2 * Copyright 2010 PADL Software Pty Ltd. All rights reserved.
5 * Portions Copyright (c) 1998-2003 Carnegie Mellon University.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. The name "Carnegie Mellon University" must not be used to
21 * endorse or promote products derived from this software without
22 * prior written permission. For permission or any other legal
23 * details, please contact
24 * Office of Technology Transfer
25 * Carnegie Mellon University
27 * Pittsburgh, PA 15213-3890
28 * (412) 268-4387, fax: (412) 268-7395
29 * tech-transfer@andrew.cmu.edu
31 * 4. Redistributions of any form whatsoever must retain the following
33 * "This product includes software developed by Computing Services
34 * at Carnegie Mellon University (http://www.cmu.edu/computing/)."
36 * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
37 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
38 * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
39 * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
40 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
41 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
42 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
46 #include <gssapi/gssapi.h>
47 #include <gssapi/gssapi_ext.h>
54 #include "plugin_common.h"
62 #include "gs2_token.h"
64 #define GS2_CB_FLAG_MASK 0x0F
65 #define GS2_CB_FLAG_P SASL_CB_FLAG_USED
66 #define GS2_CB_FLAG_N SASL_CB_FLAG_NONE
67 #define GS2_CB_FLAG_Y SASL_CB_FLAG_WANT
68 #define GS2_NONSTD_FLAG 0x10
70 typedef struct context {
72 gss_name_t client_name;
73 gss_name_t server_name;
74 gss_cred_id_t server_creds;
75 gss_cred_id_t client_creds;
78 const sasl_utils_t *utils;
82 sasl_client_plug_t *client;
83 sasl_server_plug_t *server;
88 struct gss_channel_bindings_struct bindings;
89 sasl_secret_t *password;
90 unsigned int free_password;
94 static gss_OID_set gs2_mechs = GSS_C_NO_OID_SET;
96 static int gs2_ask_user_info(context_t *context,
97 sasl_client_params_t *params,
98 char **realms, int nrealm,
99 sasl_interact_t **prompt_need,
100 sasl_out_params_t *oparams);
102 static int gs2_verify_initial_message(context_t *text,
103 sasl_server_params_t *sparams,
108 static int gs2_make_header(context_t *text,
109 sasl_client_params_t *cparams,
114 static int gs2_make_message(context_t *text,
115 sasl_client_params_t *cparams,
116 int initialContextToken,
121 static int gs2_get_mech_attrs(const sasl_utils_t *utils,
123 unsigned int *security_flags,
124 unsigned int *features);
126 static int gs2_indicate_mechs(const sasl_utils_t *utils);
128 static int gs2_map_sasl_name(const sasl_utils_t *utils,
132 static int gs2_duplicate_buffer(const sasl_utils_t *utils,
133 const gss_buffer_t src,
136 static int gs2_unescape_authzid(const sasl_utils_t *utils,
141 static int gs2_escape_authzid(const sasl_utils_t *utils,
146 /* sasl_gs_log: only logs status string returned from gss_display_status() */
147 #define sasl_gs2_log(x,y,z) sasl_gs2_seterror_(x,y,z,1)
148 #define sasl_gs2_seterror(x,y,z) sasl_gs2_seterror_(x,y,z,0)
151 sasl_gs2_seterror_(const sasl_utils_t *utils, OM_uint32 maj, OM_uint32 min,
155 sasl_gs2_new_context(const sasl_utils_t *utils)
159 ret = utils->malloc(sizeof(context_t));
163 memset(ret, 0, sizeof(context_t));
170 sasl_gs2_free_context_contents(context_t *text)
177 if (text->gss_ctx != GSS_C_NO_CONTEXT) {
178 gss_delete_sec_context(&min_stat,&text->gss_ctx,
180 text->gss_ctx = GSS_C_NO_CONTEXT;
183 if (text->client_name != GSS_C_NO_NAME) {
184 gss_release_name(&min_stat,&text->client_name);
185 text->client_name = GSS_C_NO_NAME;
188 if (text->server_name != GSS_C_NO_NAME) {
189 gss_release_name(&min_stat,&text->server_name);
190 text->server_name = GSS_C_NO_NAME;
193 if (text->server_creds != GSS_C_NO_CREDENTIAL) {
194 gss_release_cred(&min_stat, &text->server_creds);
195 text->server_creds = GSS_C_NO_CREDENTIAL;
198 if (text->client_creds != GSS_C_NO_CREDENTIAL) {
199 gss_release_cred(&min_stat, &text->client_creds);
200 text->client_creds = GSS_C_NO_CREDENTIAL;
203 if (text->authid != NULL) {
204 text->utils->free(text->authid);
208 if (text->authzid != NULL) {
209 text->utils->free(text->authzid);
210 text->authzid = NULL;
213 if (text->mechanism != NULL) {
214 gss_release_oid(&min_stat, &text->mechanism);
215 text->mechanism = GSS_C_NO_OID;
218 gss_release_buffer(&min_stat, &text->bindings.application_data);
220 if (text->out_buf != NULL) {
221 text->utils->free(text->out_buf);
222 text->out_buf = NULL;
225 text->out_buf_len = 0;
227 if (text->cb_name != NULL) {
228 text->utils->free(text->cb_name);
229 text->cb_name = NULL;
232 if (text->free_password)
233 _plug_free_secret(text->utils, &text->password);
235 memset(text, 0, sizeof(*text));
241 gs2_common_mech_dispose(void *conn_context, const sasl_utils_t *utils)
243 sasl_gs2_free_context_contents((context_t *)(conn_context));
244 utils->free(conn_context);
248 gs2_common_mech_free(void *global_context __attribute__((unused)),
249 const sasl_utils_t *utils)
253 if (gs2_mechs != GSS_C_NO_OID_SET) {
254 gss_release_oid_set(&minor, &gs2_mechs);
255 gs2_mechs = GSS_C_NO_OID_SET;
259 /***************************** Server Section *****************************/
262 gs2_server_mech_new(void *glob_context,
263 sasl_server_params_t *params,
264 const char *challenge __attribute__((unused)),
265 unsigned challen __attribute__((unused)),
271 text = sasl_gs2_new_context(params->utils);
273 MEMERROR(params->utils);
277 text->gss_ctx = GSS_C_NO_CONTEXT;
278 text->client_name = GSS_C_NO_NAME;
279 text->server_name = GSS_C_NO_NAME;
280 text->server_creds = GSS_C_NO_CREDENTIAL;
281 text->client_creds = GSS_C_NO_CREDENTIAL;
282 text->plug.server = glob_context;
284 ret = gs2_map_sasl_name(params->utils, text->plug.server->mech_name,
286 if (ret != SASL_OK) {
287 gs2_common_mech_dispose(text, params->utils);
291 *conn_context = text;
297 gs2_server_mech_step(void *conn_context,
298 sasl_server_params_t *params,
299 const char *clientin,
300 unsigned clientinlen,
301 const char **serverout,
302 unsigned *serveroutlen,
303 sasl_out_params_t *oparams)
305 context_t *text = (context_t *)conn_context;
306 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
307 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
308 OM_uint32 maj_stat = GSS_S_FAILURE, min_stat = 0;
309 gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
310 gss_buffer_desc short_name_buf = GSS_C_EMPTY_BUFFER;
311 gss_name_t without = GSS_C_NO_NAME;
312 gss_OID_set_desc mechs;
313 gss_OID actual_mech = GSS_C_NO_OID;
314 OM_uint32 out_flags = 0;
315 int ret = 0, equal = 0;
316 int initialContextToken = (text->gss_ctx == GSS_C_NO_CONTEXT);
319 if (serverout == NULL) {
320 PARAMERROR(text->utils);
321 return SASL_BADPARAM;
327 if (initialContextToken) {
328 name_buf.length = strlen(params->service) + 1 + strlen(params->serverFQDN);
329 name_buf.value = params->utils->malloc(name_buf.length + 1);
330 if (name_buf.value == NULL) {
331 MEMERROR(text->utils);
335 snprintf(name_buf.value, name_buf.length + 1,
336 "%s@%s", params->service, params->serverFQDN);
337 maj_stat = gss_import_name(&min_stat,
339 GSS_C_NT_HOSTBASED_SERVICE,
341 params->utils->free(name_buf.value);
342 name_buf.value = NULL;
344 if (GSS_ERROR(maj_stat))
347 assert(text->server_creds == GSS_C_NO_CREDENTIAL);
350 mechs.elements = (gss_OID)text->mechanism;
352 if (params->gss_creds == GSS_C_NO_CREDENTIAL) {
353 maj_stat = gss_acquire_cred(&min_stat,
361 if (GSS_ERROR(maj_stat))
365 ret = gs2_verify_initial_message(text,
373 input_token.value = (void *)clientin;
374 input_token.length = clientinlen;
377 maj_stat = gss_accept_sec_context(&min_stat,
379 (params->gss_creds != GSS_C_NO_CREDENTIAL)
381 : text->server_creds,
389 &text->client_creds);
390 if (GSS_ERROR(maj_stat)) {
391 sasl_gs2_log(text->utils, maj_stat, min_stat);
392 text->utils->seterror(text->utils->conn, SASL_NOLOG,
393 "GS2 Failure: gss_accept_sec_context");
398 *serveroutlen = output_token.length;
399 if (output_token.value != NULL) {
400 ret = _plug_buf_alloc(text->utils, &text->out_buf,
401 &text->out_buf_len, *serveroutlen);
404 memcpy(text->out_buf, output_token.value, *serveroutlen);
405 *serverout = text->out_buf;
407 /* No output token, send an empty string */
412 if (maj_stat == GSS_S_CONTINUE_NEEDED) {
417 assert(maj_stat == GSS_S_COMPLETE);
419 if (!g_OID_equal(text->mechanism, actual_mech)) {
420 ret = SASL_WRONGMECH;
423 if ((out_flags & GSS_C_SEQUENCE_FLAG) == 0) {
428 maj_stat = gss_display_name(&min_stat, text->client_name,
430 if (GSS_ERROR(maj_stat))
433 ret = gs2_duplicate_buffer(params->utils, &name_buf, &short_name_buf);
437 p = (char *)memchr(name_buf.value, '@', name_buf.length);
439 short_name_buf.length = (p - (char *)name_buf.value);
441 maj_stat = gss_import_name(&min_stat,
445 if (GSS_ERROR(maj_stat)) {
450 maj_stat = gss_compare_name(&min_stat, text->client_name,
452 if (GSS_ERROR(maj_stat)) {
458 ((char *)short_name_buf.value)[short_name_buf.length] = '\0';
461 text->authid = (char *)short_name_buf.value;
462 short_name_buf.value = NULL;
463 short_name_buf.length = 0;
465 if (text->authzid != NULL) {
466 ret = params->canon_user(params->utils->conn,
468 SASL_CU_AUTHZID, oparams);
473 ret = params->canon_user(params->utils->conn,
475 text->authzid == NULL
476 ? (SASL_CU_AUTHZID | SASL_CU_AUTHID)
482 switch (text->gs2_flags & GS2_CB_FLAG_MASK) {
484 oparams->chanbindingflag = SASL_CB_FLAG_NONE;
487 oparams->chanbindingflag = SASL_CB_FLAG_USED;
490 oparams->chanbindingflag == SASL_CB_FLAG_WANT;
494 if (text->client_creds != GSS_C_NO_CREDENTIAL)
495 oparams->client_creds = &text->client_creds;
497 oparams->client_creds = NULL;
499 oparams->gss_peer_name = text->client_name;
500 oparams->gss_local_name = text->server_name;
501 oparams->maxoutbuf = 0xFFFFFF;
502 oparams->encode = NULL;
503 oparams->decode = NULL;
504 oparams->mech_ssf = 0;
505 oparams->doneflag = 1;
510 if (initialContextToken)
511 gss_release_buffer(&min_stat, &input_token);
512 gss_release_buffer(&min_stat, &name_buf);
513 gss_release_buffer(&min_stat, &short_name_buf);
514 gss_release_buffer(&min_stat, &output_token);
515 gss_release_name(&min_stat, &without);
516 gss_release_oid(&min_stat, &actual_mech);
518 if (ret == SASL_OK && maj_stat != GSS_S_COMPLETE) {
519 sasl_gs2_seterror(text->utils, maj_stat, min_stat);
522 if (ret != SASL_OK && ret != SASL_CONTINUE)
523 sasl_gs2_free_context_contents(text);
529 gs2_common_plug_init(const sasl_utils_t *utils,
531 int (*plug_alloc)(const sasl_utils_t *,
538 OM_uint32 major, minor;
545 if (gs2_indicate_mechs(utils) != SASL_OK) {
549 plugs = utils->malloc(2 * gs2_mechs->count * plugsize);
554 memset(plugs, 0, 2 * gs2_mechs->count * plugsize);
556 for (i = 0; i < gs2_mechs->count; i++) {
557 gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
559 major = gss_inquire_saslname_for_mech(&minor,
560 &gs2_mechs->elements[i],
564 if (GSS_ERROR(major))
567 #define PLUG_AT(index) (void *)((unsigned char *)plugs + (count * plugsize))
569 if (plug_alloc(utils, PLUG_AT(count), &sasl_mech_name,
570 &gs2_mechs->elements[i]) == SASL_OK)
573 gss_release_buffer(&minor, &sasl_mech_name);
588 gs2_server_plug_alloc(const sasl_utils_t *utils,
590 gss_buffer_t sasl_name,
594 sasl_server_plug_t *splug = (sasl_server_plug_t *)plug;
597 memset(splug, 0, sizeof(*splug));
599 ret = gs2_get_mech_attrs(utils, mech,
600 &splug->security_flags,
605 ret = gs2_duplicate_buffer(utils, sasl_name, &buf);
609 splug->mech_name = (char *)buf.value;
610 splug->glob_context = plug;
611 splug->mech_new = gs2_server_mech_new;
612 splug->mech_step = gs2_server_mech_step;
613 splug->mech_dispose = gs2_common_mech_dispose;
614 splug->mech_free = gs2_common_mech_free;
619 static sasl_server_plug_t *gs2_server_plugins;
620 static int gs2_server_plugcount;
623 gs2_server_plug_init(const sasl_utils_t *utils,
626 sasl_server_plug_t **pluglist,
634 if (maxversion < SASL_SERVER_PLUG_VERSION)
637 *outversion = SASL_SERVER_PLUG_VERSION;
639 if (gs2_server_plugins == NULL) {
640 ret = gs2_common_plug_init(utils,
641 sizeof(sasl_server_plug_t),
642 gs2_server_plug_alloc,
643 (void **)&gs2_server_plugins,
644 &gs2_server_plugcount);
649 *pluglist = gs2_server_plugins;
650 *plugcount = gs2_server_plugcount;
655 /***************************** Client Section *****************************/
657 static int gs2_client_mech_step(void *conn_context,
658 sasl_client_params_t *params,
659 const char *serverin,
660 unsigned serverinlen,
661 sasl_interact_t **prompt_need,
662 const char **clientout,
663 unsigned *clientoutlen,
664 sasl_out_params_t *oparams)
666 context_t *text = (context_t *)conn_context;
667 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
668 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
669 gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
670 OM_uint32 maj_stat = GSS_S_FAILURE, min_stat = 0;
671 OM_uint32 req_flags, ret_flags;
672 gss_OID actual_mech = GSS_C_NO_OID;
674 int initialContextToken;
679 if (text->gss_ctx == GSS_C_NO_CONTEXT) {
680 ret = gs2_ask_user_info(text, params, NULL, 0, prompt_need, oparams);
684 if (params->gss_creds == GSS_C_NO_CREDENTIAL &&
685 text->password != NULL && text->password->len != 0) {
686 gss_buffer_desc password_buf;
687 gss_buffer_desc name_buf;
688 gss_OID_set_desc mechs;
690 name_buf.length = strlen(oparams->authid);
691 name_buf.value = (void *)oparams->authid;
693 password_buf.length = text->password->len;
694 password_buf.value = text->password->data;
697 mechs.elements = (gss_OID)text->mechanism;
699 maj_stat = gss_import_name(&min_stat,
703 if (GSS_ERROR(maj_stat))
706 maj_stat = gss_acquire_cred_with_password(&min_stat,
715 if (GSS_ERROR(maj_stat))
719 initialContextToken = 1;
721 initialContextToken = 0;
723 if (text->server_name == GSS_C_NO_NAME) { /* only once */
724 name_buf.length = strlen(params->service) + 1 + strlen(params->serverFQDN);
725 name_buf.value = params->utils->malloc(name_buf.length + 1);
726 if (name_buf.value == NULL) {
730 if (params->serverFQDN == NULL ||
731 strlen(params->serverFQDN) == 0) {
732 SETERROR(text->utils, "GS2 Failure: no serverFQDN");
737 snprintf(name_buf.value, name_buf.length + 1,
738 "%s@%s", params->service, params->serverFQDN);
740 maj_stat = gss_import_name (&min_stat,
742 GSS_C_NT_HOSTBASED_SERVICE,
744 params->utils->free(name_buf.value);
745 name_buf.value = NULL;
747 if (GSS_ERROR(maj_stat))
751 /* From GSSAPI plugin: apparently this is for some IMAP bug workaround */
752 if (serverinlen == 0 && text->gss_ctx != GSS_C_NO_CONTEXT) {
753 gss_delete_sec_context(&min_stat, &text->gss_ctx, GSS_C_NO_BUFFER);
754 text->gss_ctx = GSS_C_NO_CONTEXT;
757 input_token.value = (void *)serverin;
758 input_token.length = serverinlen;
760 if (initialContextToken) {
761 if ((text->plug.client->features & SASL_FEAT_GSS_FRAMING) == 0)
762 text->gs2_flags |= GS2_NONSTD_FLAG;
764 switch (params->chanbindingflag) {
765 case SASL_CB_FLAG_NONE:
766 text->gs2_flags |= GS2_CB_FLAG_N;
768 case SASL_CB_FLAG_USED:
769 text->gs2_flags |= GS2_CB_FLAG_P;
771 case SASL_CB_FLAG_WANT:
772 text->gs2_flags |= GS2_CB_FLAG_Y;
776 ret = gs2_make_header(text, params,
777 strcmp(oparams->user, oparams->authid) ?
778 (char *) oparams->user : NULL,
779 &text->out_buf, &text->out_buf_len);
784 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
786 maj_stat = gss_init_sec_context(&min_stat,
787 (params->gss_creds != GSS_C_NO_CREDENTIAL)
789 : text->client_creds,
792 (gss_OID)text->mechanism,
796 serverinlen ? &input_token : GSS_C_NO_BUFFER,
801 if (GSS_ERROR(maj_stat))
804 ret = gs2_make_message(text, params, initialContextToken, &output_token,
805 &text->out_buf, &text->out_buf_len);
809 *clientout = text->out_buf;
810 *clientoutlen = text->out_buf_len;
812 if (maj_stat == GSS_S_CONTINUE_NEEDED) {
817 if (text->client_name != GSS_C_NO_NAME)
818 gss_release_name(&min_stat, &text->client_name);
820 maj_stat = gss_inquire_context(&min_stat,
826 &ret_flags, /* flags */
829 if (GSS_ERROR(maj_stat))
832 if (!g_OID_equal(text->mechanism, actual_mech)) {
833 ret = SASL_WRONGMECH;
836 if ((ret_flags & req_flags) != req_flags) {
837 maj_stat = SASL_BADAUTH;
841 maj_stat = gss_display_name(&min_stat,
845 if (GSS_ERROR(maj_stat))
848 oparams->gss_peer_name = text->server_name;
849 oparams->gss_local_name = text->client_name;
850 oparams->encode = NULL;
851 oparams->decode = NULL;
852 oparams->mech_ssf = 0;
853 oparams->maxoutbuf = 0xFFFFFF;
854 oparams->doneflag = 1;
857 gss_release_buffer(&min_stat, &output_token);
858 gss_release_buffer(&min_stat, &name_buf);
859 gss_release_oid(&min_stat, &actual_mech);
861 if (ret == SASL_OK && maj_stat != GSS_S_COMPLETE) {
862 sasl_gs2_seterror(text->utils, maj_stat, min_stat);
865 if (ret != SASL_OK && ret != SASL_CONTINUE)
866 sasl_gs2_free_context_contents(text);
871 static int gs2_client_mech_new(void *glob_context,
872 sasl_client_params_t *params,
878 text = sasl_gs2_new_context(params->utils);
880 MEMERROR(params->utils);
884 text->gss_ctx = GSS_C_NO_CONTEXT;
885 text->client_name = GSS_C_NO_NAME;
886 text->server_creds = GSS_C_NO_CREDENTIAL;
887 text->client_creds = GSS_C_NO_CREDENTIAL;
888 text->plug.client = glob_context;
890 ret = gs2_map_sasl_name(params->utils, text->plug.client->mech_name,
892 if (ret != SASL_OK) {
893 gs2_common_mech_dispose(text, params->utils);
897 *conn_context = text;
902 static const unsigned long gs2_required_prompts[] = {
907 gs2_client_plug_alloc(const sasl_utils_t *utils,
909 gss_buffer_t sasl_name,
913 sasl_client_plug_t *cplug = (sasl_client_plug_t *)plug;
916 memset(cplug, 0, sizeof(*cplug));
918 ret = gs2_get_mech_attrs(utils, mech,
919 &cplug->security_flags,
924 ret = gs2_duplicate_buffer(utils, sasl_name, &buf);
928 cplug->mech_name = (char *)buf.value;
929 cplug->features |= SASL_FEAT_NEEDSERVERFQDN;
930 cplug->glob_context = plug;
931 cplug->mech_new = gs2_client_mech_new;
932 cplug->mech_step = gs2_client_mech_step;
933 cplug->mech_dispose = gs2_common_mech_dispose;
934 cplug->mech_free = gs2_common_mech_free;
935 cplug->required_prompts = gs2_required_prompts;
940 static sasl_client_plug_t *gs2_client_plugins;
941 static int gs2_client_plugcount;
944 gs2_client_plug_init(const sasl_utils_t *utils,
947 sasl_client_plug_t **pluglist,
955 if (maxversion < SASL_CLIENT_PLUG_VERSION)
958 *outversion = SASL_CLIENT_PLUG_VERSION;
960 if (gs2_client_plugins == NULL) {
961 ret = gs2_common_plug_init(utils,
962 sizeof(sasl_client_plug_t),
963 gs2_client_plug_alloc,
964 (void **)&gs2_client_plugins,
965 &gs2_client_plugcount);
970 *pluglist = gs2_client_plugins;
971 *plugcount = gs2_client_plugcount;
977 * Copy header and application channel bindings to GSS channel bindings
978 * structure in context.
981 gs2_save_cbindings(context_t *text,
983 const char *chanbindingdata,
984 unsigned int chanbindinglen)
986 gss_buffer_t gss_bindings = &text->bindings.application_data;
990 assert(gss_bindings->value == NULL);
993 * The application-data field MUST be set to the gs2-header, excluding
994 * the initial [gs2-nonstd-flag ","] part, concatenated with, when a
995 * gs2-cb-flag of "p" is used, the application's channel binding data.
997 len = header->length;
998 if (text->gs2_flags & GS2_NONSTD_FLAG) {
1002 if ((text->gs2_flags & GS2_CB_FLAG_MASK) == GS2_CB_FLAG_P)
1003 len += chanbindinglen;
1005 gss_bindings->length = len;
1006 gss_bindings->value = text->utils->malloc(len);
1007 if (gss_bindings->value == NULL)
1010 p = (unsigned char *)gss_bindings->value;
1011 if (text->gs2_flags & GS2_NONSTD_FLAG) {
1012 memcpy(p, (unsigned char *)header->value + 2, header->length - 2);
1013 p += header->length - 2;
1015 memcpy(p, header->value, header->length);
1016 p += header->length;
1019 if ((text->gs2_flags & GS2_CB_FLAG_MASK) == GS2_CB_FLAG_P &&
1020 chanbindinglen != 0) {
1021 memcpy(p, chanbindingdata, chanbindinglen);
1027 #define CHECK_REMAIN(n) do { if (remain < (n)) return SASL_BADAUTH; } while (0)
1030 * Verify gs2-header, save authzid and channel bindings to context.
1033 gs2_verify_initial_message(context_t *text,
1034 sasl_server_params_t *sparams,
1039 char *p = (char *)in;
1040 unsigned remain = inlen;
1042 gss_buffer_desc buf = GSS_C_EMPTY_BUFFER;
1044 assert(text->cb_name == NULL);
1045 assert(text->authzid == NULL);
1048 token->value = NULL;
1050 /* minimum header includes CB flag and non-zero GSS token */
1051 CHECK_REMAIN(4); /* [pny],,. */
1053 /* non-standard GSS framing flag */
1054 if (remain > 1 && memcmp(p, "F,", 2) == 0) {
1055 text->gs2_flags |= GS2_NONSTD_FLAG;
1060 /* SASL channel bindings */
1061 CHECK_REMAIN(1); /* [pny] */
1065 CHECK_REMAIN(1); /* = */
1068 return SASL_BADAUTH;
1070 ret = gs2_unescape_authzid(text->utils, &p, &remain, &text->cb_name);
1074 text->gs2_flags |= GS2_CB_FLAG_P;
1077 text->gs2_flags |= GS2_CB_FLAG_N;
1080 text->gs2_flags |= GS2_CB_FLAG_Y;
1084 CHECK_REMAIN(1); /* , */
1087 return SASL_BADAUTH;
1089 /* authorization identity */
1090 if (remain > 1 && memcmp(p, "a=", 2) == 0) {
1095 ret = gs2_unescape_authzid(text->utils, &p, &remain, &text->authzid);
1101 CHECK_REMAIN(1); /* , */
1104 return SASL_BADAUTH;
1106 buf.length = inlen - remain;
1107 buf.value = (void *)in;
1109 /* stash channel bindings to pass into gss_accept_sec_context() */
1110 ret = gs2_save_cbindings(text, &buf, sparams->chanbindingdata,
1111 sparams->chanbindinglen);
1115 buf.length = remain;
1118 if (text->gs2_flags & GS2_NONSTD_FLAG) {
1119 token->value = text->utils->malloc(buf.length);
1120 if (token->value == NULL)
1123 token->length = buf.length;
1124 memcpy(token->value, buf.value, buf.length);
1126 unsigned int token_size;
1128 /* create a properly formed GSS token */
1129 token_size = gs2_token_size(text->mechanism, buf.length);
1130 token->value = text->utils->malloc(token_size);
1131 if (token->value == NULL)
1134 token->length = token_size;
1136 p = (char *)token->value;
1137 gs2_make_token_header(text->mechanism, buf.length,
1138 (unsigned char **)&p);
1139 memcpy(p, buf.value, buf.length);
1146 * Create gs2-header, save channel bindings to context.
1149 gs2_make_header(context_t *text,
1150 sasl_client_params_t *cparams,
1151 const char *authzid,
1155 size_t required = 0;
1156 size_t wire_authzid_len = 0, cb_name_len = 0;
1157 char *wire_authzid = NULL;
1160 gss_buffer_desc buf;
1165 /* non-standard GSS framing flag */
1166 if (text->gs2_flags & GS2_NONSTD_FLAG)
1167 required += 2; /* F, */
1169 /* SASL channel bindings */
1170 switch (text->gs2_flags & GS2_CB_FLAG_MASK) {
1172 if (cparams->chanbindingtype == NULL)
1173 return SASL_BADPARAM;
1174 cb_name_len = strlen(cparams->chanbindingtype);
1175 required += 1 /*=*/ + cb_name_len;
1179 required += 2; /* [pny], */
1182 return SASL_BADPARAM;
1185 /* authorization identity */
1186 if (authzid != NULL) {
1187 ret = gs2_escape_authzid(text->utils, authzid,
1188 strlen(authzid), &wire_authzid);
1192 wire_authzid_len = strlen(wire_authzid);
1193 required += 2 /* a= */ + wire_authzid_len;
1196 required += 1; /* trailing comma */
1198 ret = _plug_buf_alloc(text->utils, out, outlen, required);
1199 if (ret != SASL_OK) {
1200 text->utils->free(wire_authzid);
1204 *out = text->out_buf;
1207 p = (char *)text->out_buf;
1208 if (text->gs2_flags & GS2_NONSTD_FLAG) {
1212 switch (text->gs2_flags & GS2_CB_FLAG_MASK) {
1215 memcpy(p + 2, cparams->chanbindingtype, cb_name_len);
1216 p += 2 + cb_name_len;
1226 if (wire_authzid != NULL) {
1228 memcpy(p + 2, wire_authzid, wire_authzid_len);
1229 text->utils->free(wire_authzid);
1230 p += 2 + wire_authzid_len;
1234 assert(p == (char *)text->out_buf + required);
1236 buf.length = required;
1239 ret = gs2_save_cbindings(text, &buf, cparams->chanbindingdata,
1240 cparams->chanbindinglen);
1246 * Convert a GSS token to a GS2 one
1249 gs2_make_message(context_t *text,
1250 sasl_client_params_t *cparams __attribute__((unused)),
1251 int initialContextToken,
1256 OM_uint32 major, minor;
1257 unsigned char *mech_token_data;
1258 size_t mech_token_size;
1260 unsigned header_len = 0;
1263 mech_token_size = token->length;
1264 mech_token_data = (unsigned char *)token->value;
1266 if (initialContextToken) {
1267 header_len = *outlen;
1269 major = gs2_verify_token_header(&minor, text->mechanism,
1270 &mech_token_size, &mech_token_data,
1272 if ((major == GSS_S_DEFECTIVE_TOKEN &&
1273 (text->plug.client->features & SASL_FEAT_GSS_FRAMING)) ||
1278 ret = _plug_buf_alloc(text->utils, out, outlen,
1279 header_len + mech_token_size);
1283 p = *out + header_len;
1284 memcpy(p, mech_token_data, mech_token_size);
1286 *outlen = header_len + mech_token_size;
1292 * Map GSS mechanism attributes to SASL ones
1295 gs2_get_mech_attrs(const sasl_utils_t *utils,
1297 unsigned int *security_flags,
1298 unsigned int *features)
1300 OM_uint32 major, minor;
1302 gss_OID_set attrs = GSS_C_NO_OID_SET;
1304 major = gss_inquire_attrs_for_mech(&minor, mech, &attrs, NULL);
1305 if (GSS_ERROR(major)) {
1306 utils->seterror(utils->conn, SASL_NOLOG,
1307 "GS2 Failure: gss_inquire_attrs_for_mech");
1311 *security_flags = SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE;
1312 *features = SASL_FEAT_WANT_CLIENT_FIRST | SASL_FEAT_CHANNEL_BINDING;
1314 #define MA_PRESENT(a) (gss_test_oid_set_member(&minor, (gss_OID)(a), \
1315 attrs, &present) == GSS_S_COMPLETE && \
1320 if (MA_PRESENT(GSS_C_MA_PFS))
1321 *security_flags |= SASL_SEC_FORWARD_SECRECY;
1322 if (!MA_PRESENT(GSS_C_MA_AUTH_INIT_ANON))
1323 *security_flags |= SASL_SEC_NOANONYMOUS;
1324 if (MA_PRESENT(GSS_C_MA_DELEG_CRED))
1325 *security_flags |= SASL_SEC_PASS_CREDENTIALS;
1326 if (MA_PRESENT(GSS_C_MA_AUTH_TARG))
1327 *security_flags |= SASL_SEC_MUTUAL_AUTH;
1328 if (MA_PRESENT(GSS_C_MA_ITOK_FRAMED))
1329 *features |= SASL_FEAT_GSS_FRAMING;
1331 gss_release_oid_set(&minor, &attrs);
1336 * Enumerate GSS mechanisms that can be used for GS2
1338 static int gs2_indicate_mechs(const sasl_utils_t *utils)
1340 OM_uint32 major, minor;
1341 gss_OID_desc desired_oids[3];
1342 gss_OID_set_desc desired_attrs;
1343 gss_OID_desc except_oids[3];
1344 gss_OID_set_desc except_attrs;
1346 if (gs2_mechs != GSS_C_NO_OID_SET)
1349 desired_oids[0] = *GSS_C_MA_AUTH_INIT;
1350 desired_oids[1] = *GSS_C_MA_AUTH_TARG;
1351 desired_oids[2] = *GSS_C_MA_CBINDINGS;
1352 desired_attrs.count = sizeof(desired_oids)/sizeof(desired_oids[0]);
1353 desired_attrs.elements = desired_oids;
1355 except_oids[0] = *GSS_C_MA_MECH_NEGO;
1356 except_oids[1] = *GSS_C_MA_NOT_MECH;
1357 except_oids[2] = *GSS_C_MA_DEPRECATED;
1359 except_attrs.count = sizeof(except_oids)/sizeof(except_oids[0]);
1360 except_attrs.elements = except_oids;
1362 major = gss_indicate_mechs_by_attrs(&minor,
1367 if (GSS_ERROR(major)) {
1368 utils->seterror(utils->conn, SASL_NOLOG,
1369 "GS2 Failure: gss_indicate_mechs_by_attrs");
1373 return (gs2_mechs->count > 0) ? SASL_OK : SASL_NOMECH;
1377 * Map SASL mechanism name to OID
1380 gs2_map_sasl_name(const sasl_utils_t *utils,
1384 OM_uint32 major, minor;
1385 gss_buffer_desc buf;
1387 buf.length = strlen(mech);
1388 buf.value = (void *)mech;
1390 major = gss_inquire_mech_for_saslname(&minor, &buf, oid);
1391 if (GSS_ERROR(major)) {
1392 utils->seterror(utils->conn, SASL_NOLOG,
1393 "GS2 Failure: gss_inquire_mech_for_saslname");
1401 gs2_duplicate_buffer(const sasl_utils_t *utils,
1402 const gss_buffer_t src,
1405 dst->value = utils->malloc(src->length + 1);
1406 if (dst->value == NULL)
1409 memcpy(dst->value, src->value, src->length);
1410 ((char *)dst->value)[src->length] = '\0';
1411 dst->length = src->length;
1417 gs2_unescape_authzid(const sasl_utils_t *utils,
1423 size_t i, len, inlen = *remain;
1428 for (i = 0, len = 0; i < inlen; i++) {
1433 } else if (in[i] == '=') {
1435 return SASL_BADPROT;
1441 if (len == 0 || *endp == NULL)
1442 return SASL_BADPROT;
1444 p = *authzid = utils->malloc(len + 1);
1445 if (*authzid == NULL)
1448 for (i = 0; i < inlen; i++) {
1451 else if (in[i] == '=') {
1452 if (memcmp(&in[i + 1], "2C", 2) == 0)
1454 else if (memcmp(&in[i + 1], "3D", 2) == 0)
1457 utils->free(*authzid);
1459 return SASL_BADPROT;
1472 gs2_escape_authzid(const sasl_utils_t *utils,
1480 p = *authzid = utils->malloc((inlen * 3) + 1);
1481 if (*authzid == NULL)
1484 for (i = 0; i < inlen; i++) {
1486 memcpy(p, "=2C", 3);
1488 } else if (in[i] == '=') {
1489 memcpy(p, "=3D", 3);
1502 gs2_ask_user_info(context_t *text,
1503 sasl_client_params_t *params,
1504 char **realms __attribute__((unused)),
1505 int nrealm __attribute__((unused)),
1506 sasl_interact_t **prompt_need,
1507 sasl_out_params_t *oparams)
1509 int result = SASL_OK;
1510 const char *authid = NULL, *userid = NULL;
1511 int user_result = SASL_OK;
1512 int auth_result = SASL_OK;
1513 int pass_result = SASL_OK;
1515 /* try to get the authid */
1516 if (oparams->authid == NULL) {
1517 auth_result = _plug_get_authid(params->utils, &authid, prompt_need);
1519 if (auth_result != SASL_OK && auth_result != SASL_INTERACT) {
1524 /* try to get the userid */
1525 if (oparams->user == NULL) {
1526 user_result = _plug_get_userid(params->utils, &userid, prompt_need);
1528 if (user_result != SASL_OK && user_result != SASL_INTERACT) {
1533 /* try to get the password */
1534 if (text->password == NULL) {
1535 pass_result = _plug_get_password(params->utils, &text->password,
1536 &text->free_password, prompt_need);
1537 if (pass_result != SASL_OK && pass_result != SASL_INTERACT) {
1542 /* free prompts we got */
1543 if (prompt_need && *prompt_need) {
1544 params->utils->free(*prompt_need);
1545 *prompt_need = NULL;
1548 /* if there are prompts not filled in */
1549 if (user_result == SASL_INTERACT || auth_result == SASL_INTERACT ||
1550 pass_result == SASL_INTERACT) {
1552 /* make the prompt list */
1554 _plug_make_prompts(params->utils, prompt_need,
1555 user_result == SASL_INTERACT ?
1556 "Please enter your authorization name" : NULL,
1558 auth_result == SASL_INTERACT ?
1559 "Please enter your authentication name" : NULL,
1561 pass_result == SASL_INTERACT ?
1562 "Please enter your password" : NULL, NULL,
1566 if (result == SASL_OK) return SASL_INTERACT;
1571 if (oparams->authid == NULL) {
1572 if (userid == NULL || userid[0] == '\0') {
1573 result = params->canon_user(params->utils->conn, authid, 0,
1574 SASL_CU_AUTHID | SASL_CU_AUTHZID,
1577 result = params->canon_user(params->utils->conn,
1578 authid, 0, SASL_CU_AUTHID, oparams);
1579 if (result != SASL_OK) return result;
1581 result = params->canon_user(params->utils->conn,
1582 userid, 0, SASL_CU_AUTHZID, oparams);
1584 if (result != SASL_OK)
1592 sasl_gs2_seterror_(const sasl_utils_t *utils, OM_uint32 maj, OM_uint32 min,
1595 OM_uint32 maj_stat, min_stat;
1596 gss_buffer_desc msg;
1600 unsigned int len, curlen = 0;
1601 const char prefix[] = "GSSAPI Error: ";
1603 len = sizeof(prefix);
1604 ret = _plug_buf_alloc(utils, &out, &curlen, 256);
1608 strcpy(out, prefix);
1612 maj_stat = gss_display_status(&min_stat, maj,
1613 GSS_C_GSS_CODE, GSS_C_NULL_OID,
1616 if (GSS_ERROR(maj_stat)) {
1618 utils->log(utils->conn, SASL_LOG_FAIL,
1619 "GS2 Failure: (could not get major error message)");
1621 utils->seterror(utils->conn, 0,
1623 "(could not get major error message)");
1629 len += len + msg.length;
1630 ret = _plug_buf_alloc(utils, &out, &curlen, len);
1631 if (ret != SASL_OK) {
1636 strcat(out, msg.value);
1638 gss_release_buffer(&min_stat, &msg);
1644 /* Now get the minor status */
1647 ret = _plug_buf_alloc(utils, &out, &curlen, len);
1648 if (ret != SASL_OK) {
1657 maj_stat = gss_display_status(&min_stat, min,
1658 GSS_C_MECH_CODE, GSS_C_NULL_OID,
1661 if (GSS_ERROR(maj_stat)) {
1663 utils->log(utils->conn, SASL_LOG_FAIL,
1664 "GS2 Failure: (could not get minor error message)");
1666 utils->seterror(utils->conn, 0,
1668 "(could not get minor error message)");
1674 len += len + msg.length;
1676 ret = _plug_buf_alloc(utils, &out, &curlen, len);
1677 if (ret != SASL_OK) {
1682 strcat(out, msg.value);
1684 gss_release_buffer(&min_stat, &msg);
1691 ret = _plug_buf_alloc(utils, &out, &curlen, len);
1692 if (ret != SASL_OK) {
1700 utils->log(utils->conn, SASL_LOG_FAIL, out);
1702 utils->seterror(utils->conn, 0, out);
projects / cyrus-sasl.git / blob