util_reauth.c

   1 /*
   2  * Copyright (c) 2010, JANET(UK)
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * 3. Neither the name of JANET(UK) nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32
  33 #include "gssapiP_eap.h"
  34
  35 #include <dlfcn.h>
  36
  37 /*
  38  * Fast reauthentication support for EAP GSS.
  39  */
  40
  41 #define KRB5_AUTHDATA_RADIUS_AVP        513
  42
  43 krb5_error_code
  44 krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
  45
  46 krb5_error_code
  47 encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
  48
  49 static krb5_error_code
  50 getAcceptorKey(krb5_context krbContext,
  51                gss_ctx_id_t ctx,
  52                gss_cred_id_t cred,
  53                krb5_principal *princ,
  54                krb5_keyblock *key)
  55 {
  56     krb5_error_code code;
  57     krb5_keytab keytab = NULL;
  58     krb5_keytab_entry ktent;
  59     krb5_kt_cursor cursor = NULL;
  60
  61     *princ = NULL;
  62     memset(key, 0, sizeof(*key));
  63     memset(&ktent, 0, sizeof(ktent));
  64
  65     code = krb5_kt_default(krbContext, &keytab);
  66     if (code != 0)
  67         goto cleanup;
  68
  69     if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) {
  70         code = krb5_kt_get_entry(krbContext, keytab,
  71                                  cred->name->krbPrincipal, 0,
  72                                  ctx->encryptionType, &ktent);
  73         if (code != 0)
  74             goto cleanup;
  75     } else {
  76         code = krb5_kt_start_seq_get(krbContext, keytab, &cursor);
  77         if (code != 0)
  78             goto cleanup;
  79
  80         while ((code = krb5_kt_next_entry(krbContext, keytab,
  81                                           &ktent, &cursor)) == 0) {
  82             if (ktent.key.enctype == ctx->encryptionType) {
  83                 break;
  84             } else {
  85                 krb5_free_keytab_entry_contents(krbContext, &ktent);
  86             }
  87         }
  88     }
  89
  90     if (code == 0) {
  91         *princ = ktent.principal;
  92         *key = ktent.key;
  93     }
  94
  95 cleanup:
  96     if (cred == GSS_C_NO_CREDENTIAL || cred->name == GSS_C_NO_NAME)
  97         krb5_kt_end_seq_get(krbContext, keytab, &cursor);
  98     krb5_kt_close(krbContext, keytab);
  99
 100     if (code != 0) {
 101         if (*princ != NULL) {
 102             krb5_free_principal(krbContext, *princ);
 103             *princ = NULL;
 104         }
 105         krb5_free_keyblock_contents(krbContext, key),
 106         memset(key, 0, sizeof(key));
 107     }
 108
 109     return code;
 110 }
 111
 112 OM_uint32
 113 gssEapMakeReauthCreds(OM_uint32 *minor,
 114                       gss_ctx_id_t ctx,
 115                       gss_cred_id_t cred,
 116                       gss_buffer_t credBuf)
 117 {
 118     OM_uint32 major = GSS_S_COMPLETE, code;
 119     krb5_context krbContext = NULL;
 120     krb5_ticket ticket = { 0 };
 121     krb5_keyblock session, acceptorKey = { 0 };
 122     krb5_enc_tkt_part enc_part = { 0 };
 123     gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER;
 124     krb5_authdata *authData[2], authDatum = { 0 };
 125     krb5_data *ticketData = NULL, *credsData = NULL;
 126     krb5_creds creds = { 0 };
 127     krb5_auth_context authContext = NULL;
 128
 129     credBuf->length = 0;
 130     credBuf->value = NULL;
 131
 132     GSSEAP_KRB_INIT(&krbContext);
 133
 134     code = getAcceptorKey(krbContext, ctx, cred,
 135                           &ticket.server, &acceptorKey);
 136     if (code != 0)
 137         goto cleanup;
 138
 139     enc_part.flags = TKT_FLG_INITIAL;
 140
 141     code = krb5_c_make_random_key(krbContext, ctx->encryptionType,
 142                                   &session);
 143     if (code != 0)
 144         goto cleanup;
 145
 146     enc_part.session = &session;
 147     enc_part.client = ctx->initiatorName->krbPrincipal;
 148     enc_part.times.authtime = time(NULL);
 149     enc_part.times.starttime = enc_part.times.authtime;
 150     enc_part.times.endtime = ctx->expiryTime
 151                              ? ctx->expiryTime
 152                              : KRB5_INT32_MAX;
 153     enc_part.times.renew_till = 0;
 154
 155     major = gssEapExportAttrContext(minor, ctx->initiatorName,
 156                                     &attrBuf);
 157     if (GSS_ERROR(major))
 158         goto cleanup;
 159
 160     authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP;
 161     authDatum.length = attrBuf.length;
 162     authDatum.contents = attrBuf.value;
 163     authData[0] = &authDatum;
 164     authData[1] = NULL;
 165     enc_part.authorization_data = authData;
 166
 167     ticket.enc_part2 = &enc_part;
 168
 169     code = encode_krb5_ticket(&ticket, &ticketData);
 170     if (code != 0)
 171         goto cleanup;
 172
 173     code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket);
 174     if (code != 0)
 175         goto cleanup;
 176
 177     creds.client = enc_part.client;
 178     creds.server = ticket.server;
 179     creds.keyblock = session;
 180     creds.times = enc_part.times;
 181     creds.ticket_flags = enc_part.flags;
 182     creds.ticket = *ticketData;
 183     creds.authdata = authData;
 184
 185     code = krb5_auth_con_init(krbContext, &authContext);
 186     if (code != 0)
 187         goto cleanup;
 188
 189     code = krb5_auth_con_setflags(krbContext, authContext, 0);
 190     if (code != 0)
 191         goto cleanup;
 192
 193     code = krb5_auth_con_setsendsubkey(krbContext, authContext, &ctx->rfc3961Key);
 194     if (code != 0)
 195         goto cleanup;
 196
 197     code = krb5_mk_1cred(krbContext, authContext, &creds, &credsData, NULL);
 198     if (code != 0)
 199         goto cleanup;
 200
 201     krbDataToGssBuffer(credsData, credBuf);
 202
 203 cleanup:
 204     *minor = code;
 205
 206     if (ticket.enc_part.ciphertext.data != NULL)
 207         GSSEAP_FREE(ticket.enc_part.ciphertext.data);
 208
 209     krb5_free_keyblock_contents(krbContext, &session);
 210     krb5_free_keyblock_contents(krbContext, &acceptorKey);
 211     gss_release_buffer(&code, &attrBuf);
 212     krb5_free_data(krbContext, ticketData);
 213     krb5_auth_con_free(krbContext, authContext);
 214     if (credsData != NULL)
 215         GSSEAP_FREE(credsData);
 216
 217     if (major == GSS_S_COMPLETE)
 218         major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
 219
 220     return major;
 221 }
 222
 223 OM_uint32
 224 gssEapStoreReauthCreds(OM_uint32 *minor,
 225                        gss_ctx_id_t ctx,
 226                        gss_cred_id_t cred,
 227                        gss_buffer_t credBuf)
 228 {
 229     OM_uint32 major = GSS_S_COMPLETE, code;
 230     krb5_context krbContext = NULL;
 231     krb5_auth_context authContext = NULL;
 232     krb5_data credData = { 0 };
 233     krb5_creds **creds = NULL;
 234     int i;
 235
 236     if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
 237         return GSS_S_COMPLETE;
 238
 239     GSSEAP_KRB_INIT(&krbContext);
 240
 241     code = krb5_auth_con_init(krbContext, &authContext);
 242     if (code != 0)
 243         goto cleanup;
 244
 245     code = krb5_auth_con_setflags(krbContext, authContext, 0);
 246     if (code != 0)
 247         goto cleanup;
 248
 249     code = krb5_auth_con_setrecvsubkey(krbContext, authContext,
 250                                        &ctx->rfc3961Key);
 251     if (code != 0)
 252         goto cleanup;
 253
 254     gssBufferToKrbData(credBuf, &credData);
 255
 256     code = krb5_rd_cred(krbContext, authContext, &credData, &creds, NULL);
 257     if (code != 0)
 258         goto cleanup;
 259
 260     if (creds == NULL || creds[0] == NULL)
 261         goto cleanup;
 262
 263     code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
 264     if (code != 0)
 265         goto cleanup;
 266
 267     code = krb5_cc_initialize(krbContext, cred->krbCredCache, creds[0]->client);
 268     if (code != 0)
 269         goto cleanup;
 270
 271     code = krb5_cc_store_cred(krbContext, cred->krbCredCache, creds[0]);
 272     if (code != 0)
 273         goto cleanup;
 274
 275     major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL, &cred->krbCred);
 276     if (GSS_ERROR(major))
 277         goto cleanup;
 278
 279 cleanup:
 280     *minor = code;
 281
 282     krb5_auth_con_free(krbContext, authContext);
 283     if (creds != NULL) {
 284         for (i = 0; creds[i] != NULL; i++)
 285             krb5_free_creds(krbContext, creds[i]);
 286     }
 287     if (major == GSS_S_COMPLETE)
 288         major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
 289
 290     return major;
 291 }
 292
 293 static OM_uint32 (*gssInitSecContextNext)(
 294     OM_uint32 *minor,
 295     gss_cred_id_t cred,
 296     gss_ctx_id_t *context_handle,
 297     gss_name_t target_name,
 298     gss_OID mech_type,
 299     OM_uint32 req_flags,
 300     OM_uint32 time_req,
 301     gss_channel_bindings_t input_chan_bindings,
 302     gss_buffer_t input_token,
 303     gss_OID *actual_mech_type,
 304     gss_buffer_t output_token,
 305     OM_uint32 *ret_flags,
 306     OM_uint32 *time_rec);
 307
 308 static OM_uint32 (*gssAcceptSecContextNext)(
 309     OM_uint32 *minor,
 310     gss_ctx_id_t *context_handle,
 311     gss_cred_id_t cred,
 312     gss_buffer_t input_token,
 313     gss_channel_bindings_t input_chan_bindings,
 314     gss_name_t *src_name,
 315     gss_OID *mech_type,
 316     gss_buffer_t output_token,
 317     OM_uint32 *ret_flags,
 318     OM_uint32 *time_rec,
 319     gss_cred_id_t *delegated_cred_handle);
 320
 321 static OM_uint32 (*gssReleaseCredNext)(
 322     OM_uint32 *minor,
 323     gss_cred_id_t *cred_handle);
 324
 325 static OM_uint32 (*gssReleaseNameNext)(
 326     OM_uint32 *minor,
 327     gss_name_t *name);
 328
 329 static OM_uint32 (*gssInquireSecContextByOidNext)(
 330     OM_uint32 *minor,
 331     const gss_ctx_id_t context_handle,
 332     const gss_OID desired_object,
 333     gss_buffer_set_t *data_set);
 334
 335 static OM_uint32 (*gssDeleteSecContextNext)(
 336     OM_uint32 *minor,
 337     gss_ctx_id_t *context_handle,
 338     gss_buffer_t output_token);
 339
 340 static OM_uint32 (*gssDisplayNameNext)(
 341     OM_uint32 *minor,
 342     gss_name_t name,
 343     gss_buffer_t output_name_buffer,
 344     gss_OID *output_name_type);
 345
 346 OM_uint32
 347 gssEapReauthInitialize(OM_uint32 *minor)
 348 {
 349     gssInitSecContextNext = dlsym(RTLD_NEXT, "gss_init_sec_context");
 350     gssAcceptSecContextNext = dlsym(RTLD_NEXT, "gss_accept_sec_context");
 351     gssReleaseCredNext = dlsym(RTLD_NEXT, "gss_release_cred");
 352     gssReleaseNameNext = dlsym(RTLD_NEXT, "gss_release_name");
 353     gssInquireSecContextByOidNext = dlsym(RTLD_NEXT, "gss_inquire_sec_context_by_oid");
 354     gssDeleteSecContextNext = dlsym(RTLD_NEXT, "gss_delete_sec_context");
 355
 356     return GSS_S_COMPLETE;
 357 }
 358
 359 OM_uint32
 360 gssInitSecContext(OM_uint32 *minor,
 361                   gss_cred_id_t cred,
 362                   gss_ctx_id_t *context_handle,
 363                   gss_name_t target_name,
 364                   gss_OID mech_type,
 365                   OM_uint32 req_flags,
 366                   OM_uint32 time_req,
 367                   gss_channel_bindings_t input_chan_bindings,
 368                   gss_buffer_t input_token,
 369                   gss_OID *actual_mech_type,
 370                   gss_buffer_t output_token,
 371                   OM_uint32 *ret_flags,
 372                   OM_uint32 *time_rec)
 373 {
 374     if (gssInitSecContextNext == NULL)
 375         return GSS_S_UNAVAILABLE;
 376
 377     return gssInitSecContextNext(minor, cred, context_handle,
 378                                  target_name, mech_type, req_flags,
 379                                  time_req, input_chan_bindings,
 380                                  input_token, actual_mech_type,
 381                                  output_token, ret_flags, time_rec);
 382 }
 383
 384 OM_uint32
 385 gssAcceptSecContext(OM_uint32 *minor,
 386                     gss_ctx_id_t *context_handle,
 387                     gss_cred_id_t cred,
 388                     gss_buffer_t input_token,
 389                     gss_channel_bindings_t input_chan_bindings,
 390                     gss_name_t *src_name,
 391                     gss_OID *mech_type,
 392                     gss_buffer_t output_token,
 393                     OM_uint32 *ret_flags,
 394                     OM_uint32 *time_rec,
 395                     gss_cred_id_t *delegated_cred_handle)
 396 {
 397     if (gssAcceptSecContextNext == NULL)
 398         return GSS_S_UNAVAILABLE;
 399
 400     return gssAcceptSecContextNext(minor, context_handle, cred,
 401                                    input_token, input_chan_bindings,
 402                                    src_name, mech_type, output_token,
 403                                    ret_flags, time_rec, delegated_cred_handle);
 404 }
 405
 406 OM_uint32
 407 gssReleaseCred(OM_uint32 *minor,
 408                gss_cred_id_t *cred_handle)
 409 {
 410     if (gssReleaseCredNext == NULL)
 411         return GSS_S_UNAVAILABLE;
 412
 413     return gssReleaseCredNext(minor, cred_handle);
 414 }
 415
 416 OM_uint32
 417 gssReleaseName(OM_uint32 *minor,
 418                gss_name_t *name)
 419 {
 420     if (gssReleaseName == NULL)
 421         return GSS_S_UNAVAILABLE;
 422
 423     return gssReleaseNameNext(minor, name);
 424 }
 425
 426 OM_uint32
 427 gssDeleteSecContext(OM_uint32 *minor,
 428                     gss_ctx_id_t *context_handle,
 429                     gss_buffer_t output_token)
 430 {
 431     if (gssDeleteSecContextNext == NULL)
 432         return GSS_S_UNAVAILABLE;
 433
 434     return gssDeleteSecContextNext(minor, context_handle, output_token);
 435 }
 436
 437 OM_uint32
 438 gssDisplayName(OM_uint32 *minor,
 439                gss_name_t name,
 440                gss_buffer_t buffer,
 441                gss_OID *name_type)
 442 {
 443     if (gssDisplayNameNext == NULL)
 444         return GSS_S_UNAVAILABLE;
 445
 446     return gssDisplayNameNext(minor, name, buffer, name_type);
 447 }
 448
 449 OM_uint32
 450 gssInquireSecContextByOid(OM_uint32 *minor,
 451                           const gss_ctx_id_t context_handle,
 452                           const gss_OID desired_object,
 453                           gss_buffer_set_t *data_set)
 454 {
 455     if (gssInquireSecContextByOidNext == NULL)
 456         return GSS_S_UNAVAILABLE;
 457
 458     return gssInquireSecContextByOidNext(minor, context_handle,
 459                                          desired_object, data_set);
 460 }