2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * RADIUS attribute provider implementation.
37 #include "gssapiP_eap.h"
39 #include <xercesc/util/Base64.hpp>
41 /* stuff that should be provided by libradsec/libfreeradius-radius */
42 #define VENDORATTR(vendor, attr) (((vendor) << 16) | (attr))
45 #define ATTRID(attr) ((attr) & 0xFFFF)
48 static gss_buffer_desc radiusUrnPrefix = {
49 sizeof("urn:x-radius:") - 1,
50 (void *)"urn:x-radius:"
53 static VALUE_PAIR *copyAvps(const VALUE_PAIR *src);
55 gss_eap_radius_attr_provider::gss_eap_radius_attr_provider(void)
58 m_authenticated = false;
61 gss_eap_radius_attr_provider::~gss_eap_radius_attr_provider(void)
68 gss_eap_radius_attr_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
69 const gss_eap_attr_provider *ctx)
71 const gss_eap_radius_attr_provider *radius;
73 if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
76 radius = static_cast<const gss_eap_radius_attr_provider *>(ctx);
78 if (radius->m_vps != NULL)
79 m_vps = copyAvps(const_cast<VALUE_PAIR *>(radius->getAvps()));
81 m_authenticated = radius->m_authenticated;
87 gss_eap_radius_attr_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
88 const gss_cred_id_t gssCred,
89 const gss_ctx_id_t gssCtx)
91 if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
94 if (gssCtx != GSS_C_NO_CONTEXT) {
95 if (gssCtx->acceptorCtx.vps != NULL) {
96 m_vps = copyAvps(gssCtx->acceptorCtx.vps);
100 /* We assume libradsec validated this for us */
101 assert(pairfind(m_vps, PW_MESSAGE_AUTHENTICATOR) != NULL);
102 m_authenticated = true;
110 alreadyAddedAttributeP(std::vector <std::string> &attrs, VALUE_PAIR *vp)
112 for (std::vector<std::string>::const_iterator a = attrs.begin();
115 if (strcmp(vp->name, (*a).c_str()) == 0)
123 isSecretAttributeP(uint16_t attrid, uint16_t vendor)
125 bool bSecretAttribute = false;
130 case PW_MS_MPPE_SEND_KEY:
131 case PW_MS_MPPE_RECV_KEY:
132 bSecretAttribute = true;
141 return bSecretAttribute;
145 isSecretAttributeP(uint32_t attribute)
147 return isSecretAttributeP(ATTRID(attribute), VENDOR(attribute));
151 isInternalAttributeP(uint16_t attrid, uint16_t vendor)
153 bool bInternalAttribute = false;
155 /* should have been filtered */
156 assert(!isSecretAttributeP(attrid, vendor));
159 case VENDORPEC_UKERNA:
160 bInternalAttribute = true;
166 return bInternalAttribute;
170 isInternalAttributeP(uint32_t attribute)
172 return isInternalAttributeP(ATTRID(attribute), VENDOR(attribute));
176 * Copy AVP list, same as paircopy except it filters out attributes
180 copyAvps(const VALUE_PAIR *src)
182 const VALUE_PAIR *vp;
183 VALUE_PAIR *dst = NULL, **pDst = &dst;
185 for (vp = src; vp != NULL; vp = vp->next) {
188 if (isSecretAttributeP(vp->attribute))
191 vpcopy = paircopyvp(vp);
192 if (vpcopy == NULL) {
194 throw new std::bad_alloc;
198 pDst = &vpcopy->next;
205 gss_eap_radius_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
209 std::vector <std::string> seen;
211 for (vp = m_vps; vp != NULL; vp = vp->next) {
212 gss_buffer_desc attribute;
215 /* Don't advertise attributes that are internal to the GSS-EAP mechanism */
216 if (isInternalAttributeP(vp->attribute))
219 if (alreadyAddedAttributeP(seen, vp))
222 snprintf(attrid, sizeof(attrid), "%s%d",
223 (char *)radiusUrnPrefix.value, vp->attribute);
225 attribute.value = attrid;
226 attribute.length = strlen(attrid);
228 if (!addAttribute(this, &attribute, data))
231 seen.push_back(std::string(vp->name));
238 getAttributeId(const gss_buffer_t attr)
241 gss_buffer_desc strAttr = GSS_C_EMPTY_BUFFER;
246 if (attr->length < radiusUrnPrefix.length ||
247 memcmp(attr->value, radiusUrnPrefix.value, radiusUrnPrefix.length) != 0)
250 /* need to duplicate because attr may not be NUL terminated */
251 duplicateBuffer(*attr, &strAttr);
252 s = (char *)strAttr.value + radiusUrnPrefix.length;
255 attrid = strtoul(s, NULL, 10);
257 da = dict_attrbyname(s);
262 gss_release_buffer(&tmpMinor, &strAttr);
268 gss_eap_radius_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
270 const gss_buffer_t value)
272 OM_uint32 major = GSS_S_UNAVAILABLE, minor;
274 if (!isSecretAttributeP(attrid) &&
275 !isInternalAttributeP(attrid)) {
276 deleteAttribute(attrid);
278 major = gssEapRadiusAddAvp(&minor, &m_vps,
279 ATTRID(attrid), VENDOR(attrid),
283 return !GSS_ERROR(major);
287 gss_eap_radius_attr_provider::setAttribute(int complete,
288 const gss_buffer_t attr,
289 const gss_buffer_t value)
291 uint32_t attrid = getAttributeId(attr);
296 return setAttribute(complete, attrid, value);
300 gss_eap_radius_attr_provider::deleteAttribute(uint32_t attrid)
302 if (isSecretAttributeP(attrid) || isInternalAttributeP(attrid) ||
303 pairfind(m_vps, attrid) == NULL)
306 pairdelete(&m_vps, attrid);
312 gss_eap_radius_attr_provider::deleteAttribute(const gss_buffer_t attr)
314 uint32_t attrid = getAttributeId(attr);
319 return deleteAttribute(attrid);
323 gss_eap_radius_attr_provider::getAttribute(const gss_buffer_t attr,
327 gss_buffer_t display_value,
332 attrid = getAttributeId(attr);
336 return getAttribute(attrid, authenticated, complete,
337 value, display_value, more);
341 gss_eap_radius_attr_provider::getAttribute(uint32_t attrid,
345 gss_buffer_t display_value,
349 int i = *more, count = 0;
356 for (vp = pairfind(m_vps, attrid);
358 vp = pairfind(vp->next, attrid)) {
360 if (pairfind(vp->next, attrid) != NULL)
366 if (vp == NULL && *more == 0)
369 if (value != GSS_C_NO_BUFFER) {
370 gss_buffer_desc valueBuf;
372 valueBuf.value = (void *)vp->vp_octets;
373 valueBuf.length = vp->length;
375 duplicateBuffer(valueBuf, value);
378 if (display_value != GSS_C_NO_BUFFER) {
379 char displayString[MAX_STRING_LEN];
380 gss_buffer_desc displayBuf;
382 displayBuf.length = vp_prints_value(displayString,
383 sizeof(displayString), vp, 0);
384 displayBuf.value = (void *)displayString;
386 duplicateBuffer(displayBuf, display_value);
389 if (authenticated != NULL)
390 *authenticated = m_authenticated;
391 if (complete != NULL)
398 gss_eap_radius_attr_provider::getFragmentedAttribute(uint16_t attribute,
402 gss_buffer_t value) const
404 OM_uint32 major, minor;
406 major = gssEapRadiusGetAvp(&minor, m_vps, attribute, vendor, value, TRUE);
408 if (authenticated != NULL)
409 *authenticated = m_authenticated;
410 if (complete != NULL)
413 return !GSS_ERROR(major);
417 gss_eap_radius_attr_provider::getAttribute(uint16_t attribute,
422 gss_buffer_t display_value,
426 return getAttribute(VENDORATTR(attribute, vendor),
427 authenticated, complete,
428 value, display_value, more);
432 gss_eap_radius_attr_provider::mapToAny(int authenticated,
433 gss_buffer_t type_id GSSEAP_UNUSED) const
435 if (authenticated && !m_authenticated)
436 return (gss_any_t)NULL;
438 return (gss_any_t)copyAvps(m_vps);
442 gss_eap_radius_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
443 gss_any_t input) const
445 VALUE_PAIR *vp = (VALUE_PAIR *)input;
450 gss_eap_radius_attr_provider::init(void)
452 struct rs_context *radContext;
454 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS,
455 "urn:ietf:params:gss-eap:radius-avp",
460 * This hack is necessary in order to force the loading of the global
461 * dictionary, otherwise accepting reauthentication tokens fails unless
462 * the acceptor has already accepted a normal authentication token.
464 if (rs_context_create(&radContext) != 0)
467 if (rs_context_read_config(radContext, RS_CONFIG_FILE) != 0) {
468 rs_context_destroy(radContext);
472 if (rs_context_init_freeradius_dict(radContext, NULL)) {
473 rs_context_destroy(radContext);
477 rs_context_destroy(radContext);
484 gss_eap_radius_attr_provider::finalize(void)
486 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_RADIUS);
489 gss_eap_attr_provider *
490 gss_eap_radius_attr_provider::createAttrContext(void)
492 return new gss_eap_radius_attr_provider;
496 gssEapRadiusAddAvp(OM_uint32 *minor,
500 const gss_buffer_t buffer)
502 uint32_t attrid = VENDORATTR(vendor, attribute);
503 unsigned char *p = (unsigned char *)buffer->value;
504 size_t remain = buffer->length;
511 * There's an extra byte of padding; RADIUS AVPs can only
514 if (n >= MAX_STRING_LEN)
515 n = MAX_STRING_LEN - 1;
517 vp = paircreate(attrid, PW_TYPE_OCTETS);
520 return GSS_S_FAILURE;
523 memcpy(vp->vp_octets, p, n);
530 } while (remain != 0);
532 return GSS_S_COMPLETE;
536 gssEapRadiusGetRawAvp(OM_uint32 *minor,
542 uint32_t attr = VENDORATTR(vendor, attribute);
544 *vp = pairfind(vps, attr);
546 *minor = GSSEAP_NO_SUCH_ATTR;
547 return GSS_S_UNAVAILABLE;
550 return GSS_S_COMPLETE;
554 gssEapRadiusGetAvp(OM_uint32 *minor,
563 uint32_t attr = VENDORATTR(vendor, attribute);
566 buffer->value = NULL;
568 vp = pairfind(vps, attr);
570 *minor = GSSEAP_NO_SUCH_ATTR;
571 return GSS_S_UNAVAILABLE;
575 buffer->length += vp->length;
576 } while (concat && (vp = pairfind(vp->next, attr)) != NULL);
578 buffer->value = GSSEAP_MALLOC(buffer->length);
579 if (buffer->value == NULL) {
581 return GSS_S_FAILURE;
584 p = (unsigned char *)buffer->value;
586 for (vp = pairfind(vps, attr);
587 concat && vp != NULL;
588 vp = pairfind(vp->next, attr)) {
589 memcpy(p, vp->vp_octets, vp->length);
594 return GSS_S_COMPLETE;
598 gssEapRadiusFreeAvps(OM_uint32 *minor,
603 return GSS_S_COMPLETE;
607 gssEapRadiusAttrProviderInit(OM_uint32 *minor)
609 if (!gss_eap_radius_attr_provider::init()) {
610 *minor = GSSEAP_RADSEC_INIT_FAILURE;
611 return GSS_S_FAILURE;
614 return GSS_S_COMPLETE;
618 gssEapRadiusAttrProviderFinalize(OM_uint32 *minor)
620 gss_eap_radius_attr_provider::finalize();
623 return GSS_S_COMPLETE;
627 avpMarshall(const VALUE_PAIR *vp)
631 obj.addmember("type").integer(vp->attribute);
633 assert(vp->length <= MAX_STRING_LEN);
636 case PW_TYPE_INTEGER:
639 obj.addmember("value").integer(vp->lvalue);
642 obj.addmember("value").string(vp->vp_strvalue);
646 XMLByte *b64 = xercesc::Base64::encode(vp->vp_octets, vp->length, &len);
648 if (b64[len - 1] == '\n')
649 b64[--len] = '\0'; /* XXX there may be embedded newlines */
651 obj.addmember("value").string((char *)b64);
661 avpUnmarshall(VALUE_PAIR **pVp, DDF &obj)
663 VALUE_PAIR *vp = NULL;
667 attrid = obj["type"].integer();
669 da = dict_attrbyvalue(attrid);
673 vp = paircreate(attrid, PW_TYPE_STRING);
676 throw new std::bad_alloc;
681 case PW_TYPE_INTEGER:
685 vp->lvalue = obj["value"].integer();;
687 case PW_TYPE_STRING: {
688 const char *str = obj["value"].string();
689 size_t len = strlen(str);
690 if (str == NULL || len >= MAX_STRING_LEN)
694 memcpy(vp->vp_strvalue, str, len + 1);
700 const XMLByte *b64 = (const XMLByte *)obj["value"].string();
701 XMLByte *data = xercesc::Base64::decode(b64, &len);
702 if (data == NULL || len >= MAX_STRING_LEN) {
708 memcpy(vp->vp_octets, data, len);
709 vp->vp_octets[len] = '\0';
727 gss_eap_radius_attr_provider::marshallingKey(void) const
733 gss_eap_radius_attr_provider::unmarshallAndInit(const gss_eap_attr_ctx *ctx,
736 VALUE_PAIR **pNext = &m_vps;
738 if (!gss_eap_attr_provider::unmarshallAndInit(ctx, obj))
741 DDF attrs = obj["attributes"];
742 DDF attr = attrs.first();
744 while (!attr.isnull()) {
747 if (!avpUnmarshall(&vp, attr))
760 gss_eap_radius_attr_provider::marshall(void) const
763 DDF attrs = obj.structure().addmember("attributes").list();
765 for (VALUE_PAIR *vp = m_vps; vp != NULL; vp = vp->next) {
766 DDF attr = avpMarshall(vp);
774 gss_eap_radius_attr_provider::getExpiryTime(void) const
778 vp = pairfind(m_vps, PW_SESSION_TIMEOUT);
779 if (vp == NULL || vp->lvalue == 0)
782 return time(NULL) + vp->lvalue;
786 gssEapRadiusMapError(OM_uint32 *minor,
787 struct rs_error *err)
793 code = rs_err_code(err, 0);
795 if (code == RSE_OK) {
797 return GSS_S_COMPLETE;
800 *minor = ERROR_TABLE_BASE_rse + code;
802 gssEapSaveStatusInfo(*minor, "%s", rs_err_msg(err));
805 return GSS_S_FAILURE;
projects / moonshot.git / blob