X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2FgssapiP_eap.h;h=1e8a3604f3c67c2e930834000409c2578ad036e3;hb=4f319dde67a76fe0aaf33f6d2788968012584ada;hp=43208a9a5acf31d592e1a8495cc9e4f6ba03ca75;hpb=a263a7b6fdb7061956823bf8d9cd0ae53c5916c4;p=mech_eap.git
diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h
index 43208a9..1e8a360 100644
--- a/mech_eap/gssapiP_eap.h
+++ b/mech_eap/gssapiP_eap.h
@@ -90,28 +90,11 @@ typedef const gss_OID_desc *gss_const_OID;
 #include
 #ifdef GSSEAP_ENABLE_ACCEPTOR
-/* FreeRADIUS headers */
-#ifdef __cplusplus
 extern "C" {
-#ifndef WIN32
-#define operator fr_operator
-#endif
-#endif
-#include
-#include
-
-#undef pid_t
-
 /* libradsec headers */
 #include
 #include
-#ifdef __cplusplus
-#ifndef WIN32
-#undef operator
+#include
 #endif
-}
-#endif
-#endif /* GSSEAP_ENABLE_ACCEPTOR */
 #include "gsseap_err.h"
 #include "radsec_err.h"
@@ -149,6 +132,9 @@ struct gss_name_struct
 #define CRED_FLAG_PASSWORD 0x00040000
 #define CRED_FLAG_DEFAULT_CCACHE 0x00080000
 #define CRED_FLAG_RESOLVED 0x00100000
+#define CRED_FLAG_TARGET 0x00200000
+#define CRED_FLAG_CERTIFICATE 0x00400000
+#define CRED_FLAG_CONFIG_BLOB 0x00800000
 #define CRED_FLAG_PUBLIC_MASK 0x0000FFFF
 #ifdef HAVE_HEIMDAL_VERSION
@@ -169,6 +155,9 @@ struct gss_cred_id_struct
 gss_buffer_desc caCertificate;
 gss_buffer_desc subjectNameConstraint;
 gss_buffer_desc subjectAltNameConstraint;
+gss_buffer_desc clientCertificate;
+gss_buffer_desc privateKey;
+gss_buffer_desc caCertificateBlob;
 #ifdef GSSEAP_ENABLE_REAUTH
 krb5_ccache krbCredCache;
 gss_cred_id_t reauthCred;
@@ -177,6 +166,7 @@ struct gss_cred_id_struct
 #define CTX_FLAG_INITIATOR 0x00000001
 #define CTX_FLAG_KRB_REAUTH 0x00000002
+#define CTX_FLAG_CHANNEL_BINDINGS_VERIFIED 0x00000004
 #define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
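Review bot: The surviving ` #endif` in the first hunk now closes `#ifdef GSSEAP_ENABLE_ACCEPTOR` instead of the removed `#ifndef WIN32`, but the annotation that used to mark that guard was deleted with `-#endif /* GSSEAP_ENABLE_ACCEPTOR */`; re-annotate it as `#endif /* GSSEAP_ENABLE_ACCEPTOR */` so a reader can see that the unconditional `#include "gsseap_err.h"` and `"radsec_err.h"` lines that follow are outside the guard. Dropping the `extern "C" {` wrapper around the acceptor headers also means the libradsec includes are no longer C-linkage-wrapped for C++ translation units; presumably the libradsec headers carry their own guards, but that is worth confirming before this header is consumed from C++.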
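Review bot: `gss_buffer_desc privateKey` in `struct gss_cred_id_struct` stores private key material in the credential handle, and the release path (outside this diff) should scrub the buffer before freeing it rather than relying on `gss_release_buffer`, which does not zero memory. A field comment such as `/* private key material; must be zeroized, not just freed, on release */` would make that contract visible to whoever maintains the credential release code. The same consideration applies to the `configBlobs[CONFIG_BLOB_MAX]` array added to `struct gss_eap_initiator_ctx` in a later hunk, which presumably holds copies of the same data for the EAP peer.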
@@ -192,13 +182,23 @@ struct gss_cred_id_struct
 #define CTX_FLAG_EAP_PORT_ENABLED 0x00400000
 #define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000
 #define CTX_FLAG_EAP_ALT_REJECT 0x01000000
+#define CTX_FLAG_EAP_CHBIND_ACCEPT 0x02000000
+#define CTX_FLAG_EAP_TRIGGER_START 0x04000000
 #define CTX_FLAG_EAP_MASK 0xFFFF0000
+#define CONFIG_BLOB_CLIENT_CERT 0
+#define CONFIG_BLOB_PRIVATE_KEY 1
+#define CONFIG_BLOB_CA_CERT 2
+#define CONFIG_BLOB_MAX 3
+
 struct gss_eap_initiator_ctx {
 unsigned int idleWhile;
 struct eap_peer_config eapPeerConfig;
 struct eap_sm *eap;
 struct wpabuf reqData;
+ struct wpabuf *chbindData;
+ unsigned int chbindReqFlags;
+ struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX];
 };
 #ifdef GSSEAP_ENABLE_ACCEPTOR
@@ -207,7 +207,7 @@ struct gss_eap_acceptor_ctx {
 struct rs_connection *radConn;
 char *radServer;
 gss_buffer_desc state;
- VALUE_PAIR *vps;
+ rs_avp *vps;
 };
 #endif
@@ -256,6 +256,10 @@ struct gss_ctx_id_struct
 #define KEY_USAGE_INITIATOR_SEAL 24
 #define KEY_USAGE_INITIATOR_SIGN 25
+#define KEY_USAGE_GSSEAP_CHBIND_MIC 60
+#define KEY_USAGE_GSSEAP_ACCTOKEN_MIC 61
+#define KEY_USAGE_GSSEAP_INITOKEN_MIC 62
+
 /* accept_sec_context.c */
 OM_uint32
 gssEapAcceptSecContext(OM_uint32 *minor,
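Review bot: The `CONFIG_BLOB_*` indices are introduced as bare `#define`s with `CONFIG_BLOB_MAX` hand-counted, yet they exist only to index `configBlobs[CONFIG_BLOB_MAX]`; an `enum { CONFIG_BLOB_CLIENT_CERT, CONFIG_BLOB_PRIVATE_KEY, CONFIG_BLOB_CA_CERT, CONFIG_BLOB_MAX };` keeps the bound in step with any future blob and gives the debugger symbolic names. `struct wpabuf *chbindData` is the only pointer member added to `struct gss_eap_initiator_ctx` here; a one-line comment stating who allocates and frees it (presumably the initiator-context release code, outside this diff) would document the ownership.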
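Review bot: The three new `KEY_USAGE_GSSEAP_*_MIC` values (60–62) sit directly under the RFC 4121 usages (`KEY_USAGE_INITIATOR_SEAL 24`, `KEY_USAGE_INITIATOR_SIGN 25`) with no comment saying where they come from; a key usage number feeds key derivation on the wire, so changing one silently breaks MIC verification against a peer built from a different revision. Suggest `/* GSS-EAP specific key usage numbers; must match the protocol specification and must not collide with the RFC 4121 values above */` above the block.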
@@ -334,12 +338,25 @@ gssEapDisplayStatus(OM_uint32 *minor,
 OM_uint32 status_value,
 gss_buffer_t status_string);
-#define IS_WIRE_ERROR(err) ((err) > GSSEAP_RESERVED && \
+#define IS_WIRE_ERROR(err) ((err) >= GSSEAP_RESERVED && \
 (err) <= GSSEAP_RADIUS_PROT_FAILURE)
-/* upper bound of RADIUS error range must be kept in sync with radsec.h */
+#ifdef GSSEAP_ENABLE_ACCEPTOR
 #define IS_RADIUS_ERROR(err) ((err) >= ERROR_TABLE_BASE_rse && \
- (err) <= ERROR_TABLE_BASE_rse + 20)
+ (err) <= ERROR_TABLE_BASE_rse + RSE_MAX)
+#else
+#define IS_RADIUS_ERROR(err) (0)
+#endif
+
+/* exchange_meta_data.c */
+OM_uint32 GSSAPI_CALLCONV
+gssEapExchangeMetaData(OM_uint32 *minor,
+ gss_const_OID mech,
+ gss_cred_id_t cred,
+ gss_ctx_id_t *ctx,
+ const gss_name_t name,
+ OM_uint32 req_flags,
+ gss_const_buffer_t meta_data);
 /* export_sec_context.c */
 OM_uint32
@@ -353,15 +370,37 @@ gssEapImportContext(OM_uint32 *minor,
 gss_buffer_t token,
 gss_ctx_id_t ctx);
+/* inquire_sec_context_by_oid.c */
+#define NEGOEX_INITIATOR_SALT "gss-eap-negoex-initiator"
+#define NEGOEX_INITIATOR_SALT_LEN (sizeof(NEGOEX_INITIATOR_SALT) - 1)
+
+#define NEGOEX_ACCEPTOR_SALT "gss-eap-negoex-acceptor"
+#define NEGOEX_ACCEPTOR_SALT_LEN (sizeof(NEGOEX_ACCEPTOR_SALT) - 1)
+
 /* pseudo_random.c */
 OM_uint32
 gssEapPseudoRandom(OM_uint32 *minor,
 gss_ctx_id_t ctx,
 int prf_key,
 const gss_buffer_t prf_in,
- ssize_t desired_output_len,
 gss_buffer_t prf_out);
+/* query_mechanism_info.c */
+OM_uint32
+gssQueryMechanismInfo(OM_uint32 *minor,
+ gss_const_OID mech_oid,
+ unsigned char auth_scheme[16]);
+
+/* query_meta_data.c */
+OM_uint32
+gssEapQueryMetaData(OM_uint32 *minor,
+ gss_const_OID mech GSSEAP_UNUSED,
+ gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ const gss_name_t name,
+ OM_uint32 req_flags GSSEAP_UNUSED,
+ gss_buffer_t meta_data);
+
 /* eap_mech.c */
 OM_uint32
 gssEapInitiatorInit(OM_uint32 *minor);
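Review bot: `gssEapExchangeMetaData` is declared `OM_uint32 GSSAPI_CALLCONV` while every other prototype in this header, including `gssEapQueryMetaData` added in the next hunk, is plain `OM_uint32`; either all internal entry points carry the calling-convention macro or this one should drop it, because a declaration/definition mismatch is a hard error on targets where `GSSAPI_CALLCONV` is non-empty. The `#else` arm `#define IS_RADIUS_ERROR(err) (0)` is a sensible fallback, but it discards `err` entirely, so a caller whose only use of a local is that test may see an unused-variable warning in non-acceptor builds; `((void)(err), 0)` avoids that if it turns out to matter.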
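Review bot: The `gssEapQueryMetaData` prototype annotates `mech` and `req_flags` with `GSSEAP_UNUSED`; that attribute describes the definition, not the interface, and on a declaration it tells callers nothing and may be rejected where `GSSEAP_UNUSED` expands to something only accepted on definitions, so it belongs on the definition in query_meta_data.c instead. `unsigned char auth_scheme[16]` in `gssQueryMechanismInfo` hard-codes the scheme identifier length; a named constant placed next to the `NEGOEX_*_SALT` definitions (name to be chosen) would document what those 16 bytes are and let callers size their buffers from it.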
@@ -369,6 +408,41 @@ gssEapInitiatorInit(OM_uint32 *minor);
 void
 gssEapFinalize(void);
+ /* Debugging and tracing*/
+ #define gssEapTrace(_fmt, ...) wpa_printf(MSG_INFO, _fmt, __VA_ARGS__);
+
+static inline void
+gssEapTraceStatus(const char *function,
+ OM_uint32 major, OM_uint32 minor)
+{
+ gss_buffer_desc gss_code_buf, mech_buf;
+ OM_uint32 tmpmaj, tmpmin, ctx = 0;
+ gss_code_buf.value = NULL;
+ mech_buf.value = NULL;
+ tmpmaj = gss_display_status(&tmpmin, major,
+ GSS_C_GSS_CODE, GSS_C_NO_OID, &ctx,
+ &gss_code_buf);
+ if (!GSS_ERROR(tmpmaj)) {
+if (minor == 0)
+ tmpmaj = makeStringBuffer(&tmpmin, "no minor", &mech_buf);
+else tmpmaj = gssEapDisplayStatus(&tmpmin, minor, &mech_buf);
+}
+ if (!GSS_ERROR(tmpmaj))
+ wpa_printf(MSG_INFO, "%s: %.*s/%.*s",
+ function, (int) gss_code_buf.length, (char *) gss_code_buf.value,
+ (int) mech_buf.length, (char *) mech_buf.value);
+ else wpa_printf(MSG_INFO, "%s: %u/%u",
+ function, major, minor);
+ tmpmaj = gss_release_buffer(&tmpmin, &gss_code_buf);
+ tmpmaj = gss_release_buffer(&tmpmin, &mech_buf);
+ }
+
+
+ /*If built as a library on Linux, don't respect environment when set*uid*/
+#ifdef HAVE_SECURE_GETENV
+#define getenv secure_getenv
+#endif
+
 #ifdef __cplusplus
 }
 #endif
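Review bot: `gssEapTrace(_fmt, ...)` expands to `wpa_printf(MSG_INFO, _fmt, __VA_ARGS__);`, so a call with a format string and no further arguments leaves a dangling comma and does not compile in C99/C11, and the semicolon baked into the expansion breaks `if (c) gssEapTrace(...); else ...`; `#define gssEapTrace(...) wpa_printf(MSG_INFO, __VA_ARGS__)` fixes both. In `gssEapTraceStatus`, the `tmpmaj` values assigned from the two `gss_release_buffer` calls are never read, and because `ctx` is not looped only the first message of a multi-message status is printed — acceptable for a tracer, but a short comment saying so would stop someone "fixing" it. The `#define getenv secure_getenv` redirect only takes effect in translation units that include this header after `<stdlib.h>` with `_GNU_SOURCE` in effect, so `getenv` calls in any code that does not include this header still read the environment under set-uid; the comment above it should state that limit so the hardening is not assumed to be complete.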