Acceptor code is enabled by default; use configure --enable-acceptor=no to disable.
When disabled, Acceptor functions are stubbed out and return GSS_S_UNAVAILABLE.
util_attr, util_json, util_radius, and util_saml are removed to eliminate dependencies on saml, radius, shibboleth, and json.
AC_INIT([mech_eap], [0.1], [bugs@project-moonshot.org])
dnl AC_CONFIG_MACRO_DIR([m4])
dnl AM_INIT_AUTOMAKE([silent-rules])
+AC_USE_SYSTEM_EXTENSIONS
+AC_GNU_SOURCE
AM_INIT_AUTOMAKE
-AM_MAINTAINTER_MODE()
+AM_MAINTAINER_MODE()
LT_PREREQ([2.2])
LT_INIT([dlopen disable-static])
-AC_GNU_SOURCE
AC_PROG_CC
AC_PROG_CXX
AC_CONFIG_HEADERS([config.h])
fi
AM_CONDITIONAL(GSSEAP_ENABLE_REAUTH, test "x$reauth" != "xno")
+acceptor=yes
+AC_ARG_ENABLE(acceptor,
+ [ --enable-acceptor whether to enable acceptor codepaths: yes/no; default yes ],
+ [ if test "x$enableval" = "xyes" -o "x$enableval" = "xno" ; then
+ acceptor=$enableval
+ else
+ echo "--enable-acceptor argument must be yes or no"
+ exit -1
+ fi
+ ])
+
+if test "x$acceptor" = "xyes" ; then
+ echo "acceptor enabled"
+ TARGET_CFLAGS="$TARGET_CFLAGS -DGSSEAP_ENABLE_ACCEPTOR"
+fi
+AM_CONDITIONAL(GSSEAP_ENABLE_ACCEPTOR, test "x$acceptor" != "xno")
+
AC_SUBST(TARGET_CFLAGS)
AC_SUBST(TARGET_LDFLAGS)
AX_CHECK_KRB5
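Review bot: `exit -1` in the new --enable-acceptor argument check is outside the 0–255 exit-status range, so shells differ on what they do with it (bash yields 255, others may reject the argument), and the plain `echo` leaves nothing in config.log; the autoconf idiom is `AC_MSG_ERROR([--enable-acceptor argument must be yes or no])`, which aborts with status 1 and records the message. The `-o` form of `test` is also not guaranteed portable in configure scripts; `AS_CASE([$enableval], [yes|no], [acceptor=$enableval], [AC_MSG_ERROR([--enable-acceptor argument must be yes or no])])` covers both points in one line. The help text would normally be wrapped in `AS_HELP_STRING` so it aligns with the other options in `./configure --help`. With `AC_USE_SYSTEM_EXTENSIONS` now present, `AC_GNU_SOURCE` is its obsolete predecessor and can be dropped rather than moved.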
store_cred.c \
unwrap.c \
unwrap_iov.c \
- util_attr.cpp \
util_base64.c \
util_buffer.c \
util_context.c \
util_cksum.c \
util_cred.c \
util_crypt.c \
- util_json.cpp \
util_krb.c \
util_lucid.c \
util_mech.c \
util_name.c \
util_oid.c \
util_ordering.c \
- util_radius.cpp \
- util_saml.cpp \
- util_shib.cpp \
util_sm.c \
util_token.c \
verify_mic.c \
BUILT_SOURCES = gsseap_err.c radsec_err.c
+if GSSEAP_ENABLE_ACCEPTOR
+mech_eap_la_SOURCES += util_attr.c util_json.c util_radius.c util_shib.c util_saml.c
+endif
+
if GSSEAP_ENABLE_REAUTH
mech_eap_la_SOURCES += util_reauth.c
-
-
if !HEIMDAL
krb5pluginsdir = $(libdir)/krb5/plugins/authdata
krb5plugins_LTLIBRARIES = radius_ad.la
endif
endif
+
gsseap_err.h gsseap_err.c: gsseap_err.et
$(COMPILE_ET) $<
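Review bot: The conditional `mech_eap_la_SOURCES +=` line names `util_attr.c`, `util_json.c`, `util_radius.c`, `util_shib.c` and `util_saml.c`, while the entries this commit removes from the unconditional list were `util_attr.cpp`, `util_json.cpp`, `util_radius.cpp`, `util_saml.cpp` and `util_shib.cpp`. Unless the files are renamed elsewhere in this commit, a build with the acceptor enabled, which is the default, will fail to find the `.c` sources, and the line should read `mech_eap_la_SOURCES += util_attr.cpp util_json.cpp util_radius.cpp util_shib.cpp util_saml.cpp`. Since the default configuration is the one affected, it is worth confirming that a plain `./configure && make` was exercised before merging.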
*/
#include "gssapiP_eap.h"
-
+#ifdef GSSEAP_ENABLE_ACCEPTOR
#ifdef GSSEAP_ENABLE_REAUTH
static OM_uint32
eapGssSmAcceptGssReauth(OM_uint32 *minor,
eapGssSmAcceptCompleteAcceptorExts
},
};
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
+
+#ifdef GSSEAP_ENABLE_ACCEPTOR
+#define ACCEPTOR_PARAM(p) p
+#else
+#define ACCEPTOR_PARAM(p) UNUSED_PARAM(p)
+#endif
OM_uint32
-gss_accept_sec_context(OM_uint32 *minor,
- gss_ctx_id_t *context_handle,
- gss_cred_id_t cred,
- gss_buffer_t input_token,
- gss_channel_bindings_t input_chan_bindings,
- gss_name_t *src_name,
- gss_OID *mech_type,
- gss_buffer_t output_token,
- OM_uint32 *ret_flags,
- OM_uint32 *time_rec,
- gss_cred_id_t *delegated_cred_handle)
+gss_accept_sec_context(OM_uint32 *ACCEPTOR_PARAM(minor),
+ gss_ctx_id_t *ACCEPTOR_PARAM(context_handle),
+ gss_cred_id_t ACCEPTOR_PARAM(cred),
+ gss_buffer_t ACCEPTOR_PARAM(input_token),
+ gss_channel_bindings_t ACCEPTOR_PARAM(input_chan_bindings),
+ gss_name_t *ACCEPTOR_PARAM(src_name),
+ gss_OID *ACCEPTOR_PARAM(mech_type),
+ gss_buffer_t ACCEPTOR_PARAM(output_token),
+ OM_uint32 *ACCEPTOR_PARAM(ret_flags),
+ OM_uint32 *ACCEPTOR_PARAM(time_rec),
+ gss_cred_id_t *ACCEPTOR_PARAM(delegated_cred_handle))
{
+#ifdef GSSEAP_ENABLE_ACCEPTOR
OM_uint32 major, tmpMinor;
gss_ctx_id_t ctx = *context_handle;
}
GSSEAP_MUTEX_LOCK(&ctx->mutex);
-
+
if (cred == GSS_C_NO_CREDENTIAL) {
if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) {
major = gssEapAcquireCred(minor,
gssEapReleaseContext(&tmpMinor, context_handle);
return major;
+#else
+ return GSS_S_UNAVAILABLE;
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
}
+#ifdef GSSEAP_ENABLE_ACCEPTOR
#ifdef GSSEAP_ENABLE_REAUTH
static OM_uint32
acceptReadyKrb(OM_uint32 *minor,
return major;
}
#endif /* GSSEAP_ENABLE_REAUTH */
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
\ No newline at end of file
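Review bot: The disabled-acceptor stub in `gss_accept_sec_context` returns `GSS_S_UNAVAILABLE` without storing anything through `minor`, so a caller that reports the minor status reads an uninitialized value; the same pattern recurs in the `#else` branches of the three name-attribute functions below (the stubs after `gss_buffer_t attr)`, `int *more)` and `gss_buffer_t value)`) and, if `*minor` is not already initialized earlier in those functions, at the three `major = GSS_S_UNAVAILABLE;` sites in util_name.c. Each stub should set the minor status first, `*minor = 0; return GSS_S_UNAVAILABLE;`, which in this file means `minor` must stay a usable name rather than being wrapped in `ACCEPTOR_PARAM`, depending on how `UNUSED_PARAM` is defined (not shown here). The name-attribute stubs, unlike this function, do not use `ACCEPTOR_PARAM`, so their parameters become unused in the disabled build and will warn under `-Wunused-parameter`; applying the macro there too would keep the files consistent, which means moving its definition from this file into a shared header. The body of `gss_accept_sec_context` is largely outside the hunk.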
gss_name_t name,
gss_buffer_t attr)
{
+#ifdef GSSEAP_ENABLE_ACCEPTOR
OM_uint32 major;
*minor = 0;
GSSEAP_MUTEX_UNLOCK(&name->mutex);
return major;
+#else
+ return GSS_S_UNAVAILABLE;
+#endif
}
*/
#include "gssapiP_eap.h"
-
+#ifdef GSSEAP_ENABLE_ACCEPTOR
static OM_uint32
gssEapExportPartialContext(OM_uint32 *minor,
gss_ctx_id_t ctx,
size_t length, serverLen = 0;
unsigned char *p;
char serverBuf[MAXHOSTNAMELEN];
-
if (ctx->acceptorCtx.radConn != NULL) {
if (rs_conn_get_current_peer(ctx->acceptorCtx.radConn,
serverBuf, sizeof(serverBuf)) != 0) {
}
serverLen = strlen(serverBuf);
}
-
length = 4 + serverLen + 4 + ctx->acceptorCtx.state.length;
token->value = GSSEAP_MALLOC(length);
return major;
}
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
OM_uint32
gssEapExportSecContext(OM_uint32 *minor,
if (GSS_ERROR(major))
goto cleanup;
}
-
+#ifdef GSSEAP_ENABLE_ACCEPTOR
/*
* The partial context is only transmitted for unestablished acceptor
* contexts.
if (GSS_ERROR(major))
goto cleanup;
}
+#endif
length = 16; /* version, state, flags, */
length += 4 + ctx->mechanismUsed->length; /* mechanismUsed */
gss_buffer_t display_value,
int *more)
{
+#ifdef GSSEAP_ENABLE_ACCEPTOR
OM_uint32 major;
*minor = 0;
GSSEAP_MUTEX_UNLOCK(&name->mutex);
return major;
+#else
+ return GSS_S_UNAVAILABLE;
+#endif
}
#include <eap_common/eap_common.h>
#include <wpabuf.h>
+#ifdef GSSEAP_ENABLE_ACCEPTOR
/* FreeRADIUS headers */
#ifdef __cplusplus
extern "C" {
#undef operator
}
#endif
+#endif /*GSSEAP_ENABLE_ACCEPTOR*/
#include "gsseap_err.h"
#include "radsec_err.h"
struct wpabuf reqData;
};
+#ifdef GSSEAP_ENABLE_ACCEPTOR
struct gss_eap_acceptor_ctx {
struct rs_context *radContext;
struct rs_connection *radConn;
gss_buffer_desc state;
VALUE_PAIR *vps;
};
+#endif
#ifdef HAVE_HEIMDAL_VERSION
struct gss_ctx_id_t_desc_struct
union {
struct gss_eap_initiator_ctx initiator;
#define initiatorCtx ctxU.initiator
+#ifdef GSSEAP_ENABLE_ACCEPTOR
struct gss_eap_acceptor_ctx acceptor;
#define acceptorCtx ctxU.acceptor
+#endif
#ifdef GSSEAP_ENABLE_REAUTH
gss_ctx_id_t reauth;
#define reauthCtx ctxU.reauth
} \
} while (0)
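Review bot: Making `struct gss_eap_acceptor_ctx` and the `acceptor` union member conditional on `GSSEAP_ENABLE_ACCEPTOR` changes the layout of `gss_ctx_id_t_desc_struct`, yet the macro is only injected through `TARGET_CFLAGS` in configure.ac rather than recorded in config.h; any translation unit or plugin compiled from this tree without that flag (the radius_ad authdata plugin, if it does not receive `TARGET_CFLAGS`) would see a different context structure. Defining it with `AC_DEFINE([GSSEAP_ENABLE_ACCEPTOR], [1], [Build the acceptor code paths])` so it lands in config.h, which this header presumably includes, removes that dependence on per-target compiler flags. For consistency, the bare `#endif` lines closing the struct and the union member could carry the `/* GSSEAP_ENABLE_ACCEPTOR */` marker used on the FreeRADIUS include block.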
+#ifdef GSSEAP_ENABLE_ACCEPTOR
static OM_uint32
gssEapImportPartialContext(OM_uint32 *minor,
unsigned char **pBuf,
return GSS_S_COMPLETE;
}
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
static OM_uint32
importMechanismOid(OM_uint32 *minor,
major = sequenceInternalize(minor, &ctx->seqState, &p, &remain);
if (GSS_ERROR(major))
return major;
-
+#ifdef GSSEAP_ENABLE_ACCEPTOR
/*
* The partial context should only be expected for unestablished
* acceptor contexts.
if (GSS_ERROR(major))
return major;
}
+#endif
#ifdef GSSEAP_DEBUG
assert(remain == 0);
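Review bot: With the partial-context import compiled out, a token that still carries a partial-context section (one exported by an acceptor-enabled build for an unestablished acceptor context) leaves those bytes in `remain` unconsumed; in a `GSSEAP_DEBUG` build the `assert(remain == 0)` that follows fires, and in a release build the trailing bytes appear to be silently ignored so the import succeeds for a context this build cannot drive. Rather than relying on the debug-only assert, the import should reject the token, `if (remain != 0) return GSS_S_DEFECTIVE_TOKEN;` with a suitable minor code set, right after the new `#endif`. Whether an acceptor-side context should be importable at all when the acceptor is disabled is worth deciding explicitly here; the rest of the function, including where the initiator/acceptor role is read from the token, is outside the hunk.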
gss_buffer_t attr,
gss_buffer_t value)
{
+#ifdef GSSEAP_ENABLE_ACCEPTOR
OM_uint32 major;
if (name == GSS_C_NO_NAME) {
GSSEAP_MUTEX_UNLOCK(&name->mutex);
return major;
+#else
+ return GSS_S_UNAVAILABLE;
+#endif
}
}
#endif
+#ifdef GSSEAP_ENABLE_ACCEPTOR
#include "util_json.h"
#include "util_attr.h"
+#endif
#include "util_base64.h"
#ifdef GSSEAP_ENABLE_REAUTH
#include "util_reauth.h"
eap_peer_sm_deinit(ctx->eap);
}
+#ifdef GSSEAP_ENABLE_ACCEPTOR
static void
releaseAcceptorContext(struct gss_eap_acceptor_ctx *ctx)
{
if (ctx->vps != NULL)
gssEapRadiusFreeAvps(&tmpMinor, &ctx->vps);
}
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
OM_uint32
gssEapReleaseContext(OM_uint32 *minor,
if (CTX_IS_INITIATOR(ctx)) {
releaseInitiatorContext(&ctx->initiatorCtx);
} else {
+#ifdef GSSEAP_ENABLE_ACCEPTOR
releaseAcceptorContext(&ctx->acceptorCtx);
+#endif
}
krb5_free_keyblock_contents(krbContext, &ctx->rfc3961Key);
#include "gssapiP_eap.h"
#include <pwd.h>
-#include <stdio.h> // for BUFSIZ
-
+#include <stdio.h> /* for BUFSIZ */
OM_uint32
gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred)
GSSEAP_KRB_INIT(&krbContext);
krb5_free_principal(krbContext, name->krbPrincipal);
gssEapReleaseOid(&tmpMinor, &name->mechanismUsed);
-
+#ifdef GSSEAP_ENABLE_ACCEPTOR
gssEapReleaseAttrContext(&tmpMinor, name);
+#endif
GSSEAP_MUTEX_DESTROY(&name->mutex);
GSSEAP_FREE(name);
buf.length = remain;
buf.value = p;
-
+#ifdef GSSEAP_ENABLE_ACCEPTOR
major = gssEapImportAttrContext(minor, &buf, name);
+#else
+ major = GSS_S_UNAVAILABLE;
+#endif
if (GSS_ERROR(major))
goto cleanup;
}
}
exportedNameLen += 4 + nameBuf.length;
if (flags & EXPORT_NAME_FLAG_COMPOSITE) {
+#ifdef GSSEAP_ENABLE_ACCEPTOR
major = gssEapExportAttrContext(minor, name, &attrs);
+#else
+ major = GSS_S_UNAVAILABLE;
+#endif
if (GSS_ERROR(major))
goto cleanup;
exportedNameLen += attrs.length;
}
if (input_name->attrCtx != NULL) {
+#ifdef GSSEAP_ENABLE_ACCEPTOR
major = gssEapDuplicateAttrContext(minor, input_name, name);
+#else
+ major = GSS_S_UNAVAILABLE;
+#endif
if (GSS_ERROR(major))
goto cleanup;
}