/*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* SUCH DAMAGE.
*/
+/*
+ * Serialise a security context. On the acceptor, this may be partially
+ * established.
+ */
+
#include "gssapiP_eap.h"
+static OM_uint32
+exportPartialRadiusContext(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ gss_buffer_t token)
+{
+ OM_uint32 major, tmpMinor;
+ size_t length, serverLen = 0;
+ unsigned char *p;
+ char serverBuf[MAXHOSTNAMELEN];
+
+ if (ctx->acceptorCtx.radConn != NULL) {
+ if (rs_conn_get_current_peer(ctx->acceptorCtx.radConn,
+ serverBuf, sizeof(serverBuf)) != 0) {
+#if 0
+ return gssEapRadiusMapError(minor,
+ rs_err_conn_pop(ctx->acceptorCtx.radConn));
+#else
+ serverBuf[0] = '\0'; /* not implemented yet */
+#endif
+ }
+ serverLen = strlen(serverBuf);
+ }
+
+ length = 4 + serverLen + 4 + ctx->acceptorCtx.state.length;
+
+ token->value = GSSEAP_MALLOC(length);
+ if (token->value == NULL) {
+ major = GSS_S_FAILURE;
+ *minor = ENOMEM;
+ goto cleanup;
+ }
+ token->length = length;
+
+ p = (unsigned char *)token->value;
+
+ store_uint32_be(serverLen, p);
+ p += 4;
+ if (serverLen != 0) {
+ memcpy(p, serverBuf, serverLen);
+ p += serverLen;
+ }
+
+ store_uint32_be(ctx->acceptorCtx.state.length, p);
+ p += 4;
+ if (ctx->acceptorCtx.state.length != 0) {
+ memcpy(p, ctx->acceptorCtx.state.value,
+ ctx->acceptorCtx.state.length);
+ p += ctx->acceptorCtx.state.length;
+ }
+
+ assert(p == (unsigned char *)token->value + token->length);
+
+ major = GSS_S_COMPLETE;
+ *minor = 0;
+
+cleanup:
+ if (GSS_ERROR(major))
+ gss_release_buffer(&tmpMinor, token);
+
+ return major;
+}
+
+OM_uint32
+gssEapExportSecContext(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ gss_buffer_t token)
+{
+ OM_uint32 major, tmpMinor;
+ size_t length;
+ gss_buffer_desc initiatorName = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc acceptorName = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc partialCtx = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc key;
+ unsigned char *p;
+
+ if ((CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx)) ||
+ ctx->mechanismUsed == GSS_C_NO_OID) {
+ *minor = GSSEAP_CONTEXT_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ key.length = KRB_KEY_LENGTH(&ctx->rfc3961Key);
+ key.value = KRB_KEY_DATA(&ctx->rfc3961Key);
+
+ if (ctx->initiatorName != GSS_C_NO_NAME) {
+ major = gssEapExportNameInternal(minor, ctx->initiatorName,
+ &initiatorName,
+ EXPORT_NAME_FLAG_COMPOSITE);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ if (ctx->acceptorName != GSS_C_NO_NAME) {
+ major = gssEapExportNameInternal(minor, ctx->acceptorName,
+ &acceptorName,
+ EXPORT_NAME_FLAG_COMPOSITE);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ /*
+ * The partial context is only transmitted for unestablished acceptor
+ * contexts.
+ */
+ if (!CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx) &&
+ (ctx->flags & CTX_FLAG_KRB_REAUTH) == 0) {
+ major = gssEapExportPartialContext(minor, ctx, &partialCtx);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ length = 16; /* version, state, flags, */
+ length += 4 + ctx->mechanismUsed->length; /* mechanismUsed */
+ length += 12 + key.length; /* rfc3961Key.value */
+ length += 4 + initiatorName.length; /* initiatorName.value */
+ length += 4 + acceptorName.length; /* acceptorName.value */
+ length += 24 + sequenceSize(ctx->seqState); /* seqState */
+
+ if (!CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx))
+ length += 4 + ctx->conversation.length;
+
+ if (partialCtx.value != NULL)
+ length += 4 + partialCtx.length; /* partialCtx.value */
+
+ token->value = GSSEAP_MALLOC(length);
+ if (token->value == NULL) {
+ major = GSS_S_FAILURE;
+ *minor = ENOMEM;
+ goto cleanup;
+ }
+ token->length = length;
+
+ p = (unsigned char *)token->value;
+
+ store_uint32_be(EAP_EXPORT_CONTEXT_V1, &p[0]); /* version */
+ store_uint32_be(GSSEAP_SM_STATE(ctx), &p[4]);
+ store_uint32_be(ctx->flags, &p[8]);
+ store_uint32_be(ctx->gssFlags, &p[12]);
+ p = store_oid(ctx->mechanismUsed, &p[16]);
+
+ store_uint32_be(ctx->checksumType, &p[0]);
+ store_uint32_be(ctx->encryptionType, &p[4]);
+ p = store_buffer(&key, &p[8], FALSE);
+
+ p = store_buffer(&initiatorName, p, FALSE);
+ p = store_buffer(&acceptorName, p, FALSE);
+
+ store_uint64_be(ctx->expiryTime, &p[0]);
+ store_uint64_be(ctx->sendSeq, &p[8]);
+ store_uint64_be(ctx->recvSeq, &p[16]);
+ p += 24;
+
+ major = sequenceExternalize(minor, ctx->seqState, &p, &length);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ if (!CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx))
+ p = store_buffer(&ctx->conversation, &p, FALSE);
+
+ if (partialCtx.value != NULL)
+ p = store_buffer(&partialCtx, p, FALSE);
+
+ assert(p == (unsigned char *)token->value + token->length);
+
+ major = GSS_S_COMPLETE;
+ *minor = 0;
+
+cleanup:
+ if (GSS_ERROR(major))
+ gss_release_buffer(&tmpMinor, token);
+ gss_release_buffer(&tmpMinor, &initiatorName);
+ gss_release_buffer(&tmpMinor, &acceptorName);
+ gss_release_buffer(&tmpMinor, &partialCtx);
+
+ return major;
+}
+
OM_uint32
gss_export_sec_context(OM_uint32 *minor,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token)
{
- GSSEAP_NOT_IMPLEMENTED;
+ OM_uint32 major, tmpMinor;
+ gss_ctx_id_t ctx = *context_handle;
+
+ interprocess_token->length = 0;
+ interprocess_token->value = NULL;
+
+ if (ctx == GSS_C_NO_CONTEXT) {
+ *minor = EINVAL;
+ return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT;
+ }
+
+ *minor = 0;
+
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ major = gssEapExportSecContext(minor, ctx, interprocess_token);
+ if (GSS_ERROR(major)) {
+ GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+ return major;
+ }
+
+ *context_handle = GSS_C_NO_CONTEXT;
+
+ GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+
+ gssEapReleaseContext(&tmpMinor, &ctx);
+
+ return GSS_S_COMPLETE;
}