X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2Futil_reauth.c;h=6c665705bbdcf5e4a12fb3f374471902c16fda0e;hb=e82fcf22c3b6961beae883fc66bf4567896b7c4b;hp=141ee77f9a46b2101f97f35c15e3aa4b18c704c9;hpb=099caae05ed44afbdc3d2ad8f69f9c820b274fac;p=moonshot.git diff --git a/mech_eap/util_reauth.c b/mech_eap/util_reauth.c index 141ee77..6c66570 100644 --- a/mech_eap/util_reauth.c +++ b/mech_eap/util_reauth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, JANET(UK) + * Copyright (c) 2011, JANET(UK) * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -70,10 +70,11 @@ getAcceptorKey(krb5_context krbContext, krb5_error_code code; krb5_keytab keytab = NULL; krb5_keytab_entry ktent = { 0 }; - krb5_kt_cursor cursor = NULL; + krb5_kt_cursor cursor; *princ = NULL; memset(key, 0, sizeof(*key)); + memset(&cursor, 0, sizeof(cursor)); code = krb5_kt_default(krbContext, &keytab); if (code != 0) @@ -96,25 +97,24 @@ getAcceptorKey(krb5_context krbContext, while ((code = krb5_kt_next_entry(krbContext, keytab, &ktent, &cursor)) == 0) { - if (ktent.key.enctype == ctx->encryptionType) + if (KRB_KEY_TYPE(KRB_KT_ENT_KEYBLOCK(&ktent)) == ctx->encryptionType) break; else - krb5_free_keytab_entry_contents(krbContext, &ktent); + KRB_KT_ENT_FREE(krbContext, &ktent); } } if (code == 0) { *princ = ktent.principal; - *key = ktent.key; + *key = *KRB_KT_ENT_KEYBLOCK(&ktent); } cleanup: if (cred == GSS_C_NO_CREDENTIAL || cred->name == GSS_C_NO_NAME) krb5_kt_end_seq_get(krbContext, keytab, &cursor); krb5_kt_close(krbContext, keytab); - if (code != 0) - krb5_free_keytab_entry_contents(krbContext, &ktent); + KRB_KT_ENT_FREE(krbContext, &ktent); return code; } @@ -124,13 +124,25 @@ freezeAttrContext(OM_uint32 *minor, gss_name_t initiatorName, krb5_const_principal acceptorPrinc, krb5_keyblock *session, - krb5_authdata ***authdata) +#ifdef HAVE_HEIMDAL_VERSION + krb5_authdata *kdcIssuedAuthData +#else + krb5_authdata ***kdcIssuedAuthData +#endif + ) { OM_uint32 major, tmpMinor; krb5_error_code code; + krb5_context krbContext; gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER; +#ifdef HAVE_HEIMDAL_VERSION + krb5_authdata authDataBuf, *authData = &authDataBuf; + AuthorizationDataElement authDatum = { 0 }; +#else krb5_authdata *authData[2], authDatum = { 0 }; - krb5_context krbContext; +#endif + + memset(kdcIssuedAuthData, 0, sizeof(*kdcIssuedAuthData)); GSSEAP_KRB_INIT(&krbContext); @@ -139,13 +151,20 @@ freezeAttrContext(OM_uint32 *minor, return major; authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP; +#ifdef HAVE_HEIMDAL_VERSION + authDatum.ad_data.length = attrBuf.length; + authDatum.ad_data.data = attrBuf.value; + authData->len = 1; + authData->val = &authDatum; +#else authDatum.length = attrBuf.length; authDatum.contents = attrBuf.value; authData[0] = &authDatum; authData[1] = NULL; +#endif - code = krb5_make_authdata_kdc_issued(krbContext, session, acceptorPrinc, - authData, authdata); + code = krbMakeAuthDataKdcIssued(krbContext, session, acceptorPrinc, + authData, kdcIssuedAuthData); if (code != 0) { major = GSS_S_FAILURE; *minor = code; @@ -170,53 +189,110 @@ gssEapMakeReauthCreds(OM_uint32 *minor, OM_uint32 major = GSS_S_COMPLETE; krb5_error_code code; krb5_context krbContext = NULL; - krb5_ticket ticket = { 0 }; krb5_keyblock session = { 0 }, acceptorKey = { 0 }; - krb5_enc_tkt_part enc_part = { 0 }; - krb5_data *ticketData = NULL, *credsData = NULL; + krb5_principal server = NULL; +#ifdef HAVE_HEIMDAL_VERSION + Ticket ticket; + EncTicketPart enc_part; + AuthorizationData authData = { 0 }; + krb5_crypto krbCrypto = NULL; + krb5_data ticketData = { 0 }; + krb5_data encPartData = { 0 }; + size_t len; +#else + krb5_ticket ticket; + krb5_enc_tkt_part enc_part; + krb5_data *ticketData = NULL; +#endif + krb5_data credsData = { 0 }; krb5_creds creds = { 0 }; krb5_auth_context authContext = NULL; + memset(&ticket, 0, sizeof(ticket)); + memset(&enc_part, 0, sizeof(enc_part)); + credBuf->length = 0; credBuf->value = NULL; GSSEAP_KRB_INIT(&krbContext); - code = getAcceptorKey(krbContext, ctx, cred, - &ticket.server, &acceptorKey); - if (code == KRB5_KT_NOTFOUND) { - gss_buffer_desc emptyToken = { 0, "" }; - - /* - * If we can't produce the KRB-CRED message, we need to - * return an empty (not NULL) token to the caller so we - * don't change the number of authentication legs. - */ - return duplicateBuffer(minor, &emptyToken, credBuf); - } else if (code != 0) - goto cleanup; - - enc_part.flags = TKT_FLG_INITIAL; + code = getAcceptorKey(krbContext, ctx, cred, &server, &acceptorKey); + if (code != 0) { + *minor = code; + return GSS_S_UNAVAILABLE; + } /* * Generate a random session key to place in the ticket and * sign the "KDC-Issued" authorization data element. */ +#ifdef HAVE_HEIMDAL_VERSION + ticket.realm = server->realm; + ticket.sname = server->name; + + code = krb5_generate_random_keyblock(krbContext, ctx->encryptionType, + &session); + if (code != 0) + goto cleanup; + + enc_part.flags.initial = 1; + enc_part.key = session; + enc_part.crealm = ctx->initiatorName->krbPrincipal->realm; + enc_part.cname = ctx->initiatorName->krbPrincipal->name; + enc_part.authtime = time(NULL); + enc_part.starttime = &enc_part.authtime; + enc_part.endtime = (ctx->expiryTime != 0) + ? ctx->expiryTime : KRB_TIME_FOREVER; + enc_part.renew_till = NULL; + enc_part.authorization_data = &authData; + + major = freezeAttrContext(minor, ctx->initiatorName, server, + &session, &authData); + if (GSS_ERROR(major)) + goto cleanup; + + ASN1_MALLOC_ENCODE(EncTicketPart, encPartData.data, encPartData.length, + &enc_part, &len, code); + if (code != 0) + goto cleanup; + + code = krb5_crypto_init(krbContext, &acceptorKey, 0, &krbCrypto); + if (code != 0) + goto cleanup; + + code = krb5_encrypt_EncryptedData(krbContext, + krbCrypto, + KRB5_KU_TICKET, + encPartData.data, + encPartData.length, + 0, + &ticket.enc_part); + if (code != 0) + goto cleanup; + + ASN1_MALLOC_ENCODE(Ticket, ticketData.data, ticketData.length, + &ticket, &len, code); + if (code != 0) + goto cleanup; +#else + ticket.server = server; + code = krb5_c_make_random_key(krbContext, ctx->encryptionType, &session); if (code != 0) goto cleanup; + enc_part.flags = TKT_FLG_INITIAL; enc_part.session = &session; enc_part.client = ctx->initiatorName->krbPrincipal; enc_part.times.authtime = time(NULL); enc_part.times.starttime = enc_part.times.authtime; enc_part.times.endtime = (ctx->expiryTime != 0) ? ctx->expiryTime - : KRB5_INT32_MAX; + : KRB_TIME_FOREVER; enc_part.times.renew_till = 0; - major = freezeAttrContext(minor, ctx->initiatorName, ticket.server, + major = freezeAttrContext(minor, ctx->initiatorName, server, &session, &enc_part.authorization_data); if (GSS_ERROR(major)) goto cleanup; @@ -230,14 +306,26 @@ gssEapMakeReauthCreds(OM_uint32 *minor, code = encode_krb5_ticket(&ticket, &ticketData); if (code != 0) goto cleanup; - - creds.client = enc_part.client; - creds.server = ticket.server; +#endif /* HAVE_HEIMDAL_VERSION */ + + creds.client = ctx->initiatorName->krbPrincipal; + creds.server = server; +#ifdef HAVE_HEIMDAL_VERSION + creds.session = session; + creds.times.authtime = enc_part.authtime; + creds.times.starttime = *enc_part.starttime; + creds.times.endtime = enc_part.endtime; + creds.times.renew_till = 0; + creds.flags.b = enc_part.flags; + creds.ticket = ticketData; + creds.authdata = authData; +#else creds.keyblock = session; creds.times = enc_part.times; creds.ticket_flags = enc_part.flags; creds.ticket = *ticketData; creds.authdata = enc_part.authorization_data; +#endif code = krb5_auth_con_init(krbContext, &authContext); if (code != 0) @@ -252,39 +340,52 @@ gssEapMakeReauthCreds(OM_uint32 *minor, if (code != 0) goto cleanup; - code = krb5_mk_1cred(krbContext, authContext, &creds, &credsData, NULL); + code = krbMakeCred(krbContext, authContext, &creds, &credsData); if (code != 0) goto cleanup; - krbDataToGssBuffer(credsData, credBuf); + krbDataToGssBuffer(&credsData, credBuf); cleanup: +#ifdef HAVE_HEIMDAL_VERSION + if (krbCrypto != NULL) + krb5_crypto_destroy(krbContext, krbCrypto); + free_AuthorizationData(&authData); + free_EncryptedData(&ticket.enc_part); + krb5_data_free(&ticketData); + krb5_data_free(&encPartData); +#else + krb5_free_authdata(krbContext, enc_part.authorization_data); if (ticket.enc_part.ciphertext.data != NULL) GSSEAP_FREE(ticket.enc_part.ciphertext.data); + krb5_free_data(krbContext, ticketData); +#endif krb5_free_keyblock_contents(krbContext, &session); + krb5_free_principal(krbContext, server); krb5_free_keyblock_contents(krbContext, &acceptorKey); - krb5_free_data(krbContext, ticketData); krb5_auth_con_free(krbContext, authContext); - krb5_free_authdata(krbContext, enc_part.authorization_data); - if (credsData != NULL) - GSSEAP_FREE(credsData); if (major == GSS_S_COMPLETE) { *minor = code; - major = code != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE; + major = (code != 0) ? GSS_S_FAILURE : GSS_S_COMPLETE; } return major; } static int -isTicketGrantingServiceP(krb5_context krbContext, +isTicketGrantingServiceP(krb5_context krbContext GSSEAP_UNUSED, krb5_const_principal principal) { - if (krb5_princ_size(krbContext, principal) == 2 && + if (KRB_PRINC_LENGTH(principal) == 2 && +#ifdef HAVE_HEIMDAL_VERSION + strcmp(KRB_PRINC_NAME(principal)[0], "krbtgt") == 0 +#else krb5_princ_component(krbContext, principal, 0)->length == 6 && memcmp(krb5_princ_component(krbContext, - principal, 0)->data, "krbtgt", 6) == 0) + principal, 0)->data, "krbtgt", 6) == 0 +#endif + ) return TRUE; return FALSE; @@ -302,7 +403,7 @@ reauthUseCredsCache(krb5_context krbContext, /* if reauth_use_ccache, use default credentials cache if ticket is for us */ krb5_appdefault_boolean(krbContext, "eap_gss", - krb5_princ_realm(krbContext, principal), + KRB_PRINC_REALM(principal), "reauth_use_ccache", 0, &reauthUseCCache); return reauthUseCCache; @@ -450,7 +551,7 @@ gssEapStoreReauthCreds(OM_uint32 *minor, krb5_free_principal(krbContext, cred->name->krbPrincipal); cred->name->krbPrincipal = canonPrinc; - if (creds[0]->times.endtime == KRB5_INT32_MAX) + if (creds[0]->times.endtime == KRB_TIME_FOREVER) cred->expiryTime = 0; else cred->expiryTime = creds[0]->times.endtime; @@ -526,9 +627,11 @@ cleanup: return major; } +#ifndef HAVE_HEIMDAL_VERSION static gss_buffer_desc radiusAvpKrbAttr = { sizeof("urn:authdata-radius-avp") - 1, "urn:authdata-radius-avp" }; +#endif /* * Unfortunately extracting an AD-KDCIssued authorization data element @@ -548,15 +651,49 @@ static gss_buffer_desc radiusAvpKrbAttr = { */ static OM_uint32 defrostAttrContext(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_ctx_id_t glueContext, +#else gss_name_t glueName, +#endif gss_name_t mechName) { OM_uint32 major, tmpMinor; +#ifdef HAVE_HEIMDAL_VERSION + gss_OID_desc oid = { 0 }; + gss_buffer_set_t authData = GSS_C_NO_BUFFER_SET; +#else gss_buffer_desc authData = GSS_C_EMPTY_BUFFER; gss_buffer_desc authDataDisplay = GSS_C_EMPTY_BUFFER; int more = -1; int authenticated, complete; +#endif + +#ifdef HAVE_HEIMDAL_VERSION + major = composeOid(minor, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length, + KRB5_AUTHDATA_RADIUS_AVP, &oid); + if (GSS_ERROR(major)) + return major; + + /* XXX we are assuming that this verifies AD-KDCIssued signature */ + major = gssInquireSecContextByOid(minor, glueContext, + &oid, &authData); + if (major == GSS_S_COMPLETE) { + if (authData == GSS_C_NO_BUFFER_SET || authData->count != 1) + major = GSS_S_FAILURE; + else + major = gssEapImportAttrContext(minor, authData->elements, mechName); + } else if (major == GSS_S_FAILURE && *minor == ENOENT) { + /* This is the equivalent of GSS_S_UNAVAILABLE for MIT attr APIs */ + *minor = 0; + major = GSS_S_COMPLETE; + } + gss_release_buffer_set(&tmpMinor, &authData); + GSSEAP_FREE(oid.elements); +#else major = gssGetNameAttribute(minor, glueName, &radiusAvpKrbAttr, &authenticated, &complete, &authData, &authDataDisplay, &more); @@ -571,6 +708,7 @@ defrostAttrContext(OM_uint32 *minor, gss_release_buffer(&tmpMinor, &authData); gss_release_buffer(&tmpMinor, &authDataDisplay); +#endif /* HAVE_HEIMDAL_VERSION */ return major; } @@ -581,6 +719,7 @@ defrostAttrContext(OM_uint32 *minor, */ OM_uint32 gssEapGlueToMechName(OM_uint32 *minor, + gss_ctx_id_t ctx, gss_name_t glueName, gss_name_t *pMechName) { @@ -594,11 +733,17 @@ gssEapGlueToMechName(OM_uint32 *minor, goto cleanup; major = gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME, - pMechName); + ctx->mechanismUsed, pMechName); if (GSS_ERROR(major)) goto cleanup; - major = defrostAttrContext(minor, glueName, *pMechName); + major = defrostAttrContext(minor, +#ifdef HAVE_HEIMDAL_VERSION + ctx->reauthCtx, +#else + glueName, +#endif + *pMechName); if (GSS_ERROR(major)) goto cleanup; @@ -648,25 +793,59 @@ cleanup: */ OM_uint32 gssEapReauthComplete(OM_uint32 *minor, - gss_ctx_id_t ctx, - gss_cred_id_t cred, - const gss_OID mech, - OM_uint32 timeRec) + gss_ctx_id_t ctx, + gss_cred_id_t cred GSSEAP_UNUSED, + const gss_OID mech, + OM_uint32 timeRec) { OM_uint32 major, tmpMinor; gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET; + krb5_context krbContext = NULL; +#ifdef HAVE_HEIMDAL_VERSION + krb5_storage *sp = NULL; +#endif + + GSSEAP_KRB_INIT(&krbContext); if (!oidEqual(mech, gss_mech_krb5)) { major = GSS_S_BAD_MECH; goto cleanup; } - /* Get the raw subsession key and encryption type*/ - major = gssInquireSecContextByOid(minor, ctx->kerberosCtx, + /* Get the raw subsession key and encryption type */ +#ifdef HAVE_HEIMDAL_VERSION +#define KRB_GSS_SUBKEY_COUNT 1 /* encoded session key */ + major = gssInquireSecContextByOid(minor, ctx->reauthCtx, + GSS_KRB5_GET_SUBKEY_X, &keyData); +#else +#define KRB_GSS_SUBKEY_COUNT 2 /* raw session key, enctype OID */ + major = gssInquireSecContextByOid(minor, ctx->reauthCtx, GSS_C_INQ_SSPI_SESSION_KEY, &keyData); +#endif if (GSS_ERROR(major)) goto cleanup; + if (keyData == GSS_C_NO_BUFFER_SET || keyData->count < KRB_GSS_SUBKEY_COUNT) { + *minor = GSSEAP_KEY_UNAVAILABLE; + major = GSS_S_FAILURE; + goto cleanup; + } + +#ifdef HAVE_HEIMDAL_VERSION + sp = krb5_storage_from_mem(keyData->elements[0].value, + keyData->elements[0].length); + if (sp == NULL) { + *minor = ENOMEM; + major = GSS_S_FAILURE; + goto cleanup; + } + + *minor = krb5_ret_keyblock(sp, &ctx->rfc3961Key); + if (*minor != 0) { + major = GSS_S_FAILURE; + goto cleanup; + } +#else { gss_OID_desc oid; int suffix; @@ -685,11 +864,8 @@ gssEapReauthComplete(OM_uint32 *minor, } { - krb5_context krbContext = NULL; krb5_keyblock key; - GSSEAP_KRB_INIT(&krbContext); - KRB_KEY_LENGTH(&key) = keyData->elements[0].length; KRB_KEY_DATA(&key) = keyData->elements[0].value; KRB_KEY_TYPE(&key) = ctx->encryptionType; @@ -701,6 +877,7 @@ gssEapReauthComplete(OM_uint32 *minor, goto cleanup; } } +#endif /* HAVE_HEIMDAL_VERSION */ major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key, &ctx->checksumType); @@ -722,6 +899,10 @@ gssEapReauthComplete(OM_uint32 *minor, major = GSS_S_COMPLETE; cleanup: +#ifdef HAVE_HEIMDAL_VERSION + if (sp != NULL) + krb5_storage_free(sp); +#endif gss_release_buffer_set(&tmpMinor, &keyData); return major; @@ -831,7 +1012,9 @@ gssEapReauthInitialize(OM_uint32 *minor) NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name"); NEXT_SYMBOL(gssImportNameNext, "gss_import_name"); NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred"); +#ifndef HAVE_HEIMDAL_VERSION NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute"); +#endif return major; }