Merge branch 'master' into tlv-mic

[moonshot.git] / mech_eap / util.h

diff --git a/mech_eap/util.h b/mech_eap/util.h
index 826a335..e5376a6 100644 (file)
--- a/mech_eap/util.h
+++ b/mech_eap/util.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -75,6 +75,12 @@ extern "C" {
 #define MIN(_a,_b)  ((_a)<(_b)?(_a):(_b))
 #endif
 
+#if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
+#define GSSEAP_UNUSED __attribute__ ((__unused__)) 
+#else
+#define GSSEAP_UNUSED
+#endif
+
 /* util_buffer.c */
 OM_uint32
 makeStringBuffer(OM_uint32 *minor,
@@ -154,41 +160,69 @@ enum gss_eap_token_type {
     TOK_TYPE_EXPORT_NAME             = 0x0401,  /* RFC 2743 exported name */
     TOK_TYPE_EXPORT_NAME_COMPOSITE   = 0x0402,  /* exported composite name */
     TOK_TYPE_DELETE_CONTEXT          = 0x0405,  /* RFC 2743 delete context */
-    TOK_TYPE_EAP_RESP                = 0x0601,  /* EAP response */
-    TOK_TYPE_EAP_REQ                 = 0x0602,  /* EAP request */
-    TOK_TYPE_EXT_REQ                 = 0x0603,  /* GSS EAP extensions request */
-    TOK_TYPE_EXT_RESP                = 0x0604,  /* GSS EAP extensions response */
-    TOK_TYPE_GSS_REAUTH              = 0x0605,  /* GSS EAP fast reauthentication token */
-    TOK_TYPE_CONTEXT_ERR             = 0x0606,  /* context error */
+    TOK_TYPE_INITIATOR_CONTEXT       = 0x0601,  /* initiator-sent context token */
+    TOK_TYPE_ACCEPTOR_CONTEXT        = 0x0602,  /* acceptor-sent context token */
 };
 
+struct gss_eap_itok_map {
+    OM_uint32 type;                             /* inner token type */
+    OM_uint32 flag;                             /* context flag */
+};
+
+/* inner token types and flags */
+#define ITOK_TYPE_NONE                      0x00000000
+#define ITOK_TYPE_CONTEXT_ERR               0x00000001 /* critical */
+#define ITOK_TYPE_ACCEPTOR_NAME_REQ         0x00000002 /* TBD */
+#define ITOK_TYPE_ACCEPTOR_NAME_RESP        0x00000003 /* TBD */
+#define ITOK_TYPE_EAP_RESP                  0x00000004 /* critical, required, if not reauth */
+#define ITOK_TYPE_EAP_REQ                   0x00000005 /* critical, required, if not reauth */
+#define ITOK_TYPE_GSS_CHANNEL_BINDINGS      0x00000006 /* optional */
+#define ITOK_TYPE_REAUTH_CREDS              0x00000007 /* optional */
+#define ITOK_TYPE_REAUTH_REQ                0x00000008 /* optional */
+#define ITOK_TYPE_REAUTH_RESP               0x00000009 /* optional */
+#define ITOK_TYPE_GSS_FLAGS                 0x0000000A /* optional */
+#define ITOK_TYPE_INITIATOR_MIC             0x0000000B /* required */
+#define ITOK_TYPE_ACCEPTOR_MIC              0x0000000C /* required */
+#define ITOK_TYPE_SUPPORTED_ACCEPTOR_EXTS   0x0000000D /* optional */
+#define ITOK_TYPE_SUPPORTED_INITIATOR_EXTS  0x0000000E /* optional */
+
+/* experimental */
+#define ITOK_TYPE_VERSION_INFO              0x00000080 /* optional */
+#define ITOK_TYPE_VENDOR_INFO               0x00000081 /* optional */
+
+#define ITOK_FLAG_CRITICAL                  0x80000000  /* critical, wire flag */
+#define ITOK_FLAG_VERIFIED                  0x40000000  /* verified, API flag */
+
+#define ITOK_TYPE_MASK                      (~(ITOK_FLAG_CRITICAL | ITOK_FLAG_VERIFIED))
+
+#define ITOK_HEADER_LENGTH                  8           /* type || length */
+
+#define GSSEAP_WIRE_FLAGS_MASK              ( GSS_C_MUTUAL_FLAG )
+
 OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
 OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
 
 OM_uint32
-gssEapMakeToken(OM_uint32 *minor,
-                gss_ctx_id_t ctx,
-                const gss_buffer_t innerToken,
-                enum gss_eap_token_type tokenType,
-                gss_buffer_t outputToken);
+gssEapContextTime(OM_uint32 *minor,
+                  gss_ctx_id_t context_handle,
+                  OM_uint32 *time_rec);
 
 OM_uint32
-gssEapVerifyToken(OM_uint32 *minor,
-                  gss_ctx_id_t ctx,
-                  const gss_buffer_t inputToken,
-                  enum gss_eap_token_type *tokenType,
-                  gss_buffer_t innerInputToken);
+gssEapGetConversationMIC(OM_uint32 *minor,
+                         gss_ctx_id_t ctx,
+                         gss_buffer_t convMIC);
 
 OM_uint32
-gssEapContextTime(OM_uint32 *minor,
-                  gss_ctx_id_t context_handle,
-                  OM_uint32 *time_rec);
+gssEapVerifyConversationMIC(OM_uint32 *minor,
+                            gss_ctx_id_t ctx,
+                            const gss_buffer_t convMIC);
 
 OM_uint32
-gssEapDisplayName(OM_uint32 *minor,
-                  gss_name_t name,
-                  gss_buffer_t output_name_buffer,
-                  gss_OID *output_name_type);
+gssEapMakeTokenChannelBindings(OM_uint32 *minor,
+                               gss_ctx_id_t ctx,
+                               gss_channel_bindings_t userBindings,
+                               gss_buffer_t inputToken,
+                               gss_channel_bindings_t wireBindings);
 
 /* util_cred.c */
 OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
@@ -260,83 +294,50 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor,
                        krb5_enctype enctype,
                        krb5_keyblock *pKey);
 
-/* util_exts.c */
-#define EXT_FLAG_CRITICAL               0x80000000  /* critical, wire flag */
-#define EXT_FLAG_VERIFIED               0x40000000  /* verified, API flag */
-
-#define EXT_TYPE_GSS_CHANNEL_BINDINGS   0x00000000
-#define EXT_TYPE_REAUTH_CREDS           0x00000001
-#define EXT_TYPE_MASK                   (~(EXT_FLAG_CRITICAL | EXT_FLAG_VERIFIED))
-
-struct gss_eap_extension_provider {
-    OM_uint32 type;
-    int critical; /* client */
-    int required; /* server */
-    OM_uint32 (*make)(OM_uint32 *,
-                      gss_cred_id_t,
-                      gss_ctx_id_t,
-                      gss_channel_bindings_t,
-                      gss_buffer_t);
-    OM_uint32 (*verify)(OM_uint32 *,
-                        gss_cred_id_t,
-                        gss_ctx_id_t,
-                        gss_channel_bindings_t,
-                        const gss_buffer_t);
-};
-
-OM_uint32
-gssEapMakeExtensions(OM_uint32 *minor,
-                     gss_cred_id_t cred,
-                     gss_ctx_id_t ctx,
-                     gss_channel_bindings_t chanBindings,
-                     gss_buffer_t buffer);
-
-OM_uint32
-gssEapVerifyExtensions(OM_uint32 *minor,
-                       gss_cred_id_t cred,
-                       gss_ctx_id_t ctx,
-                       gss_channel_bindings_t chanBindings,
-                       const gss_buffer_t buffer);
-
 /* util_krb.c */
 #ifdef HAVE_HEIMDAL_VERSION
+
 #define KRB_TIME_FOREVER        ((time_t)~0L)
+
 #define KRB_KEY_TYPE(key)       ((key)->keytype)
 #define KRB_KEY_DATA(key)       ((key)->keyvalue.data)
 #define KRB_KEY_LENGTH(key)     ((key)->keyvalue.length)
-#else
-#define KRB_TIME_FOREVER        KRB5_INT32_MAX
-#define KRB_KEY_TYPE(key)       ((key)->enctype)
-#define KRB_KEY_DATA(key)       ((key)->contents)
-#define KRB_KEY_LENGTH(key)     ((key)->length)
-#endif /* HAVE_HEIMDAL_VERSION */
-
-#define KRB_KEY_INIT(key)       do {        \
-        KRB_KEY_TYPE(key) = ENCTYPE_NULL;   \
-        KRB_KEY_DATA(key) = NULL;           \
-        KRB_KEY_LENGTH(key) = 0;            \
-    } while (0)
 
-#ifdef HAVE_HEIMDAL_VERSION
 #define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len)
 #define KRB_PRINC_TYPE(princ)   ((princ)->name.name_type)
 #define KRB_PRINC_NAME(princ)   ((princ)->name.name_string.val)
 #define KRB_PRINC_REALM(princ)  ((princ)->realm)
+
+#define KRB_KT_ENT_KEYBLOCK(e)  (&(e)->keyblock)
+#define KRB_KT_ENT_FREE(c, e)   krb5_kt_free_entry((c), (e))
+
 #define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto)
+
 #else
+
+#define KRB_TIME_FOREVER        KRB5_INT32_MAX
+
+#define KRB_KEY_TYPE(key)       ((key)->enctype)
+#define KRB_KEY_DATA(key)       ((key)->contents)
+#define KRB_KEY_LENGTH(key)     ((key)->length)
+
 #define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ)))
 #define KRB_PRINC_TYPE(princ)   (krb5_princ_type(NULL, (princ)))
 #define KRB_PRINC_NAME(princ)   (krb5_princ_name(NULL, (princ)))
 #define KRB_PRINC_REALM(princ)  (krb5_princ_realm(NULL, (princ)))
+
+#define KRB_KT_ENT_KEYBLOCK(e)  (&(e)->key)
+#define KRB_KT_ENT_FREE(c, e)   krb5_free_keytab_entry_contents((c), (e))
+
 #define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key)
-#endif /* HAVE_HEIMDAL_VERSION */
 
-#ifdef HAVE_HEIMDAL_VERSION
-#define GSS_IOV_BUFFER_FLAG_ALLOCATE    GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE
-#define GSS_IOV_BUFFER_FLAG_ALLOCATED   GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED
+#endif /* HAVE_HEIMDAL_VERSION */
 
-#define GSS_S_CRED_UNAVAIL              GSS_S_FAILURE
-#endif
+#define KRB_KEY_INIT(key)       do {        \
+        KRB_KEY_TYPE(key) = ENCTYPE_NULL;   \
+        KRB_KEY_DATA(key) = NULL;           \
+        KRB_KEY_LENGTH(key) = 0;            \
+    } while (0)
 
 #define GSSEAP_KRB_INIT(ctx) do {                   \
         OM_uint32 tmpMajor;                         \
@@ -355,9 +356,6 @@ rfc3961ChecksumTypeForKey(OM_uint32 *minor,
                           krb5_keyblock *key,
                           krb5_cksumtype *cksumtype);
 
-krb5_const_principal
-krbAnonymousPrincipal(void);
-
 krb5_error_code
 krbCryptoLength(krb5_context krbContext,
 #ifdef HAVE_HEIMDAL_VERSION
@@ -406,6 +404,12 @@ krbMakeAuthDataKdcIssued(krb5_context context,
 #endif
                          );
 
+krb5_error_code
+krbMakeCred(krb5_context context,
+            krb5_auth_context authcontext,
+            krb5_creds *creds,
+            krb5_data *data);
+
 /* util_lucid.c */
 OM_uint32
 gssEapExportLucidSecContext(OM_uint32 *minor,
@@ -416,9 +420,19 @@ gssEapExportLucidSecContext(OM_uint32 *minor,
 /* util_mech.c */
 extern gss_OID GSS_EAP_MECHANISM;
 
-int
-gssEapInternalizeOid(const gss_OID oid,
-                     gss_OID *const pInternalizedOid);
+#define OID_FLAG_NULL_VALID                 0x00000001
+#define OID_FLAG_FAMILY_MECH_VALID          0x00000002
+#define OID_FLAG_MAP_NULL_TO_DEFAULT_MECH   0x00000004
+#define OID_FLAG_MAP_FAMILY_MECH_TO_NULL    0x00000008
+
+OM_uint32
+gssEapCanonicalizeOid(OM_uint32 *minor,
+                      const gss_OID oid,
+                      OM_uint32 flags,
+                      gss_OID *pOid);
+
+OM_uint32
+gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid);
 
 OM_uint32
 gssEapDefaultMech(OM_uint32 *minor,
@@ -455,8 +469,9 @@ gss_OID
 gssEapSaslNameToOid(const gss_buffer_t name);
 
 /* util_name.c */
-#define EXPORT_NAME_FLAG_OID        0x1
-#define EXPORT_NAME_FLAG_COMPOSITE  0x2
+#define EXPORT_NAME_FLAG_OID                    0x1
+#define EXPORT_NAME_FLAG_COMPOSITE              0x2
+#define EXPORT_NAME_FLAG_ALLOW_COMPOSITE        0x4
 
 OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName);
 OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName);
@@ -466,20 +481,39 @@ OM_uint32 gssEapExportName(OM_uint32 *minor,
 OM_uint32 gssEapExportNameInternal(OM_uint32 *minor,
                                    const gss_name_t name,
                                    gss_buffer_t exportedName,
-                                   unsigned int flags);
+                                   OM_uint32 flags);
 OM_uint32 gssEapImportName(OM_uint32 *minor,
                            const gss_buffer_t input_name_buffer,
-                           gss_OID input_name_type,
+                           const gss_OID input_name_type,
+                           const gss_OID input_mech_type,
                            gss_name_t *output_name);
 OM_uint32 gssEapImportNameInternal(OM_uint32 *minor,
                                    const gss_buffer_t input_name_buffer,
                                    gss_name_t *output_name,
-                                   unsigned int flags);
+                                   OM_uint32 flags);
 OM_uint32
 gssEapDuplicateName(OM_uint32 *minor,
                     const gss_name_t input_name,
                     gss_name_t *dest_name);
 
+OM_uint32
+gssEapCanonicalizeName(OM_uint32 *minor,
+                       const gss_name_t input_name,
+                       const gss_OID mech_type,
+                       gss_name_t *dest_name);
+
+OM_uint32
+gssEapDisplayName(OM_uint32 *minor,
+                  gss_name_t name,
+                  gss_buffer_t output_name_buffer,
+                  gss_OID *output_name_type);
+
+OM_uint32
+gssEapCompareName(OM_uint32 *minor,
+                  gss_name_t name1,
+                  gss_name_t name2,
+                  int *name_equal);
+
 /* util_oid.c */
 OM_uint32
 composeOid(OM_uint32 *minor_status,
@@ -543,15 +577,121 @@ OM_uint32
 sequenceInit(OM_uint32 *minor, void **vqueue, uint64_t seqnum,
              int do_replay, int do_sequence, int wide_nums);
 
+/* util_sm.c */
+enum gss_eap_state {
+    GSSEAP_STATE_INITIAL        = 0x01,     /* initial state */
+    GSSEAP_STATE_AUTHENTICATE   = 0x02,     /* exchange EAP messages */
+    GSSEAP_STATE_INITIATOR_EXTS = 0x04,     /* initiator extensions */
+    GSSEAP_STATE_ACCEPTOR_EXTS  = 0x08,     /* acceptor extensions */
+#ifdef GSSEAP_ENABLE_REAUTH
+    GSSEAP_STATE_REAUTHENTICATE = 0x10,     /* GSS reauthentication messages */
+#endif
+    GSSEAP_STATE_ESTABLISHED    = 0x20,     /* context established */
+    GSSEAP_STATE_ALL            = 0x3F
+};
+
+#define GSSEAP_STATE_NEXT(s)    ((s) << 1)
+
+#define GSSEAP_SM_STATE(ctx)                ((ctx)->state)
+
+#ifdef GSSEAP_DEBUG
+void gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
+#define GSSEAP_SM_TRANSITION(ctx, state)    gssEapSmTransition((ctx), (state))
+#else
+#define GSSEAP_SM_TRANSITION(ctx, newstate)    do { (ctx)->state = (newstate); } while (0)
+#endif
+
+#define GSSEAP_SM_TRANSITION_NEXT(ctx)      GSSEAP_SM_TRANSITION((ctx), GSSEAP_STATE_NEXT(GSSEAP_SM_STATE((ctx))))
+
+/* state machine entry */
+struct gss_eap_sm {
+    OM_uint32 inputTokenType;
+    OM_uint32 outputTokenType;
+    enum gss_eap_state validStates;
+    OM_uint32 itokFlags;
+    OM_uint32 (*processToken)(OM_uint32 *,
+                              gss_cred_id_t,
+                              gss_ctx_id_t,
+                              gss_name_t,
+                              gss_OID,
+                              OM_uint32,
+                              OM_uint32,
+                              gss_channel_bindings_t,
+                              gss_buffer_t,
+                              gss_buffer_t,
+                              OM_uint32 *);
+};
+
+/* state machine flags, set by handler */
+#define SM_FLAG_SEND_TOKEN                  0x00000001  /* exit state machine, send token */
+#define SM_FLAG_OUTPUT_TOKEN_CRITICAL       0x00000002  /* output token is critical */
+
+/* state machine flags, set by state machine */
+#define SM_FLAG_INPUT_TOKEN_CRITICAL        0x10000000  /* input token was critical */
+
+#define SM_ITOK_FLAG_REQUIRED               0x00000001  /* received tokens must be present */
+
+OM_uint32
+gssEapSmStep(OM_uint32 *minor,
+             gss_cred_id_t cred,
+             gss_ctx_id_t ctx,
+             gss_name_t target,
+             gss_OID mech,
+             OM_uint32 reqFlags,
+             OM_uint32 timeReq,
+             gss_channel_bindings_t chanBindings,
+             gss_buffer_t inputToken,
+             gss_buffer_t outputToken,
+             struct gss_eap_sm *sm,
+             size_t smCount);
+
+void
+gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
+
 /* util_token.c */
+OM_uint32
+gssEapDecodeInnerTokens(OM_uint32 *minor,
+                        const gss_buffer_t buffer,
+                        gss_buffer_set_t *pExtensions,
+                        OM_uint32 **pTypes);
+
+OM_uint32
+gssEapRecordContextTokenHeader(OM_uint32 *minor,
+                               gss_ctx_id_t ctx,
+                               enum gss_eap_token_type tokType);
+
+OM_uint32
+gssEapRecordInnerContextToken(OM_uint32 *minor,
+                              gss_ctx_id_t ctx,
+                              gss_buffer_t innerToken,
+                              OM_uint32 type);
+
+OM_uint32
+gssEapVerifyContextToken(OM_uint32 *minor,
+                         gss_ctx_id_t ctx,
+                         const gss_buffer_t inputToken,
+                         enum gss_eap_token_type tokenType,
+                         gss_buffer_t innerInputToken);
+
+OM_uint32
+gssEapEncodeSupportedExts(OM_uint32 *minor,
+                          OM_uint32 *types,
+                          size_t typesCount,
+                          gss_buffer_t outputToken);
+
+OM_uint32
+gssEapProcessSupportedExts(OM_uint32 *minor,
+                           gss_buffer_t inputToken,
+                           struct gss_eap_itok_map *map,
+                           size_t mapCount,
+                           OM_uint32 *flags);
+
 size_t
-tokenSize(const gss_OID_desc *mech, size_t body_size);
+tokenSize(size_t bodySize);
 
 void
-makeTokenHeader(const gss_OID_desc *mech,
-                size_t body_size,
-                unsigned char **buf,
-                enum gss_eap_token_type tok_type);
+makeTokenHeader(size_t body_size,
+                unsigned char **buf);
 
 OM_uint32
 verifyTokenHeader(OM_uint32 *minor,
@@ -746,7 +886,9 @@ gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data)
 }
 #endif
 
+#include "util_json.h"
 #include "util_attr.h"
+#include "util_base64.h"
 #ifdef GSSEAP_ENABLE_REAUTH
 #include "util_reauth.h"
 #endif