X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=util_reauth.c;h=47be2a39b18081c7ff57f3bb561db13b95f628b7;hb=163856b1a70d7773c46d4ea5495b85c4dce0f089;hp=7b16c0d8a3c53353631fe6260280a6d266d191bf;hpb=4af65190a8d5a03d0a68ea42c84cf3d910534d2c;p=mech_eap.orig diff --git a/util_reauth.c b/util_reauth.c index 7b16c0d..47be2a3 100644 --- a/util_reauth.c +++ b/util_reauth.c @@ -30,6 +30,10 @@ * SUCH DAMAGE. */ +/* + * Fast reauthentication support. + */ + #include "gssapiP_eap.h" #include @@ -44,6 +48,18 @@ krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *); krb5_error_code encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code); +static OM_uint32 +gssDisplayName(OM_uint32 *minor, + gss_name_t name, + gss_buffer_t buffer, + gss_OID *name_type); + +static OM_uint32 +gssImportName(OM_uint32 *minor, + gss_buffer_t buffer, + gss_OID name_type, + gss_name_t *name); + static krb5_error_code getAcceptorKey(krb5_context krbContext, gss_ctx_id_t ctx, @@ -53,12 +69,11 @@ getAcceptorKey(krb5_context krbContext, { krb5_error_code code; krb5_keytab keytab = NULL; - krb5_keytab_entry ktent; + krb5_keytab_entry ktent = { 0 }; krb5_kt_cursor cursor = NULL; *princ = NULL; memset(key, 0, sizeof(*key)); - memset(&ktent, 0, sizeof(ktent)); code = krb5_kt_default(krbContext, &keytab); if (code != 0) @@ -71,17 +86,20 @@ getAcceptorKey(krb5_context krbContext, if (code != 0) goto cleanup; } else { + /* + * It's not clear that looking encrypting the ticket in the + * requested EAP enctype provides any value. + */ code = krb5_kt_start_seq_get(krbContext, keytab, &cursor); if (code != 0) goto cleanup; while ((code = krb5_kt_next_entry(krbContext, keytab, &ktent, &cursor)) == 0) { - if (ktent.key.enctype == ctx->encryptionType) { + if (ktent.key.enctype == ctx->encryptionType) break; - } else { + else krb5_free_keytab_entry_contents(krbContext, &ktent); - } } } @@ -95,18 +113,54 @@ cleanup: krb5_kt_end_seq_get(krbContext, keytab, &cursor); krb5_kt_close(krbContext, keytab); + if (code != 0) + krb5_free_keytab_entry_contents(krbContext, &ktent); + + return code; +} + +static OM_uint32 +freezeAttrContext(OM_uint32 *minor, + gss_name_t initiatorName, + krb5_const_principal acceptorPrinc, + krb5_keyblock *session, + krb5_authdata ***authdata) +{ + OM_uint32 major, tmpMinor; + krb5_error_code code; + gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER; + krb5_authdata *authData[2], authDatum = { 0 }; + krb5_context krbContext; + + GSSEAP_KRB_INIT(&krbContext); + + major = gssEapExportAttrContext(minor, initiatorName, &attrBuf); + if (GSS_ERROR(major)) + return major; + + authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP; + authDatum.length = attrBuf.length; + authDatum.contents = attrBuf.value; + authData[0] = &authDatum; + authData[1] = NULL; + + code = krb5_make_authdata_kdc_issued(krbContext, session, acceptorPrinc, + authData, authdata); if (code != 0) { - if (*princ != NULL) { - krb5_free_principal(krbContext, *princ); - *princ = NULL; - } - krb5_free_keyblock_contents(krbContext, key), - memset(key, 0, sizeof(key)); + major = GSS_S_FAILURE; + *minor = code; + } else { + major = GSS_S_COMPLETE; } - return code; + gss_release_buffer(&tmpMinor, &attrBuf); + + return major; } +/* + * Fabricate a ticket to ourselves given a GSS EAP context. + */ OM_uint32 gssEapMakeReauthCreds(OM_uint32 *minor, gss_ctx_id_t ctx, @@ -119,8 +173,6 @@ gssEapMakeReauthCreds(OM_uint32 *minor, krb5_ticket ticket = { 0 }; krb5_keyblock session = { 0 }, acceptorKey = { 0 }; krb5_enc_tkt_part enc_part = { 0 }; - gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER; - krb5_authdata *authData[2], authDatum = { 0 }; krb5_data *ticketData = NULL, *credsData = NULL; krb5_creds creds = { 0 }; krb5_auth_context authContext = NULL; @@ -133,19 +185,17 @@ gssEapMakeReauthCreds(OM_uint32 *minor, code = getAcceptorKey(krbContext, ctx, cred, &ticket.server, &acceptorKey); if (code == KRB5_KT_NOTFOUND) { - gss_buffer_desc emptyToken = { 0, "" }; - - /* - * If we can't produce the KRB-CRED message, we need to - * return an empty (not NULL) token to the caller so we - * don't change the number of authentication legs. - */ - return duplicateBuffer(minor, &emptyToken, credBuf); + *minor = code; + return GSS_S_UNAVAILABLE; } else if (code != 0) goto cleanup; enc_part.flags = TKT_FLG_INITIAL; + /* + * Generate a random session key to place in the ticket and + * sign the "KDC-Issued" authorization data element. + */ code = krb5_c_make_random_key(krbContext, ctx->encryptionType, &session); if (code != 0) @@ -155,28 +205,16 @@ gssEapMakeReauthCreds(OM_uint32 *minor, enc_part.client = ctx->initiatorName->krbPrincipal; enc_part.times.authtime = time(NULL); enc_part.times.starttime = enc_part.times.authtime; - enc_part.times.endtime = ctx->expiryTime + enc_part.times.endtime = (ctx->expiryTime != 0) ? ctx->expiryTime : KRB5_INT32_MAX; enc_part.times.renew_till = 0; - major = gssEapExportAttrContext(minor, ctx->initiatorName, - &attrBuf); + major = freezeAttrContext(minor, ctx->initiatorName, ticket.server, + &session, &enc_part.authorization_data); if (GSS_ERROR(major)) goto cleanup; - authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP; - authDatum.length = attrBuf.length; - authDatum.contents = attrBuf.value; - authData[0] = &authDatum; - authData[1] = NULL; - - code = krb5_make_authdata_kdc_issued(krbContext, &session, - ticket.server, authData, - &enc_part.authorization_data); - if (code != 0) - goto cleanup; - ticket.enc_part2 = &enc_part; code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket); @@ -193,7 +231,7 @@ gssEapMakeReauthCreds(OM_uint32 *minor, creds.times = enc_part.times; creds.ticket_flags = enc_part.flags; creds.ticket = *ticketData; - creds.authdata = authData; + creds.authdata = enc_part.authorization_data; code = krb5_auth_con_init(krbContext, &authContext); if (code != 0) @@ -219,7 +257,6 @@ cleanup: GSSEAP_FREE(ticket.enc_part.ciphertext.data); krb5_free_keyblock_contents(krbContext, &session); krb5_free_keyblock_contents(krbContext, &acceptorKey); - gss_release_buffer(minor, &attrBuf); krb5_free_data(krbContext, ticketData); krb5_auth_con_free(krbContext, authContext); krb5_free_authdata(krbContext, enc_part.authorization_data); @@ -238,26 +275,139 @@ static int isTicketGrantingServiceP(krb5_context krbContext, krb5_const_principal principal) { - if (krb5_princ_size(krbContext, principal) == 2 && + if (KRB_PRINC_LENGTH(principal) == 2 && krb5_princ_component(krbContext, principal, 0)->length == 6 && - memcmp(krb5_princ_component(krbContext, principal, 0)->data, "krbtgt", 6) == 0) + memcmp(krb5_princ_component(krbContext, + principal, 0)->data, "krbtgt", 6) == 0) return TRUE; return FALSE; } +/* + * Returns TRUE if the configuration variable reauth_use_ccache is + * set in krb5.conf for the eap_gss application and the client realm. + */ +static int +reauthUseCredsCache(krb5_context krbContext, + krb5_principal principal) +{ + int reauthUseCCache; + + /* if reauth_use_ccache, use default credentials cache if ticket is for us */ + krb5_appdefault_boolean(krbContext, "eap_gss", + krb5_princ_realm(krbContext, principal), + "reauth_use_ccache", 0, &reauthUseCCache); + + return reauthUseCCache; +} + +/* + * Look in default credentials cache for reauthentication credentials, + * if policy allows. + */ +static OM_uint32 +getDefaultReauthCredentials(OM_uint32 *minor, + gss_cred_id_t cred, + gss_name_t target, + time_t now, + OM_uint32 timeReq) +{ + OM_uint32 major = GSS_S_CRED_UNAVAIL; + krb5_context krbContext = NULL; + krb5_error_code code = 0; + krb5_ccache ccache = NULL; + krb5_creds match = { 0 }; + krb5_creds creds = { 0 }; + + GSSEAP_KRB_INIT(&krbContext); + + assert(cred != GSS_C_NO_CREDENTIAL); + assert(target != GSS_C_NO_NAME); + + if (cred->name == GSS_C_NO_NAME || + !reauthUseCredsCache(krbContext, cred->name->krbPrincipal)) + goto cleanup; + + match.client = cred->name->krbPrincipal; + match.server = target->krbPrincipal; + if (timeReq != 0 && timeReq != GSS_C_INDEFINITE) + match.times.endtime = now + timeReq; + + code = krb5_cc_default(krbContext, &ccache); + if (code != 0) + goto cleanup; + + code = krb5_cc_retrieve_cred(krbContext, ccache, 0, &match, &creds); + if (code != 0) + goto cleanup; + + cred->flags |= CRED_FLAG_DEFAULT_CCACHE; + cred->krbCredCache = ccache; + ccache = NULL; + + major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL, + &cred->krbCred); + +cleanup: + if (major == GSS_S_CRED_UNAVAIL) + *minor = code; + + if (ccache != NULL) + krb5_cc_close(krbContext, ccache); + krb5_free_cred_contents(krbContext, &creds); + + return major; +} + +/* + * Returns TRUE if the credential handle's reauth credentials are + * valid or if we can use the default credentials cache. Credentials + * handle must be locked. + */ +int +gssEapCanReauthP(gss_cred_id_t cred, + gss_name_t target, + OM_uint32 timeReq) +{ + time_t now, expiryReq; + OM_uint32 minor; + + assert(cred != GSS_C_NO_CREDENTIAL); + + now = time(NULL); + expiryReq = now; + if (timeReq != GSS_C_INDEFINITE) + expiryReq += timeReq; + + if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq) + return TRUE; + + if (getDefaultReauthCredentials(&minor, cred, target, + now, timeReq) == GSS_S_COMPLETE) + return TRUE; + + return FALSE; +} + +/* + * Store re-authentication (Kerberos) credentials in a credential handle. + * Credentials handle must be locked. + */ OM_uint32 gssEapStoreReauthCreds(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred, gss_buffer_t credBuf) { - OM_uint32 major = GSS_S_COMPLETE, code; + OM_uint32 major = GSS_S_COMPLETE; + krb5_error_code code; krb5_context krbContext = NULL; krb5_auth_context authContext = NULL; krb5_data credData = { 0 }; krb5_creds **creds = NULL; krb5_principal canonPrinc; + krb5_principal ccPrinc = NULL; int i; if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL) @@ -294,23 +444,52 @@ gssEapStoreReauthCreds(OM_uint32 *minor, krb5_free_principal(krbContext, cred->name->krbPrincipal); cred->name->krbPrincipal = canonPrinc; - cred->expiryTime = creds[0]->times.endtime; + if (creds[0]->times.endtime == KRB5_INT32_MAX) + cred->expiryTime = 0; + else + cred->expiryTime = creds[0]->times.endtime; - code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache); - if (code != 0) - goto cleanup; + if (cred->krbCredCache == NULL) { + if (reauthUseCredsCache(krbContext, creds[0]->client) && + krb5_cc_default(krbContext, &cred->krbCredCache) == 0) + cred->flags |= CRED_FLAG_DEFAULT_CCACHE; + } else { + /* + * If we already have an associated credentials cache, possibly from + * the last time we stored a reauthentication credential, then we + * need to clear it out and release the associated GSS credential. + */ + if (cred->flags & CRED_FLAG_DEFAULT_CCACHE) { + krb5_cc_remove_cred(krbContext, cred->krbCredCache, 0, creds[0]); + } else { + krb5_cc_destroy(krbContext, cred->krbCredCache); + cred->krbCredCache = NULL; + } + gssReleaseCred(minor, &cred->krbCred); + } - code = krb5_cc_initialize(krbContext, cred->krbCredCache, - creds[0]->client); - if (code != 0) - goto cleanup; + if (cred->krbCredCache == NULL) { + code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache); + if (code != 0) + goto cleanup; + } + + if ((cred->flags & CRED_FLAG_DEFAULT_CCACHE) == 0 || + krb5_cc_get_principal(krbContext, cred->krbCredCache, &ccPrinc) != 0) { + code = krb5_cc_initialize(krbContext, cred->krbCredCache, + creds[0]->client); + if (code != 0) + goto cleanup; + } for (i = 0; creds[i] != NULL; i++) { krb5_creds kcred = *(creds[i]); /* * Swap in the acceptor name the client asked for so - * get_credentials() works + * get_credentials() works. We're making the assumption that + * any service tickets returned are for us. We'll need to + * reflect some more on whether that is a safe assumption. */ if (!isTicketGrantingServiceP(krbContext, kcred.server)) kcred.server = ctx->acceptorName->krbPrincipal; @@ -328,10 +507,12 @@ gssEapStoreReauthCreds(OM_uint32 *minor, cleanup: *minor = code; + krb5_free_principal(krbContext, ccPrinc); krb5_auth_con_free(krbContext, authContext); if (creds != NULL) { for (i = 0; creds[i] != NULL; i++) krb5_free_creds(krbContext, creds[i]); + GSSEAP_FREE(creds); } if (major == GSS_S_COMPLETE) major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE; @@ -339,274 +520,6 @@ cleanup: return major; } -static OM_uint32 (*gssInitSecContextNext)( - OM_uint32 *minor, - gss_cred_id_t cred, - gss_ctx_id_t *context_handle, - gss_name_t target_name, - gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec); - -static OM_uint32 (*gssAcceptSecContextNext)( - OM_uint32 *minor, - gss_ctx_id_t *context_handle, - gss_cred_id_t cred, - gss_buffer_t input_token, - gss_channel_bindings_t input_chan_bindings, - gss_name_t *src_name, - gss_OID *mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - gss_cred_id_t *delegated_cred_handle); - -static OM_uint32 (*gssReleaseCredNext)( - OM_uint32 *minor, - gss_cred_id_t *cred_handle); - -static OM_uint32 (*gssReleaseNameNext)( - OM_uint32 *minor, - gss_name_t *name); - -static OM_uint32 (*gssInquireSecContextByOidNext)( - OM_uint32 *minor, - const gss_ctx_id_t context_handle, - const gss_OID desired_object, - gss_buffer_set_t *data_set); - -static OM_uint32 (*gssDeleteSecContextNext)( - OM_uint32 *minor, - gss_ctx_id_t *context_handle, - gss_buffer_t output_token); - -static OM_uint32 (*gssDisplayNameNext)( - OM_uint32 *minor, - gss_name_t name, - gss_buffer_t output_name_buffer, - gss_OID *output_name_type); - -static OM_uint32 (*gssImportNameNext)( - OM_uint32 *minor, - gss_buffer_t buffer, - gss_OID nameType, - gss_name_t *outputName); - -static OM_uint32 (*gssKrbExtractAuthzDataFromSecContextNext)( - OM_uint32 *minor, - const gss_ctx_id_t context_handle, - int ad_type, - gss_buffer_t ad_data); - -static OM_uint32 (*gssStoreCredNext)( - OM_uint32 *minor, - const gss_cred_id_t input_cred_handle, - gss_cred_usage_t input_usage, - const gss_OID desired_mech, - OM_uint32 overwrite_cred, - OM_uint32 default_cred, - gss_OID_set *elements_stored, - gss_cred_usage_t *cred_usage_stored); - -static OM_uint32 (*gssGetNameAttributeNext)( - OM_uint32 *minor, - gss_name_t name, - gss_buffer_t attr, - int *authenticated, - int *complete, - gss_buffer_t value, - gss_buffer_t display_value, - int *more); - -#define NEXT_SYMBOL(local, global) ((local) = dlsym(RTLD_NEXT, (global))) - -OM_uint32 -gssEapReauthInitialize(OM_uint32 *minor) -{ - NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context"); - NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context"); - NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred"); - NEXT_SYMBOL(gssReleaseNameNext, "gss_release_name"); - NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid"); - NEXT_SYMBOL(gssDeleteSecContextNext, "gss_delete_sec_context"); - NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name"); - NEXT_SYMBOL(gssImportNameNext, "gss_import_name"); - NEXT_SYMBOL(gssKrbExtractAuthzDataFromSecContextNext, "gsskrb5_extract_authz_data_from_sec_context"); - NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred"); - NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute"); - - return GSS_S_COMPLETE; -} - -OM_uint32 -gssInitSecContext(OM_uint32 *minor, - gss_cred_id_t cred, - gss_ctx_id_t *context_handle, - gss_name_t target_name, - gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec) -{ - if (gssInitSecContextNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssInitSecContextNext(minor, cred, context_handle, - target_name, mech_type, req_flags, - time_req, input_chan_bindings, - input_token, actual_mech_type, - output_token, ret_flags, time_rec); -} - -OM_uint32 -gssAcceptSecContext(OM_uint32 *minor, - gss_ctx_id_t *context_handle, - gss_cred_id_t cred, - gss_buffer_t input_token, - gss_channel_bindings_t input_chan_bindings, - gss_name_t *src_name, - gss_OID *mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - gss_cred_id_t *delegated_cred_handle) -{ - if (gssAcceptSecContextNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssAcceptSecContextNext(minor, context_handle, cred, - input_token, input_chan_bindings, - src_name, mech_type, output_token, - ret_flags, time_rec, delegated_cred_handle); -} - -OM_uint32 -gssReleaseCred(OM_uint32 *minor, - gss_cred_id_t *cred_handle) -{ - if (gssReleaseCredNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssReleaseCredNext(minor, cred_handle); -} - -OM_uint32 -gssReleaseName(OM_uint32 *minor, - gss_name_t *name) -{ - if (gssReleaseName == NULL) - return GSS_S_UNAVAILABLE; - - return gssReleaseNameNext(minor, name); -} - -OM_uint32 -gssDeleteSecContext(OM_uint32 *minor, - gss_ctx_id_t *context_handle, - gss_buffer_t output_token) -{ - if (gssDeleteSecContextNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssDeleteSecContextNext(minor, context_handle, output_token); -} - -static OM_uint32 -gssDisplayName(OM_uint32 *minor, - gss_name_t name, - gss_buffer_t buffer, - gss_OID *name_type) -{ - if (gssDisplayNameNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssDisplayNameNext(minor, name, buffer, name_type); -} - -static OM_uint32 -gssImportName(OM_uint32 *minor, - gss_buffer_t buffer, - gss_OID name_type, - gss_name_t *name) -{ - if (gssImportNameNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssImportNameNext(minor, buffer, name_type, name); -} - -OM_uint32 -gssInquireSecContextByOid(OM_uint32 *minor, - const gss_ctx_id_t context_handle, - const gss_OID desired_object, - gss_buffer_set_t *data_set) -{ - if (gssInquireSecContextByOidNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssInquireSecContextByOidNext(minor, context_handle, - desired_object, data_set); -} - -OM_uint32 -gssKrbExtractAuthzDataFromSecContext(OM_uint32 *minor, - const gss_ctx_id_t ctx, - int ad_type, - gss_buffer_t ad_data) -{ - if (gssKrbExtractAuthzDataFromSecContextNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssKrbExtractAuthzDataFromSecContextNext(minor, ctx, - ad_type, ad_data); -} - -OM_uint32 -gssStoreCred(OM_uint32 *minor, - const gss_cred_id_t input_cred_handle, - gss_cred_usage_t input_usage, - const gss_OID desired_mech, - OM_uint32 overwrite_cred, - OM_uint32 default_cred, - gss_OID_set *elements_stored, - gss_cred_usage_t *cred_usage_stored) -{ - if (gssStoreCredNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssStoreCredNext(minor, input_cred_handle, input_usage, - desired_mech, overwrite_cred, default_cred, - elements_stored, cred_usage_stored); -} - -OM_uint32 -gssGetNameAttribute(OM_uint32 *minor, - gss_name_t name, - gss_buffer_t attr, - int *authenticated, - int *complete, - gss_buffer_t value, - gss_buffer_t display_value, - int *more) -{ - if (gssGetNameAttributeNext == NULL) - return GSS_S_UNAVAILABLE; - - return gssGetNameAttributeNext(minor, name, attr, authenticated, complete, - value, display_value, more); -} - static gss_buffer_desc radiusAvpKrbAttr = { sizeof("urn:authdata-radius-avp") - 1, "urn:authdata-radius-avp" }; @@ -656,6 +569,10 @@ defrostAttrContext(OM_uint32 *minor, return major; } +/* + * Convert a mechanism glue to an EAP mechanism name by displaying and + * importing it. This also handles the RADIUS attributes. + */ OM_uint32 gssEapGlueToMechName(OM_uint32 *minor, gss_name_t glueName, @@ -690,6 +607,10 @@ cleanup: return major; } +/* + * Convert an EAP mechanism name to a mechanism glue name by displaying + * and importing it. + */ OM_uint32 gssEapMechToGlueName(OM_uint32 *minor, gss_name_t mechName, @@ -715,6 +636,10 @@ cleanup: return major; } +/* + * Suck out the analgous elements of a Kerberos GSS context into an EAP + * one so that the application doesn't know the difference. + */ OM_uint32 gssEapReauthComplete(OM_uint32 *minor, gss_ctx_id_t ctx, @@ -730,6 +655,7 @@ gssEapReauthComplete(OM_uint32 *minor, goto cleanup; } + /* Get the raw subsession key and encryption type*/ major = gssInquireSecContextByOid(minor, ctx->kerberosCtx, GSS_C_INQ_SSPI_SESSION_KEY, &keyData); if (GSS_ERROR(major)) @@ -778,6 +704,7 @@ gssEapReauthComplete(OM_uint32 *minor, if (timeRec != GSS_C_INDEFINITE) ctx->expiryTime = time(NULL) + timeRec; + /* Initialize our sequence state */ major = sequenceInit(minor, &ctx->seqState, ctx->recvSeq, ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0), @@ -793,3 +720,282 @@ cleanup: return major; } + +/* + * The remainder of this file consists of wrappers so we can call into the + * mechanism glue without calling ourselves. + */ +static OM_uint32 +(*gssInitSecContextNext)(OM_uint32 *, + gss_cred_id_t, + gss_ctx_id_t *, + gss_name_t, + gss_OID, + OM_uint32, + OM_uint32, + gss_channel_bindings_t, + gss_buffer_t, + gss_OID *, + gss_buffer_t, + OM_uint32 *, + OM_uint32 *); + +static OM_uint32 +(*gssAcceptSecContextNext)(OM_uint32 *, + gss_ctx_id_t *, + gss_cred_id_t, + gss_buffer_t, + gss_channel_bindings_t, + gss_name_t *, + gss_OID *, + gss_buffer_t, + OM_uint32 *, + OM_uint32 *, + gss_cred_id_t *); + +static OM_uint32 +(*gssReleaseCredNext)(OM_uint32 *, gss_cred_id_t *); + +static OM_uint32 +(*gssReleaseNameNext)(OM_uint32 *, gss_name_t *); + +static OM_uint32 +(*gssInquireSecContextByOidNext)(OM_uint32 *, + const gss_ctx_id_t, + const gss_OID, + gss_buffer_set_t *); + +static OM_uint32 +(*gssDeleteSecContextNext)(OM_uint32 *, + gss_ctx_id_t *, + gss_buffer_t); + +static OM_uint32 +(*gssDisplayNameNext)(OM_uint32 *, + gss_name_t, + gss_buffer_t, + gss_OID *); + +static OM_uint32 +(*gssImportNameNext)(OM_uint32 *, + gss_buffer_t, + gss_OID, + gss_name_t *); + +static OM_uint32 +(*gssStoreCredNext)(OM_uint32 *, + const gss_cred_id_t, + gss_cred_usage_t, + const gss_OID, + OM_uint32, + OM_uint32, + gss_OID_set *, + gss_cred_usage_t *); + +static OM_uint32 +(*gssGetNameAttributeNext)(OM_uint32 *, + gss_name_t, + gss_buffer_t, + int *, + int *, + gss_buffer_t, + gss_buffer_t, + int *); + +#define NEXT_SYMBOL(local, global) do { \ + ((local) = dlsym(RTLD_NEXT, (global))); \ + if ((local) == NULL) { \ + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; \ + major = GSS_S_UNAVAILABLE; \ + /* but continue */ \ + } \ + } while (0) + +OM_uint32 +gssEapReauthInitialize(OM_uint32 *minor) +{ + OM_uint32 major = GSS_S_COMPLETE; + + NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context"); + NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context"); + NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred"); + NEXT_SYMBOL(gssReleaseNameNext, "gss_release_name"); + NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid"); + NEXT_SYMBOL(gssDeleteSecContextNext, "gss_delete_sec_context"); + NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name"); + NEXT_SYMBOL(gssImportNameNext, "gss_import_name"); + NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred"); + NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute"); + + return major; +} + +OM_uint32 +gssInitSecContext(OM_uint32 *minor, + gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec) +{ + if (gssInitSecContextNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssInitSecContextNext(minor, cred, context_handle, + target_name, mech_type, req_flags, + time_req, input_chan_bindings, + input_token, actual_mech_type, + output_token, ret_flags, time_rec); +} + +OM_uint32 +gssAcceptSecContext(OM_uint32 *minor, + gss_ctx_id_t *context_handle, + gss_cred_id_t cred, + gss_buffer_t input_token, + gss_channel_bindings_t input_chan_bindings, + gss_name_t *src_name, + gss_OID *mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + gss_cred_id_t *delegated_cred_handle) +{ + if (gssAcceptSecContextNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssAcceptSecContextNext(minor, context_handle, cred, + input_token, input_chan_bindings, + src_name, mech_type, output_token, + ret_flags, time_rec, delegated_cred_handle); +} + +OM_uint32 +gssReleaseCred(OM_uint32 *minor, + gss_cred_id_t *cred_handle) +{ + if (gssReleaseCredNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssReleaseCredNext(minor, cred_handle); +} + +OM_uint32 +gssReleaseName(OM_uint32 *minor, + gss_name_t *name) +{ + if (gssReleaseName == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssReleaseNameNext(minor, name); +} + +OM_uint32 +gssDeleteSecContext(OM_uint32 *minor, + gss_ctx_id_t *context_handle, + gss_buffer_t output_token) +{ + if (gssDeleteSecContextNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssDeleteSecContextNext(minor, context_handle, output_token); +} + +static OM_uint32 +gssDisplayName(OM_uint32 *minor, + gss_name_t name, + gss_buffer_t buffer, + gss_OID *name_type) +{ + if (gssDisplayNameNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssDisplayNameNext(minor, name, buffer, name_type); +} + +static OM_uint32 +gssImportName(OM_uint32 *minor, + gss_buffer_t buffer, + gss_OID name_type, + gss_name_t *name) +{ + if (gssImportNameNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssImportNameNext(minor, buffer, name_type, name); +} + +OM_uint32 +gssInquireSecContextByOid(OM_uint32 *minor, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + if (gssInquireSecContextByOidNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssInquireSecContextByOidNext(minor, context_handle, + desired_object, data_set); +} + +OM_uint32 +gssStoreCred(OM_uint32 *minor, + const gss_cred_id_t input_cred_handle, + gss_cred_usage_t input_usage, + const gss_OID desired_mech, + OM_uint32 overwrite_cred, + OM_uint32 default_cred, + gss_OID_set *elements_stored, + gss_cred_usage_t *cred_usage_stored) +{ + if (gssStoreCredNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssStoreCredNext(minor, input_cred_handle, input_usage, + desired_mech, overwrite_cred, default_cred, + elements_stored, cred_usage_stored); +} + +OM_uint32 +gssGetNameAttribute(OM_uint32 *minor, + gss_name_t name, + gss_buffer_t attr, + int *authenticated, + int *complete, + gss_buffer_t value, + gss_buffer_t display_value, + int *more) +{ + if (gssGetNameAttributeNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; + return GSS_S_UNAVAILABLE; + } + + return gssGetNameAttributeNext(minor, name, attr, authenticated, complete, + value, display_value, more); +}