2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Portions Copyright 2009 by the Massachusetts Institute of Technology.
34 * All Rights Reserved.
36 * Export of this software from the United States of America may
37 * require a specific license from the United States Government.
38 * It is the responsibility of any person or organization contemplating
39 * export to obtain such a license before exporting.
41 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
42 * distribute this software and its documentation for any purpose and
43 * without fee is hereby granted, provided that the above copyright
44 * notice appear in all copies and that both that copyright notice and
45 * this permission notice appear in supporting documentation, and that
46 * the name of M.I.T. not be used in advertising or publicity pertaining
47 * to distribution of the software without specific, written prior
48 * permission. Furthermore if you modify this software you must label
49 * your software as modified software and not distribute it in such a
50 * fashion that it might be confused with the original M.I.T. software.
51 * M.I.T. makes no representations about the suitability of
52 * this software for any purpose. It is provided "as is" without express
53 * or implied warranty.
57 * Name utility routines.
60 #include "gssapiP_eap.h"
62 static gss_OID_desc gssEapNtEapName = {
63 /* 1.3.6.1.4.1.5322.22.2.1 */
64 10, "\x2B\x06\x01\x04\x01\xA9\x4A\x16\x02\x01"
67 gss_OID GSS_EAP_NT_EAP_NAME = &gssEapNtEapName;
70 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName)
75 *pName = GSS_C_NO_NAME;
77 name = (gss_name_t)GSSEAP_CALLOC(1, sizeof(*name));
83 if (GSSEAP_MUTEX_INIT(&name->mutex) != 0) {
85 gssEapReleaseName(&tmpMinor, &name);
91 return GSS_S_COMPLETE;
95 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName)
98 krb5_context krbContext = NULL;
104 return GSS_S_COMPLETE;
108 if (name == GSS_C_NO_NAME) {
109 return GSS_S_COMPLETE;
112 GSSEAP_KRB_INIT(&krbContext);
113 krb5_free_principal(krbContext, name->krbPrincipal);
114 gssEapReleaseOid(&tmpMinor, &name->mechanismUsed);
116 gssEapReleaseAttrContext(&tmpMinor, name);
118 GSSEAP_MUTEX_DESTROY(&name->mutex);
122 return GSS_S_COMPLETE;
126 krbPrincipalToName(OM_uint32 *minor,
127 krb5_principal *principal,
133 major = gssEapAllocName(minor, &name);
134 if (GSS_ERROR(major))
137 name->krbPrincipal = *principal;
140 if (KRB_PRINC_LENGTH(name->krbPrincipal) > 1) {
141 name->flags |= NAME_FLAG_SERVICE;
143 name->flags |= NAME_FLAG_NAI;
149 return GSS_S_COMPLETE;
153 gssEapGetDefaultRealm(krb5_context krbContext)
155 char *defaultRealm = NULL;
157 krb5_appdefault_string(krbContext, "eap_gss",
158 NULL, "default_realm", "", &defaultRealm);
164 importServiceName(OM_uint32 *minor,
165 const gss_buffer_t nameBuffer,
169 krb5_error_code code;
170 krb5_context krbContext;
171 krb5_principal krbPrinc;
172 char *service, *host, *realm = NULL;
174 GSSEAP_KRB_INIT(&krbContext);
176 major = bufferToString(minor, nameBuffer, &service);
177 if (GSS_ERROR(major))
180 host = strchr(service, '@');
186 realm = gssEapGetDefaultRealm(krbContext);
188 code = krb5_build_principal(krbContext,
190 realm != NULL ? strlen(realm) : 0,
191 realm != NULL ? realm : "",
197 KRB_PRINC_TYPE(krbPrinc) = KRB5_NT_SRV_HST;
199 major = krbPrincipalToName(minor, &krbPrinc, pName);
200 if (GSS_ERROR(major))
201 krb5_free_principal(krbContext, krbPrinc);
203 major = GSS_S_FAILURE;
204 *minor = GSSEAP_BAD_SERVICE_NAME;
209 GSSEAP_FREE(service);
214 #define IMPORT_FLAG_DEFAULT_REALM 0x1
217 * Import an EAP name, possibly appending the default GSS EAP realm,
220 importEapNameFlags(OM_uint32 *minor,
221 const gss_buffer_t nameBuffer,
222 OM_uint32 importFlags,
226 krb5_context krbContext;
227 krb5_principal krbPrinc = NULL;
228 krb5_error_code code;
231 GSSEAP_KRB_INIT(&krbContext);
233 if (nameBuffer == GSS_C_NO_BUFFER) {
235 code = KRB5_PARSE_MALFORMED;
237 major = bufferToString(minor, nameBuffer, &nameString);
238 if (GSS_ERROR(major))
242 * First, attempt to parse the name on the assumption that it includes
243 * a qualifying realm. This allows us to avoid accidentally appending
244 * the default Kerberos realm to an unqualified name. (A bug in MIT
245 * Kerberos prevents the default realm being set to an empty value.)
247 code = krb5_parse_name_flags(krbContext, nameString,
248 KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, &krbPrinc);
251 if (code == KRB5_PARSE_MALFORMED) {
252 char *defaultRealm = NULL;
255 /* Possibly append the default EAP realm if required */
256 if (importFlags & IMPORT_FLAG_DEFAULT_REALM)
257 defaultRealm = gssEapGetDefaultRealm(krbContext);
259 /* If no default realm, leave the realm empty in the parsed name */
260 if (defaultRealm == NULL || defaultRealm[0] == '\0')
261 parseFlags |= KRB5_PRINCIPAL_PARSE_NO_REALM;
263 code = krb5_parse_name_flags(krbContext, nameString, parseFlags, &krbPrinc);
265 #ifdef HAVE_HEIMDAL_VERSION
266 if (code == 0 && KRB_PRINC_REALM(krbPrinc) == NULL) {
267 KRB_PRINC_REALM(krbPrinc) = GSSEAP_CALLOC(1, sizeof(char));
268 if (KRB_PRINC_REALM(krbPrinc) == NULL)
273 if (defaultRealm != NULL)
274 GSSEAP_FREE(defaultRealm);
277 if (nameBuffer != GSS_C_NO_BUFFER)
278 GSSEAP_FREE(nameString);
282 return GSS_S_FAILURE;
285 assert(krbPrinc != NULL);
287 major = krbPrincipalToName(minor, &krbPrinc, pName);
288 if (GSS_ERROR(major))
289 krb5_free_principal(krbContext, krbPrinc);
295 importEapName(OM_uint32 *minor,
296 const gss_buffer_t nameBuffer,
299 return importEapNameFlags(minor, nameBuffer, 0, pName);
303 importUserName(OM_uint32 *minor,
304 const gss_buffer_t nameBuffer,
307 return importEapNameFlags(minor, nameBuffer, IMPORT_FLAG_DEFAULT_REALM, pName);
311 importAnonymousName(OM_uint32 *minor,
312 const gss_buffer_t nameBuffer GSSEAP_UNUSED,
315 return importEapNameFlags(minor, GSS_C_NO_BUFFER, 0, pName);
318 #define UPDATE_REMAIN(n) do { \
323 #define CHECK_REMAIN(n) do { \
324 if (remain < (n)) { \
325 major = GSS_S_BAD_NAME; \
326 *minor = GSSEAP_TOK_TRUNC; \
332 gssEapImportNameInternal(OM_uint32 *minor,
333 const gss_buffer_t nameBuffer,
337 OM_uint32 major, tmpMinor;
338 krb5_context krbContext;
342 enum gss_eap_token_type tokType;
343 gss_name_t name = GSS_C_NO_NAME;
344 gss_OID mechanismUsed = GSS_C_NO_OID;
346 GSSEAP_KRB_INIT(&krbContext);
348 p = (unsigned char *)nameBuffer->value;
349 remain = nameBuffer->length;
351 if (flags & EXPORT_NAME_FLAG_OID) {
354 /* TOK_ID || MECH_OID_LEN || MECH_OID */
356 *minor = GSSEAP_BAD_NAME_TOKEN;
357 return GSS_S_BAD_NAME;
360 if (flags & EXPORT_NAME_FLAG_COMPOSITE)
361 tokType = TOK_TYPE_EXPORT_NAME_COMPOSITE;
363 tokType = TOK_TYPE_EXPORT_NAME;
366 if (load_uint16_be(p) != tokType) {
367 *minor = GSSEAP_WRONG_TOK_ID;
368 return GSS_S_BAD_NAME;
373 len = load_uint16_be(p);
375 *minor = GSSEAP_BAD_NAME_TOKEN;
376 return GSS_S_BAD_NAME;
382 *minor = GSSEAP_BAD_NAME_TOKEN;
383 return GSS_S_BAD_NAME;
387 mech.elements = &p[2];
389 CHECK_REMAIN(mech.length);
391 major = gssEapCanonicalizeOid(minor,
393 OID_FLAG_FAMILY_MECH_VALID |
394 OID_FLAG_MAP_FAMILY_MECH_TO_NULL,
396 if (GSS_ERROR(major))
399 UPDATE_REMAIN(2 + mech.length);
404 len = load_uint32_be(p);
413 major = importEapNameFlags(minor, &buf, 0, &name);
414 if (GSS_ERROR(major))
417 name->mechanismUsed = mechanismUsed;
418 mechanismUsed = GSS_C_NO_OID;
420 if (flags & EXPORT_NAME_FLAG_COMPOSITE) {
426 major = gssEapImportAttrContext(minor, &buf, name);
427 if (GSS_ERROR(major))
431 major = GSS_S_COMPLETE;
435 if (GSS_ERROR(major)) {
436 gssEapReleaseOid(&tmpMinor, &mechanismUsed);
437 gssEapReleaseName(&tmpMinor, &name);
446 importExportName(OM_uint32 *minor,
447 const gss_buffer_t nameBuffer,
450 return gssEapImportNameInternal(minor, nameBuffer, name,
451 EXPORT_NAME_FLAG_OID);
454 #ifdef HAVE_GSS_C_NT_COMPOSITE_EXPORT
456 importCompositeExportName(OM_uint32 *minor,
457 const gss_buffer_t nameBuffer,
460 return gssEapImportNameInternal(minor, nameBuffer, name,
461 EXPORT_NAME_FLAG_OID |
462 EXPORT_NAME_FLAG_COMPOSITE);
466 struct gss_eap_name_import_provider {
468 OM_uint32 (*import)(OM_uint32 *, const gss_buffer_t, gss_name_t *);
472 gssEapImportName(OM_uint32 *minor,
473 const gss_buffer_t nameBuffer,
474 const gss_OID nameType,
475 const gss_OID mechType,
478 struct gss_eap_name_import_provider nameTypes[] = {
479 { GSS_EAP_NT_EAP_NAME, importEapName },
480 { GSS_C_NT_USER_NAME, importUserName },
481 { GSS_C_NT_HOSTBASED_SERVICE, importServiceName },
482 { GSS_C_NT_HOSTBASED_SERVICE_X, importServiceName },
483 { GSS_C_NT_ANONYMOUS, importAnonymousName },
484 { GSS_C_NT_EXPORT_NAME, importExportName },
485 { GSS_KRB5_NT_PRINCIPAL_NAME, importUserName },
486 #ifdef HAVE_GSS_C_NT_COMPOSITE_EXPORT
487 { GSS_C_NT_COMPOSITE_EXPORT, importCompositeExportName },
491 OM_uint32 major = GSS_S_BAD_NAMETYPE;
493 gss_name_t name = GSS_C_NO_NAME;
495 for (i = 0; i < sizeof(nameTypes) / sizeof(nameTypes[0]); i++) {
496 if (oidEqual(nameTypes[i].oid,
497 nameType == GSS_C_NO_OID ? GSS_EAP_NT_EAP_NAME : nameType)) {
498 major = nameTypes[i].import(minor, nameBuffer, &name);
503 if (major == GSS_S_COMPLETE &&
504 mechType != GSS_C_NO_OID) {
505 assert(gssEapIsConcreteMechanismOid(mechType));
506 assert(name->mechanismUsed == GSS_C_NO_OID);
508 major = gssEapCanonicalizeOid(minor, mechType, 0, &name->mechanismUsed);
511 if (GSS_ERROR(major))
512 gssEapReleaseName(&tmpMinor, &name);
520 gssEapExportName(OM_uint32 *minor,
521 const gss_name_t name,
522 gss_buffer_t exportedName)
524 return gssEapExportNameInternal(minor, name, exportedName,
525 EXPORT_NAME_FLAG_OID);
529 gssEapExportNameInternal(OM_uint32 *minor,
530 const gss_name_t name,
531 gss_buffer_t exportedName,
534 OM_uint32 major = GSS_S_FAILURE, tmpMinor;
535 gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
536 size_t exportedNameLen;
538 gss_buffer_desc attrs = GSS_C_EMPTY_BUFFER;
541 exportedName->length = 0;
542 exportedName->value = NULL;
544 if (name->mechanismUsed != GSS_C_NO_OID)
545 mech = name->mechanismUsed;
547 mech = GSS_EAP_MECHANISM;
549 major = gssEapDisplayName(minor, name, &nameBuf, NULL);
550 if (GSS_ERROR(major))
554 if (flags & EXPORT_NAME_FLAG_OID) {
555 exportedNameLen += 6 + mech->length;
557 exportedNameLen += 4 + nameBuf.length;
558 if (flags & EXPORT_NAME_FLAG_COMPOSITE) {
559 major = gssEapExportAttrContext(minor, name, &attrs);
560 if (GSS_ERROR(major))
562 exportedNameLen += attrs.length;
565 exportedName->value = GSSEAP_MALLOC(exportedNameLen);
566 if (exportedName->value == NULL) {
567 major = GSS_S_FAILURE;
571 exportedName->length = exportedNameLen;
573 p = (unsigned char *)exportedName->value;
575 if (flags & EXPORT_NAME_FLAG_OID) {
576 /* TOK | MECH_OID_LEN */
577 store_uint16_be((flags & EXPORT_NAME_FLAG_COMPOSITE)
578 ? TOK_TYPE_EXPORT_NAME_COMPOSITE
579 : TOK_TYPE_EXPORT_NAME,
582 store_uint16_be(mech->length + 2, p);
587 *p++ = mech->length & 0xff;
588 memcpy(p, mech->elements, mech->length);
593 store_uint32_be(nameBuf.length, p);
597 memcpy(p, nameBuf.value, nameBuf.length);
600 if (flags & EXPORT_NAME_FLAG_COMPOSITE) {
601 memcpy(p, attrs.value, attrs.length);
605 assert(p == (unsigned char *)exportedName->value + exportedNameLen);
607 major = GSS_S_COMPLETE;
611 gss_release_buffer(&tmpMinor, &attrs);
612 gss_release_buffer(&tmpMinor, &nameBuf);
613 if (GSS_ERROR(major))
614 gss_release_buffer(&tmpMinor, exportedName);
620 gssEapCanonicalizeName(OM_uint32 *minor,
621 const gss_name_t input_name,
622 const gss_OID mech_type,
623 gss_name_t *dest_name)
625 OM_uint32 major, tmpMinor;
626 krb5_context krbContext;
630 if (input_name == GSS_C_NO_NAME) {
632 return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
635 GSSEAP_KRB_INIT(&krbContext);
637 major = gssEapAllocName(minor, &name);
638 if (GSS_ERROR(major)) {
642 if (mech_type != GSS_C_NO_OID)
643 mech_used = mech_type;
645 mech_used = input_name->mechanismUsed;
647 major = gssEapCanonicalizeOid(minor,
650 &name->mechanismUsed);
651 if (GSS_ERROR(major))
654 name->flags = input_name->flags;
656 *minor = krb5_copy_principal(krbContext, input_name->krbPrincipal,
657 &name->krbPrincipal);
659 major = GSS_S_FAILURE;
663 if (input_name->attrCtx != NULL) {
664 major = gssEapDuplicateAttrContext(minor, input_name, name);
665 if (GSS_ERROR(major))
672 if (GSS_ERROR(major)) {
673 gssEapReleaseName(&tmpMinor, &name);
680 gssEapDuplicateName(OM_uint32 *minor,
681 const gss_name_t input_name,
682 gss_name_t *dest_name)
684 return gssEapCanonicalizeName(minor, input_name,
685 GSS_C_NO_OID, dest_name);
689 gssEapDisplayName(OM_uint32 *minor,
691 gss_buffer_t output_name_buffer,
692 gss_OID *output_name_type)
695 krb5_context krbContext;
700 GSSEAP_KRB_INIT(&krbContext);
702 output_name_buffer->length = 0;
703 output_name_buffer->value = NULL;
705 if (name == GSS_C_NO_NAME) {
707 return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
711 * According to draft-ietf-abfab-gss-eap-01, when the realm is
712 * absent the trailing '@' is not included.
714 #ifdef HAVE_HEIMDAL_VERSION
715 if (KRB_PRINC_REALM(name->krbPrincipal) == NULL ||
716 KRB_PRINC_REALM(name->krbPrincipal)[0] == '\0')
718 if (KRB_PRINC_REALM(name->krbPrincipal)->length == 0)
720 flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
722 *minor = krb5_unparse_name_flags(krbContext, name->krbPrincipal,
725 return GSS_S_FAILURE;
728 major = makeStringBuffer(minor, krbName, output_name_buffer);
729 if (GSS_ERROR(major)) {
730 krb5_free_unparsed_name(krbContext, krbName);
734 krb5_free_unparsed_name(krbContext, krbName);
736 if (output_name_buffer->length == 0) {
737 name_type = GSS_C_NT_ANONYMOUS;
738 } else if (name->flags & NAME_FLAG_NAI) {
739 name_type = GSS_C_NT_USER_NAME;
741 name_type = GSS_EAP_NT_EAP_NAME;
744 if (output_name_type != NULL)
745 *output_name_type = name_type;
747 return GSS_S_COMPLETE;
751 gssEapCompareName(OM_uint32 *minor,
756 krb5_context krbContext;
760 if (name1 == GSS_C_NO_NAME && name2 == GSS_C_NO_NAME) {
762 } else if (name1 != GSS_C_NO_NAME && name2 != GSS_C_NO_NAME) {
763 GSSEAP_KRB_INIT(&krbContext);
765 /* krbPrincipal is immutable, so lock not required */
766 *name_equal = krb5_principal_compare(krbContext,
768 name2->krbPrincipal);
771 return GSS_S_COMPLETE;
projects / moonshot.git / blob