From: Luke Howard
Date: Wed, 8 Sep 2010 15:09:28 +0000 (+0200)
Subject: Add some plumbing for exporting names
X-Git-Tag: vm/20110310~384
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=commitdiff_plain;h=4c2ed94fbe850e7914dd8caa1f9023dc466392f9

Add some plumbing for exporting names
---
diff --git a/Makefile.am b/Makefile.am
index 7910012..b763b12 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -26,6 +26,7 @@ libmech_eap_la_SOURCES = \
 duplicate_name.c \
 eap_mech.c \
 export_name.c \
+ export_name_composite.c \
 export_sec_context.c \
 get_mic.c \
 get_name_attribute.c \
@@ -61,6 +62,8 @@ libmech_eap_la_SOURCES = \
 util_name.c \
 util_oid.c \
 util_ordering.c \
+ util_radius.c \
+ util_saml.c \
 util_token.c \
 verify_mic.c \
 wrap.c \
diff --git a/duplicate_name.c b/duplicate_name.c
index 97e6158..bc95057 100644
--- a/duplicate_name.c
+++ b/duplicate_name.c
@@ -37,5 +37,48 @@ gss_duplicate_name(OM_uint32 *minor,
 const gss_name_t input_name,
 gss_name_t *dest_name)
 {
- GSSEAP_NOT_IMPLEMENTED;
+ OM_uint32 major, tmpMinor;
+ krb5_context krbContext;
+ gss_name_t name;
+
+ if (name == GSS_C_NO_NAME) {
+ *minor = EINVAL;
+ return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
+ }
+
+ GSSEAP_KRB_INIT(&krbContext);
+
+ major = gssEapAllocName(minor, &name);
+ if (GSS_ERROR(major)) {
+ return major;
+ }
+
+ /* Lock mutex for copying mutable attributes */
+ GSSEAP_MUTEX_LOCK(&input_name->mutex);
+
+ *minor = krb5_copy_principal(krbContext, input_name->krbPrincipal,
+ &name->krbPrincipal);
+ if (*minor != 0) {
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
+
+ major = radiusDuplicateAVPs(minor, input_name->avps, &name->avps);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = samlDuplicateAssertion(minor, input_name->assertion, &name->assertion);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ *dest_name = name;
+
+cleanup:
+ GSSEAP_MUTEX_UNLOCK(&input_name->mutex);
+
+ if (GSS_ERROR(major)) {
+ gssEapReleaseName(&tmpMinor, &name);
+ }
+
+ return major;
 }
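Review bot: The NULL check in the new gss_duplicate_name body tests `name`, a local that is not assigned until gssEapAllocName runs a few lines later, so it reads an uninitialised variable and never rejects a missing input, and `input_name` then reaches `GSSEAP_MUTEX_LOCK(&input_name->mutex)` unchecked; it should read `if (input_name == GSS_C_NO_NAME) {`. The copy also never carries `input_name->flags` over to the new name, while gssEapExportName in this same commit consults those flags to decide whether a name has attributes, so a duplicate would presumably lose its composite status; `name->flags = input_name->flags;` under the mutex looks like the intended fix. Note that radiusDuplicateAVPs and samlDuplicateAssertion are GSSEAP_NOT_IMPLEMENTED stubs in this commit, so depending on what that macro expands to this path cannot currently complete successfully.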
diff --git a/export_name.c b/export_name.c
index 7427cc0..66664ef 100644
--- a/export_name.c
+++ b/export_name.c
@@ -37,5 +37,5 @@ gss_export_name(OM_uint32 *minor,
 const gss_name_t input_name,
 gss_buffer_t exported_name)
 {
- GSSEAP_NOT_IMPLEMENTED;
+ return gssEapExportName(minor, input_name, exported_name, 0);
 }
diff --git a/export_name_composite.c b/export_name_composite.c
new file mode 100644
index 0000000..c518323
--- /dev/null
+++ b/export_name_composite.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2010, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+ #include "gssapiP_eap.h"
+
+ OM_uint32
+ gss_export_name_composite(OM_uint32 *minor,
+ gss_name_t input_name,
+ gss_buffer_t exported_name)
+ {
+ return gssEapExportName(minor, input_name, exported_name, 1);
+ }
diff --git a/gssapiP_eap.h b/gssapiP_eap.h
index 9442232..9bafde4 100644
--- a/gssapiP_eap.h
+++ b/gssapiP_eap.h
@@ -55,15 +55,20 @@
 /* Kerberos includes */
 #include
-#define NAME_FLAG_SAML 0x00000001
-#define NAME_FLAG_RADIUS 0x00000002
+#define NAME_FLAG_NAI 0x00000001
+#define NAME_FLAG_SERVICE 0x00000002
+#define NAME_FLAG_SAML 0x00000010
+#define NAME_FLAG_RADIUS 0x00000020
+
+struct eap_gss_saml_assertion;
+struct eap_gss_avp_list;
 struct gss_name_struct {
 GSSEAP_MUTEX mutex; /* mutex protecting attributes */
 OM_uint32 flags;
 krb5_principal krbPrincipal; /* this is immutable */
- void *saml;
- void *avps;
+ struct eap_gss_saml_assertion *assertion;
+ struct eap_gss_avp_list *avps;
 };
 #define CRED_FLAG_INITIATOR 0x00000001
diff --git a/util.h b/util.h
index 7299a8b..52a585a 100644
--- a/util.h
+++ b/util.h
@@ -59,6 +59,9 @@
 #include
+#include "util_saml.h"
+#include "util_radius.h"
+
 #define KRB_KEYTYPE(key) ((key)->enctype)
 int
@@ -169,6 +172,10 @@ gssEapIsMechanismOid(const gss_OID oid);
 /* util_name.c */
 OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName);
 OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName);
+OM_uint32 gssEapExportName(OM_uint32 *minor,
+ const gss_name_t name,
+ gss_buffer_t exportedName,
+ int composite);
 /* util_oid.c */
 OM_uint32
diff --git a/util_mech.c b/util_mech.c
index f4513e8..1888feb 100644
--- a/util_mech.c
+++ b/util_mech.c
@@ -144,25 +144,20 @@ OM_uint32
 gssEapIndicateMechs(OM_uint32 *minor, gss_OID_set *mechs)
 {
- krb5_context context;
+ krb5_context krbContext;
 OM_uint32 major, tmpMinor;
 krb5_enctype *etypes;
 int i;
- *minor = krb5_init_context(&context);
- if (*minor != 0) {
- return GSS_S_FAILURE;
- }
+ GSSEAP_KRB_INIT(&krbContext);
- *minor = krb5_get_permitted_enctypes(context, &etypes);
+ *minor = krb5_get_permitted_enctypes(krbContext, &etypes);
 if (*minor != 0) {
- krb5_free_context(context);
 return GSS_S_FAILURE;
 }
 major = gss_create_empty_oid_set(minor, mechs);
 if (GSS_ERROR(major)) {
- krb5_free_context(context);
 GSSEAP_FREE(etypes); /* XXX */
 return major;
 }
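Review bot: Replacing krb5_init_context with `GSSEAP_KRB_INIT(&krbContext);` in gssEapIndicateMechs drops the only failure check on obtaining a Kerberos context, and the macro's outcome is not examined; unless the macro itself aborts or diverts on failure (its definition is not in this diff), krbContext could be handed to krb5_get_permitted_enctypes uninitialised. If the macro can fail it should leave a testable state, e.g. initialise `krb5_context krbContext = NULL;` and follow the macro with a NULL check that sets *minor and returns GSS_S_FAILURE, as the removed code did. The same unchecked pattern is introduced in duplicate_name.c and in util_name.c's gssEapReleaseName and gssEapExportName. gssEapIndicateMechs continues in the next hunk.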
@@ -186,7 +181,6 @@ gssEapIndicateMechs(OM_uint32 *minor,
 }
 GSSEAP_FREE(etypes); /* XXX */
- krb5_free_context(context);
 return major;
 }
diff --git a/util_name.c b/util_name.c
index 0f40a17..e3898ec 100644
--- a/util_name.c
+++ b/util_name.c
@@ -29,6 +29,29 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
+/*
+ * Portions Copyright 2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
 #include "gssapiP_eap.h"
@@ -69,7 +92,8 @@ OM_uint32
 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName)
 {
 gss_name_t name;
- krb5_context kerbCtx = NULL;
+ krb5_context krbContext = NULL;
+ OM_uint32 tmpMinor;
 if (pName == NULL) {
 return GSS_S_COMPLETE;
@@ -80,11 +104,11 @@ gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName)
 return GSS_S_COMPLETE;
 }
- krb5_init_context(&kerbCtx);
- krb5_free_principal(kerbCtx, name->krbPrincipal);
- if (kerbCtx != NULL) {
- krb5_free_context(kerbCtx);
- }
+ GSSEAP_KRB_INIT(&krbContext);
+ krb5_free_principal(krbContext, name->krbPrincipal);
+
+ radiusFreeAVPs(&tmpMinor, name->avps);
+ samlFreeAssertion(&tmpMinor, name->assertion);
 GSSEAP_MUTEX_DESTROY(&name->mutex);
 GSSEAP_FREE(name);
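Review bot: gssEapReleaseName now calls `samlFreeAssertion(&tmpMinor, name->assertion);` on every release, but in this commit's util_saml.c that function's body is only `GSSEAP_NOT_IMPLEMENTED;`, so every name release, including the error path in gss_duplicate_name, runs into the stub; whether that aborts, returns an error or does nothing depends on the macro, which is not visible here. Until the SAML code lands, the stub should at least treat a NULL assertion as a no-op and return GSS_S_COMPLETE, or the call here should be guarded with `if (name->assertion != NULL)`. The same applies to the util_saml.c hunk below, which defines the stub, and to radiusFreeAVPs, which frees but never returns a value. gssEapReleaseName starts in the previous hunk and ends in the next one.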
@@ -94,3 +118,84 @@ gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName)
 return GSS_S_COMPLETE;
 }
+OM_uint32 gssEapExportName(OM_uint32 *minor,
+ const gss_name_t name,
+ gss_buffer_t exportedName,
+ int composite)
+{
+ OM_uint32 major, tmpMinor;
+ krb5_context krbContext;
+ char *krbName = NULL;
+ size_t krbNameLen;
+ unsigned char *p;
+
+ exportedName->length = 0;
+ exportedName->value = NULL;
+
+ GSSEAP_KRB_INIT(&krbContext);
+
+ if (name == GSS_C_NO_NAME) {
+ *minor = EINVAL;
+ return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
+ }
+
+ GSSEAP_MUTEX_LOCK(&name->mutex);
+
+ /*
+ * Don't export a composite name if we don't have any attributes.
+ */
+ if (composite &&
+ (name->flags & (NAME_FLAG_SAML | NAME_FLAG_RADIUS)) == 0) {
+ composite = 0;
+ }
+
+ *minor = krb5_unparse_name(krbContext, name->krbPrincipal, &krbName);
+ if (*minor != 0) {
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
+ krbNameLen = strlen(krbName);
+
+ exportedName->length = 6 + GSS_EAP_MECHANISM->length + krbNameLen;
+ if (composite) {
+ /* TODO: export SAML/AVP, this is pending specification */
+ GSSEAP_NOT_IMPLEMENTED;
+ }
+
+ exportedName->value = GSSEAP_MALLOC(exportedName->value);
+ if (exportedName->value == NULL) {
+ *minor = ENOMEM;
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
+
+ p = (unsigned char *)exportedName->value;
+ *p++ = 0x04;
+ if (composite) {
+ *p++ = 0x02;
+ } else {
+ *p++ = 0x01;
+ }
+ store_uint16_be(GSS_EAP_MECHANISM->length + 2, p);
+ p += 2;
+ *p++ = 0x06;
+ *p++ = GSS_EAP_MECHANISM->length & 0xff;
+ memcpy(p, GSS_EAP_MECHANISM->elements, GSS_EAP_MECHANISM->length);
+ p += GSS_EAP_MECHANISM->length;
+
+ store_uint32_be(krbNameLen, p);
+ p += 4;
+ memcpy(p, krbName, krbNameLen);
+ p += krbNameLen;
+
+ *minor = 0;
+ major = GSS_S_COMPLETE;
+
+cleanup:
+ GSSEAP_MUTEX_UNLOCK(&name->mutex);
+ if (GSS_ERROR(major))
+ gss_release_buffer(&tmpMinor, exportedName);
+ krb5_free_unparsed_name(krbContext, krbName);
+
+ return major;
+}
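Review bot: The export buffer in gssEapExportName is both undersized and wrongly allocated: `exportedName->length = 6 + GSS_EAP_MECHANISM->length + krbNameLen;` omits the 4-byte name-length field that store_uint32_be writes, and `exportedName->value = GSSEAP_MALLOC(exportedName->value);` passes the (NULL) value pointer instead of the length, so the memcpy calls below write past whatever was allocated. With the RFC 2743 layout the code emits (2-byte tag, 2-byte mech length, DER OID of 2 + elements bytes, 4-byte name length, name) the lines should be `exportedName->length = 10 + GSS_EAP_MECHANISM->length + krbNameLen;` and `exportedName->value = GSSEAP_MALLOC(exportedName->length);`. `*p++ = GSS_EAP_MECHANISM->length & 0xff;` silently truncates an OID longer than 127 bytes, the limit of DER short-form lengths, so either range-check it or comment that GSS_EAP_MECHANISM is known to be short. The composite branch executes GSSEAP_NOT_IMPLEMENTED while the name mutex is held and krbName is allocated; if that macro returns rather than aborts, the exit should go through `cleanup` so the lock and the unparsed name are released.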
diff --git a/util_radius.c b/util_radius.c
new file mode 100644
index 0000000..c18d1c5
--- /dev/null
+++ b/util_radius.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2010, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+ #include "gssapiP_eap.h"
+
+ struct eap_gss_avp_list {
+ };
+
+ OM_uint32
+ radiusDuplicateAVPs(OM_uint32 *minor,
+ const struct eap_gss_avp_list *in,
+ struct eap_gss_avp_list **out)
+ {
+ GSSEAP_NOT_IMPLEMENTED;
+ }
+
+ OM_uint32
+ radiusFreeAVPs(OM_uint32 *minor,
+ struct eap_gss_avp_list *avps)
+ {
+ GSSEAP_FREE(avps);
+ }
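Review bot: radiusFreeAVPs is declared to return OM_uint32 but `GSSEAP_FREE(avps);` is its whole body, so control falls off the end of a non-void function; gssEapReleaseName discards the result today, but the function should still end with `*minor = 0;` followed by `return GSS_S_COMPLETE;`. `struct eap_gss_avp_list { };` is an empty struct, which is not valid ISO C (a GCC extension with zero size); as a placeholder it is safer to leave the type incomplete here as the header does, or give it a comment such as `/* placeholder until the RADIUS AVP representation is defined */` and one real member. The header declares radiusFreeAVPs's second parameter as `in` while the definition names it `avps`; aligning the two avoids confusion.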
diff --git a/util_radius.h b/util_radius.h
new file mode 100644
index 0000000..4587869
--- /dev/null
+++ b/util_radius.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2010, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+ #include "gssapiP_eap.h"
+
+ #ifndef _UTIL_RADIUS_H_
+ #define _UTIL_RADIUS_H_ 1
+
+ struct eap_gss_avp_list;
+
+ OM_uint32
+ radiusDuplicateAVPs(OM_uint32 *minor,
+ const struct eap_gss_avp_list *in,
+ struct eap_gss_avp_list **out);
+
+ OM_uint32
+ radiusFreeAVPs(OM_uint32 *minor,
+ struct eap_gss_avp_list *in);
+
+ #endif /* _UTIL_RADIUS_H_ */
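Review bot: `#include "gssapiP_eap.h"` is placed before the `#ifndef _UTIL_RADIUS_H_` guard, and util.h in this same commit now includes util_radius.h; if gssapiP_eap.h pulls in util.h (likely for a private mechanism header, but not visible in this diff) that is an include cycle whose re-entry the guard does not protect. Move the include inside the guard, or better include only what these prototypes need, since the header uses just OM_uint32 and an incomplete struct type. The guard names `_UTIL_RADIUS_H_` and `_UTIL_SAML_H_` start with an underscore followed by an uppercase letter, a form reserved for the implementation; `UTIL_RADIUS_H` is the conventional spelling. util_saml.h in this commit has the same layout and the same two issues.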
diff --git a/util_saml.c b/util_saml.c
new file mode 100644
index 0000000..c3128a7
--- /dev/null
+++ b/util_saml.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2010, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+ #include "gssapiP_eap.h"
+
+ OM_uint32
+ samlDuplicateAssertion(OM_uint32 *minor,
+ const struct eap_gss_saml_assertion *in,
+ struct eap_gss_saml_assertion **out)
+ {
+ GSSEAP_NOT_IMPLEMENTED;
+ }
+
+ OM_uint32
+ samlFreeAssertion(OM_uint32 *minor,
+ struct eap_gss_saml_assertion *assertion)
+ {
+ GSSEAP_NOT_IMPLEMENTED;
+ }
diff --git a/util_saml.h b/util_saml.h
new file mode 100644
index 0000000..3663c1d
--- /dev/null
+++ b/util_saml.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2010, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+ #include "gssapiP_eap.h"
+
+ #ifndef _UTIL_SAML_H_
+ #define _UTIL_SAML_H_ 1
+
+ struct eap_gss_saml_assertion;
+
+ OM_uint32
+ samlDuplicateAssertion(OM_uint32 *minor,
+ const struct eap_gss_saml_assertion *in,
+ struct eap_gss_saml_assertion **out);
+
+ OM_uint32
+ samlFreeAssertion(OM_uint32 *minor,
+ struct eap_gss_saml_assertion *assertion);
+
+ #endif /* _UTIL_SAML_H_ */