/*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
GSSEAP_KEY_CREATE(&krbContextKey, destroyKrbContext);
}
+static krb5_error_code
+initKrbContext(krb5_context *pKrbContext)
+{
+ krb5_context krbContext;
+ krb5_error_code code;
+ char *defaultRealm = NULL;
+
+ *pKrbContext = NULL;
+
+ code = krb5_init_context(&krbContext);
+ if (code != 0)
+ goto cleanup;
+
+ krb5_appdefault_string(krbContext, "eap_gss",
+ NULL, "default_realm", "", &defaultRealm);
+
+ if (defaultRealm != NULL && defaultRealm[0] != '\0') {
+ code = krb5_set_default_realm(krbContext, defaultRealm);
+ if (code != 0)
+ goto cleanup;
+ }
+
+ *pKrbContext = krbContext;
+
+cleanup:
+ if (code != 0 && krbContext != NULL)
+ krb5_free_context(krbContext);
+
+ if (defaultRealm != NULL)
+ GSSEAP_FREE(defaultRealm);
+
+ return code;
+}
+
OM_uint32
gssEapKerberosInit(OM_uint32 *minor, krb5_context *context)
{
*context = GSSEAP_GETSPECIFIC(krbContextKey);
if (*context == NULL) {
- *minor = krb5_init_context(context);
+ *minor = initKrbContext(context);
if (*minor == 0) {
if (GSSEAP_SETSPECIFIC(krbContextKey, *context) != 0) {
*minor = errno;
}
krb5_error_code
-krbEnctypeToString(krb5_context krbContext,
+krbEnctypeToString(
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_context krbContext,
+#else
+ krb5_context krbContext GSSEAP_UNUSED,
+#endif
krb5_enctype enctype,
const char *prefix,
gss_buffer_t string)
memset(&kdcIssued, 0, sizeof(kdcIssued));
memset(adKdcIssued, 0, sizeof(*adKdcIssued));
- kdcIssued.i_realm = issuer->realm != NULL ? &issuer->realm : NULL;
- kdcIssued.i_sname = &issuer->name;
+ kdcIssued.i_realm = issuer->realm != NULL ? (Realm *)&issuer->realm : NULL;
+ kdcIssued.i_sname = (PrincipalName *)&issuer->name;
kdcIssued.elements = *authdata;
ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, authdata, &len, code);
adKdcIssued);
#endif /* HAVE_HEIMDAL_VERSION */
}
+
+krb5_error_code
+krbMakeCred(krb5_context krbContext,
+ krb5_auth_context authContext,
+ krb5_creds *creds,
+ krb5_data *data)
+{
+ krb5_error_code code;
+#ifdef HAVE_HEIMDAL_VERSION
+ KRB_CRED krbCred;
+ KrbCredInfo krbCredInfo;
+ EncKrbCredPart encKrbCredPart;
+ krb5_keyblock *key;
+ krb5_crypto krbCrypto = NULL;
+ krb5_data encKrbCredPartData;
+ krb5_replay_data rdata;
+ size_t len;
+#else
+ krb5_data *d = NULL;
+#endif
+
+ memset(data, 0, sizeof(*data));
+#ifdef HAVE_HEIMDAL_VERSION
+ memset(&krbCred, 0, sizeof(krbCred));
+ memset(&krbCredInfo, 0, sizeof(krbCredInfo));
+ memset(&encKrbCredPart, 0, sizeof(encKrbCredPart));
+ memset(&rdata, 0, sizeof(rdata));
+
+ if (authContext->local_subkey)
+ key = authContext->local_subkey;
+ else if (authContext->remote_subkey)
+ key = authContext->remote_subkey;
+ else
+ key = authContext->keyblock;
+
+ krbCred.pvno = 5;
+ krbCred.msg_type = krb_cred;
+ krbCred.tickets.val = (Ticket *)GSSEAP_CALLOC(1, sizeof(Ticket));
+ if (krbCred.tickets.val == NULL) {
+ code = ENOMEM;
+ goto cleanup;
+ }
+ krbCred.tickets.len = 1;
+
+ code = decode_Ticket(creds->ticket.data,
+ creds->ticket.length,
+ krbCred.tickets.val, &len);
+ if (code != 0)
+ goto cleanup;
+
+ krbCredInfo.key = creds->session;
+ krbCredInfo.prealm = &creds->client->realm;
+ krbCredInfo.pname = &creds->client->name;
+ krbCredInfo.flags = &creds->flags.b;
+ krbCredInfo.authtime = &creds->times.authtime;
+ krbCredInfo.starttime = &creds->times.starttime;
+ krbCredInfo.endtime = &creds->times.endtime;
+ krbCredInfo.renew_till = &creds->times.renew_till;
+ krbCredInfo.srealm = &creds->server->realm;
+ krbCredInfo.sname = &creds->server->name;
+ krbCredInfo.caddr = creds->addresses.len ? &creds->addresses : NULL;
+
+ encKrbCredPart.ticket_info.len = 1;
+ encKrbCredPart.ticket_info.val = &krbCredInfo;
+ if (authContext->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+ rdata.seq = authContext->local_seqnumber;
+ encKrbCredPart.nonce = (int32_t *)&rdata.seq;
+ } else {
+ encKrbCredPart.nonce = NULL;
+ }
+ if (authContext->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+ krb5_us_timeofday(krbContext, &rdata.timestamp, &rdata.usec);
+ encKrbCredPart.timestamp = &rdata.timestamp;
+ encKrbCredPart.usec = &rdata.usec;
+ } else {
+ encKrbCredPart.timestamp = NULL;
+ encKrbCredPart.usec = NULL;
+ }
+ encKrbCredPart.s_address = authContext->local_address;
+ encKrbCredPart.r_address = authContext->remote_address;
+
+ ASN1_MALLOC_ENCODE(EncKrbCredPart, encKrbCredPartData.data,
+ encKrbCredPartData.length, &encKrbCredPart,
+ &len, code);
+ if (code != 0)
+ goto cleanup;
+
+ code = krb5_crypto_init(krbContext, key, 0, &krbCrypto);
+ if (code != 0)
+ goto cleanup;
+
+ code = krb5_encrypt_EncryptedData(krbContext,
+ krbCrypto,
+ KRB5_KU_KRB_CRED,
+ encKrbCredPartData.data,
+ encKrbCredPartData.length,
+ 0,
+ &krbCred.enc_part);
+ if (code != 0)
+ goto cleanup;
+
+ ASN1_MALLOC_ENCODE(KRB_CRED, data->data, data->length,
+ &krbCred, &len, code);
+ if (code != 0)
+ goto cleanup;
+
+ if (authContext->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
+ authContext->local_seqnumber++;
+
+cleanup:
+ if (krbCrypto != NULL)
+ krb5_crypto_destroy(krbContext, krbCrypto);
+ free_KRB_CRED(&krbCred);
+ krb5_data_free(&encKrbCredPartData);
+
+ return code;
+#else
+ code = krb5_mk_1cred(krbContext, authContext, creds, &d, NULL);
+ if (code == 0) {
+ *data = *d;
+ GSSEAP_FREE(d);
+ }
+
+ return code;
+#endif /* HAVE_HEIMDAL_VERSION */
+}
projects / moonshot.git / blobdiff