projects / mech_eap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
get reauthenticating working
[mech_eap.git] / util_reauth.c
1 /*
2  * Copyright (c) 2010, JANET(UK)
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * 3. Neither the name of JANET(UK) nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32
33 #include "gssapiP_eap.h"
34
35 #include <dlfcn.h>
36
37 /*
38  * Fast reauthentication support for EAP GSS.
39  */
40
41 krb5_error_code
42 krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
43
44 krb5_error_code
45 encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
46
47 static krb5_error_code
48 getAcceptorKey(krb5_context krbContext,
49                gss_ctx_id_t ctx,
50                gss_cred_id_t cred,
51                krb5_principal *princ,
52                krb5_keyblock *key)
53 {
54     krb5_error_code code;
55     krb5_keytab keytab = NULL;
56     krb5_keytab_entry ktent;
57     krb5_kt_cursor cursor = NULL;
58
59     *princ = NULL;
60     memset(key, 0, sizeof(*key));
61     memset(&ktent, 0, sizeof(ktent));
62
63     code = krb5_kt_default(krbContext, &keytab);
64     if (code != 0)
65         goto cleanup;
66
67     if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) {
68         code = krb5_kt_get_entry(krbContext, keytab,
69                                  cred->name->krbPrincipal, 0, 
70                                  ctx->encryptionType, &ktent);
71         if (code != 0)
72             goto cleanup;
73     } else {
74         code = krb5_kt_start_seq_get(krbContext, keytab, &cursor);
75         if (code != 0)
76             goto cleanup;
77
78         while ((code = krb5_kt_next_entry(krbContext, keytab,
79                                           &ktent, &cursor)) == 0) {
80             if (ktent.key.enctype == ctx->encryptionType) {
81                 break;
82             } else {
83                 krb5_free_keytab_entry_contents(krbContext, &ktent);
84             }
85         }
86     }
87
88     if (code == 0) {
89         *princ = ktent.principal;
90         *key = ktent.key;
91     }
92
93 cleanup:
94     if (cred == GSS_C_NO_CREDENTIAL || cred->name == GSS_C_NO_NAME)
95         krb5_kt_end_seq_get(krbContext, keytab, &cursor);
96     krb5_kt_close(krbContext, keytab);
97
98     if (code != 0) {
99         if (*princ != NULL) {
100             krb5_free_principal(krbContext, *princ);
101             *princ = NULL;
102         }
103         krb5_free_keyblock_contents(krbContext, key),
104         memset(key, 0, sizeof(key));
105     }
106
107     return code; 
108 }
109
110 OM_uint32
111 gssEapMakeReauthCreds(OM_uint32 *minor,
112                       gss_ctx_id_t ctx,
113                       gss_cred_id_t cred,
114                       gss_buffer_t credBuf)
115 {
116     OM_uint32 major = GSS_S_COMPLETE;
117     krb5_error_code code;
118     krb5_context krbContext = NULL;
119     krb5_ticket ticket = { 0 };
120     krb5_keyblock session, acceptorKey = { 0 };
121     krb5_enc_tkt_part enc_part = { 0 };
122     gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER;
123     krb5_authdata *authData[2], authDatum = { 0 };
124     krb5_data *ticketData = NULL, *credsData = NULL;
125     krb5_creds creds = { 0 };
126     krb5_auth_context authContext = NULL;
127  
128     credBuf->length = 0;
129     credBuf->value = NULL;
130  
131     GSSEAP_KRB_INIT(&krbContext);
132
133     code = getAcceptorKey(krbContext, ctx, cred,
134                           &ticket.server, &acceptorKey);
135     if (code == KRB5_KT_NOTFOUND) {
136         gss_buffer_desc emptyToken = { 0, "" };
137
138         /*
139          * If we can't produce the KRB-CRED message, we need to
140          * return an empty (not NULL) token to the caller so we
141          * don't change the number of authentication legs.
142          */
143         return duplicateBuffer(minor, &emptyToken, credBuf);
144     } else if (code != 0)
145         goto cleanup;
146
147     enc_part.flags = TKT_FLG_INITIAL;
148
149     code = krb5_c_make_random_key(krbContext, ctx->encryptionType,
150                                   &session);
151     if (code != 0)
152         goto cleanup;
153
154     enc_part.session = &session;
155     enc_part.client = ctx->initiatorName->krbPrincipal;
156     enc_part.times.authtime = time(NULL);
157     enc_part.times.starttime = enc_part.times.authtime;
158     enc_part.times.endtime = ctx->expiryTime
159                              ? ctx->expiryTime
160                              : KRB5_INT32_MAX;
161     enc_part.times.renew_till = 0;
162
163     major = gssEapExportAttrContext(minor, ctx->initiatorName,
164                                     &attrBuf);
165     if (GSS_ERROR(major))
166         goto cleanup;
167
168     authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP;
169     authDatum.length = attrBuf.length;
170     authDatum.contents = attrBuf.value;
171     authData[0] = &authDatum;
172     authData[1] = NULL;
173     enc_part.authorization_data = authData;
174
175     ticket.enc_part2 = &enc_part;
176
177     code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket);
178     if (code != 0)
179         goto cleanup;
180
181     code = encode_krb5_ticket(&ticket, &ticketData);
182     if (code != 0)
183         goto cleanup;
184
185     creds.client = enc_part.client;
186     creds.server = ticket.server;
187     creds.keyblock = session;
188     creds.times = enc_part.times;
189     creds.ticket_flags = enc_part.flags;
190     creds.ticket = *ticketData;
191     creds.authdata = authData;
192
193     code = krb5_auth_con_init(krbContext, &authContext);
194     if (code != 0)
195         goto cleanup;
196
197     code = krb5_auth_con_setflags(krbContext, authContext, 0);
198     if (code != 0)
199         goto cleanup;
200
201     code = krb5_auth_con_setsendsubkey(krbContext, authContext, &ctx->rfc3961Key);
202     if (code != 0)
203         goto cleanup;
204
205     code = krb5_mk_1cred(krbContext, authContext, &creds, &credsData, NULL);
206     if (code != 0)
207         goto cleanup;
208
209     krbDataToGssBuffer(credsData, credBuf);
210
211 cleanup:
212     if (ticket.enc_part.ciphertext.data != NULL)
213         GSSEAP_FREE(ticket.enc_part.ciphertext.data);
214     krb5_free_keyblock_contents(krbContext, &session);
215     krb5_free_keyblock_contents(krbContext, &acceptorKey);
216     gss_release_buffer(minor, &attrBuf);
217     krb5_free_data(krbContext, ticketData);
218     krb5_auth_con_free(krbContext, authContext);
219     if (credsData != NULL)
220         GSSEAP_FREE(credsData);
221
222     if (major == GSS_S_COMPLETE) {
223         *minor = code;
224         major = code != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE;
225     }
226
227     return major;
228 }
229
230 static int
231 isTicketGrantingServiceP(krb5_context krbContext,
232                          krb5_const_principal principal)
233 {
234     if (krb5_princ_size(krbContext, principal) == 2 &&
235         krb5_princ_component(krbContext, principal, 0)->length == 6 &&
236         memcmp(krb5_princ_component(krbContext, principal, 0)->data, "krbtgt", 6) == 0)
237         return TRUE;
238
239     return FALSE;
240 }
241
242 OM_uint32
243 gssEapStoreReauthCreds(OM_uint32 *minor,
244                        gss_ctx_id_t ctx,
245                        gss_cred_id_t cred,
246                        gss_buffer_t credBuf)
247 {
248     OM_uint32 major = GSS_S_COMPLETE, code;
249     krb5_context krbContext = NULL;
250     krb5_auth_context authContext = NULL;
251     krb5_data credData = { 0 };
252     krb5_creds **creds = NULL;
253     krb5_principal canonPrinc;
254     int i;
255
256     if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
257         return GSS_S_COMPLETE;
258
259     GSSEAP_KRB_INIT(&krbContext);
260
261     code = krb5_auth_con_init(krbContext, &authContext);
262     if (code != 0)
263         goto cleanup;
264
265     code = krb5_auth_con_setflags(krbContext, authContext, 0);
266     if (code != 0)
267         goto cleanup;
268
269     code = krb5_auth_con_setrecvsubkey(krbContext, authContext,
270                                        &ctx->rfc3961Key);
271     if (code != 0)
272         goto cleanup;
273
274     gssBufferToKrbData(credBuf, &credData);
275
276     code = krb5_rd_cred(krbContext, authContext, &credData, &creds, NULL);
277     if (code != 0)
278         goto cleanup;
279
280     if (creds == NULL || creds[0] == NULL)
281         goto cleanup;
282
283     code = krb5_copy_principal(krbContext, creds[0]->client, &canonPrinc);
284     if (code != 0)
285         goto cleanup;
286
287     krb5_free_principal(krbContext, cred->name->krbPrincipal);
288     cred->name->krbPrincipal = canonPrinc;
289
290     cred->expiryTime = creds[0]->times.endtime;
291
292     code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
293     if (code != 0)
294         goto cleanup;
295
296     code = krb5_cc_initialize(krbContext, cred->krbCredCache, creds[0]->client);
297     if (code != 0)
298         goto cleanup;
299
300     for (i = 0; creds[i] != NULL; i++) {
301         krb5_creds kcred = *(creds[i]);
302
303         /* Swap in the acceptor name the client asked for so get_credentials() works */
304         if (!isTicketGrantingServiceP(krbContext, kcred.server))
305             kcred.server = ctx->acceptorName->krbPrincipal;
306
307         code = krb5_cc_store_cred(krbContext, cred->krbCredCache, &kcred);
308         if (code != 0)
309             goto cleanup;
310     }
311
312     major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
313                                  &cred->krbCred);
314     if (GSS_ERROR(major))
315         goto cleanup;
316
317 cleanup:
318     *minor = code;
319
320     krb5_auth_con_free(krbContext, authContext);
321     if (creds != NULL) {
322         for (i = 0; creds[i] != NULL; i++)
323             krb5_free_creds(krbContext, creds[i]);
324     }
325     if (major == GSS_S_COMPLETE)
326         major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
327
328     return major;
329 }
330
331 static OM_uint32 (*gssInitSecContextNext)(
332     OM_uint32 *minor,
333     gss_cred_id_t cred,
334     gss_ctx_id_t *context_handle,
335     gss_name_t target_name,
336     gss_OID mech_type,
337     OM_uint32 req_flags,
338     OM_uint32 time_req,
339     gss_channel_bindings_t input_chan_bindings,
340     gss_buffer_t input_token,
341     gss_OID *actual_mech_type,
342     gss_buffer_t output_token,
343     OM_uint32 *ret_flags,
344     OM_uint32 *time_rec);
345
346 static OM_uint32 (*gssAcceptSecContextNext)(
347     OM_uint32 *minor,
348     gss_ctx_id_t *context_handle,
349     gss_cred_id_t cred,
350     gss_buffer_t input_token,
351     gss_channel_bindings_t input_chan_bindings,
352     gss_name_t *src_name,
353     gss_OID *mech_type,
354     gss_buffer_t output_token,
355     OM_uint32 *ret_flags,
356     OM_uint32 *time_rec,
357     gss_cred_id_t *delegated_cred_handle);
358
359 static OM_uint32 (*gssReleaseCredNext)(
360     OM_uint32 *minor,
361     gss_cred_id_t *cred_handle);
362
363 static OM_uint32 (*gssReleaseNameNext)(
364     OM_uint32 *minor,
365     gss_name_t *name);
366
367 static OM_uint32 (*gssInquireSecContextByOidNext)(
368     OM_uint32 *minor,
369     const gss_ctx_id_t context_handle,
370     const gss_OID desired_object,
371     gss_buffer_set_t *data_set);
372
373 static OM_uint32 (*gssDeleteSecContextNext)(
374     OM_uint32 *minor,
375     gss_ctx_id_t *context_handle,
376     gss_buffer_t output_token);
377
378 static OM_uint32 (*gssDisplayNameNext)(
379     OM_uint32 *minor,
380     gss_name_t name,
381     gss_buffer_t output_name_buffer,
382     gss_OID *output_name_type);
383
384 static OM_uint32 (*gssImportNameNext)(
385     OM_uint32 *minor,
386     gss_buffer_t buffer,
387     gss_OID nameType,
388     gss_name_t *outputName);
389
390 static OM_uint32 (*gssKrbExtractAuthzDataFromSecContextNext)(
391     OM_uint32 *minor,
392     const gss_ctx_id_t context_handle,
393     int ad_type,
394     gss_buffer_t ad_data);
395
396 OM_uint32
397 gssEapReauthInitialize(OM_uint32 *minor)
398 {
399     gssInitSecContextNext = dlsym(RTLD_NEXT, "gss_init_sec_context");
400     gssAcceptSecContextNext = dlsym(RTLD_NEXT, "gss_accept_sec_context");
401     gssReleaseCredNext = dlsym(RTLD_NEXT, "gss_release_cred");
402     gssReleaseNameNext = dlsym(RTLD_NEXT, "gss_release_name");
403     gssInquireSecContextByOidNext = dlsym(RTLD_NEXT, "gss_inquire_sec_context_by_oid");
404     gssDeleteSecContextNext = dlsym(RTLD_NEXT, "gss_delete_sec_context");
405     gssDisplayNameNext = dlsym(RTLD_NEXT, "gss_display_name");
406     gssImportNameNext = dlsym(RTLD_NEXT, "gss_import_name");
407     gssKrbExtractAuthzDataFromSecContextNext = dlsym(RTLD_NEXT, "gsskrb5_extract_authz_data_from_sec_context");
408
409     return GSS_S_COMPLETE;
410 }
411
412 OM_uint32
413 gssInitSecContext(OM_uint32 *minor,
414                   gss_cred_id_t cred,
415                   gss_ctx_id_t *context_handle,
416                   gss_name_t target_name,
417                   gss_OID mech_type,
418                   OM_uint32 req_flags,
419                   OM_uint32 time_req,
420                   gss_channel_bindings_t input_chan_bindings,
421                   gss_buffer_t input_token,
422                   gss_OID *actual_mech_type,
423                   gss_buffer_t output_token,
424                   OM_uint32 *ret_flags,
425                   OM_uint32 *time_rec)
426 {
427     if (gssInitSecContextNext == NULL)
428         return GSS_S_UNAVAILABLE;
429
430     return gssInitSecContextNext(minor, cred, context_handle,
431                                  target_name, mech_type, req_flags,
432                                  time_req, input_chan_bindings,
433                                  input_token, actual_mech_type,
434                                  output_token, ret_flags, time_rec);
435 }
436
437 OM_uint32
438 gssAcceptSecContext(OM_uint32 *minor,
439                     gss_ctx_id_t *context_handle,
440                     gss_cred_id_t cred,
441                     gss_buffer_t input_token,
442                     gss_channel_bindings_t input_chan_bindings,
443                     gss_name_t *src_name,
444                     gss_OID *mech_type,
445                     gss_buffer_t output_token,
446                     OM_uint32 *ret_flags,
447                     OM_uint32 *time_rec,
448                     gss_cred_id_t *delegated_cred_handle)
449 {
450     if (gssAcceptSecContextNext == NULL)
451         return GSS_S_UNAVAILABLE;
452
453     return gssAcceptSecContextNext(minor, context_handle, cred,
454                                    input_token, input_chan_bindings,
455                                    src_name, mech_type, output_token,
456                                    ret_flags, time_rec, delegated_cred_handle);
457 }
458
459 OM_uint32
460 gssReleaseCred(OM_uint32 *minor,
461                gss_cred_id_t *cred_handle)
462 {
463     if (gssReleaseCredNext == NULL)
464         return GSS_S_UNAVAILABLE;
465
466     return gssReleaseCredNext(minor, cred_handle);
467 }
468
469 OM_uint32
470 gssReleaseName(OM_uint32 *minor,
471                gss_name_t *name)
472 {
473     if (gssReleaseName == NULL)
474         return GSS_S_UNAVAILABLE;
475
476     return gssReleaseNameNext(minor, name);
477 }
478
479 OM_uint32
480 gssDeleteSecContext(OM_uint32 *minor,
481                     gss_ctx_id_t *context_handle,
482                     gss_buffer_t output_token)
483 {
484     if (gssDeleteSecContextNext == NULL)
485         return GSS_S_UNAVAILABLE;
486
487     return gssDeleteSecContextNext(minor, context_handle, output_token);
488 }
489
490 static OM_uint32
491 gssDisplayName(OM_uint32 *minor,
492                gss_name_t name,
493                gss_buffer_t buffer,
494                gss_OID *name_type)
495 {
496     if (gssDisplayNameNext == NULL)
497         return GSS_S_UNAVAILABLE;
498
499     return gssDisplayNameNext(minor, name, buffer, name_type);
500 }
501
502 static OM_uint32
503 gssImportName(OM_uint32 *minor,
504               gss_buffer_t buffer,
505               gss_OID name_type,
506               gss_name_t *name)
507 {
508     if (gssImportNameNext == NULL)
509         return GSS_S_UNAVAILABLE;
510
511     return gssImportNameNext(minor, buffer, name_type, name);
512 }
513
514 OM_uint32
515 gssInquireSecContextByOid(OM_uint32 *minor,
516                           const gss_ctx_id_t context_handle,
517                           const gss_OID desired_object,
518                           gss_buffer_set_t *data_set)
519 {
520     if (gssInquireSecContextByOidNext == NULL)
521         return GSS_S_UNAVAILABLE;
522
523     return gssInquireSecContextByOidNext(minor, context_handle,
524                                          desired_object, data_set);
525 }
526
527 OM_uint32
528 gssKrbExtractAuthzDataFromSecContext(OM_uint32 *minor,
529                                      const gss_ctx_id_t ctx,
530                                      int ad_type,
531                                      gss_buffer_t ad_data)
532 {
533     if (gssKrbExtractAuthzDataFromSecContextNext == NULL)
534         return GSS_S_UNAVAILABLE;
535
536     return gssKrbExtractAuthzDataFromSecContextNext(minor, ctx, ad_type, ad_data);
537 }
538
539 OM_uint32
540 gssEapGlueToMechName(OM_uint32 *minor,
541                      gss_name_t glueName,
542                      gss_name_t *pMechName)
543 {
544     OM_uint32 major, tmpMinor;
545     gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
546
547     *pMechName = GSS_C_NO_NAME;
548
549     major = gssDisplayName(minor, glueName, &nameBuf, NULL);
550     if (GSS_ERROR(major))
551         goto cleanup;
552
553     major = gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
554                              pMechName);
555     if (GSS_ERROR(major))
556         goto cleanup;
557
558 cleanup:
559     gss_release_buffer(&tmpMinor, &nameBuf);
560
561     return major;
562 }
563
564 OM_uint32
565 gssEapMechToGlueName(OM_uint32 *minor,
566                      gss_name_t mechName,
567                      gss_name_t *pGlueName)
568 {
569     OM_uint32 major, tmpMinor;
570     gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
571
572     *pGlueName = GSS_C_NO_NAME;
573
574     major = gssEapDisplayName(minor, mechName, &nameBuf, NULL);
575     if (GSS_ERROR(major))
576         goto cleanup;
577
578     major = gssImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
579                           pGlueName);
580     if (GSS_ERROR(major))
581         goto cleanup;
582
583 cleanup:
584     gss_release_buffer(&tmpMinor, &nameBuf);
585
586     return major;
587 }
588
589 OM_uint32
590 gssEapReauthComplete(OM_uint32 *minor,
591                     gss_ctx_id_t ctx,
592                     gss_cred_id_t cred,
593                     const gss_OID mech,
594                     OM_uint32 timeRec)
595 {
596     OM_uint32 major, tmpMinor;
597     gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET;
598
599     if (!oidEqual(mech, gss_mech_krb5)) {
600         major = GSS_S_BAD_MECH;
601         goto cleanup;
602     }
603
604     major = gssInquireSecContextByOid(minor, ctx->kerberosCtx,
605                                       GSS_C_INQ_SSPI_SESSION_KEY, &keyData);
606     if (GSS_ERROR(major))
607         goto cleanup;
608
609     {
610         gss_OID_desc oid;
611         int suffix;
612
613         oid.length = keyData->elements[1].length;
614         oid.elements = keyData->elements[1].value;
615
616         /* GSS_KRB5_SESSION_KEY_ENCTYPE_OID */
617         major = decomposeOid(minor,
618                              "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04",
619                              10, &oid, &suffix);
620         if (GSS_ERROR(major))
621             goto cleanup;
622
623         ctx->encryptionType = suffix;
624     }
625
626     {
627         krb5_context krbContext = NULL;
628         krb5_keyblock key;
629
630         GSSEAP_KRB_INIT(&krbContext);
631
632         KRB_KEY_LENGTH(&key) = keyData->elements[0].length;
633         KRB_KEY_DATA(&key)   = keyData->elements[0].value;
634         KRB_KEY_TYPE(&key)   = ctx->encryptionType;
635
636         *minor = krb5_copy_keyblock_contents(krbContext,
637                                              &key, &ctx->rfc3961Key);
638         if (*minor != 0) {
639             major = GSS_S_FAILURE;
640             goto cleanup;
641         }
642     }
643
644     major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key,
645                                       &ctx->checksumType);
646     if (GSS_ERROR(major))
647         goto cleanup;
648
649     if (timeRec != GSS_C_INDEFINITE)
650         ctx->expiryTime = time(NULL) + timeRec;
651
652     major = sequenceInit(minor,
653                          &ctx->seqState, ctx->recvSeq,
654                          ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0),
655                          ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0),
656                          TRUE);
657     if (GSS_ERROR(major))
658         goto cleanup;
659
660     major = GSS_S_COMPLETE;
661
662 cleanup:
663     gss_release_buffer_set(&tmpMinor, &keyData);
664
665     return major;
666 }
Moonshot GSS-API mechanism