From 040fe91fb58c6c94e71e9c61f237c89d90eeec9d Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Sun, 19 Sep 2010 13:33:08 +0200 Subject: [PATCH] cleanup name exporting for internal use --- mech_eap/export_name.c | 2 +- mech_eap/export_name_composite.c | 3 +- mech_eap/export_sec_context.c | 8 ++- mech_eap/get_name_attribute.c | 8 --- mech_eap/import_sec_context.c | 3 +- mech_eap/util.h | 14 +++- mech_eap/util_attr.cpp | 8 +-- mech_eap/util_name.c | 144 ++++++++++++++++++++++----------------- mech_eap/util_radius.h | 3 + mech_eap/util_saml.cpp | 21 +++--- mech_eap/util_shib.cpp | 27 +++++--- 11 files changed, 143 insertions(+), 98 deletions(-) diff --git a/mech_eap/export_name.c b/mech_eap/export_name.c index 667849a..6477c3b 100644 --- a/mech_eap/export_name.c +++ b/mech_eap/export_name.c @@ -42,5 +42,5 @@ gss_export_name(OM_uint32 *minor, return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME; } - return gssEapExportName(minor, input_name, exported_name, 0); + return gssEapExportName(minor, input_name, exported_name); } diff --git a/mech_eap/export_name_composite.c b/mech_eap/export_name_composite.c index 2b80dba..859baaa 100644 --- a/mech_eap/export_name_composite.c +++ b/mech_eap/export_name_composite.c @@ -47,5 +47,6 @@ gss_export_name_composite(OM_uint32 *minor, return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME; } - return gssEapExportName(minor, input_name, exported_name, 1); + return gssEapExportNameInternal(minor, input_name, exported_name, + EXPORT_NAME_FLAG_OID | EXPORT_NAME_FLAG_ATTRS); } diff --git a/mech_eap/export_sec_context.c b/mech_eap/export_sec_context.c index b98bba9..92c42bc 100644 --- a/mech_eap/export_sec_context.c +++ b/mech_eap/export_sec_context.c @@ -67,12 +67,16 @@ gssEapExportSecContext(OM_uint32 *minor, key.value = KRB_KEY_DATA(&ctx->rfc3961Key); if (ctx->initiatorName != GSS_C_NO_NAME) { - major = gssEapExportName(minor, ctx->initiatorName, &initiatorName, TRUE); + major = gssEapExportNameInternal(minor, ctx->initiatorName, + &initiatorName, + EXPORT_NAME_FLAG_ATTRS); if (GSS_ERROR(major)) goto cleanup; } if (ctx->acceptorName != GSS_C_NO_NAME) { - major = gssEapExportName(minor, ctx->acceptorName, &acceptorName, TRUE); + major = gssEapExportNameInternal(minor, ctx->acceptorName, + &acceptorName, + EXPORT_NAME_FLAG_ATTRS); if (GSS_ERROR(major)) goto cleanup; } diff --git a/mech_eap/get_name_attribute.c b/mech_eap/get_name_attribute.c index 7fe328f..c5c067b 100644 --- a/mech_eap/get_name_attribute.c +++ b/mech_eap/get_name_attribute.c @@ -49,14 +49,6 @@ gss_get_name_attribute(OM_uint32 *minor, return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME; } - *authenticated = 0; - *complete = 0; - value->length = 0; - value->value = NULL; - display_value->length = 0; - display_value->value = NULL; - *more = -1; - GSSEAP_MUTEX_LOCK(&name->mutex); major = gssEapGetNameAttribute(minor, name, attr, diff --git a/mech_eap/import_sec_context.c b/mech_eap/import_sec_context.c index fce6cf3..648bff5 100644 --- a/mech_eap/import_sec_context.c +++ b/mech_eap/import_sec_context.c @@ -169,7 +169,8 @@ importName(OM_uint32 *minor, tmp.value = p + 4; - major = gssEapImportName(minor, &tmp, GSS_C_NT_EXPORT_NAME, pName); + major = gssEapImportNameInternal(minor, &tmp, pName, + EXPORT_NAME_FLAG_ATTRS); if (GSS_ERROR(major)) return major; } diff --git a/mech_eap/util.h b/mech_eap/util.h index dd0cb73..2429458 100644 --- a/mech_eap/util.h +++ b/mech_eap/util.h @@ -281,16 +281,26 @@ gssEapValidateMechs(OM_uint32 *minor, const gss_OID_set mechs); /* util_name.c */ +#define EXPORT_NAME_FLAG_OID 0x1 +#define EXPORT_NAME_FLAG_ATTRS 0x2 + OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName); OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName); OM_uint32 gssEapExportName(OM_uint32 *minor, const gss_name_t name, - gss_buffer_t exportedName, - int composite); + gss_buffer_t exportedName); +OM_uint32 gssEapExportNameInternal(OM_uint32 *minor, + const gss_name_t name, + gss_buffer_t exportedName, + unsigned int flags); OM_uint32 gssEapImportName(OM_uint32 *minor, const gss_buffer_t input_name_buffer, gss_OID input_name_type, gss_name_t *output_name); +OM_uint32 gssEapImportNameInternal(OM_uint32 *minor, + const gss_buffer_t input_name_buffer, + gss_name_t *output_name, + unsigned int flags); /* util_oid.c */ OM_uint32 diff --git a/mech_eap/util_attr.cpp b/mech_eap/util_attr.cpp index 5414749..1a891bf 100644 --- a/mech_eap/util_attr.cpp +++ b/mech_eap/util_attr.cpp @@ -480,16 +480,16 @@ gssEapGetNameAttribute(OM_uint32 *minor, *authenticated = 0; *complete = 0; - value->length = 0; - value->value = NULL; + if (value != NULL) { + value->length = 0; + value->value = NULL; + } if (display_value != NULL) { display_value->length = 0; display_value->value = NULL; } - *more = -1; - if (name->attrCtx == NULL) return GSS_S_UNAVAILABLE; diff --git a/mech_eap/util_name.c b/mech_eap/util_name.c index d0000b1..50da741 100644 --- a/mech_eap/util_name.c +++ b/mech_eap/util_name.c @@ -213,10 +213,24 @@ importUserName(OM_uint32 *minor, return major; } -static OM_uint32 -importExportedName(OM_uint32 *minor, - const gss_buffer_t nameBuffer, - gss_name_t *pName) +#define UPDATE_REMAIN(n) do { \ + p += (n); \ + remain -= (n); \ + } while (0) + +#define CHECK_REMAIN(n) do { \ + if (remain < (n)) { \ + *minor = ERANGE; \ + major = GSS_S_BAD_NAME; \ + goto cleanup; \ + } \ + } while (0) + +OM_uint32 +gssEapImportNameInternal(OM_uint32 *minor, + const gss_buffer_t nameBuffer, + gss_name_t *pName, + unsigned int flags) { OM_uint32 major, tmpMinor; krb5_context krbContext; @@ -231,48 +245,40 @@ importExportedName(OM_uint32 *minor, p = (unsigned char *)nameBuffer->value; remain = nameBuffer->length; - if (remain < 6 + GSS_EAP_MECHANISM->length + 4) - return GSS_S_BAD_NAME; - -#define UPDATE_REMAIN(n) do { \ - p += (n); \ - remain -= (n); \ - } while (0) - - /* TOK_ID */ - tok_type = load_uint16_be(p); - if (tok_type != TOK_TYPE_EXPORT_NAME && - tok_type != TOK_TYPE_EXPORT_NAME_COMPOSITE) - return GSS_S_BAD_NAME; - UPDATE_REMAIN(2); - - /* MECH_OID_LEN */ - len = load_uint16_be(p); - if (len != 2 + GSS_EAP_MECHANISM->length) - return GSS_S_BAD_NAME; - UPDATE_REMAIN(2); - - /* MECH_OID */ - if (p[0] != 0x06) - return GSS_S_BAD_NAME; - if (p[1] != GSS_EAP_MECHANISM->length) - return GSS_S_BAD_MECH; - if (memcmp(&p[2], GSS_EAP_MECHANISM->elements, GSS_EAP_MECHANISM->length)) - return GSS_S_BAD_MECH; - UPDATE_REMAIN(2 + GSS_EAP_MECHANISM->length); + if (flags & EXPORT_NAME_FLAG_OID) { + if (remain < 6 + GSS_EAP_MECHANISM->length + 4) + return GSS_S_BAD_NAME; + + /* TOK_ID */ + tok_type = load_uint16_be(p); + if (tok_type != TOK_TYPE_EXPORT_NAME && + tok_type != TOK_TYPE_EXPORT_NAME_COMPOSITE) + return GSS_S_BAD_NAME; + UPDATE_REMAIN(2); + + if (tok_type == TOK_TYPE_EXPORT_NAME_COMPOSITE) + flags |= EXPORT_NAME_FLAG_ATTRS; + + /* MECH_OID_LEN */ + len = load_uint16_be(p); + if (len != 2 + GSS_EAP_MECHANISM->length) + return GSS_S_BAD_NAME; + UPDATE_REMAIN(2); + + /* MECH_OID */ + if (p[0] != 0x06) + return GSS_S_BAD_NAME; + if (p[1] != GSS_EAP_MECHANISM->length) + return GSS_S_BAD_MECH; + if (memcmp(&p[2], GSS_EAP_MECHANISM->elements, GSS_EAP_MECHANISM->length)) + return GSS_S_BAD_MECH; + UPDATE_REMAIN(2 + GSS_EAP_MECHANISM->length); + } /* NAME_LEN */ len = load_uint32_be(p); UPDATE_REMAIN(4); -#define CHECK_REMAIN(n) do { \ - if (remain < (n)) { \ - *minor = ERANGE; \ - major = GSS_S_BAD_NAME; \ - goto cleanup; \ - } \ - } while (0) - /* NAME */ CHECK_REMAIN(len); buf.length = len; @@ -283,7 +289,7 @@ importExportedName(OM_uint32 *minor, if (GSS_ERROR(major)) goto cleanup; - if (tok_type == TOK_TYPE_EXPORT_NAME_COMPOSITE) { + if (flags & EXPORT_NAME_FLAG_ATTRS) { gss_buffer_desc buf; CHECK_REMAIN(4); @@ -328,7 +334,8 @@ gssEapImportName(OM_uint32 *minor, oidEqual(nameType, GSS_C_NT_HOSTBASED_SERVICE_X)) major = importServiceName(minor, nameBuffer, name); else if (oidEqual(nameType, GSS_C_NT_EXPORT_NAME)) - major = importExportedName(minor, nameBuffer, name); + major = gssEapImportNameInternal(minor, nameBuffer, name, + EXPORT_NAME_FLAG_OID); else major = GSS_S_BAD_NAMETYPE; @@ -341,8 +348,17 @@ gssEapImportName(OM_uint32 *minor, OM_uint32 gssEapExportName(OM_uint32 *minor, const gss_name_t name, - gss_buffer_t exportedName, - int composite) + gss_buffer_t exportedName) +{ + return gssEapExportNameInternal(minor, name, exportedName, + EXPORT_NAME_FLAG_OID); +} + +OM_uint32 +gssEapExportNameInternal(OM_uint32 *minor, + const gss_name_t name, + gss_buffer_t exportedName, + unsigned int flags) { OM_uint32 major = GSS_S_FAILURE, tmpMinor; krb5_context krbContext; @@ -364,8 +380,12 @@ gssEapExportName(OM_uint32 *minor, } krbNameLen = strlen(krbName); - exportedName->length = 6 + GSS_EAP_MECHANISM->length + 4 + krbNameLen; - if (composite) { + exportedName->length = 0; + if (flags & EXPORT_NAME_FLAG_OID) { + exportedName->length += 6 + GSS_EAP_MECHANISM->length; + } + exportedName->length += 4 + krbNameLen; + if (flags & EXPORT_NAME_FLAG_ATTRS) { major = gssEapExportAttrContext(minor, name, &attrs); if (GSS_ERROR(major)) goto cleanup; @@ -378,22 +398,24 @@ gssEapExportName(OM_uint32 *minor, *minor = ENOMEM; goto cleanup; } - - /* TOK | MECH_OID_LEN */ p = (unsigned char *)exportedName->value; - store_uint16_be(composite + + if (flags & EXPORT_NAME_FLAG_OID) { + /* TOK | MECH_OID_LEN */ + store_uint16_be((flags & EXPORT_NAME_FLAG_ATTRS) ? TOK_TYPE_EXPORT_NAME_COMPOSITE : TOK_TYPE_EXPORT_NAME, - p); - p += 2; - store_uint16_be(GSS_EAP_MECHANISM->length + 2, p); - p += 2; - - /* MECH_OID */ - *p++ = 0x06; - *p++ = GSS_EAP_MECHANISM->length & 0xff; - memcpy(p, GSS_EAP_MECHANISM->elements, GSS_EAP_MECHANISM->length); - p += GSS_EAP_MECHANISM->length; + p); + p += 2; + store_uint16_be(GSS_EAP_MECHANISM->length + 2, p); + p += 2; + + /* MECH_OID */ + *p++ = 0x06; + *p++ = GSS_EAP_MECHANISM->length & 0xff; + memcpy(p, GSS_EAP_MECHANISM->elements, GSS_EAP_MECHANISM->length); + p += GSS_EAP_MECHANISM->length; + } /* NAME_LEN */ store_uint32_be(krbNameLen, p); @@ -403,7 +425,7 @@ gssEapExportName(OM_uint32 *minor, memcpy(p, krbName, krbNameLen); p += krbNameLen; - if (composite) { + if (flags & EXPORT_NAME_FLAG_ATTRS) { store_uint32_be(attrs.length, p); memcpy(&p[4], attrs.value, attrs.length); p += 4 + attrs.length; diff --git a/mech_eap/util_radius.h b/mech_eap/util_radius.h index 8edce31..fff01b4 100644 --- a/mech_eap/util_radius.h +++ b/mech_eap/util_radius.h @@ -82,4 +82,7 @@ private: bool m_authenticated; }; +/* For now */ +#define PW_SAML_ASSERTION 1936 + #endif /* _UTIL_RADIUS_H_ */ diff --git a/mech_eap/util_saml.cpp b/mech_eap/util_saml.cpp index 070014e..c4cdd98 100644 --- a/mech_eap/util_saml.cpp +++ b/mech_eap/util_saml.cpp @@ -88,7 +88,7 @@ gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *mana radius = static_cast (m_manager->getProvider(ATTR_TYPE_RADIUS)); if (radius != NULL && - radius->getAttribute(512 /* XXX */, &authenticated, &complete, + radius->getAttribute(PW_SAML_ASSERTION, &authenticated, &complete, &value, NULL, &more)) { setAssertion(&value, authenticated); gss_release_buffer(&minor, &value); @@ -460,16 +460,19 @@ gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr, av = dynamic_cast(a->getAttributeValues().at(i) ); if (av != NULL) { - value->value = toUTF8(av->getTextContent(), true); - value->length = strlen((char *)value->value); - - if (display_value != NULL) - duplicateBuffer(*value, display_value); - - if (nvalues > ++i) - *more = i; + if (value != NULL) { + value->value = toUTF8(av->getTextContent(), true); + value->length = strlen((char *)value->value); + } + if (display_value != NULL) { + display_value->value = toUTF8(av->getTextContent(), true); + display_value->length = strlen((char *)value->value); + } } + if (nvalues > ++i) + *more = i; + return true; } diff --git a/mech_eap/util_shib.cpp b/mech_eap/util_shib.cpp index 03bb263..815b57a 100644 --- a/mech_eap/util_shib.cpp +++ b/mech_eap/util_shib.cpp @@ -308,29 +308,38 @@ gss_eap_shib_attr_provider::getAttribute(const gss_buffer_t attr, { const Attribute *shibAttr = NULL; gss_buffer_desc buf; + int nvalues, i = *more; + + *more = 0; shibAttr = getAttribute(attr); if (shibAttr == NULL) return false; - if (*more == -1) { - *more = 0; - } else if (*more >= (int)shibAttr->valueCount()) { - *more = 0; - return true; - } + nvalues = shibAttr->valueCount(); + + if (i == -1) + i = 0; + else if (i >= nvalues) + return false; buf.value = (void *)shibAttr->getString(*more); buf.length = strlen((char *)buf.value); - duplicateBuffer(buf, value); + if (buf.length != 0) { + if (value != NULL) + duplicateBuffer(buf, value); - if (display_value != NULL) - duplicateBuffer(buf, display_value); + if (display_value != NULL) + duplicateBuffer(buf, display_value); + } *authenticated = m_authenticated; *complete = false; + if (nvalues > ++i) + *more = i; + return true; } -- 2.1.4