2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gssapiP_eap.h"
36 #ifdef HAVE_MOONSHOT_GET_IDENTITY
37 #include <libmoonshot.h>
40 libMoonshotMapError(OM_uint32 *minor,
41 MoonshotError **pError)
43 MoonshotError *error = *pError;
45 GSSEAP_ASSERT(error != NULL);
47 switch (error->code) {
48 case MOONSHOT_ERROR_UNABLE_TO_START_SERVICE:
49 *minor = GSSEAP_UNABLE_TO_START_IDENTITY_SERVICE;
51 case MOONSHOT_ERROR_NO_IDENTITY_SELECTED:
52 *minor = GSSEAP_NO_IDENTITY_SELECTED;
54 case MOONSHOT_ERROR_INSTALLATION_ERROR:
55 *minor = GSSEAP_IDENTITY_SERVICE_INSTALL_ERROR;
57 case MOONSHOT_ERROR_OS_ERROR:
58 *minor = GSSEAP_IDENTITY_SERVICE_OS_ERROR;
60 case MOONSHOT_ERROR_IPC_ERROR:
61 *minor = GSSEAP_IDENTITY_SERVICE_IPC_ERROR;
64 *minor = GSSEAP_IDENTITY_SERVICE_UNKNOWN_ERROR;
68 gssEapSaveStatusInfo(*minor, error->message);
69 moonshot_error_free(error);
72 return GSS_S_CRED_UNAVAIL;
76 libMoonshotResolveDefaultIdentity(OM_uint32 *minor,
77 const gss_cred_id_t cred,
80 OM_uint32 major, tmpMinor;
81 gss_OID nameMech = gssEapPrimaryMechForCred(cred);
82 gss_name_t name = GSS_C_NO_NAME;
83 gss_buffer_desc tmpBuffer = GSS_C_EMPTY_BUFFER;
85 char *password = NULL;
86 char *serverCertificateHash = NULL;
87 char *caCertificate = NULL;
88 char *subjectNameConstraint = NULL;
89 char *subjectAltNameConstraint = NULL;
90 MoonshotError *error = NULL;
92 *pName = GSS_C_NO_NAME;
94 if (!moonshot_get_default_identity(&nai,
96 &serverCertificateHash,
98 &subjectNameConstraint,
99 &subjectAltNameConstraint,
101 if (error->code == MOONSHOT_ERROR_NO_IDENTITY_SELECTED) {
102 major = GSS_S_CRED_UNAVAIL;
103 *minor = GSSEAP_NO_DEFAULT_IDENTITY;
104 moonshot_error_free(error);
106 major = libMoonshotMapError(minor, &error);
110 tmpBuffer.value = nai;
111 tmpBuffer.length = strlen(nai);
113 major = gssEapImportName(minor, &tmpBuffer, GSS_C_NT_USER_NAME, nameMech, &name);
114 if (GSS_ERROR(major))
118 name = GSS_C_NO_NAME;
122 moonshot_free(password);
123 moonshot_free(serverCertificateHash);
124 moonshot_free(caCertificate);
125 moonshot_free(subjectNameConstraint);
126 moonshot_free(subjectAltNameConstraint);
128 gssEapReleaseName(&tmpMinor, &name);
133 static int stringEmpty(const char * s)
143 libMoonshotResolveInitiatorCred(OM_uint32 *minor,
145 const gss_name_t targetName)
147 OM_uint32 major, tmpMinor;
148 gss_OID nameMech = gssEapPrimaryMechForCred(cred);
149 gss_buffer_desc initiator = GSS_C_EMPTY_BUFFER;
150 gss_buffer_desc target = GSS_C_EMPTY_BUFFER;
151 gss_buffer_desc tmpBuffer = GSS_C_EMPTY_BUFFER;
153 char *password = NULL;
154 char *serverCertificateHash = NULL;
155 char *caCertificate = NULL;
156 char *subjectNameConstraint = NULL;
157 char *subjectAltNameConstraint = NULL;
158 MoonshotError *error = NULL;
160 if (cred->name != GSS_C_NO_NAME) {
161 major = gssEapDisplayName(minor, cred->name, &initiator, NULL);
162 if (GSS_ERROR(major))
166 if (targetName != GSS_C_NO_NAME) {
167 major = gssEapDisplayName(minor, targetName, &target, NULL);
168 if (GSS_ERROR(major))
172 if (!moonshot_get_identity((const char *)initiator.value,
173 (const char *)cred->password.value,
174 (const char *)target.value,
177 &serverCertificateHash,
179 &subjectNameConstraint,
180 &subjectAltNameConstraint,
182 major = libMoonshotMapError(minor, &error);
186 gssEapReleaseName(&tmpMinor, &cred->name);
188 tmpBuffer.value = nai;
189 tmpBuffer.length = strlen(nai);
191 major = gssEapImportName(minor, &tmpBuffer, GSS_C_NT_USER_NAME,
192 nameMech, &cred->name);
193 if (GSS_ERROR(major))
196 tmpBuffer.value = password;
197 tmpBuffer.length = strlen(password);
199 major = gssEapSetCredPassword(minor, cred, &tmpBuffer);
200 if (GSS_ERROR(major))
203 gss_release_buffer(&tmpMinor, &cred->caCertificate);
204 gss_release_buffer(&tmpMinor, &cred->caCertificateBlob);
205 gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint);
206 gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint);
208 if (!stringEmpty(serverCertificateHash)) {
209 size_t len = strlen(serverCertificateHash);
211 #define HASH_PREFIX "hash://server/sha256/"
212 #define HASH_PREFIX_LEN (sizeof(HASH_PREFIX) - 1)
214 cred->caCertificate.value = GSSEAP_MALLOC(HASH_PREFIX_LEN + len + 1);
215 if (cred->caCertificate.value == NULL) {
216 major = GSS_S_FAILURE;
221 memcpy(cred->caCertificate.value, HASH_PREFIX, HASH_PREFIX_LEN);
222 memcpy((char *)cred->caCertificate.value + HASH_PREFIX_LEN, serverCertificateHash, len);
224 ((char *)cred->caCertificate.value)[HASH_PREFIX_LEN + len] = '\0';
226 cred->caCertificate.length = HASH_PREFIX_LEN + len;
227 } else if (!stringEmpty(caCertificate)) {
229 tmp.value = g_base64_decode(caCertificate, &tmp.length);
230 if (tmp.value == NULL) {
231 major = GSS_S_DEFECTIVE_CREDENTIAL;
232 *minor = GSSEAP_BAD_CACERTIFICATE;
235 major = duplicateBuffer(minor, &tmp, &cred->caCertificateBlob);
237 if (major != GSS_S_COMPLETE) {
240 makeStringBufferOrCleanup("blob://ca-cert", &cred->caCertificate);
243 if (!stringEmpty(subjectNameConstraint))
244 makeStringBufferOrCleanup(subjectNameConstraint, &cred->subjectNameConstraint);
245 if (!stringEmpty(subjectAltNameConstraint))
246 makeStringBufferOrCleanup(subjectAltNameConstraint, &cred->subjectAltNameConstraint);
250 moonshot_free(password);
251 moonshot_free(serverCertificateHash);
252 moonshot_free(caCertificate);
253 moonshot_free(subjectNameConstraint);
254 moonshot_free(subjectAltNameConstraint);
256 gss_release_buffer(&tmpMinor, &initiator);
257 gss_release_buffer(&tmpMinor, &target);
261 #endif /* HAVE_MOONSHOT_GET_IDENTITY */