output_name = (gss_name_t) name;
+ return (GSS_S_COMPLETE);
+}
diff --git a/lib/libgssapi/gss_import_sec_context.3 b/lib/libgssapi/gss_import_sec_context.3
new file mode 100644
index 000000000000..4509c2e18f31
--- /dev/null
+++ b/lib/libgssapi/gss_import_sec_context.3
@@ -0,0 +1,120 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_IMPORT_SEC_CONTEXT 3 PRM
+.Sh NAME
+.Nm gss_import_sec_context
+.Nd Import a transferred context
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_import_sec_context
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_buffer_t interprocess_token"
+.Fa "gss_ctx_id_t *context_handle"
+.Fc
+.Sh DESCRIPTION
+Allows a process to import a security context established by another
+process.
+A given interprocess token may be imported only once.
+See
+.Fn gss_export_sec_context .
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It interprocess_token
+Token received from exporting process.
+.It context_handle
+Context handle of newly reactivated context.
+Resources associated with this context handle must be released by the
+application after use with a call to
+.Fn gss_delete_sec_context .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_NO_CONTEXT
+The token did not contain a valid context reference
+.It GSS_S_DEFECTIVE_TOKEN
+The token was invalid
+.It GSS_S_UNAVAILABLE
+The operation is unavailable
+.It GSS_S_UNAUTHORIZED
+Local policy prevents the import of this context by the current process
+.El
+.Sh SEE ALSO
+.Xr gss_export_sec_context 3 ,
+.Xr gss_delete_sec_context 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_import_sec_context.c b/lib/libgssapi/gss_import_sec_context.c
new file mode 100644
index 000000000000..ce3ddd10c3f3
--- /dev/null
+++ b/lib/libgssapi/gss_import_sec_context.c
@@ -0,0 +1,86 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_import_sec_context(OM_uint32 *minor_status,
+ const gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_context *ctx;
+ gss_OID_desc mech_oid;
+ gss_buffer_desc buf;
+ unsigned char *p;
+ size_t len;
+
+ *minor_status = 0;
+ *context_handle = 0;
+
+ /*
+ * We added an oid to the front of the token in
+ * gss_export_sec_context.
+ */
+ p = interprocess_token->value;
+ len = interprocess_token->length;
+ if (len < 2)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ mech_oid.length = (p[0] << 8) | p[1];
+ if (len < mech_oid.length + 2)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ mech_oid.elements = p + 2;
+ buf.length = len - 2 - mech_oid.length;
+ buf.value = p + 2 + mech_oid.length;
+
+ m = _gss_find_mech_switch(&mech_oid);
+ if (!m)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
+ ctx = malloc(sizeof(struct _gss_context));
+ if (!ctx) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ ctx->gc_mech = m;
+ major_status = m->gm_import_sec_context(minor_status,
+ &buf, &ctx->gc_ctx);
+ if (major_status != GSS_S_COMPLETE) {
+ free(ctx);
+ } else {
+ *context_handle = (gss_ctx_id_t) ctx;
+ }
+
+ return (major_status);
+}
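Review bot: `*context_handle = 0;` at the top of `gss_import_sec_context` should be `*context_handle = GSS_C_NO_CONTEXT;`, matching what `gss_export_sec_context` writes on success earlier in this commit and the documented convention for an absent handle. The context is also obtained with `malloc(sizeof(struct _gss_context))` and only `gc_mech` and `gc_ctx` are assigned, so any further member of `struct _gss_context` (its definition is in context.h, not in this hunk) would be left indeterminate; `ctx = calloc(1, sizeof *ctx);` avoids that at no cost and also follows the `sizeof *ptr` idiom.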
diff --git a/lib/libgssapi/gss_indicate_mechs.3 b/lib/libgssapi/gss_indicate_mechs.3
new file mode 100644
index 000000000000..efddcecfe26c
--- /dev/null
+++ b/lib/libgssapi/gss_indicate_mechs.3
@@ -0,0 +1,107 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_INDICATE_MECHS 3 PRM
+.Sh NAME
+.Nm gss_indicate_mechs
+.Nd Determine available underlying authentication mechanisms
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_indicate_mechs
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_OID_set *mech_set"
+.Fc
+.Sh DESCRIPTION
+Allows an application to determine which underlying security
+mechanisms are available.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It mech_set
+Set of implementation-supported mechanisms.
+The returned
+.Fa mech_set
+value will be a dynamically-allocated OID set,
+that should be released by the caller after use with a call to
+.Fn gss_release_oid_set .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.El
+.Sh SEE ALSO
+.Xr gss_release_oid_set 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_indicate_mechs.c b/lib/libgssapi/gss_indicate_mechs.c
new file mode 100644
index 000000000000..7abab20fc548
--- /dev/null
+++ b/lib/libgssapi/gss_indicate_mechs.c
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+
+OM_uint32
+gss_indicate_mechs(OM_uint32 *minor_status,
+ gss_OID_set *mech_set)
+{
+ struct _gss_mech_switch *m;
+ OM_uint32 major_status;
+ gss_OID_set set;
+ int i;
+
+ _gss_load_mech();
+
+ major_status = gss_create_empty_oid_set(minor_status, mech_set);
+ if (major_status)
+ return (major_status);
+
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ major_status = m->gm_indicate_mechs(minor_status, &set);
+ if (major_status)
+ continue;
+ for (i = 0; i < set->count; i++)
+ major_status = gss_add_oid_set_member(minor_status,
+ &set->elements[i], mech_set);
+ gss_release_oid_set(minor_status, &set);
+ }
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+}
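Review bot: The return value of gss_add_oid_set_member in the inner loop is assigned to major_status but never tested, so an allocation failure while growing *mech_set is discarded and the function still returns GSS_S_COMPLETE with a silently truncated mechanism list; the trailing `*minor_status = 0` also erases whatever the failing call reported. The loop should stop at the first failure and release both the per-mechanism set and the partially built result before returning the error. A smaller point: `int i` is compared against `set->count`, which RFC 2744 declares as size_t, so `size_t i` avoids the signed/unsigned comparison. Whether gss_release_oid_set is the right deallocator for a set handed back by a plugin's gm_indicate_mechs depends on the mechanism ABI declared in mech_switch.h, which is outside this hunk.
```c
	SLIST_FOREACH(m, &_gss_mechs, gm_link) {
		major_status = m->gm_indicate_mechs(minor_status, &set);
		if (major_status)
			continue;
		for (i = 0; i < set->count; i++) {
			major_status = gss_add_oid_set_member(minor_status,
			    &set->elements[i], mech_set);
			if (major_status) {
				OM_uint32 junk;

				/* keep the failing call's minor status */
				gss_release_oid_set(&junk, &set);
				gss_release_oid_set(&junk, mech_set);
				return (major_status);
			}
		}
		gss_release_oid_set(minor_status, &set);
	}
	/* … unchanged: clear *minor_status and return GSS_S_COMPLETE … */
```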
diff --git a/lib/libgssapi/gss_init_sec_context.3 b/lib/libgssapi/gss_init_sec_context.3
new file mode 100644
index 000000000000..a407fba9257c
--- /dev/null
+++ b/lib/libgssapi/gss_init_sec_context.3
@@ -0,0 +1,571 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_INIT_SEC_CONTEXT 3 PRM
+.Sh NAME
+.Nm gss_init_sec_context
+.Nd Initiate a security context with a peer application
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_init_sec_context
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_cred_id_t initiator_cred_handle"
+.Fa "gss_ctx_id_t *context_handle"
+.Fa "const gss_name_t target_name"
+.Fa "const gss_OID mech_type"
+.Fa "OM_uint32 req_flags"
+.Fa "OM_uint32 time_req"
+.Fa "const gss_channel_bindings_t input_chan_bindings"
+.Fa "const gss_buffer_t input_token"
+.Fa "gss_OID *actual_mech_type"
+.Fa "gss_buffer_t output_token"
+.Fa "OM_uint32 *ret_flags"
+.Fa "OM_uint32 *time_rec"
+.Fc
+.Sh DESCRIPTION
+Initiates the establishment of a security context between the
+application and a remote peer.
+Initially, the input_token parameter should be specified either as
+.Dv GSS_C_NO_BUFFER, or as a pointer to a
+gss_buffer_desc object whose length field contains the value zero.
+The routine may return a output_token which should be transferred to
+the peer application, where the peer application will present it to
+.Xr gss_accept_sec_context 3 . If no token need be sent,
+.Fn gss_init_sec_context
+will indicate this by setting the
+.Dv length field
+of the output_token argument to zero. To complete the context
+establishment, one or more reply tokens may be required from the peer
+application; if so,
+.Fn gss_init_sec_context
+will return a status
+containing the supplementary information bit
+.Dv GSS_S_CONTINUE_NEEDED.
+In this case,
+.Fn gss_init_sec_context
+should be called again when the reply token is received from the peer
+application, passing the reply token to
+.Fn gss_init_sec_context
+via the input_token parameters.
+.Pp
+Portable applications should be constructed to use the token length
+and return status to determine whether a token needs to be sent or
+waited for. Thus a typical portable caller should always invoke
+.Fn gss_init_sec_context
+within a loop:
+.Bd -literal
+int context_established = 0;
+gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+ ...
+input_token->length = 0;
+
+while (!context_established) {
+ maj_stat = gss_init_sec_context(&min_stat,
+ cred_hdl,
+ &context_hdl,
+ target_name,
+ desired_mech,
+ desired_services,
+ desired_time,
+ input_bindings,
+ input_token,
+ &actual_mech,
+ output_token,
+ &actual_services,
+ &actual_time);
+ if (GSS_ERROR(maj_stat)) {
+ report_error(maj_stat, min_stat);
+ };
+
+ if (output_token->length != 0) {
+ send_token_to_peer(output_token);
+ gss_release_buffer(&min_stat, output_token)
+ };
+ if (GSS_ERROR(maj_stat)) {
+
+ if (context_hdl != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&min_stat,
+ &context_hdl,
+ GSS_C_NO_BUFFER);
+ break;
+ };
+
+ if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+ receive_token_from_peer(input_token);
+ } else {
+ context_established = 1;
+ };
+};
+.Ed
+.Pp
+Whenever the routine returns a major status that includes the value
+.Dv GSS_S_CONTINUE_NEEDED, the context is not fully established and the
+following restrictions apply to the output parameters:
+.Bl -bullet
+.It
+The value returned via the
+.Fa time_rec
+parameter is undefined Unless
+the accompanying
+.Fa ret_flags
+parameter contains the bit
+.Dv GSS_C_PROT_READY_FLAG, indicating that per-message services may be
+applied in advance of a successful completion status, the value
+returned via the
+.Fa actual_mech_type
+parameter is undefined until the
+routine returns a major status value of
+.Dv GSS_S_COMPLETE.
+.It
+The values of the
+.Dv GSS_C_DELEG_FLAG ,
+.Dv GSS_C_MUTUAL_FLAG ,
+.Dv GSS_C_REPLAY_FLAG ,
+.Dv GSS_C_SEQUENCE_FLAG ,
+.Fv GSS_C_CONF_FLAG ,
+.Dv GSS_C_INTEG_FLAG and
+.Dv GSS_C_ANON_FLAG bits returned via the
+.Fa ret_flags
+parameter should contain the values that the
+implementation expects would be valid if context establishment
+were to succeed. In particular, if the application has requested
+a service such as delegation or anonymous authentication via the
+.Fa req_flags
+argument, and such a service is unavailable from the
+underlying mechanism,
+.Fn gss_init_sec_context
+should generate a token
+that will not provide the service, and indicate via the
+.Fa ret_flags
+argument that the service will not be supported. The application
+may choose to abort the context establishment by calling
+.Xr gss_delete_sec_context 3
+(if it cannot continue in the absence of
+the service), or it may choose to transmit the token and continue
+context establishment (if the service was merely desired but not
+mandatory).
+.It
+The values of the
+.Dv GSS_C_PROT_READY_FLAG and
+.Dv GSS_C_TRANS_FLAG bits
+within
+.Fa ret_flags
+should indicate the actual state at the time
+.Fn gss_init_sec_context
+returns, whether or not the context is fully established.
+.It
+GSS-API implementations that support per-message protection are
+encouraged to set the
+.Dv GSS_C_PROT_READY_FLAG in the final
+.Fa ret_flags
+returned to a caller (i.e. when accompanied by a
+.Dv GSS_S_COMPLETE
+status code). However, applications should not rely on this
+behavior as the flag was not defined in Version 1 of the GSS-API.
+Instead, applications should determine what per-message services
+are available after a successful context establishment according
+to the
+.Dv GSS_C_INTEG_FLAG and
+.Dv GSS_C_CONF_FLAG values.
+.It
+All other bits within the
+.Fa ret_flags
+argument should be set to
+zero.
+.El
+.Pp
+If the initial call of
+.Fn gss_init_sec_context
+fails, the
+implementation should not create a context object, and should leave
+the value of the
+.Fa context_handle
+parameter set to
+.Dv GSS_C_NO_CONTEXT to
+indicate this. In the event of a failure on a subsequent call, the
+implementation is permitted to delete the "half-built" security
+context (in which case it should set the
+.Fa context_handle
+parameter to
+.Dv GSS_C_NO_CONTEXT ), but the preferred behavior is to leave the
+security context untouched for the application to delete (using
+.Xr gss_delete_sec_context 3 ).
+.Pp
+During context establishment, the informational status bits
+.Dv GSS_S_OLD_TOKEN and
+.Dv GSS_S_DUPLICATE_TOKEN indicate fatal errors, and
+GSS-API mechanisms should always return them in association with a
+routine error of
+.Dv GSS_S_FAILURE .
+This requirement for pairing did not
+exist in version 1 of the GSS-API specification, so applications that
+wish to run over version 1 implementations must special-case these
+codes.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It initiator_cred_handle
+handle for credentials claimed. Supply
+.Dv GSS_C_NO_CREDENTIAL to act as a default
+initiator principal. If no default
+initiator is defined, the function will
+return
+.Dv GSS_S_NO_CRED.
+.It context_handle
+context handle for new context. Supply
+.Dv GSS_C_NO_CONTEXT for first call; use value
+returned by first call in continuation calls.
+Resources associated with this context-handle
+must be released by the application after use
+with a call to
+.Fn gss_delete_sec_context .
+.It target_name
+Name of target
+.It mech_type
+Object ID of desired mechanism. Supply
+.Dv GSS_C_NO_OID to obtain an implementation
+specific default
+.It req_flags
+Contains various independent flags, each of
+which requests that the context support a
+specific service option. Symbolic
+names are provided for each flag, and the
+symbolic names corresponding to the required
+flags should be logically-ORed
+together to form the bit-mask value. The
+flags are:
+.Bl -tag -width "WW"
+.It GSS_C_DELEG_FLAG
+.Bl -tag -width "False"
+.It True
+Delegate credentials to remote peer
+.It False
+Don't delegate
+.El
+.It GSS_C_MUTUAL_FLAG
+.Bl -tag -width "False"
+.It True
+Request that remote peer authenticate itself
+.It False
+Authenticate self to remote peer only
+.El
+.It GSS_C_REPLAY_FLAG
+.Bl -tag -width "False"
+.It True
+Enable replay detection for messages protected with
+.Xr gss_wrap 3
+or
+.Xr gss_get_mic 3
+.It False
+Don't attempt to detect replayed messages
+.El
+.It GSS_C_SEQUENCE_FLAG
+.Bl -tag -width "False"
+.It True
+Enable detection of out-of-sequence protected messages
+.It False
+Don't attempt to detect out-of-sequence messages
+.El
+.It GSS_C_CONF_FLAG
+.Bl -tag -width "False"
+.It True
+Request that confidentiality service be made available (via
+.Xr gss_wrap 3 )
+.It False
+No per-message confidentiality service is required.
+.El
+.It GSS_C_INTEG_FLAG
+.Bl -tag -width "False"
+.It True
+Request that integrity service be made available (via
+.Xr gss_wrap 3
+or
+.Xr gss_get_mic 3 )
+.It False
+No per-message integrity service is required.
+.El
+.It GSS_C_ANON_FLAG
+.Bl -tag -width "False"
+.It True
+Do not reveal the initiator's identity to the acceptor.
+.It False
+Authenticate normally.
+.El
+.El
+.It time_req
+Desired number of seconds for which context
+should remain valid. Supply 0 to request a
+default validity period.
+.It input_chan_bindings
+Application-specified bindings. Allows
+application to securely bind channel
+identification information to the security
+context. Specify
+.Dv GSS_C_NO_CHANNEL_BINDINGS
+if channel bindings are not used.
+.It input_token
+Token received from peer application.
+Supply
+.Dv GSS_C_NO_BUFFER, or a pointer to
+a buffer containing the value
+.Dv GSS_C_EMPTY_BUFFER
+on initial call.
+.It actual_mech_type
+Actual mechanism used. The OID returned via
+this parameter will be a pointer to static
+storage that should be treated as read-only;
+In particular the application should not attempt
+to free it. Specify
+.Dv NULL if not required.
+.It output_token
+token to be sent to peer application. If
+the length field of the returned buffer is
+zero, no token need be sent to the peer
+application. Storage associated with this
+buffer must be freed by the application
+after use with a call to
+.Xr gss_release_buffer 3 .
+.It ret_flags
+Contains various independent flags, each of which
+indicates that the context supports a specific
+service option. Specify
+.Dv NULL if not
+required. Symbolic names are provided
+for each flag, and the symbolic names
+corresponding to the required flags should be
+logically-ANDed with the
+.Fa ret_flags
+value to test
+whether a given option is supported by the
+context. The flags are:
+.Bl -tag -width "WW"
+.It GSS_C_DELEG_FLAG
+.Bl -tag -width "False"
+.It True
+Credentials were delegated to the remote peer
+.It False
+No credentials were delegated
+.El
+.It GSS_C_MUTUAL_FLAG
+.Bl -tag -width "False"
+.It True
+The remote peer has authenticated itself.
+.It False
+Remote peer has not authenticated itself.
+.El
+.It GSS_C_REPLAY_FLAG
+.Bl -tag -width "False"
+.It True
+Replay of protected messages will be detected
+.It False
+Replayed messages will not be detected
+.El
+.It GSS_C_SEQUENCE_FLAG
+.Bl -tag -width "False"
+.It True
+Out-of-sequence protected messages will be detected
+.It False
+Out-of-sequence messages will not be detected
+.El
+.It GSS_C_CONF_FLAG
+.Bl -tag -width "False"
+.It True
+Confidentiality service may be invoked by calling
+.Xr gss_wrap 3
+routine
+.It False
+No confidentiality service (via
+.Xr gss_wrap 3 ) available.
+.Xr gss_wrap 3 will
+provide message encapsulation,
+data-origin authentication and
+integrity services only.
+.El
+.It GSS_C_INTEG_FLAG
+.Bl -tag -width "False"
+.It True
+Integrity service may be invoked by calling either
+.Xr gss_get_mic 3
+or
+.Xr gss_wrap 3
+routines.
+.It False
+Per-message integrity service unavailable.
+.El
+.It GSS_C_ANON_FLAG
+.Bl -tag -width "False"
+.It True
+The initiator's identity has not been
+revealed, and will not be revealed if
+any emitted token is passed to the
+acceptor.
+.It False
+The initiator's identity has been or will be authenticated normally.
+.El
+.It GSS_C_PROT_READY_FLAG
+.Bl -tag -width "False"
+.It True
+Protection services (as specified by the states of the
+.Dv GSS_C_CONF_FLAG
+and
+.Dv GSS_C_INTEG_FLAG ) are available for
+use if the accompanying major status
+return value is either
+.Dv GSS_S_COMPLETE
+or
+.Dv GSS_S_CONTINUE_NEEDED.
+.It False
+Protection services (as specified by the states of the
+.Dv GSS_C_CONF_FLAG
+and
+.Dv GSS_C_INTEG_FLAG ) are available
+only if the accompanying major status
+return value is
+.Dv GSS_S_COMPLETE.
+.El
+.It GSS_C_TRANS_FLAG
+.Bl -tag -width "False"
+.It True
+The resultant security context may be transferred to other processes via
+a call to
+.Fn gss_export_sec_context .
+.It False
+The security context is not transferable.
+.El
+.El
+.Pp
+All other bits should be set to zero.
+.It time_rec
+Number of seconds for which the context
+will remain valid. If the implementation does
+not support context expiration, the value
+.Dv GSS_C_INDEFINITE will be returned. Specify
+.Dv NULL if not required.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_CONTINUE_NEEDED
+Indicates that a token from the peer
+application is required to complete the
+context, and that gss_init_sec_context
+must be called again with that token.
+.It GSS_S_DEFECTIVE_TOKEN
+Indicates that consistency checks performed
+on the input_token failed
+.It GSS_S_DEFECTIVE_CREDENTIAL
+Indicates that consistency checks
+performed on the credential failed.
+.It GSS_S_NO_CRED
+The supplied credentials were not valid for
+context initiation, or the credential handle
+did not reference any credentials.
+.It GSS_S_CREDENTIALS_EXPIRED
+The referenced credentials have expired
+.It GSS_S_BAD_BINDINGS
+The input_token contains different channel
+bindings to those specified via the
+input_chan_bindings parameter
+.It GSS_S_BAD_SIG
+The input_token contains an invalid MIC, or a MIC
+that could not be verified
+.It GSS_S_OLD_TOKEN
+The input_token was too old. This is a fatal
+error during context establishment
+.It GSS_S_DUPLICATE_TOKEN
+The input_token is valid, but is a duplicate
+of a token already processed. This is a
+fatal error during context establishment.
+.It GSS_S_NO_CONTEXT
+Indicates that the supplied context handle did
+not refer to a valid context
+.It GSS_S_BAD_NAMETYPE
+The provided target_name parameter contained an
+invalid or unsupported type of name
+.It GSS_S_BAD_NAME
+The provided target_name parameter was ill-formed.
+.It GSS_S_BAD_MECH
+The specified mechanism is not supported by the
+provided credential, or is unrecognized by the
+implementation.
+.El
+.Sh SEE ALSO
+.Xr gss_accept_sec_context 3 ,
+.Xr gss_delete_sec_context 3 ,
+.Xr gss_get_mic 3 ,
+.Xr gss_release_buffer 3 ,
+.Xr gss_wrap 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.El
+.\" .Sh HISTORY
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_init_sec_context.c b/lib/libgssapi/gss_init_sec_context.c
new file mode 100644
index 000000000000..46e3213b6053
--- /dev/null
+++ b/lib/libgssapi/gss_init_sec_context.c
@@ -0,0 +1,129 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "name.h"
+#include "cred.h"
+#include "context.h"
+
+OM_uint32
+gss_init_sec_context(OM_uint32 * minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t * context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_name *name = (struct _gss_name *) target_name;
+ struct _gss_mechanism_name *mn;
+ struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+ struct _gss_cred *cred = (struct _gss_cred *) initiator_cred_handle;
+ struct _gss_mechanism_cred *mc;
+ gss_cred_id_t cred_handle;
+ int allocated_ctx;
+
+ *minor_status = 0;
+
+ /*
+ * If we haven't allocated a context yet, do so now and lookup
+ * the mechanism switch table. If we have one already, make
+ * sure we use the same mechanism switch as before.
+ */
+ if (!ctx) {
+ ctx = malloc(sizeof(struct _gss_context));
+ if (!ctx) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ memset(ctx, 0, sizeof(struct _gss_context));
+ m = ctx->gc_mech = _gss_find_mech_switch(mech_type);
+ if (!m) {
+ free(ctx);
+ return (GSS_S_BAD_MECH);
+ }
+ allocated_ctx = 1;
+ } else {
+ m = ctx->gc_mech;
+ allocated_ctx = 0;
+ }
+
+ /*
+ * Find the MN for this mechanism.
+ */
+ mn = _gss_find_mn(name, mech_type);
+
+ /*
+ * If we have a cred, find the cred for this mechanism.
+ */
+ cred_handle = GSS_C_NO_CREDENTIAL;
+ if (cred) {
+ SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+ if (_gss_oid_equal(mech_type, mc->gmc_mech_oid)) {
+ cred_handle = mc->gmc_cred;
+ break;
+ }
+ }
+ }
+
+ major_status = m->gm_init_sec_context(minor_status,
+ cred_handle,
+ &ctx->gc_ctx,
+ mn->gmn_name,
+ mech_type,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec);
+
+ if (major_status != GSS_S_COMPLETE
+ && major_status != GSS_S_CONTINUE_NEEDED) {
+ if (allocated_ctx)
+ free(ctx);
+ } else {
+ *context_handle = (gss_ctx_id_t) ctx;
+ }
+
+ return (major_status);
+}
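Review bot: The result of `_gss_find_mn(name, mech_type)` is dereferenced unconditionally as `mn->gmn_name` in the gm_init_sec_context call with no check that the lookup succeeded, so a target_name the mechanism cannot import (or GSS_C_NO_NAME, if _gss_find_mn does not tolerate a NULL name) would fault inside the library instead of returning an error, and on a first call the freshly malloc'd ctx would leak on any early return taken between its allocation and the final status check. The lookup should fail cleanly, freeing ctx when allocated_ctx is set, as in the excerpt below. Two smaller points: memset is called on the new context but <string.h> is not among the headers this hunk includes (it may arrive transitively, but an explicit include is cheaper than relying on that), and on continuation calls the comment promises the same mechanism switch as before, yet the caller-supplied mech_type is still what drives _gss_find_mn, the credential search and the mechanism call — if a caller passes a different OID later, those lookups and ctx->gc_mech can disagree, so the OID recorded for ctx->gc_mech looks like the safer value to use after the first call.
```c
	/* … unchanged: context allocation / mechanism switch lookup … */
	mn = _gss_find_mn(name, mech_type);
	if (!mn) {
		if (allocated_ctx)
			free(ctx);
		return (GSS_S_BAD_NAME);
	}
	/* … unchanged: credential lookup and gm_init_sec_context call … */
```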
diff --git a/lib/libgssapi/gss_inquire_context.3 b/lib/libgssapi/gss_inquire_context.3
new file mode 100644
index 000000000000..3c8847c27649
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_context.3
@@ -0,0 +1,284 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_INQUIRE_CONTEXT 3 PRM
+.Sh NAME
+.Nm gss_inquire_context
+.Nd Obtain information about a security context
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_inquire_context
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "gss_name_t *src_name"
+.Fa "gss_name_t *targ_name"
+.Fa "OM_uint32 *lifetime_rec"
+.Fa "gss_OID *mech_type"
+.Fa "OM_uint32 *ctx_flags"
+.Fa "int *locally_initiated"
+.Fa "int *open"
+.Fc
+.Sh DESCRIPTION
+Obtains information about a security context.
+The caller must already have obtained a handle that refers to the
+context,
+although the context need not be fully established.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+A handle that refers to the security context.
+.It src_name
+The name of the context initiator.
+If the context was established using anonymous authentication,
+and if the application invoking
+.Fn gss_inquire_context
+is the context acceptor,
+an anonymous name will be returned.
+Storage associated with this name must be freed by the application
+after use with a call to
+.Fn gss_release_name .
+Specify
+.Dv NULL
+if not required.
+.It targ_name
+The name of the context acceptor.
+Storage associated with this name must be freed by the application
+after use with a call to
+.Fn gss_release_name .
+If the context acceptor did not authenticate itself,
+and if the initiator did not specify a target name in its call to
+.Fn gss_init_sec_context ,
+the value
+.Dv GSS_C_NO_NAME
+will be returned.
+Specify
+.Dv NULL
+if not required.
+.It lifetime_rec
+The number of seconds for which the context will remain valid.
+If the context has expired,
+this parameter will be set to zero.
+If the implementation does not support context expiration,
+the value
+.Dv GSS_C_INDEFINITE
+will be returned.
+Specify
+.Dv NULL
+if not required.
+.It mech_type
+The security mechanism providing the context.
+The returned OID will be a pointer to static storage that should be
+treated as read-only by the application;
+in particular the application should not attempt to free it.
+Specify
+.Dv NULL
+if not required.
+.It ctx_flags
+Contains various independent flags,
+each of which indicates that the context supports
+(or is expected to support, if
+.Fa open
+is false)
+a specific service option.
+If not needed, specify
+.Dv NULL .
+Symbolic names are provided for each flag,
+and the symbolic names corresponding to the required flags should be
+logically-ANDed with the
+.Fa ctx_flags
+value to test whether a given option is supported by the context.
+The flags are:
+.Bl -tag -width "WW"
+.It GSS_C_DELEG_FLAG
+.Bl -tag -width "False"
+.It True
+Credentials were delegated from the initiator to the acceptor.
+.It False
+No credentials were delegated.
+.El
+.It GSS_C_MUTUAL_FLAG
+.Bl -tag -width "False"
+.It True
+The acceptor was authenticated to the initiator.
+.It False
+The acceptor did not authenticate itself.
+.El
+.It GSS_C_REPLAY_FLAG
+.Bl -tag -width "False"
+.It True
+Replay of protected messages will be detected.
+.It False
+Replayed messages will not be detected.
+.El
+.It GSS_C_SEQUENCE_FLAG
+.Bl -tag -width "False"
+.It True
+Out-of-sequence protected messages will be detected.
+.It False
+Out-of-sequence messages will not be detected.
+.El
+.It GSS_C_CONF_FLAG
+.Bl -tag -width "False"
+.It True
+Confidentiality service may be invoked by calling
+.Fn gss_wrap
+routine.
+.It False
+No confidentiality service
+(via
+.Fn gss_wrap )
+available.
+.Fn gss_wrap
+will provide message encapsulation,
+data-origin authentication and integrity services only.
+.El
+.It GSS_C_INTEG_FLAG
+.Bl -tag -width "False"
+.It True
+Integrity service may be invoked by calling either
+.Fn gss_get_mic
+or
+.Fn gss_wrap
+routines.
+.It False
+Per-message integrity service unavailable.
+.El
+.It GSS_C_ANON_FLAG
+.Bl -tag -width "False"
+.It True
+The initiator's identity will not be revealed to the acceptor.
+The
+.Fa src_name
+parameter (if requested) contains an anonymous internal name.
+.It False
+The initiator has been authenticated normally.
+.El
+.It GSS_C_PROT_READY_FLAG
+.Bl -tag -width "False"
+.It True
+Protection services
+(as specified by the states of the
+.Dv GSS_C_CONF_FLAG
+and
+.Dv GSS_C_INTEG_FLAG )
+are available for use.
+.It False
+Protection services
+(as specified by the states of the
+.Dv GSS_C_CONF_FLAG
+and
+.Dv GSS_C_INTEG_FLAG )
+are available only if the context is fully established
+(i.e. if the
+.Fa open
+parameter is non-zero).
+.El
+.It GSS_C_TRANS_FLAG
+.Bl -tag -width "False"
+.It True
+The security context may be transferred to other processes via a call to
+.Fn gss_export_sec_context .
+.It False
+The security context is not transferable.
+.El
+.El
+.It locally_initiated
+Non-zero if the invoking application is the context initiator.
+Specify
+.Dv NULL
+if not required.
+.It open
+Non-zero if the context is fully established;
+Zero if a context-establishment token is expected from the peer
+application.
+Specify
+.Dv NULL
+if not required.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_NO_CONTEXT
+The referenced context could not be accessed
+.El
+.Sh SEE ALSO
+.Xr gss_release_name 3 ,
+.Xr gss_init_sec_context 3 ,
+.Xr gss_wrap 3 ,
+.Xr gss_get_mic 3 ,
+.Xr gss_export_sec_context 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_inquire_context.c b/lib/libgssapi/gss_inquire_context.c
new file mode 100644
index 000000000000..3f4531d2c428
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_context.c
@@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "context.h"
+#include "name.h"
+
+OM_uint32
+gss_inquire_context(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ gss_name_t *src_name,
+ gss_name_t *targ_name,
+ OM_uint32 *lifetime_rec,
+ gss_OID *mech_type,
+ OM_uint32 *ctx_flags,
+ int *locally_initiated,
+ int *open)
+{
+ OM_uint32 major_status;
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+ struct _gss_name *name;
+ gss_name_t src_mn, targ_mn;
+
+ major_status = m->gm_inquire_context(minor_status,
+ ctx->gc_ctx,
+ src_name ? &src_mn : 0,
+ targ_name ? &targ_mn : 0,
+ lifetime_rec,
+ mech_type,
+ ctx_flags,
+ locally_initiated,
+ open);
+
+ if (src_name) *src_name = 0;
+ if (targ_name) *targ_name = 0;
+
+ if (major_status != GSS_S_COMPLETE) {
+ return (major_status);
+ }
+
+ if (src_name) {
+ name = _gss_make_name(m, src_mn);
+ if (!name) {
+ minor_status = 0;
+ return (GSS_S_FAILURE);
+ }
+ *src_name = (gss_name_t) name;
+ }
+
+ if (targ_name) {
+ name = _gss_make_name(m, targ_mn);
+ if (!name) {
+ minor_status = 0;
+ return (GSS_S_FAILURE);
+ }
+ *targ_name = (gss_name_t) name;
+ }
+
+ return (GSS_S_COMPLETE);
+}
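Review bot: `ctx->gc_mech` on the line after the cast dereferences `context_handle` without checking for `GSS_C_NO_CONTEXT`, even though the accompanying man page promises `GSS_S_NO_CONTEXT` when the context cannot be accessed; a guard before the mechanism call, `if (ctx == NULL) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }`, closes that. The two `minor_status = 0;` lines in the failure paths assign the parameter pointer rather than the caller's status word and should read `*minor_status = 0;`. Those same paths also drop the mechanism names `src_mn`/`targ_mn` obtained from `gm_inquire_context`, and a failure on `targ_name` leaks the `src_name` just built, unless `_gss_make_name` releases its argument on failure (not visible here). The rewrite below releases what was acquired before returning.
```c
	struct _gss_context *ctx = (struct _gss_context *) context_handle;
	struct _gss_mech_switch *m;
	/* … unchanged: remaining declarations … */

	if (ctx == NULL) {
		*minor_status = 0;
		return (GSS_S_NO_CONTEXT);
	}
	m = ctx->gc_mech;

	/* … unchanged: gm_inquire_context call, output reset, major_status check … */

	if (src_name) {
		name = _gss_make_name(m, src_mn);
		if (!name) {
			m->gm_release_name(minor_status, &src_mn);
			if (targ_name)
				m->gm_release_name(minor_status, &targ_mn);
			*minor_status = 0;
			return (GSS_S_FAILURE);
		}
		*src_name = (gss_name_t) name;
	}

	if (targ_name) {
		name = _gss_make_name(m, targ_mn);
		if (!name) {
			m->gm_release_name(minor_status, &targ_mn);
			if (src_name)
				gss_release_name(minor_status, src_name);
			*minor_status = 0;
			return (GSS_S_FAILURE);
		}
		*targ_name = (gss_name_t) name;
	}
```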
diff --git a/lib/libgssapi/gss_inquire_cred.3 b/lib/libgssapi/gss_inquire_cred.3
new file mode 100644
index 000000000000..1dd1d92a4ca9
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_cred.3
@@ -0,0 +1,158 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_INQUIRE_CRED 3 PRM
+.Sh NAME
+.Nm gss_inquire_cred
+.Nd Obtain information about a credential
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_inquire_cred
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_cred_id_t cred_handle"
+.Fa "gss_ctx_id_t *context_handle"
+.Fa "gss_name_t *name"
+.Fa "OM_uint32 *lifetime"
+.Fa "gss_cred_usage_t *cred_usage"
+.Fa "gss_OID_set *mechanisms"
+.Fc
+.Sh DESCRIPTION
+Obtains information about a credential.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It cred_handle
+A handle that refers to the target credential.
+Specify
+.Dv GSS_C_NO_CREDENTIAL
+to inquire about the default initiator principal.
+.It name
+The name whose identity the credential asserts.
+Storage associated with this name should be freed by the application
+after use with a call to
+.Fn gss_release_name .
+Specify
+.Dv NULL
+if not required.
+.It lifetime
+The number of seconds for which the credential will remain valid.
+If the credential has expired,
+this parameter will be set to zero.
+If the implementation does not support credential expiration,
+the value GSS_C_INDEFINITE will be returned.
+Specify
+.Dv NULL
+if not required.
+.It cred_usage
+How the credential may be used.
+One of the following:
+.Bl -item -offset indent -compact
+.It
+.Dv GSS_C_INITIATE
+.It
+.Dv GSS_C_ACCEPT
+.It
+.Dv GSS_C_BOTH
+.El
+Specify
+.Dv NULL
+if not required.
+.It mechanisms
+Set of mechanisms supported by the credential.
+Storage associated with this OID set must be freed by the application
+after use with a call to
+.Fn gss_release_oid_set .
+Specify
+.Dv NULL
+if not required.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_NO_CRED
+The referenced credentials could not be accessed
+.It GSS_S_DEFECTIVE_CREDENTIAL
+The referenced credentials were invalid
+.It GSS_S_CREDENTIALS_EXPIRED
+The referenced credentials have expired.
+If the lifetime parameter was not passed as
+.Dv NULL ,
+it will be set to 0
+.El
+.Sh SEE ALSO
+.Xr gss_release_name 3 ,
+.Xr gss_release_oid_set 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_inquire_cred.c b/lib/libgssapi/gss_inquire_cred.c
new file mode 100644
index 000000000000..6f598b7fd283
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_cred.c
@@ -0,0 +1,167 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "name.h"
+#include "cred.h"
+
+OM_uint32
+gss_inquire_cred(OM_uint32 *minor_status,
+ const gss_cred_id_t cred_handle,
+ gss_name_t *name_ret,
+ OM_uint32 *lifetime,
+ gss_cred_usage_t *cred_usage,
+ gss_OID_set *mechanisms)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
+ struct _gss_mechanism_cred *mc;
+ struct _gss_name *name;
+ struct _gss_mechanism_name *mn;
+ OM_uint32 min_lifetime;
+
+ *minor_status = 0;
+ if (name_ret)
+ *name_ret = 0;
+ if (lifetime)
+ *lifetime = 0;
+ if (cred_usage)
+ *cred_usage = 0;
+
+ if (name_ret) {
+ name = malloc(sizeof(struct _gss_name));
+ if (!name) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ memset(name, 0, sizeof(struct _gss_name));
+ SLIST_INIT(&name->gn_mn);
+ } else {
+ name = 0;
+ }
+
+ if (mechanisms) {
+ major_status = gss_create_empty_oid_set(minor_status,
+ mechanisms);
+ if (major_status) {
+ if (name) free(name);
+ return (major_status);
+ }
+ }
+
+ min_lifetime = GSS_C_INDEFINITE;
+ if (cred) {
+ SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+ gss_name_t mc_name;
+ OM_uint32 mc_lifetime;
+
+ major_status = mc->gmc_mech->gm_inquire_cred(minor_status,
+ mc->gmc_cred, &mc_name, &mc_lifetime, NULL, NULL);
+ if (major_status)
+ continue;
+
+ if (name) {
+ mn = malloc(sizeof(struct _gss_mechanism_name));
+ if (!mn) {
+ mc->gmc_mech->gm_release_name(minor_status,
+ &mc_name);
+ continue;
+ }
+ mn->gmn_mech = mc->gmc_mech;
+ mn->gmn_mech_oid = mc->gmc_mech_oid;
+ mn->gmn_name = mc_name;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+ } else {
+ mc->gmc_mech->gm_release_name(minor_status,
+ &mc_name);
+ }
+
+ if (mc_lifetime < min_lifetime)
+ min_lifetime = mc_lifetime;
+
+ if (mechanisms)
+ gss_add_oid_set_member(minor_status,
+ mc->gmc_mech_oid, mechanisms);
+ }
+ } else {
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ gss_name_t mc_name;
+ OM_uint32 mc_lifetime;
+
+ major_status = m->gm_inquire_cred(minor_status,
+ GSS_C_NO_CREDENTIAL, &mc_name, &mc_lifetime,
+ cred_usage, NULL);
+ if (major_status)
+ continue;
+
+ if (name && mc_name) {
+ mn = malloc(
+ sizeof(struct _gss_mechanism_name));
+ if (!mn) {
+ mc->gmc_mech->gm_release_name(
+ minor_status, &mc_name);
+ continue;
+ }
+ mn->gmn_mech = mc->gmc_mech;
+ mn->gmn_mech_oid = mc->gmc_mech_oid;
+ mn->gmn_name = mc_name;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+ } else if (mc_name) {
+ mc->gmc_mech->gm_release_name(minor_status,
+ &mc_name);
+ }
+
+ if (mc_lifetime < min_lifetime)
+ min_lifetime = mc_lifetime;
+
+ if (mechanisms)
+ gss_add_oid_set_member(minor_status,
+ &m->gm_mech_oid, mechanisms);
+ }
+
+ if ((*mechanisms)->count == 0) {
+ gss_release_oid_set(minor_status, mechanisms);
+ *minor_status = 0;
+ return (GSS_S_NO_CRED);
+ }
+ }
+
+ *minor_status = 0;
+ if (name_ret)
+ *name_ret = (gss_name_t) name;
+ if (lifetime)
+ *lifetime = min_lifetime;
+ if (cred && cred_usage)
+ *cred_usage = cred->gc_usage;
+ return (GSS_S_COMPLETE);
+}
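Review bot: `mc` is never assigned in the `GSS_C_NO_CREDENTIAL` branch (the loop variable there is `m`), so the `mc->gmc_mech` and `mc->gmc_mech_oid` reads between the second `malloc` and the `else if` dereference an uninitialised pointer; the mechanism switch `m` and `&m->gm_mech_oid` are the intended values, as the neighbouring `gss_add_oid_set_member` call already uses. The `(*mechanisms)->count == 0` test at the end of that branch also dereferences `mechanisms`, which the man page allows to be `NULL`, and the `GSS_S_NO_CRED` return there leaks the `name` allocation. Counting successful mechanisms locally avoids both problems, as in the rewrite below. `memset` is called without a visible `<string.h>` include; unless a project header pulls it in, add `#include <string.h>` next to `<stdlib.h>`.
```c
	} else {
		int found = 0;

		SLIST_FOREACH(m, &_gss_mechs, gm_link) {
			/* … unchanged: gm_inquire_cred call and status check … */
			found++;

			if (name && mc_name) {
				mn = malloc(
				    sizeof(struct _gss_mechanism_name));
				if (!mn) {
					m->gm_release_name(
					    minor_status, &mc_name);
					continue;
				}
				mn->gmn_mech = m;
				mn->gmn_mech_oid = &m->gm_mech_oid;
				mn->gmn_name = mc_name;
				SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
			} else if (mc_name) {
				m->gm_release_name(minor_status,
				    &mc_name);
			}

			/* … unchanged: min_lifetime and mechanisms bookkeeping … */
		}

		if (found == 0) {
			if (mechanisms)
				gss_release_oid_set(minor_status, mechanisms);
			free(name);
			*minor_status = 0;
			return (GSS_S_NO_CRED);
		}
	}
```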
diff --git a/lib/libgssapi/gss_inquire_cred_by_mech.3 b/lib/libgssapi/gss_inquire_cred_by_mech.3
new file mode 100644
index 000000000000..380b7ca963c8
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_cred_by_mech.3
@@ -0,0 +1,173 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_INQUIRE_CRED_BY_MECH 3 PRM
+.Sh NAME
+.Nm gss_inquire_cred_by_mech
+.Nd Obtain per-mechanism information about a credential
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_inquire_cred_by_mech
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_cred_id_t cred_handle"
+.Fa "const gss_OID mech_type"
+.Fa "gss_name_t *name"
+.Fa "OM_uint32 *initiator_lifetime"
+.Fa "OM_uint32 *acceptor_lifetime"
+.Fa "gss_cred_usage_t *cred_usage"
+.Fc
+.Sh DESCRIPTION
+Obtains per-mechanism information about a credential.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It cred_handle
+A handle that refers to the target credential.
+Specify
+.Dv GSS_C_NO_CREDENTIAL
+to inquire about the default initiator principal.
+.It mech_type
+The mechanism for which information should be returned.
+.It name
+The name whose identity the credential asserts.
+Storage associated with this name must be freed by the application
+after use with a call to
+.Fn gss_release_name .
+Specify
+.Dv NULL
+if not required.
+.It initiator_lifetime
+
+The number of seconds for which the credential will remain capable of
+initiating security contexts under the specified mechanism.
+If the credential can no longer be used to initiate contexts,
+or if the credential usage for this mechanism is
+.Dv GSS_C_ACCEPT ,
+this parameter will be set to zero.
+If the implementation does not support expiration of initiator
+credentials,
+the value
+.Dv GSS_C_INDEFINITE
+will be returned.
+Specify
+.Dv NULL
+if not required.
+.It acceptor_lifetime
+The number of seconds for which the credential will remain capable of
+accepting security contexts under the specified mechanism.
+If the credential can no longer be used to accept contexts,
+or if the credential usage for this mechanism is
+.Dv GSS_C_INITIATE ,
+this parameter will be set to zero.
+If the implementation does not support expiration of acceptor
+credentials,
+the value
+.Dv GSS_C_INDEFINITE
+will be returned.
+Specify
+.Dv NULL
+if not required.
+.It cred_usage
+How the credential may be used with the specified mechanism.
+One of the following:
+.Bl -item -offset indent -compact
+.It
+.Dv GSS_C_INITIATE
+.It
+.Dv GSS_C_ACCEPT
+.It
+.Dv GSS_C_BOTH
+.El
+Specify
+.Dv NULL
+if not required.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_NO_CRED
+The referenced credentials could not be accessed
+.It GSS_S_DEFECTIVE_CREDENTIAL
+The referenced credentials were invalid
+.It GSS_S_CREDENTIALS_EXPIRED
+The referenced credentials have expired.
+If the lifetime parameter was not passed as
+.Dv NULL ,
+it will be set to 0.
+.El
+.Sh SEE ALSO
+.Xr gss_release_name 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_inquire_cred_by_mech.c b/lib/libgssapi/gss_inquire_cred_by_mech.c
new file mode 100644
index 000000000000..2896f77c1e74
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_cred_by_mech.c
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "cred.h"
+#include "name.h"
+
+OM_uint32
+gss_inquire_cred_by_mech(OM_uint32 *minor_status,
+ const gss_cred_id_t cred_handle,
+ const gss_OID mech_type,
+ gss_name_t *cred_name,
+ OM_uint32 *initiator_lifetime,
+ OM_uint32 *acceptor_lifetime,
+ gss_cred_usage_t *cred_usage)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m;
+ struct _gss_mechanism_cred *mcp;
+ gss_cred_id_t mc;
+ gss_name_t mn;
+ struct _gss_name *name;
+
+ *minor_status = 0;
+
+ m = _gss_find_mech_switch(mech_type);
+ if (!m)
+ return (GSS_S_NO_CRED);
+
+ if (cred_handle != GSS_C_NO_CREDENTIAL) {
+ struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
+ SLIST_FOREACH(mcp, &cred->gc_mc, gmc_link)
+ if (mcp->gmc_mech == m)
+ break;
+ if (!mcp)
+ return (GSS_S_NO_CRED);
+ mc = mcp->gmc_cred;
+ } else {
+ mc = GSS_C_NO_CREDENTIAL;
+ }
+
+ major_status = m->gm_inquire_cred_by_mech(minor_status, mc, mech_type,
+ &mn, initiator_lifetime, acceptor_lifetime, cred_usage);
+ if (major_status != GSS_S_COMPLETE)
+ return (major_status);
+
+ name = _gss_make_name(m, mn);
+ if (!name) {
+ m->gm_release_name(minor_status, &mn);
+ return (GSS_S_NO_CRED);
+ }
+
+ *cred_name = (gss_name_t) name;
+ return (GSS_S_COMPLETE);
+}
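Review bot: `*cred_name = (gss_name_t) name;` near the end stores through `cred_name` unconditionally, although the accompanying man page says the name parameter may be passed as `NULL` when not required; the call would then fault, and the `mn` obtained from `gm_inquire_cred_by_mech` would need releasing instead of wrapping. Returning `GSS_S_NO_CRED` when `_gss_make_name` fails also mislabels an allocation failure; `gss_inquire_context` in the same commit uses `GSS_S_FAILURE` for that case. The rewrite below handles a `NULL` `cred_name` and aligns the status code.
```c
	/* … unchanged: gm_inquire_cred_by_mech call and status check … */

	if (cred_name == NULL) {
		m->gm_release_name(minor_status, &mn);
		*minor_status = 0;
		return (GSS_S_COMPLETE);
	}

	name = _gss_make_name(m, mn);
	if (!name) {
		m->gm_release_name(minor_status, &mn);
		*minor_status = 0;
		return (GSS_S_FAILURE);
	}

	*cred_name = (gss_name_t) name;
	return (GSS_S_COMPLETE);
```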
diff --git a/lib/libgssapi/gss_inquire_mechs_for_name.3 b/lib/libgssapi/gss_inquire_mechs_for_name.3
new file mode 100644
index 000000000000..63ee453998bc
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_mechs_for_name.3
@@ -0,0 +1,134 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_INQUIRE_MECHS_FOR_NAME 3 PRM
+.Sh NAME
+.Nm gss_inquire_mechs_for_name
+.Nd List mechanisms that support the specified name-type
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_inquire_mechs_for_name
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t input_name"
+.Fa "gss_OID_set *mech_types"
+.Fc
+.Sh DESCRIPTION
+Returns the set of mechanisms supported by the GSS-API implementation
+that may be able to process the specified name.
+.Pp
+
+Each mechanism returned will recognize at least one element within the
+name.
+It is permissible for this routine to be implemented within a
+mechanism-independent GSS-API layer,
+using the type information contained within the presented name,
+and based on registration information provided by individual mechanism
+implementations.
+This means that the returned
+.Fa mech_types
+set may indicate that a particular mechanism will understand the name
+when in fact it would refuse to accept the name as input to
+.Fn gss_canonicalize_name ,
+.Fn gss_init_sec_context ,
+.Fn gss_acquire_cred
+or
+.Fn gss_add_cred
+(due to some property of the specific name, as opposed to the name
+type).
+Thus this routine should be used only as a pre-filter for a call to a
+subsequent mechanism-specific routine.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It input_name
+The name to which the inquiry relates.
+.It mech_types
+Set of mechanisms that may support the specified name.
+The returned OID set must be freed by the caller after use with a call
+to
+.Fn gss_release_oid_set .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_BAD_NAME
+The
+.Fa input_name
+parameter was ill-formed
+.El
+.Sh SEE ALSO
+.Xr gss_release_oid_set 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_inquire_mechs_for_name.c b/lib/libgssapi/gss_inquire_mechs_for_name.c
new file mode 100644
index 000000000000..10bdd7fd6314
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_mechs_for_name.c
@@ -0,0 +1,77 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_inquire_mechs_for_name(OM_uint32 *minor_status,
+ const gss_name_t input_name,
+ gss_OID_set *mech_types)
+{
+ OM_uint32 major_status;
+ struct _gss_name *name = (struct _gss_name *) input_name;
+ struct _gss_mech_switch *m;
+ gss_OID_set name_types;
+ int present;
+
+ *minor_status = 0;
+
+ major_status = gss_create_empty_oid_set(minor_status, mech_types);
+ if (major_status)
+ return (major_status);
+
+ /*
+ * We go through all the loaded mechanisms and see if this
+ * name's type is supported by the mechanism. If it is, add
+ * the mechanism to the set.
+ */
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ major_status = gss_inquire_names_for_mech(minor_status,
+ &m->gm_mech_oid, &name_types);
+ if (major_status) {
+ gss_release_oid_set(minor_status, mech_types);
+ return (major_status);
+ }
+ gss_test_oid_set_member(minor_status,
+ &name->gn_type, name_types, &present);
+ gss_release_oid_set(minor_status, &name_types);
+ if (present) {
+ major_status = gss_add_oid_set_member(minor_status,
+ &m->gm_mech_oid, mech_types);
+ if (major_status) {
+ gss_release_oid_set(minor_status, mech_types);
+ return (major_status);
+ }
+ }
+ }
+
+ return (GSS_S_COMPLETE);
+}
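Review bot: `&name->gn_type` in the `gss_test_oid_set_member` call dereferences `input_name` without a check, although the man page lists `GSS_S_BAD_NAME` for an ill-formed name and `GSS_C_NO_NAME` is a legal `gss_name_t` value; a guard before the set is created, `if (input_name == GSS_C_NO_NAME) return (GSS_S_BAD_NAME);`, covers that. The return value of `gss_test_oid_set_member` is ignored, so when it fails `present` is read uninitialised on the following `if`; initialise it, `int present = 0;`, or test the major status. The `gss_release_oid_set` calls in the error paths also overwrite the `*minor_status` of the call that failed; saving it in a local before cleanup would preserve the mechanism's code for the caller.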
diff --git a/lib/libgssapi/gss_inquire_names_for_mech.3 b/lib/libgssapi/gss_inquire_names_for_mech.3
new file mode 100644
index 000000000000..b4d2d121cf0e
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_names_for_mech.3
@@ -0,0 +1,107 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_INQUIRE_NAMES_FOR_MECH 3 PRM
+.Sh NAME
+.Nm gss_inquire_names_for_mech
+.Nd List the name-types supported by the specified mechanism
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_inquire_names_for_mech
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_OID mechanism"
+.Fa "gss_OID_set *name_types"
+.Fc
+.Sh DESCRIPTION
+Returns the set of name-types supported by the specified mechanism.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It mechanism
+The mechanism to be interrogated.
+.It name_types
+Set of name-types supported by the specified mechanism.
+The returned OID set must be freed by the application after use with a
+call to
+.Fn gss_release_oid_set .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.El
+.Sh SEE ALSO
+.Xr gss_release_oid_set 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_inquire_names_for_mech.c b/lib/libgssapi/gss_inquire_names_for_mech.c
new file mode 100644
index 000000000000..3ebb6328ff69
--- /dev/null
+++ b/lib/libgssapi/gss_inquire_names_for_mech.c
@@ -0,0 +1,74 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+
+OM_uint32
+gss_inquire_names_for_mech(OM_uint32 *minor_status,
+ const gss_OID mechanism,
+ gss_OID_set *name_types)
+{
+ OM_uint32 major_status;
+ struct _gss_mech_switch *m = _gss_find_mech_switch(mechanism);
+
+ *minor_status = 0;
+ if (!m)
+ return (GSS_S_BAD_MECH);
+
+ /*
+ * If the implementation can do it, ask it for a list of
+ * names, otherwise fake it.
+ */
+ if (m->gm_inquire_names_for_mech) {
+ return (m->gm_inquire_names_for_mech(minor_status,
+ mechanism, name_types));
+ } else {
+ major_status = gss_create_empty_oid_set(minor_status,
+ name_types);
+ if (major_status)
+ return (major_status);
+ major_status = gss_add_oid_set_member(minor_status,
+ GSS_C_NT_HOSTBASED_SERVICE, name_types);
+ if (major_status) {
+ OM_uint32 ms;
+ gss_release_oid_set(&ms, name_types);
+ return (major_status);
+ }
+ major_status = gss_add_oid_set_member(minor_status,
+ GSS_C_NT_USER_NAME, name_types);
+ if (major_status) {
+ OM_uint32 ms;
+ gss_release_oid_set(&ms, name_types);
+ return (major_status);
+ }
+ }
+
+ return (GSS_S_COMPLETE);
+}
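Review bot: The `else` branch at `if (m->gm_inquire_names_for_mech)` looks unreachable as the layer is wired in this commit: gss_mech_switch.c loads `inquire_names_for_mech` through the mandatory `SYM()` macro, which rejects the whole plugin (`goto bad`) when the symbol is absent, so `gm_inquire_names_for_mech` should never be NULL for a mechanism that `_gss_find_mech_switch` can return. Either load it with `OPTSYM(inquire_names_for_mech)` so the hostbased-service/user-name fallback is actually reachable, or drop the fallback and keep a one-line comment stating that the mechanism is required to supply it. If the fallback stays, the `else` after the unconditional `return` can be removed to flatten the function, and the two identical `OM_uint32 ms; gss_release_oid_set(&ms, name_types);` cleanups could share a single exit path.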
diff --git a/lib/libgssapi/gss_krb5.c b/lib/libgssapi/gss_krb5.c
new file mode 100644
index 000000000000..5150f8564a04
--- /dev/null
+++ b/lib/libgssapi/gss_krb5.c
@@ -0,0 +1,87 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "context.h"
+#include "cred.h"
+
+OM_uint32
+gsskrb5_register_acceptor_identity(const char *identity)
+{
+ struct _gss_mech_switch *m;
+
+ _gss_load_mech();
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ if (m->gm_krb5_register_acceptor_identity)
+ m->gm_krb5_register_acceptor_identity(identity);
+ }
+
+ return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+gss_krb5_copy_ccache(OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ struct krb5_ccache_data *out)
+{
+ struct _gss_mechanism_cred *mcp;
+ struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
+ struct _gss_mech_switch *m;
+
+ *minor_status = 0;
+
+ SLIST_FOREACH(mcp, &cred->gc_mc, gmc_link) {
+ m = mcp->gmc_mech;
+ if (m->gm_krb5_copy_ccache)
+ return (m->gm_krb5_copy_ccache(minor_status,
+ mcp->gmc_cred, out));
+ }
+
+ return (GSS_S_FAILURE);
+}
+
+OM_uint32
+gss_krb5_compat_des3_mic(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle, int flag)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ *minor_status = 0;
+
+ if (m->gm_krb5_compat_des3_mic)
+ return (m->gm_krb5_compat_des3_mic(minor_status,
+ ctx->gc_ctx, flag));
+
+ return (GSS_S_FAILURE);
+}
+
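Review bot: `gss_krb5_copy_ccache` dereferences `cred->gc_mc` and `gss_krb5_compat_des3_mic` dereferences `ctx->gc_mech` without validating the handle, so a caller passing `GSS_C_NO_CREDENTIAL` or `GSS_C_NO_CONTEXT` faults instead of receiving a status code. In the first, add `if (cred == NULL) return (GSS_S_NO_CRED);` after `*minor_status = 0;`; in the second, move the `m = ctx->gc_mech` assignment below a `if (ctx == NULL) return (GSS_S_NO_CONTEXT);` guard so the check precedes the read. `<stdlib.h>` and `<errno.h>` are included but nothing in this file uses them.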
diff --git a/lib/libgssapi/gss_mech_switch.c b/lib/libgssapi/gss_mech_switch.c
new file mode 100644
index 000000000000..4fa52a35c800
--- /dev/null
+++ b/lib/libgssapi/gss_mech_switch.c
@@ -0,0 +1,301 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mech_switch.h"
+#include "utils.h"
+
+#ifndef _PATH_GSS_MECH
+#define _PATH_GSS_MECH "/etc/gss/mech"
+#endif
+
+struct _gss_mech_switch_list _gss_mechs =
+ SLIST_HEAD_INITIALIZER(&_gss_mechs);
+gss_OID_set _gss_mech_oids;
+
+/*
+ * Convert a string containing an OID in 'dot' form
+ * (e.g. 1.2.840.113554.1.2.2) to a gss_OID.
+ */
+static int
+_gss_string_to_oid(const char* s, gss_OID oid)
+{
+ int number_count, i, j;
+ int byte_count;
+ const char *p, *q;
+ char *res;
+
+ /*
+ * First figure out how many numbers in the oid, then
+ * calculate the compiled oid size.
+ */
+ number_count = 0;
+ for (p = s; p; p = q) {
+ q = strchr(p, '.');
+ if (q) q = q + 1;
+ number_count++;
+ }
+
+ /*
+ * The first two numbers are in the first byte and each
+ * subsequent number is encoded in a variable byte sequence.
+ */
+ if (number_count < 2)
+ return (EINVAL);
+
+ /*
+ * We do this in two passes. The first pass, we just figure
+ * out the size. Second time around, we actually encode the
+ * number.
+ */
+ res = 0;
+ for (i = 0; i < 2; i++) {
+ byte_count = 0;
+ for (p = s, j = 0; p; p = q, j++) {
+ unsigned int number = 0;
+
+ /*
+ * Find the end of this number.
+ */
+ q = strchr(p, '.');
+ if (q) q = q + 1;
+
+ /*
+ * Read the number of of the string. Don't
+ * bother with anything except base ten.
+ */
+ while (*p && *p != '.') {
+ number = 10 * number + (*p - '0');
+ p++;
+ }
+
+ /*
+ * Encode the number. The first two numbers
+ * are packed into the first byte. Subsequent
+ * numbers are encoded in bytes seven bits at
+ * a time with the last byte having the high
+ * bit set.
+ */
+ if (j == 0) {
+ if (res)
+ *res = number * 40;
+ } else if (j == 1) {
+ if (res) {
+ *res += number;
+ res++;
+ }
+ byte_count++;
+ } else if (j >= 2) {
+ /*
+ * The number is encoded in seven bit chunks.
+ */
+ unsigned int t;
+ int bytes;
+
+ bytes = 0;
+ for (t = number; t; t >>= 7)
+ bytes++;
+ if (bytes == 0) bytes = 1;
+ while (bytes) {
+ if (res) {
+ int bit = 7*(bytes-1);
+
+ *res = (number >> bit) & 0x7f;
+ if (bytes != 1)
+ *res |= 0x80;
+ res++;
+ }
+ byte_count++;
+ bytes--;
+ }
+ }
+ }
+ if (!res) {
+ res = malloc(byte_count);
+ if (!res)
+ return (ENOMEM);
+ oid->length = byte_count;
+ oid->elements = res;
+ }
+ }
+
+ return (0);
+}
+
+#define SYM(name) \
+do { \
+ m->gm_ ## name = dlsym(so, "gss_" #name); \
+ if (!m->gm_ ## name) { \
+ fprintf(stderr, "can't find symbol gss_" #name "\n"); \
+ goto bad; \
+ } \
+} while (0)
+
+#define OPTSYM(name) \
+do { \
+ m->gm_ ## name = dlsym(so, "gss_" #name); \
+} while (0)
+
+#define OPTSYM2(symname, ourname) \
+do { \
+ m->ourname = dlsym(so, #symname); \
+} while (0)
+
+/*
+ * Load the mechanisms file (/etc/gss/mech).
+ */
+void
+_gss_load_mech(void)
+{
+ OM_uint32 major_status, minor_status;
+ FILE *fp;
+ char buf[256];
+ char *p;
+ char *name, *oid, *lib, *kobj;
+ struct _gss_mech_switch *m;
+ int count;
+ char **pp;
+ void *so;
+
+ if (SLIST_FIRST(&_gss_mechs))
+ return;
+
+ major_status = gss_create_empty_oid_set(&minor_status,
+ &_gss_mech_oids);
+ if (major_status)
+ return;
+
+ fp = fopen(_PATH_GSS_MECH, "r");
+ if (!fp) {
+ perror(_PATH_GSS_MECH);
+ return;
+ }
+
+ count = 0;
+ while (fgets(buf, sizeof(buf), fp)) {
+ if (*buf == '#')
+ continue;
+ p = buf;
+ name = strsep(&p, "\t\n ");
+ if (p) while (isspace(p)) p++;
+ oid = strsep(&p, "\t\n ");
+ if (p) while (isspace(p)) p++;
+ lib = strsep(&p, "\t\n ");
+ if (p) while (isspace(p)) p++;
+ kobj = strsep(&p, "\t\n ");
+ if (!name || !oid || !lib || !kobj)
+ continue;
+
+ so = dlopen(lib, RTLD_LOCAL);
+ if (!so) {
+ fprintf(stderr, "dlopen: %s\n", dlerror());
+ continue;
+ }
+
+ m = malloc(sizeof(struct _gss_mech_switch));
+ if (!m)
+ break;
+ m->gm_so = so;
+ if (_gss_string_to_oid(oid, &m->gm_mech_oid)) {
+ free(m);
+ continue;
+ }
+
+ major_status = gss_add_oid_set_member(&minor_status,
+ &m->gm_mech_oid, &_gss_mech_oids);
+ if (major_status) {
+ free(m->gm_mech_oid.elements);
+ free(m);
+ continue;
+ }
+
+ SYM(acquire_cred);
+ SYM(release_cred);
+ SYM(init_sec_context);
+ SYM(accept_sec_context);
+ SYM(process_context_token);
+ SYM(delete_sec_context);
+ SYM(context_time);
+ SYM(get_mic);
+ SYM(verify_mic);
+ SYM(wrap);
+ SYM(unwrap);
+ SYM(display_status);
+ SYM(indicate_mechs);
+ SYM(compare_name);
+ SYM(display_name);
+ SYM(import_name);
+ SYM(export_name);
+ SYM(release_name);
+ SYM(inquire_cred);
+ SYM(inquire_context);
+ SYM(wrap_size_limit);
+ SYM(add_cred);
+ SYM(inquire_cred_by_mech);
+ SYM(export_sec_context);
+ SYM(import_sec_context);
+ SYM(inquire_names_for_mech);
+ SYM(inquire_mechs_for_name);
+ SYM(canonicalize_name);
+ SYM(duplicate_name);
+ OPTSYM2(gsskrb5_register_acceptor_identity,
+ gm_krb5_register_acceptor_identity);
+ OPTSYM(krb5_copy_ccache);
+ OPTSYM(krb5_compat_des3_mic);
+
+ SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link);
+ count++;
+ continue;
+
+ bad:
+ free(m->gm_mech_oid.elements);
+ free(m);
+ dlclose(so);
+ continue;
+ }
+ fclose(fp);
+}
+
+struct _gss_mech_switch *
+_gss_find_mech_switch(gss_OID mech)
+{
+ struct _gss_mech_switch *m;
+
+ _gss_load_mech();
+ SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+ if (_gss_oid_equal(&m->gm_mech_oid, mech))
+ return m;
+ }
+ return (0);
+}
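Review bot: The three `if (p) while (isspace(p)) p++;` lines in `_gss_load_mech` pass the `char *` itself to `isspace()` rather than the character it points to, and `<ctype.h>` is not among this file's includes, so the whitespace skip is undefined behaviour rather than a skip; each should read `if (p) while (isspace((unsigned char)*p)) p++;` with `#include <ctype.h>` added. In the same loop the dlopen'd `so` is leaked when `malloc` fails, when `_gss_string_to_oid` rejects the entry, and when `gss_add_oid_set_member` fails, since only the `bad:` path calls `dlclose`. The `bad:` path in turn leaves the OID that was just added in `_gss_mech_oids`, so if that set is what the library later reports as its supported mechanisms, a plugin that failed to load is still advertised. `_gss_string_to_oid` folds any non-digit into `number` via `*p - '0'` without reporting it and `*res = number * 40` assumes the first arc fits in one byte; returning `EINVAL` on a non-digit would make a malformed `/etc/gss/mech` entry fail loudly instead of registering a garbage OID.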
diff --git a/lib/libgssapi/gss_names.c b/lib/libgssapi/gss_names.c
new file mode 100644
index 000000000000..e2fa4ccc8979
--- /dev/null
+++ b/lib/libgssapi/gss_names.c
@@ -0,0 +1,253 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "name.h"
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ * "\x01\x02\x01\x01"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+static gss_OID_desc GSS_C_NT_USER_NAME_storage =
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"};
+gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ * "\x01\x02\x01\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+static gss_OID_desc GSS_C_NT_MACHINE_UID_NAME_storage =
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"};
+gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ * "\x01\x02\x01\x03"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+static gss_OID_desc GSS_C_NT_STRING_UID_NAME_storage =
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"};
+gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)). The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc. This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X_storage =
+ {6, (void *)"\x2b\x06\x01\x05\x06\x02"};
+gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_storage;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ * "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}. The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
+ */
+static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_storage =
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"};
+gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_storage;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ * corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}. The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+static gss_OID_desc GSS_C_NT_ANONYMOUS_storage =
+ {6, (void *)"\x2b\x06\01\x05\x06\x03"};
+gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_storage;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}. The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+static gss_OID_desc GSS_C_NT_EXPORT_NAME_storage =
+ {6, (void *)"\x2b\x06\x01\x05\x06\x04"};
+gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_storage;
+
+/*
+ * This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_name(1)}. The recommended symbolic name for this type
+ * is "GSS_KRB5_NT_PRINCIPAL_NAME".
+ */
+static gss_OID_desc GSS_KRB5_NT_PRINCIPAL_NAME_storage =
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"};
+gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &GSS_KRB5_NT_PRINCIPAL_NAME_storage;
+
+/*
+ * This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) user_name(1)}. The recommended symbolic name for this
+ * type is "GSS_KRB5_NT_USER_NAME".
+ */
+gss_OID GSS_KRB5_NT_USER_NAME = &GSS_C_NT_USER_NAME_storage;
+
+/*
+ * This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) machine_uid_name(2)}. The recommended symbolic name for
+ * this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
+ */
+gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_storage;
+
+/*
+ * This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) string_uid_name(3)}. The recommended symbolic name for
+ * this type is "GSS_KRB5_NT_STRING_UID_NAME".
+ */
+gss_OID GSS_KRB5_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_storage;
+
+struct _gss_mechanism_name *
+_gss_find_mn(struct _gss_name *name, gss_OID mech)
+{
+ OM_uint32 major_status, minor_status;
+ struct _gss_mech_switch *m;
+ struct _gss_mechanism_name *mn;
+
+ SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+ if (_gss_oid_equal(mech, mn->gmn_mech_oid))
+ break;
+ }
+
+ if (!mn) {
+ /*
+ * If this name is canonical (i.e. there is only an
+ * MN but it is from a different mech), give up now.
+ */
+ if (!name->gn_value.value)
+ return (0);
+
+ m = _gss_find_mech_switch(mech);
+ if (!m)
+ return (0);
+
+ mn = malloc(sizeof(struct _gss_mechanism_name));
+ if (!mn)
+ return (0);
+
+ major_status = m->gm_import_name(&minor_status,
+ &name->gn_value,
+ (name->gn_type.elements
+ ? &name->gn_type : GSS_C_NO_OID),
+ &mn->gmn_name);
+ if (major_status) {
+ free(mn);
+ return (0);
+ }
+
+ mn->gmn_mech = m;
+ mn->gmn_mech_oid = &m->gm_mech_oid;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+ }
+ return (mn);
+}
+
+/*
+ * Make a name from an MN.
+ */
+struct _gss_name *
+_gss_make_name(struct _gss_mech_switch *m, gss_name_t new_mn)
+{
+ OM_uint32 minor_status;
+ struct _gss_name *name;
+ struct _gss_mechanism_name *mn;
+
+ name = malloc(sizeof(struct _gss_name));
+ if (!name)
+ return (0);
+ memset(name, 0, sizeof(struct _gss_name));
+
+ mn = malloc(sizeof(struct _gss_mechanism_name));
+ if (!mn) {
+ free(name);
+ return (0);
+ }
+
+ SLIST_INIT(&name->gn_mn);
+ mn->gmn_mech = m;
+ mn->gmn_mech_oid = &m->gm_mech_oid;
+ mn->gmn_name = new_mn;
+ SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+
+ return (name);
+}
+
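Review bot: `_gss_make_name` calls `memset` but the file includes only `<gssapi/gssapi.h>`, `<stdlib.h>` and `<errno.h>`, so the declaration is present only if one of those headers happens to pull in `<string.h>`; add `#include <string.h>` explicitly. The `memset(name, 0, ...)` followed by `SLIST_INIT(&name->gn_mn)` initialises the list head twice; `name = calloc(1, sizeof *name);` would replace the `malloc`/`memset` pair in one call. `<errno.h>` is included but not used in this file.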
diff --git a/lib/libgssapi/gss_process_context_token.3 b/lib/libgssapi/gss_process_context_token.3
new file mode 100644
index 000000000000..d9f6863724a2
--- /dev/null
+++ b/lib/libgssapi/gss_process_context_token.3
@@ -0,0 +1,136 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_PROCESS_CONTEXT_TOKEN 3 PRM
+.Sh NAME
+.Nm gss_process_context_token
+.Nd Process a token on a security context from a peer application
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_process_context_token
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "const gss_buffer_t token_buffer"
+.Fc
+.Sh DESCRIPTION
+Provides a way to pass an asynchronous token to the security service.
+Most context-level tokens are emitted and processed synchronously by
+.Fn gss_init_sec_context
+and
+.Fn gss_accept_sec_context ,
+and the application is informed as to whether further tokens are
+expected by the
+.Dv GSS_C_CONTINUE_NEEDED
+major status bit.
+Occasionally,
+a mechanism may need to emit a context-level token at a point when the
+peer entity is not expecting a token.
+For example,
+the initiator's final call to
+.Fn gss_init_sec_context
+may emit a token and return a status of
+.Dv GSS_S_COMPLETE ,
+but the acceptor's call to
+.Fn gss_accept_sec_context
+may fail.
+The acceptor's mechanism may wish to send a token containing an error
+indication to the initiator,
+but the initiator is not expecting a token at this point,
+believing that the context is fully established.
+.Fn gss_process_context_token
+provides a way to pass such a token to the mechanism at any time.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+Context handle of context on which token is to be processed.
+.It token_buffer
+Token to process.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_DEFECTIVE_TOKEN
+Indicates that consistency checks performed on the token failed
+.It GSS_S_NO_CONTEXT
+The
+.Fa context_handle
+did not refer to a valid context
+.El
+.Sh SEE ALSO
+.Xr gss_init_sec_context 3 ,
+.Xr gss_accept_sec_context 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_process_context_token.c b/lib/libgssapi/gss_process_context_token.c
new file mode 100644
index 000000000000..0b4d7ec9bfca
--- /dev/null
+++ b/lib/libgssapi/gss_process_context_token.c
@@ -0,0 +1,44 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_process_context_token(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t token_buffer)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_process_context_token(minor_status, ctx->gc_ctx,
+ token_buffer));
+}
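Review bot: A GSS_C_NO_CONTEXT (null) context_handle is dereferenced at `ctx->gc_mech` in the second declaration, while the manual page added just above lists GSS_S_NO_CONTEXT for a handle that does not refer to a valid context. A guard before the dispatch, `if (ctx == NULL) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }`, turns an application passing a released or never-established handle into the documented status instead of a null dereference. On the normal path `*minor_status` is left for the mechanism to set, which is consistent with the other dispatch wrappers.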
diff --git a/lib/libgssapi/gss_release_buffer.3 b/lib/libgssapi/gss_release_buffer.3
new file mode 100644
index 000000000000..3a583f4476e0
--- /dev/null
+++ b/lib/libgssapi/gss_release_buffer.3
@@ -0,0 +1,111 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_RELEASE_BUFFER 3 PRM
+.Sh NAME
+.Nm gss_release_buffer
+.Nd Discard a buffer
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_release_buffer
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_buffer_t buffer"
+.Fc
+.Sh DESCRIPTION
+Free storage associated with a buffer.
+The storage must have been allocated by a GSS-API routine.
+In addition to freeing the associated storage,
+the routine will zero the length field in the descriptor to which the
+buffer parameter refers,
+and implementations are encouraged to additionally set the pointer
+field in the descriptor to
+.Dv NULL .
+Any buffer object returned by a GSS-API routine may be passed to
+.Fn gss_release_buffer
+(even if there is no storage associated with the buffer).
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It buffer
+The storage associated with the buffer will be deleted.
+The gss_buffer_desc object will not be freed,
+but its length field will be zeroed.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.El
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_release_buffer.c b/lib/libgssapi/gss_release_buffer.c
new file mode 100644
index 000000000000..8e7fa60e5471
--- /dev/null
+++ b/lib/libgssapi/gss_release_buffer.c
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+OM_uint32
+gss_release_buffer(OM_uint32 *minor_status,
+ gss_buffer_t buffer)
+{
+
+ *minor_status = 0;
+ if (buffer->value)
+ free(buffer->value);
+ buffer->length = 0;
+ buffer->value = 0;
+
+ return (GSS_S_COMPLETE);
+}
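Review bot: `free()` is called in the `if (buffer->value)` branch but the file includes only <gssapi/gssapi.h>; unless that header happens to pull in <stdlib.h>, this is an implicit function declaration, which C99 removed and which the sibling gss_release_cred.c and gss_release_oid_set.c avoid by including <stdlib.h> explicitly. Adding `#include <stdlib.h>` after the gssapi include makes the file self-contained. The `if (buffer->value)` guard is redundant since free(NULL) is a no-op, and `buffer->value = NULL;` reads better than assigning 0 to a pointer. Because buffers released here can hold plaintext produced by gss_unwrap, a comment such as `/* The buffer contents are not zeroized; callers holding sensitive data must clear it first. */` would tell callers what this routine does not do for them.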
diff --git a/lib/libgssapi/gss_release_cred.3 b/lib/libgssapi/gss_release_cred.3
new file mode 100644
index 000000000000..a4c5b7719fc6
--- /dev/null
+++ b/lib/libgssapi/gss_release_cred.3
@@ -0,0 +1,108 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_RELEASE_CRED 3 PRM
+.Sh NAME
+.Nm gss_release_cred
+.Nd Discard a credential handle
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_release_cred
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_cred_id_t *cred_handle"
+.Fc
+.Sh DESCRIPTION
+Informs GSS-API that the specified credential handle is no longer
+required by the application,
+and frees associated resources.
+Implementations are encouraged to set the cred_handle to
+.Dv GSS_C_NO_CREDENTIAL
+on successful completion of this call.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It cred_handle
+Opaque handle identifying credential to be released.
+If GSS_C_NO_CREDENTIAL is supplied,
+the routine will complete successfully, but will do nothing.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_NO_CRED
+Credentials could not be accessed
+.El
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_release_cred.c b/lib/libgssapi/gss_release_cred.c
new file mode 100644
index 000000000000..cec814c66291
--- /dev/null
+++ b/lib/libgssapi/gss_release_cred.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "cred.h"
+
+OM_uint32
+gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
+{
+ struct _gss_cred *cred = (struct _gss_cred *) *cred_handle;
+ struct _gss_mechanism_cred *mc;
+
+ if (*cred_handle == GSS_C_NO_CREDENTIAL)
+ return (GSS_S_COMPLETE);
+
+ while (SLIST_FIRST(&cred->gc_mc)) {
+ mc = SLIST_FIRST(&cred->gc_mc);
+ SLIST_REMOVE_HEAD(&cred->gc_mc, gmc_link);
+ mc->gmc_mech->gm_release_cred(minor_status, &mc->gmc_cred);
+ free(mc);
+ }
+ free(cred);
+
+ *minor_status = 0;
+ *cred_handle = 0;
+ return (GSS_S_COMPLETE);
+}
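Review bot: The early return for GSS_C_NO_CREDENTIAL leaves `*minor_status` unset, so a caller that inspects it on that path reads an indeterminate value; moving `*minor_status = 0;` ahead of the check (and dropping the later assignment) fixes this. The loop also discards the major status returned by each `gm_release_cred` call and then resets `*minor_status` to 0 after the loop, so a mechanism failure is never reported to the caller; if that is deliberate best-effort cleanup, a one-line comment saying so would stop the next reader from treating it as an oversight. `*cred_handle = GSS_C_NO_CREDENTIAL;` would mirror the man page wording, and <errno.h> appears unused in this file.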
diff --git a/lib/libgssapi/gss_release_name.3 b/lib/libgssapi/gss_release_name.3
new file mode 100644
index 000000000000..7b1390ed5399
--- /dev/null
+++ b/lib/libgssapi/gss_release_name.3
@@ -0,0 +1,104 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_RELEASE_NAME 3 PRM
+.Sh NAME
+.Nm gss_release_name
+.Nd Discard an internal-form name
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_release_name
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_name_t *name"
+.Fc
+.Sh DESCRIPTION
+Free GSS-API allocated storage associated with an internal-form name.
+Implementations are encouraged to set the name to
+.Dv GSS_C_NO_NAME
+on successful completion of this call.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It name
+The name to be deleted.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_BAD_NAME
+The name parameter did not contain a valid name
+.El
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_release_name.c b/lib/libgssapi/gss_release_name.c
new file mode 100644
index 000000000000..4294ad7c4b48
--- /dev/null
+++ b/lib/libgssapi/gss_release_name.c
@@ -0,0 +1,59 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "mech_switch.h"
+#include "name.h"
+
+OM_uint32
+gss_release_name(OM_uint32 *minor_status,
+ gss_name_t *input_name)
+{
+ struct _gss_name *name = (struct _gss_name *) *input_name;
+ struct _gss_mech_switch *m;
+
+ *minor_status = 0;
+ if (name) {
+ if (name->gn_type.elements)
+ free(name->gn_type.elements);
+ while (SLIST_FIRST(&name->gn_mn)) {
+ struct _gss_mechanism_name *mn;
+ mn = SLIST_FIRST(&name->gn_mn);
+ SLIST_REMOVE_HEAD(&name->gn_mn, gmn_link);
+ mn->gmn_mech->gm_release_name(minor_status,
+ &mn->gmn_name);
+ free(mn);
+ }
+ gss_release_buffer(minor_status, &name->gn_value);
+ *input_name = 0;
+ }
+ return (GSS_S_COMPLETE);
+}
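Review bot: `free(name)` is missing after the `gss_release_buffer(minor_status, &name->gn_value)` line, so the struct _gss_name itself is leaked on every release even though its handle is cleared — assuming names are heap-allocated by the library as credentials are (gss_release_cred frees its `cred`). Add `free(name);` between the buffer release and `*input_name = 0;`, and consider `*input_name = GSS_C_NO_NAME;` to match the manual page. The gss_release_buffer call also overwrites `*minor_status` with 0, so any minor status a mechanism's gm_release_name reported is lost; that matches gss_release_cred but deserves a comment if intended. The `if (name->gn_type.elements)` guard is redundant since free(NULL) is a no-op.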
diff --git a/lib/libgssapi/gss_release_oid_set.3 b/lib/libgssapi/gss_release_oid_set.3
new file mode 100644
index 000000000000..48e8f16759ae
--- /dev/null
+++ b/lib/libgssapi/gss_release_oid_set.3
@@ -0,0 +1,109 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_RELEASE_OID_SET 3 PRM
+.Sh NAME
+.Nm gss_release_oid_set
+.Nd Discard a set of object identifiers
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_release_oid_set
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_OID_set *set"
+.Fc
+.Sh DESCRIPTION
+Free storage associated with a GSS-API generated gss_OID_set object.
+The set parameter must refer to an OID-set that was returned from a
+GSS-API routine.
+.Fn gss_release_oid_set
+will free the storage associated with each individual member OID,
+the OID set's elements array,
+and the gss_OID_set_desc itself.
+.Pp
+Implementations are encouraged to set the gss_OID_set parameter to
+.Dv GSS_C_NO_OID_SET
+on successful completion of this routine.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It set
+The storage associated with the gss_OID_set will be deleted.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.El
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_release_oid_set.c b/lib/libgssapi/gss_release_oid_set.c
new file mode 100644
index 000000000000..49c17ab8326a
--- /dev/null
+++ b/lib/libgssapi/gss_release_oid_set.c
@@ -0,0 +1,46 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+OM_uint32
+gss_release_oid_set(OM_uint32 *minor_status,
+ gss_OID_set *set)
+{
+
+ *minor_status = 0;
+ if (*set) {
+ if ((*set)->elements)
+ free((*set)->elements);
+ free(*set);
+ *set = 0;
+ }
+ return (GSS_S_COMPLETE);
+}
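Review bot: Only the `elements` array and the set descriptor are freed; the per-member `(*set)->elements[i].elements` buffers are not, although the accompanying manual page says the routine frees "the storage associated with each individual member OID". If gss_add_oid_set_member (not in this chunk) copies each OID's elements into fresh storage, those copies leak here on every release. A loop `for (i = 0; i < (*set)->count; i++) free((*set)->elements[i].elements);` before `free((*set)->elements);` would match the documented contract. The `if ((*set)->elements)` guard is redundant, `*set = GSS_C_NO_OID_SET;` is clearer than 0, and <errno.h> is unused.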
diff --git a/lib/libgssapi/gss_seal.c b/lib/libgssapi/gss_seal.c
new file mode 100644
index 000000000000..c3e3f7a83d66
--- /dev/null
+++ b/lib/libgssapi/gss_seal.c
@@ -0,0 +1,45 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+OM_uint32
+gss_seal(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ int qop_req,
+ gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+
+ return (gss_wrap(minor_status,
+ context_handle, conf_req_flag, qop_req,
+ input_message_buffer, conf_state,
+ output_message_buffer));
+}
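Review bot: gss_seal carries no comment explaining that it is the GSS-API v1 name for gss_wrap kept for source compatibility, and gss_sign (the gss_get_mic counterpart in the next file) has the same gap, so a reader of either file has to know the RFC 2744 history to see why the wrapper exists. A header comment on each, `/* GSS-API v1 compatibility entry point; new code should call gss_wrap() directly. */`, would say so. It would also be worth noting that `qop_req` is accepted as int here and presumably converted where gss_wrap takes a gss_qop_t, so the silent conversion is documented rather than surprising.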
diff --git a/lib/libgssapi/gss_sign.c b/lib/libgssapi/gss_sign.c
new file mode 100644
index 000000000000..c521a7e533e6
--- /dev/null
+++ b/lib/libgssapi/gss_sign.c
@@ -0,0 +1,41 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+OM_uint32
+gss_sign(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ int qop_req,
+ gss_buffer_t message_buffer,
+ gss_buffer_t message_token)
+{
+
+ return gss_get_mic(minor_status,
+ context_handle, qop_req, message_buffer, message_token);
+}
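Review bot: `return gss_get_mic(...)` is written without the parentheses that every other return in this commit uses (`return (GSS_S_COMPLETE);`, gss_seal's `return (gss_wrap(...));`), so this file breaks the library's style(9) return convention. Writing it as `return (gss_get_mic(minor_status, context_handle, qop_req, message_buffer, message_token));` keeps the files uniform.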
diff --git a/lib/libgssapi/gss_test_oid_set_member.3 b/lib/libgssapi/gss_test_oid_set_member.3
new file mode 100644
index 000000000000..e419d68e88e1
--- /dev/null
+++ b/lib/libgssapi/gss_test_oid_set_member.3
@@ -0,0 +1,116 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_TEST_OID_SET_MEMBER 3 PRM
+.Sh NAME
+.Nm gss_test_oid_set_member
+.Nd Determines whether an object identifier is a member of a set
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_test_oid_set_member
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_OID member"
+.Fa "const gss_OID_set set"
+.Fa "int *present"
+.Fc
+.Sh DESCRIPTION
+Interrogate an Object Identifier set to determine whether a specified
+Object Identifier is a member.
+This routine is intended to be used with OID sets returned by
+.Fn gss_indicate_mechs ,
+.Fn gss_acquire_cred ,
+and
+.Fn gss_inquire_cred ,
+but will also work with user-generated sets.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It member
+The object identifier whose presence is to be tested.
+.It set
+The Object Identifier set.
+.It present
+Non-zero if the specified OID is a member of the set, zero if not.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.El
+.Sh SEE ALSO
+.Xr gss_indicate_mechs 3 ,
+.Xr gss_acquire_cred 3 ,
+.Xr gss_inquire_cred 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_test_oid_set_member.c b/lib/libgssapi/gss_test_oid_set_member.c
new file mode 100644
index 000000000000..1a09540dbc53
--- /dev/null
+++ b/lib/libgssapi/gss_test_oid_set_member.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+static int
+_gss_oid_equal(const gss_OID oid1, const gss_OID oid2)
+{
+ if (oid1->length != oid2->length)
+ return (0);
+ if (memcmp(oid1->elements, oid2->elements, oid1->length))
+ return (0);
+ return (1);
+}
+
+OM_uint32
+gss_test_oid_set_member(OM_uint32 *minor_status,
+ const gss_OID member,
+ const gss_OID_set set,
+ int *present)
+{
+ int i;
+
+ *present = 0;
+ for (i = 0; i < set->count; i++)
+ if (_gss_oid_equal(member, &set->elements[i]))
+ *present = 1;
+
+ *minor_status = 0;
+ return (GSS_S_COMPLETE);
+}
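Review bot: `_gss_oid_equal` at the top of the hunk is a second, file-local copy of the helper that gss_utils.c exports in this same commit, and this copy calls memcmp without including <string.h>, so it is compiled against an implicit declaration. Dropping the static definition and adding `#include "utils.h"` next to the gssapi include leaves one implementation to maintain. The loop also keeps comparing after a match; `if (_gss_oid_equal(member, &set->elements[i])) { *present = 1; break; }` is enough, and if set->count is a size_t as in the RFC 2744 bindings, `i` should be declared with the same type to avoid a signed/unsigned comparison.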
diff --git a/lib/libgssapi/gss_unseal.c b/lib/libgssapi/gss_unseal.c
new file mode 100644
index 000000000000..bc7dc26111c0
--- /dev/null
+++ b/lib/libgssapi/gss_unseal.c
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+OM_uint32
+gss_unseal(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ int *qop_state)
+{
+
+ return (gss_unwrap(minor_status,
+ context_handle, input_message_buffer,
+ output_message_buffer, conf_state, qop_state));
+}
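Review bot: gss_unseal declares its last parameter as `int *qop_state` but passes it straight to gss_unwrap, whose prototype in this same commit takes `gss_qop_t *qop_state`, so the call only compiles with an incompatible-pointer-type diagnostic and relies on int and OM_uint32 sharing a representation. The gss_unwrap.3 page added alongside documents gss_unseal with `gss_qop_t *qop_state`, which contradicts this file; either the prototype here should become `gss_qop_t *qop_state` to match the manual, or the page should document the `int *` form and the call should go through a local `gss_qop_t` that is copied back after the call. gss_verify.c in this commit has the same mismatch against gss_verify_mic.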
diff --git a/lib/libgssapi/gss_unwrap.3 b/lib/libgssapi/gss_unwrap.3
new file mode 100644
index 000000000000..345ce30654a1
--- /dev/null
+++ b/lib/libgssapi/gss_unwrap.3
@@ -0,0 +1,191 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_UNWRAP 3 PRM
+.Sh NAME
+.Nm gss_unwrap ,
+.Nm gss_unseal
+.Nd Convert a message previously protected by
+.Xr gss_wrap 3
+back to a usable form
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_unwrap
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "const gss_buffer_t input_message_buffer"
+.Fa "gss_buffer_t output_message_buffer"
+.Fa "int *conf_state"
+.Fa "gss_qop_t *qop_state"
+.Fc
+.Ft OM_uint32
+.Fo gss_unseal
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "gss_buffer_t input_message_buffer"
+.Fa "gss_buffer_t output_message_buffer"
+.Fa "int *conf_state"
+.Fa "gss_qop_t *qop_state"
+.Fc
+.Sh DESCRIPTION
+Converts a message previously protected by
+.Xr gss_wrap 3
+back to a usable form,
+verifying the embedded MIC.
+The
+.Dv conf_state
+parameter indicates whether the message was encrypted;
+the
+.Dv qop_state
+parameter indicates the strength of protection that was used to provide the
+confidentiality and integrity services.
+.Pp
+Since some application-level protocols may wish to use tokens emitted
+by
+.Xr gss_wrap 3
+to provide "secure framing",
+implementations must support the wrapping and unwrapping of
+zero-length messages.
+.Pp
+The
+.Fn gss_unseal
+routine is an obsolete variant of
+.Fn gss_unwrap .
+It is
+provided for backwards
+compatibility with applications using the GSS-API V1 interface.
+A distinct entrypoint (as opposed to #define) is provided,
+both to allow GSS-API V1 applications to link
+and to retain the slight parameter type differences between the
+obsolete versions of this routine and its current form.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+Identifies the context on which the message arrived.
+.It input_message_buffer
+Protected message.
+.It output_message_buffer
+Buffer to receive unwrapped message.
+Storage associated with this buffer must
+be freed by the application after use use
+with a call to
+.Xr gss_release_buffer 3 .
+.It conf_state
+.Bl -tag -width "Non-zero"
+.It Non-zero
+Confidentiality and integrity protection were used.
+.It Zero
+Integrity service only was used.
+.El
+.Pp
+Specify NULL if not required.
+.It qop_state
+Quality of protection provided. Specify NULL if not required.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion.
+.It GSS_S_DEFECTIVE_TOKEN
+The token failed consistency checks.
+.It GSS_S_BAD_SIG
+The MIC was incorrect
+.It GSS_S_DUPLICATE_TOKEN
+The token was valid, and contained a correct
+MIC for the message, but it had already been
+processed.
+.It GSS_S_OLD_TOKEN
+The token was valid, and contained a correct MIC
+for the message, but it is too old to check for
+duplication.
+.It GSS_S_UNSEQ_TOKEN
+The token was valid, and contained a correct MIC
+for the message, but has been verified out of
+sequence; a later token has already been
+received.
+.It GSS_S_GAP_TOKEN
+The token was valid, and contained a correct MIC
+for the message, but has been verified out of
+sequence; an earlier expected token has not yet
+been received.
+.It GSS_S_CONTEXT_EXPIRED
+The context has already expired.
+.It GSS_S_NO_CONTEXT
+The context_handle parameter did not identify a valid context.
+.El
+.Sh SEE ALSO
+.Xr gss_wrap 3 ,
+.Xr gss_release_buffer 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_unwrap.c b/lib/libgssapi/gss_unwrap.c
new file mode 100644
index 000000000000..9ccc848d3efe
--- /dev/null
+++ b/lib/libgssapi/gss_unwrap.c
@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_unwrap(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_unwrap(minor_status, ctx->gc_ctx,
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state));
+}
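Review bot: The two dereferences `ctx->gc_mech` and `ctx->gc_ctx` at the top of the body are reached with no check that context_handle is non-NULL, so a caller passing GSS_C_NO_CONTEXT (for example after a context was already deleted) gets a NULL dereference instead of the GSS_S_NO_CONTEXT that the gss_unwrap.3 page in this commit documents. Adding `if (ctx == NULL) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }` before the mechanism dispatch keeps the failure inside the API contract rather than crashing the caller on malformed input. gss_verify_mic.c in this commit dispatches the same way without a check.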
diff --git a/lib/libgssapi/gss_utils.c b/lib/libgssapi/gss_utils.c
new file mode 100644
index 000000000000..d9f3e8926189
--- /dev/null
+++ b/lib/libgssapi/gss_utils.c
@@ -0,0 +1,79 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "utils.h"
+
+int
+_gss_oid_equal(const gss_OID oid1, const gss_OID oid2)
+{
+ if (oid1->length != oid2->length)
+ return (0);
+ if (memcmp(oid1->elements, oid2->elements, oid1->length))
+ return (0);
+ return (1);
+}
+
+OM_uint32
+_gss_copy_oid(OM_uint32 *minor_status,
+ const gss_OID from_oid, gss_OID to_oid)
+{
+ size_t len = from_oid->length;
+
+ *minor_status = 0;
+ to_oid->elements = malloc(len);
+ if (!to_oid->elements) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ to_oid->length = len;
+ memcpy(to_oid->elements, from_oid->elements, len);
+ return (GSS_S_COMPLETE);
+}
+
+
+OM_uint32
+_gss_copy_buffer(OM_uint32 *minor_status,
+ const gss_buffer_t from_buf, gss_buffer_t to_buf)
+{
+ size_t len = from_buf->length;
+
+ *minor_status = 0;
+ to_buf->value = malloc(len);
+ if (!to_buf->value) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ to_buf->length = len;
+ memcpy(to_buf->value, from_buf->value, len);
+ return (GSS_S_COMPLETE);
+}
+
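Review bot: `_gss_oid_equal`, `_gss_copy_oid` and `_gss_copy_buffer` call memcmp and memcpy, but the file includes only <gssapi/gssapi.h>, <stdlib.h>, <errno.h> and "utils.h", so unless utils.h pulls in <string.h> these are implicit declarations; add `#include <string.h>` to the include block. Separately, both copy routines treat a NULL from `malloc(len)` as ENOMEM even when len is 0; the gss_unwrap.3 page in this commit says zero-length messages must be supported, and on a platform where malloc(0) returns NULL a zero-length copy would spuriously report GSS_S_FAILURE, so either short-circuit `len == 0` or leave a comment stating why the platform malloc makes that safe. The `return GSS_S_FAILURE;` lines also lack the parentheses used on every other return in the file.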
diff --git a/lib/libgssapi/gss_verify.c b/lib/libgssapi/gss_verify.c
new file mode 100644
index 000000000000..31108750e3dd
--- /dev/null
+++ b/lib/libgssapi/gss_verify.c
@@ -0,0 +1,41 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+OM_uint32
+gss_verify(OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ gss_buffer_t message_buffer,
+ gss_buffer_t token_buffer,
+ int *qop_state)
+{
+
+ return (gss_verify_mic(minor_status,
+ context_handle, message_buffer, token_buffer, qop_state));
+}
diff --git a/lib/libgssapi/gss_verify_mic.3 b/lib/libgssapi/gss_verify_mic.3
new file mode 100644
index 000000000000..0abb83e5bf24
--- /dev/null
+++ b/lib/libgssapi/gss_verify_mic.3
@@ -0,0 +1,172 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_VERIFY_MIC 3 PRM
+.Sh NAME
+.Nm gss_verify_mic ,
+.Nm gss_verify
+.Nd Check a MIC against a message; verify integrity of a received message
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_verify_mic
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "const gss_buffer_t message_buffer"
+.Fa "const gss_buffer_t token_buffer"
+.Fa "gss_qop_t *qop_state"
+.Fc
+.Ft OM_uint32
+.Fo gss_verify
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "gss_buffer_t message_buffer"
+.Fa "gss_buffer_t token_buffer"
+.Fa "gss_qop_t *qop_state"
+.Fc
+.Sh DESCRIPTION
+Verifies that a cryptographic MIC,
+contained in the token parameter,
+fits the supplied message.
+The
+.Fa qop_state
+parameter allows a message recipient to determine the strength of
+protection that was applied to the message.
+.Pp
+Since some application-level protocols may wish to use tokens emitted
+by
+.Fn gss_wrap
+to provide "secure framing",
+implementations must support the calculation and verification of MICs
+over zero-length messages.
+.Pp
+The
+.Fn gss_verify
+routine is an obsolete variant of
+.Fn gss_verify_mic .
+It is provided for backwards
+compatibility with applications using the GSS-API V1 interface.
+A distinct entrypoint (as opposed to #define) is provided,
+both to allow GSS-API V1 applications to link
+and to retain the slight parameter type differences between the
+obsolete versions of this routine and its current form.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+Identifies the context on which the message arrived.
+.It message_buffer
+Message to be verified.
+.It token_buffer
+Token associated with message.
+.It qop_state
+Quality of protection gained from MIC.
+Specify
+.Dv NULL
+if not required.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion
+.It GSS_S_DEFECTIVE_TOKEN
+The token failed consistency checks
+.It GSS_S_BAD_SIG
+The MIC was incorrect
+.It GSS_S_DUPLICATE_TOKEN
+The token was valid,
+and contained a correct MIC for the message,
+but it had already been processed
+.It GSS_S_OLD_TOKEN
+The token was valid,
+and contained a correct MIC for the message,
+but it is too old to check for duplication
+.It GSS_S_UNSEQ_TOKEN
+The token was valid,
+and contained a correct MIC for the message,
+but has been verified out of sequence;
+a later token has already been received.
+.It GSS_S_GAP_TOKEN
+The token was valid,
+and contained a correct MIC for the message,
+but has been verified out of sequence;
+an earlier expected token has not yet been received
+.It GSS_S_CONTEXT_EXPIRED
+The context has already expired
+.It GSS_S_NO_CONTEXT
+The context_handle parameter did not identify a valid context
+.El
+.Sh SEE ALSO
+.Xr gss_wrap 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_verify_mic.c b/lib/libgssapi/gss_verify_mic.c
new file mode 100644
index 000000000000..4e11ab1e08fc
--- /dev/null
+++ b/lib/libgssapi/gss_verify_mic.c
@@ -0,0 +1,46 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_verify_mic(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t *qop_state)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_verify_mic(minor_status, ctx->gc_ctx,
+ message_buffer, token_buffer, qop_state));
+}
diff --git a/lib/libgssapi/gss_wrap.3 b/lib/libgssapi/gss_wrap.3
new file mode 100644
index 000000000000..342d5906653d
--- /dev/null
+++ b/lib/libgssapi/gss_wrap.3
@@ -0,0 +1,178 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_WRAP 3 PRM
+.Sh NAME
+.Nm gss_wrap ,
+.Nm gss_seal
+.Nd Attach a cryptographic MIC and optionally encrypt a message
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_wrap
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "int conf_req_flag"
+.Fa "gss_qop_t qop_req"
+.Fa "const gss_buffer_t input_message_buffer"
+.Fa "int *conf_state"
+.Fa "gss_buffer_t output_message_buffer"
+.Fc
+.Ft OM_uint32
+.Fo gss_seal
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "int conf_req_flag"
+.Fa "gss_qop_t qop_req"
+.Fa "gss_buffer_t input_message_buffer"
+.Fa "int *conf_state"
+.Fa "gss_buffer_t output_message_buffer"
+.Fc
+.Sh DESCRIPTION
+Attaches a cryptographic MIC and optionally encrypts the specified
+.Dv input_message .
+The output_message contains both the MIC and the message.
+The
+.Dv qop_req
+parameter allows a choice between several cryptographic algorithms,
+if supported by the chosen mechanism.
+.Pp
+Since some application-level protocols may wish to use tokens emitted
+by
+.Fn gss_wrap
+to provide "secure framing",
+implementations must support the wrapping of zero-length messages.
+.Pp
+The
+.Fn gss_seal
+routine is an obsolete variant of
+.Fn gss_wrap .
+It is
+provided for backwards
+compatibility with applications using the GSS-API V1 interface.
+A distinct entrypoint (as opposed to #define) is provided,
+both to allow GSS-API V1 applications to link
+and to retain the slight parameter type differences between the
+obsolete versions of this routine and its current form.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+Identifies the context on which the message will be sent.
+.It conf_req_flag
+.Bl -tag -width "Non-zero"
+.It Non-zero
+Both confidentiality and integrity services are requested.
+.It Zero
+Only integrity service is requested.
+.El
+.It qop_req
+Specifies required quality of protection.
+A mechanism-specific default may be requested by setting qop_req to
+.Dv GSS_C_QOP_DEFAULT .
+If an unsupported protection strength is requested,
+.Fn gss_wrap
+will return a major_status of
+.Dv GSS_S_BAD_QOP .
+.It input_message_buffer
+Message to be protected.
+.It conf_state
+.Bl -tag -width "Non-zero"
+.It Non-zero
+Confidentiality, data origin authentication and integrity services
+have been applied.
+.It Zero
+Integrity and data origin services only has been applied.
+.El
+.It output_message_buffer
+Buffer to receive protected message.
+Storage associated with this buffer must
+be freed by the application after use use
+with a call to
+.Xr gss_release_buffer 3 .
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion.
+.It GSS_S_CONTEXT_EXPIRED
+The context has already expired
+.It GSS_S_NO_CONTEXT
+The context_handle parameter did not identify a valid context.
+.It GSS_S_BAD_QOP
+The specified QOP is not supported by the mechanism.
+.El
+.Sh SEE ALSO
+.Xr gss_unwrap 3 ,
+.Xr gss_release_buffer 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_wrap.c b/lib/libgssapi/gss_wrap.c
new file mode 100644
index 000000000000..0d7c74933c31
--- /dev/null
+++ b/lib/libgssapi/gss_wrap.c
@@ -0,0 +1,49 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_wrap(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ const gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_wrap(minor_status, ctx->gc_ctx,
+ conf_req_flag, qop_req, input_message_buffer,
+ conf_state, output_message_buffer));
+}
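Review bot: gss_wrap dereferences context_handle at `ctx->gc_mech` without first checking for GSS_C_NO_CONTEXT, so a null or unestablished handle faults in the library instead of producing the GSS_S_NO_CONTEXT status that gss_wrap.3 in this same commit lists as a return value. A guard before the mechanism lookup, `if (ctx == NULL) { *minor_status = 0; return (GSS_S_NO_CONTEXT); }`, makes the code match its manpage and keeps a caller bug (or a peer that never completed context establishment) from turning into a crash of the process holding the credentials. The same unchecked dereference appears in the gss_wrap_size_limit hunk (lib/libgssapi/gss_wrap_size_limit.c) and in gss_verify_mic above, whose hunk starts before this chunk; the fix is identical in each.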
diff --git a/lib/libgssapi/gss_wrap_size_limit.3 b/lib/libgssapi/gss_wrap_size_limit.3
new file mode 100644
index 000000000000..63017e269db6
--- /dev/null
+++ b/lib/libgssapi/gss_wrap_size_limit.3
@@ -0,0 +1,163 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_WRAP_SIZE_LIMIT 3 PRM
+.Sh NAME
+.Nm gss_wrap_size_limit
+.Nd Determine maximum message sizes
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_wrap_size_limit
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "int conf_req_flag"
+.Fa "gss_qop_t qop_req"
+.Fa "OM_uint32 req_output_size"
+.Fa "OM_uint32 *max_input_size"
+.Fc
+.Sh DESCRIPTION
+Allows an application to determine the maximum message size that,
+if presented to
+.Xr gss_wrap 3
+with the same
+.Dv conf_req_flag
+and
+.Dv qop_req
+parameters,
+will result in an output token containing no more than
+.Dv req_output_size
+bytes.
+.Pp
+This call is intended for use by applications that
+communicate over protocols that impose a maximum message size.
+It enables the application to fragment messages prior to applying protection.
+.Pp
+GSS-API implementations are recommended but not required to detect
+invalid QOP values when
+.Fn gss_wrap_size_limit
+is called.
+This routine guarantees only a maximum message size,
+not the availability of specific QOP values for message protection.
+.Pp
+Successful completion of this call does not guarantee that
+.Xr gss_wrap 3
+will be able to protect a message of length max_input_size bytes,
+since this ability may depend on the availability of system resources
+at the time that
+.Xr gss_wrap 3
+is called.
+However, if the implementation itself imposes an upper limit on
+the length of messages that may be processed by gss_wrap,
+the implementation should not return a value via
+.Dv max_input_bytes
+that is greater than this length.
+.Sh PARAMETERS
+.Bl -tag
+.It minor_status
+Mechanism specific status code.
+.It context_handle
+A handle that refers to the security over which the messages will be sent.
+.It conf_req_flag
+Indicates whether
+.Xr gss_wrap 3
+will be asked to apply confidentiality protection
+in addition to integrity protection.
+.It qop_req
+Indicates the level of protection that
+.Xr gss_wrap 3
+will be asked to provide.
+.It req_output_size
+The desired maximum size for tokens emitted by
+.Xr gss_wrap 3 .
+.It max_input_size
+The maximum input message size that may be presented to
+.Xr gss_wrap 3
+in order to guarantee that the emitted token shall
+be no larger than
+.Dv req_output_size
+bytes.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion.
+.It GSS_S_NO_CONTEXT
+The referenced context could not be accessed.
+.It GSS_S_CONTEXT_EXPIRED
+The context has expired.
+.It GSS_S_BAD_QOP
+The specified QOP is not supported by the mechanism.
+.El
+.Sh SEE ALSO
+.Xr gss_wrap 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/gss_wrap_size_limit.c b/lib/libgssapi/gss_wrap_size_limit.c
new file mode 100644
index 000000000000..8abd52a12094
--- /dev/null
+++ b/lib/libgssapi/gss_wrap_size_limit.c
@@ -0,0 +1,47 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <gssapi/gssapi.h>
+
+#include "mech_switch.h"
+#include "context.h"
+
+OM_uint32
+gss_wrap_size_limit(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_output_size,
+ OM_uint32 *max_input_size)
+{
+ struct _gss_context *ctx = (struct _gss_context *) context_handle;
+ struct _gss_mech_switch *m = ctx->gc_mech;
+
+ return (m->gm_wrap_size_limit(minor_status, ctx->gc_ctx,
+ conf_req_flag, qop_req, req_output_size, max_input_size));
+}
diff --git a/lib/libgssapi/gssapi.3 b/lib/libgssapi/gssapi.3
new file mode 100644
index 000000000000..4eae06389e27
--- /dev/null
+++ b/lib/libgssapi/gssapi.3
@@ -0,0 +1,261 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.Dd November 30, 2005
+.Dt GSSAPI 3
+.Os
+.Sh NAME
+.Nm gssapi
+.Nd "Generic Security Services API"
+.Sh LIBRARY
+GSS-API Library (libgssapi, -lgssapi)
+.Sh SYNOPSIS
+.In gssapi/gssapi.h
+.Sh DESCRIPTION
+The Generic Security Service Application Programming Interface
+provides security services to its callers,
+and is intended for implementation atop a variety of underlying
+cryptographic mechanisms.
+Typically, GSS-API callers will be application protocols into which
+security enhancements are integrated through invocation of services
+provided by the GSS-API.
+The GSS-API allows a caller application to authenticate a principal
+identity associated with a peer application, to delegate rights to a
+peer,
+and to apply security services such as confidentiality and integrity
+on a per-message basis.
+.Pp
+There are four stages to using the GSS-API:
+.Pp
+.Bl -tag -width "a)"
+.It a)
+The application acquires a set of credentials with which it may prove
+its identity to other processes.
+The application's credentials vouch for its global identity,
+which may or may not be related to any local username under which it
+may be running.
+.It b)
+A pair of communicating applications establish a joint security
+context using their credentials.
+The security context is a pair of GSS-API data structures that contain
+shared state information, which is required in order that per-message
+security services may be provided.
+Examples of state that might be shared between applications as part of
+a security context are cryptographic keys,
+and message sequence numbers.
+As part of the establishment of a security context,
+the context initiator is authenticated to the responder,
+and may require that the responder is authenticated in turn.
+The initiator may optionally give the responder the right to initiate
+further security contexts,
+acting as an agent or delegate of the initiator.
+This transfer of rights is termed delegation,
+and is achieved by creating a set of credentials,
+similar to those used by the initiating application,
+but which may be used by the responder.
+.Pp
+To establish and maintain the shared information that makes up the
+security context,
+certain GSS-API calls will return a token data structure,
+which is an opaque data type that may contain cryptographically
+protected data.
+The caller of such a GSS-API routine is responsible for transferring
+the token to the peer application,
+encapsulated if necessary in an application protocol.
+On receipt of such a token, the peer application should pass it to a
+corresponding GSS-API routine which will decode the token and extract
+the information,
+updating the security context state information accordingly.
+.It c)
+Per-message services are invoked to apply either:
+.Pp
+integrity and data origin authentication, or confidentiality,
+integrity and data origin authentication to application data,
+which are treated by GSS-API as arbitrary octet-strings.
+An application transmitting a message that it wishes to protect will
+call the appropriate GSS-API routine (gss_get_mic or gss_wrap) to
+apply protection,
+specifying the appropriate security context,
+and send the resulting token to the receiving application.
+The receiver will pass the received token (and, in the case of data
+protected by gss_get_mic, the accompanying message-data) to the
+corresponding decoding routine (gss_verify_mic or gss_unwrap) to
+remove the protection and validate the data.
+.It d)
+At the completion of a communications session (which may extend across
+several transport connections),
+each application calls a GSS-API routine to delete the security
+context.
+Multiple contexts may also be used (either successively or
+simultaneously) within a single communications association, at the
+option of the applications.
+.El
+.Sh GSS-API ROUTINES
+This section lists the routines that make up the GSS-API,
+and offers a brief description of the purpose of each routine.
+.Pp
+GSS-API Credential-management Routines:
+.Bl -tag -width "gss_inquire_cred_by_mech"
+.It gss_acquire_cred
+Assume a global identity; Obtain a GSS-API credential handle for
+pre-existing credentials.
+.It gss_add_cred
+Construct credentials incrementally
+.It gss_inquire_cred
+Obtain information about a credential
+.It gss_inquire_cred_by_mech
+Obtain per-mechanism information about a credential.
+.It gss_release_cred
+Discard a credential handle.
+.El
+.Pp
+GSS-API Context-Level Routines:
+.Bl -tag -width "gss_inquire_cred_by_mech"
+.It gss_init_sec_context
+Initiate a security context with a peer application
+.It gss_accept_sec_context
+ Accept a security context initiated by a peer application
+.It gss_delete_sec_context
+Discard a security context
+.It gss_process_context_token
+Process a token on a security context from a peer application
+.It gss_context_time
+Determine for how long a context will remain valid
+.It gss_inquire_context
+Obtain information about a security context
+.It gss_wrap_size_limit
+Determine token-size limit for
+.Xr gss_wrap 3
+on a context
+.It gss_export_sec_context
+Transfer a security context to another process
+.It gss_import_sec_context
+Import a transferred context
+.El
+.Pp
+GSS-API Per-message Routines:
+.Bl -tag -width "gss_inquire_cred_by_mech"
+.It gss_get_mic
+Calculate a cryptographic message integrity code (MIC) for a message;
+integrity service
+.It gss_verify_mic
+Check a MIC against a message;
+verify integrity of a received message
+.It gss_wrap
+Attach a MIC to a message, and optionally encrypt the message content;
+confidentiality service
+.It gss_unwrap
+Verify a message with attached MIC, and decrypt message content if
+necessary.
+.El
+.Pp
+GSS-API Name manipulation Routines:
+.Bl -tag -width "gss_inquire_cred_by_mech"
+.It gss_import_name
+Convert a contiguous string name to internal-form
+.It gss_display_name
+Convert internal-form name to text
+.It gss_compare_name
+Compare two internal-form names
+.It gss_release_name
+Discard an internal-form name
+.It gss_inquire_names_for_mech
+List the name-types supported by the specified mechanism
+.It gss_inquire_mechs_for_name
+List mechanisms that support the specified name-type
+.It gss_canonicalize_name
+Convert an internal name to an MN
+.It gss_export_name
+Convert an MN to export form
+.It gss_duplicate_name
+Create a copy of an internal name
+.El
+.Pp
+GSS-API Miscellaneous Routines
+.Bl -tag -width "gss_inquire_cred_by_mech"
+.It gss_add_oid_set_member
+Add an object identifier to a set
+.It gss_display_status
+Convert a GSS-API status code to text
+.It gss_indicate_mechs
+Determine available underlying authentication mechanisms
+.It gss_release_buffer
+Discard a buffer
+.It gss_release_oid_set
+Discard a set of object identifiers
+.It gss_create_empty_oid_set
+Create a set containing no object identifiers
+.It gss_test_oid_set_member
+Determines whether an object identifier is a member of a set.
+.El
+.Pp
+Individual GSS-API implementations may augment these routines by
+providing additional mechanism-specific routines if required
+functionality is not available from the generic forms.
+Applications are encouraged to use the generic routines wherever
+possible on portability grounds.
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.El
+.Sh HISTORY
+The
+.Nm
+manual page first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
diff --git a/lib/libgssapi/mech.5 b/lib/libgssapi/mech.5
new file mode 100644
index 000000000000..1edcc1a846df
--- /dev/null
+++ b/lib/libgssapi/mech.5
@@ -0,0 +1,94 @@
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.Dd November 14, 2005
+.Dt MECH 5
+.Os
+.Sh NAME
+.Nm mech ,
+.Nm qop
+.Nd "GSS-API Mechanism and QOP files"
+.Sh SYNOPSIS
+.Pa "/etc/gss/mech"
+.Pa "/etc/gss/qop"
+.Sh DESCRIPTION
+The
+.Pa "/etc/gss/mech"
+file contains a list of installed GSS-API security mechanisms.
+Each line of the file either contains a comment if the first character
+is '#' or it contains five fields with the following meanings:
+.Bl -tag
+.It Name
+The name of this GSS-API mechanism.
+.It Object identifier
+The OID for this mechanism.
+.It Library
+A shared library containing the implementation of this mechanism.
+.It Kernel module (optional)
+A kernel module containing the implementation of this mechanism (not
+yet supported in FreeBSD).
+.It Library options (optional)
+Optionsal parameters interpreted by the mechanism. Library options
+must be enclosed in brackets ([ ]) to differentiate them from the
+optional kernel module entry.
+.El
+.Pp
+The
+.Pa "/etc/gss/qop"
+file contains a list of Quality of Protection values for use with
+GSS-API.
+Each line of the file either contains a comment if the first character
+is '#' or it contains three fields with the following meanings:
+.Bl -tag
+.It QOP string
+The name of this Quality of Protection algorithm.
+.It QOP value
+The numeric value used to select this algorithm for use with GSS-API
+functions such as
+.Xr gss_get_mic 3 .
+.It Mechanism name
+The GSS-API mechanism name that corresponds to this algorithm.
+.El
+.Sh EXAMPLES
+This is a typical entry from
+.Pa "/etc/gss/mech" :
+.Bd -literal
+kerberosv5 1.2.840.113554.1.2.2 /usr/lib/libgssapi_krb5.so.8 -
+.Ed
+.Pp
+This is a typical entry from
+.Pa "/etc/gss/qop" :
+.Bd -literal
+GSS_KRB5_CONF_C_QOP_DES 0x0100 kerberosv5
+.Ed
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+This
+manual page was written by
+.An Doug Rabson Aq dfr@FreeBSD.org .
diff --git a/lib/libgssapi/mech_switch.h b/lib/libgssapi/mech_switch.h
new file mode 100644
index 000000000000..4add12d8af10
--- /dev/null
+++ b/lib/libgssapi/mech_switch.h
@@ -0,0 +1,327 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/queue.h>
+
+typedef OM_uint32 _gss_acquire_cred_t
+ (OM_uint32 *, /* minor_status */
+ const gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ const gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 * /* time_rec */
+ );
+
+typedef OM_uint32 _gss_release_cred_t
+ (OM_uint32 *, /* minor_status */
+ gss_cred_id_t * /* cred_handle */
+ );
+
+typedef OM_uint32 _gss_init_sec_context_t
+ (OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* initiator_cred_handle */
+ gss_ctx_id_t *, /* context_handle */
+ const gss_name_t, /* target_name */
+ const gss_OID, /* mech_type */
+ OM_uint32, /* req_flags */
+ OM_uint32, /* time_req */
+ const gss_channel_bindings_t,
+ /* input_chan_bindings */
+ const gss_buffer_t, /* input_token */
+ gss_OID *, /* actual_mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 *, /* ret_flags */
+ OM_uint32 * /* time_rec */
+ );
+
+typedef OM_uint32 _gss_accept_sec_context_t
+ (OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ const gss_cred_id_t, /* acceptor_cred_handle */
+ const gss_buffer_t, /* input_token_buffer */
+ const gss_channel_bindings_t,
+ /* input_chan_bindings */
+ gss_name_t *, /* src_name */
+ gss_OID *, /* mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 *, /* ret_flags */
+ OM_uint32 *, /* time_rec */
+ gss_cred_id_t * /* delegated_cred_handle */
+ );
+
+typedef OM_uint32 _gss_process_context_token_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ const gss_buffer_t /* token_buffer */
+ );
+
+typedef OM_uint32 _gss_delete_sec_context_t
+ (OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t /* output_token */
+ );
+
+typedef OM_uint32 _gss_context_time_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ OM_uint32 * /* time_rec */
+ );
+
+typedef OM_uint32 _gss_get_mic_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ gss_qop_t, /* qop_req */
+ const gss_buffer_t, /* message_buffer */
+ gss_buffer_t /* message_token */
+ );
+
+typedef OM_uint32 _gss_verify_mic_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ const gss_buffer_t, /* message_buffer */
+ const gss_buffer_t, /* token_buffer */
+ gss_qop_t * /* qop_state */
+ );
+
+typedef OM_uint32 _gss_wrap_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ const gss_buffer_t, /* input_message_buffer */
+ int *, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+ );
+
+typedef OM_uint32 _gss_unwrap_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ const gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int *, /* conf_state */
+ gss_qop_t * /* qop_state */
+ );
+
+typedef OM_uint32 _gss_display_status_t
+ (OM_uint32 *, /* minor_status */
+ OM_uint32, /* status_value */
+ int, /* status_type */
+ const gss_OID, /* mech_type */
+ OM_uint32 *, /* message_context */
+ gss_buffer_t /* status_string */
+ );
+
+typedef OM_uint32 _gss_indicate_mechs_t
+ (OM_uint32 *, /* minor_status */
+ gss_OID_set * /* mech_set */
+ );
+
+typedef OM_uint32 _gss_compare_name_t
+ (OM_uint32 *, /* minor_status */
+ const gss_name_t, /* name1 */
+ const gss_name_t, /* name2 */
+ int * /* name_equal */
+ );
+
+typedef OM_uint32 _gss_display_name_t
+ (OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_buffer_t, /* output_name_buffer */
+ gss_OID * /* output_name_type */
+ );
+
+typedef OM_uint32 _gss_import_name_t
+ (OM_uint32 *, /* minor_status */
+ const gss_buffer_t, /* input_name_buffer */
+ const gss_OID, /* input_name_type */
+ gss_name_t * /* output_name */
+ );
+
+typedef OM_uint32 _gss_export_name_t
+ (OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_buffer_t /* exported_name */
+ );
+
+typedef OM_uint32 _gss_release_name_t
+ (OM_uint32 *, /* minor_status */
+ gss_name_t * /* input_name */
+ );
+
+typedef OM_uint32 _gss_inquire_cred_t
+ (OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* cred_handle */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* lifetime */
+ gss_cred_usage_t *, /* cred_usage */
+ gss_OID_set * /* mechanisms */
+ );
+
+typedef OM_uint32 _gss_inquire_context_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ gss_name_t *, /* src_name */
+ gss_name_t *, /* targ_name */
+ OM_uint32 *, /* lifetime_rec */
+ gss_OID *, /* mech_type */
+ OM_uint32 *, /* ctx_flags */
+ int *, /* locally_initiated */
+ int * /* open */
+ );
+
+typedef OM_uint32 _gss_wrap_size_limit_t
+ (OM_uint32 *, /* minor_status */
+ const gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ OM_uint32, /* req_output_size */
+ OM_uint32 * /* max_input_size */
+ );
+
+typedef OM_uint32 _gss_add_cred_t (
+ OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* input_cred_handle */
+ const gss_name_t, /* desired_name */
+ const gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t *, /* output_cred_handle */
+ gss_OID_set *, /* actual_mechs */
+ OM_uint32 *, /* initiator_time_rec */
+ OM_uint32 * /* acceptor_time_rec */
+ );
+
+typedef OM_uint32 _gss_inquire_cred_by_mech_t (
+ OM_uint32 *, /* minor_status */
+ const gss_cred_id_t, /* cred_handle */
+ const gss_OID, /* mech_type */
+ gss_name_t *, /* name */
+ OM_uint32 *, /* initiator_lifetime */
+ OM_uint32 *, /* acceptor_lifetime */
+ gss_cred_usage_t * /* cred_usage */
+ );
+
+typedef OM_uint32 _gss_export_sec_context_t (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t *, /* context_handle */
+ gss_buffer_t /* interprocess_token */
+ );
+
+typedef OM_uint32 _gss_import_sec_context_t (
+ OM_uint32 *, /* minor_status */
+ const gss_buffer_t, /* interprocess_token */
+ gss_ctx_id_t * /* context_handle */
+ );
+
+typedef OM_uint32 _gss_inquire_names_for_mech_t (
+ OM_uint32 *, /* minor_status */
+ const gss_OID, /* mechanism */
+ gss_OID_set * /* name_types */
+ );
+
+typedef OM_uint32 _gss_inquire_mechs_for_name_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ gss_OID_set * /* mech_types */
+ );
+
+typedef OM_uint32 _gss_canonicalize_name_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* input_name */
+ const gss_OID, /* mech_type */
+ gss_name_t * /* output_name */
+ );
+
+typedef OM_uint32 _gss_duplicate_name_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* src_name */
+ gss_name_t * /* dest_name */
+ );
+
+typedef OM_uint32 _gsskrb5_register_acceptor_identity (
+ const char * /* identity */
+ );
+
+typedef OM_uint32 _gss_krb5_copy_ccache (
+ OM_uint32 *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ struct krb5_ccache_data * /* out */
+ );
+
+typedef OM_uint32 _gss_krb5_compat_des3_mic (
+ OM_uint32 *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int /* flag */
+ );
+
+struct _gss_mech_switch {
+ SLIST_ENTRY(_gss_mech_switch) gm_link;
+ gss_OID_desc gm_mech_oid;
+ void *gm_so;
+ _gss_acquire_cred_t *gm_acquire_cred;
+ _gss_release_cred_t *gm_release_cred;
+ _gss_init_sec_context_t *gm_init_sec_context;
+ _gss_accept_sec_context_t *gm_accept_sec_context;
+ _gss_process_context_token_t *gm_process_context_token;
+ _gss_delete_sec_context_t *gm_delete_sec_context;
+ _gss_context_time_t *gm_context_time;
+ _gss_get_mic_t *gm_get_mic;
+ _gss_verify_mic_t *gm_verify_mic;
+ _gss_wrap_t *gm_wrap;
+ _gss_unwrap_t *gm_unwrap;
+ _gss_display_status_t *gm_display_status;
+ _gss_indicate_mechs_t *gm_indicate_mechs;
+ _gss_compare_name_t *gm_compare_name;
+ _gss_display_name_t *gm_display_name;
+ _gss_import_name_t *gm_import_name;
+ _gss_export_name_t *gm_export_name;
+ _gss_release_name_t *gm_release_name;
+ _gss_inquire_cred_t *gm_inquire_cred;
+ _gss_inquire_context_t *gm_inquire_context;
+ _gss_wrap_size_limit_t *gm_wrap_size_limit;
+ _gss_add_cred_t *gm_add_cred;
+ _gss_inquire_cred_by_mech_t *gm_inquire_cred_by_mech;
+ _gss_export_sec_context_t *gm_export_sec_context;
+ _gss_import_sec_context_t *gm_import_sec_context;
+ _gss_inquire_names_for_mech_t *gm_inquire_names_for_mech;
+ _gss_inquire_mechs_for_name_t *gm_inquire_mechs_for_name;
+ _gss_canonicalize_name_t *gm_canonicalize_name;
+ _gss_duplicate_name_t *gm_duplicate_name;
+ _gsskrb5_register_acceptor_identity *gm_krb5_register_acceptor_identity;
+ _gss_krb5_copy_ccache *gm_krb5_copy_ccache;
+ _gss_krb5_compat_des3_mic *gm_krb5_compat_des3_mic;
+};
+SLIST_HEAD(_gss_mech_switch_list, _gss_mech_switch);
+extern struct _gss_mech_switch_list _gss_mechs;
+extern gss_OID_set _gss_mech_oids;
+
+extern void _gss_load_mech(void);
+extern struct _gss_mech_switch *_gss_find_mech_switch(gss_OID);
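Review bot: `struct krb5_ccache_data *` first appears inside the parameter list of the `_gss_krb5_copy_ccache` typedef, which gives the tag prototype scope and draws the "declared inside parameter list will not be visible outside" warning from GCC; a one-line `struct krb5_ccache_data;` forward declaration before that typedef fixes it. The header also has no include guard and none of its own includes for the gssapi types it uses (`OM_uint32`, `gss_OID_desc`, `gss_cred_id_t`, ...), so it only compiles when the gssapi header is included first; an include guard and a comment stating that prerequisite would make the dependency explicit. The last three `gm_krb5_*` slots (and the `_gsskrb5_register_acceptor_identity` typedef, the only one without the `_t` suffix) are mechanism-specific, and nothing here says whether a non-Kerberos plugin leaves them unset; since these function pointers are filled from shared objects named in /etc/gss/mech, I would add above them `/* Kerberos-specific extensions; presumably NULL for mechanisms that do not export them -- callers must check before dispatching through them. */`, with the NULL behaviour confirmed against the loader.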
diff --git a/lib/libgssapi/name.h b/lib/libgssapi/name.h
new file mode 100644
index 000000000000..a64d5d91e728
--- /dev/null
+++ b/lib/libgssapi/name.h
@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/queue.h>
+
+struct _gss_mechanism_name {
+ SLIST_ENTRY(_gss_mechanism_name) gmn_link;
+ struct _gss_mech_switch *gmn_mech; /* mechanism ops for MN */
+ gss_OID gmn_mech_oid; /* mechanism oid for MN */
+ gss_name_t gmn_name; /* underlying MN */
+};
+SLIST_HEAD(_gss_mechanism_name_list, _gss_mechanism_name);
+
+struct _gss_name {
+ gss_OID_desc gn_type; /* type of name */
+ gss_buffer_desc gn_value; /* value (as imported) */
+ struct _gss_mechanism_name_list gn_mn; /* list of MNs */
+};
+
+extern struct _gss_mechanism_name *
+ _gss_find_mn(struct _gss_name *name, gss_OID mech);
+struct _gss_name *
+ _gss_make_name(struct _gss_mech_switch *m, gss_name_t new_mn);
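Review bot: `_gss_make_name` is declared without `extern` while `_gss_find_mn` directly above it carries it; for consistency the second prototype should read `extern struct _gss_name *` as well. The struct comments name the fields but not ownership: `gn_value` is described as "value (as imported)" without saying whether the name owns a copy of the imported buffer, and `gn_mn` does not say who frees the `_gss_mechanism_name` entries and their `gmn_name` handles. I would extend the two comments along the lines of `/* value (as imported); presumably an owned copy, released with the name -- confirm */` and `/* list of MNs; presumably released via each gmn_mech when the name is freed -- confirm */`, since the release path is outside this header.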
diff --git a/lib/libgssapi/spnego.h b/lib/libgssapi/spnego.h
new file mode 100644
index 000000000000..8b2e22d537f2
--- /dev/null
+++ b/lib/libgssapi/spnego.h
@@ -0,0 +1,34 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+typedef xder_OID MechType;
+
+typedef struct {
+ size_t MechTypeList_len;
+ MechType *MechTypeList_val;
+} MechTypeList;
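Review bot: The header is not self-contained: it uses `size_t` without `#include <stddef.h>` and `xder_OID` without any include or forward declaration, so it compiles only if the including file happens to pull both in first. Adding `#include <stddef.h>` and a comment naming where `xder_OID` is expected to come from (it is not defined anywhere visible in this commit's headers) would make the requirement explicit, and the file would benefit from the same include guard the other new headers also lack. A one-line comment above `MechTypeList` saying it is the SPNEGO mechanism-list (the `MechTypeList` of the negotiation token) would also help a reader who does not know the name from the RFC.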
diff --git a/lib/libgssapi/utils.h b/lib/libgssapi/utils.h
new file mode 100644
index 000000000000..46edb9d4a25a
--- /dev/null
+++ b/lib/libgssapi/utils.h
@@ -0,0 +1,32 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+extern int _gss_oid_equal(const gss_OID, const gss_OID);
+extern OM_uint32 _gss_copy_oid(OM_uint32 *, const gss_OID, gss_OID);
+extern OM_uint32 _gss_copy_buffer(OM_uint32 *minor_status,
+ const gss_buffer_t from_buf, gss_buffer_t to_buf);
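Review bot: The first two prototypes drop their parameter names while `_gss_copy_buffer` keeps them, which matters here because `_gss_copy_oid` takes two `gss_OID` arguments whose direction is only clear from the names; I would write `extern int _gss_oid_equal(const gss_OID oid1, const gss_OID oid2);` and `extern OM_uint32 _gss_copy_oid(OM_uint32 *minor_status, const gss_OID from_oid, gss_OID to_oid);`. The header also states nothing about what the two copy helpers allocate; if they allocate into the destination (which is what the minor_status/OM_uint32 shape suggests but this header does not show), a comment saying the caller owns and releases the result would prevent leaks at the call sites. `_gss_oid_equal` returning `int` would likewise benefit from a comment stating what non-zero means, hedged until checked against the implementation.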