if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) {
code = krb5_kt_get_entry(krbContext, keytab,
- cred->name->krbPrincipal, 0,
+ cred->name->krbPrincipal, 0,
ctx->encryptionType, &ktent);
if (code != 0)
goto cleanup;
memset(key, 0, sizeof(key));
}
- return code;
+ return code;
}
OM_uint32
krb5_error_code code;
krb5_context krbContext = NULL;
krb5_ticket ticket = { 0 };
- krb5_keyblock session, acceptorKey = { 0 };
+ krb5_keyblock session = { 0 }, acceptorKey = { 0 };
krb5_enc_tkt_part enc_part = { 0 };
gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER;
krb5_authdata *authData[2], authDatum = { 0 };
krb5_data *ticketData = NULL, *credsData = NULL;
krb5_creds creds = { 0 };
krb5_auth_context authContext = NULL;
-
+
credBuf->length = 0;
credBuf->value = NULL;
-
+
GSSEAP_KRB_INIT(&krbContext);
code = getAcceptorKey(krbContext, ctx, cred,
authDatum.contents = attrBuf.value;
authData[0] = &authDatum;
authData[1] = NULL;
- enc_part.authorization_data = authData;
+
+ code = krb5_make_authdata_kdc_issued(krbContext, &session,
+ ticket.server, authData,
+ &enc_part.authorization_data);
+ if (code != 0)
+ goto cleanup;
ticket.enc_part2 = &enc_part;
if (code != 0)
goto cleanup;
- code = krb5_auth_con_setsendsubkey(krbContext, authContext, &ctx->rfc3961Key);
+ code = krb5_auth_con_setsendsubkey(krbContext, authContext,
+ &ctx->rfc3961Key);
if (code != 0)
goto cleanup;
gss_release_buffer(minor, &attrBuf);
krb5_free_data(krbContext, ticketData);
krb5_auth_con_free(krbContext, authContext);
+ krb5_free_authdata(krbContext, enc_part.authorization_data);
if (credsData != NULL)
GSSEAP_FREE(credsData);
if (code != 0)
goto cleanup;
- code = krb5_cc_initialize(krbContext, cred->krbCredCache, creds[0]->client);
+ code = krb5_cc_initialize(krbContext, cred->krbCredCache,
+ creds[0]->client);
if (code != 0)
goto cleanup;
for (i = 0; creds[i] != NULL; i++) {
krb5_creds kcred = *(creds[i]);
- /* Swap in the acceptor name the client asked for so get_credentials() works */
+ /*
+ * Swap in the acceptor name the client asked for so
+ * get_credentials() works
+ */
if (!isTicketGrantingServiceP(krbContext, kcred.server))
kcred.server = ctx->acceptorName->krbPrincipal;
int ad_type,
gss_buffer_t ad_data);
+static OM_uint32 (*gssStoreCredNext)(
+ OM_uint32 *minor,
+ const gss_cred_id_t input_cred_handle,
+ gss_cred_usage_t input_usage,
+ const gss_OID desired_mech,
+ OM_uint32 overwrite_cred,
+ OM_uint32 default_cred,
+ gss_OID_set *elements_stored,
+ gss_cred_usage_t *cred_usage_stored);
+
+static OM_uint32 (*gssGetNameAttributeNext)(
+ OM_uint32 *minor,
+ gss_name_t name,
+ gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value,
+ gss_buffer_t display_value,
+ int *more);
+
+#define NEXT_SYMBOL(local, global) ((local) = dlsym(RTLD_NEXT, (global)))
+
OM_uint32
gssEapReauthInitialize(OM_uint32 *minor)
{
- gssInitSecContextNext = dlsym(RTLD_NEXT, "gss_init_sec_context");
- gssAcceptSecContextNext = dlsym(RTLD_NEXT, "gss_accept_sec_context");
- gssReleaseCredNext = dlsym(RTLD_NEXT, "gss_release_cred");
- gssReleaseNameNext = dlsym(RTLD_NEXT, "gss_release_name");
- gssInquireSecContextByOidNext = dlsym(RTLD_NEXT, "gss_inquire_sec_context_by_oid");
- gssDeleteSecContextNext = dlsym(RTLD_NEXT, "gss_delete_sec_context");
- gssDisplayNameNext = dlsym(RTLD_NEXT, "gss_display_name");
- gssImportNameNext = dlsym(RTLD_NEXT, "gss_import_name");
- gssKrbExtractAuthzDataFromSecContextNext = dlsym(RTLD_NEXT, "gsskrb5_extract_authz_data_from_sec_context");
+ NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context");
+ NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context");
+ NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred");
+ NEXT_SYMBOL(gssReleaseNameNext, "gss_release_name");
+ NEXT_SYMBOL(gssInquireSecContextByOidNext, "gss_inquire_sec_context_by_oid");
+ NEXT_SYMBOL(gssDeleteSecContextNext, "gss_delete_sec_context");
+ NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name");
+ NEXT_SYMBOL(gssImportNameNext, "gss_import_name");
+ NEXT_SYMBOL(gssKrbExtractAuthzDataFromSecContextNext, "gsskrb5_extract_authz_data_from_sec_context");
+ NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred");
+ NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute");
return GSS_S_COMPLETE;
}
if (gssKrbExtractAuthzDataFromSecContextNext == NULL)
return GSS_S_UNAVAILABLE;
- return gssKrbExtractAuthzDataFromSecContextNext(minor, ctx, ad_type, ad_data);
+ return gssKrbExtractAuthzDataFromSecContextNext(minor, ctx,
+ ad_type, ad_data);
+}
+
+OM_uint32
+gssStoreCred(OM_uint32 *minor,
+ const gss_cred_id_t input_cred_handle,
+ gss_cred_usage_t input_usage,
+ const gss_OID desired_mech,
+ OM_uint32 overwrite_cred,
+ OM_uint32 default_cred,
+ gss_OID_set *elements_stored,
+ gss_cred_usage_t *cred_usage_stored)
+{
+ if (gssStoreCredNext == NULL)
+ return GSS_S_UNAVAILABLE;
+
+ return gssStoreCredNext(minor, input_cred_handle, input_usage,
+ desired_mech, overwrite_cred, default_cred,
+ elements_stored, cred_usage_stored);
+}
+
+OM_uint32
+gssGetNameAttribute(OM_uint32 *minor,
+ gss_name_t name,
+ gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value,
+ gss_buffer_t display_value,
+ int *more)
+{
+ if (gssGetNameAttributeNext == NULL)
+ return GSS_S_UNAVAILABLE;
+
+ return gssGetNameAttributeNext(minor, name, attr, authenticated, complete,
+ value, display_value, more);
+}
+
+static gss_buffer_desc radiusAvpKrbAttr = {
+ sizeof("urn:authdata-radius-avp") - 1, "urn:authdata-radius-avp"
+};
+
+/*
+ * Unfortunately extracting an AD-KDCIssued authorization data element
+ * is pretty implementation-dependent. It's not possible to verify the
+ * signature ourselves because the ticket session key is not exposed
+ * outside GSS. In an ideal world, all AD-KDCIssued elements would be
+ * verified by the Kerberos library and authentication would fail if
+ * verification failed. We're not quite there yet and as a result have
+ * to go through some hoops to get this to work. The alternative would
+ * be to sign the authorization data with our long-term key, but it
+ * seems a pity to compromise the design because of current implementation
+ * limitations.
+ */
+OM_uint32
+defrostAttrContext(OM_uint32 *minor,
+ gss_name_t glueName,
+ gss_name_t mechName)
+{
+ OM_uint32 major, tmpMinor;
+ gss_buffer_desc authData = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc authDataDisplay = GSS_C_EMPTY_BUFFER;
+ int more = -1;
+ int authenticated, complete;
+
+ major = gssGetNameAttribute(minor, glueName, &radiusAvpKrbAttr,
+ &authenticated, &complete,
+ &authData, &authDataDisplay, &more);
+ if (major == GSS_S_COMPLETE) {
+ if (authenticated == 0)
+ major = GSS_S_BAD_NAME;
+ else
+ major = gssEapImportAttrContext(minor, &authData, mechName);
+ } else if (major == GSS_S_UNAVAILABLE) {
+ major = GSS_S_COMPLETE;
+ }
+
+ gss_release_buffer(&tmpMinor, &authData);
+ gss_release_buffer(&tmpMinor, &authDataDisplay);
+
+ return major;
}
OM_uint32
if (GSS_ERROR(major))
goto cleanup;
+ major = defrostAttrContext(minor, glueName, *pMechName);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
cleanup:
+ if (GSS_ERROR(major)) {
+ gssReleaseName(&tmpMinor, pMechName);
+ *pMechName = GSS_C_NO_NAME;
+ }
+
gss_release_buffer(&tmpMinor, &nameBuf);
return major;
return major;
}
+
projects / mech_eap.orig / blobdiff