X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2FgssapiP_eap.h;h=d1d6bce181d8fec7d1cde2e3da443a208b4e7e3d;hb=70aabaea618f8dc42336a8f27e6443b3f2655830;hp=5fb8383d9700d38520267753479456a79890780d;hpb=10ead9c41d8fc01d3ca7aa7c65194dbc980ae3ed;p=moonshot.git diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h index 5fb8383..d1d6bce 100644 --- a/mech_eap/gssapiP_eap.h +++ b/mech_eap/gssapiP_eap.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, JANET(UK) + * Copyright (c) 2011, JANET(UK) * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -33,77 +33,118 @@ #ifndef _GSSAPIP_EAP_H_ #define _GSSAPIP_EAP_H_ 1 +#include "config.h" + +#ifdef HAVE_HEIMDAL_VERSION +#define KRB5_DEPRECATED /* so we can use krb5_free_unparsed_name() */ +#endif + #include #include #include #include #include +#include #include +#include -/* GSS includes */ +/* GSS headers */ #include +#include +#ifdef HAVE_HEIMDAL_VERSION +typedef struct gss_any *gss_any_t; +#else #include +#endif #include "gssapi_eap.h" -#include "util.h" -/* EAP includes */ +/* Kerberos headers */ +#include + +/* EAP headers */ #include #include #include -#include /* XXX testing implementation only */ +#include +#include #include -/* Kerberos includes */ -#include +/* FreeRADIUS headers */ +#ifdef __cplusplus +extern "C" { +#define operator fr_operator +#endif +#include +#include +#include +#include +#ifdef __cplusplus +#undef operator +} +#endif +#include "gsseap_err.h" +#include "radsec_err.h" +#include "util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* These name flags are informative and not actually used by anything yet */ #define NAME_FLAG_NAI 0x00000001 #define NAME_FLAG_SERVICE 0x00000002 -#define NAME_FLAG_SAML 0x00000010 -#define NAME_FLAG_RADIUS 0x00000020 - -#define NAME_HAS_ATTRIBUTES(name) ((name)->flags & \ - (NAME_FLAG_SAML | NAME_FLAG_RADIUS)) +#define NAME_FLAG_COMPOSITE 0x00000004 -struct eap_gss_saml_assertion; -struct eap_gss_avp_list; +struct gss_eap_saml_attr_ctx; +struct gss_eap_attr_ctx; -struct gss_name_struct { - GSSEAP_MUTEX mutex; /* mutex protecting attributes */ +#ifdef HAVE_HEIMDAL_VERSION +struct gss_name_t_desc_struct +#else +struct gss_name_struct +#endif +{ + GSSEAP_MUTEX mutex; /* mutex protects attrCtx */ OM_uint32 flags; + gss_OID mechanismUsed; /* this is immutable */ krb5_principal krbPrincipal; /* this is immutable */ - struct eap_gss_saml_assertion *assertion; - struct eap_gss_avp_list *avps; + struct gss_eap_attr_ctx *attrCtx; }; -#define CRED_FLAG_INITIATE 0x00000001 -#define CRED_FLAG_ACCEPT 0x00000002 -#define CRED_FLAG_DEFAULT_IDENTITY 0x00000004 -#define CRED_FLAG_PASSWORD 0x00000008 +#define CRED_FLAG_INITIATE 0x00010000 +#define CRED_FLAG_ACCEPT 0x00020000 +#define CRED_FLAG_DEFAULT_IDENTITY 0x00040000 +#define CRED_FLAG_PASSWORD 0x00080000 +#define CRED_FLAG_DEFAULT_CCACHE 0x00100000 +#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF -struct gss_cred_id_struct { +#ifdef HAVE_HEIMDAL_VERSION +struct gss_cred_id_t_desc_struct +#else +struct gss_cred_id_struct +#endif +{ GSSEAP_MUTEX mutex; OM_uint32 flags; gss_name_t name; gss_buffer_desc password; gss_OID_set mechanisms; time_t expiryTime; + char *radiusConfigFile; + char *radiusConfigStanza; +#ifdef GSSEAP_ENABLE_REAUTH + krb5_ccache krbCredCache; + gss_cred_id_t reauthCred; +#endif }; #define CTX_FLAG_INITIATOR 0x00000001 +#define CTX_FLAG_KRB_REAUTH 0x00000002 #define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0) -enum eap_gss_state { - EAP_STATE_AUTHENTICATE = 0, -#if 0 - EAP_STATE_KEY_TRANSPORT, - EAP_STATE_SECURE_ASSOCIATION, -#endif - EAP_STATE_GSS_CHANNEL_BINDINGS, - EAP_STATE_ESTABLISHED -}; - -#define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == EAP_STATE_ESTABLISHED) +#define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == GSSEAP_STATE_ESTABLISHED) /* Initiator context flags */ #define CTX_FLAG_EAP_SUCCESS 0x00010000 @@ -115,39 +156,53 @@ enum eap_gss_state { #define CTX_FLAG_EAP_PORT_ENABLED 0x00400000 #define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000 #define CTX_FLAG_EAP_ALT_REJECT 0x01000000 +#define CTX_FLAG_EAP_MASK 0xFFFF0000 -struct eap_gss_initiator_ctx { +struct gss_eap_initiator_ctx { unsigned int idleWhile; struct eap_peer_config eapPeerConfig; struct eap_sm *eap; struct wpabuf reqData; }; -struct eap_gss_acceptor_ctx { - struct eap_eapol_interface *eapPolInterface; - void *tlsContext; - struct eap_sm *eap; +struct gss_eap_acceptor_ctx { + struct rs_context *radContext; + struct rs_connection *radConn; + char *radServer; + gss_buffer_desc state; + VALUE_PAIR *vps; }; -struct gss_ctx_id_struct { +#ifdef HAVE_HEIMDAL_VERSION +struct gss_ctx_id_t_desc_struct +#else +struct gss_ctx_id_struct +#endif +{ GSSEAP_MUTEX mutex; - enum eap_gss_state state; + enum gss_eap_state state; OM_uint32 flags; OM_uint32 gssFlags; gss_OID mechanismUsed; + krb5_cksumtype checksumType; krb5_enctype encryptionType; krb5_keyblock rfc3961Key; gss_name_t initiatorName; gss_name_t acceptorName; time_t expiryTime; + uint64_t sendSeq, recvSeq; + void *seqState; + gss_cred_id_t defaultCred; union { - struct eap_gss_initiator_ctx initiator; + struct gss_eap_initiator_ctx initiator; #define initiatorCtx ctxU.initiator - struct eap_gss_acceptor_ctx acceptor; + struct gss_eap_acceptor_ctx acceptor; #define acceptorCtx ctxU.acceptor +#ifdef GSSEAP_ENABLE_REAUTH + gss_ctx_id_t reauth; + #define reauthCtx ctxU.reauth +#endif } ctxU; - uint64_t sendSeq, recvSeq; - void *seqState; }; #define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01 @@ -158,7 +213,6 @@ struct gss_ctx_id_struct { #define KEY_USAGE_ACCEPTOR_SIGN 23 #define KEY_USAGE_INITIATOR_SEAL 24 #define KEY_USAGE_INITIATOR_SIGN 25 -#define KEY_USAGE_CHANNEL_BINDINGS 64 /* wrap_iov.c */ OM_uint32 @@ -179,5 +233,42 @@ gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status, int iov_count, enum gss_eap_token_type toktype); +OM_uint32 +gssEapWrapIovLength(OM_uint32 *minor, + gss_ctx_id_t ctx, + int conf_req_flag, + gss_qop_t qop_req, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count); +OM_uint32 +gssEapWrap(OM_uint32 *minor, + gss_ctx_id_t ctx, + int conf_req_flag, + gss_qop_t qop_req, + gss_buffer_t input_message_buffer, + int *conf_state, + gss_buffer_t output_message_buffer); + +unsigned char +rfc4121Flags(gss_ctx_id_t ctx, int receiving); + +/* display_status.c */ +void +gssEapSaveStatusInfo(OM_uint32 minor, const char *format, ...); + +#define IS_WIRE_ERROR(err) ((err) > GSSEAP_RESERVED && \ + (err) <= GSSEAP_RADIUS_PROT_FAILURE) + +/* export_sec_context.c */ +OM_uint32 +gssEapExportSecContext(OM_uint32 *minor, + gss_ctx_id_t ctx, + gss_buffer_t token); + + +#ifdef __cplusplus +} +#endif #endif /* _GSSAPIP_EAP_H_ */