From a7ce2b2f04c83e37b8f26327414f7398a6450a87 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Sat, 1 Jan 2011 21:01:20 +1100 Subject: [PATCH] Partial build of reauth code against Heimdal --- Makefile.am | 2 + acinclude.m4 | 3 +- configure.ac | 2 +- util.h | 25 ++++++-- util_krb.c | 70 ++++++++++++++++++++ util_reauth.c | 203 +++++++++++++++++++++++++++++++++++++++++++++++++++------- 6 files changed, 277 insertions(+), 28 deletions(-) diff --git a/Makefile.am b/Makefile.am index fa81241..533a2d4 100644 --- a/Makefile.am +++ b/Makefile.am @@ -94,6 +94,7 @@ mech_eap_la_SOURCES = \ if GSSEAP_ENABLE_REAUTH mech_eap_la_SOURCES += util_reauth.c +if !HEIMDAL krb5pluginsdir = $(libdir)/krb5/plugins/authdata krb5plugins_LTLIBRARIES = radius_ad.la @@ -104,6 +105,7 @@ radius_ad_la_LDFLAGS = -avoid-version -module \ radius_ad_la_LIBADD = @KRB5_LIBS@ radius_ad_la_SOURCES = util_adshim.c endif +endif gsseap_err.h: gsseap_err.et $(COMPILE_ET) $< diff --git a/acinclude.m4 b/acinclude.m4 index 242a1f0..ba85af3 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -37,7 +37,8 @@ else AC_CHECK_LIB(gssapi_krb5, GSS_C_NT_COMPOSITE_EXPORT, [AC_DEFINE_UNQUOTED([HAVE_GSS_C_NT_COMPOSITE_EXPORT], 1, [Define if GSS-API library supports recent naming extensions draft])], [], "$KRB5_LIBS") AC_CHECK_LIB(gssapi_krb5, gss_inquire_attrs_for_mech, [AC_DEFINE_UNQUOTED([HAVE_GSS_INQUIRE_ATTRS_FOR_MECH], 1, [Define if GSS-API library supports RFC 5587])], [], "$KRB5_LIBS") AC_CHECK_LIB(gssapi_krb5, gss_krb5_import_cred, [AC_DEFINE_UNQUOTED([HAVE_GSS_KRB5_IMPORT_CRED], 1, [Define if GSS-API library supports gss_krb5_import_cred])], [], "$KRB5_LIBS") - AC_CHECK_LIB(krb5, heimdal_version, [AC_DEFINE_UNQUOTED([HAVE_HEIMDAL_VERSION], 1, [Define if building against Heimdal Kerberos implementation])], [], "$KRB5_LIBS") + AC_CHECK_LIB(krb5, heimdal_version, [AC_DEFINE_UNQUOTED([HAVE_HEIMDAL_VERSION], 1, [Define if building against Heimdal Kerberos implementation]), heimdal=yes], [heimdal=no], "$KRB5_LIBS") + AM_CONDITIONAL(HEIMDAL, test "x$heimdal" != "xno") fi ])dnl diff --git a/configure.ac b/configure.ac index 9967ee4..e5a351b 100644 --- a/configure.ac +++ b/configure.ac @@ -41,7 +41,7 @@ if test "x$reauth" = "xyes" ; then echo "Fast reauthentication protocol enabled" TARGET_CFLAGS="$TARGET_CFLAGS -DGSSEAP_ENABLE_REAUTH" fi -AM_CONDITIONAL(GSSEAP_ENABLE_REAUTH, test "$reauth" = "yes") +AM_CONDITIONAL(GSSEAP_ENABLE_REAUTH, test "x$reauth" != "xno") AC_SUBST(TARGET_CFLAGS) AC_SUBST(TARGET_LDFLAGS) diff --git a/util.h b/util.h index 16af15e..826a335 100644 --- a/util.h +++ b/util.h @@ -300,10 +300,12 @@ gssEapVerifyExtensions(OM_uint32 *minor, /* util_krb.c */ #ifdef HAVE_HEIMDAL_VERSION +#define KRB_TIME_FOREVER ((time_t)~0L) #define KRB_KEY_TYPE(key) ((key)->keytype) #define KRB_KEY_DATA(key) ((key)->keyvalue.data) #define KRB_KEY_LENGTH(key) ((key)->keyvalue.length) #else +#define KRB_TIME_FOREVER KRB5_INT32_MAX #define KRB_KEY_TYPE(key) ((key)->enctype) #define KRB_KEY_DATA(key) ((key)->contents) #define KRB_KEY_LENGTH(key) ((key)->length) @@ -319,11 +321,13 @@ gssEapVerifyExtensions(OM_uint32 *minor, #define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len) #define KRB_PRINC_TYPE(princ) ((princ)->name.name_type) #define KRB_PRINC_NAME(princ) ((princ)->name.name_string.val) +#define KRB_PRINC_REALM(princ) ((princ)->realm) #define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto) #else #define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ))) #define KRB_PRINC_TYPE(princ) (krb5_princ_type(NULL, (princ))) #define KRB_PRINC_NAME(princ) (krb5_princ_name(NULL, (princ))) +#define KRB_PRINC_REALM(princ) (krb5_princ_realm(NULL, (princ))) #define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key) #endif /* HAVE_HEIMDAL_VERSION */ @@ -389,6 +393,19 @@ krbEnctypeToString(krb5_context krbContext, const char *prefix, gss_buffer_t string); +krb5_error_code +krbMakeAuthDataKdcIssued(krb5_context context, + const krb5_keyblock *key, + krb5_const_principal issuer, +#ifdef HAVE_HEIMDAL_VERSION + const AuthorizationData *authdata, + AuthorizationData *adKdcIssued +#else + krb5_authdata *const *authdata, + krb5_authdata ***adKdcIssued +#endif + ); + /* util_lucid.c */ OM_uint32 gssEapExportLucidSecContext(OM_uint32 *minor, @@ -699,7 +716,7 @@ krbPrincComponentToGssBuffer(krb5_principal krbPrinc, int index, gss_buffer_t buffer) { #ifdef HAVE_HEIMDAL_VERSION - buffer->value = (void *)krbPrinc->name.name_string.val[index]; + buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index]; buffer->length = strlen((char *)buffer->value); #else buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data; @@ -711,10 +728,10 @@ static inline void krbPrincRealmToGssBuffer(krb5_principal krbPrinc, gss_buffer_t buffer) { #ifdef HAVE_HEIMDAL_VERSION - buffer->value = (void *)krbPrinc->realm; - buffer->length = strlen(krbPrinc->realm); + buffer->value = (void *)KRB_PRINC_REALM(krbPrinc); + buffer->length = strlen((char *)buffer->value); #else - krbDataToGssBuffer(krb5_princ_realm(NULL, krbPrinc), buffer); + krbDataToGssBuffer(KRB_PRINC_REALM(krbPrinc), buffer); #endif } diff --git a/util_krb.c b/util_krb.c index 82d6c50..dca48a4 100644 --- a/util_krb.c +++ b/util_krb.c @@ -415,3 +415,73 @@ krbEnctypeToString(krb5_context krbContext, return 0; } + +krb5_error_code +krbMakeAuthDataKdcIssued(krb5_context context, + const krb5_keyblock *key, + krb5_const_principal issuer, +#ifdef HAVE_HEIMDAL_VERSION + const AuthorizationData *authdata, + AuthorizationData *adKdcIssued +#else + krb5_authdata *const *authdata, + krb5_authdata ***adKdcIssued +#endif + ) +{ +#ifdef HAVE_HEIMDAL_VERSION + krb5_error_code code; + AD_KDCIssued kdcIssued; + AuthorizationDataElement adDatum; + unsigned char *buf; + size_t buf_size, len; + krb5_crypto crypto = NULL; + + memset(&kdcIssued, 0, sizeof(kdcIssued)); + memset(adKdcIssued, 0, sizeof(*adKdcIssued)); + + kdcIssued.i_realm = issuer->realm != NULL ? &issuer->realm : NULL; + kdcIssued.i_sname = &issuer->name; + kdcIssued.elements = *authdata; + + ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, authdata, &len, code); + if (code != 0) + goto cleanup; + + code = krb5_crypto_init(context, key, 0, &crypto); + if (code != 0) + goto cleanup; + + code = krb5_create_checksum(context, crypto, KRB5_KU_AD_KDC_ISSUED, + 0, buf, buf_size, &kdcIssued.ad_checksum); + if (code != 0) + goto cleanup; + + GSSEAP_FREE(buf); + buf = NULL; + + ASN1_MALLOC_ENCODE(AD_KDCIssued, buf, buf_size, &kdcIssued, &len, code); + if (code != 0) + goto cleanup; + + adDatum.ad_type = KRB5_AUTHDATA_KDC_ISSUED; + adDatum.ad_data.length = buf_size; + adDatum.ad_data.data = buf; + + code = add_AuthorizationData(adKdcIssued, &adDatum); + if (code != 0) + goto cleanup; + +cleanup: + if (buf != NULL) + GSSEAP_FREE(buf); + if (crypto != NULL) + krb5_crypto_destroy(context, crypto); + free_Checksum(&kdcIssued.ad_checksum); + + return code; +#else + return krb5_make_authdata_kdc_issued(context, key, issuer, authdata, + adKdcIssued); +#endif /* HAVE_HEIMDAL_VERSION */ +} diff --git a/util_reauth.c b/util_reauth.c index 47be2a3..0a8373d 100644 --- a/util_reauth.c +++ b/util_reauth.c @@ -70,7 +70,11 @@ getAcceptorKey(krb5_context krbContext, krb5_error_code code; krb5_keytab keytab = NULL; krb5_keytab_entry ktent = { 0 }; +#ifdef HAVE_HEIMDAL_VERSION + krb5_kt_cursor cursor = { 0 }; +#else krb5_kt_cursor cursor = NULL; +#endif *princ = NULL; memset(key, 0, sizeof(*key)); @@ -96,16 +100,27 @@ getAcceptorKey(krb5_context krbContext, while ((code = krb5_kt_next_entry(krbContext, keytab, &ktent, &cursor)) == 0) { +#ifdef HAVE_HEIMDAL_VERSION + if (ktent.keyblock.keytype == ctx->encryptionType) + break; + else + krb5_kt_free_entry(krbContext, &ktent); +#else if (ktent.key.enctype == ctx->encryptionType) break; else krb5_free_keytab_entry_contents(krbContext, &ktent); +#endif } } if (code == 0) { *princ = ktent.principal; +#ifdef HAVE_HEIMDAL_VERSION + *key = ktent.keyblock; +#else *key = ktent.key; +#endif } cleanup: @@ -114,7 +129,11 @@ cleanup: krb5_kt_close(krbContext, keytab); if (code != 0) +#ifdef HAVE_HEIMDAL_VERSION + krb5_kt_free_entry(krbContext, &ktent); +#else krb5_free_keytab_entry_contents(krbContext, &ktent); +#endif return code; } @@ -124,12 +143,22 @@ freezeAttrContext(OM_uint32 *minor, gss_name_t initiatorName, krb5_const_principal acceptorPrinc, krb5_keyblock *session, - krb5_authdata ***authdata) +#ifdef HAVE_HEIMDAL_VERSION + krb5_authdata *authdata +#else + krb5_authdata ***authdata +#endif + ) { OM_uint32 major, tmpMinor; krb5_error_code code; gss_buffer_desc attrBuf = GSS_C_EMPTY_BUFFER; +#ifdef HAVE_HEIMDAL_VERSION + AuthorizationData authDataBuf, *authData = &authDataBuf; + AuthorizationDataElement authDatum = { 0 }; +#else krb5_authdata *authData[2], authDatum = { 0 }; +#endif krb5_context krbContext; GSSEAP_KRB_INIT(&krbContext); @@ -139,13 +168,20 @@ freezeAttrContext(OM_uint32 *minor, return major; authDatum.ad_type = KRB5_AUTHDATA_RADIUS_AVP; +#ifdef HAVE_HEIMDAL_VERSION + authDatum.ad_data.length = attrBuf.length; + authDatum.ad_data.data = attrBuf.value; + authData->len = 1; + authData->val = &authDatum; +#else authDatum.length = attrBuf.length; authDatum.contents = attrBuf.value; authData[0] = &authDatum; authData[1] = NULL; +#endif - code = krb5_make_authdata_kdc_issued(krbContext, session, acceptorPrinc, - authData, authdata); + code = krbMakeAuthDataKdcIssued(krbContext, session, acceptorPrinc, + authData, authdata); if (code != 0) { major = GSS_S_FAILURE; *minor = code; @@ -170,27 +206,44 @@ gssEapMakeReauthCreds(OM_uint32 *minor, OM_uint32 major = GSS_S_COMPLETE; krb5_error_code code; krb5_context krbContext = NULL; - krb5_ticket ticket = { 0 }; krb5_keyblock session = { 0 }, acceptorKey = { 0 }; - krb5_enc_tkt_part enc_part = { 0 }; + krb5_principal server = NULL; +#ifdef HAVE_HEIMDAL_VERSION + Ticket ticket; + EncTicketPart enc_part; + AuthorizationData authData = { 0 }; + krb5_crypto krbCrypto = NULL; + unsigned char *buf = NULL; + size_t buf_size, len; +#else + krb5_ticket ticket; + krb5_enc_tkt_part enc_part; +#endif krb5_data *ticketData = NULL, *credsData = NULL; krb5_creds creds = { 0 }; krb5_auth_context authContext = NULL; + memset(&ticket, 0, sizeof(ticket)); + memset(&enc_part, 0, sizeof(enc_part)); + credBuf->length = 0; credBuf->value = NULL; GSSEAP_KRB_INIT(&krbContext); - code = getAcceptorKey(krbContext, ctx, cred, - &ticket.server, &acceptorKey); + code = getAcceptorKey(krbContext, ctx, cred, &server, &acceptorKey); if (code == KRB5_KT_NOTFOUND) { *minor = code; return GSS_S_UNAVAILABLE; } else if (code != 0) goto cleanup; - enc_part.flags = TKT_FLG_INITIAL; +#ifdef HAVE_HEIMDAL_VERSION + ticket.realm = server->realm; + ticket.sname = server->name; +#else + ticket.server = server; +#endif /* * Generate a random session key to place in the ticket and @@ -201,16 +254,59 @@ gssEapMakeReauthCreds(OM_uint32 *minor, if (code != 0) goto cleanup; +#ifdef HAVE_HEIMDAL_VERSION + enc_part.flags.initial = 1; + enc_part.key = session; + enc_part.crealm = ctx->initiatorName->krbPrincipal->realm; + enc_part.cname = ctx->initiatorName->krbPrincipal->name; + enc_part.authtime = time(NULL); + enc_part.starttime = &enc_part.authtime; + enc_part.endtime = (ctx->expiryTime != 0) + ? ctx->expiryTime : KRB_TIME_FOREVER; + enc_part.renew_till = NULL; + enc_part.authorization_data = &authData; + + major = freezeAttrContext(minor, ctx->initiatorName, server, + &session, &authData); + if (GSS_ERROR(major)) + goto cleanup; + + ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, &enc_part, &len, code); + if (code != 0) + goto cleanup; + + code = krb5_crypto_init(krbContext, &acceptorKey, 0, &krbCrypto); + if (code != 0) + goto cleanup; + + code = krb5_encrypt_EncryptedData(krbContext, + krbCrypto, + KRB5_KU_TICKET, + buf, + len, + 0, + &ticket.enc_part); + if (code != 0) + goto cleanup; + + GSSEAP_FREE(buf); + buf = NULL; + + ASN1_MALLOC_ENCODE(Ticket, buf, buf_size, &ticket, &len, code); + if (code != 0) + goto cleanup; +#else + enc_part.flags = TKT_FLG_INITIAL; enc_part.session = &session; enc_part.client = ctx->initiatorName->krbPrincipal; enc_part.times.authtime = time(NULL); enc_part.times.starttime = enc_part.times.authtime; enc_part.times.endtime = (ctx->expiryTime != 0) ? ctx->expiryTime - : KRB5_INT32_MAX; + : KRB_TIME_FOREVER; enc_part.times.renew_till = 0; - major = freezeAttrContext(minor, ctx->initiatorName, ticket.server, + major = freezeAttrContext(minor, ctx->initiatorName, server, &session, &enc_part.authorization_data); if (GSS_ERROR(major)) goto cleanup; @@ -224,14 +320,26 @@ gssEapMakeReauthCreds(OM_uint32 *minor, code = encode_krb5_ticket(&ticket, &ticketData); if (code != 0) goto cleanup; - - creds.client = enc_part.client; - creds.server = ticket.server; +#endif /* HAVE_HEIMDAL_VERSION */ + + creds.client = ctx->initiatorName->krbPrincipal; + creds.server = server; +#ifdef HAVE_HEIMDAL_VERSION + creds.session = session; + creds.times.authtime = enc_part.authtime; + creds.times.starttime = *enc_part.starttime; + creds.times.endtime = enc_part.endtime; + creds.times.renew_till = 0; + creds.flags.b = enc_part.flags; + creds.ticket = *ticketData; + creds.authdata = authData; +#else creds.keyblock = session; creds.times = enc_part.times; creds.ticket_flags = enc_part.flags; creds.ticket = *ticketData; creds.authdata = enc_part.authorization_data; +#endif code = krb5_auth_con_init(krbContext, &authContext); if (code != 0) @@ -253,19 +361,29 @@ gssEapMakeReauthCreds(OM_uint32 *minor, krbDataToGssBuffer(credsData, credBuf); cleanup: +#ifdef HAVE_HEIMDAL_VERSION + if (krbCrypto != NULL) + krb5_crypto_destroy(krbContext, krbCrypto); + if (buf != NULL) + GSSEAP_FREE(buf); + free_AuthorizationData(&authData); + free_EncryptedData(&ticket.enc_part); +#else + krb5_free_authdata(krbContext, enc_part.authorization_data); if (ticket.enc_part.ciphertext.data != NULL) GSSEAP_FREE(ticket.enc_part.ciphertext.data); +#endif krb5_free_keyblock_contents(krbContext, &session); + krb5_free_principal(krbContext, server); krb5_free_keyblock_contents(krbContext, &acceptorKey); krb5_free_data(krbContext, ticketData); krb5_auth_con_free(krbContext, authContext); - krb5_free_authdata(krbContext, enc_part.authorization_data); if (credsData != NULL) GSSEAP_FREE(credsData); if (major == GSS_S_COMPLETE) { *minor = code; - major = code != 0 ? GSS_S_FAILURE : GSS_S_COMPLETE; + major = (code != 0) ? GSS_S_FAILURE : GSS_S_COMPLETE; } return major; @@ -276,9 +394,14 @@ isTicketGrantingServiceP(krb5_context krbContext, krb5_const_principal principal) { if (KRB_PRINC_LENGTH(principal) == 2 && +#ifdef HAVE_HEIMDAL_VERSION + strcmp(KRB_PRINC_NAME(principal)[0], "krbtgt") == 0 +#else krb5_princ_component(krbContext, principal, 0)->length == 6 && memcmp(krb5_princ_component(krbContext, - principal, 0)->data, "krbtgt", 6) == 0) + principal, 0)->data, "krbtgt", 6) == 0 +#endif + ) return TRUE; return FALSE; @@ -296,7 +419,7 @@ reauthUseCredsCache(krb5_context krbContext, /* if reauth_use_ccache, use default credentials cache if ticket is for us */ krb5_appdefault_boolean(krbContext, "eap_gss", - krb5_princ_realm(krbContext, principal), + KRB_PRINC_REALM(principal), "reauth_use_ccache", 0, &reauthUseCCache); return reauthUseCCache; @@ -444,7 +567,7 @@ gssEapStoreReauthCreds(OM_uint32 *minor, krb5_free_principal(krbContext, cred->name->krbPrincipal); cred->name->krbPrincipal = canonPrinc; - if (creds[0]->times.endtime == KRB5_INT32_MAX) + if (creds[0]->times.endtime == KRB_TIME_FOREVER) cred->expiryTime = 0; else cred->expiryTime = creds[0]->times.endtime; @@ -649,18 +772,52 @@ gssEapReauthComplete(OM_uint32 *minor, { OM_uint32 major, tmpMinor; gss_buffer_set_t keyData = GSS_C_NO_BUFFER_SET; + krb5_context krbContext = NULL; +#ifdef HAVE_HEIMDAL_VERSION + krb5_storage *sp = NULL; +#endif + + GSSEAP_KRB_INIT(&krbContext); if (!oidEqual(mech, gss_mech_krb5)) { major = GSS_S_BAD_MECH; goto cleanup; } - /* Get the raw subsession key and encryption type*/ + /* Get the raw subsession key and encryption type */ +#ifdef HAVE_HEIMDAL_VERSION +#define KRB_GSS_SUBKEY_COUNT 1 /* encoded session key */ + major = gssInquireSecContextByOid(minor, ctx->kerberosCtx, + GSS_KRB5_GET_SUBKEY_X, &keyData); +#else +#define KRB_GSS_SUBKEY_COUNT 2 /* raw session key, enctype OID */ major = gssInquireSecContextByOid(minor, ctx->kerberosCtx, GSS_C_INQ_SSPI_SESSION_KEY, &keyData); +#endif if (GSS_ERROR(major)) goto cleanup; + if (keyData == GSS_C_NO_BUFFER_SET || keyData->count < KRB_GSS_SUBKEY_COUNT) { + *minor = GSSEAP_KEY_UNAVAILABLE; + major = GSS_S_FAILURE; + goto cleanup; + } + +#ifdef HAVE_HEIMDAL_VERSION + sp = krb5_storage_from_mem(keyData->elements[0].value, + keyData->elements[0].length); + if (sp == NULL) { + *minor = ENOMEM; + major = GSS_S_FAILURE; + goto cleanup; + } + + *minor = krb5_ret_keyblock(sp, &ctx->rfc3961Key); + if (*minor != 0) { + major = GSS_S_FAILURE; + goto cleanup; + } +#else { gss_OID_desc oid; int suffix; @@ -679,11 +836,8 @@ gssEapReauthComplete(OM_uint32 *minor, } { - krb5_context krbContext = NULL; krb5_keyblock key; - GSSEAP_KRB_INIT(&krbContext); - KRB_KEY_LENGTH(&key) = keyData->elements[0].length; KRB_KEY_DATA(&key) = keyData->elements[0].value; KRB_KEY_TYPE(&key) = ctx->encryptionType; @@ -695,6 +849,7 @@ gssEapReauthComplete(OM_uint32 *minor, goto cleanup; } } +#endif /* HAVE_HEIMDAL_VERSION */ major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key, &ctx->checksumType); @@ -716,6 +871,10 @@ gssEapReauthComplete(OM_uint32 *minor, major = GSS_S_COMPLETE; cleanup: +#ifdef HAVE_HEIMDAL_VERSION + if (sp != NULL) + krb5_storage_free(sp); +#endif gss_release_buffer_set(&tmpMinor, &keyData); return major; -- 2.1.4