2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Portions Copyright 2003-2010 Massachusetts Institute of Technology.
34 * All Rights Reserved.
36 * Export of this software from the United States of America may
37 * require a specific license from the United States Government.
38 * It is the responsibility of any person or organization contemplating
39 * export to obtain such a license before exporting.
41 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
42 * distribute this software and its documentation for any purpose and
43 * without fee is hereby granted, provided that the above copyright
44 * notice appear in all copies and that both that copyright notice and
45 * this permission notice appear in supporting documentation, and that
46 * the name of M.I.T. not be used in advertising or publicity pertaining
47 * to distribution of the software without specific, written prior
48 * permission. Furthermore if you modify this software you must label
49 * your software as modified software and not distribute it in such a
50 * fashion that it might be confused with the original M.I.T. software.
51 * M.I.T. makes no representations about the suitability of
52 * this software for any purpose. It is provided "as is" without express
53 * or implied warranty.
64 #ifdef HAVE_SYS_PARAM_H
65 #include <sys/param.h>
74 #ifndef HAVE_HEIMDAL_VERSION
75 #include "gssapi_headerfix.h"
80 # define inline __inline
82 #define snprintf _snprintf
90 #define MIN(_a,_b) ((_a)<(_b)?(_a):(_b))
93 #if !defined(WIN32) && !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
94 #define GSSEAP_UNUSED __attribute__ ((__unused__))
101 makeStringBuffer(OM_uint32 *minor,
103 gss_buffer_t buffer);
105 #define makeStringBufferOrCleanup(src, dst) \
107 major = makeStringBuffer((minor), (src), (dst));\
108 if (GSS_ERROR(major)) \
113 bufferToString(OM_uint32 *minor,
114 const gss_buffer_t buffer,
118 duplicateBuffer(OM_uint32 *minor,
119 const gss_buffer_t src,
122 #define duplicateBufferOrCleanup(src, dst) \
124 major = duplicateBuffer((minor), (src), (dst)); \
125 if (GSS_ERROR(major)) \
130 bufferEqual(const gss_buffer_t b1, const gss_buffer_t b2)
132 return (b1->length == b2->length &&
133 memcmp(b1->value, b2->value, b2->length) == 0);
137 bufferEqualString(const gss_buffer_t b1, const char *s)
141 b2.length = strlen(s);
142 b2.value = (char *)s;
144 return bufferEqual(b1, &b2);
148 enum gss_eap_token_type {
149 TOK_TYPE_NONE = 0x0000, /* no token */
150 TOK_TYPE_MIC = 0x0404, /* RFC 4121 MIC token */
151 TOK_TYPE_WRAP = 0x0504, /* RFC 4121 wrap token */
152 TOK_TYPE_EXPORT_NAME = 0x0401, /* RFC 2743 exported name */
153 TOK_TYPE_EXPORT_NAME_COMPOSITE = 0x0402, /* exported composite name */
154 TOK_TYPE_DELETE_CONTEXT = 0x0405, /* RFC 2743 delete context */
155 TOK_TYPE_INITIATOR_CONTEXT = 0x0601, /* initiator-sent context token */
156 TOK_TYPE_ACCEPTOR_CONTEXT = 0x0602, /* acceptor-sent context token */
160 gssEapSign(krb5_context context,
163 #ifdef HAVE_HEIMDAL_VERSION
168 krb5_keyusage sign_usage,
169 gss_iov_buffer_desc *iov,
171 enum gss_eap_token_type toktype);
174 gssEapVerify(krb5_context context,
177 #ifdef HAVE_HEIMDAL_VERSION
182 krb5_keyusage sign_usage,
183 gss_iov_buffer_desc *iov,
185 enum gss_eap_token_type toktype,
190 gssEapEncodeGssChannelBindings(OM_uint32 *minor,
191 gss_channel_bindings_t chanBindings,
192 gss_buffer_t encodedBindings);
196 #define EAP_EXPORT_CONTEXT_V1 1
198 /* inner token types and flags */
199 #define ITOK_TYPE_NONE 0x00000000
200 #define ITOK_TYPE_CONTEXT_ERR 0x00000001 /* critical */
201 #define ITOK_TYPE_ACCEPTOR_NAME_REQ 0x00000002 /* TBD */
202 #define ITOK_TYPE_ACCEPTOR_NAME_RESP 0x00000003 /* TBD */
203 #define ITOK_TYPE_EAP_RESP 0x00000004 /* critical, required, if not reauth */
204 #define ITOK_TYPE_EAP_REQ 0x00000005 /* critical, required, if not reauth */
205 #define ITOK_TYPE_GSS_CHANNEL_BINDINGS 0x00000006 /* critical, required, if not reauth */
206 #define ITOK_TYPE_REAUTH_CREDS 0x00000007 /* optional */
207 #define ITOK_TYPE_REAUTH_REQ 0x00000008 /* optional */
208 #define ITOK_TYPE_REAUTH_RESP 0x00000009 /* optional */
209 #define ITOK_TYPE_VERSION_INFO 0x0000000A /* optional */
210 #define ITOK_TYPE_VENDOR_INFO 0x0000000B /* optional */
211 #define ITOK_TYPE_GSS_FLAGS 0x0000000C /* optional */
212 #define ITOK_TYPE_INITIATOR_MIC 0x0000000D /* critical, required, if not reauth */
213 #define ITOK_TYPE_ACCEPTOR_MIC 0x0000000E /* TBD */
215 #define ITOK_FLAG_CRITICAL 0x80000000 /* critical, wire flag */
216 #define ITOK_FLAG_VERIFIED 0x40000000 /* verified, API flag */
218 #define ITOK_TYPE_MASK (~(ITOK_FLAG_CRITICAL | ITOK_FLAG_VERIFIED))
220 #define GSSEAP_WIRE_FLAGS_MASK ( GSS_C_MUTUAL_FLAG | \
222 GSS_C_IDENTIFY_FLAG | \
223 GSS_C_EXTENDED_ERROR_FLAG )
225 OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
226 OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
229 gssEapMakeToken(OM_uint32 *minor,
231 const gss_buffer_t innerToken,
232 enum gss_eap_token_type tokenType,
233 gss_buffer_t outputToken);
236 gssEapVerifyToken(OM_uint32 *minor,
238 const gss_buffer_t inputToken,
239 enum gss_eap_token_type *tokenType,
240 gss_buffer_t innerInputToken);
243 gssEapContextTime(OM_uint32 *minor,
244 gss_const_ctx_id_t context_handle,
245 OM_uint32 *time_rec);
248 gssEapMakeTokenMIC(OM_uint32 *minor,
250 gss_buffer_t tokenMIC);
253 gssEapVerifyTokenMIC(OM_uint32 *minor,
255 const gss_buffer_t tokenMIC);
258 OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
259 OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
262 gssEapPrimaryMechForCred(gss_cred_id_t cred);
265 gssEapAcquireCred(OM_uint32 *minor,
266 gss_const_name_t desiredName,
268 const gss_OID_set desiredMechs,
270 gss_cred_id_t *pCred,
271 gss_OID_set *pActualMechs,
275 gssEapSetCredPassword(OM_uint32 *minor,
277 const gss_buffer_t password);
280 gssEapSetCredClientCertificate(OM_uint32 *minor,
282 const gss_buffer_t clientCert,
283 const gss_buffer_t privateKey);
286 gssEapSetCredService(OM_uint32 *minor,
288 gss_const_name_t target);
291 gssEapResolveInitiatorCred(OM_uint32 *minor,
292 const gss_cred_id_t cred,
293 gss_const_name_t target,
294 gss_cred_id_t *resolvedCred);
296 int gssEapCredAvailable(gss_const_cred_id_t cred, gss_OID mech);
299 gssEapInquireCred(OM_uint32 *minor,
302 OM_uint32 *pLifetime,
303 gss_cred_usage_t *cred_usage,
304 gss_OID_set *mechanisms);
308 gssEapEncrypt(krb5_context context, int dce_style, size_t ec,
310 #ifdef HAVE_HEIMDAL_VERSION
316 gss_iov_buffer_desc *iov, int iov_count);
319 gssEapDecrypt(krb5_context context, int dce_style, size_t ec,
321 #ifdef HAVE_HEIMDAL_VERSION
327 gss_iov_buffer_desc *iov, int iov_count);
330 gssEapMapCryptoFlag(OM_uint32 type);
333 gssEapLocateIov(gss_iov_buffer_desc *iov,
338 gssEapLocateHeaderIov(gss_iov_buffer_desc *iov,
340 enum gss_eap_token_type toktype);
343 gssEapIovMessageLength(gss_iov_buffer_desc *iov,
346 size_t *assoc_data_length);
349 gssEapReleaseIov(gss_iov_buffer_desc *iov, int iov_count);
352 gssEapIsIntegrityOnly(gss_iov_buffer_desc *iov, int iov_count);
355 gssEapAllocIov(gss_iov_buffer_t iov, size_t size);
358 gssEapDeriveRfc3961Key(OM_uint32 *minor,
359 const unsigned char *key,
361 krb5_enctype enctype,
362 krb5_keyblock *pKey);
368 * If your Kerberos library uses a different allocator to your
369 * GSS mechanism glue, then you might wish to define these in
370 * config.h or elsewhere. This should eventually go away when
371 * we no longer need to allocate memory that is freed by the
374 #define KRB_CALLOC calloc
375 #define KRB_MALLOC malloc
376 #define KRB_FREE free
377 #define KRB_REALLOC realloc
378 #endif /* KRB_MALLOC */
380 #ifdef HAVE_HEIMDAL_VERSION
384 #define KRB_TIME_FOREVER ((time_t)~0L)
386 #define KRB_KEY_TYPE(key) ((key)->keytype)
387 #define KRB_KEY_DATA(key) ((key)->keyvalue.data)
388 #define KRB_KEY_LENGTH(key) ((key)->keyvalue.length)
390 #define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len)
391 #define KRB_PRINC_TYPE(princ) ((princ)->name.name_type)
392 #define KRB_PRINC_NAME(princ) ((princ)->name.name_string.val)
393 #define KRB_PRINC_REALM(princ) ((princ)->realm)
395 #define KRB_KT_ENT_KEYBLOCK(e) (&(e)->keyblock)
396 #define KRB_KT_ENT_FREE(c, e) krb5_kt_free_entry((c), (e))
398 #define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto)
400 #define KRB_DATA_INIT(d) krb5_data_zero((d))
402 #define KRB_CHECKSUM_TYPE(c) ((c)->cksumtype)
403 #define KRB_CHECKSUM_LENGTH(c) ((c)->checksum.length)
404 #define KRB_CHECKSUM_DATA(c) ((c)->checksum.data)
406 #define KRB_CHECKSUM_INIT(cksum, type, d) do { \
407 (cksum)->cksumtype = (type); \
408 (cksum)->checksum.length = (d)->length; \
409 (cksum)->checksum.data = (d)->value; \
412 #define KRB_CHECKSUM_FREE(ctx, cksum) do { \
413 der_free_octet_string(&(cksum)->checksum); \
414 memset((cksum), 0, sizeof(*(cksum))); \
419 #define KRB_TIME_FOREVER KRB5_INT32_MAX
421 #define KRB_KEY_TYPE(key) ((key)->enctype)
422 #define KRB_KEY_DATA(key) ((key)->contents)
423 #define KRB_KEY_LENGTH(key) ((key)->length)
425 #define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ)))
426 #define KRB_PRINC_TYPE(princ) (krb5_princ_type(NULL, (princ)))
427 #define KRB_PRINC_NAME(princ) (krb5_princ_name(NULL, (princ)))
428 #define KRB_PRINC_REALM(princ) (krb5_princ_realm(NULL, (princ)))
429 #define KRB_PRINC_COMPONENT(princ, component) \
430 (krb5_princ_component(NULL, (princ), (component)))
432 #define KRB_KT_ENT_KEYBLOCK(e) (&(e)->key)
433 #define KRB_KT_ENT_FREE(c, e) krb5_free_keytab_entry_contents((c), (e))
435 #define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key)
437 #define KRB_DATA_INIT(d) do { \
438 (d)->magic = KV5M_DATA; \
443 #define KRB_CHECKSUM_TYPE(c) ((c)->checksum_type)
444 #define KRB_CHECKSUM_LENGTH(c) ((c)->length)
445 #define KRB_CHECKSUM_DATA(c) ((c)->contents)
447 #define KRB_CHECKSUM_INIT(cksum, type, d) do { \
448 (cksum)->checksum_type = (type); \
449 (cksum)->length = (d)->length; \
450 (cksum)->contents = (d)->value; \
453 #define KRB_CHECKSUM_FREE(ctx, cksum) krb5_free_checksum_contents((ctx), (cksum))
455 #endif /* HAVE_HEIMDAL_VERSION */
457 #define KRB_KEY_INIT(key) do { \
458 KRB_KEY_TYPE(key) = ENCTYPE_NULL; \
459 KRB_KEY_DATA(key) = NULL; \
460 KRB_KEY_LENGTH(key) = 0; \
463 #define GSSEAP_KRB_INIT(ctx) do { \
464 OM_uint32 tmpMajor; \
466 tmpMajor = gssEapKerberosInit(minor, ctx); \
467 if (GSS_ERROR(tmpMajor)) { \
473 gssEapKerberosInit(OM_uint32 *minor, krb5_context *context);
476 rfc3961ChecksumTypeForKey(OM_uint32 *minor,
478 krb5_cksumtype *cksumtype);
481 krbCryptoLength(krb5_context krbContext,
482 #ifdef HAVE_HEIMDAL_VERSION
483 krb5_crypto krbCrypto,
485 const krb5_keyblock *key,
491 krbPaddingLength(krb5_context krbContext,
492 #ifdef HAVE_HEIMDAL_VERSION
493 krb5_crypto krbCrypto,
495 const krb5_keyblock *key,
501 krbBlockSize(krb5_context krbContext,
502 #ifdef HAVE_HEIMDAL_VERSION
503 krb5_crypto krbCrypto,
505 const krb5_keyblock *key,
510 krbEnctypeToString(krb5_context krbContext,
511 krb5_enctype enctype,
513 gss_buffer_t string);
516 krbMakeAuthDataKdcIssued(krb5_context context,
517 const krb5_keyblock *key,
518 krb5_const_principal issuer,
519 #ifdef HAVE_HEIMDAL_VERSION
520 const AuthorizationData *authdata,
521 AuthorizationData *adKdcIssued
523 krb5_authdata *const *authdata,
524 krb5_authdata ***adKdcIssued
529 krbMakeCred(krb5_context context,
530 krb5_auth_context authcontext,
536 gssEapExportLucidSecContext(OM_uint32 *minor,
537 gss_const_ctx_id_t ctx,
538 const gss_OID desiredObject,
539 gss_buffer_set_t *data_set);
542 extern gss_OID GSS_EAP_MECHANISM;
544 #define OID_FLAG_NULL_VALID 0x00000001
545 #define OID_FLAG_FAMILY_MECH_VALID 0x00000002
546 #define OID_FLAG_MAP_NULL_TO_DEFAULT_MECH 0x00000004
547 #define OID_FLAG_MAP_FAMILY_MECH_TO_NULL 0x00000008
550 gssEapCanonicalizeOid(OM_uint32 *minor,
556 gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid);
559 gssEapDefaultMech(OM_uint32 *minor,
563 gssEapIndicateMechs(OM_uint32 *minor,
567 gssEapEnctypeToOid(OM_uint32 *minor,
568 krb5_enctype enctype,
572 gssEapOidToEnctype(OM_uint32 *minor,
574 krb5_enctype *enctype);
577 gssEapIsMechanismOid(const gss_OID oid);
580 gssEapIsConcreteMechanismOid(const gss_OID oid);
583 gssEapValidateMechs(OM_uint32 *minor,
584 const gss_OID_set mechs);
587 gssEapOidToSaslName(const gss_OID oid);
590 gssEapSaslNameToOid(const gss_buffer_t name);
592 /* util_moonshot.c */
594 libMoonshotResolveDefaultIdentity(OM_uint32 *minor,
595 const gss_cred_id_t cred,
599 libMoonshotResolveInitiatorCred(OM_uint32 *minor,
601 gss_const_name_t targetName);
604 #define EXPORT_NAME_FLAG_OID 0x1
605 #define EXPORT_NAME_FLAG_COMPOSITE 0x2
606 #define EXPORT_NAME_FLAG_ALLOW_COMPOSITE 0x4
608 OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName);
609 OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName);
610 OM_uint32 gssEapExportName(OM_uint32 *minor,
611 gss_const_name_t name,
612 gss_buffer_t exportedName);
613 OM_uint32 gssEapExportNameInternal(OM_uint32 *minor,
614 gss_const_name_t name,
615 gss_buffer_t exportedName,
617 OM_uint32 gssEapImportName(OM_uint32 *minor,
618 const gss_buffer_t input_name_buffer,
619 const gss_OID input_name_type,
620 const gss_OID input_mech_type,
621 gss_name_t *output_name);
622 OM_uint32 gssEapImportNameInternal(OM_uint32 *minor,
623 const gss_buffer_t input_name_buffer,
624 gss_name_t *output_name,
627 gssEapDuplicateName(OM_uint32 *minor,
628 gss_const_name_t input_name,
629 gss_name_t *dest_name);
632 gssEapCanonicalizeName(OM_uint32 *minor,
633 gss_const_name_t input_name,
634 const gss_OID mech_type,
635 gss_name_t *dest_name);
638 gssEapDisplayName(OM_uint32 *minor,
639 gss_const_name_t name,
640 gss_buffer_t output_name_buffer,
641 gss_OID *output_name_type);
643 #define COMPARE_NAME_FLAG_IGNORE_EMPTY_REALMS 0x1
646 gssEapCompareName(OM_uint32 *minor,
647 gss_const_name_t name1,
648 gss_const_name_t name2,
654 composeOid(OM_uint32 *minor_status,
661 decomposeOid(OM_uint32 *minor_status,
668 duplicateOid(OM_uint32 *minor_status,
669 const gss_OID_desc * const oid,
673 duplicateOidSet(OM_uint32 *minor,
674 const gss_OID_set src,
678 oidEqual(const gss_OID_desc *o1, const gss_OID_desc *o2);
680 /* util_ordering.c */
682 sequenceInternalize(OM_uint32 *minor,
688 sequenceExternalize(OM_uint32 *minor,
694 sequenceSize(void *vqueue);
697 sequenceFree(OM_uint32 *minor, void **vqueue);
700 sequenceCheck(OM_uint32 *minor, void **vqueue, uint64_t seqnum);
703 sequenceInit(OM_uint32 *minor, void **vqueue, uint64_t seqnum,
704 int do_replay, int do_sequence, int wide_nums);
708 GSSEAP_STATE_INITIAL = 0x01, /* initial state */
709 GSSEAP_STATE_AUTHENTICATE = 0x02, /* exchange EAP messages */
710 GSSEAP_STATE_INITIATOR_EXTS = 0x04, /* initiator extensions */
711 GSSEAP_STATE_ACCEPTOR_EXTS = 0x08, /* acceptor extensions */
712 #ifdef GSSEAP_ENABLE_REAUTH
713 GSSEAP_STATE_REAUTHENTICATE = 0x10, /* GSS reauthentication messages */
715 GSSEAP_STATE_ESTABLISHED = 0x20, /* context established */
716 GSSEAP_STATE_ALL = 0x3F
719 #define GSSEAP_STATE_NEXT(s) ((s) << 1)
721 #define GSSEAP_SM_STATE(ctx) ((ctx)->state)
724 void gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
725 #define GSSEAP_SM_TRANSITION(ctx, state) gssEapSmTransition((ctx), (state))
727 #define GSSEAP_SM_TRANSITION(ctx, newstate) do { (ctx)->state = (newstate); } while (0)
730 #define GSSEAP_SM_TRANSITION_NEXT(ctx) GSSEAP_SM_TRANSITION((ctx), GSSEAP_STATE_NEXT(GSSEAP_SM_STATE((ctx))))
732 /* state machine entry */
734 OM_uint32 inputTokenType;
735 OM_uint32 outputTokenType;
736 enum gss_eap_state validStates;
738 OM_uint32 (*processToken)(OM_uint32 *,
745 gss_channel_bindings_t,
751 /* state machine flags, set by handler */
752 #define SM_FLAG_FORCE_SEND_TOKEN 0x00000001 /* send token even if no inner tokens */
753 #define SM_FLAG_OUTPUT_TOKEN_CRITICAL 0x00000002 /* output token is critical */
755 /* state machine flags, set by state machine */
756 #define SM_FLAG_INPUT_TOKEN_CRITICAL 0x10000000 /* input token was critical */
758 #define SM_ITOK_FLAG_REQUIRED 0x00000001 /* received tokens must be present */
761 gssEapSmStep(OM_uint32 *minor,
764 gss_const_name_t target,
768 gss_channel_bindings_t chanBindings,
769 gss_buffer_t inputToken,
770 gss_buffer_t outputToken,
771 struct gss_eap_sm *sm,
775 gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
778 struct gss_eap_token_buffer_set {
779 gss_buffer_set_desc buffers; /* pointers only */
784 gssEapEncodeInnerTokens(OM_uint32 *minor,
785 struct gss_eap_token_buffer_set *tokens,
786 gss_buffer_t buffer);
788 gssEapDecodeInnerTokens(OM_uint32 *minor,
789 const gss_buffer_t buffer,
790 struct gss_eap_token_buffer_set *tokens);
793 gssEapReleaseInnerTokens(OM_uint32 *minor,
794 struct gss_eap_token_buffer_set *tokens,
798 gssEapAllocInnerTokens(OM_uint32 *minor,
800 struct gss_eap_token_buffer_set *tokens);
803 tokenSize(const gss_OID_desc *mech, size_t body_size);
806 makeTokenHeader(const gss_OID_desc *mech,
809 enum gss_eap_token_type tok_type);
812 verifyTokenHeader(OM_uint32 *minor,
815 unsigned char **buf_in,
817 enum gss_eap_token_type *ret_tok_type);
820 #ifndef GSSEAP_MALLOC
822 #include <gssapi/gssapi_alloc.h>
823 #define GSSEAP_MALLOC gssalloc_malloc
824 #define GSSEAP_CALLOC gssalloc_calloc
825 #define GSSEAP_FREE gssalloc_free
826 #define GSSEAP_REALLOC gssalloc_realloc
828 #define GSSEAP_CALLOC calloc
829 #define GSSEAP_MALLOC malloc
830 #define GSSEAP_FREE free
831 #define GSSEAP_REALLOC realloc
833 #endif /* !GSSEAP_MALLOC */
835 #ifndef GSSAPI_CALLCONV
836 #define GSSAPI_CALLCONV KRB5_CALLCONV
839 #ifndef GSSEAP_ASSERT
841 #define GSSEAP_ASSERT(x) assert((x))
842 #endif /* !GSSEAP_ASSERT */
845 #define GSSEAP_CONSTRUCTOR
846 #define GSSEAP_DESTRUCTOR
848 #define GSSEAP_CONSTRUCTOR __attribute__((constructor))
849 #define GSSEAP_DESTRUCTOR __attribute__((destructor))
852 #define GSSEAP_NOT_IMPLEMENTED do { \
853 GSSEAP_ASSERT(0 && "not implemented"); \
855 return GSS_S_FAILURE; \
862 #define GSSEAP_GET_LAST_ERROR() (GetLastError()) /* XXX FIXME */
864 #define GSSEAP_MUTEX CRITICAL_SECTION
865 #define GSSEAP_MUTEX_INIT(m) (InitializeCriticalSection((m)), 0)
866 #define GSSEAP_MUTEX_DESTROY(m) DeleteCriticalSection((m))
867 #define GSSEAP_MUTEX_LOCK(m) EnterCriticalSection((m))
868 #define GSSEAP_MUTEX_UNLOCK(m) LeaveCriticalSection((m))
869 #define GSSEAP_ONCE_LEAVE do { return TRUE; } while (0)
871 /* Thread-local is handled separately */
873 #define GSSEAP_THREAD_ONCE INIT_ONCE
874 #define GSSEAP_ONCE_CALLBACK(cb) BOOL CALLBACK cb(PINIT_ONCE InitOnce, PVOID Parameter, PVOID *Context)
875 #define GSSEAP_ONCE(o, i) InitOnceExecuteOnce((o), (i), NULL, NULL)
876 #define GSSEAP_ONCE_INITIALIZER INIT_ONCE_STATIC_INIT
882 #define GSSEAP_GET_LAST_ERROR() (errno)
884 #define GSSEAP_MUTEX pthread_mutex_t
885 #define GSSEAP_MUTEX_INIT(m) pthread_mutex_init((m), NULL)
886 #define GSSEAP_MUTEX_DESTROY(m) pthread_mutex_destroy((m))
887 #define GSSEAP_MUTEX_LOCK(m) pthread_mutex_lock((m))
888 #define GSSEAP_MUTEX_UNLOCK(m) pthread_mutex_unlock((m))
890 #define GSSEAP_THREAD_KEY pthread_key_t
891 #define GSSEAP_KEY_CREATE(k, d) pthread_key_create((k), (d))
892 #define GSSEAP_GETSPECIFIC(k) pthread_getspecific((k))
893 #define GSSEAP_SETSPECIFIC(k, d) pthread_setspecific((k), (d))
895 #define GSSEAP_THREAD_ONCE pthread_once_t
896 #define GSSEAP_ONCE_CALLBACK(cb) void cb(void)
897 #define GSSEAP_ONCE(o, i) pthread_once((o), (i))
898 #define GSSEAP_ONCE_INITIALIZER PTHREAD_ONCE_INIT
899 #define GSSEAP_ONCE_LEAVE do { } while (0)
903 /* Helper functions */
905 store_uint16_be(uint16_t val, void *vp)
907 unsigned char *p = (unsigned char *)vp;
909 p[0] = (val >> 8) & 0xff;
910 p[1] = (val ) & 0xff;
913 static inline uint16_t
914 load_uint16_be(const void *cvp)
916 const unsigned char *p = (const unsigned char *)cvp;
918 return (p[1] | (p[0] << 8));
922 store_uint32_be(uint32_t val, void *vp)
924 unsigned char *p = (unsigned char *)vp;
926 p[0] = (val >> 24) & 0xff;
927 p[1] = (val >> 16) & 0xff;
928 p[2] = (val >> 8) & 0xff;
929 p[3] = (val ) & 0xff;
932 static inline uint32_t
933 load_uint32_be(const void *cvp)
935 const unsigned char *p = (const unsigned char *)cvp;
937 return (p[3] | (p[2] << 8)
938 | ((uint32_t) p[1] << 16)
939 | ((uint32_t) p[0] << 24));
943 store_uint64_be(uint64_t val, void *vp)
945 unsigned char *p = (unsigned char *)vp;
947 p[0] = (unsigned char)((val >> 56) & 0xff);
948 p[1] = (unsigned char)((val >> 48) & 0xff);
949 p[2] = (unsigned char)((val >> 40) & 0xff);
950 p[3] = (unsigned char)((val >> 32) & 0xff);
951 p[4] = (unsigned char)((val >> 24) & 0xff);
952 p[5] = (unsigned char)((val >> 16) & 0xff);
953 p[6] = (unsigned char)((val >> 8) & 0xff);
954 p[7] = (unsigned char)((val ) & 0xff);
957 static inline uint64_t
958 load_uint64_be(const void *cvp)
960 const unsigned char *p = (const unsigned char *)cvp;
962 return ((uint64_t)load_uint32_be(p) << 32) | load_uint32_be(p + 4);
965 static inline unsigned char *
966 store_buffer(gss_buffer_t buffer, void *vp, int wide_nums)
968 unsigned char *p = (unsigned char *)vp;
971 store_uint64_be(buffer->length, p);
974 store_uint32_be(buffer->length, p);
978 if (buffer->value != NULL) {
979 memcpy(p, buffer->value, buffer->length);
986 static inline unsigned char *
987 load_buffer(const void *cvp, size_t length, gss_buffer_t buffer)
990 buffer->value = GSSEAP_MALLOC(length);
991 if (buffer->value == NULL)
993 buffer->length = length;
994 memcpy(buffer->value, cvp, length);
995 return (unsigned char *)cvp + length;
998 static inline unsigned char *
999 store_oid(gss_OID oid, void *vp)
1001 gss_buffer_desc buf;
1003 if (oid != GSS_C_NO_OID) {
1004 buf.length = oid->length;
1005 buf.value = oid->elements;
1011 return store_buffer(&buf, vp, FALSE);
1015 krbDataToGssBuffer(krb5_data *data, gss_buffer_t buffer)
1017 buffer->value = (void *)data->data;
1018 buffer->length = data->length;
1022 krbPrincComponentToGssBuffer(krb5_principal krbPrinc,
1023 int index, gss_buffer_t buffer)
1025 if (KRB_PRINC_LENGTH(krbPrinc) <= index) {
1026 buffer->value = NULL;
1029 #ifdef HAVE_HEIMDAL_VERSION
1030 buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index];
1031 buffer->length = strlen((char *)buffer->value);
1033 buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data;
1034 buffer->length = krb5_princ_component(NULL, krbPrinc, index)->length;
1035 #endif /* HAVE_HEIMDAL_VERSION */
1039 static inline krb5_error_code
1040 krbPrincUnparseServiceSpecifics(krb5_context krbContext, krb5_principal krbPrinc,
1041 gss_buffer_t nameBuf)
1043 krb5_error_code result = 0;
1044 if (KRB_PRINC_LENGTH(krbPrinc) > 2) {
1045 /* Acceptor-Service-Specific */
1046 krb5_principal_data ssiPrinc = *krbPrinc;
1049 KRB_PRINC_LENGTH(&ssiPrinc) -= 2;
1050 KRB_PRINC_NAME(&ssiPrinc) += 2;
1052 result = krb5_unparse_name_flags(krbContext, &ssiPrinc,
1053 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &ssi);
1057 nameBuf->value = ssi;
1058 nameBuf->length = strlen(ssi);
1060 nameBuf->value = NULL;
1061 nameBuf->length = 0;
1068 krbFreeUnparsedName(krb5_context krbContext GSSEAP_UNUSED, gss_buffer_t nameBuf)
1070 #ifdef HAVE_HEIMDAL_VERSION
1071 krb5_xfree((char *) nameBuf->value);
1073 krb5_free_unparsed_name(krbContext, (char *)(nameBuf->value));
1075 nameBuf->value = NULL;
1076 nameBuf->length = 0;
1080 krbPrincRealmToGssBuffer(krb5_principal krbPrinc, gss_buffer_t buffer)
1082 #ifdef HAVE_HEIMDAL_VERSION
1083 buffer->value = (void *)KRB_PRINC_REALM(krbPrinc);
1084 buffer->length = strlen((char *)buffer->value);
1086 krbDataToGssBuffer(KRB_PRINC_REALM(krbPrinc), buffer);
1091 gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data)
1093 data->data = (char *)buffer->value;
1094 data->length = buffer->length;
1098 struct gss_eap_status_info;
1100 struct gss_eap_thread_local_data {
1101 krb5_context krbContext;
1102 struct gss_eap_status_info *statusInfo;
1105 struct gss_eap_thread_local_data *
1106 gssEapGetThreadLocalData(void);
1109 gssEapDestroyStatusInfo(struct gss_eap_status_info *status);
1112 gssEapDestroyKrbContext(krb5_context context);
1118 #ifdef GSSEAP_ENABLE_ACCEPTOR
1119 #include "util_json.h"
1120 #include "util_attr.h"
1121 #include "util_base64.h"
1122 #endif /* GSSEAP_ENABLE_ACCEPTOR */
1123 #ifdef GSSEAP_ENABLE_REAUTH
1124 #include "util_reauth.h"
1127 #endif /* _UTIL_H_ */