* SUCH DAMAGE.
*/
+/*
+ * Fast reauthentication support.
+ */
+
#include "gssapiP_eap.h"
#include <dlfcn.h>
code = getAcceptorKey(krbContext, ctx, cred,
&ticket.server, &acceptorKey);
if (code == KRB5_KT_NOTFOUND) {
- gss_buffer_desc emptyToken = { 0, "" };
-
- /*
- * If we can't produce the KRB-CRED message, we need to
- * return an empty (not NULL) token to the caller so we
- * don't change the number of authentication legs.
- */
- return duplicateBuffer(minor, &emptyToken, credBuf);
+ *minor = code;
+ return GSS_S_UNAVAILABLE;
} else if (code != 0)
goto cleanup;
enc_part.client = ctx->initiatorName->krbPrincipal;
enc_part.times.authtime = time(NULL);
enc_part.times.starttime = enc_part.times.authtime;
- enc_part.times.endtime = ctx->expiryTime
+ enc_part.times.endtime = (ctx->expiryTime != 0)
? ctx->expiryTime
: KRB5_INT32_MAX;
enc_part.times.renew_till = 0;
isTicketGrantingServiceP(krb5_context krbContext,
krb5_const_principal principal)
{
- if (krb5_princ_size(krbContext, principal) == 2 &&
+ if (KRB_PRINC_LENGTH(principal) == 2 &&
krb5_princ_component(krbContext, principal, 0)->length == 6 &&
memcmp(krb5_princ_component(krbContext,
principal, 0)->data, "krbtgt", 6) == 0)
}
/*
+ * Returns TRUE if the configuration variable reauth_use_ccache is
+ * set in krb5.conf for the eap_gss application and the client realm.
+ */
+static int
+reauthUseCredsCache(krb5_context krbContext,
+ krb5_principal principal)
+{
+ int reauthUseCCache;
+
+ /* if reauth_use_ccache, use default credentials cache if ticket is for us */
+ krb5_appdefault_boolean(krbContext, "eap_gss",
+ krb5_princ_realm(krbContext, principal),
+ "reauth_use_ccache", 0, &reauthUseCCache);
+
+ return reauthUseCCache;
+}
+
+/*
+ * Look in default credentials cache for reauthentication credentials,
+ * if policy allows.
+ */
+static OM_uint32
+getDefaultReauthCredentials(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_name_t target,
+ time_t now,
+ OM_uint32 timeReq)
+{
+ OM_uint32 major = GSS_S_CRED_UNAVAIL;
+ krb5_context krbContext = NULL;
+ krb5_error_code code = 0;
+ krb5_ccache ccache = NULL;
+ krb5_creds match = { 0 };
+ krb5_creds creds = { 0 };
+
+ GSSEAP_KRB_INIT(&krbContext);
+
+ assert(cred != GSS_C_NO_CREDENTIAL);
+ assert(target != GSS_C_NO_NAME);
+
+ if (cred->name == GSS_C_NO_NAME ||
+ !reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
+ goto cleanup;
+
+ match.client = cred->name->krbPrincipal;
+ match.server = target->krbPrincipal;
+ if (timeReq != 0 && timeReq != GSS_C_INDEFINITE)
+ match.times.endtime = now + timeReq;
+
+ code = krb5_cc_default(krbContext, &ccache);
+ if (code != 0)
+ goto cleanup;
+
+ code = krb5_cc_retrieve_cred(krbContext, ccache, 0, &match, &creds);
+ if (code != 0)
+ goto cleanup;
+
+ cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
+ cred->krbCredCache = ccache;
+ ccache = NULL;
+
+ major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
+ &cred->krbCred);
+
+cleanup:
+ if (major == GSS_S_CRED_UNAVAIL)
+ *minor = code;
+
+ if (ccache != NULL)
+ krb5_cc_close(krbContext, ccache);
+ krb5_free_cred_contents(krbContext, &creds);
+
+ return major;
+}
+
+/*
+ * Returns TRUE if the credential handle's reauth credentials are
+ * valid or if we can use the default credentials cache. Credentials
+ * handle must be locked.
+ */
+int
+gssEapCanReauthP(gss_cred_id_t cred,
+ gss_name_t target,
+ OM_uint32 timeReq)
+{
+ time_t now, expiryReq;
+ OM_uint32 minor;
+
+ assert(cred != GSS_C_NO_CREDENTIAL);
+
+ now = time(NULL);
+ expiryReq = now;
+ if (timeReq != GSS_C_INDEFINITE)
+ expiryReq += timeReq;
+
+ if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq)
+ return TRUE;
+
+ if (getDefaultReauthCredentials(&minor, cred, target,
+ now, timeReq) == GSS_S_COMPLETE)
+ return TRUE;
+
+ return FALSE;
+}
+
+/*
* Store re-authentication (Kerberos) credentials in a credential handle.
+ * Credentials handle must be locked.
*/
OM_uint32
gssEapStoreReauthCreds(OM_uint32 *minor,
gss_cred_id_t cred,
gss_buffer_t credBuf)
{
- OM_uint32 major = GSS_S_COMPLETE, code;
+ OM_uint32 major = GSS_S_COMPLETE;
+ krb5_error_code code;
krb5_context krbContext = NULL;
krb5_auth_context authContext = NULL;
krb5_data credData = { 0 };
krb5_creds **creds = NULL;
krb5_principal canonPrinc;
+ krb5_principal ccPrinc = NULL;
int i;
if (credBuf->length == 0 || cred == GSS_C_NO_CREDENTIAL)
krb5_free_principal(krbContext, cred->name->krbPrincipal);
cred->name->krbPrincipal = canonPrinc;
- cred->expiryTime = creds[0]->times.endtime;
+ if (creds[0]->times.endtime == KRB5_INT32_MAX)
+ cred->expiryTime = 0;
+ else
+ cred->expiryTime = creds[0]->times.endtime;
- code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
- if (code != 0)
- goto cleanup;
+ if (cred->krbCredCache == NULL) {
+ if (reauthUseCredsCache(krbContext, creds[0]->client) &&
+ krb5_cc_default(krbContext, &cred->krbCredCache) == 0)
+ cred->flags |= CRED_FLAG_DEFAULT_CCACHE;
+ } else {
+ /*
+ * If we already have an associated credentials cache, possibly from
+ * the last time we stored a reauthentication credential, then we
+ * need to clear it out and release the associated GSS credential.
+ */
+ if (cred->flags & CRED_FLAG_DEFAULT_CCACHE) {
+ krb5_cc_remove_cred(krbContext, cred->krbCredCache, 0, creds[0]);
+ } else {
+ krb5_cc_destroy(krbContext, cred->krbCredCache);
+ cred->krbCredCache = NULL;
+ }
+ gssReleaseCred(minor, &cred->krbCred);
+ }
- code = krb5_cc_initialize(krbContext, cred->krbCredCache,
- creds[0]->client);
- if (code != 0)
- goto cleanup;
+ if (cred->krbCredCache == NULL) {
+ code = krb5_cc_new_unique(krbContext, "MEMORY", NULL, &cred->krbCredCache);
+ if (code != 0)
+ goto cleanup;
+ }
+
+ if ((cred->flags & CRED_FLAG_DEFAULT_CCACHE) == 0 ||
+ krb5_cc_get_principal(krbContext, cred->krbCredCache, &ccPrinc) != 0) {
+ code = krb5_cc_initialize(krbContext, cred->krbCredCache,
+ creds[0]->client);
+ if (code != 0)
+ goto cleanup;
+ }
for (i = 0; creds[i] != NULL; i++) {
krb5_creds kcred = *(creds[i]);
goto cleanup;
}
- /*
- * To turn a credentials cache into a GSS credentials handle, we
- * require the gss_krb5_import_cred() API (present in Heimdal, but
- * not shipped in MIT yet).
- */
major = gss_krb5_import_cred(minor, cred->krbCredCache, NULL, NULL,
&cred->krbCred);
if (GSS_ERROR(major))
cleanup:
*minor = code;
+ krb5_free_principal(krbContext, ccPrinc);
krb5_auth_con_free(krbContext, authContext);
if (creds != NULL) {
for (i = 0; creds[i] != NULL; i++)
krb5_free_creds(krbContext, creds[i]);
+ GSSEAP_FREE(creds);
}
if (major == GSS_S_COMPLETE)
major = *minor ? GSS_S_FAILURE : GSS_S_COMPLETE;
gss_buffer_t,
int *);
-#define NEXT_SYMBOL(local, global) ((local) = dlsym(RTLD_NEXT, (global)))
+#define NEXT_SYMBOL(local, global) do { \
+ ((local) = dlsym(RTLD_NEXT, (global))); \
+ if ((local) == NULL) { \
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL; \
+ major = GSS_S_UNAVAILABLE; \
+ /* but continue */ \
+ } \
+ } while (0)
OM_uint32
gssEapReauthInitialize(OM_uint32 *minor)
{
+ OM_uint32 major = GSS_S_COMPLETE;
+
NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context");
NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context");
NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred");
NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred");
NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute");
- return GSS_S_COMPLETE;
+ return major;
}
OM_uint32
OM_uint32 *ret_flags,
OM_uint32 *time_rec)
{
- if (gssInitSecContextNext == NULL)
+ if (gssInitSecContextNext == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssInitSecContextNext(minor, cred, context_handle,
target_name, mech_type, req_flags,
OM_uint32 *time_rec,
gss_cred_id_t *delegated_cred_handle)
{
- if (gssAcceptSecContextNext == NULL)
+ if (gssAcceptSecContextNext == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssAcceptSecContextNext(minor, context_handle, cred,
input_token, input_chan_bindings,
gssReleaseCred(OM_uint32 *minor,
gss_cred_id_t *cred_handle)
{
- if (gssReleaseCredNext == NULL)
+ if (gssReleaseCredNext == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssReleaseCredNext(minor, cred_handle);
}
gssReleaseName(OM_uint32 *minor,
gss_name_t *name)
{
- if (gssReleaseName == NULL)
+ if (gssReleaseName == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssReleaseNameNext(minor, name);
}
gss_ctx_id_t *context_handle,
gss_buffer_t output_token)
{
- if (gssDeleteSecContextNext == NULL)
+ if (gssDeleteSecContextNext == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssDeleteSecContextNext(minor, context_handle, output_token);
}
gss_buffer_t buffer,
gss_OID *name_type)
{
- if (gssDisplayNameNext == NULL)
+ if (gssDisplayNameNext == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssDisplayNameNext(minor, name, buffer, name_type);
}
gss_OID name_type,
gss_name_t *name)
{
- if (gssImportNameNext == NULL)
+ if (gssImportNameNext == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssImportNameNext(minor, buffer, name_type, name);
}
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
- if (gssInquireSecContextByOidNext == NULL)
+ if (gssInquireSecContextByOidNext == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssInquireSecContextByOidNext(minor, context_handle,
desired_object, data_set);
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
- if (gssStoreCredNext == NULL)
+ if (gssStoreCredNext == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssStoreCredNext(minor, input_cred_handle, input_usage,
desired_mech, overwrite_cred, default_cred,
gss_buffer_t display_value,
int *more)
{
- if (gssGetNameAttributeNext == NULL)
+ if (gssGetNameAttributeNext == NULL) {
+ *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
return GSS_S_UNAVAILABLE;
+ }
return gssGetNameAttributeNext(minor, name, attr, authenticated, complete,
value, display_value, more);