X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=gssapiP_eap.h;h=0cf0cb9ea3f8484d69415c4d7ea621f0d198e15e;hb=11f9efdde75b31b6d4b78ff04618cebd4b4496f4;hp=bc87bc5e1e0dd8f8af198e8ca3b519272c482d20;hpb=042d1d1dd0638c46343eff7078de4b4b5a9e737d;p=mech_eap.git diff --git a/gssapiP_eap.h b/gssapiP_eap.h index bc87bc5..0cf0cb9 100644 --- a/gssapiP_eap.h +++ b/gssapiP_eap.h @@ -33,59 +33,105 @@ #ifndef _GSSAPIP_EAP_H_ #define _GSSAPIP_EAP_H_ 1 +#include "config.h" #include #include #include +#include +#include #include +#include /* GSS includes */ #include +#include #include #include "gssapi_eap.h" -#include "util.h" -/* EAP includes */ -#define IEEE8021X_EAPOL 1 +/* Kerberos includes */ +#include +/* EAP includes (not C++ clean) */ +#ifndef __cplusplus #include #include #include +#include #include +#endif + +/* Workaround for FreeRADIUS not being C++ clean */ +#ifdef __cplusplus +extern "C" { +#define operator fr_operator +#endif +#include +#include +#include +#include +#ifdef __cplusplus +#undef operator +} +#endif + +#include "gsseap_err.h" +#include "util.h" -/* Kerberos includes */ -#include +#ifdef __cplusplus +extern "C" { +#endif + +/* These name flags are informative and not actually used by anything yet */ +#define NAME_FLAG_NAI 0x00000001 +#define NAME_FLAG_SERVICE 0x00000002 +#define NAME_FLAG_COMPOSITE 0x00000004 + +struct gss_eap_saml_attr_ctx; +struct gss_eap_attr_ctx; struct gss_name_struct { - GSSEAP_MUTEX mutex; + GSSEAP_MUTEX mutex; /* mutex protects attrCtx */ OM_uint32 flags; - krb5_principal kerberosName; - void *aaa; - void *assertion; + krb5_principal krbPrincipal; /* this is immutable */ + struct gss_eap_attr_ctx *attrCtx; }; -#define CRED_FLAG_INITIATOR 0x00000001 -#define CRED_FLAG_ACCEPTOR 0x00000002 -#define CRED_FLAG_DEFAULT_IDENTITY 0x00000004 -#define CRED_FLAG_PASSWORD 0x00000008 +#define CRED_FLAG_INITIATE 0x00010000 +#define CRED_FLAG_ACCEPT 0x00020000 +#define CRED_FLAG_DEFAULT_IDENTITY 0x00040000 +#define CRED_FLAG_PASSWORD 0x00080000 +#define CRED_FLAG_DEFAULT_CCACHE 0x00100000 +#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF struct gss_cred_id_struct { GSSEAP_MUTEX mutex; OM_uint32 flags; gss_name_t name; gss_buffer_desc password; + gss_OID_set mechanisms; time_t expiryTime; + char *radiusConfigFile; + char *radiusConfigStanza; +#ifdef GSSEAP_ENABLE_REAUTH + krb5_ccache krbCredCache; + gss_cred_id_t krbCred; +#endif }; #define CTX_FLAG_INITIATOR 0x00000001 +#define CTX_FLAG_KRB_REAUTH_GSS 0x00000002 #define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0) -enum eap_gss_state { - EAP_STATE_AUTHENTICATE = 1, - EAP_STATE_KEY_TRANSPORT, - EAP_STATE_SECURE_ASSOCIATION, - EAP_STATE_GSS_CHANNEL_BINDINGS, - EAP_STATE_ESTABLISHED +enum gss_eap_state { + EAP_STATE_IDENTITY = 0, + EAP_STATE_AUTHENTICATE, + EAP_STATE_EXTENSIONS_REQ, + EAP_STATE_EXTENSIONS_RESP, + EAP_STATE_ESTABLISHED, +#ifdef GSSEAP_ENABLE_REAUTH + EAP_STATE_KRB_REAUTH_GSS +#endif }; #define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == EAP_STATE_ESTABLISHED) @@ -100,49 +146,60 @@ enum eap_gss_state { #define CTX_FLAG_EAP_PORT_ENABLED 0x00400000 #define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000 #define CTX_FLAG_EAP_ALT_REJECT 0x01000000 +#define CTX_FLAG_EAP_MASK 0xFFFF0000 -struct eap_gss_initiator_ctx { - struct wpabuf *eapReqData; +struct gss_eap_initiator_ctx { + gss_cred_id_t defaultCred; unsigned int idleWhile; - struct eap_peer_config eapConfig; +#ifndef __cplusplus + struct eap_peer_config eapPeerConfig; struct eap_sm *eap; + struct wpabuf reqData; +#endif }; -/* Acceptor context flags */ -struct eap_gss_acceptor_ctx { +struct gss_eap_acceptor_ctx { + struct rs_handle *radHandle; + struct rs_connection *radConn; + char *radServer; + gss_buffer_desc state; + VALUE_PAIR *vps; }; struct gss_ctx_id_struct { GSSEAP_MUTEX mutex; - enum eap_gss_state state; + enum gss_eap_state state; OM_uint32 flags; OM_uint32 gssFlags; - krb5_context kerberosCtx; gss_OID mechanismUsed; - krb5_enctype encryptionType; krb5_cksumtype checksumType; - krb5_keyblock *rfc3961Key; + krb5_enctype encryptionType; + krb5_keyblock rfc3961Key; gss_name_t initiatorName; gss_name_t acceptorName; time_t expiryTime; + uint64_t sendSeq, recvSeq; + void *seqState; union { - struct eap_gss_initiator_ctx initiator; + struct gss_eap_initiator_ctx initiator; #define initiatorCtx ctxU.initiator - struct eap_gss_acceptor_ctx acceptor; + struct gss_eap_acceptor_ctx acceptor; #define acceptorCtx ctxU.acceptor +#ifdef GSSEAP_ENABLE_REAUTH + gss_ctx_id_t kerberos; + #define kerberosCtx ctxU.kerberos +#endif } ctxU; - uint64_t sendSeq, recvSeq; - void *seqState; }; #define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01 #define TOK_FLAG_WRAP_CONFIDENTIAL 0x02 #define TOK_FLAG_ACCEPTOR_SUBKEY 0x04 -#define KEY_USAGE_ACCEPTOR_SEAL 512 -#define KEY_USAGE_ACCEPTOR_SIGN 513 -#define KEY_USAGE_INITIATOR_SEAL 514 -#define KEY_USAGE_INITIATOR_SIGN 515 +#define KEY_USAGE_ACCEPTOR_SEAL 22 +#define KEY_USAGE_ACCEPTOR_SIGN 23 +#define KEY_USAGE_INITIATOR_SEAL 24 +#define KEY_USAGE_INITIATOR_SIGN 25 /* wrap_iov.c */ OM_uint32 @@ -163,5 +220,32 @@ gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status, int iov_count, enum gss_eap_token_type toktype); +OM_uint32 +gssEapWrapIovLength(OM_uint32 *minor, + gss_ctx_id_t ctx, + int conf_req_flag, + gss_qop_t qop_req, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count); +OM_uint32 +gssEapWrap(OM_uint32 *minor, + gss_ctx_id_t ctx, + int conf_req_flag, + gss_qop_t qop_req, + gss_buffer_t input_message_buffer, + int *conf_state, + gss_buffer_t output_message_buffer); + +unsigned char +rfc4121Flags(gss_ctx_id_t ctx, int receiving); + +/* display_status.c */ +void +gssEapSaveStatusInfo(OM_uint32 minor, const char *format, ...); + +#ifdef __cplusplus +} +#endif #endif /* _GSSAPIP_EAP_H_ */