2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * Serialise a security context. On the acceptor, this may be partially
38 #include "gssapiP_eap.h"
41 exportPartialRadiusContext(OM_uint32 *minor,
45 OM_uint32 major, tmpMinor;
46 size_t length, serverLen = 0;
48 char serverBuf[MAXHOSTNAMELEN];
50 if (ctx->acceptorCtx.radConn != NULL) {
51 if (rs_conn_get_current_peer(ctx->acceptorCtx.radConn,
52 serverBuf, sizeof(serverBuf)) != 0) {
54 return gssEapRadiusMapError(minor,
55 rs_err_conn_pop(ctx->acceptorCtx.radConn));
57 serverBuf[0] = '\0'; /* not implemented yet */
60 serverLen = strlen(serverBuf);
63 length = 4 + serverLen + 4 + ctx->acceptorCtx.state.length;
65 token->value = GSSEAP_MALLOC(length);
66 if (token->value == NULL) {
67 major = GSS_S_FAILURE;
71 token->length = length;
73 p = (unsigned char *)token->value;
75 store_uint32_be(serverLen, p);
78 memcpy(p, serverBuf, serverLen);
82 store_uint32_be(ctx->acceptorCtx.state.length, p);
84 if (ctx->acceptorCtx.state.length != 0) {
85 memcpy(p, ctx->acceptorCtx.state.value,
86 ctx->acceptorCtx.state.length);
87 p += ctx->acceptorCtx.state.length;
90 assert(p == (unsigned char *)token->value + token->length);
92 major = GSS_S_COMPLETE;
97 gss_release_buffer(&tmpMinor, token);
103 gssEapExportSecContext(OM_uint32 *minor,
107 OM_uint32 major, tmpMinor;
109 gss_buffer_desc initiatorName = GSS_C_EMPTY_BUFFER;
110 gss_buffer_desc acceptorName = GSS_C_EMPTY_BUFFER;
111 gss_buffer_desc partialCtx = GSS_C_EMPTY_BUFFER;
115 if ((CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx)) ||
116 ctx->mechanismUsed == GSS_C_NO_OID) {
117 *minor = GSSEAP_CONTEXT_INCOMPLETE;
118 return GSS_S_NO_CONTEXT;
121 key.length = KRB_KEY_LENGTH(&ctx->rfc3961Key);
122 key.value = KRB_KEY_DATA(&ctx->rfc3961Key);
124 if (ctx->initiatorName != GSS_C_NO_NAME) {
125 major = gssEapExportNameInternal(minor, ctx->initiatorName,
127 EXPORT_NAME_FLAG_COMPOSITE);
128 if (GSS_ERROR(major))
132 if (ctx->acceptorName != GSS_C_NO_NAME) {
133 major = gssEapExportNameInternal(minor, ctx->acceptorName,
135 EXPORT_NAME_FLAG_COMPOSITE);
136 if (GSS_ERROR(major))
141 * The partial context is only transmitted for unestablished acceptor
144 if (!CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx) &&
145 (ctx->flags & CTX_FLAG_KRB_REAUTH) == 0) {
146 major = exportPartialRadiusContext(minor, ctx, &partialCtx);
147 if (GSS_ERROR(major))
151 length = 16; /* version, state, flags, */
152 length += 4 + ctx->mechanismUsed->length; /* mechanismUsed */
153 length += 12 + key.length; /* rfc3961Key.value */
154 length += 4 + initiatorName.length; /* initiatorName.value */
155 length += 4 + acceptorName.length; /* acceptorName.value */
156 length += 24 + sequenceSize(ctx->seqState); /* seqState */
158 if (!CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx))
159 length += 4 + ctx->conversation.length;
161 if (partialCtx.value != NULL)
162 length += 4 + partialCtx.length; /* partialCtx.value */
164 token->value = GSSEAP_MALLOC(length);
165 if (token->value == NULL) {
166 major = GSS_S_FAILURE;
170 token->length = length;
172 p = (unsigned char *)token->value;
174 store_uint32_be(EAP_EXPORT_CONTEXT_V1, &p[0]); /* version */
175 store_uint32_be(GSSEAP_SM_STATE(ctx), &p[4]);
176 store_uint32_be(ctx->flags, &p[8]);
177 store_uint32_be(ctx->gssFlags, &p[12]);
178 p = store_oid(ctx->mechanismUsed, &p[16]);
180 store_uint32_be(ctx->checksumType, &p[0]);
181 store_uint32_be(ctx->encryptionType, &p[4]);
182 p = store_buffer(&key, &p[8], FALSE);
184 p = store_buffer(&initiatorName, p, FALSE);
185 p = store_buffer(&acceptorName, p, FALSE);
187 store_uint64_be(ctx->expiryTime, &p[0]);
188 store_uint64_be(ctx->sendSeq, &p[8]);
189 store_uint64_be(ctx->recvSeq, &p[16]);
192 major = sequenceExternalize(minor, ctx->seqState, &p, &length);
193 if (GSS_ERROR(major))
196 if (!CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx))
197 p = store_buffer(&ctx->conversation, p, FALSE);
199 if (partialCtx.value != NULL)
200 p = store_buffer(&partialCtx, p, FALSE);
202 assert(p == (unsigned char *)token->value + token->length);
204 major = GSS_S_COMPLETE;
208 if (GSS_ERROR(major))
209 gss_release_buffer(&tmpMinor, token);
210 gss_release_buffer(&tmpMinor, &initiatorName);
211 gss_release_buffer(&tmpMinor, &acceptorName);
212 gss_release_buffer(&tmpMinor, &partialCtx);
218 gss_export_sec_context(OM_uint32 *minor,
219 gss_ctx_id_t *context_handle,
220 gss_buffer_t interprocess_token)
222 OM_uint32 major, tmpMinor;
223 gss_ctx_id_t ctx = *context_handle;
225 interprocess_token->length = 0;
226 interprocess_token->value = NULL;
228 if (ctx == GSS_C_NO_CONTEXT) {
230 return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT;
235 GSSEAP_MUTEX_LOCK(&ctx->mutex);
237 major = gssEapExportSecContext(minor, ctx, interprocess_token);
238 if (GSS_ERROR(major)) {
239 GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
243 *context_handle = GSS_C_NO_CONTEXT;
245 GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
247 gssEapReleaseContext(&tmpMinor, &ctx);
249 return GSS_S_COMPLETE;