X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=util.h;h=8afc97c1f54a79b1afa45d386fa1774bf9e1b160;hb=36696c5fc69f7b5c59526268b772255107530c90;hp=de8dcb89dc6fb70c3373ea8edbe288acfc2a2c96;hpb=434ff1d00ac6e00b5724d46c485452b5cf87b2ed;p=mech_eap.orig diff --git a/util.h b/util.h index de8dcb8..8afc97c 100644 --- a/util.h +++ b/util.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, JANET(UK) + * Copyright (c) 2011, JANET(UK) * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -114,7 +114,11 @@ int gssEapSign(krb5_context context, krb5_cksumtype type, size_t rrc, +#ifdef HAVE_HEIMDAL_VERSION + krb5_crypto crypto, +#else krb5_keyblock *key, +#endif krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count); @@ -123,7 +127,11 @@ int gssEapVerify(krb5_context context, krb5_cksumtype type, size_t rrc, +#ifdef HAVE_HEIMDAL_VERSION + krb5_crypto crypto, +#else krb5_keyblock *key, +#endif krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count, @@ -146,14 +154,28 @@ enum gss_eap_token_type { TOK_TYPE_EXPORT_NAME = 0x0401, /* RFC 2743 exported name */ TOK_TYPE_EXPORT_NAME_COMPOSITE = 0x0402, /* exported composite name */ TOK_TYPE_DELETE_CONTEXT = 0x0405, /* RFC 2743 delete context */ - TOK_TYPE_EAP_RESP = 0x0601, /* EAP response */ - TOK_TYPE_EAP_REQ = 0x0602, /* EAP request */ - TOK_TYPE_EXT_REQ = 0x0603, /* GSS EAP extensions request */ - TOK_TYPE_EXT_RESP = 0x0604, /* GSS EAP extensions response */ - TOK_TYPE_GSS_REAUTH = 0x0605, /* GSS EAP fast reauthentication token */ - TOK_TYPE_CONTEXT_ERR = 0x0606, /* context error */ + TOK_TYPE_ESTABLISH_CONTEXT = 0x0601, /* establish context */ }; +/* inner token types and flags */ +#define ITOK_TYPE_NONE 0x00000000 +#define ITOK_TYPE_CONTEXT_ERR 0x00000001 +#define ITOK_TYPE_ACCEPTOR_NAME_REQ 0x00000002 +#define ITOK_TYPE_ACCEPTOR_NAME_RESP 0x00000003 +#define ITOK_TYPE_EAP_RESP 0x00000004 +#define ITOK_TYPE_EAP_REQ 0x00000005 +#define ITOK_TYPE_GSS_CHANNEL_BINDINGS 0x00000006 +#define ITOK_TYPE_REAUTH_CREDS 0x00000007 +#define ITOK_TYPE_REAUTH_REQ 0x00000008 +#define ITOK_TYPE_REAUTH_RESP 0x00000009 +#define ITOK_TYPE_VERSION_INFO 0x0000000A +#define ITOK_TYPE_VENDOR_INFO 0x0000000B + +#define ITOK_FLAG_CRITICAL 0x80000000 /* critical, wire flag */ +#define ITOK_FLAG_VERIFIED 0x40000000 /* verified, API flag */ + +#define ITOK_TYPE_MASK (~(ITOK_FLAG_CRITICAL | ITOK_FLAG_VERIFIED)) + OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx); OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx); @@ -202,15 +224,27 @@ int gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech); /* util_crypt.c */ int gssEapEncrypt(krb5_context context, int dce_style, size_t ec, - size_t rrc, krb5_keyblock *key, int usage, krb5_pointer iv, + size_t rrc, +#ifdef HAVE_HEIMDAL_VERSION + krb5_crypto crypto, +#else + krb5_keyblock *key, +#endif + int usage, gss_iov_buffer_desc *iov, int iov_count); int gssEapDecrypt(krb5_context context, int dce_style, size_t ec, - size_t rrc, krb5_keyblock *key, int usage, krb5_pointer iv, + size_t rrc, +#ifdef HAVE_HEIMDAL_VERSION + krb5_crypto crypto, +#else + krb5_keyblock *key, +#endif + int usage, gss_iov_buffer_desc *iov, int iov_count); -krb5_cryptotype +int gssEapMapCryptoFlag(OM_uint32 type); gss_iov_buffer_t @@ -240,48 +274,45 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor, krb5_enctype enctype, krb5_keyblock *pKey); -/* util_exts.c */ -#define EXT_FLAG_CRITICAL 0x80000000 /* critical, wire flag */ -#define EXT_FLAG_VERIFIED 0x40000000 /* verified, API flag */ - -#define EXT_TYPE_GSS_CHANNEL_BINDINGS 0x00000000 -#define EXT_TYPE_REAUTH_CREDS 0x00000001 -#define EXT_TYPE_MASK (~(EXT_FLAG_CRITICAL | EXT_FLAG_VERIFIED)) - -struct gss_eap_extension_provider { - OM_uint32 type; - int critical; /* client */ - int required; /* server */ - OM_uint32 (*make)(OM_uint32 *, - gss_cred_id_t, - gss_ctx_id_t, - gss_channel_bindings_t, - gss_buffer_t); - OM_uint32 (*verify)(OM_uint32 *, - gss_cred_id_t, - gss_ctx_id_t, - gss_channel_bindings_t, - const gss_buffer_t); -}; +/* util_krb.c */ +#ifdef HAVE_HEIMDAL_VERSION -OM_uint32 -gssEapMakeExtensions(OM_uint32 *minor, - gss_cred_id_t cred, - gss_ctx_id_t ctx, - gss_channel_bindings_t chanBindings, - gss_buffer_t buffer); +#define KRB_TIME_FOREVER ((time_t)~0L) -OM_uint32 -gssEapVerifyExtensions(OM_uint32 *minor, - gss_cred_id_t cred, - gss_ctx_id_t ctx, - gss_channel_bindings_t chanBindings, - const gss_buffer_t buffer); +#define KRB_KEY_TYPE(key) ((key)->keytype) +#define KRB_KEY_DATA(key) ((key)->keyvalue.data) +#define KRB_KEY_LENGTH(key) ((key)->keyvalue.length) + +#define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len) +#define KRB_PRINC_TYPE(princ) ((princ)->name.name_type) +#define KRB_PRINC_NAME(princ) ((princ)->name.name_string.val) +#define KRB_PRINC_REALM(princ) ((princ)->realm) + +#define KRB_KT_ENT_KEYBLOCK(e) (&(e)->keyblock) +#define KRB_KT_ENT_FREE(c, e) krb5_kt_free_entry((c), (e)) + +#define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto) + +#else + +#define KRB_TIME_FOREVER KRB5_INT32_MAX -/* util_krb.c */ #define KRB_KEY_TYPE(key) ((key)->enctype) #define KRB_KEY_DATA(key) ((key)->contents) #define KRB_KEY_LENGTH(key) ((key)->length) + +#define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ))) +#define KRB_PRINC_TYPE(princ) (krb5_princ_type(NULL, (princ))) +#define KRB_PRINC_NAME(princ) (krb5_princ_name(NULL, (princ))) +#define KRB_PRINC_REALM(princ) (krb5_princ_realm(NULL, (princ))) + +#define KRB_KT_ENT_KEYBLOCK(e) (&(e)->key) +#define KRB_KT_ENT_FREE(c, e) krb5_free_keytab_entry_contents((c), (e)) + +#define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key) + +#endif /* HAVE_HEIMDAL_VERSION */ + #define KRB_KEY_INIT(key) do { \ KRB_KEY_TYPE(key) = ENCTYPE_NULL; \ KRB_KEY_DATA(key) = NULL; \ @@ -305,6 +336,63 @@ rfc3961ChecksumTypeForKey(OM_uint32 *minor, krb5_keyblock *key, krb5_cksumtype *cksumtype); +krb5_const_principal +krbAnonymousPrincipal(void); + +krb5_error_code +krbCryptoLength(krb5_context krbContext, +#ifdef HAVE_HEIMDAL_VERSION + krb5_crypto krbCrypto, +#else + krb5_keyblock *key, +#endif + int type, + size_t *length); + +krb5_error_code +krbPaddingLength(krb5_context krbContext, +#ifdef HAVE_HEIMDAL_VERSION + krb5_crypto krbCrypto, +#else + krb5_keyblock *key, +#endif + size_t dataLength, + size_t *padLength); + +krb5_error_code +krbBlockSize(krb5_context krbContext, +#ifdef HAVE_HEIMDAL_VERSION + krb5_crypto krbCrypto, +#else + krb5_keyblock *key, +#endif + size_t *blockSize); + +krb5_error_code +krbEnctypeToString(krb5_context krbContext, + krb5_enctype enctype, + const char *prefix, + gss_buffer_t string); + +krb5_error_code +krbMakeAuthDataKdcIssued(krb5_context context, + const krb5_keyblock *key, + krb5_const_principal issuer, +#ifdef HAVE_HEIMDAL_VERSION + const AuthorizationData *authdata, + AuthorizationData *adKdcIssued +#else + krb5_authdata *const *authdata, + krb5_authdata ***adKdcIssued +#endif + ); + +krb5_error_code +krbMakeCred(krb5_context context, + krb5_auth_context authcontext, + krb5_creds *creds, + krb5_data *data); + /* util_lucid.c */ OM_uint32 gssEapExportLucidSecContext(OM_uint32 *minor, @@ -320,6 +408,9 @@ gssEapInternalizeOid(const gss_OID oid, gss_OID *const pInternalizedOid); OM_uint32 +gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid); + +OM_uint32 gssEapDefaultMech(OM_uint32 *minor, gss_OID *oid); @@ -442,7 +533,82 @@ OM_uint32 sequenceInit(OM_uint32 *minor, void **vqueue, uint64_t seqnum, int do_replay, int do_sequence, int wide_nums); +/* util_sm.c */ +enum gss_eap_state { + GSSEAP_STATE_INITIAL = 0x01, /* initial state */ + GSSEAP_STATE_AUTHENTICATE = 0x02, /* exchange EAP messages */ + GSSEAP_STATE_INITIATOR_EXTS = 0x04, /* initiator extensions */ + GSSEAP_STATE_ACCEPTOR_EXTS = 0x08, /* acceptor extensions */ + GSSEAP_STATE_REAUTHENTICATE = 0x10, /* GSS reauthentication messages */ + GSSEAP_STATE_ESTABLISHED = 0x20, /* context established */ + GSSEAP_STATE_ALL = 0x3F +}; + +#define GSSEAP_STATE_NEXT(s) ((s) << 1) + +#ifdef GSSEAP_DEBUG +void gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state); +#define GSSEAP_SM_TRANSITION(ctx, state) gssEapSmTransition((ctx), (state)) +#else +#define GSSEAP_SM_TRANSITION(ctx, state) do { (ctx)->state = (state); } while (0) +#endif + +#define GSSEAP_SM_TRANSITION_NEXT(ctx) GSSEAP_SM_TRANSITION((ctx), GSSEAP_STATE_NEXT((ctx)->state)) + +/* state machine entry */ +struct gss_eap_sm { + OM_uint32 inputTokenType; + OM_uint32 outputTokenType; + enum gss_eap_state validStates; + OM_uint32 itokFlags; + OM_uint32 (*processToken)(OM_uint32 *, + gss_cred_id_t, + gss_ctx_id_t, + gss_name_t, + gss_OID, + OM_uint32, + OM_uint32, + gss_channel_bindings_t, + gss_buffer_t, + gss_buffer_t, + OM_uint32 *); +}; + +#define SM_FLAG_FORCE_SEND_TOKEN 0x00000001 /* send token even if empty */ +#define SM_FLAG_STOP_EVAL 0x00000002 /* no more handlers for this state */ + +#define SM_ITOK_FLAG_CRITICAL 0x00000001 /* sent tokens marked critical */ +#define SM_ITOK_FLAG_REQUIRED 0x00000002 /* received tokens must be present */ + +OM_uint32 +gssEapSmStep(OM_uint32 *minor, + gss_cred_id_t cred, + gss_ctx_id_t ctx, + gss_name_t target, + gss_OID mech, + OM_uint32 reqFlags, + OM_uint32 timeReq, + gss_channel_bindings_t chanBindings, + gss_buffer_t inputToken, + gss_buffer_t outputToken, + struct gss_eap_sm *sm, + size_t smCount); + +void +gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state); + /* util_token.c */ +OM_uint32 +gssEapEncodeInnerTokens(OM_uint32 *minor, + gss_buffer_set_t extensions, + OM_uint32 *types, + gss_buffer_t buffer); +OM_uint32 +gssEapDecodeInnerTokens(OM_uint32 *minor, + const gss_buffer_t buffer, + gss_buffer_set_t *pExtensions, + OM_uint32 **pTypes); + size_t tokenSize(const gss_OID_desc *mech, size_t body_size); @@ -611,6 +777,30 @@ krbDataToGssBuffer(krb5_data *data, gss_buffer_t buffer) } static inline void +krbPrincComponentToGssBuffer(krb5_principal krbPrinc, + int index, gss_buffer_t buffer) +{ +#ifdef HAVE_HEIMDAL_VERSION + buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index]; + buffer->length = strlen((char *)buffer->value); +#else + buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data; + buffer->length = krb5_princ_component(NULL, krbPrinc, index)->length; +#endif /* HAVE_HEIMDAL_VERSION */ +} + +static inline void +krbPrincRealmToGssBuffer(krb5_principal krbPrinc, gss_buffer_t buffer) +{ +#ifdef HAVE_HEIMDAL_VERSION + buffer->value = (void *)KRB_PRINC_REALM(krbPrinc); + buffer->length = strlen((char *)buffer->value); +#else + krbDataToGssBuffer(KRB_PRINC_REALM(krbPrinc), buffer); +#endif +} + +static inline void gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data) { data->data = (char *)buffer->value;