X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=gssapiP_eap.h;h=de45508635b06036cf9b918d4f40a8dac83b86ca;hb=15c93f06ee6ddefa7e7b095351f6e66698c7cc9e;hp=4e34b78638b9cdc474431d7d7523e28091f5df52;hpb=e60dc6fcc9eeb05e284b3fa085420c59c8586231;p=mech_eap.git diff --git a/gssapiP_eap.h b/gssapiP_eap.h index 4e34b78..de45508 100644 --- a/gssapiP_eap.h +++ b/gssapiP_eap.h @@ -33,52 +33,76 @@ #ifndef _GSSAPIP_EAP_H_ #define _GSSAPIP_EAP_H_ 1 +#include "config.h" #include #include #include #include #include #include +#include /* GSS includes */ #include +#include #include #include "gssapi_eap.h" -#include "util.h" -/* EAP includes */ +/* Kerberos includes */ +#include + +/* EAP includes (not C++ clean) */ +#ifndef __cplusplus #include #include #include -#include /* XXX testing implementation only */ +#include #include +#endif + +/* Workaround for FreeRADIUS not being C++ clean */ +#ifdef __cplusplus +extern "C" { +#define operator fr_operator +#endif +#include +#include +#include +#include +#ifdef __cplusplus +#undef operator +} +#endif + +#include "gsseap_err.h" +#include "radsec_err.h" +#include "util.h" -/* Kerberos includes */ -#include +#ifdef __cplusplus +extern "C" { +#endif +/* These name flags are informative and not actually used by anything yet */ #define NAME_FLAG_NAI 0x00000001 #define NAME_FLAG_SERVICE 0x00000002 -#define NAME_FLAG_SAML 0x00000010 -#define NAME_FLAG_RADIUS 0x00000020 - -#define NAME_HAS_ATTRIBUTES(name) ((name)->flags & \ - (NAME_FLAG_SAML | NAME_FLAG_RADIUS)) +#define NAME_FLAG_COMPOSITE 0x00000004 -struct eap_gss_saml_assertion; -struct eap_gss_avp_list; +struct gss_eap_saml_attr_ctx; +struct gss_eap_attr_ctx; struct gss_name_struct { - GSSEAP_MUTEX mutex; /* mutex protecting attributes */ + GSSEAP_MUTEX mutex; /* mutex protects attrCtx */ OM_uint32 flags; krb5_principal krbPrincipal; /* this is immutable */ - struct eap_gss_saml_assertion *assertion; - struct eap_gss_avp_list *avps; + struct gss_eap_attr_ctx *attrCtx; }; -#define CRED_FLAG_INITIATE 0x00000001 -#define CRED_FLAG_ACCEPT 0x00000002 -#define CRED_FLAG_DEFAULT_IDENTITY 0x00000004 -#define CRED_FLAG_PASSWORD 0x00000008 +#define CRED_FLAG_INITIATE 0x00010000 +#define CRED_FLAG_ACCEPT 0x00020000 +#define CRED_FLAG_DEFAULT_IDENTITY 0x00040000 +#define CRED_FLAG_PASSWORD 0x00080000 +#define CRED_FLAG_DEFAULT_CCACHE 0x00100000 +#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF struct gss_cred_id_struct { GSSEAP_MUTEX mutex; @@ -87,18 +111,28 @@ struct gss_cred_id_struct { gss_buffer_desc password; gss_OID_set mechanisms; time_t expiryTime; + char *radiusConfigFile; + char *radiusConfigStanza; +#ifdef GSSEAP_ENABLE_REAUTH + krb5_ccache krbCredCache; + gss_cred_id_t krbCred; +#endif }; #define CTX_FLAG_INITIATOR 0x00000001 +#define CTX_FLAG_KRB_REAUTH_GSS 0x00000002 #define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0) -enum eap_gss_state { - EAP_STATE_AUTHENTICATE = 0, - EAP_STATE_KEY_TRANSPORT, - EAP_STATE_SECURE_ASSOCIATION, - EAP_STATE_GSS_CHANNEL_BINDINGS, - EAP_STATE_ESTABLISHED +enum gss_eap_state { + EAP_STATE_IDENTITY = 0, + EAP_STATE_AUTHENTICATE, + EAP_STATE_EXTENSIONS_REQ, + EAP_STATE_EXTENSIONS_RESP, + EAP_STATE_ESTABLISHED, +#ifdef GSSEAP_ENABLE_REAUTH + EAP_STATE_KRB_REAUTH_GSS +#endif }; #define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == EAP_STATE_ESTABLISHED) @@ -113,39 +147,50 @@ enum eap_gss_state { #define CTX_FLAG_EAP_PORT_ENABLED 0x00400000 #define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000 #define CTX_FLAG_EAP_ALT_REJECT 0x01000000 +#define CTX_FLAG_EAP_MASK 0xFFFF0000 -struct eap_gss_initiator_ctx { +struct gss_eap_initiator_ctx { + gss_cred_id_t defaultCred; unsigned int idleWhile; +#ifndef __cplusplus struct eap_peer_config eapPeerConfig; struct eap_sm *eap; struct wpabuf reqData; +#endif }; -struct eap_gss_acceptor_ctx { - struct eap_eapol_interface *eapPolInterface; - void *tlsContext; - struct eap_sm *eap; +struct gss_eap_acceptor_ctx { + struct rs_handle *radHandle; + struct rs_connection *radConn; + char *radServer; + gss_buffer_desc state; + VALUE_PAIR *vps; }; struct gss_ctx_id_struct { GSSEAP_MUTEX mutex; - enum eap_gss_state state; + enum gss_eap_state state; OM_uint32 flags; OM_uint32 gssFlags; gss_OID mechanismUsed; + krb5_cksumtype checksumType; krb5_enctype encryptionType; krb5_keyblock rfc3961Key; gss_name_t initiatorName; gss_name_t acceptorName; time_t expiryTime; + uint64_t sendSeq, recvSeq; + void *seqState; union { - struct eap_gss_initiator_ctx initiator; + struct gss_eap_initiator_ctx initiator; #define initiatorCtx ctxU.initiator - struct eap_gss_acceptor_ctx acceptor; + struct gss_eap_acceptor_ctx acceptor; #define acceptorCtx ctxU.acceptor +#ifdef GSSEAP_ENABLE_REAUTH + gss_ctx_id_t kerberos; + #define kerberosCtx ctxU.kerberos +#endif } ctxU; - uint64_t sendSeq, recvSeq; - void *seqState; }; #define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01 @@ -176,5 +221,32 @@ gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status, int iov_count, enum gss_eap_token_type toktype); +OM_uint32 +gssEapWrapIovLength(OM_uint32 *minor, + gss_ctx_id_t ctx, + int conf_req_flag, + gss_qop_t qop_req, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count); +OM_uint32 +gssEapWrap(OM_uint32 *minor, + gss_ctx_id_t ctx, + int conf_req_flag, + gss_qop_t qop_req, + gss_buffer_t input_message_buffer, + int *conf_state, + gss_buffer_t output_message_buffer); + +unsigned char +rfc4121Flags(gss_ctx_id_t ctx, int receiving); + +/* display_status.c */ +void +gssEapSaveStatusInfo(OM_uint32 minor, const char *format, ...); + +#ifdef __cplusplus +} +#endif #endif /* _GSSAPIP_EAP_H_ */