2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Portions Copyright 2009 by the Massachusetts Institute of Technology.
34 * All Rights Reserved.
36 * Export of this software from the United States of America may
37 * require a specific license from the United States Government.
38 * It is the responsibility of any person or organization contemplating
39 * export to obtain such a license before exporting.
41 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
42 * distribute this software and its documentation for any purpose and
43 * without fee is hereby granted, provided that the above copyright
44 * notice appear in all copies and that both that copyright notice and
45 * this permission notice appear in supporting documentation, and that
46 * the name of M.I.T. not be used in advertising or publicity pertaining
47 * to distribution of the software without specific, written prior
48 * permission. Furthermore if you modify this software you must label
49 * your software as modified software and not distribute it in such a
50 * fashion that it might be confused with the original M.I.T. software.
51 * M.I.T. makes no representations about the suitability of
52 * this software for any purpose. It is provided "as is" without express
53 * or implied warranty.
57 * Name utility routines.
60 #include "gssapiP_eap.h"
62 static gss_OID_desc gssEapNtEapName = {
63 /* 1.3.6.1.5.5.15.2.1 */
64 8, "\x2B\x06\x01\x05\x05\x0f\x02\x01"
67 gss_OID GSS_EAP_NT_EAP_NAME = &gssEapNtEapName;
70 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName)
75 *pName = GSS_C_NO_NAME;
77 name = (gss_name_t)GSSEAP_CALLOC(1, sizeof(*name));
83 if (GSSEAP_MUTEX_INIT(&name->mutex) != 0) {
84 *minor = GSSEAP_GET_LAST_ERROR();
85 gssEapReleaseName(&tmpMinor, &name);
91 return GSS_S_COMPLETE;
95 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName)
98 krb5_context krbContext = NULL;
104 return GSS_S_COMPLETE;
108 if (name == GSS_C_NO_NAME) {
109 return GSS_S_COMPLETE;
112 GSSEAP_KRB_INIT(&krbContext);
113 krb5_free_principal(krbContext, name->krbPrincipal);
114 gssEapReleaseOid(&tmpMinor, &name->mechanismUsed);
115 #ifdef GSSEAP_ENABLE_ACCEPTOR
116 gssEapReleaseAttrContext(&tmpMinor, name);
119 GSSEAP_MUTEX_DESTROY(&name->mutex);
123 return GSS_S_COMPLETE;
127 krbPrincipalToName(OM_uint32 *minor,
128 krb5_principal *principal,
134 major = gssEapAllocName(minor, &name);
135 if (GSS_ERROR(major))
138 name->krbPrincipal = *principal;
141 if (KRB_PRINC_LENGTH(name->krbPrincipal) >= 1) {
142 name->flags |= NAME_FLAG_SERVICE;
144 if (KRB_PRINC_LENGTH(name->krbPrincipal) == 1) {
145 name->flags |= NAME_FLAG_NAI;
151 return GSS_S_COMPLETE;
155 gssEapGetDefaultRealm(krb5_context krbContext)
157 char *defaultRealm = NULL;
159 krb5_appdefault_string(krbContext, "eap_gss",
160 NULL, "default_realm", "", &defaultRealm);
166 importServiceName(OM_uint32 *minor,
167 const gss_buffer_t nameBuffer,
171 krb5_error_code code;
172 krb5_context krbContext;
173 krb5_principal krbPrinc;
174 char *service, *host, *realm = NULL;
176 GSSEAP_KRB_INIT(&krbContext);
178 major = bufferToString(minor, nameBuffer, &service);
179 if (GSS_ERROR(major))
182 host = strchr(service, '@');
188 realm = gssEapGetDefaultRealm(krbContext);
190 code = krb5_build_principal(krbContext,
192 realm != NULL ? strlen(realm) : 0,
193 realm != NULL ? realm : "",
199 KRB_PRINC_TYPE(krbPrinc) = KRB5_NT_SRV_HST;
201 major = krbPrincipalToName(minor, &krbPrinc, pName);
202 if (GSS_ERROR(major))
203 krb5_free_principal(krbContext, krbPrinc);
205 major = GSS_S_FAILURE;
206 *minor = GSSEAP_BAD_SERVICE_NAME;
210 krb5_free_default_realm(krbContext, realm);
211 GSSEAP_FREE(service);
216 #define IMPORT_FLAG_DEFAULT_REALM 0x1
219 * Import an EAP name, possibly appending the default GSS EAP realm,
222 importEapNameFlags(OM_uint32 *minor,
223 const gss_buffer_t nameBuffer,
224 OM_uint32 importFlags,
228 krb5_context krbContext;
229 krb5_principal krbPrinc = NULL;
230 krb5_error_code code;
233 GSSEAP_KRB_INIT(&krbContext);
235 if (nameBuffer == GSS_C_NO_BUFFER) {
237 code = KRB5_PARSE_MALFORMED;
239 major = bufferToString(minor, nameBuffer, &nameString);
240 if (GSS_ERROR(major))
244 * First, attempt to parse the name on the assumption that it includes
245 * a qualifying realm. This allows us to avoid accidentally appending
246 * the default Kerberos realm to an unqualified name. (A bug in MIT
247 * Kerberos prevents the default realm being set to an empty value.)
249 code = krb5_parse_name_flags(krbContext, nameString,
250 KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, &krbPrinc);
253 if (code == KRB5_PARSE_MALFORMED) {
254 char *defaultRealm = NULL;
257 /* Possibly append the default EAP realm if required */
258 if (importFlags & IMPORT_FLAG_DEFAULT_REALM)
259 defaultRealm = gssEapGetDefaultRealm(krbContext);
261 /* If no default realm, leave the realm empty in the parsed name */
262 if (defaultRealm == NULL || defaultRealm[0] == '\0')
263 parseFlags |= KRB5_PRINCIPAL_PARSE_NO_REALM;
265 code = krb5_parse_name_flags(krbContext, nameString, parseFlags, &krbPrinc);
267 #ifdef HAVE_HEIMDAL_VERSION
268 if (code == 0 && KRB_PRINC_REALM(krbPrinc) == NULL) {
269 KRB_PRINC_REALM(krbPrinc) = KRB_CALLOC(1, sizeof(char));
270 if (KRB_PRINC_REALM(krbPrinc) == NULL)
273 krb5_xfree(defaultRealm);
275 if (defaultRealm != NULL)
276 krb5_free_default_realm(krbContext, defaultRealm);
280 if (nameBuffer != GSS_C_NO_BUFFER)
281 GSSEAP_FREE(nameString);
285 return GSS_S_FAILURE;
288 GSSEAP_ASSERT(krbPrinc != NULL);
290 major = krbPrincipalToName(minor, &krbPrinc, pName);
291 if (GSS_ERROR(major))
292 krb5_free_principal(krbContext, krbPrinc);
298 importEapName(OM_uint32 *minor,
299 const gss_buffer_t nameBuffer,
302 return importEapNameFlags(minor, nameBuffer, 0, pName);
306 importUserName(OM_uint32 *minor,
307 const gss_buffer_t nameBuffer,
310 return importEapNameFlags(minor, nameBuffer, IMPORT_FLAG_DEFAULT_REALM, pName);
314 importAnonymousName(OM_uint32 *minor,
315 const gss_buffer_t nameBuffer GSSEAP_UNUSED,
318 return importEapNameFlags(minor, GSS_C_NO_BUFFER, 0, pName);
321 #define UPDATE_REMAIN(n) do { \
326 #define CHECK_REMAIN(n) do { \
327 if (remain < (n)) { \
328 major = GSS_S_BAD_NAME; \
329 *minor = GSSEAP_TOK_TRUNC; \
335 gssEapImportNameInternal(OM_uint32 *minor,
336 const gss_buffer_t nameBuffer,
340 OM_uint32 major, tmpMinor;
341 krb5_context krbContext;
345 gss_name_t name = GSS_C_NO_NAME;
346 gss_OID mechanismUsed = GSS_C_NO_OID;
348 GSSEAP_KRB_INIT(&krbContext);
350 p = (unsigned char *)nameBuffer->value;
351 remain = nameBuffer->length;
353 if (flags & EXPORT_NAME_FLAG_OID) {
355 enum gss_eap_token_type tokType;
356 uint16_t wireTokType;
358 /* TOK_ID || MECH_OID_LEN || MECH_OID */
360 *minor = GSSEAP_BAD_NAME_TOKEN;
361 return GSS_S_BAD_NAME;
364 if (flags & EXPORT_NAME_FLAG_COMPOSITE)
365 tokType = TOK_TYPE_EXPORT_NAME_COMPOSITE;
367 tokType = TOK_TYPE_EXPORT_NAME;
370 wireTokType = load_uint16_be(p);
372 if ((flags & EXPORT_NAME_FLAG_ALLOW_COMPOSITE) &&
373 wireTokType == TOK_TYPE_EXPORT_NAME_COMPOSITE) {
374 tokType = TOK_TYPE_EXPORT_NAME_COMPOSITE;
375 flags |= EXPORT_NAME_FLAG_COMPOSITE;
378 if (wireTokType != tokType) {
379 *minor = GSSEAP_WRONG_TOK_ID;
380 return GSS_S_BAD_NAME;
385 len = load_uint16_be(p);
387 *minor = GSSEAP_BAD_NAME_TOKEN;
388 return GSS_S_BAD_NAME;
394 *minor = GSSEAP_BAD_NAME_TOKEN;
395 return GSS_S_BAD_NAME;
399 mech.elements = &p[2];
401 CHECK_REMAIN(mech.length);
403 major = gssEapCanonicalizeOid(minor,
405 OID_FLAG_FAMILY_MECH_VALID |
406 OID_FLAG_MAP_FAMILY_MECH_TO_NULL,
408 if (GSS_ERROR(major))
411 UPDATE_REMAIN(2 + mech.length);
416 len = load_uint32_be(p);
425 major = importEapNameFlags(minor, &buf, 0, &name);
426 if (GSS_ERROR(major))
429 name->mechanismUsed = mechanismUsed;
430 mechanismUsed = GSS_C_NO_OID;
432 #ifdef GSSEAP_ENABLE_ACCEPTOR
433 if (flags & EXPORT_NAME_FLAG_COMPOSITE) {
439 major = gssEapImportAttrContext(minor, &buf, name);
440 if (GSS_ERROR(major))
445 major = GSS_S_COMPLETE;
449 if (GSS_ERROR(major)) {
450 gssEapReleaseOid(&tmpMinor, &mechanismUsed);
451 gssEapReleaseName(&tmpMinor, &name);
460 importExportName(OM_uint32 *minor,
461 const gss_buffer_t nameBuffer,
464 return gssEapImportNameInternal(minor, nameBuffer, name,
465 EXPORT_NAME_FLAG_OID |
466 EXPORT_NAME_FLAG_ALLOW_COMPOSITE);
469 #ifdef HAVE_GSS_C_NT_COMPOSITE_EXPORT
471 importCompositeExportName(OM_uint32 *minor,
472 const gss_buffer_t nameBuffer,
475 return gssEapImportNameInternal(minor, nameBuffer, name,
476 EXPORT_NAME_FLAG_OID |
477 EXPORT_NAME_FLAG_COMPOSITE);
481 struct gss_eap_name_import_provider {
483 OM_uint32 (*import)(OM_uint32 *, const gss_buffer_t, gss_name_t *);
487 gssEapImportName(OM_uint32 *minor,
488 const gss_buffer_t nameBuffer,
489 const gss_OID nameType,
490 const gss_OID mechType,
493 struct gss_eap_name_import_provider nameTypes[] = {
494 { GSS_EAP_NT_EAP_NAME, importEapName },
495 { GSS_C_NT_USER_NAME, importUserName },
496 { GSS_C_NT_HOSTBASED_SERVICE, importServiceName },
497 { GSS_C_NT_HOSTBASED_SERVICE_X, importServiceName },
498 { GSS_C_NT_ANONYMOUS, importAnonymousName },
499 { GSS_C_NT_EXPORT_NAME, importExportName },
500 { GSS_KRB5_NT_PRINCIPAL_NAME, importUserName },
501 #ifdef HAVE_GSS_C_NT_COMPOSITE_EXPORT
502 { GSS_C_NT_COMPOSITE_EXPORT, importCompositeExportName },
506 OM_uint32 major = GSS_S_BAD_NAMETYPE;
508 gss_name_t name = GSS_C_NO_NAME;
510 for (i = 0; i < sizeof(nameTypes) / sizeof(nameTypes[0]); i++) {
511 if (oidEqual(nameTypes[i].oid,
512 nameType == GSS_C_NO_OID ? GSS_EAP_NT_EAP_NAME : nameType)) {
513 major = nameTypes[i].import(minor, nameBuffer, &name);
518 if (major == GSS_S_COMPLETE &&
519 mechType != GSS_C_NO_OID) {
520 GSSEAP_ASSERT(gssEapIsConcreteMechanismOid(mechType));
521 GSSEAP_ASSERT(name != GSS_C_NO_NAME);
522 GSSEAP_ASSERT(name->mechanismUsed == GSS_C_NO_OID);
524 major = gssEapCanonicalizeOid(minor, mechType, 0, &name->mechanismUsed);
527 if (GSS_ERROR(major))
528 gssEapReleaseName(&tmpMinor, &name);
536 gssEapExportName(OM_uint32 *minor,
537 gss_const_name_t name,
538 gss_buffer_t exportedName)
540 return gssEapExportNameInternal(minor, name, exportedName,
541 EXPORT_NAME_FLAG_OID);
545 gssEapExportNameInternal(OM_uint32 *minor,
546 gss_const_name_t name,
547 gss_buffer_t exportedName,
550 OM_uint32 major = GSS_S_FAILURE, tmpMinor;
551 gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
552 size_t exportedNameLen;
554 gss_buffer_desc attrs = GSS_C_EMPTY_BUFFER;
557 exportedName->length = 0;
558 exportedName->value = NULL;
560 if (name->mechanismUsed != GSS_C_NO_OID)
561 mech = name->mechanismUsed;
563 mech = GSS_EAP_MECHANISM;
565 major = gssEapDisplayName(minor, name, &nameBuf, NULL);
566 if (GSS_ERROR(major))
570 if (flags & EXPORT_NAME_FLAG_OID) {
571 exportedNameLen += 6 + mech->length;
573 exportedNameLen += 4 + nameBuf.length;
574 #ifdef GSSEAP_ENABLE_ACCEPTOR
575 if (flags & EXPORT_NAME_FLAG_COMPOSITE) {
576 major = gssEapExportAttrContext(minor, name, &attrs);
577 if (GSS_ERROR(major))
579 exportedNameLen += attrs.length;
583 exportedName->value = GSSEAP_MALLOC(exportedNameLen);
584 if (exportedName->value == NULL) {
585 major = GSS_S_FAILURE;
589 exportedName->length = exportedNameLen;
591 p = (unsigned char *)exportedName->value;
593 if (flags & EXPORT_NAME_FLAG_OID) {
594 /* TOK | MECH_OID_LEN */
595 store_uint16_be((flags & EXPORT_NAME_FLAG_COMPOSITE)
596 ? TOK_TYPE_EXPORT_NAME_COMPOSITE
597 : TOK_TYPE_EXPORT_NAME,
600 store_uint16_be(mech->length + 2, p);
605 *p++ = mech->length & 0xff;
606 memcpy(p, mech->elements, mech->length);
611 store_uint32_be(nameBuf.length, p);
615 memcpy(p, nameBuf.value, nameBuf.length);
618 if (flags & EXPORT_NAME_FLAG_COMPOSITE) {
619 memcpy(p, attrs.value, attrs.length);
623 GSSEAP_ASSERT(p == (unsigned char *)exportedName->value + exportedNameLen);
625 major = GSS_S_COMPLETE;
629 gss_release_buffer(&tmpMinor, &attrs);
630 gss_release_buffer(&tmpMinor, &nameBuf);
631 if (GSS_ERROR(major))
632 gss_release_buffer(&tmpMinor, exportedName);
638 gssEapCanonicalizeName(OM_uint32 *minor,
639 gss_const_name_t input_name,
640 const gss_OID mech_type,
641 gss_name_t *dest_name)
643 OM_uint32 major, tmpMinor;
644 krb5_context krbContext;
648 if (input_name == GSS_C_NO_NAME) {
650 return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
653 GSSEAP_KRB_INIT(&krbContext);
655 major = gssEapAllocName(minor, &name);
656 if (GSS_ERROR(major)) {
660 if (mech_type != GSS_C_NO_OID)
661 mech_used = mech_type;
663 mech_used = input_name->mechanismUsed;
665 major = gssEapCanonicalizeOid(minor,
668 &name->mechanismUsed);
669 if (GSS_ERROR(major))
672 name->flags = input_name->flags;
674 *minor = krb5_copy_principal(krbContext, input_name->krbPrincipal,
675 &name->krbPrincipal);
677 major = GSS_S_FAILURE;
681 #ifdef GSSEAP_ENABLE_ACCEPTOR
682 if (input_name->attrCtx != NULL) {
683 major = gssEapDuplicateAttrContext(minor, input_name, name);
684 if (GSS_ERROR(major))
692 if (GSS_ERROR(major)) {
693 gssEapReleaseName(&tmpMinor, &name);
700 gssEapDuplicateName(OM_uint32 *minor,
701 gss_const_name_t input_name,
702 gss_name_t *dest_name)
704 return gssEapCanonicalizeName(minor, input_name,
705 GSS_C_NO_OID, dest_name);
709 hasRealmP(gss_const_name_t name)
711 #ifdef HAVE_HEIMDAL_VERSION
712 if (KRB_PRINC_REALM(name->krbPrincipal) != NULL &&
713 KRB_PRINC_REALM(name->krbPrincipal)[0] != '\0')
715 if (KRB_PRINC_REALM(name->krbPrincipal)->length != 0)
723 gssEapDisplayName(OM_uint32 *minor,
724 gss_const_name_t name,
725 gss_buffer_t output_name_buffer,
726 gss_OID *output_name_type)
729 krb5_context krbContext;
734 GSSEAP_KRB_INIT(&krbContext);
736 output_name_buffer->length = 0;
737 output_name_buffer->value = NULL;
739 if (name == GSS_C_NO_NAME) {
741 return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
745 * According to draft-ietf-abfab-gss-eap-01, when the realm is
746 * absent the trailing '@' is not included.
748 if (!hasRealmP(name))
749 flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
751 *minor = krb5_unparse_name_flags(krbContext, name->krbPrincipal,
754 return GSS_S_FAILURE;
757 major = makeStringBuffer(minor, krbName, output_name_buffer);
758 #ifdef HAVE_HEIMDAL_VERSION
761 krb5_free_unparsed_name(krbContext, krbName);
763 if (GSS_ERROR(major))
766 if (output_name_buffer->length == 0) {
767 name_type = GSS_C_NT_ANONYMOUS;
768 } else if (name->flags & NAME_FLAG_NAI) {
769 name_type = GSS_C_NT_USER_NAME;
771 name_type = GSS_EAP_NT_EAP_NAME;
774 if (output_name_type != NULL)
775 *output_name_type = name_type;
777 return GSS_S_COMPLETE;
781 gssEapCompareName(OM_uint32 *minor,
782 gss_const_name_t name1,
783 gss_const_name_t name2,
787 krb5_context krbContext;
791 if (name1 == GSS_C_NO_NAME && name2 == GSS_C_NO_NAME) {
793 } else if (name1 != GSS_C_NO_NAME && name2 != GSS_C_NO_NAME) {
794 GSSEAP_KRB_INIT(&krbContext);
796 /* krbPrincipal is immutable, so lock not required */
797 if ((flags & COMPARE_NAME_FLAG_IGNORE_EMPTY_REALMS) &&
798 (hasRealmP(name1) == FALSE || hasRealmP(name2) == FALSE)) {
799 *name_equal = krb5_principal_compare_any_realm(krbContext,
801 name2->krbPrincipal);
803 *name_equal = krb5_principal_compare(krbContext,
805 name2->krbPrincipal);
811 return GSS_S_COMPLETE;
projects / mech_eap.git / blob