X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2Fexport_sec_context.c;h=2ea2c5c669cd32e6d6cf5f7449c28130f5a78b4f;hb=refs%2Fheads%2Fddf-name;hp=0285dcee80c9ef532fc1edcd19244156081d635c;hpb=c9ee9a0e791adbddcf06191a26bfaf7f9bc936a8;p=moonshot.git diff --git a/mech_eap/export_sec_context.c b/mech_eap/export_sec_context.c index 0285dce..2ea2c5c 100644 --- a/mech_eap/export_sec_context.c +++ b/mech_eap/export_sec_context.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, JANET(UK) + * Copyright (c) 2011, JANET(UK) * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -30,12 +30,211 @@ * SUCH DAMAGE. */ +/* + * Serialise a security context. On the acceptor, this may be partially + * established. + */ + #include "gssapiP_eap.h" +static OM_uint32 +gssEapExportPartialContext(OM_uint32 *minor, + gss_ctx_id_t ctx, + gss_buffer_t token) +{ + OM_uint32 major, tmpMinor; + size_t length, serverLen = 0; + unsigned char *p; + char serverBuf[MAXHOSTNAMELEN]; + + if (ctx->acceptorCtx.radConn != NULL) { + if (rs_conn_get_current_peer(ctx->acceptorCtx.radConn, + serverBuf, sizeof(serverBuf)) != 0) { + return gssEapRadiusMapError(minor, + rs_err_conn_pop(ctx->acceptorCtx.radConn)); + } + serverLen = strlen(serverBuf); + } + + length = 4 + serverLen + 4 + ctx->acceptorCtx.state.length; + + token->value = GSSEAP_MALLOC(length); + if (token->value == NULL) { + major = GSS_S_FAILURE; + *minor = ENOMEM; + goto cleanup; + } + token->length = length; + + p = (unsigned char *)token->value; + + store_uint32_be(serverLen, p); + p += 4; + if (serverLen != 0) { + memcpy(p, serverBuf, serverLen); + p += serverLen; + } + + store_uint32_be(ctx->acceptorCtx.state.length, p); + p += 4; + if (ctx->acceptorCtx.state.length != 0) { + memcpy(p, ctx->acceptorCtx.state.value, + ctx->acceptorCtx.state.length); + p += ctx->acceptorCtx.state.length; + } + + assert(p == (unsigned char *)token->value + token->length); + + major = GSS_S_COMPLETE; + *minor = 0; + +cleanup: + if (GSS_ERROR(major)) + gss_release_buffer(&tmpMinor, token); + + return major; +} + +static OM_uint32 +gssEapExportSecContext(OM_uint32 *minor, + gss_ctx_id_t ctx, + gss_buffer_t token) +{ + OM_uint32 major, tmpMinor; + size_t length; + gss_buffer_desc initiatorName = GSS_C_EMPTY_BUFFER; + gss_buffer_desc acceptorName = GSS_C_EMPTY_BUFFER; + gss_buffer_desc partialCtx = GSS_C_EMPTY_BUFFER; + gss_buffer_desc key; + unsigned char *p; + + if ((CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx)) || + ctx->mechanismUsed == GSS_C_NO_OID) { + *minor = GSSEAP_CONTEXT_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } + + key.length = KRB_KEY_LENGTH(&ctx->rfc3961Key); + key.value = KRB_KEY_DATA(&ctx->rfc3961Key); + + if (ctx->initiatorName != GSS_C_NO_NAME) { + major = gssEapExportNameInternal(minor, ctx->initiatorName, + &initiatorName, + EXPORT_NAME_FLAG_COMPOSITE); + if (GSS_ERROR(major)) + goto cleanup; + } + if (ctx->acceptorName != GSS_C_NO_NAME) { + major = gssEapExportNameInternal(minor, ctx->acceptorName, + &acceptorName, + EXPORT_NAME_FLAG_COMPOSITE); + if (GSS_ERROR(major)) + goto cleanup; + } + + /* + * The partial context is only transmitted for unestablished acceptor + * contexts. + */ + if (!CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx)) { + assert((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0); + + major = gssEapExportPartialContext(minor, ctx, &partialCtx); + if (GSS_ERROR(major)) + goto cleanup; + } + + length = 16; /* version, state, flags, */ + length += 4 + ctx->mechanismUsed->length; /* mechanismUsed */ + length += 12 + key.length; /* rfc3961Key.value */ + length += 4 + initiatorName.length; /* initiatorName.value */ + length += 4 + acceptorName.length; /* acceptorName.value */ + length += 24 + sequenceSize(ctx->seqState); /* seqState */ + + if (partialCtx.value != NULL) + length += 4 + partialCtx.length; /* partialCtx.value */ + + token->value = GSSEAP_MALLOC(length); + if (token->value == NULL) { + major = GSS_S_FAILURE; + *minor = ENOMEM; + goto cleanup; + } + token->length = length; + + p = (unsigned char *)token->value; + + store_uint32_be(EAP_EXPORT_CONTEXT_V1, &p[0]); /* version */ + store_uint32_be(GSSEAP_SM_STATE(ctx), &p[4]); + store_uint32_be(ctx->flags, &p[8]); + store_uint32_be(ctx->gssFlags, &p[12]); + p = store_oid(ctx->mechanismUsed, &p[16]); + + store_uint32_be(ctx->checksumType, &p[0]); + store_uint32_be(ctx->encryptionType, &p[4]); + p = store_buffer(&key, &p[8], FALSE); + + p = store_buffer(&initiatorName, p, FALSE); + p = store_buffer(&acceptorName, p, FALSE); + + store_uint64_be(ctx->expiryTime, &p[0]); + store_uint64_be(ctx->sendSeq, &p[8]); + store_uint64_be(ctx->recvSeq, &p[16]); + p += 24; + + major = sequenceExternalize(minor, ctx->seqState, &p, &length); + if (GSS_ERROR(major)) + goto cleanup; + + if (partialCtx.value != NULL) + p = store_buffer(&partialCtx, p, FALSE); + + assert(p == (unsigned char *)token->value + token->length); + + major = GSS_S_COMPLETE; + *minor = 0; + +cleanup: + if (GSS_ERROR(major)) + gss_release_buffer(&tmpMinor, token); + gss_release_buffer(&tmpMinor, &initiatorName); + gss_release_buffer(&tmpMinor, &acceptorName); + gss_release_buffer(&tmpMinor, &partialCtx); + + return major; +} + OM_uint32 gss_export_sec_context(OM_uint32 *minor, gss_ctx_id_t *context_handle, gss_buffer_t interprocess_token) { - GSSEAP_NOT_IMPLEMENTED; + OM_uint32 major, tmpMinor; + gss_ctx_id_t ctx = *context_handle; + + interprocess_token->length = 0; + interprocess_token->value = NULL; + + if (ctx == GSS_C_NO_CONTEXT) { + *minor = EINVAL; + return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT; + } + + *minor = 0; + + GSSEAP_MUTEX_LOCK(&ctx->mutex); + + major = gssEapExportSecContext(minor, ctx, interprocess_token); + if (GSS_ERROR(major)) { + GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + return major; + } + + *context_handle = GSS_C_NO_CONTEXT; + + GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + + gssEapReleaseContext(&tmpMinor, &ctx); + + return GSS_S_COMPLETE; }