X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=blobdiff_plain;f=mech_eap%2Futil.h;h=bf3a25a990882fbbc7f0dc702de92b9bcb0a0fad;hp=1d4e47cacc4ffc5df184d8513ac702bbc76103a3;hb=HEAD;hpb=b42849e230e179b8d9875e7af3bb55186482c7c9 diff --git a/mech_eap/util.h b/mech_eap/util.h index 1d4e47c..bf3a25a 100644 --- a/mech_eap/util.h +++ b/mech_eap/util.h @@ -61,11 +61,26 @@ #ifndef _UTIL_H_ #define _UTIL_H_ 1 +#ifdef HAVE_SYS_PARAM_H #include +#endif +#ifdef HAVE_STDINT_H +#include +#endif #include #include #include +#ifndef HAVE_HEIMDAL_VERSION +#include "gssapi_headerfix.h" +#endif + +#ifdef WIN32 +# ifndef __cplusplus +# define inline __inline +# endif +#define snprintf _snprintf +#endif #ifdef __cplusplus extern "C" { @@ -75,8 +90,8 @@ extern "C" { #define MIN(_a,_b) ((_a)<(_b)?(_a):(_b)) #endif -#if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)) -#define GSSEAP_UNUSED __attribute__ ((__unused__)) +#if !defined(WIN32) && !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)) +#define GSSEAP_UNUSED __attribute__ ((__unused__)) #else #define GSSEAP_UNUSED #endif @@ -87,6 +102,13 @@ makeStringBuffer(OM_uint32 *minor, const char *string, gss_buffer_t buffer); +#define makeStringBufferOrCleanup(src, dst) \ + do { \ + major = makeStringBuffer((minor), (src), (dst));\ + if (GSS_ERROR(major)) \ + goto cleanup; \ + } while (0) + OM_uint32 bufferToString(OM_uint32 *minor, const gss_buffer_t buffer, @@ -97,6 +119,13 @@ duplicateBuffer(OM_uint32 *minor, const gss_buffer_t src, gss_buffer_t dst); +#define duplicateBufferOrCleanup(src, dst) \ + do { \ + major = duplicateBuffer((minor), (src), (dst)); \ + if (GSS_ERROR(major)) \ + goto cleanup; \ + } while (0) + static inline int bufferEqual(const gss_buffer_t b1, const gss_buffer_t b2) { @@ -116,6 +145,17 @@ bufferEqualString(const gss_buffer_t b1, const char *s) } /* util_cksum.c */ +enum gss_eap_token_type { + TOK_TYPE_NONE = 0x0000, /* no token */ + TOK_TYPE_MIC = 0x0404, /* RFC 4121 MIC token */ + TOK_TYPE_WRAP = 0x0504, /* RFC 4121 wrap token */ + TOK_TYPE_EXPORT_NAME = 0x0401, /* RFC 2743 exported name */ + TOK_TYPE_EXPORT_NAME_COMPOSITE = 0x0402, /* exported composite name */ + TOK_TYPE_DELETE_CONTEXT = 0x0405, /* RFC 2743 delete context */ + TOK_TYPE_INITIATOR_CONTEXT = 0x0601, /* initiator-sent context token */ + TOK_TYPE_ACCEPTOR_CONTEXT = 0x0602, /* acceptor-sent context token */ +}; + int gssEapSign(krb5_context context, krb5_cksumtype type, @@ -127,7 +167,8 @@ gssEapSign(krb5_context context, #endif krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, - int iov_count); + int iov_count, + enum gss_eap_token_type toktype); int gssEapVerify(krb5_context context, @@ -141,6 +182,7 @@ gssEapVerify(krb5_context context, krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count, + enum gss_eap_token_type toktype, int *valid); #if 0 @@ -153,17 +195,6 @@ gssEapEncodeGssChannelBindings(OM_uint32 *minor, /* util_context.c */ #define EAP_EXPORT_CONTEXT_V1 1 -enum gss_eap_token_type { - TOK_TYPE_NONE = 0x0000, /* no token */ - TOK_TYPE_MIC = 0x0404, /* RFC 4121 MIC token */ - TOK_TYPE_WRAP = 0x0504, /* RFC 4121 wrap token */ - TOK_TYPE_EXPORT_NAME = 0x0401, /* RFC 2743 exported name */ - TOK_TYPE_EXPORT_NAME_COMPOSITE = 0x0402, /* exported composite name */ - TOK_TYPE_DELETE_CONTEXT = 0x0405, /* RFC 2743 delete context */ - TOK_TYPE_INITIATOR_CONTEXT = 0x0601, /* initiator-sent context token */ - TOK_TYPE_ACCEPTOR_CONTEXT = 0x0602, /* acceptor-sent context token */ -}; - /* inner token types and flags */ #define ITOK_TYPE_NONE 0x00000000 #define ITOK_TYPE_CONTEXT_ERR 0x00000001 /* critical */ @@ -186,7 +217,10 @@ enum gss_eap_token_type { #define ITOK_TYPE_MASK (~(ITOK_FLAG_CRITICAL | ITOK_FLAG_VERIFIED)) -#define GSSEAP_WIRE_FLAGS_MASK GSS_C_MUTUAL_FLAG +#define GSSEAP_WIRE_FLAGS_MASK ( GSS_C_MUTUAL_FLAG | \ + GSS_C_DCE_STYLE | \ + GSS_C_IDENTIFY_FLAG | \ + GSS_C_EXTENDED_ERROR_FLAG ) OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx); OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx); @@ -207,7 +241,7 @@ gssEapVerifyToken(OM_uint32 *minor, OM_uint32 gssEapContextTime(OM_uint32 *minor, - gss_ctx_id_t context_handle, + gss_const_ctx_id_t context_handle, OM_uint32 *time_rec); OM_uint32 @@ -224,10 +258,12 @@ gssEapVerifyTokenMIC(OM_uint32 *minor, OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred); OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred); +gss_OID +gssEapPrimaryMechForCred(gss_cred_id_t cred); + OM_uint32 gssEapAcquireCred(OM_uint32 *minor, - const gss_name_t desiredName, - const gss_buffer_t password, + gss_const_name_t desiredName, OM_uint32 timeReq, const gss_OID_set desiredMechs, int cred_usage, @@ -235,7 +271,29 @@ gssEapAcquireCred(OM_uint32 *minor, gss_OID_set *pActualMechs, OM_uint32 *timeRec); -int gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech); +OM_uint32 +gssEapSetCredPassword(OM_uint32 *minor, + gss_cred_id_t cred, + const gss_buffer_t password); + +OM_uint32 +gssEapSetCredClientCertificate(OM_uint32 *minor, + gss_cred_id_t cred, + const gss_buffer_t clientCert, + const gss_buffer_t privateKey); + +OM_uint32 +gssEapSetCredService(OM_uint32 *minor, + gss_cred_id_t cred, + gss_const_name_t target); + +OM_uint32 +gssEapResolveInitiatorCred(OM_uint32 *minor, + const gss_cred_id_t cred, + gss_const_name_t target, + gss_cred_id_t *resolvedCred); + +int gssEapCredAvailable(gss_const_cred_id_t cred, gss_OID mech); OM_uint32 gssEapInquireCred(OM_uint32 *minor, @@ -276,6 +334,11 @@ gssEapLocateIov(gss_iov_buffer_desc *iov, int iov_count, OM_uint32 type); +gss_iov_buffer_t +gssEapLocateHeaderIov(gss_iov_buffer_desc *iov, + int iov_count, + enum gss_eap_token_type toktype); + void gssEapIovMessageLength(gss_iov_buffer_desc *iov, int iov_count, @@ -299,8 +362,25 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor, krb5_keyblock *pKey); /* util_krb.c */ + +#ifndef KRB_MALLOC +/* + * If your Kerberos library uses a different allocator to your + * GSS mechanism glue, then you might wish to define these in + * config.h or elsewhere. This should eventually go away when + * we no longer need to allocate memory that is freed by the + * Kerberos library. + */ +#define KRB_CALLOC calloc +#define KRB_MALLOC malloc +#define KRB_FREE free +#define KRB_REALLOC realloc +#endif /* KRB_MALLOC */ + #ifdef HAVE_HEIMDAL_VERSION +#include + #define KRB_TIME_FOREVER ((time_t)~0L) #define KRB_KEY_TYPE(key) ((key)->keytype) @@ -317,6 +397,23 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor, #define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto) +#define KRB_DATA_INIT(d) krb5_data_zero((d)) + +#define KRB_CHECKSUM_TYPE(c) ((c)->cksumtype) +#define KRB_CHECKSUM_LENGTH(c) ((c)->checksum.length) +#define KRB_CHECKSUM_DATA(c) ((c)->checksum.data) + +#define KRB_CHECKSUM_INIT(cksum, type, d) do { \ + (cksum)->cksumtype = (type); \ + (cksum)->checksum.length = (d)->length; \ + (cksum)->checksum.data = (d)->value; \ + } while (0) + +#define KRB_CHECKSUM_FREE(ctx, cksum) do { \ + der_free_octet_string(&(cksum)->checksum); \ + memset((cksum), 0, sizeof(*(cksum))); \ + } while (0) + #else #define KRB_TIME_FOREVER KRB5_INT32_MAX @@ -329,12 +426,32 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor, #define KRB_PRINC_TYPE(princ) (krb5_princ_type(NULL, (princ))) #define KRB_PRINC_NAME(princ) (krb5_princ_name(NULL, (princ))) #define KRB_PRINC_REALM(princ) (krb5_princ_realm(NULL, (princ))) +#define KRB_PRINC_COMPONENT(princ, component) \ + (krb5_princ_component(NULL, (princ), (component))) #define KRB_KT_ENT_KEYBLOCK(e) (&(e)->key) #define KRB_KT_ENT_FREE(c, e) krb5_free_keytab_entry_contents((c), (e)) #define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key) +#define KRB_DATA_INIT(d) do { \ + (d)->magic = KV5M_DATA; \ + (d)->length = 0; \ + (d)->data = NULL; \ + } while (0) + +#define KRB_CHECKSUM_TYPE(c) ((c)->checksum_type) +#define KRB_CHECKSUM_LENGTH(c) ((c)->length) +#define KRB_CHECKSUM_DATA(c) ((c)->contents) + +#define KRB_CHECKSUM_INIT(cksum, type, d) do { \ + (cksum)->checksum_type = (type); \ + (cksum)->length = (d)->length; \ + (cksum)->contents = (d)->value; \ + } while (0) + +#define KRB_CHECKSUM_FREE(ctx, cksum) krb5_free_checksum_contents((ctx), (cksum)) + #endif /* HAVE_HEIMDAL_VERSION */ #define KRB_KEY_INIT(key) do { \ @@ -365,7 +482,7 @@ krbCryptoLength(krb5_context krbContext, #ifdef HAVE_HEIMDAL_VERSION krb5_crypto krbCrypto, #else - krb5_keyblock *key, + const krb5_keyblock *key, #endif int type, size_t *length); @@ -375,7 +492,7 @@ krbPaddingLength(krb5_context krbContext, #ifdef HAVE_HEIMDAL_VERSION krb5_crypto krbCrypto, #else - krb5_keyblock *key, + const krb5_keyblock *key, #endif size_t dataLength, size_t *padLength); @@ -385,7 +502,7 @@ krbBlockSize(krb5_context krbContext, #ifdef HAVE_HEIMDAL_VERSION krb5_crypto krbCrypto, #else - krb5_keyblock *key, + const krb5_keyblock *key, #endif size_t *blockSize); @@ -417,7 +534,7 @@ krbMakeCred(krb5_context context, /* util_lucid.c */ OM_uint32 gssEapExportLucidSecContext(OM_uint32 *minor, - gss_ctx_id_t ctx, + gss_const_ctx_id_t ctx, const gss_OID desiredObject, gss_buffer_set_t *data_set); @@ -472,6 +589,17 @@ gssEapOidToSaslName(const gss_OID oid); gss_OID gssEapSaslNameToOid(const gss_buffer_t name); +/* util_moonshot.c */ +OM_uint32 +libMoonshotResolveDefaultIdentity(OM_uint32 *minor, + const gss_cred_id_t cred, + gss_name_t *pName); + +OM_uint32 +libMoonshotResolveInitiatorCred(OM_uint32 *minor, + gss_cred_id_t cred, + gss_const_name_t targetName); + /* util_name.c */ #define EXPORT_NAME_FLAG_OID 0x1 #define EXPORT_NAME_FLAG_COMPOSITE 0x2 @@ -480,10 +608,10 @@ gssEapSaslNameToOid(const gss_buffer_t name); OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName); OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName); OM_uint32 gssEapExportName(OM_uint32 *minor, - const gss_name_t name, + gss_const_name_t name, gss_buffer_t exportedName); OM_uint32 gssEapExportNameInternal(OM_uint32 *minor, - const gss_name_t name, + gss_const_name_t name, gss_buffer_t exportedName, OM_uint32 flags); OM_uint32 gssEapImportName(OM_uint32 *minor, @@ -497,25 +625,28 @@ OM_uint32 gssEapImportNameInternal(OM_uint32 *minor, OM_uint32 flags); OM_uint32 gssEapDuplicateName(OM_uint32 *minor, - const gss_name_t input_name, + gss_const_name_t input_name, gss_name_t *dest_name); OM_uint32 gssEapCanonicalizeName(OM_uint32 *minor, - const gss_name_t input_name, + gss_const_name_t input_name, const gss_OID mech_type, gss_name_t *dest_name); OM_uint32 gssEapDisplayName(OM_uint32 *minor, - gss_name_t name, + gss_const_name_t name, gss_buffer_t output_name_buffer, gss_OID *output_name_type); +#define COMPARE_NAME_FLAG_IGNORE_EMPTY_REALMS 0x1 + OM_uint32 gssEapCompareName(OM_uint32 *minor, - gss_name_t name1, - gss_name_t name2, + gss_const_name_t name1, + gss_const_name_t name2, + OM_uint32 flags, int *name_equal); /* util_oid.c */ @@ -543,17 +674,8 @@ duplicateOidSet(OM_uint32 *minor, const gss_OID_set src, gss_OID_set *dst); -static inline int -oidEqual(const gss_OID_desc *o1, const gss_OID_desc *o2) -{ - if (o1 == GSS_C_NO_OID) - return (o2 == GSS_C_NO_OID); - else if (o2 == GSS_C_NO_OID) - return (o1 == GSS_C_NO_OID); - else - return (o1->length == o2->length && - memcmp(o1->elements, o2->elements, o1->length) == 0); -} +extern int +oidEqual(const gss_OID_desc *o1, const gss_OID_desc *o2); /* util_ordering.c */ OM_uint32 @@ -616,7 +738,7 @@ struct gss_eap_sm { OM_uint32 (*processToken)(OM_uint32 *, gss_cred_id_t, gss_ctx_id_t, - gss_name_t, + gss_const_name_t, gss_OID, OM_uint32, OM_uint32, @@ -639,7 +761,7 @@ OM_uint32 gssEapSmStep(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target, + gss_const_name_t target, gss_OID mech, OM_uint32 reqFlags, OM_uint32 timeReq, @@ -695,23 +817,71 @@ verifyTokenHeader(OM_uint32 *minor, enum gss_eap_token_type *ret_tok_type); /* Helper macros */ - +#ifndef GSSEAP_MALLOC +#if _WIN32 +#include +#define GSSEAP_MALLOC gssalloc_malloc +#define GSSEAP_CALLOC gssalloc_calloc +#define GSSEAP_FREE gssalloc_free +#define GSSEAP_REALLOC gssalloc_realloc +#else #define GSSEAP_CALLOC calloc #define GSSEAP_MALLOC malloc #define GSSEAP_FREE free #define GSSEAP_REALLOC realloc +#endif /* _WIN32 */ +#endif /* !GSSEAP_MALLOC */ + +#ifndef GSSAPI_CALLCONV +#define GSSAPI_CALLCONV KRB5_CALLCONV +#endif + +#ifndef GSSEAP_ASSERT +#include +#define GSSEAP_ASSERT(x) assert((x)) +#endif /* !GSSEAP_ASSERT */ + +#ifdef WIN32 +#define GSSEAP_CONSTRUCTOR +#define GSSEAP_DESTRUCTOR +#else +#define GSSEAP_CONSTRUCTOR __attribute__((constructor)) +#define GSSEAP_DESTRUCTOR __attribute__((destructor)) +#endif #define GSSEAP_NOT_IMPLEMENTED do { \ - assert(0 && "not implemented"); \ + GSSEAP_ASSERT(0 && "not implemented"); \ *minor = ENOSYS; \ return GSS_S_FAILURE; \ } while (0) +#ifdef WIN32 + +#include + +#define GSSEAP_GET_LAST_ERROR() (GetLastError()) /* XXX FIXME */ + +#define GSSEAP_MUTEX CRITICAL_SECTION +#define GSSEAP_MUTEX_INIT(m) (InitializeCriticalSection((m)), 0) +#define GSSEAP_MUTEX_DESTROY(m) DeleteCriticalSection((m)) +#define GSSEAP_MUTEX_LOCK(m) EnterCriticalSection((m)) +#define GSSEAP_MUTEX_UNLOCK(m) LeaveCriticalSection((m)) +#define GSSEAP_ONCE_LEAVE do { return TRUE; } while (0) + +/* Thread-local is handled separately */ + +#define GSSEAP_THREAD_ONCE INIT_ONCE +#define GSSEAP_ONCE_CALLBACK(cb) BOOL CALLBACK cb(PINIT_ONCE InitOnce, PVOID Parameter, PVOID *Context) +#define GSSEAP_ONCE(o, i) InitOnceExecuteOnce((o), (i), NULL, NULL) +#define GSSEAP_ONCE_INITIALIZER INIT_ONCE_STATIC_INIT + +#else + #include -#define GSSEAP_MUTEX pthread_mutex_t -#define GSSEAP_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER +#define GSSEAP_GET_LAST_ERROR() (errno) +#define GSSEAP_MUTEX pthread_mutex_t #define GSSEAP_MUTEX_INIT(m) pthread_mutex_init((m), NULL) #define GSSEAP_MUTEX_DESTROY(m) pthread_mutex_destroy((m)) #define GSSEAP_MUTEX_LOCK(m) pthread_mutex_lock((m)) @@ -723,8 +893,12 @@ verifyTokenHeader(OM_uint32 *minor, #define GSSEAP_SETSPECIFIC(k, d) pthread_setspecific((k), (d)) #define GSSEAP_THREAD_ONCE pthread_once_t +#define GSSEAP_ONCE_CALLBACK(cb) void cb(void) #define GSSEAP_ONCE(o, i) pthread_once((o), (i)) #define GSSEAP_ONCE_INITIALIZER PTHREAD_ONCE_INIT +#define GSSEAP_ONCE_LEAVE do { } while (0) + +#endif /* WIN32 */ /* Helper functions */ static inline void @@ -848,13 +1022,58 @@ static inline void krbPrincComponentToGssBuffer(krb5_principal krbPrinc, int index, gss_buffer_t buffer) { + if (KRB_PRINC_LENGTH(krbPrinc) <= index) { + buffer->value = NULL; + buffer->length = 0; + } else { #ifdef HAVE_HEIMDAL_VERSION - buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index]; - buffer->length = strlen((char *)buffer->value); + buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index]; + buffer->length = strlen((char *)buffer->value); #else - buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data; - buffer->length = krb5_princ_component(NULL, krbPrinc, index)->length; + buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data; + buffer->length = krb5_princ_component(NULL, krbPrinc, index)->length; #endif /* HAVE_HEIMDAL_VERSION */ + } +} + +static inline krb5_error_code +krbPrincUnparseServiceSpecifics(krb5_context krbContext, krb5_principal krbPrinc, + gss_buffer_t nameBuf) +{ + krb5_error_code result = 0; + if (KRB_PRINC_LENGTH(krbPrinc) > 2) { + /* Acceptor-Service-Specific */ + krb5_principal_data ssiPrinc = *krbPrinc; + char *ssi; + + KRB_PRINC_LENGTH(&ssiPrinc) -= 2; + KRB_PRINC_NAME(&ssiPrinc) += 2; + + result = krb5_unparse_name_flags(krbContext, &ssiPrinc, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &ssi); + if (result != 0) + return result; + + nameBuf->value = ssi; + nameBuf->length = strlen(ssi); + } else { + nameBuf->value = NULL; + nameBuf->length = 0; + } + + return result; +} + +static inline void +krbFreeUnparsedName(krb5_context krbContext GSSEAP_UNUSED, gss_buffer_t nameBuf) +{ +#ifdef HAVE_HEIMDAL_VERSION + krb5_xfree((char *) nameBuf->value); +#else + krb5_free_unparsed_name(krbContext, (char *)(nameBuf->value)); +#endif + nameBuf->value = NULL; + nameBuf->length = 0; } static inline void @@ -875,13 +1094,32 @@ gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data) data->length = buffer->length; } +/* util_tld.c */ +struct gss_eap_status_info; + +struct gss_eap_thread_local_data { + krb5_context krbContext; + struct gss_eap_status_info *statusInfo; +}; + +struct gss_eap_thread_local_data * +gssEapGetThreadLocalData(void); + +void +gssEapDestroyStatusInfo(struct gss_eap_status_info *status); + +void +gssEapDestroyKrbContext(krb5_context context); + #ifdef __cplusplus } #endif +#ifdef GSSEAP_ENABLE_ACCEPTOR #include "util_json.h" #include "util_attr.h" #include "util_base64.h" +#endif /* GSSEAP_ENABLE_ACCEPTOR */ #ifdef GSSEAP_ENABLE_REAUTH #include "util_reauth.h" #endif