mech_eap/util.h

   1 /*
   2  * Copyright (c) 2011, JANET(UK)
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * 3. Neither the name of JANET(UK) nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32 /*
  33  * Portions Copyright 2003-2010 Massachusetts Institute of Technology.
  34  * All Rights Reserved.
  35  *
  36  * Export of this software from the United States of America may
  37  *   require a specific license from the United States Government.
  38  *   It is the responsibility of any person or organization contemplating
  39  *   export to obtain such a license before exporting.
  40  *
  41  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  42  * distribute this software and its documentation for any purpose and
  43  * without fee is hereby granted, provided that the above copyright
  44  * notice appear in all copies and that both that copyright notice and
  45  * this permission notice appear in supporting documentation, and that
  46  * the name of M.I.T. not be used in advertising or publicity pertaining
  47  * to distribution of the software without specific, written prior
  48  * permission.  Furthermore if you modify this software you must label
  49  * your software as modified software and not distribute it in such a
  50  * fashion that it might be confused with the original M.I.T. software.
  51  * M.I.T. makes no representations about the suitability of
  52  * this software for any purpose.  It is provided "as is" without express
  53  * or implied warranty.
  54  *
  55  */
  56
  57 /*
  58  * Utility functions.
  59  */
  60
  61 #ifndef _UTIL_H_
  62 #define _UTIL_H_ 1
  63
  64 #include <sys/param.h>
  65 #include <string.h>
  66 #include <errno.h>
  67
  68 #include <krb5.h>
  69
  70 #ifdef __cplusplus
  71 extern "C" {
  72 #endif
  73
  74 #ifndef MIN
  75 #define MIN(_a,_b)  ((_a)<(_b)?(_a):(_b))
  76 #endif
  77
  78 #if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
  79 #define GSSEAP_UNUSED __attribute__ ((__unused__))
  80 #else
  81 #define GSSEAP_UNUSED
  82 #endif
  83
  84 /* util_buffer.c */
  85 OM_uint32
  86 makeStringBuffer(OM_uint32 *minor,
  87                  const char *string,
  88                  gss_buffer_t buffer);
  89
  90 #define makeStringBufferOrCleanup(src, dst)             \
  91     do {                                                \
  92         major = makeStringBuffer((minor), (src), (dst));\
  93         if (GSS_ERROR(major))                           \
  94             goto cleanup;                               \
  95     } while (0)
  96
  97 OM_uint32
  98 bufferToString(OM_uint32 *minor,
  99                const gss_buffer_t buffer,
 100                char **pString);
 101
 102 OM_uint32
 103 duplicateBuffer(OM_uint32 *minor,
 104                 const gss_buffer_t src,
 105                 gss_buffer_t dst);
 106
 107 #define duplicateBufferOrCleanup(src, dst)              \
 108     do {                                                \
 109         major = duplicateBuffer((minor), (src), (dst)); \
 110         if (GSS_ERROR(major))                           \
 111             goto cleanup;                               \
 112     } while (0)
 113
 114 static inline int
 115 bufferEqual(const gss_buffer_t b1, const gss_buffer_t b2)
 116 {
 117     return (b1->length == b2->length &&
 118             memcmp(b1->value, b2->value, b2->length) == 0);
 119 }
 120
 121 static inline int
 122 bufferEqualString(const gss_buffer_t b1, const char *s)
 123 {
 124     gss_buffer_desc b2;
 125
 126     b2.length = strlen(s);
 127     b2.value = (char *)s;
 128
 129     return bufferEqual(b1, &b2);
 130 }
 131
 132 /* util_cksum.c */
 133 int
 134 gssEapSign(krb5_context context,
 135            krb5_cksumtype type,
 136            size_t rrc,
 137 #ifdef HAVE_HEIMDAL_VERSION
 138            krb5_crypto crypto,
 139 #else
 140            krb5_keyblock *key,
 141 #endif
 142            krb5_keyusage sign_usage,
 143            gss_iov_buffer_desc *iov,
 144            int iov_count);
 145
 146 int
 147 gssEapVerify(krb5_context context,
 148              krb5_cksumtype type,
 149              size_t rrc,
 150 #ifdef HAVE_HEIMDAL_VERSION
 151              krb5_crypto crypto,
 152 #else
 153              krb5_keyblock *key,
 154 #endif
 155              krb5_keyusage sign_usage,
 156              gss_iov_buffer_desc *iov,
 157              int iov_count,
 158              int *valid);
 159
 160 #if 0
 161 OM_uint32
 162 gssEapEncodeGssChannelBindings(OM_uint32 *minor,
 163                                gss_channel_bindings_t chanBindings,
 164                                gss_buffer_t encodedBindings);
 165 #endif
 166
 167 /* util_context.c */
 168 #define EAP_EXPORT_CONTEXT_V1           1
 169
 170 enum gss_eap_token_type {
 171     TOK_TYPE_NONE                    = 0x0000,  /* no token */
 172     TOK_TYPE_MIC                     = 0x0404,  /* RFC 4121 MIC token */
 173     TOK_TYPE_WRAP                    = 0x0504,  /* RFC 4121 wrap token */
 174     TOK_TYPE_EXPORT_NAME             = 0x0401,  /* RFC 2743 exported name */
 175     TOK_TYPE_EXPORT_NAME_COMPOSITE   = 0x0402,  /* exported composite name */
 176     TOK_TYPE_DELETE_CONTEXT          = 0x0405,  /* RFC 2743 delete context */
 177     TOK_TYPE_INITIATOR_CONTEXT       = 0x0601,  /* initiator-sent context token */
 178     TOK_TYPE_ACCEPTOR_CONTEXT        = 0x0602,  /* acceptor-sent context token */
 179 };
 180
 181 /* inner token types and flags */
 182 #define ITOK_TYPE_NONE                  0x00000000
 183 #define ITOK_TYPE_CONTEXT_ERR           0x00000001 /* critical */
 184 #define ITOK_TYPE_ACCEPTOR_NAME_REQ     0x00000002 /* TBD */
 185 #define ITOK_TYPE_ACCEPTOR_NAME_RESP    0x00000003 /* TBD */
 186 #define ITOK_TYPE_EAP_RESP              0x00000004 /* critical, required, if not reauth */
 187 #define ITOK_TYPE_EAP_REQ               0x00000005 /* critical, required, if not reauth */
 188 #define ITOK_TYPE_GSS_CHANNEL_BINDINGS  0x00000006 /* critical, required, if not reauth */
 189 #define ITOK_TYPE_REAUTH_CREDS          0x00000007 /* optional */
 190 #define ITOK_TYPE_REAUTH_REQ            0x00000008 /* optional */
 191 #define ITOK_TYPE_REAUTH_RESP           0x00000009 /* optional */
 192 #define ITOK_TYPE_VERSION_INFO          0x0000000A /* optional */
 193 #define ITOK_TYPE_VENDOR_INFO           0x0000000B /* optional */
 194
 195 #define ITOK_FLAG_CRITICAL              0x80000000  /* critical, wire flag */
 196 #define ITOK_FLAG_VERIFIED              0x40000000  /* verified, API flag */
 197
 198 #define ITOK_TYPE_MASK                  (~(ITOK_FLAG_CRITICAL | ITOK_FLAG_VERIFIED))
 199
 200 OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
 201 OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
 202
 203 OM_uint32
 204 gssEapMakeToken(OM_uint32 *minor,
 205                 gss_ctx_id_t ctx,
 206                 const gss_buffer_t innerToken,
 207                 enum gss_eap_token_type tokenType,
 208                 gss_buffer_t outputToken);
 209
 210 OM_uint32
 211 gssEapVerifyToken(OM_uint32 *minor,
 212                   gss_ctx_id_t ctx,
 213                   const gss_buffer_t inputToken,
 214                   enum gss_eap_token_type *tokenType,
 215                   gss_buffer_t innerInputToken);
 216
 217 OM_uint32
 218 gssEapContextTime(OM_uint32 *minor,
 219                   gss_ctx_id_t context_handle,
 220                   OM_uint32 *time_rec);
 221
 222 /* util_cred.c */
 223 OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
 224 OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
 225
 226 gss_OID
 227 gssEapPrimaryMechForCred(gss_cred_id_t cred);
 228
 229 OM_uint32
 230 gssEapAcquireCred(OM_uint32 *minor,
 231                   const gss_name_t desiredName,
 232                   OM_uint32 timeReq,
 233                   const gss_OID_set desiredMechs,
 234                   int cred_usage,
 235                   gss_cred_id_t *pCred,
 236                   gss_OID_set *pActualMechs,
 237                   OM_uint32 *timeRec);
 238
 239 OM_uint32
 240 gssEapSetCredPassword(OM_uint32 *minor,
 241                       gss_cred_id_t cred,
 242                       const gss_buffer_t password);
 243
 244 OM_uint32
 245 gssEapSetCredService(OM_uint32 *minor,
 246                      gss_cred_id_t cred,
 247                      const gss_name_t target);
 248
 249 OM_uint32
 250 gssEapResolveInitiatorCred(OM_uint32 *minor,
 251                            const gss_cred_id_t cred,
 252                            const gss_name_t target,
 253                            gss_cred_id_t *resolvedCred);
 254
 255 int gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech);
 256
 257 OM_uint32
 258 gssEapInquireCred(OM_uint32 *minor,
 259                   gss_cred_id_t cred,
 260                   gss_name_t *name,
 261                   OM_uint32 *pLifetime,
 262                   gss_cred_usage_t *cred_usage,
 263                   gss_OID_set *mechanisms);
 264
 265 /* util_crypt.c */
 266 int
 267 gssEapEncrypt(krb5_context context, int dce_style, size_t ec,
 268               size_t rrc,
 269 #ifdef HAVE_HEIMDAL_VERSION
 270               krb5_crypto crypto,
 271 #else
 272               krb5_keyblock *key,
 273 #endif
 274               int usage,
 275               gss_iov_buffer_desc *iov, int iov_count);
 276
 277 int
 278 gssEapDecrypt(krb5_context context, int dce_style, size_t ec,
 279               size_t rrc,
 280 #ifdef HAVE_HEIMDAL_VERSION
 281               krb5_crypto crypto,
 282 #else
 283               krb5_keyblock *key,
 284 #endif
 285               int usage,
 286               gss_iov_buffer_desc *iov, int iov_count);
 287
 288 int
 289 gssEapMapCryptoFlag(OM_uint32 type);
 290
 291 gss_iov_buffer_t
 292 gssEapLocateIov(gss_iov_buffer_desc *iov,
 293                 int iov_count,
 294                 OM_uint32 type);
 295
 296 void
 297 gssEapIovMessageLength(gss_iov_buffer_desc *iov,
 298                        int iov_count,
 299                        size_t *data_length,
 300                        size_t *assoc_data_length);
 301
 302 void
 303 gssEapReleaseIov(gss_iov_buffer_desc *iov, int iov_count);
 304
 305 int
 306 gssEapIsIntegrityOnly(gss_iov_buffer_desc *iov, int iov_count);
 307
 308 int
 309 gssEapAllocIov(gss_iov_buffer_t iov, size_t size);
 310
 311 OM_uint32
 312 gssEapDeriveRfc3961Key(OM_uint32 *minor,
 313                        const unsigned char *key,
 314                        size_t keyLength,
 315                        krb5_enctype enctype,
 316                        krb5_keyblock *pKey);
 317
 318 /* util_krb.c */
 319 #ifdef HAVE_HEIMDAL_VERSION
 320
 321 #define KRB_TIME_FOREVER        ((time_t)~0L)
 322
 323 #define KRB_KEY_TYPE(key)       ((key)->keytype)
 324 #define KRB_KEY_DATA(key)       ((key)->keyvalue.data)
 325 #define KRB_KEY_LENGTH(key)     ((key)->keyvalue.length)
 326
 327 #define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len)
 328 #define KRB_PRINC_TYPE(princ)   ((princ)->name.name_type)
 329 #define KRB_PRINC_NAME(princ)   ((princ)->name.name_string.val)
 330 #define KRB_PRINC_REALM(princ)  ((princ)->realm)
 331
 332 #define KRB_KT_ENT_KEYBLOCK(e)  (&(e)->keyblock)
 333 #define KRB_KT_ENT_FREE(c, e)   krb5_kt_free_entry((c), (e))
 334
 335 #define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto)
 336
 337 #else
 338
 339 #define KRB_TIME_FOREVER        KRB5_INT32_MAX
 340
 341 #define KRB_KEY_TYPE(key)       ((key)->enctype)
 342 #define KRB_KEY_DATA(key)       ((key)->contents)
 343 #define KRB_KEY_LENGTH(key)     ((key)->length)
 344
 345 #define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ)))
 346 #define KRB_PRINC_TYPE(princ)   (krb5_princ_type(NULL, (princ)))
 347 #define KRB_PRINC_NAME(princ)   (krb5_princ_name(NULL, (princ)))
 348 #define KRB_PRINC_REALM(princ)  (krb5_princ_realm(NULL, (princ)))
 349
 350 #define KRB_KT_ENT_KEYBLOCK(e)  (&(e)->key)
 351 #define KRB_KT_ENT_FREE(c, e)   krb5_free_keytab_entry_contents((c), (e))
 352
 353 #define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key)
 354
 355 #endif /* HAVE_HEIMDAL_VERSION */
 356
 357 #define KRB_KEY_INIT(key)       do {        \
 358         KRB_KEY_TYPE(key) = ENCTYPE_NULL;   \
 359         KRB_KEY_DATA(key) = NULL;           \
 360         KRB_KEY_LENGTH(key) = 0;            \
 361     } while (0)
 362
 363 #define GSSEAP_KRB_INIT(ctx) do {                   \
 364         OM_uint32 tmpMajor;                         \
 365                                                     \
 366         tmpMajor  = gssEapKerberosInit(minor, ctx); \
 367         if (GSS_ERROR(tmpMajor)) {                  \
 368             return tmpMajor;                        \
 369         }                                           \
 370     } while (0)
 371
 372 OM_uint32
 373 gssEapKerberosInit(OM_uint32 *minor, krb5_context *context);
 374
 375 OM_uint32
 376 rfc3961ChecksumTypeForKey(OM_uint32 *minor,
 377                           krb5_keyblock *key,
 378                           krb5_cksumtype *cksumtype);
 379
 380 krb5_error_code
 381 krbCryptoLength(krb5_context krbContext,
 382 #ifdef HAVE_HEIMDAL_VERSION
 383                 krb5_crypto krbCrypto,
 384 #else
 385                 krb5_keyblock *key,
 386 #endif
 387                 int type,
 388                 size_t *length);
 389
 390 krb5_error_code
 391 krbPaddingLength(krb5_context krbContext,
 392 #ifdef HAVE_HEIMDAL_VERSION
 393                  krb5_crypto krbCrypto,
 394 #else
 395                  krb5_keyblock *key,
 396 #endif
 397                  size_t dataLength,
 398                  size_t *padLength);
 399
 400 krb5_error_code
 401 krbBlockSize(krb5_context krbContext,
 402 #ifdef HAVE_HEIMDAL_VERSION
 403                  krb5_crypto krbCrypto,
 404 #else
 405                  krb5_keyblock *key,
 406 #endif
 407                  size_t *blockSize);
 408
 409 krb5_error_code
 410 krbEnctypeToString(krb5_context krbContext,
 411                    krb5_enctype enctype,
 412                    const char *prefix,
 413                    gss_buffer_t string);
 414
 415 krb5_error_code
 416 krbMakeAuthDataKdcIssued(krb5_context context,
 417                          const krb5_keyblock *key,
 418                          krb5_const_principal issuer,
 419 #ifdef HAVE_HEIMDAL_VERSION
 420                          const AuthorizationData *authdata,
 421                          AuthorizationData *adKdcIssued
 422 #else
 423                          krb5_authdata *const *authdata,
 424                          krb5_authdata ***adKdcIssued
 425 #endif
 426                          );
 427
 428 krb5_error_code
 429 krbMakeCred(krb5_context context,
 430             krb5_auth_context authcontext,
 431             krb5_creds *creds,
 432             krb5_data *data);
 433
 434 /* util_lucid.c */
 435 OM_uint32
 436 gssEapExportLucidSecContext(OM_uint32 *minor,
 437                             gss_ctx_id_t ctx,
 438                             const gss_OID desiredObject,
 439                             gss_buffer_set_t *data_set);
 440
 441 /* util_mech.c */
 442 extern gss_OID GSS_EAP_MECHANISM;
 443
 444 #define OID_FLAG_NULL_VALID                 0x00000001
 445 #define OID_FLAG_FAMILY_MECH_VALID          0x00000002
 446 #define OID_FLAG_MAP_NULL_TO_DEFAULT_MECH   0x00000004
 447 #define OID_FLAG_MAP_FAMILY_MECH_TO_NULL    0x00000008
 448
 449 OM_uint32
 450 gssEapCanonicalizeOid(OM_uint32 *minor,
 451                       const gss_OID oid,
 452                       OM_uint32 flags,
 453                       gss_OID *pOid);
 454
 455 OM_uint32
 456 gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid);
 457
 458 OM_uint32
 459 gssEapDefaultMech(OM_uint32 *minor,
 460                   gss_OID *oid);
 461
 462 OM_uint32
 463 gssEapIndicateMechs(OM_uint32 *minor,
 464                     gss_OID_set *mechs);
 465
 466 OM_uint32
 467 gssEapEnctypeToOid(OM_uint32 *minor,
 468                    krb5_enctype enctype,
 469                    gss_OID *pOid);
 470
 471 OM_uint32
 472 gssEapOidToEnctype(OM_uint32 *minor,
 473                    const gss_OID oid,
 474                    krb5_enctype *enctype);
 475
 476 int
 477 gssEapIsMechanismOid(const gss_OID oid);
 478
 479 int
 480 gssEapIsConcreteMechanismOid(const gss_OID oid);
 481
 482 OM_uint32
 483 gssEapValidateMechs(OM_uint32 *minor,
 484                    const gss_OID_set mechs);
 485
 486 gss_buffer_t
 487 gssEapOidToSaslName(const gss_OID oid);
 488
 489 gss_OID
 490 gssEapSaslNameToOid(const gss_buffer_t name);
 491
 492 /* util_moonshot.c */
 493 OM_uint32
 494 libMoonshotResolveDefaultIdentity(OM_uint32 *minor,
 495                                   const gss_cred_id_t cred,
 496                                   gss_name_t *pName);
 497
 498 OM_uint32
 499 libMoonshotResolveInitiatorCred(OM_uint32 *minor,
 500                                 gss_cred_id_t cred,
 501                                 const gss_name_t targetName);
 502
 503 /* util_name.c */
 504 #define EXPORT_NAME_FLAG_OID                    0x1
 505 #define EXPORT_NAME_FLAG_COMPOSITE              0x2
 506 #define EXPORT_NAME_FLAG_ALLOW_COMPOSITE        0x4
 507
 508 OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName);
 509 OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName);
 510 OM_uint32 gssEapExportName(OM_uint32 *minor,
 511                            const gss_name_t name,
 512                            gss_buffer_t exportedName);
 513 OM_uint32 gssEapExportNameInternal(OM_uint32 *minor,
 514                                    const gss_name_t name,
 515                                    gss_buffer_t exportedName,
 516                                    OM_uint32 flags);
 517 OM_uint32 gssEapImportName(OM_uint32 *minor,
 518                            const gss_buffer_t input_name_buffer,
 519                            const gss_OID input_name_type,
 520                            const gss_OID input_mech_type,
 521                            gss_name_t *output_name);
 522 OM_uint32 gssEapImportNameInternal(OM_uint32 *minor,
 523                                    const gss_buffer_t input_name_buffer,
 524                                    gss_name_t *output_name,
 525                                    OM_uint32 flags);
 526 OM_uint32
 527 gssEapDuplicateName(OM_uint32 *minor,
 528                     const gss_name_t input_name,
 529                     gss_name_t *dest_name);
 530
 531 OM_uint32
 532 gssEapCanonicalizeName(OM_uint32 *minor,
 533                        const gss_name_t input_name,
 534                        const gss_OID mech_type,
 535                        gss_name_t *dest_name);
 536
 537 OM_uint32
 538 gssEapDisplayName(OM_uint32 *minor,
 539                   gss_name_t name,
 540                   gss_buffer_t output_name_buffer,
 541                   gss_OID *output_name_type);
 542
 543 OM_uint32
 544 gssEapCompareName(OM_uint32 *minor,
 545                   gss_name_t name1,
 546                   gss_name_t name2,
 547                   int *name_equal);
 548
 549 /* util_oid.c */
 550 OM_uint32
 551 composeOid(OM_uint32 *minor_status,
 552            const char *prefix,
 553            size_t prefix_len,
 554            int suffix,
 555            gss_OID_desc *oid);
 556
 557 OM_uint32
 558 decomposeOid(OM_uint32 *minor_status,
 559              const char *prefix,
 560              size_t prefix_len,
 561              gss_OID_desc *oid,
 562              int *suffix) ;
 563
 564 OM_uint32
 565 duplicateOid(OM_uint32 *minor_status,
 566              const gss_OID_desc * const oid,
 567              gss_OID *new_oid);
 568
 569 OM_uint32
 570 duplicateOidSet(OM_uint32 *minor,
 571                 const gss_OID_set src,
 572                 gss_OID_set *dst);
 573
 574 static inline int
 575 oidEqual(const gss_OID_desc *o1, const gss_OID_desc *o2)
 576 {
 577     if (o1 == GSS_C_NO_OID)
 578         return (o2 == GSS_C_NO_OID);
 579     else if (o2 == GSS_C_NO_OID)
 580         return (o1 == GSS_C_NO_OID);
 581     else
 582         return (o1->length == o2->length &&
 583                 memcmp(o1->elements, o2->elements, o1->length) == 0);
 584 }
 585
 586 /* util_ordering.c */
 587 OM_uint32
 588 sequenceInternalize(OM_uint32 *minor,
 589                     void **vqueue,
 590                     unsigned char **buf,
 591                     size_t *lenremain);
 592
 593 OM_uint32
 594 sequenceExternalize(OM_uint32 *minor,
 595                     void *vqueue,
 596                     unsigned char **buf,
 597                     size_t *lenremain);
 598
 599 size_t
 600 sequenceSize(void *vqueue);
 601
 602 OM_uint32
 603 sequenceFree(OM_uint32 *minor, void **vqueue);
 604
 605 OM_uint32
 606 sequenceCheck(OM_uint32 *minor, void **vqueue, uint64_t seqnum);
 607
 608 OM_uint32
 609 sequenceInit(OM_uint32 *minor, void **vqueue, uint64_t seqnum,
 610              int do_replay, int do_sequence, int wide_nums);
 611
 612 /* util_sm.c */
 613 enum gss_eap_state {
 614     GSSEAP_STATE_INITIAL        = 0x01,     /* initial state */
 615     GSSEAP_STATE_AUTHENTICATE   = 0x02,     /* exchange EAP messages */
 616     GSSEAP_STATE_INITIATOR_EXTS = 0x04,     /* initiator extensions */
 617     GSSEAP_STATE_ACCEPTOR_EXTS  = 0x08,     /* acceptor extensions */
 618 #ifdef GSSEAP_ENABLE_REAUTH
 619     GSSEAP_STATE_REAUTHENTICATE = 0x10,     /* GSS reauthentication messages */
 620 #endif
 621     GSSEAP_STATE_ESTABLISHED    = 0x20,     /* context established */
 622     GSSEAP_STATE_ALL            = 0x3F
 623 };
 624
 625 #define GSSEAP_STATE_NEXT(s)    ((s) << 1)
 626
 627 #define GSSEAP_SM_STATE(ctx)                ((ctx)->state)
 628
 629 #ifdef GSSEAP_DEBUG
 630 void gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
 631 #define GSSEAP_SM_TRANSITION(ctx, state)    gssEapSmTransition((ctx), (state))
 632 #else
 633 #define GSSEAP_SM_TRANSITION(ctx, newstate)    do { (ctx)->state = (newstate); } while (0)
 634 #endif
 635
 636 #define GSSEAP_SM_TRANSITION_NEXT(ctx)      GSSEAP_SM_TRANSITION((ctx), GSSEAP_STATE_NEXT(GSSEAP_SM_STATE((ctx))))
 637
 638 /* state machine entry */
 639 struct gss_eap_sm {
 640     OM_uint32 inputTokenType;
 641     OM_uint32 outputTokenType;
 642     enum gss_eap_state validStates;
 643     OM_uint32 itokFlags;
 644     OM_uint32 (*processToken)(OM_uint32 *,
 645                               gss_cred_id_t,
 646                               gss_ctx_id_t,
 647                               gss_name_t,
 648                               gss_OID,
 649                               OM_uint32,
 650                               OM_uint32,
 651                               gss_channel_bindings_t,
 652                               gss_buffer_t,
 653                               gss_buffer_t,
 654                               OM_uint32 *);
 655 };
 656
 657 /* state machine flags, set by handler */
 658 #define SM_FLAG_FORCE_SEND_TOKEN            0x00000001  /* send token even if no inner tokens */
 659 #define SM_FLAG_OUTPUT_TOKEN_CRITICAL       0x00000002  /* output token is critical */
 660
 661 /* state machine flags, set by state machine */
 662 #define SM_FLAG_INPUT_TOKEN_CRITICAL        0x10000000  /* input token was critical */
 663
 664 #define SM_ITOK_FLAG_REQUIRED               0x00000001  /* received tokens must be present */
 665
 666 OM_uint32
 667 gssEapSmStep(OM_uint32 *minor,
 668              gss_cred_id_t cred,
 669              gss_ctx_id_t ctx,
 670              gss_name_t target,
 671              gss_OID mech,
 672              OM_uint32 reqFlags,
 673              OM_uint32 timeReq,
 674              gss_channel_bindings_t chanBindings,
 675              gss_buffer_t inputToken,
 676              gss_buffer_t outputToken,
 677              struct gss_eap_sm *sm,
 678              size_t smCount);
 679
 680 void
 681 gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
 682
 683 /* util_token.c */
 684 OM_uint32
 685 gssEapEncodeInnerTokens(OM_uint32 *minor,
 686                         gss_buffer_set_t extensions,
 687                         OM_uint32 *types,
 688                         gss_buffer_t buffer);
 689 OM_uint32
 690 gssEapDecodeInnerTokens(OM_uint32 *minor,
 691                         const gss_buffer_t buffer,
 692                         gss_buffer_set_t *pExtensions,
 693                         OM_uint32 **pTypes);
 694
 695 size_t
 696 tokenSize(const gss_OID_desc *mech, size_t body_size);
 697
 698 void
 699 makeTokenHeader(const gss_OID_desc *mech,
 700                 size_t body_size,
 701                 unsigned char **buf,
 702                 enum gss_eap_token_type tok_type);
 703
 704 OM_uint32
 705 verifyTokenHeader(OM_uint32 *minor,
 706                   gss_OID mech,
 707                   size_t *body_size,
 708                   unsigned char **buf_in,
 709                   size_t toksize_in,
 710                   enum gss_eap_token_type *ret_tok_type);
 711
 712 /* Helper macros */
 713
 714 #define GSSEAP_CALLOC                   calloc
 715 #define GSSEAP_MALLOC                   malloc
 716 #define GSSEAP_FREE                     free
 717 #define GSSEAP_REALLOC                  realloc
 718
 719 #define GSSEAP_NOT_IMPLEMENTED          do {            \
 720         assert(0 && "not implemented");                 \
 721         *minor = ENOSYS;                                \
 722         return GSS_S_FAILURE;                           \
 723     } while (0)
 724
 725 #include <pthread.h>
 726
 727 #define GSSEAP_MUTEX                    pthread_mutex_t
 728 #define GSSEAP_MUTEX_INITIALIZER        PTHREAD_MUTEX_INITIALIZER
 729
 730 #define GSSEAP_MUTEX_INIT(m)            pthread_mutex_init((m), NULL)
 731 #define GSSEAP_MUTEX_DESTROY(m)         pthread_mutex_destroy((m))
 732 #define GSSEAP_MUTEX_LOCK(m)            pthread_mutex_lock((m))
 733 #define GSSEAP_MUTEX_UNLOCK(m)          pthread_mutex_unlock((m))
 734
 735 #define GSSEAP_THREAD_KEY               pthread_key_t
 736 #define GSSEAP_KEY_CREATE(k, d)         pthread_key_create((k), (d))
 737 #define GSSEAP_GETSPECIFIC(k)           pthread_getspecific((k))
 738 #define GSSEAP_SETSPECIFIC(k, d)        pthread_setspecific((k), (d))
 739
 740 #define GSSEAP_THREAD_ONCE              pthread_once_t
 741 #define GSSEAP_ONCE(o, i)               pthread_once((o), (i))
 742 #define GSSEAP_ONCE_INITIALIZER         PTHREAD_ONCE_INIT
 743
 744 /* Helper functions */
 745 static inline void
 746 store_uint16_be(uint16_t val, void *vp)
 747 {
 748     unsigned char *p = (unsigned char *)vp;
 749
 750     p[0] = (val >>  8) & 0xff;
 751     p[1] = (val      ) & 0xff;
 752 }
 753
 754 static inline uint16_t
 755 load_uint16_be(const void *cvp)
 756 {
 757     const unsigned char *p = (const unsigned char *)cvp;
 758
 759     return (p[1] | (p[0] << 8));
 760 }
 761
 762 static inline void
 763 store_uint32_be(uint32_t val, void *vp)
 764 {
 765     unsigned char *p = (unsigned char *)vp;
 766
 767     p[0] = (val >> 24) & 0xff;
 768     p[1] = (val >> 16) & 0xff;
 769     p[2] = (val >>  8) & 0xff;
 770     p[3] = (val      ) & 0xff;
 771 }
 772
 773 static inline uint32_t
 774 load_uint32_be(const void *cvp)
 775 {
 776     const unsigned char *p = (const unsigned char *)cvp;
 777
 778     return (p[3] | (p[2] << 8)
 779             | ((uint32_t) p[1] << 16)
 780             | ((uint32_t) p[0] << 24));
 781 }
 782
 783 static inline void
 784 store_uint64_be(uint64_t val, void *vp)
 785 {
 786     unsigned char *p = (unsigned char *)vp;
 787
 788     p[0] = (unsigned char)((val >> 56) & 0xff);
 789     p[1] = (unsigned char)((val >> 48) & 0xff);
 790     p[2] = (unsigned char)((val >> 40) & 0xff);
 791     p[3] = (unsigned char)((val >> 32) & 0xff);
 792     p[4] = (unsigned char)((val >> 24) & 0xff);
 793     p[5] = (unsigned char)((val >> 16) & 0xff);
 794     p[6] = (unsigned char)((val >>  8) & 0xff);
 795     p[7] = (unsigned char)((val      ) & 0xff);
 796 }
 797
 798 static inline uint64_t
 799 load_uint64_be(const void *cvp)
 800 {
 801     const unsigned char *p = (const unsigned char *)cvp;
 802
 803     return ((uint64_t)load_uint32_be(p) << 32) | load_uint32_be(p + 4);
 804 }
 805
 806 static inline unsigned char *
 807 store_buffer(gss_buffer_t buffer, void *vp, int wide_nums)
 808 {
 809     unsigned char *p = (unsigned char *)vp;
 810
 811     if (wide_nums) {
 812         store_uint64_be(buffer->length, p);
 813         p += 8;
 814     } else {
 815         store_uint32_be(buffer->length, p);
 816         p += 4;
 817     }
 818
 819     if (buffer->value != NULL) {
 820         memcpy(p, buffer->value, buffer->length);
 821         p += buffer->length;
 822     }
 823
 824     return p;
 825 }
 826
 827 static inline unsigned char *
 828 load_buffer(const void *cvp, size_t length, gss_buffer_t buffer)
 829 {
 830     buffer->length = 0;
 831     buffer->value = GSSEAP_MALLOC(length);
 832     if (buffer->value == NULL)
 833         return NULL;
 834     buffer->length = length;
 835     memcpy(buffer->value, cvp, length);
 836     return (unsigned char *)cvp + length;
 837 }
 838
 839 static inline unsigned char *
 840 store_oid(gss_OID oid, void *vp)
 841 {
 842     gss_buffer_desc buf;
 843
 844     if (oid != GSS_C_NO_OID) {
 845         buf.length = oid->length;
 846         buf.value = oid->elements;
 847     } else {
 848         buf.length = 0;
 849         buf.value = NULL;
 850     }
 851
 852     return store_buffer(&buf, vp, FALSE);
 853 }
 854
 855 static inline void
 856 krbDataToGssBuffer(krb5_data *data, gss_buffer_t buffer)
 857 {
 858     buffer->value = (void *)data->data;
 859     buffer->length = data->length;
 860 }
 861
 862 static inline void
 863 krbPrincComponentToGssBuffer(krb5_principal krbPrinc,
 864                              int index, gss_buffer_t buffer)
 865 {
 866 #ifdef HAVE_HEIMDAL_VERSION
 867     buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index];
 868     buffer->length = strlen((char *)buffer->value);
 869 #else
 870     buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data;
 871     buffer->length = krb5_princ_component(NULL, krbPrinc, index)->length;
 872 #endif /* HAVE_HEIMDAL_VERSION */
 873 }
 874
 875 static inline void
 876 krbPrincRealmToGssBuffer(krb5_principal krbPrinc, gss_buffer_t buffer)
 877 {
 878 #ifdef HAVE_HEIMDAL_VERSION
 879     buffer->value = (void *)KRB_PRINC_REALM(krbPrinc);
 880     buffer->length = strlen((char *)buffer->value);
 881 #else
 882     krbDataToGssBuffer(KRB_PRINC_REALM(krbPrinc), buffer);
 883 #endif
 884 }
 885
 886 static inline void
 887 gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data)
 888 {
 889     data->data = (char *)buffer->value;
 890     data->length = buffer->length;
 891 }
 892
 893 #ifdef __cplusplus
 894 }
 895 #endif
 896
 897 #include "util_json.h"
 898 #include "util_attr.h"
 899 #include "util_base64.h"
 900 #ifdef GSSEAP_ENABLE_REAUTH
 901 #include "util_reauth.h"
 902 #endif
 903
 904 #endif /* _UTIL_H_ */