2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * RADIUS attribute provider implementation.
37 #include "gssapiP_eap.h"
39 #define RS_MAP_ERROR(code) (ERROR_TABLE_BASE_rse + (code))
41 static rs_avp *copyAvps(rs_const_avp *src);
44 gssEapRadiusGetAvp(OM_uint32 *minor,
46 const gss_eap_attrid &attrid,
51 gssEapRadiusAddAvp(OM_uint32 *minor,
53 const gss_eap_attrid &attrid,
54 const gss_buffer_t buffer);
57 avpToAttrId(rs_const_avp *vp)
59 gss_eap_attrid attrid;
61 rs_avp_attrid(vp, &attrid.second, &attrid.first);
66 gss_eap_radius_attr_provider::gss_eap_radius_attr_provider(void)
69 m_authenticated = false;
72 gss_eap_radius_attr_provider::~gss_eap_radius_attr_provider(void)
79 gss_eap_radius_attr_provider::initWithExistingContext(const gss_eap_attr_ctx *manager,
80 const gss_eap_attr_provider *ctx)
82 const gss_eap_radius_attr_provider *radius;
84 if (!gss_eap_attr_provider::initWithExistingContext(manager, ctx))
87 radius = static_cast<const gss_eap_radius_attr_provider *>(ctx);
89 if (radius->m_vps != NULL)
90 m_vps = copyAvps(radius->getAvps());
92 m_authenticated = radius->m_authenticated;
98 gss_eap_radius_attr_provider::initWithGssContext(const gss_eap_attr_ctx *manager,
99 const gss_cred_id_t gssCred,
100 const gss_ctx_id_t gssCtx)
102 if (!gss_eap_attr_provider::initWithGssContext(manager, gssCred, gssCtx))
105 if (gssCtx != GSS_C_NO_CONTEXT) {
106 if (gssCtx->acceptorCtx.vps != NULL) {
107 m_vps = copyAvps(gssCtx->acceptorCtx.vps);
111 /* We assume libradsec validated this for us */
112 GSSEAP_ASSERT(rs_avp_find(m_vps, PW_MESSAGE_AUTHENTICATOR, 0) != NULL);
113 m_authenticated = true;
121 alreadyAddedAttributeP(std::vector <gss_eap_attrid> &attrs,
122 gss_eap_attrid &attrid)
124 for (std::vector<gss_eap_attrid>::const_iterator a = attrs.begin();
127 if (attrid.first == (*a).first &&
128 attrid.second == (*a).second)
136 isSecretAttributeP(const gss_eap_attrid &attrid)
138 bool bSecretAttribute = false;
140 switch (attrid.first) {
141 case VENDORPEC_MICROSOFT:
142 switch (attrid.second) {
143 case PW_MS_MPPE_SEND_KEY:
144 case PW_MS_MPPE_RECV_KEY:
145 bSecretAttribute = true;
154 return bSecretAttribute;
158 isSecretAttributeP(rs_const_avp *vp)
160 return isSecretAttributeP(avpToAttrId(vp));
164 isInternalAttributeP(const gss_eap_attrid &attrid)
166 bool bInternalAttribute = false;
168 /* should have been filtered */
169 GSSEAP_ASSERT(!isSecretAttributeP(attrid));
171 switch (attrid.first) {
172 case VENDORPEC_UKERNA:
173 switch (attrid.second) {
174 case PW_GSS_ACCEPTOR_SERVICE_NAME:
175 case PW_GSS_ACCEPTOR_HOST_NAME:
176 case PW_GSS_ACCEPTOR_SERVICE_SPECIFIC:
177 case PW_GSS_ACCEPTOR_REALM_NAME:
178 case PW_SAML_AAA_ASSERTION:
179 bInternalAttribute = true;
189 return bInternalAttribute;
193 isInternalAttributeP(rs_const_avp *vp)
195 return isInternalAttributeP(avpToAttrId(vp));
199 isFragmentedAttributeP(const gss_eap_attrid &attrid)
201 /* A bit of a hack for the PAC for now. Should be configurable. */
202 return (attrid.first == VENDORPEC_UKERNA) &&
203 !isInternalAttributeP(attrid);
207 * Copy AVP list, same as paircopy except it filters out attributes
211 copyAvps(rs_const_avp *src)
216 for (vp = src; vp != NULL; vp = rs_avp_next_const(vp)) {
219 if (isSecretAttributeP(vp))
222 vpcopy = rs_avp_dup(vp);
223 if (vpcopy == NULL) {
225 throw std::bad_alloc();
228 rs_avp_append(&dst, vpcopy);
235 gss_eap_radius_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
239 std::vector <gss_eap_attrid> seen;
241 for (vp = m_vps; vp != NULL; vp = rs_avp_next(vp)) {
242 gss_buffer_desc desc;
243 gss_eap_attrid attrid;
246 /* Don't advertise attributes that are internal to the GSS-EAP mechanism */
247 if (isInternalAttributeP(vp))
250 rs_avp_attrid(vp, &attrid.second, &attrid.first);
252 if (alreadyAddedAttributeP(seen, attrid))
255 if (attrid.first != 0) {
256 snprintf(buf, sizeof(buf), "%u.%u", attrid.first, attrid.second);
258 snprintf(buf, sizeof(buf), "%u", attrid.second);
262 desc.length = strlen(buf);
264 if (!addAttribute(m_manager, this, &desc, data))
267 seen.push_back(attrid);
274 getAttributeId(const gss_buffer_t desc,
275 gss_eap_attrid *attrid)
278 gss_buffer_desc strAttr = GSS_C_EMPTY_BUFFER;
282 /* need to duplicate because attr may not be NUL terminated */
283 duplicateBuffer(*desc, &strAttr);
284 s = (char *)strAttr.value;
288 unsigned int tmp = strtoul(s, &s2, 10);
291 /* Vendor attributes formatted as Vendor.Attribute */
293 attrid->second = strtoul(s2 + 1, NULL, 10);
295 } else if (*s2 == '\0') {
296 /* Non-vendor attrbiute */
298 attrid->second = tmp;
304 ret = (rs_attr_find(s, &attrid->second, &attrid->first) == RSE_OK);
307 gss_release_buffer(&tmpMinor, &strAttr);
313 gss_eap_radius_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
314 const gss_eap_attrid &attrid,
315 const gss_buffer_t value)
317 OM_uint32 major = GSS_S_UNAVAILABLE, minor;
319 if (!isSecretAttributeP(attrid) &&
320 !isInternalAttributeP(attrid)) {
321 deleteAttribute(attrid);
323 major = gssEapRadiusAddAvp(&minor, &m_vps, attrid, value);
326 return !GSS_ERROR(major);
330 gss_eap_radius_attr_provider::setAttribute(int complete,
331 const gss_buffer_t attr,
332 const gss_buffer_t value)
334 gss_eap_attrid attrid;
336 if (!getAttributeId(attr, &attrid))
339 return setAttribute(complete, attrid, value);
343 gss_eap_radius_attr_provider::deleteAttribute(const gss_eap_attrid &attrid)
345 if (isSecretAttributeP(attrid) ||
346 isInternalAttributeP(attrid) ||
347 rs_avp_find(m_vps, attrid.second, attrid.first) == NULL)
350 return (rs_avp_delete(&m_vps, attrid.second, attrid.first) == RSE_OK);
354 gss_eap_radius_attr_provider::deleteAttribute(const gss_buffer_t attr)
356 gss_eap_attrid attrid;
358 if (!getAttributeId(attr, &attrid))
361 return deleteAttribute(attrid);
365 gss_eap_radius_attr_provider::getAttribute(const gss_buffer_t attr,
369 gss_buffer_t display_value,
372 gss_eap_attrid attrid;
374 if (!getAttributeId(attr, &attrid))
377 return getAttribute(attrid,
378 authenticated, complete,
379 value, display_value, more);
383 gss_eap_radius_attr_provider::getAttribute(const gss_eap_attrid &attrid,
387 gss_buffer_t display_value,
391 int i = *more, count = 0;
398 if (isSecretAttributeP(attrid) ||
399 isInternalAttributeP(attrid)) {
401 } else if (isFragmentedAttributeP(attrid)) {
402 return getFragmentedAttribute(attrid,
408 for (vp = rs_avp_find_const(m_vps, attrid.second, attrid.first);
410 vp = rs_avp_find_const(rs_avp_next_const(vp), attrid.second, attrid.first)) {
412 if (rs_avp_find_const(rs_avp_next_const(vp), attrid.second, attrid.first) != NULL)
418 if (vp == NULL && *more == 0)
421 if (value != GSS_C_NO_BUFFER) {
422 gss_buffer_desc valueBuf;
424 rs_avp_octets_value_byref((rs_avp *)vp,
425 (unsigned char **)&valueBuf.value,
428 duplicateBuffer(valueBuf, value);
431 if (display_value != GSS_C_NO_BUFFER &&
432 !rs_avp_is_octets(vp)) {
433 char displayString[RS_MAX_STRING_LEN];
434 gss_buffer_desc displayBuf;
436 displayBuf.length = rs_avp_display_value(vp, displayString,
437 sizeof(displayString));
438 displayBuf.value = (void *)displayString;
440 duplicateBuffer(displayBuf, display_value);
443 if (authenticated != NULL)
444 *authenticated = m_authenticated;
445 if (complete != NULL)
452 gss_eap_radius_attr_provider::getFragmentedAttribute(const gss_eap_attrid &attrid,
455 gss_buffer_t value) const
457 OM_uint32 major, minor;
459 major = gssEapRadiusGetAvp(&minor, m_vps, attrid, value, TRUE);
461 if (authenticated != NULL)
462 *authenticated = m_authenticated;
463 if (complete != NULL)
466 return !GSS_ERROR(major);
470 gss_eap_radius_attr_provider::mapToAny(int authenticated,
471 gss_buffer_t type_id GSSEAP_UNUSED) const
473 if (authenticated && !m_authenticated)
474 return (gss_any_t)NULL;
476 return (gss_any_t)copyAvps(m_vps);
480 gss_eap_radius_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
481 gss_any_t input) const
483 rs_avp *vp = (rs_avp *)input;
488 gss_eap_radius_attr_provider::init(void)
490 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS, createAttrContext);
496 gss_eap_radius_attr_provider::finalize(void)
498 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_RADIUS);
501 gss_eap_attr_provider *
502 gss_eap_radius_attr_provider::createAttrContext(void)
504 return new gss_eap_radius_attr_provider;
508 gssEapRadiusAddAvp(OM_uint32 *minor,
510 const gss_eap_attrid &attrid,
511 const gss_buffer_t buffer)
513 unsigned char *p = (unsigned char *)buffer->value;
514 size_t remain = buffer->length;
521 * There's an extra byte of padding; RADIUS AVPs can only
524 if (n >= RS_MAX_STRING_LEN)
525 n = RS_MAX_STRING_LEN - 1;
527 vp = rs_avp_alloc(attrid.second, attrid.first);
530 return GSS_S_FAILURE;
533 rs_avp_octets_set(vp, p, n);
535 rs_avp_append(vps, vp);
539 } while (remain != 0);
541 return GSS_S_COMPLETE;
545 gssEapRadiusAddAvp(OM_uint32 *minor,
546 struct rs_packet *pkt,
547 unsigned int attribute,
549 const gss_buffer_t buffer)
551 gss_eap_attrid attrid(vendor, attribute);
554 code = rs_packet_append_avp(pkt, attrid.second, attrid.first,
555 buffer->value, buffer->length);
556 if (code != RSE_OK) {
557 *minor = RS_MAP_ERROR(code);
558 return GSS_S_FAILURE;
562 return GSS_S_COMPLETE;
566 gssEapRadiusGetRawAvp(OM_uint32 *minor,
568 unsigned int attribute,
572 *vp = rs_avp_find_const(vps, attribute, vendor);
574 *minor = GSSEAP_NO_SUCH_ATTR;
575 return GSS_S_UNAVAILABLE;
578 return GSS_S_COMPLETE;
582 gssEapRadiusGetAvp(OM_uint32 *minor,
584 const gss_eap_attrid &attrid,
591 if (buffer != GSS_C_NO_BUFFER) {
593 buffer->value = NULL;
596 vp = rs_avp_find_const(vps, attrid.second, attrid.first);
598 *minor = GSSEAP_NO_SUCH_ATTR;
599 return GSS_S_UNAVAILABLE;
602 if (buffer != GSS_C_NO_BUFFER) {
604 rs_avp_fragmented_value(vp, NULL, &buffer->length);
606 buffer->length = rs_avp_length(vp);
608 buffer->value = GSSEAP_MALLOC(buffer->length);
609 if (buffer->value == NULL) {
611 return GSS_S_FAILURE;
615 err = rs_avp_fragmented_value(vp, (unsigned char *)buffer->value, &buffer->length);
617 err = rs_avp_octets_value(vp, (unsigned char *)buffer->value, &buffer->length);
620 *minor = RS_MAP_ERROR(err);
621 return GSS_S_FAILURE;
626 return GSS_S_COMPLETE;
630 gssEapRadiusGetAvp(OM_uint32 *minor,
631 struct rs_packet *pkt,
632 unsigned int attribute,
638 gss_eap_attrid attrid(vendor, attribute);
640 rs_packet_avps(pkt, &vps);
642 return gssEapRadiusGetAvp(minor, *vps, attrid, buffer, concat);
646 gssEapRadiusFreeAvps(OM_uint32 *minor,
651 return GSS_S_COMPLETE;
655 gssEapRadiusAttrProviderInit(OM_uint32 *minor)
657 if (!gss_eap_radius_attr_provider::init()) {
658 *minor = GSSEAP_RADSEC_INIT_FAILURE;
659 return GSS_S_FAILURE;
662 return GSS_S_COMPLETE;
666 gssEapRadiusAttrProviderFinalize(OM_uint32 *minor)
668 gss_eap_radius_attr_provider::finalize();
671 return GSS_S_COMPLETE;
675 avpToJson(rs_const_avp *vp)
678 gss_eap_attrid attrid;
680 GSSEAP_ASSERT(rs_avp_length(vp) <= RS_MAX_STRING_LEN);
682 switch (rs_avp_typeof(vp)) {
683 case RS_TYPE_INTEGER:
684 obj.set("value", rs_avp_integer_value(vp));
687 obj.set("value", rs_avp_date_value(vp));
690 obj.set("value", rs_avp_string_value(vp));
695 if (base64Encode(rs_avp_octets_value_const_ptr(vp),
696 rs_avp_length(vp), &b64) < 0)
697 throw std::bad_alloc();
699 obj.set("value", b64);
705 attrid = avpToAttrId(vp);
707 obj.set("type", attrid.second);
708 if (attrid.first != 0)
709 obj.set("vendor", attrid.first);
715 jsonToAvp(rs_avp **pVp, JSONObject &obj)
718 gss_eap_attrid attrid;
720 JSONObject type = obj["type"];
721 JSONObject vendor = obj["vendor"];
722 JSONObject value = obj["value"];
724 if (!type.isInteger())
726 attrid.second = type.integer();
728 if (!vendor.isNull()) {
729 if (!vendor.isInteger())
731 attrid.first = vendor.integer();
736 vp = rs_avp_alloc(attrid.second, attrid.first);
738 throw std::bad_alloc();
740 switch (rs_avp_typeof(vp)) {
741 case RS_TYPE_INTEGER:
744 if (!value.isInteger())
747 if (rs_avp_integer_set(vp, value.integer()) != RSE_OK)
751 case RS_TYPE_STRING: {
752 if (!value.isString())
755 if (rs_avp_string_set(vp, value.string()) != RSE_OK)
762 unsigned char buf[RS_MAX_STRING_LEN];
764 if (!value.isString())
767 const char *str = value.string();
768 ssize_t len = strlen(str);
770 /* this optimization requires base64Decode only understand packed encoding */
771 if (len >= BASE64_EXPAND(RS_MAX_STRING_LEN))
774 len = base64Decode(str, buf);
778 if (rs_avp_octets_set(vp, buf, len) != RSE_OK)
797 gss_eap_radius_attr_provider::name(void) const
803 gss_eap_radius_attr_provider::initWithJsonObject(const gss_eap_attr_ctx *ctx,
806 if (!gss_eap_attr_provider::initWithJsonObject(ctx, obj))
809 JSONObject attrs = obj["attributes"];
810 size_t nelems = attrs.size();
812 for (size_t i = 0; i < nelems; i++) {
813 JSONObject attr = attrs[i];
816 if (!jsonToAvp(&vp, attr))
819 rs_avp_append(&m_vps, vp);
822 m_authenticated = obj["authenticated"].integer() ? true : false;
828 gss_eap_radius_attr_provider::prefix(void) const
830 return "urn:ietf:params:gssapi:aaa-radius";
834 gss_eap_radius_attr_provider::jsonRepresentation(void) const
836 JSONObject obj, attrs = JSONObject::array();
838 for (rs_avp *vp = m_vps; vp != NULL; vp = rs_avp_next(vp)) {
839 JSONObject attr = avpToJson(vp);
843 obj.set("attributes", attrs);
845 obj.set("authenticated", m_authenticated);
851 gss_eap_radius_attr_provider::getExpiryTime(void) const
856 vp = rs_avp_find(m_vps, PW_SESSION_TIMEOUT, 0);
860 value = rs_avp_integer_value(vp);
864 return time(NULL) + value;
868 gssEapRadiusMapError(OM_uint32 *minor,
869 struct rs_error *err)
873 GSSEAP_ASSERT(err != NULL);
875 code = rs_err_code(err, 0);
877 if (code == RSE_OK) {
879 return GSS_S_COMPLETE;
882 *minor = RS_MAP_ERROR(code);
884 gssEapSaveStatusInfo(*minor, "%s", rs_err_msg(err));
887 return GSS_S_FAILURE;
891 gssEapCreateRadiusContext(OM_uint32 *minor,
893 struct rs_context **pRadContext)
895 const char *configFile = RS_CONFIG_FILE;
896 struct rs_context *radContext;
897 struct rs_alloc_scheme ralloc;
898 struct rs_error *err;
903 if (rs_context_create(&radContext) != 0) {
904 *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
905 return GSS_S_FAILURE;
908 if (cred->radiusConfigFile.value != NULL)
909 configFile = (const char *)cred->radiusConfigFile.value;
911 ralloc.calloc = GSSEAP_CALLOC;
912 ralloc.malloc = GSSEAP_MALLOC;
913 ralloc.free = GSSEAP_FREE;
914 ralloc.realloc = GSSEAP_REALLOC;
916 rs_context_set_alloc_scheme(radContext, &ralloc);
918 if (rs_context_read_config(radContext, configFile) != 0) {
919 err = rs_err_ctx_pop(radContext);
923 *pRadContext = radContext;
926 return GSS_S_COMPLETE;
929 major = gssEapRadiusMapError(minor, err);
930 rs_context_destroy(radContext);