2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * Fast reauthentication support.
37 #include "gssapiP_eap.h"
42 * Fast reauthentication support for EAP GSS.
46 krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
49 encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
52 gssDisplayName(OM_uint32 *minor,
58 gssImportName(OM_uint32 *minor,
63 static krb5_error_code
64 getAcceptorKey(krb5_context krbContext,
67 krb5_principal *princ,
71 krb5_keytab keytab = NULL;
72 krb5_keytab_entry ktent = { 0 };
73 krb5_kt_cursor cursor = NULL;
76 memset(key, 0, sizeof(*key));
78 code = krb5_kt_default(krbContext, &keytab);
82 if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) {
83 code = krb5_kt_get_entry(krbContext, keytab,
84 cred->name->krbPrincipal, 0,
85 ctx->encryptionType, &ktent);
90 * It's not clear that looking encrypting the ticket in the
91 * requested EAP enctype provides any value.
93 code = krb5_kt_start_seq_get(krbContext, keytab, &cursor);
97 while ((code = krb5_kt_next_entry(krbContext, keytab,
98 &ktent, &cursor)) == 0) {
99 if (ktent.key.enctype == ctx->encryptionType)
102 krb5_free_keytab_entry_contents(krbContext, &ktent);
107 *princ = ktent.principal;
112 if (cred == GSS_C_NO_CREDENTIAL || cred->name == GSS_C_NO_NAME)
113 krb5_kt_end_seq_get(krbContext, keytab, &cursor);
114 krb5_kt_close(krbContext, keytab);
117 krb5_free_keytab_entry_contents(krbContext, &ktent);
123 freezeAttrContext(OM_uint32 *minor,
124 gss_name_t initiatorName,
125 krb5_const_principal acceptorPrinc,
126 krb5_keyblock *session,
127 krb5_authdata ***authdata)
129 OM_uint32 major, tmpMinor;
130 krb5_error_code code;
131 gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER;
132 krb5_authdata *authData[2], authDatum = { 0 };
133 krb5_context krbContext;
135 GSSEAP_KRB_INIT(&krbContext);
137 major = gssEapExportAttrContext(minor, initiatorName, &attrBuf);
138 if (GSS_ERROR(major))
141 authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP;
142 authDatum.length = attrBuf.length;
143 authDatum.contents = attrBuf.value;
144 authData[0] = &authDatum;
147 code = krb5_make_authdata_kdc_issued(krbContext, session, acceptorPrinc,
150 major = GSS_S_FAILURE;
153 major = GSS_S_COMPLETE;
156 gss_release_buffer(&tmpMinor, &attrBuf);
162 * Fabricate a ticket to ourselves given a GSS EAP context.
165 gssEapMakeReauthCreds(OM_uint32 *minor,
168 gss_buffer_t credBuf)
170 OM_uint32 major = GSS_S_COMPLETE;
171 krb5_error_code code;
172 krb5_context krbContext = NULL;
173 krb5_ticket ticket = { 0 };
174 krb5_keyblock session = { 0 }, acceptorKey = { 0 };
175 krb5_enc_tkt_part enc_part = { 0 };
176 krb5_data *ticketData = NULL, *credsData = NULL;
177 krb5_creds creds = { 0 };
178 krb5_auth_context authContext = NULL;
181 credBuf->value = NULL;
183 GSSEAP_KRB_INIT(&krbContext);
185 code = getAcceptorKey(krbContext, ctx, cred,
186 &ticket.server, &acceptorKey);
187 if (code == KRB5_KT_NOTFOUND) {
188 gss_buffer_desc emptyToken = { 0, "" };
191 * If we can't produce the KRB-CRED message, we need to
192 * return an empty (not NULL) token to the caller so we
193 * don't change the number of authentication legs.
195 return duplicateBuffer(minor, &emptyToken, credBuf);
196 } else if (code != 0)
199 enc_part.flags = TKT_FLG_INITIAL;
202 * Generate a random session key to place in the ticket and
203 * sign the "KDC-Issued" authorization data element.
205 code = krb5_c_make_random_key(krbContext, ctx->encryptionType,
210 enc_part.session = &session;
211 enc_part.client = ctx->initiatorName->krbPrincipal;
212 enc_part.times.authtime = time(NULL);
213 enc_part.times.starttime = enc_part.times.authtime;
214 enc_part.times.endtime = (ctx->expiryTime != 0)
217 enc_part.times.renew_till = 0;
219 major = freezeAttrContext(minor, ctx->initiatorName, ticket.server,
220 &session, &enc_part.authorization_data);
221 if (GSS_ERROR(major))
224 ticket.enc_part2 = &enc_part;
226 code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket);
230 code = encode_krb5_ticket(&ticket, &ticketData);
234 creds.client = enc_part.client;
235 creds.server = ticket.server;
236 creds.keyblock = session;
237 creds.times = enc_part.times;
238 creds.ticket_flags = enc_part.flags;
239 creds.ticket = *ticketData;
240 creds.authdata = enc_part.authorization_data;
242 code = krb5_auth_con_init(krbContext, &authContext);
246 code = krb5_auth_con_setflags(krbContext, authContext, 0);
250 code = krb5_auth_con_setsendsubkey(krbContext, authContext,
255 code = krb5_mk_1cred(krbContext, authContext, &creds, &credsData, NULL);
259 krbDataToGssBuffer(credsData, credBuf);
262 if (ticket.enc_part.ciphertext.data != NULL)
263 GSSEAP_FREE(ticket.enc_part.ciphertext.data);
264 krb5_free_keyblock_contents(krbContext, &session);
265 krb5_free_keyblock_contents(krbContext, &acceptorKey);
266 krb5_free_data(krbContext, ticketData);
267 krb5_auth_con_free(krbContext, authContext);
268 krb5_free_authdata(krbContext, enc_part.authorization_data);
269 if (credsData != NULL)
270 GSSEAP_FREE(credsData);
272 if (major == GSS_S_COMPLETE) {
274 major = code != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE;
281 isTicketGrantingServiceP(krb5_context krbContext,
282 krb5_const_principal principal)
284 if (krb5_princ_size(krbContext, principal) == 2 &&
285 krb5_princ_component(krbContext, principal, 0)->length == 6 &&
286 memcmp(krb5_princ_component(krbContext,
287 principal, 0)->data, "krbtgt", 6) == 0)
294 * Returns TRUE if the configuration variable reauth_use_ccache is
295 * set in krb5.conf for the eap_gss application and the client realm.
298 reauthUseCredsCache(krb5_context krbContext,
299 krb5_principal principal)
303 /* if reauth_use_ccache, use default credentials cache if ticket is for us */
304 krb5_appdefault_boolean(krbContext, "eap_gss",
305 krb5_princ_realm(krbContext, principal),
306 "reauth_use_ccache", 0, &reauthUseCCache);
308 return reauthUseCCache;
312 * Look in default credentials cache for reauthentication credentials,
316 getDefaultReauthCredentials(OM_uint32 *minor,
322 OM_uint32 major = GSS_S_CRED_UNAVAIL;
323 krb5_context krbContext = NULL;
324 krb5_error_code code = 0;
325 krb5_ccache ccache = NULL;
326 krb5_creds match = { 0 };
327 krb5_creds creds = { 0 };
329 GSSEAP_KRB_INIT(&krbContext);
331 assert(cred != GSS_C_NO_CREDENTIAL);
332 assert(target != GSS_C_NO_NAME);
334 if (cred->name == GSS_C_NO_NAME ||
335 !reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
338 match.client = cred->name->krbPrincipal;
339 match.server = target->krbPrincipal;
340 if (timeReq != 0 && timeReq != GSS_C_INDEFINITE)
341 match.times.endtime = now + timeReq;
343 code = krb5_cc_default(krbContext, &ccache);
347 code = krb5_cc_retrieve_cred(krbContext, ccache, 0, &match, &creds);
351 cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
352 cred->krbCredCache = ccache;
355 major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
359 if (major == GSS_S_CRED_UNAVAIL)
363 krb5_cc_close(krbContext, ccache);
364 krb5_free_cred_contents(krbContext, &creds);
370 * Returns TRUE if the credential handle's reauth credentials are
371 * valid or if we can use the default credentials cache. Credentials
372 * handle must be locked.
375 gssEapCanReauthP(gss_cred_id_t cred,
379 time_t now, expiryReq;
382 assert(cred != GSS_C_NO_CREDENTIAL);
386 if (timeReq != GSS_C_INDEFINITE)
387 expiryReq += timeReq;
389 if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq)
392 if (getDefaultReauthCredentials(&minor, cred, target,
393 now, timeReq) == GSS_S_COMPLETE)
400 * Store re-authentication (Kerberos) credentials in a credential handle.
401 * Credentials handle must be locked.
404 gssEapStoreReauthCreds(OM_uint32 *minor,
407 gss_buffer_t credBuf)
409 OM_uint32 major = GSS_S_COMPLETE;
410 krb5_error_code code;
411 krb5_context krbContext = NULL;
412 krb5_auth_context authContext = NULL;
413 krb5_data credData = { 0 };
414 krb5_creds **creds = NULL;
415 krb5_principal canonPrinc;
416 krb5_principal ccPrinc = NULL;
419 if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
420 return GSS_S_COMPLETE;
422 GSSEAP_KRB_INIT(&krbContext);
424 code = krb5_auth_con_init(krbContext, &authContext);
428 code = krb5_auth_con_setflags(krbContext, authContext, 0);
432 code = krb5_auth_con_setrecvsubkey(krbContext, authContext,
437 gssBufferToKrbData(credBuf, &credData);
439 code = krb5_rd_cred(krbContext, authContext, &credData, &creds, NULL);
443 if (creds == NULL || creds[0] == NULL)
446 code = krb5_copy_principal(krbContext, creds[0]->client, &canonPrinc);
450 krb5_free_principal(krbContext, cred->name->krbPrincipal);
451 cred->name->krbPrincipal = canonPrinc;
453 if (creds[0]->times.endtime == KRB5_INT32_MAX)
454 cred->expiryTime = 0;
456 cred->expiryTime = creds[0]->times.endtime;
458 if (cred->krbCredCache == NULL) {
459 if (reauthUseCredsCache(krbContext, creds[0]->client) &&
460 krb5_cc_default(krbContext, &cred->krbCredCache) == 0)
461 cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
464 * If we already have an associated credentials cache, possibly from
465 * the last time we stored a reauthentication credential, then we
466 * need to clear it out and release the associated GSS credential.
468 if (cred->flags & CRED_FLAG_DEFAULT_CCACHE) {
469 krb5_cc_remove_cred(krbContext, cred->krbCredCache, 0, creds[0]);
471 krb5_cc_destroy(krbContext, cred->krbCredCache);
472 cred->krbCredCache = NULL;
474 gssReleaseCred(minor, &cred->krbCred);
477 if (cred->krbCredCache == NULL) {
478 code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
483 if ((cred->flags & CRED_FLAG_DEFAULT_CCACHE) == 0 ||
484 krb5_cc_get_principal(krbContext, cred->krbCredCache, &ccPrinc) != 0) {
485 code = krb5_cc_initialize(krbContext, cred->krbCredCache,
491 for (i = 0; creds[i] != NULL; i++) {
492 krb5_creds kcred = *(creds[i]);
495 * Swap in the acceptor name the client asked for so
496 * get_credentials() works. We're making the assumption that
497 * any service tickets returned are for us. We'll need to
498 * reflect some more on whether that is a safe assumption.
500 if (!isTicketGrantingServiceP(krbContext, kcred.server))
501 kcred.server = ctx->acceptorName->krbPrincipal;
503 code = krb5_cc_store_cred(krbContext, cred->krbCredCache, &kcred);
508 major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
510 if (GSS_ERROR(major))
516 krb5_free_principal(krbContext, ccPrinc);
517 krb5_auth_con_free(krbContext, authContext);
519 for (i = 0; creds[i] != NULL; i++)
520 krb5_free_creds(krbContext, creds[i]);
523 if (major == GSS_S_COMPLETE)
524 major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
529 static gss_buffer_desc radiusAvpKrbAttr = {
530 sizeof("urn:authdata-radius-avp") - 1, "urn:authdata-radius-avp"
534 * Unfortunately extracting an AD-KDCIssued authorization data element
535 * is pretty implementation-dependent. It's not possible to verify the
536 * signature ourselves because the ticket session key is not exposed
537 * outside GSS. In an ideal world, all AD-KDCIssued elements would be
538 * verified by the Kerberos library and authentication would fail if
539 * verification failed. We're not quite there yet and as a result have
540 * to go through some hoops to get this to work. The alternative would
541 * be to sign the authorization data with our long-term key, but it
542 * seems a pity to compromise the design because of current implementation
545 * (Specifically, the hoops involve a libkrb5 authorisation data plugin
546 * that exposes the verified and serialised attribute context through
547 * the Kerberos GSS mechanism's naming extensions API.)
550 defrostAttrContext(OM_uint32 *minor,
554 OM_uint32 major, tmpMinor;
555 gss_buffer_desc authData = GSS_C_EMPTY_BUFFER;
556 gss_buffer_desc authDataDisplay = GSS_C_EMPTY_BUFFER;
558 int authenticated, complete;
560 major = gssGetNameAttribute(minor, glueName, &radiusAvpKrbAttr,
561 &authenticated, &complete,
562 &authData, &authDataDisplay, &more);
563 if (major == GSS_S_COMPLETE) {
564 if (authenticated == 0)
565 major = GSS_S_BAD_NAME;
567 major = gssEapImportAttrContext(minor, &authData, mechName);
568 } else if (major == GSS_S_UNAVAILABLE) {
569 major = GSS_S_COMPLETE;
572 gss_release_buffer(&tmpMinor, &authData);
573 gss_release_buffer(&tmpMinor, &authDataDisplay);
579 * Convert a mechanism glue to an EAP mechanism name by displaying and
580 * importing it. This also handles the RADIUS attributes.
583 gssEapGlueToMechName(OM_uint32 *minor,
585 gss_name_t *pMechName)
587 OM_uint32 major, tmpMinor;
588 gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
590 *pMechName = GSS_C_NO_NAME;
592 major = gssDisplayName(minor, glueName, &nameBuf, NULL);
593 if (GSS_ERROR(major))
596 major = gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
598 if (GSS_ERROR(major))
601 major = defrostAttrContext(minor, glueName, *pMechName);
602 if (GSS_ERROR(major))
606 if (GSS_ERROR(major)) {
607 gssReleaseName(&tmpMinor, pMechName);
608 *pMechName = GSS_C_NO_NAME;
611 gss_release_buffer(&tmpMinor, &nameBuf);
617 * Convert an EAP mechanism name to a mechanism glue name by displaying
621 gssEapMechToGlueName(OM_uint32 *minor,
623 gss_name_t *pGlueName)
625 OM_uint32 major, tmpMinor;
626 gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
628 *pGlueName = GSS_C_NO_NAME;
630 major = gssEapDisplayName(minor, mechName, &nameBuf, NULL);
631 if (GSS_ERROR(major))
634 major = gssImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
636 if (GSS_ERROR(major))
640 gss_release_buffer(&tmpMinor, &nameBuf);
646 * Suck out the analgous elements of a Kerberos GSS context into an EAP
647 * one so that the application doesn't know the difference.
650 gssEapReauthComplete(OM_uint32 *minor,
656 OM_uint32 major, tmpMinor;
657 gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET;
659 if (!oidEqual(mech, gss_mech_krb5)) {
660 major = GSS_S_BAD_MECH;
664 /* Get the raw subsession key and encryption type*/
665 major = gssInquireSecContextByOid(minor, ctx->kerberosCtx,
666 GSS_C_INQ_SSPI_SESSION_KEY, &keyData);
667 if (GSS_ERROR(major))
674 oid.length = keyData->elements[1].length;
675 oid.elements = keyData->elements[1].value;
677 /* GSS_KRB5_SESSION_KEY_ENCTYPE_OID */
678 major = decomposeOid(minor,
679 "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04",
681 if (GSS_ERROR(major))
684 ctx->encryptionType = suffix;
688 krb5_context krbContext = NULL;
691 GSSEAP_KRB_INIT(&krbContext);
693 KRB_KEY_LENGTH(&key) = keyData->elements[0].length;
694 KRB_KEY_DATA(&key) = keyData->elements[0].value;
695 KRB_KEY_TYPE(&key) = ctx->encryptionType;
697 *minor = krb5_copy_keyblock_contents(krbContext,
698 &key, &ctx->rfc3961Key);
700 major = GSS_S_FAILURE;
705 major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key,
707 if (GSS_ERROR(major))
710 if (timeRec != GSS_C_INDEFINITE)
711 ctx->expiryTime = time(NULL) + timeRec;
713 /* Initialize our sequence state */
714 major = sequenceInit(minor,
715 &ctx->seqState, ctx->recvSeq,
716 ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0),
717 ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0),
719 if (GSS_ERROR(major))
722 major = GSS_S_COMPLETE;
725 gss_release_buffer_set(&tmpMinor, &keyData);
731 * The remainder of this file consists of wrappers so we can call into the
732 * mechanism glue without calling ourselves.
735 (*gssInitSecContextNext)(OM_uint32 *,
742 gss_channel_bindings_t,
750 (*gssAcceptSecContextNext)(OM_uint32 *,
754 gss_channel_bindings_t,
763 (*gssReleaseCredNext)(OM_uint32 *, gss_cred_id_t *);
766 (*gssReleaseNameNext)(OM_uint32 *, gss_name_t *);
769 (*gssInquireSecContextByOidNext)(OM_uint32 *,
775 (*gssDeleteSecContextNext)(OM_uint32 *,
780 (*gssDisplayNameNext)(OM_uint32 *,
786 (*gssImportNameNext)(OM_uint32 *,
792 (*gssStoreCredNext)(OM_uint32 *,
802 (*gssGetNameAttributeNext)(OM_uint32 *,
811 #define NEXT_SYMBOL(local, global) do { \
812 ((local) = dlsym(RTLD_NEXT, (global))); \
813 if ((local) == NULL) { \
814 *minor = GSSEAP_NO_MECHGLUE_SYMBOL; \
815 major = GSS_S_UNAVAILABLE; \
821 gssEapReauthInitialize(OM_uint32 *minor)
823 OM_uint32 major = GSS_S_COMPLETE;
825 NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context");
826 NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context");
827 NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred");
828 NEXT_SYMBOL(gssReleaseNameNext, "gss_release_name");
829 NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid");
830 NEXT_SYMBOL(gssDeleteSecContextNext, "gss_delete_sec_context");
831 NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name");
832 NEXT_SYMBOL(gssImportNameNext, "gss_import_name");
833 NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred");
834 NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute");
840 gssInitSecContext(OM_uint32 *minor,
842 gss_ctx_id_t *context_handle,
843 gss_name_t target_name,
847 gss_channel_bindings_t input_chan_bindings,
848 gss_buffer_t input_token,
849 gss_OID *actual_mech_type,
850 gss_buffer_t output_token,
851 OM_uint32 *ret_flags,
854 if (gssInitSecContextNext == NULL) {
855 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
856 return GSS_S_UNAVAILABLE;
859 return gssInitSecContextNext(minor, cred, context_handle,
860 target_name, mech_type, req_flags,
861 time_req, input_chan_bindings,
862 input_token, actual_mech_type,
863 output_token, ret_flags, time_rec);
867 gssAcceptSecContext(OM_uint32 *minor,
868 gss_ctx_id_t *context_handle,
870 gss_buffer_t input_token,
871 gss_channel_bindings_t input_chan_bindings,
872 gss_name_t *src_name,
874 gss_buffer_t output_token,
875 OM_uint32 *ret_flags,
877 gss_cred_id_t *delegated_cred_handle)
879 if (gssAcceptSecContextNext == NULL) {
880 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
881 return GSS_S_UNAVAILABLE;
884 return gssAcceptSecContextNext(minor, context_handle, cred,
885 input_token, input_chan_bindings,
886 src_name, mech_type, output_token,
887 ret_flags, time_rec, delegated_cred_handle);
891 gssReleaseCred(OM_uint32 *minor,
892 gss_cred_id_t *cred_handle)
894 if (gssReleaseCredNext == NULL) {
895 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
896 return GSS_S_UNAVAILABLE;
899 return gssReleaseCredNext(minor, cred_handle);
903 gssReleaseName(OM_uint32 *minor,
906 if (gssReleaseName == NULL) {
907 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
908 return GSS_S_UNAVAILABLE;
911 return gssReleaseNameNext(minor, name);
915 gssDeleteSecContext(OM_uint32 *minor,
916 gss_ctx_id_t *context_handle,
917 gss_buffer_t output_token)
919 if (gssDeleteSecContextNext == NULL) {
920 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
921 return GSS_S_UNAVAILABLE;
924 return gssDeleteSecContextNext(minor, context_handle, output_token);
928 gssDisplayName(OM_uint32 *minor,
933 if (gssDisplayNameNext == NULL) {
934 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
935 return GSS_S_UNAVAILABLE;
938 return gssDisplayNameNext(minor, name, buffer, name_type);
942 gssImportName(OM_uint32 *minor,
947 if (gssImportNameNext == NULL) {
948 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
949 return GSS_S_UNAVAILABLE;
952 return gssImportNameNext(minor, buffer, name_type, name);
956 gssInquireSecContextByOid(OM_uint32 *minor,
957 const gss_ctx_id_t context_handle,
958 const gss_OID desired_object,
959 gss_buffer_set_t *data_set)
961 if (gssInquireSecContextByOidNext == NULL) {
962 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
963 return GSS_S_UNAVAILABLE;
966 return gssInquireSecContextByOidNext(minor, context_handle,
967 desired_object, data_set);
971 gssStoreCred(OM_uint32 *minor,
972 const gss_cred_id_t input_cred_handle,
973 gss_cred_usage_t input_usage,
974 const gss_OID desired_mech,
975 OM_uint32 overwrite_cred,
976 OM_uint32 default_cred,
977 gss_OID_set *elements_stored,
978 gss_cred_usage_t *cred_usage_stored)
980 if (gssStoreCredNext == NULL) {
981 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
982 return GSS_S_UNAVAILABLE;
985 return gssStoreCredNext(minor, input_cred_handle, input_usage,
986 desired_mech, overwrite_cred, default_cred,
987 elements_stored, cred_usage_stored);
991 gssGetNameAttribute(OM_uint32 *minor,
997 gss_buffer_t display_value,
1000 if (gssGetNameAttributeNext == NULL) {
1001 *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
1002 return GSS_S_UNAVAILABLE;
1005 return gssGetNameAttributeNext(minor, name, attr, authenticated, complete,
1006 value, display_value, more);