2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * RADIUS attribute provider implementation.
37 #include "gssapiP_eap.h"
39 /* stuff that should be provided by libradsec/libfreeradius-radius */
40 #define VENDORATTR(vendor, attr) (((vendor) << 16) | (attr))
43 #define ATTRID(attr) ((attr) & 0xFFFF)
46 static gss_buffer_desc radiusUrnPrefix = {
47 sizeof("urn:x-radius:") - 1,
48 (void *)"urn:x-radius:"
51 static VALUE_PAIR *copyAvps(const VALUE_PAIR *src);
53 gss_eap_radius_attr_provider::gss_eap_radius_attr_provider(void)
56 m_authenticated = false;
59 gss_eap_radius_attr_provider::~gss_eap_radius_attr_provider(void)
66 gss_eap_radius_attr_provider::initWithExistingContext(const gss_eap_attr_ctx *manager,
67 const gss_eap_attr_provider *ctx)
69 const gss_eap_radius_attr_provider *radius;
71 if (!gss_eap_attr_provider::initWithExistingContext(manager, ctx))
74 radius = static_cast<const gss_eap_radius_attr_provider *>(ctx);
76 if (radius->m_vps != NULL)
77 m_vps = copyAvps(const_cast<VALUE_PAIR *>(radius->getAvps()));
79 m_authenticated = radius->m_authenticated;
85 gss_eap_radius_attr_provider::initWithGssContext(const gss_eap_attr_ctx *manager,
86 const gss_cred_id_t gssCred,
87 const gss_ctx_id_t gssCtx)
89 if (!gss_eap_attr_provider::initWithGssContext(manager, gssCred, gssCtx))
92 if (gssCtx != GSS_C_NO_CONTEXT) {
93 if (gssCtx->acceptorCtx.vps != NULL) {
94 m_vps = copyAvps(gssCtx->acceptorCtx.vps);
98 /* We assume libradsec validated this for us */
99 assert(pairfind(m_vps, PW_MESSAGE_AUTHENTICATOR) != NULL);
100 m_authenticated = true;
108 alreadyAddedAttributeP(std::vector <std::string> &attrs, VALUE_PAIR *vp)
110 for (std::vector<std::string>::const_iterator a = attrs.begin();
113 if (strcmp(vp->name, (*a).c_str()) == 0)
121 isSecretAttributeP(uint16_t attrid, uint16_t vendor)
123 bool bSecretAttribute = false;
128 case PW_MS_MPPE_SEND_KEY:
129 case PW_MS_MPPE_RECV_KEY:
130 bSecretAttribute = true;
139 return bSecretAttribute;
143 isSecretAttributeP(uint32_t attribute)
145 return isSecretAttributeP(ATTRID(attribute), VENDOR(attribute));
149 isInternalAttributeP(uint16_t attrid, uint16_t vendor)
151 bool bInternalAttribute = false;
153 /* should have been filtered */
154 assert(!isSecretAttributeP(attrid, vendor));
157 case VENDORPEC_UKERNA:
159 case PW_GSS_ACCEPTOR_SERVICE_NAME:
160 case PW_GSS_ACCEPTOR_HOST_NAME:
161 case PW_GSS_ACCEPTOR_SERVICE_SPECIFIC:
162 case PW_GSS_ACCEPTOR_REALM_NAME:
163 case PW_SAML_AAA_ASSERTION:
164 bInternalAttribute = true;
174 return bInternalAttribute;
178 isInternalAttributeP(uint32_t attribute)
180 return isInternalAttributeP(ATTRID(attribute), VENDOR(attribute));
184 isFragmentedAttributeP(uint16_t attrid, uint16_t vendor)
186 /* A bit of a hack for the PAC for now. Should be configurable. */
187 return (vendor == VENDORPEC_UKERNA) &&
188 !isInternalAttributeP(attrid, vendor);
192 isFragmentedAttributeP(uint32_t attribute)
194 return isFragmentedAttributeP(ATTRID(attribute), VENDOR(attribute));
198 * Copy AVP list, same as paircopy except it filters out attributes
202 copyAvps(const VALUE_PAIR *src)
204 const VALUE_PAIR *vp;
205 VALUE_PAIR *dst = NULL, **pDst = &dst;
207 for (vp = src; vp != NULL; vp = vp->next) {
210 if (isSecretAttributeP(vp->attribute))
213 vpcopy = paircopyvp(vp);
214 if (vpcopy == NULL) {
216 throw std::bad_alloc();
219 pDst = &vpcopy->next;
226 gss_eap_radius_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
230 std::vector <std::string> seen;
232 for (vp = m_vps; vp != NULL; vp = vp->next) {
233 gss_buffer_desc attribute;
236 /* Don't advertise attributes that are internal to the GSS-EAP mechanism */
237 if (isInternalAttributeP(vp->attribute))
240 if (alreadyAddedAttributeP(seen, vp))
243 snprintf(attrid, sizeof(attrid), "%s%d",
244 (char *)radiusUrnPrefix.value, vp->attribute);
246 attribute.value = attrid;
247 attribute.length = strlen(attrid);
249 if (!addAttribute(m_manager, this, &attribute, data))
252 seen.push_back(std::string(vp->name));
259 getAttributeId(const gss_buffer_t attr)
262 gss_buffer_desc strAttr = GSS_C_EMPTY_BUFFER;
267 if (attr->length < radiusUrnPrefix.length ||
268 memcmp(attr->value, radiusUrnPrefix.value, radiusUrnPrefix.length) != 0)
271 /* need to duplicate because attr may not be NUL terminated */
272 duplicateBuffer(*attr, &strAttr);
273 s = (char *)strAttr.value + radiusUrnPrefix.length;
276 attrid = strtoul(s, NULL, 10);
278 da = dict_attrbyname(s);
283 gss_release_buffer(&tmpMinor, &strAttr);
289 gss_eap_radius_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
291 const gss_buffer_t value)
293 OM_uint32 major = GSS_S_UNAVAILABLE, minor;
295 if (!isSecretAttributeP(attrid) &&
296 !isInternalAttributeP(attrid)) {
297 deleteAttribute(attrid);
299 major = gssEapRadiusAddAvp(&minor, &m_vps,
300 ATTRID(attrid), VENDOR(attrid),
304 return !GSS_ERROR(major);
308 gss_eap_radius_attr_provider::setAttribute(int complete,
309 const gss_buffer_t attr,
310 const gss_buffer_t value)
312 uint32_t attrid = getAttributeId(attr);
317 return setAttribute(complete, attrid, value);
321 gss_eap_radius_attr_provider::deleteAttribute(uint32_t attrid)
323 if (isSecretAttributeP(attrid) || isInternalAttributeP(attrid) ||
324 pairfind(m_vps, attrid) == NULL)
327 pairdelete(&m_vps, attrid);
333 gss_eap_radius_attr_provider::deleteAttribute(const gss_buffer_t attr)
335 uint32_t attrid = getAttributeId(attr);
340 return deleteAttribute(attrid);
344 gss_eap_radius_attr_provider::getAttribute(const gss_buffer_t attr,
348 gss_buffer_t display_value,
353 attrid = getAttributeId(attr);
357 return getAttribute(attrid, authenticated, complete,
358 value, display_value, more);
362 gss_eap_radius_attr_provider::getAttribute(uint32_t attrid,
366 gss_buffer_t display_value,
370 int i = *more, count = 0;
377 if (isSecretAttributeP(attrid) || isInternalAttributeP(attrid)) {
379 } else if (isFragmentedAttributeP(attrid)) {
380 return getFragmentedAttribute(attrid,
386 for (vp = pairfind(m_vps, attrid);
388 vp = pairfind(vp->next, attrid)) {
390 if (pairfind(vp->next, attrid) != NULL)
396 if (vp == NULL && *more == 0)
399 if (value != GSS_C_NO_BUFFER) {
400 gss_buffer_desc valueBuf;
402 valueBuf.value = (void *)vp->vp_octets;
403 valueBuf.length = vp->length;
405 duplicateBuffer(valueBuf, value);
408 if (display_value != GSS_C_NO_BUFFER) {
409 char displayString[MAX_STRING_LEN];
410 gss_buffer_desc displayBuf;
412 displayBuf.length = vp_prints_value(displayString,
413 sizeof(displayString), vp, 0);
414 displayBuf.value = (void *)displayString;
416 duplicateBuffer(displayBuf, display_value);
419 if (authenticated != NULL)
420 *authenticated = m_authenticated;
421 if (complete != NULL)
428 gss_eap_radius_attr_provider::getFragmentedAttribute(uint16_t attribute,
432 gss_buffer_t value) const
434 OM_uint32 major, minor;
436 major = gssEapRadiusGetAvp(&minor, m_vps, attribute, vendor, value, TRUE);
438 if (authenticated != NULL)
439 *authenticated = m_authenticated;
440 if (complete != NULL)
443 return !GSS_ERROR(major);
447 gss_eap_radius_attr_provider::getFragmentedAttribute(uint32_t attrid,
450 gss_buffer_t value) const
452 return getFragmentedAttribute(ATTRID(attrid), VENDOR(attrid),
453 authenticated, complete, value);
457 gss_eap_radius_attr_provider::getAttribute(uint16_t attribute,
462 gss_buffer_t display_value,
466 return getAttribute(VENDORATTR(attribute, vendor),
467 authenticated, complete,
468 value, display_value, more);
472 gss_eap_radius_attr_provider::mapToAny(int authenticated,
473 gss_buffer_t type_id GSSEAP_UNUSED) const
475 if (authenticated && !m_authenticated)
476 return (gss_any_t)NULL;
478 return (gss_any_t)copyAvps(m_vps);
482 gss_eap_radius_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
483 gss_any_t input) const
485 VALUE_PAIR *vp = (VALUE_PAIR *)input;
490 gss_eap_radius_attr_provider::init(void)
492 struct rs_context *radContext;
494 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS, createAttrContext);
498 * This hack is necessary in order to force the loading of the global
499 * dictionary, otherwise accepting reauthentication tokens fails unless
500 * the acceptor has already accepted a normal authentication token.
502 if (rs_context_create(&radContext) != 0)
505 if (rs_context_read_config(radContext, RS_CONFIG_FILE) != 0) {
506 rs_context_destroy(radContext);
510 if (rs_context_init_freeradius_dict(radContext, NULL)) {
511 rs_context_destroy(radContext);
515 rs_context_destroy(radContext);
522 gss_eap_radius_attr_provider::finalize(void)
524 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_RADIUS);
527 gss_eap_attr_provider *
528 gss_eap_radius_attr_provider::createAttrContext(void)
530 return new gss_eap_radius_attr_provider;
534 gssEapRadiusAddAvp(OM_uint32 *minor,
538 const gss_buffer_t buffer)
540 uint32_t attrid = VENDORATTR(vendor, attribute);
541 unsigned char *p = (unsigned char *)buffer->value;
542 size_t remain = buffer->length;
549 * There's an extra byte of padding; RADIUS AVPs can only
552 if (n >= MAX_STRING_LEN)
553 n = MAX_STRING_LEN - 1;
555 vp = paircreate(attrid, PW_TYPE_OCTETS);
558 return GSS_S_FAILURE;
561 memcpy(vp->vp_octets, p, n);
568 } while (remain != 0);
570 return GSS_S_COMPLETE;
574 gssEapRadiusGetRawAvp(OM_uint32 *minor,
580 uint32_t attr = VENDORATTR(vendor, attribute);
582 *vp = pairfind(vps, attr);
584 *minor = GSSEAP_NO_SUCH_ATTR;
585 return GSS_S_UNAVAILABLE;
588 return GSS_S_COMPLETE;
592 gssEapRadiusGetAvp(OM_uint32 *minor,
601 uint32_t attr = VENDORATTR(vendor, attribute);
603 if (buffer != GSS_C_NO_BUFFER) {
605 buffer->value = NULL;
608 vp = pairfind(vps, attr);
610 *minor = GSSEAP_NO_SUCH_ATTR;
611 return GSS_S_UNAVAILABLE;
614 if (buffer != GSS_C_NO_BUFFER) {
616 buffer->length += vp->length;
617 } while (concat && (vp = pairfind(vp->next, attr)) != NULL);
619 buffer->value = GSSEAP_MALLOC(buffer->length);
620 if (buffer->value == NULL) {
622 return GSS_S_FAILURE;
625 p = (unsigned char *)buffer->value;
627 for (vp = pairfind(vps, attr);
628 concat && vp != NULL;
629 vp = pairfind(vp->next, attr)) {
630 memcpy(p, vp->vp_octets, vp->length);
636 return GSS_S_COMPLETE;
640 gssEapRadiusFreeAvps(OM_uint32 *minor,
645 return GSS_S_COMPLETE;
649 gssEapRadiusAttrProviderInit(OM_uint32 *minor)
651 if (!gss_eap_radius_attr_provider::init()) {
652 *minor = GSSEAP_RADSEC_INIT_FAILURE;
653 return GSS_S_FAILURE;
656 return GSS_S_COMPLETE;
660 gssEapRadiusAttrProviderFinalize(OM_uint32 *minor)
662 gss_eap_radius_attr_provider::finalize();
665 return GSS_S_COMPLETE;
669 avpToJson(const VALUE_PAIR *vp)
673 assert(vp->length <= MAX_STRING_LEN);
676 case PW_TYPE_INTEGER:
679 obj.set("value", vp->lvalue);
682 obj.set("value", vp->vp_strvalue);
687 if (base64Encode(vp->vp_octets, vp->length, &b64) < 0)
688 throw std::bad_alloc();
690 obj.set("value", b64);
696 obj.set("type", vp->attribute);
702 jsonToAvp(VALUE_PAIR **pVp, JSONObject &obj)
704 VALUE_PAIR *vp = NULL;
708 JSONObject type = obj["type"];
709 JSONObject value = obj["value"];
711 if (!type.isInteger())
714 attrid = type.integer();
715 da = dict_attrbyvalue(attrid);
719 int type = base64Valid(value.string()) ?
720 PW_TYPE_OCTETS : PW_TYPE_STRING;
721 vp = paircreate(attrid, type);
724 throw std::bad_alloc();
727 case PW_TYPE_INTEGER:
730 if (!value.isInteger())
734 vp->lvalue = value.integer();
736 case PW_TYPE_STRING: {
737 if (!value.isString())
740 const char *str = value.string();
741 size_t len = strlen(str);
743 if (len >= MAX_STRING_LEN)
747 memcpy(vp->vp_strvalue, str, len + 1);
752 if (!value.isString())
755 const char *str = value.string();
756 ssize_t len = strlen(str);
758 /* this optimization requires base64Decode only understand packed encoding */
759 if (len >= BASE64_EXPAND(MAX_STRING_LEN))
762 len = base64Decode(str, vp->vp_octets);
783 gss_eap_radius_attr_provider::name(void) const
789 gss_eap_radius_attr_provider::initWithJsonObject(const gss_eap_attr_ctx *ctx,
792 VALUE_PAIR **pNext = &m_vps;
794 if (!gss_eap_attr_provider::initWithJsonObject(ctx, obj))
797 JSONObject attrs = obj["attributes"];
798 size_t nelems = attrs.size();
800 for (size_t i = 0; i < nelems; i++) {
801 JSONObject attr = attrs[i];
804 if (!jsonToAvp(&vp, attr))
811 m_authenticated = obj["authenticated"].integer();
817 gss_eap_radius_attr_provider::prefix(void) const
819 return "urn:ietf:params:gss-eap:radius-avp";
823 gss_eap_radius_attr_provider::jsonRepresentation(void) const
825 JSONObject obj, attrs = JSONObject::array();
827 for (VALUE_PAIR *vp = m_vps; vp != NULL; vp = vp->next) {
828 JSONObject attr = avpToJson(vp);
832 obj.set("attributes", attrs);
834 obj.set("authenticated", m_authenticated);
840 gss_eap_radius_attr_provider::getExpiryTime(void) const
844 vp = pairfind(m_vps, PW_SESSION_TIMEOUT);
845 if (vp == NULL || vp->lvalue == 0)
848 return time(NULL) + vp->lvalue;
852 gssEapRadiusMapError(OM_uint32 *minor,
853 struct rs_error *err)
859 code = rs_err_code(err, 0);
861 if (code == RSE_OK) {
863 return GSS_S_COMPLETE;
866 *minor = ERROR_TABLE_BASE_rse + code;
868 gssEapSaveStatusInfo(*minor, "%s", rs_err_msg(err));
871 return GSS_S_FAILURE;