X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=gssapiP_eap.h;h=c6c634e6f6cefd9f0a493a54d85e3a215a041f7b;hb=44923e0e7d9daa3c06e458112a618f4674fba464;hp=9bb77d3baaf224d1dbdf51b1158db78a3b305541;hpb=8df7533a16abccca7dd2c1a03582e3fe7e9c9aca;p=mech_eap.orig
diff --git a/gssapiP_eap.h b/gssapiP_eap.h
index 9bb77d3..c6c634e 100644
--- a/gssapiP_eap.h
+++ b/gssapiP_eap.h
@@ -33,56 +33,86 @@
 #ifndef _GSSAPIP_EAP_H_
 #define _GSSAPIP_EAP_H_ 1
+#include "config.h"
 #include
 #include
 #include
+#include
+#include
 #include
 /* GSS includes */
 #include
+#include
 #include
 #include "gssapi_eap.h"
-/* EAP includes */
-#define IEEE8021X_EAPOL 1
+/* Kerberos includes */
+#include
+/* EAP includes */
+#ifndef __cplusplus
 #include
 #include
 #include
+#include
 #include
+#endif
-/* Kerberos includes */
-#include
+#include
+#include
+
+#include "util.h"
+
+/* These name flags are informative and not actually used by anything yet */
+#define NAME_FLAG_NAI 0x00000001
+#define NAME_FLAG_SERVICE 0x00000002
+#define NAME_FLAG_COMPOSITE 0x00000004
+
+struct gss_eap_saml_attr_ctx;
+struct gss_eap_attr_ctx;
 struct gss_name_struct {
+ GSSEAP_MUTEX mutex; /* mutex protects attrCtx */
 OM_uint32 flags;
- krb5_principal kerberosName;
- void *aaa;
- void *assertion;
+ krb5_principal krbPrincipal; /* this is immutable */
+ struct gss_eap_attr_ctx *attrCtx;
 };
-#define CRED_FLAG_INITIATOR 0x00000001
-#define CRED_FLAG_ACCEPTOR 0x00000002
-#define CRED_FLAG_DEFAULT_IDENTITY 0x00000004
-#define CRED_FLAG_PASSWORD 0x00000008
+#define CRED_FLAG_INITIATE 0x00010000
+#define CRED_FLAG_ACCEPT 0x00020000
+#define CRED_FLAG_DEFAULT_IDENTITY 0x00040000
+#define CRED_FLAG_PASSWORD 0x00080000
+#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF
 struct gss_cred_id_struct {
+ GSSEAP_MUTEX mutex;
 OM_uint32 flags;
 gss_name_t name;
 gss_buffer_desc password;
+ gss_OID_set mechanisms;
 time_t expiryTime;
+ char *radiusConfigFile;
+#ifdef GSSEAP_ENABLE_REAUTH
+ krb5_ccache krbCredCache;
+ gss_cred_id_t krbCred;
+#endif
 };
 #define CTX_FLAG_INITIATOR 0x00000001
+#define CTX_FLAG_KRB_REAUTH_GSS 0x00000002
 #define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
-enum eap_gss_state {
- EAP_STATE_AUTHENTICATE = 1,
- EAP_STATE_KEY_TRANSPORT,
- EAP_STATE_SECURE_ASSOCIATION,
- EAP_STATE_GSS_CHANNEL_BINDINGS,
- EAP_STATE_ESTABLISHED
+enum gss_eap_state {
+ EAP_STATE_IDENTITY = 0,
+ EAP_STATE_AUTHENTICATE,
+ EAP_STATE_EXTENSIONS_REQ,
+ EAP_STATE_EXTENSIONS_RESP,
+ EAP_STATE_ESTABLISHED,
+#ifdef GSSEAP_ENABLE_REAUTH
+ EAP_STATE_KRB_REAUTH_GSS
+#endif
 };
 #define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == EAP_STATE_ESTABLISHED)
@@ -97,58 +127,60 @@ enum eap_gss_state {
 #define CTX_FLAG_EAP_PORT_ENABLED 0x00400000
 #define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000
 #define CTX_FLAG_EAP_ALT_REJECT 0x01000000
+#define CTX_FLAG_EAP_MASK 0xFFFF0000
-struct eap_gss_initiator_ctx {
- struct wpabuf *eapReqData;
+struct gss_eap_initiator_ctx {
+ gss_cred_id_t defaultCred;
 unsigned int idleWhile;
- struct eap_peer_config eapConfig;
+#ifndef __cplusplus
+ struct eap_peer_config eapPeerConfig;
 struct eap_sm *eap;
+ struct wpabuf reqData;
+#endif
 };
-/* Acceptor context flags */
-struct eap_gss_acceptor_ctx {
+struct gss_eap_acceptor_ctx {
+ rc_handle *radHandle;
+ int lastStatus;
+ VALUE_PAIR *avps;
+ gss_buffer_desc state;
 };
 struct gss_ctx_id_struct {
- enum eap_gss_state state;
+ GSSEAP_MUTEX mutex;
+ enum gss_eap_state state;
 OM_uint32 flags;
 OM_uint32 gssFlags;
- krb5_context kerberosCtx;
 gss_OID mechanismUsed;
- krb5_enctype encryptionType;
 krb5_cksumtype checksumType;
- krb5_keyblock *rfc3961Key;
+ krb5_enctype encryptionType;
+ krb5_keyblock rfc3961Key;
 gss_name_t initiatorName;
 gss_name_t acceptorName;
 time_t expiryTime;
+ uint64_t sendSeq, recvSeq;
+ void *seqState;
 union {
- struct eap_gss_initiator_ctx initiator;
+ struct gss_eap_initiator_ctx initiator;
 #define initiatorCtx ctxU.initiator
- struct eap_gss_acceptor_ctx acceptor;
+ struct gss_eap_acceptor_ctx acceptor;
 #define acceptorCtx ctxU.acceptor
+#ifdef GSSEAP_ENABLE_REAUTH
+ gss_ctx_id_t kerberos;
+ #define kerberosCtx ctxU.kerberos
+#endif
 } ctxU;
- uint64_t sendSeq, recvSeq;
- void *seqState;
 };
 #define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01
 #define TOK_FLAG_WRAP_CONFIDENTIAL 0x02
 #define TOK_FLAG_ACCEPTOR_SUBKEY 0x04
-#define KEY_USAGE_ACCEPTOR_SEAL 512
-#define KEY_USAGE_ACCEPTOR_SIGN 513
-#define KEY_USAGE_INITIATOR_SEAL 514
-#define KEY_USAGE_INITIATOR_SIGN 515
-
-enum gss_eap_token_type {
- TOK_TYPE_EAP_RESP = 0x0601,
- TOK_TYPE_EAP_REQ = 0x0602,
- TOK_TYPE_GSS_CB = 0x0603,
- TOK_TYPE_MIC = 0x0404,
- TOK_TYPE_WRAP = 0x0504,
- TOK_TYPE_DELETE = 0x0405,
- TOK_TYPE_NONE = 0xFFFF
-};
+#define KEY_USAGE_ACCEPTOR_SEAL 22
+#define KEY_USAGE_ACCEPTOR_SIGN 23
+#define KEY_USAGE_INITIATOR_SEAL 24
+#define KEY_USAGE_INITIATOR_SIGN 25
+#define KEY_USAGE_CHANNEL_BINDINGS 64
 /* wrap_iov.c */
 OM_uint32
@@ -169,7 +201,24 @@ gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status,
 int iov_count,
 enum gss_eap_token_type toktype);
-
-#include "util.h"
+OM_uint32
+gssEapWrapIovLength(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+OM_uint32
+gssEapWrap(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer);
+
+unsigned char
+rfc4121Flags(gss_ctx_id_t ctx, int receiving);
 #endif /* _GSSAPIP_EAP_H_ */
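Review bot: The `GSSEAP_MUTEX mutex` added to `gss_cred_id_struct` says nothing about what it guards, whereas the one added to `gss_name_struct` is annotated `/* mutex protects attrCtx */`; with `name`, `password`, `mechanisms`, `radiusConfigFile` and the reauth fields all potentially mutable, a comment naming the fields the lock covers would spare the next reader a search through every caller. `char *radiusConfigFile` likewise does not say whether the credential owns the string; a comment such as `/* owned; released with the credential */` (or the opposite, whichever the allocating code does) would settle it. `CRED_FLAG_PUBLIC_MASK 0x0000FFFF` against the internal flags in the high half is a clean split, but a one-line comment saying that the low half is presumably the bits a caller may supply would make the mask self-explaining.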
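Review bot: `struct gss_eap_initiator_ctx` now has members (`eapPeerConfig`, `eap`, `reqData`) that exist only when `__cplusplus` is undefined, so the size and layout of `ctxU` and of `gss_ctx_id_struct` differ between C and C++ translation units; that is only safe if every C++ unit treats `gss_ctx_id_t` as opaque and never allocates, copies or indexes it, and the guard should say so, e.g. `#ifndef __cplusplus /* C++ units must treat this struct as opaque: layout differs */`. `rfc3961Key` changes from `krb5_keyblock *` to an embedded `krb5_keyblock`, so on context deletion its contents must be released with `krb5_free_keyblock_contents()` rather than `krb5_free_keyblock()`, and since it is wrap-level key material it should be cleared before the context memory is freed; the deletion code is outside this diff, so confirm it was updated. The `enum gss_eap_token_type` definition is removed here while the `gssEapUnwrapOrVerifyMIC` prototype in the last hunk still names it; presumably it moved to util.h, which the new side now includes near the top — verify that ordering so the header still compiles on its own.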
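Review bot: The new prototypes `gssEapWrapIovLength`, `gssEapWrap` and `rfc4121Flags` carry no documentation; `rfc4121Flags(gss_ctx_id_t ctx, int receiving)` in particular leaves the meaning of `receiving` and of the returned byte unstated. A comment above it such as `/* TOK_FLAG_* byte for a token this context emits (receiving == 0) or expects from the peer (receiving != 0) */` would fix that, assuming the implementation in wrap_iov.c matches that reading. `gssEapWrap` and `gssEapWrapIovLength` would also benefit from a note that `conf_state` is an output parameter and who releases `output_message_buffer`.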