1		/*
2		* Copyright 1999-2006 University of Chicago
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*/
16
17		#ifndef GLOBUS_DONT_DOCUMENT_INTERNAL
18		/**
19		* @file import_name.c
20		* @author Sam Lang, Sam Meder
21		*
22		* $RCSfile: import_name.c,v $
23		* $Revision: 1.16.8.3 $
24		* $Date: 2008/09/24 17:42:15 $
25		*/
26		#endif
27
28		static char *rcsid = "$Id: import_name.c,v 1.16.8.3 2008/09/24 17:42:15 bester Exp $";
29
30		#include "gssapi_openssl.h"
31		#include "globus_i_gsi_gss_utils.h"
32		#include "globus_gsi_gss_constants.h"
33		#include <string.h>
34		#include <stdlib.h>
35		#include <ctype.h>
36
37		static
38		OM_uint32
39		gss_l_resolve_ip(
40		OM_uint32 * minor_status,
41		gss_name_desc * name);
42
43
44		/**
45		* Import a name into a gss_name_t
46		* @ingroup globus_gsi_gssapi
47		*
48		* Creates a new gss_name_t which contains a mechanism-specific representation
49		* of the input name. GSSAPI OpenSSL implements the following name types, based
50		* on the input_name_type OID:
51		*
52		* - GSS_C_NT_ANONYMOUS (input_name_buffer is ignored)
53		* - GSS_C_NT_HOSTBASED_SERVICE (input_name_buffer contains a string
54		* "service@FQN" which will match /CN=service/FQDN)
55		* - GSS_C_NT_EXPORT_NAME (input_name_buffer contains a string with the
56		* X509_oneline representation of a name)
57		* like "/X=Y/Z=A...")
58		* - GSS_C_NO_OID or GSS_C_NT_USER_NAME (input_name_buffer contains an X.500
59		* name formatted
60		* like "/X=Y/Z=A...")
61		* - GLOBUS_GSS_C_NT_HOST_IP (input_name_buffer contains a string
62		* "FQDN/ip-address" which will match names with the FQDN or the IP address)
63		* - GLOBUS_SSS_C_NT_X509 (input buffer is an X509 struct from OpenSSL)
64		*
65		* @param minor_status
66		* Minor status
67		* @param input_name_buffer
68		* Input name buffer which is interpreted based on the @a input_name_type
69		* @param input_name_type
70		* OID of the name
71		* @param output_name_P
72		* New gss_name_t value containing the name
73		*
74		* @retval GSS_S_COMPLETE
75		* indicates that a valid name representation is
76		* output in output_name and described by the type value in
77		* output_name_type.
78		* @retval GSS_S_BAD_NAMETYPE
79		* indicates that the input_name_type is unsupported
80		* by the applicable underlying GSS-API mechanism(s), so the import
81		* operation could not be completed.
82		* @retval GSS_S_BAD_NAME
83		* indicates that the provided input_name_string is ill-formed in terms of
84		* the input_name_type, so the import operation could not be completed.
85		* @retval GSS_S_BAD_MECH
86		* indicates that the input presented for import was an exported name
87		* object and that its enclosed mechanism type was not recognized or was
88		* unsupported by the GSS-API implementation.
89		* @retval GSS_S_FAILURE
90		* indicates that the requested operation could not be performed for
91		* reasons unspecified at the GSS-API level.
92		*/
93		OM_uint32
94		GSS_CALLCONV gss_import_name(
95		OM_uint32 * minor_status,
96		const gss_buffer_t input_name_buffer,
97		const gss_OID input_name_type,
98		gss_name_t * output_name_P)
99	2318	{
100	2318	OM_uint32 major_status = GSS_S_COMPLETE;
101	2318	globus_result_t local_result = GLOBUS_SUCCESS;
102	2318	gss_name_desc * output_name = NULL;
103		int length, i;
104	2318	char * name_buffer = NULL;
105		char * index;
106		static char * _function_name_ = "gss_import_name";
107
108	2318	GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
109
110	2318	if (minor_status == NULL || input_name_buffer == NULL ||
111		output_name_P == NULL)
112		{
113	6	major_status = GSS_S_FAILURE;
114
115	6	if (minor_status != NULL)
116		{
117	4	GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
118		minor_status,
119		GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
120		(_GGSL("Invalid parameter")));
121		}
122
123	6	goto out;
124		}
125
126	2312	*minor_status = (OM_uint32) GLOBUS_SUCCESS;
127
128	2312	output_name = calloc(1, sizeof(gss_name_desc));
129
130	2312	if (output_name == NULL)
131		{
132	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
133	0	major_status = GSS_S_FAILURE;
134	0	goto out;
135		}
136
137	2312	output_name->name_oid = input_name_type;
138	2312	output_name->x509n = X509_NAME_new();
139	2312	if (output_name->x509n == NULL)
140		{
141	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
142	0	major_status = GSS_S_FAILURE;
143	0	goto release_name_out;
144		}
145
146	2312	if(g_OID_equal(input_name_type, GSS_C_NT_ANONYMOUS))
147		{
148		;
149		}
150	2194	else if (g_OID_equal(GSS_C_NT_HOSTBASED_SERVICE, input_name_type))
151		{
152	54	name_buffer = globus_libc_strdup(input_name_buffer->value);
153	54	if (name_buffer == NULL)
154		{
155	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
156	0	major_status = GSS_S_FAILURE;
157	0	goto release_name_out;
158		}
159
160	54	index = strchr(name_buffer, '@');
161	54	if (index)
162		{
163	28	*index = '\0';
164	28	output_name->service_name = name_buffer;
165	28	name_buffer = NULL;
166	28	output_name->host_name = globus_libc_strdup(index+1);
167	28	if (output_name->host_name == NULL)
168		{
169	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
170	0	major_status = GSS_S_FAILURE;
171
172	0	goto release_name_out;
173		}
174		}
175		else
176		{
177	26	output_name->host_name = name_buffer;
178	26	name_buffer = NULL;
179		}
180	54	name_buffer = globus_common_create_string(
181		"/CN=%s%s%s",
182		output_name->service_name ? output_name->service_name : "",
183		output_name->service_name ? "/" : "",
184		output_name->host_name);
185	54	if (name_buffer == NULL)
186		{
187	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
188	0	major_status = GSS_S_FAILURE;
189
190	0	goto release_name_out;
191		}
192
193	54	local_result = globus_gsi_cert_utils_get_x509_name(
194		name_buffer,
195		strlen(name_buffer),
196		output_name->x509n);
197
198	54	free(name_buffer);
199	54	name_buffer = NULL;
200
201	54	if (local_result != GLOBUS_SUCCESS)
202		{
203	0	GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
204		minor_status, local_result,
205		GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME);
206	0	major_status = GSS_S_FAILURE;
207
208	0	goto release_name_out;
209		}
210	54	output_name->x509n_oneline =
211		X509_NAME_oneline(output_name->x509n, NULL, 0);
212	54	if (output_name->x509n_oneline == NULL)
213		{
214	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
215	0	major_status = GSS_S_FAILURE;
216
217	0	goto release_name_out;
218		}
219		}
220	2086	else if (g_OID_equal(GSS_C_NT_EXPORT_NAME, input_name_type))
221		{
222		/* Note: Does not support all name types */
223	0	output_name->name_oid = GSS_C_NO_OID;
224	0	name_buffer = input_name_buffer->value;
225
226	0	i = 0;
227	0	if (name_buffer[i++] != 0x04 || name_buffer[i++] != 0x01 ||
228		name_buffer[i++] !=
229		((gss_mech_globus_gssapi_openssl->length+2) >> 8) ||
230		name_buffer[i++] !=
231		((gss_mech_globus_gssapi_openssl->length+2) & 0xff) ||
232		name_buffer[i++] != 0x06 ||
233		name_buffer[i++] !=
234		(gss_mech_globus_gssapi_openssl->length & 0xff) ||
235		(memcmp(&(name_buffer[i]), gss_mech_globus_gssapi_openssl->elements,
236		gss_mech_globus_gssapi_openssl->length) != 0))
237		{
238	0	GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
239		minor_status, local_result,
240		GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME);
241	0	major_status = GSS_S_BAD_NAME;
242	0	goto release_name_out;
243		}
244
245	0	i += gss_mech_globus_gssapi_openssl->length;
246	0	length = name_buffer[i++] << 24;
247	0	length += name_buffer[i++] << 16;
248	0	length += name_buffer[i++] << 8;
249	0	length += name_buffer[i++] & 0xff;
250
251	0	local_result = globus_gsi_cert_utils_get_x509_name(
252		&(name_buffer[i]),
253		length,
254		output_name->x509n);
255	0	if(local_result != GLOBUS_SUCCESS)
256		{
257	0	GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
258		minor_status, local_result,
259		GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME);
260	0	major_status = GSS_S_BAD_NAME;
261	0	goto release_name_out;
262		}
263	0	output_name->x509n_oneline =
264		X509_NAME_oneline(output_name->x509n, NULL, 0);
265	0	output_name->host_name =
266		(char *) globus_i_gsi_gssapi_get_hostname(output_name);
267		}
268	2128	else if (g_OID_equal(GSS_C_NO_OID, input_name_type) ||
269		g_OID_equal(GSS_C_NT_USER_NAME, input_name_type))
270		{
271	44	output_name->user_name = globus_libc_strdup(input_name_buffer->value);
272	44	if (output_name->user_name == NULL)
273		{
274	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
275	0	major_status = GSS_S_FAILURE;
276
277	0	goto release_name_out;
278		}
279	44	local_result = globus_gsi_cert_utils_get_x509_name(
280		output_name->user_name,
281		strlen(output_name->user_name),
282		output_name->x509n);
283	44	if(local_result != GLOBUS_SUCCESS)
284		{
285	2	GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
286		minor_status, local_result,
287		GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME);
288	2	major_status = GSS_S_BAD_NAME;
289
290	2	goto release_name_out;
291		}
292	42	output_name->x509n_oneline =
293		X509_NAME_oneline(output_name->x509n, NULL, 0);
294	42	if (output_name->x509n_oneline == NULL)
295		{
296	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
297	0	major_status = GSS_S_FAILURE;
298
299	0	goto release_name_out;
300		}
301	42	output_name->host_name =
302		(char *) globus_i_gsi_gssapi_get_hostname(output_name);
303	42	if (output_name->host_name == NULL)
304		{
305	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
306	0	major_status = GSS_S_FAILURE;
307
308	0	goto release_name_out;
309		}
310		}
311	2094	else if (g_OID_equal(GLOBUS_GSS_C_NT_HOST_IP, input_name_type))
312		{
313	52	name_buffer = globus_libc_strdup(input_name_buffer->value);
314	52	if (name_buffer == NULL)
315		{
316	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
317	0	major_status = GSS_S_FAILURE;
318
319	0	goto release_name_out;
320		}
321
322	52	index = strchr(name_buffer, '/');
323	52	if (index)
324		{
325	52	*index = '\0';
326	52	output_name->host_name = name_buffer;
327	52	name_buffer = NULL;
328	52	output_name->ip_address = globus_libc_strdup(index+1);
329		}
330		else
331		{
332	0	free(name_buffer);
333	0	name_buffer = NULL;
334
335	0	major_status = GSS_S_BAD_NAME;
336
337	0	GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
338		minor_status,
339		GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME,
340		(_GGSL("Bad name")));
341		}
342	52	name_buffer = globus_common_create_string(
343		"/CN=%s",
344		output_name->host_name);
345	52	if (name_buffer == NULL)
346		{
347	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
348	0	major_status = GSS_S_FAILURE;
349
350	0	goto release_name_out;
351		}
352
353	52	local_result = globus_gsi_cert_utils_get_x509_name(
354		name_buffer,
355		strlen(name_buffer),
356		output_name->x509n);
357	52	free(name_buffer);
358	52	name_buffer = NULL;
359	52	if(local_result != GLOBUS_SUCCESS)
360		{
361	0	GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
362		minor_status, local_result,
363		GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME);
364	0	major_status = GSS_S_BAD_NAME;
365
366	0	goto release_name_out;
367		}
368	52	output_name->x509n_oneline =
369		X509_NAME_oneline(output_name->x509n, NULL, 0);
370	52	if (output_name->x509n_oneline == NULL)
371		{
372	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
373	0	major_status = GSS_S_FAILURE;
374
375	0	goto release_name_out;
376		}
377	52	major_status = gss_l_resolve_ip(minor_status, output_name);
378		}
379	3980	else if (g_OID_equal(GLOBUS_GSS_C_NT_X509, input_name_type))
380		{
381		X509_NAME * n;
382	1990	X509 * x509_input = input_name_buffer->value;
383		GENERAL_NAMES * subject_alt_name;
384		int idx;
385
386		/* Extract SubjectName if present */
387	1990	if ((n = X509_get_subject_name(x509_input)) != NULL)
388		{
389	1990	X509_NAME_free(output_name->x509n);
390
391	1990	output_name->x509n = X509_NAME_dup(n);
392	1990	if (output_name->x509n == NULL)
393		{
394	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
395	0	major_status = GSS_S_FAILURE;
396
397	0	goto release_name_out;
398		}
399	1990	output_name->x509n_oneline =
400		X509_NAME_oneline(output_name->x509n, NULL, 0);
401	1990	if (output_name->x509n_oneline == NULL)
402		{
403	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
404	0	major_status = GSS_S_FAILURE;
405
406	0	goto release_name_out;
407		}
408	1990	output_name->host_name =
409		(char *) globus_i_gsi_gssapi_get_hostname(output_name);
410	1990	if (output_name->host_name == NULL)
411		{
412	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
413	0	major_status = GSS_S_FAILURE;
414
415	0	goto release_name_out;
416		}
417		}
418
419		/* Extract subjectAltName if present */
420	1990	idx = -1;
421	1990	for (idx = X509_get_ext_by_NID(x509_input, NID_subject_alt_name, idx);
422	4028	idx != -1;
423	48	idx = X509_get_ext_by_NID(x509_input, NID_subject_alt_name, idx))
424		{
425		X509_EXTENSION * ext_value;
426
427	48	ext_value = X509_get_ext(x509_input, idx);
428	48	if (!ext_value)
429		{
430	0	continue;
431		}
432	48	subject_alt_name = X509V3_EXT_d2i(ext_value);
433	48	if (!subject_alt_name)
434		{
435	0	continue;
436		}
437
438	48	output_name->subjectAltNames =
439		sk_GENERAL_NAME_dup(subject_alt_name);
440	48	sk_GENERAL_NAME_free(subject_alt_name);
441	48	if (output_name->subjectAltNames == NULL)
442		{
443	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
444	0	major_status = GSS_S_FAILURE;
445
446	0	goto release_name_out;
447		}
448		}
449		}
450		else
451		{
452	0	GLOBUS_GSI_GSSAPI_ERROR_RESULT(
453		minor_status,
454		GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME,
455		(_GGSL("Bad name type")));
456
457	0	major_status = GSS_S_BAD_NAMETYPE;
458
459	0	goto release_name_out;
460		}
461
462	2310	if (major_status != GSS_S_COMPLETE)
463		{
464		OM_uint32 dummy;
465	2	release_name_out:
466	2	gss_release_name(&dummy, &output_name);
467		}
468
469	2312	*output_name_P = output_name;
470
471	2318	out:
472
473	2318	GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
474	2318	return major_status;
475		}
476		/* gss_import_name */
477
478
479		static
480		OM_uint32
481		gss_l_resolve_ip(
482		OM_uint32 * minor_status,
483		gss_name_desc * name)
484	52	{
485		char realhostname[NI_MAXHOST + 1];
486		OM_uint32 major_status;
487	52	globus_result_t result = GLOBUS_SUCCESS;
488		globus_addrinfo_t hints;
489	52	globus_addrinfo_t * addrinfo = NULL;
490		static char * _function_name_ = "gss_l_resolve_ip";
491
492	52	major_status = GSS_S_COMPLETE;
493
494	52	memset(&hints, 0, sizeof(globus_addrinfo_t));
495	52	hints.ai_family = PF_UNSPEC;
496	52	hints.ai_socktype = SOCK_STREAM;
497	52	hints.ai_protocol = 0;
498
499		/*
500		* Hostname is an ip address: do a non-canonname getaddrinfo to get
501		* the sockaddr, then getnameinfo to get the canonical hostname from that
502		* address
503		*/
504	52	hints.ai_flags = GLOBUS_AI_NUMERICHOST;
505	52	result = globus_libc_getaddrinfo(name->ip_address, NULL, &hints, &addrinfo);
506
507	52	if (result == GLOBUS_SUCCESS)
508		{
509	52	if (addrinfo == NULL || addrinfo->ai_addr == NULL)
510		{
511		goto error_exit;
512		}
513
514		/*
515		* For connections to localhost, check for certificate
516		* matching our real hostname, not "localhost"
517		*/
518	52	if (globus_libc_addr_is_loopback(
519		(const globus_sockaddr_t *) addrinfo->ai_addr) == GLOBUS_TRUE)
520		{
521	0	globus_libc_gethostname(
522		realhostname, sizeof(realhostname) - 1);
523		}
524		else
525		{
526		/* use GLOBUS_NI_NAMEREQD to fail if address can't be looked up?
527		* if not, realhostname will just be the same ip address
528		* we pass in */
529	52	result = globus_libc_getnameinfo(
530		(const globus_sockaddr_t *) addrinfo->ai_addr,
531		realhostname,
532		sizeof(realhostname) - 1,
533		NULL,
534		0,
535		0);
536	52	if(result != GLOBUS_SUCCESS)
537		{
538	0	goto error_exit;
539		}
540		}
541		}
542		else
543		{
544	0	goto error_exit;
545		}
546
547	52	name->ip_name = globus_libc_strdup(realhostname);
548	52	if (name->ip_name == NULL)
549		{
550	0	GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
551	0	major_status = GSS_S_FAILURE;
552		}
553
554	52	error_exit:
555	52	if (addrinfo != NULL)
556		{
557	52	globus_libc_freeaddrinfo(addrinfo);
558		}
559	52	return major_status;
560		}