projects / mech_eap.orig / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
cleanup
[mech_eap.orig] / util_reauth.c
1 /*
2  * Copyright (c) 2010, JANET(UK)
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * 3. Neither the name of JANET(UK) nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32
33 #include "gssapiP_eap.h"
34
35 #include <dlfcn.h>
36
37 /*
38  * Fast reauthentication support for EAP GSS.
39  */
40
41 krb5_error_code
42 krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
43
44 krb5_error_code
45 encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
46
47 static OM_uint32
48 gssDisplayName(OM_uint32 *minor,
49                gss_name_t name,
50                gss_buffer_t buffer,
51                gss_OID *name_type);
52
53 static OM_uint32
54 gssImportName(OM_uint32 *minor,
55               gss_buffer_t buffer,
56               gss_OID name_type,
57               gss_name_t *name);
58
59 static krb5_error_code
60 getAcceptorKey(krb5_context krbContext,
61                gss_ctx_id_t ctx,
62                gss_cred_id_t cred,
63                krb5_principal *princ,
64                krb5_keyblock *key)
65 {
66     krb5_error_code code;
67     krb5_keytab keytab = NULL;
68     krb5_keytab_entry ktent = { 0 };
69     krb5_kt_cursor cursor = NULL;
70
71     *princ = NULL;
72     memset(key, 0, sizeof(*key));
73
74     code = krb5_kt_default(krbContext, &keytab);
75     if (code != 0)
76         goto cleanup;
77
78     if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) {
79         code = krb5_kt_get_entry(krbContext, keytab,
80                                  cred->name->krbPrincipal, 0,
81                                  ctx->encryptionType, &ktent);
82         if (code != 0)
83             goto cleanup;
84     } else {
85         /*
86          * It's not clear that looking encrypting the ticket in the
87          * requested EAP enctype provides any value.
88          */
89         code = krb5_kt_start_seq_get(krbContext, keytab, &cursor);
90         if (code != 0)
91             goto cleanup;
92
93         while ((code = krb5_kt_next_entry(krbContext, keytab,
94                                           &ktent, &cursor)) == 0) {
95             if (ktent.key.enctype == ctx->encryptionType)
96                 break;
97             else
98                 krb5_free_keytab_entry_contents(krbContext, &ktent);
99         }
100     }
101
102     if (code == 0) {
103         *princ = ktent.principal;
104         *key = ktent.key;
105     }
106
107 cleanup:
108     if (cred == GSS_C_NO_CREDENTIAL || cred->name == GSS_C_NO_NAME)
109         krb5_kt_end_seq_get(krbContext, keytab, &cursor);
110     krb5_kt_close(krbContext, keytab);
111
112     if (code != 0)
113         krb5_free_keytab_entry_contents(krbContext, &ktent);
114
115     return code;
116 }
117
118 static OM_uint32
119 freezeAttrContext(OM_uint32 *minor,
120                   gss_name_t initiatorName,
121                   krb5_const_principal acceptorPrinc,
122                   krb5_keyblock *session,
123                   krb5_authdata ***authdata)
124 {
125     OM_uint32 major, tmpMinor;
126     krb5_error_code code;
127     gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER;
128     krb5_authdata *authData[2], authDatum = { 0 };
129     krb5_context krbContext;
130
131     GSSEAP_KRB_INIT(&krbContext);
132
133     major = gssEapExportAttrContext(minor, initiatorName, &attrBuf);
134     if (GSS_ERROR(major))
135         return major;
136
137     authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP;
138     authDatum.length = attrBuf.length;
139     authDatum.contents = attrBuf.value;
140     authData[0] = &authDatum;
141     authData[1] = NULL;
142
143     code = krb5_make_authdata_kdc_issued(krbContext, session, acceptorPrinc,
144                                          authData, authdata);
145     if (code != 0) {
146         major = GSS_S_FAILURE;
147         *minor = code;
148     } else {
149         major = GSS_S_COMPLETE;
150     }
151
152     gss_release_buffer(&tmpMinor, &attrBuf);
153
154     return major;
155 }
156
157 /*
158  * Fabricate a ticket to ourselves given a GSS EAP context.
159  */
160 OM_uint32
161 gssEapMakeReauthCreds(OM_uint32 *minor,
162                       gss_ctx_id_t ctx,
163                       gss_cred_id_t cred,
164                       gss_buffer_t credBuf)
165 {
166     OM_uint32 major = GSS_S_COMPLETE;
167     krb5_error_code code;
168     krb5_context krbContext = NULL;
169     krb5_ticket ticket = { 0 };
170     krb5_keyblock session = { 0 }, acceptorKey = { 0 };
171     krb5_enc_tkt_part enc_part = { 0 };
172     krb5_data *ticketData = NULL, *credsData = NULL;
173     krb5_creds creds = { 0 };
174     krb5_auth_context authContext = NULL;
175
176     credBuf->length = 0;
177     credBuf->value = NULL;
178
179     GSSEAP_KRB_INIT(&krbContext);
180
181     code = getAcceptorKey(krbContext, ctx, cred,
182                           &ticket.server, &acceptorKey);
183     if (code == KRB5_KT_NOTFOUND) {
184         gss_buffer_desc emptyToken = { 0, "" };
185
186         /*
187          * If we can't produce the KRB-CRED message, we need to
188          * return an empty (not NULL) token to the caller so we
189          * don't change the number of authentication legs.
190          */
191         return duplicateBuffer(minor, &emptyToken, credBuf);
192     } else if (code != 0)
193         goto cleanup;
194
195     enc_part.flags = TKT_FLG_INITIAL;
196
197     /*
198      * Generate a random session key to place in the ticket and
199      * sign the "KDC-Issued" authorization data element.
200      */
201     code = krb5_c_make_random_key(krbContext, ctx->encryptionType,
202                                   &session);
203     if (code != 0)
204         goto cleanup;
205
206     enc_part.session = &session;
207     enc_part.client = ctx->initiatorName->krbPrincipal;
208     enc_part.times.authtime = time(NULL);
209     enc_part.times.starttime = enc_part.times.authtime;
210     enc_part.times.endtime = ctx->expiryTime
211                              ? ctx->expiryTime
212                              : KRB5_INT32_MAX;
213     enc_part.times.renew_till = 0;
214
215     major = freezeAttrContext(minor, ctx->initiatorName, ticket.server,
216                               &session, &enc_part.authorization_data);
217     if (GSS_ERROR(major))
218         goto cleanup;
219
220     ticket.enc_part2 = &enc_part;
221
222     code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket);
223     if (code != 0)
224         goto cleanup;
225
226     code = encode_krb5_ticket(&ticket, &ticketData);
227     if (code != 0)
228         goto cleanup;
229
230     creds.client = enc_part.client;
231     creds.server = ticket.server;
232     creds.keyblock = session;
233     creds.times = enc_part.times;
234     creds.ticket_flags = enc_part.flags;
235     creds.ticket = *ticketData;
236     creds.authdata = enc_part.authorization_data;
237
238     code = krb5_auth_con_init(krbContext, &authContext);
239     if (code != 0)
240         goto cleanup;
241
242     code = krb5_auth_con_setflags(krbContext, authContext, 0);
243     if (code != 0)
244         goto cleanup;
245
246     code = krb5_auth_con_setsendsubkey(krbContext, authContext,
247                                        &ctx->rfc3961Key);
248     if (code != 0)
249         goto cleanup;
250
251     code = krb5_mk_1cred(krbContext, authContext, &creds, &credsData, NULL);
252     if (code != 0)
253         goto cleanup;
254
255     krbDataToGssBuffer(credsData, credBuf);
256
257 cleanup:
258     if (ticket.enc_part.ciphertext.data != NULL)
259         GSSEAP_FREE(ticket.enc_part.ciphertext.data);
260     krb5_free_keyblock_contents(krbContext, &session);
261     krb5_free_keyblock_contents(krbContext, &acceptorKey);
262     krb5_free_data(krbContext, ticketData);
263     krb5_auth_con_free(krbContext, authContext);
264     krb5_free_authdata(krbContext, enc_part.authorization_data);
265     if (credsData != NULL)
266         GSSEAP_FREE(credsData);
267
268     if (major == GSS_S_COMPLETE) {
269         *minor = code;
270         major = code != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE;
271     }
272
273     return major;
274 }
275
276 static int
277 isTicketGrantingServiceP(krb5_context krbContext,
278                          krb5_const_principal principal)
279 {
280     if (krb5_princ_size(krbContext, principal) == 2 &&
281         krb5_princ_component(krbContext, principal, 0)->length == 6 &&
282         memcmp(krb5_princ_component(krbContext,
283                                     principal, 0)->data, "krbtgt", 6) == 0)
284         return TRUE;
285
286     return FALSE;
287 }
288
289 /*
290  * Returns TRUE if the configuration variable reauth_use_ccache is
291  * set in krb5.conf for the eap_gss application and the client realm.
292  */
293 static int
294 reauthUseCredsCache(krb5_context krbContext,
295                     krb5_principal principal)
296 {
297     int reauthUseCCache;
298
299     /* if reauth_use_ccache, use default credentials cache if ticket is for us */
300     krb5_appdefault_boolean(krbContext, "eap_gss",
301                             krb5_princ_realm(krbContext, principal),
302                             "reauth_use_ccache", 0, &reauthUseCCache);
303
304     return reauthUseCCache;
305 }
306
307 /*
308  * Look in default credentials cache for reauthentication credentials,
309  * if policy allows.
310  */
311 static OM_uint32
312 getDefaultReauthCredentials(OM_uint32 *minor,
313                             gss_cred_id_t cred,
314                             gss_name_t target,
315                             time_t now,
316                             OM_uint32 timeReq)
317 {
318     OM_uint32 major = GSS_S_CRED_UNAVAIL;
319     krb5_context krbContext = NULL;
320     krb5_error_code code;
321     krb5_ccache ccache = NULL;
322     krb5_creds match = { 0 };
323     krb5_creds creds = { 0 };
324
325     GSSEAP_KRB_INIT(&krbContext);
326
327     assert(cred != GSS_C_NO_CREDENTIAL);
328     assert(target != GSS_C_NO_NAME);
329
330     if (cred->name == GSS_C_NO_NAME ||
331         !reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
332         goto cleanup;
333
334     match.client = cred->name->krbPrincipal;
335     match.server = target->krbPrincipal;
336     if (timeReq != 0 && timeReq != GSS_C_INDEFINITE)
337         match.times.endtime = now + timeReq;
338
339     code = krb5_cc_default(krbContext, &ccache);
340     if (code != 0)
341         goto cleanup;
342
343     code = krb5_cc_retrieve_cred(krbContext, ccache, 0, &match, &creds);
344     if (code != 0)
345         goto cleanup;
346
347     cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
348     cred->krbCredCache = ccache;
349     ccache = NULL;
350
351     major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
352                                  &cred->krbCred);
353
354 cleanup:
355     if (major == GSS_S_CRED_UNAVAIL)
356         *minor = code;
357
358     if (ccache != NULL)
359         krb5_cc_close(krbContext, ccache);
360     krb5_free_cred_contents(krbContext, &creds);
361
362     return major;
363 }
364
365 /*
366  * Returns TRUE if the credential handle's reauth credentials are
367  * valid or if we can use the default credentials cache. Credentials
368  * handle must be locked.
369  */
370 int
371 gssEapCanReauthP(gss_cred_id_t cred,
372                  gss_name_t target,
373                  OM_uint32 timeReq)
374 {
375     time_t now, expiryReq;
376     OM_uint32 minor;
377
378     assert(cred != GSS_C_NO_CREDENTIAL);
379
380     now = time(NULL);
381     expiryReq = now;
382     if (timeReq != GSS_C_INDEFINITE)
383         expiryReq += timeReq;
384
385     if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq)
386         return TRUE;
387
388     if (getDefaultReauthCredentials(&minor, cred, target,
389                                     now, timeReq) == GSS_S_COMPLETE)
390         return TRUE;
391
392     return FALSE;
393 }
394
395 /*
396  * Store re-authentication (Kerberos) credentials in a credential handle.
397  * Credentials handle must be locked.
398  */
399 OM_uint32
400 gssEapStoreReauthCreds(OM_uint32 *minor,
401                        gss_ctx_id_t ctx,
402                        gss_cred_id_t cred,
403                        gss_buffer_t credBuf)
404 {
405     OM_uint32 major = GSS_S_COMPLETE;
406     krb5_error_code code;
407     krb5_context krbContext = NULL;
408     krb5_auth_context authContext = NULL;
409     krb5_data credData = { 0 };
410     krb5_creds **creds = NULL;
411     krb5_principal canonPrinc;
412     krb5_principal ccPrinc = NULL;
413     int i;
414
415     if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
416         return GSS_S_COMPLETE;
417
418     GSSEAP_KRB_INIT(&krbContext);
419
420     code = krb5_auth_con_init(krbContext, &authContext);
421     if (code != 0)
422         goto cleanup;
423
424     code = krb5_auth_con_setflags(krbContext, authContext, 0);
425     if (code != 0)
426         goto cleanup;
427
428     code = krb5_auth_con_setrecvsubkey(krbContext, authContext,
429                                        &ctx->rfc3961Key);
430     if (code != 0)
431         goto cleanup;
432
433     gssBufferToKrbData(credBuf, &credData);
434
435     code = krb5_rd_cred(krbContext, authContext, &credData, &creds, NULL);
436     if (code != 0)
437         goto cleanup;
438
439     if (creds == NULL || creds[0] == NULL)
440         goto cleanup;
441
442     code = krb5_copy_principal(krbContext, creds[0]->client, &canonPrinc);
443     if (code != 0)
444         goto cleanup;
445
446     krb5_free_principal(krbContext, cred->name->krbPrincipal);
447     cred->name->krbPrincipal = canonPrinc;
448
449     cred->expiryTime = creds[0]->times.endtime;
450
451     if (cred->krbCredCache == NULL) {
452         if (reauthUseCredsCache(krbContext, creds[0]->client) &&
453             krb5_cc_default(krbContext, &cred->krbCredCache) == 0)
454             cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
455     } else {
456         /*
457          * If we already have an associated credentials cache, possibly from
458          * the last time we stored a reauthentication credential, then we
459          * need to clear it out and release the associated GSS credential.
460          */
461         if (cred->flags & CRED_FLAG_DEFAULT_CCACHE) {
462             krb5_cc_remove_cred(krbContext, cred->krbCredCache, 0, creds[0]);
463         } else {
464             krb5_cc_destroy(krbContext, cred->krbCredCache);
465             cred->krbCredCache = NULL;
466         }
467         gssReleaseCred(minor, &cred->krbCred);
468     }
469
470     if (cred->krbCredCache == NULL) {
471         code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
472         if (code != 0)
473             goto cleanup;
474     }
475
476     if ((cred->flags & CRED_FLAG_DEFAULT_CCACHE) == 0 ||
477         krb5_cc_get_principal(krbContext, cred->krbCredCache, &ccPrinc) != 0) {
478         code = krb5_cc_initialize(krbContext, cred->krbCredCache,
479                                   creds[0]->client);
480         if (code != 0)
481             goto cleanup;
482     }
483
484     for (i = 0; creds[i] != NULL; i++) {
485         krb5_creds kcred = *(creds[i]);
486
487         /*
488          * Swap in the acceptor name the client asked for so
489          * get_credentials() works. We're making the assumption that
490          * any service tickets returned are for us. We'll need to
491          * reflect some more on whether that is a safe assumption.
492          */
493         if (!isTicketGrantingServiceP(krbContext, kcred.server))
494             kcred.server = ctx->acceptorName->krbPrincipal;
495
496         code = krb5_cc_store_cred(krbContext, cred->krbCredCache, &kcred);
497         if (code != 0)
498             goto cleanup;
499     }
500
501     major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
502                                  &cred->krbCred);
503     if (GSS_ERROR(major))
504         goto cleanup;
505
506 cleanup:
507     *minor = code;
508
509     krb5_free_principal(krbContext, ccPrinc);
510     krb5_auth_con_free(krbContext, authContext);
511     if (creds != NULL) {
512         for (i = 0; creds[i] != NULL; i++)
513             krb5_free_creds(krbContext, creds[i]);
514         GSSEAP_FREE(creds);
515     }
516     if (major == GSS_S_COMPLETE)
517         major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
518
519     return major;
520 }
521
522 static gss_buffer_desc radiusAvpKrbAttr = {
523     sizeof("urn:authdata-radius-avp") - 1, "urn:authdata-radius-avp"
524 };
525
526 /*
527  * Unfortunately extracting an AD-KDCIssued authorization data element
528  * is pretty implementation-dependent. It's not possible to verify the
529  * signature ourselves because the ticket session key is not exposed
530  * outside GSS. In an ideal world, all AD-KDCIssued elements would be
531  * verified by the Kerberos library and authentication would fail if
532  * verification failed. We're not quite there yet and as a result have
533  * to go through some hoops to get this to work. The alternative would
534  * be to sign the authorization data with our long-term key, but it
535  * seems a pity to compromise the design because of current implementation
536  * limitations.
537  *
538  * (Specifically, the hoops involve a libkrb5 authorisation data plugin
539  * that exposes the verified and serialised attribute context through
540  * the Kerberos GSS mechanism's naming extensions API.)
541  */
542 static OM_uint32
543 defrostAttrContext(OM_uint32 *minor,
544                    gss_name_t glueName,
545                    gss_name_t mechName)
546 {
547     OM_uint32 major, tmpMinor;
548     gss_buffer_desc authData = GSS_C_EMPTY_BUFFER;
549     gss_buffer_desc authDataDisplay = GSS_C_EMPTY_BUFFER;
550     int more = -1;
551     int authenticated, complete;
552
553     major = gssGetNameAttribute(minor, glueName, &radiusAvpKrbAttr,
554                                 &authenticated, &complete,
555                                 &authData, &authDataDisplay, &more);
556     if (major == GSS_S_COMPLETE) {
557         if (authenticated == 0)
558             major = GSS_S_BAD_NAME;
559         else
560             major = gssEapImportAttrContext(minor, &authData, mechName);
561     } else if (major == GSS_S_UNAVAILABLE) {
562         major = GSS_S_COMPLETE;
563     }
564
565     gss_release_buffer(&tmpMinor, &authData);
566     gss_release_buffer(&tmpMinor, &authDataDisplay);
567
568     return major;
569 }
570
571 /*
572  * Convert a mechanism glue to an EAP mechanism name by displaying and
573  * importing it. This also handles the RADIUS attributes.
574  */
575 OM_uint32
576 gssEapGlueToMechName(OM_uint32 *minor,
577                      gss_name_t glueName,
578                      gss_name_t *pMechName)
579 {
580     OM_uint32 major, tmpMinor;
581     gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
582
583     *pMechName = GSS_C_NO_NAME;
584
585     major = gssDisplayName(minor, glueName, &nameBuf, NULL);
586     if (GSS_ERROR(major))
587         goto cleanup;
588
589     major = gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
590                              pMechName);
591     if (GSS_ERROR(major))
592         goto cleanup;
593
594     major = defrostAttrContext(minor, glueName, *pMechName);
595     if (GSS_ERROR(major))
596         goto cleanup;
597
598 cleanup:
599     if (GSS_ERROR(major)) {
600         gssReleaseName(&tmpMinor, pMechName);
601         *pMechName = GSS_C_NO_NAME;
602     }
603
604     gss_release_buffer(&tmpMinor, &nameBuf);
605
606     return major;
607 }
608
609 /*
610  * Convert an EAP mechanism name to a mechanism glue name by displaying
611  * and importing it.
612  */
613 OM_uint32
614 gssEapMechToGlueName(OM_uint32 *minor,
615                      gss_name_t mechName,
616                      gss_name_t *pGlueName)
617 {
618     OM_uint32 major, tmpMinor;
619     gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
620
621     *pGlueName = GSS_C_NO_NAME;
622
623     major = gssEapDisplayName(minor, mechName, &nameBuf, NULL);
624     if (GSS_ERROR(major))
625         goto cleanup;
626
627     major = gssImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
628                           pGlueName);
629     if (GSS_ERROR(major))
630         goto cleanup;
631
632 cleanup:
633     gss_release_buffer(&tmpMinor, &nameBuf);
634
635     return major;
636 }
637
638 /*
639  * Suck out the analgous elements of a Kerberos GSS context into an EAP
640  * one so that the application doesn't know the difference.
641  */
642 OM_uint32
643 gssEapReauthComplete(OM_uint32 *minor,
644                     gss_ctx_id_t ctx,
645                     gss_cred_id_t cred,
646                     const gss_OID mech,
647                     OM_uint32 timeRec)
648 {
649     OM_uint32 major, tmpMinor;
650     gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET;
651
652     if (!oidEqual(mech, gss_mech_krb5)) {
653         major = GSS_S_BAD_MECH;
654         goto cleanup;
655     }
656
657     /* Get the raw subsession key and encryption type*/
658     major = gssInquireSecContextByOid(minor, ctx->kerberosCtx,
659                                       GSS_C_INQ_SSPI_SESSION_KEY, &keyData);
660     if (GSS_ERROR(major))
661         goto cleanup;
662
663     {
664         gss_OID_desc oid;
665         int suffix;
666
667         oid.length = keyData->elements[1].length;
668         oid.elements = keyData->elements[1].value;
669
670         /* GSS_KRB5_SESSION_KEY_ENCTYPE_OID */
671         major = decomposeOid(minor,
672                              "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04",
673                              10, &oid, &suffix);
674         if (GSS_ERROR(major))
675             goto cleanup;
676
677         ctx->encryptionType = suffix;
678     }
679
680     {
681         krb5_context krbContext = NULL;
682         krb5_keyblock key;
683
684         GSSEAP_KRB_INIT(&krbContext);
685
686         KRB_KEY_LENGTH(&key) = keyData->elements[0].length;
687         KRB_KEY_DATA(&key)   = keyData->elements[0].value;
688         KRB_KEY_TYPE(&key)   = ctx->encryptionType;
689
690         *minor = krb5_copy_keyblock_contents(krbContext,
691                                              &key, &ctx->rfc3961Key);
692         if (*minor != 0) {
693             major = GSS_S_FAILURE;
694             goto cleanup;
695         }
696     }
697
698     major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key,
699                                       &ctx->checksumType);
700     if (GSS_ERROR(major))
701         goto cleanup;
702
703     if (timeRec != GSS_C_INDEFINITE)
704         ctx->expiryTime = time(NULL) + timeRec;
705
706     /* Initialize our sequence state */
707     major = sequenceInit(minor,
708                          &ctx->seqState, ctx->recvSeq,
709                          ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0),
710                          ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0),
711                          TRUE);
712     if (GSS_ERROR(major))
713         goto cleanup;
714
715     major = GSS_S_COMPLETE;
716
717 cleanup:
718     gss_release_buffer_set(&tmpMinor, &keyData);
719
720     return major;
721 }
722
723 /*
724  * The remainder of this file consists of wrappers so we can call into the
725  * mechanism glue without calling ourselves.
726  */
727 static OM_uint32
728 (*gssInitSecContextNext)(OM_uint32 *,
729                          gss_cred_id_t,
730                          gss_ctx_id_t *,
731                          gss_name_t,
732                          gss_OID,
733                          OM_uint32,
734                          OM_uint32,
735                          gss_channel_bindings_t,
736                          gss_buffer_t,
737                          gss_OID *,
738                          gss_buffer_t,
739                          OM_uint32 *,
740                          OM_uint32 *);
741
742 static OM_uint32
743 (*gssAcceptSecContextNext)(OM_uint32 *,
744                            gss_ctx_id_t *,
745                            gss_cred_id_t,
746                            gss_buffer_t,
747                            gss_channel_bindings_t,
748                            gss_name_t *,
749                            gss_OID *,
750                            gss_buffer_t,
751                            OM_uint32 *,
752                            OM_uint32 *,
753                            gss_cred_id_t *);
754
755 static OM_uint32
756 (*gssReleaseCredNext)(OM_uint32 *, gss_cred_id_t *);
757
758 static OM_uint32
759 (*gssReleaseNameNext)(OM_uint32 *, gss_name_t *);
760
761 static OM_uint32
762 (*gssInquireSecContextByOidNext)(OM_uint32 *,
763                                  const gss_ctx_id_t,
764                                  const gss_OID,
765                                  gss_buffer_set_t *);
766
767 static OM_uint32
768 (*gssDeleteSecContextNext)(OM_uint32 *,
769                           gss_ctx_id_t *,
770                           gss_buffer_t);
771
772 static OM_uint32
773 (*gssDisplayNameNext)(OM_uint32 *,
774                       gss_name_t,
775                       gss_buffer_t,
776                       gss_OID *);
777
778 static OM_uint32
779 (*gssImportNameNext)(OM_uint32 *,
780                      gss_buffer_t,
781                      gss_OID,
782                      gss_name_t *);
783
784 static OM_uint32
785 (*gssStoreCredNext)(OM_uint32 *,
786                     const gss_cred_id_t,
787                     gss_cred_usage_t,
788                     const gss_OID,
789                     OM_uint32,
790                     OM_uint32,
791                     gss_OID_set *,
792                     gss_cred_usage_t *);
793
794 static OM_uint32
795 (*gssGetNameAttributeNext)(OM_uint32 *,
796                           gss_name_t,
797                           gss_buffer_t,
798                           int *,
799                           int *,
800                           gss_buffer_t,
801                           gss_buffer_t,
802                           int *);
803
804 #define NEXT_SYMBOL(local, global)  ((local) = dlsym(RTLD_NEXT, (global)))
805
806 OM_uint32
807 gssEapReauthInitialize(OM_uint32 *minor)
808 {
809     NEXT_SYMBOL(gssInitSecContextNext,         "gss_init_sec_context");
810     NEXT_SYMBOL(gssAcceptSecContextNext,       "gss_accept_sec_context");
811     NEXT_SYMBOL(gssReleaseCredNext,            "gss_release_cred");
812     NEXT_SYMBOL(gssReleaseNameNext,            "gss_release_name");
813     NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid");
814     NEXT_SYMBOL(gssDeleteSecContextNext,       "gss_delete_sec_context");
815     NEXT_SYMBOL(gssDisplayNameNext,            "gss_display_name");
816     NEXT_SYMBOL(gssImportNameNext,             "gss_import_name");
817     NEXT_SYMBOL(gssStoreCredNext,              "gss_store_cred");
818     NEXT_SYMBOL(gssGetNameAttributeNext,       "gss_get_name_attribute");
819
820     return GSS_S_COMPLETE;
821 }
822
823 OM_uint32
824 gssInitSecContext(OM_uint32 *minor,
825                   gss_cred_id_t cred,
826                   gss_ctx_id_t *context_handle,
827                   gss_name_t target_name,
828                   gss_OID mech_type,
829                   OM_uint32 req_flags,
830                   OM_uint32 time_req,
831                   gss_channel_bindings_t input_chan_bindings,
832                   gss_buffer_t input_token,
833                   gss_OID *actual_mech_type,
834                   gss_buffer_t output_token,
835                   OM_uint32 *ret_flags,
836                   OM_uint32 *time_rec)
837 {
838     if (gssInitSecContextNext == NULL)
839         return GSS_S_UNAVAILABLE;
840
841     return gssInitSecContextNext(minor, cred, context_handle,
842                                  target_name, mech_type, req_flags,
843                                  time_req, input_chan_bindings,
844                                  input_token, actual_mech_type,
845                                  output_token, ret_flags, time_rec);
846 }
847
848 OM_uint32
849 gssAcceptSecContext(OM_uint32 *minor,
850                     gss_ctx_id_t *context_handle,
851                     gss_cred_id_t cred,
852                     gss_buffer_t input_token,
853                     gss_channel_bindings_t input_chan_bindings,
854                     gss_name_t *src_name,
855                     gss_OID *mech_type,
856                     gss_buffer_t output_token,
857                     OM_uint32 *ret_flags,
858                     OM_uint32 *time_rec,
859                     gss_cred_id_t *delegated_cred_handle)
860 {
861     if (gssAcceptSecContextNext == NULL)
862         return GSS_S_UNAVAILABLE;
863
864     return gssAcceptSecContextNext(minor, context_handle, cred,
865                                    input_token, input_chan_bindings,
866                                    src_name, mech_type, output_token,
867                                    ret_flags, time_rec, delegated_cred_handle);
868 }
869
870 OM_uint32
871 gssReleaseCred(OM_uint32 *minor,
872                gss_cred_id_t *cred_handle)
873 {
874     if (gssReleaseCredNext == NULL)
875         return GSS_S_UNAVAILABLE;
876
877     return gssReleaseCredNext(minor, cred_handle);
878 }
879
880 OM_uint32
881 gssReleaseName(OM_uint32 *minor,
882                gss_name_t *name)
883 {
884     if (gssReleaseName == NULL)
885         return GSS_S_UNAVAILABLE;
886
887     return gssReleaseNameNext(minor, name);
888 }
889
890 OM_uint32
891 gssDeleteSecContext(OM_uint32 *minor,
892                     gss_ctx_id_t *context_handle,
893                     gss_buffer_t output_token)
894 {
895     if (gssDeleteSecContextNext == NULL)
896         return GSS_S_UNAVAILABLE;
897
898     return gssDeleteSecContextNext(minor, context_handle, output_token);
899 }
900
901 static OM_uint32
902 gssDisplayName(OM_uint32 *minor,
903                gss_name_t name,
904                gss_buffer_t buffer,
905                gss_OID *name_type)
906 {
907     if (gssDisplayNameNext == NULL)
908         return GSS_S_UNAVAILABLE;
909
910     return gssDisplayNameNext(minor, name, buffer, name_type);
911 }
912
913 static OM_uint32
914 gssImportName(OM_uint32 *minor,
915               gss_buffer_t buffer,
916               gss_OID name_type,
917               gss_name_t *name)
918 {
919     if (gssImportNameNext == NULL)
920         return GSS_S_UNAVAILABLE;
921
922     return gssImportNameNext(minor, buffer, name_type, name);
923 }
924
925 OM_uint32
926 gssInquireSecContextByOid(OM_uint32 *minor,
927                           const gss_ctx_id_t context_handle,
928                           const gss_OID desired_object,
929                           gss_buffer_set_t *data_set)
930 {
931     if (gssInquireSecContextByOidNext == NULL)
932         return GSS_S_UNAVAILABLE;
933
934     return gssInquireSecContextByOidNext(minor, context_handle,
935                                          desired_object, data_set);
936 }
937
938 OM_uint32
939 gssStoreCred(OM_uint32 *minor,
940              const gss_cred_id_t input_cred_handle,
941              gss_cred_usage_t input_usage,
942              const gss_OID desired_mech,
943              OM_uint32 overwrite_cred,
944              OM_uint32 default_cred,
945              gss_OID_set *elements_stored,
946              gss_cred_usage_t *cred_usage_stored)
947 {
948     if (gssStoreCredNext == NULL)
949         return GSS_S_UNAVAILABLE;
950
951     return gssStoreCredNext(minor, input_cred_handle, input_usage,
952                             desired_mech, overwrite_cred, default_cred,
953                             elements_stored, cred_usage_stored);
954 }
955
956 OM_uint32
957 gssGetNameAttribute(OM_uint32 *minor,
958                     gss_name_t name,
959                     gss_buffer_t attr,
960                     int *authenticated,
961                     int *complete,
962                     gss_buffer_t value,
963                     gss_buffer_t display_value,
964                     int *more)
965 {
966     if (gssGetNameAttributeNext == NULL)
967         return GSS_S_UNAVAILABLE;
968
969     return gssGetNameAttributeNext(minor, name, attr, authenticated, complete,
970                                    value, display_value, more);
971 }
Moonshot GSS-API mechanism