typedef const gss_OID_desc *gss_const_OID;
#endif
+#ifndef GSS_IOV_BUFFER_TYPE_MIC_TOKEN
+#define GSS_IOV_BUFFER_TYPE_MIC_TOKEN 12 /* MIC token destination */
+#endif
+
/* Kerberos headers */
#include <krb5.h>
+#ifdef HAVE_HEIMDAL_VERSION
+#include <com_err.h>
+#else
+#include <et/com_err.h>
+#endif
/* EAP headers */
#include <includes.h>
#include <wpabuf.h>
#ifdef GSSEAP_ENABLE_ACCEPTOR
-/* FreeRADIUS headers */
-#ifdef __cplusplus
-extern "C" {
-#ifndef WIN32
-#define operator fr_operator
-#endif
-#endif
-#include <freeradius/libradius.h>
-#include <freeradius/radius.h>
-
-#undef pid_t
-
/* libradsec headers */
#include <radsec/radsec.h>
#include <radsec/request.h>
-#ifdef __cplusplus
-#ifndef WIN32
-#undef operator
+#include <radsec/radius.h>
#endif
-}
-#endif
-#endif /* GSSEAP_ENABLE_ACCEPTOR */
+#ifndef HAVE_HEIMDAL_VERSION
+#include "gssapi_headerfix.h"
+#endif
#include "gsseap_err.h"
#include "radsec_err.h"
#include "util.h"
#define CRED_FLAG_DEFAULT_CCACHE 0x00080000
#define CRED_FLAG_RESOLVED 0x00100000
#define CRED_FLAG_TARGET 0x00200000
+#define CRED_FLAG_CERTIFICATE 0x00400000
+#define CRED_FLAG_CONFIG_BLOB 0x00800000
#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF
#ifdef HAVE_HEIMDAL_VERSION
gss_buffer_desc caCertificate;
gss_buffer_desc subjectNameConstraint;
gss_buffer_desc subjectAltNameConstraint;
+ gss_buffer_desc clientCertificate;
+ gss_buffer_desc privateKey;
+ gss_buffer_desc caCertificateBlob;
#ifdef GSSEAP_ENABLE_REAUTH
krb5_ccache krbCredCache;
gss_cred_id_t reauthCred;
#define CTX_FLAG_INITIATOR 0x00000001
#define CTX_FLAG_KRB_REAUTH 0x00000002
+#define CTX_FLAG_CHANNEL_BINDINGS_VERIFIED 0x00000004
#define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
#define CTX_FLAG_EAP_PORT_ENABLED 0x00400000
#define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000
#define CTX_FLAG_EAP_ALT_REJECT 0x01000000
+#define CTX_FLAG_EAP_CHBIND_ACCEPT 0x02000000
+#define CTX_FLAG_EAP_TRIGGER_START 0x04000000
#define CTX_FLAG_EAP_MASK 0xFFFF0000
+#define CONFIG_BLOB_CLIENT_CERT 0
+#define CONFIG_BLOB_PRIVATE_KEY 1
+#define CONFIG_BLOB_CA_CERT 2
+#define CONFIG_BLOB_MAX 3
+
struct gss_eap_initiator_ctx {
unsigned int idleWhile;
struct eap_peer_config eapPeerConfig;
struct eap_sm *eap;
struct wpabuf reqData;
+ struct wpabuf *chbindData;
+ unsigned int chbindReqFlags;
+ struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX];
};
#ifdef GSSEAP_ENABLE_ACCEPTOR
struct rs_connection *radConn;
char *radServer;
gss_buffer_desc state;
- VALUE_PAIR *vps;
+ rs_avp *vps;
};
#endif
const struct gss_eap_token_buffer_set *outputTokens;
};
+
#define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01
#define TOK_FLAG_WRAP_CONFIDENTIAL 0x02
#define TOK_FLAG_ACCEPTOR_SUBKEY 0x04
#define KEY_USAGE_INITIATOR_SEAL 24
#define KEY_USAGE_INITIATOR_SIGN 25
+#define KEY_USAGE_GSSEAP_CHBIND_MIC 60
+#define KEY_USAGE_GSSEAP_ACCTOKEN_MIC 61
+#define KEY_USAGE_GSSEAP_INITOKEN_MIC 62
+
/* accept_sec_context.c */
OM_uint32
gssEapAcceptSecContext(OM_uint32 *minor,
gssEapInitSecContext(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target_name,
+ gss_const_name_t target_name,
gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
OM_uint32
gssEapWrapIovLength(OM_uint32 *minor,
- gss_ctx_id_t ctx,
+ gss_const_ctx_id_t ctx,
int conf_req_flag,
gss_qop_t qop_req,
int *conf_state,
gss_iov_buffer_desc *iov,
- int iov_count);
+ int iov_count,
+ enum gss_eap_token_type tokType);
+
OM_uint32
gssEapWrap(OM_uint32 *minor,
gss_ctx_id_t ctx,
gss_buffer_t output_message_buffer);
unsigned char
-rfc4121Flags(gss_ctx_id_t ctx, int receiving);
+rfc4121Flags(gss_const_ctx_id_t ctx, int receiving);
/* display_status.c */
void
OM_uint32 status_value,
gss_buffer_t status_string);
-#define IS_WIRE_ERROR(err) ((err) > GSSEAP_RESERVED && \
+#define IS_WIRE_ERROR(err) ((err) >= GSSEAP_RESERVED && \
(err) <= GSSEAP_RADIUS_PROT_FAILURE)
-/* upper bound of RADIUS error range must be kept in sync with radsec.h */
+#ifdef GSSEAP_ENABLE_ACCEPTOR
#define IS_RADIUS_ERROR(err) ((err) >= ERROR_TABLE_BASE_rse && \
- (err) <= ERROR_TABLE_BASE_rse + 20)
+ (err) <= ERROR_TABLE_BASE_rse + RSE_MAX)
+#else
+#define IS_RADIUS_ERROR(err) (0)
+#endif
/* exchange_meta_data.c */
OM_uint32 GSSAPI_CALLCONV
/* pseudo_random.c */
OM_uint32
gssEapPseudoRandom(OM_uint32 *minor,
- gss_ctx_id_t ctx,
+ gss_const_ctx_id_t ctx,
int prf_key,
const gss_buffer_t prf_in,
- ssize_t desired_output_len,
gss_buffer_t prf_out);
/* query_mechanism_info.c */
void
gssEapFinalize(void);
+/* Debugging and tracing */
+
+static inline void
+gssEapTraceStatus(const char *function,
+ OM_uint32 major,
+ OM_uint32 minor)
+{
+ gss_buffer_desc gssErrorCodeBuf = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc gssMechBuf = GSS_C_EMPTY_BUFFER;
+ OM_uint32 tmpMajor, tmpMinor;
+ OM_uint32 messageCtx = 0;
+
+ tmpMajor = gss_display_status(&tmpMinor, major,
+ GSS_C_GSS_CODE, GSS_C_NO_OID,
+ &messageCtx, &gssErrorCodeBuf);
+ if (!GSS_ERROR(tmpMajor)) {
+ if (minor == 0)
+ tmpMajor = makeStringBuffer(&tmpMinor, "no minor", &gssMechBuf);
+ else
+ tmpMajor = gssEapDisplayStatus(&tmpMinor, minor, &gssMechBuf);
+ }
+
+ if (!GSS_ERROR(tmpMajor))
+ wpa_printf(MSG_INFO, "%s: %.*s/%.*s",
+ function,
+ (int)gssErrorCodeBuf.length, (char *)gssErrorCodeBuf.value,
+ (int)gssMechBuf.length, (char *)gssMechBuf.value);
+ else
+ wpa_printf(MSG_INFO, "%s: %u/%u",
+ function, major, minor);
+
+ gss_release_buffer(&tmpMinor, &gssErrorCodeBuf);
+ gss_release_buffer(&tmpMinor, &gssMechBuf);
+}
+
+/* If built as a library on Linux, don't respect environment when set*uid */
+#ifdef HAVE_SECURE_GETENV
+#define getenv secure_getenv
+#endif
+
#ifdef __cplusplus
}
#endif