2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Portions Copyright 2009 by the Massachusetts Institute of Technology.
34 * All Rights Reserved.
36 * Export of this software from the United States of America may
37 * require a specific license from the United States Government.
38 * It is the responsibility of any person or organization contemplating
39 * export to obtain such a license before exporting.
41 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
42 * distribute this software and its documentation for any purpose and
43 * without fee is hereby granted, provided that the above copyright
44 * notice appear in all copies and that both that copyright notice and
45 * this permission notice appear in supporting documentation, and that
46 * the name of M.I.T. not be used in advertising or publicity pertaining
47 * to distribution of the software without specific, written prior
48 * permission. Furthermore if you modify this software you must label
49 * your software as modified software and not distribute it in such a
50 * fashion that it might be confused with the original M.I.T. software.
51 * M.I.T. makes no representations about the suitability of
52 * this software for any purpose. It is provided "as is" without express
53 * or implied warranty.
56 #include "gssapiP_eap.h"
58 static const gss_OID_desc gssEapNtPrincipalName = {
59 /* 1.3.6.1.4.1.5322.21.2.1 */
60 12, "\x06\x0A\x2B\x06\x01\x04\x01\xA9\x4A\x15\x02\x01"
63 const gss_OID_desc *const GSS_EAP_NT_PRINCIPAL_NAME =
64 &gssEapNtPrincipalName;
67 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName)
72 assert(*pName == GSS_C_NO_NAME);
74 name = (gss_name_t)GSSEAP_CALLOC(1, sizeof(*name));
80 if (GSSEAP_MUTEX_INIT(&name->mutex) != 0) {
82 gssEapReleaseName(&tmpMinor, &name);
88 return GSS_S_COMPLETE;
92 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName)
95 krb5_context krbContext = NULL;
99 return GSS_S_COMPLETE;
103 if (name == GSS_C_NO_NAME) {
104 return GSS_S_COMPLETE;
107 GSSEAP_KRB_INIT(&krbContext);
108 krb5_free_principal(krbContext, name->krbPrincipal);
110 radiusFreeAVPs(&tmpMinor, name->avps);
111 samlFreeAssertion(&tmpMinor, name->assertion);
113 GSSEAP_MUTEX_DESTROY(&name->mutex);
118 return GSS_S_COMPLETE;
122 krbPrincipalToName(OM_uint32 *minor,
123 krb5_principal *principal,
129 major = gssEapAllocName(minor, &name);
130 if (GSS_ERROR(major))
133 name->krbPrincipal = *principal;
137 return GSS_S_COMPLETE;
141 importServiceName(OM_uint32 *minor,
142 const gss_buffer_t nameBuffer,
145 OM_uint32 major, tmpMinor;
146 krb5_context krbContext;
147 krb5_principal krbPrinc;
148 char *service, *host;
150 GSSEAP_KRB_INIT(&krbContext);
152 major = bufferToString(minor, nameBuffer, &service);
153 if (GSS_ERROR(major))
156 host = strchr(service, '@');
162 /* XXX this is probably NOT what we want to be doing */
163 *minor = krb5_sname_to_principal(krbContext, host, service,
164 KRB5_NT_SRV_HST, &krbPrinc);
166 GSSEAP_FREE(service);
167 return GSS_S_FAILURE;
170 major = krbPrincipalToName(minor, &krbPrinc, pName);
171 if (GSS_ERROR(major)) {
172 krb5_free_principal(krbContext, krbPrinc);
175 GSSEAP_FREE(service);
180 importUserName(OM_uint32 *minor,
181 const gss_buffer_t nameBuffer,
184 OM_uint32 major, tmpMinor;
185 krb5_context krbContext;
186 krb5_principal krbPrinc;
189 GSSEAP_KRB_INIT(&krbContext);
191 major = bufferToString(minor, nameBuffer, &nameString);
192 if (GSS_ERROR(major))
195 *minor = krb5_parse_name(krbContext, nameString, &krbPrinc);
197 GSSEAP_FREE(nameString);
198 return GSS_S_FAILURE;
201 major = krbPrincipalToName(minor, &krbPrinc, pName);
202 if (GSS_ERROR(major)) {
203 krb5_free_principal(krbContext, krbPrinc);
206 GSSEAP_FREE(nameString);
211 importExportedName(OM_uint32 *minor,
212 const gss_buffer_t nameBuffer,
215 OM_uint32 major, tmpMinor;
216 krb5_context krbContext;
222 GSSEAP_KRB_INIT(&krbContext);
224 p = (unsigned char *)nameBuffer->value;
225 remain = nameBuffer->length;
227 if (remain < 6 + GSS_EAP_MECHANISM->length + 4)
228 return GSS_S_BAD_NAME;
231 return GSS_S_BAD_NAME;
240 return GSS_S_BAD_NAME;
245 len = load_uint16_be(p);
246 if (len != 2 + GSS_EAP_MECHANISM->length)
247 return GSS_S_BAD_NAME;
252 return GSS_S_BAD_NAME;
253 if (*p++ != GSS_EAP_MECHANISM->length)
254 return GSS_S_BAD_MECH;
257 if (memcmp(p, GSS_EAP_MECHANISM->elements, GSS_EAP_MECHANISM->length))
258 return GSS_S_BAD_MECH;
259 p += GSS_EAP_MECHANISM->length;
260 remain -= GSS_EAP_MECHANISM->length;
262 len = load_uint32_be(p);
266 return GSS_S_BAD_NAME;
274 if (composite == 0 && remain != 0)
275 return GSS_S_BAD_NAME;
277 major = importUserName(minor, &buf, pName);
278 if (GSS_ERROR(major))
281 /* XXX TODO composite handling */
283 return GSS_S_COMPLETE;
286 OM_uint32 gssEapImportName(OM_uint32 *minor,
287 const gss_buffer_t nameBuffer,
291 OM_uint32 major, tmpMinor;
293 *name = GSS_C_NO_NAME;
295 if (nameType == GSS_C_NULL_OID ||
296 oidEqual(nameType, GSS_C_NT_USER_NAME) ||
297 oidEqual(nameType, GSS_EAP_NT_PRINCIPAL_NAME))
298 major = importUserName(minor, nameBuffer, name);
299 else if (oidEqual(nameType, GSS_C_NT_HOSTBASED_SERVICE) ||
300 oidEqual(nameType, GSS_C_NT_HOSTBASED_SERVICE_X))
301 major = importServiceName(minor, nameBuffer, name);
302 else if (oidEqual(nameType, GSS_C_NT_EXPORT_NAME))
303 major = importExportedName(minor, nameBuffer, name);
305 major = GSS_S_BAD_NAMETYPE;
307 if (GSS_ERROR(major))
308 gssEapReleaseName(&tmpMinor, name);
313 OM_uint32 gssEapExportName(OM_uint32 *minor,
314 const gss_name_t name,
315 gss_buffer_t exportedName,
318 OM_uint32 major, tmpMinor;
319 krb5_context krbContext;
320 char *krbName = NULL;
324 exportedName->length = 0;
325 exportedName->value = NULL;
327 GSSEAP_KRB_INIT(&krbContext);
329 if (name == GSS_C_NO_NAME) {
331 return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
334 GSSEAP_MUTEX_LOCK(&name->mutex);
337 * Don't export a composite name if we don't have any attributes.
340 (name->flags & (NAME_FLAG_SAML | NAME_FLAG_RADIUS)) == 0) {
344 *minor = krb5_unparse_name(krbContext, name->krbPrincipal, &krbName);
346 major = GSS_S_FAILURE;
349 krbNameLen = strlen(krbName);
351 exportedName->length = 6 + GSS_EAP_MECHANISM->length + 4 + krbNameLen;
353 /* TODO: export SAML/AVP, this is pending specification */
354 GSSEAP_NOT_IMPLEMENTED;
357 exportedName->value = GSSEAP_MALLOC(exportedName->length);
358 if (exportedName->value == NULL) {
360 major = GSS_S_FAILURE;
364 p = (unsigned char *)exportedName->value;
371 store_uint16_be(GSS_EAP_MECHANISM->length + 2, p);
374 *p++ = GSS_EAP_MECHANISM->length & 0xff;
375 memcpy(p, GSS_EAP_MECHANISM->elements, GSS_EAP_MECHANISM->length);
376 p += GSS_EAP_MECHANISM->length;
378 store_uint32_be(krbNameLen, p);
380 memcpy(p, krbName, krbNameLen);
384 major = GSS_S_COMPLETE;
387 GSSEAP_MUTEX_UNLOCK(&name->mutex);
388 if (GSS_ERROR(major))
389 gss_release_buffer(&tmpMinor, exportedName);
390 krb5_free_unparsed_name(krbContext, krbName);