Heimdal portability fixes (except for reauth)

[mech_eap.orig] / util_reauth.c
diff --git a/util_reauth.c b/util_reauth.c

index a552fcb..47be2a3 100644 (file)
--- a/util_reauth.c
+++ b/util_reauth.c
@@ -30,6 +30,10 @@
   * SUCH DAMAGE.
   */
  
+/*
+ * Fast reauthentication support.
+ */
+
  #include "gssapiP_eap.h"
  
  #include <dlfcn.h>
@@ -82,6 +86,10 @@ getAcceptorKey(krb5_context krbContext,
          if (code != 0)
              goto cleanup;
      } else {
+        /*
+         * It's not clear that looking encrypting the ticket in the
+         * requested EAP enctype provides any value.
+         */
          code = krb5_kt_start_seq_get(krbContext, keytab, &cursor);
          if (code != 0)
              goto cleanup;
@@ -177,14 +185,8 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
      code = getAcceptorKey(krbContext, ctx, cred,
                            &ticket.server, &acceptorKey);
      if (code == KRB5_KT_NOTFOUND) {
-        gss_buffer_desc emptyToken = { 0, "" };
-
-        /*
-         * If we can't produce the KRB-CRED message, we need to
-         * return an empty (not NULL) token to the caller so we
-         * don't change the number of authentication legs.
-         */
-        return duplicateBuffer(minor, &emptyToken, credBuf);
+        *minor = code;
+        return GSS_S_UNAVAILABLE;
      } else if (code != 0)
          goto cleanup;
  
@@ -203,7 +205,7 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
      enc_part.client = ctx->initiatorName->krbPrincipal;
      enc_part.times.authtime = time(NULL);
      enc_part.times.starttime = enc_part.times.authtime;
-    enc_part.times.endtime = ctx->expiryTime
+    enc_part.times.endtime = (ctx->expiryTime != 0)
                               ? ctx->expiryTime
                               : KRB5_INT32_MAX;
      enc_part.times.renew_till = 0;
@@ -273,7 +275,7 @@ static int
  isTicketGrantingServiceP(krb5_context krbContext,
                           krb5_const_principal principal)
  {
-    if (krb5_princ_size(krbContext, principal) == 2 &&
+    if (KRB_PRINC_LENGTH(principal) == 2 &&
          krb5_princ_component(krbContext, principal, 0)->length == 6 &&
          memcmp(krb5_princ_component(krbContext,
                                      principal, 0)->data, "krbtgt", 6) == 0)
@@ -283,7 +285,114 @@ isTicketGrantingServiceP(krb5_context krbContext,
  }
  
  /*
+ * Returns TRUE if the configuration variable reauth_use_ccache is
+ * set in krb5.conf for the eap_gss application and the client realm.
+ */
+static int
+reauthUseCredsCache(krb5_context krbContext,
+                    krb5_principal principal)
+{
+    int reauthUseCCache;
+
+    /* if reauth_use_ccache, use default credentials cache if ticket is for us */
+    krb5_appdefault_boolean(krbContext, "eap_gss",
+                            krb5_princ_realm(krbContext, principal),
+                            "reauth_use_ccache", 0, &reauthUseCCache);
+
+    return reauthUseCCache;
+}
+
+/*
+ * Look in default credentials cache for reauthentication credentials,
+ * if policy allows.
+ */
+static OM_uint32
+getDefaultReauthCredentials(OM_uint32 *minor,
+                            gss_cred_id_t cred,
+                            gss_name_t target,
+                            time_t now,
+                            OM_uint32 timeReq)
+{
+    OM_uint32 major = GSS_S_CRED_UNAVAIL;
+    krb5_context krbContext = NULL;
+    krb5_error_code code = 0;
+    krb5_ccache ccache = NULL;
+    krb5_creds match = { 0 };
+    krb5_creds creds = { 0 };
+
+    GSSEAP_KRB_INIT(&krbContext);
+
+    assert(cred != GSS_C_NO_CREDENTIAL);
+    assert(target != GSS_C_NO_NAME);
+
+    if (cred->name == GSS_C_NO_NAME ||
+        !reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
+        goto cleanup;
+
+    match.client = cred->name->krbPrincipal;
+    match.server = target->krbPrincipal;
+    if (timeReq != 0 && timeReq != GSS_C_INDEFINITE)
+        match.times.endtime = now + timeReq;
+
+    code = krb5_cc_default(krbContext, &ccache);
+    if (code != 0)
+        goto cleanup;
+
+    code = krb5_cc_retrieve_cred(krbContext, ccache, 0, &match, &creds);
+    if (code != 0)
+        goto cleanup;
+
+    cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
+    cred->krbCredCache = ccache;
+    ccache = NULL;
+
+    major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
+                                 &cred->krbCred);
+
+cleanup:
+    if (major == GSS_S_CRED_UNAVAIL)
+        *minor = code;
+
+    if (ccache != NULL)
+        krb5_cc_close(krbContext, ccache);
+    krb5_free_cred_contents(krbContext, &creds);
+
+    return major;
+}
+
+/*
+ * Returns TRUE if the credential handle's reauth credentials are
+ * valid or if we can use the default credentials cache. Credentials
+ * handle must be locked.
+ */
+int
+gssEapCanReauthP(gss_cred_id_t cred,
+                 gss_name_t target,
+                 OM_uint32 timeReq)
+{
+    time_t now, expiryReq;
+    OM_uint32 minor;
+
+    assert(cred != GSS_C_NO_CREDENTIAL);
+
+    now = time(NULL);
+    expiryReq = now;
+    if (timeReq != GSS_C_INDEFINITE)
+        expiryReq += timeReq;
+
+    if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq)
+        return TRUE;
+
+    if (getDefaultReauthCredentials(&minor, cred, target,
+                                    now, timeReq) == GSS_S_COMPLETE)
+        return TRUE;
+
+    return FALSE;
+}
+
+/*
   * Store re-authentication (Kerberos) credentials in a credential handle.
+ * Credentials handle must be locked.
   */
  OM_uint32
  gssEapStoreReauthCreds(OM_uint32 *minor,
@@ -291,12 +400,14 @@ gssEapStoreReauthCreds(OM_uint32 *minor,
                         gss_cred_id_t cred,
                         gss_buffer_t credBuf)
  {
-    OM_uint32 major = GSS_S_COMPLETE, code;
+    OM_uint32 major = GSS_S_COMPLETE;
+    krb5_error_code code;
      krb5_context krbContext = NULL;
      krb5_auth_context authContext = NULL;
      krb5_data credData = { 0 };
      krb5_creds **creds = NULL;
      krb5_principal canonPrinc;
+    krb5_principal ccPrinc = NULL;
      int i;
  
      if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
@@ -333,16 +444,43 @@ gssEapStoreReauthCreds(OM_uint32 *minor,
      krb5_free_principal(krbContext, cred->name->krbPrincipal);
      cred->name->krbPrincipal = canonPrinc;
  
-    cred->expiryTime = creds[0]->times.endtime;
+    if (creds[0]->times.endtime == KRB5_INT32_MAX)
+        cred->expiryTime = 0;
+    else
+        cred->expiryTime = creds[0]->times.endtime;
  
-    code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
-    if (code != 0)
-        goto cleanup;
+    if (cred->krbCredCache == NULL) {
+        if (reauthUseCredsCache(krbContext, creds[0]->client) &&
+            krb5_cc_default(krbContext, &cred->krbCredCache) == 0)
+            cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
+    } else {
+        /*
+         * If we already have an associated credentials cache, possibly from
+         * the last time we stored a reauthentication credential, then we
+         * need to clear it out and release the associated GSS credential.
+         */
+        if (cred->flags & CRED_FLAG_DEFAULT_CCACHE) {
+            krb5_cc_remove_cred(krbContext, cred->krbCredCache, 0, creds[0]);
+        } else {
+            krb5_cc_destroy(krbContext, cred->krbCredCache);
+            cred->krbCredCache = NULL;
+        }
+        gssReleaseCred(minor, &cred->krbCred);
+    }
  
-    code = krb5_cc_initialize(krbContext, cred->krbCredCache,
-                              creds[0]->client);
-    if (code != 0)
-        goto cleanup;
+    if (cred->krbCredCache == NULL) {
+        code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
+        if (code != 0)
+            goto cleanup;
+    }
+
+    if ((cred->flags & CRED_FLAG_DEFAULT_CCACHE) == 0 ||
+        krb5_cc_get_principal(krbContext, cred->krbCredCache, &ccPrinc) != 0) {
+        code = krb5_cc_initialize(krbContext, cred->krbCredCache,
+                                  creds[0]->client);
+        if (code != 0)
+            goto cleanup;
+    }
  
      for (i = 0; creds[i] != NULL; i++) {
          krb5_creds kcred = *(creds[i]);
@@ -361,11 +499,6 @@ gssEapStoreReauthCreds(OM_uint32 *minor,
              goto cleanup;
      }
  
-    /*
-     * To turn a credentials cache into a GSS credentials handle, we
-     * require the gss_krb5_import_cred() API (present in Heimdal, but
-     * not shipped in MIT yet).
-     */
      major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
                                   &cred->krbCred);
      if (GSS_ERROR(major))
@@ -374,10 +507,12 @@ gssEapStoreReauthCreds(OM_uint32 *minor,
  cleanup:
      *minor = code;
  
+    krb5_free_principal(krbContext, ccPrinc);
      krb5_auth_con_free(krbContext, authContext);
      if (creds != NULL) {
          for (i = 0; creds[i] != NULL; i++)
              krb5_free_creds(krbContext, creds[i]);
+        GSSEAP_FREE(creds);
      }
      if (major == GSS_S_COMPLETE)
          major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
@@ -520,7 +655,7 @@ gssEapReauthComplete(OM_uint32 *minor,
          goto cleanup;
      }
  
-    /* Get the raw subsession key and encryptino type*/
+    /* Get the raw subsession key and encryption type*/
      major = gssInquireSecContextByOid(minor, ctx->kerberosCtx,
                                        GSS_C_INQ_SSPI_SESSION_KEY, &keyData);
      if (GSS_ERROR(major))
@@ -667,23 +802,32 @@ static OM_uint32
                            gss_buffer_t,
                            int *);
  
-#define NEXT_SYMBOL(local, global)  ((local) = dlsym(RTLD_NEXT, (global)))
+#define NEXT_SYMBOL(local, global)  do {        \
+        ((local) = dlsym(RTLD_NEXT, (global))); \
+        if ((local) == NULL) {                  \
+            *minor = GSSEAP_NO_MECHGLUE_SYMBOL; \
+            major = GSS_S_UNAVAILABLE;          \
+            /* but continue */                  \
+        }                                       \
+    } while (0)
  
  OM_uint32
  gssEapReauthInitialize(OM_uint32 *minor)
  {
-    NEXT_SYMBOL(gssInitSecContextNext,                    "gss_init_sec_context");
-    NEXT_SYMBOL(gssAcceptSecContextNext,                  "gss_accept_sec_context");
-    NEXT_SYMBOL(gssReleaseCredNext,                       "gss_release_cred");
-    NEXT_SYMBOL(gssReleaseNameNext,                       "gss_release_name");
-    NEXT_SYMBOL(gssInquireSecContextByOidNext,            "gss_inquire_sec_context_by_oid");
-    NEXT_SYMBOL(gssDeleteSecContextNext,                  "gss_delete_sec_context");
-    NEXT_SYMBOL(gssDisplayNameNext,                       "gss_display_name");
-    NEXT_SYMBOL(gssImportNameNext,                        "gss_import_name");
-    NEXT_SYMBOL(gssStoreCredNext,                         "gss_store_cred");
-    NEXT_SYMBOL(gssGetNameAttributeNext,                  "gss_get_name_attribute");
-
-    return GSS_S_COMPLETE;
+    OM_uint32 major = GSS_S_COMPLETE;
+
+    NEXT_SYMBOL(gssInitSecContextNext,         "gss_init_sec_context");
+    NEXT_SYMBOL(gssAcceptSecContextNext,       "gss_accept_sec_context");
+    NEXT_SYMBOL(gssReleaseCredNext,            "gss_release_cred");
+    NEXT_SYMBOL(gssReleaseNameNext,            "gss_release_name");
+    NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid");
+    NEXT_SYMBOL(gssDeleteSecContextNext,       "gss_delete_sec_context");
+    NEXT_SYMBOL(gssDisplayNameNext,            "gss_display_name");
+    NEXT_SYMBOL(gssImportNameNext,             "gss_import_name");
+    NEXT_SYMBOL(gssStoreCredNext,              "gss_store_cred");
+    NEXT_SYMBOL(gssGetNameAttributeNext,       "gss_get_name_attribute");
+
+    return major;
  }
  
  OM_uint32
@@ -701,8 +845,10 @@ gssInitSecContext(OM_uint32 *minor,
                    OM_uint32 *ret_flags,
                    OM_uint32 *time_rec)
  {
-    if (gssInitSecContextNext == NULL)
+    if (gssInitSecContextNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssInitSecContextNext(minor, cred, context_handle,
                                   target_name, mech_type, req_flags,
@@ -724,8 +870,10 @@ gssAcceptSecContext(OM_uint32 *minor,
                      OM_uint32 *time_rec,
                      gss_cred_id_t *delegated_cred_handle)
  {
-    if (gssAcceptSecContextNext == NULL)
+    if (gssAcceptSecContextNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssAcceptSecContextNext(minor, context_handle, cred,
                                     input_token, input_chan_bindings,
@@ -737,8 +885,10 @@ OM_uint32
  gssReleaseCred(OM_uint32 *minor,
                 gss_cred_id_t *cred_handle)
  {
-    if (gssReleaseCredNext == NULL)
+    if (gssReleaseCredNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssReleaseCredNext(minor, cred_handle);
  }
@@ -747,8 +897,10 @@ OM_uint32
  gssReleaseName(OM_uint32 *minor,
                 gss_name_t *name)
  {
-    if (gssReleaseName == NULL)
+    if (gssReleaseName == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssReleaseNameNext(minor, name);
  }
@@ -758,8 +910,10 @@ gssDeleteSecContext(OM_uint32 *minor,
                      gss_ctx_id_t *context_handle,
                      gss_buffer_t output_token)
  {
-    if (gssDeleteSecContextNext == NULL)
+    if (gssDeleteSecContextNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssDeleteSecContextNext(minor, context_handle, output_token);
  }
@@ -770,8 +924,10 @@ gssDisplayName(OM_uint32 *minor,
                 gss_buffer_t buffer,
                 gss_OID *name_type)
  {
-    if (gssDisplayNameNext == NULL)
+    if (gssDisplayNameNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssDisplayNameNext(minor, name, buffer, name_type);
  }
@@ -782,8 +938,10 @@ gssImportName(OM_uint32 *minor,
                gss_OID name_type,
                gss_name_t *name)
  {
-    if (gssImportNameNext == NULL)
+    if (gssImportNameNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssImportNameNext(minor, buffer, name_type, name);
  }
@@ -794,8 +952,10 @@ gssInquireSecContextByOid(OM_uint32 *minor,
                            const gss_OID desired_object,
                            gss_buffer_set_t *data_set)
  {
-    if (gssInquireSecContextByOidNext == NULL)
+    if (gssInquireSecContextByOidNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssInquireSecContextByOidNext(minor, context_handle,
                                           desired_object, data_set);
@@ -811,8 +971,10 @@ gssStoreCred(OM_uint32 *minor,
               gss_OID_set *elements_stored,
               gss_cred_usage_t *cred_usage_stored)
  {
-    if (gssStoreCredNext == NULL)
+    if (gssStoreCredNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssStoreCredNext(minor, input_cred_handle, input_usage,
                              desired_mech, overwrite_cred, default_cred,
@@ -829,8 +991,10 @@ gssGetNameAttribute(OM_uint32 *minor,
                      gss_buffer_t display_value,
                      int *more)
  {
-    if (gssGetNameAttributeNext == NULL)
+    if (gssGetNameAttributeNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
          return GSS_S_UNAVAILABLE;
+    }
  
      return gssGetNameAttributeNext(minor, name, attr, authenticated, complete,
                                     value, display_value, more);