X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=moonshot%2Fmech_eap%2Finit_sec_context.c;h=a67d38149fa3f515e4f981330fc6fbbb0ae61dbc;hb=6196f93aaca970f23276407af0812179c51a29ea;hp=061bd38801ad03254db80bdbe34b5071326b457b;hpb=410bcd9d406a112740e5db4a73d788d66c8b62bc;p=moonshot.git diff --git a/moonshot/mech_eap/init_sec_context.c b/moonshot/mech_eap/init_sec_context.c index 061bd38..a67d381 100644 --- a/moonshot/mech_eap/init_sec_context.c +++ b/moonshot/mech_eap/init_sec_context.c @@ -123,7 +123,7 @@ peerGetInt(void *data, enum eapol_int_var variable) if (ctx == GSS_C_NO_CONTEXT) return FALSE; - assert(CTX_IS_INITIATOR(ctx)); + GSSEAP_ASSERT(CTX_IS_INITIATOR(ctx)); switch (variable) { case EAPOL_idleWhile: @@ -143,7 +143,7 @@ peerSetInt(void *data, enum eapol_int_var variable, if (ctx == GSS_C_NO_CONTEXT) return; - assert(CTX_IS_INITIATOR(ctx)); + GSSEAP_ASSERT(CTX_IS_INITIATOR(ctx)); switch (variable) { case EAPOL_idleWhile: @@ -167,10 +167,20 @@ peerSetConfigBlob(void *ctx GSSEAP_UNUSED, } static const struct wpa_config_blob * -peerGetConfigBlob(void *ctx GSSEAP_UNUSED, - const char *name GSSEAP_UNUSED) +peerGetConfigBlob(void *ctx, + const char *name) { - return NULL; + gss_ctx_id_t gssCtx = (gss_ctx_id_t)ctx; + size_t index; + + if (strcmp(name, "client-cert") == 0) + index = CONFIG_BLOB_CLIENT_CERT; + else if (strcmp(name, "private-key") == 0) + index = CONFIG_BLOB_PRIVATE_KEY; + else + return NULL; + + return &gssCtx->initiatorCtx.configBlobs[index]; } static void @@ -200,6 +210,7 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) OM_uint32 major; krb5_context krbContext; struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig; + struct wpa_config_blob *configBlobs = ctx->initiatorCtx.configBlobs; gss_buffer_desc identity = GSS_C_EMPTY_BUFFER; gss_buffer_desc realm = GSS_C_EMPTY_BUFFER; gss_cred_id_t cred = ctx->cred; @@ -211,7 +222,7 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) eapPeerConfig->password = NULL; eapPeerConfig->password_len = 0; - assert(cred != GSS_C_NO_CREDENTIAL); + GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL); GSSEAP_KRB_INIT(&krbContext); @@ -220,7 +231,7 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) wpa_debug_level = 0; #endif - assert(cred->name != GSS_C_NO_NAME); + GSSEAP_ASSERT(cred->name != GSS_C_NO_NAME); if ((cred->name->flags & (NAME_FLAG_NAI | NAME_FLAG_SERVICE)) == 0) { *minor = GSSEAP_BAD_INITIATOR_NAME; @@ -250,14 +261,37 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) eapPeerConfig->anonymous_identity_len = 1 + realm.length; /* password */ - eapPeerConfig->password = (unsigned char *)cred->password.value; - eapPeerConfig->password_len = cred->password.length; + if ((cred->flags & CRED_FLAG_CERTIFICATE) == 0) { + eapPeerConfig->password = (unsigned char *)cred->password.value; + eapPeerConfig->password_len = cred->password.length; + } /* certs */ eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value; eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value; eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value; + if (cred->flags & CRED_FLAG_CERTIFICATE) { + /* + * CRED_FLAG_CONFIG_BLOB is an internal flag which will be used in the + * future to directly pass certificate and private key data to the + * EAP implementation, rather than an indirected string pointer. + */ + if (cred->flags & CRED_FLAG_CONFIG_BLOB) { + eapPeerConfig->client_cert = (unsigned char *)"blob://client-cert"; + configBlobs[CONFIG_BLOB_CLIENT_CERT].data = cred->clientCertificate.value; + configBlobs[CONFIG_BLOB_CLIENT_CERT].len = cred->clientCertificate.length; + + eapPeerConfig->client_cert = (unsigned char *)"blob://private-key"; + configBlobs[CONFIG_BLOB_PRIVATE_KEY].data = cred->clientCertificate.value; + configBlobs[CONFIG_BLOB_PRIVATE_KEY].len = cred->privateKey.length; + } else { + eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value; + eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value; + } + eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value; + } + *minor = 0; return GSS_S_COMPLETE; } @@ -355,7 +389,7 @@ initBegin(OM_uint32 *minor, OM_uint32 major; gss_cred_id_t cred = ctx->cred; - assert(cred != GSS_C_NO_CREDENTIAL); + GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL); if (cred->expiryTime) ctx->expiryTime = cred->expiryTime; @@ -433,7 +467,7 @@ eapGssSmInitError(OM_uint32 *minor, *minor = GSSEAP_BAD_ERROR_TOKEN; } - assert(GSS_ERROR(major)); + GSSEAP_ASSERT(GSS_ERROR(major)); return major; } @@ -457,8 +491,10 @@ eapGssSmInitGssReauth(OM_uint32 *minor, gss_OID actualMech = GSS_C_NO_OID; OM_uint32 gssFlags, timeRec; - assert(cred != GSS_C_NO_CREDENTIAL); - + /* + * Here we use the passed in credential handle because the resolved + * context credential does not currently have the reauth creds. + */ if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) { if (!gssEapCanReauthP(cred, target, timeReq)) return GSS_S_CONTINUE_NEEDED; @@ -470,6 +506,8 @@ eapGssSmInitGssReauth(OM_uint32 *minor, goto cleanup; } + GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL); + major = gssEapMechToGlueName(minor, target, &mechTarget); if (GSS_ERROR(major)) goto cleanup; @@ -493,7 +531,7 @@ eapGssSmInitGssReauth(OM_uint32 *minor, ctx->gssFlags = gssFlags; if (major == GSS_S_COMPLETE) { - assert(GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE); + GSSEAP_ASSERT(GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE); major = gssEapReauthComplete(minor, ctx, cred, actualMech, timeRec); if (GSS_ERROR(major)) @@ -607,8 +645,8 @@ eapGssSmInitIdentity(OM_uint32 *minor, #endif *smFlags |= SM_FLAG_FORCE_SEND_TOKEN; - assert((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0); - assert(inputToken == GSS_C_NO_BUFFER); + GSSEAP_ASSERT((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0); + GSSEAP_ASSERT(inputToken == GSS_C_NO_BUFFER); memset(&eapConfig, 0, sizeof(eapConfig)); @@ -655,14 +693,14 @@ eapGssSmInitAuthenticate(OM_uint32 *minor, *minor = 0; - assert(inputToken != GSS_C_NO_BUFFER); + GSSEAP_ASSERT(inputToken != GSS_C_NO_BUFFER); major = peerConfigInit(minor, ctx); if (GSS_ERROR(major)) goto cleanup; - assert(ctx->initiatorCtx.eap != NULL); - assert(ctx->flags & CTX_FLAG_EAP_PORT_ENABLED); + GSSEAP_ASSERT(ctx->initiatorCtx.eap != NULL); + GSSEAP_ASSERT(ctx->flags & CTX_FLAG_EAP_PORT_ENABLED); ctx->flags |= CTX_FLAG_EAP_REQ; /* we have a Request from the acceptor */ @@ -697,7 +735,7 @@ cleanup: OM_uint32 tmpMajor; gss_buffer_desc respBuf; - assert(major == GSS_S_CONTINUE_NEEDED); + GSSEAP_ASSERT(major == GSS_S_CONTINUE_NEEDED); respBuf.length = wpabuf_len(resp); respBuf.value = (void *)wpabuf_head(resp); @@ -765,7 +803,7 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor, if (GSS_ERROR(major)) return major; - assert(outputToken->value != NULL); + GSSEAP_ASSERT(outputToken->value != NULL); *minor = 0; *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL; @@ -944,9 +982,9 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { }; OM_uint32 -gss_init_sec_context(OM_uint32 *minor, +gssEapInitSecContext(OM_uint32 *minor, gss_cred_id_t cred, - gss_ctx_id_t *context_handle, + gss_ctx_id_t ctx, gss_name_t target_name, gss_OID mech_type, OM_uint32 req_flags, @@ -959,32 +997,13 @@ gss_init_sec_context(OM_uint32 *minor, OM_uint32 *time_rec) { OM_uint32 major, tmpMinor; - gss_ctx_id_t ctx = *context_handle; - int initialContextToken = 0; - - *minor = 0; - - output_token->length = 0; - output_token->value = NULL; - - if (ctx == GSS_C_NO_CONTEXT) { - if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { - *minor = GSSEAP_WRONG_SIZE; - return GSS_S_DEFECTIVE_TOKEN; - } - - major = gssEapAllocContext(minor, &ctx); - if (GSS_ERROR(major)) - return major; - - ctx->flags |= CTX_FLAG_INITIATOR; - initialContextToken = 1; - - *context_handle = ctx; - } - - GSSEAP_MUTEX_LOCK(&ctx->mutex); + int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID); + /* + * XXX is acquiring the credential lock here necessary? The password is + * mutable but the contract could specify that this is not updated whilst + * a context is being initialized. + */ if (cred != GSS_C_NO_CREDENTIAL) GSSEAP_MUTEX_LOCK(&cred->mutex); @@ -993,13 +1012,13 @@ gss_init_sec_context(OM_uint32 *minor, if (GSS_ERROR(major)) goto cleanup; - assert(ctx->cred != GSS_C_NO_CREDENTIAL); + GSSEAP_ASSERT(ctx->cred != GSS_C_NO_CREDENTIAL); } GSSEAP_MUTEX_LOCK(&ctx->cred->mutex); - assert(ctx->cred->flags & CRED_FLAG_RESOLVED); - assert(ctx->cred->flags & CRED_FLAG_INITIATE); + GSSEAP_ASSERT(ctx->cred->flags & CRED_FLAG_RESOLVED); + GSSEAP_ASSERT(ctx->cred->flags & CRED_FLAG_INITIATE); if (initialContextToken) { major = initBegin(minor, ctx, target_name, mech_type, @@ -1038,13 +1057,71 @@ gss_init_sec_context(OM_uint32 *minor, if (time_rec != NULL) gssEapContextTime(&tmpMinor, ctx, time_rec); - assert(CTX_IS_ESTABLISHED(ctx) || major == GSS_S_CONTINUE_NEEDED); + GSSEAP_ASSERT(CTX_IS_ESTABLISHED(ctx) || major == GSS_S_CONTINUE_NEEDED); cleanup: if (cred != GSS_C_NO_CREDENTIAL) GSSEAP_MUTEX_UNLOCK(&cred->mutex); if (ctx->cred != GSS_C_NO_CREDENTIAL) GSSEAP_MUTEX_UNLOCK(&ctx->cred->mutex); + + return major; +} + +OM_uint32 GSSAPI_CALLCONV +gss_init_sec_context(OM_uint32 *minor, + gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec) +{ + OM_uint32 major, tmpMinor; + gss_ctx_id_t ctx = *context_handle; + + *minor = 0; + + output_token->length = 0; + output_token->value = NULL; + + if (ctx == GSS_C_NO_CONTEXT) { + if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { + *minor = GSSEAP_WRONG_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } + + major = gssEapAllocContext(minor, &ctx); + if (GSS_ERROR(major)) + return major; + + ctx->flags |= CTX_FLAG_INITIATOR; + + *context_handle = ctx; + } + + GSSEAP_MUTEX_LOCK(&ctx->mutex); + + major = gssEapInitSecContext(minor, + cred, + ctx, + target_name, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); + GSSEAP_MUTEX_UNLOCK(&ctx->mutex); if (GSS_ERROR(major))