X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2FgssapiP_eap.h;h=8a997d507d8b00ea849b52ade8886350a5b29809;hb=26311844916784cc0781b1a304b590dff5742fcb;hp=503ac522bc7a841fe4af0072aea726b276a668bf;hpb=85893cd14827015aa8f7fc9eea041ff420223d4d;p=mech_eap.git diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h index 503ac52..8a997d5 100644 --- a/mech_eap/gssapiP_eap.h +++ b/mech_eap/gssapiP_eap.h @@ -42,11 +42,26 @@ #include #include #include +#ifdef HAVE_UNISTD_H #include +#endif +#ifdef HAVE_STDLIB_H #include +#endif +#ifdef HAVE_STDARG_H #include +#endif #include +#ifdef HAVE_SYS_PARAM_H #include +#endif + +#ifdef WIN32 +#ifndef MAXHOSTNAMELEN +# include +# define MAXHOSTNAMELEN NI_MAXHOST +#endif +#endif /* GSS headers */ #include @@ -66,6 +81,7 @@ typedef const gss_OID_desc *gss_const_OID; #include /* EAP headers */ +#include #include #include #include @@ -74,20 +90,11 @@ typedef const gss_OID_desc *gss_const_OID; #include #ifdef GSSEAP_ENABLE_ACCEPTOR -/* FreeRADIUS headers */ -#ifdef __cplusplus -extern "C" { -#define operator fr_operator -#endif -#include -#include +/* libradsec headers */ #include #include -#ifdef __cplusplus -#undef operator -} +#include #endif -#endif /*GSSEAP_ENABLE_ACCEPTOR*/ #include "gsseap_err.h" #include "radsec_err.h" @@ -115,14 +122,19 @@ struct gss_name_struct OM_uint32 flags; gss_OID mechanismUsed; /* this is immutable */ krb5_principal krbPrincipal; /* this is immutable */ +#ifdef GSSEAP_ENABLE_ACCEPTOR struct gss_eap_attr_ctx *attrCtx; +#endif }; #define CRED_FLAG_INITIATE 0x00010000 #define CRED_FLAG_ACCEPT 0x00020000 -#define CRED_FLAG_DEFAULT_IDENTITY 0x00040000 -#define CRED_FLAG_PASSWORD 0x00080000 -#define CRED_FLAG_DEFAULT_CCACHE 0x00100000 +#define CRED_FLAG_PASSWORD 0x00040000 +#define CRED_FLAG_DEFAULT_CCACHE 0x00080000 +#define CRED_FLAG_RESOLVED 0x00100000 +#define CRED_FLAG_TARGET 0x00200000 +#define CRED_FLAG_CERTIFICATE 0x00400000 +#define CRED_FLAG_CONFIG_BLOB 0x00800000 #define CRED_FLAG_PUBLIC_MASK 0x0000FFFF #ifdef HAVE_HEIMDAL_VERSION @@ -134,11 +146,17 @@ struct gss_cred_id_struct GSSEAP_MUTEX mutex; OM_uint32 flags; gss_name_t name; + gss_name_t target; /* for initiator */ gss_buffer_desc password; gss_OID_set mechanisms; time_t expiryTime; - char *radiusConfigFile; - char *radiusConfigStanza; + gss_buffer_desc radiusConfigFile; + gss_buffer_desc radiusConfigStanza; + gss_buffer_desc caCertificate; + gss_buffer_desc subjectNameConstraint; + gss_buffer_desc subjectAltNameConstraint; + gss_buffer_desc clientCertificate; + gss_buffer_desc privateKey; #ifdef GSSEAP_ENABLE_REAUTH krb5_ccache krbCredCache; gss_cred_id_t reauthCred; @@ -147,6 +165,7 @@ struct gss_cred_id_struct #define CTX_FLAG_INITIATOR 0x00000001 #define CTX_FLAG_KRB_REAUTH 0x00000002 +#define CTX_FLAG_CHANNEL_BINDINGS_VERIFIED 0x00000004 #define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0) @@ -162,13 +181,21 @@ struct gss_cred_id_struct #define CTX_FLAG_EAP_PORT_ENABLED 0x00400000 #define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000 #define CTX_FLAG_EAP_ALT_REJECT 0x01000000 +#define CTX_FLAG_EAP_CHBIND_ACCEPT 0x02000000 #define CTX_FLAG_EAP_MASK 0xFFFF0000 +#define CONFIG_BLOB_CLIENT_CERT 0 +#define CONFIG_BLOB_PRIVATE_KEY 1 +#define CONFIG_BLOB_MAX 2 + struct gss_eap_initiator_ctx { unsigned int idleWhile; struct eap_peer_config eapPeerConfig; struct eap_sm *eap; struct wpabuf reqData; + struct wpabuf *chbindData; + unsigned int chbindReqFlags; + struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX]; }; #ifdef GSSEAP_ENABLE_ACCEPTOR @@ -177,7 +204,7 @@ struct gss_eap_acceptor_ctx { struct rs_connection *radConn; char *radServer; gss_buffer_desc state; - VALUE_PAIR *vps; + rs_avp *vps; }; #endif @@ -200,7 +227,7 @@ struct gss_ctx_id_struct time_t expiryTime; uint64_t sendSeq, recvSeq; void *seqState; - gss_cred_id_t defaultCred; + gss_cred_id_t cred; union { struct gss_eap_initiator_ctx initiator; #define initiatorCtx ctxU.initiator @@ -213,6 +240,8 @@ struct gss_ctx_id_struct #define reauthCtx ctxU.reauth #endif } ctxU; + const struct gss_eap_token_buffer_set *inputTokens; + const struct gss_eap_token_buffer_set *outputTokens; }; #define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01 @@ -224,6 +253,40 @@ struct gss_ctx_id_struct #define KEY_USAGE_INITIATOR_SEAL 24 #define KEY_USAGE_INITIATOR_SIGN 25 +#define KEY_USAGE_GSSEAP_CHBIND_MIC 60 +#define KEY_USAGE_GSSEAP_ACCTOKEN_MIC 61 +#define KEY_USAGE_GSSEAP_INITOKEN_MIC 62 + +/* accept_sec_context.c */ +OM_uint32 +gssEapAcceptSecContext(OM_uint32 *minor, + gss_ctx_id_t ctx, + gss_cred_id_t cred, + gss_buffer_t input_token, + gss_channel_bindings_t input_chan_bindings, + gss_name_t *src_name, + gss_OID *mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + gss_cred_id_t *delegated_cred_handle); + +/* init_sec_context.c */ +OM_uint32 +gssEapInitSecContext(OM_uint32 *minor, + gss_cred_id_t cred, + gss_ctx_id_t ctx, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec); + /* wrap_iov.c */ OM_uint32 gssEapWrapOrGetMIC(OM_uint32 *minor, @@ -267,15 +330,80 @@ rfc4121Flags(gss_ctx_id_t ctx, int receiving); void gssEapSaveStatusInfo(OM_uint32 minor, const char *format, ...); +OM_uint32 +gssEapDisplayStatus(OM_uint32 *minor, + OM_uint32 status_value, + gss_buffer_t status_string); + #define IS_WIRE_ERROR(err) ((err) > GSSEAP_RESERVED && \ (err) <= GSSEAP_RADIUS_PROT_FAILURE) +#ifdef GSSEAP_ENABLE_ACCEPTOR +#define IS_RADIUS_ERROR(err) ((err) >= ERROR_TABLE_BASE_rse && \ + (err) <= ERROR_TABLE_BASE_rse + RSE_MAX) +#else +#define IS_RADIUS_ERROR(err) (0) +#endif + +/* exchange_meta_data.c */ +OM_uint32 GSSAPI_CALLCONV +gssEapExchangeMetaData(OM_uint32 *minor, + gss_const_OID mech, + gss_cred_id_t cred, + gss_ctx_id_t *ctx, + const gss_name_t name, + OM_uint32 req_flags, + gss_const_buffer_t meta_data); + /* export_sec_context.c */ OM_uint32 gssEapExportSecContext(OM_uint32 *minor, gss_ctx_id_t ctx, gss_buffer_t token); +/* import_sec_context.c */ +OM_uint32 +gssEapImportContext(OM_uint32 *minor, + gss_buffer_t token, + gss_ctx_id_t ctx); + +/* inquire_sec_context_by_oid.c */ +#define NEGOEX_INITIATOR_SALT "gss-eap-negoex-initiator" +#define NEGOEX_INITIATOR_SALT_LEN (sizeof(NEGOEX_INITIATOR_SALT) - 1) + +#define NEGOEX_ACCEPTOR_SALT "gss-eap-negoex-acceptor" +#define NEGOEX_ACCEPTOR_SALT_LEN (sizeof(NEGOEX_ACCEPTOR_SALT) - 1) + +/* pseudo_random.c */ +OM_uint32 +gssEapPseudoRandom(OM_uint32 *minor, + gss_ctx_id_t ctx, + int prf_key, + const gss_buffer_t prf_in, + gss_buffer_t prf_out); + +/* query_mechanism_info.c */ +OM_uint32 +gssQueryMechanismInfo(OM_uint32 *minor, + gss_const_OID mech_oid, + unsigned char auth_scheme[16]); + +/* query_meta_data.c */ +OM_uint32 +gssEapQueryMetaData(OM_uint32 *minor, + gss_const_OID mech GSSEAP_UNUSED, + gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + const gss_name_t name, + OM_uint32 req_flags GSSEAP_UNUSED, + gss_buffer_t meta_data); + +/* eap_mech.c */ +OM_uint32 +gssEapInitiatorInit(OM_uint32 *minor); + +void +gssEapFinalize(void); #ifdef __cplusplus }