www.project-moonshot.org Git - mech_eap.orig/blob - util_reauth.c

   1 /*
   2  * Copyright (c) 2010, JANET(UK)
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * 3. Neither the name of JANET(UK) nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32
  33 #include "gssapiP_eap.h"
  34
  35 #include <dlfcn.h>
  36
  37 /*
  38  * Fast reauthentication support for EAP GSS.
  39  */
  40
  41 krb5_error_code
  42 krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
  43
  44 krb5_error_code
  45 encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
  46
  47 static OM_uint32
  48 gssDisplayName(OM_uint32 *minor,
  49                gss_name_t name,
  50                gss_buffer_t buffer,
  51                gss_OID *name_type);
  52
  53 static OM_uint32
  54 gssImportName(OM_uint32 *minor,
  55               gss_buffer_t buffer,
  56               gss_OID name_type,
  57               gss_name_t *name);
  58
  59 static krb5_error_code
  60 getAcceptorKey(krb5_context krbContext,
  61                gss_ctx_id_t ctx,
  62                gss_cred_id_t cred,
  63                krb5_principal *princ,
  64                krb5_keyblock *key)
  65 {
  66     krb5_error_code code;
  67     krb5_keytab keytab = NULL;
  68     krb5_keytab_entry ktent = { 0 };
  69     krb5_kt_cursor cursor = NULL;
  70
  71     *princ = NULL;
  72     memset(key, 0, sizeof(*key));
  73
  74     code = krb5_kt_default(krbContext, &keytab);
  75     if (code != 0)
  76         goto cleanup;
  77
  78     if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) {
  79         code = krb5_kt_get_entry(krbContext, keytab,
  80                                  cred->name->krbPrincipal, 0,
  81                                  ctx->encryptionType, &ktent);
  82         if (code != 0)
  83             goto cleanup;
  84     } else {
  85         /*
  86          * It's not clear that looking encrypting the ticket in the
  87          * requested EAP enctype provides any value.
  88          */
  89         code = krb5_kt_start_seq_get(krbContext, keytab, &cursor);
  90         if (code != 0)
  91             goto cleanup;
  92
  93         while ((code = krb5_kt_next_entry(krbContext, keytab,
  94                                           &ktent, &cursor)) == 0) {
  95             if (ktent.key.enctype == ctx->encryptionType)
  96                 break;
  97             else
  98                 krb5_free_keytab_entry_contents(krbContext, &ktent);
  99         }
 100     }
 101
 102     if (code == 0) {
 103         *princ = ktent.principal;
 104         *key = ktent.key;
 105     }
 106
 107 cleanup:
 108     if (cred == GSS_C_NO_CREDENTIAL || cred->name == GSS_C_NO_NAME)
 109         krb5_kt_end_seq_get(krbContext, keytab, &cursor);
 110     krb5_kt_close(krbContext, keytab);
 111
 112     if (code != 0)
 113         krb5_free_keytab_entry_contents(krbContext, &ktent);
 114
 115     return code;
 116 }
 117
 118 static OM_uint32
 119 freezeAttrContext(OM_uint32 *minor,
 120                   gss_name_t initiatorName,
 121                   krb5_const_principal acceptorPrinc,
 122                   krb5_keyblock *session,
 123                   krb5_authdata ***authdata)
 124 {
 125     OM_uint32 major, tmpMinor;
 126     krb5_error_code code;
 127     gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER;
 128     krb5_authdata *authData[2], authDatum = { 0 };
 129     krb5_context krbContext;
 130
 131     GSSEAP_KRB_INIT(&krbContext);
 132
 133     major = gssEapExportAttrContext(minor, initiatorName, &attrBuf);
 134     if (GSS_ERROR(major))
 135         return major;
 136
 137     authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP;
 138     authDatum.length = attrBuf.length;
 139     authDatum.contents = attrBuf.value;
 140     authData[0] = &authDatum;
 141     authData[1] = NULL;
 142
 143     code = krb5_make_authdata_kdc_issued(krbContext, session, acceptorPrinc,
 144                                          authData, authdata);
 145     if (code != 0) {
 146         major = GSS_S_FAILURE;
 147         *minor = code;
 148     } else {
 149         major = GSS_S_COMPLETE;
 150     }
 151
 152     gss_release_buffer(&tmpMinor, &attrBuf);
 153
 154     return major;
 155 }
 156
 157 /*
 158  * Fabricate a ticket to ourselves given a GSS EAP context.
 159  */
 160 OM_uint32
 161 gssEapMakeReauthCreds(OM_uint32 *minor,
 162                       gss_ctx_id_t ctx,
 163                       gss_cred_id_t cred,
 164                       gss_buffer_t credBuf)
 165 {
 166     OM_uint32 major = GSS_S_COMPLETE;
 167     krb5_error_code code;
 168     krb5_context krbContext = NULL;
 169     krb5_ticket ticket = { 0 };
 170     krb5_keyblock session = { 0 }, acceptorKey = { 0 };
 171     krb5_enc_tkt_part enc_part = { 0 };
 172     krb5_data *ticketData = NULL, *credsData = NULL;
 173     krb5_creds creds = { 0 };
 174     krb5_auth_context authContext = NULL;
 175
 176     credBuf->length = 0;
 177     credBuf->value = NULL;
 178
 179     GSSEAP_KRB_INIT(&krbContext);
 180
 181     code = getAcceptorKey(krbContext, ctx, cred,
 182                           &ticket.server, &acceptorKey);
 183     if (code == KRB5_KT_NOTFOUND) {
 184         gss_buffer_desc emptyToken = { 0, "" };
 185
 186         /*
 187          * If we can't produce the KRB-CRED message, we need to
 188          * return an empty (not NULL) token to the caller so we
 189          * don't change the number of authentication legs.
 190          */
 191         return duplicateBuffer(minor, &emptyToken, credBuf);
 192     } else if (code != 0)
 193         goto cleanup;
 194
 195     enc_part.flags = TKT_FLG_INITIAL;
 196
 197     /*
 198      * Generate a random session key to place in the ticket and
 199      * sign the "KDC-Issued" authorization data element.
 200      */
 201     code = krb5_c_make_random_key(krbContext, ctx->encryptionType,
 202                                   &session);
 203     if (code != 0)
 204         goto cleanup;
 205
 206     enc_part.session = &session;
 207     enc_part.client = ctx->initiatorName->krbPrincipal;
 208     enc_part.times.authtime = time(NULL);
 209     enc_part.times.starttime = enc_part.times.authtime;
 210     enc_part.times.endtime = ctx->expiryTime
 211                              ? ctx->expiryTime
 212                              : KRB5_INT32_MAX;
 213     enc_part.times.renew_till = 0;
 214
 215     major = freezeAttrContext(minor, ctx->initiatorName, ticket.server,
 216                               &session, &enc_part.authorization_data);
 217     if (GSS_ERROR(major))
 218         goto cleanup;
 219
 220     ticket.enc_part2 = &enc_part;
 221
 222     code = krb5_encrypt_tkt_part(krbContext, &acceptorKey, &ticket);
 223     if (code != 0)
 224         goto cleanup;
 225
 226     code = encode_krb5_ticket(&ticket, &ticketData);
 227     if (code != 0)
 228         goto cleanup;
 229
 230     creds.client = enc_part.client;
 231     creds.server = ticket.server;
 232     creds.keyblock = session;
 233     creds.times = enc_part.times;
 234     creds.ticket_flags = enc_part.flags;
 235     creds.ticket = *ticketData;
 236     creds.authdata = enc_part.authorization_data;
 237
 238     code = krb5_auth_con_init(krbContext, &authContext);
 239     if (code != 0)
 240         goto cleanup;
 241
 242     code = krb5_auth_con_setflags(krbContext, authContext, 0);
 243     if (code != 0)
 244         goto cleanup;
 245
 246     code = krb5_auth_con_setsendsubkey(krbContext, authContext,
 247                                        &ctx->rfc3961Key);
 248     if (code != 0)
 249         goto cleanup;
 250
 251     code = krb5_mk_1cred(krbContext, authContext, &creds, &credsData, NULL);
 252     if (code != 0)
 253         goto cleanup;
 254
 255     krbDataToGssBuffer(credsData, credBuf);
 256
 257 cleanup:
 258     if (ticket.enc_part.ciphertext.data != NULL)
 259         GSSEAP_FREE(ticket.enc_part.ciphertext.data);
 260     krb5_free_keyblock_contents(krbContext, &session);
 261     krb5_free_keyblock_contents(krbContext, &acceptorKey);
 262     krb5_free_data(krbContext, ticketData);
 263     krb5_auth_con_free(krbContext, authContext);
 264     krb5_free_authdata(krbContext, enc_part.authorization_data);
 265     if (credsData != NULL)
 266         GSSEAP_FREE(credsData);
 267
 268     if (major == GSS_S_COMPLETE) {
 269         *minor = code;
 270         major = code != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE;
 271     }
 272
 273     return major;
 274 }
 275
 276 static int
 277 isTicketGrantingServiceP(krb5_context krbContext,
 278                          krb5_const_principal principal)
 279 {
 280     if (krb5_princ_size(krbContext, principal) == 2 &&
 281         krb5_princ_component(krbContext, principal, 0)->length == 6 &&
 282         memcmp(krb5_princ_component(krbContext,
 283                                     principal, 0)->data, "krbtgt", 6) == 0)
 284         return TRUE;
 285
 286     return FALSE;
 287 }
 288
 289 /*
 290  * Returns TRUE if the configuration variable reauth_use_ccache is
 291  * set in krb5.conf for the eap_gss application and the client realm.
 292  */
 293 static int
 294 reauthUseCredsCache(krb5_context krbContext,
 295                     krb5_principal principal)
 296 {
 297     int reauthUseCCache;
 298
 299     /* if reauth_use_ccache, use default credentials cache if ticket is for us */
 300     krb5_appdefault_boolean(krbContext, "eap_gss",
 301                             krb5_princ_realm(krbContext, principal),
 302                             "reauth_use_ccache", 0, &reauthUseCCache);
 303
 304     return reauthUseCCache;
 305 }
 306
 307 /*
 308  * Look in default credentials cache for reauthentication credentials,
 309  * if policy allows.
 310  */
 311 static OM_uint32
 312 getReauthCredentials(OM_uint32 *minor,
 313                      gss_cred_id_t cred,
 314                      gss_name_t target,
 315                      time_t now,
 316                      OM_uint32 timeReq)
 317 {
 318     OM_uint32 major = GSS_S_CRED_UNAVAIL;
 319     krb5_context krbContext = NULL;
 320     krb5_error_code code;
 321     krb5_ccache ccache = NULL;
 322     krb5_creds match = { 0 };
 323     krb5_creds creds = { 0 };
 324
 325     GSSEAP_KRB_INIT(&krbContext);
 326
 327     assert(cred != GSS_C_NO_CREDENTIAL);
 328     assert(target != GSS_C_NO_NAME);
 329
 330     if (!reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
 331         goto cleanup;
 332
 333     match.client = cred->name->krbPrincipal;
 334     match.server = target->krbPrincipal;
 335     if (timeReq != 0 && timeReq != GSS_C_INDEFINITE)
 336         match.times.endtime = now + timeReq;
 337
 338     code = krb5_cc_default(krbContext, &ccache);
 339     if (code != 0)
 340         goto cleanup;
 341
 342     code = krb5_cc_retrieve_cred(krbContext, ccache, 0, &match, &creds);
 343     if (code != 0)
 344         goto cleanup;
 345
 346     cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
 347     cred->krbCredCache = ccache;
 348     ccache = NULL;
 349
 350     major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
 351                                  &cred->krbCred);
 352
 353 cleanup:
 354     if (major == GSS_S_CRED_UNAVAIL)
 355         *minor = code;
 356
 357     if (ccache != NULL)
 358         krb5_cc_close(krbContext, ccache);
 359     krb5_free_cred_contents(krbContext, &creds);
 360
 361     return major;
 362 }
 363
 364 /*
 365  * Returns TRUE if the credential handle's reauth credentials are
 366  * valid or if we can use the default credentials cache. Credentials
 367  * handle must be locked.
 368  */
 369 int
 370 gssEapCanReauthP(gss_cred_id_t cred,
 371                  gss_name_t target,
 372                  OM_uint32 timeReq)
 373 {
 374     time_t now;
 375
 376     if (cred == GSS_C_NO_CREDENTIAL)
 377         return FALSE;
 378
 379     now = time(NULL);
 380
 381     if (cred->krbCredCache != NULL &&
 382         cred->expiryTime > time(NULL) + (timeReq ? timeReq : 0))
 383         return TRUE;
 384
 385     if (cred->name != GSS_C_NO_NAME) {
 386         OM_uint32 major, minor;
 387
 388         major = getReauthCredentials(&minor, cred, target, now, timeReq);
 389
 390         return !GSS_ERROR(major);
 391     }
 392
 393     return FALSE;
 394 }
 395
 396 /*
 397  * Store re-authentication (Kerberos) credentials in a credential handle.
 398  * Credentials handle must be locked.
 399  */
 400 OM_uint32
 401 gssEapStoreReauthCreds(OM_uint32 *minor,
 402                        gss_ctx_id_t ctx,
 403                        gss_cred_id_t cred,
 404                        gss_buffer_t credBuf)
 405 {
 406     OM_uint32 major = GSS_S_COMPLETE;
 407     krb5_error_code code;
 408     krb5_context krbContext = NULL;
 409     krb5_auth_context authContext = NULL;
 410     krb5_data credData = { 0 };
 411     krb5_creds **creds = NULL;
 412     krb5_principal canonPrinc;
 413     krb5_principal ccPrinc = NULL;
 414     int i;
 415
 416     if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
 417         return GSS_S_COMPLETE;
 418
 419     GSSEAP_KRB_INIT(&krbContext);
 420
 421     code = krb5_auth_con_init(krbContext, &authContext);
 422     if (code != 0)
 423         goto cleanup;
 424
 425     code = krb5_auth_con_setflags(krbContext, authContext, 0);
 426     if (code != 0)
 427         goto cleanup;
 428
 429     code = krb5_auth_con_setrecvsubkey(krbContext, authContext,
 430                                        &ctx->rfc3961Key);
 431     if (code != 0)
 432         goto cleanup;
 433
 434     gssBufferToKrbData(credBuf, &credData);
 435
 436     code = krb5_rd_cred(krbContext, authContext, &credData, &creds, NULL);
 437     if (code != 0)
 438         goto cleanup;
 439
 440     if (creds == NULL || creds[0] == NULL)
 441         goto cleanup;
 442
 443     code = krb5_copy_principal(krbContext, creds[0]->client, &canonPrinc);
 444     if (code != 0)
 445         goto cleanup;
 446
 447     krb5_free_principal(krbContext, cred->name->krbPrincipal);
 448     cred->name->krbPrincipal = canonPrinc;
 449
 450     cred->expiryTime = creds[0]->times.endtime;
 451
 452     if (cred->krbCredCache == NULL) {
 453         if (reauthUseCredsCache(krbContext, creds[0]->client) &&
 454             krb5_cc_default(krbContext, &cred->krbCredCache) == 0)
 455             cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
 456     } else {
 457         /*
 458          * If we already have an associated credentials cache, possibly from
 459          * the last time we stored a reauthentication credential, then we
 460          * need to clear it out and release the associated GSS credential.
 461          */
 462         if (cred->flags & CRED_FLAG_DEFAULT_CCACHE) {
 463             krb5_cc_remove_cred(krbContext, cred->krbCredCache, 0, creds[0]);
 464         } else {
 465             krb5_cc_destroy(krbContext, cred->krbCredCache);
 466             cred->krbCredCache = NULL;
 467         }
 468         gssReleaseCred(minor, &cred->krbCred);
 469     }
 470
 471     if (cred->krbCredCache == NULL) {
 472         code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
 473         if (code != 0)
 474             goto cleanup;
 475     }
 476
 477     if ((cred->flags & CRED_FLAG_DEFAULT_CCACHE) == 0 ||
 478         krb5_cc_get_principal(krbContext, cred->krbCredCache, &ccPrinc) != 0) {
 479         code = krb5_cc_initialize(krbContext, cred->krbCredCache,
 480                                   creds[0]->client);
 481         if (code != 0)
 482             goto cleanup;
 483     }
 484
 485     for (i = 0; creds[i] != NULL; i++) {
 486         krb5_creds kcred = *(creds[i]);
 487
 488         /*
 489          * Swap in the acceptor name the client asked for so
 490          * get_credentials() works. We're making the assumption that
 491          * any service tickets returned are for us. We'll need to
 492          * reflect some more on whether that is a safe assumption.
 493          */
 494         if (!isTicketGrantingServiceP(krbContext, kcred.server))
 495             kcred.server = ctx->acceptorName->krbPrincipal;
 496
 497         code = krb5_cc_store_cred(krbContext, cred->krbCredCache, &kcred);
 498         if (code != 0)
 499             goto cleanup;
 500     }
 501
 502     major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
 503                                  &cred->krbCred);
 504     if (GSS_ERROR(major))
 505         goto cleanup;
 506
 507 cleanup:
 508     *minor = code;
 509
 510     krb5_free_principal(krbContext, ccPrinc);
 511     krb5_auth_con_free(krbContext, authContext);
 512     if (creds != NULL) {
 513         for (i = 0; creds[i] != NULL; i++)
 514             krb5_free_creds(krbContext, creds[i]);
 515         GSSEAP_FREE(creds);
 516     }
 517     if (major == GSS_S_COMPLETE)
 518         major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
 519
 520     return major;
 521 }
 522
 523 static gss_buffer_desc radiusAvpKrbAttr = {
 524     sizeof("urn:authdata-radius-avp") - 1, "urn:authdata-radius-avp"
 525 };
 526
 527 /*
 528  * Unfortunately extracting an AD-KDCIssued authorization data element
 529  * is pretty implementation-dependent. It's not possible to verify the
 530  * signature ourselves because the ticket session key is not exposed
 531  * outside GSS. In an ideal world, all AD-KDCIssued elements would be
 532  * verified by the Kerberos library and authentication would fail if
 533  * verification failed. We're not quite there yet and as a result have
 534  * to go through some hoops to get this to work. The alternative would
 535  * be to sign the authorization data with our long-term key, but it
 536  * seems a pity to compromise the design because of current implementation
 537  * limitations.
 538  *
 539  * (Specifically, the hoops involve a libkrb5 authorisation data plugin
 540  * that exposes the verified and serialised attribute context through
 541  * the Kerberos GSS mechanism's naming extensions API.)
 542  */
 543 static OM_uint32
 544 defrostAttrContext(OM_uint32 *minor,
 545                    gss_name_t glueName,
 546                    gss_name_t mechName)
 547 {
 548     OM_uint32 major, tmpMinor;
 549     gss_buffer_desc authData = GSS_C_EMPTY_BUFFER;
 550     gss_buffer_desc authDataDisplay = GSS_C_EMPTY_BUFFER;
 551     int more = -1;
 552     int authenticated, complete;
 553
 554     major = gssGetNameAttribute(minor, glueName, &radiusAvpKrbAttr,
 555                                 &authenticated, &complete,
 556                                 &authData, &authDataDisplay, &more);
 557     if (major == GSS_S_COMPLETE) {
 558         if (authenticated == 0)
 559             major = GSS_S_BAD_NAME;
 560         else
 561             major = gssEapImportAttrContext(minor, &authData, mechName);
 562     } else if (major == GSS_S_UNAVAILABLE) {
 563         major = GSS_S_COMPLETE;
 564     }
 565
 566     gss_release_buffer(&tmpMinor, &authData);
 567     gss_release_buffer(&tmpMinor, &authDataDisplay);
 568
 569     return major;
 570 }
 571
 572 /*
 573  * Convert a mechanism glue to an EAP mechanism name by displaying and
 574  * importing it. This also handles the RADIUS attributes.
 575  */
 576 OM_uint32
 577 gssEapGlueToMechName(OM_uint32 *minor,
 578                      gss_name_t glueName,
 579                      gss_name_t *pMechName)
 580 {
 581     OM_uint32 major, tmpMinor;
 582     gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
 583
 584     *pMechName = GSS_C_NO_NAME;
 585
 586     major = gssDisplayName(minor, glueName, &nameBuf, NULL);
 587     if (GSS_ERROR(major))
 588         goto cleanup;
 589
 590     major = gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
 591                              pMechName);
 592     if (GSS_ERROR(major))
 593         goto cleanup;
 594
 595     major = defrostAttrContext(minor, glueName, *pMechName);
 596     if (GSS_ERROR(major))
 597         goto cleanup;
 598
 599 cleanup:
 600     if (GSS_ERROR(major)) {
 601         gssReleaseName(&tmpMinor, pMechName);
 602         *pMechName = GSS_C_NO_NAME;
 603     }
 604
 605     gss_release_buffer(&tmpMinor, &nameBuf);
 606
 607     return major;
 608 }
 609
 610 /*
 611  * Convert an EAP mechanism name to a mechanism glue name by displaying
 612  * and importing it.
 613  */
 614 OM_uint32
 615 gssEapMechToGlueName(OM_uint32 *minor,
 616                      gss_name_t mechName,
 617                      gss_name_t *pGlueName)
 618 {
 619     OM_uint32 major, tmpMinor;
 620     gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
 621
 622     *pGlueName = GSS_C_NO_NAME;
 623
 624     major = gssEapDisplayName(minor, mechName, &nameBuf, NULL);
 625     if (GSS_ERROR(major))
 626         goto cleanup;
 627
 628     major = gssImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
 629                           pGlueName);
 630     if (GSS_ERROR(major))
 631         goto cleanup;
 632
 633 cleanup:
 634     gss_release_buffer(&tmpMinor, &nameBuf);
 635
 636     return major;
 637 }
 638
 639 /*
 640  * Suck out the analgous elements of a Kerberos GSS context into an EAP
 641  * one so that the application doesn't know the difference.
 642  */
 643 OM_uint32
 644 gssEapReauthComplete(OM_uint32 *minor,
 645                     gss_ctx_id_t ctx,
 646                     gss_cred_id_t cred,
 647                     const gss_OID mech,
 648                     OM_uint32 timeRec)
 649 {
 650     OM_uint32 major, tmpMinor;
 651     gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET;
 652
 653     if (!oidEqual(mech, gss_mech_krb5)) {
 654         major = GSS_S_BAD_MECH;
 655         goto cleanup;
 656     }
 657
 658     /* Get the raw subsession key and encryption type*/
 659     major = gssInquireSecContextByOid(minor, ctx->kerberosCtx,
 660                                       GSS_C_INQ_SSPI_SESSION_KEY, &keyData);
 661     if (GSS_ERROR(major))
 662         goto cleanup;
 663
 664     {
 665         gss_OID_desc oid;
 666         int suffix;
 667
 668         oid.length = keyData->elements[1].length;
 669         oid.elements = keyData->elements[1].value;
 670
 671         /* GSS_KRB5_SESSION_KEY_ENCTYPE_OID */
 672         major = decomposeOid(minor,
 673                              "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04",
 674                              10, &oid, &suffix);
 675         if (GSS_ERROR(major))
 676             goto cleanup;
 677
 678         ctx->encryptionType = suffix;
 679     }
 680
 681     {
 682         krb5_context krbContext = NULL;
 683         krb5_keyblock key;
 684
 685         GSSEAP_KRB_INIT(&krbContext);
 686
 687         KRB_KEY_LENGTH(&key) = keyData->elements[0].length;
 688         KRB_KEY_DATA(&key)   = keyData->elements[0].value;
 689         KRB_KEY_TYPE(&key)   = ctx->encryptionType;
 690
 691         *minor = krb5_copy_keyblock_contents(krbContext,
 692                                              &key, &ctx->rfc3961Key);
 693         if (*minor != 0) {
 694             major = GSS_S_FAILURE;
 695             goto cleanup;
 696         }
 697     }
 698
 699     major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key,
 700                                       &ctx->checksumType);
 701     if (GSS_ERROR(major))
 702         goto cleanup;
 703
 704     if (timeRec != GSS_C_INDEFINITE)
 705         ctx->expiryTime = time(NULL) + timeRec;
 706
 707     /* Initialize our sequence state */
 708     major = sequenceInit(minor,
 709                          &ctx->seqState, ctx->recvSeq,
 710                          ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0),
 711                          ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0),
 712                          TRUE);
 713     if (GSS_ERROR(major))
 714         goto cleanup;
 715
 716     major = GSS_S_COMPLETE;
 717
 718 cleanup:
 719     gss_release_buffer_set(&tmpMinor, &keyData);
 720
 721     return major;
 722 }
 723
 724 /*
 725  * The remainder of this file consists of wrappers so we can call into the
 726  * mechanism glue without calling ourselves.
 727  */
 728 static OM_uint32
 729 (*gssInitSecContextNext)(OM_uint32 *,
 730                          gss_cred_id_t,
 731                          gss_ctx_id_t *,
 732                          gss_name_t,
 733                          gss_OID,
 734                          OM_uint32,
 735                          OM_uint32,
 736                          gss_channel_bindings_t,
 737                          gss_buffer_t,
 738                          gss_OID *,
 739                          gss_buffer_t,
 740                          OM_uint32 *,
 741                          OM_uint32 *);
 742
 743 static OM_uint32
 744 (*gssAcceptSecContextNext)(OM_uint32 *,
 745                            gss_ctx_id_t *,
 746                            gss_cred_id_t,
 747                            gss_buffer_t,
 748                            gss_channel_bindings_t,
 749                            gss_name_t *,
 750                            gss_OID *,
 751                            gss_buffer_t,
 752                            OM_uint32 *,
 753                            OM_uint32 *,
 754                            gss_cred_id_t *);
 755
 756 static OM_uint32
 757 (*gssReleaseCredNext)(OM_uint32 *, gss_cred_id_t *);
 758
 759 static OM_uint32
 760 (*gssReleaseNameNext)(OM_uint32 *, gss_name_t *);
 761
 762 static OM_uint32
 763 (*gssInquireSecContextByOidNext)(OM_uint32 *,
 764                                  const gss_ctx_id_t,
 765                                  const gss_OID,
 766                                  gss_buffer_set_t *);
 767
 768 static OM_uint32
 769 (*gssDeleteSecContextNext)(OM_uint32 *,
 770                           gss_ctx_id_t *,
 771                           gss_buffer_t);
 772
 773 static OM_uint32
 774 (*gssDisplayNameNext)(OM_uint32 *,
 775                       gss_name_t,
 776                       gss_buffer_t,
 777                       gss_OID *);
 778
 779 static OM_uint32
 780 (*gssImportNameNext)(OM_uint32 *,
 781                      gss_buffer_t,
 782                      gss_OID,
 783                      gss_name_t *);
 784
 785 static OM_uint32
 786 (*gssStoreCredNext)(OM_uint32 *,
 787                     const gss_cred_id_t,
 788                     gss_cred_usage_t,
 789                     const gss_OID,
 790                     OM_uint32,
 791                     OM_uint32,
 792                     gss_OID_set *,
 793                     gss_cred_usage_t *);
 794
 795 static OM_uint32
 796 (*gssGetNameAttributeNext)(OM_uint32 *,
 797                           gss_name_t,
 798                           gss_buffer_t,
 799                           int *,
 800                           int *,
 801                           gss_buffer_t,
 802                           gss_buffer_t,
 803                           int *);
 804
 805 #define NEXT_SYMBOL(local, global)  ((local) = dlsym(RTLD_NEXT, (global)))
 806
 807 OM_uint32
 808 gssEapReauthInitialize(OM_uint32 *minor)
 809 {
 810     NEXT_SYMBOL(gssInitSecContextNext,         "gss_init_sec_context");
 811     NEXT_SYMBOL(gssAcceptSecContextNext,       "gss_accept_sec_context");
 812     NEXT_SYMBOL(gssReleaseCredNext,            "gss_release_cred");
 813     NEXT_SYMBOL(gssReleaseNameNext,            "gss_release_name");
 814     NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid");
 815     NEXT_SYMBOL(gssDeleteSecContextNext,       "gss_delete_sec_context");
 816     NEXT_SYMBOL(gssDisplayNameNext,            "gss_display_name");
 817     NEXT_SYMBOL(gssImportNameNext,             "gss_import_name");
 818     NEXT_SYMBOL(gssStoreCredNext,              "gss_store_cred");
 819     NEXT_SYMBOL(gssGetNameAttributeNext,       "gss_get_name_attribute");
 820
 821     return GSS_S_COMPLETE;
 822 }
 823
 824 OM_uint32
 825 gssInitSecContext(OM_uint32 *minor,
 826                   gss_cred_id_t cred,
 827                   gss_ctx_id_t *context_handle,
 828                   gss_name_t target_name,
 829                   gss_OID mech_type,
 830                   OM_uint32 req_flags,
 831                   OM_uint32 time_req,
 832                   gss_channel_bindings_t input_chan_bindings,
 833                   gss_buffer_t input_token,
 834                   gss_OID *actual_mech_type,
 835                   gss_buffer_t output_token,
 836                   OM_uint32 *ret_flags,
 837                   OM_uint32 *time_rec)
 838 {
 839     if (gssInitSecContextNext == NULL)
 840         return GSS_S_UNAVAILABLE;
 841
 842     return gssInitSecContextNext(minor, cred, context_handle,
 843                                  target_name, mech_type, req_flags,
 844                                  time_req, input_chan_bindings,
 845                                  input_token, actual_mech_type,
 846                                  output_token, ret_flags, time_rec);
 847 }
 848
 849 OM_uint32
 850 gssAcceptSecContext(OM_uint32 *minor,
 851                     gss_ctx_id_t *context_handle,
 852                     gss_cred_id_t cred,
 853                     gss_buffer_t input_token,
 854                     gss_channel_bindings_t input_chan_bindings,
 855                     gss_name_t *src_name,
 856                     gss_OID *mech_type,
 857                     gss_buffer_t output_token,
 858                     OM_uint32 *ret_flags,
 859                     OM_uint32 *time_rec,
 860                     gss_cred_id_t *delegated_cred_handle)
 861 {
 862     if (gssAcceptSecContextNext == NULL)
 863         return GSS_S_UNAVAILABLE;
 864
 865     return gssAcceptSecContextNext(minor, context_handle, cred,
 866                                    input_token, input_chan_bindings,
 867                                    src_name, mech_type, output_token,
 868                                    ret_flags, time_rec, delegated_cred_handle);
 869 }
 870
 871 OM_uint32
 872 gssReleaseCred(OM_uint32 *minor,
 873                gss_cred_id_t *cred_handle)
 874 {
 875     if (gssReleaseCredNext == NULL)
 876         return GSS_S_UNAVAILABLE;
 877
 878     return gssReleaseCredNext(minor, cred_handle);
 879 }
 880
 881 OM_uint32
 882 gssReleaseName(OM_uint32 *minor,
 883                gss_name_t *name)
 884 {
 885     if (gssReleaseName == NULL)
 886         return GSS_S_UNAVAILABLE;
 887
 888     return gssReleaseNameNext(minor, name);
 889 }
 890
 891 OM_uint32
 892 gssDeleteSecContext(OM_uint32 *minor,
 893                     gss_ctx_id_t *context_handle,
 894                     gss_buffer_t output_token)
 895 {
 896     if (gssDeleteSecContextNext == NULL)
 897         return GSS_S_UNAVAILABLE;
 898
 899     return gssDeleteSecContextNext(minor, context_handle, output_token);
 900 }
 901
 902 static OM_uint32
 903 gssDisplayName(OM_uint32 *minor,
 904                gss_name_t name,
 905                gss_buffer_t buffer,
 906                gss_OID *name_type)
 907 {
 908     if (gssDisplayNameNext == NULL)
 909         return GSS_S_UNAVAILABLE;
 910
 911     return gssDisplayNameNext(minor, name, buffer, name_type);
 912 }
 913
 914 static OM_uint32
 915 gssImportName(OM_uint32 *minor,
 916               gss_buffer_t buffer,
 917               gss_OID name_type,
 918               gss_name_t *name)
 919 {
 920     if (gssImportNameNext == NULL)
 921         return GSS_S_UNAVAILABLE;
 922
 923     return gssImportNameNext(minor, buffer, name_type, name);
 924 }
 925
 926 OM_uint32
 927 gssInquireSecContextByOid(OM_uint32 *minor,
 928                           const gss_ctx_id_t context_handle,
 929                           const gss_OID desired_object,
 930                           gss_buffer_set_t *data_set)
 931 {
 932     if (gssInquireSecContextByOidNext == NULL)
 933         return GSS_S_UNAVAILABLE;
 934
 935     return gssInquireSecContextByOidNext(minor, context_handle,
 936                                          desired_object, data_set);
 937 }
 938
 939 OM_uint32
 940 gssStoreCred(OM_uint32 *minor,
 941              const gss_cred_id_t input_cred_handle,
 942              gss_cred_usage_t input_usage,
 943              const gss_OID desired_mech,
 944              OM_uint32 overwrite_cred,
 945              OM_uint32 default_cred,
 946              gss_OID_set *elements_stored,
 947              gss_cred_usage_t *cred_usage_stored)
 948 {
 949     if (gssStoreCredNext == NULL)
 950         return GSS_S_UNAVAILABLE;
 951
 952     return gssStoreCredNext(minor, input_cred_handle, input_usage,
 953                             desired_mech, overwrite_cred, default_cred,
 954                             elements_stored, cred_usage_stored);
 955 }
 956
 957 OM_uint32
 958 gssGetNameAttribute(OM_uint32 *minor,
 959                     gss_name_t name,
 960                     gss_buffer_t attr,
 961                     int *authenticated,
 962                     int *complete,
 963                     gss_buffer_t value,
 964                     gss_buffer_t display_value,
 965                     int *more)
 966 {
 967     if (gssGetNameAttributeNext == NULL)
 968         return GSS_S_UNAVAILABLE;
 969
 970     return gssGetNameAttributeNext(minor, name, attr, authenticated, complete,
 971                                    value, display_value, more);
 972 }