/* util_krb.c */
#ifdef HAVE_HEIMDAL_VERSION
+#define KRB_TIME_FOREVER ((time_t)~0L)
#define KRB_KEY_TYPE(key) ((key)->keytype)
#define KRB_KEY_DATA(key) ((key)->keyvalue.data)
#define KRB_KEY_LENGTH(key) ((key)->keyvalue.length)
#else
+#define KRB_TIME_FOREVER KRB5_INT32_MAX
#define KRB_KEY_TYPE(key) ((key)->enctype)
#define KRB_KEY_DATA(key) ((key)->contents)
#define KRB_KEY_LENGTH(key) ((key)->length)
#define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len)
#define KRB_PRINC_TYPE(princ) ((princ)->name.name_type)
#define KRB_PRINC_NAME(princ) ((princ)->name.name_string.val)
+#define KRB_PRINC_REALM(princ) ((princ)->realm)
#define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto)
#else
#define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ)))
#define KRB_PRINC_TYPE(princ) (krb5_princ_type(NULL, (princ)))
#define KRB_PRINC_NAME(princ) (krb5_princ_name(NULL, (princ)))
+#define KRB_PRINC_REALM(princ) (krb5_princ_realm(NULL, (princ)))
#define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key)
#endif /* HAVE_HEIMDAL_VERSION */
const char *prefix,
gss_buffer_t string);
+krb5_error_code
+krbMakeAuthDataKdcIssued(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_const_principal issuer,
+#ifdef HAVE_HEIMDAL_VERSION
+ const AuthorizationData *authdata,
+ AuthorizationData *adKdcIssued
+#else
+ krb5_authdata *const *authdata,
+ krb5_authdata ***adKdcIssued
+#endif
+ );
+
/* util_lucid.c */
OM_uint32
gssEapExportLucidSecContext(OM_uint32 *minor,
int index, gss_buffer_t buffer)
{
#ifdef HAVE_HEIMDAL_VERSION
- buffer->value = (void *)krbPrinc->name.name_string.val[index];
+ buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index];
buffer->length = strlen((char *)buffer->value);
#else
buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data;
krbPrincRealmToGssBuffer(krb5_principal krbPrinc, gss_buffer_t buffer)
{
#ifdef HAVE_HEIMDAL_VERSION
- buffer->value = (void *)krbPrinc->realm;
- buffer->length = strlen(krbPrinc->realm);
+ buffer->value = (void *)KRB_PRINC_REALM(krbPrinc);
+ buffer->length = strlen((char *)buffer->value);
#else
- krbDataToGssBuffer(krb5_princ_realm(NULL, krbPrinc), buffer);
+ krbDataToGssBuffer(KRB_PRINC_REALM(krbPrinc), buffer);
#endif
}
return 0;
}
+
+krb5_error_code
+krbMakeAuthDataKdcIssued(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_const_principal issuer,
+#ifdef HAVE_HEIMDAL_VERSION
+ const AuthorizationData *authdata,
+ AuthorizationData *adKdcIssued
+#else
+ krb5_authdata *const *authdata,
+ krb5_authdata ***adKdcIssued
+#endif
+ )
+{
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_error_code code;
+ AD_KDCIssued kdcIssued;
+ AuthorizationDataElement adDatum;
+ unsigned char *buf;
+ size_t buf_size, len;
+ krb5_crypto crypto = NULL;
+
+ memset(&kdcIssued, 0, sizeof(kdcIssued));
+ memset(adKdcIssued, 0, sizeof(*adKdcIssued));
+
+ kdcIssued.i_realm = issuer->realm != NULL ? &issuer->realm : NULL;
+ kdcIssued.i_sname = &issuer->name;
+ kdcIssued.elements = *authdata;
+
+ ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, authdata, &len, code);
+ if (code != 0)
+ goto cleanup;
+
+ code = krb5_crypto_init(context, key, 0, &crypto);
+ if (code != 0)
+ goto cleanup;
+
+ code = krb5_create_checksum(context, crypto, KRB5_KU_AD_KDC_ISSUED,
+ 0, buf, buf_size, &kdcIssued.ad_checksum);
+ if (code != 0)
+ goto cleanup;
+
+ GSSEAP_FREE(buf);
+ buf = NULL;
+
+ ASN1_MALLOC_ENCODE(AD_KDCIssued, buf, buf_size, &kdcIssued, &len, code);
+ if (code != 0)
+ goto cleanup;
+
+ adDatum.ad_type = KRB5_AUTHDATA_KDC_ISSUED;
+ adDatum.ad_data.length = buf_size;
+ adDatum.ad_data.data = buf;
+
+ code = add_AuthorizationData(adKdcIssued, &adDatum);
+ if (code != 0)
+ goto cleanup;
+
+cleanup:
+ if (buf != NULL)
+ GSSEAP_FREE(buf);
+ if (crypto != NULL)
+ krb5_crypto_destroy(context, crypto);
+ free_Checksum(&kdcIssued.ad_checksum);
+
+ return code;
+#else
+ return krb5_make_authdata_kdc_issued(context, key, issuer, authdata,
+ adKdcIssued);
+#endif /* HAVE_HEIMDAL_VERSION */
+}
krb5_error_code code;
krb5_keytab keytab = NULL;
krb5_keytab_entry ktent = { 0 };
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_kt_cursor cursor = { 0 };
+#else
krb5_kt_cursor cursor = NULL;
+#endif
*princ = NULL;
memset(key, 0, sizeof(*key));
while ((code = krb5_kt_next_entry(krbContext, keytab,
&ktent, &cursor)) == 0) {
+#ifdef HAVE_HEIMDAL_VERSION
+ if (ktent.keyblock.keytype == ctx->encryptionType)
+ break;
+ else
+ krb5_kt_free_entry(krbContext, &ktent);
+#else
if (ktent.key.enctype == ctx->encryptionType)
break;
else
krb5_free_keytab_entry_contents(krbContext, &ktent);
+#endif
}
}
if (code == 0) {
*princ = ktent.principal;
+#ifdef HAVE_HEIMDAL_VERSION
+ *key = ktent.keyblock;
+#else
*key = ktent.key;
+#endif
}
cleanup:
krb5_kt_close(krbContext, keytab);
if (code != 0)
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_kt_free_entry(krbContext, &ktent);
+#else
krb5_free_keytab_entry_contents(krbContext, &ktent);
+#endif
return code;
}
gss_name_t initiatorName,
krb5_const_principal acceptorPrinc,
krb5_keyblock *session,
- krb5_authdata ***authdata)
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_authdata *authdata
+#else
+ krb5_authdata ***authdata
+#endif
+ )
{
OM_uint32 major, tmpMinor;
krb5_error_code code;
gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER;
+#ifdef HAVE_HEIMDAL_VERSION
+ AuthorizationData authDataBuf, *authData = &authDataBuf;
+ AuthorizationDataElement authDatum = { 0 };
+#else
krb5_authdata *authData[2], authDatum = { 0 };
+#endif
krb5_context krbContext;
GSSEAP_KRB_INIT(&krbContext);
return major;
authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP;
+#ifdef HAVE_HEIMDAL_VERSION
+ authDatum.ad_data.length = attrBuf.length;
+ authDatum.ad_data.data = attrBuf.value;
+ authData->len = 1;
+ authData->val = &authDatum;
+#else
authDatum.length = attrBuf.length;
authDatum.contents = attrBuf.value;
authData[0] = &authDatum;
authData[1] = NULL;
+#endif
- code = krb5_make_authdata_kdc_issued(krbContext, session, acceptorPrinc,
- authData, authdata);
+ code = krbMakeAuthDataKdcIssued(krbContext, session, acceptorPrinc,
+ authData, authdata);
if (code != 0) {
major = GSS_S_FAILURE;
*minor = code;
OM_uint32 major = GSS_S_COMPLETE;
krb5_error_code code;
krb5_context krbContext = NULL;
- krb5_ticket ticket = { 0 };
krb5_keyblock session = { 0 }, acceptorKey = { 0 };
- krb5_enc_tkt_part enc_part = { 0 };
+ krb5_principal server = NULL;
+#ifdef HAVE_HEIMDAL_VERSION
+ Ticket ticket;
+ EncTicketPart enc_part;
+ AuthorizationData authData = { 0 };
+ krb5_crypto krbCrypto = NULL;
+ unsigned char *buf = NULL;
+ size_t buf_size, len;
+#else
+ krb5_ticket ticket;
+ krb5_enc_tkt_part enc_part;
+#endif
krb5_data *ticketData = NULL, *credsData = NULL;
krb5_creds creds = { 0 };
krb5_auth_context authContext = NULL;
+ memset(&ticket, 0, sizeof(ticket));
+ memset(&enc_part, 0, sizeof(enc_part));
+
credBuf->length = 0;
credBuf->value = NULL;
GSSEAP_KRB_INIT(&krbContext);
- code = getAcceptorKey(krbContext, ctx, cred,
- &ticket.server, &acceptorKey);
+ code = getAcceptorKey(krbContext, ctx, cred, &server, &acceptorKey);
if (code == KRB5_KT_NOTFOUND) {
*minor = code;
return GSS_S_UNAVAILABLE;
} else if (code != 0)
goto cleanup;
- enc_part.flags = TKT_FLG_INITIAL;
+#ifdef HAVE_HEIMDAL_VERSION
+ ticket.realm = server->realm;
+ ticket.sname = server->name;
+#else
+ ticket.server = server;
+#endif
/*
* Generate a random session key to place in the ticket and
if (code != 0)
goto cleanup;
+#ifdef HAVE_HEIMDAL_VERSION
+ enc_part.flags.initial = 1;
+ enc_part.key = session;
+ enc_part.crealm = ctx->initiatorName->krbPrincipal->realm;
+ enc_part.cname = ctx->initiatorName->krbPrincipal->name;
+ enc_part.authtime = time(NULL);
+ enc_part.starttime = &enc_part.authtime;
+ enc_part.endtime = (ctx->expiryTime != 0)
+ ? ctx->expiryTime : KRB_TIME_FOREVER;
+ enc_part.renew_till = NULL;
+ enc_part.authorization_data = &authData;
+
+ major = freezeAttrContext(minor, ctx->initiatorName, server,
+ &session, &authData);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, &enc_part, &len, code);
+ if (code != 0)
+ goto cleanup;
+
+ code = krb5_crypto_init(krbContext, &acceptorKey, 0, &krbCrypto);
+ if (code != 0)
+ goto cleanup;
+
+ code = krb5_encrypt_EncryptedData(krbContext,
+ krbCrypto,
+ KRB5_KU_TICKET,
+ buf,
+ len,
+ 0,
+ &ticket.enc_part);
+ if (code != 0)
+ goto cleanup;
+
+ GSSEAP_FREE(buf);
+ buf = NULL;
+
+ ASN1_MALLOC_ENCODE(Ticket, buf, buf_size, &ticket, &len, code);
+ if (code != 0)
+ goto cleanup;
+#else
+ enc_part.flags = TKT_FLG_INITIAL;
enc_part.session = &session;
enc_part.client = ctx->initiatorName->krbPrincipal;
enc_part.times.authtime = time(NULL);
enc_part.times.starttime = enc_part.times.authtime;
enc_part.times.endtime = (ctx->expiryTime != 0)
? ctx->expiryTime
- : KRB5_INT32_MAX;
+ : KRB_TIME_FOREVER;
enc_part.times.renew_till = 0;
- major = freezeAttrContext(minor, ctx->initiatorName, ticket.server,
+ major = freezeAttrContext(minor, ctx->initiatorName, server,
&session, &enc_part.authorization_data);
if (GSS_ERROR(major))
goto cleanup;
code = encode_krb5_ticket(&ticket, &ticketData);
if (code != 0)
goto cleanup;
-
- creds.client = enc_part.client;
- creds.server = ticket.server;
+#endif /* HAVE_HEIMDAL_VERSION */
+
+ creds.client = ctx->initiatorName->krbPrincipal;
+ creds.server = server;
+#ifdef HAVE_HEIMDAL_VERSION
+ creds.session = session;
+ creds.times.authtime = enc_part.authtime;
+ creds.times.starttime = *enc_part.starttime;
+ creds.times.endtime = enc_part.endtime;
+ creds.times.renew_till = 0;
+ creds.flags.b = enc_part.flags;
+ creds.ticket = *ticketData;
+ creds.authdata = authData;
+#else
creds.keyblock = session;
creds.times = enc_part.times;
creds.ticket_flags = enc_part.flags;
creds.ticket = *ticketData;
creds.authdata = enc_part.authorization_data;
+#endif
code = krb5_auth_con_init(krbContext, &authContext);
if (code != 0)
krbDataToGssBuffer(credsData, credBuf);
cleanup:
+#ifdef HAVE_HEIMDAL_VERSION
+ if (krbCrypto != NULL)
+ krb5_crypto_destroy(krbContext, krbCrypto);
+ if (buf != NULL)
+ GSSEAP_FREE(buf);
+ free_AuthorizationData(&authData);
+ free_EncryptedData(&ticket.enc_part);
+#else
+ krb5_free_authdata(krbContext, enc_part.authorization_data);
if (ticket.enc_part.ciphertext.data != NULL)
GSSEAP_FREE(ticket.enc_part.ciphertext.data);
+#endif
krb5_free_keyblock_contents(krbContext, &session);
+ krb5_free_principal(krbContext, server);
krb5_free_keyblock_contents(krbContext, &acceptorKey);
krb5_free_data(krbContext, ticketData);
krb5_auth_con_free(krbContext, authContext);
- krb5_free_authdata(krbContext, enc_part.authorization_data);
if (credsData != NULL)
GSSEAP_FREE(credsData);
if (major == GSS_S_COMPLETE) {
*minor = code;
- major = code != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE;
+ major = (code != 0) ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
return major;
krb5_const_principal principal)
{
if (KRB_PRINC_LENGTH(principal) == 2 &&
+#ifdef HAVE_HEIMDAL_VERSION
+ strcmp(KRB_PRINC_NAME(principal)[0], "krbtgt") == 0
+#else
krb5_princ_component(krbContext, principal, 0)->length == 6 &&
memcmp(krb5_princ_component(krbContext,
- principal, 0)->data, "krbtgt", 6) == 0)
+ principal, 0)->data, "krbtgt", 6) == 0
+#endif
+ )
return TRUE;
return FALSE;
/* if reauth_use_ccache, use default credentials cache if ticket is for us */
krb5_appdefault_boolean(krbContext, "eap_gss",
- krb5_princ_realm(krbContext, principal),
+ KRB_PRINC_REALM(principal),
"reauth_use_ccache", 0, &reauthUseCCache);
return reauthUseCCache;
krb5_free_principal(krbContext, cred->name->krbPrincipal);
cred->name->krbPrincipal = canonPrinc;
- if (creds[0]->times.endtime == KRB5_INT32_MAX)
+ if (creds[0]->times.endtime == KRB_TIME_FOREVER)
cred->expiryTime = 0;
else
cred->expiryTime = creds[0]->times.endtime;
{
OM_uint32 major, tmpMinor;
gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET;
+ krb5_context krbContext = NULL;
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_storage *sp = NULL;
+#endif
+
+ GSSEAP_KRB_INIT(&krbContext);
if (!oidEqual(mech, gss_mech_krb5)) {
major = GSS_S_BAD_MECH;
goto cleanup;
}
- /* Get the raw subsession key and encryption type*/
+ /* Get the raw subsession key and encryption type */
+#ifdef HAVE_HEIMDAL_VERSION
+#define KRB_GSS_SUBKEY_COUNT 1 /* encoded session key */
+ major = gssInquireSecContextByOid(minor, ctx->kerberosCtx,
+ GSS_KRB5_GET_SUBKEY_X, &keyData);
+#else
+#define KRB_GSS_SUBKEY_COUNT 2 /* raw session key, enctype OID */
major = gssInquireSecContextByOid(minor, ctx->kerberosCtx,
GSS_C_INQ_SSPI_SESSION_KEY, &keyData);
+#endif
if (GSS_ERROR(major))
goto cleanup;
+ if (keyData == GSS_C_NO_BUFFER_SET || keyData->count < KRB_GSS_SUBKEY_COUNT) {
+ *minor = GSSEAP_KEY_UNAVAILABLE;
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
+
+#ifdef HAVE_HEIMDAL_VERSION
+ sp = krb5_storage_from_mem(keyData->elements[0].value,
+ keyData->elements[0].length);
+ if (sp == NULL) {
+ *minor = ENOMEM;
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
+
+ *minor = krb5_ret_keyblock(sp, &ctx->rfc3961Key);
+ if (*minor != 0) {
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
+#else
{
gss_OID_desc oid;
int suffix;
}
{
- krb5_context krbContext = NULL;
krb5_keyblock key;
- GSSEAP_KRB_INIT(&krbContext);
-
KRB_KEY_LENGTH(&key) = keyData->elements[0].length;
KRB_KEY_DATA(&key) = keyData->elements[0].value;
KRB_KEY_TYPE(&key) = ctx->encryptionType;
goto cleanup;
}
}
+#endif /* HAVE_HEIMDAL_VERSION */
major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key,
&ctx->checksumType);
major = GSS_S_COMPLETE;
cleanup:
+#ifdef HAVE_HEIMDAL_VERSION
+ if (sp != NULL)
+ krb5_storage_free(sp);
+#endif
gss_release_buffer_set(&tmpMinor, &keyData);
return major;