X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=util_reauth.c;h=7015451afb83cf446b65d1703934e7c9e1df68f9;hb=41c5d9a50692df8b48865db62f819cdea474956b;hp=c4420389cfafc3365e082ffc5650375ff693be73;hpb=40bf3d686a893e69a9c24dac8ead23d499a9fbd2;p=mech_eap.git diff --git a/util_reauth.c b/util_reauth.c index c442038..7015451 100644 --- a/util_reauth.c +++ b/util_reauth.c @@ -38,14 +38,24 @@ * Fast reauthentication support for EAP GSS. */ -#define KRB5_AUTHDATA_RADIUS_AVP 513 - krb5_error_code krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *); krb5_error_code encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code); +static OM_uint32 +gssDisplayName(OM_uint32 *minor, + gss_name_t name, + gss_buffer_t buffer, + gss_OID *name_type); + +static OM_uint32 +gssImportName(OM_uint32 *minor, + gss_buffer_t buffer, + gss_OID name_type, + gss_name_t *name); + static krb5_error_code getAcceptorKey(krb5_context krbContext, gss_ctx_id_t ctx, @@ -55,12 +65,11 @@ getAcceptorKey(krb5_context krbContext, { krb5_error_code code; krb5_keytab keytab = NULL; - krb5_keytab_entry ktent; + krb5_keytab_entry ktent = { 0 }; krb5_kt_cursor cursor = NULL; *princ = NULL; memset(key, 0, sizeof(*key)); - memset(&ktent, 0, sizeof(ktent)); code = krb5_kt_default(krbContext, &keytab); if (code != 0) @@ -68,22 +77,25 @@ getAcceptorKey(krb5_context krbContext, if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) { code = krb5_kt_get_entry(krbContext, keytab, - cred->name->krbPrincipal, 0, + cred->name->krbPrincipal, 0, ctx->encryptionType, &ktent); if (code != 0) goto cleanup; } else { + /* + * It's not clear that looking encrypting the ticket in the + * requested EAP enctype provides any value. + */ code = krb5_kt_start_seq_get(krbContext, keytab, &cursor); if (code != 0) goto cleanup; while ((code = krb5_kt_next_entry(krbContext, keytab, &ktent, &cursor)) == 0) { - if (ktent.key.enctype == ctx->encryptionType) { + if (ktent.key.enctype == ctx->encryptionType) break; - } else { + else krb5_free_keytab_entry_contents(krbContext, &ktent); - } } } @@ -97,47 +109,95 @@ cleanup: krb5_kt_end_seq_get(krbContext, keytab, &cursor); krb5_kt_close(krbContext, keytab); + if (code != 0) + krb5_free_keytab_entry_contents(krbContext, &ktent); + + return code; +} + +static OM_uint32 +freezeAttrContext(OM_uint32 *minor, + gss_name_t initiatorName, + krb5_const_principal acceptorPrinc, + krb5_keyblock *session, + krb5_authdata ***authdata) +{ + OM_uint32 major, tmpMinor; + krb5_error_code code; + gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER; + krb5_authdata *authData[2], authDatum = { 0 }; + krb5_context krbContext; + + GSSEAP_KRB_INIT(&krbContext); + + major = gssEapExportAttrContext(minor, initiatorName, &attrBuf); + if (GSS_ERROR(major)) + return major; + + authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP; + authDatum.length = attrBuf.length; + authDatum.contents = attrBuf.value; + authData[0] = &authDatum; + authData[1] = NULL; + + code = krb5_make_authdata_kdc_issued(krbContext, session, acceptorPrinc, + authData, authdata); if (code != 0) { - if (*princ != NULL) { - krb5_free_principal(krbContext, *princ); - *princ = NULL; - } - krb5_free_keyblock_contents(krbContext, key), - memset(key, 0, sizeof(key)); + major = GSS_S_FAILURE; + *minor = code; + } else { + major = GSS_S_COMPLETE; } - return code; + gss_release_buffer(&tmpMinor, &attrBuf); + + return major; } +/* + * Fabricate a ticket to ourselves given a GSS EAP context. + */ OM_uint32 gssEapMakeReauthCreds(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred, gss_buffer_t credBuf) { - OM_uint32 major = GSS_S_COMPLETE, code; + OM_uint32 major = GSS_S_COMPLETE; + krb5_error_code code; krb5_context krbContext = NULL; krb5_ticket ticket = { 0 }; - krb5_keyblock session, acceptorKey = { 0 }; + krb5_keyblock session = { 0 }, acceptorKey = { 0 }; krb5_enc_tkt_part enc_part = { 0 }; - gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER; - krb5_authdata *authData[2], authDatum = { 0 }; krb5_data *ticketData = NULL, *credsData = NULL; krb5_creds creds = { 0 }; krb5_auth_context authContext = NULL; - + credBuf->length = 0; credBuf->value = NULL; - + GSSEAP_KRB_INIT(&krbContext); code = getAcceptorKey(krbContext, ctx, cred, &ticket.server, &acceptorKey); - if (code != 0) + if (code == KRB5_KT_NOTFOUND) { + gss_buffer_desc emptyToken = { 0, "" }; + + /* + * If we can't produce the KRB-CRED message, we need to + * return an empty (not NULL) token to the caller so we + * don't change the number of authentication legs. + */ + return duplicateBuffer(minor, &emptyToken, credBuf); + } else if (code != 0) goto cleanup; enc_part.flags = TKT_FLG_INITIAL; + /* + * Generate a random session key to place in the ticket and + * sign the "KDC-Issued" authorization data element. + */ code = krb5_c_make_random_key(krbContext, ctx->encryptionType, &session); if (code != 0) @@ -152,25 +212,18 @@ gssEapMakeReauthCreds(OM_uint32 *minor, : KRB5_INT32_MAX; enc_part.times.renew_till = 0; - major = gssEapExportAttrContext(minor, ctx->initiatorName, - &attrBuf); + major = freezeAttrContext(minor, ctx->initiatorName, ticket.server, + &session, &enc_part.authorization_data); if (GSS_ERROR(major)) goto cleanup; - authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP; - authDatum.length = attrBuf.length; - authDatum.contents = attrBuf.value; - authData[0] = &authDatum; - authData[1] = NULL; - enc_part.authorization_data = authData; - ticket.enc_part2 = &enc_part; - code = encode_krb5_ticket(&ticket, &ticketData); + code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket); if (code != 0) goto cleanup; - code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket); + code = encode_krb5_ticket(&ticket, &ticketData); if (code != 0) goto cleanup; @@ -180,7 +233,7 @@ gssEapMakeReauthCreds(OM_uint32 *minor, creds.times = enc_part.times; creds.ticket_flags = enc_part.flags; creds.ticket = *ticketData; - creds.authdata = authData; + creds.authdata = enc_part.authorization_data; code = krb5_auth_con_init(krbContext, &authContext); if (code != 0) @@ -190,7 +243,8 @@ gssEapMakeReauthCreds(OM_uint32 *minor, if (code != 0) goto cleanup; - code = krb5_auth_con_setsendsubkey(krbContext, authContext, &ctx->rfc3961Key); + code = krb5_auth_con_setsendsubkey(krbContext, authContext, + &ctx->rfc3961Key); if (code != 0) goto cleanup; @@ -201,25 +255,40 @@ gssEapMakeReauthCreds(OM_uint32 *minor, krbDataToGssBuffer(credsData, credBuf); cleanup: - *minor = code; - if (ticket.enc_part.ciphertext.data != NULL) GSSEAP_FREE(ticket.enc_part.ciphertext.data); - krb5_free_keyblock_contents(krbContext, &session); krb5_free_keyblock_contents(krbContext, &acceptorKey); - gss_release_buffer(&code, &attrBuf); krb5_free_data(krbContext, ticketData); krb5_auth_con_free(krbContext, authContext); + krb5_free_authdata(krbContext, enc_part.authorization_data); if (credsData != NULL) GSSEAP_FREE(credsData); - if (major == GSS_S_COMPLETE) - major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE; + if (major == GSS_S_COMPLETE) { + *minor = code; + major = code != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE; + } return major; } +static int +isTicketGrantingServiceP(krb5_context krbContext, + krb5_const_principal principal) +{ + if (krb5_princ_size(krbContext, principal) == 2 && + krb5_princ_component(krbContext, principal, 0)->length == 6 && + memcmp(krb5_princ_component(krbContext, + principal, 0)->data, "krbtgt", 6) == 0) + return TRUE; + + return FALSE; +} + +/* + * Store re-authentication (Kerberos) credentials in a credential handle. + */ OM_uint32 gssEapStoreReauthCreds(OM_uint32 *minor, gss_ctx_id_t ctx, @@ -231,6 +300,7 @@ gssEapStoreReauthCreds(OM_uint32 *minor, krb5_auth_context authContext = NULL; krb5_data credData = { 0 }; krb5_creds **creds = NULL; + krb5_principal canonPrinc; int i; if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL) @@ -260,17 +330,54 @@ gssEapStoreReauthCreds(OM_uint32 *minor, if (creds == NULL || creds[0] == NULL) goto cleanup; + code = krb5_copy_principal(krbContext, creds[0]->client, &canonPrinc); + if (code != 0) + goto cleanup; + + krb5_free_principal(krbContext, cred->name->krbPrincipal); + cred->name->krbPrincipal = canonPrinc; + + cred->expiryTime = creds[0]->times.endtime; + code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache); if (code != 0) goto cleanup; - code = krb5_cc_store_cred(krbContext, cred->krbCredCache, creds[0]); + code = krb5_cc_initialize(krbContext, cred->krbCredCache, + creds[0]->client); if (code != 0) goto cleanup; - major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL, &cred->krbCred); + for (i = 0; creds[i] != NULL; i++) { + krb5_creds kcred = *(creds[i]); + + /* + * Swap in the acceptor name the client asked for so + * get_credentials() works. We're making the assumption that + * any service tickets returned are for us. We'll need to + * reflect some more on whether that is a safe assumption. + */ + if (!isTicketGrantingServiceP(krbContext, kcred.server)) + kcred.server = ctx->acceptorName->krbPrincipal; + + code = krb5_cc_store_cred(krbContext, cred->krbCredCache, &kcred); + if (code != 0) + goto cleanup; + } + +#ifdef HAVE_GSS_KRB5_IMPORT_CRED + /* + * To turn a credentials cache into a GSS credentials handle, we + * require the gss_krb5_import_cred() API (present in Heimdal, but + * not shipped in MIT yet). + */ + major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL, + &cred->krbCred); if (GSS_ERROR(major)) goto cleanup; +#else +#warning Missing gss_krb5_import_cred() implementation +#endif cleanup: *minor = code; @@ -286,68 +393,303 @@ cleanup: return major; } -static OM_uint32 (*gssInitSecContextNext)( - OM_uint32 *minor, - gss_cred_id_t cred, - gss_ctx_id_t *context_handle, - gss_name_t target_name, - gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec); - -static OM_uint32 (*gssAcceptSecContextNext)( - OM_uint32 *minor, - gss_ctx_id_t *context_handle, - gss_cred_id_t cred, - gss_buffer_t input_token, - gss_channel_bindings_t input_chan_bindings, - gss_name_t *src_name, - gss_OID *mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - gss_cred_id_t *delegated_cred_handle); - -static OM_uint32 (*gssReleaseCredNext)( - OM_uint32 *minor, - gss_cred_id_t *cred_handle); - -static OM_uint32 (*gssReleaseNameNext)( - OM_uint32 *minor, - gss_name_t *name); - -static OM_uint32 (*gssInquireSecContextByOidNext)( - OM_uint32 *minor, - const gss_ctx_id_t context_handle, - const gss_OID desired_object, - gss_buffer_set_t *data_set); - -static OM_uint32 (*gssDeleteSecContextNext)( - OM_uint32 *minor, - gss_ctx_id_t *context_handle, - gss_buffer_t output_token); - -static OM_uint32 (*gssDisplayNameNext)( - OM_uint32 *minor, - gss_name_t name, - gss_buffer_t output_name_buffer, - gss_OID *output_name_type); +static gss_buffer_desc radiusAvpKrbAttr = { + sizeof("urn:authdata-radius-avp") - 1, "urn:authdata-radius-avp" +}; + +/* + * Unfortunately extracting an AD-KDCIssued authorization data element + * is pretty implementation-dependent. It's not possible to verify the + * signature ourselves because the ticket session key is not exposed + * outside GSS. In an ideal world, all AD-KDCIssued elements would be + * verified by the Kerberos library and authentication would fail if + * verification failed. We're not quite there yet and as a result have + * to go through some hoops to get this to work. The alternative would + * be to sign the authorization data with our long-term key, but it + * seems a pity to compromise the design because of current implementation + * limitations. + * + * (Specifically, the hoops involve a libkrb5 authorisation data plugin + * that exposes the verified and serialised attribute context through + * the Kerberos GSS mechanism's naming extensions API.) + */ +static OM_uint32 +defrostAttrContext(OM_uint32 *minor, + gss_name_t glueName, + gss_name_t mechName) +{ + OM_uint32 major, tmpMinor; + gss_buffer_desc authData = GSS_C_EMPTY_BUFFER; + gss_buffer_desc authDataDisplay = GSS_C_EMPTY_BUFFER; + int more = -1; + int authenticated, complete; + + major = gssGetNameAttribute(minor, glueName, &radiusAvpKrbAttr, + &authenticated, &complete, + &authData, &authDataDisplay, &more); + if (major == GSS_S_COMPLETE) { + if (authenticated == 0) + major = GSS_S_BAD_NAME; + else + major = gssEapImportAttrContext(minor, &authData, mechName); + } else if (major == GSS_S_UNAVAILABLE) { + major = GSS_S_COMPLETE; + } + + gss_release_buffer(&tmpMinor, &authData); + gss_release_buffer(&tmpMinor, &authDataDisplay); + + return major; +} + +/* + * Convert a mechanism glue to an EAP mechanism name by displaying and + * importing it. This also handles the RADIUS attributes. + */ +OM_uint32 +gssEapGlueToMechName(OM_uint32 *minor, + gss_name_t glueName, + gss_name_t *pMechName) +{ + OM_uint32 major, tmpMinor; + gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER; + + *pMechName = GSS_C_NO_NAME; + + major = gssDisplayName(minor, glueName, &nameBuf, NULL); + if (GSS_ERROR(major)) + goto cleanup; + + major = gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME, + pMechName); + if (GSS_ERROR(major)) + goto cleanup; + + major = defrostAttrContext(minor, glueName, *pMechName); + if (GSS_ERROR(major)) + goto cleanup; + +cleanup: + if (GSS_ERROR(major)) { + gssReleaseName(&tmpMinor, pMechName); + *pMechName = GSS_C_NO_NAME; + } + + gss_release_buffer(&tmpMinor, &nameBuf); + + return major; +} + +/* + * Convert an EAP mechanism name to a mechanism glue name by displaying + * and importing it. + */ +OM_uint32 +gssEapMechToGlueName(OM_uint32 *minor, + gss_name_t mechName, + gss_name_t *pGlueName) +{ + OM_uint32 major, tmpMinor; + gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER; + + *pGlueName = GSS_C_NO_NAME; + + major = gssEapDisplayName(minor, mechName, &nameBuf, NULL); + if (GSS_ERROR(major)) + goto cleanup; + + major = gssImportName(minor, &nameBuf, GSS_C_NT_USER_NAME, + pGlueName); + if (GSS_ERROR(major)) + goto cleanup; + +cleanup: + gss_release_buffer(&tmpMinor, &nameBuf); + + return major; +} + +/* + * Suck out the analgous elements of a Kerberos GSS context into an EAP + * one so that the application doesn't know the difference. + */ +OM_uint32 +gssEapReauthComplete(OM_uint32 *minor, + gss_ctx_id_t ctx, + gss_cred_id_t cred, + const gss_OID mech, + OM_uint32 timeRec) +{ + OM_uint32 major, tmpMinor; + gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET; + + if (!oidEqual(mech, gss_mech_krb5)) { + major = GSS_S_BAD_MECH; + goto cleanup; + } + + /* Get the raw subsession key and encryption type*/ + major = gssInquireSecContextByOid(minor, ctx->kerberosCtx, + GSS_C_INQ_SSPI_SESSION_KEY, &keyData); + if (GSS_ERROR(major)) + goto cleanup; + + { + gss_OID_desc oid; + int suffix; + + oid.length = keyData->elements[1].length; + oid.elements = keyData->elements[1].value; + + /* GSS_KRB5_SESSION_KEY_ENCTYPE_OID */ + major = decomposeOid(minor, + "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04", + 10, &oid, &suffix); + if (GSS_ERROR(major)) + goto cleanup; + + ctx->encryptionType = suffix; + } + + { + krb5_context krbContext = NULL; + krb5_keyblock key; + + GSSEAP_KRB_INIT(&krbContext); + + KRB_KEY_LENGTH(&key) = keyData->elements[0].length; + KRB_KEY_DATA(&key) = keyData->elements[0].value; + KRB_KEY_TYPE(&key) = ctx->encryptionType; + + *minor = krb5_copy_keyblock_contents(krbContext, + &key, &ctx->rfc3961Key); + if (*minor != 0) { + major = GSS_S_FAILURE; + goto cleanup; + } + } + + major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key, + &ctx->checksumType); + if (GSS_ERROR(major)) + goto cleanup; + + if (timeRec != GSS_C_INDEFINITE) + ctx->expiryTime = time(NULL) + timeRec; + + /* Initialize our sequence state */ + major = sequenceInit(minor, + &ctx->seqState, ctx->recvSeq, + ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0), + ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0), + TRUE); + if (GSS_ERROR(major)) + goto cleanup; + + major = GSS_S_COMPLETE; + +cleanup: + gss_release_buffer_set(&tmpMinor, &keyData); + + return major; +} + +/* + * The remainder of this file consists of wrappers so we can call into the + * mechanism glue without calling ourselves. + */ +static OM_uint32 +(*gssInitSecContextNext)(OM_uint32 *, + gss_cred_id_t, + gss_ctx_id_t *, + gss_name_t, + gss_OID, + OM_uint32, + OM_uint32, + gss_channel_bindings_t, + gss_buffer_t, + gss_OID *, + gss_buffer_t, + OM_uint32 *, + OM_uint32 *); + +static OM_uint32 +(*gssAcceptSecContextNext)(OM_uint32 *, + gss_ctx_id_t *, + gss_cred_id_t, + gss_buffer_t, + gss_channel_bindings_t, + gss_name_t *, + gss_OID *, + gss_buffer_t, + OM_uint32 *, + OM_uint32 *, + gss_cred_id_t *); + +static OM_uint32 +(*gssReleaseCredNext)(OM_uint32 *, gss_cred_id_t *); + +static OM_uint32 +(*gssReleaseNameNext)(OM_uint32 *, gss_name_t *); + +static OM_uint32 +(*gssInquireSecContextByOidNext)(OM_uint32 *, + const gss_ctx_id_t, + const gss_OID, + gss_buffer_set_t *); + +static OM_uint32 +(*gssDeleteSecContextNext)(OM_uint32 *, + gss_ctx_id_t *, + gss_buffer_t); + +static OM_uint32 +(*gssDisplayNameNext)(OM_uint32 *, + gss_name_t, + gss_buffer_t, + gss_OID *); + +static OM_uint32 +(*gssImportNameNext)(OM_uint32 *, + gss_buffer_t, + gss_OID, + gss_name_t *); + +static OM_uint32 +(*gssStoreCredNext)(OM_uint32 *, + const gss_cred_id_t, + gss_cred_usage_t, + const gss_OID, + OM_uint32, + OM_uint32, + gss_OID_set *, + gss_cred_usage_t *); + +static OM_uint32 +(*gssGetNameAttributeNext)(OM_uint32 *, + gss_name_t, + gss_buffer_t, + int *, + int *, + gss_buffer_t, + gss_buffer_t, + int *); + +#define NEXT_SYMBOL(local, global) ((local) = dlsym(RTLD_NEXT, (global))) OM_uint32 gssEapReauthInitialize(OM_uint32 *minor) { - gssInitSecContextNext = dlsym(RTLD_NEXT, "gss_init_sec_context"); - gssAcceptSecContextNext = dlsym(RTLD_NEXT, "gss_accept_sec_context"); - gssReleaseCredNext = dlsym(RTLD_NEXT, "gss_release_cred"); - gssReleaseNameNext = dlsym(RTLD_NEXT, "gss_release_name"); - gssInquireSecContextByOidNext = dlsym(RTLD_NEXT, "gss_inquire_sec_context_by_oid"); - gssDeleteSecContextNext = dlsym(RTLD_NEXT, "gss_delete_sec_context"); + NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context"); + NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context"); + NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred"); + NEXT_SYMBOL(gssReleaseNameNext, "gss_release_name"); + NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid"); + NEXT_SYMBOL(gssDeleteSecContextNext, "gss_delete_sec_context"); + NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name"); + NEXT_SYMBOL(gssImportNameNext, "gss_import_name"); + NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred"); + NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute"); return GSS_S_COMPLETE; } @@ -430,7 +772,7 @@ gssDeleteSecContext(OM_uint32 *minor, return gssDeleteSecContextNext(minor, context_handle, output_token); } -OM_uint32 +static OM_uint32 gssDisplayName(OM_uint32 *minor, gss_name_t name, gss_buffer_t buffer, @@ -442,6 +784,18 @@ gssDisplayName(OM_uint32 *minor, return gssDisplayNameNext(minor, name, buffer, name_type); } +static OM_uint32 +gssImportName(OM_uint32 *minor, + gss_buffer_t buffer, + gss_OID name_type, + gss_name_t *name) +{ + if (gssImportNameNext == NULL) + return GSS_S_UNAVAILABLE; + + return gssImportNameNext(minor, buffer, name_type, name); +} + OM_uint32 gssInquireSecContextByOid(OM_uint32 *minor, const gss_ctx_id_t context_handle, @@ -454,3 +808,38 @@ gssInquireSecContextByOid(OM_uint32 *minor, return gssInquireSecContextByOidNext(minor, context_handle, desired_object, data_set); } + +OM_uint32 +gssStoreCred(OM_uint32 *minor, + const gss_cred_id_t input_cred_handle, + gss_cred_usage_t input_usage, + const gss_OID desired_mech, + OM_uint32 overwrite_cred, + OM_uint32 default_cred, + gss_OID_set *elements_stored, + gss_cred_usage_t *cred_usage_stored) +{ + if (gssStoreCredNext == NULL) + return GSS_S_UNAVAILABLE; + + return gssStoreCredNext(minor, input_cred_handle, input_usage, + desired_mech, overwrite_cred, default_cred, + elements_stored, cred_usage_stored); +} + +OM_uint32 +gssGetNameAttribute(OM_uint32 *minor, + gss_name_t name, + gss_buffer_t attr, + int *authenticated, + int *complete, + gss_buffer_t value, + gss_buffer_t display_value, + int *more) +{ + if (gssGetNameAttributeNext == NULL) + return GSS_S_UNAVAILABLE; + + return gssGetNameAttributeNext(minor, name, attr, authenticated, complete, + value, display_value, more); +}