util_reauth.c

   1 /*
   2  * Copyright (c) 2010, JANET(UK)
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * 3. Neither the name of JANET(UK) nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32
  33 #include "gssapiP_eap.h"
  34
  35 #include <dlfcn.h>
  36
  37 /*
  38  * Fast reauthentication support for EAP GSS.
  39  */
  40
  41 #define KRB5_AUTHDATA_RADIUS_AVP        513
  42
  43 krb5_error_code
  44 krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
  45
  46 krb5_error_code
  47 encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
  48
  49 static krb5_error_code
  50 getAcceptorKey(krb5_context krbContext,
  51                gss_ctx_id_t ctx,
  52                gss_cred_id_t cred,
  53                krb5_principal *princ,
  54                krb5_keyblock *key)
  55 {
  56     krb5_error_code code;
  57     krb5_keytab keytab = NULL;
  58     krb5_keytab_entry ktent;
  59     krb5_kt_cursor cursor = NULL;
  60
  61     *princ = NULL;
  62     memset(key, 0, sizeof(*key));
  63     memset(&ktent, 0, sizeof(ktent));
  64
  65     code = krb5_kt_default(krbContext, &keytab);
  66     if (code != 0)
  67         goto cleanup;
  68
  69     if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) {
  70         code = krb5_kt_get_entry(krbContext, keytab,
  71                                  cred->name->krbPrincipal, 0,
  72                                  ctx->encryptionType, &ktent);
  73         if (code != 0)
  74             goto cleanup;
  75     } else {
  76         code = krb5_kt_start_seq_get(krbContext, keytab, &cursor);
  77         if (code != 0)
  78             goto cleanup;
  79
  80         while ((code = krb5_kt_next_entry(krbContext, keytab,
  81                                           &ktent, &cursor)) == 0) {
  82             if (ktent.key.enctype == ctx->encryptionType) {
  83                 break;
  84             } else {
  85                 krb5_free_keytab_entry_contents(krbContext, &ktent);
  86             }
  87         }
  88     }
  89
  90     if (code == 0) {
  91         *princ = ktent.principal;
  92         *key = ktent.key;
  93     }
  94
  95 cleanup:
  96     if (cred == GSS_C_NO_CREDENTIAL || cred->name == GSS_C_NO_NAME)
  97         krb5_kt_end_seq_get(krbContext, keytab, &cursor);
  98     krb5_kt_close(krbContext, keytab);
  99
 100     if (code != 0) {
 101         if (*princ != NULL) {
 102             krb5_free_principal(krbContext, *princ);
 103             *princ = NULL;
 104         }
 105         krb5_free_keyblock_contents(krbContext, key),
 106         memset(key, 0, sizeof(key));
 107     }
 108
 109     return code;
 110 }
 111
 112 OM_uint32
 113 gssEapMakeReauthCreds(OM_uint32 *minor,
 114                       gss_ctx_id_t ctx,
 115                       gss_cred_id_t cred,
 116                       gss_buffer_t credBuf)
 117 {
 118     OM_uint32 major = GSS_S_COMPLETE, code;
 119     krb5_context krbContext = NULL;
 120     krb5_ticket ticket = { 0 };
 121     krb5_keyblock session, acceptorKey = { 0 };
 122     krb5_enc_tkt_part enc_part = { 0 };
 123     gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER;
 124     krb5_authdata *authData[2], authDatum = { 0 };
 125     krb5_data *ticketData = NULL, *credsData = NULL;
 126     krb5_creds creds = { 0 };
 127     krb5_auth_context authContext = NULL;
 128
 129     credBuf->length = 0;
 130     credBuf->value = NULL;
 131
 132     GSSEAP_KRB_INIT(&krbContext);
 133
 134     code = getAcceptorKey(krbContext, ctx, cred,
 135                           &ticket.server, &acceptorKey);
 136     if (code != 0)
 137         goto cleanup;
 138
 139     enc_part.flags = TKT_FLG_INITIAL;
 140
 141     code = krb5_c_make_random_key(krbContext, ctx->encryptionType,
 142                                   &session);
 143     if (code != 0)
 144         goto cleanup;
 145
 146     enc_part.session = &session;
 147     enc_part.client = ctx->initiatorName->krbPrincipal;
 148     enc_part.times.authtime = time(NULL);
 149     enc_part.times.starttime = enc_part.times.authtime;
 150     enc_part.times.endtime = ctx->expiryTime
 151                              ? ctx->expiryTime
 152                              : KRB5_INT32_MAX;
 153     enc_part.times.renew_till = 0;
 154
 155     major = gssEapExportAttrContext(minor, ctx->initiatorName,
 156                                     &attrBuf);
 157     if (GSS_ERROR(major))
 158         goto cleanup;
 159
 160     authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP;
 161     authDatum.length = attrBuf.length;
 162     authDatum.contents = attrBuf.value;
 163     authData[0] = &authDatum;
 164     authData[1] = NULL;
 165     enc_part.authorization_data = authData;
 166
 167     ticket.enc_part2 = &enc_part;
 168
 169     code = encode_krb5_ticket(&ticket, &ticketData);
 170     if (code != 0)
 171         goto cleanup;
 172
 173     code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket);
 174     if (code != 0)
 175         goto cleanup;
 176
 177     creds.client = enc_part.client;
 178     creds.server = ticket.server;
 179     creds.keyblock = session;
 180     creds.times = enc_part.times;
 181     creds.ticket_flags = enc_part.flags;
 182     creds.ticket = *ticketData;
 183     creds.authdata = authData;
 184
 185     code = krb5_auth_con_init(krbContext, &authContext);
 186     if (code != 0)
 187         goto cleanup;
 188
 189     code = krb5_auth_con_setflags(krbContext, authContext, 0);
 190     if (code != 0)
 191         goto cleanup;
 192
 193     code = krb5_auth_con_setsendsubkey(krbContext, authContext, &ctx->rfc3961Key);
 194     if (code != 0)
 195         goto cleanup;
 196
 197     code = krb5_mk_1cred(krbContext, authContext, &creds, &credsData, NULL);
 198     if (code != 0)
 199         goto cleanup;
 200
 201     krbDataToGssBuffer(credsData, credBuf);
 202
 203 cleanup:
 204     *minor = code;
 205
 206     if (ticket.enc_part.ciphertext.data != NULL)
 207         GSSEAP_FREE(ticket.enc_part.ciphertext.data);
 208
 209     krb5_free_keyblock_contents(krbContext, &session);
 210     krb5_free_keyblock_contents(krbContext, &acceptorKey);
 211     gss_release_buffer(&code, &attrBuf);
 212     krb5_free_data(krbContext, ticketData);
 213     krb5_auth_con_free(krbContext, authContext);
 214     if (credsData != NULL)
 215         GSSEAP_FREE(credsData);
 216
 217     if (major == GSS_S_COMPLETE)
 218         major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
 219
 220     return major;
 221 }
 222
 223 OM_uint32
 224 gssEapStoreReauthCreds(OM_uint32 *minor,
 225                        gss_ctx_id_t ctx,
 226                        gss_cred_id_t cred,
 227                        gss_buffer_t credBuf)
 228 {
 229     OM_uint32 major = GSS_S_COMPLETE, code;
 230     krb5_context krbContext = NULL;
 231     krb5_auth_context authContext = NULL;
 232     krb5_data credData = { 0 };
 233     krb5_creds **creds = NULL;
 234     int i;
 235
 236     if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
 237         return GSS_S_COMPLETE;
 238
 239     GSSEAP_KRB_INIT(&krbContext);
 240
 241     code = krb5_auth_con_init(krbContext, &authContext);
 242     if (code != 0)
 243         goto cleanup;
 244
 245     code = krb5_auth_con_setflags(krbContext, authContext, 0);
 246     if (code != 0)
 247         goto cleanup;
 248
 249     code = krb5_auth_con_setrecvsubkey(krbContext, authContext,
 250                                        &ctx->rfc3961Key);
 251     if (code != 0)
 252         goto cleanup;
 253
 254     gssBufferToKrbData(credBuf, &credData);
 255
 256     code = krb5_rd_cred(krbContext, authContext, &credData, &creds, NULL);
 257     if (code != 0)
 258         goto cleanup;
 259
 260     if (creds == NULL || creds[0] == NULL)
 261         goto cleanup;
 262
 263     code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
 264     if (code != 0)
 265         goto cleanup;
 266
 267     code = krb5_cc_store_cred(krbContext, cred->krbCredCache, creds[0]);
 268     if (code != 0)
 269         goto cleanup;
 270
 271     major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL, &cred->krbCred);
 272     if (GSS_ERROR(major))
 273         goto cleanup;
 274
 275 cleanup:
 276     *minor = code;
 277
 278     krb5_auth_con_free(krbContext, authContext);
 279     if (creds != NULL) {
 280         for (i = 0; creds[i] != NULL; i++)
 281             krb5_free_creds(krbContext, creds[i]);
 282     }
 283     if (major == GSS_S_COMPLETE)
 284         major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
 285
 286     return major;
 287 }
 288
 289 static OM_uint32 (*gssInitSecContextNext)(
 290     OM_uint32 *minor,
 291     gss_cred_id_t cred,
 292     gss_ctx_id_t *context_handle,
 293     gss_name_t target_name,
 294     gss_OID mech_type,
 295     OM_uint32 req_flags,
 296     OM_uint32 time_req,
 297     gss_channel_bindings_t input_chan_bindings,
 298     gss_buffer_t input_token,
 299     gss_OID *actual_mech_type,
 300     gss_buffer_t output_token,
 301     OM_uint32 *ret_flags,
 302     OM_uint32 *time_rec);
 303
 304 static OM_uint32 (*gssAcceptSecContextNext)(
 305     OM_uint32 *minor,
 306     gss_ctx_id_t *context_handle,
 307     gss_cred_id_t cred,
 308     gss_buffer_t input_token,
 309     gss_channel_bindings_t input_chan_bindings,
 310     gss_name_t *src_name,
 311     gss_OID *mech_type,
 312     gss_buffer_t output_token,
 313     OM_uint32 *ret_flags,
 314     OM_uint32 *time_rec,
 315     gss_cred_id_t *delegated_cred_handle);
 316
 317 static OM_uint32 (*gssReleaseCredNext)(
 318     OM_uint32 *minor,
 319     gss_cred_id_t *cred_handle);
 320
 321 static OM_uint32 (*gssReleaseNameNext)(
 322     OM_uint32 *minor,
 323     gss_name_t *name);
 324
 325 static OM_uint32 (*gssInquireSecContextByOidNext)(
 326     OM_uint32 *minor,
 327     const gss_ctx_id_t context_handle,
 328     const gss_OID desired_object,
 329     gss_buffer_set_t *data_set);
 330
 331 static OM_uint32 (*gssDeleteSecContextNext)(
 332     OM_uint32 *minor,
 333     gss_ctx_id_t *context_handle,
 334     gss_buffer_t output_token);
 335
 336 static OM_uint32 (*gssDisplayNameNext)(
 337     OM_uint32 *minor,
 338     gss_name_t name,
 339     gss_buffer_t output_name_buffer,
 340     gss_OID *output_name_type);
 341
 342 OM_uint32
 343 gssEapReauthInitialize(OM_uint32 *minor)
 344 {
 345     gssInitSecContextNext = dlsym(RTLD_NEXT, "gss_init_sec_context");
 346     gssAcceptSecContextNext = dlsym(RTLD_NEXT, "gss_accept_sec_context");
 347     gssReleaseCredNext = dlsym(RTLD_NEXT, "gss_release_cred");
 348     gssReleaseNameNext = dlsym(RTLD_NEXT, "gss_release_name");
 349     gssInquireSecContextByOidNext = dlsym(RTLD_NEXT, "gss_inquire_sec_context_by_oid");
 350     gssDeleteSecContextNext = dlsym(RTLD_NEXT, "gss_delete_sec_context");
 351
 352     return GSS_S_COMPLETE;
 353 }
 354
 355 OM_uint32
 356 gssInitSecContext(OM_uint32 *minor,
 357                   gss_cred_id_t cred,
 358                   gss_ctx_id_t *context_handle,
 359                   gss_name_t target_name,
 360                   gss_OID mech_type,
 361                   OM_uint32 req_flags,
 362                   OM_uint32 time_req,
 363                   gss_channel_bindings_t input_chan_bindings,
 364                   gss_buffer_t input_token,
 365                   gss_OID *actual_mech_type,
 366                   gss_buffer_t output_token,
 367                   OM_uint32 *ret_flags,
 368                   OM_uint32 *time_rec)
 369 {
 370     if (gssInitSecContextNext == NULL)
 371         return GSS_S_UNAVAILABLE;
 372
 373     return gssInitSecContextNext(minor, cred, context_handle,
 374                                  target_name, mech_type, req_flags,
 375                                  time_req, input_chan_bindings,
 376                                  input_token, actual_mech_type,
 377                                  output_token, ret_flags, time_rec);
 378 }
 379
 380 OM_uint32
 381 gssAcceptSecContext(OM_uint32 *minor,
 382                     gss_ctx_id_t *context_handle,
 383                     gss_cred_id_t cred,
 384                     gss_buffer_t input_token,
 385                     gss_channel_bindings_t input_chan_bindings,
 386                     gss_name_t *src_name,
 387                     gss_OID *mech_type,
 388                     gss_buffer_t output_token,
 389                     OM_uint32 *ret_flags,
 390                     OM_uint32 *time_rec,
 391                     gss_cred_id_t *delegated_cred_handle)
 392 {
 393     if (gssAcceptSecContextNext == NULL)
 394         return GSS_S_UNAVAILABLE;
 395
 396     return gssAcceptSecContextNext(minor, context_handle, cred,
 397                                    input_token, input_chan_bindings,
 398                                    src_name, mech_type, output_token,
 399                                    ret_flags, time_rec, delegated_cred_handle);
 400 }
 401
 402 OM_uint32
 403 gssReleaseCred(OM_uint32 *minor,
 404                gss_cred_id_t *cred_handle)
 405 {
 406     if (gssReleaseCredNext == NULL)
 407         return GSS_S_UNAVAILABLE;
 408
 409     return gssReleaseCredNext(minor, cred_handle);
 410 }
 411
 412 OM_uint32
 413 gssReleaseName(OM_uint32 *minor,
 414                gss_name_t *name)
 415 {
 416     if (gssReleaseName == NULL)
 417         return GSS_S_UNAVAILABLE;
 418
 419     return gssReleaseNameNext(minor, name);
 420 }
 421
 422 OM_uint32
 423 gssDeleteSecContext(OM_uint32 *minor,
 424                     gss_ctx_id_t *context_handle,
 425                     gss_buffer_t output_token)
 426 {
 427     if (gssDeleteSecContextNext == NULL)
 428         return GSS_S_UNAVAILABLE;
 429
 430     return gssDeleteSecContextNext(minor, context_handle, output_token);
 431 }
 432
 433 OM_uint32
 434 gssDisplayName(OM_uint32 *minor,
 435                gss_name_t name,
 436                gss_buffer_t buffer,
 437                gss_OID *name_type)
 438 {
 439     if (gssDisplayNameNext == NULL)
 440         return GSS_S_UNAVAILABLE;
 441
 442     return gssDisplayNameNext(minor, name, buffer, name_type);
 443 }
 444
 445 OM_uint32
 446 gssInquireSecContextByOid(OM_uint32 *minor,
 447                           const gss_ctx_id_t context_handle,
 448                           const gss_OID desired_object,
 449                           gss_buffer_set_t *data_set)
 450 {
 451     if (gssInquireSecContextByOidNext == NULL)
 452         return GSS_S_UNAVAILABLE;
 453
 454     return gssInquireSecContextByOidNext(minor, context_handle,
 455                                          desired_object, data_set);
 456 }