2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gssapiP_eap.h"
35 #ifdef HAVE_MOONSHOT_GET_IDENTITY
36 #include <libmoonshot.h>
39 libMoonshotMapError(OM_uint32 *minor,
40 MoonshotError **pError)
42 MoonshotError *error = *pError;
44 GSSEAP_ASSERT(error != NULL);
46 switch (error->code) {
47 case MOONSHOT_ERROR_UNABLE_TO_START_SERVICE:
48 *minor = GSSEAP_UNABLE_TO_START_IDENTITY_SERVICE;
50 case MOONSHOT_ERROR_NO_IDENTITY_SELECTED:
51 *minor = GSSEAP_NO_IDENTITY_SELECTED;
53 case MOONSHOT_ERROR_INSTALLATION_ERROR:
54 *minor = GSSEAP_IDENTITY_SERVICE_INSTALL_ERROR;
56 case MOONSHOT_ERROR_OS_ERROR:
57 *minor = GSSEAP_IDENTITY_SERVICE_OS_ERROR;
59 case MOONSHOT_ERROR_IPC_ERROR:
60 *minor = GSSEAP_IDENTITY_SERVICE_IPC_ERROR;
63 *minor = GSSEAP_IDENTITY_SERVICE_UNKNOWN_ERROR;
67 gssEapSaveStatusInfo(*minor, error->message);
68 moonshot_error_free(error);
71 return GSS_S_CRED_UNAVAIL;
75 libMoonshotResolveDefaultIdentity(OM_uint32 *minor,
76 const gss_cred_id_t cred,
79 OM_uint32 major, tmpMinor;
80 gss_OID nameMech = gssEapPrimaryMechForCred(cred);
81 gss_name_t name = GSS_C_NO_NAME;
82 gss_buffer_desc tmpBuffer = GSS_C_EMPTY_BUFFER;
84 char *password = NULL;
85 char *serverCertificateHash = NULL;
86 char *caCertificate = NULL;
87 char *subjectNameConstraint = NULL;
88 char *subjectAltNameConstraint = NULL;
89 MoonshotError *error = NULL;
91 *pName = GSS_C_NO_NAME;
93 if (!moonshot_get_default_identity(&nai,
95 &serverCertificateHash,
97 &subjectNameConstraint,
98 &subjectAltNameConstraint,
100 if (error->code == MOONSHOT_ERROR_NO_IDENTITY_SELECTED) {
101 major = GSS_S_CRED_UNAVAIL;
102 *minor = GSSEAP_NO_DEFAULT_IDENTITY;
103 moonshot_error_free(error);
105 major = libMoonshotMapError(minor, &error);
109 tmpBuffer.value = nai;
110 tmpBuffer.length = strlen(nai);
112 major = gssEapImportName(minor, &tmpBuffer, GSS_C_NT_USER_NAME, nameMech, &name);
113 if (GSS_ERROR(major))
117 name = GSS_C_NO_NAME;
121 moonshot_free(password);
122 moonshot_free(serverCertificateHash);
123 moonshot_free(caCertificate);
124 moonshot_free(subjectNameConstraint);
125 moonshot_free(subjectAltNameConstraint);
127 gssEapReleaseName(&tmpMinor, &name);
133 libMoonshotResolveInitiatorCred(OM_uint32 *minor,
135 const gss_name_t targetName)
137 OM_uint32 major, tmpMinor;
138 gss_OID nameMech = gssEapPrimaryMechForCred(cred);
139 gss_buffer_desc initiator = GSS_C_EMPTY_BUFFER;
140 gss_buffer_desc target = GSS_C_EMPTY_BUFFER;
141 gss_buffer_desc tmpBuffer = GSS_C_EMPTY_BUFFER;
143 char *password = NULL;
144 char *serverCertificateHash = NULL;
145 char *caCertificate = NULL;
146 char *subjectNameConstraint = NULL;
147 char *subjectAltNameConstraint = NULL;
148 MoonshotError *error = NULL;
150 if (cred->name != GSS_C_NO_NAME) {
151 major = gssEapExportName(minor, cred->name, &initiator);
152 if (GSS_ERROR(major))
156 if (targetName != GSS_C_NO_NAME) {
157 major = gssEapExportName(minor, targetName, &target);
158 if (GSS_ERROR(major))
162 if (!moonshot_get_identity((const char *)initiator.value,
163 (const char *)cred->password.value,
164 (const char *)target.value,
167 &serverCertificateHash,
169 &subjectNameConstraint,
170 &subjectAltNameConstraint,
172 major = libMoonshotMapError(minor, &error);
176 gssEapReleaseName(&tmpMinor, &cred->name);
178 tmpBuffer.value = nai;
179 tmpBuffer.length = strlen(nai);
181 major = gssEapImportName(minor, &tmpBuffer, GSS_C_NT_USER_NAME,
182 nameMech, &cred->name);
183 if (GSS_ERROR(major))
186 tmpBuffer.value = password;
187 tmpBuffer.length = strlen(password);
189 major = gssEapSetCredPassword(minor, cred, &tmpBuffer);
190 if (GSS_ERROR(major))
193 gss_release_buffer(&tmpMinor, &cred->caCertificate);
194 gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint);
195 gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint);
197 if (serverCertificateHash != NULL) {
198 size_t len = strlen(serverCertificateHash);
200 #define HASH_PREFIX "hash://server/sha256/"
201 #define HASH_PREFIX_LEN (sizeof(HASH_PREFIX) - 1)
203 cred->caCertificate.value = GSSEAP_MALLOC(HASH_PREFIX_LEN + len + 1);
204 if (cred->caCertificate.value == NULL) {
205 major = GSS_S_FAILURE;
210 memcpy(cred->caCertificate.value, HASH_PREFIX, HASH_PREFIX_LEN);
211 memcpy((char *)cred->caCertificate.value + HASH_PREFIX_LEN, serverCertificateHash, len);
213 ((char *)cred->caCertificate.value)[HASH_PREFIX_LEN + len] = '\0';
215 cred->caCertificate.length = HASH_PREFIX_LEN + len;
216 } else if (caCertificate != NULL) {
217 makeStringBufferOrCleanup(caCertificate, &cred->caCertificate);
220 if (subjectNameConstraint != NULL)
221 makeStringBufferOrCleanup(subjectNameConstraint, &cred->subjectNameConstraint);
222 if (subjectAltNameConstraint != NULL)
223 makeStringBufferOrCleanup(subjectAltNameConstraint, &cred->subjectAltNameConstraint);
227 moonshot_free(password);
228 moonshot_free(serverCertificateHash);
229 moonshot_free(caCertificate);
230 moonshot_free(subjectNameConstraint);
231 moonshot_free(subjectAltNameConstraint);
233 gss_release_buffer(&tmpMinor, &initiator);
234 gss_release_buffer(&tmpMinor, &target);
238 #endif /* HAVE_MOONSHOT_GET_IDENTITY */