/*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* SUCH DAMAGE.
*/
+/*
+ * RADIUS attribute provider implementation.
+ */
+
#include "gssapiP_eap.h"
-#define VENDORATTR(vendor, attr) ((vendor) << 16 | (attr))
+/* stuff that should be provided by libradsec/libfreeradius-radius */
+#define VENDORATTR(vendor, attr) (((vendor) << 16) | (attr))
#ifndef ATTRID
#define ATTRID(attr) ((attr) & 0xFFFF)
(void *)"urn:x-radius:"
};
-static void *
-gssEapCalloc(size_t nmemb, size_t size)
-{
- return GSSEAP_CALLOC(nmemb, size);
-}
-
-static void *
-gssEapMalloc(size_t size)
-{
- return GSSEAP_MALLOC(size);
-}
-
-static void
-gssEapFree(void *ptr)
-{
- GSSEAP_FREE(ptr);
-}
-
-static void *
-gssEapRealloc(void *ptr, size_t size)
-{
- return GSSEAP_REALLOC(ptr, size);
-}
-
-static struct rs_error *
-radiusAllocHandle(const char *configFile,
- rs_handle **pHandle)
-{
- rs_handle *rh;
- struct rs_alloc_scheme ralloc;
-
- *pHandle = NULL;
-
- if (configFile == NULL || configFile[0] == '\0')
- configFile = RS_CONFIG_FILE;
-
- if (rs_context_create(&rh, RS_DICT_FILE) != 0)
- return NULL;
-
- ralloc.calloc = gssEapCalloc;
- ralloc.malloc = gssEapMalloc;
- ralloc.free = gssEapFree;
- ralloc.realloc = gssEapRealloc;
-
- rs_context_set_alloc_scheme(rh, &ralloc);
-
- if (rs_context_read_config(rh, configFile) != 0) {
- rs_context_destroy(rh);
- return rs_err_ctx_pop(rh);
- }
-
- *pHandle = rh;
- return NULL;
-}
+static VALUE_PAIR *copyAvps(const VALUE_PAIR *src);
gss_eap_radius_attr_provider::gss_eap_radius_attr_provider(void)
{
- m_rh = NULL;
- m_avps = NULL;
+ m_vps = NULL;
m_authenticated = false;
}
gss_eap_radius_attr_provider::~gss_eap_radius_attr_provider(void)
{
- if (m_rh != NULL)
- rs_context_destroy(m_rh);
- if (m_avps != NULL)
- pairfree(&m_avps);
-}
-
-bool
-gss_eap_radius_attr_provider::allocRadHandle(const std::string &configFile)
-{
- m_configFile.assign(configFile);
-
- /*
- * Currently none of the FreeRADIUS functions we use here actually take
- * a handle, so we may as well leave it as NULL.
- */
-#if 0
- radiusAllocHandle(m_configFile.c_str(), &m_rh);
-
- return (m_rh != NULL);
-#else
- return true;
-#endif
+ if (m_vps != NULL)
+ pairfree(&m_vps);
}
bool
-gss_eap_radius_attr_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
+gss_eap_radius_attr_provider::initWithExistingContext(const gss_eap_attr_ctx *manager,
const gss_eap_attr_provider *ctx)
{
const gss_eap_radius_attr_provider *radius;
- if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
+ if (!gss_eap_attr_provider::initWithExistingContext(manager, ctx))
return false;
radius = static_cast<const gss_eap_radius_attr_provider *>(ctx);
- if (!allocRadHandle(radius->m_configFile))
- return false;
+ if (radius->m_vps != NULL)
+ m_vps = copyAvps(const_cast<VALUE_PAIR *>(radius->getAvps()));
- if (radius->m_avps != NULL)
- m_avps = paircopy(const_cast<VALUE_PAIR *>(radius->getAvps()));
+ m_authenticated = radius->m_authenticated;
return true;
}
bool
-gss_eap_radius_attr_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
+gss_eap_radius_attr_provider::initWithGssContext(const gss_eap_attr_ctx *manager,
const gss_cred_id_t gssCred,
const gss_ctx_id_t gssCtx)
{
- std::string configFile(RS_CONFIG_FILE);
-
- if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
- return false;
-
- if (gssCred != GSS_C_NO_CREDENTIAL && gssCred->radiusConfigFile != NULL)
- configFile.assign(gssCred->radiusConfigFile);
-
- if (!allocRadHandle(configFile))
+ if (!gss_eap_attr_provider::initWithGssContext(manager, gssCred, gssCtx))
return false;
if (gssCtx != GSS_C_NO_CONTEXT) {
- if (gssCtx->acceptorCtx.avps != NULL) {
- m_avps = paircopy(gssCtx->acceptorCtx.avps);
- if (m_avps == NULL)
+ if (gssCtx->acceptorCtx.vps != NULL) {
+ m_vps = copyAvps(gssCtx->acceptorCtx.vps);
+ if (m_vps == NULL)
return false;
+
+ /* We assume libradsec validated this for us */
+ assert(pairfind(m_vps, PW_MESSAGE_AUTHENTICATOR) != NULL);
+ m_authenticated = true;
}
}
}
static bool
-isHiddenAttributeP(int attrid, uint16_t vendor)
+isSecretAttributeP(uint16_t attrid, uint16_t vendor)
{
- bool ret = false;
+ bool bSecretAttribute = false;
switch (vendor) {
case VENDORPEC_MS:
switch (attrid) {
case PW_MS_MPPE_SEND_KEY:
case PW_MS_MPPE_RECV_KEY:
- ret = true;
+ bSecretAttribute = true;
break;
default:
break;
}
+ default:
+ break;
+ }
+
+ return bSecretAttribute;
+}
+
+static bool
+isSecretAttributeP(uint32_t attribute)
+{
+ return isSecretAttributeP(ATTRID(attribute), VENDOR(attribute));
+}
+
+static bool
+isInternalAttributeP(uint16_t attrid, uint16_t vendor)
+{
+ bool bInternalAttribute = false;
+
+ /* should have been filtered */
+ assert(!isSecretAttributeP(attrid, vendor));
+
+ switch (vendor) {
case VENDORPEC_UKERNA:
- ret = true;
+ bInternalAttribute = true;
break;
default:
break;
}
- return ret;
+ return bInternalAttribute;
+}
+
+static bool
+isInternalAttributeP(uint32_t attribute)
+{
+ return isInternalAttributeP(ATTRID(attribute), VENDOR(attribute));
+}
+
+/*
+ * Copy AVP list, same as paircopy except it filters out attributes
+ * containing keys.
+ */
+static VALUE_PAIR *
+copyAvps(const VALUE_PAIR *src)
+{
+ const VALUE_PAIR *vp;
+ VALUE_PAIR *dst = NULL, **pDst = &dst;
+
+ for (vp = src; vp != NULL; vp = vp->next) {
+ VALUE_PAIR *vpcopy;
+
+ if (isSecretAttributeP(vp->attribute))
+ continue;
+
+ vpcopy = paircopyvp(vp);
+ if (vpcopy == NULL) {
+ pairfree(&dst);
+ throw std::bad_alloc();
+ }
+ *pDst = vpcopy;
+ pDst = &vpcopy->next;
+ }
+
+ return dst;
}
bool
-gss_eap_radius_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute, void *data) const
+gss_eap_radius_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
+ void *data) const
{
VALUE_PAIR *vp;
std::vector <std::string> seen;
- for (vp = m_avps; vp != NULL; vp = vp->next) {
+ for (vp = m_vps; vp != NULL; vp = vp->next) {
gss_buffer_desc attribute;
char attrid[64];
- if (isHiddenAttributeP(ATTRID(vp->attribute), VENDOR(vp->attribute)))
+
+ /* Don't advertise attributes that are internal to the GSS-EAP mechanism */
+ if (isInternalAttributeP(vp->attribute))
continue;
if (alreadyAddedAttributeP(seen, vp))
attribute.value = attrid;
attribute.length = strlen(attrid);
- if (!addAttribute(this, &attribute, data))
+ if (!addAttribute(m_manager, this, &attribute, data))
return false;
seen.push_back(std::string(vp->name));
return true;
}
-void
+uint32_t
+getAttributeId(const gss_buffer_t attr)
+{
+ OM_uint32 tmpMinor;
+ gss_buffer_desc strAttr = GSS_C_EMPTY_BUFFER;
+ DICT_ATTR *da;
+ char *s;
+ uint32_t attrid = 0;
+
+ if (attr->length < radiusUrnPrefix.length ||
+ memcmp(attr->value, radiusUrnPrefix.value, radiusUrnPrefix.length) != 0)
+ return 0;
+
+ /* need to duplicate because attr may not be NUL terminated */
+ duplicateBuffer(*attr, &strAttr);
+ s = (char *)strAttr.value + radiusUrnPrefix.length;
+
+ if (isdigit(*s)) {
+ attrid = strtoul(s, NULL, 10);
+ } else {
+ da = dict_attrbyname(s);
+ if (da != NULL)
+ attrid = da->attr;
+ }
+
+ gss_release_buffer(&tmpMinor, &strAttr);
+
+ return attrid;
+}
+
+bool
+gss_eap_radius_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
+ uint32_t attrid,
+ const gss_buffer_t value)
+{
+ OM_uint32 major = GSS_S_UNAVAILABLE, minor;
+
+ if (!isSecretAttributeP(attrid) &&
+ !isInternalAttributeP(attrid)) {
+ deleteAttribute(attrid);
+
+ major = gssEapRadiusAddAvp(&minor, &m_vps,
+ ATTRID(attrid), VENDOR(attrid),
+ value);
+ }
+
+ return !GSS_ERROR(major);
+}
+
+bool
gss_eap_radius_attr_provider::setAttribute(int complete,
const gss_buffer_t attr,
const gss_buffer_t value)
{
+ uint32_t attrid = getAttributeId(attr);
+
+ if (!attrid)
+ return false;
+
+ return setAttribute(complete, attrid, value);
+}
+
+bool
+gss_eap_radius_attr_provider::deleteAttribute(uint32_t attrid)
+{
+ if (isSecretAttributeP(attrid) || isInternalAttributeP(attrid) ||
+ pairfind(m_vps, attrid) == NULL)
+ return false;
+
+ pairdelete(&m_vps, attrid);
+
+ return true;
}
-void
-gss_eap_radius_attr_provider::deleteAttribute(const gss_buffer_t value)
+bool
+gss_eap_radius_attr_provider::deleteAttribute(const gss_buffer_t attr)
{
+ uint32_t attrid = getAttributeId(attr);
+
+ if (!attrid)
+ return false;
+
+ return deleteAttribute(attrid);
}
bool
gss_buffer_t display_value,
int *more) const
{
- OM_uint32 tmpMinor;
- gss_buffer_desc strAttr = GSS_C_EMPTY_BUFFER;
- DICT_ATTR *da;
- int attrid;
- char *s;
-
- duplicateBuffer(*attr, &strAttr);
- s = (char *)strAttr.value;
+ uint32_t attrid;
- if (attr->length < radiusUrnPrefix.length ||
- memcmp(s, radiusUrnPrefix.value, radiusUrnPrefix.length) != 0)
+ attrid = getAttributeId(attr);
+ if (!attrid)
return false;
- s += radiusUrnPrefix.length;
-
- if (isdigit(*s)) {
- attrid = strtoul(s, NULL, 10);
- } else {
- da = dict_attrbyname(s);
- if (da == NULL) {
- gss_release_buffer(&tmpMinor, &strAttr);
- return false;
- }
- attrid = da->attr;
- }
-
- gss_release_buffer(&tmpMinor, &strAttr);
-
return getAttribute(attrid, authenticated, complete,
value, display_value, more);
}
bool
-gss_eap_radius_attr_provider::getAttribute(uint16_t vattrid,
- uint16_t vendor,
+gss_eap_radius_attr_provider::getAttribute(uint32_t attrid,
int *authenticated,
int *complete,
gss_buffer_t value,
gss_buffer_t display_value,
int *more) const
{
- uint32_t attrid = VENDORATTR(vendor, vattrid);
VALUE_PAIR *vp;
int i = *more, count = 0;
*more = 0;
- if (isHiddenAttributeP(attrid, vendor))
- return false;
-
if (i == -1)
i = 0;
- for (vp = pairfind(m_avps, attrid);
+ for (vp = pairfind(m_vps, attrid);
vp != NULL;
vp = pairfind(vp->next, attrid)) {
if (count++ == i) {
{
OM_uint32 major, minor;
- major = gssEapRadiusGetAvp(&minor, m_avps, attribute, vendor, value, TRUE);
+ major = gssEapRadiusGetAvp(&minor, m_vps, attribute, vendor, value, TRUE);
if (authenticated != NULL)
*authenticated = m_authenticated;
}
bool
-gss_eap_radius_attr_provider::getAttribute(uint32_t attrid,
+gss_eap_radius_attr_provider::getAttribute(uint16_t attribute,
+ uint16_t vendor,
int *authenticated,
int *complete,
gss_buffer_t value,
int *more) const
{
- return getAttribute(ATTRID(attrid), VENDOR(attrid),
+ return getAttribute(VENDORATTR(attribute, vendor),
authenticated, complete,
value, display_value, more);
}
gss_any_t
gss_eap_radius_attr_provider::mapToAny(int authenticated,
- gss_buffer_t type_id) const
+ gss_buffer_t type_id GSSEAP_UNUSED) const
{
if (authenticated && !m_authenticated)
return (gss_any_t)NULL;
- return (gss_any_t)paircopy(m_avps);
+ return (gss_any_t)copyAvps(m_vps);
}
void
-gss_eap_radius_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
+gss_eap_radius_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
gss_any_t input) const
{
- pairfree((VALUE_PAIR **)&input);
+ VALUE_PAIR *vp = (VALUE_PAIR *)input;
+ pairfree(&vp);
}
bool
gss_eap_radius_attr_provider::init(void)
{
- gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS,
- "urn:ietf:params:gss-eap:radius-avp",
- gss_eap_radius_attr_provider::createAttrContext);
+ struct rs_context *radContext;
+
+ gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS, createAttrContext);
+
+#if 1
+ /*
+ * This hack is necessary in order to force the loading of the global
+ * dictionary, otherwise accepting reauthentication tokens fails unless
+ * the acceptor has already accepted a normal authentication token.
+ */
+ if (rs_context_create(&radContext) != 0)
+ return false;
+
+ if (rs_context_read_config(radContext, RS_CONFIG_FILE) != 0) {
+ rs_context_destroy(radContext);
+ return false;
+ }
+
+ if (rs_context_init_freeradius_dict(radContext, NULL)) {
+ rs_context_destroy(radContext);
+ return false;
+ }
+
+ rs_context_destroy(radContext);
+#endif
+
return true;
}
OM_uint32
gssEapRadiusAddAvp(OM_uint32 *minor,
- rs_handle *rh,
VALUE_PAIR **vps,
- uint16_t vattrid,
+ uint16_t attribute,
uint16_t vendor,
- gss_buffer_t buffer)
+ const gss_buffer_t buffer)
{
- uint16_t attrid = VENDORATTR(vendor, vattrid);
+ uint32_t attrid = VENDORATTR(vendor, attribute);
unsigned char *p = (unsigned char *)buffer->value;
size_t remain = buffer->length;
VALUE_PAIR *vp;
size_t n = remain;
- if (n > MAX_STRING_LEN)
- n = MAX_STRING_LEN;
+ /*
+ * There's an extra byte of padding; RADIUS AVPs can only
+ * be 253 octets.
+ */
+ if (n >= MAX_STRING_LEN)
+ n = MAX_STRING_LEN - 1;
vp = paircreate(attrid, PW_TYPE_OCTETS);
if (vp == NULL) {
}
memcpy(vp->vp_octets, p, n);
+ vp->length = n;
+
pairadd(vps, vp);
p += n;
OM_uint32
gssEapRadiusGetRawAvp(OM_uint32 *minor,
VALUE_PAIR *vps,
- uint16_t type,
+ uint16_t attribute,
uint16_t vendor,
VALUE_PAIR **vp)
{
- uint16_t attr = VENDORATTR(vendor, type);
+ uint32_t attr = VENDORATTR(vendor, attribute);
*vp = pairfind(vps, attr);
+ if (*vp == NULL) {
+ *minor = GSSEAP_NO_SUCH_ATTR;
+ return GSS_S_UNAVAILABLE;
+ }
- return (*vp == NULL) ? GSS_S_UNAVAILABLE : GSS_S_COMPLETE;
+ return GSS_S_COMPLETE;
}
OM_uint32
gssEapRadiusGetAvp(OM_uint32 *minor,
VALUE_PAIR *vps,
- uint16_t type,
+ uint16_t attribute,
uint16_t vendor,
gss_buffer_t buffer,
int concat)
{
VALUE_PAIR *vp;
unsigned char *p;
- uint32_t attr = VENDORATTR(vendor, type);
+ uint32_t attr = VENDORATTR(vendor, attribute);
buffer->length = 0;
buffer->value = NULL;
vp = pairfind(vps, attr);
- if (vp == NULL)
+ if (vp == NULL) {
+ *minor = GSSEAP_NO_SUCH_ATTR;
return GSS_S_UNAVAILABLE;
+ }
do {
buffer->length += vp->length;
}
OM_uint32
-gssEapRadiusAttrProviderInit(OM_uint32 *minor)
-{
- return gss_eap_radius_attr_provider::init()
- ? GSS_S_COMPLETE : GSS_S_FAILURE;
-}
-
-OM_uint32
-gssEapRadiusAttrProviderFinalize(OM_uint32 *minor)
+gssEapRadiusFreeAvps(OM_uint32 *minor,
+ VALUE_PAIR **vps)
{
- gss_eap_radius_attr_provider::finalize();
+ pairfree(vps);
+ *minor = 0;
return GSS_S_COMPLETE;
}
OM_uint32
-gssEapRadiusMapError(OM_uint32 *minor,
- struct rs_error *err)
+gssEapRadiusAttrProviderInit(OM_uint32 *minor)
{
- if (err != NULL)
- rs_err_code(err, 1);
+ if (!gss_eap_radius_attr_provider::init()) {
+ *minor = GSSEAP_RADSEC_INIT_FAILURE;
+ return GSS_S_FAILURE;
+ }
- return GSS_S_FAILURE;
+ return GSS_S_COMPLETE;
}
OM_uint32
-gssEapRadiusAllocConn(OM_uint32 *minor,
- const gss_cred_id_t cred,
- gss_ctx_id_t ctx)
+gssEapRadiusAttrProviderFinalize(OM_uint32 *minor)
{
- struct gss_eap_acceptor_ctx *actx = &ctx->acceptorCtx;
- const char *configFile = NULL;
- struct rs_error *err;
-
- assert(actx->radHandle == NULL);
- assert(actx->radConn == NULL);
-
- if (cred != GSS_C_NO_CREDENTIAL && cred->radiusConfigFile != NULL)
- configFile = cred->radiusConfigFile;
-
- err = radiusAllocHandle(configFile, &actx->radHandle);
- if (err != NULL || actx->radHandle == NULL) {
- return gssEapRadiusMapError(minor, err);
- }
-
- if (rs_conn_create(actx->radHandle, &actx->radConn, "gss-eap") != 0) {
- return gssEapRadiusMapError(minor, rs_err_conn_pop(actx->radConn));
- }
-
- /* XXX TODO rs_conn_select_server does not exist yet */
-#if 0
- if (actx->radServer != NULL) {
- if (rs_conn_select_server(actx->radConn, actx->radServer) != 0)
- return gssEapRadiusMapError(minor, rs_err_conn_pop(actx->radConn));
- }
-#endif
+ gss_eap_radius_attr_provider::finalize();
*minor = 0;
return GSS_S_COMPLETE;
}
-/*
- * Encoding is:
- * 4 octet NBO attribute ID | 4 octet attribute length | attribute data
- */
-static size_t
-avpSize(const VALUE_PAIR *vp)
+static JSONObject
+avpToJson(const VALUE_PAIR *vp)
{
- size_t size = 4 + 1;
+ JSONObject obj;
- if (vp != NULL)
- size += vp->length;
-
- return size;
-}
-
-static bool
-avpExport(rs_handle *rh,
- const VALUE_PAIR *vp,
- unsigned char **pBuffer,
- size_t *pRemain)
-{
- unsigned char *p = *pBuffer;
- size_t remain = *pRemain;
-
- assert(remain >= avpSize(vp));
-
- store_uint32_be(vp->attribute, p);
+ assert(vp->length <= MAX_STRING_LEN);
switch (vp->type) {
case PW_TYPE_INTEGER:
case PW_TYPE_IPADDR:
case PW_TYPE_DATE:
- p[4] = 4;
- store_uint32_be(vp->lvalue, p + 5);
+ obj.set("value", vp->lvalue);
break;
- default:
- assert(vp->length <= MAX_STRING_LEN);
- p[4] = (uint8_t)vp->length;
- memcpy(p + 5, vp->vp_octets, vp->length);
+ case PW_TYPE_STRING:
+ obj.set("value", vp->vp_strvalue);
break;
- }
+ default: {
+ char *b64;
- *pBuffer += 5 + p[4];
- *pRemain -= 5 + p[4];
+ if (base64Encode(vp->vp_octets, vp->length, &b64) < 0)
+ throw std::bad_alloc();
- return true;
+ obj.set("value", b64);
+ GSSEAP_FREE(b64);
+ break;
+ }
+ }
+
+ obj.set("type", vp->attribute);
+ return obj;
}
static bool
-avpImport(rs_handle *rh,
- VALUE_PAIR **pVp,
- unsigned char **pBuffer,
- size_t *pRemain)
+jsonToAvp(VALUE_PAIR **pVp, JSONObject &obj)
{
- unsigned char *p = *pBuffer;
- size_t remain = *pRemain;
VALUE_PAIR *vp = NULL;
DICT_ATTR *da;
- OM_uint32 attrid;
-
- if (remain < avpSize(NULL))
- goto fail;
+ uint32_t attrid;
- attrid = load_uint32_be(p);
- p += 4;
- remain -= 4;
+ JSONObject type = obj["type"];
+ JSONObject value = obj["value"];
- da = dict_attrbyvalue(attrid);
- if (da == NULL)
+ if (!type.isInteger())
goto fail;
- vp = pairalloc(da);
- if (vp == NULL) {
- throw new std::bad_alloc;
- goto fail;
+ attrid = type.integer();
+ da = dict_attrbyvalue(attrid);
+ if (da != NULL) {
+ vp = pairalloc(da);
+ } else {
+ int type = base64Valid(value.string()) ?
+ PW_TYPE_OCTETS : PW_TYPE_STRING;
+ vp = paircreate(attrid, type);
}
-
- if (remain < p[0])
- goto fail;
+ if (vp == NULL)
+ throw std::bad_alloc();
switch (vp->type) {
case PW_TYPE_INTEGER:
case PW_TYPE_IPADDR:
case PW_TYPE_DATE:
- if (p[0] != 4)
+ if (!value.isInteger())
goto fail;
vp->length = 4;
- vp->lvalue = load_uint32_be(p + 1);
- p += 5;
- remain -= 5;
+ vp->lvalue = value.integer();
break;
- case PW_TYPE_STRING:
- /* check enough room to NUL terminate */
- if (p[0] >= MAX_STRING_LEN)
+ case PW_TYPE_STRING: {
+ if (!value.isString())
goto fail;
- /* fallthrough */
- default:
- vp->length = (uint32_t)p[0];
- memcpy(vp->vp_octets, p + 1, vp->length);
- if (vp->type == PW_TYPE_STRING)
- vp->vp_strvalue[vp->length] = '\0';
+ const char *str = value.string();
+ size_t len = strlen(str);
+
+ if (len >= MAX_STRING_LEN)
+ goto fail;
- p += 1 + vp->length;
- remain -= 1 + vp->length;
+ vp->length = len;
+ memcpy(vp->vp_strvalue, str, len + 1);
break;
}
+ case PW_TYPE_OCTETS:
+ default: {
+ if (!value.isString())
+ goto fail;
+
+ const char *str = value.string();
+ ssize_t len = strlen(str);
+
+ /* this optimization requires base64Decode only understand packed encoding */
+ if (len >= BASE64_EXPAND(MAX_STRING_LEN))
+ goto fail;
+
+ len = base64Decode(str, vp->vp_octets);
+ if (len < 0)
+ goto fail;
+
+ vp->length = len;
+ break;
+ }
+ }
*pVp = vp;
- *pBuffer = p;
- *pRemain = remain;
return true;
fail:
- pairbasicfree(vp);
+ if (vp != NULL)
+ pairbasicfree(vp);
+ *pVp = NULL;
return false;
}
-bool
-gss_eap_radius_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
- const gss_buffer_t buffer)
+const char *
+gss_eap_radius_attr_provider::name(void) const
{
- unsigned char *p = (unsigned char *)buffer->value;
- size_t remain = buffer->length;
- OM_uint32 configFileLen, count;
- VALUE_PAIR **pNext = &m_avps;
-
- if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
- return false;
-
- if (remain < 4)
- return false;
-
- configFileLen = load_uint32_be(p);
- p += 4;
- remain -= 4;
-
- if (remain < configFileLen)
- return false;
-
- std::string configFile((char *)p, configFileLen);
- p += configFileLen;
- remain -= configFileLen;
+ return "radius";
+}
- if (!allocRadHandle(configFile))
- return false;
+bool
+gss_eap_radius_attr_provider::initWithJsonObject(const gss_eap_attr_ctx *ctx,
+ JSONObject &obj)
+{
+ VALUE_PAIR **pNext = &m_vps;
- if (remain < 4)
+ if (!gss_eap_attr_provider::initWithJsonObject(ctx, obj))
return false;
- count = load_uint32_be(p);
- p += 4;
- remain -= 4;
+ JSONObject attrs = obj["attributes"];
+ size_t nelems = attrs.size();
- do {
- VALUE_PAIR *attr;
+ for (size_t i = 0; i < nelems; i++) {
+ JSONObject attr = attrs[i];
+ VALUE_PAIR *vp;
- if (!avpImport(m_rh, &attr, &p, &remain))
+ if (!jsonToAvp(&vp, attr))
return false;
- *pNext = attr;
- pNext = &attr->next;
-
- count--;
- } while (remain != 0);
+ *pNext = vp;
+ pNext = &vp->next;
+ }
- if (count != 0)
- return false;
+ m_authenticated = obj["authenticated"].integer();
return true;
}
-void
-gss_eap_radius_attr_provider::exportToBuffer(gss_buffer_t buffer) const
+const char *
+gss_eap_radius_attr_provider::prefix(void) const
{
- OM_uint32 count = 0;
- VALUE_PAIR *vp;
- unsigned char *p;
- size_t remain = 4 + m_configFile.length() + 4;
+ return "urn:ietf:params:gss-eap:radius-avp";
+}
- for (vp = m_avps; vp != NULL; vp = vp->next) {
- remain += avpSize(vp);
- count++;
- }
+JSONObject
+gss_eap_radius_attr_provider::jsonRepresentation(void) const
+{
+ JSONObject obj, attrs = JSONObject::array();
- buffer->value = GSSEAP_MALLOC(remain);
- if (buffer->value == NULL) {
- throw new std::bad_alloc;
- return;
+ for (VALUE_PAIR *vp = m_vps; vp != NULL; vp = vp->next) {
+ JSONObject attr = avpToJson(vp);
+ attrs.append(attr);
}
- buffer->length = remain;
-
- p = (unsigned char *)buffer->value;
- store_uint32_be(m_configFile.length(), p);
- p += 4;
- remain -= 4;
+ obj.set("attributes", attrs);
- memcpy(p, m_configFile.c_str(), m_configFile.length());
- p += m_configFile.length();
- remain -= m_configFile.length();
+ obj.set("authenticated", m_authenticated);
- store_uint32_be(count, p);
- p += 4;
- remain -= 4;
-
- for (vp = m_avps; vp != NULL; vp = vp->next) {
- avpExport(m_rh, vp, &p, &remain);
- }
-
- assert(remain == 0);
+ return obj;
}
time_t
{
VALUE_PAIR *vp;
- vp = pairfind(m_avps, PW_SESSION_TIMEOUT);
+ vp = pairfind(m_vps, PW_SESSION_TIMEOUT);
if (vp == NULL || vp->lvalue == 0)
return 0;
return time(NULL) + vp->lvalue;
}
+
+OM_uint32
+gssEapRadiusMapError(OM_uint32 *minor,
+ struct rs_error *err)
+{
+ int code;
+
+ assert(err != NULL);
+
+ code = rs_err_code(err, 0);
+
+ if (code == RSE_OK) {
+ *minor = 0;
+ return GSS_S_COMPLETE;
+ }
+
+ *minor = ERROR_TABLE_BASE_rse + code;
+
+ gssEapSaveStatusInfo(*minor, "%s", rs_err_msg(err));
+ rs_err_free(err);
+
+ return GSS_S_FAILURE;
+}