moonshot/mech_eap/util.h

   1 /*
   2  * Copyright (c) 2011, JANET(UK)
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * 3. Neither the name of JANET(UK) nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32 /*
  33  * Portions Copyright 2003-2010 Massachusetts Institute of Technology.
  34  * All Rights Reserved.
  35  *
  36  * Export of this software from the United States of America may
  37  *   require a specific license from the United States Government.
  38  *   It is the responsibility of any person or organization contemplating
  39  *   export to obtain such a license before exporting.
  40  *
  41  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  42  * distribute this software and its documentation for any purpose and
  43  * without fee is hereby granted, provided that the above copyright
  44  * notice appear in all copies and that both that copyright notice and
  45  * this permission notice appear in supporting documentation, and that
  46  * the name of M.I.T. not be used in advertising or publicity pertaining
  47  * to distribution of the software without specific, written prior
  48  * permission.  Furthermore if you modify this software you must label
  49  * your software as modified software and not distribute it in such a
  50  * fashion that it might be confused with the original M.I.T. software.
  51  * M.I.T. makes no representations about the suitability of
  52  * this software for any purpose.  It is provided "as is" without express
  53  * or implied warranty.
  54  *
  55  */
  56
  57 /*
  58  * Utility functions.
  59  */
  60
  61 #ifndef _UTIL_H_
  62 #define _UTIL_H_ 1
  63
  64 #include <sys/param.h>
  65 #include <string.h>
  66 #include <errno.h>
  67
  68 #include <krb5.h>
  69
  70 #ifdef __cplusplus
  71 extern "C" {
  72 #endif
  73
  74 #ifndef MIN
  75 #define MIN(_a,_b)  ((_a)<(_b)?(_a):(_b))
  76 #endif
  77
  78 #if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
  79 #define GSSEAP_UNUSED __attribute__ ((__unused__))
  80 #else
  81 #define GSSEAP_UNUSED
  82 #endif
  83
  84 /* util_buffer.c */
  85 OM_uint32
  86 makeStringBuffer(OM_uint32 *minor,
  87                  const char *string,
  88                  gss_buffer_t buffer);
  89
  90 OM_uint32
  91 bufferToString(OM_uint32 *minor,
  92                const gss_buffer_t buffer,
  93                char **pString);
  94
  95 OM_uint32
  96 duplicateBuffer(OM_uint32 *minor,
  97                 const gss_buffer_t src,
  98                 gss_buffer_t dst);
  99
 100 static inline int
 101 bufferEqual(const gss_buffer_t b1, const gss_buffer_t b2)
 102 {
 103     return (b1->length == b2->length &&
 104             memcmp(b1->value, b2->value, b2->length) == 0);
 105 }
 106
 107 static inline int
 108 bufferEqualString(const gss_buffer_t b1, const char *s)
 109 {
 110     gss_buffer_desc b2;
 111
 112     b2.length = strlen(s);
 113     b2.value = (char *)s;
 114
 115     return bufferEqual(b1, &b2);
 116 }
 117
 118 /* util_cksum.c */
 119 int
 120 gssEapSign(krb5_context context,
 121            krb5_cksumtype type,
 122            size_t rrc,
 123 #ifdef HAVE_HEIMDAL_VERSION
 124            krb5_crypto crypto,
 125 #else
 126            krb5_keyblock *key,
 127 #endif
 128            krb5_keyusage sign_usage,
 129            gss_iov_buffer_desc *iov,
 130            int iov_count);
 131
 132 int
 133 gssEapVerify(krb5_context context,
 134              krb5_cksumtype type,
 135              size_t rrc,
 136 #ifdef HAVE_HEIMDAL_VERSION
 137              krb5_crypto crypto,
 138 #else
 139              krb5_keyblock *key,
 140 #endif
 141              krb5_keyusage sign_usage,
 142              gss_iov_buffer_desc *iov,
 143              int iov_count,
 144              int *valid);
 145
 146 #if 0
 147 OM_uint32
 148 gssEapEncodeGssChannelBindings(OM_uint32 *minor,
 149                                gss_channel_bindings_t chanBindings,
 150                                gss_buffer_t encodedBindings);
 151 #endif
 152
 153 /* util_context.c */
 154 #define EAP_EXPORT_CONTEXT_V1           1
 155
 156 enum gss_eap_token_type {
 157     TOK_TYPE_NONE                    = 0x0000,  /* no token */
 158     TOK_TYPE_MIC                     = 0x0404,  /* RFC 4121 MIC token */
 159     TOK_TYPE_WRAP                    = 0x0504,  /* RFC 4121 wrap token */
 160     TOK_TYPE_EXPORT_NAME             = 0x0401,  /* RFC 2743 exported name */
 161     TOK_TYPE_EXPORT_NAME_COMPOSITE   = 0x0402,  /* exported composite name */
 162     TOK_TYPE_DELETE_CONTEXT          = 0x0405,  /* RFC 2743 delete context */
 163     TOK_TYPE_INITIATOR_CONTEXT       = 0x0601,  /* initiator-sent context token */
 164     TOK_TYPE_ACCEPTOR_CONTEXT        = 0x0602,  /* acceptor-sent context token */
 165 };
 166
 167 struct gss_eap_itok_map {
 168     OM_uint32 type;                             /* inner token type */
 169     OM_uint32 flag;                             /* context flag */
 170 };
 171
 172 /* inner token types and flags */
 173 #define ITOK_TYPE_NONE                      0x00000000
 174 #define ITOK_TYPE_CONTEXT_ERR               0x00000001 /* critical */
 175 #define ITOK_TYPE_ACCEPTOR_NAME_REQ         0x00000002 /* TBD */
 176 #define ITOK_TYPE_ACCEPTOR_NAME_RESP        0x00000003 /* TBD */
 177 #define ITOK_TYPE_EAP_RESP                  0x00000004 /* critical, required, if not reauth */
 178 #define ITOK_TYPE_EAP_REQ                   0x00000005 /* critical, required, if not reauth */
 179 #define ITOK_TYPE_GSS_CHANNEL_BINDINGS      0x00000006 /* optional */
 180 #define ITOK_TYPE_REAUTH_CREDS              0x00000007 /* optional */
 181 #define ITOK_TYPE_REAUTH_REQ                0x00000008 /* optional */
 182 #define ITOK_TYPE_REAUTH_RESP               0x00000009 /* optional */
 183 #define ITOK_TYPE_GSS_FLAGS                 0x0000000A /* optional */
 184 #define ITOK_TYPE_INITIATOR_MIC             0x0000000B /* required */
 185 #define ITOK_TYPE_ACCEPTOR_MIC              0x0000000C /* required */
 186 #define ITOK_TYPE_SUPPORTED_ACCEPTOR_EXTS   0x0000000D /* optional */
 187 #define ITOK_TYPE_SUPPORTED_INITIATOR_EXTS  0x0000000E /* optional */
 188
 189 /* experimental */
 190 #define ITOK_TYPE_VERSION_INFO              0x00000080 /* optional */
 191 #define ITOK_TYPE_VENDOR_INFO               0x00000081 /* optional */
 192
 193 #define ITOK_FLAG_CRITICAL                  0x80000000  /* critical, wire flag */
 194 #define ITOK_FLAG_VERIFIED                  0x40000000  /* verified, API flag */
 195
 196 #define ITOK_TYPE_MASK                      (~(ITOK_FLAG_CRITICAL | ITOK_FLAG_VERIFIED))
 197
 198 #define ITOK_HEADER_LENGTH                  8           /* type || length */
 199
 200 #define GSSEAP_WIRE_FLAGS_MASK              ( GSS_C_MUTUAL_FLAG )
 201
 202 OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
 203 OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
 204
 205 OM_uint32
 206 gssEapContextTime(OM_uint32 *minor,
 207                   gss_ctx_id_t context_handle,
 208                   OM_uint32 *time_rec);
 209
 210 OM_uint32
 211 gssEapGetConversationMIC(OM_uint32 *minor,
 212                          gss_ctx_id_t ctx,
 213                          gss_buffer_t convMIC);
 214
 215 OM_uint32
 216 gssEapVerifyConversationMIC(OM_uint32 *minor,
 217                             gss_ctx_id_t ctx,
 218                             const gss_buffer_t convMIC);
 219
 220 OM_uint32
 221 gssEapMakeTokenChannelBindings(OM_uint32 *minor,
 222                                gss_ctx_id_t ctx,
 223                                gss_channel_bindings_t userBindings,
 224                                gss_buffer_t inputToken,
 225                                gss_channel_bindings_t wireBindings);
 226
 227 /* util_cred.c */
 228 extern const gss_OID_desc gssEapPasswordCredType;
 229
 230 OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
 231 OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
 232
 233 OM_uint32
 234 gssEapAcquireCred(OM_uint32 *minor,
 235                   const gss_name_t desiredName,
 236                   gss_const_OID credType,
 237                   const void *credData,
 238                   OM_uint32 timeReq,
 239                   const gss_OID_set desiredMechs,
 240                   int cred_usage,
 241                   gss_cred_id_t *pCred,
 242                   gss_OID_set *pActualMechs,
 243                   OM_uint32 *timeRec);
 244
 245 int gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech);
 246
 247 OM_uint32
 248 gssEapInquireCred(OM_uint32 *minor,
 249                   gss_cred_id_t cred,
 250                   gss_name_t *name,
 251                   OM_uint32 *pLifetime,
 252                   gss_cred_usage_t *cred_usage,
 253                   gss_OID_set *mechanisms);
 254
 255 /* util_crypt.c */
 256 int
 257 gssEapEncrypt(krb5_context context, int dce_style, size_t ec,
 258               size_t rrc,
 259 #ifdef HAVE_HEIMDAL_VERSION
 260               krb5_crypto crypto,
 261 #else
 262               krb5_keyblock *key,
 263 #endif
 264               int usage,
 265               gss_iov_buffer_desc *iov, int iov_count);
 266
 267 int
 268 gssEapDecrypt(krb5_context context, int dce_style, size_t ec,
 269               size_t rrc,
 270 #ifdef HAVE_HEIMDAL_VERSION
 271               krb5_crypto crypto,
 272 #else
 273               krb5_keyblock *key,
 274 #endif
 275               int usage,
 276               gss_iov_buffer_desc *iov, int iov_count);
 277
 278 int
 279 gssEapMapCryptoFlag(OM_uint32 type);
 280
 281 gss_iov_buffer_t
 282 gssEapLocateIov(gss_iov_buffer_desc *iov,
 283                 int iov_count,
 284                 OM_uint32 type);
 285
 286 void
 287 gssEapIovMessageLength(gss_iov_buffer_desc *iov,
 288                        int iov_count,
 289                        size_t *data_length,
 290                        size_t *assoc_data_length);
 291
 292 void
 293 gssEapReleaseIov(gss_iov_buffer_desc *iov, int iov_count);
 294
 295 int
 296 gssEapIsIntegrityOnly(gss_iov_buffer_desc *iov, int iov_count);
 297
 298 int
 299 gssEapAllocIov(gss_iov_buffer_t iov, size_t size);
 300
 301 OM_uint32
 302 gssEapDeriveRfc3961Key(OM_uint32 *minor,
 303                        const unsigned char *key,
 304                        size_t keyLength,
 305                        krb5_enctype enctype,
 306                        krb5_keyblock *pKey);
 307
 308 /* util_krb.c */
 309 #ifdef HAVE_HEIMDAL_VERSION
 310
 311 #define KRB_TIME_FOREVER        ((time_t)~0L)
 312
 313 #define KRB_KEY_TYPE(key)       ((key)->keytype)
 314 #define KRB_KEY_DATA(key)       ((key)->keyvalue.data)
 315 #define KRB_KEY_LENGTH(key)     ((key)->keyvalue.length)
 316
 317 #define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len)
 318 #define KRB_PRINC_TYPE(princ)   ((princ)->name.name_type)
 319 #define KRB_PRINC_NAME(princ)   ((princ)->name.name_string.val)
 320 #define KRB_PRINC_REALM(princ)  ((princ)->realm)
 321
 322 #define KRB_KT_ENT_KEYBLOCK(e)  (&(e)->keyblock)
 323 #define KRB_KT_ENT_FREE(c, e)   krb5_kt_free_entry((c), (e))
 324
 325 #define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto)
 326
 327 #else
 328
 329 #define KRB_TIME_FOREVER        KRB5_INT32_MAX
 330
 331 #define KRB_KEY_TYPE(key)       ((key)->enctype)
 332 #define KRB_KEY_DATA(key)       ((key)->contents)
 333 #define KRB_KEY_LENGTH(key)     ((key)->length)
 334
 335 #define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ)))
 336 #define KRB_PRINC_TYPE(princ)   (krb5_princ_type(NULL, (princ)))
 337 #define KRB_PRINC_NAME(princ)   (krb5_princ_name(NULL, (princ)))
 338 #define KRB_PRINC_REALM(princ)  (krb5_princ_realm(NULL, (princ)))
 339
 340 #define KRB_KT_ENT_KEYBLOCK(e)  (&(e)->key)
 341 #define KRB_KT_ENT_FREE(c, e)   krb5_free_keytab_entry_contents((c), (e))
 342
 343 #define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key)
 344
 345 #endif /* HAVE_HEIMDAL_VERSION */
 346
 347 #define KRB_KEY_INIT(key)       do {        \
 348         KRB_KEY_TYPE(key) = ENCTYPE_NULL;   \
 349         KRB_KEY_DATA(key) = NULL;           \
 350         KRB_KEY_LENGTH(key) = 0;            \
 351     } while (0)
 352
 353 #define GSSEAP_KRB_INIT(ctx) do {                   \
 354         OM_uint32 tmpMajor;                         \
 355                                                     \
 356         tmpMajor  = gssEapKerberosInit(minor, ctx); \
 357         if (GSS_ERROR(tmpMajor)) {                  \
 358             return tmpMajor;                        \
 359         }                                           \
 360     } while (0)
 361
 362 OM_uint32
 363 gssEapKerberosInit(OM_uint32 *minor, krb5_context *context);
 364
 365 OM_uint32
 366 rfc3961ChecksumTypeForKey(OM_uint32 *minor,
 367                           krb5_keyblock *key,
 368                           krb5_cksumtype *cksumtype);
 369
 370 krb5_error_code
 371 krbCryptoLength(krb5_context krbContext,
 372 #ifdef HAVE_HEIMDAL_VERSION
 373                 krb5_crypto krbCrypto,
 374 #else
 375                 krb5_keyblock *key,
 376 #endif
 377                 int type,
 378                 size_t *length);
 379
 380 krb5_error_code
 381 krbPaddingLength(krb5_context krbContext,
 382 #ifdef HAVE_HEIMDAL_VERSION
 383                  krb5_crypto krbCrypto,
 384 #else
 385                  krb5_keyblock *key,
 386 #endif
 387                  size_t dataLength,
 388                  size_t *padLength);
 389
 390 krb5_error_code
 391 krbBlockSize(krb5_context krbContext,
 392 #ifdef HAVE_HEIMDAL_VERSION
 393                  krb5_crypto krbCrypto,
 394 #else
 395                  krb5_keyblock *key,
 396 #endif
 397                  size_t *blockSize);
 398
 399 krb5_error_code
 400 krbEnctypeToString(krb5_context krbContext,
 401                    krb5_enctype enctype,
 402                    const char *prefix,
 403                    gss_buffer_t string);
 404
 405 krb5_error_code
 406 krbMakeAuthDataKdcIssued(krb5_context context,
 407                          const krb5_keyblock *key,
 408                          krb5_const_principal issuer,
 409 #ifdef HAVE_HEIMDAL_VERSION
 410                          const AuthorizationData *authdata,
 411                          AuthorizationData *adKdcIssued
 412 #else
 413                          krb5_authdata *const *authdata,
 414                          krb5_authdata ***adKdcIssued
 415 #endif
 416                          );
 417
 418 krb5_error_code
 419 krbMakeCred(krb5_context context,
 420             krb5_auth_context authcontext,
 421             krb5_creds *creds,
 422             krb5_data *data);
 423
 424 /* util_lucid.c */
 425 OM_uint32
 426 gssEapExportLucidSecContext(OM_uint32 *minor,
 427                             gss_ctx_id_t ctx,
 428                             const gss_OID desiredObject,
 429                             gss_buffer_set_t *data_set);
 430
 431 /* util_mech.c */
 432 extern gss_OID GSS_EAP_MECHANISM;
 433
 434 #define OID_FLAG_NULL_VALID                 0x00000001
 435 #define OID_FLAG_FAMILY_MECH_VALID          0x00000002
 436 #define OID_FLAG_MAP_NULL_TO_DEFAULT_MECH   0x00000004
 437 #define OID_FLAG_MAP_FAMILY_MECH_TO_NULL    0x00000008
 438
 439 OM_uint32
 440 gssEapCanonicalizeOid(OM_uint32 *minor,
 441                       const gss_OID oid,
 442                       OM_uint32 flags,
 443                       gss_OID *pOid);
 444
 445 OM_uint32
 446 gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid);
 447
 448 OM_uint32
 449 gssEapDefaultMech(OM_uint32 *minor,
 450                   gss_OID *oid);
 451
 452 OM_uint32
 453 gssEapIndicateMechs(OM_uint32 *minor,
 454                     gss_OID_set *mechs);
 455
 456 OM_uint32
 457 gssEapEnctypeToOid(OM_uint32 *minor,
 458                    krb5_enctype enctype,
 459                    gss_OID *pOid);
 460
 461 OM_uint32
 462 gssEapOidToEnctype(OM_uint32 *minor,
 463                    const gss_OID oid,
 464                    krb5_enctype *enctype);
 465
 466 int
 467 gssEapIsMechanismOid(const gss_OID oid);
 468
 469 int
 470 gssEapIsConcreteMechanismOid(const gss_OID oid);
 471
 472 OM_uint32
 473 gssEapValidateMechs(OM_uint32 *minor,
 474                    const gss_OID_set mechs);
 475
 476 gss_buffer_t
 477 gssEapOidToSaslName(const gss_OID oid);
 478
 479 gss_OID
 480 gssEapSaslNameToOid(const gss_buffer_t name);
 481
 482 /* util_name.c */
 483 #define EXPORT_NAME_FLAG_OID                    0x1
 484 #define EXPORT_NAME_FLAG_COMPOSITE              0x2
 485 #define EXPORT_NAME_FLAG_ALLOW_COMPOSITE        0x4
 486
 487 OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName);
 488 OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName);
 489 OM_uint32 gssEapExportName(OM_uint32 *minor,
 490                            const gss_name_t name,
 491                            gss_buffer_t exportedName);
 492 OM_uint32 gssEapExportNameInternal(OM_uint32 *minor,
 493                                    const gss_name_t name,
 494                                    gss_buffer_t exportedName,
 495                                    OM_uint32 flags);
 496 OM_uint32 gssEapImportName(OM_uint32 *minor,
 497                            const gss_buffer_t input_name_buffer,
 498                            const gss_OID input_name_type,
 499                            const gss_OID input_mech_type,
 500                            gss_name_t *output_name);
 501 OM_uint32 gssEapImportNameInternal(OM_uint32 *minor,
 502                                    const gss_buffer_t input_name_buffer,
 503                                    gss_name_t *output_name,
 504                                    OM_uint32 flags);
 505 OM_uint32
 506 gssEapDuplicateName(OM_uint32 *minor,
 507                     const gss_name_t input_name,
 508                     gss_name_t *dest_name);
 509
 510 OM_uint32
 511 gssEapCanonicalizeName(OM_uint32 *minor,
 512                        const gss_name_t input_name,
 513                        const gss_OID mech_type,
 514                        gss_name_t *dest_name);
 515
 516 OM_uint32
 517 gssEapDisplayName(OM_uint32 *minor,
 518                   gss_name_t name,
 519                   gss_buffer_t output_name_buffer,
 520                   gss_OID *output_name_type);
 521
 522 OM_uint32
 523 gssEapCompareName(OM_uint32 *minor,
 524                   gss_name_t name1,
 525                   gss_name_t name2,
 526                   int *name_equal);
 527
 528 /* util_oid.c */
 529 OM_uint32
 530 composeOid(OM_uint32 *minor_status,
 531            const char *prefix,
 532            size_t prefix_len,
 533            int suffix,
 534            gss_OID_desc *oid);
 535
 536 OM_uint32
 537 decomposeOid(OM_uint32 *minor_status,
 538              const char *prefix,
 539              size_t prefix_len,
 540              gss_OID_desc *oid,
 541              int *suffix) ;
 542
 543 OM_uint32
 544 duplicateOid(OM_uint32 *minor_status,
 545              const gss_OID_desc * const oid,
 546              gss_OID *new_oid);
 547
 548 OM_uint32
 549 duplicateOidSet(OM_uint32 *minor,
 550                 const gss_OID_set src,
 551                 gss_OID_set *dst);
 552
 553 static inline int
 554 oidEqual(const gss_OID_desc *o1, const gss_OID_desc *o2)
 555 {
 556     if (o1 == GSS_C_NO_OID)
 557         return (o2 == GSS_C_NO_OID);
 558     else if (o2 == GSS_C_NO_OID)
 559         return (o1 == GSS_C_NO_OID);
 560     else
 561         return (o1->length == o2->length &&
 562                 memcmp(o1->elements, o2->elements, o1->length) == 0);
 563 }
 564
 565 /* util_ordering.c */
 566 OM_uint32
 567 sequenceInternalize(OM_uint32 *minor,
 568                     void **vqueue,
 569                     unsigned char **buf,
 570                     size_t *lenremain);
 571
 572 OM_uint32
 573 sequenceExternalize(OM_uint32 *minor,
 574                     void *vqueue,
 575                     unsigned char **buf,
 576                     size_t *lenremain);
 577
 578 size_t
 579 sequenceSize(void *vqueue);
 580
 581 OM_uint32
 582 sequenceFree(OM_uint32 *minor, void **vqueue);
 583
 584 OM_uint32
 585 sequenceCheck(OM_uint32 *minor, void **vqueue, uint64_t seqnum);
 586
 587 OM_uint32
 588 sequenceInit(OM_uint32 *minor, void **vqueue, uint64_t seqnum,
 589              int do_replay, int do_sequence, int wide_nums);
 590
 591 /* util_sm.c */
 592 enum gss_eap_state {
 593     GSSEAP_STATE_INITIAL        = 0x01,     /* initial state */
 594     GSSEAP_STATE_AUTHENTICATE   = 0x02,     /* exchange EAP messages */
 595     GSSEAP_STATE_INITIATOR_EXTS = 0x04,     /* initiator extensions */
 596     GSSEAP_STATE_ACCEPTOR_EXTS  = 0x08,     /* acceptor extensions */
 597 #ifdef GSSEAP_ENABLE_REAUTH
 598     GSSEAP_STATE_REAUTHENTICATE = 0x10,     /* GSS reauthentication messages */
 599 #endif
 600     GSSEAP_STATE_ESTABLISHED    = 0x20,     /* context established */
 601     GSSEAP_STATE_ALL            = 0x3F
 602 };
 603
 604 #define GSSEAP_STATE_NEXT(s)    ((s) << 1)
 605
 606 #define GSSEAP_SM_STATE(ctx)                ((ctx)->state)
 607
 608 #ifdef GSSEAP_DEBUG
 609 void gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
 610 #define GSSEAP_SM_TRANSITION(ctx, state)    gssEapSmTransition((ctx), (state))
 611 #else
 612 #define GSSEAP_SM_TRANSITION(ctx, newstate)    do { (ctx)->state = (newstate); } while (0)
 613 #endif
 614
 615 #define GSSEAP_SM_TRANSITION_NEXT(ctx)      GSSEAP_SM_TRANSITION((ctx), GSSEAP_STATE_NEXT(GSSEAP_SM_STATE((ctx))))
 616
 617 /* state machine entry */
 618 struct gss_eap_sm {
 619     OM_uint32 inputTokenType;
 620     OM_uint32 outputTokenType;
 621     enum gss_eap_state validStates;
 622     OM_uint32 itokFlags;
 623     OM_uint32 (*processToken)(OM_uint32 *,
 624                               gss_cred_id_t,
 625                               gss_ctx_id_t,
 626                               gss_name_t,
 627                               gss_OID,
 628                               OM_uint32,
 629                               OM_uint32,
 630                               gss_channel_bindings_t,
 631                               gss_buffer_t,
 632                               gss_buffer_t,
 633                               OM_uint32 *);
 634 };
 635
 636 /* state machine flags, set by handler */
 637 #define SM_FLAG_SEND_TOKEN                  0x00000001  /* exit state machine, send token */
 638 #define SM_FLAG_OUTPUT_TOKEN_CRITICAL       0x00000002  /* output token is critical */
 639
 640 /* state machine flags, set by state machine */
 641 #define SM_FLAG_INPUT_TOKEN_CRITICAL        0x10000000  /* input token was critical */
 642
 643 #define SM_ITOK_FLAG_REQUIRED               0x00000001  /* received tokens must be present */
 644
 645 OM_uint32
 646 gssEapSmStep(OM_uint32 *minor,
 647              gss_cred_id_t cred,
 648              gss_ctx_id_t ctx,
 649              gss_name_t target,
 650              gss_OID mech,
 651              OM_uint32 reqFlags,
 652              OM_uint32 timeReq,
 653              gss_channel_bindings_t chanBindings,
 654              gss_buffer_t inputToken,
 655              gss_buffer_t outputToken,
 656              struct gss_eap_sm *sm,
 657              size_t smCount);
 658
 659 void
 660 gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
 661
 662 /* util_token.c */
 663 OM_uint32
 664 gssEapDecodeInnerTokens(OM_uint32 *minor,
 665                         const gss_buffer_t buffer,
 666                         gss_buffer_set_t *pExtensions,
 667                         OM_uint32 **pTypes);
 668
 669 OM_uint32
 670 gssEapRecordContextTokenHeader(OM_uint32 *minor,
 671                                gss_ctx_id_t ctx,
 672                                enum gss_eap_token_type tokType);
 673
 674 OM_uint32
 675 gssEapRecordInnerContextToken(OM_uint32 *minor,
 676                               gss_ctx_id_t ctx,
 677                               gss_buffer_t innerToken,
 678                               OM_uint32 type);
 679
 680 OM_uint32
 681 gssEapVerifyContextToken(OM_uint32 *minor,
 682                          gss_ctx_id_t ctx,
 683                          const gss_buffer_t inputToken,
 684                          enum gss_eap_token_type tokenType,
 685                          gss_buffer_t innerInputToken);
 686
 687 OM_uint32
 688 gssEapEncodeSupportedExts(OM_uint32 *minor,
 689                           OM_uint32 *types,
 690                           size_t typesCount,
 691                           gss_buffer_t outputToken);
 692
 693 OM_uint32
 694 gssEapProcessSupportedExts(OM_uint32 *minor,
 695                            gss_buffer_t inputToken,
 696                            struct gss_eap_itok_map *map,
 697                            size_t mapCount,
 698                            OM_uint32 *flags);
 699
 700 size_t
 701 tokenSize(size_t bodySize);
 702
 703 void
 704 makeTokenHeader(size_t body_size,
 705                 unsigned char **buf);
 706
 707 OM_uint32
 708 verifyTokenHeader(OM_uint32 *minor,
 709                   gss_OID mech,
 710                   size_t *body_size,
 711                   unsigned char **buf_in,
 712                   size_t toksize_in,
 713                   enum gss_eap_token_type *ret_tok_type);
 714
 715 /* Helper macros */
 716
 717 #define GSSEAP_CALLOC                   calloc
 718 #define GSSEAP_MALLOC                   malloc
 719 #define GSSEAP_FREE                     free
 720 #define GSSEAP_REALLOC                  realloc
 721
 722 #define GSSEAP_NOT_IMPLEMENTED          do {            \
 723         assert(0 && "not implemented");                 \
 724         *minor = ENOSYS;                                \
 725         return GSS_S_FAILURE;                           \
 726     } while (0)
 727
 728 #include <pthread.h>
 729
 730 #define GSSEAP_MUTEX                    pthread_mutex_t
 731 #define GSSEAP_MUTEX_INITIALIZER        PTHREAD_MUTEX_INITIALIZER
 732
 733 #define GSSEAP_MUTEX_INIT(m)            pthread_mutex_init((m), NULL)
 734 #define GSSEAP_MUTEX_DESTROY(m)         pthread_mutex_destroy((m))
 735 #define GSSEAP_MUTEX_LOCK(m)            pthread_mutex_lock((m))
 736 #define GSSEAP_MUTEX_UNLOCK(m)          pthread_mutex_unlock((m))
 737
 738 #define GSSEAP_THREAD_KEY               pthread_key_t
 739 #define GSSEAP_KEY_CREATE(k, d)         pthread_key_create((k), (d))
 740 #define GSSEAP_GETSPECIFIC(k)           pthread_getspecific((k))
 741 #define GSSEAP_SETSPECIFIC(k, d)        pthread_setspecific((k), (d))
 742
 743 #define GSSEAP_THREAD_ONCE              pthread_once_t
 744 #define GSSEAP_ONCE(o, i)               pthread_once((o), (i))
 745 #define GSSEAP_ONCE_INITIALIZER         PTHREAD_ONCE_INIT
 746
 747 /* Helper functions */
 748 static inline void
 749 store_uint16_be(uint16_t val, void *vp)
 750 {
 751     unsigned char *p = (unsigned char *)vp;
 752
 753     p[0] = (val >>  8) & 0xff;
 754     p[1] = (val      ) & 0xff;
 755 }
 756
 757 static inline uint16_t
 758 load_uint16_be(const void *cvp)
 759 {
 760     const unsigned char *p = (const unsigned char *)cvp;
 761
 762     return (p[1] | (p[0] << 8));
 763 }
 764
 765 static inline void
 766 store_uint32_be(uint32_t val, void *vp)
 767 {
 768     unsigned char *p = (unsigned char *)vp;
 769
 770     p[0] = (val >> 24) & 0xff;
 771     p[1] = (val >> 16) & 0xff;
 772     p[2] = (val >>  8) & 0xff;
 773     p[3] = (val      ) & 0xff;
 774 }
 775
 776 static inline uint32_t
 777 load_uint32_be(const void *cvp)
 778 {
 779     const unsigned char *p = (const unsigned char *)cvp;
 780
 781     return (p[3] | (p[2] << 8)
 782             | ((uint32_t) p[1] << 16)
 783             | ((uint32_t) p[0] << 24));
 784 }
 785
 786 static inline void
 787 store_uint64_be(uint64_t val, void *vp)
 788 {
 789     unsigned char *p = (unsigned char *)vp;
 790
 791     p[0] = (unsigned char)((val >> 56) & 0xff);
 792     p[1] = (unsigned char)((val >> 48) & 0xff);
 793     p[2] = (unsigned char)((val >> 40) & 0xff);
 794     p[3] = (unsigned char)((val >> 32) & 0xff);
 795     p[4] = (unsigned char)((val >> 24) & 0xff);
 796     p[5] = (unsigned char)((val >> 16) & 0xff);
 797     p[6] = (unsigned char)((val >>  8) & 0xff);
 798     p[7] = (unsigned char)((val      ) & 0xff);
 799 }
 800
 801 static inline uint64_t
 802 load_uint64_be(const void *cvp)
 803 {
 804     const unsigned char *p = (const unsigned char *)cvp;
 805
 806     return ((uint64_t)load_uint32_be(p) << 32) | load_uint32_be(p + 4);
 807 }
 808
 809 static inline unsigned char *
 810 store_buffer(gss_buffer_t buffer, void *vp, int wide_nums)
 811 {
 812     unsigned char *p = (unsigned char *)vp;
 813
 814     if (wide_nums) {
 815         store_uint64_be(buffer->length, p);
 816         p += 8;
 817     } else {
 818         store_uint32_be(buffer->length, p);
 819         p += 4;
 820     }
 821
 822     if (buffer->value != NULL) {
 823         memcpy(p, buffer->value, buffer->length);
 824         p += buffer->length;
 825     }
 826
 827     return p;
 828 }
 829
 830 static inline unsigned char *
 831 load_buffer(const void *cvp, size_t length, gss_buffer_t buffer)
 832 {
 833     buffer->length = 0;
 834     buffer->value = GSSEAP_MALLOC(length);
 835     if (buffer->value == NULL)
 836         return NULL;
 837     buffer->length = length;
 838     memcpy(buffer->value, cvp, length);
 839     return (unsigned char *)cvp + length;
 840 }
 841
 842 static inline unsigned char *
 843 store_oid(gss_OID oid, void *vp)
 844 {
 845     gss_buffer_desc buf;
 846
 847     if (oid != GSS_C_NO_OID) {
 848         buf.length = oid->length;
 849         buf.value = oid->elements;
 850     } else {
 851         buf.length = 0;
 852         buf.value = NULL;
 853     }
 854
 855     return store_buffer(&buf, vp, FALSE);
 856 }
 857
 858 static inline void
 859 krbDataToGssBuffer(krb5_data *data, gss_buffer_t buffer)
 860 {
 861     buffer->value = (void *)data->data;
 862     buffer->length = data->length;
 863 }
 864
 865 static inline void
 866 krbPrincComponentToGssBuffer(krb5_principal krbPrinc,
 867                              int index, gss_buffer_t buffer)
 868 {
 869 #ifdef HAVE_HEIMDAL_VERSION
 870     buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index];
 871     buffer->length = strlen((char *)buffer->value);
 872 #else
 873     buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data;
 874     buffer->length = krb5_princ_component(NULL, krbPrinc, index)->length;
 875 #endif /* HAVE_HEIMDAL_VERSION */
 876 }
 877
 878 static inline void
 879 krbPrincRealmToGssBuffer(krb5_principal krbPrinc, gss_buffer_t buffer)
 880 {
 881 #ifdef HAVE_HEIMDAL_VERSION
 882     buffer->value = (void *)KRB_PRINC_REALM(krbPrinc);
 883     buffer->length = strlen((char *)buffer->value);
 884 #else
 885     krbDataToGssBuffer(KRB_PRINC_REALM(krbPrinc), buffer);
 886 #endif
 887 }
 888
 889 static inline void
 890 gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data)
 891 {
 892     data->data = (char *)buffer->value;
 893     data->length = buffer->length;
 894 }
 895
 896 #ifdef __cplusplus
 897 }
 898 #endif
 899
 900 #include "util_json.h"
 901 #include "util_attr.h"
 902 #include "util_base64.h"
 903 #ifdef GSSEAP_ENABLE_REAUTH
 904 #include "util_reauth.h"
 905 #endif
 906
 907 #endif /* _UTIL_H_ */