2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gssapiP_eap.h"
36 gssEapImportPartialContext(OM_uint32 *minor,
41 unsigned char *p = *pBuf;
42 size_t remain = *pRemain;
47 return GSS_S_DEFECTIVE_TOKEN;
50 buf.length = load_uint32_be(p);
52 if (buf.length != 0) {
54 return GSS_S_DEFECTIVE_TOKEN;
58 return GSS_S_COMPLETE;
62 importMechanismOid(OM_uint32 *minor,
68 unsigned char *p = *pBuf;
69 size_t remain = *pRemain;
72 oidBuf.length = load_uint32_be(p);
73 if (remain < 4 + oidBuf.length || oidBuf.length == 0) {
75 return GSS_S_DEFECTIVE_TOKEN;
78 oidBuf.elements = &p[4];
80 if (!gssEapIsConcreteMechanismOid(&oidBuf)) {
81 return GSS_S_BAD_MECH;
84 if (!gssEapInternalizeOid(&oidBuf, pOid)) {
85 major = duplicateOid(minor, &oidBuf, pOid);
90 *pBuf += 4 + oidBuf.length;
91 *pRemain -= 4 + oidBuf.length;
94 return GSS_S_COMPLETE;
98 importKerberosKey(OM_uint32 *minor,
103 unsigned char *p = *pBuf;
104 size_t remain = *pRemain;
105 OM_uint32 encryptionType;
111 return GSS_S_DEFECTIVE_TOKEN;
114 encryptionType = load_uint32_be(&p[0]);
115 length = load_uint32_be(&p[4]);
117 if ((length != 0) != (encryptionType != ENCTYPE_NULL)) {
119 return GSS_S_DEFECTIVE_TOKEN;
122 if (remain - 8 < length) {
124 return GSS_S_DEFECTIVE_TOKEN;
127 if (load_buffer(&p[8], length, &tmp) == NULL) {
129 return GSS_S_FAILURE;
132 KRB_KEY_TYPE(key) = encryptionType;
133 KRB_KEY_LENGTH(key) = tmp.length;
134 KRB_KEY_DATA(key) = (unsigned char *)tmp.value;
137 *pRemain -= 8 + length;
140 return GSS_S_COMPLETE;
144 importName(OM_uint32 *minor,
145 unsigned char **pBuf,
150 unsigned char *p = *pBuf;
151 size_t remain = *pRemain;
156 return GSS_S_DEFECTIVE_TOKEN;
159 tmp.length = load_uint32_be(p);
160 if (tmp.length != 0) {
161 if (remain - 4 < tmp.length) {
163 return GSS_S_DEFECTIVE_TOKEN;
168 major = gssEapImportName(minor, &tmp, GSS_C_NT_EXPORT_NAME, pName);
169 if (GSS_ERROR(major))
173 *pBuf += 4 + tmp.length;
174 *pRemain -= 4 + tmp.length;
177 return GSS_S_COMPLETE;
181 gssEapImportContext(OM_uint32 *minor,
186 unsigned char *p = (unsigned char *)token->value;
187 size_t remain = token->length;
191 return GSS_S_DEFECTIVE_TOKEN;
193 if (load_uint32_be(&p[0]) != EAP_EXPORT_CONTEXT_V1) {
195 return GSS_S_DEFECTIVE_TOKEN;
197 ctx->state = load_uint32_be(&p[4]);
198 ctx->flags = load_uint32_be(&p[8]);
199 ctx->gssFlags = load_uint32_be(&p[12]);
204 if (ctx->state < EAP_STATE_AUTHENTICATE ||
205 ctx->state > EAP_STATE_ESTABLISHED)
206 return GSS_S_DEFECTIVE_TOKEN;
208 /* Only acceptor can export partial context tokens */
209 if (CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx))
210 return GSS_S_DEFECTIVE_TOKEN;
212 major = importMechanismOid(minor, &p, &remain, &ctx->mechanismUsed);
213 if (GSS_ERROR(major))
216 major = importKerberosKey(minor, &p, &remain, &ctx->rfc3961Key);
217 if (GSS_ERROR(major))
220 ctx->encryptionType = KRB_KEY_TYPE(&ctx->rfc3961Key);
222 major = importName(minor, &p, &remain, &ctx->initiatorName);
223 if (GSS_ERROR(major))
226 major = importName(minor, &p, &remain, &ctx->acceptorName);
227 if (GSS_ERROR(major))
230 /* Check that, if context is established, names are valid */
231 if (CTX_IS_ESTABLISHED(ctx) &&
232 (CTX_IS_INITIATOR(ctx) ? ctx->acceptorName == GSS_C_NO_NAME
233 : ctx->initiatorName == GSS_C_NO_NAME)) {
234 return GSS_S_DEFECTIVE_TOKEN;
237 if (remain < 24 + sequenceSize(ctx->seqState)) {
239 return GSS_S_DEFECTIVE_TOKEN;
241 ctx->expiryTime = (time_t)load_uint64_be(&p[0]); /* XXX */
242 ctx->sendSeq = load_uint64_be(&p[8]);
243 ctx->recvSeq = load_uint64_be(&p[16]);
247 *minor = sequenceInternalize(&ctx->seqState, &p, &remain);
249 return GSS_S_FAILURE;
252 * The partial context should only be expected for unestablished
255 if (!CTX_IS_INITIATOR(ctx) && !CTX_IS_ESTABLISHED(ctx)) {
256 major = gssEapImportPartialContext(minor, &p, &remain, ctx);
257 if (GSS_ERROR(major))
264 major = GSS_S_COMPLETE;
270 gss_import_sec_context(OM_uint32 *minor,
271 gss_buffer_t interprocess_token,
272 gss_ctx_id_t *context_handle)
274 OM_uint32 major, tmpMinor;
275 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
277 *context_handle = GSS_C_NO_CONTEXT;
279 if (interprocess_token == GSS_C_NO_BUFFER ||
280 interprocess_token->length == 0)
281 return GSS_S_DEFECTIVE_TOKEN;
283 major = gssEapAllocContext(minor, &ctx);
284 if (GSS_ERROR(major))
287 major = gssEapImportContext(minor, interprocess_token, ctx);
288 if (GSS_ERROR(major))
291 *context_handle = ctx;
294 if (GSS_ERROR(major))
295 gssEapReleaseContext(&tmpMinor, &ctx);