2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gssapiP_eap.h"
38 * Fast reauthentication support for EAP GSS.
41 #define KRB5_AUTHDATA_RADIUS_AVP 513
44 krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
47 encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
49 static krb5_error_code
50 getAcceptorKey(krb5_context krbContext,
53 krb5_principal *princ,
57 krb5_keytab keytab = NULL;
58 krb5_keytab_entry ktent;
59 krb5_kt_cursor cursor = NULL;
62 memset(key, 0, sizeof(*key));
63 memset(&ktent, 0, sizeof(ktent));
65 code = krb5_kt_default(krbContext, &keytab);
69 if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) {
70 code = krb5_kt_get_entry(krbContext, keytab,
71 cred->name->krbPrincipal, 0,
72 ctx->encryptionType, &ktent);
76 code = krb5_kt_start_seq_get(krbContext, keytab, &cursor);
80 while ((code = krb5_kt_next_entry(krbContext, keytab,
81 &ktent, &cursor)) == 0) {
82 if (ktent.key.enctype == ctx->encryptionType) {
85 krb5_free_keytab_entry_contents(krbContext, &ktent);
91 *princ = ktent.principal;
96 if (cred == GSS_C_NO_CREDENTIAL || cred->name == GSS_C_NO_NAME)
97 krb5_kt_end_seq_get(krbContext, keytab, &cursor);
98 krb5_kt_close(krbContext, keytab);
101 if (*princ != NULL) {
102 krb5_free_principal(krbContext, *princ);
105 krb5_free_keyblock_contents(krbContext, key),
106 memset(key, 0, sizeof(key));
113 gssEapMakeReauthCreds(OM_uint32 *minor,
116 gss_buffer_t credBuf)
118 OM_uint32 major = GSS_S_COMPLETE, code;
119 krb5_context krbContext = NULL;
120 krb5_ticket ticket = { 0 };
121 krb5_keyblock session, acceptorKey = { 0 };
122 krb5_enc_tkt_part enc_part = { 0 };
123 gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER;
124 krb5_authdata *authData[2], authDatum = { 0 };
125 krb5_data *ticketData = NULL, *credsData = NULL;
126 krb5_creds creds = { 0 };
127 krb5_auth_context authContext = NULL;
130 credBuf->value = NULL;
132 GSSEAP_KRB_INIT(&krbContext);
134 code = getAcceptorKey(krbContext, ctx, cred,
135 &ticket.server, &acceptorKey);
139 enc_part.flags = TKT_FLG_INITIAL;
141 code = krb5_c_make_random_key(krbContext, ctx->encryptionType,
146 enc_part.session = &session;
147 enc_part.client = ctx->initiatorName->krbPrincipal;
148 enc_part.times.authtime = time(NULL);
149 enc_part.times.starttime = enc_part.times.authtime;
150 enc_part.times.endtime = ctx->expiryTime
153 enc_part.times.renew_till = 0;
155 major = gssEapExportAttrContext(minor, ctx->initiatorName,
157 if (GSS_ERROR(major))
160 authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP;
161 authDatum.length = attrBuf.length;
162 authDatum.contents = attrBuf.value;
163 authData[0] = &authDatum;
165 enc_part.authorization_data = authData;
167 ticket.enc_part2 = &enc_part;
169 code = encode_krb5_ticket(&ticket, &ticketData);
173 code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket);
177 creds.client = enc_part.client;
178 creds.server = ticket.server;
179 creds.keyblock = session;
180 creds.times = enc_part.times;
181 creds.ticket_flags = enc_part.flags;
182 creds.ticket = *ticketData;
183 creds.authdata = authData;
185 code = krb5_auth_con_init(krbContext, &authContext);
189 code = krb5_auth_con_setflags(krbContext, authContext, 0);
193 code = krb5_auth_con_setsendsubkey(krbContext, authContext, &ctx->rfc3961Key);
197 code = krb5_mk_1cred(krbContext, authContext, &creds, &credsData, NULL);
201 krbDataToGssBuffer(credsData, credBuf);
206 if (ticket.enc_part.ciphertext.data != NULL)
207 GSSEAP_FREE(ticket.enc_part.ciphertext.data);
209 krb5_free_keyblock_contents(krbContext, &session);
210 krb5_free_keyblock_contents(krbContext, &acceptorKey);
211 gss_release_buffer(&code, &attrBuf);
212 krb5_free_data(krbContext, ticketData);
213 krb5_auth_con_free(krbContext, authContext);
214 if (credsData != NULL)
215 GSSEAP_FREE(credsData);
217 if (major == GSS_S_COMPLETE)
218 major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
224 gssEapStoreReauthCreds(OM_uint32 *minor,
227 gss_buffer_t credBuf)
229 OM_uint32 major = GSS_S_COMPLETE, code;
230 krb5_context krbContext = NULL;
231 krb5_auth_context authContext = NULL;
232 krb5_data credData = { 0 };
233 krb5_creds **creds = NULL;
236 if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
237 return GSS_S_COMPLETE;
239 GSSEAP_KRB_INIT(&krbContext);
241 code = krb5_auth_con_init(krbContext, &authContext);
245 code = krb5_auth_con_setflags(krbContext, authContext, 0);
249 code = krb5_auth_con_setrecvsubkey(krbContext, authContext,
254 gssBufferToKrbData(credBuf, &credData);
256 code = krb5_rd_cred(krbContext, authContext, &credData, &creds, NULL);
260 if (creds == NULL || creds[0] == NULL)
263 code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
267 code = krb5_cc_initialize(krbContext, cred->krbCredCache, creds[0]->client);
271 code = krb5_cc_store_cred(krbContext, cred->krbCredCache, creds[0]);
275 major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL, &cred->krbCred);
276 if (GSS_ERROR(major))
282 krb5_auth_con_free(krbContext, authContext);
284 for (i = 0; creds[i] != NULL; i++)
285 krb5_free_creds(krbContext, creds[i]);
287 if (major == GSS_S_COMPLETE)
288 major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
293 static OM_uint32 (*gssInitSecContextNext)(
296 gss_ctx_id_t *context_handle,
297 gss_name_t target_name,
301 gss_channel_bindings_t input_chan_bindings,
302 gss_buffer_t input_token,
303 gss_OID *actual_mech_type,
304 gss_buffer_t output_token,
305 OM_uint32 *ret_flags,
306 OM_uint32 *time_rec);
308 static OM_uint32 (*gssAcceptSecContextNext)(
310 gss_ctx_id_t *context_handle,
312 gss_buffer_t input_token,
313 gss_channel_bindings_t input_chan_bindings,
314 gss_name_t *src_name,
316 gss_buffer_t output_token,
317 OM_uint32 *ret_flags,
319 gss_cred_id_t *delegated_cred_handle);
321 static OM_uint32 (*gssReleaseCredNext)(
323 gss_cred_id_t *cred_handle);
325 static OM_uint32 (*gssReleaseNameNext)(
329 static OM_uint32 (*gssInquireSecContextByOidNext)(
331 const gss_ctx_id_t context_handle,
332 const gss_OID desired_object,
333 gss_buffer_set_t *data_set);
335 static OM_uint32 (*gssDeleteSecContextNext)(
337 gss_ctx_id_t *context_handle,
338 gss_buffer_t output_token);
340 static OM_uint32 (*gssDisplayNameNext)(
343 gss_buffer_t output_name_buffer,
344 gss_OID *output_name_type);
347 gssEapReauthInitialize(OM_uint32 *minor)
349 gssInitSecContextNext = dlsym(RTLD_NEXT, "gss_init_sec_context");
350 gssAcceptSecContextNext = dlsym(RTLD_NEXT, "gss_accept_sec_context");
351 gssReleaseCredNext = dlsym(RTLD_NEXT, "gss_release_cred");
352 gssReleaseNameNext = dlsym(RTLD_NEXT, "gss_release_name");
353 gssInquireSecContextByOidNext = dlsym(RTLD_NEXT, "gss_inquire_sec_context_by_oid");
354 gssDeleteSecContextNext = dlsym(RTLD_NEXT, "gss_delete_sec_context");
356 return GSS_S_COMPLETE;
360 gssInitSecContext(OM_uint32 *minor,
362 gss_ctx_id_t *context_handle,
363 gss_name_t target_name,
367 gss_channel_bindings_t input_chan_bindings,
368 gss_buffer_t input_token,
369 gss_OID *actual_mech_type,
370 gss_buffer_t output_token,
371 OM_uint32 *ret_flags,
374 if (gssInitSecContextNext == NULL)
375 return GSS_S_UNAVAILABLE;
377 return gssInitSecContextNext(minor, cred, context_handle,
378 target_name, mech_type, req_flags,
379 time_req, input_chan_bindings,
380 input_token, actual_mech_type,
381 output_token, ret_flags, time_rec);
385 gssAcceptSecContext(OM_uint32 *minor,
386 gss_ctx_id_t *context_handle,
388 gss_buffer_t input_token,
389 gss_channel_bindings_t input_chan_bindings,
390 gss_name_t *src_name,
392 gss_buffer_t output_token,
393 OM_uint32 *ret_flags,
395 gss_cred_id_t *delegated_cred_handle)
397 if (gssAcceptSecContextNext == NULL)
398 return GSS_S_UNAVAILABLE;
400 return gssAcceptSecContextNext(minor, context_handle, cred,
401 input_token, input_chan_bindings,
402 src_name, mech_type, output_token,
403 ret_flags, time_rec, delegated_cred_handle);
407 gssReleaseCred(OM_uint32 *minor,
408 gss_cred_id_t *cred_handle)
410 if (gssReleaseCredNext == NULL)
411 return GSS_S_UNAVAILABLE;
413 return gssReleaseCredNext(minor, cred_handle);
417 gssReleaseName(OM_uint32 *minor,
420 if (gssReleaseName == NULL)
421 return GSS_S_UNAVAILABLE;
423 return gssReleaseNameNext(minor, name);
427 gssDeleteSecContext(OM_uint32 *minor,
428 gss_ctx_id_t *context_handle,
429 gss_buffer_t output_token)
431 if (gssDeleteSecContextNext == NULL)
432 return GSS_S_UNAVAILABLE;
434 return gssDeleteSecContextNext(minor, context_handle, output_token);
438 gssDisplayName(OM_uint32 *minor,
443 if (gssDisplayNameNext == NULL)
444 return GSS_S_UNAVAILABLE;
446 return gssDisplayNameNext(minor, name, buffer, name_type);
450 gssInquireSecContextByOid(OM_uint32 *minor,
451 const gss_ctx_id_t context_handle,
452 const gss_OID desired_object,
453 gss_buffer_set_t *data_set)
455 if (gssInquireSecContextByOidNext == NULL)
456 return GSS_S_UNAVAILABLE;
458 return gssInquireSecContextByOidNext(minor, context_handle,
459 desired_object, data_set);