From: Luke Howard
Date: Sun, 2 Jan 2011 08:57:19 +0000 (+1100)
Subject: Merge branch 'master' of ssh://moonshot.suchdamage.org:822/srv/git/moonshot
X-Git-Tag: vm/20110310~67
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.orig;a=commitdiff_plain;h=7db57acddeddad5f96d16288b3776baf6c10c0b1;hp=bb9927f5ce8a09c29d449cfacc6f5309c42c06e0

Merge branch 'master' of ssh://moonshot.suchdamage.org:822/srv/git/moonshot

Reauth fixes

Conflicts:
	shibboleth/opensaml2
	shibboleth/sp
---

diff --git a/release_oid.c b/release_oid.c
index 947baa2..184dbab 100644
--- a/release_oid.c
+++ b/release_oid.c
@@ -40,16 +40,5 @@ OM_uint32
 gss_internal_release_oid(OM_uint32 *minor, gss_OID *oid)
 {
-    gss_OID internalizedOid = GSS_C_NO_OID;
-
-    *minor = 0;
-
-    if (gssEapInternalizeOid(*oid, &internalizedOid)) {
-        /* OID was internalized, so we can mark it as "freed" */
-        *oid = GSS_C_NO_OID;
-        return GSS_S_COMPLETE;
-    }
-
-    /* we don't know about this OID */
-    return GSS_S_CONTINUE_NEEDED;
+    return gssEapReleaseOid(minor, oid);
 }
 
diff --git a/util.h b/util.h
index 7f2e7fe..49c7c91 100644
--- a/util.h
+++ b/util.h
@@ -439,6 +439,9 @@ gssEapInternalizeOid(const gss_OID oid,
                      gss_OID *const pInternalizedOid);
 
 OM_uint32
+gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid);
+
+OM_uint32
 gssEapDefaultMech(OM_uint32 *minor, gss_OID *oid);
 
 
diff --git a/util_context.c b/util_context.c
index e54203f..0020ef6 100644
--- a/util_context.c
+++ b/util_context.c
@@ -127,7 +127,7 @@ gssEapReleaseContext(OM_uint32 *minor,
     krb5_free_keyblock_contents(krbContext, &ctx->rfc3961Key);
     gssEapReleaseName(&tmpMinor, &ctx->initiatorName);
     gssEapReleaseName(&tmpMinor, &ctx->acceptorName);
-    gss_release_oid(&tmpMinor, &ctx->mechanismUsed);
+    gssEapReleaseOid(&tmpMinor, &ctx->mechanismUsed);
     sequenceFree(&tmpMinor, &ctx->seqState);
     gssEapReleaseCred(&tmpMinor, &ctx->defaultCred);
 
diff --git a/util_krb.c b/util_krb.c
index e96f5e6..7143685 100644
--- a/util_krb.c
+++ b/util_krb.c
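Review bot: The new `gssEapReleaseOid` prototype in util.h carries no comment, and its contract is not obvious from the name: judging by the body added in util_mech.c it returns GSS_S_COMPLETE and nulls `*oid` only when the OID is one of the mechanism's internal static OIDs, and returns GSS_S_CONTINUE_NEEDED without freeing anything otherwise. Callers that substitute it for `gss_release_oid` need to know that second case. A comment above the prototype such as `/* Release an OID obtained from this mechanism; returns GSS_S_CONTINUE_NEEDED, leaving *oid untouched, if the OID is not one of ours. */` would capture it.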
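Review bot: Replacing `gss_release_oid` with `gssEapReleaseOid` on `ctx->mechanismUsed` changes what happens when the OID is not one of the mechanism's internal ones: per the body added in util_mech.c, `gssEapReleaseOid` then returns GSS_S_CONTINUE_NEEDED and frees nothing, whereas the mechglue `gss_release_oid` would have freed a heap-allocated OID. The major status is discarded here, so a leak would be silent. If `mechanismUsed` is only ever assigned from internalised OIDs this is fine; if it can hold an OID duplicated from a caller, keep the old call as the fallback, e.g. `if (gssEapReleaseOid(&tmpMinor, &ctx->mechanismUsed) == GSS_S_CONTINUE_NEEDED) gss_release_oid(&tmpMinor, &ctx->mechanismUsed);`. gssEapReleaseContext starts and ends outside the hunk.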
@@ -498,8 +498,8 @@ krbMakeCred(krb5_context krbContext,
     KrbCredInfo krbCredInfo;
     krb5_keyblock *key;
     krb5_crypto krbCrypto = NULL;
-    unsigned char *buf = NULL;
-    size_t buf_size, len;
+    krb5_data credInfoData = { 0 };
+    size_t len;
 #else
     krb5_data *d = NULL;
 #endif
@@ -540,7 +540,8 @@ krbMakeCred(krb5_context krbContext,
     krbCredInfo.sname = &creds->server->name;
     krbCredInfo.caddr = creds->addresses.len ? &creds->addresses : NULL;
 
-    ASN1_MALLOC_ENCODE(KrbCredInfo, buf, buf_size, &krbCredInfo, &len, code);
+    ASN1_MALLOC_ENCODE(KrbCredInfo, credInfoData.data, credInfoData.length,
+                       &krbCredInfo, &len, code);
     if (code != 0)
         goto cleanup;
 
@@ -551,26 +552,23 @@ krbMakeCred(krb5_context krbContext,
     code = krb5_encrypt_EncryptedData(krbContext,
                                       krbCrypto,
                                       KRB5_KU_KRB_CRED,
-                                      buf,
-                                      len,
+                                      credInfoData.data,
+                                      credInfoData.length,
                                       0,
                                       &krbCred.enc_part);
     if (code != 0)
         goto cleanup;
 
-    GSSEAP_FREE(buf);
-    buf = NULL;
-
-    ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &krbCred, &len, code);
+    ASN1_MALLOC_ENCODE(KRB_CRED, data->data, data->length,
+                       &krbCred, &len, code);
     if (code != 0)
         goto cleanup;
 
 cleanup:
-    if (buf != NULL)
-        GSSEAP_FREE(buf);
     if (krbCrypto != NULL)
         krb5_crypto_destroy(krbContext, krbCrypto);
     free_KRB_CRED(&krbCred);
+    krb5_data_free(&credInfoData);
 
     return code;
 #else
diff --git a/util_mech.c b/util_mech.c
index 81a6163..7343b31 100644
--- a/util_mech.c
+++ b/util_mech.c
@@ -282,6 +282,23 @@ gssEapInternalizeOid(const gss_OID oid,
     return 1;
 }
 
+OM_uint32
+gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid)
+{
+    gss_OID internalizedOid = GSS_C_NO_OID;
+
+    *minor = 0;
+
+    if (gssEapInternalizeOid(*oid, &internalizedOid)) {
+        /* OID was internalized, so we can mark it as "freed" */
+        *oid = GSS_C_NO_OID;
+        return GSS_S_COMPLETE;
+    }
+
+    /* we don't know about this OID */
+    return GSS_S_CONTINUE_NEEDED;
+}
+
 static gss_buffer_desc gssEapSaslMechs[] = {
     { sizeof("EAP") - 1, "EAP", }, /* not used */
     { sizeof("EAP-AES128") - 1, "EAP-AES128" },
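Review bot: After `ASN1_MALLOC_ENCODE(KrbCredInfo, credInfoData.data, credInfoData.length, &krbCredInfo, &len, code)` the code encrypts `credInfoData.length` bytes while `len`, the byte count the encoder reports having written, is never compared with it; the old code passed `len` to the encrypt call. The two should agree, but the usual Heimdal idiom makes that explicit so a mismatch cannot silently encrypt trailing uninitialised bytes, e.g. `if (len != credInfoData.length) { code = EINVAL; goto cleanup; }` directly after the macro. The same unchecked `len` appears in the EncTicketPart and Ticket encodes in util_reauth.c. krbMakeCred starts and ends outside the hunk.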
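Review bot: `credInfoData` holds the DER-encoded plaintext KrbCredInfo, which per RFC 4120 carries the credential's session key alongside the sname/caddr fields visible here, and the new cleanup releases it with a plain `krb5_data_free(&credInfoData)`, leaving the key bytes in freed heap memory. Wiping the buffer first, e.g. `if (credInfoData.data != NULL) memset_s(credInfoData.data, credInfoData.length, 0, credInfoData.length);` (or the platform's explicit_bzero) ahead of the `krb5_data_free`, keeps key material from outliving the call; the old GSSEAP_FREE path had the same gap, so this is a pre-existing weakness the rewrite is a good moment to close. The `encPartData` buffer in util_reauth.c, the plaintext EncTicketPart that carries `enc_part.key`, deserves the same treatment. krbMakeCred's cleanup path continues outside the hunk.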
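Review bot: `gssEapReleaseOid` passes `*oid` straight to `gssEapInternalizeOid` with no check for GSS_C_NO_OID, yet its new caller gssEapReleaseContext runs it on `ctx->mechanismUsed`, which on a partially initialised context may still be GSS_C_NO_OID. If gssEapInternalizeOid does not accept a null OID (its body starts outside the hunk), a guard `if (*oid == GSS_C_NO_OID) return GSS_S_COMPLETE;` before the call would make releasing an already-released OID a harmless no-op, which is the usual GSS-API convention for release functions. `internalizedOid` is only an out-parameter the function discards; a short comment such as `/* used purely as a membership test; the internalized pointer is not needed */` would save the next reader a look.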
diff --git a/util_reauth.c b/util_reauth.c
index 28dd133..8b853cb 100644
--- a/util_reauth.c
+++ b/util_reauth.c
@@ -196,13 +196,15 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
     EncTicketPart enc_part;
     AuthorizationData authData = { 0 };
     krb5_crypto krbCrypto = NULL;
-    unsigned char *buf = NULL;
-    size_t buf_size, len;
+    krb5_data ticketData = { 0 };
+    krb5_data encPartData = { 0 };
+    size_t len;
 #else
     krb5_ticket ticket;
     krb5_enc_tkt_part enc_part;
+    krb5_data *ticketData = NULL;
 #endif
-    krb5_data *ticketData = NULL, credsData = { 0 };
+    krb5_data credsData = { 0 };
     krb5_creds creds = { 0 };
     krb5_auth_context authContext = NULL;
 
@@ -232,12 +234,12 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
      * Generate a random session key to place in the ticket and
      * sign the "KDC-Issued" authorization data element.
      */
-    code = krb5_c_make_random_key(krbContext, ctx->encryptionType,
-                                  &session);
+#ifdef HAVE_HEIMDAL_VERSION
+    code = krb5_generate_random_keyblock(krbContext, ctx->encryptionType,
+                                        &session);
     if (code != 0)
         goto cleanup;
 
-#ifdef HAVE_HEIMDAL_VERSION
     enc_part.flags.initial = 1;
     enc_part.key = session;
     enc_part.crealm = ctx->initiatorName->krbPrincipal->realm;
@@ -254,7 +256,8 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
     if (GSS_ERROR(major))
         goto cleanup;
 
-    ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, &enc_part, &len, code);
+    ASN1_MALLOC_ENCODE(EncTicketPart, encPartData.data, encPartData.length,
+                       &enc_part, &len, code);
     if (code != 0)
         goto cleanup;
 
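Review bot: The comment `Generate a random session key to place in the ticket and sign the "KDC-Issued" authorization data element` now sits directly above the Heimdal-only `krb5_generate_random_keyblock` call, while the equivalent MIT `krb5_c_make_random_key` call has moved further down into the `#else` branch with no comment at all. Either keep the comment above the `#ifdef HAVE_HEIMDAL_VERSION` line so it visibly covers both branches, or add a one-liner at the MIT call, `/* MIT: random session key, matching the Heimdal branch above */`. Note also that `enc_part.key = session;` makes the ticket body alias the keyblock that cleanup later releases with `krb5_free_keyblock_contents`, which is pre-existing but worth a comment if `enc_part` is not consumed before cleanup. gssEapMakeReauthCreds starts and ends outside the hunk.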
@@ -265,20 +268,23 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
     code = krb5_encrypt_EncryptedData(krbContext,
                                       krbCrypto,
                                       KRB5_KU_TICKET,
-                                      buf,
-                                      len,
+                                      encPartData.data,
+                                      encPartData.length,
                                       0,
                                       &ticket.enc_part);
     if (code != 0)
         goto cleanup;
 
-    GSSEAP_FREE(buf);
-    buf = NULL;
-
-    ASN1_MALLOC_ENCODE(Ticket, buf, buf_size, &ticket, &len, code);
+    ASN1_MALLOC_ENCODE(Ticket, ticketData.data, ticketData.length,
+                       &ticket, &len, code);
     if (code != 0)
         goto cleanup;
 #else
+    code = krb5_c_make_random_key(krbContext, ctx->encryptionType,
+                                  &session);
+    if (code != 0)
+        goto cleanup;
+
     enc_part.flags = TKT_FLG_INITIAL;
     enc_part.session = &session;
     enc_part.client = ctx->initiatorName->krbPrincipal;
@@ -314,7 +320,7 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
     creds.times.endtime = enc_part.endtime;
     creds.times.renew_till = 0;
     creds.flags.b = enc_part.flags;
-    creds.ticket = *ticketData;
+    creds.ticket = ticketData;
     creds.authdata = authData;
 #else
     creds.keyblock = session;
@@ -347,19 +353,19 @@ cleanup:
 #ifdef HAVE_HEIMDAL_VERSION
     if (krbCrypto != NULL)
         krb5_crypto_destroy(krbContext, krbCrypto);
-    if (buf != NULL)
-        GSSEAP_FREE(buf);
     free_AuthorizationData(&authData);
     free_EncryptedData(&ticket.enc_part);
+    krb5_data_free(&ticketData);
+    krb5_data_free(&encPartData);
 #else
     krb5_free_authdata(krbContext, enc_part.authorization_data);
     if (ticket.enc_part.ciphertext.data != NULL)
         GSSEAP_FREE(ticket.enc_part.ciphertext.data);
+    krb5_free_data(krbContext, ticketData);
 #endif
     krb5_free_keyblock_contents(krbContext, &session);
     krb5_free_principal(krbContext, server);
     krb5_free_keyblock_contents(krbContext, &acceptorKey);
-    krb5_free_data(krbContext, ticketData);
     krb5_auth_con_free(krbContext, authContext);
 
     if (major == GSS_S_COMPLETE) {
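Review bot: `creds.ticket = ticketData;` on the Heimdal side copies the krb5_data struct, so `creds.ticket.data` aliases the buffer that the cleanup block now releases with `krb5_data_free(&ticketData)`; the MIT `creds.ticket = *ticketData;` with `krb5_free_data(krbContext, ticketData)` aliases in the same way. That is only safe if `creds` is fully consumed (encoded into `credsData`) before `cleanup:` and is never itself deep-freed, e.g. via krb5_free_cred_contents; otherwise it is a dangling pointer or double free. If `creds` must outlive cleanup, transfer ownership instead, `creds.ticket = ticketData; ticketData.data = NULL; ticketData.length = 0;`, or copy with krb5_data_copy and keep the free. The function continues outside the hunk, so the lifetime of `creds` is not visible here.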
@@ -1000,7 +1006,9 @@ gssEapReauthInitialize(OM_uint32 *minor)
     NEXT_SYMBOL(gssDisplayNameNext, "gss_display_name");
     NEXT_SYMBOL(gssImportNameNext, "gss_import_name");
     NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred");
+#ifndef HAVE_HEIMDAL_VERSION
     NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute");
+#endif
 
     return major;
 }
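Review bot: Wrapping `NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute")` in `#ifndef HAVE_HEIMDAL_VERSION` leaves `gssGetNameAttributeNext` unresolved on Heimdal builds, and whatever NEXT_SYMBOL leaves it as (presumably NULL, the macro is defined outside the hunk) will be called through by any user of the pointer that is not under the same conditional. Worth confirming every call site is guarded identically or checks the pointer for NULL before use. The `#ifndef` would also benefit from a one-line comment giving the reason Heimdal skips this symbol, e.g. `/* Heimdal: gss_get_name_attribute is deliberately not resolved here — <reason> */`, so the next reader does not mistake it for an oversight. gssEapReauthInitialize starts outside the hunk.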