mech_eap/util.h

   1 /*
   2  * Copyright (c) 2011, JANET(UK)
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * 3. Neither the name of JANET(UK) nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32 /*
  33  * Portions Copyright 2003-2010 Massachusetts Institute of Technology.
  34  * All Rights Reserved.
  35  *
  36  * Export of this software from the United States of America may
  37  *   require a specific license from the United States Government.
  38  *   It is the responsibility of any person or organization contemplating
  39  *   export to obtain such a license before exporting.
  40  *
  41  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  42  * distribute this software and its documentation for any purpose and
  43  * without fee is hereby granted, provided that the above copyright
  44  * notice appear in all copies and that both that copyright notice and
  45  * this permission notice appear in supporting documentation, and that
  46  * the name of M.I.T. not be used in advertising or publicity pertaining
  47  * to distribution of the software without specific, written prior
  48  * permission.  Furthermore if you modify this software you must label
  49  * your software as modified software and not distribute it in such a
  50  * fashion that it might be confused with the original M.I.T. software.
  51  * M.I.T. makes no representations about the suitability of
  52  * this software for any purpose.  It is provided "as is" without express
  53  * or implied warranty.
  54  *
  55  */
  56
  57 /*
  58  * Utility functions.
  59  */
  60
  61 #ifndef _UTIL_H_
  62 #define _UTIL_H_ 1
  63
  64 #ifdef HAVE_SYS_PARAM_H
  65 #include <sys/param.h>
  66 #endif
  67 #ifdef HAVE_STDINT_H
  68 #include <stdint.h>
  69 #endif
  70 #include <string.h>
  71 #include <errno.h>
  72
  73 #include <krb5.h>
  74 #ifndef HAVE_HEIMDAL_VERSION
  75 #include "gssapi_headerfix.h"
  76 #endif
  77
  78 #ifdef WIN32
  79 # ifndef __cplusplus
  80 # define inline __inline
  81 # endif
  82 #define snprintf _snprintf
  83 #endif
  84
  85 #ifdef __cplusplus
  86 extern "C" {
  87 #endif
  88
  89 #ifndef MIN
  90 #define MIN(_a,_b)  ((_a)<(_b)?(_a):(_b))
  91 #endif
  92
  93 #if !defined(WIN32) && !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
  94 #define GSSEAP_UNUSED __attribute__ ((__unused__))
  95 #else
  96 #define GSSEAP_UNUSED
  97 #endif
  98
  99 /* util_buffer.c */
 100 OM_uint32
 101 makeStringBuffer(OM_uint32 *minor,
 102                  const char *string,
 103                  gss_buffer_t buffer);
 104
 105 #define makeStringBufferOrCleanup(src, dst)             \
 106     do {                                                \
 107         major = makeStringBuffer((minor), (src), (dst));\
 108         if (GSS_ERROR(major))                           \
 109             goto cleanup;                               \
 110     } while (0)
 111
 112 OM_uint32
 113 bufferToString(OM_uint32 *minor,
 114                const gss_buffer_t buffer,
 115                char **pString);
 116
 117 OM_uint32
 118 duplicateBuffer(OM_uint32 *minor,
 119                 const gss_buffer_t src,
 120                 gss_buffer_t dst);
 121
 122 #define duplicateBufferOrCleanup(src, dst)              \
 123     do {                                                \
 124         major = duplicateBuffer((minor), (src), (dst)); \
 125         if (GSS_ERROR(major))                           \
 126             goto cleanup;                               \
 127     } while (0)
 128
 129 static inline int
 130 bufferEqual(const gss_buffer_t b1, const gss_buffer_t b2)
 131 {
 132     return (b1->length == b2->length &&
 133             memcmp(b1->value, b2->value, b2->length) == 0);
 134 }
 135
 136 static inline int
 137 bufferEqualString(const gss_buffer_t b1, const char *s)
 138 {
 139     gss_buffer_desc b2;
 140
 141     b2.length = strlen(s);
 142     b2.value = (char *)s;
 143
 144     return bufferEqual(b1, &b2);
 145 }
 146
 147 /* util_cksum.c */
 148 enum gss_eap_token_type {
 149     TOK_TYPE_NONE                    = 0x0000,  /* no token */
 150     TOK_TYPE_MIC                     = 0x0404,  /* RFC 4121 MIC token */
 151     TOK_TYPE_WRAP                    = 0x0504,  /* RFC 4121 wrap token */
 152     TOK_TYPE_EXPORT_NAME             = 0x0401,  /* RFC 2743 exported name */
 153     TOK_TYPE_EXPORT_NAME_COMPOSITE   = 0x0402,  /* exported composite name */
 154     TOK_TYPE_DELETE_CONTEXT          = 0x0405,  /* RFC 2743 delete context */
 155     TOK_TYPE_INITIATOR_CONTEXT       = 0x0601,  /* initiator-sent context token */
 156     TOK_TYPE_ACCEPTOR_CONTEXT        = 0x0602,  /* acceptor-sent context token */
 157 };
 158
 159 int
 160 gssEapSign(krb5_context context,
 161            krb5_cksumtype type,
 162            size_t rrc,
 163 #ifdef HAVE_HEIMDAL_VERSION
 164            krb5_crypto crypto,
 165 #else
 166            krb5_keyblock *key,
 167 #endif
 168            krb5_keyusage sign_usage,
 169            gss_iov_buffer_desc *iov,
 170            int iov_count,
 171            enum gss_eap_token_type toktype);
 172
 173 int
 174 gssEapVerify(krb5_context context,
 175              krb5_cksumtype type,
 176              size_t rrc,
 177 #ifdef HAVE_HEIMDAL_VERSION
 178              krb5_crypto crypto,
 179 #else
 180              krb5_keyblock *key,
 181 #endif
 182              krb5_keyusage sign_usage,
 183              gss_iov_buffer_desc *iov,
 184              int iov_count,
 185              enum gss_eap_token_type toktype,
 186              int *valid);
 187
 188 #if 0
 189 OM_uint32
 190 gssEapEncodeGssChannelBindings(OM_uint32 *minor,
 191                                gss_channel_bindings_t chanBindings,
 192                                gss_buffer_t encodedBindings);
 193 #endif
 194
 195 /* util_context.c */
 196 #define EAP_EXPORT_CONTEXT_V1           1
 197
 198 /* inner token types and flags */
 199 #define ITOK_TYPE_NONE                  0x00000000
 200 #define ITOK_TYPE_CONTEXT_ERR           0x00000001 /* critical */
 201 #define ITOK_TYPE_ACCEPTOR_NAME_REQ     0x00000002 /* TBD */
 202 #define ITOK_TYPE_ACCEPTOR_NAME_RESP    0x00000003 /* TBD */
 203 #define ITOK_TYPE_EAP_RESP              0x00000004 /* critical, required, if not reauth */
 204 #define ITOK_TYPE_EAP_REQ               0x00000005 /* critical, required, if not reauth */
 205 #define ITOK_TYPE_GSS_CHANNEL_BINDINGS  0x00000006 /* critical, required, if not reauth */
 206 #define ITOK_TYPE_REAUTH_CREDS          0x00000007 /* optional */
 207 #define ITOK_TYPE_REAUTH_REQ            0x00000008 /* optional */
 208 #define ITOK_TYPE_REAUTH_RESP           0x00000009 /* optional */
 209 #define ITOK_TYPE_VERSION_INFO          0x0000000A /* optional */
 210 #define ITOK_TYPE_VENDOR_INFO           0x0000000B /* optional */
 211 #define ITOK_TYPE_GSS_FLAGS             0x0000000C /* optional */
 212 #define ITOK_TYPE_INITIATOR_MIC         0x0000000D /* critical, required, if not reauth */
 213 #define ITOK_TYPE_ACCEPTOR_MIC          0x0000000E /* TBD */
 214
 215 #define ITOK_FLAG_CRITICAL              0x80000000  /* critical, wire flag */
 216 #define ITOK_FLAG_VERIFIED              0x40000000  /* verified, API flag */
 217
 218 #define ITOK_TYPE_MASK                  (~(ITOK_FLAG_CRITICAL | ITOK_FLAG_VERIFIED))
 219
 220 #define GSSEAP_WIRE_FLAGS_MASK          ( GSS_C_MUTUAL_FLAG             | \
 221                                           GSS_C_DCE_STYLE               | \
 222                                           GSS_C_IDENTIFY_FLAG           | \
 223                                           GSS_C_EXTENDED_ERROR_FLAG       )
 224
 225 OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
 226 OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
 227
 228 OM_uint32
 229 gssEapMakeToken(OM_uint32 *minor,
 230                 gss_ctx_id_t ctx,
 231                 const gss_buffer_t innerToken,
 232                 enum gss_eap_token_type tokenType,
 233                 gss_buffer_t outputToken);
 234
 235 OM_uint32
 236 gssEapVerifyToken(OM_uint32 *minor,
 237                   gss_ctx_id_t ctx,
 238                   const gss_buffer_t inputToken,
 239                   enum gss_eap_token_type *tokenType,
 240                   gss_buffer_t innerInputToken);
 241
 242 OM_uint32
 243 gssEapContextTime(OM_uint32 *minor,
 244                   gss_const_ctx_id_t context_handle,
 245                   OM_uint32 *time_rec);
 246
 247 OM_uint32
 248 gssEapMakeTokenMIC(OM_uint32 *minor,
 249                    gss_ctx_id_t ctx,
 250                    gss_buffer_t tokenMIC);
 251
 252 OM_uint32
 253 gssEapVerifyTokenMIC(OM_uint32 *minor,
 254                      gss_ctx_id_t ctx,
 255                      const gss_buffer_t tokenMIC);
 256
 257 /* util_cred.c */
 258 OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
 259 OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
 260
 261 gss_OID
 262 gssEapPrimaryMechForCred(gss_cred_id_t cred);
 263
 264 OM_uint32
 265 gssEapAcquireCred(OM_uint32 *minor,
 266                   gss_const_name_t desiredName,
 267                   OM_uint32 timeReq,
 268                   const gss_OID_set desiredMechs,
 269                   int cred_usage,
 270                   gss_cred_id_t *pCred,
 271                   gss_OID_set *pActualMechs,
 272                   OM_uint32 *timeRec);
 273
 274 OM_uint32
 275 gssEapSetCredPassword(OM_uint32 *minor,
 276                       gss_cred_id_t cred,
 277                       const gss_buffer_t password);
 278
 279 OM_uint32
 280 gssEapSetCredClientCertificate(OM_uint32 *minor,
 281                                gss_cred_id_t cred,
 282                                const gss_buffer_t clientCert,
 283                                const gss_buffer_t privateKey);
 284
 285 OM_uint32
 286 gssEapSetCredService(OM_uint32 *minor,
 287                      gss_cred_id_t cred,
 288                      gss_const_name_t target);
 289
 290 OM_uint32
 291 gssEapResolveInitiatorCred(OM_uint32 *minor,
 292                            const gss_cred_id_t cred,
 293                            gss_const_name_t target,
 294                            gss_cred_id_t *resolvedCred);
 295
 296 int gssEapCredAvailable(gss_const_cred_id_t cred, gss_OID mech);
 297
 298 OM_uint32
 299 gssEapInquireCred(OM_uint32 *minor,
 300                   gss_cred_id_t cred,
 301                   gss_name_t *name,
 302                   OM_uint32 *pLifetime,
 303                   gss_cred_usage_t *cred_usage,
 304                   gss_OID_set *mechanisms);
 305
 306 /* util_crypt.c */
 307 int
 308 gssEapEncrypt(krb5_context context, int dce_style, size_t ec,
 309               size_t rrc,
 310 #ifdef HAVE_HEIMDAL_VERSION
 311               krb5_crypto crypto,
 312 #else
 313               krb5_keyblock *key,
 314 #endif
 315               int usage,
 316               gss_iov_buffer_desc *iov, int iov_count);
 317
 318 int
 319 gssEapDecrypt(krb5_context context, int dce_style, size_t ec,
 320               size_t rrc,
 321 #ifdef HAVE_HEIMDAL_VERSION
 322               krb5_crypto crypto,
 323 #else
 324               krb5_keyblock *key,
 325 #endif
 326               int usage,
 327               gss_iov_buffer_desc *iov, int iov_count);
 328
 329 int
 330 gssEapMapCryptoFlag(OM_uint32 type);
 331
 332 gss_iov_buffer_t
 333 gssEapLocateIov(gss_iov_buffer_desc *iov,
 334                 int iov_count,
 335                 OM_uint32 type);
 336
 337 gss_iov_buffer_t
 338 gssEapLocateHeaderIov(gss_iov_buffer_desc *iov,
 339                       int iov_count,
 340                       enum gss_eap_token_type toktype);
 341
 342 void
 343 gssEapIovMessageLength(gss_iov_buffer_desc *iov,
 344                        int iov_count,
 345                        size_t *data_length,
 346                        size_t *assoc_data_length);
 347
 348 void
 349 gssEapReleaseIov(gss_iov_buffer_desc *iov, int iov_count);
 350
 351 int
 352 gssEapIsIntegrityOnly(gss_iov_buffer_desc *iov, int iov_count);
 353
 354 int
 355 gssEapAllocIov(gss_iov_buffer_t iov, size_t size);
 356
 357 OM_uint32
 358 gssEapDeriveRfc3961Key(OM_uint32 *minor,
 359                        const unsigned char *key,
 360                        size_t keyLength,
 361                        krb5_enctype enctype,
 362                        krb5_keyblock *pKey);
 363
 364 /* util_krb.c */
 365
 366 #ifndef KRB_MALLOC
 367 /*
 368  * If your Kerberos library uses a different allocator to your
 369  * GSS mechanism glue, then you might wish to define these in
 370  * config.h or elsewhere. This should eventually go away when
 371  * we no longer need to allocate memory that is freed by the
 372  * Kerberos library.
 373  */
 374 #define KRB_CALLOC                      calloc
 375 #define KRB_MALLOC                      malloc
 376 #define KRB_FREE                        free
 377 #define KRB_REALLOC                     realloc
 378 #endif /* KRB_MALLOC */
 379
 380 #ifdef HAVE_HEIMDAL_VERSION
 381
 382 #include <der.h>
 383
 384 #define KRB_TIME_FOREVER        ((time_t)~0L)
 385
 386 #define KRB_KEY_TYPE(key)       ((key)->keytype)
 387 #define KRB_KEY_DATA(key)       ((key)->keyvalue.data)
 388 #define KRB_KEY_LENGTH(key)     ((key)->keyvalue.length)
 389
 390 #define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len)
 391 #define KRB_PRINC_TYPE(princ)   ((princ)->name.name_type)
 392 #define KRB_PRINC_NAME(princ)   ((princ)->name.name_string.val)
 393 #define KRB_PRINC_REALM(princ)  ((princ)->realm)
 394
 395 #define KRB_KT_ENT_KEYBLOCK(e)  (&(e)->keyblock)
 396 #define KRB_KT_ENT_FREE(c, e)   krb5_kt_free_entry((c), (e))
 397
 398 #define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto)
 399
 400 #define KRB_DATA_INIT(d)        krb5_data_zero((d))
 401
 402 #define KRB_CHECKSUM_TYPE(c)    ((c)->cksumtype)
 403 #define KRB_CHECKSUM_LENGTH(c)  ((c)->checksum.length)
 404 #define KRB_CHECKSUM_DATA(c)    ((c)->checksum.data)
 405
 406 #define KRB_CHECKSUM_INIT(cksum, type, d)      do { \
 407         (cksum)->cksumtype = (type);                \
 408         (cksum)->checksum.length = (d)->length;     \
 409         (cksum)->checksum.data = (d)->value;        \
 410     } while (0)
 411
 412 #define KRB_CHECKSUM_FREE(ctx, cksum)          do { \
 413         der_free_octet_string(&(cksum)->checksum);  \
 414         memset((cksum), 0, sizeof(*(cksum)));       \
 415     } while (0)
 416
 417 #else
 418
 419 #define KRB_TIME_FOREVER        KRB5_INT32_MAX
 420
 421 #define KRB_KEY_TYPE(key)       ((key)->enctype)
 422 #define KRB_KEY_DATA(key)       ((key)->contents)
 423 #define KRB_KEY_LENGTH(key)     ((key)->length)
 424
 425 #define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ)))
 426 #define KRB_PRINC_TYPE(princ)   (krb5_princ_type(NULL, (princ)))
 427 #define KRB_PRINC_NAME(princ)   (krb5_princ_name(NULL, (princ)))
 428 #define KRB_PRINC_REALM(princ)  (krb5_princ_realm(NULL, (princ)))
 429 #define KRB_PRINC_COMPONENT(princ, component) \
 430         (krb5_princ_component(NULL, (princ), (component)))
 431
 432 #define KRB_KT_ENT_KEYBLOCK(e)  (&(e)->key)
 433 #define KRB_KT_ENT_FREE(c, e)   krb5_free_keytab_entry_contents((c), (e))
 434
 435 #define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key)
 436
 437 #define KRB_DATA_INIT(d)        do {        \
 438         (d)->magic = KV5M_DATA;             \
 439         (d)->length = 0;                    \
 440         (d)->data = NULL;                   \
 441     } while (0)
 442
 443 #define KRB_CHECKSUM_TYPE(c)    ((c)->checksum_type)
 444 #define KRB_CHECKSUM_LENGTH(c)  ((c)->length)
 445 #define KRB_CHECKSUM_DATA(c)    ((c)->contents)
 446
 447 #define KRB_CHECKSUM_INIT(cksum, type, d)      do { \
 448         (cksum)->checksum_type = (type);            \
 449         (cksum)->length = (d)->length;              \
 450         (cksum)->contents = (d)->value;             \
 451     } while (0)
 452
 453 #define KRB_CHECKSUM_FREE(ctx, cksum) krb5_free_checksum_contents((ctx), (cksum))
 454
 455 #endif /* HAVE_HEIMDAL_VERSION */
 456
 457 #define KRB_KEY_INIT(key)       do {        \
 458         KRB_KEY_TYPE(key) = ENCTYPE_NULL;   \
 459         KRB_KEY_DATA(key) = NULL;           \
 460         KRB_KEY_LENGTH(key) = 0;            \
 461     } while (0)
 462
 463 #define GSSEAP_KRB_INIT(ctx) do {                   \
 464         OM_uint32 tmpMajor;                         \
 465                                                     \
 466         tmpMajor  = gssEapKerberosInit(minor, ctx); \
 467         if (GSS_ERROR(tmpMajor)) {                  \
 468             return tmpMajor;                        \
 469         }                                           \
 470     } while (0)
 471
 472 OM_uint32
 473 gssEapKerberosInit(OM_uint32 *minor, krb5_context *context);
 474
 475 OM_uint32
 476 rfc3961ChecksumTypeForKey(OM_uint32 *minor,
 477                           krb5_keyblock *key,
 478                           krb5_cksumtype *cksumtype);
 479
 480 krb5_error_code
 481 krbCryptoLength(krb5_context krbContext,
 482 #ifdef HAVE_HEIMDAL_VERSION
 483                 krb5_crypto krbCrypto,
 484 #else
 485                 const krb5_keyblock *key,
 486 #endif
 487                 int type,
 488                 size_t *length);
 489
 490 krb5_error_code
 491 krbPaddingLength(krb5_context krbContext,
 492 #ifdef HAVE_HEIMDAL_VERSION
 493                  krb5_crypto krbCrypto,
 494 #else
 495                  const krb5_keyblock *key,
 496 #endif
 497                  size_t dataLength,
 498                  size_t *padLength);
 499
 500 krb5_error_code
 501 krbBlockSize(krb5_context krbContext,
 502 #ifdef HAVE_HEIMDAL_VERSION
 503                  krb5_crypto krbCrypto,
 504 #else
 505                  const krb5_keyblock *key,
 506 #endif
 507                  size_t *blockSize);
 508
 509 krb5_error_code
 510 krbEnctypeToString(krb5_context krbContext,
 511                    krb5_enctype enctype,
 512                    const char *prefix,
 513                    gss_buffer_t string);
 514
 515 krb5_error_code
 516 krbMakeAuthDataKdcIssued(krb5_context context,
 517                          const krb5_keyblock *key,
 518                          krb5_const_principal issuer,
 519 #ifdef HAVE_HEIMDAL_VERSION
 520                          const AuthorizationData *authdata,
 521                          AuthorizationData *adKdcIssued
 522 #else
 523                          krb5_authdata *const *authdata,
 524                          krb5_authdata ***adKdcIssued
 525 #endif
 526                          );
 527
 528 krb5_error_code
 529 krbMakeCred(krb5_context context,
 530             krb5_auth_context authcontext,
 531             krb5_creds *creds,
 532             krb5_data *data);
 533
 534 /* util_lucid.c */
 535 OM_uint32
 536 gssEapExportLucidSecContext(OM_uint32 *minor,
 537                             gss_const_ctx_id_t ctx,
 538                             const gss_OID desiredObject,
 539                             gss_buffer_set_t *data_set);
 540
 541 /* util_mech.c */
 542 extern gss_OID GSS_EAP_MECHANISM;
 543
 544 #define OID_FLAG_NULL_VALID                 0x00000001
 545 #define OID_FLAG_FAMILY_MECH_VALID          0x00000002
 546 #define OID_FLAG_MAP_NULL_TO_DEFAULT_MECH   0x00000004
 547 #define OID_FLAG_MAP_FAMILY_MECH_TO_NULL    0x00000008
 548
 549 OM_uint32
 550 gssEapCanonicalizeOid(OM_uint32 *minor,
 551                       const gss_OID oid,
 552                       OM_uint32 flags,
 553                       gss_OID *pOid);
 554
 555 OM_uint32
 556 gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid);
 557
 558 OM_uint32
 559 gssEapDefaultMech(OM_uint32 *minor,
 560                   gss_OID *oid);
 561
 562 OM_uint32
 563 gssEapIndicateMechs(OM_uint32 *minor,
 564                     gss_OID_set *mechs);
 565
 566 OM_uint32
 567 gssEapEnctypeToOid(OM_uint32 *minor,
 568                    krb5_enctype enctype,
 569                    gss_OID *pOid);
 570
 571 OM_uint32
 572 gssEapOidToEnctype(OM_uint32 *minor,
 573                    const gss_OID oid,
 574                    krb5_enctype *enctype);
 575
 576 int
 577 gssEapIsMechanismOid(const gss_OID oid);
 578
 579 int
 580 gssEapIsConcreteMechanismOid(const gss_OID oid);
 581
 582 OM_uint32
 583 gssEapValidateMechs(OM_uint32 *minor,
 584                    const gss_OID_set mechs);
 585
 586 gss_buffer_t
 587 gssEapOidToSaslName(const gss_OID oid);
 588
 589 gss_OID
 590 gssEapSaslNameToOid(const gss_buffer_t name);
 591
 592 /* util_moonshot.c */
 593 OM_uint32
 594 libMoonshotResolveDefaultIdentity(OM_uint32 *minor,
 595                                   const gss_cred_id_t cred,
 596                                   gss_name_t *pName);
 597
 598 OM_uint32
 599 libMoonshotResolveInitiatorCred(OM_uint32 *minor,
 600                                 gss_cred_id_t cred,
 601                                 gss_const_name_t targetName);
 602
 603 /* util_name.c */
 604 #define EXPORT_NAME_FLAG_OID                    0x1
 605 #define EXPORT_NAME_FLAG_COMPOSITE              0x2
 606 #define EXPORT_NAME_FLAG_ALLOW_COMPOSITE        0x4
 607
 608 OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName);
 609 OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName);
 610 OM_uint32 gssEapExportName(OM_uint32 *minor,
 611                            gss_const_name_t name,
 612                            gss_buffer_t exportedName);
 613 OM_uint32 gssEapExportNameInternal(OM_uint32 *minor,
 614                                    gss_const_name_t name,
 615                                    gss_buffer_t exportedName,
 616                                    OM_uint32 flags);
 617 OM_uint32 gssEapImportName(OM_uint32 *minor,
 618                            const gss_buffer_t input_name_buffer,
 619                            const gss_OID input_name_type,
 620                            const gss_OID input_mech_type,
 621                            gss_name_t *output_name);
 622 OM_uint32 gssEapImportNameInternal(OM_uint32 *minor,
 623                                    const gss_buffer_t input_name_buffer,
 624                                    gss_name_t *output_name,
 625                                    OM_uint32 flags);
 626 OM_uint32
 627 gssEapDuplicateName(OM_uint32 *minor,
 628                     gss_const_name_t input_name,
 629                     gss_name_t *dest_name);
 630
 631 OM_uint32
 632 gssEapCanonicalizeName(OM_uint32 *minor,
 633                        gss_const_name_t input_name,
 634                        const gss_OID mech_type,
 635                        gss_name_t *dest_name);
 636
 637 OM_uint32
 638 gssEapDisplayName(OM_uint32 *minor,
 639                   gss_const_name_t name,
 640                   gss_buffer_t output_name_buffer,
 641                   gss_OID *output_name_type);
 642
 643 #define COMPARE_NAME_FLAG_IGNORE_EMPTY_REALMS   0x1
 644
 645 OM_uint32
 646 gssEapCompareName(OM_uint32 *minor,
 647                   gss_const_name_t name1,
 648                   gss_const_name_t name2,
 649                   OM_uint32 flags,
 650                   int *name_equal);
 651
 652 /* util_oid.c */
 653 OM_uint32
 654 composeOid(OM_uint32 *minor_status,
 655            const char *prefix,
 656            size_t prefix_len,
 657            int suffix,
 658            gss_OID_desc *oid);
 659
 660 OM_uint32
 661 decomposeOid(OM_uint32 *minor_status,
 662              const char *prefix,
 663              size_t prefix_len,
 664              gss_OID_desc *oid,
 665              int *suffix) ;
 666
 667 OM_uint32
 668 duplicateOid(OM_uint32 *minor_status,
 669              const gss_OID_desc * const oid,
 670              gss_OID *new_oid);
 671
 672 OM_uint32
 673 duplicateOidSet(OM_uint32 *minor,
 674                 const gss_OID_set src,
 675                 gss_OID_set *dst);
 676
 677 extern int
 678 oidEqual(const gss_OID_desc *o1, const gss_OID_desc *o2);
 679
 680 /* util_ordering.c */
 681 OM_uint32
 682 sequenceInternalize(OM_uint32 *minor,
 683                     void **vqueue,
 684                     unsigned char **buf,
 685                     size_t *lenremain);
 686
 687 OM_uint32
 688 sequenceExternalize(OM_uint32 *minor,
 689                     void *vqueue,
 690                     unsigned char **buf,
 691                     size_t *lenremain);
 692
 693 size_t
 694 sequenceSize(void *vqueue);
 695
 696 OM_uint32
 697 sequenceFree(OM_uint32 *minor, void **vqueue);
 698
 699 OM_uint32
 700 sequenceCheck(OM_uint32 *minor, void **vqueue, uint64_t seqnum);
 701
 702 OM_uint32
 703 sequenceInit(OM_uint32 *minor, void **vqueue, uint64_t seqnum,
 704              int do_replay, int do_sequence, int wide_nums);
 705
 706 /* util_sm.c */
 707 enum gss_eap_state {
 708     GSSEAP_STATE_INITIAL        = 0x01,     /* initial state */
 709     GSSEAP_STATE_AUTHENTICATE   = 0x02,     /* exchange EAP messages */
 710     GSSEAP_STATE_INITIATOR_EXTS = 0x04,     /* initiator extensions */
 711     GSSEAP_STATE_ACCEPTOR_EXTS  = 0x08,     /* acceptor extensions */
 712 #ifdef GSSEAP_ENABLE_REAUTH
 713     GSSEAP_STATE_REAUTHENTICATE = 0x10,     /* GSS reauthentication messages */
 714 #endif
 715     GSSEAP_STATE_ESTABLISHED    = 0x20,     /* context established */
 716     GSSEAP_STATE_ALL            = 0x3F
 717 };
 718
 719 #define GSSEAP_STATE_NEXT(s)    ((s) << 1)
 720
 721 #define GSSEAP_SM_STATE(ctx)                ((ctx)->state)
 722
 723 #ifdef GSSEAP_DEBUG
 724 void gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
 725 #define GSSEAP_SM_TRANSITION(ctx, state)    gssEapSmTransition((ctx), (state))
 726 #else
 727 #define GSSEAP_SM_TRANSITION(ctx, newstate)    do { (ctx)->state = (newstate); } while (0)
 728 #endif
 729
 730 #define GSSEAP_SM_TRANSITION_NEXT(ctx)      GSSEAP_SM_TRANSITION((ctx), GSSEAP_STATE_NEXT(GSSEAP_SM_STATE((ctx))))
 731
 732 /* state machine entry */
 733 struct gss_eap_sm {
 734     OM_uint32 inputTokenType;
 735     OM_uint32 outputTokenType;
 736     enum gss_eap_state validStates;
 737     OM_uint32 itokFlags;
 738     OM_uint32 (*processToken)(OM_uint32 *,
 739                               gss_cred_id_t,
 740                               gss_ctx_id_t,
 741                               gss_const_name_t,
 742                               gss_OID,
 743                               OM_uint32,
 744                               OM_uint32,
 745                               gss_channel_bindings_t,
 746                               gss_buffer_t,
 747                               gss_buffer_t,
 748                               OM_uint32 *);
 749 };
 750
 751 /* state machine flags, set by handler */
 752 #define SM_FLAG_FORCE_SEND_TOKEN            0x00000001  /* send token even if no inner tokens */
 753 #define SM_FLAG_OUTPUT_TOKEN_CRITICAL       0x00000002  /* output token is critical */
 754
 755 /* state machine flags, set by state machine */
 756 #define SM_FLAG_INPUT_TOKEN_CRITICAL        0x10000000  /* input token was critical */
 757
 758 #define SM_ITOK_FLAG_REQUIRED               0x00000001  /* received tokens must be present */
 759
 760 OM_uint32
 761 gssEapSmStep(OM_uint32 *minor,
 762              gss_cred_id_t cred,
 763              gss_ctx_id_t ctx,
 764              gss_const_name_t target,
 765              gss_OID mech,
 766              OM_uint32 reqFlags,
 767              OM_uint32 timeReq,
 768              gss_channel_bindings_t chanBindings,
 769              gss_buffer_t inputToken,
 770              gss_buffer_t outputToken,
 771              struct gss_eap_sm *sm,
 772              size_t smCount);
 773
 774 void
 775 gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
 776
 777 /* util_token.c */
 778 struct gss_eap_token_buffer_set {
 779     gss_buffer_set_desc buffers; /* pointers only */
 780     OM_uint32 *types;
 781 };
 782
 783 OM_uint32
 784 gssEapEncodeInnerTokens(OM_uint32 *minor,
 785                         struct gss_eap_token_buffer_set *tokens,
 786                         gss_buffer_t buffer);
 787 OM_uint32
 788 gssEapDecodeInnerTokens(OM_uint32 *minor,
 789                         const gss_buffer_t buffer,
 790                         struct gss_eap_token_buffer_set *tokens);
 791
 792 OM_uint32
 793 gssEapReleaseInnerTokens(OM_uint32 *minor,
 794                          struct gss_eap_token_buffer_set *tokens,
 795                          int freeBuffers);
 796
 797 OM_uint32
 798 gssEapAllocInnerTokens(OM_uint32 *minor,
 799                        size_t count,
 800                        struct gss_eap_token_buffer_set *tokens);
 801
 802 size_t
 803 tokenSize(const gss_OID_desc *mech, size_t body_size);
 804
 805 void
 806 makeTokenHeader(const gss_OID_desc *mech,
 807                 size_t body_size,
 808                 unsigned char **buf,
 809                 enum gss_eap_token_type tok_type);
 810
 811 OM_uint32
 812 verifyTokenHeader(OM_uint32 *minor,
 813                   gss_OID mech,
 814                   size_t *body_size,
 815                   unsigned char **buf_in,
 816                   size_t toksize_in,
 817                   enum gss_eap_token_type *ret_tok_type);
 818
 819 /* Helper macros */
 820 #ifndef GSSEAP_MALLOC
 821 #if _WIN32
 822 #include <gssapi/gssapi_alloc.h>
 823 #define GSSEAP_MALLOC                   gssalloc_malloc
 824 #define GSSEAP_CALLOC                   gssalloc_calloc
 825 #define GSSEAP_FREE                     gssalloc_free
 826 #define GSSEAP_REALLOC                  gssalloc_realloc
 827 #else
 828 #define GSSEAP_CALLOC                   calloc
 829 #define GSSEAP_MALLOC                   malloc
 830 #define GSSEAP_FREE                     free
 831 #define GSSEAP_REALLOC                  realloc
 832 #endif /* _WIN32 */
 833 #endif /* !GSSEAP_MALLOC */
 834
 835 #ifndef GSSAPI_CALLCONV
 836 #define GSSAPI_CALLCONV                 KRB5_CALLCONV
 837 #endif
 838
 839 #ifndef GSSEAP_ASSERT
 840 #include <assert.h>
 841 #define GSSEAP_ASSERT(x)                assert((x))
 842 #endif /* !GSSEAP_ASSERT */
 843
 844 #ifdef WIN32
 845 #define GSSEAP_CONSTRUCTOR
 846 #define GSSEAP_DESTRUCTOR
 847 #else
 848 #define GSSEAP_CONSTRUCTOR              __attribute__((constructor))
 849 #define GSSEAP_DESTRUCTOR               __attribute__((destructor))
 850 #endif
 851
 852 #define GSSEAP_NOT_IMPLEMENTED          do {            \
 853         GSSEAP_ASSERT(0 && "not implemented");          \
 854         *minor = ENOSYS;                                \
 855         return GSS_S_FAILURE;                           \
 856     } while (0)
 857
 858 #ifdef WIN32
 859
 860 #include <winbase.h>
 861
 862 #define GSSEAP_GET_LAST_ERROR()         (GetLastError()) /* XXX FIXME */
 863
 864 #define GSSEAP_MUTEX                    CRITICAL_SECTION
 865 #define GSSEAP_MUTEX_INIT(m)            (InitializeCriticalSection((m)), 0)
 866 #define GSSEAP_MUTEX_DESTROY(m)         DeleteCriticalSection((m))
 867 #define GSSEAP_MUTEX_LOCK(m)            EnterCriticalSection((m))
 868 #define GSSEAP_MUTEX_UNLOCK(m)          LeaveCriticalSection((m))
 869 #define GSSEAP_ONCE_LEAVE               do { return TRUE; } while (0)
 870
 871 /* Thread-local is handled separately */
 872
 873 #define GSSEAP_THREAD_ONCE              INIT_ONCE
 874 #define GSSEAP_ONCE_CALLBACK(cb)        BOOL CALLBACK cb(PINIT_ONCE InitOnce, PVOID Parameter, PVOID *Context)
 875 #define GSSEAP_ONCE(o, i)               InitOnceExecuteOnce((o), (i), NULL, NULL)
 876 #define GSSEAP_ONCE_INITIALIZER         INIT_ONCE_STATIC_INIT
 877
 878 #else
 879
 880 #include <pthread.h>
 881
 882 #define GSSEAP_GET_LAST_ERROR()         (errno)
 883
 884 #define GSSEAP_MUTEX                    pthread_mutex_t
 885 #define GSSEAP_MUTEX_INIT(m)            pthread_mutex_init((m), NULL)
 886 #define GSSEAP_MUTEX_DESTROY(m)         pthread_mutex_destroy((m))
 887 #define GSSEAP_MUTEX_LOCK(m)            pthread_mutex_lock((m))
 888 #define GSSEAP_MUTEX_UNLOCK(m)          pthread_mutex_unlock((m))
 889
 890 #define GSSEAP_THREAD_KEY               pthread_key_t
 891 #define GSSEAP_KEY_CREATE(k, d)         pthread_key_create((k), (d))
 892 #define GSSEAP_GETSPECIFIC(k)           pthread_getspecific((k))
 893 #define GSSEAP_SETSPECIFIC(k, d)        pthread_setspecific((k), (d))
 894
 895 #define GSSEAP_THREAD_ONCE              pthread_once_t
 896 #define GSSEAP_ONCE_CALLBACK(cb)        void cb(void)
 897 #define GSSEAP_ONCE(o, i)               pthread_once((o), (i))
 898 #define GSSEAP_ONCE_INITIALIZER         PTHREAD_ONCE_INIT
 899 #define GSSEAP_ONCE_LEAVE               do { } while (0)
 900
 901 #endif /* WIN32 */
 902
 903 /* Helper functions */
 904 static inline void
 905 store_uint16_be(uint16_t val, void *vp)
 906 {
 907     unsigned char *p = (unsigned char *)vp;
 908
 909     p[0] = (val >>  8) & 0xff;
 910     p[1] = (val      ) & 0xff;
 911 }
 912
 913 static inline uint16_t
 914 load_uint16_be(const void *cvp)
 915 {
 916     const unsigned char *p = (const unsigned char *)cvp;
 917
 918     return (p[1] | (p[0] << 8));
 919 }
 920
 921 static inline void
 922 store_uint32_be(uint32_t val, void *vp)
 923 {
 924     unsigned char *p = (unsigned char *)vp;
 925
 926     p[0] = (val >> 24) & 0xff;
 927     p[1] = (val >> 16) & 0xff;
 928     p[2] = (val >>  8) & 0xff;
 929     p[3] = (val      ) & 0xff;
 930 }
 931
 932 static inline uint32_t
 933 load_uint32_be(const void *cvp)
 934 {
 935     const unsigned char *p = (const unsigned char *)cvp;
 936
 937     return (p[3] | (p[2] << 8)
 938             | ((uint32_t) p[1] << 16)
 939             | ((uint32_t) p[0] << 24));
 940 }
 941
 942 static inline void
 943 store_uint64_be(uint64_t val, void *vp)
 944 {
 945     unsigned char *p = (unsigned char *)vp;
 946
 947     p[0] = (unsigned char)((val >> 56) & 0xff);
 948     p[1] = (unsigned char)((val >> 48) & 0xff);
 949     p[2] = (unsigned char)((val >> 40) & 0xff);
 950     p[3] = (unsigned char)((val >> 32) & 0xff);
 951     p[4] = (unsigned char)((val >> 24) & 0xff);
 952     p[5] = (unsigned char)((val >> 16) & 0xff);
 953     p[6] = (unsigned char)((val >>  8) & 0xff);
 954     p[7] = (unsigned char)((val      ) & 0xff);
 955 }
 956
 957 static inline uint64_t
 958 load_uint64_be(const void *cvp)
 959 {
 960     const unsigned char *p = (const unsigned char *)cvp;
 961
 962     return ((uint64_t)load_uint32_be(p) << 32) | load_uint32_be(p + 4);
 963 }
 964
 965 static inline unsigned char *
 966 store_buffer(gss_buffer_t buffer, void *vp, int wide_nums)
 967 {
 968     unsigned char *p = (unsigned char *)vp;
 969
 970     if (wide_nums) {
 971         store_uint64_be(buffer->length, p);
 972         p += 8;
 973     } else {
 974         store_uint32_be(buffer->length, p);
 975         p += 4;
 976     }
 977
 978     if (buffer->value != NULL) {
 979         memcpy(p, buffer->value, buffer->length);
 980         p += buffer->length;
 981     }
 982
 983     return p;
 984 }
 985
 986 static inline unsigned char *
 987 load_buffer(const void *cvp, size_t length, gss_buffer_t buffer)
 988 {
 989     buffer->length = 0;
 990     buffer->value = GSSEAP_MALLOC(length);
 991     if (buffer->value == NULL)
 992         return NULL;
 993     buffer->length = length;
 994     memcpy(buffer->value, cvp, length);
 995     return (unsigned char *)cvp + length;
 996 }
 997
 998 static inline unsigned char *
 999 store_oid(gss_OID oid, void *vp)
1000 {
1001     gss_buffer_desc buf;
1002
1003     if (oid != GSS_C_NO_OID) {
1004         buf.length = oid->length;
1005         buf.value = oid->elements;
1006     } else {
1007         buf.length = 0;
1008         buf.value = NULL;
1009     }
1010
1011     return store_buffer(&buf, vp, FALSE);
1012 }
1013
1014 static inline void
1015 krbDataToGssBuffer(krb5_data *data, gss_buffer_t buffer)
1016 {
1017     buffer->value = (void *)data->data;
1018     buffer->length = data->length;
1019 }
1020
1021 static inline void
1022 krbPrincComponentToGssBuffer(krb5_principal krbPrinc,
1023                              int index, gss_buffer_t buffer)
1024 {
1025     if (KRB_PRINC_LENGTH(krbPrinc) <= index) {
1026         buffer->value = NULL;
1027         buffer->length = 0;
1028     } else {
1029 #ifdef HAVE_HEIMDAL_VERSION
1030         buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index];
1031         buffer->length = strlen((char *)buffer->value);
1032 #else
1033         buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data;
1034         buffer->length = krb5_princ_component(NULL, krbPrinc, index)->length;
1035 #endif /* HAVE_HEIMDAL_VERSION */
1036     }
1037 }
1038
1039 static inline krb5_error_code
1040 krbPrincUnparseServiceSpecifics(krb5_context krbContext, krb5_principal krbPrinc,
1041                                 gss_buffer_t nameBuf)
1042 {
1043     krb5_error_code result = 0;
1044     if (KRB_PRINC_LENGTH(krbPrinc) > 2) {
1045         /* Acceptor-Service-Specific */
1046         krb5_principal_data ssiPrinc = *krbPrinc;
1047         char *ssi;
1048
1049         KRB_PRINC_LENGTH(&ssiPrinc) -= 2;
1050         KRB_PRINC_NAME(&ssiPrinc) += 2;
1051
1052         result = krb5_unparse_name_flags(krbContext, &ssiPrinc,
1053                                          KRB5_PRINCIPAL_UNPARSE_NO_REALM, &ssi);
1054         if (result != 0)
1055             return result;
1056
1057         nameBuf->value = ssi;
1058         nameBuf->length = strlen(ssi);
1059     } else {
1060         nameBuf->value = NULL;
1061         nameBuf->length = 0;
1062     }
1063
1064     return result;
1065 }
1066
1067 static inline void
1068 krbFreeUnparsedName(krb5_context krbContext GSSEAP_UNUSED, gss_buffer_t nameBuf)
1069 {
1070 #ifdef HAVE_HEIMDAL_VERSION
1071     krb5_xfree((char *) nameBuf->value);
1072 #else
1073     krb5_free_unparsed_name(krbContext, (char *)(nameBuf->value));
1074 #endif
1075     nameBuf->value = NULL;
1076     nameBuf->length = 0;
1077 }
1078
1079 static inline void
1080 krbPrincRealmToGssBuffer(krb5_principal krbPrinc, gss_buffer_t buffer)
1081 {
1082 #ifdef HAVE_HEIMDAL_VERSION
1083     buffer->value = (void *)KRB_PRINC_REALM(krbPrinc);
1084     buffer->length = strlen((char *)buffer->value);
1085 #else
1086     krbDataToGssBuffer(KRB_PRINC_REALM(krbPrinc), buffer);
1087 #endif
1088 }
1089
1090 static inline void
1091 gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data)
1092 {
1093     data->data = (char *)buffer->value;
1094     data->length = buffer->length;
1095 }
1096
1097 /* util_tld.c */
1098 struct gss_eap_status_info;
1099
1100 struct gss_eap_thread_local_data {
1101     krb5_context krbContext;
1102     struct gss_eap_status_info *statusInfo;
1103 };
1104
1105 struct gss_eap_thread_local_data *
1106 gssEapGetThreadLocalData(void);
1107
1108 void
1109 gssEapDestroyStatusInfo(struct gss_eap_status_info *status);
1110
1111 void
1112 gssEapDestroyKrbContext(krb5_context context);
1113
1114 #ifdef __cplusplus
1115 }
1116 #endif
1117
1118 #ifdef GSSEAP_ENABLE_ACCEPTOR
1119 #include "util_json.h"
1120 #include "util_attr.h"
1121 #include "util_base64.h"
1122 #endif /* GSSEAP_ENABLE_ACCEPTOR */
1123 #ifdef GSSEAP_ENABLE_REAUTH
1124 #include "util_reauth.h"
1125 #endif
1126
1127 #endif /* _UTIL_H_ */