2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Portions Copyright 2003-2010 Massachusetts Institute of Technology.
34 * All Rights Reserved.
36 * Export of this software from the United States of America may
37 * require a specific license from the United States Government.
38 * It is the responsibility of any person or organization contemplating
39 * export to obtain such a license before exporting.
41 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
42 * distribute this software and its documentation for any purpose and
43 * without fee is hereby granted, provided that the above copyright
44 * notice appear in all copies and that both that copyright notice and
45 * this permission notice appear in supporting documentation, and that
46 * the name of M.I.T. not be used in advertising or publicity pertaining
47 * to distribution of the software without specific, written prior
48 * permission. Furthermore if you modify this software you must label
49 * your software as modified software and not distribute it in such a
50 * fashion that it might be confused with the original M.I.T. software.
51 * M.I.T. makes no representations about the suitability of
52 * this software for any purpose. It is provided "as is" without express
53 * or implied warranty.
64 #include <sys/param.h>
75 #define MIN(_a,_b) ((_a)<(_b)?(_a):(_b))
80 makeStringBuffer(OM_uint32 *minor,
85 bufferToString(OM_uint32 *minor,
86 const gss_buffer_t buffer,
90 duplicateBuffer(OM_uint32 *minor,
91 const gss_buffer_t src,
95 bufferEqual(const gss_buffer_t b1, const gss_buffer_t b2)
97 return (b1->length == b2->length &&
98 memcmp(b1->value, b2->value, b2->length) == 0);
102 bufferEqualString(const gss_buffer_t b1, const char *s)
106 b2.length = strlen(s);
107 b2.value = (char *)s;
109 return bufferEqual(b1, &b2);
114 gssEapSign(krb5_context context,
117 #ifdef HAVE_HEIMDAL_VERSION
122 krb5_keyusage sign_usage,
123 gss_iov_buffer_desc *iov,
127 gssEapVerify(krb5_context context,
130 #ifdef HAVE_HEIMDAL_VERSION
135 krb5_keyusage sign_usage,
136 gss_iov_buffer_desc *iov,
142 gssEapEncodeGssChannelBindings(OM_uint32 *minor,
143 gss_channel_bindings_t chanBindings,
144 gss_buffer_t encodedBindings);
148 #define EAP_EXPORT_CONTEXT_V1 1
150 enum gss_eap_token_type {
151 TOK_TYPE_NONE = 0x0000, /* no token */
152 TOK_TYPE_MIC = 0x0404, /* RFC 4121 MIC token */
153 TOK_TYPE_WRAP = 0x0504, /* RFC 4121 wrap token */
154 TOK_TYPE_EXPORT_NAME = 0x0401, /* RFC 2743 exported name */
155 TOK_TYPE_EXPORT_NAME_COMPOSITE = 0x0402, /* exported composite name */
156 TOK_TYPE_DELETE_CONTEXT = 0x0405, /* RFC 2743 delete context */
157 TOK_TYPE_EAP_RESP = 0x0601, /* EAP response */
158 TOK_TYPE_EAP_REQ = 0x0602, /* EAP request */
159 TOK_TYPE_EXT_REQ = 0x0603, /* GSS EAP extensions request */
160 TOK_TYPE_EXT_RESP = 0x0604, /* GSS EAP extensions response */
161 TOK_TYPE_GSS_REAUTH = 0x0605, /* GSS EAP fast reauthentication token */
162 TOK_TYPE_CONTEXT_ERR = 0x0606, /* context error */
165 OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
166 OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
169 gssEapMakeToken(OM_uint32 *minor,
171 const gss_buffer_t innerToken,
172 enum gss_eap_token_type tokenType,
173 gss_buffer_t outputToken);
176 gssEapVerifyToken(OM_uint32 *minor,
178 const gss_buffer_t inputToken,
179 enum gss_eap_token_type *tokenType,
180 gss_buffer_t innerInputToken);
183 gssEapContextTime(OM_uint32 *minor,
184 gss_ctx_id_t context_handle,
185 OM_uint32 *time_rec);
188 gssEapDisplayName(OM_uint32 *minor,
190 gss_buffer_t output_name_buffer,
191 gss_OID *output_name_type);
194 OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
195 OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
198 gssEapAcquireCred(OM_uint32 *minor,
199 const gss_name_t desiredName,
200 const gss_buffer_t password,
202 const gss_OID_set desiredMechs,
204 gss_cred_id_t *pCred,
205 gss_OID_set *pActualMechs,
208 int gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech);
212 gssEapEncrypt(krb5_context context, int dce_style, size_t ec,
214 #ifdef HAVE_HEIMDAL_VERSION
220 gss_iov_buffer_desc *iov, int iov_count);
223 gssEapDecrypt(krb5_context context, int dce_style, size_t ec,
225 #ifdef HAVE_HEIMDAL_VERSION
231 gss_iov_buffer_desc *iov, int iov_count);
234 gssEapMapCryptoFlag(OM_uint32 type);
237 gssEapLocateIov(gss_iov_buffer_desc *iov,
242 gssEapIovMessageLength(gss_iov_buffer_desc *iov,
245 size_t *assoc_data_length);
248 gssEapReleaseIov(gss_iov_buffer_desc *iov, int iov_count);
251 gssEapIsIntegrityOnly(gss_iov_buffer_desc *iov, int iov_count);
254 gssEapAllocIov(gss_iov_buffer_t iov, size_t size);
257 gssEapDeriveRfc3961Key(OM_uint32 *minor,
258 const unsigned char *key,
260 krb5_enctype enctype,
261 krb5_keyblock *pKey);
264 #define EXT_FLAG_CRITICAL 0x80000000 /* critical, wire flag */
265 #define EXT_FLAG_VERIFIED 0x40000000 /* verified, API flag */
267 #define EXT_TYPE_GSS_CHANNEL_BINDINGS 0x00000000
268 #define EXT_TYPE_REAUTH_CREDS 0x00000001
269 #define EXT_TYPE_MASK (~(EXT_FLAG_CRITICAL | EXT_FLAG_VERIFIED))
271 struct gss_eap_extension_provider {
273 int critical; /* client */
274 int required; /* server */
275 OM_uint32 (*make)(OM_uint32 *,
278 gss_channel_bindings_t,
280 OM_uint32 (*verify)(OM_uint32 *,
283 gss_channel_bindings_t,
288 gssEapMakeExtensions(OM_uint32 *minor,
291 gss_channel_bindings_t chanBindings,
292 gss_buffer_t buffer);
295 gssEapVerifyExtensions(OM_uint32 *minor,
298 gss_channel_bindings_t chanBindings,
299 const gss_buffer_t buffer);
302 #ifdef HAVE_HEIMDAL_VERSION
304 #define KRB_TIME_FOREVER ((time_t)~0L)
306 #define KRB_KEY_TYPE(key) ((key)->keytype)
307 #define KRB_KEY_DATA(key) ((key)->keyvalue.data)
308 #define KRB_KEY_LENGTH(key) ((key)->keyvalue.length)
310 #define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len)
311 #define KRB_PRINC_TYPE(princ) ((princ)->name.name_type)
312 #define KRB_PRINC_NAME(princ) ((princ)->name.name_string.val)
313 #define KRB_PRINC_REALM(princ) ((princ)->realm)
315 #define KRB_KT_ENT_KEYBLOCK(e) (&(e)->keyblock)
316 #define KRB_KT_ENT_FREE(c, e) krb5_kt_free_entry((c), (e))
318 #define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto)
322 #define KRB_TIME_FOREVER KRB5_INT32_MAX
324 #define KRB_KEY_TYPE(key) ((key)->enctype)
325 #define KRB_KEY_DATA(key) ((key)->contents)
326 #define KRB_KEY_LENGTH(key) ((key)->length)
328 #define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ)))
329 #define KRB_PRINC_TYPE(princ) (krb5_princ_type(NULL, (princ)))
330 #define KRB_PRINC_NAME(princ) (krb5_princ_name(NULL, (princ)))
331 #define KRB_PRINC_REALM(princ) (krb5_princ_realm(NULL, (princ)))
333 #define KRB_KT_ENT_KEYBLOCK(e) (&(e)->key)
334 #define KRB_KT_ENT_FREE(c, e) krb5_free_keytab_entry_contents((c), (e))
336 #define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key)
338 #endif /* HAVE_HEIMDAL_VERSION */
340 #define KRB_KEY_INIT(key) do { \
341 KRB_KEY_TYPE(key) = ENCTYPE_NULL; \
342 KRB_KEY_DATA(key) = NULL; \
343 KRB_KEY_LENGTH(key) = 0; \
346 #ifdef HAVE_HEIMDAL_VERSION
347 #define GSS_IOV_BUFFER_FLAG_ALLOCATE GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE
348 #define GSS_IOV_BUFFER_FLAG_ALLOCATED GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED
350 #define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
353 #define GSSEAP_KRB_INIT(ctx) do { \
354 OM_uint32 tmpMajor; \
356 tmpMajor = gssEapKerberosInit(minor, ctx); \
357 if (GSS_ERROR(tmpMajor)) { \
363 gssEapKerberosInit(OM_uint32 *minor, krb5_context *context);
366 rfc3961ChecksumTypeForKey(OM_uint32 *minor,
368 krb5_cksumtype *cksumtype);
371 krbAnonymousPrincipal(void);
374 krbCryptoLength(krb5_context krbContext,
375 #ifdef HAVE_HEIMDAL_VERSION
376 krb5_crypto krbCrypto,
384 krbPaddingLength(krb5_context krbContext,
385 #ifdef HAVE_HEIMDAL_VERSION
386 krb5_crypto krbCrypto,
394 krbBlockSize(krb5_context krbContext,
395 #ifdef HAVE_HEIMDAL_VERSION
396 krb5_crypto krbCrypto,
403 krbEnctypeToString(krb5_context krbContext,
404 krb5_enctype enctype,
406 gss_buffer_t string);
409 krbMakeAuthDataKdcIssued(krb5_context context,
410 const krb5_keyblock *key,
411 krb5_const_principal issuer,
412 #ifdef HAVE_HEIMDAL_VERSION
413 const AuthorizationData *authdata,
414 AuthorizationData *adKdcIssued
416 krb5_authdata *const *authdata,
417 krb5_authdata ***adKdcIssued
422 krbMakeCred(krb5_context context,
423 krb5_auth_context authcontext,
429 gssEapExportLucidSecContext(OM_uint32 *minor,
431 const gss_OID desiredObject,
432 gss_buffer_set_t *data_set);
435 extern gss_OID GSS_EAP_MECHANISM;
438 gssEapInternalizeOid(const gss_OID oid,
439 gss_OID *const pInternalizedOid);
442 gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid);
445 gssEapDefaultMech(OM_uint32 *minor,
449 gssEapIndicateMechs(OM_uint32 *minor,
453 gssEapEnctypeToOid(OM_uint32 *minor,
454 krb5_enctype enctype,
458 gssEapOidToEnctype(OM_uint32 *minor,
460 krb5_enctype *enctype);
463 gssEapIsMechanismOid(const gss_OID oid);
466 gssEapIsConcreteMechanismOid(const gss_OID oid);
469 gssEapValidateMechs(OM_uint32 *minor,
470 const gss_OID_set mechs);
473 gssEapOidToSaslName(const gss_OID oid);
476 gssEapSaslNameToOid(const gss_buffer_t name);
479 #define EXPORT_NAME_FLAG_OID 0x1
480 #define EXPORT_NAME_FLAG_COMPOSITE 0x2
482 OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName);
483 OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName);
484 OM_uint32 gssEapExportName(OM_uint32 *minor,
485 const gss_name_t name,
486 gss_buffer_t exportedName);
487 OM_uint32 gssEapExportNameInternal(OM_uint32 *minor,
488 const gss_name_t name,
489 gss_buffer_t exportedName,
491 OM_uint32 gssEapImportName(OM_uint32 *minor,
492 const gss_buffer_t input_name_buffer,
493 gss_OID input_name_type,
494 gss_name_t *output_name);
495 OM_uint32 gssEapImportNameInternal(OM_uint32 *minor,
496 const gss_buffer_t input_name_buffer,
497 gss_name_t *output_name,
500 gssEapDuplicateName(OM_uint32 *minor,
501 const gss_name_t input_name,
502 gss_name_t *dest_name);
506 composeOid(OM_uint32 *minor_status,
513 decomposeOid(OM_uint32 *minor_status,
520 duplicateOid(OM_uint32 *minor_status,
521 const gss_OID_desc * const oid,
525 duplicateOidSet(OM_uint32 *minor,
526 const gss_OID_set src,
530 oidEqual(const gss_OID_desc *o1, const gss_OID_desc *o2)
532 if (o1 == GSS_C_NO_OID)
533 return (o2 == GSS_C_NO_OID);
534 else if (o2 == GSS_C_NO_OID)
535 return (o1 == GSS_C_NO_OID);
537 return (o1->length == o2->length &&
538 memcmp(o1->elements, o2->elements, o1->length) == 0);
541 /* util_ordering.c */
543 sequenceInternalize(OM_uint32 *minor,
549 sequenceExternalize(OM_uint32 *minor,
555 sequenceSize(void *vqueue);
558 sequenceFree(OM_uint32 *minor, void **vqueue);
561 sequenceCheck(OM_uint32 *minor, void **vqueue, uint64_t seqnum);
564 sequenceInit(OM_uint32 *minor, void **vqueue, uint64_t seqnum,
565 int do_replay, int do_sequence, int wide_nums);
569 tokenSize(const gss_OID_desc *mech, size_t body_size);
572 makeTokenHeader(const gss_OID_desc *mech,
575 enum gss_eap_token_type tok_type);
578 verifyTokenHeader(OM_uint32 *minor,
581 unsigned char **buf_in,
583 enum gss_eap_token_type *ret_tok_type);
587 #define GSSEAP_CALLOC calloc
588 #define GSSEAP_MALLOC malloc
589 #define GSSEAP_FREE free
590 #define GSSEAP_REALLOC realloc
592 #define GSSEAP_NOT_IMPLEMENTED do { \
593 assert(0 && "not implemented"); \
595 return GSS_S_FAILURE; \
600 #define GSSEAP_MUTEX pthread_mutex_t
601 #define GSSEAP_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
603 #define GSSEAP_MUTEX_INIT(m) pthread_mutex_init((m), NULL)
604 #define GSSEAP_MUTEX_DESTROY(m) pthread_mutex_destroy((m))
605 #define GSSEAP_MUTEX_LOCK(m) pthread_mutex_lock((m))
606 #define GSSEAP_MUTEX_UNLOCK(m) pthread_mutex_unlock((m))
608 #define GSSEAP_THREAD_KEY pthread_key_t
609 #define GSSEAP_KEY_CREATE(k, d) pthread_key_create((k), (d))
610 #define GSSEAP_GETSPECIFIC(k) pthread_getspecific((k))
611 #define GSSEAP_SETSPECIFIC(k, d) pthread_setspecific((k), (d))
613 #define GSSEAP_THREAD_ONCE pthread_once_t
614 #define GSSEAP_ONCE(o, i) pthread_once((o), (i))
615 #define GSSEAP_ONCE_INITIALIZER PTHREAD_ONCE_INIT
617 /* Helper functions */
619 store_uint16_be(uint16_t val, void *vp)
621 unsigned char *p = (unsigned char *)vp;
623 p[0] = (val >> 8) & 0xff;
624 p[1] = (val ) & 0xff;
627 static inline uint16_t
628 load_uint16_be(const void *cvp)
630 const unsigned char *p = (const unsigned char *)cvp;
632 return (p[1] | (p[0] << 8));
636 store_uint32_be(uint32_t val, void *vp)
638 unsigned char *p = (unsigned char *)vp;
640 p[0] = (val >> 24) & 0xff;
641 p[1] = (val >> 16) & 0xff;
642 p[2] = (val >> 8) & 0xff;
643 p[3] = (val ) & 0xff;
646 static inline uint32_t
647 load_uint32_be(const void *cvp)
649 const unsigned char *p = (const unsigned char *)cvp;
651 return (p[3] | (p[2] << 8)
652 | ((uint32_t) p[1] << 16)
653 | ((uint32_t) p[0] << 24));
657 store_uint64_be(uint64_t val, void *vp)
659 unsigned char *p = (unsigned char *)vp;
661 p[0] = (unsigned char)((val >> 56) & 0xff);
662 p[1] = (unsigned char)((val >> 48) & 0xff);
663 p[2] = (unsigned char)((val >> 40) & 0xff);
664 p[3] = (unsigned char)((val >> 32) & 0xff);
665 p[4] = (unsigned char)((val >> 24) & 0xff);
666 p[5] = (unsigned char)((val >> 16) & 0xff);
667 p[6] = (unsigned char)((val >> 8) & 0xff);
668 p[7] = (unsigned char)((val ) & 0xff);
671 static inline uint64_t
672 load_uint64_be(const void *cvp)
674 const unsigned char *p = (const unsigned char *)cvp;
676 return ((uint64_t)load_uint32_be(p) << 32) | load_uint32_be(p + 4);
679 static inline unsigned char *
680 store_buffer(gss_buffer_t buffer, void *vp, int wide_nums)
682 unsigned char *p = (unsigned char *)vp;
685 store_uint64_be(buffer->length, p);
688 store_uint32_be(buffer->length, p);
692 if (buffer->value != NULL) {
693 memcpy(p, buffer->value, buffer->length);
700 static inline unsigned char *
701 load_buffer(const void *cvp, size_t length, gss_buffer_t buffer)
704 buffer->value = GSSEAP_MALLOC(length);
705 if (buffer->value == NULL)
707 buffer->length = length;
708 memcpy(buffer->value, cvp, length);
709 return (unsigned char *)cvp + length;
712 static inline unsigned char *
713 store_oid(gss_OID oid, void *vp)
717 if (oid != GSS_C_NO_OID) {
718 buf.length = oid->length;
719 buf.value = oid->elements;
725 return store_buffer(&buf, vp, FALSE);
729 krbDataToGssBuffer(krb5_data *data, gss_buffer_t buffer)
731 buffer->value = (void *)data->data;
732 buffer->length = data->length;
736 krbPrincComponentToGssBuffer(krb5_principal krbPrinc,
737 int index, gss_buffer_t buffer)
739 #ifdef HAVE_HEIMDAL_VERSION
740 buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index];
741 buffer->length = strlen((char *)buffer->value);
743 buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data;
744 buffer->length = krb5_princ_component(NULL, krbPrinc, index)->length;
745 #endif /* HAVE_HEIMDAL_VERSION */
749 krbPrincRealmToGssBuffer(krb5_principal krbPrinc, gss_buffer_t buffer)
751 #ifdef HAVE_HEIMDAL_VERSION
752 buffer->value = (void *)KRB_PRINC_REALM(krbPrinc);
753 buffer->length = strlen((char *)buffer->value);
755 krbDataToGssBuffer(KRB_PRINC_REALM(krbPrinc), buffer);
760 gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data)
762 data->data = (char *)buffer->value;
763 data->length = buffer->length;
770 #include "util_attr.h"
771 #ifdef GSSEAP_ENABLE_REAUTH
772 #include "util_reauth.h"
775 #endif /* _UTIL_H_ */
projects / mech_eap.orig / blob