X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=util_reauth.c;h=0a8373d6b9b653f3b9f73859bff2f3d7599c987b;hb=a7ce2b2f04c83e37b8f26327414f7398a6450a87;hp=a552fcb4db63fba48144e61f3e0e773f0cf6056c;hpb=c3ff83a02d37820b9c70cc3746c72a900dfd85ac;p=mech_eap.orig diff --git a/util_reauth.c b/util_reauth.c index a552fcb..0a8373d 100644 --- a/util_reauth.c +++ b/util_reauth.c @@ -30,6 +30,10 @@ * SUCH DAMAGE. */ +/* + * Fast reauthentication support. + */ + #include "gssapiP_eap.h" #include @@ -66,7 +70,11 @@ getAcceptorKey(krb5_context krbContext, krb5_error_code code; krb5_keytab keytab = NULL; krb5_keytab_entry ktent = { 0 }; +#ifdef HAVE_HEIMDAL_VERSION + krb5_kt_cursor cursor = { 0 }; +#else krb5_kt_cursor cursor = NULL; +#endif *princ = NULL; memset(key, 0, sizeof(*key)); @@ -82,22 +90,37 @@ getAcceptorKey(krb5_context krbContext, if (code != 0) goto cleanup; } else { + /* + * It's not clear that looking encrypting the ticket in the + * requested EAP enctype provides any value. + */ code = krb5_kt_start_seq_get(krbContext, keytab, &cursor); if (code != 0) goto cleanup; while ((code = krb5_kt_next_entry(krbContext, keytab, &ktent, &cursor)) == 0) { +#ifdef HAVE_HEIMDAL_VERSION + if (ktent.keyblock.keytype == ctx->encryptionType) + break; + else + krb5_kt_free_entry(krbContext, &ktent); +#else if (ktent.key.enctype == ctx->encryptionType) break; else krb5_free_keytab_entry_contents(krbContext, &ktent); +#endif } } if (code == 0) { *princ = ktent.principal; +#ifdef HAVE_HEIMDAL_VERSION + *key = ktent.keyblock; +#else *key = ktent.key; +#endif } cleanup: @@ -106,7 +129,11 @@ cleanup: krb5_kt_close(krbContext, keytab); if (code != 0) +#ifdef HAVE_HEIMDAL_VERSION + krb5_kt_free_entry(krbContext, &ktent); +#else krb5_free_keytab_entry_contents(krbContext, &ktent); +#endif return code; } @@ -116,12 +143,22 @@ freezeAttrContext(OM_uint32 *minor, gss_name_t initiatorName, krb5_const_principal acceptorPrinc, krb5_keyblock *session, - krb5_authdata ***authdata) +#ifdef HAVE_HEIMDAL_VERSION + krb5_authdata *authdata +#else + krb5_authdata ***authdata +#endif + ) { OM_uint32 major, tmpMinor; krb5_error_code code; gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER; +#ifdef HAVE_HEIMDAL_VERSION + AuthorizationData authDataBuf, *authData = &authDataBuf; + AuthorizationDataElement authDatum = { 0 }; +#else krb5_authdata *authData[2], authDatum = { 0 }; +#endif krb5_context krbContext; GSSEAP_KRB_INIT(&krbContext); @@ -131,13 +168,20 @@ freezeAttrContext(OM_uint32 *minor, return major; authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP; +#ifdef HAVE_HEIMDAL_VERSION + authDatum.ad_data.length = attrBuf.length; + authDatum.ad_data.data = attrBuf.value; + authData->len = 1; + authData->val = &authDatum; +#else authDatum.length = attrBuf.length; authDatum.contents = attrBuf.value; authData[0] = &authDatum; authData[1] = NULL; +#endif - code = krb5_make_authdata_kdc_issued(krbContext, session, acceptorPrinc, - authData, authdata); + code = krbMakeAuthDataKdcIssued(krbContext, session, acceptorPrinc, + authData, authdata); if (code != 0) { major = GSS_S_FAILURE; *minor = code; @@ -162,33 +206,44 @@ gssEapMakeReauthCreds(OM_uint32 *minor, OM_uint32 major = GSS_S_COMPLETE; krb5_error_code code; krb5_context krbContext = NULL; - krb5_ticket ticket = { 0 }; krb5_keyblock session = { 0 }, acceptorKey = { 0 }; - krb5_enc_tkt_part enc_part = { 0 }; + krb5_principal server = NULL; +#ifdef HAVE_HEIMDAL_VERSION + Ticket ticket; + EncTicketPart enc_part; + AuthorizationData authData = { 0 }; + krb5_crypto krbCrypto = NULL; + unsigned char *buf = NULL; + size_t buf_size, len; +#else + krb5_ticket ticket; + krb5_enc_tkt_part enc_part; +#endif krb5_data *ticketData = NULL, *credsData = NULL; krb5_creds creds = { 0 }; krb5_auth_context authContext = NULL; + memset(&ticket, 0, sizeof(ticket)); + memset(&enc_part, 0, sizeof(enc_part)); + credBuf->length = 0; credBuf->value = NULL; GSSEAP_KRB_INIT(&krbContext); - code = getAcceptorKey(krbContext, ctx, cred, - &ticket.server, &acceptorKey); + code = getAcceptorKey(krbContext, ctx, cred, &server, &acceptorKey); if (code == KRB5_KT_NOTFOUND) { - gss_buffer_desc emptyToken = { 0, "" }; - - /* - * If we can't produce the KRB-CRED message, we need to - * return an empty (not NULL) token to the caller so we - * don't change the number of authentication legs. - */ - return duplicateBuffer(minor, &emptyToken, credBuf); + *minor = code; + return GSS_S_UNAVAILABLE; } else if (code != 0) goto cleanup; - enc_part.flags = TKT_FLG_INITIAL; +#ifdef HAVE_HEIMDAL_VERSION + ticket.realm = server->realm; + ticket.sname = server->name; +#else + ticket.server = server; +#endif /* * Generate a random session key to place in the ticket and @@ -199,16 +254,59 @@ gssEapMakeReauthCreds(OM_uint32 *minor, if (code != 0) goto cleanup; +#ifdef HAVE_HEIMDAL_VERSION + enc_part.flags.initial = 1; + enc_part.key = session; + enc_part.crealm = ctx->initiatorName->krbPrincipal->realm; + enc_part.cname = ctx->initiatorName->krbPrincipal->name; + enc_part.authtime = time(NULL); + enc_part.starttime = &enc_part.authtime; + enc_part.endtime = (ctx->expiryTime != 0) + ? ctx->expiryTime : KRB_TIME_FOREVER; + enc_part.renew_till = NULL; + enc_part.authorization_data = &authData; + + major = freezeAttrContext(minor, ctx->initiatorName, server, + &session, &authData); + if (GSS_ERROR(major)) + goto cleanup; + + ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, &enc_part, &len, code); + if (code != 0) + goto cleanup; + + code = krb5_crypto_init(krbContext, &acceptorKey, 0, &krbCrypto); + if (code != 0) + goto cleanup; + + code = krb5_encrypt_EncryptedData(krbContext, + krbCrypto, + KRB5_KU_TICKET, + buf, + len, + 0, + &ticket.enc_part); + if (code != 0) + goto cleanup; + + GSSEAP_FREE(buf); + buf = NULL; + + ASN1_MALLOC_ENCODE(Ticket, buf, buf_size, &ticket, &len, code); + if (code != 0) + goto cleanup; +#else + enc_part.flags = TKT_FLG_INITIAL; enc_part.session = &session; enc_part.client = ctx->initiatorName->krbPrincipal; enc_part.times.authtime = time(NULL); enc_part.times.starttime = enc_part.times.authtime; - enc_part.times.endtime = ctx->expiryTime + enc_part.times.endtime = (ctx->expiryTime != 0) ? ctx->expiryTime - : KRB5_INT32_MAX; + : KRB_TIME_FOREVER; enc_part.times.renew_till = 0; - major = freezeAttrContext(minor, ctx->initiatorName, ticket.server, + major = freezeAttrContext(minor, ctx->initiatorName, server, &session, &enc_part.authorization_data); if (GSS_ERROR(major)) goto cleanup; @@ -222,14 +320,26 @@ gssEapMakeReauthCreds(OM_uint32 *minor, code = encode_krb5_ticket(&ticket, &ticketData); if (code != 0) goto cleanup; - - creds.client = enc_part.client; - creds.server = ticket.server; +#endif /* HAVE_HEIMDAL_VERSION */ + + creds.client = ctx->initiatorName->krbPrincipal; + creds.server = server; +#ifdef HAVE_HEIMDAL_VERSION + creds.session = session; + creds.times.authtime = enc_part.authtime; + creds.times.starttime = *enc_part.starttime; + creds.times.endtime = enc_part.endtime; + creds.times.renew_till = 0; + creds.flags.b = enc_part.flags; + creds.ticket = *ticketData; + creds.authdata = authData; +#else creds.keyblock = session; creds.times = enc_part.times; creds.ticket_flags = enc_part.flags; creds.ticket = *ticketData; creds.authdata = enc_part.authorization_data; +#endif code = krb5_auth_con_init(krbContext, &authContext); if (code != 0) @@ -251,19 +361,29 @@ gssEapMakeReauthCreds(OM_uint32 *minor, krbDataToGssBuffer(credsData, credBuf); cleanup: +#ifdef HAVE_HEIMDAL_VERSION + if (krbCrypto != NULL) + krb5_crypto_destroy(krbContext, krbCrypto); + if (buf != NULL) + GSSEAP_FREE(buf); + free_AuthorizationData(&authData); + free_EncryptedData(&ticket.enc_part); +#else + krb5_free_authdata(krbContext, enc_part.authorization_data); if (ticket.enc_part.ciphertext.data != NULL) GSSEAP_FREE(ticket.enc_part.ciphertext.data); +#endif krb5_free_keyblock_contents(krbContext, &session); + krb5_free_principal(krbContext, server); krb5_free_keyblock_contents(krbContext, &acceptorKey); krb5_free_data(krbContext, ticketData); krb5_auth_con_free(krbContext, authContext); - krb5_free_authdata(krbContext, enc_part.authorization_data); if (credsData != NULL) GSSEAP_FREE(credsData); if (major == GSS_S_COMPLETE) { *minor = code; - major = code != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE; + major = (code != 0) ? GSS_S_FAILURE : GSS_S_COMPLETE; } return major; @@ -273,10 +393,121 @@ static int isTicketGrantingServiceP(krb5_context krbContext, krb5_const_principal principal) { - if (krb5_princ_size(krbContext, principal) == 2 && + if (KRB_PRINC_LENGTH(principal) == 2 && +#ifdef HAVE_HEIMDAL_VERSION + strcmp(KRB_PRINC_NAME(principal)[0], "krbtgt") == 0 +#else krb5_princ_component(krbContext, principal, 0)->length == 6 && memcmp(krb5_princ_component(krbContext, - principal, 0)->data, "krbtgt", 6) == 0) + principal, 0)->data, "krbtgt", 6) == 0 +#endif + ) + return TRUE; + + return FALSE; +} + +/* + * Returns TRUE if the configuration variable reauth_use_ccache is + * set in krb5.conf for the eap_gss application and the client realm. + */ +static int +reauthUseCredsCache(krb5_context krbContext, + krb5_principal principal) +{ + int reauthUseCCache; + + /* if reauth_use_ccache, use default credentials cache if ticket is for us */ + krb5_appdefault_boolean(krbContext, "eap_gss", + KRB_PRINC_REALM(principal), + "reauth_use_ccache", 0, &reauthUseCCache); + + return reauthUseCCache; +} + +/* + * Look in default credentials cache for reauthentication credentials, + * if policy allows. + */ +static OM_uint32 +getDefaultReauthCredentials(OM_uint32 *minor, + gss_cred_id_t cred, + gss_name_t target, + time_t now, + OM_uint32 timeReq) +{ + OM_uint32 major = GSS_S_CRED_UNAVAIL; + krb5_context krbContext = NULL; + krb5_error_code code = 0; + krb5_ccache ccache = NULL; + krb5_creds match = { 0 }; + krb5_creds creds = { 0 }; + + GSSEAP_KRB_INIT(&krbContext); + + assert(cred != GSS_C_NO_CREDENTIAL); + assert(target != GSS_C_NO_NAME); + + if (cred->name == GSS_C_NO_NAME || + !reauthUseCredsCache(krbContext, cred->name->krbPrincipal)) + goto cleanup; + + match.client = cred->name->krbPrincipal; + match.server = target->krbPrincipal; + if (timeReq != 0 && timeReq != GSS_C_INDEFINITE) + match.times.endtime = now + timeReq; + + code = krb5_cc_default(krbContext, &ccache); + if (code != 0) + goto cleanup; + + code = krb5_cc_retrieve_cred(krbContext, ccache, 0, &match, &creds); + if (code != 0) + goto cleanup; + + cred->flags |= CRED_FLAG_DEFAULT_CCACHE; + cred->krbCredCache = ccache; + ccache = NULL; + + major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL, + &cred->krbCred); + +cleanup: + if (major == GSS_S_CRED_UNAVAIL) + *minor = code; + + if (ccache != NULL) + krb5_cc_close(krbContext, ccache); + krb5_free_cred_contents(krbContext, &creds); + + return major; +} + +/* + * Returns TRUE if the credential handle's reauth credentials are + * valid or if we can use the default credentials cache. Credentials + * handle must be locked. + */ +int +gssEapCanReauthP(gss_cred_id_t cred, + gss_name_t target, + OM_uint32 timeReq) +{ + time_t now, expiryReq; + OM_uint32 minor; + + assert(cred != GSS_C_NO_CREDENTIAL); + + now = time(NULL); + expiryReq = now; + if (timeReq != GSS_C_INDEFINITE) + expiryReq += timeReq; + + if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq) + return TRUE; + + if (getDefaultReauthCredentials(&minor, cred, target, + now, timeReq) == GSS_S_COMPLETE) return TRUE; return FALSE; @@ -284,6 +515,7 @@ isTicketGrantingServiceP(krb5_context krbContext, /* * Store re-authentication (Kerberos) credentials in a credential handle. + * Credentials handle must be locked. */ OM_uint32 gssEapStoreReauthCreds(OM_uint32 *minor, @@ -291,12 +523,14 @@ gssEapStoreReauthCreds(OM_uint32 *minor, gss_cred_id_t cred, gss_buffer_t credBuf) { - OM_uint32 major = GSS_S_COMPLETE, code; + OM_uint32 major = GSS_S_COMPLETE; + krb5_error_code code; krb5_context krbContext = NULL; krb5_auth_context authContext = NULL; krb5_data credData = { 0 }; krb5_creds **creds = NULL; krb5_principal canonPrinc; + krb5_principal ccPrinc = NULL; int i; if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL) @@ -333,16 +567,43 @@ gssEapStoreReauthCreds(OM_uint32 *minor, krb5_free_principal(krbContext, cred->name->krbPrincipal); cred->name->krbPrincipal = canonPrinc; - cred->expiryTime = creds[0]->times.endtime; + if (creds[0]->times.endtime == KRB_TIME_FOREVER) + cred->expiryTime = 0; + else + cred->expiryTime = creds[0]->times.endtime; - code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache); - if (code != 0) - goto cleanup; + if (cred->krbCredCache == NULL) { + if (reauthUseCredsCache(krbContext, creds[0]->client) && + krb5_cc_default(krbContext, &cred->krbCredCache) == 0) + cred->flags |= CRED_FLAG_DEFAULT_CCACHE; + } else { + /* + * If we already have an associated credentials cache, possibly from + * the last time we stored a reauthentication credential, then we + * need to clear it out and release the associated GSS credential. + */ + if (cred->flags & CRED_FLAG_DEFAULT_CCACHE) { + krb5_cc_remove_cred(krbContext, cred->krbCredCache, 0, creds[0]); + } else { + krb5_cc_destroy(krbContext, cred->krbCredCache); + cred->krbCredCache = NULL; + } + gssReleaseCred(minor, &cred->krbCred); + } - code = krb5_cc_initialize(krbContext, cred->krbCredCache, - creds[0]->client); - if (code != 0) - goto cleanup; + if (cred->krbCredCache == NULL) { + code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache); + if (code != 0) + goto cleanup; + } + + if ((cred->flags & CRED_FLAG_DEFAULT_CCACHE) == 0 || + krb5_cc_get_principal(krbContext, cred->krbCredCache, &ccPrinc) != 0) { + code = krb5_cc_initialize(krbContext, cred->krbCredCache, + creds[0]->client); + if (code != 0) + goto cleanup; + } for (i = 0; creds[i] != NULL; i++) { krb5_creds kcred = *(creds[i]); @@ -361,11 +622,6 @@ gssEapStoreReauthCreds(OM_uint32 *minor, goto cleanup; } - /* - * To turn a credentials cache into a GSS credentials handle, we - * require the gss_krb5_import_cred() API (present in Heimdal, but - * not shipped in MIT yet). - */ major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL, &cred->krbCred); if (GSS_ERROR(major)) @@ -374,10 +630,12 @@ gssEapStoreReauthCreds(OM_uint32 *minor, cleanup: *minor = code; + krb5_free_principal(krbContext, ccPrinc); krb5_auth_con_free(krbContext, authContext); if (creds != NULL) { for (i = 0; creds[i] != NULL; i++) krb5_free_creds(krbContext, creds[i]); + GSSEAP_FREE(creds); } if (major == GSS_S_COMPLETE) major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE; @@ -514,18 +772,52 @@ gssEapReauthComplete(OM_uint32 *minor, { OM_uint32 major, tmpMinor; gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET; + krb5_context krbContext = NULL; +#ifdef HAVE_HEIMDAL_VERSION + krb5_storage *sp = NULL; +#endif + + GSSEAP_KRB_INIT(&krbContext); if (!oidEqual(mech, gss_mech_krb5)) { major = GSS_S_BAD_MECH; goto cleanup; } - /* Get the raw subsession key and encryptino type*/ + /* Get the raw subsession key and encryption type */ +#ifdef HAVE_HEIMDAL_VERSION +#define KRB_GSS_SUBKEY_COUNT 1 /* encoded session key */ + major = gssInquireSecContextByOid(minor, ctx->kerberosCtx, + GSS_KRB5_GET_SUBKEY_X, &keyData); +#else +#define KRB_GSS_SUBKEY_COUNT 2 /* raw session key, enctype OID */ major = gssInquireSecContextByOid(minor, ctx->kerberosCtx, GSS_C_INQ_SSPI_SESSION_KEY, &keyData); +#endif if (GSS_ERROR(major)) goto cleanup; + if (keyData == GSS_C_NO_BUFFER_SET || keyData->count < KRB_GSS_SUBKEY_COUNT) { + *minor = GSSEAP_KEY_UNAVAILABLE; + major = GSS_S_FAILURE; + goto cleanup; + } + +#ifdef HAVE_HEIMDAL_VERSION + sp = krb5_storage_from_mem(keyData->elements[0].value, + keyData->elements[0].length); + if (sp == NULL) { + *minor = ENOMEM; + major = GSS_S_FAILURE; + goto cleanup; + } + + *minor = krb5_ret_keyblock(sp, &ctx->rfc3961Key); + if (*minor != 0) { + major = GSS_S_FAILURE; + goto cleanup; + } +#else { gss_OID_desc oid; int suffix; @@ -544,11 +836,8 @@ gssEapReauthComplete(OM_uint32 *minor, } { - krb5_context krbContext = NULL; krb5_keyblock key; - GSSEAP_KRB_INIT(&krbContext); - KRB_KEY_LENGTH(&key) = keyData->elements[0].length; KRB_KEY_DATA(&key) = keyData->elements[0].value; KRB_KEY_TYPE(&key) = ctx->encryptionType; @@ -560,6 +849,7 @@ gssEapReauthComplete(OM_uint32 *minor, goto cleanup; } } +#endif /* HAVE_HEIMDAL_VERSION */ major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key, &ctx->checksumType); @@ -581,6 +871,10 @@ gssEapReauthComplete(OM_uint32 *minor, major = GSS_S_COMPLETE; cleanup: +#ifdef HAVE_HEIMDAL_VERSION + if (sp != NULL) + krb5_storage_free(sp); +#endif gss_release_buffer_set(&tmpMinor, &keyData); return major; @@ -667,23 +961,32 @@ static OM_uint32 gss_buffer_t, int *); -#define NEXT_SYMBOL(local, global) ((local) = dlsym(RTLD_NEXT, (global))) +#define NEXT_SYMBOL(local, global) do { \ + ((local) = dlsym(RTLD_NEXT, (global))); \ + if ((local) == NULL) { \ + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; \ + major = GSS_S_UNAVAILABLE; \ + /* but continue */ \ + } \ + } while (0) OM_uint32 gssEapReauthInitialize(OM_uint32 *minor) { - NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context"); - NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context"); - NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred"); - NEXT_SYMBOL(gssReleaseNameNext, "gss_release_name"); - NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid"); - NEXT_SYMBOL(gssDeleteSecContextNext, "gss_delete_sec_context"); - NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name"); - NEXT_SYMBOL(gssImportNameNext, "gss_import_name"); - NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred"); - NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute"); - - return GSS_S_COMPLETE; + OM_uint32 major = GSS_S_COMPLETE; + + NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context"); + NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context"); + NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred"); + NEXT_SYMBOL(gssReleaseNameNext, "gss_release_name"); + NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid"); + NEXT_SYMBOL(gssDeleteSecContextNext, "gss_delete_sec_context"); + NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name"); + NEXT_SYMBOL(gssImportNameNext, "gss_import_name"); + NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred"); + NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute"); + + return major; } OM_uint32 @@ -701,8 +1004,10 @@ gssInitSecContext(OM_uint32 *minor, OM_uint32 *ret_flags, OM_uint32 *time_rec) { - if (gssInitSecContextNext == NULL) + if (gssInitSecContextNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssInitSecContextNext(minor, cred, context_handle, target_name, mech_type, req_flags, @@ -724,8 +1029,10 @@ gssAcceptSecContext(OM_uint32 *minor, OM_uint32 *time_rec, gss_cred_id_t *delegated_cred_handle) { - if (gssAcceptSecContextNext == NULL) + if (gssAcceptSecContextNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssAcceptSecContextNext(minor, context_handle, cred, input_token, input_chan_bindings, @@ -737,8 +1044,10 @@ OM_uint32 gssReleaseCred(OM_uint32 *minor, gss_cred_id_t *cred_handle) { - if (gssReleaseCredNext == NULL) + if (gssReleaseCredNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssReleaseCredNext(minor, cred_handle); } @@ -747,8 +1056,10 @@ OM_uint32 gssReleaseName(OM_uint32 *minor, gss_name_t *name) { - if (gssReleaseName == NULL) + if (gssReleaseName == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssReleaseNameNext(minor, name); } @@ -758,8 +1069,10 @@ gssDeleteSecContext(OM_uint32 *minor, gss_ctx_id_t *context_handle, gss_buffer_t output_token) { - if (gssDeleteSecContextNext == NULL) + if (gssDeleteSecContextNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssDeleteSecContextNext(minor, context_handle, output_token); } @@ -770,8 +1083,10 @@ gssDisplayName(OM_uint32 *minor, gss_buffer_t buffer, gss_OID *name_type) { - if (gssDisplayNameNext == NULL) + if (gssDisplayNameNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssDisplayNameNext(minor, name, buffer, name_type); } @@ -782,8 +1097,10 @@ gssImportName(OM_uint32 *minor, gss_OID name_type, gss_name_t *name) { - if (gssImportNameNext == NULL) + if (gssImportNameNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssImportNameNext(minor, buffer, name_type, name); } @@ -794,8 +1111,10 @@ gssInquireSecContextByOid(OM_uint32 *minor, const gss_OID desired_object, gss_buffer_set_t *data_set) { - if (gssInquireSecContextByOidNext == NULL) + if (gssInquireSecContextByOidNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssInquireSecContextByOidNext(minor, context_handle, desired_object, data_set); @@ -811,8 +1130,10 @@ gssStoreCred(OM_uint32 *minor, gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored) { - if (gssStoreCredNext == NULL) + if (gssStoreCredNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssStoreCredNext(minor, input_cred_handle, input_usage, desired_mech, overwrite_cred, default_cred, @@ -829,8 +1150,10 @@ gssGetNameAttribute(OM_uint32 *minor, gss_buffer_t display_value, int *more) { - if (gssGetNameAttributeNext == NULL) + if (gssGetNameAttributeNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssGetNameAttributeNext(minor, name, attr, authenticated, complete, value, display_value, more);