krb5_error_code
encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
+static OM_uint32
+gssDisplayName(OM_uint32 *minor,
+ gss_name_t name,
+ gss_buffer_t buffer,
+ gss_OID *name_type);
+
+static OM_uint32
+gssImportName(OM_uint32 *minor,
+ gss_buffer_t buffer,
+ gss_OID name_type,
+ gss_name_t *name);
+
static krb5_error_code
getAcceptorKey(krb5_context krbContext,
gss_ctx_id_t ctx,
if (code != 0)
goto cleanup;
} else {
+ /*
+ * It's not clear that looking encrypting the ticket in the
+ * requested EAP enctype provides any value.
+ */
code = krb5_kt_start_seq_get(krbContext, keytab, &cursor);
if (code != 0)
goto cleanup;
return major;
}
+/*
+ * Fabricate a ticket to ourselves given a GSS EAP context.
+ */
OM_uint32
gssEapMakeReauthCreds(OM_uint32 *minor,
gss_ctx_id_t ctx,
enc_part.client = ctx->initiatorName->krbPrincipal;
enc_part.times.authtime = time(NULL);
enc_part.times.starttime = enc_part.times.authtime;
- enc_part.times.endtime = ctx->expiryTime
+ enc_part.times.endtime = (ctx->expiryTime != 0)
? ctx->expiryTime
: KRB5_INT32_MAX;
enc_part.times.renew_till = 0;
return FALSE;
}
+/*
+ * Returns TRUE if the configuration variable reauth_use_ccache is
+ * set in krb5.conf for the eap_gss application and the client realm.
+ */
+static int
+reauthUseCredsCache(krb5_context krbContext,
+ krb5_principal principal)
+{
+ int reauthUseCCache;
+
+ /* if reauth_use_ccache, use default credentials cache if ticket is for us */
+ krb5_appdefault_boolean(krbContext, "eap_gss",
+ krb5_princ_realm(krbContext, principal),
+ "reauth_use_ccache", 0, &reauthUseCCache);
+
+ return reauthUseCCache;
+}
+
+/*
+ * Look in default credentials cache for reauthentication credentials,
+ * if policy allows.
+ */
+static OM_uint32
+getDefaultReauthCredentials(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_name_t target,
+ time_t now,
+ OM_uint32 timeReq)
+{
+ OM_uint32 major = GSS_S_CRED_UNAVAIL;
+ krb5_context krbContext = NULL;
+ krb5_error_code code;
+ krb5_ccache ccache = NULL;
+ krb5_creds match = { 0 };
+ krb5_creds creds = { 0 };
+
+ GSSEAP_KRB_INIT(&krbContext);
+
+ assert(cred != GSS_C_NO_CREDENTIAL);
+ assert(target != GSS_C_NO_NAME);
+
+ if (cred->name == GSS_C_NO_NAME ||
+ !reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
+ goto cleanup;
+
+ match.client = cred->name->krbPrincipal;
+ match.server = target->krbPrincipal;
+ if (timeReq != 0 && timeReq != GSS_C_INDEFINITE)
+ match.times.endtime = now + timeReq;
+
+ code = krb5_cc_default(krbContext, &ccache);
+ if (code != 0)
+ goto cleanup;
+
+ code = krb5_cc_retrieve_cred(krbContext, ccache, 0, &match, &creds);
+ if (code != 0)
+ goto cleanup;
+
+ cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
+ cred->krbCredCache = ccache;
+ ccache = NULL;
+
+ major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
+ &cred->krbCred);
+
+cleanup:
+ if (major == GSS_S_CRED_UNAVAIL)
+ *minor = code;
+
+ if (ccache != NULL)
+ krb5_cc_close(krbContext, ccache);
+ krb5_free_cred_contents(krbContext, &creds);
+
+ return major;
+}
+
+/*
+ * Returns TRUE if the credential handle's reauth credentials are
+ * valid or if we can use the default credentials cache. Credentials
+ * handle must be locked.
+ */
+int
+gssEapCanReauthP(gss_cred_id_t cred,
+ gss_name_t target,
+ OM_uint32 timeReq)
+{
+ time_t now, expiryReq;
+ OM_uint32 minor;
+
+ assert(cred != GSS_C_NO_CREDENTIAL);
+
+ now = time(NULL);
+ expiryReq = now;
+ if (timeReq != GSS_C_INDEFINITE)
+ expiryReq += timeReq;
+
+ if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq)
+ return TRUE;
+
+ if (getDefaultReauthCredentials(&minor, cred, target,
+ now, timeReq) == GSS_S_COMPLETE)
+ return TRUE;
+
+ return FALSE;
+}
+
+/*
+ * Store re-authentication (Kerberos) credentials in a credential handle.
+ * Credentials handle must be locked.
+ */
OM_uint32
gssEapStoreReauthCreds(OM_uint32 *minor,
gss_ctx_id_t ctx,
gss_cred_id_t cred,
gss_buffer_t credBuf)
{
- OM_uint32 major = GSS_S_COMPLETE, code;
+ OM_uint32 major = GSS_S_COMPLETE;
+ krb5_error_code code;
krb5_context krbContext = NULL;
krb5_auth_context authContext = NULL;
krb5_data credData = { 0 };
krb5_creds **creds = NULL;
krb5_principal canonPrinc;
+ krb5_principal ccPrinc = NULL;
int i;
if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
krb5_free_principal(krbContext, cred->name->krbPrincipal);
cred->name->krbPrincipal = canonPrinc;
- cred->expiryTime = creds[0]->times.endtime;
+ if (creds[0]->times.endtime == KRB5_INT32_MAX)
+ cred->expiryTime = 0;
+ else
+ cred->expiryTime = creds[0]->times.endtime;
- code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
- if (code != 0)
- goto cleanup;
+ if (cred->krbCredCache == NULL) {
+ if (reauthUseCredsCache(krbContext, creds[0]->client) &&
+ krb5_cc_default(krbContext, &cred->krbCredCache) == 0)
+ cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
+ } else {
+ /*
+ * If we already have an associated credentials cache, possibly from
+ * the last time we stored a reauthentication credential, then we
+ * need to clear it out and release the associated GSS credential.
+ */
+ if (cred->flags & CRED_FLAG_DEFAULT_CCACHE) {
+ krb5_cc_remove_cred(krbContext, cred->krbCredCache, 0, creds[0]);
+ } else {
+ krb5_cc_destroy(krbContext, cred->krbCredCache);
+ cred->krbCredCache = NULL;
+ }
+ gssReleaseCred(minor, &cred->krbCred);
+ }
- code = krb5_cc_initialize(krbContext, cred->krbCredCache,
- creds[0]->client);
- if (code != 0)
- goto cleanup;
+ if (cred->krbCredCache == NULL) {
+ code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
+ if (code != 0)
+ goto cleanup;
+ }
+
+ if ((cred->flags & CRED_FLAG_DEFAULT_CCACHE) == 0 ||
+ krb5_cc_get_principal(krbContext, cred->krbCredCache, &ccPrinc) != 0) {
+ code = krb5_cc_initialize(krbContext, cred->krbCredCache,
+ creds[0]->client);
+ if (code != 0)
+ goto cleanup;
+ }
for (i = 0; creds[i] != NULL; i++) {
krb5_creds kcred = *(creds[i]);
goto cleanup;
}
- /*
- * To turn a credentials cache into a GSS credentials handle, we
- * require the gss_krb5_import_cred() API (present in Heimdal, but
- * not shipped in MIT yet).
- */
major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
&cred->krbCred);
if (GSS_ERROR(major))
cleanup:
*minor = code;
+ krb5_free_principal(krbContext, ccPrinc);
krb5_auth_con_free(krbContext, authContext);
if (creds != NULL) {
for (i = 0; creds[i] != NULL; i++)
krb5_free_creds(krbContext, creds[i]);
+ GSSEAP_FREE(creds);
}
if (major == GSS_S_COMPLETE)
major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
return major;
}
+static gss_buffer_desc radiusAvpKrbAttr = {
+ sizeof("urn:authdata-radius-avp") - 1, "urn:authdata-radius-avp"
+};
+
+/*
+ * Unfortunately extracting an AD-KDCIssued authorization data element
+ * is pretty implementation-dependent. It's not possible to verify the
+ * signature ourselves because the ticket session key is not exposed
+ * outside GSS. In an ideal world, all AD-KDCIssued elements would be
+ * verified by the Kerberos library and authentication would fail if
+ * verification failed. We're not quite there yet and as a result have
+ * to go through some hoops to get this to work. The alternative would
+ * be to sign the authorization data with our long-term key, but it
+ * seems a pity to compromise the design because of current implementation
+ * limitations.
+ *
+ * (Specifically, the hoops involve a libkrb5 authorisation data plugin
+ * that exposes the verified and serialised attribute context through
+ * the Kerberos GSS mechanism's naming extensions API.)
+ */
+static OM_uint32
+defrostAttrContext(OM_uint32 *minor,
+ gss_name_t glueName,
+ gss_name_t mechName)
+{
+ OM_uint32 major, tmpMinor;
+ gss_buffer_desc authData = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc authDataDisplay = GSS_C_EMPTY_BUFFER;
+ int more = -1;
+ int authenticated, complete;
+
+ major = gssGetNameAttribute(minor, glueName, &radiusAvpKrbAttr,
+ &authenticated, &complete,
+ &authData, &authDataDisplay, &more);
+ if (major == GSS_S_COMPLETE) {
+ if (authenticated == 0)
+ major = GSS_S_BAD_NAME;
+ else
+ major = gssEapImportAttrContext(minor, &authData, mechName);
+ } else if (major == GSS_S_UNAVAILABLE) {
+ major = GSS_S_COMPLETE;
+ }
+
+ gss_release_buffer(&tmpMinor, &authData);
+ gss_release_buffer(&tmpMinor, &authDataDisplay);
+
+ return major;
+}
+
+/*
+ * Convert a mechanism glue to an EAP mechanism name by displaying and
+ * importing it. This also handles the RADIUS attributes.
+ */
+OM_uint32
+gssEapGlueToMechName(OM_uint32 *minor,
+ gss_name_t glueName,
+ gss_name_t *pMechName)
+{
+ OM_uint32 major, tmpMinor;
+ gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
+
+ *pMechName = GSS_C_NO_NAME;
+
+ major = gssDisplayName(minor, glueName, &nameBuf, NULL);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
+ pMechName);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = defrostAttrContext(minor, glueName, *pMechName);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+cleanup:
+ if (GSS_ERROR(major)) {
+ gssReleaseName(&tmpMinor, pMechName);
+ *pMechName = GSS_C_NO_NAME;
+ }
+
+ gss_release_buffer(&tmpMinor, &nameBuf);
+
+ return major;
+}
+
+/*
+ * Convert an EAP mechanism name to a mechanism glue name by displaying
+ * and importing it.
+ */
+OM_uint32
+gssEapMechToGlueName(OM_uint32 *minor,
+ gss_name_t mechName,
+ gss_name_t *pGlueName)
+{
+ OM_uint32 major, tmpMinor;
+ gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
+
+ *pGlueName = GSS_C_NO_NAME;
+
+ major = gssEapDisplayName(minor, mechName, &nameBuf, NULL);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = gssImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
+ pGlueName);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+cleanup:
+ gss_release_buffer(&tmpMinor, &nameBuf);
+
+ return major;
+}
+
+/*
+ * Suck out the analgous elements of a Kerberos GSS context into an EAP
+ * one so that the application doesn't know the difference.
+ */
+OM_uint32
+gssEapReauthComplete(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ gss_cred_id_t cred,
+ const gss_OID mech,
+ OM_uint32 timeRec)
+{
+ OM_uint32 major, tmpMinor;
+ gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET;
+
+ if (!oidEqual(mech, gss_mech_krb5)) {
+ major = GSS_S_BAD_MECH;
+ goto cleanup;
+ }
+
+ /* Get the raw subsession key and encryption type*/
+ major = gssInquireSecContextByOid(minor, ctx->kerberosCtx,
+ GSS_C_INQ_SSPI_SESSION_KEY, &keyData);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ {
+ gss_OID_desc oid;
+ int suffix;
+
+ oid.length = keyData->elements[1].length;
+ oid.elements = keyData->elements[1].value;
+
+ /* GSS_KRB5_SESSION_KEY_ENCTYPE_OID */
+ major = decomposeOid(minor,
+ "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04",
+ 10, &oid, &suffix);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ ctx->encryptionType = suffix;
+ }
+
+ {
+ krb5_context krbContext = NULL;
+ krb5_keyblock key;
+
+ GSSEAP_KRB_INIT(&krbContext);
+
+ KRB_KEY_LENGTH(&key) = keyData->elements[0].length;
+ KRB_KEY_DATA(&key) = keyData->elements[0].value;
+ KRB_KEY_TYPE(&key) = ctx->encryptionType;
+
+ *minor = krb5_copy_keyblock_contents(krbContext,
+ &key, &ctx->rfc3961Key);
+ if (*minor != 0) {
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
+ }
+
+ major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key,
+ &ctx->checksumType);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ if (timeRec != GSS_C_INDEFINITE)
+ ctx->expiryTime = time(NULL) + timeRec;
+
+ /* Initialize our sequence state */
+ major = sequenceInit(minor,
+ &ctx->seqState, ctx->recvSeq,
+ ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0),
+ ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0),
+ TRUE);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = GSS_S_COMPLETE;
+
+cleanup:
+ gss_release_buffer_set(&tmpMinor, &keyData);
+
+ return major;
+}
+
+/*
+ * The remainder of this file consists of wrappers so we can call into the
+ * mechanism glue without calling ourselves.
+ */
static OM_uint32
(*gssInitSecContextNext)(OM_uint32 *,
gss_cred_id_t,
OM_uint32
gssEapReauthInitialize(OM_uint32 *minor)
{
- NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context");
- NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context");
- NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred");
- NEXT_SYMBOL(gssReleaseNameNext, "gss_release_name");
- NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid");
- NEXT_SYMBOL(gssDeleteSecContextNext, "gss_delete_sec_context");
- NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name");
- NEXT_SYMBOL(gssImportNameNext, "gss_import_name");
- NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred");
- NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute");
+ NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context");
+ NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context");
+ NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred");
+ NEXT_SYMBOL(gssReleaseNameNext, "gss_release_name");
+ NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid");
+ NEXT_SYMBOL(gssDeleteSecContextNext, "gss_delete_sec_context");
+ NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name");
+ NEXT_SYMBOL(gssImportNameNext, "gss_import_name");
+ NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred");
+ NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute");
return GSS_S_COMPLETE;
}
return gssGetNameAttributeNext(minor, name, attr, authenticated, complete,
value, display_value, more);
}
-
-static gss_buffer_desc radiusAvpKrbAttr = {
- sizeof("urn:authdata-radius-avp") - 1, "urn:authdata-radius-avp"
-};
-
-/*
- * Unfortunately extracting an AD-KDCIssued authorization data element
- * is pretty implementation-dependent. It's not possible to verify the
- * signature ourselves because the ticket session key is not exposed
- * outside GSS. In an ideal world, all AD-KDCIssued elements would be
- * verified by the Kerberos library and authentication would fail if
- * verification failed. We're not quite there yet and as a result have
- * to go through some hoops to get this to work. The alternative would
- * be to sign the authorization data with our long-term key, but it
- * seems a pity to compromise the design because of current implementation
- * limitations.
- *
- * (Specifically, the hoops involve a libkrb5 authorisation data plugin
- * that exposes the verified and serialised attribute context through
- * the Kerberos GSS mechanism's naming extensions API.)
- */
-static OM_uint32
-defrostAttrContext(OM_uint32 *minor,
- gss_name_t glueName,
- gss_name_t mechName)
-{
- OM_uint32 major, tmpMinor;
- gss_buffer_desc authData = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc authDataDisplay = GSS_C_EMPTY_BUFFER;
- int more = -1;
- int authenticated, complete;
-
- major = gssGetNameAttribute(minor, glueName, &radiusAvpKrbAttr,
- &authenticated, &complete,
- &authData, &authDataDisplay, &more);
- if (major == GSS_S_COMPLETE) {
- if (authenticated == 0)
- major = GSS_S_BAD_NAME;
- else
- major = gssEapImportAttrContext(minor, &authData, mechName);
- } else if (major == GSS_S_UNAVAILABLE) {
- major = GSS_S_COMPLETE;
- }
-
- gss_release_buffer(&tmpMinor, &authData);
- gss_release_buffer(&tmpMinor, &authDataDisplay);
-
- return major;
-}
-
-OM_uint32
-gssEapGlueToMechName(OM_uint32 *minor,
- gss_name_t glueName,
- gss_name_t *pMechName)
-{
- OM_uint32 major, tmpMinor;
- gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
-
- *pMechName = GSS_C_NO_NAME;
-
- major = gssDisplayName(minor, glueName, &nameBuf, NULL);
- if (GSS_ERROR(major))
- goto cleanup;
-
- major = gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
- pMechName);
- if (GSS_ERROR(major))
- goto cleanup;
-
- major = defrostAttrContext(minor, glueName, *pMechName);
- if (GSS_ERROR(major))
- goto cleanup;
-
-cleanup:
- if (GSS_ERROR(major)) {
- gssReleaseName(&tmpMinor, pMechName);
- *pMechName = GSS_C_NO_NAME;
- }
-
- gss_release_buffer(&tmpMinor, &nameBuf);
-
- return major;
-}
-
-OM_uint32
-gssEapMechToGlueName(OM_uint32 *minor,
- gss_name_t mechName,
- gss_name_t *pGlueName)
-{
- OM_uint32 major, tmpMinor;
- gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
-
- *pGlueName = GSS_C_NO_NAME;
-
- major = gssEapDisplayName(minor, mechName, &nameBuf, NULL);
- if (GSS_ERROR(major))
- goto cleanup;
-
- major = gssImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
- pGlueName);
- if (GSS_ERROR(major))
- goto cleanup;
-
-cleanup:
- gss_release_buffer(&tmpMinor, &nameBuf);
-
- return major;
-}
-
-/*
- * Suck out the analgous elements of a Kerberos GSS context into an EAP
- * one so that the application doesn't know the difference.
- */
-OM_uint32
-gssEapReauthComplete(OM_uint32 *minor,
- gss_ctx_id_t ctx,
- gss_cred_id_t cred,
- const gss_OID mech,
- OM_uint32 timeRec)
-{
- OM_uint32 major, tmpMinor;
- gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET;
-
- if (!oidEqual(mech, gss_mech_krb5)) {
- major = GSS_S_BAD_MECH;
- goto cleanup;
- }
-
- /* Get the raw subsession key and encryptino type*/
- major = gssInquireSecContextByOid(minor, ctx->kerberosCtx,
- GSS_C_INQ_SSPI_SESSION_KEY, &keyData);
- if (GSS_ERROR(major))
- goto cleanup;
-
- {
- gss_OID_desc oid;
- int suffix;
-
- oid.length = keyData->elements[1].length;
- oid.elements = keyData->elements[1].value;
-
- /* GSS_KRB5_SESSION_KEY_ENCTYPE_OID */
- major = decomposeOid(minor,
- "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04",
- 10, &oid, &suffix);
- if (GSS_ERROR(major))
- goto cleanup;
-
- ctx->encryptionType = suffix;
- }
-
- {
- krb5_context krbContext = NULL;
- krb5_keyblock key;
-
- GSSEAP_KRB_INIT(&krbContext);
-
- KRB_KEY_LENGTH(&key) = keyData->elements[0].length;
- KRB_KEY_DATA(&key) = keyData->elements[0].value;
- KRB_KEY_TYPE(&key) = ctx->encryptionType;
-
- *minor = krb5_copy_keyblock_contents(krbContext,
- &key, &ctx->rfc3961Key);
- if (*minor != 0) {
- major = GSS_S_FAILURE;
- goto cleanup;
- }
- }
-
- major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key,
- &ctx->checksumType);
- if (GSS_ERROR(major))
- goto cleanup;
-
- if (timeRec != GSS_C_INDEFINITE)
- ctx->expiryTime = time(NULL) + timeRec;
-
- major = sequenceInit(minor,
- &ctx->seqState, ctx->recvSeq,
- ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0),
- ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0),
- TRUE);
- if (GSS_ERROR(major))
- goto cleanup;
-
- major = GSS_S_COMPLETE;
-
-cleanup:
- gss_release_buffer_set(&tmpMinor, &keyData);
-
- return major;
-}