2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gssapiP_eap.h"
35 /* stuff that should be provided by libradsec/libfreeradius-radius */
36 #define VENDORATTR(vendor, attr) (((vendor) << 16) | (attr))
39 #define ATTRID(attr) ((attr) & 0xFFFF)
42 static gss_buffer_desc radiusUrnPrefix = {
43 sizeof("urn:x-radius:") - 1,
44 (void *)"urn:x-radius:"
47 static VALUE_PAIR *copyAvps(const VALUE_PAIR *src);
49 gss_eap_radius_attr_provider::gss_eap_radius_attr_provider(void)
52 m_authenticated = false;
55 gss_eap_radius_attr_provider::~gss_eap_radius_attr_provider(void)
62 gss_eap_radius_attr_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
63 const gss_eap_attr_provider *ctx)
65 const gss_eap_radius_attr_provider *radius;
67 if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
70 radius = static_cast<const gss_eap_radius_attr_provider *>(ctx);
72 if (radius->m_vps != NULL)
73 m_vps = copyAvps(const_cast<VALUE_PAIR *>(radius->getAvps()));
79 gss_eap_radius_attr_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
80 const gss_cred_id_t gssCred,
81 const gss_ctx_id_t gssCtx)
83 if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
86 if (gssCtx != GSS_C_NO_CONTEXT) {
87 if (gssCtx->acceptorCtx.vps != NULL) {
88 m_vps = copyAvps(gssCtx->acceptorCtx.vps);
98 alreadyAddedAttributeP(std::vector <std::string> &attrs, VALUE_PAIR *vp)
100 for (std::vector<std::string>::const_iterator a = attrs.begin();
103 if (strcmp(vp->name, (*a).c_str()) == 0)
111 isSecretAttributeP(uint16_t attrid, uint16_t vendor)
118 case PW_MS_MPPE_SEND_KEY:
119 case PW_MS_MPPE_RECV_KEY:
133 isSecretAttributeP(uint32_t attribute)
135 return isSecretAttributeP(ATTRID(attribute), VENDOR(attribute));
139 isHiddenAttributeP(uint16_t attrid, uint16_t vendor)
143 /* should have been filtered */
144 assert(!isSecretAttributeP(attrid, vendor));
147 case VENDORPEC_UKERNA:
158 isHiddenAttributeP(uint32_t attribute)
160 return isHiddenAttributeP(ATTRID(attribute), VENDOR(attribute));
164 * Copy AVP list, same as paircopy except it filters out attributes
168 copyAvps(const VALUE_PAIR *src)
170 const VALUE_PAIR *vp;
171 VALUE_PAIR *dst = NULL, **pDst = &dst;
173 for (vp = src; vp != NULL; vp = vp->next) {
176 if (isSecretAttributeP(vp->attribute))
179 vpcopy = paircopyvp(vp);
180 if (vpcopy == NULL) {
182 throw new std::bad_alloc;
186 pDst = &vpcopy->next;
193 gss_eap_radius_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute, void *data) const
196 std::vector <std::string> seen;
198 for (vp = m_vps; vp != NULL; vp = vp->next) {
199 gss_buffer_desc attribute;
202 if (isHiddenAttributeP(vp->attribute))
205 if (alreadyAddedAttributeP(seen, vp))
208 snprintf(attrid, sizeof(attrid), "%s%d",
209 (char *)radiusUrnPrefix.value, vp->attribute);
211 attribute.value = attrid;
212 attribute.length = strlen(attrid);
214 if (!addAttribute(this, &attribute, data))
217 seen.push_back(std::string(vp->name));
224 gss_eap_radius_attr_provider::setAttribute(int complete,
225 const gss_buffer_t attr,
226 const gss_buffer_t value)
231 gss_eap_radius_attr_provider::deleteAttribute(const gss_buffer_t value)
236 gss_eap_radius_attr_provider::getAttribute(const gss_buffer_t attr,
240 gss_buffer_t display_value,
244 gss_buffer_desc strAttr = GSS_C_EMPTY_BUFFER;
249 duplicateBuffer(*attr, &strAttr);
250 s = (char *)strAttr.value;
252 if (attr->length < radiusUrnPrefix.length ||
253 memcmp(s, radiusUrnPrefix.value, radiusUrnPrefix.length) != 0)
256 s += radiusUrnPrefix.length;
259 attrid = strtoul(s, NULL, 10);
261 da = dict_attrbyname(s);
263 gss_release_buffer(&tmpMinor, &strAttr);
269 gss_release_buffer(&tmpMinor, &strAttr);
271 return getAttribute(attrid, authenticated, complete,
272 value, display_value, more);
276 gss_eap_radius_attr_provider::getAttribute(uint32_t attrid,
280 gss_buffer_t display_value,
284 int i = *more, count = 0;
288 if (isHiddenAttributeP(attrid))
294 for (vp = pairfind(m_vps, attrid);
296 vp = pairfind(vp->next, attrid)) {
298 if (pairfind(vp->next, attrid) != NULL)
304 if (vp == NULL && *more == 0)
307 if (value != GSS_C_NO_BUFFER) {
308 gss_buffer_desc valueBuf;
310 valueBuf.value = (void *)vp->vp_octets;
311 valueBuf.length = vp->length;
313 duplicateBuffer(valueBuf, value);
316 if (display_value != GSS_C_NO_BUFFER) {
317 char displayString[MAX_STRING_LEN];
318 gss_buffer_desc displayBuf;
320 displayBuf.length = vp_prints_value(displayString,
321 sizeof(displayString), vp, 0);
322 displayBuf.value = (void *)displayString;
324 duplicateBuffer(displayBuf, display_value);
327 if (authenticated != NULL)
328 *authenticated = m_authenticated;
329 if (complete != NULL)
336 gss_eap_radius_attr_provider::getFragmentedAttribute(uint16_t attribute,
340 gss_buffer_t value) const
342 OM_uint32 major, minor;
344 major = gssEapRadiusGetAvp(&minor, m_vps, attribute, vendor, value, TRUE);
346 if (authenticated != NULL)
347 *authenticated = m_authenticated;
348 if (complete != NULL)
351 return !GSS_ERROR(major);
355 gss_eap_radius_attr_provider::getAttribute(uint16_t attribute,
360 gss_buffer_t display_value,
364 return getAttribute(VENDORATTR(attribute, vendor),
365 authenticated, complete,
366 value, display_value, more);
370 gss_eap_radius_attr_provider::mapToAny(int authenticated,
371 gss_buffer_t type_id) const
373 if (authenticated && !m_authenticated)
374 return (gss_any_t)NULL;
376 return (gss_any_t)copyAvps(m_vps);
380 gss_eap_radius_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
381 gss_any_t input) const
383 pairfree((VALUE_PAIR **)&input);
387 gss_eap_radius_attr_provider::init(void)
389 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS,
390 "urn:ietf:params:gss-eap:radius-avp",
391 gss_eap_radius_attr_provider::createAttrContext);
396 gss_eap_radius_attr_provider::finalize(void)
398 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_RADIUS);
401 gss_eap_attr_provider *
402 gss_eap_radius_attr_provider::createAttrContext(void)
404 return new gss_eap_radius_attr_provider;
408 gssEapRadiusAddAvp(OM_uint32 *minor,
414 uint32_t attrid = VENDORATTR(vendor, attribute);
415 unsigned char *p = (unsigned char *)buffer->value;
416 size_t remain = buffer->length;
422 if (n > MAX_STRING_LEN)
425 vp = paircreate(attrid, PW_TYPE_OCTETS);
428 return GSS_S_FAILURE;
431 memcpy(vp->vp_octets, p, n);
438 } while (remain != 0);
440 return GSS_S_COMPLETE;
444 gssEapRadiusGetRawAvp(OM_uint32 *minor,
450 uint32_t attr = VENDORATTR(vendor, attribute);
452 *vp = pairfind(vps, attr);
454 return (*vp == NULL) ? GSS_S_UNAVAILABLE : GSS_S_COMPLETE;
458 gssEapRadiusGetAvp(OM_uint32 *minor,
467 uint32_t attr = VENDORATTR(vendor, attribute);
470 buffer->value = NULL;
472 vp = pairfind(vps, attr);
474 return GSS_S_UNAVAILABLE;
477 buffer->length += vp->length;
478 } while (concat && (vp = pairfind(vp->next, attr)) != NULL);
480 buffer->value = GSSEAP_MALLOC(buffer->length);
481 if (buffer->value == NULL) {
483 return GSS_S_FAILURE;
486 p = (unsigned char *)buffer->value;
488 for (vp = pairfind(vps, attr);
489 concat && vp != NULL;
490 vp = pairfind(vp->next, attr)) {
491 memcpy(p, vp->vp_octets, vp->length);
496 return GSS_S_COMPLETE;
500 gssEapRadiusFreeAvps(OM_uint32 *minor,
505 return GSS_S_COMPLETE;
509 gssEapRadiusAttrProviderInit(OM_uint32 *minor)
511 return gss_eap_radius_attr_provider::init()
512 ? GSS_S_COMPLETE : GSS_S_FAILURE;
516 gssEapRadiusAttrProviderFinalize(OM_uint32 *minor)
518 gss_eap_radius_attr_provider::finalize();
519 return GSS_S_COMPLETE;
522 /* partition error namespace so it does not conflict with krb5 */
523 #define ERROR_TABLE_BASE_rse (46882560L)
525 #define RS_TO_COM_ERR(rse) ((rse) == RSE_OK ? 0 : (rse) + ERROR_TABLE_BASE_rse)
526 #define COM_TO_RS_ERR(err) ((err) > ERROR_TABLE_BASE_rse && \
527 (err) <= (ERROR_TABLE_BASE_rse + RSE_SOME_ERROR) ? \
528 (err) - ERROR_TABLE_BASE_rse : RSE_SOME_ERROR)
531 gssEapRadiusMapError(OM_uint32 *minor,
532 struct rs_error *err)
537 code = rs_err_code(err, 0);
539 code = RSE_SOME_ERROR;
541 *minor = RS_TO_COM_ERR(code);
543 gssEapSaveStatusInfo(*minor, "radsec: %s", rs_err_msg(err, 0));
546 return GSS_S_FAILURE;
550 gssEapRadiusAllocConn(OM_uint32 *minor,
551 const gss_cred_id_t cred,
554 struct gss_eap_acceptor_ctx *actx = &ctx->acceptorCtx;
555 const char *configFile = RS_CONFIG_FILE;
556 const char *configStanza = "gss-eap";
557 struct rs_alloc_scheme ralloc;
558 struct rs_error *err;
560 assert(actx->radHandle == NULL);
561 assert(actx->radConn == NULL);
563 if (rs_context_create(&actx->radHandle, RS_DICT_FILE) != 0)
564 return GSS_S_FAILURE;
566 if (cred != GSS_C_NO_CREDENTIAL) {
567 if (cred->radiusConfigFile != NULL)
568 configFile = cred->radiusConfigFile;
569 if (cred->radiusConfigStanza != NULL)
570 configStanza = cred->radiusConfigStanza;
573 ralloc.calloc = GSSEAP_CALLOC;
574 ralloc.malloc = GSSEAP_MALLOC;
575 ralloc.free = GSSEAP_FREE;
576 ralloc.realloc = GSSEAP_REALLOC;
578 rs_context_set_alloc_scheme(actx->radHandle, &ralloc);
580 if (rs_context_read_config(actx->radHandle, configFile) != 0) {
581 err = rs_err_ctx_pop(actx->radHandle);
585 if (rs_conn_create(actx->radHandle, &actx->radConn, configStanza) != 0) {
586 err = rs_err_conn_pop(actx->radConn);
590 /* XXX TODO rs_conn_select_server does not exist yet */
592 if (actx->radServer != NULL) {
593 if (rs_conn_select_server(actx->radConn, actx->radServer) != 0) {
594 err = rs_err_conn_pop(actx->radConn);
601 return GSS_S_COMPLETE;
604 OM_uint32 major = gssEapRadiusMapError(minor, err);
606 if (actx->radConn != NULL) {
607 rs_conn_destroy(actx->radConn);
608 actx->radConn = NULL;
611 if (actx->radHandle != NULL) {
612 rs_context_destroy(actx->radHandle);
613 actx->radHandle = NULL;
621 * 4 octet NBO attribute ID | 4 octet attribute length | attribute data
624 avpSize(const VALUE_PAIR *vp)
635 avpExport(const VALUE_PAIR *vp,
636 unsigned char **pBuffer,
639 unsigned char *p = *pBuffer;
640 size_t remain = *pRemain;
642 assert(remain >= avpSize(vp));
644 store_uint32_be(vp->attribute, p);
647 case PW_TYPE_INTEGER:
651 store_uint32_be(vp->lvalue, p + 5);
654 assert(vp->length <= MAX_STRING_LEN);
655 p[4] = (uint8_t)vp->length;
656 memcpy(p + 5, vp->vp_octets, vp->length);
660 *pBuffer += 5 + p[4];
661 *pRemain -= 5 + p[4];
668 avpImport(VALUE_PAIR **pVp,
669 unsigned char **pBuffer,
672 unsigned char *p = *pBuffer;
673 size_t remain = *pRemain;
674 VALUE_PAIR *vp = NULL;
678 if (remain < avpSize(NULL))
681 attrid = load_uint32_be(p);
685 da = dict_attrbyvalue(attrid);
691 throw new std::bad_alloc;
699 case PW_TYPE_INTEGER:
706 vp->lvalue = load_uint32_be(p + 1);
711 /* check enough room to NUL terminate */
712 if (p[0] == MAX_STRING_LEN)
717 if (p[0] > MAX_STRING_LEN)
720 vp->length = (uint32_t)p[0];
721 memcpy(vp->vp_octets, p + 1, vp->length);
723 if (vp->type == PW_TYPE_STRING)
724 vp->vp_strvalue[vp->length] = '\0';
727 remain -= 1 + vp->length;
743 gss_eap_radius_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
744 const gss_buffer_t buffer)
746 unsigned char *p = (unsigned char *)buffer->value;
747 size_t remain = buffer->length;
749 VALUE_PAIR **pNext = &m_vps;
751 if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
757 count = load_uint32_be(p);
764 if (!avpImport(&attr, &p, &remain))
771 } while (remain != 0);
780 gss_eap_radius_attr_provider::exportToBuffer(gss_buffer_t buffer) const
787 for (vp = m_vps; vp != NULL; vp = vp->next) {
788 remain += avpSize(vp);
792 buffer->value = GSSEAP_MALLOC(remain);
793 if (buffer->value == NULL) {
794 throw new std::bad_alloc;
797 buffer->length = remain;
799 p = (unsigned char *)buffer->value;
801 store_uint32_be(count, p);
805 for (vp = m_vps; vp != NULL; vp = vp->next) {
806 avpExport(vp, &p, &remain);
813 gss_eap_radius_attr_provider::getExpiryTime(void) const
817 vp = pairfind(m_vps, PW_SESSION_TIMEOUT);
818 if (vp == NULL || vp->lvalue == 0)
821 return time(NULL) + vp->lvalue;