| blob | 30e1058116edf6620d83aabcc9cebe63b8a4df2d |
1 /*
2 * Copyright (C) 2007 Free Software Foundation
3 * Author: Simon Josefsson
4 *
5 * This file is part of GNUTLS.
6 *
7 * The GNUTLS library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
20 * USA
21 *
22 */
24 /*
25 * This file implements the authz extensions in
26 * draft-housley-tls-authz-extns-07 using the supplemental handshake
27 * record type, which see RFC 4680 and gnutls_supplemental.c.
28 *
29 * There are three parts of this file. The first is the client hello
30 * and server hello extensions, which are used to negotiate use of
31 * supplemental authz data. If they successfully negotiate that the
32 * client will send some format(s) and/or the server will send some
33 * format(s), this will request that gnutls_handshake() invoke a
34 * supplemental phase in the corresponding direction.
35 *
36 * It may be possible that client authz data format type negotiation
37 * fails, but server authz data format type negotiation succeeds. In
38 * that case, only the server will send supplemental data, and the
39 * client will only expect to receive supplemental data.
40 *
41 * The second part is parsing and generating the authz supplemental
42 * data itself, by using the callbacks.
43 *
44 * The third part is the public APIs for use in the callbacks, and of
45 * course gnutls_authz_enable() to request that authz should be used.
46 */
52 #include <ext_authz.h>
54 static int
58 {
64 }
66 static int
71 {
77 {
80 }
83 data_size--;
86 {
89 }
93 {
97 }
98 else
99 {
102 in++;
103 }
107 }
109 static int
114 {
122 /* Make room for size. */
127 {
132 }
137 }
139 int
143 {
153 {
155 {
157 session);
159 }
160 else
162 }
165 }
167 int
171 {
176 /* Should we be sending this? */
179 {
182 }
187 {
189 session);
191 }
194 }
196 int
200 {
210 {
212 {
214 session);
216 }
217 else
219 }
222 }
224 int
228 {
233 /* Should we be sending this? */
236 {
239 }
244 {
246 session);
248 }
251 }
253 int
257 {
265 gnutls_authz_recv_callback_func callback =
269 {
272 }
274 /* XXX Will there be more than one data item for each authz format?
275 If so, we can't know the maximum size of the list of authz data,
276 so replace the static arrays with dynamically allocated lists.
277 Let's worry about that when someone reports it. */
280 do
281 {
303 {
311 else
312 {
315 }
316 p++;
326 }
327 else
328 {
332 }
334 i++;
337 {
340 }
341 }
347 }
349 int
352 {
357 gnutls_authz_send_callback_func callback =
364 {
367 }
373 {
376 }
380 {
383 }
388 }
390 static int
394 gnutls_authz_data_format_type_t format,
395 gnutls_mac_algorithm_t hash_type,
397 {
404 {
407 }
410 {
413 }
423 {
426 }
430 {
433 }
436 {
444 {
447 }
451 {
454 }
455 }
458 }
460 /**
461 * gnutls_authz_send_x509_attr_cert:
462 * @session: is a #gnutls_session_t structure.
463 * @data: buffer with a X.509 attribute certificate.
464 * @len: length of buffer.
465 *
466 * Send a X.509 attribute certificate as authorization data. This
467 * function may only be called inside a @send_callback set by
468 * gnutls_authz_enable().
469 *
470 * Returns: Returns 0 on success, or an error code on failures. If
471 * the supplied data was too long (the authorization extension only
472 * support 64kb large attribute certificates),
473 * %GNUTLS_E_INVALID_REQUEST is returned.
474 **/
475 int
479 {
481 }
483 /**
484 * gnutls_authz_send_saml_assertion:
485 * @session: is a #gnutls_session_t structure.
486 * @data: buffer with a SAML assertion.
487 * @len: length of buffer.
488 *
489 * Send a SAML assertion as authorization data. This function may
490 * only be called inside a @send_callback set by
491 * gnutls_authz_enable().
492 *
493 * Returns: Returns 0 on success, or an error code on failures. If
494 * the supplied data was too long (the authorization extension only
495 * support 64kb large SAML assertions), %GNUTLS_E_INVALID_REQUEST is
496 * returned.
497 **/
498 int
502 {
504 }
506 /**
507 * gnutls_authz_send_x509_attr_cert_url:
508 * @session: is a #gnutls_session_t structure.
509 * @url: buffer with a URL pointing to X.509 attribute certificate.
510 * @urllen: length of buffer.
511 * @hash_type: type of hash in @hash.
512 * @hash: buffer with hash of URL target.
513 *
514 * Send a URL to an X.509 attribute certificate as authorization data,
515 * including a hash used to make sure the retrieved data was the
516 * intended data. This function may only be called inside a
517 * @send_callback set by gnutls_authz_enable().
518 *
519 * Returns: Returns 0 on success, or an error code on failures. If
520 * the supplied data was too long (the authorization extension only
521 * support 64kb large URLs), %GNUTLS_E_INVALID_REQUEST is returned.
522 **/
523 int
527 gnutls_mac_algorithm_t hash_type,
529 {
532 }
534 /**
535 * gnutls_authz_send_saml_assertion_url:
536 * @session: is a #gnutls_session_t structure.
537 * @url: buffer with a URL pointing to a SAML assertion.
538 * @urllen: length of buffer.
539 * @hash_type: type of hash in @hash.
540 * @hash: buffer with hash of URL target.
541 *
542 * Send a URL to a SAML assertion as authorization data, including a
543 * hash used to make sure the retrieved data was the intended data.
544 * This function may only be called inside a @send_callback set by
545 * gnutls_authz_enable().
546 *
547 * Returns: Returns 0 on success, or an error code on failures. If
548 * the supplied data was too long (the authorization extension only
549 * support 64kb large URLs), %GNUTLS_E_INVALID_REQUEST is returned.
550 **/
551 int
555 gnutls_mac_algorithm_t hash_type,
557 {
560 }
562 /**
563 * gnutls_authz_enable:
564 * @session: is a #gnutls_session_t structure.
565 * @client_formats: zero-terminated list of
566 * #gnutls_authz_data_format_type_t elements with authorization
567 * data formats.
568 * @server_formats: zero-terminated list of
569 * #gnutls_authz_data_format_type_t elements with authorization
570 * data formats.
571 * @recv_callback: your callback function which will receive
572 * authz information when it is received.
573 * @send_callback: your callback function which is responsible for
574 * generating authorization data to send.
575 *
576 * Indicate willingness to send and receive authorization data, and
577 * which formats.
578 *
579 * For clients, @client_formats indicate which formats the client is
580 * willing to send, and @server_formats indicate which formats the
581 * client can receive.
582 *
583 * For servers, @client_formats indicate which formats the server is
584 * willing to accept from the client, and @server_formats indicate
585 * which formats the server is willing to send. Before the list is
586 * sent to the client, the formats which the client do not support are
587 * removed. If no supported formats remains, either or both of the
588 * extensions will not be sent.
589 *
590 * The @send_callback is invoked during the handshake if negotiation
591 * of the authorization extension was successful. The function
592 * prototype is:
593 *
594 * int (*gnutls_authz_send_callback_func) (gnutls_session_t @session,
595 * const int *@client_formats, const int *@server_formats);
596 *
597 * The @client_format contains a list of successfully negotiated
598 * formats which the client may send data for to the server. The
599 * @server_formats contains a list of successfully neogitated formats
600 * which the server may send data for to the client. The callback is
601 * supposed to invoke gnutls_authz_send_x509_attr_cert(),
602 * gnutls_authz_send_saml_assertion(),
603 * gnutls_authz_send_x509_attr_cert_url(), or
604 * gnutls_authz_send_saml_assertion_url() for the data it wishes to
605 * send, passing along the @session parameter, and the data. The
606 * @client_format function should return 0 on success, or an error
607 * code, which may be used to abort the handshake on failures.
608 *
609 * The @recv_callback is invoked during the handshake when
610 * authorization data is received. The prototype of the callback
611 * should be:
612 *
613 * int (*gnutls_authz_recv_callback_func) (gnutls_session_t session,
614 * const char *authz_formats, gnutls_datum_t *datums);
615 *
616 * The @authz_formats contains a list of formats for which data where
617 * received. The data for each format is stored in the @datums array,
618 * where the data associated with the @authz_formats[0] format is
619 * stored in @datums[0]. The function should return 0 on success, but
620 * may return an error, which may cause the handshake to abort.
621 *
622 * Note that there is no guarantee that @send_callback or
623 * @recv_callback is invoked just because gnutls_authz_enable was
624 * invoked. Whether the callbacks are invoked depend on whether
625 * negotiation of the extension succeeds. Therefor, if verification
626 * of authorization data is done by the @recv_callback, care should be
627 * made that if the callback is never invoked, it is not interpretetd
628 * as successful authorization verification. It is suggested to add
629 * some logic check whether authorization data was successfully
630 * verified after the call to gnutls_handshake(). That logic could
631 * shut down the connection if the authorization data is insufficient.
632 *
633 * This function have no effect if it is called during a handshake.
634 **/
635 void
639 gnutls_authz_recv_callback_func recv_callback,
640 gnutls_authz_send_callback_func send_callback)
641 {
656 else
664 else
669 }