/*
 * Mark an acceptor context as ready for cryptographic operations
 */
static OM_uint32
acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
{
    OM_uint32 major, tmpMinor;
    VALUE_PAIR *vp;
    gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;

    gssEapReleaseName(&tmpMinor, &ctx->initiatorName);

    major = gssEapRadiusGetRawAvp(minor, ctx->acceptorCtx.vps,
                                  PW_USER_NAME, 0, &vp);
    if (major == GSS_S_COMPLETE && vp->length) {
        nameBuf.length = vp->length;
        nameBuf.value = vp->vp_strvalue;
    } else {
        ctx->gssFlags |= GSS_C_ANON_FLAG;
    }

    major = gssEapImportName(minor, &nameBuf,
                             (ctx->gssFlags & GSS_C_ANON_FLAG) ?
                                GSS_C_NT_ANONYMOUS : GSS_C_NT_USER_NAME,
                             ctx->mechanismUsed,
                             &ctx->initiatorName);
    if (GSS_ERROR(major))
        return major;

    major = gssEapRadiusGetRawAvp(minor, ctx->acceptorCtx.vps,
                                  PW_MS_MPPE_SEND_KEY, VENDORPEC_MS, &vp);
    if (GSS_ERROR(major)) {
        *minor = GSSEAP_KEY_UNAVAILABLE;
        return GSS_S_UNAVAILABLE;
    }

    major = sequenceInit(minor,
                         &ctx->seqState, ctx->recvSeq,
                         ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0),
                         ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0),
                         TRUE);
    if (GSS_ERROR(major))
        return major;

    major = gssEapCreateAttrContext(minor, cred, ctx,
                                    &ctx->initiatorName->attrCtx,
                                    &ctx->expiryTime);
    if (GSS_ERROR(major))
        return major;

    if (ctx->expiryTime != 0 && ctx->expiryTime < time(NULL)) {
        *minor = GSSEAP_CRED_EXPIRED;
        return GSS_S_CREDENTIALS_EXPIRED;
    }

    *minor = 0;
    return GSS_S_COMPLETE;
}
OM_uint32 GSSAPI_CALLCONV
gss_import_name(OM_uint32 *minor,
                gss_buffer_t import_name_buffer,
                gss_OID input_name_type,
                gss_name_t *output_name)
{
    return gssEapImportName(minor, import_name_buffer,
                            input_name_type, GSS_C_NO_OID, output_name);
/* #ifdef MECH_EAP
#else
    return GSS_S_UNAVAILABLE;
#endif */
}
Exemple #3
0
static OM_uint32
staticIdentityFileResolveInitiatorCred(OM_uint32 *minor, gss_cred_id_t cred)
{
    OM_uint32 major, tmpMinor;
    gss_buffer_desc defaultIdentity = GSS_C_EMPTY_BUFFER;
    gss_name_t defaultIdentityName = GSS_C_NO_NAME;
    gss_buffer_desc defaultPassword = GSS_C_EMPTY_BUFFER;
    int isDefaultIdentity = 0;

    major = readStaticIdentityFile(minor, &defaultIdentity, &defaultPassword);
    if (GSS_ERROR(major))
        goto cleanup;

    major = gssEapImportName(minor, &defaultIdentity, GSS_C_NT_USER_NAME,
                             gssEapPrimaryMechForCred(cred), &defaultIdentityName);
    if (GSS_ERROR(major))
        goto cleanup;

    if (defaultIdentityName == GSS_C_NO_NAME) {
        if (cred->name == GSS_C_NO_NAME) {
            major = GSS_S_CRED_UNAVAIL;
            *minor = GSSEAP_NO_DEFAULT_IDENTITY;
            goto cleanup;
        }
    } else {
        if (cred->name == GSS_C_NO_NAME) {
            cred->name = defaultIdentityName;
            defaultIdentityName = GSS_C_NO_NAME;
            isDefaultIdentity = 1;
        } else {
            major = gssEapCompareName(minor, cred->name,
                                      defaultIdentityName, &isDefaultIdentity);
            if (GSS_ERROR(major))
                goto cleanup;
        }
    }

    if (isDefaultIdentity &&
        (cred->flags & CRED_FLAG_PASSWORD) == 0) {
        major = gssEapSetCredPassword(minor, cred, &defaultPassword);
        if (GSS_ERROR(major))
            goto cleanup;
    }

cleanup:
    gssEapReleaseName(&tmpMinor, &defaultIdentityName);
    zeroAndReleasePassword(&defaultPassword);
    gss_release_buffer(&tmpMinor, &defaultIdentity);

    return major;
}
Exemple #4
0
static OM_uint32
gssEapResolveCredIdentity(OM_uint32 *minor,
                          gss_cred_id_t cred)
{
    OM_uint32 major;
    gss_OID nameMech = gssEapPrimaryMechForCred(cred);

    if (cred->name != GSS_C_NO_NAME) {
        *minor = 0;
        return GSS_S_COMPLETE;
    }

    if (cred->flags & CRED_FLAG_ACCEPT) {
        gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
        char serviceName[5 + MAXHOSTNAMELEN];

        /* default host-based service is host@localhost */
        memcpy(serviceName, "host@", 5);
        if (gethostname(&serviceName[5], MAXHOSTNAMELEN) != 0) {
            *minor = GSSEAP_NO_HOSTNAME;
            return GSS_S_FAILURE;
        }

        nameBuf.value = serviceName;
        nameBuf.length = strlen((char *)nameBuf.value);

        major = gssEapImportName(minor, &nameBuf, GSS_C_NT_HOSTBASED_SERVICE,
                                 nameMech, &cred->name);
        if (GSS_ERROR(major))
            return major;
    } else if (cred->flags & CRED_FLAG_INITIATE) {
#ifdef HAVE_MOONSHOT_GET_IDENTITY
        major = libMoonshotResolveDefaultIdentity(minor, cred, &cred->name);
        if (major == GSS_S_CRED_UNAVAIL)
#endif
            major = staticIdentityFileResolveDefaultIdentity(minor, cred, &cred->name);
        if (major != GSS_S_CRED_UNAVAIL)
            return major;
    }

    *minor = 0;
    return GSS_S_COMPLETE;
}
Exemple #5
0
static OM_uint32
staticIdentityFileResolveDefaultIdentity(OM_uint32 *minor,
                                         const gss_cred_id_t cred,
                                         gss_name_t *pName)
{
    OM_uint32 major, tmpMinor;
    gss_OID nameMech = gssEapPrimaryMechForCred(cred);
    gss_buffer_desc defaultIdentity = GSS_C_EMPTY_BUFFER;

    *pName = GSS_C_NO_NAME;

    major = readStaticIdentityFile(minor, &defaultIdentity, GSS_C_NO_BUFFER);
    if (major == GSS_S_COMPLETE) {
        major = gssEapImportName(minor, &defaultIdentity, GSS_C_NT_USER_NAME,
                                 nameMech, pName);
    }

    gss_release_buffer(&tmpMinor, &defaultIdentity);

    return major;
}
/*
 * Mark an acceptor context as ready for cryptographic operations
 */
static OM_uint32
acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
{
    OM_uint32 major, tmpMinor;
    rs_const_avp *vp;
    gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;

    /* Cache encryption type derived from selected mechanism OID */
    major = gssEapOidToEnctype(minor, ctx->mechanismUsed,
                               &ctx->encryptionType);
    if (GSS_ERROR(major))
        return major;

    gssEapReleaseName(&tmpMinor, &ctx->initiatorName);

    major = gssEapRadiusGetRawAvp(minor, ctx->acceptorCtx.vps,
                                  PW_USER_NAME, 0, &vp);
    if (major == GSS_S_COMPLETE && rs_avp_length(vp) != 0) {
        rs_avp_octets_value_byref((rs_avp *)vp,
                                  (unsigned char **)&nameBuf.value,
                                  &nameBuf.length);
    } else {
        ctx->gssFlags |= GSS_C_ANON_FLAG;
    }

    major = gssEapImportName(minor, &nameBuf,
                             (ctx->gssFlags & GSS_C_ANON_FLAG) ?
                                GSS_C_NT_ANONYMOUS : GSS_C_NT_USER_NAME,
                             ctx->mechanismUsed,
                             &ctx->initiatorName);
    if (GSS_ERROR(major))
        return major;

    major = gssEapRadiusGetRawAvp(minor, ctx->acceptorCtx.vps,
                                  PW_MS_MPPE_SEND_KEY, VENDORPEC_MICROSOFT, &vp);
    if (GSS_ERROR(major)) {
        *minor = GSSEAP_KEY_UNAVAILABLE;
        return GSS_S_UNAVAILABLE;
    }

    major = gssEapDeriveRfc3961Key(minor,
                                   rs_avp_octets_value_const_ptr(vp),
                                   rs_avp_length(vp),
                                   ctx->encryptionType,
                                   &ctx->rfc3961Key);
    if (GSS_ERROR(major))
        return major;

    major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key,
                                       &ctx->checksumType);
    if (GSS_ERROR(major))
        return major;

    major = sequenceInit(minor,
                         &ctx->seqState, ctx->recvSeq,
                         ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0),
                         ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0),
                         TRUE);
    if (GSS_ERROR(major))
        return major;

    major = gssEapCreateAttrContext(minor, cred, ctx,
                                    &ctx->initiatorName->attrCtx,
                                    &ctx->expiryTime);
    if (GSS_ERROR(major))
        return major;

    if (ctx->expiryTime != 0 && ctx->expiryTime < time(NULL)) {
        *minor = GSSEAP_CRED_EXPIRED;
        return GSS_S_CREDENTIALS_EXPIRED;
    }

    *minor = 0;
    return GSS_S_COMPLETE;
}
/*
 * Mark an acceptor context as ready for cryptographic operations
 */
static OM_uint32
acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
{
    OM_uint32 major, tmpMinor;
#ifdef MECH_EAP
    VALUE_PAIR *vp;
    gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;


    /* Cache encryption type derived from selected mechanism OID */
    major = gssEapOidToEnctype(minor, ctx->mechanismUsed,
                               &ctx->encryptionType);
#else
    /* Cache encryption type specified by IdP */
    major = krbStringToEnctype(gl_encryption_type, &ctx->encryptionType);
#endif
    if (GSS_ERROR(major))
        return major;

#ifdef MECH_EAP
    gssEapReleaseName(&tmpMinor, &ctx->initiatorName);

    major = gssEapRadiusGetRawAvp(minor, ctx->acceptorCtx.vps,
                                  PW_USER_NAME, 0, &vp);
    if (major == GSS_S_COMPLETE && vp->length) {
        nameBuf.length = vp->length;
        nameBuf.value = vp->vp_strvalue;
    } else {
        ctx->gssFlags |= GSS_C_ANON_FLAG;
    }

    major = gssEapImportName(minor, &nameBuf,
                             (ctx->gssFlags & GSS_C_ANON_FLAG) ?
                             GSS_C_NT_ANONYMOUS : GSS_C_NT_USER_NAME,
                             ctx->mechanismUsed,
                             &ctx->initiatorName);
    if (GSS_ERROR(major))
        return major;

    major = gssEapRadiusGetRawAvp(minor, ctx->acceptorCtx.vps,
                                  PW_MS_MPPE_SEND_KEY, VENDORPEC_MS, &vp);
    if (GSS_ERROR(major)) {
        *minor = GSSEAP_KEY_UNAVAILABLE;
        return GSS_S_UNAVAILABLE;
    }

    major = gssEapDeriveRfc3961Key(minor,
                                   rs_avp_octets_value_const_ptr(vp),
                                   rs_avp_length(vp),
                                   ctx->encryptionType,
                                   &ctx->rfc3961Key);
#else
    major = gssEapDeriveRfc3961Key(minor,
                                   gl_generated_key,
                                   strlen(gl_generated_key),
                                   ctx->encryptionType,
                                   &ctx->rfc3961Key);
#endif
    if (GSS_ERROR(major))
        return major;

    major = rfc3961ChecksumTypeForKey(minor, &ctx->rfc3961Key,
                                      &ctx->checksumType);
    if (GSS_ERROR(major))
        return major;

    major = sequenceInit(minor,
                         &ctx->seqState, ctx->recvSeq,
                         ((ctx->gssFlags & GSS_C_REPLAY_FLAG) != 0),
                         ((ctx->gssFlags & GSS_C_SEQUENCE_FLAG) != 0),
                         TRUE);
    if (GSS_ERROR(major))
        return major;

#ifdef MECH_EAP

    major = gssEapCreateAttrContext(minor, cred, ctx,
                                    &ctx->initiatorName->attrCtx,
                                    &ctx->expiryTime);
    if (GSS_ERROR(major))
        return major;
#else
    ctx->expiryTime = 0; /* indefinite */
#endif

    if (ctx->expiryTime != 0 && ctx->expiryTime < time(NULL)) {
        *minor = GSSEAP_CRED_EXPIRED;
        return GSS_S_CREDENTIALS_EXPIRED;
    }

#ifndef MECH_EAP
    ctx->gssFlags |= GSS_C_PROT_READY_FLAG;
#endif

    *minor = 0;
    return GSS_S_COMPLETE;
}