url = http://www.project-moonshot.org/git/openssh.git
[submodule "jansson"]
path = jansson
- url = git://github.com/akheron/jansson.git
+ url = http://www.project-moonshot.org/git/jansson.git/
[submodule "firefox"]
path = firefox
url = http://www.project-moonshot.org/git/moonshot-firefox.git
-Subproject commit 279d8bf108bd1367bdd3647e881146e1acf0123d
+Subproject commit 3008df9a5b53c9fd0cbdaeb010a2e1b067231eae
-Subproject commit ed87c383a68a6ff2d43b48b39ab1b07cb2210d3d
+Subproject commit b35d18a6317a4946b7b123b7dfd536158e5081dd
--- /dev/null
+<pkg-contents spec="1.12"><f n="PackageRoot" o="root" g="admin" p="16893" pt="." m="true" t="bom"><f n="usr" o="root" g="wheel" p="16877"><f n="local" o="root" g="admin" p="16893"><f n="bin" o="root" g="admin" p="16893"><f n="compile_et" o="root" g="admin" p="33261"/><f n="gss-client" o="root" g="admin" p="33261" c="true"/><f n="k5srvutil" o="root" g="admin" p="33261"/><f n="kadmin" o="root" g="admin" p="33261" c="true"/><f n="kdestroy" o="root" g="admin" p="33261" c="true"/><f n="kinit" o="root" g="admin" p="33261" c="true"/><f n="klist" o="root" g="admin" p="33261" c="true"/><f n="kpasswd" o="root" g="admin" p="33261" c="true"/><f n="krb5-config" o="root" g="admin" p="33261"/><f n="ktutil" o="root" g="admin" p="33261" c="true"/><f n="kvno" o="root" g="admin" p="33261" c="true"/><f n="sclient" o="root" g="admin" p="33261" c="true"/><f n="sim_client" o="root" g="admin" p="33261" c="true"/><f n="uuclient" o="root" g="admin" p="33261" c="true"/></f><f n="include" o="pete" g="admin" p="16877"><f n="com_err.h" o="root" g="admin" p="33188"/><f n="gssapi" o="root" g="admin" p="16877"><f n="gssapi.h" o="root" g="admin" p="33188"/><f n="gssapi_ext.h" o="root" g="admin" p="33188"/><f n="gssapi_generic.h" o="root" g="admin" p="33188"/><f n="gssapi_krb5.h" o="root" g="admin" p="33188"/><f n="mechglue.h" o="root" g="admin" p="33188"/></f><f n="gssapi.h" o="root" g="admin" p="33188"/><f n="gssrpc" o="root" g="admin" p="16877"><f n="auth.h" o="root" g="admin" p="33188"/><f n="auth_gss.h" o="root" g="admin" p="33188"/><f n="auth_gssapi.h" o="root" g="admin" p="33188"/><f n="auth_unix.h" o="root" g="admin" p="33188"/><f n="clnt.h" o="root" g="admin" p="33188"/><f n="netdb.h" o="root" g="admin" p="33188"/><f n="pmap_clnt.h" o="root" g="admin" p="33188"/><f n="pmap_prot.h" o="root" g="admin" p="33188"/><f n="pmap_rmt.h" o="root" g="admin" p="33188"/><f n="rename.h" o="root" g="admin" p="33188"/><f n="rpc.h" o="root" g="admin" p="33188"/><f n="rpc_msg.h" o="root" g="admin" 
p="33188"/><f n="svc.h" o="root" g="admin" p="33188"/><f n="svc_auth.h" o="root" g="admin" p="33188"/><f n="types.h" o="root" g="admin" p="33188"/><f n="xdr.h" o="root" g="admin" p="33188"/></f><f n="kadm5" o="root" g="admin" p="16877"><f n="admin.h" o="root" g="admin" p="33188"/><f n="chpass_util_strings.h" o="root" g="admin" p="33188"/><f n="kadm_err.h" o="root" g="admin" p="33188"/></f><f n="kdb.h" o="root" g="admin" p="33188"/><f n="krb5" o="root" g="admin" p="16877"><f n="kadm5_hook_plugin.h" o="root" g="admin" p="33188"/><f n="krb5.h" o="root" g="admin" p="33188"/><f n="locate_plugin.h" o="root" g="admin" p="33188"/><f n="plugin.h" o="root" g="admin" p="33188"/><f n="pwqual_plugin.h" o="root" g="admin" p="33188"/></f><f n="krb5.h" o="root" g="admin" p="33188"/><f n="profile.h" o="root" g="admin" p="33188"/></f><f n="lib" o="pete" g="admin" p="16877"><f n="krb5" o="root" g="admin" p="16877"><f n="plugins" o="root" g="admin" p="16877"><f n="authdata" o="root" g="admin" p="16877"/><f n="kdb" o="root" g="admin" p="16877"><f n="db2.so" o="root" g="admin" p="33188" c="true"/></f><f n="libkrb5" o="root" g="admin" p="16877"/><f n="preauth" o="root" g="admin" p="16877"><f n="encrypted_challenge.so" o="root" g="admin" p="33188" c="true"/><f n="pkinit.so" o="root" g="admin" p="33188" c="true"/></f></f></f><f n="libcom_err.3.0.dylib" o="root" g="admin" p="33188" c="true"/><f n="libcom_err.3.dylib" o="pete" g="wheel" p="41453"/><f n="libcom_err.dylib" o="pete" g="wheel" p="41453"/><f n="libgssapi_krb5.2.2.dylib" o="root" g="admin" p="33188" c="true"/><f n="libgssapi_krb5.2.dylib" o="pete" g="wheel" p="41453"/><f n="libgssapi_krb5.dylib" o="pete" g="wheel" p="41453"/><f n="libgssrpc.4.1.dylib" o="root" g="admin" p="33188" c="true"/><f n="libgssrpc.4.dylib" o="pete" g="wheel" p="41453"/><f n="libgssrpc.dylib" o="pete" g="wheel" p="41453"/><f n="libk5crypto.3.1.dylib" o="root" g="admin" p="33188" c="true"/><f n="libk5crypto.3.dylib" o="pete" g="wheel" p="41453"/><f 
n="libk5crypto.dylib" o="pete" g="wheel" p="41453"/><f n="libkadm5clnt.dylib" o="pete" g="wheel" p="41453"/><f n="libkadm5clnt_mit.8.0.dylib" o="root" g="admin" p="33188" c="true"/><f n="libkadm5clnt_mit.8.dylib" o="pete" g="wheel" p="41453"/><f n="libkadm5clnt_mit.dylib" o="pete" g="wheel" p="41453"/><f n="libkadm5srv.dylib" o="pete" g="wheel" p="41453"/><f n="libkadm5srv_mit.8.0.dylib" o="root" g="admin" p="33188" c="true"/><f n="libkadm5srv_mit.8.dylib" o="pete" g="wheel" p="41453"/><f n="libkadm5srv_mit.dylib" o="pete" g="wheel" p="41453"/><f n="libkdb5.5.0.dylib" o="root" g="admin" p="33188" c="true"/><f n="libkdb5.5.dylib" o="pete" g="wheel" p="41453"/><f n="libkdb5.dylib" o="pete" g="wheel" p="41453"/><f n="libkrb5.3.3.dylib" o="root" g="admin" p="33188" c="true"/><f n="libkrb5.3.dylib" o="pete" g="wheel" p="41453"/><f n="libkrb5.dylib" o="pete" g="wheel" p="41453"/><f n="libkrb5support.1.1.dylib" o="root" g="admin" p="33188" c="true"/><f n="libkrb5support.1.dylib" o="pete" g="wheel" p="41453"/><f n="libkrb5support.dylib" o="pete" g="wheel" p="41453"/></f><f n="sbin" o="root" g="admin" p="16877"><f n="gss-server" o="root" g="admin" p="33261" c="true"/><f n="kadmin.local" o="root" g="admin" p="33261" c="true"/><f n="kadmind" o="root" g="admin" p="33261" c="true"/><f n="kdb5_util" o="root" g="admin" p="33261" c="true"/><f n="kprop" o="root" g="admin" p="33261" c="true"/><f n="kpropd" o="root" g="admin" p="33261" c="true"/><f n="kproplog" o="root" g="admin" p="33261" c="true"/><f n="krb5-send-pr" o="root" g="admin" p="33261"/><f n="krb5kdc" o="root" g="admin" p="33261" c="true"/><f n="sim_server" o="root" g="admin" p="33261" c="true"/><f n="sserver" o="root" g="admin" p="33261" c="true"/><f n="uuserver" o="root" g="admin" p="33261" c="true"/></f><f n="share" o="pete" g="admin" p="16877"><f n="et" o="root" g="admin" p="16877"><f n="et_c.awk" o="root" g="admin" p="33188"/><f n="et_h.awk" o="root" g="admin" p="33188"/></f><f n="examples" o="root" g="admin" 
p="16877"><f n="krb5" o="root" g="admin" p="16877"><f n="kdc.conf" o="root" g="admin" p="33188"/><f n="krb5.conf" o="root" g="admin" p="33188"/><f n="services.append" o="root" g="admin" p="33188"/></f></f><f n="gnats" o="root" g="admin" p="16877"><f n="mit" o="root" g="admin" p="33188"/></f><f n="man" o="pete" g="admin" p="16877"><f n="man1" o="pete" g="admin" p="16877"><f n="compile_et.1" o="root" g="admin" p="33188"/><f n="k5srvutil.1" o="root" g="admin" p="33188"/><f n="kadmin.1" o="root" g="admin" p="33188"/><f n="kdestroy.1" o="root" g="admin" p="33188"/><f n="kerberos.1" o="root" g="admin" p="33188"/><f n="kinit.1" o="root" g="admin" p="33188"/><f n="klist.1" o="root" g="admin" p="33188"/><f n="kpasswd.1" o="root" g="admin" p="33188"/><f n="krb5-config.1" o="root" g="admin" p="33188"/><f n="krb5-send-pr.1" o="root" g="admin" p="33188"/><f n="ksu.1" o="root" g="admin" p="33188"/><f n="ktutil.1" o="root" g="admin" p="33188"/><f n="kvno.1" o="root" g="admin" p="33188"/><f n="sclient.1" o="root" g="admin" p="33188"/></f><f n="man5" o="pete" g="admin" p="16893"><f n=".k5login.5" o="root" g="admin" p="33188"/><f n="kdc.conf.5" o="root" g="admin" p="33188"/><f n="krb5.conf.5" o="root" g="admin" p="33188"/></f><f n="man8" o="root" g="admin" p="16877"><f n="kadmin.local.8" o="root" g="admin" p="33188"/><f n="kadmind.8" o="root" g="admin" p="33188"/><f n="kdb5_util.8" o="root" g="admin" p="33188"/><f n="kprop.8" o="root" g="admin" p="33188"/><f n="kpropd.8" o="root" g="admin" p="33188"/><f n="kproplog.8" o="root" g="admin" p="33188"/><f n="krb5kdc.8" o="root" g="admin" p="33188"/><f n="sserver.8" o="root" g="admin" p="33188"/></f></f></f><f n="var" o="root" g="admin" p="16877"><f n="krb5kdc" o="root" g="admin" p="16877"/></f></f></f><mod>name</mod></f></pkg-contents>
\ No newline at end of file
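Review bot: The ownership recorded in this manifest contradicts the `sudo chown -R root:admin krb sasl` step the README prescribes before packaging: the `include`, `lib`, `share` and `man` directories and every symlink entry carry `o="pete"`, and the same appears on most entries of 02sasl-contents.xml, including `libsasl2.2.dylib` and the `/usr/local/lib/sasl2` plugin directory. Presumably Installer applies these attributes on the target, so libraries and the SASL plugin directory under /usr/local would end up owned by whichever local account maps to that name rather than root, and — because `p="16893"` and `p="33277"` encode mode 0775, the result of the README's `chmod -R g+w` — writable by every admin-group member; anyone who can replace a plugin or dylib there runs code in every process that loads it. Regenerating both contents files after the chown, or setting `o="root"` on those entries and dropping group write (0755 for directories and executables, 0644 for headers and man pages) in PackageMaker, keeps the installed tree root-owned. The symlink entries (`p="41453"`, `o="pete" g="wheel"`) need the same owner fix.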
--- /dev/null
+<pkgref spec="1.12" uuid="F6084A5E-8184-47F2-91F0-494AF1D4F93A"><config><identifier>ja.net.moonshotClientSoftware.mech_eap.pkg</identifier><version>1.0</version><description></description><post-install type="none"/><requireAuthorization/><installTo>/</installTo><flags><followSymbolicLinks/></flags><packageStore type="internal"></packageStore><mod>installSizeKB</mod><mod>installTo</mod><mod>postInstall</mod><mod>hashDigest</mod><mod>filePrefix</mod><mod>requireAuthorization</mod><mod>identifier</mod><mod>version</mod><mod>parent</mod></config><contents><file-list>01krb-contents.xml</file-list><filter>/CVS$</filter><filter>/\.svn$</filter><filter>/\.cvsignore$</filter><filter>/\.cvspass$</filter><filter>/\.DS_Store$</filter></contents><extra><packagePath>/Users/pete/installerbuild/Moonshot Client Software.pkg</packagePath><title>krb</title><file-prefix>krb.pkg</file-prefix></extra><additionalPkgInfoXML><pkg-info><payload installKBytes="3740" numberOfFiles="151"/></pkg-info></additionalPkgInfoXML></pkgref>
\ No newline at end of file
--- /dev/null
+<pkg-contents spec="1.12"><f n="PackageRoot" o="root" g="admin" p="16893" pt="." m="true" t="bom"><f n="Library" o="root" g="admin" p="17405"><f n="Frameworks" o="root" g="admin" p="16893"><f n="SASL2.framework" o="pete" g="admin" p="16877"><f n="Headers" o="pete" g="wheel" p="41453"/><f n="Resources" o="pete" g="wheel" p="41453"/><f n="SASL2" o="pete" g="wheel" p="41453"/><f n="Versions" o="pete" g="admin" p="16877"><f n="A" o="pete" g="admin" p="16877"><f n="Headers" o="pete" g="admin" p="16893"><f n="hmac-md5.h" o="pete" g="admin" p="33204"/><f n="md5.h" o="pete" g="admin" p="33204"/><f n="md5global.h" o="pete" g="admin" p="33204"/><f n="prop.h" o="pete" g="admin" p="33204"/><f n="sasl.h" o="pete" g="admin" p="33204"/><f n="saslplug.h" o="pete" g="admin" p="33204"/><f n="saslutil.h" o="pete" g="admin" p="33204"/></f><f n="Resources" o="pete" g="admin" p="16893"><f n="Info.plist" o="pete" g="admin" p="33204"/></f><f n="SASL2" o="pete" g="wheel" p="41453"/></f><f n="Current" o="pete" g="wheel" p="41453"/></f></f></f></f><f n="usr" o="root" g="wheel" p="16877"><f n="lib" o="root" g="wheel" p="16877"><f n="sasl2" o="pete" g="wheel" p="41453"/></f><f n="local" o="root" g="admin" p="16893"><f n="include" o="pete" g="admin" p="16877"><f n="sasl" o="pete" g="admin" p="16893"><f n="hmac-md5.h" o="pete" g="admin" p="33204"/><f n="md5.h" o="pete" g="admin" p="33204"/><f n="md5global.h" o="pete" g="admin" p="33204"/><f n="prop.h" o="pete" g="admin" p="33204"/><f n="sasl.h" o="pete" g="admin" p="33204"/><f n="saslplug.h" o="pete" g="admin" p="33204"/><f n="saslutil.h" o="pete" g="admin" p="33204"/></f></f><f n="lib" o="pete" g="admin" p="16877"><f n="libsasl2.2.0.23.dylib" o="pete" g="wheel" p="41453"/><f n="libsasl2.2.dylib" o="pete" g="admin" p="33277" c="true"/><f n="libsasl2.dylib" o="pete" g="wheel" p="41453"/><f n="libsasl2.la" o="pete" g="admin" p="33277"/><f n="sasl2" o="pete" g="admin" p="16893"><f n="libanonymous.2.0.23.so" o="pete" g="wheel" p="41453"/><f 
n="libanonymous.2.so" o="pete" g="admin" p="33277" c="true"/><f n="libanonymous.la" o="pete" g="admin" p="33277"/><f n="libanonymous.so" o="pete" g="wheel" p="41453"/><f n="libcrammd5.2.0.23.so" o="pete" g="wheel" p="41453"/><f n="libcrammd5.2.so" o="pete" g="admin" p="33277" c="true"/><f n="libcrammd5.la" o="pete" g="admin" p="33277"/><f n="libcrammd5.so" o="pete" g="wheel" p="41453"/><f n="libdigestmd5.2.0.23.so" o="pete" g="wheel" p="41453"/><f n="libdigestmd5.2.so" o="pete" g="admin" p="33277" c="true"/><f n="libdigestmd5.la" o="pete" g="admin" p="33277"/><f n="libdigestmd5.so" o="pete" g="wheel" p="41453"/><f n="libgs2.2.0.23.so" o="pete" g="wheel" p="41453"/><f n="libgs2.2.so" o="pete" g="admin" p="33277" c="true"/><f n="libgs2.la" o="pete" g="admin" p="33277"/><f n="libgs2.so" o="pete" g="wheel" p="41453"/><f n="libgssapiv2.2.0.23.so" o="pete" g="wheel" p="41453"/><f n="libgssapiv2.2.so" o="pete" g="admin" p="33277" c="true"/><f n="libgssapiv2.la" o="pete" g="admin" p="33277"/><f n="libgssapiv2.so" o="pete" g="wheel" p="41453"/><f n="libotp.2.0.23.so" o="pete" g="wheel" p="41453"/><f n="libotp.2.so" o="pete" g="admin" p="33277" c="true"/><f n="libotp.la" o="pete" g="admin" p="33277"/><f n="libotp.so" o="pete" g="wheel" p="41453"/><f n="libplain.2.0.23.so" o="pete" g="wheel" p="41453"/><f n="libplain.2.so" o="pete" g="admin" p="33277" c="true"/><f n="libplain.la" o="pete" g="admin" p="33277"/><f n="libplain.so" o="pete" g="wheel" p="41453"/><f n="libsasldb.2.0.23.so" o="pete" g="wheel" p="41453"/><f n="libsasldb.2.so" o="pete" g="admin" p="33277" c="true"/><f n="libsasldb.la" o="pete" g="admin" p="33277"/><f n="libsasldb.so" o="pete" g="wheel" p="41453"/></f><f n="x" o="pete" g="wheel" p="41453"/></f><f n="sbin" o="root" g="admin" p="16877"><f n="pluginviewer" o="root" g="admin" p="33277" c="true"/><f n="saslauthd" o="root" g="admin" p="33277" c="true"/><f n="sasldblistusers2" o="root" g="admin" p="33277" c="true"/><f n="saslpasswd2" o="root" g="admin" 
p="33277" c="true"/><f n="testsaslauthd" o="root" g="admin" p="33277" c="true"/></f><f n="share" o="pete" g="admin" p="16877"><f n="man" o="pete" g="admin" p="16877"><f n="man3" o="pete" g="admin" p="16877"><f n="sasl.3" o="pete" g="admin" p="33204"/><f n="sasl_authorize_t.3" o="pete" g="admin" p="33204"/><f n="sasl_auxprop.3" o="pete" g="admin" p="33204"/><f n="sasl_auxprop_getctx.3" o="pete" g="admin" p="33204"/><f n="sasl_auxprop_request.3" o="pete" g="admin" p="33204"/><f n="sasl_callbacks.3" o="pete" g="admin" p="33204"/><f n="sasl_canon_user_t.3" o="pete" g="admin" p="33204"/><f n="sasl_chalprompt_t.3" o="pete" g="admin" p="33204"/><f n="sasl_checkapop.3" o="pete" g="admin" p="33204"/><f n="sasl_checkpass.3" o="pete" g="admin" p="33204"/><f n="sasl_client_init.3" o="pete" g="admin" p="33204"/><f n="sasl_client_new.3" o="pete" g="admin" p="33204"/><f n="sasl_client_start.3" o="pete" g="admin" p="33204"/><f n="sasl_client_step.3" o="pete" g="admin" p="33204"/><f n="sasl_decode.3" o="pete" g="admin" p="33204"/><f n="sasl_dispose.3" o="pete" g="admin" p="33204"/><f n="sasl_done.3" o="pete" g="admin" p="33204"/><f n="sasl_encode.3" o="pete" g="admin" p="33204"/><f n="sasl_encodev.3" o="pete" g="admin" p="33204"/><f n="sasl_errdetail.3" o="pete" g="admin" p="33204"/><f n="sasl_errors.3" o="pete" g="admin" p="33204"/><f n="sasl_errstring.3" o="pete" g="admin" p="33204"/><f n="sasl_getconfpath_t.3" o="pete" g="admin" p="33204"/><f n="sasl_getopt_t.3" o="pete" g="admin" p="33204"/><f n="sasl_getpath_t.3" o="pete" g="admin" p="33204"/><f n="sasl_getprop.3" o="pete" g="admin" p="33204"/><f n="sasl_getrealm_t.3" o="pete" g="admin" p="33204"/><f n="sasl_getsecret_t.3" o="pete" g="admin" p="33204"/><f n="sasl_getsimple_t.3" o="pete" g="admin" p="33204"/><f n="sasl_global_listmech.3" o="pete" g="admin" p="33204"/><f n="sasl_idle.3" o="pete" g="admin" p="33204"/><f n="sasl_listmech.3" o="pete" g="admin" p="33204"/><f n="sasl_log_t.3" o="pete" g="admin" p="33204"/><f 
n="sasl_server_init.3" o="pete" g="admin" p="33204"/><f n="sasl_server_new.3" o="pete" g="admin" p="33204"/><f n="sasl_server_start.3" o="pete" g="admin" p="33204"/><f n="sasl_server_step.3" o="pete" g="admin" p="33204"/><f n="sasl_server_userdb_checkpass_t.3" o="pete" g="admin" p="33204"/><f n="sasl_server_userdb_setpass_t.3" o="pete" g="admin" p="33204"/><f n="sasl_setpass.3" o="pete" g="admin" p="33204"/><f n="sasl_setprop.3" o="pete" g="admin" p="33204"/><f n="sasl_user_exists.3" o="pete" g="admin" p="33204"/><f n="sasl_verifyfile_t.3" o="pete" g="admin" p="33204"/></f><f n="man8" o="root" g="admin" p="16877"><f n="pluginviewer.8" o="root" g="admin" p="33204"/><f n="saslauthd.8" o="root" g="admin" p="33204"/><f n="sasldblistusers2.8" o="root" g="admin" p="33204"/><f n="saslpasswd2.8" o="root" g="admin" p="33204"/></f></f></f></f></f><mod>name</mod></f></pkg-contents>
\ No newline at end of file
--- /dev/null
+<pkgref spec="1.12" uuid="032139BC-6A2D-44A9-9290-8DCBCD5BAF73"><config><identifier>ja.net.moonshotClientSoftware.cyrusSasl.pkg</identifier><version>1.0</version><description></description><post-install type="none"/><requireAuthorization/><installTo>/</installTo><flags><followSymbolicLinks/></flags><packageStore type="internal"></packageStore><mod>installSizeKB</mod><mod>installTo</mod><mod>postInstall</mod><mod>hashDigest</mod><mod>filePrefix</mod><mod>requireAuthorization</mod><mod>identifier</mod><mod>version</mod><mod>parent</mod></config><contents><file-list>02sasl-contents.xml</file-list><filter>/CVS$</filter><filter>/\.svn$</filter><filter>/\.cvsignore$</filter><filter>/\.cvspass$</filter><filter>/\.DS_Store$</filter></contents><extra><packagePath>/Users/pete/installerbuild/Moonshot Client Software.pkg</packagePath><title>sasl</title><file-prefix>sasl.pkg</file-prefix></extra><additionalPkgInfoXML><pkg-info><payload installKBytes="1056" numberOfFiles="130"/></pkg-info></additionalPkgInfoXML></pkgref>
\ No newline at end of file
--- /dev/null
+<pkmkdoc spec="1.12"><properties><title>Moonshot Client Software</title><organization>ja.net</organization><userSees ui="both"/><min-target os="3"/><domain system="true"/></properties><distribution><versions min-spec="1.000000"/><scripts></scripts></distribution><contents><choice title="Kerberos with Moonshot GSS EAP Mechanism " id="choiceGssEap" starts_selected="true" starts_enabled="true" starts_hidden="false"><customLoc>/</customLoc><pkgref id="ja.net.moonshotClientSoftware.mech_eap.pkg"/></choice><choice title="Cyrus SASL" id="choiceCyrusSasl" starts_selected="true" starts_enabled="true" starts_hidden="false"><pkgref id="ja.net.moonshotClientSoftware.cyrusSasl.pkg"/></choice></contents><resources bg-scale="none" bg-align="topleft"/><flags/><item type="flat-pkgref">01krb.xml</item><item type="flat-pkgref">02sasl.xml</item><mod>properties.customizeOption</mod></pkmkdoc>
\ No newline at end of file
--- /dev/null
+total 0
+drwxr-xr-x 3 pete 102 30 Nov 08:29 usr/
+
+krb/usr:
+total 0
+drwxr-xr-x 8 pete 272 30 Nov 08:29 local/
+
+krb/usr/local:
+total 0
+drwxr-xr-x 16 pete 544 30 Nov 08:31 bin/
+drwxr-xr-x 11 pete 374 30 Nov 08:31 include/
+drwxr-xr-x 33 pete 1122 30 Nov 08:45 lib/
+drwxr-xr-x 14 pete 476 30 Nov 08:31 sbin/
+drwxr-xr-x 6 pete 204 30 Nov 08:31 share/
+drwxr-xr-x 3 pete 102 30 Nov 08:29 var/
+
+krb/usr/local/bin:
+total 608
+-rwxr-xr-x 1 pete 448 30 Nov 08:31 compile_et
+-rwxr-xr-x 1 pete 26292 30 Nov 08:31 gss-client
+-rwxr-xr-x@ 1 pete 1914 30 Nov 08:31 k5srvutil
+-rwxr-xr-x 1 pete 79988 30 Nov 08:31 kadmin
+-rwxr-xr-x 1 pete 9628 30 Nov 08:31 kdestroy
+-rwxr-xr-x 1 pete 22808 30 Nov 08:31 kinit
+-rwxr-xr-x 1 pete 22080 30 Nov 08:31 klist
+-rwxr-xr-x 1 pete 14920 30 Nov 08:31 kpasswd
+-rwxr-xr-x 1 pete 5738 30 Nov 08:31 krb5-config
+-rwxr-xr-x 1 pete 37460 30 Nov 08:31 ktutil
+-rwxr-xr-x 1 pete 15732 30 Nov 08:31 kvno
+-rwxr-xr-x 1 pete 15068 30 Nov 08:31 sclient
+-rwxr-xr-x 1 pete 15428 30 Nov 08:31 sim_client
+-rwxr-xr-x 1 pete 14956 30 Nov 08:31 uuclient
+
+krb/usr/local/include:
+total 152
+-rw-r--r--@ 1 pete 1978 30 Nov 08:31 com_err.h
+drwxr-xr-x 8 pete 272 30 Nov 08:45 gssapi/
+-rw-r--r--@ 1 pete 181 30 Nov 08:31 gssapi.h
+drwxr-xr-x 18 pete 612 30 Nov 08:31 gssrpc/
+drwxr-xr-x 5 pete 170 30 Nov 08:31 kadm5/
+-rw-r--r--@ 1 pete 56808 30 Nov 08:31 kdb.h
+drwxr-xr-x 7 pete 238 30 Nov 08:31 krb5/
+-rw-r--r--@ 1 pete 402 30 Nov 08:31 krb5.h
+-rw-r--r-- 1 pete 6105 30 Nov 08:31 profile.h
+
+krb/usr/local/include/gssapi:
+total 136
+-rw-r--r-- 1 pete 29935 30 Nov 08:31 gssapi.h
+-rw-r--r-- 1 pete 3051 30 Nov 08:45 gssapi_eap.h
+-rw-r--r--@ 1 pete 12088 30 Nov 08:31 gssapi_ext.h
+-rw-r--r--@ 1 pete 2268 30 Nov 08:31 gssapi_generic.h
+-rw-r--r-- 1 pete 11709 30 Nov 08:31 gssapi_krb5.h
+-rw-r--r--@ 1 pete 1652 30 Nov 08:31 mechglue.h
+
+krb/usr/local/include/gssrpc:
+total 224
+-rw-r--r--@ 1 pete 6789 30 Nov 08:31 auth.h
+-rw-r--r--@ 1 pete 4825 30 Nov 08:31 auth_gss.h
+-rw-r--r--@ 1 pete 3952 30 Nov 08:31 auth_gssapi.h
+-rw-r--r--@ 1 pete 2896 30 Nov 08:31 auth_unix.h
+-rw-r--r--@ 1 pete 9660 30 Nov 08:31 clnt.h
+-rw-r--r--@ 1 pete 2411 30 Nov 08:31 netdb.h
+-rw-r--r--@ 1 pete 3429 30 Nov 08:31 pmap_clnt.h
+-rw-r--r--@ 1 pete 3841 30 Nov 08:31 pmap_prot.h
+-rw-r--r--@ 1 pete 2303 30 Nov 08:31 pmap_rmt.h
+-rw-r--r--@ 1 pete 10734 30 Nov 08:31 rename.h
+-rw-r--r--@ 1 pete 3861 30 Nov 08:31 rpc.h
+-rw-r--r--@ 1 pete 5106 30 Nov 08:31 rpc_msg.h
+-rw-r--r--@ 1 pete 11595 30 Nov 08:31 svc.h
+-rw-r--r--@ 1 pete 3976 30 Nov 08:31 svc_auth.h
+-rw-r--r-- 1 pete 4947 30 Nov 08:31 types.h
+-rw-r--r--@ 1 pete 11779 30 Nov 08:31 xdr.h
+
+krb/usr/local/include/kadm5:
+total 64
+-rw-r--r--@ 1 pete 21418 30 Nov 08:31 admin.h
+-rw-r--r-- 1 pete 1572 30 Nov 08:31 chpass_util_strings.h
+-rw-r--r-- 1 pete 4064 30 Nov 08:31 kadm_err.h
+
+krb/usr/local/include/krb5:
+total 312
+-rw-r--r--@ 1 pete 5742 30 Nov 08:31 kadm5_hook_plugin.h
+-rw-r--r-- 1 pete 134599 30 Nov 08:31 krb5.h
+-rw-r--r--@ 1 pete 2648 30 Nov 08:31 locate_plugin.h
+-rw-r--r--@ 1 pete 2111 30 Nov 08:31 plugin.h
+-rw-r--r--@ 1 pete 4452 30 Nov 08:31 pwqual_plugin.h
+
+krb/usr/local/lib:
+total 3976
+drwxr-xr-x 4 pete 136 30 Nov 08:45 gss/
+drwxr-xr-x 3 pete 102 30 Nov 08:29 krb5/
+-rw-r--r-- 1 pete 16912 30 Nov 08:31 libcom_err.3.0.dylib
+lrwxr-xr-x 1 pete 20 30 Nov 08:31 libcom_err.3.dylib -> libcom_err.3.0.dylib
+lrwxr-xr-x 1 pete 20 30 Nov 08:31 libcom_err.dylib -> libcom_err.3.0.dylib
+-rw-r--r-- 1 pete 287084 30 Nov 08:31 libgssapi_krb5.2.2.dylib
+lrwxr-xr-x 1 pete 24 30 Nov 08:31 libgssapi_krb5.2.dylib -> libgssapi_krb5.2.2.dylib
+lrwxr-xr-x 1 pete 24 30 Nov 08:31 libgssapi_krb5.dylib -> libgssapi_krb5.2.2.dylib
+-rw-r--r-- 1 pete 142060 30 Nov 08:31 libgssrpc.4.1.dylib
+lrwxr-xr-x 1 pete 19 30 Nov 08:31 libgssrpc.4.dylib -> libgssrpc.4.1.dylib
+lrwxr-xr-x 1 pete 19 30 Nov 08:31 libgssrpc.dylib -> libgssrpc.4.1.dylib
+-rw-r--r-- 1 pete 195184 30 Nov 08:31 libk5crypto.3.1.dylib
+lrwxr-xr-x 1 pete 21 30 Nov 08:31 libk5crypto.3.dylib -> libk5crypto.3.1.dylib
+lrwxr-xr-x 1 pete 21 30 Nov 08:31 libk5crypto.dylib -> libk5crypto.3.1.dylib
+lrwxr-xr-x 1 pete 22 30 Nov 08:31 libkadm5clnt.dylib -> libkadm5clnt_mit.dylib
+-rw-r--r-- 1 pete 96332 30 Nov 08:31 libkadm5clnt_mit.8.0.dylib
+lrwxr-xr-x 1 pete 26 30 Nov 08:31 libkadm5clnt_mit.8.dylib -> libkadm5clnt_mit.8.0.dylib
+lrwxr-xr-x 1 pete 26 30 Nov 08:31 libkadm5clnt_mit.dylib -> libkadm5clnt_mit.8.0.dylib
+lrwxr-xr-x 1 pete 21 30 Nov 08:31 libkadm5srv.dylib -> libkadm5srv_mit.dylib
+-rw-r--r-- 1 pete 129380 30 Nov 08:31 libkadm5srv_mit.8.0.dylib
+lrwxr-xr-x 1 pete 25 30 Nov 08:31 libkadm5srv_mit.8.dylib -> libkadm5srv_mit.8.0.dylib
+lrwxr-xr-x 1 pete 25 30 Nov 08:31 libkadm5srv_mit.dylib -> libkadm5srv_mit.8.0.dylib
+-rw-r--r-- 1 pete 78932 30 Nov 08:31 libkdb5.5.0.dylib
+lrwxr-xr-x 1 pete 17 30 Nov 08:31 libkdb5.5.dylib -> libkdb5.5.0.dylib
+lrwxr-xr-x 1 pete 17 30 Nov 08:31 libkdb5.dylib -> libkdb5.5.0.dylib
+-rw-r--r-- 1 pete 950624 30 Nov 08:31 libkrb5.3.3.dylib
+lrwxr-xr-x 1 pete 17 30 Nov 08:31 libkrb5.3.dylib -> libkrb5.3.3.dylib
+lrwxr-xr-x 1 pete 17 30 Nov 08:31 libkrb5.dylib -> libkrb5.3.3.dylib
+-rw-r--r-- 1 pete 34888 30 Nov 08:31 libkrb5support.1.1.dylib
+lrwxr-xr-x 1 pete 24 30 Nov 08:31 libkrb5support.1.dylib -> libkrb5support.1.1.dylib
+lrwxr-xr-x 1 pete 24 30 Nov 08:31 libkrb5support.dylib -> libkrb5support.1.1.dylib
+
+krb/usr/local/lib/gss:
+total 688
+-rwxr-xr-x 1 pete 1067 30 Nov 08:45 mech_eap.la
+-rwxr-xr-x 1 pete 345264 30 Nov 08:45 mech_eap.so
+
+krb/usr/local/lib/krb5:
+total 0
+drwxr-xr-x 6 pete 204 30 Nov 08:29 plugins/
+
+krb/usr/local/lib/krb5/plugins:
+total 0
+drwxr-xr-x 2 pete 68 30 Nov 08:29 authdata/
+drwxr-xr-x 3 pete 102 30 Nov 08:31 kdb/
+drwxr-xr-x 2 pete 68 30 Nov 08:29 libkrb5/
+drwxr-xr-x 4 pete 136 30 Nov 08:31 preauth/
+
+krb/usr/local/lib/krb5/plugins/authdata:
+
+krb/usr/local/lib/krb5/plugins/kdb:
+total 240
+-rw-r--r-- 1 pete 122852 30 Nov 08:31 db2.so
+
+krb/usr/local/lib/krb5/plugins/libkrb5:
+
+krb/usr/local/lib/krb5/plugins/preauth:
+total 272
+-rw-r--r-- 1 pete 14792 30 Nov 08:31 encrypted_challenge.so
+-rw-r--r-- 1 pete 120376 30 Nov 08:31 pkinit.so
+
+krb/usr/local/sbin:
+total 1176
+-rwxr-xr-x 1 pete 21480 30 Nov 08:31 gss-server
+-rwxr-xr-x 1 pete 80220 30 Nov 08:31 kadmin.local
+-rwxr-xr-x 1 pete 108324 30 Nov 08:31 kadmind
+-rwxr-xr-x 1 pete 98652 30 Nov 08:31 kdb5_util
+-rwxr-xr-x 1 pete 23144 30 Nov 08:31 kprop
+-rwxr-xr-x 1 pete 36256 30 Nov 08:31 kpropd
+-rwxr-xr-x 1 pete 18628 30 Nov 08:31 kproplog
+-rwxr-xr-x 1 pete 14361 30 Nov 08:31 krb5-send-pr
+-rwxr-xr-x 1 pete 134792 30 Nov 08:31 krb5kdc
+-rwxr-xr-x 1 pete 14804 30 Nov 08:31 sim_server
+-rwxr-xr-x 1 pete 14936 30 Nov 08:31 sserver
+-rwxr-xr-x 1 pete 14504 30 Nov 08:31 uuserver
+
+krb/usr/local/share:
+total 0
+drwxr-xr-x 4 pete 136 30 Nov 08:31 et/
+drwxr-xr-x 3 pete 102 30 Nov 08:29 examples/
+drwxr-xr-x 3 pete 102 30 Nov 08:31 gnats/
+drwxr-xr-x 5 pete 170 30 Nov 08:29 man/
+
+krb/usr/local/share/et:
+total 24
+-rw-r--r--@ 1 pete 4901 30 Nov 08:31 et_c.awk
+-rw-r--r--@ 1 pete 3918 30 Nov 08:31 et_h.awk
+
+krb/usr/local/share/examples:
+total 0
+drwxr-xr-x 5 pete 170 30 Nov 08:31 krb5/
+
+krb/usr/local/share/examples/krb5:
+total 24
+-rw-r--r--@ 1 pete 362 30 Nov 08:31 kdc.conf
+-rw-r--r--@ 1 pete 546 30 Nov 08:31 krb5.conf
+-rw-r--r--@ 1 pete 1493 30 Nov 08:31 services.append
+
+krb/usr/local/share/gnats:
+total 8
+-rw-r--r--@ 1 pete 99 30 Nov 08:31 mit
+
+krb/usr/local/share/man:
+total 0
+drwxr-xr-x 16 pete 544 30 Nov 08:31 man1/
+drwxr-xr-x 5 pete 170 30 Nov 08:31 man5/
+drwxr-xr-x 10 pete 340 30 Nov 08:31 man8/
+
+krb/usr/local/share/man/man1:
+total 216
+-rw-r--r--@ 1 pete 2151 30 Nov 08:31 compile_et.1
+-rw-r--r--@ 1 pete 1724 30 Nov 08:31 k5srvutil.1
+-rw-r--r--@ 1 pete 25527 30 Nov 08:31 kadmin.1
+-rw-r--r--@ 1 pete 2920 30 Nov 08:31 kdestroy.1
+-rw-r--r--@ 1 pete 4327 30 Nov 08:31 kerberos.1
+-rw-r--r--@ 1 pete 7271 30 Nov 08:31 kinit.1
+-rw-r--r--@ 1 pete 3636 30 Nov 08:31 klist.1
+-rw-r--r--@ 1 pete 2665 30 Nov 08:31 kpasswd.1
+-rw-r--r--@ 1 pete 2602 30 Nov 08:31 krb5-config.1
+-rw-r--r-- 1 pete 8205 30 Nov 08:31 krb5-send-pr.1
+-rw-r--r--@ 1 pete 16269 30 Nov 08:31 ksu.1
+-rw-r--r--@ 1 pete 1340 30 Nov 08:31 ktutil.1
+-rw-r--r--@ 1 pete 3076 30 Nov 08:31 kvno.1
+-rw-r--r--@ 1 pete 1574 30 Nov 08:31 sclient.1
+
+krb/usr/local/share/man/man5:
+total 80
+-rw-r--r--@ 1 pete 8682 30 Nov 08:31 kdc.conf.5
+-rw-r--r--@ 1 pete 27435 30 Nov 08:31 krb5.conf.5
+
+krb/usr/local/share/man/man8:
+total 120
+-rw-r--r--@ 1 pete 18 30 Nov 08:31 kadmin.local.8
+-rw-r--r--@ 1 pete 9465 30 Nov 08:31 kadmind.8
+-rw-r--r--@ 1 pete 9198 30 Nov 08:31 kdb5_util.8
+-rw-r--r--@ 1 pete 2519 30 Nov 08:31 kprop.8
+-rw-r--r--@ 1 pete 4933 30 Nov 08:31 kpropd.8
+-rw-r--r--@ 1 pete 3518 30 Nov 08:31 kproplog.8
+-rw-r--r--@ 1 pete 5706 30 Nov 08:31 krb5kdc.8
+-rw-r--r--@ 1 pete 4433 30 Nov 08:31 sserver.8
+
+krb/usr/local/var:
+total 0
+drwxr-xr-x 2 pete 68 30 Nov 08:29 krb5kdc/
+
+krb/usr/local/var/krb5kdc:
--- /dev/null
+###Introduction
+
+This page contains notes on how to build and install the software necessary to run Moonshot clients on a computer running Max OS X 10.6 Snow Leopard and 10.7 Lion.
+
+It also contains instructions for creating an installer package allowing the Moonshot software to be installed on other machines running Mac OS X.
+
+These notes are also in the file mac-client-installer/README.MacOsBuildInstructions
+
+There are three components that need to be built and installed:
+
+1: the Cyrus SASL2 library, along with the SASL GS2 Library which implements the GS2 GSS-API->SASL bridge mechanism.
+
+2: the Moonshot GSS EAP library, implements the EAP mechanism for use by the GSS API. This library depends on having a recent version of Kerberos. Mac OS X ships with Kerberos 5 release 1.7-prerelease which is not recent enough. So. for the installer at least, we will get and build the latest stable release (1.9.2) from [MIT](from http://web.mit.edu/kerberos/dist/index.html).
+
+3: the Moonshot Identity Selector/Manager software which...
+ToDo: Complete this section when the client software is ported to Mac OS
+
+
+###Getting the Moonshot source code
+
+Follow the instructions at http://www.project-moonshot.org/developers/repository, cloning the repo in $HOME
+
+Working in $HOME/moonshot/mac-client-installer
+
+###Building the Cyrus SASL2 library
+
+ $ cd $HOME/moonshot/cyrus_sasl
+ $ ./autogen.sh
+
+You will see the following message
+
+ configure.in:14 error: possibly undefined macro: AC_DEFINE
+ If this token and others are legitimate, please use m4_pattern_allow.
+ See the Autoconf documentation
+
+ $ ./configure --with-gss_impl=mit
+ $ make
+
+To install to /usr/local in your build machine
+
+ $ sudo make install
+
+Create the link from /usr/lib/sasl2 (where the library looks for the plugins)->/usr/local/lib/sasl2 (where the plugins will be installed)
+
+ $ cd sasl/usr/lib
+ $ ln -fs ../local/lib/sasl2
+
+Or, if you are making the installer
+
+ $ make install DESTDIR=$HOME/moonshot/mac-client-installer/sasl
+
+Create the link from /usr/lib/sasl2 (where the library looks for the plugins)->/usr/local/lib/sasl2 (where the plugins will be installed)
+
+ $ mkdir sasl/usr/lib
+ $ cd sasl/usr/lib
+ $ ln -fs ../local/lib/sasl2
+ $ cd ../../..
+ $ cd ~/installerbuild
+
+The files and directories that are installed are as listed in README.saslInstalledFiles
+
+###Building the downloaded Kerberos
+
+Unpack the file to $HOME/krbbuild
+
+ $ cd $HOME/krbbuild/krb5-1.9.2-signed/krb5-1.9.2/src
+ $ ./configure
+ $ make
+
+To install to /usr/local in your build machine
+
+ $ sudo make install
+
+Or, if you are making the installer
+ $ make install DESTDIR=$HOME/moonshot/mac-client-installer/krb
+
+###Building the Moonshot GSS EAP library
+
+ $ cd $HOME/moonshot/moonshot
+ $ ./autogen.sh
+ $ ./configure --enable-acceptor=no
+
+You will see the following warnings
+
+ configure: WARNING:
+ ----------------------------------------------------------------------
+ Cannot find OpenSAML libraries, building without OpenSAML support.
+ Please install OpenSAML or specify installation directory with
+ --with-opensaml=(dir).
+ ----------------------------------------------------------------------
+
+ configure: WARNING:
+ ----------------------------------------------------------------------
+ Cannot find Shibboleth resolver libraries, building without
+ Shibboleth support.
+ Please install Shibboleth or specify installation directory with
+ --with-shibresolver=(dir).
+ ----------------------------------------------------------------------
+
+ $ make
+ $ cd mech_eap
+ $ sudo make install
+ $ libtool --finish /usr/local/lib/gss
+
+Or, if you are making the installer
+
+ $ ./configure --enable-acceptor=no --with-krb5=$HOME/moonshot/mac-client-installer/krb/usr/local
+ $ make
+
+We only need to install the mech_eap library
+
+ $ cd mech_eap
+ $ make install DESTDIR=$HOME/moonshot/mac-client-installer/krb
+
+The files and directories that are installed are as listed in README.KrbInstalledFiles
+
+###Building the Moonshot Identity Selector/Manager software
+ToDo: Complete this section when the client software is ported to Mac OS
+
+###Make the install package
+Ideally we would divide the installer into sub-packages (sasl and krb) within a single meta package. However this seems to be possible only from the packagemaker GUI: there are a number of problems with doing this from the packagemaker command line. We are therefore building a single package, with sasl and krb as choice items within the package.
+
+Ensure the permissions are correct for the files to be installed
+
+ $ sudo chown -R root:admin krb sasl
+ $ sudo chmod -R g+w krb sasl
+
+Build the package
+
+ $ /Developer/usr/bin/packagemaker --doc Moonshot\ Client\ Software.pmdoc \
+ --version 0.1 --filter "/.DS_Store" --resources ./resources/ --root-volume-only\
+ --domain system --verbose --no-relocate -l "/" --target 10.5 \
+ --id ja.net.moonshotClientSoftware --out Moonshot\ Client\ Software.pkg
+
+Instructions in DevWiki at http://www.project-moonshot.org/devwiki//building_client_software_for_mac_os
+
+###Making the Disk Image
+Create and mount the image - 2MB will be enough for now
+
+ $ hdiutil create -size 2m -fs HFS+ -volname "Moonshot Client Software" temp.dmg
+ $ hdiutil attach temp.dmg
+
+Copy the package and the READMEs
+ $ cp Moonshot\ Client\ Software.pkg /Volumes/Moonshot\ Client\ Software/
+ $ cp resources/* /Volumes/Moonshot\ Client\ Software/
+
+Get rid of hidden files and folders that we don't need
+
+ $ sudo rm -rf /Volumes/Moonshot\ Client\ Software/.fseventsd/
+ $ sudo rm -rf /Volumes/Moonshot\ Client\ Software/.Trashes/
+ $ sudo find /Volumes/Moonshot\ Client\ Software -name '.*' -type f -delete
+
+Unmount the image
+
+ $ hdiutil detach /Volumes/Moonshot\ Client\ Software
+
+Convert the disk image to read-only
+
+ $ hdiutil convert temp.dmg -format UDZO -o moonshotclientsoftware.dmg
+ $ rm temp.dmg
+
+The compressed disk image containing the installer package and the READMEs is now in file *moonshotclientsoftware.dmg*
+
--- /dev/null
+total 0
+drwxrwxr-x 4 root 136 30 Nov 07:41 Library/
+drwxrwxr-x 5 root 170 30 Nov 07:44 usr/
+
+./Library:
+total 0
+drwxrwxr-x 4 root 136 30 Nov 07:41 Frameworks/
+
+./Library/Frameworks:
+total 0
+drwxrwxr-x 6 root 204 30 Nov 07:41 SASL2.framework/
+
+./Library/Frameworks/SASL2.framework:
+total 16
+lrwxr-xr-x 1 root 18 30 Nov 07:27 Headers -> Versions/A/Headers
+lrwxr-xr-x 1 root 20 30 Nov 07:27 Resources -> Versions/A/Resources
+drwxrwxr-x 5 root 170 30 Nov 07:41 Versions/
+
+./Library/Frameworks/SASL2.framework/Versions:
+total 8
+drwxrwxr-x 4 root 136 30 Nov 07:27 A/
+lrwxr-xr-x 1 root 1 30 Nov 07:27 Current -> A
+
+./Library/Frameworks/SASL2.framework/Versions/A:
+total 0
+drwxrwxr-x 9 root 306 30 Nov 07:27 Headers/
+drwxrwxr-x 3 root 102 30 Nov 07:27 Resources/
+
+./Library/Frameworks/SASL2.framework/Versions/A/Headers:
+total 224
+-rw-rw-r-- 1 root 1368 30 Nov 07:27 hmac-md5.h
+-rw-rw-r-- 1 root 1442 30 Nov 07:27 md5.h
+-rw-rw-r-- 1 root 1026 30 Nov 07:27 md5global.h
+-rw-rw-r-- 1 root 7273 30 Nov 07:27 prop.h
+-rw-rw-r-- 1 root 50521 30 Nov 07:27 sasl.h
+-rw-rw-r-- 1 root 34290 30 Nov 07:27 saslplug.h
+-rw-rw-r-- 1 root 2648 30 Nov 07:27 saslutil.h
+
+./Library/Frameworks/SASL2.framework/Versions/A/Resources:
+total 8
+-rw-rw-r-- 1 root 845 30 Nov 07:27 Info.plist
+
+./usr:
+total 0
+drwxrwxr-x 4 root 136 30 Nov 07:54 lib/
+drwxrwxr-x 6 root 204 30 Nov 07:27 local/
+
+./usr/lib:
+total 8
+lrwxr-xr-x 1 pete 18 30 Nov 07:54 sasl2 -> ../local/lib/sasl2
+
+./usr/local:
+total 0
+drwxrwxr-x 3 root 102 30 Nov 07:27 include/
+drwxrwxr-x 7 root 238 30 Nov 07:27 lib/
+drwxrwxr-x 7 root 238 30 Nov 07:27 sbin/
+drwxrwxr-x 3 root 102 30 Nov 07:27 share/
+
+./usr/local/include:
+total 0
+drwxrwxr-x 9 root 306 30 Nov 07:27 sasl/
+
+./usr/local/include/sasl:
+total 224
+-rw-rw-r-- 1 root 1368 30 Nov 07:27 hmac-md5.h
+-rw-rw-r-- 1 root 1442 30 Nov 07:27 md5.h
+-rw-rw-r-- 1 root 1026 30 Nov 07:27 md5global.h
+-rw-rw-r-- 1 root 7273 30 Nov 07:27 prop.h
+-rw-rw-r-- 1 root 50521 30 Nov 07:27 sasl.h
+-rw-rw-r-- 1 root 34290 30 Nov 07:27 saslplug.h
+-rw-rw-r-- 1 root 2648 30 Nov 07:27 saslutil.h
+
+./usr/local/lib:
+total 264
+lrwxr-xr-x 1 root 16 30 Nov 07:27 libsasl2.2.0.23.dylib -> libsasl2.2.dylib
+-rwxrwxr-x 1 root 121592 30 Nov 07:27 libsasl2.2.dylib
+lrwxr-xr-x 1 root 16 30 Nov 07:27 libsasl2.dylib -> libsasl2.2.dylib
+-rwxrwxr-x 1 root 944 30 Nov 07:27 libsasl2.la
+drwxrwxr-x 34 root 1156 30 Nov 07:27 sasl2/
+
+./usr/local/lib/sasl2:
+total 800
+lrwxr-xr-x 1 root 17 30 Nov 07:27 libanonymous.2.0.23.so -> libanonymous.2.so
+-rwxrwxr-x 1 root 22312 30 Nov 07:27 libanonymous.2.so
+-rwxrwxr-x 1 root 952 30 Nov 07:27 libanonymous.la
+lrwxr-xr-x 1 root 17 30 Nov 07:27 libanonymous.so -> libanonymous.2.so
+lrwxr-xr-x 1 root 15 30 Nov 07:27 libcrammd5.2.0.23.so -> libcrammd5.2.so
+-rwxrwxr-x 1 root 26512 30 Nov 07:27 libcrammd5.2.so
+-rwxrwxr-x 1 root 940 30 Nov 07:27 libcrammd5.la
+lrwxr-xr-x 1 root 15 30 Nov 07:27 libcrammd5.so -> libcrammd5.2.so
+lrwxr-xr-x 1 root 17 30 Nov 07:27 libdigestmd5.2.0.23.so -> libdigestmd5.2.so
+-rwxrwxr-x 1 root 55600 30 Nov 07:27 libdigestmd5.2.so
+-rwxrwxr-x 1 root 961 30 Nov 07:27 libdigestmd5.la
+lrwxr-xr-x 1 root 17 30 Nov 07:27 libdigestmd5.so -> libdigestmd5.2.so
+lrwxr-xr-x 1 root 11 30 Nov 07:27 libgs2.2.0.23.so -> libgs2.2.so
+-rwxrwxr-x 1 root 39332 30 Nov 07:27 libgs2.2.so
+-rwxrwxr-x 1 root 958 30 Nov 07:27 libgs2.la
+lrwxr-xr-x 1 root 11 30 Nov 07:27 libgs2.so -> libgs2.2.so
+lrwxr-xr-x 1 root 16 30 Nov 07:27 libgssapiv2.2.0.23.so -> libgssapiv2.2.so
+-rwxrwxr-x 1 root 37680 30 Nov 07:27 libgssapiv2.2.so
+-rwxrwxr-x 1 root 988 30 Nov 07:27 libgssapiv2.la
+lrwxr-xr-x 1 root 16 30 Nov 07:27 libgssapiv2.so -> libgssapiv2.2.so
+lrwxr-xr-x 1 root 11 30 Nov 07:27 libotp.2.0.23.so -> libotp.2.so
+-rwxrwxr-x 1 root 61456 30 Nov 07:27 libotp.2.so
+-rwxrwxr-x 1 root 925 30 Nov 07:27 libotp.la
+lrwxr-xr-x 1 root 11 30 Nov 07:27 libotp.so -> libotp.2.so
+lrwxr-xr-x 1 root 13 30 Nov 07:27 libplain.2.0.23.so -> libplain.2.so
+-rwxrwxr-x 1 root 22032 30 Nov 07:27 libplain.2.so
+-rwxrwxr-x 1 root 928 30 Nov 07:27 libplain.la
+lrwxr-xr-x 1 root 13 30 Nov 07:27 libplain.so -> libplain.2.so
+lrwxr-xr-x 1 root 14 30 Nov 07:27 libsasldb.2.0.23.so -> libsasldb.2.so
+-rwxrwxr-x 1 root 27944 30 Nov 07:27 libsasldb.2.so
+-rwxrwxr-x 1 root 934 30 Nov 07:27 libsasldb.la
+lrwxr-xr-x 1 root 14 30 Nov 07:27 libsasldb.so -> libsasldb.2.so
+
+./usr/local/sbin:
+total 296
+-rwxrwxr-x 1 root 15828 30 Nov 07:27 pluginviewer
+-rwxrwxr-x 1 root 76704 30 Nov 07:27 saslauthd
+-rwxrwxr-x 1 root 21032 30 Nov 07:27 sasldblistusers2
+-rwxrwxr-x 1 root 15620 30 Nov 07:27 saslpasswd2
+-rwxrwxr-x 1 root 15332 30 Nov 07:27 testsaslauthd
+
+./usr/local/share:
+total 0
+drwxrwxr-x 4 root 136 30 Nov 07:27 man/
+
+./usr/local/share/man:
+total 0
+drwxrwxr-x 45 root 1530 30 Nov 07:27 man3/
+drwxrwxr-x 6 root 204 30 Nov 07:27 man8/
+
+./usr/local/share/man/man3:
+total 392
+-rw-rw-r-- 1 root 3255 30 Nov 07:27 sasl.3
+-rw-rw-r-- 1 root 2914 30 Nov 07:27 sasl_authorize_t.3
+-rw-rw-r-- 1 root 7376 30 Nov 07:27 sasl_auxprop.3
+-rw-rw-r-- 1 root 2507 30 Nov 07:27 sasl_auxprop_getctx.3
+-rw-rw-r-- 1 root 3027 30 Nov 07:27 sasl_auxprop_request.3
+-rw-rw-r-- 1 root 4187 30 Nov 07:27 sasl_callbacks.3
+-rw-rw-r-- 1 root 3401 30 Nov 07:27 sasl_canon_user_t.3
+-rw-rw-r-- 1 root 2871 30 Nov 07:27 sasl_chalprompt_t.3
+-rw-rw-r-- 1 root 3108 30 Nov 07:27 sasl_checkapop.3
+-rw-rw-r-- 1 root 2926 30 Nov 07:27 sasl_checkpass.3
+-rw-rw-r-- 1 root 3143 30 Nov 07:27 sasl_client_init.3
+-rw-rw-r-- 1 root 4477 30 Nov 07:27 sasl_client_new.3
+-rw-rw-r-- 1 root 4296 30 Nov 07:27 sasl_client_start.3
+-rw-rw-r-- 1 root 4148 30 Nov 07:27 sasl_client_step.3
+-rw-rw-r-- 1 root 3001 30 Nov 07:27 sasl_decode.3
+-rw-rw-r-- 1 root 2440 30 Nov 07:27 sasl_dispose.3
+-rw-rw-r-- 1 root 2279 30 Nov 07:27 sasl_done.3
+-rw-rw-r-- 1 root 3153 30 Nov 07:27 sasl_encode.3
+-rw-rw-r-- 1 root 3153 30 Nov 07:27 sasl_encodev.3
+-rw-rw-r-- 1 root 2498 30 Nov 07:27 sasl_errdetail.3
+-rw-rw-r-- 1 root 3934 30 Nov 07:27 sasl_errors.3
+-rw-rw-r-- 1 root 3137 30 Nov 07:27 sasl_errstring.3
+-rw-rw-r-- 1 root 2666 30 Nov 07:27 sasl_getconfpath_t.3
+-rw-rw-r-- 1 root 3245 30 Nov 07:27 sasl_getopt_t.3
+-rw-rw-r-- 1 root 2645 30 Nov 07:27 sasl_getpath_t.3
+-rw-rw-r-- 1 root 3487 30 Nov 07:27 sasl_getprop.3
+-rw-rw-r-- 1 root 2921 30 Nov 07:27 sasl_getrealm_t.3
+-rw-rw-r-- 1 root 2767 30 Nov 07:27 sasl_getsecret_t.3
+-rw-rw-r-- 1 root 2901 30 Nov 07:27 sasl_getsimple_t.3
+-rw-rw-r-- 1 root 2475 30 Nov 07:27 sasl_global_listmech.3
+-rw-rw-r-- 1 root 2423 30 Nov 07:27 sasl_idle.3
+-rw-rw-r-- 1 root 3443 30 Nov 07:27 sasl_listmech.3
+-rw-rw-r-- 1 root 2469 30 Nov 07:27 sasl_log_t.3
+-rw-rw-r-- 1 root 3175 30 Nov 07:27 sasl_server_init.3
+-rw-rw-r-- 1 root 4163 30 Nov 07:27 sasl_server_new.3
+-rw-rw-r-- 1 root 4044 30 Nov 07:27 sasl_server_start.3
+-rw-rw-r-- 1 root 3289 30 Nov 07:27 sasl_server_step.3
+-rw-rw-r-- 1 root 3109 30 Nov 07:27 sasl_server_userdb_checkpass_t.3
+-rw-rw-r-- 1 root 3201 30 Nov 07:27 sasl_server_userdb_setpass_t.3
+-rw-rw-r-- 1 root 3058 30 Nov 07:27 sasl_setpass.3
+-rw-rw-r-- 1 root 3198 30 Nov 07:27 sasl_setprop.3
+-rw-rw-r-- 1 root 2639 30 Nov 07:27 sasl_user_exists.3
+-rw-rw-r-- 1 root 2957 30 Nov 07:27 sasl_verifyfile_t.3
+
+./usr/local/share/man/man8:
+total 48
+-rw-rw-r-- 1 root 3927 30 Nov 07:27 pluginviewer.8
+-rw-rw-r-- 1 root 9369 30 Nov 07:27 saslauthd.8
+-rw-rw-r-- 1 root 2490 30 Nov 07:27 sasldblistusers2.8
+-rw-rw-r-- 1 root 3184 30 Nov 07:27 saslpasswd2.8
--- /dev/null
+----------------------------------------------------------------------
+ Libraries have been installed in:
+ /Users/pete/tmp/usr/local/lib/gss
+
+ If you ever happen to want to link against installed libraries
+ in a given directory, LIBDIR, you must either use libtool, and
+ specify the full pathname of the library, or use the `-LLIBDIR'
+ flag during linking and do at least one of the following:
+ - add LIBDIR to the `DYLD_LIBRARY_PATH' environment variable
+ during execution
+
+ See any operating system documentation about shared libraries for
+ more information, such as the ld(1) and ld.so(8) manual pages.
+ ----------------------------------------------------------------------
--- /dev/null
+********************************************************
+* WARNING:
+* Plugins are being installed into /usr/local/lib/sasl2,
+* but the library will look for them in /usr/lib/sasl2.
+* You need to make sure that the plugins will eventually
+* be in /usr/lib/sasl2 -- the easiest way is to make a
+* symbolic link from /usr/lib/sasl2 to /usr/local/lib/sasl2,
+* but this may not be appropriate for your site, so this
+* installation procedure won't do it for you.
+*
+* If you don't want to do this for some reason, you can
+* set the location where the library will look for plugins
+* by setting the environment variable SASL_PATH to the path
+* the library should use.
+********************************************************
--- /dev/null
+********************************************************
+* WARNING:
+* Plugins are being installed into /usr/local/lib/sasl2,
+* but the library will look for them in /usr/lib/sasl2.
+* You need to make sure that the plugins will eventually
+* be in /usr/lib/sasl2 -- the easiest way is to make a
+* symbolic link from /usr/lib/sasl2 to /usr/local/lib/sasl2,
+* but this may not be appropriate for your site, so this
+* installation procedure won't do it for you.
+*
+* If you don't want to do this for some reason, you can
+* set the location where the library will look for plugins
+* by setting the environment variable SASL_PATH to the path
+* the library should use.
+********************************************************
--- /dev/null
+hello this is a readme file
autom4te.cache
-
+mech_eap.spec
+mech_eap*tar*
AUTOMAKE_OPTIONS = foreign
-
+ACLOCAL_AMFLAGS = -I m4
SUBDIRS = libeap mech_eap
+EXTRA_DIST = mech_eap.spec
dnl Based on the one from the Boinc project by Reinhard
+AC_DEFUN([AX_CHECK_WINDOWS],
+[AC_MSG_CHECKING(for windows)
+target_windows="no"
+AC_CHECK_HEADER(windows.h,[target_windows="yes"],[target_windows="no"])
+AC_MSG_RESULT($target_windows)
+AM_CONDITIONAL(TARGET_WINDOWS,test "x$target_windows" = "xyes")
+])dnl
+
AC_DEFUN([AX_CHECK_KRB5],
[AC_MSG_CHECKING(for GSS-API and Kerberos implementation)
KRB5_DIR=
[Use krb5 (in specified installation directory)]),
[check_krb5_dir="$withval"],
[check_krb5_dir=])
-for dir in $check_krb5_dir $prefix /usr /usr/local ; do
+for dir in $check_krb5_dir $prefix /usr/local /usr ; do
krb5dir="$dir"
if test -x "$dir/bin/krb5-config"; then
found_krb5="yes";
- KRB5_CFLAGS=`$dir/bin/krb5-config gssapi --cflags`;
- KRB5_LIBS=`$dir/bin/krb5-config gssapi --libs`;
- COMPILE_ET="$dir/bin/compile_et";
+ if test "x$target_windows" = "xyes"; then
+ KRB5_CFLAGS=-I"$check_krb5_dir/include";
+ KRB5_LDFLAGS="-L$check_krb5_dir/lib/";
+ KRB5_LIBS="-lkrb5_32 -lgssapi32";
+ COMPILE_ET="$check_krb5_dir/bin/compile_et";
+ AC_MSG_RESULT([yes])
+ else
+ KRB5_CFLAGS=`$dir/bin/krb5-config gssapi --cflags`;
+ KRB5_LDFLAGS="-L$dir/lib";
+ KRB5_LIBS=`$dir/bin/krb5-config gssapi --libs`
+AC_MSG_RESULT([yes])
+ AC_PATH_PROG(COMPILE_ET, [compile_et], [compile_et], [$dir/bin$PATH_SEPARATOr])
+ fi
break;
fi
done
-AC_MSG_RESULT($found_krb5)
if test x_$found_krb5 != x_yes; then
+ AC_MSG_RESULT($found_krb5)
AC_MSG_ERROR([
----------------------------------------------------------------------
Cannot find GSS-API/Kerberos libraries.
else
printf "Kerberos found in $krb5dir\n";
AC_SUBST(KRB5_CFLAGS)
+ AC_SUBST(KRB5_LDFLAGS)
AC_SUBST(KRB5_LIBS)
AC_SUBST(COMPILE_ET)
AC_CHECK_LIB(krb5, GSS_C_NT_COMPOSITE_EXPORT, [AC_DEFINE_UNQUOTED([HAVE_GSS_C_NT_COMPOSITE_EXPORT], 1, [Define if GSS-API library supports recent naming extensions draft])], [], "$KRB5_LIBS")
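Review bot: The AC_PATH_PROG call for COMPILE_ET misspells its path list as `$dir/bin$PATH_SEPARATOr`, so the shell expands an unset variable and only `$dir/bin` is ever searched; the intended list is surely `[$dir/bin$PATH_SEPARATOR$PATH]`, and leaving the list ending in a bare separator after fixing the spelling should be avoided because an empty path element may be walked as the current directory, letting a stray `compile_et` in the build tree win over the installed one. The new Windows branch also derives its paths from `$check_krb5_dir` rather than the loop variable `$dir` that actually passed the `test -x "$dir/bin/krb5-config"` probe, so a build without `--with-krb5` ends up with `-I/include` and `-L/lib/`; use `$dir` on those four assignments, e.g. `KRB5_CFLAGS="-I$dir/include"; KRB5_LDFLAGS="-L$dir/lib/"; COMPILE_ET="$dir/bin/compile_et";`. The trailing `/` in `-L$check_krb5_dir/lib/` is harmless but inconsistent with the `-L$dir/lib` form used in the else branch.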
if test x_$found_shibsp != x_yes; then
AC_MSG_ERROR([
----------------------------------------------------------------------
- Cannot find Shibboleth/OpenSAML libraries.
+ Cannot find Shibboleth libraries.
Please install Shibboleth or specify installation directory with
--with-shibsp=(dir).
])
else
printf "Shibboleth found in $shibspdir\n";
- SHIBSP_LIBS="-lshibsp -lsaml -lxml-security-c -lxmltooling -lxerces-c";
+ SHIBSP_LIBS="-lshibsp -lsaml -lxml-security-c -lxmltooling -lxerces-c";
SHIBSP_LDFLAGS="-L$shibspdir/lib";
AC_SUBST(SHIBSP_CXXFLAGS)
AC_SUBST(SHIBSP_LDFLAGS)
AC_SUBST(SHIBSP_LIBS)
+ AC_DEFINE_UNQUOTED([HAVE_SHIBSP], 1, [Define is Shibboleth SP is available])
fi
])dnl
[Use Shibboleth resolver (in specified installation directory)]),
[check_shibresolver_dir="$withval"],
[check_shibresolver_dir=])
+if test x_$check_shibresolver_dir != x_no; then
for dir in $check_shibresolver_dir $prefix /usr /usr/local ; do
shibresolverdir="$dir"
if test -f "$dir/include/shibresolver/resolver.h"; then
break;
fi
done
+fi
AC_MSG_RESULT($found_shibresolver)
+if test x_$check_shibresolver_dir != x_no; then
if test x_$found_shibresolver != x_yes; then
- AC_MSG_ERROR([
+ AC_MSG_WARN([
----------------------------------------------------------------------
- Cannot find Shibboleth resolver libraries.
+ Cannot find Shibboleth resolver libraries, building without
+ Shibboleth support.
Please install Shibboleth or specify installation directory with
--with-shibresolver=(dir).
AC_SUBST(SHIBRESOLVER_CXXFLAGS)
AC_SUBST(SHIBRESOLVER_LDFLAGS)
AC_SUBST(SHIBRESOLVER_LIBS)
+ AC_DEFINE_UNQUOTED([HAVE_SHIBRESOLVER], 1, [Define is Shibboleth resolver is available])
+fi
+fi
+])dnl
+
+AC_DEFUN([AX_CHECK_OPENSAML],
+[AC_MSG_CHECKING(for OpenSAML implementation)
+OPENSAML_DIR=
+found_opensaml="no"
+AC_ARG_WITH(opensaml,
+ AC_HELP_STRING([--with-opensaml],
+ [Use OpenSAML (in specified installation directory)]),
+ [check_opensaml_dir="$withval"],
+ [check_opensaml_dir=])
+if test x_$check_opensaml_dir != x_no; then
+for dir in $check_opensaml_dir $prefix /usr /usr/local ; do
+ opensamldir="$dir"
+ if test -f "$dir/include/saml/Assertion.h"; then
+ found_opensaml="yes";
+ OPENSAML_DIR="${opensamldir}"
+ OPENSAML_CXXFLAGS="-I$opensamldir/include";
+ break;
+ fi
+done
+fi
+AC_MSG_RESULT($found_opensaml)
+if test x_$check_opensaml_dir != x_no; then
+if test x_$found_opensaml != x_yes; then
+ AC_MSG_WARN([
+----------------------------------------------------------------------
+ Cannot find OpenSAML libraries, building without OpenSAML support.
+
+ Please install OpenSAML or specify installation directory with
+ --with-opensaml=(dir).
+----------------------------------------------------------------------
+])
+else
+ printf "OpenSAML found in $opensamldir\n";
+ OPENSAML_LIBS="-lsaml -lxml-security-c -lxmltooling -lxerces-c";
+ OPENSAML_LDFLAGS="-L$opensamldir/lib";
+ AC_SUBST(OPENSAML_CXXFLAGS)
+ AC_SUBST(OPENSAML_LDFLAGS)
+ AC_SUBST(OPENSAML_LIBS)
+ AC_DEFINE_UNQUOTED([HAVE_OPENSAML], 1, [Define is OpenSAML is available])
+fi
fi
])dnl
AC_SUBST(JANSSON_LIBS)
fi
])dnl
+
+AC_DEFUN([AX_CHECK_LIBMOONSHOT],
+[AC_MSG_CHECKING(for Moonshot identity selector implementation)
+LIBMOONSHOT_DIR=
+LIBMOONSHOT_CFLAGS=
+LIBMOONSHOT_LDFLAGS=
+LIBMOONSHOT_LIBS=
+found_libmoonshot="no"
+AC_ARG_WITH(libmoonshot,
+ AC_HELP_STRING([--with-libmoonshot],
+ [Use libmoonshot (in specified installation directory)]),
+ [check_libmoonshot_dir="$withval"],
+ [check_libmoonshot_dir=])
+for dir in $check_libmoonshot_dir $prefix /usr /usr/local ; do
+ libmoonshotdir="$dir"
+ if test -f "$dir/include/libmoonshot.h"; then
+ found_libmoonshot="yes";
+ LIBMOONSHOT_DIR="${libmoonshotdir}"
+ LIBMOONSHOT_CFLAGS="-I$libmoonshotdir/include";
+ break;
+ fi
+done
+AC_MSG_RESULT($found_libmoonshot)
+if test x_$found_libmoonshot = x_yes; then
+ printf "libmoonshot found in $libmoonshotdir\n";
+ LIBMOONSHOT_LIBS="-lmoonshot";
+ LIBMOONSHOT_LDFLAGS="-L$libmoonshot/lib";
+ AC_CHECK_LIB(moonshot, moonshot_get_identity, [AC_DEFINE_UNQUOTED([HAVE_MOONSHOT_GET_IDENTITY], 1, [Define if Moonshot identity selector is available])], [], "$LIBMOONSHOT_LIBS")
+fi
+ AC_SUBST(LIBMOONSHOT_CFLAGS)
+ AC_SUBST(LIBMOONSHOT_LDFLAGS)
+ AC_SUBST(LIBMOONSHOT_LIBS)
+ AM_CONDITIONAL(LIBMOONSHOT, test "x$found_libmoonshot" != "xno")
+])dnl
+
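Review bot: `LIBMOONSHOT_LDFLAGS="-L$libmoonshot/lib"` references an undefined variable, so the substituted flag is `-L/lib` instead of the directory that was actually found; the loop variable is `$libmoonshotdir`. The AC_CHECK_LIB probe on the next line also runs before those LDFLAGS are applied, so it can only succeed when libmoonshot already sits on the default linker path, and `HAVE_MOONSHOT_GET_IDENTITY` is then silently left undefined for any `--with-libmoonshot=DIR` install, even though the `LIBMOONSHOT` conditional at the end of the macro is still set from the header test alone. The fix corrects the variable and brackets the link test with the library path; the AC_SUBST and AM_CONDITIONAL lines are unchanged (they would also read better at the macro's column 0 like the rest of the file).
```m4
if test x_$found_libmoonshot = x_yes; then
  printf "libmoonshot found in $libmoonshotdir\n";
  LIBMOONSHOT_LIBS="-lmoonshot";
  LIBMOONSHOT_LDFLAGS="-L$libmoonshotdir/lib";
  dnl the link test must see the -L path, otherwise it only passes for default locations
  save_LDFLAGS="$LDFLAGS"
  LDFLAGS="$LDFLAGS $LIBMOONSHOT_LDFLAGS"
  AC_CHECK_LIB(moonshot, moonshot_get_identity, [AC_DEFINE_UNQUOTED([HAVE_MOONSHOT_GET_IDENTITY], 1, [Define if Moonshot identity selector is available])], [], "$LIBMOONSHOT_LIBS")
  LDFLAGS="$save_LDFLAGS"
fi
dnl … unchanged: AC_SUBST(LIBMOONSHOT_*) and AM_CONDITIONAL(LIBMOONSHOT, …) …
```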
--- /dev/null
+#! /bin/sh
+# Wrapper for compilers which do not understand `-c -o'.
+
+scriptversion=2009-10-06.20; # UTC
+
+# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software
+# Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+case $1 in
+ '')
+ echo "$0: No command. Try \`$0 --help' for more information." 1>&2
+ exit 1;
+ ;;
+ -h | --h*)
+ cat <<\EOF
+Usage: compile [--help] [--version] PROGRAM [ARGS]
+
+Wrapper for compilers which do not understand `-c -o'.
+Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
+arguments, and rename the output as expected.
+
+If you are trying to build a whole package this is not the
+right script to run: please start by reading the file `INSTALL'.
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+ exit $?
+ ;;
+ -v | --v*)
+ echo "compile $scriptversion"
+ exit $?
+ ;;
+esac
+
+ofile=
+cfile=
+eat=
+
+for arg
+do
+ if test -n "$eat"; then
+ eat=
+ else
+ case $1 in
+ -o)
+ # configure might choose to run compile as `compile cc -o foo foo.c'.
+ # So we strip `-o arg' only if arg is an object.
+ eat=1
+ case $2 in
+ *.o | *.obj)
+ ofile=$2
+ ;;
+ *)
+ set x "$@" -o "$2"
+ shift
+ ;;
+ esac
+ ;;
+ *.c)
+ cfile=$1
+ set x "$@" "$1"
+ shift
+ ;;
+ *)
+ set x "$@" "$1"
+ shift
+ ;;
+ esac
+ fi
+ shift
+done
+
+if test -z "$ofile" || test -z "$cfile"; then
+ # If no `-o' option was seen then we might have been invoked from a
+ # pattern rule where we don't need one. That is ok -- this is a
+ # normal compilation that the losing compiler can handle. If no
+ # `.c' file was seen then we are probably linking. That is also
+ # ok.
+ exec "$@"
+fi
+
+# Name of file we expect compiler to create.
+cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
+
+# Create the lock directory.
+# Note: use `[/\\:.-]' here to ensure that we don't use the same name
+# that we are using for the .o file. Also, base the name on the expected
+# object file name, since that is what matters with a parallel build.
+lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
+while true; do
+ if mkdir "$lockdir" >/dev/null 2>&1; then
+ break
+ fi
+ sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir '$lockdir'; exit 1" 1 2 15
+
+# Run the compile.
+"$@"
+ret=$?
+
+if test -f "$cofile"; then
+ test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
+elif test -f "${cofile}bj"; then
+ test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
+fi
+
+rmdir "$lockdir"
+exit $ret
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:
AC_PREREQ([2.61])
AC_INIT([mech_eap], [0.1], [bugs@project-moonshot.org])
-dnl AC_CONFIG_MACRO_DIR([m4])
+AC_CONFIG_MACRO_DIR([m4])
+AC_CONFIG_AUX_DIR([build-aux])
+
dnl AM_INIT_AUTOMAKE([silent-rules])
+AC_USE_SYSTEM_EXTENSIONS
AM_INIT_AUTOMAKE
+AM_PROG_CC_C_O
+AM_MAINTAINER_MODE()
LT_PREREQ([2.2])
-LT_INIT([dlopen disable-static])
+LT_INIT([dlopen disable-static win32-dll])
-AC_PROG_CC
+dnl AC_PROG_CC
AC_PROG_CXX
AC_CONFIG_HEADERS([config.h])
-AC_GNU_SOURCE
+AC_CHECK_HEADERS(stdarg.h stdio.h stdint.h sys/param.h)
+AC_REPLACE_FUNCS(vasprintf)
dnl Check if we're on Solaris and set CFLAGS accordingly
dnl AC_CANONICAL_TARGET
fi
AM_CONDITIONAL(GSSEAP_ENABLE_REAUTH, test "x$reauth" != "xno")
+acceptor=yes
+AC_ARG_ENABLE(acceptor,
+ [ --enable-acceptor whether to enable acceptor codepaths: yes/no; default yes ],
+ [ if test "x$enableval" = "xyes" -o "x$enableval" = "xno" ; then
+ acceptor=$enableval
+ else
+ echo "--enable-acceptor argument must be yes or no"
+ exit -1
+ fi
+ ])
+
+if test "x$acceptor" = "xyes" ; then
+ echo "acceptor enabled"
+ TARGET_CFLAGS="$TARGET_CFLAGS -DGSSEAP_ENABLE_ACCEPTOR"
+fi
+AM_CONDITIONAL(GSSEAP_ENABLE_ACCEPTOR, test "x$acceptor" != "xno")
+
AC_SUBST(TARGET_CFLAGS)
AC_SUBST(TARGET_LDFLAGS)
+AX_CHECK_WINDOWS
AX_CHECK_KRB5
-dnl AX_CHECK_EAP
-AX_CHECK_SHIBSP
+AX_CHECK_OPENSAML
+AM_CONDITIONAL(OPENSAML, test "x_$check_opensaml_dir" != "x_no")
+
AX_CHECK_SHIBRESOLVER
-AX_CHECK_RADSEC
-AX_CHECK_JANSSON
-AC_CONFIG_FILES([Makefile libeap/Makefile mech_eap/Makefile])
+AM_CONDITIONAL(SHIBRESOLVER, test "x_$check_shibresolver_dir" != "x_no")
+if test x_$found_shibresolver = x_yes; then
+ AX_CHECK_SHIBSP
+fi
+
+if test "x$acceptor" = "xyes" ; then
+ AX_CHECK_RADSEC
+ AX_CHECK_JANSSON
+fi
+
+AX_CHECK_LIBMOONSHOT
+AC_CONFIG_FILES([Makefile libeap/Makefile mech_eap/Makefile
+ mech_eap.spec])
AC_OUTPUT
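Review bot: The new `OPENSAML` and `SHIBRESOLVER` Automake conditionals test whether `--without-*` was passed (`$check_opensaml_dir`, `$check_shibresolver_dir`), not whether the library was found, and since both detection macros now only AC_MSG_WARN when the headers are missing, a default configure on a host without OpenSAML leaves the conditional true and the Makefile then compiles `util_saml.cpp` / `util_shib.cpp` without the headers (unless those sources are guarded internally, which this hunk does not show). The shibsp check a few lines later already keys on `$found_shibresolver`, so the same should be done here: `AM_CONDITIONAL(OPENSAML, test "x_$found_opensaml" = "x_yes")` and `AM_CONDITIONAL(SHIBRESOLVER, test "x_$found_shibresolver" = "x_yes")`. Separately, the `--enable-acceptor` validation uses `echo` plus `exit -1`, which prints to stdout, yields status 255 and leaves no trace in config.log; `AC_MSG_ERROR([--enable-acceptor argument must be yes or no])` is the conventional form.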
-Subproject commit a7cc9675085b48b8933a96c32bd1e772e1c7a565
+Subproject commit 2ded56e2cb1ff52d09602073f8daf2b6df7482ba
--- /dev/null
+## -*- Autoconf -*-
+# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005, 2008
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 6
+
+# AM_PROG_CC_C_O
+# --------------
+# Like AC_PROG_CC_C_O, but changed for automake.
+AC_DEFUN([AM_PROG_CC_C_O],
+[AC_REQUIRE([AC_PROG_CC_C_O])dnl
+AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+AC_REQUIRE_AUX_FILE([compile])dnl
+# FIXME: we rely on the cache variable name because
+# there is no other way.
+set dummy $CC
+am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
+eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
+if test "$am_t" != yes; then
+ # Losing compiler, so override with the script.
+ # FIXME: It is wrong to rewrite CC.
+ # But if we don't then we get into trouble of one sort or another.
+ # A longer-term fix would be to have automake use am__CC in this case,
+ # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+ CC="$am_aux_dir/compile $CC"
+fi
+dnl Make sure AC_PROG_CC is never called again, or it will override our
+dnl setting of CC.
+m4_define([AC_PROG_CC],
+ [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
+])
--- /dev/null
+%global _moonshot_krb5 %{!?_moonshot_krb5:krb5-devel}%{?_moonshot_krb5}
+Name: moonshot-gss-eap
+Version: @VERSION@
+Release: 3%{?dist}
+Summary: Moonshot GSS-API Mechanism
+
+Group: Security Tools
+License: BSD
+URL: http://www.project-moonshot.org/
+Source0: mech_eap-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+BuildRequires: %{_moonshot_krb5} >= 1.9.1
+BuildRequires: moonshot-ui-devel
+BuildRequires: jansson-devel
+Requires: moonshot-ui
+BuildRequires: libradsec-devel
+BuildRequires: shibboleth-devel >= 2.5
+BuildRequires: libshibresolver-devel
+
+
+
+%description
+Project Moonshot provides federated access management.
+
+
+%prep
+%setup -q -n mech_eap-%{version}
+
+
+%build
+ export LDFLAGS='-L/usr/%{_lib}/freeradius -Wl,--rpath=/usr/%{_lib}/freeradius'
+%configure --with-libmoonshot=%{_prefix} --with-krb5=%{_prefix} --disable-reauth
+make %{?_smp_mflags}
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%files
+%defattr(-,root,root,-)
+%doc mech_eap/README
+%doc mech_eap/LICENSE
+%doc mech_eap/AUTHORS
+%{_libdir}/gss/mech_eap.so
+%exclude %{_libdir}/gss/mech_eap.la
+%{_includedir}/gssapi/*.h
+#%exclude %{_libdir}/krb5/plugins/authdata/*la
+#%{_libdir}/krb5/plugins/authdata/*.so
+
+
+
+%changelog
+* Wed Sep 28 2011 <hartmans@moonbuildcentos.dev.ja.net> - @VERSION@-2
+- Add radius_ad plugin
+
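Review bot: The `%files` section claims `%{_includedir}/gssapi/*.h` although the only header this package installs is `gssapi_eap.h` (per `gssinclude_HEADERS` in mech_eap/Makefile.am), so any other header that lands in that directory during the build would be packaged silently and could conflict with the krb5-devel files that own `gssapi/gssapi.h`; pin it as `%{_includedir}/gssapi/gssapi_eap.h`. `Release:` is `3%{?dist}` but the newest `%changelog` entry is `@VERSION@-2`, so the bump has no record of what changed. Stylistically, the lone `Requires: moonshot-ui` sits in the middle of the `BuildRequires:` list and the two commented-out `%files` entries for the authdata plugin should either be restored or removed rather than left as archaeology.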
AUTOMAKE_OPTIONS = foreign
+EXTRA_DIST = gsseap_err.et radsec_err.et \
+ mech_eap.exports mech_eap-noacceptor.exports radius_ad.exports \
+ LICENSE AUTHORS
+
+
gssincludedir = $(includedir)/gssapi
gssinclude_HEADERS = gssapi_eap.h
EAP_CFLAGS = -I$(srcdir)/../libeap/src -I$(srcdir)/../libeap/src/common -I$(srcdir)/../libeap/src/eap_common \
- -I$(srcdir)/../libeap/src/utils \
- -DEAP_TLS -DEAP_PEAP -DEAP_TTLS -DEAP_MD5 -DEAP_MSCHAPv2 -DEAP_GTC -DEAP_OTP -DEAP_LEAP -DEAP_PSK -DEAP_PAX -DEAP_SAKE -DEAP_GPSK -DEAP_GPSK_SHA256 -DEAP_SERVER_IDENTITY -DEAP_SERVER_TLS -DEAP_SERVER_PEAP -DEAP_SERVER_TTLS -DEAP_SERVER_MD5 -DEAP_SERVER_MSCHAPV2 -DEAP_SERVER_GTC -DEAP_SERVER_PSK -DEAP_SERVER_PAX -DEAP_SERVER_SAKE -DEAP_SERVER_GPSK -DEAP_SERVER_GPSK_SHA256 -DIEEE8021X_EAPOL
+ -I$(srcdir)/../libeap/src/utils
+
+if GSSEAP_ENABLE_ACCEPTOR
+GSSEAP_EXPORTS = mech_eap.exports
+else
+GSSEAP_EXPORTS = mech_eap-noacceptor.exports
+endif
gssdir = $(libdir)/gss
gss_LTLIBRARIES = mech_eap.la
+if TARGET_WINDOWS
+EAP_CFLAGS += -DCONFIG_WIN32_DEFAULTS -DUSE_INTERNAL_CRYPTO
+OS_LIBS = -lshell32 -ladvapi32 -lws2_32 -lcomerr32
+mech_eap_la_CFLAGS = -Zi
+mech_eap_la_CXXFLAGS = -Zi
+else
+EAP_CFLAGS += -DEAP_TLS -DEAP_PEAP -DEAP_TTLS -DEAP_MD5 -DEAP_MSCHAPv2 -DEAP_GTC -DEAP_OTP -DEAP_LEAP -DEAP_PSK -DEAP_PAX -DEAP_SAKE -DEAP_GPSK -DEAP_GPSK_SHA256 -DEAP_SERVER_IDENTITY -DEAP_SERVER_TLS -DEAP_SERVER_PEAP -DEAP_SERVER_TTLS -DEAP_SERVER_MD5 -DEAP_SERVER_MSCHAPV2 -DEAP_SERVER_GTC -DEAP_SERVER_PSK -DEAP_SERVER_PAX -DEAP_SERVER_SAKE -DEAP_SERVER_GPSK -DEAP_SERVER_GPSK_SHA256 -DIEEE8021X_EAPOL
+OS_LIBS =
+mech_eap_la_CFLAGS = -Werror -Wall -Wunused-parameter
+mech_eap_la_CXXFLAGS = -Werror -Wall -Wunused-parameter
+endif
+mech_eap_la_DEPENDENCIES = $(GSSEAP_EXPORTS)
+
mech_eap_la_CPPFLAGS = -DBUILD_GSSEAP_LIB -DSYSCONFDIR=\"${sysconfdir}\" -DDATAROOTDIR=\"${datarootdir}\"
-mech_eap_la_CFLAGS = -Werror -Wall -Wunused-parameter \
- @KRB5_CFLAGS@ @RADSEC_CFLAGS@ @TARGET_CFLAGS@ $(EAP_CFLAGS)
-mech_eap_la_CXXFLAGS = -Werror -Wall -Wunused-parameter \
- @KRB5_CFLAGS@ @RADSEC_CFLAGS@ \
- @SHIBRESOLVER_CXXFLAGS@ @SHIBSP_CXXFLAGS@ @TARGET_CFLAGS@ $(EAP_CFLAGS)
+mech_eap_la_CFLAGS += \
+ @KRB5_CFLAGS@ @RADSEC_CFLAGS@ @TARGET_CFLAGS@ $(EAP_CFLAGS)
+mech_eap_la_CXXFLAGS += \
+ @KRB5_CFLAGS@ @RADSEC_CFLAGS@ \
+ @OPENSAML_CXXFLAGS@ @SHIBRESOLVER_CXXFLAGS@ @SHIBSP_CXXFLAGS@ \
+ @TARGET_CFLAGS@ $(EAP_CFLAGS)
mech_eap_la_LDFLAGS = -avoid-version -module \
- -export-symbols mech_eap.exports -no-undefined \
- @RADSEC_LDFLAGS@ @TARGET_LDFLAGS@
-mech_eap_la_LIBADD = @KRB5_LIBS@ ../libeap/libeap.la @RADSEC_LIBS@ \
- @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@
+ -export-symbols $(GSSEAP_EXPORTS) -no-undefined \
+ @KRB5_LDFLAGS@ @RADSEC_LDFLAGS@ @TARGET_LDFLAGS@
+if TARGET_WINDOWS
+mech_eap_la_LDFLAGS += -debug
+endif
+mech_eap_la_LIBADD = @KRB5_LIBS@ ../libeap/libeap.la @RADSEC_LIBS@ \
+ @OPENSAML_LIBS@ @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@
mech_eap_la_SOURCES = \
- accept_sec_context.c \
acquire_cred.c \
acquire_cred_with_password.c \
add_cred.c \
canonicalize_name.c \
compare_name.c \
context_time.c \
- delete_name_attribute.c \
delete_sec_context.c \
display_name.c \
display_name_ext.c \
display_status.c \
duplicate_name.c \
eap_mech.c \
+ exchange_meta_data.c \
export_name.c \
- export_name_composite.c \
export_sec_context.c \
get_mic.c \
- get_name_attribute.c \
gsseap_err.c \
import_name.c \
import_sec_context.c \
inquire_cred_by_oid.c \
inquire_mech_for_saslname.c \
inquire_mechs_for_name.c \
- inquire_name.c \
inquire_names_for_mech.c \
inquire_saslname_for_mech.c \
inquire_sec_context_by_oid.c \
- map_name_to_any.c \
process_context_token.c \
pseudo_random.c \
+ query_mechanism_info.c \
+ query_meta_data.c \
radsec_err.c \
- release_any_name_mapping.c \
release_cred.c \
release_name.c \
release_oid.c \
- set_name_attribute.c \
set_cred_option.c \
set_sec_context_option.c \
store_cred.c \
unwrap.c \
unwrap_iov.c \
- util_attr.cpp \
- util_base64.c \
util_buffer.c \
util_context.c \
util_cksum.c \
util_cred.c \
util_crypt.c \
- util_json.cpp \
util_krb.c \
util_lucid.c \
util_mech.c \
util_name.c \
util_oid.c \
util_ordering.c \
- util_radius.cpp \
- util_saml.cpp \
- util_shib.cpp \
util_sm.c \
+ util_tld.c \
util_token.c \
verify_mic.c \
wrap.c \
wrap_iov.c \
wrap_iov_length.c \
- wrap_size_limit.c
+ wrap_size_limit.c \
+ gssapiP_eap.h \
+ util_attr.h \
+ util_base64.h \
+ util.h \
+ util_json.h \
+ util_radius.h \
+ util_reauth.h \
+ util_saml.h \
+ util_shib.h
+
+if LIBMOONSHOT
+mech_eap_la_SOURCES += util_moonshot.c
+mech_eap_la_CFLAGS += @LIBMOONSHOT_CFLAGS@
+mech_eap_la_LDFLAGS += @LIBMOONSHOT_LDFLAGS@
+mech_eap_la_LIBADD += @LIBMOONSHOT_LIBS@
+endif
-BUILT_SOURCES = gsseap_err.c radsec_err.c
-if GSSEAP_ENABLE_REAUTH
-mech_eap_la_SOURCES += util_reauth.c
+if GSSEAP_ENABLE_ACCEPTOR
+
+mech_eap_la_SOURCES += \
+ accept_sec_context.c \
+ delete_name_attribute.c \
+ export_name_composite.c \
+ get_name_attribute.c \
+ inquire_name.c \
+ map_name_to_any.c \
+ release_any_name_mapping.c \
+ set_name_attribute.c \
+ util_attr.cpp \
+ util_base64.c \
+ util_json.cpp \
+ util_radius.cpp
+
+if OPENSAML
+mech_eap_la_SOURCES += util_saml.cpp
+endif
+if SHIBRESOLVER
+mech_eap_la_SOURCES += util_shib.cpp
+endif
+endif
+
+BUILT_SOURCES = gsseap_err.c radsec_err.c gsseap_err.h radsec_err.h
+
+if GSSEAP_ENABLE_REAUTH
+mech_eap_la_SOURCES += util_reauth.c
if !HEIMDAL
krb5pluginsdir = $(libdir)/krb5/plugins/authdata
radius_ad_la_LDFLAGS = -avoid-version -module \
-export-symbols radius_ad.exports -no-undefined
radius_ad_la_LIBADD = @KRB5_LIBS@
-radius_ad_la_SOURCES = util_adshim.c
+radius_ad_la_SOURCES = util_adshim.c authdata_plugin.h
endif
endif
clean-generic:
rm -f gsseap_err.[ch] radsec_err.[ch]
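Review bot: `OS_LIBS` is defined in both arms of the `TARGET_WINDOWS` block (`-lshell32 -ladvapi32 -lws2_32 -lcomerr32` on Windows, empty otherwise) but is never consumed by the `mech_eap_la_LIBADD` rewritten in this hunk, so as far as the visible lines show the Windows link never receives those libraries; add `$(OS_LIBS)` to `mech_eap_la_LIBADD` unless it is picked up somewhere outside the hunk. A one-line comment above the block saying why `-Werror` is dropped and `-Zi` is used for the Windows toolchain would also help the next reader, since the two arms otherwise look like an accidental divergence.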
-
- integration with initiator-side EAP channel bindings
-- integration with final supplicant architecture
-- test Heimdal port
-
-- fix ABNF: no slash in the case where there is no host
+- investigate initiator-side credential locking
- always intern OIDs so they never need to be freed
-
-- handle many-to-many Shibboleth attribute mappings; need to encode
- both attribute and value index into more
+- handle many-to-many Shibboleth attribute mappings; need to encode both attribute and value index into more
- add --with-xerces option
-- proper acquire_cred_ext implementation
-- MIC on flags token (merge ext-mic branch)
+- proper acquire_cred_ext implementation pending specification
krb5_principal krbPrinc;
struct rs_context *rc = ctx->acceptorCtx.radContext;
- assert(rc != NULL);
+ GSSEAP_ASSERT(rc != NULL);
if (ctx->acceptorName == GSS_C_NO_NAME) {
*minor = 0;
GSSEAP_KRB_INIT(&krbContext);
krbPrinc = ctx->acceptorName->krbPrincipal;
- assert(krbPrinc != NULL);
- assert(KRB_PRINC_LENGTH(krbPrinc) >= 2);
+ GSSEAP_ASSERT(krbPrinc != NULL);
+ GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc) >= 2);
/* Acceptor-Service-Name */
krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf);
gss_ctx_id_t ctx)
{
struct gss_eap_acceptor_ctx *actx = &ctx->acceptorCtx;
- const char *configFile = RS_CONFIG_FILE;
- const char *configStanza = "gss-eap";
- struct rs_alloc_scheme ralloc;
struct rs_error *err;
+ const char *configStanza = "gss-eap";
+ OM_uint32 major;
- assert(actx->radContext == NULL);
- assert(actx->radConn == NULL);
-
- if (rs_context_create(&actx->radContext) != 0) {
- *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
- return GSS_S_FAILURE;
- }
-
- if (cred->radiusConfigFile != NULL)
- configFile = cred->radiusConfigFile;
- if (cred->radiusConfigStanza != NULL)
- configStanza = cred->radiusConfigStanza;
-
- ralloc.calloc = GSSEAP_CALLOC;
- ralloc.malloc = GSSEAP_MALLOC;
- ralloc.free = GSSEAP_FREE;
- ralloc.realloc = GSSEAP_REALLOC;
-
- rs_context_set_alloc_scheme(actx->radContext, &ralloc);
+ GSSEAP_ASSERT(actx->radContext == NULL);
+ GSSEAP_ASSERT(actx->radConn == NULL);
+ GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
- if (rs_context_read_config(actx->radContext, configFile) != 0) {
- err = rs_err_ctx_pop(actx->radContext);
- goto fail;
- }
+ major = gssEapCreateRadiusContext(minor, cred, &actx->radContext);
+ if (GSS_ERROR(major))
+ return major;
- if (rs_context_init_freeradius_dict(actx->radContext, NULL) != 0) {
- err = rs_err_ctx_pop(actx->radContext);
- goto fail;
- }
+ if (cred->radiusConfigStanza.value != NULL)
+ configStanza = (const char *)cred->radiusConfigStanza.value;
if (rs_conn_create(actx->radContext, &actx->radConn, configStanza) != 0) {
err = rs_err_conn_pop(actx->radConn);
- goto fail;
+ return gssEapRadiusMapError(minor, err);
}
if (actx->radServer != NULL) {
if (rs_conn_select_peer(actx->radConn, actx->radServer) != 0) {
err = rs_err_conn_pop(actx->radConn);
- goto fail;
+ return gssEapRadiusMapError(minor, err);
}
}
*minor = 0;
return GSS_S_COMPLETE;
-
-fail:
- return gssEapRadiusMapError(minor, err);
}
/*
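Review bot: `configStanza = (const char *)cred->radiusConfigStanza.value` (L1433-1434) hands a `gss_buffer_desc` payload to `rs_conn_create()` as a C string, and nothing in the hunk guarantees that the buffer is NUL-terminated. The old `char *` field carried that guarantee implicitly; if the new setter (outside this view) does not always append a terminator, the stanza lookup reads past `radiusConfigStanza.length`. Either document the invariant at the field declaration, e.g. `gss_buffer_desc radiusConfigStanza; /* NUL-terminated, see setter */`, or copy the value into a terminated temporary before the call; `radiusConfigFile` deserves the same check inside `gssEapCreateRadiusContext()`. The enclosing function's signature begins above the hunk.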
goto cleanup;
}
- assert(resp != NULL);
+ GSSEAP_ASSERT(resp != NULL);
frresp = rs_packet_frpkt(resp);
switch (frresp->code) {
if (resp != NULL)
rs_packet_destroy(resp);
if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIATOR_EXTS) {
- assert(major == GSS_S_CONTINUE_NEEDED);
+ GSSEAP_ASSERT(major == GSS_S_CONTINUE_NEEDED);
rs_conn_destroy(ctx->acceptorCtx.radConn);
ctx->acceptorCtx.radConn = NULL;
unsigned char *p;
OM_uint32 initiatorGssFlags;
- assert((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0);
+ GSSEAP_ASSERT((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0);
if (inputToken->length < 4) {
*minor = GSSEAP_TOK_TRUNC;
};
OM_uint32
-gss_accept_sec_context(OM_uint32 *minor,
- gss_ctx_id_t *context_handle,
+gssEapAcceptSecContext(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
gss_cred_id_t cred,
gss_buffer_t input_token,
gss_channel_bindings_t input_chan_bindings,
gss_cred_id_t *delegated_cred_handle)
{
OM_uint32 major, tmpMinor;
- gss_ctx_id_t ctx = *context_handle;
-
- *minor = 0;
-
- output_token->length = 0;
- output_token->value = NULL;
-
- if (src_name != NULL)
- *src_name = GSS_C_NO_NAME;
-
- if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
- *minor = GSSEAP_TOK_TRUNC;
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- if (ctx == GSS_C_NO_CONTEXT) {
- major = gssEapAllocContext(minor, &ctx);
- if (GSS_ERROR(major))
- return major;
-
- *context_handle = ctx;
- }
-
- GSSEAP_MUTEX_LOCK(&ctx->mutex);
if (cred == GSS_C_NO_CREDENTIAL) {
- if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) {
+ if (ctx->cred == GSS_C_NO_CREDENTIAL) {
major = gssEapAcquireCred(minor,
GSS_C_NO_NAME,
- GSS_C_NO_BUFFER,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_ACCEPT,
- &ctx->defaultCred,
+ &ctx->cred,
NULL,
NULL);
if (GSS_ERROR(major))
goto cleanup;
}
- cred = ctx->defaultCred;
+ cred = ctx->cred;
}
- GSSEAP_MUTEX_LOCK(&cred->mutex);
+ /*
+ * Previously we acquired the credential mutex here, but it should not be
+ * necessary as the acceptor does not access any mutable elements of the
+ * credential handle.
+ */
- if (cred->name != GSS_C_NO_NAME) {
- major = gssEapDuplicateName(minor, cred->name, &ctx->acceptorName);
- if (GSS_ERROR(major))
- goto cleanup;
- }
+ /*
+ * Calling gssEapInquireCred() forces the default acceptor credential name
+ * to be resolved.
+ */
+ major = gssEapInquireCred(minor, cred, &ctx->acceptorName, NULL, NULL, NULL);
+ if (GSS_ERROR(major))
+ goto cleanup;
major = gssEapSmStep(minor,
cred,
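Review bot: The new comment at L1529-1533 justifies dropping `GSSEAP_MUTEX_LOCK(&cred->mutex)` on the grounds that the acceptor touches no mutable credential state, yet the call that follows, `gssEapInquireCred()`, is described at L1539-1542 as forcing the default acceptor credential name to be resolved, which is a write to the credential if it stores the resolved name (cf. the new `CRED_FLAG_RESOLVED` elsewhere in this patch). If that resolution mutates `cred`, two concurrent `gss_accept_sec_context()` calls sharing one credential race on it; either `gssEapInquireCred()` must take `cred->mutex` itself, or the comment should say so explicitly, e.g. `/* gssEapInquireCred() takes cred->mutex while resolving the name */`. The enclosing function `gssEapAcceptSecContext` continues past the hunk.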
}
}
- assert(CTX_IS_ESTABLISHED(ctx) || major == GSS_S_CONTINUE_NEEDED);
+ GSSEAP_ASSERT(CTX_IS_ESTABLISHED(ctx) || major == GSS_S_CONTINUE_NEEDED);
cleanup:
- if (cred != GSS_C_NO_CREDENTIAL)
- GSSEAP_MUTEX_UNLOCK(&cred->mutex);
- GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
-
- if (GSS_ERROR(major))
- gssEapReleaseContext(&tmpMinor, context_handle);
-
return major;
}
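Review bot: With `gssEapReleaseContext(&tmpMinor, context_handle)` moved out of this function, `tmpMinor` (declared at L1484 as `OM_uint32 major, tmpMinor;`) appears to have lost its only use in gssEapAcceptSecContext. If no other call in the part of the body outside the hunk uses it, the declaration should become `OM_uint32 major;` to avoid an unused-variable warning. The function starts above this hunk.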
return major;
}
#endif /* GSSEAP_ENABLE_REAUTH */
+
+OM_uint32 GSSAPI_CALLCONV
+gss_accept_sec_context(OM_uint32 *minor,
+ gss_ctx_id_t *context_handle,
+ gss_cred_id_t cred,
+ gss_buffer_t input_token,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_name_t *src_name,
+ gss_OID *mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ gss_cred_id_t *delegated_cred_handle)
+{
+ OM_uint32 major, tmpMinor;
+ gss_ctx_id_t ctx = *context_handle;
+
+ *minor = 0;
+
+ output_token->length = 0;
+ output_token->value = NULL;
+
+ if (src_name != NULL)
+ *src_name = GSS_C_NO_NAME;
+
+ if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
+ *minor = GSSEAP_TOK_TRUNC;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ if (ctx == GSS_C_NO_CONTEXT) {
+ major = gssEapAllocContext(minor, &ctx);
+ if (GSS_ERROR(major))
+ return major;
+
+ *context_handle = ctx;
+ }
+
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ major = gssEapAcceptSecContext(minor,
+ ctx,
+ cred,
+ input_token,
+ input_chan_bindings,
+ src_name,
+ mech_type,
+ output_token,
+ ret_flags,
+ time_rec,
+ delegated_cred_handle);
+
+ GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+
+ if (GSS_ERROR(major))
+ gssEapReleaseContext(&tmpMinor, context_handle);
+
+ return major;
+}
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_acquire_cred(OM_uint32 *minor,
gss_name_t desired_name,
OM_uint32 time_req,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- return gssEapAcquireCred(minor, desired_name, GSS_C_NO_BUFFER,
+ return gssEapAcquireCred(minor, desired_name,
time_req, desired_mechs, cred_usage,
output_cred_handle, actual_mechs, time_rec);
}
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gssspi_acquire_cred_with_password(OM_uint32 *minor,
const gss_name_t desired_name,
const gss_buffer_t password,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- return gssEapAcquireCred(minor, desired_name, password,
- time_req, desired_mechs, cred_usage,
- output_cred_handle, actual_mechs, time_rec);
+ OM_uint32 major, tmpMinor;
+
+ major = gssEapAcquireCred(minor, desired_name,
+ time_req, desired_mechs, cred_usage,
+ output_cred_handle, actual_mechs, time_rec);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = gssEapSetCredPassword(minor, *output_cred_handle, password);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+cleanup:
+ if (GSS_ERROR(major))
+ gssEapReleaseCred(&tmpMinor, output_cred_handle);
+
+ return major;
}
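Review bot: The second `goto cleanup` at L1659-1660 jumps to a label on the very next line, so it is dead control flow; `major = gssEapSetCredPassword(minor, *output_cred_handle, password);` can fall straight into `cleanup:`. gss_add_cred_with_password (L1704-1709) is different because statements sit between the check and the label. The error path itself is sound: a credential whose password could not be attached is released rather than returned half-initialised.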
* apart from the mechanism glue layer. However, Heimdal does call into the
* mechanism here.
*/
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_add_cred(OM_uint32 *minor,
gss_cred_id_t input_cred_handle GSSEAP_UNUSED,
gss_name_t desired_name,
major = gssEapAcquireCred(minor,
desired_name,
- GSS_C_NO_BUFFER,
time_req,
&mechs,
cred_usage,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_add_cred_with_password(OM_uint32 *minor,
const gss_cred_id_t input_cred_handle GSSEAP_UNUSED,
const gss_name_t desired_name,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
- OM_uint32 major;
+ OM_uint32 major, tmpMinor;
OM_uint32 time_req, time_rec = 0;
gss_OID_set_desc mechs;
major = gssEapAcquireCred(minor,
desired_name,
- password,
time_req,
&mechs,
cred_usage,
output_cred_handle,
actual_mechs,
&time_rec);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = gssEapSetCredPassword(minor, *output_cred_handle, password);
+ if (GSS_ERROR(major))
+ goto cleanup;
if (initiator_time_rec != NULL)
*initiator_time_rec = time_rec;
if (acceptor_time_rec != NULL)
*acceptor_time_rec = time_rec;
+cleanup:
+ if (GSS_ERROR(major))
+ gssEapReleaseCred(&tmpMinor, output_cred_handle);
+
return major;
}
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gssspi_authorize_localname(OM_uint32 *minor,
const gss_name_t name GSSEAP_UNUSED,
gss_const_buffer_t local_user GSSEAP_UNUSED,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_canonicalize_name(OM_uint32 *minor,
const gss_name_t input_name,
const gss_OID mech_type,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_compare_name(OM_uint32 *minor,
gss_name_t name1,
gss_name_t name2,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_context_time(OM_uint32 *minor,
gss_ctx_id_t ctx,
OM_uint32 *time_rec)
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_delete_name_attribute(OM_uint32 *minor,
gss_name_t name,
gss_buffer_t attr)
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_delete_sec_context(OM_uint32 *minor,
gss_ctx_id_t *context_handle,
gss_buffer_t output_token)
iov[1].buffer.value = NULL;
iov[1].buffer.length = 0;
- major = gssEapWrapOrGetMIC(minor, ctx, FALSE, FALSE,
+ major = gssEapWrapOrGetMIC(minor, ctx, FALSE, NULL,
iov, 2, TOK_TYPE_DELETE_CONTEXT);
if (GSS_ERROR(major)) {
GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_display_name(OM_uint32 *minor,
gss_name_t name,
gss_buffer_t output_name_buffer,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_display_name_ext(OM_uint32 *minor,
gss_name_t name GSSEAP_UNUSED,
gss_OID display_as_name_type GSSEAP_UNUSED,
#include "gssapiP_eap.h"
-static GSSEAP_THREAD_ONCE gssEapStatusInfoKeyOnce = GSSEAP_ONCE_INITIALIZER;
-static GSSEAP_THREAD_KEY gssEapStatusInfoKey;
-
struct gss_eap_status_info {
OM_uint32 code;
char *message;
struct gss_eap_status_info *next;
};
-static void
-destroyStatusInfo(void *arg)
+void
+gssEapDestroyStatusInfo(struct gss_eap_status_info *p)
{
- struct gss_eap_status_info *p = arg, *next;
+ struct gss_eap_status_info *next;
- for (p = arg; p != NULL; p = next) {
+ for (; p != NULL; p = next) {
next = p->next;
GSSEAP_FREE(p->message);
GSSEAP_FREE(p);
}
}
-static void
-createStatusInfoKey(void)
-{
- GSSEAP_KEY_CREATE(&gssEapStatusInfoKey, destroyStatusInfo);
-}
-
/*
* Associate a message with a mechanism (minor) status code. This function
* takes ownership of the message regardless of success. The message must
static void
saveStatusInfoNoCopy(OM_uint32 minor, char *message)
{
- struct gss_eap_status_info **next = NULL, *p;
-
- GSSEAP_ONCE(&gssEapStatusInfoKeyOnce, createStatusInfoKey);
-
- p = GSSEAP_GETSPECIFIC(gssEapStatusInfoKey);
- for (; p != NULL; p = p->next) {
- if (p->code == minor) {
- /* Set message in-place */
- if (p->message != NULL)
- GSSEAP_FREE(p->message);
- p->message = message;
- return;
+ struct gss_eap_status_info **next = NULL, *p = NULL;
+ struct gss_eap_thread_local_data *tld = gssEapGetThreadLocalData();
+
+ if (tld != NULL) {
+ for (p = tld->statusInfo; p != NULL; p = p->next) {
+ if (p->code == minor) {
+ /* Set message in-place */
+ if (p->message != NULL)
+ GSSEAP_FREE(p->message);
+ p->message = message;
+ return;
+ }
+ next = &p->next;
}
- next = &p->next;
+ p = GSSEAP_CALLOC(1, sizeof(*p));
}
- p = GSSEAP_CALLOC(1, sizeof(*p));
if (p == NULL) {
if (message != NULL)
GSSEAP_FREE(message);
if (next != NULL)
*next = p;
else
- GSSEAP_SETSPECIFIC(gssEapStatusInfoKey, p);
+ tld->statusInfo = p;
}
static const char *
getStatusInfo(OM_uint32 minor)
{
struct gss_eap_status_info *p;
+ struct gss_eap_thread_local_data *tld = gssEapGetThreadLocalData();
- GSSEAP_ONCE(&gssEapStatusInfoKeyOnce, createStatusInfoKey);
-
- for (p = GSSEAP_GETSPECIFIC(gssEapStatusInfoKey);
- p != NULL;
- p = p->next) {
- if (p->code == minor)
- return p->message;
+ if (tld != NULL) {
+ for (p = tld->statusInfo; p != NULL; p = p->next) {
+ if (p->code == minor)
+ return p->message;
+ }
}
-
return NULL;
}
void
gssEapSaveStatusInfo(OM_uint32 minor, const char *format, ...)
{
+#ifdef WIN32
+ OM_uint32 tmpMajor, tmpMinor;
+ char buf[BUFSIZ];
+ gss_buffer_desc s = GSS_C_EMPTY_BUFFER;
+ va_list ap;
+
+ if (format != NULL) {
+ va_start(ap, format);
+ snprintf(buf, sizeof(buf), format, ap);
+ va_end(ap);
+ }
+
+ tmpMajor = makeStringBuffer(&tmpMinor, buf, &s);
+ if (!GSS_ERROR(tmpMajor))
+ saveStatusInfoNoCopy(minor, (char *)s.value);
+#else
char *s = NULL;
int n;
va_list ap;
if (format != NULL) {
va_start(ap, format);
n = vasprintf(&s, format, ap);
+ if (n == -1)
+ s = NULL;
va_end(ap);
if (n == -1)
s = NULL;
}
saveStatusInfoNoCopy(minor, s);
+#endif /* WIN32 */
}
OM_uint32
-gss_display_status(OM_uint32 *minor,
- OM_uint32 status_value,
- int status_type,
- gss_OID mech_type,
- OM_uint32 *message_context,
- gss_buffer_t status_string)
+gssEapDisplayStatus(OM_uint32 *minor,
+ OM_uint32 status_value,
+ gss_buffer_t status_string)
{
OM_uint32 major;
krb5_context krbContext = NULL;
status_string->length = 0;
status_string->value = NULL;
- if (!gssEapIsMechanismOid(mech_type)) {
- *minor = GSSEAP_WRONG_MECH;
- return GSS_S_BAD_MECH;
- }
-
- if (status_type != GSS_C_MECH_CODE ||
- *message_context != 0) {
- /* we rely on the mechglue for GSS_C_GSS_CODE */
- *minor = 0;
- return GSS_S_BAD_STATUS;
- }
-
errMsg = getStatusInfo(status_value);
if (errMsg == NULL) {
GSSEAP_KRB_INIT(&krbContext);
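Review bot: In the WIN32 branch of gssEapSaveStatusInfo, `snprintf(buf, sizeof(buf), format, ap)` (L1881) passes a `va_list` as an ordinary variadic argument, which is undefined behaviour; with MSVC's `char *` va_list the pointer itself is consumed as the first format argument, producing garbage or a crash, so it must be `vsnprintf(buf, sizeof(buf), format, ap);`. When `format == NULL` that branch also hands uninitialised `buf` to `makeStringBuffer()` at L1885, whereas the POSIX branch passes `s == NULL`; initialise `buf[0] = '\0'` or skip the save when no format is given. The POSIX branch now sets `s = NULL` on `n == -1` twice (L1895-1896 and L1898-1899); one copy should go. These strings are surfaced through gss_display_status, so the defect corrupts diagnostics rather than protocol data, but it is still reachable on every error on Windows.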
return major;
}
+
+OM_uint32 GSSAPI_CALLCONV
+gss_display_status(OM_uint32 *minor,
+ OM_uint32 status_value,
+ int status_type,
+ gss_OID mech_type,
+ OM_uint32 *message_context,
+ gss_buffer_t status_string)
+{
+ if (!gssEapIsMechanismOid(mech_type)) {
+ *minor = GSSEAP_WRONG_MECH;
+ return GSS_S_BAD_MECH;
+ }
+
+ if (status_type != GSS_C_MECH_CODE ||
+ *message_context != 0) {
+ /* we rely on the mechglue for GSS_C_GSS_CODE */
+ *minor = 0;
+ return GSS_S_BAD_STATUS;
+ }
+
+ return gssEapDisplayStatus(minor, status_value, status_string);
+}
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_duplicate_name(OM_uint32 *minor,
const gss_name_t input_name,
gss_name_t *dest_name)
return GSS_S_COMPLETE;
}
-static void gssEapInitiatorInit(void) __attribute__((constructor));
-static void gssEapFinalize(void) __attribute__((destructor));
+void gssEapFinalize(void) GSSEAP_DESTRUCTOR;
-static void
-gssEapInitiatorInit(void)
+OM_uint32
+gssEapInitiatorInit(OM_uint32 *minor)
{
- OM_uint32 major, minor;
+ OM_uint32 major;
initialize_eapg_error_table();
initialize_rse_error_table();
- major = gssEapInitLibEap(&minor);
- assert(major == GSS_S_COMPLETE);
+ major = gssEapInitLibEap(minor);
+ if (GSS_ERROR(major))
+ return major;
- major = gssEapInitLibRadsec(&minor);
- assert(major == GSS_S_COMPLETE);
+ major = gssEapInitLibRadsec(minor);
+ if (GSS_ERROR(major))
+ return major;
#ifdef GSSEAP_ENABLE_REAUTH
- major = gssEapReauthInitialize(&minor);
- assert(major == GSS_S_COMPLETE);
+ major = gssEapReauthInitialize(minor);
+ if (GSS_ERROR(major))
+ return major;
#endif
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
}
-static void
+void
gssEapFinalize(void)
{
+#ifdef GSSEAP_ENABLE_ACCEPTOR
OM_uint32 minor;
gssEapAttrProvidersFinalize(&minor);
+#endif
eap_peer_unregister_methods();
}
+
+#ifdef GSSEAP_CONSTRUCTOR
+static void gssEapInitiatorInitAssert(void) GSSEAP_CONSTRUCTOR;
+
+static void
+gssEapInitiatorInitAssert(void)
+{
+ OM_uint32 major, minor;
+
+ major = gssEapInitiatorInit(&minor);
+
+ GSSEAP_ASSERT(!GSS_ERROR(major));
+}
+#endif
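Review bot: gssEapInitiatorInitAssert() checks the result of gssEapInitiatorInit() only with `GSSEAP_ASSERT(!GSS_ERROR(major))` (L2021); if GSSEAP_ASSERT compiles to nothing in non-debug builds (its definition is not in this view), a failed libeap or libradsec initialisation is silently ignored and the mechanism keeps running without its backends initialised. Recording the failure in a static flag that the entry points check, or at least logging it, would surface the problem as GSS_S_FAILURE rather than as undefined behaviour later. Since gssEapInitiatorInit() is now exported (declared at L2408-2409), a comment stating whether it is safe to call more than once would help, as the error-table registration at L1977-1978 runs unconditionally. Also, `gssEapFinalize` is declared with GSSEAP_DESTRUCTOR unconditionally at L1969 while the constructor is wrapped in `#ifdef GSSEAP_CONSTRUCTOR`; if GSSEAP_DESTRUCTOR can expand to nothing where the initialiser is called explicitly, document where finalisation happens on that platform.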
--- /dev/null
+/*
+ * Copyright (c) 2011, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ *
+ */
+
+#include "gssapiP_eap.h"
+
+OM_uint32 GSSAPI_CALLCONV
+gssEapExchangeMetaData(OM_uint32 *minor,
+ gss_const_OID mech GSSEAP_UNUSED,
+ gss_cred_id_t cred GSSEAP_UNUSED,
+ gss_ctx_id_t *ctx GSSEAP_UNUSED,
+ const gss_name_t name GSSEAP_UNUSED,
+ OM_uint32 req_flags GSSEAP_UNUSED,
+ gss_const_buffer_t meta_data GSSEAP_UNUSED)
+{
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+gss_exchange_meta_data(OM_uint32 *minor,
+ gss_const_OID mech,
+ gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ const gss_name_t name,
+ OM_uint32 req_flags,
+ gss_const_buffer_t meta_data)
+{
+ gss_ctx_id_t ctx = *context_handle;
+ OM_uint32 major;
+
+ if (cred != GSS_C_NO_CREDENTIAL)
+ GSSEAP_MUTEX_LOCK(&cred->mutex);
+
+ if (*context_handle != GSS_C_NO_CONTEXT)
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ major = gssEapExchangeMetaData(minor, mech, cred, &ctx,
+ name, req_flags, meta_data);
+
+ if (*context_handle != GSS_C_NO_CONTEXT)
+ GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+ else
+ *context_handle = ctx;
+
+ if (cred != GSS_C_NO_CREDENTIAL)
+ GSSEAP_MUTEX_UNLOCK(&cred->mutex);
+
+ return major;
+}
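Review bot: gss_exchange_meta_data() takes `cred->mutex` before `ctx->mutex` (L2088-2092), whereas the old gss_accept_sec_context() took ctx then cred and the rewritten one in this patch takes only `ctx->mutex`; if any remaining entry point still locks ctx before cred, this ordering can deadlock against it, so the intended lock order should be written down once in gssapiP_eap.h and followed here. The `else *context_handle = ctx;` at L2099-2100 stores whatever gssEapExchangeMetaData() leaves in `ctx`, which today is unchanged because the callee is a stub, but a future implementation that allocates a context would hand it back unlocked and with no release on `GSS_ERROR(major)`; a `/* TODO: release ctx on error once the stub allocates one */` would mark that. The empty comment block at L2057-2059 should state the file's purpose, e.g. `/* NegoEx meta-data exchange entry point (currently a no-op). */`.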
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_export_name(OM_uint32 *minor,
const gss_name_t input_name,
gss_buffer_t exported_name)
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_export_name_composite(OM_uint32 *minor,
gss_name_t input_name,
gss_buffer_t exported_name)
#include "gssapiP_eap.h"
+#ifdef GSSEAP_ENABLE_ACCEPTOR
static OM_uint32
gssEapExportPartialContext(OM_uint32 *minor,
gss_ctx_id_t ctx,
size_t length, serverLen = 0;
unsigned char *p;
char serverBuf[MAXHOSTNAMELEN];
-
if (ctx->acceptorCtx.radConn != NULL) {
if (rs_conn_get_current_peer(ctx->acceptorCtx.radConn,
serverBuf, sizeof(serverBuf)) != 0) {
}
serverLen = strlen(serverBuf);
}
-
length = 4 + serverLen + 4 + ctx->acceptorCtx.state.length;
token->value = GSSEAP_MALLOC(length);
p += ctx->acceptorCtx.state.length;
}
- assert(p == (unsigned char *)token->value + token->length);
+ GSSEAP_ASSERT(p == (unsigned char *)token->value + token->length);
major = GSS_S_COMPLETE;
*minor = 0;
return major;
}
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
OM_uint32
gssEapExportSecContext(OM_uint32 *minor,
goto cleanup;
}
+#ifdef GSSEAP_ENABLE_ACCEPTOR
/*
* The partial context is only transmitted for unestablished acceptor
* contexts.
if (GSS_ERROR(major))
goto cleanup;
}
+#endif
length = 16; /* version, state, flags, */
length += 4 + ctx->mechanismUsed->length; /* mechanismUsed */
if (partialCtx.value != NULL)
p = store_buffer(&partialCtx, p, FALSE);
- assert(p == (unsigned char *)token->value + token->length);
+ GSSEAP_ASSERT(p == (unsigned char *)token->value + token->length);
major = GSS_S_COMPLETE;
*minor = 0;
return major;
}
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_export_sec_context(OM_uint32 *minor,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token)
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_get_mic(OM_uint32 *minor,
gss_ctx_id_t ctx,
gss_qop_t qop_req,
* Wrapper for retrieving a naming attribute.
*/
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_get_name_attribute(OM_uint32 *minor,
gss_name_t name,
gss_buffer_t attr,
#include <assert.h>
#include <string.h>
#include <errno.h>
+#ifdef HAVE_UNISTD_H
#include <unistd.h>
+#endif
+#ifdef HAVE_STDLIB_H
#include <stdlib.h>
+#endif
+#ifdef HAVE_STDARG_H
#include <stdarg.h>
+#endif
#include <time.h>
+#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h>
+#endif
+
+#ifdef WIN32
+#ifndef MAXHOSTNAMELEN
+# include <WinSock2.h>
+# define MAXHOSTNAMELEN NI_MAXHOST
+#endif
+#endif
/* GSS headers */
#include <gssapi/gssapi.h>
#include <krb5.h>
/* EAP headers */
+#include <includes.h>
#include <common.h>
#include <eap_peer/eap.h>
#include <eap_peer/eap_config.h>
#include <eap_common/eap_common.h>
#include <wpabuf.h>
+#ifdef GSSEAP_ENABLE_ACCEPTOR
/* FreeRADIUS headers */
#ifdef __cplusplus
extern "C" {
+#ifndef WIN32
#define operator fr_operator
#endif
+#endif
#include <freeradius/libradius.h>
#include <freeradius/radius.h>
+
+#undef pid_t
+
+/* libradsec headers */
#include <radsec/radsec.h>
#include <radsec/request.h>
#ifdef __cplusplus
+#ifndef WIN32
#undef operator
+#endif
}
#endif
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
#include "gsseap_err.h"
#include "radsec_err.h"
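Review bot: `NI_MAXHOST` is declared in `<ws2tcpip.h>`, not `<WinSock2.h>`, so `# define MAXHOSTNAMELEN NI_MAXHOST` at L2205-2206 only compiles if ws2tcpip.h was already pulled in elsewhere; include `<ws2tcpip.h>` after WinSock2.h in that block to make it self-contained. The bare `#undef pid_t` at L2230 has no explanation; a one-line comment naming which header redefines it (presumably a FreeRADIUS or hostap one) would save the next reader a hunt.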
OM_uint32 flags;
gss_OID mechanismUsed; /* this is immutable */
krb5_principal krbPrincipal; /* this is immutable */
+#ifdef GSSEAP_ENABLE_ACCEPTOR
struct gss_eap_attr_ctx *attrCtx;
+#endif
};
#define CRED_FLAG_INITIATE 0x00010000
#define CRED_FLAG_ACCEPT 0x00020000
-#define CRED_FLAG_DEFAULT_IDENTITY 0x00040000
-#define CRED_FLAG_PASSWORD 0x00080000
-#define CRED_FLAG_DEFAULT_CCACHE 0x00100000
+#define CRED_FLAG_PASSWORD 0x00040000
+#define CRED_FLAG_DEFAULT_CCACHE 0x00080000
+#define CRED_FLAG_RESOLVED 0x00100000
+#define CRED_FLAG_TARGET 0x00200000
#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF
#ifdef HAVE_HEIMDAL_VERSION
GSSEAP_MUTEX mutex;
OM_uint32 flags;
gss_name_t name;
+ gss_name_t target; /* for initiator */
gss_buffer_desc password;
gss_OID_set mechanisms;
time_t expiryTime;
- char *radiusConfigFile;
- char *radiusConfigStanza;
+ gss_buffer_desc radiusConfigFile;
+ gss_buffer_desc radiusConfigStanza;
+ gss_buffer_desc caCertificate;
+ gss_buffer_desc subjectNameConstraint;
+ gss_buffer_desc subjectAltNameConstraint;
#ifdef GSSEAP_ENABLE_REAUTH
krb5_ccache krbCredCache;
gss_cred_id_t reauthCred;
struct wpabuf reqData;
};
+#ifdef GSSEAP_ENABLE_ACCEPTOR
struct gss_eap_acceptor_ctx {
struct rs_context *radContext;
struct rs_connection *radConn;
gss_buffer_desc state;
VALUE_PAIR *vps;
};
+#endif
#ifdef HAVE_HEIMDAL_VERSION
struct gss_ctx_id_t_desc_struct
time_t expiryTime;
uint64_t sendSeq, recvSeq;
void *seqState;
- gss_cred_id_t defaultCred;
+ gss_cred_id_t cred;
union {
struct gss_eap_initiator_ctx initiator;
#define initiatorCtx ctxU.initiator
+#ifdef GSSEAP_ENABLE_ACCEPTOR
struct gss_eap_acceptor_ctx acceptor;
#define acceptorCtx ctxU.acceptor
+#endif
#ifdef GSSEAP_ENABLE_REAUTH
gss_ctx_id_t reauth;
#define reauthCtx ctxU.reauth
#define KEY_USAGE_INITIATOR_SEAL 24
#define KEY_USAGE_INITIATOR_SIGN 25
+/* accept_sec_context.c */
+OM_uint32
+gssEapAcceptSecContext(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ gss_cred_id_t cred,
+ gss_buffer_t input_token,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_name_t *src_name,
+ gss_OID *mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ gss_cred_id_t *delegated_cred_handle);
+
+/* init_sec_context.c */
+OM_uint32
+gssEapInitSecContext(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t ctx,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec);
+
/* wrap_iov.c */
OM_uint32
gssEapWrapOrGetMIC(OM_uint32 *minor,
void
gssEapSaveStatusInfo(OM_uint32 minor, const char *format, ...);
+OM_uint32
+gssEapDisplayStatus(OM_uint32 *minor,
+ OM_uint32 status_value,
+ gss_buffer_t status_string);
+
#define IS_WIRE_ERROR(err) ((err) > GSSEAP_RESERVED && \
(err) <= GSSEAP_RADIUS_PROT_FAILURE)
+/* upper bound of RADIUS error range must be kept in sync with radsec.h */
+#define IS_RADIUS_ERROR(err) ((err) >= ERROR_TABLE_BASE_rse && \
+ (err) <= ERROR_TABLE_BASE_rse + 20)
+
+/* exchange_meta_data.c */
+OM_uint32 GSSAPI_CALLCONV
+gssEapExchangeMetaData(OM_uint32 *minor,
+ gss_const_OID mech,
+ gss_cred_id_t cred,
+ gss_ctx_id_t *ctx,
+ const gss_name_t name,
+ OM_uint32 req_flags,
+ gss_const_buffer_t meta_data);
+
/* export_sec_context.c */
OM_uint32
gssEapExportSecContext(OM_uint32 *minor,
gss_ctx_id_t ctx,
gss_buffer_t token);
+/* import_sec_context.c */
+OM_uint32
+gssEapImportContext(OM_uint32 *minor,
+ gss_buffer_t token,
+ gss_ctx_id_t ctx);
+
+/* inquire_sec_context_by_oid.c */
+#define NEGOEX_INITIATOR_SALT "gss-eap-negoex-initiator"
+#define NEGOEX_INITIATOR_SALT_LEN (sizeof(NEGOEX_INITIATOR_SALT) - 1)
+
+#define NEGOEX_ACCEPTOR_SALT "gss-eap-negoex-acceptor"
+#define NEGOEX_ACCEPTOR_SALT_LEN (sizeof(NEGOEX_ACCEPTOR_SALT) - 1)
+
+/* pseudo_random.c */
+OM_uint32
+gssEapPseudoRandom(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ int prf_key,
+ const gss_buffer_t prf_in,
+ ssize_t desired_output_len,
+ gss_buffer_t prf_out);
+
+/* query_mechanism_info.c */
+OM_uint32
+gssQueryMechanismInfo(OM_uint32 *minor,
+ gss_const_OID mech_oid,
+ unsigned char auth_scheme[16]);
+
+/* query_meta_data.c */
+OM_uint32
+gssEapQueryMetaData(OM_uint32 *minor,
+ gss_const_OID mech GSSEAP_UNUSED,
+ gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ const gss_name_t name,
+ OM_uint32 req_flags GSSEAP_UNUSED,
+ gss_buffer_t meta_data);
+
+/* eap_mech.c */
+OM_uint32
+gssEapInitiatorInit(OM_uint32 *minor);
+
+void
+gssEapFinalize(void);
#ifdef __cplusplus
}
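Review bot: `IS_RADIUS_ERROR` at L2351-2352 hard-codes `+ 20` as the extent of the libradsec error table, with only a comment asking that it be kept in sync with radsec.h; if the table grows, new radsec codes are silently misclassified by whatever uses the macro (gssEapRadiusMapError() and the display path in this patch). If the generated radsec_err.h exposes a last code or a count, derive the bound from it; otherwise add a compile-time check against the last known code so that drift fails the build rather than the error mapping.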
extern gss_OID GSS_EAP_CRED_SET_CRED_FLAG;
/*
+ * Password; for mechanism glues that do not support
+ * gss_acquire_cred_with_password(), this can be set
+ * on an existing credentials handle.
+ */
+extern gss_OID GSS_EAP_CRED_SET_CRED_PASSWORD;
+
+/*
* Credentials flag indicating the local attributes
* processing should be skipped.
*/
error_code GSSEAP_NO_HOSTNAME, "Could not determine local host name"
error_code GSSEAP_NO_ACCEPTOR_NAME, "Could not determine acceptor identity"
error_code GSSEAP_BAD_NAME_TOKEN, "Name token is malformed or corrupt"
+error_code GSSEAP_NO_LOCAL_MAPPING, "Unable to map name to a local identity"
#
# Credential errors
error_code GSSEAP_BAD_CRED_OPTION, "Bad credential option"
error_code GSSEAP_NO_DEFAULT_IDENTITY, "Default credentials identity unavailable"
error_code GSSEAP_NO_DEFAULT_CRED, "Missing default password or other credentials"
+error_code GSSEAP_CRED_RESOLVED, "Credential is already fully resolved"
+
+#
+# Local identity service errors
+#
+error_code GSSEAP_UNABLE_TO_START_IDENTITY_SERVICE, "Unable to start identity service"
+error_code GSSEAP_NO_IDENTITY_SELECTED, "No identity selected"
+error_code GSSEAP_IDENTITY_SERVICE_INSTALL_ERROR, "Identity service installation error"
+error_code GSSEAP_IDENTITY_SERVICE_OS_ERROR, "Identity service OS error"
+error_code GSSEAP_IDENTITY_SERVICE_IPC_ERROR, "Identity service IPC error"
+error_code GSSEAP_IDENTITY_SERVICE_UNKNOWN_ERROR, "Unknown identity service error"
+
#
# Wrap/unwrap/PRF errors
#
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_import_name(OM_uint32 *minor,
gss_buffer_t import_name_buffer,
gss_OID input_name_type,
} \
} while (0)
+#ifdef GSSEAP_ENABLE_ACCEPTOR
static OM_uint32
gssEapImportPartialContext(OM_uint32 *minor,
unsigned char **pBuf,
}
#ifdef GSSEAP_DEBUG
- assert(remain == 0);
+ GSSEAP_ASSERT(remain == 0);
#endif
*pBuf = p;
return GSS_S_COMPLETE;
}
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
static OM_uint32
importMechanismOid(OM_uint32 *minor,
size_t *pRemain,
krb5_cksumtype *checksumType,
krb5_enctype *pEncryptionType,
- krb5_keyblock *key)
+ krb5_keyblock *pKey)
{
unsigned char *p = *pBuf;
size_t remain = *pRemain;
OM_uint32 encryptionType;
OM_uint32 length;
- gss_buffer_desc tmp;
+ krb5_context krbContext;
+ krb5_keyblock key;
+ krb5_error_code code;
+
+ GSSEAP_KRB_INIT(&krbContext);
+
+ KRB_KEY_INIT(pKey);
if (remain < 12) {
*minor = GSSEAP_TOK_TRUNC;
return GSS_S_DEFECTIVE_TOKEN;
}
- if (load_buffer(&p[12], length, &tmp) == NULL) {
- *minor = ENOMEM;
- return GSS_S_FAILURE;
- }
+ if (encryptionType != ENCTYPE_NULL) {
+ KRB_KEY_INIT(&key);
- KRB_KEY_TYPE(key) = encryptionType;
- KRB_KEY_LENGTH(key) = tmp.length;
- KRB_KEY_DATA(key) = (unsigned char *)tmp.value;
+ KRB_KEY_TYPE(&key) = encryptionType;
+ KRB_KEY_LENGTH(&key) = length;
+ KRB_KEY_DATA(&key) = &p[12];
+
+ code = krb5_copy_keyblock_contents(krbContext, &key, pKey);
+ if (code != 0) {
+ *minor = code;
+ return GSS_S_FAILURE;
+ }
+ }
*pBuf += 12 + length;
*pRemain -= 12 + length;
return GSS_S_COMPLETE;
}
-static OM_uint32
+OM_uint32
gssEapImportContext(OM_uint32 *minor,
gss_buffer_t token,
gss_ctx_id_t ctx)
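Review bot: The rewritten key import sets `KRB_KEY_DATA(&key) = &p[12]` with `KRB_KEY_LENGTH(&key) = length` (L2505-2507) and then advances `*pBuf`/`*pRemain` by `12 + length`, but the hunk shows only the `remain < 12` check at L2492-2495; the lines between L2495 and L2496 are outside the view, so confirm that `length` is rejected when it exceeds `remain - 12` before `krb5_copy_keyblock_contents()` reads `length` bytes. This path deserialises an interprocess token, so a missing bound is an over-read controlled by the token producer, and `*pRemain -= 12 + length` would also wrap the size_t. A `/* length validated against remain above */` comment on the copy would make the invariant visible to the next reader.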
if (GSS_ERROR(major))
return major;
+#ifdef GSSEAP_ENABLE_ACCEPTOR
/*
* The partial context should only be expected for unestablished
* acceptor contexts.
}
#ifdef GSSEAP_DEBUG
- assert(remain == 0);
+ GSSEAP_ASSERT(remain == 0);
#endif
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
major = GSS_S_COMPLETE;
*minor = 0;
return major;
}
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_import_sec_context(OM_uint32 *minor,
gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_indicate_mechs(OM_uint32 *minor,
gss_OID_set *mech_set)
{
if (ctx == GSS_C_NO_CONTEXT)
return FALSE;
- assert(CTX_IS_INITIATOR(ctx));
+ GSSEAP_ASSERT(CTX_IS_INITIATOR(ctx));
switch (variable) {
case EAPOL_idleWhile:
if (ctx == GSS_C_NO_CONTEXT)
return;
- assert(CTX_IS_INITIATOR(ctx));
+ GSSEAP_ASSERT(CTX_IS_INITIATOR(ctx));
switch (variable) {
case EAPOL_idleWhile:
#endif
static OM_uint32
-peerConfigInit(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_ctx_id_t ctx)
+peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
{
OM_uint32 major;
krb5_context krbContext;
struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
+ gss_cred_id_t cred = ctx->cred;
eapPeerConfig->identity = NULL;
eapPeerConfig->identity_len = 0;
eapPeerConfig->password = NULL;
eapPeerConfig->password_len = 0;
- assert(cred != GSS_C_NO_CREDENTIAL);
+ GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
GSSEAP_KRB_INIT(&krbContext);
wpa_debug_level = 0;
#endif
- assert(cred->name != GSS_C_NO_NAME);
+ GSSEAP_ASSERT(cred->name != GSS_C_NO_NAME);
if ((cred->name->flags & (NAME_FLAG_NAI | NAME_FLAG_SERVICE)) == 0) {
*minor = GSSEAP_BAD_INITIATOR_NAME;
eapPeerConfig->password = (unsigned char *)cred->password.value;
eapPeerConfig->password_len = cred->password.length;
+ /* certs */
+ eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
+ eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
+ eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
+
*minor = 0;
return GSS_S_COMPLETE;
}
static OM_uint32
initBegin(OM_uint32 *minor,
- gss_cred_id_t cred,
gss_ctx_id_t ctx,
gss_name_t target,
gss_OID mech,
gss_channel_bindings_t chanBindings GSSEAP_UNUSED)
{
OM_uint32 major;
+ gss_cred_id_t cred = ctx->cred;
- assert(cred != GSS_C_NO_CREDENTIAL);
+ GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
if (cred->expiryTime)
ctx->expiryTime = cred->expiryTime;
*minor = GSSEAP_BAD_ERROR_TOKEN;
}
- assert(GSS_ERROR(major));
+ GSSEAP_ASSERT(GSS_ERROR(major));
return major;
}
gss_OID actualMech = GSS_C_NO_OID;
OM_uint32 gssFlags, timeRec;
- assert(cred != GSS_C_NO_CREDENTIAL);
-
+ /*
+ * Here we use the passed in credential handle because the resolved
+ * context credential does not currently have the reauth creds.
+ */
if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) {
if (!gssEapCanReauthP(cred, target, timeReq))
return GSS_S_CONTINUE_NEEDED;
goto cleanup;
}
+ GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
+
major = gssEapMechToGlueName(minor, target, &mechTarget);
if (GSS_ERROR(major))
goto cleanup;
ctx->gssFlags = gssFlags;
if (major == GSS_S_COMPLETE) {
- assert(GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE);
+ GSSEAP_ASSERT(GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE);
major = gssEapReauthComplete(minor, ctx, cred, actualMech, timeRec);
if (GSS_ERROR(major))
#endif
*smFlags |= SM_FLAG_FORCE_SEND_TOKEN;
- assert((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0);
- assert(inputToken == GSS_C_NO_BUFFER);
+ GSSEAP_ASSERT((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0);
+ GSSEAP_ASSERT(inputToken == GSS_C_NO_BUFFER);
memset(&eapConfig, 0, sizeof(eapConfig));
static OM_uint32
eapGssSmInitAuthenticate(OM_uint32 *minor,
- gss_cred_id_t cred,
+ gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
gss_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
*minor = 0;
- assert(inputToken != GSS_C_NO_BUFFER);
+ GSSEAP_ASSERT(inputToken != GSS_C_NO_BUFFER);
- major = peerConfigInit(minor, cred, ctx);
+ major = peerConfigInit(minor, ctx);
if (GSS_ERROR(major))
goto cleanup;
- assert(ctx->initiatorCtx.eap != NULL);
- assert(ctx->flags & CTX_FLAG_EAP_PORT_ENABLED);
+ GSSEAP_ASSERT(ctx->initiatorCtx.eap != NULL);
+ GSSEAP_ASSERT(ctx->flags & CTX_FLAG_EAP_PORT_ENABLED);
ctx->flags |= CTX_FLAG_EAP_REQ; /* we have a Request from the acceptor */
OM_uint32 tmpMajor;
gss_buffer_desc respBuf;
- assert(major == GSS_S_CONTINUE_NEEDED);
+ GSSEAP_ASSERT(major == GSS_S_CONTINUE_NEEDED);
respBuf.length = wpabuf_len(resp);
respBuf.value = (void *)wpabuf_head(resp);
if (GSS_ERROR(major))
return major;
- assert(outputToken->value != NULL);
+ GSSEAP_ASSERT(outputToken->value != NULL);
*minor = 0;
*smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
};
OM_uint32
-gss_init_sec_context(OM_uint32 *minor,
+gssEapInitSecContext(OM_uint32 *minor,
gss_cred_id_t cred,
- gss_ctx_id_t *context_handle,
+ gss_ctx_id_t ctx,
gss_name_t target_name,
gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 *time_rec)
{
OM_uint32 major, tmpMinor;
- gss_ctx_id_t ctx = *context_handle;
- int initialContextToken = 0;
+ int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID);
- *minor = 0;
-
- output_token->length = 0;
- output_token->value = NULL;
-
- if (ctx == GSS_C_NO_CONTEXT) {
- if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
- *minor = GSSEAP_WRONG_SIZE;
- return GSS_S_DEFECTIVE_TOKEN;
- }
+ /*
+ * XXX is acquiring the credential lock here necessary? The password is
+ * mutable but the contract could specify that this is not updated whilst
+ * a context is being initialized.
+ */
+ if (cred != GSS_C_NO_CREDENTIAL)
+ GSSEAP_MUTEX_LOCK(&cred->mutex);
- major = gssEapAllocContext(minor, &ctx);
+ if (ctx->cred == GSS_C_NO_CREDENTIAL) {
+ major = gssEapResolveInitiatorCred(minor, cred, target_name, &ctx->cred);
if (GSS_ERROR(major))
- return major;
-
- ctx->flags |= CTX_FLAG_INITIATOR;
- initialContextToken = 1;
-
- *context_handle = ctx;
- }
-
- GSSEAP_MUTEX_LOCK(&ctx->mutex);
-
- if (cred == GSS_C_NO_CREDENTIAL) {
- if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) {
- major = gssEapAcquireCred(minor,
- GSS_C_NO_NAME,
- GSS_C_NO_BUFFER,
- time_req,
- GSS_C_NO_OID_SET,
- GSS_C_INITIATE,
- &ctx->defaultCred,
- NULL,
- NULL);
- if (GSS_ERROR(major))
- goto cleanup;
- }
+ goto cleanup;
- cred = ctx->defaultCred;
+ GSSEAP_ASSERT(ctx->cred != GSS_C_NO_CREDENTIAL);
}
- GSSEAP_MUTEX_LOCK(&cred->mutex);
+ GSSEAP_MUTEX_LOCK(&ctx->cred->mutex);
- if ((cred->flags & CRED_FLAG_INITIATE) == 0) {
- major = GSS_S_NO_CRED;
- *minor = GSSEAP_CRED_USAGE_MISMATCH;
- goto cleanup;
- }
+ GSSEAP_ASSERT(ctx->cred->flags & CRED_FLAG_RESOLVED);
+ GSSEAP_ASSERT(ctx->cred->flags & CRED_FLAG_INITIATE);
if (initialContextToken) {
- major = initBegin(minor, cred, ctx, target_name, mech_type,
+ major = initBegin(minor, ctx, target_name, mech_type,
req_flags, time_req, input_chan_bindings);
if (GSS_ERROR(major))
goto cleanup;
if (time_rec != NULL)
gssEapContextTime(&tmpMinor, ctx, time_rec);
- assert(CTX_IS_ESTABLISHED(ctx) || major == GSS_S_CONTINUE_NEEDED);
+ GSSEAP_ASSERT(CTX_IS_ESTABLISHED(ctx) || major == GSS_S_CONTINUE_NEEDED);
cleanup:
if (cred != GSS_C_NO_CREDENTIAL)
GSSEAP_MUTEX_UNLOCK(&cred->mutex);
+ if (ctx->cred != GSS_C_NO_CREDENTIAL)
+ GSSEAP_MUTEX_UNLOCK(&ctx->cred->mutex);
+
+ return major;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+gss_init_sec_context(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec)
+{
+ OM_uint32 major, tmpMinor;
+ gss_ctx_id_t ctx = *context_handle;
+
+ *minor = 0;
+
+ output_token->length = 0;
+ output_token->value = NULL;
+
+ if (ctx == GSS_C_NO_CONTEXT) {
+ if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
+ *minor = GSSEAP_WRONG_SIZE;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ major = gssEapAllocContext(minor, &ctx);
+ if (GSS_ERROR(major))
+ return major;
+
+ ctx->flags |= CTX_FLAG_INITIATOR;
+
+ *context_handle = ctx;
+ }
+
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ major = gssEapInitSecContext(minor,
+ cred,
+ ctx,
+ target_name,
+ mech_type,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec);
+
GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
if (GSS_ERROR(major))
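Review bot: The explicit usage check that returned `GSS_S_NO_CRED` / `GSSEAP_CRED_USAGE_MISMATCH` is replaced by `GSSEAP_ASSERT(ctx->cred->flags & CRED_FLAG_INITIATE)`, which turns a caller error (an accept-only credential) into an assertion failure, or — in a build where `GSSEAP_ASSERT` compiles out — into proceeding into `initBegin` with a credential never vetted for initiation; unless `gssEapResolveInitiatorCred` (not in this diff) is guaranteed to reject such credentials, the explicit check should stay. Separately, `cred->mutex` is taken first and `ctx->cred->mutex` second; if the resolver can hand back the same credential object it was given, the second lock is taken on a mutex already held, so it is worth a comment stating that the resolved credential is always a distinct handle. `gssEapInitSecContext`'s parameter list starts outside the hunk.
```c
    GSSEAP_ASSERT(ctx->cred->flags & CRED_FLAG_RESOLVED);
    if ((ctx->cred->flags & CRED_FLAG_INITIATE) == 0) {
        major = GSS_S_NO_CRED;
        *minor = GSSEAP_CRED_USAGE_MISMATCH;
        goto cleanup;
    }
    /* … unchanged: initBegin / state machine / cleanup … */
```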
#define MA_SUPPORTED(ma) MA_ADD((ma), mech_attrs)
#define MA_KNOWN(ma) MA_ADD((ma), known_mech_attrs)
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_attrs_for_mech(OM_uint32 *minor,
gss_const_OID mech_oid,
gss_OID_set *mech_attrs,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_context(OM_uint32 *minor,
gss_ctx_id_t ctx,
gss_name_t *src_name,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_cred(OM_uint32 *minor,
gss_cred_id_t cred,
gss_name_t *name,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_cred_by_mech(OM_uint32 *minor,
gss_cred_id_t cred,
gss_OID mech_type,
#include "gssapiP_eap.h"
+#if 0
static struct {
gss_OID_desc oid;
OM_uint32 (*inquire)(OM_uint32 *, const gss_cred_id_t,
const gss_OID, gss_buffer_set_t *);
} inquireCredOps[] = {
};
+#endif
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_cred_by_oid(OM_uint32 *minor,
const gss_cred_id_t cred_handle,
- const gss_OID desired_object,
+ const gss_OID desired_object GSSEAP_UNUSED,
gss_buffer_set_t *data_set)
{
OM_uint32 major;
+#if 0
int i;
-
+#endif
*data_set = GSS_C_NO_BUFFER_SET;
if (cred_handle == GSS_C_NO_CREDENTIAL) {
major = GSS_S_UNAVAILABLE;
*minor = GSSEAP_BAD_CRED_OPTION;
+#if 0
for (i = 0; i < sizeof(inquireCredOps) / sizeof(inquireCredOps[0]); i++) {
if (oidEqual(&inquireCredOps[i].oid, desired_object)) {
major = (*inquireCredOps[i].inquire)(minor, cred_handle,
break;
}
}
+#endif
GSSEAP_MUTEX_UNLOCK(&cred_handle->mutex);
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_saslname_for_mech(OM_uint32 *minor,
const gss_OID mech,
gss_buffer_t sasl_mech_name,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_mechs_for_name(OM_uint32 *minor,
const gss_name_t input_name,
gss_OID_set *mech_types)
#include "gssapiP_eap.h"
-OM_uint32 gss_inquire_name(OM_uint32 *minor,
- gss_name_t name,
- int *name_is_MN,
- gss_OID *MN_mech,
- gss_buffer_set_t *attrs)
+OM_uint32 GSSAPI_CALLCONV
+gss_inquire_name(OM_uint32 *minor,
+ gss_name_t name,
+ int *name_is_MN,
+ gss_OID *MN_mech,
+ gss_buffer_set_t *attrs)
{
OM_uint32 major, tmpMinor;
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_names_for_mech(OM_uint32 *minor,
gss_OID mechanism,
gss_OID_set *ret_name_types)
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_mech_for_saslname(OM_uint32 *minor,
const gss_buffer_t sasl_mech_name,
gss_OID *mech_type)
#include "gssapiP_eap.h"
static OM_uint32
+addEnctypeOidToBufferSet(OM_uint32 *minor,
+ krb5_enctype encryptionType,
+ gss_buffer_set_t *dataSet)
+{
+ OM_uint32 major;
+ unsigned char oidBuf[16];
+ gss_OID_desc oid;
+ gss_buffer_desc buf;
+
+ oid.length = sizeof(oidBuf);
+ oid.elements = oidBuf;
+
+ major = composeOid(minor,
+ "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04",
+ 10,
+ encryptionType,
+ &oid);
+ if (GSS_ERROR(major))
+ return major;
+
+ buf.length = oid.length;
+ buf.value = oid.elements;
+
+ major = gss_add_buffer_set_member(minor, &buf, dataSet);
+
+ return major;
+}
+
+static void
+zeroAndReleaseBufferSet(gss_buffer_set_t *dataSet)
+{
+ OM_uint32 tmpMinor;
+ gss_buffer_set_t set = *dataSet;
+ size_t i;
+
+ if (set == GSS_C_NO_BUFFER_SET)
+ return;
+
+ for (i = 0; i <set->count; i++)
+ memset(set->elements[i].value, 0, set->elements[i].length);
+
+ gss_release_buffer_set(&tmpMinor, dataSet);
+}
+
+static OM_uint32
inquireSessionKey(OM_uint32 *minor,
const gss_ctx_id_t ctx,
const gss_OID desired_object GSSEAP_UNUSED,
gss_buffer_set_t *dataSet)
{
- OM_uint32 major, tmpMinor;
- unsigned char oidBuf[16];
+ OM_uint32 major;
gss_buffer_desc buf;
- gss_OID_desc oid;
+
+ if (ctx->encryptionType == ENCTYPE_NULL) {
+ major = GSS_S_UNAVAILABLE;
+ *minor = GSSEAP_KEY_UNAVAILABLE;
+ goto cleanup;
+ }
buf.length = KRB_KEY_LENGTH(&ctx->rfc3961Key);
buf.value = KRB_KEY_DATA(&ctx->rfc3961Key);
if (GSS_ERROR(major))
goto cleanup;
- oid.length = sizeof(oidBuf);
- oid.elements = oidBuf;
+ major = addEnctypeOidToBufferSet(minor, ctx->encryptionType, dataSet);
+ if (GSS_ERROR(major))
+ goto cleanup;
- major = composeOid(minor,
- "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04",
- 10,
- ctx->encryptionType,
- &oid);
+ major = GSS_S_COMPLETE;
+ *minor = 0;
+
+cleanup:
if (GSS_ERROR(major))
+ zeroAndReleaseBufferSet(dataSet);
+
+ return major;
+}
+
+static OM_uint32
+inquireNegoExKey(OM_uint32 *minor,
+ const gss_ctx_id_t ctx,
+ const gss_OID desired_object,
+ gss_buffer_set_t *dataSet)
+{
+ OM_uint32 major, tmpMinor;
+ int bInitiatorKey;
+ gss_buffer_desc salt;
+ gss_buffer_desc key = GSS_C_EMPTY_BUFFER;
+ size_t keySize;
+
+ bInitiatorKey = CTX_IS_INITIATOR(ctx);
+
+ if (ctx->encryptionType == ENCTYPE_NULL) {
+ major = GSS_S_UNAVAILABLE;
+ *minor = GSSEAP_KEY_UNAVAILABLE;
goto cleanup;
+ }
- buf.length = oid.length;
- buf.value = oid.elements;
+ /*
+ * If the caller supplied the verify key OID, then we need the acceptor
+ * key if we are the initiator, and vice versa.
+ */
+ if (desired_object->length == 11 &&
+ memcmp(desired_object->elements,
+ "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07", 11) == 0)
+ bInitiatorKey ^= 1;
+
+ if (bInitiatorKey) {
+ salt.length = NEGOEX_INITIATOR_SALT_LEN;
+ salt.value = NEGOEX_INITIATOR_SALT;
+ } else {
+ salt.length = NEGOEX_ACCEPTOR_SALT_LEN;
+ salt.value = NEGOEX_ACCEPTOR_SALT;
+ }
- major = gss_add_buffer_set_member(minor, &buf, dataSet);
+ keySize = KRB_KEY_LENGTH(&ctx->rfc3961Key);
+
+ major = gssEapPseudoRandom(minor, ctx, GSS_C_PRF_KEY_FULL, &salt,
+ keySize, &key);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = gss_add_buffer_set_member(minor, &key, dataSet);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = addEnctypeOidToBufferSet(minor, ctx->encryptionType, dataSet);
if (GSS_ERROR(major))
goto cleanup;
*minor = 0;
cleanup:
- if (GSS_ERROR(major) && *dataSet != GSS_C_NO_BUFFER_SET) {
- gss_buffer_set_t set = *dataSet;
-
- if (set->count != 0)
- memset(set->elements[0].value, 0, set->elements[0].length);
- gss_release_buffer_set(&tmpMinor, dataSet);
+ if (key.value != NULL) {
+ memset(key.value, 0, key.length);
+ gss_release_buffer(&tmpMinor, &key);
}
+ if (GSS_ERROR(major))
+ zeroAndReleaseBufferSet(dataSet);
return major;
}
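Review bot: `inquireNegoExKey` recognises the verify-key request with an inline 11-byte OID literal that duplicates the table entry added below for `GSS_C_INQ_NEGOEX_VERIFY_KEY`, so the two copies can drift silently; comparing with `oidEqual()` against that table entry's `oid` keeps one source of truth. The ownership rule for the result is also worth stating on `zeroAndReleaseBufferSet`, since it runs only on the error path and on success the caller receives raw key material: `/* error path only: wipes every element before releasing the set; on success the caller owns *dataSet and must zero it */`. Minor style: `i <set->count` is missing the space after `<`.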
{ 12, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06\x01" },
gssEapExportLucidSecContext
},
+ {
+ /* GSS_C_INQ_NEGOEX_KEY */
+ { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06" },
+ inquireNegoExKey
+ },
+ {
+ /* GSS_C_INQ_NEGOEX_VERIFY_KEY */
+ { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07" },
+ inquireNegoExKey
+ },
};
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_inquire_sec_context_by_oid(OM_uint32 *minor,
const gss_ctx_id_t ctx,
const gss_OID desired_object,
GSSEAP_MUTEX_LOCK(&ctx->mutex);
+#if 0
if (!CTX_IS_ESTABLISHED(ctx)) {
*minor = GSSEAP_CONTEXT_INCOMPLETE;
major = GSS_S_NO_CONTEXT;
goto cleanup;
}
+#endif
major = GSS_S_UNAVAILABLE;
*minor = GSSEAP_BAD_CONTEXT_OPTION;
}
}
-cleanup:
GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
return major;
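Review bot: Wrapping the `CTX_IS_ESTABLISHED` check in `#if 0` lifts it for every entry in the ops table, not just the NegoEx key operations that need the key before the exchange completes; `inquireSessionKey` is then gated only by `ctx->encryptionType == ENCTYPE_NULL`, so if the RFC 3961 key is installed before the context is marked established (not shown in this diff) the session key can be returned for an unfinished context. If only the NegoEx operations need early access, keep the guard per operation, e.g. at the top of `inquireSessionKey`: `if (!CTX_IS_ESTABLISHED(ctx)) { *minor = GSSEAP_CONTEXT_INCOMPLETE; return GSS_S_NO_CONTEXT; }`. A one-line comment in place of the `#if 0` saying why the check is disabled would also keep it from being reinstated by accident. The function's head and the table lookup are outside the hunk.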
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_map_name_to_any(OM_uint32 *minor,
gss_name_t name,
int authenticated,
--- /dev/null
+gss_acquire_cred
+gss_add_cred
+gss_add_cred_with_password
+gss_canonicalize_name
+gss_compare_name
+gss_context_time
+gss_delete_sec_context
+gss_display_name
+gss_display_name_ext
+gss_display_status
+gss_duplicate_name
+gss_exchange_meta_data
+gss_export_name
+gss_export_sec_context
+gss_get_mic
+gss_import_name
+gss_import_sec_context
+gss_indicate_mechs
+gss_init_sec_context
+gss_inquire_attrs_for_mech
+gss_inquire_context
+gss_inquire_cred
+gss_inquire_cred_by_mech
+gss_inquire_cred_by_oid
+gss_inquire_mechs_for_name
+gss_inquire_mech_for_saslname
+gss_inquire_names_for_mech
+gss_inquire_saslname_for_mech
+gss_inquire_sec_context_by_oid
+gss_process_context_token
+gss_pseudo_random
+gss_query_mechanism_info
+gss_query_meta_data
+gss_release_cred
+gss_release_name
+gss_internal_release_oid
+gss_set_sec_context_option
+gss_store_cred
+gss_unwrap
+gss_unwrap_iov
+gss_verify_mic
+gss_wrap
+gss_wrap_iov
+gss_wrap_iov_length
+gss_wrap_size_limit
+GSS_EAP_AES128_CTS_HMAC_SHA1_96_MECHANISM
+GSS_EAP_AES256_CTS_HMAC_SHA1_96_MECHANISM
+GSS_EAP_NT_EAP_NAME
+GSS_EAP_CRED_SET_CRED_FLAG
+GSS_EAP_CRED_SET_CRED_PASSWORD
+GSS_EAP_CRED_SET_RADIUS_CONFIG_FILE
+GSS_EAP_CRED_SET_RADIUS_CONFIG_STANZA
+gssspi_acquire_cred_with_password
+gssspi_authorize_localname
+gssspi_set_cred_option
gss_canonicalize_name
gss_compare_name
gss_context_time
+gss_delete_name_attribute
gss_delete_sec_context
gss_display_name
gss_display_name_ext
gss_display_status
gss_duplicate_name
+gss_exchange_meta_data
gss_export_name
gss_export_name_composite
gss_export_sec_context
gss_map_name_to_any
gss_process_context_token
gss_pseudo_random
+gss_query_mechanism_info
+gss_query_meta_data
gss_release_any_name_mapping
gss_release_cred
gss_release_name
GSS_EAP_AES128_CTS_HMAC_SHA1_96_MECHANISM
GSS_EAP_AES256_CTS_HMAC_SHA1_96_MECHANISM
GSS_EAP_NT_EAP_NAME
+GSS_EAP_CRED_SET_CRED_FLAG
+GSS_EAP_CRED_SET_CRED_PASSWORD
+GSS_EAP_CRED_SET_RADIUS_CONFIG_FILE
+GSS_EAP_CRED_SET_RADIUS_CONFIG_STANZA
gssspi_acquire_cred_with_password
gssspi_authorize_localname
gssspi_set_cred_option
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gssspi_mech_invoke(OM_uint32 *minor,
const gss_OID desired_mech,
const gss_OID desired_object,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_process_context_token(OM_uint32 *minor,
gss_ctx_id_t ctx,
gss_buffer_t token_buffer)
#include "gssapiP_eap.h"
OM_uint32
-gss_pseudo_random(OM_uint32 *minor,
- gss_ctx_id_t ctx,
- int prf_key,
- const gss_buffer_t prf_in,
- ssize_t desired_output_len,
- gss_buffer_t prf_out)
+gssEapPseudoRandom(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ int prf_key,
+ const gss_buffer_t prf_in,
+ ssize_t desired_output_len,
+ gss_buffer_t prf_out)
{
krb5_error_code code;
int i;
prf_out->length = 0;
prf_out->value = NULL;
- if (ctx == GSS_C_NO_CONTEXT) {
- *minor = EINVAL;
- return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT;
- }
-
*minor = 0;
- GSSEAP_MUTEX_LOCK(&ctx->mutex);
-
- if (!CTX_IS_ESTABLISHED(ctx)) {
- GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
- *minor = GSSEAP_CONTEXT_INCOMPLETE;
- return GSS_S_NO_CONTEXT;
- }
-
GSSEAP_KRB_INIT(&krbContext);
- t.length = 0;
- t.data = NULL;
-
- ns.length = 0;
- ns.data = NULL;
+ KRB_DATA_INIT(&t);
+ KRB_DATA_INIT(&ns);
if (prf_key != GSS_C_PRF_KEY_PARTIAL &&
prf_key != GSS_C_PRF_KEY_FULL) {
goto cleanup;
}
+#ifndef HAVE_HEIMDAL_VERSION
+ /* Same API, but different allocation rules, unfortunately. */
t.length = prflen;
t.data = GSSEAP_MALLOC(t.length);
if (t.data == NULL) {
code = ENOMEM;
goto cleanup;
}
+#endif
- memcpy(ns.data + 4, prf_in->value, prf_in->length);
+ memcpy((unsigned char *)ns.data + 4, prf_in->value, prf_in->length);
i = 0;
p = (unsigned char *)prf_out->value;
while (desired_output_len > 0) {
}
cleanup:
- GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
-
if (code != 0)
gss_release_buffer(&tmpMinor, prf_out);
- krb5_free_data_contents(krbContext, &ns);
+ if (ns.data != NULL) {
+ memset(ns.data, 0, ns.length);
+ GSSEAP_FREE(ns.data);
+ }
+#ifdef HAVE_HEIMDAL_VERSION
krb5_free_data_contents(krbContext, &t);
+#else
+ if (t.data != NULL) {
+ memset(t.data, 0, t.length);
+ GSSEAP_FREE(t.data);
+ }
+#endif
*minor = code;
return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
+
+OM_uint32 GSSAPI_CALLCONV
+gss_pseudo_random(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ int prf_key,
+ const gss_buffer_t prf_in,
+ ssize_t desired_output_len,
+ gss_buffer_t prf_out)
+{
+ OM_uint32 major;
+
+ if (ctx == GSS_C_NO_CONTEXT) {
+ *minor = EINVAL;
+ return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT;
+ }
+
+ prf_out->length = 0;
+ prf_out->value = NULL;
+
+ *minor = 0;
+
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ if (CTX_IS_ESTABLISHED(ctx)) {
+ major = gssEapPseudoRandom(minor, ctx, prf_key,
+ prf_in, desired_output_len, prf_out);
+ } else {
+ major = GSS_S_NO_CONTEXT;
+ *minor = GSSEAP_CONTEXT_INCOMPLETE;
+ }
+
+ GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+
+ return major;
+}
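Review bot: On the error path `gssEapPseudoRandom` now wipes `ns` and `t` before freeing them, but `prf_out` — which holds the partially derived output — is still released unwiped; for consistency add `if (code != 0 && prf_out->value != NULL) memset(prf_out->value, 0, prf_out->length);` before the existing `gss_release_buffer(&tmpMinor, prf_out);`. Since the mutex and establishment checks moved to the new `gss_pseudo_random` wrapper, the internal function should document its preconditions, e.g. `/* caller must hold ctx->mutex and have checked CTX_IS_ESTABLISHED(ctx) */` above `gssEapPseudoRandom`. The body between the key-usage check and the output loop is outside the hunk.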
--- /dev/null
+/*
+ * Copyright (c) 2011, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ *
+ */
+
+#include "gssapiP_eap.h"
+
+OM_uint32
+gssQueryMechanismInfo(OM_uint32 *minor,
+ gss_const_OID mech_oid,
+ unsigned char auth_scheme[16])
+{
+ OM_uint32 major;
+ krb5_enctype enctype;
+
+ major = gssEapOidToEnctype(minor, (const gss_OID)mech_oid, &enctype);
+ if (GSS_ERROR(major))
+ return major;
+
+ /* the enctype is encoded in the increasing part of the GUID */
+ memcpy(auth_scheme,
+ "\x39\xd7\x7d\x00\xe5\x00\x11\xe0\xac\x64\xcd\x53\x46\x50\xac\xb9", 16);
+
+ auth_scheme[3] = (unsigned char)enctype;
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+gss_query_mechanism_info(OM_uint32 *minor,
+ gss_const_OID mech_oid,
+ unsigned char auth_scheme[16])
+{
+ return gssQueryMechanismInfo(minor, mech_oid, auth_scheme);
+}
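Review bot: `auth_scheme[3] = (unsigned char)enctype;` silently truncates a 32-bit `krb5_enctype` to its low byte, so any enctype above 255 would map onto the same authentication-scheme GUID as a smaller one; the two AES enctypes this mechanism exports fit, but a range check makes the assumption explicit, e.g. `if (enctype < 0 || enctype > 0xFF) return GSS_S_BAD_MECH;` (with a mechanism-specific minor) before the `memcpy`. The empty `/* */` block above the include is a stub that should state the file's purpose, presumably the NegoEx authentication-scheme query for this mechanism, and the comment on the GUID would read better as `/* the enctype is encoded in byte 3 of the GUID's leading (time_low) field */` if that is what "increasing part" means.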
--- /dev/null
+/*
+ * Copyright (c) 2011, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ *
+ */
+
+#include "gssapiP_eap.h"
+
+OM_uint32
+gssEapQueryMetaData(OM_uint32 *minor,
+ gss_const_OID mech GSSEAP_UNUSED,
+ gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ const gss_name_t name,
+ OM_uint32 req_flags GSSEAP_UNUSED,
+ gss_buffer_t meta_data)
+{
+ OM_uint32 major = GSS_S_COMPLETE;
+ int isInitiator = (name != GSS_C_NO_NAME);
+ gss_ctx_id_t ctx = *context_handle;
+
+ meta_data->length = 0;
+ meta_data->value = NULL;
+
+ if (ctx == GSS_C_NO_CONTEXT) {
+ major = gssEapAllocContext(minor, &ctx);
+ if (GSS_ERROR(major))
+ return major;
+
+ if (isInitiator)
+ ctx->flags |= CTX_FLAG_INITIATOR;
+ }
+
+ if (ctx->cred == GSS_C_NO_CREDENTIAL) {
+ if (isInitiator) {
+ major = gssEapResolveInitiatorCred(minor, cred,
+ name, &ctx->cred);
+ } else {
+ major = gssEapAcquireCred(minor,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ GSS_C_NO_OID_SET,
+ GSS_C_ACCEPT,
+ &ctx->cred,
+ NULL,
+ NULL);
+ }
+ }
+
+ if (*context_handle == GSS_C_NO_CONTEXT)
+ *context_handle = ctx;
+
+ return major;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+gss_query_meta_data(OM_uint32 *minor,
+ gss_const_OID mech,
+ gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ const gss_name_t name,
+ OM_uint32 req_flags,
+ gss_buffer_t meta_data)
+{
+ gss_ctx_id_t ctx = *context_handle;
+ OM_uint32 major;
+
+ if (cred != GSS_C_NO_CREDENTIAL)
+ GSSEAP_MUTEX_LOCK(&cred->mutex);
+
+ if (*context_handle != GSS_C_NO_CONTEXT)
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ major = gssEapQueryMetaData(minor, mech, cred, &ctx,
+ name, req_flags, meta_data);
+
+ if (*context_handle != GSS_C_NO_CONTEXT)
+ GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+ else
+ *context_handle = ctx;
+
+ if (cred != GSS_C_NO_CREDENTIAL)
+ GSSEAP_MUTEX_UNLOCK(&cred->mutex);
+
+ return major;
+}
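Review bot: In the acceptor branch of `gssEapQueryMetaData` the caller-supplied `cred` is ignored and a fresh default acceptor credential is acquired into `ctx->cred`, even though `gss_query_meta_data` locks that credential as if it were going to be used; if an acceptor credential passed by the caller is meant to be honoured, the branch should use it (under whatever retain rule the accept path applies) and only fall back to `gssEapAcquireCred` when `cred == GSS_C_NO_CREDENTIAL`. When the context was allocated in this call and credential resolution fails, the new context is still handed back through `*context_handle` alongside the error; if callers are not expected to `gss_delete_sec_context` a handle returned with an error, release it with `gssEapReleaseContext` before returning. The empty `/* */` block above the include should state the file's purpose.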
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_release_any_name_mapping(OM_uint32 *minor,
gss_name_t name,
gss_buffer_t type_id,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_release_cred(OM_uint32 *minor,
gss_cred_id_t *cred_handle)
{
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_release_name(OM_uint32 *minor,
gss_name_t *name)
{
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_internal_release_oid(OM_uint32 *minor,
gss_OID *oid)
{
const gss_OID oid GSSEAP_UNUSED,
const gss_buffer_t buffer)
{
- OM_uint32 major;
+ OM_uint32 major, tmpMinor;
gss_buffer_desc configFileBuffer = GSS_C_EMPTY_BUFFER;
if (buffer != GSS_C_NO_BUFFER && buffer->length != 0) {
return major;
}
- if (cred->radiusConfigFile != NULL)
- GSSEAP_FREE(cred->radiusConfigFile);
-
- cred->radiusConfigFile = (char *)configFileBuffer.value;
+ gss_release_buffer(&tmpMinor, &cred->radiusConfigFile);
+ cred->radiusConfigFile = configFileBuffer;
*minor = 0;
return GSS_S_COMPLETE;
const gss_OID oid GSSEAP_UNUSED,
const gss_buffer_t buffer)
{
- OM_uint32 major;
+ OM_uint32 major, tmpMinor;
gss_buffer_desc configStanzaBuffer = GSS_C_EMPTY_BUFFER;
if (buffer != GSS_C_NO_BUFFER && buffer->length != 0) {
return major;
}
- if (cred->radiusConfigStanza != NULL)
- GSSEAP_FREE(cred->radiusConfigStanza);
-
- cred->radiusConfigStanza = (char *)configStanzaBuffer.value;
+ gss_release_buffer(&tmpMinor, &cred->radiusConfigStanza);
+ cred->radiusConfigStanza = configStanzaBuffer;
*minor = 0;
return GSS_S_COMPLETE;
return GSS_S_COMPLETE;
}
+static OM_uint32
+setCredPassword(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ const gss_OID oid GSSEAP_UNUSED,
+ const gss_buffer_t buffer)
+{
+ return gssEapSetCredPassword(minor, cred, buffer);
+}
+
static struct {
gss_OID_desc oid;
OM_uint32 (*setOption)(OM_uint32 *, gss_cred_id_t cred,
{ 11, "\x2B\x06\x01\x04\x01\xA9\x4A\x16\x03\x03\x03" },
setCredFlag,
},
+ /* 1.3.6.1.4.1.5322.22.3.3.4 */
+ {
+ { 11, "\x2B\x06\x01\x04\x01\xA9\x4A\x16\x03\x03\x04" },
+ setCredPassword,
+ },
};
gss_OID GSS_EAP_CRED_SET_RADIUS_CONFIG_FILE = &setCredOps[0].oid;
gss_OID GSS_EAP_CRED_SET_RADIUS_CONFIG_STANZA = &setCredOps[1].oid;
gss_OID GSS_EAP_CRED_SET_CRED_FLAG = &setCredOps[2].oid;
+gss_OID GSS_EAP_CRED_SET_CRED_PASSWORD = &setCredOps[3].oid;
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gssspi_set_cred_option(OM_uint32 *minor,
gss_cred_id_t *pCred,
const gss_OID desired_object,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_set_name_attribute(OM_uint32 *minor,
gss_name_t name,
int complete,
#include "gssapiP_eap.h"
+#if 0
static struct {
gss_OID_desc oid;
OM_uint32 (*setOption)(OM_uint32 *, gss_ctx_id_t *pCtx,
const gss_OID, const gss_buffer_t);
} setCtxOps[] = {
};
+#endif
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_set_sec_context_option(OM_uint32 *minor,
gss_ctx_id_t *pCtx,
- const gss_OID desired_object,
- const gss_buffer_t value)
+ const gss_OID desired_object GSSEAP_UNUSED,
+ const gss_buffer_t value GSSEAP_UNUSED)
{
OM_uint32 major;
gss_ctx_id_t ctx;
+#if 0
int i;
+#endif
major = GSS_S_UNAVAILABLE;
*minor = GSSEAP_BAD_CONTEXT_OPTION;
if (ctx != GSS_C_NO_CONTEXT)
GSSEAP_MUTEX_LOCK(&ctx->mutex);
+#if 0
for (i = 0; i < sizeof(setCtxOps) / sizeof(setCtxOps[0]); i++) {
if (oidEqual(&setCtxOps[i].oid, desired_object)) {
major = (*setCtxOps[i].setOption)(minor, &ctx,
break;
}
}
+#endif
if (pCtx != NULL && *pCtx == NULL)
*pCtx = ctx;
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_store_cred(OM_uint32 *minor,
const gss_cred_id_t cred,
gss_cred_usage_t input_usage,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_unwrap(OM_uint32 *minor,
gss_ctx_id_t ctx,
gss_buffer_t input_message_buffer,
*qop_state = GSS_C_QOP_DEFAULT;
header = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
- assert(header != NULL);
+ GSSEAP_ASSERT(header != NULL);
padding = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
if (padding != NULL && padding->buffer.length != 0) {
goto defective;
seqnum = load_uint64_be(ptr + 8);
- code = gssEapVerify(krbContext, ctx->checksumType, 0,
+ /*
+ * Although MIC tokens don't have a RRC, they are similarly
+ * composed of a header and a checksum. So the verify_mic()
+ * can be implemented with a single header buffer, fake the
+ * RRC to the putative trailer length if no trailer buffer.
+ */
+ code = gssEapVerify(krbContext, ctx->checksumType,
+ trailer != NULL ? 0 : header->buffer.length - 16,
KRB_CRYPTO_CONTEXT(ctx), keyUsage,
iov, iov_count, &valid);
if (code != 0 || valid == FALSE) {
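Review bot: The faked RRC `header->buffer.length - 16` is computed in unsigned arithmetic, so a header shorter than 16 bytes would wrap to a huge value; the `load_uint64_be(ptr + 8)` just above suggests an earlier length check exists, but it is outside the hunk, so the dependency should be stated next to the new comment, e.g. `/* header->buffer.length >= 16 is guaranteed by the token-length check above */`. If that guarantee does not hold on the MIC path, add `if (header->buffer.length < 16) goto defective;` before the call.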
GSSEAP_KRB_INIT(&krbContext);
- assert(toktype == TOK_TYPE_WRAP);
+ GSSEAP_ASSERT(toktype == TOK_TYPE_WRAP);
if (toktype != TOK_TYPE_WRAP) {
code = GSSEAP_WRONG_TOK_ID;
}
stream = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_STREAM);
- assert(stream != NULL);
+ GSSEAP_ASSERT(stream != NULL);
if (stream->buffer.length < 16) {
major = GSS_S_DEFECTIVE_TOKEN;
}
ptr = (unsigned char *)stream->buffer.value;
- ptr += 2; /*skip token type*/
+ ptr += 2; /* skip token type */
tiov = (gss_iov_buffer_desc *)GSSEAP_CALLOC((size_t)iov_count + 2,
sizeof(gss_iov_buffer_desc));
tdata->buffer.length = stream->buffer.length - ttrailer->buffer.length -
tpadding->buffer.length - theader->buffer.length;
- assert(data != NULL);
+ GSSEAP_ASSERT(data != NULL);
if (data->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
code = gssEapAllocIov(tdata, tdata->buffer.length);
theader->buffer.length;
}
- assert(i <= iov_count + 2);
+ GSSEAP_ASSERT(i <= iov_count + 2);
major = unwrapToken(&code, ctx, KRB_CRYPTO_CONTEXT(ctx),
conf_state, qop_state, tiov, i, toktype);
return major;
}
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_unwrap_iov(OM_uint32 *minor,
gss_ctx_id_t ctx,
int *conf_state,
#ifndef _UTIL_H_
#define _UTIL_H_ 1
+#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h>
+#endif
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
#include <string.h>
#include <errno.h>
#include <krb5.h>
+#ifdef WIN32
+#define inline __inline
+#define snprintf _snprintf
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
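Review bot: `#define snprintf _snprintf` is not a drop-in replacement: MSVC's `_snprintf` does not NUL-terminate the buffer when the output is truncated and returns -1 instead of the required length, so any caller written against C99 semantics can end up with an unterminated string. Prefer `_snprintf_s(buf, size, _TRUNCATE, ...)` or a small wrapper around `_vsnprintf` that always writes `buf[size - 1] = '\0'`, and add a comment stating which semantics callers may rely on.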
#define MIN(_a,_b) ((_a)<(_b)?(_a):(_b))
#endif
-#if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
-#define GSSEAP_UNUSED __attribute__ ((__unused__))
+#if !defined(WIN32) && !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
+#define GSSEAP_UNUSED __attribute__ ((__unused__))
#else
#define GSSEAP_UNUSED
#endif
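Review bot: The new condition mixes `&&` and `||` without parentheses, so it reads as `(!defined(WIN32) && !defined(__cplusplus)) || (GCC >= 3.4)`; it happens to work because `__GNUC__` expands to 0 on MSVC and GCC accepts the attribute on Windows, but the intent is not readable. If the intent is "not Windows, and either C or a GCC new enough for the attribute", write it as `#if !defined(WIN32) && (!defined(__cplusplus) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)))`.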
const char *string,
gss_buffer_t buffer);
+#define makeStringBufferOrCleanup(src, dst) \
+ do { \
+ major = makeStringBuffer((minor), (src), (dst));\
+ if (GSS_ERROR(major)) \
+ goto cleanup; \
+ } while (0)
+
OM_uint32
bufferToString(OM_uint32 *minor,
const gss_buffer_t buffer,
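Review bot: `makeStringBufferOrCleanup` (and `duplicateBufferOrCleanup` in the next hunk) silently depend on an `OM_uint32 major`, an `OM_uint32 *minor` parameter and a `cleanup:` label in the enclosing function, none of which appear in the macro's arguments; a comment above each macro, e.g. `/* requires OM_uint32 major, OM_uint32 *minor and a cleanup: label in the caller */`, would save the next user a compile error with an unhelpful message.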
const gss_buffer_t src,
gss_buffer_t dst);
+#define duplicateBufferOrCleanup(src, dst) \
+ do { \
+ major = duplicateBuffer((minor), (src), (dst)); \
+ if (GSS_ERROR(major)) \
+ goto cleanup; \
+ } while (0)
+
static inline int
bufferEqual(const gss_buffer_t b1, const gss_buffer_t b2)
{
#define ITOK_TYPE_MASK (~(ITOK_FLAG_CRITICAL | ITOK_FLAG_VERIFIED))
-#define GSSEAP_WIRE_FLAGS_MASK GSS_C_MUTUAL_FLAG
+#define GSSEAP_WIRE_FLAGS_MASK ( GSS_C_MUTUAL_FLAG | \
+ GSS_C_DCE_STYLE | \
+ GSS_C_IDENTIFY_FLAG | \
+ GSS_C_EXTENDED_ERROR_FLAG )
OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
+gss_OID
+gssEapPrimaryMechForCred(gss_cred_id_t cred);
+
OM_uint32
gssEapAcquireCred(OM_uint32 *minor,
const gss_name_t desiredName,
- const gss_buffer_t password,
OM_uint32 timeReq,
const gss_OID_set desiredMechs,
int cred_usage,
gss_OID_set *pActualMechs,
OM_uint32 *timeRec);
+OM_uint32
+gssEapSetCredPassword(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ const gss_buffer_t password);
+
+OM_uint32
+gssEapSetCredService(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ const gss_name_t target);
+
+OM_uint32
+gssEapResolveInitiatorCred(OM_uint32 *minor,
+ const gss_cred_id_t cred,
+ const gss_name_t target,
+ gss_cred_id_t *resolvedCred);
+
int gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech);
OM_uint32
krb5_keyblock *pKey);
/* util_krb.c */
+
+#ifndef KRB_MALLOC
+/*
+ * If your Kerberos library uses a different allocator to your
+ * GSS mechanism glue, then you might wish to define these in
+ * config.h or elsewhere. This should eventually go away when
+ * we no longer need to allocate memory that is freed by the
+ * Kerberos library.
+ */
+#define KRB_CALLOC calloc
+#define KRB_MALLOC malloc
+#define KRB_FREE free
+#define KRB_REALLOC realloc
+#endif /* KRB_MALLOC */
+
#ifdef HAVE_HEIMDAL_VERSION
#define KRB_TIME_FOREVER ((time_t)~0L)
#define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto)
+#define KRB_DATA_INIT(d) krb5_data_zero((d))
+
#else
#define KRB_TIME_FOREVER KRB5_INT32_MAX
#define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key)
+#define KRB_DATA_INIT(d) do { \
+ (d)->magic = KV5M_DATA; \
+ (d)->length = 0; \
+ (d)->data = NULL; \
+ } while (0)
+
#endif /* HAVE_HEIMDAL_VERSION */
#define KRB_KEY_INIT(key) do { \
gss_OID
gssEapSaslNameToOid(const gss_buffer_t name);
+/* util_moonshot.c */
+OM_uint32
+libMoonshotResolveDefaultIdentity(OM_uint32 *minor,
+ const gss_cred_id_t cred,
+ gss_name_t *pName);
+
+OM_uint32
+libMoonshotResolveInitiatorCred(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ const gss_name_t targetName);
+
/* util_name.c */
#define EXPORT_NAME_FLAG_OID 0x1
#define EXPORT_NAME_FLAG_COMPOSITE 0x2
/* Helper macros */
+#ifndef GSSEAP_MALLOC
#define GSSEAP_CALLOC calloc
#define GSSEAP_MALLOC malloc
#define GSSEAP_FREE free
#define GSSEAP_REALLOC realloc
+#endif
+
+#ifndef GSSAPI_CALLCONV
+#define GSSAPI_CALLCONV KRB5_CALLCONV
+#endif
+
+#ifndef GSSEAP_ASSERT
+#include <assert.h>
+#define GSSEAP_ASSERT(x) assert((x))
+#endif /* !GSSEAP_ASSERT */
+
+#ifdef WIN32
+#define GSSEAP_CONSTRUCTOR
+#define GSSEAP_DESTRUCTOR
+#else
+#define GSSEAP_CONSTRUCTOR __attribute__((constructor))
+#define GSSEAP_DESTRUCTOR __attribute__((destructor))
+#endif
#define GSSEAP_NOT_IMPLEMENTED do { \
- assert(0 && "not implemented"); \
+ GSSEAP_ASSERT(0 && "not implemented"); \
*minor = ENOSYS; \
return GSS_S_FAILURE; \
} while (0)
+#ifdef WIN32
+
+#include <winbase.h>
+
+#define GSSEAP_GET_LAST_ERROR() (GetLastError()) /* XXX FIXME */
+
+#define GSSEAP_MUTEX CRITICAL_SECTION
+#define GSSEAP_MUTEX_INIT(m) (InitializeCriticalSection((m)), 0)
+#define GSSEAP_MUTEX_DESTROY(m) DeleteCriticalSection((m))
+#define GSSEAP_MUTEX_LOCK(m) EnterCriticalSection((m))
+#define GSSEAP_MUTEX_UNLOCK(m) LeaveCriticalSection((m))
+#define GSSEAP_ONCE_LEAVE do { return TRUE; } while (0)
+
+/* Thread-local is handled separately */
+
+#define GSSEAP_THREAD_ONCE INIT_ONCE
+#define GSSEAP_ONCE_CALLBACK(cb) BOOL CALLBACK cb(PINIT_ONCE InitOnce, PVOID Parameter, PVOID *Context)
+#define GSSEAP_ONCE(o, i) InitOnceExecuteOnce((o), (i), NULL, NULL)
+#define GSSEAP_ONCE_INITIALIZER INIT_ONCE_STATIC_INIT
+
+#else
+
#include <pthread.h>
-#define GSSEAP_MUTEX pthread_mutex_t
-#define GSSEAP_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
+#define GSSEAP_GET_LAST_ERROR() (errno)
+#define GSSEAP_MUTEX pthread_mutex_t
#define GSSEAP_MUTEX_INIT(m) pthread_mutex_init((m), NULL)
#define GSSEAP_MUTEX_DESTROY(m) pthread_mutex_destroy((m))
#define GSSEAP_MUTEX_LOCK(m) pthread_mutex_lock((m))
#define GSSEAP_SETSPECIFIC(k, d) pthread_setspecific((k), (d))
#define GSSEAP_THREAD_ONCE pthread_once_t
+#define GSSEAP_ONCE_CALLBACK(cb) void cb(void)
#define GSSEAP_ONCE(o, i) pthread_once((o), (i))
#define GSSEAP_ONCE_INITIALIZER PTHREAD_ONCE_INIT
+#define GSSEAP_ONCE_LEAVE do { } while (0)
+
+#endif /* WIN32 */
/* Helper functions */
static inline void
data->length = buffer->length;
}
+/* util_tld.c */
+struct gss_eap_status_info;
+
+struct gss_eap_thread_local_data {
+ krb5_context krbContext;
+ struct gss_eap_status_info *statusInfo;
+};
+
+struct gss_eap_thread_local_data *
+gssEapGetThreadLocalData(void);
+
+void
+gssEapDestroyStatusInfo(struct gss_eap_status_info *status);
+
+void
+gssEapDestroyKrbContext(krb5_context context);
+
#ifdef __cplusplus
}
#endif
+#ifdef GSSEAP_ENABLE_ACCEPTOR
#include "util_json.h"
#include "util_attr.h"
#include "util_base64.h"
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
#ifdef GSSEAP_ENABLE_REAUTH
#include "util_reauth.h"
#endif
krb5_free_data_contents(kcontext, &radius_ad->avpdata);
radius_ad->verified = FALSE;
- assert(authdata[0] != NULL);
+ GSSEAP_ASSERT(authdata[0] != NULL);
radius_ad->avpdata.data = GSSEAP_MALLOC(authdata[0]->length);
if (radius_ad->avpdata.data == NULL)
static GSSEAP_THREAD_ONCE gssEapAttrProvidersInitOnce = GSSEAP_ONCE_INITIALIZER;
static OM_uint32 gssEapAttrProvidersInitStatus = GSS_S_UNAVAILABLE;
-static void
-gssEapAttrProvidersInitInternal(void)
+GSSEAP_ONCE_CALLBACK(gssEapAttrProvidersInitInternal)
{
OM_uint32 major, minor;
- assert(gssEapAttrProvidersInitStatus == GSS_S_UNAVAILABLE);
+ GSSEAP_ASSERT(gssEapAttrProvidersInitStatus == GSS_S_UNAVAILABLE);
+
+ json_set_alloc_funcs(GSSEAP_MALLOC, GSSEAP_FREE);
major = gssEapRadiusAttrProviderInit(&minor);
if (GSS_ERROR(major))
goto cleanup;
+#ifdef HAVE_OPENSAML
major = gssEapSamlAttrProvidersInit(&minor);
if (GSS_ERROR(major))
goto cleanup;
+#endif
+#ifdef HAVE_SHIBRESOLVER
/* Allow Shibboleth initialization failure to be non-fatal */
gssEapLocalAttrProviderInit(&minor);
+#endif
cleanup:
#ifdef GSSEAP_DEBUG
- assert(major == GSS_S_COMPLETE);
+ GSSEAP_ASSERT(major == GSS_S_COMPLETE);
#endif
gssEapAttrProvidersInitStatus = major;
+
+ GSSEAP_ONCE_LEAVE;
}
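Review bot: `json_set_alloc_funcs(GSSEAP_MALLOC, GSSEAP_FREE)` at L3981 is a process-global jansson setting made from inside a GSS mechanism, so it silently overrides whatever allocator the hosting application or another loaded mechanism installed, and any `json_t` they created before this point would later be released through a different free(). With the defaults from util.h this is a no-op (both macros expand to malloc/free), which is the only reason it is safe today; that assumption should be stated, e.g. `/* NOTE: process-wide jansson setting; harmless only while GSSEAP_MALLOC/FREE are plain malloc/free */`, and the call should be skipped when the macros are the defaults so a custom allocator in config.h does not become a cross-library hazard.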
static OM_uint32
OM_uint32
gssEapAttrProvidersFinalize(OM_uint32 *minor)
{
- OM_uint32 major = GSS_S_COMPLETE;
-
if (gssEapAttrProvidersInitStatus == GSS_S_COMPLETE) {
- major = gssEapLocalAttrProviderFinalize(minor);
- if (major == GSS_S_COMPLETE)
- major = gssEapSamlAttrProvidersFinalize(minor);
- if (major == GSS_S_COMPLETE)
- major = gssEapRadiusAttrProviderFinalize(minor);
+#ifdef HAVE_SHIBRESOLVER
+ gssEapLocalAttrProviderFinalize(minor);
+#endif
+#ifdef HAVE_OPENSAML
+ gssEapSamlAttrProvidersFinalize(minor);
+#endif
+ gssEapRadiusAttrProviderFinalize(minor);
gssEapAttrProvidersInitStatus = GSS_S_UNAVAILABLE;
}
- return major;
+ return GSS_S_COMPLETE;
}
static gss_eap_attr_create_provider gssEapAttrFactories[ATTR_TYPE_MAX + 1];
gss_eap_attr_ctx::registerProvider(unsigned int type,
gss_eap_attr_create_provider factory)
{
- assert(type <= ATTR_TYPE_MAX);
+ GSSEAP_ASSERT(type <= ATTR_TYPE_MAX);
- assert(gssEapAttrFactories[type] == NULL);
+ GSSEAP_ASSERT(gssEapAttrFactories[type] == NULL);
gssEapAttrFactories[type] = factory;
}
void
gss_eap_attr_ctx::unregisterProvider(unsigned int type)
{
- assert(type <= ATTR_TYPE_MAX);
+ GSSEAP_ASSERT(type <= ATTR_TYPE_MAX);
gssEapAttrFactories[type] = NULL;
}
gss_eap_attr_provider *
gss_eap_attr_ctx::getProvider(unsigned int type) const
{
- assert(type >= ATTR_TYPE_MIN && type <= ATTR_TYPE_MAX);
+ GSSEAP_ASSERT(type >= ATTR_TYPE_MIN && type <= ATTR_TYPE_MAX);
return m_providers[type];
}
}
cleanup:
- assert(GSS_ERROR(major));
+ GSSEAP_ASSERT(GSS_ERROR(major));
return major;
}
gss_eap_attr_ctx *ctx = NULL;
OM_uint32 major = GSS_S_FAILURE;
- assert(name->attrCtx == NULL);
+ GSSEAP_ASSERT(name->attrCtx == NULL);
if (GSS_ERROR(gssEapAttrProvidersInit(minor)))
return GSS_S_UNAVAILABLE;
major = ctx->mapException(minor, e);
}
- assert(major == GSS_S_COMPLETE || name->attrCtx == NULL);
+ GSSEAP_ASSERT(major == GSS_S_COMPLETE || name->attrCtx == NULL);
if (GSS_ERROR(major))
delete ctx;
gss_eap_attr_ctx *ctx = NULL;
OM_uint32 major = GSS_S_FAILURE;
- assert(out->attrCtx == NULL);
+ GSSEAP_ASSERT(out->attrCtx == NULL);
if (in->attrCtx == NULL) {
*minor = 0;
major = in->attrCtx->mapException(minor, e);
}
- assert(major == GSS_S_COMPLETE || out->attrCtx == NULL);
+ GSSEAP_ASSERT(major == GSS_S_COMPLETE || out->attrCtx == NULL);
if (GSS_ERROR(major))
delete ctx;
gss_eap_attr_ctx *ctx = NULL;
OM_uint32 major;
- assert(gssCtx != GSS_C_NO_CONTEXT);
+ GSSEAP_ASSERT(gssCtx != GSS_C_NO_CONTEXT);
*pAttrContext = NULL;
void *data);
#define ATTR_TYPE_RADIUS 0U /* RADIUS AVPs */
+#ifdef HAVE_OPENSAML
#define ATTR_TYPE_SAML_ASSERTION 1U /* SAML assertion */
#define ATTR_TYPE_SAML 2U /* SAML attributes */
+#endif
#define ATTR_TYPE_LOCAL 3U /* Local attributes */
#define ATTR_TYPE_MIN ATTR_TYPE_RADIUS
#define ATTR_TYPE_MAX ATTR_TYPE_LOCAL
return code;
header = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
- assert(header != NULL);
+ GSSEAP_ASSERT(header != NULL);
trailer = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
- assert(rrc != 0 || trailer != NULL);
+ GSSEAP_ASSERT(rrc != 0 || trailer != NULL);
if (trailer == NULL) {
if (rrc != k5_checksumlen)
OM_uint32 tmpMinor;
gss_ctx_id_t ctx;
- assert(*pCtx == GSS_C_NO_CONTEXT);
+ GSSEAP_ASSERT(*pCtx == GSS_C_NO_CONTEXT);
ctx = (gss_ctx_id_t)GSSEAP_CALLOC(1, sizeof(*ctx));
if (ctx == NULL) {
}
if (GSSEAP_MUTEX_INIT(&ctx->mutex) != 0) {
- *minor = errno;
+ *minor = GSSEAP_GET_LAST_ERROR();
gssEapReleaseContext(&tmpMinor, &ctx);
return GSS_S_FAILURE;
}
ctx->state = GSSEAP_STATE_INITIAL;
+ ctx->mechanismUsed = GSS_C_NO_OID;
/*
* Integrity, confidentiality, sequencing and replay detection are
eap_peer_sm_deinit(ctx->eap);
}
+#ifdef GSSEAP_ENABLE_ACCEPTOR
static void
releaseAcceptorContext(struct gss_eap_acceptor_ctx *ctx)
{
if (ctx->vps != NULL)
gssEapRadiusFreeAvps(&tmpMinor, &ctx->vps);
}
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
OM_uint32
gssEapReleaseContext(OM_uint32 *minor,
if (ctx->flags & CTX_FLAG_KRB_REAUTH) {
gssDeleteSecContext(&tmpMinor, &ctx->reauthCtx, GSS_C_NO_BUFFER);
} else
-#endif
+#endif /* GSSEAP_ENABLE_REAUTH */
if (CTX_IS_INITIATOR(ctx)) {
releaseInitiatorContext(&ctx->initiatorCtx);
- } else {
+ }
+#ifdef GSSEAP_ENABLE_ACCEPTOR
+ else {
releaseAcceptorContext(&ctx->acceptorCtx);
}
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
krb5_free_keyblock_contents(krbContext, &ctx->rfc3961Key);
gssEapReleaseName(&tmpMinor, &ctx->initiatorName);
gssEapReleaseName(&tmpMinor, &ctx->acceptorName);
gssEapReleaseOid(&tmpMinor, &ctx->mechanismUsed);
sequenceFree(&tmpMinor, &ctx->seqState);
- gssEapReleaseCred(&tmpMinor, &ctx->defaultCred);
+ gssEapReleaseCred(&tmpMinor, &ctx->cred);
GSSEAP_MUTEX_DESTROY(&ctx->mutex);
{
unsigned char *p;
+ GSSEAP_ASSERT(ctx->mechanismUsed != GSS_C_NO_OID);
+
outputToken->length = tokenSize(ctx->mechanismUsed, innerToken->length);
outputToken->value = GSSEAP_MALLOC(outputToken->length);
if (outputToken->value == NULL) {
tokens = verifyMIC ? ctx->inputTokens : ctx->outputTokens;
- assert(tokens != NULL);
+ GSSEAP_ASSERT(tokens != NULL);
iov = GSSEAP_CALLOC(2 + (3 * tokens->buffers.count) + 1, sizeof(*iov));
if (iov == NULL) {
}
/* Mechanism OID */
- assert(ctx->mechanismUsed != GSS_C_NO_OID);
+ GSSEAP_ASSERT(ctx->mechanismUsed != GSS_C_NO_OID);
iov[i].type = GSS_IOV_BUFFER_TYPE_DATA;
iov[i].buffer.length = ctx->mechanismUsed->length;
iov[i].buffer.value = ctx->mechanismUsed->elements;
}
if (verifyMIC) {
- assert(tokenMIC->length >= 16);
+ GSSEAP_ASSERT(tokenMIC->length >= 16);
- assert(i < 2 + (3 * tokens->buffers.count));
+ GSSEAP_ASSERT(i < 2 + (3 * tokens->buffers.count));
iov[i].type = GSS_IOV_BUFFER_TYPE_HEADER;
- iov[i].buffer.length = 16;
- iov[i].buffer.value = tokenMIC->value;
- i++;
-
- iov[i].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- iov[i].buffer.length = tokenMIC->length - 16;
- iov[i].buffer.value = (unsigned char *)tokenMIC->value + 16;
+ iov[i].buffer = *tokenMIC;
i++;
major = gssEapUnwrapOrVerifyMIC(minor, ctx, NULL, NULL,
#include "gssapiP_eap.h"
-#include <pwd.h>
+#ifdef WIN32
+# include <shlobj.h> /* may need to use ShFolder.h instead */
+# include <stdio.h>
+#else
+# include <pwd.h>
+#endif
OM_uint32
gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred)
}
if (GSSEAP_MUTEX_INIT(&cred->mutex) != 0) {
- *minor = errno;
+ *minor = GSSEAP_GET_LAST_ERROR();
gssEapReleaseCred(&tmpMinor, &cred);
return GSS_S_FAILURE;
}
return GSS_S_COMPLETE;
}
+static void
+zeroAndReleasePassword(gss_buffer_t password)
+{
+ if (password->value != NULL) {
+ memset(password->value, 0, password->length);
+ GSSEAP_FREE(password->value);
+ }
+
+ password->value = NULL;
+ password->length = 0;
+}
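Review bot: The `memset(password->value, 0, password->length)` immediately followed by `GSSEAP_FREE(password->value)` in `zeroAndReleasePassword` is the classic dead-store pattern that optimising compilers may legally drop, so the password can survive in freed heap memory. Use a scrub that cannot be elided — `explicit_bzero`/`SecureZeroMemory` where available, otherwise a volatile-pointer loop — behind one macro in util.h (say `GSSEAP_SECURE_ZERO(p, n)`) and call that here; the same macro is needed for the `memset(buf, 0, sizeof(buf))` on the stack buffer in readStaticIdentityFile, which holds the password line after it is read.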
+
OM_uint32
gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred)
{
GSSEAP_KRB_INIT(&krbContext);
gssEapReleaseName(&tmpMinor, &cred->name);
+ gssEapReleaseName(&tmpMinor, &cred->target);
- if (cred->password.value != NULL) {
- memset(cred->password.value, 0, cred->password.length);
- GSSEAP_FREE(cred->password.value);
- }
+ zeroAndReleasePassword(&cred->password);
- if (cred->radiusConfigFile != NULL)
- GSSEAP_FREE(cred->radiusConfigFile);
- if (cred->radiusConfigStanza != NULL)
- GSSEAP_FREE(cred->radiusConfigStanza);
+ gss_release_buffer(&tmpMinor, &cred->radiusConfigFile);
+ gss_release_buffer(&tmpMinor, &cred->radiusConfigStanza);
+ gss_release_buffer(&tmpMinor, &cred->caCertificate);
+ gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint);
+ gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint);
#ifdef GSSEAP_ENABLE_REAUTH
if (cred->krbCredCache != NULL) {
}
static OM_uint32
-readDefaultIdentityAndCreds(OM_uint32 *minor,
- gss_buffer_t defaultIdentity,
- gss_buffer_t defaultCreds)
+readStaticIdentityFile(OM_uint32 *minor,
+ gss_buffer_t defaultIdentity,
+ gss_buffer_t defaultPassword)
{
OM_uint32 major, tmpMinor;
FILE *fp = NULL;
- char pwbuf[BUFSIZ], buf[BUFSIZ];
+ char buf[BUFSIZ];
char *ccacheName;
+ int i = 0;
+#ifndef WIN32
struct passwd *pw = NULL, pwd;
+ char pwbuf[BUFSIZ];
+#endif
defaultIdentity->length = 0;
defaultIdentity->value = NULL;
- defaultCreds->length = 0;
- defaultCreds->value = NULL;
+ if (defaultPassword != GSS_C_NO_BUFFER) {
+ defaultPassword->length = 0;
+ defaultPassword->value = NULL;
+ }
ccacheName = getenv("GSSEAP_IDENTITY");
if (ccacheName == NULL) {
+#ifdef WIN32
+ TCHAR szPath[MAX_PATH];
+
+ if (!SUCCEEDED(SHGetFolderPath(NULL,
+ CSIDL_APPDATA, /* |CSIDL_FLAG_CREATE */
+ NULL, /* User access token */
+ 0, /* SHGFP_TYPE_CURRENT */
+ szPath))) {
+ major = GSS_S_CRED_UNAVAIL;
+ *minor = GSSEAP_GET_LAST_ERROR(); /* XXX */
+ goto cleanup;
+ }
+
+ snprintf(buf, sizeof(buf), "%s/.gss_eap_id", szPath);
+#else
if (getpwuid_r(getuid(), &pwd, pwbuf, sizeof(pwbuf), &pw) != 0 ||
pw == NULL || pw->pw_dir == NULL) {
major = GSS_S_CRED_UNAVAIL;
- *minor = errno;
+ *minor = GSSEAP_GET_LAST_ERROR();
goto cleanup;
}
snprintf(buf, sizeof(buf), "%s/.gss_eap_id", pw->pw_dir);
+#endif /* WIN32 */
ccacheName = buf;
}
break;
}
- if (defaultIdentity->value == NULL)
+ if (i == 0)
dst = defaultIdentity;
- else if (defaultCreds->value == NULL)
- dst = defaultCreds;
+ else if (i == 1)
+ dst = defaultPassword;
else
break;
- major = duplicateBuffer(minor, &src, dst);
- if (GSS_ERROR(major))
- goto cleanup;
+ if (dst != GSS_C_NO_BUFFER) {
+ major = duplicateBuffer(minor, &src, dst);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ i++;
}
if (defaultIdentity->length == 0) {
if (GSS_ERROR(major)) {
gss_release_buffer(&tmpMinor, defaultIdentity);
- gss_release_buffer(&tmpMinor, defaultCreds);
+ zeroAndReleasePassword(defaultPassword);
}
+ memset(buf, 0, sizeof(buf));
+
return major;
}
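Review bot: On the WIN32 branch `szPath` is a `TCHAR[MAX_PATH]` but is formatted with `%s` through the narrow `snprintf` that util.h maps to `_snprintf`; in a UNICODE build `SHGetFolderPath` resolves to the wide variant and `%s` will read the `wchar_t` string as `char`, yielding a one-character path. Declare `char szPath[MAX_PATH]` and call `SHGetFolderPathA` explicitly, and on both branches check the `snprintf` result for truncation, because `_snprintf` does not NUL-terminate when it truncates. The closing `memset(buf, 0, sizeof(buf))` is the right instinct since `buf` has held the password line, but as the last write to a dying stack array it is eligible for dead-store elimination and needs an `explicit_bzero`/`SecureZeroMemory`-style scrub to be effective. The line-reading loop of this function is only partly visible here.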
+gss_OID
+gssEapPrimaryMechForCred(gss_cred_id_t cred)
+{
+ gss_OID nameMech = GSS_C_NO_OID;
+
+ if (cred->mechanisms != GSS_C_NO_OID_SET &&
+ cred->mechanisms->count == 1)
+ nameMech = &cred->mechanisms->elements[0];
+
+ return nameMech;
+}
+
OM_uint32
gssEapAcquireCred(OM_uint32 *minor,
const gss_name_t desiredName,
- const gss_buffer_t password,
OM_uint32 timeReq GSSEAP_UNUSED,
const gss_OID_set desiredMechs,
int credUsage,
{
OM_uint32 major, tmpMinor;
gss_cred_id_t cred;
- gss_buffer_desc defaultIdentity = GSS_C_EMPTY_BUFFER;
- gss_name_t defaultIdentityName = GSS_C_NO_NAME;
- gss_buffer_desc defaultCreds = GSS_C_EMPTY_BUFFER;
- gss_OID nameMech = GSS_C_NO_OID;
/* XXX TODO validate with changed set_cred_option API */
*pCred = GSS_C_NO_CREDENTIAL;
if (GSS_ERROR(major))
goto cleanup;
- if (cred->mechanisms != GSS_C_NO_OID_SET &&
- cred->mechanisms->count == 1)
- nameMech = &cred->mechanisms->elements[0];
-
- if (cred->flags & CRED_FLAG_INITIATE) {
- major = readDefaultIdentityAndCreds(minor, &defaultIdentity, &defaultCreds);
- if (major == GSS_S_COMPLETE) {
- major = gssEapImportName(minor, &defaultIdentity, GSS_C_NT_USER_NAME,
- nameMech, &defaultIdentityName);
- if (GSS_ERROR(major))
- goto cleanup;
- } else if (major != GSS_S_CRED_UNAVAIL)
- goto cleanup;
- }
-
if (desiredName != GSS_C_NO_NAME) {
GSSEAP_MUTEX_LOCK(&desiredName->mutex);
}
GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
-
- if (defaultIdentityName != GSS_C_NO_NAME) {
- int nameEqual;
-
- major = gssEapCompareName(minor, desiredName,
- defaultIdentityName, &nameEqual);
- if (GSS_ERROR(major))
- goto cleanup;
- else if (nameEqual)
- cred->flags |= CRED_FLAG_DEFAULT_IDENTITY;
- }
- } else {
- if (cred->flags & CRED_FLAG_ACCEPT) {
- gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
- char serviceName[5 + MAXHOSTNAMELEN];
-
- /* default host-based service is host@localhost */
- memcpy(serviceName, "host@", 5);
- if (gethostname(&serviceName[5], MAXHOSTNAMELEN) != 0) {
- major = GSS_S_FAILURE;
- *minor = GSSEAP_NO_HOSTNAME;
- goto cleanup;
- }
-
- nameBuf.value = serviceName;
- nameBuf.length = strlen((char *)nameBuf.value);
-
- major = gssEapImportName(minor, &nameBuf, GSS_C_NT_HOSTBASED_SERVICE,
- nameMech, &cred->name);
- if (GSS_ERROR(major))
- goto cleanup;
- } else if (cred->flags & CRED_FLAG_INITIATE) {
- if (defaultIdentityName == GSS_C_NO_NAME) {
- major = GSS_S_CRED_UNAVAIL;
- *minor = GSSEAP_NO_DEFAULT_IDENTITY;
- goto cleanup;
- }
-
- cred->name = defaultIdentityName;
- defaultIdentityName = GSS_C_NO_NAME;
- }
- cred->flags |= CRED_FLAG_DEFAULT_IDENTITY;
}
- assert(cred->name != GSS_C_NO_NAME);
+#ifdef GSSEAP_ENABLE_ACCEPTOR
+ if (cred->flags & CRED_FLAG_ACCEPT) {
+ struct rs_context *radContext;
- if (password != GSS_C_NO_BUFFER) {
- major = duplicateBuffer(minor, password, &cred->password);
+ major = gssEapCreateRadiusContext(minor, cred, &radContext);
if (GSS_ERROR(major))
goto cleanup;
- cred->flags |= CRED_FLAG_PASSWORD;
- } else if (defaultCreds.value != NULL &&
- (cred->flags & CRED_FLAG_DEFAULT_IDENTITY)) {
- cred->password = defaultCreds;
-
- defaultCreds.length = 0;
- defaultCreds.value = NULL;
-
- cred->flags |= CRED_FLAG_PASSWORD;
- } else if (cred->flags & CRED_FLAG_INITIATE) {
- /*
- * OK, here we need to ask the supplicant if we have creds or it
- * will acquire them, so GS2 can know whether to prompt for a
- * password or not.
- */
-#if 0
- && !gssEapCanReauthP(cred, GSS_C_NO_NAME, timeReq)
-#endif
- major = GSS_S_CRED_UNAVAIL;
- *minor = GSSEAP_NO_DEFAULT_CRED;
- goto cleanup;
+ rs_context_destroy(radContext);
}
+#endif
if (pActualMechs != NULL) {
major = duplicateOidSet(minor, cred->mechanisms, pActualMechs);
cleanup:
if (GSS_ERROR(major))
gssEapReleaseCred(&tmpMinor, &cred);
- gssEapReleaseName(&tmpMinor, &defaultIdentityName);
- gss_release_buffer(&tmpMinor, &defaultIdentity);
- if (defaultCreds.value != NULL) {
- memset(defaultCreds.value, 0, defaultCreds.length);
- gss_release_buffer(&tmpMinor, &defaultCreds);
- }
return major;
}
OM_uint32 minor;
int present = 0;
- assert(mech != GSS_C_NO_OID);
+ GSSEAP_ASSERT(mech != GSS_C_NO_OID);
if (cred == GSS_C_NO_CREDENTIAL || cred->mechanisms == GSS_C_NO_OID_SET)
return TRUE;
return present;
}
+static OM_uint32
+staticIdentityFileResolveDefaultIdentity(OM_uint32 *minor,
+ const gss_cred_id_t cred,
+ gss_name_t *pName)
+{
+ OM_uint32 major, tmpMinor;
+ gss_OID nameMech = gssEapPrimaryMechForCred(cred);
+ gss_buffer_desc defaultIdentity = GSS_C_EMPTY_BUFFER;
+
+ *pName = GSS_C_NO_NAME;
+
+ major = readStaticIdentityFile(minor, &defaultIdentity, GSS_C_NO_BUFFER);
+ if (major == GSS_S_COMPLETE) {
+ major = gssEapImportName(minor, &defaultIdentity, GSS_C_NT_USER_NAME,
+ nameMech, pName);
+ }
+
+ gss_release_buffer(&tmpMinor, &defaultIdentity);
+
+ return major;
+}
+
+static OM_uint32
+gssEapResolveCredIdentity(OM_uint32 *minor,
+ gss_cred_id_t cred)
+{
+ OM_uint32 major;
+ gss_OID nameMech = gssEapPrimaryMechForCred(cred);
+
+ if (cred->name != GSS_C_NO_NAME) {
+ *minor = 0;
+ return GSS_S_COMPLETE;
+ }
+
+ if (cred->flags & CRED_FLAG_ACCEPT) {
+ gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
+ char serviceName[5 + MAXHOSTNAMELEN];
+
+ /* default host-based service is host@localhost */
+ memcpy(serviceName, "host@", 5);
+ if (gethostname(&serviceName[5], MAXHOSTNAMELEN) != 0) {
+ *minor = GSSEAP_NO_HOSTNAME;
+ return GSS_S_FAILURE;
+ }
+
+ nameBuf.value = serviceName;
+ nameBuf.length = strlen((char *)nameBuf.value);
+
+ major = gssEapImportName(minor, &nameBuf, GSS_C_NT_HOSTBASED_SERVICE,
+ nameMech, &cred->name);
+ if (GSS_ERROR(major))
+ return major;
+ } else if (cred->flags & CRED_FLAG_INITIATE) {
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
+ major = libMoonshotResolveDefaultIdentity(minor, cred, &cred->name);
+ if (major == GSS_S_CRED_UNAVAIL)
+#endif
+ major = staticIdentityFileResolveDefaultIdentity(minor, cred, &cred->name);
+ if (major != GSS_S_CRED_UNAVAIL)
+ return major;
+ }
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}
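Review bot: `gethostname(&serviceName[5], MAXHOSTNAMELEN)` is not guaranteed to NUL-terminate when the host name is MAXHOSTNAMELEN characters or longer (POSIX leaves that unspecified), and the following `strlen` would then read past `serviceName`; pass `MAXHOSTNAMELEN - 1` and set `serviceName[sizeof(serviceName) - 1] = '\0'` before computing the length. This commit also made `<sys/param.h>` conditional in util.h, so `MAXHOSTNAMELEN` may be undefined where that header is absent (the WIN32 build this change targets); a fallback `#ifndef MAXHOSTNAMELEN` / `#define MAXHOSTNAMELEN 256` keeps the function compiling. The comment `/* default host-based service is host@localhost */` is inaccurate since the name comes from `gethostname`; `/* default acceptor name is host@<gethostname()> */` describes the code.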
+
OM_uint32
gssEapInquireCred(OM_uint32 *minor,
gss_cred_id_t cred,
time_t now, lifetime;
if (name != NULL) {
- major = gssEapDuplicateName(minor, cred->name, name);
+ major = gssEapResolveCredIdentity(minor, cred);
if (GSS_ERROR(major))
- return major;
+ goto cleanup;
+
+ if (cred->name != GSS_C_NO_NAME) {
+ major = gssEapDuplicateName(minor, cred->name, name);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ } else
+ *name = GSS_C_NO_NAME;
}
if (cred_usage != NULL) {
else
major = gssEapIndicateMechs(minor, mechanisms);
if (GSS_ERROR(major))
- return major;
+ goto cleanup;
}
if (cred->expiryTime == 0) {
}
if (lifetime == 0) {
+ major = GSS_S_CREDENTIALS_EXPIRED;
*minor = GSSEAP_CRED_EXPIRED;
- return GSS_S_CREDENTIALS_EXPIRED;
+ goto cleanup;
}
major = GSS_S_COMPLETE;
*minor = 0;
+cleanup:
+ return major;
+}
+
+OM_uint32
+gssEapSetCredPassword(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ const gss_buffer_t password)
+{
+ OM_uint32 major, tmpMinor;
+ gss_buffer_desc newPassword = GSS_C_EMPTY_BUFFER;
+
+ if (cred->flags & CRED_FLAG_RESOLVED) {
+ major = GSS_S_FAILURE;
+ *minor = GSSEAP_CRED_RESOLVED;
+ goto cleanup;
+ }
+
+ if (password != GSS_C_NO_BUFFER) {
+ major = duplicateBuffer(minor, password, &newPassword);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ cred->flags |= CRED_FLAG_PASSWORD;
+ } else {
+ cred->flags &= ~(CRED_FLAG_PASSWORD);
+ }
+
+ gss_release_buffer(&tmpMinor, &cred->password);
+ cred->password = newPassword;
+
+ major = GSS_S_COMPLETE;
+ *minor = 0;
+
+cleanup:
+ return major;
+}
+
+OM_uint32
+gssEapSetCredService(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ const gss_name_t target)
+{
+ OM_uint32 major, tmpMinor;
+ gss_name_t newTarget = GSS_C_NO_NAME;
+
+ if (cred->flags & CRED_FLAG_RESOLVED) {
+ major = GSS_S_FAILURE;
+ *minor = GSSEAP_CRED_RESOLVED;
+ goto cleanup;
+ }
+
+ if (target != GSS_C_NO_NAME) {
+ major = gssEapDuplicateName(minor, target, &newTarget);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ cred->flags |= CRED_FLAG_TARGET;
+ } else {
+ cred->flags &= ~(CRED_FLAG_TARGET);
+ }
+
+ gssEapReleaseName(&tmpMinor, &cred->target);
+ cred->target = newTarget;
+
+ major = GSS_S_COMPLETE;
+ *minor = 0;
+
+cleanup:
+ return major;
+}
+
+static OM_uint32
+gssEapDuplicateCred(OM_uint32 *minor,
+ const gss_cred_id_t src,
+ gss_cred_id_t *pDst)
+{
+ OM_uint32 major, tmpMinor;
+ gss_cred_id_t dst = GSS_C_NO_CREDENTIAL;
+
+ *pDst = GSS_C_NO_CREDENTIAL;
+
+ major = gssEapAllocCred(minor, &dst);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ dst->flags = src->flags;
+
+ if (src->name != GSS_C_NO_NAME) {
+ major = gssEapDuplicateName(minor, src->name, &dst->name);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ if (src->target != GSS_C_NO_NAME) {
+ major = gssEapDuplicateName(minor, src->target, &dst->target);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ if (src->password.value != NULL) {
+ major = duplicateBuffer(minor, &src->password, &dst->password);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ major = duplicateOidSet(minor, src->mechanisms, &dst->mechanisms);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ dst->expiryTime = src->expiryTime;
+
+ if (src->radiusConfigFile.value != NULL)
+ duplicateBufferOrCleanup(&src->radiusConfigFile, &dst->radiusConfigFile);
+ if (src->radiusConfigStanza.value != NULL)
+ duplicateBufferOrCleanup(&src->radiusConfigStanza, &dst->radiusConfigStanza);
+ if (src->caCertificate.value != NULL)
+ duplicateBufferOrCleanup(&src->caCertificate, &dst->caCertificate);
+ if (src->subjectNameConstraint.value != NULL)
+ duplicateBufferOrCleanup(&src->subjectNameConstraint, &dst->subjectNameConstraint);
+ if (src->subjectAltNameConstraint.value != NULL)
+ duplicateBufferOrCleanup(&src->subjectAltNameConstraint, &dst->subjectAltNameConstraint);
+
+#ifdef GSSEAP_ENABLE_REAUTH
+ /* XXX krbCredCache, reauthCred */
+#endif
+
+ *pDst = dst;
+ dst = GSS_C_NO_CREDENTIAL;
+
+ major = GSS_S_COMPLETE;
+ *minor = 0;
+
+cleanup:
+ gssEapReleaseCred(&tmpMinor, &dst);
+
+ return major;
+}
+
+static OM_uint32
+staticIdentityFileResolveInitiatorCred(OM_uint32 *minor, gss_cred_id_t cred)
+{
+ OM_uint32 major, tmpMinor;
+ gss_buffer_desc defaultIdentity = GSS_C_EMPTY_BUFFER;
+ gss_name_t defaultIdentityName = GSS_C_NO_NAME;
+ gss_buffer_desc defaultPassword = GSS_C_EMPTY_BUFFER;
+ int isDefaultIdentity = FALSE;
+
+ major = readStaticIdentityFile(minor, &defaultIdentity, &defaultPassword);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ major = gssEapImportName(minor, &defaultIdentity, GSS_C_NT_USER_NAME,
+ gssEapPrimaryMechForCred(cred), &defaultIdentityName);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ if (defaultIdentityName == GSS_C_NO_NAME) {
+ if (cred->name == GSS_C_NO_NAME) {
+ major = GSS_S_CRED_UNAVAIL;
+ *minor = GSSEAP_NO_DEFAULT_IDENTITY;
+ goto cleanup;
+ }
+ } else {
+ if (cred->name == GSS_C_NO_NAME) {
+ cred->name = defaultIdentityName;
+ defaultIdentityName = GSS_C_NO_NAME;
+ isDefaultIdentity = TRUE;
+ } else {
+ major = gssEapCompareName(minor, cred->name,
+ defaultIdentityName, &isDefaultIdentity);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+ }
+
+ if (isDefaultIdentity &&
+ (cred->flags & CRED_FLAG_PASSWORD) == 0) {
+ major = gssEapSetCredPassword(minor, cred, &defaultPassword);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+cleanup:
+ gssEapReleaseName(&tmpMinor, &defaultIdentityName);
+ zeroAndReleasePassword(&defaultPassword);
+ gss_release_buffer(&tmpMinor, &defaultIdentity);
+
+ return major;
+}
+
+OM_uint32
+gssEapResolveInitiatorCred(OM_uint32 *minor,
+ const gss_cred_id_t cred,
+ const gss_name_t targetName
+#ifndef HAVE_MOONSHOT_GET_IDENTITY
+ GSSEAP_UNUSED
+#endif
+ ,
+ gss_cred_id_t *pResolvedCred)
+{
+ OM_uint32 major, tmpMinor;
+ gss_cred_id_t resolvedCred = GSS_C_NO_CREDENTIAL;
+
+ if (cred == GSS_C_NO_CREDENTIAL) {
+ major = gssEapAcquireCred(minor,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ GSS_C_NO_OID_SET,
+ GSS_C_INITIATE,
+ &resolvedCred,
+ NULL,
+ NULL);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ } else {
+ if ((cred->flags & CRED_FLAG_INITIATE) == 0) {
+ major = GSS_S_NO_CRED;
+ *minor = GSSEAP_CRED_USAGE_MISMATCH;
+ goto cleanup;
+ }
+
+ major = gssEapDuplicateCred(minor, cred, &resolvedCred);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ if ((resolvedCred->flags & CRED_FLAG_RESOLVED) == 0) {
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
+ major = libMoonshotResolveInitiatorCred(minor, resolvedCred, targetName);
+ if (major == GSS_S_CRED_UNAVAIL)
+#endif
+ major = staticIdentityFileResolveInitiatorCred(minor, resolvedCred);
+ if (GSS_ERROR(major) && major != GSS_S_CRED_UNAVAIL)
+ goto cleanup;
+
+ /* If we have a caller-supplied password, the credential is resolved. */
+ if ((resolvedCred->flags & CRED_FLAG_PASSWORD) == 0) {
+ major = GSS_S_CRED_UNAVAIL;
+ *minor = GSSEAP_NO_DEFAULT_CRED;
+ goto cleanup;
+ }
+
+ resolvedCred->flags |= CRED_FLAG_RESOLVED;
+ }
+
+ *pResolvedCred = resolvedCred;
+ resolvedCred = GSS_C_NO_CREDENTIAL;
+
+ major = GSS_S_COMPLETE;
+ *minor = 0;
+
+cleanup:
+ gssEapReleaseCred(&tmpMinor, &resolvedCred);
+
return major;
}
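Review bot: `staticIdentityFileResolveInitiatorCred` calls `gssEapSetCredPassword` whenever the identity matched and no caller password was set, even when the identity file had no second line and `defaultPassword` is still an empty buffer; `gssEapSetCredPassword` only tests `password != GSS_C_NO_BUFFER`, so it sets `CRED_FLAG_PASSWORD` for a zero-length password, after which `gssEapResolveInitiatorCred` marks the credential `CRED_FLAG_RESOLVED` and its `GSSEAP_NO_DEFAULT_CRED` check never fires. Guard the call with `if (isDefaultIdentity && defaultPassword.value != NULL && (cred->flags & CRED_FLAG_PASSWORD) == 0)`. Separately, `gssEapSetCredPassword` discards the previous secret with `gss_release_buffer(&tmpMinor, &cred->password)`, which does not scrub it and may not match the allocator `duplicateBuffer` used; it should call `zeroAndReleasePassword(&cred->password)` exactly as gssEapReleaseCred does.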
*pkiov_count = 0;
header = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
- assert(header != NULL);
+ GSSEAP_ASSERT(header != NULL);
trailer = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
- assert(trailer == NULL || rrc == 0);
+ GSSEAP_ASSERT(trailer == NULL || rrc == 0);
code = krbCryptoLength(context, crypto, KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
if (code != 0)
*/
kiov[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
kiov[i].data.length = k5_trailerlen;
- kiov[i].data.data = kiov[i - 1].data.data + ec + 16; /* E(Header) */
+ kiov[i].data.data = (char *)kiov[i - 1].data.data + ec + 16; /* E(Header) */
i++;
*pkiov = kiov;
int i;
size_t data_length = 0, assoc_data_length = 0;
- assert(iov != GSS_C_NO_IOV_BUFFER);
+ GSSEAP_ASSERT(iov != GSS_C_NO_IOV_BUFFER);
*data_length_p = *assoc_data_length_p = 0;
int i;
OM_uint32 min_stat;
- assert(iov != GSS_C_NO_IOV_BUFFER);
+ GSSEAP_ASSERT(iov != GSS_C_NO_IOV_BUFFER);
for (i = 0; i < iov_count; i++) {
if (iov[i].type & GSS_IOV_BUFFER_FLAG_ALLOCATED) {
int i;
krb5_boolean has_conf_data = FALSE;
- assert(iov != GSS_C_NO_IOV_BUFFER);
+ GSSEAP_ASSERT(iov != GSS_C_NO_IOV_BUFFER);
for (i = 0; i < iov_count; i++) {
if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA) {
int
gssEapAllocIov(gss_iov_buffer_t iov, size_t size)
{
- assert(iov != GSS_C_NO_IOV_BUFFER);
- assert(iov->type & GSS_IOV_BUFFER_FLAG_ALLOCATE);
+ GSSEAP_ASSERT(iov != GSS_C_NO_IOV_BUFFER);
+ GSSEAP_ASSERT(iov->type & GSS_IOV_BUFFER_FLAG_ALLOCATE);
iov->buffer.length = size;
iov->buffer.value = GSSEAP_MALLOC(size);
return json_number_value(m_obj);
}
+#ifdef HAVE_SHIBRESOLVER
JSONObject
JSONObject::ddf(DDF &ddf)
{
return ddf;
}
+#endif /* HAVE_SHIBRESOLVER */
bool JSONObject::isObject(void) const
{
#include <new>
#include <jansson.h>
-#include <shibsp/remoting/ddf.h>
+#ifdef HAVE_SHIBRESOLVER
+#include <shibsp/remoting/ddf.h>
using namespace shibsp;
+#endif
namespace gss_eap_util {
class JSONObject;
static JSONObject object(void);
static JSONObject array(void);
static JSONObject null(void);
+#ifdef HAVE_SHIBRESOLVER
static JSONObject ddf(DDF &value);
+#endif
char *dump(size_t flags = 0) const;
void dump(FILE *fp, size_t flags = JSON_INDENT(4)) const;
json_int_t integer(void) const;
double real(void) const;
double number(void) const;
+#ifdef HAVE_SHIBRESOLVER
DDF ddf(void) const;
+#endif
bool isObject(void) const;
bool isArray(void) const;
#include "gssapiP_eap.h"
-static GSSEAP_THREAD_ONCE krbContextKeyOnce = GSSEAP_ONCE_INITIALIZER;
-static GSSEAP_THREAD_KEY krbContextKey;
-
-static void
-destroyKrbContext(void *arg)
+void
+gssEapDestroyKrbContext(krb5_context context)
{
- krb5_context context = (krb5_context)arg;
-
if (context != NULL)
krb5_free_context(context);
}
-static void
-createKrbContextKey(void)
-{
- GSSEAP_KEY_CREATE(&krbContextKey, destroyKrbContext);
-}
-
static krb5_error_code
initKrbContext(krb5_context *pKrbContext)
{
*pKrbContext = krbContext;
cleanup:
+ krb5_free_default_realm(krbContext, defaultRealm);
+
if (code != 0 && krbContext != NULL)
krb5_free_context(krbContext);
- if (defaultRealm != NULL)
- GSSEAP_FREE(defaultRealm);
-
return code;
}
OM_uint32
gssEapKerberosInit(OM_uint32 *minor, krb5_context *context)
{
- *minor = 0;
+ struct gss_eap_thread_local_data *tld;
- GSSEAP_ONCE(&krbContextKeyOnce, createKrbContextKey);
-
- *context = GSSEAP_GETSPECIFIC(krbContextKey);
- if (*context == NULL) {
- *minor = initKrbContext(context);
- if (*minor == 0) {
- if (GSSEAP_SETSPECIFIC(krbContextKey, *context) != 0) {
- *minor = errno;
- krb5_free_context(*context);
- *context = NULL;
- }
+ *minor = 0;
+ *context = NULL;
+
+ tld = gssEapGetThreadLocalData();
+ if (tld != NULL) {
+ if (tld->krbContext == NULL) {
+ *minor = initKrbContext(&tld->krbContext);
+ if (*minor != 0)
+ tld->krbContext = NULL;
}
+ *context = tld->krbContext;
+ } else {
+ *minor = GSSEAP_GET_LAST_ERROR();
}
- return *minor == 0 ? GSS_S_COMPLETE : GSS_S_FAILURE;
+ GSSEAP_ASSERT(*context != NULL || *minor != 0);
+
+ return (*minor == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
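Review bot: When gssEapGetThreadLocalData() returns NULL, the `else` branch sets `*minor = GSSEAP_GET_LAST_ERROR();`, which can still be 0 if the failed allocation did not set errno/last-error; the function then returns GSS_S_COMPLETE with `*context == NULL`, and the GSSEAP_ASSERT on the next line only catches that in builds where the assert is live. Fall back to a definite code: `*minor = GSSEAP_GET_LAST_ERROR(); if (*minor == 0) *minor = ENOMEM;`. The context is now owned by the thread-local block and released by its destructor elsewhere in this diff, so a one-line comment such as `/* *context is owned by the thread-local data; callers must not free it */` above the return would prevent a double free by a future caller.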
/*
* Tn = pseudo-random(KMSK, n || "rfc4121-gss-eap")
* L = output key size
* K = truncate(L, T1 || T2 || .. || Tn)
+ *
+ * The output must be freed by krb5_free_keyblock_contents(),
+ * not GSSEAP_FREE().
*/
OM_uint32
gssEapDeriveRfc3961Key(OM_uint32 *minor,
#ifndef HAVE_HEIMDAL_VERSION
krb5_data data;
#endif
- krb5_data ns, t, prfOut;
+ krb5_data ns, t, derivedKeyData;
krb5_keyblock kd;
krb5_error_code code;
size_t randomLength, keyLength, prfLength;
unsigned char constant[4 + sizeof("rfc4121-gss-eap") - 1], *p;
ssize_t i, remain;
- assert(encryptionType != ENCTYPE_NULL);
-
- memset(pKey, 0, sizeof(*pKey));
-
GSSEAP_KRB_INIT(&krbContext);
+ GSSEAP_ASSERT(encryptionType != ENCTYPE_NULL);
+ KRB_KEY_INIT(pKey);
KRB_KEY_INIT(&kd);
KRB_KEY_TYPE(&kd) = encryptionType;
- t.data = NULL;
- t.length = 0;
-
- prfOut.data = NULL;
- prfOut.length = 0;
+ KRB_DATA_INIT(&ns);
+ KRB_DATA_INIT(&t);
+ KRB_DATA_INIT(&derivedKeyData);
code = krb5_c_keylengths(krbContext, encryptionType,
&randomLength, &keyLength);
if (code != 0)
goto cleanup;
- KRB_KEY_DATA(&kd) = GSSEAP_MALLOC(keyLength);
- if (KRB_KEY_DATA(&kd) == NULL) {
- code = ENOMEM;
- goto cleanup;
- }
- KRB_KEY_LENGTH(&kd) = keyLength;
+ /* Convert EAP MSK into a Kerberos key */
- /* Convert MSK into a Kerberos key */
#ifdef HAVE_HEIMDAL_VERSION
code = krb5_random_to_key(krbContext, encryptionType, inputKey,
MIN(inputKeyLength, randomLength), &kd);
data.length = MIN(inputKeyLength, randomLength);
data.data = (char *)inputKey;
+ KRB_KEY_DATA(&kd) = KRB_MALLOC(keyLength);
+ if (KRB_KEY_DATA(&kd) == NULL) {
+ code = ENOMEM;
+ goto cleanup;
+ }
+ KRB_KEY_LENGTH(&kd) = keyLength;
+
code = krb5_c_random_to_key(krbContext, encryptionType, &data, &kd);
-#endif
+#endif /* HAVE_HEIMDAL_VERSION */
if (code != 0)
goto cleanup;
if (code != 0)
goto cleanup;
+#ifndef HAVE_HEIMDAL_VERSION
+ /* Same API, but different allocation rules, unfortunately. */
t.length = prfLength;
t.data = GSSEAP_MALLOC(t.length);
if (t.data == NULL) {
code = ENOMEM;
goto cleanup;
}
+#endif
- prfOut.length = randomLength;
- prfOut.data = GSSEAP_MALLOC(prfOut.length);
- if (prfOut.data == NULL) {
+ derivedKeyData.length = randomLength;
+ derivedKeyData.data = GSSEAP_MALLOC(derivedKeyData.length);
+ if (derivedKeyData.data == NULL) {
code = ENOMEM;
goto cleanup;
}
- for (i = 0, p = (unsigned char *)prfOut.data, remain = randomLength;
+ for (i = 0, p = (unsigned char *)derivedKeyData.data, remain = randomLength;
remain > 0;
p += t.length, remain -= t.length, i++)
{
/* Finally, convert PRF output into a new key which we will return */
#ifdef HAVE_HEIMDAL_VERSION
+ krb5_free_keyblock_contents(krbContext, &kd);
+ KRB_KEY_INIT(&kd);
+
code = krb5_random_to_key(krbContext, encryptionType,
- prfOut.data, prfOut.length, &kd);
+ derivedKeyData.data, derivedKeyData.length, &kd);
#else
- code = krb5_c_random_to_key(krbContext, encryptionType, &prfOut, &kd);
+ code = krb5_c_random_to_key(krbContext, encryptionType,
+ &derivedKeyData, &kd);
#endif
if (code != 0)
goto cleanup;
*pKey = kd;
- KRB_KEY_DATA(&kd) = NULL;
cleanup:
- if (KRB_KEY_DATA(&kd) != NULL) {
- memset(KRB_KEY_DATA(&kd), 0, KRB_KEY_LENGTH(&kd));
- GSSEAP_FREE(KRB_KEY_DATA(&kd));
- }
+ if (code != 0)
+ krb5_free_keyblock_contents(krbContext, &kd);
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_free_data_contents(krbContext, &t);
+#else
if (t.data != NULL) {
memset(t.data, 0, t.length);
GSSEAP_FREE(t.data);
}
- if (prfOut.data != NULL) {
- memset(prfOut.data, 0, prfOut.length);
- GSSEAP_FREE(prfOut.data);
+#endif
+ if (derivedKeyData.data != NULL) {
+ memset(derivedKeyData.data, 0, derivedKeyData.length);
+ GSSEAP_FREE(derivedKeyData.data);
}
+
*minor = code;
+
return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
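Review bot: In the cleanup block the Heimdal branch releases the PRF output chunk with `krb5_free_data_contents(krbContext, &t);` without clearing it first, while the MIT branch directly below does `memset(t.data, 0, t.length)` before freeing; unless Heimdal's krb5_free_data_contents is known to zero the buffer, key-derivation material is left behind in freed heap memory. Keep the two branches equivalent with `if (t.data != NULL) memset(t.data, 0, t.length);` ahead of the Heimdal call. On the success path `kd` is intentionally not freed because it was copied into `*pKey`; a comment on the guard, `/* on success kd is owned by *pKey */`, would stop a reader from "fixing" the `if (code != 0)`. The function body is split across several hunks here.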
if (*minor != 0)
return GSS_S_FAILURE;
#else
- data.length = 0;
- data.data = NULL;
+ KRB_DATA_INIT(&data);
memset(&cksum, 0, sizeof(cksum));
#endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */
if (!krb5_c_is_keyed_cksum(*cksumtype)) {
- *minor = KRB5KRB_AP_ERR_INAPP_CKSUM;
+ *minor = (OM_uint32)KRB5KRB_AP_ERR_INAPP_CKSUM;
return GSS_S_FAILURE;
}
if (code != 0)
goto cleanup;
- GSSEAP_FREE(buf);
+ free(buf); /* match ASN1_MALLOC_ENCODE */
buf = NULL;
ASN1_MALLOC_ENCODE(AD_KDCIssued, buf, buf_size, &kdcIssued, &len, code);
cleanup:
if (buf != NULL)
- GSSEAP_FREE(buf);
+ free(buf); /* match ASN1_MALLOC_ENCODE */
if (crypto != NULL)
krb5_crypto_destroy(context, crypto);
free_Checksum(&kdcIssued.ad_checksum);
lctx->version = 1;
lctx->initiate = CTX_IS_INITIATOR(ctx);
- lctx->endtime = ctx->expiryTime;
+ if (ctx->expiryTime == 0)
+ lctx->endtime = KRB_TIME_FOREVER;
+ else
+ lctx->endtime = ctx->expiryTime;
lctx->send_seq = ctx->sendSeq;
lctx->recv_seq = ctx->recvSeq;
lctx->protocol = 1;
lctx->cfx_kd.have_acceptor_subkey = haveAcceptorSubkey;
lkey = haveAcceptorSubkey
- ? &lctx->cfx_kd.ctx_key
- : &lctx->cfx_kd.acceptor_subkey;
+ ? &lctx->cfx_kd.acceptor_subkey
+ : &lctx->cfx_kd.ctx_key;
lkey->type = KRB_KEY_TYPE(&ctx->rfc3961Key);
lkey->data = GSSEAP_MALLOC(KRB_KEY_LENGTH(&ctx->rfc3961Key));
--- /dev/null
+/*
+ * Copyright (c) 2011, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gssapiP_eap.h"
+
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
+#include <libmoonshot.h>
+
+static OM_uint32
+libMoonshotMapError(OM_uint32 *minor,
+ MoonshotError **pError)
+{
+ MoonshotError *error = *pError;
+
+ GSSEAP_ASSERT(error != NULL);
+
+ switch (error->code) {
+ case MOONSHOT_ERROR_UNABLE_TO_START_SERVICE:
+ *minor = GSSEAP_UNABLE_TO_START_IDENTITY_SERVICE;
+ break;
+ case MOONSHOT_ERROR_NO_IDENTITY_SELECTED:
+ *minor = GSSEAP_NO_IDENTITY_SELECTED;
+ break;
+ case MOONSHOT_ERROR_INSTALLATION_ERROR:
+ *minor = GSSEAP_IDENTITY_SERVICE_INSTALL_ERROR;
+ break;
+ case MOONSHOT_ERROR_OS_ERROR:
+ *minor = GSSEAP_IDENTITY_SERVICE_OS_ERROR;
+ break;
+ case MOONSHOT_ERROR_IPC_ERROR:
+ *minor = GSSEAP_IDENTITY_SERVICE_IPC_ERROR;
+ break;
+ default:
+ *minor = GSSEAP_IDENTITY_SERVICE_UNKNOWN_ERROR;
+ break;
+ }
+
+ gssEapSaveStatusInfo(*minor, error->message);
+ moonshot_error_free(error);
+ *pError = NULL;
+
+ return GSS_S_CRED_UNAVAIL;
+}
+
+OM_uint32
+libMoonshotResolveDefaultIdentity(OM_uint32 *minor,
+ const gss_cred_id_t cred,
+ gss_name_t *pName)
+{
+ OM_uint32 major, tmpMinor;
+ gss_OID nameMech = gssEapPrimaryMechForCred(cred);
+ gss_name_t name = GSS_C_NO_NAME;
+ gss_buffer_desc tmpBuffer = GSS_C_EMPTY_BUFFER;
+ char *nai = NULL;
+ char *password = NULL;
+ char *serverCertificateHash = NULL;
+ char *caCertificate = NULL;
+ char *subjectNameConstraint = NULL;
+ char *subjectAltNameConstraint = NULL;
+ MoonshotError *error = NULL;
+
+ *pName = GSS_C_NO_NAME;
+
+ if (!moonshot_get_default_identity(&nai,
+ &password,
+ &serverCertificateHash,
+ &caCertificate,
+ &subjectNameConstraint,
+ &subjectAltNameConstraint,
+ &error)) {
+ if (error->code == MOONSHOT_ERROR_NO_IDENTITY_SELECTED) {
+ major = GSS_S_CRED_UNAVAIL;
+ *minor = GSSEAP_NO_DEFAULT_IDENTITY;
+ moonshot_error_free(error);
+ } else
+ major = libMoonshotMapError(minor, &error);
+ goto cleanup;
+ }
+
+ tmpBuffer.value = nai;
+ tmpBuffer.length = strlen(nai);
+
+ major = gssEapImportName(minor, &tmpBuffer, GSS_C_NT_USER_NAME, nameMech, &name);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ *pName = name;
+ name = GSS_C_NO_NAME;
+
+cleanup:
+ moonshot_free(nai);
+ moonshot_free(password);
+ moonshot_free(serverCertificateHash);
+ moonshot_free(caCertificate);
+ moonshot_free(subjectNameConstraint);
+ moonshot_free(subjectAltNameConstraint);
+
+ gssEapReleaseName(&tmpMinor, &name);
+
+ return major;
+}
+
+OM_uint32
+libMoonshotResolveInitiatorCred(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ const gss_name_t targetName)
+{
+ OM_uint32 major, tmpMinor;
+ gss_OID nameMech = gssEapPrimaryMechForCred(cred);
+ gss_buffer_desc initiator = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc target = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc tmpBuffer = GSS_C_EMPTY_BUFFER;
+ char *nai = NULL;
+ char *password = NULL;
+ char *serverCertificateHash = NULL;
+ char *caCertificate = NULL;
+ char *subjectNameConstraint = NULL;
+ char *subjectAltNameConstraint = NULL;
+ MoonshotError *error = NULL;
+
+ if (cred->name != GSS_C_NO_NAME) {
+ major = gssEapExportName(minor, cred->name, &initiator);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ if (targetName != GSS_C_NO_NAME) {
+ major = gssEapExportName(minor, targetName, &target);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
+ if (!moonshot_get_identity((const char *)initiator.value,
+ (const char *)cred->password.value,
+ (const char *)target.value,
+ &nai,
+ &password,
+ &serverCertificateHash,
+ &caCertificate,
+ &subjectNameConstraint,
+ &subjectAltNameConstraint,
+ &error)) {
+ major = libMoonshotMapError(minor, &error);
+ goto cleanup;
+ }
+
+ gssEapReleaseName(&tmpMinor, &cred->name);
+
+ tmpBuffer.value = nai;
+ tmpBuffer.length = strlen(nai);
+
+ major = gssEapImportName(minor, &tmpBuffer, GSS_C_NT_USER_NAME,
+ nameMech, &cred->name);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ tmpBuffer.value = password;
+ tmpBuffer.length = strlen(password);
+
+ major = gssEapSetCredPassword(minor, cred, &tmpBuffer);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ gss_release_buffer(&tmpMinor, &cred->caCertificate);
+ gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint);
+ gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint);
+
+ if (serverCertificateHash != NULL) {
+ size_t len = strlen(serverCertificateHash);
+
+ #define HASH_PREFIX "hash://server/sha256/"
+ #define HASH_PREFIX_LEN (sizeof(HASH_PREFIX) - 1)
+
+ cred->caCertificate.value = GSSEAP_MALLOC(HASH_PREFIX_LEN + len + 1);
+ if (cred->caCertificate.value == NULL) {
+ major = GSS_S_FAILURE;
+ *minor = ENOMEM;
+ goto cleanup;
+ }
+
+ memcpy(cred->caCertificate.value, HASH_PREFIX, HASH_PREFIX_LEN);
+ memcpy((char *)cred->caCertificate.value + HASH_PREFIX_LEN, serverCertificateHash, len);
+
+ ((char *)cred->caCertificate.value)[HASH_PREFIX_LEN + len] = '\0';
+
+ cred->caCertificate.length = HASH_PREFIX_LEN + len;
+ } else if (caCertificate != NULL) {
+ makeStringBufferOrCleanup(caCertificate, &cred->caCertificate);
+ }
+
+ if (subjectNameConstraint != NULL)
+ makeStringBufferOrCleanup(subjectNameConstraint, &cred->subjectNameConstraint);
+ if (subjectAltNameConstraint != NULL)
+ makeStringBufferOrCleanup(subjectAltNameConstraint, &cred->subjectAltNameConstraint);
+
+cleanup:
+ moonshot_free(nai);
+ moonshot_free(password);
+ moonshot_free(serverCertificateHash);
+ moonshot_free(caCertificate);
+ moonshot_free(subjectNameConstraint);
+ moonshot_free(subjectAltNameConstraint);
+
+ gss_release_buffer(&tmpMinor, &initiator);
+ gss_release_buffer(&tmpMinor, &target);
+
+ return major;
+}
+#endif /* HAVE_MOONSHOT_GET_IDENTITY */
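Review bot: libMoonshotResolveInitiatorCred passes `initiator.value` and `target.value` to moonshot_get_identity() as `const char *`, but both come from gssEapExportName(), whose output (per the export path elsewhere in this diff) is the binary exported-name token with an OID and length fields prepended and no NUL terminator; the identity service will see framing bytes and can read past the buffer. The same applies to `cred->password.value`, a gss_buffer that is not guaranteed to be NUL-terminated unless gssEapSetCredPassword (not visible here) stores it that way. Use a display form of the names, or copy each buffer into a NUL-terminated string of exactly `length` bytes, before the call. Separately, the `password` string returned by the identity service is released with `moonshot_free(password)` in both functions without being wiped; unless moonshot_free() is documented to zero its argument, `if (password != NULL) memset(password, 0, strlen(password));` before freeing keeps the secret out of freed heap memory.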
}
if (GSSEAP_MUTEX_INIT(&name->mutex) != 0) {
- *minor = errno;
+ *minor = GSSEAP_GET_LAST_ERROR();
gssEapReleaseName(&tmpMinor, &name);
return GSS_S_FAILURE;
}
GSSEAP_KRB_INIT(&krbContext);
krb5_free_principal(krbContext, name->krbPrincipal);
gssEapReleaseOid(&tmpMinor, &name->mechanismUsed);
-
+#ifdef GSSEAP_ENABLE_ACCEPTOR
gssEapReleaseAttrContext(&tmpMinor, name);
+#endif
GSSEAP_MUTEX_DESTROY(&name->mutex);
GSSEAP_FREE(name);
}
if (realm != NULL)
- GSSEAP_FREE(realm);
+ krb5_free_default_realm(krbContext, realm);
GSSEAP_FREE(service);
return major;
#ifdef HAVE_HEIMDAL_VERSION
if (code == 0 && KRB_PRINC_REALM(krbPrinc) == NULL) {
- KRB_PRINC_REALM(krbPrinc) = GSSEAP_CALLOC(1, sizeof(char));
+ KRB_PRINC_REALM(krbPrinc) = KRB_CALLOC(1, sizeof(char));
if (KRB_PRINC_REALM(krbPrinc) == NULL)
code = ENOMEM;
}
#endif
if (defaultRealm != NULL)
- GSSEAP_FREE(defaultRealm);
+ krb5_free_default_realm(krbContext, defaultRealm);
}
if (nameBuffer != GSS_C_NO_BUFFER)
return GSS_S_FAILURE;
}
- assert(krbPrinc != NULL);
+ GSSEAP_ASSERT(krbPrinc != NULL);
major = krbPrincipalToName(minor, &krbPrinc, pName);
if (GSS_ERROR(major))
name->mechanismUsed = mechanismUsed;
mechanismUsed = GSS_C_NO_OID;
+#ifdef GSSEAP_ENABLE_ACCEPTOR
if (flags & EXPORT_NAME_FLAG_COMPOSITE) {
gss_buffer_desc buf;
if (GSS_ERROR(major))
goto cleanup;
}
+#endif
major = GSS_S_COMPLETE;
*minor = 0;
if (major == GSS_S_COMPLETE &&
mechType != GSS_C_NO_OID) {
- assert(gssEapIsConcreteMechanismOid(mechType));
- assert(name->mechanismUsed == GSS_C_NO_OID);
+ GSSEAP_ASSERT(gssEapIsConcreteMechanismOid(mechType));
+ GSSEAP_ASSERT(name->mechanismUsed == GSS_C_NO_OID);
major = gssEapCanonicalizeOid(minor, mechType, 0, &name->mechanismUsed);
}
exportedNameLen += 6 + mech->length;
}
exportedNameLen += 4 + nameBuf.length;
+#ifdef GSSEAP_ENABLE_ACCEPTOR
if (flags & EXPORT_NAME_FLAG_COMPOSITE) {
major = gssEapExportAttrContext(minor, name, &attrs);
if (GSS_ERROR(major))
goto cleanup;
exportedNameLen += attrs.length;
}
+#endif
exportedName->value = GSSEAP_MALLOC(exportedNameLen);
if (exportedName->value == NULL) {
p += attrs.length;
}
- assert(p == (unsigned char *)exportedName->value + exportedNameLen);
+ GSSEAP_ASSERT(p == (unsigned char *)exportedName->value + exportedNameLen);
major = GSS_S_COMPLETE;
*minor = 0;
goto cleanup;
}
+#ifdef GSSEAP_ENABLE_ACCEPTOR
if (input_name->attrCtx != NULL) {
major = gssEapDuplicateAttrContext(minor, input_name, name);
if (GSS_ERROR(major))
goto cleanup;
}
+#endif
*dest_name = name;
return false;
/* We assume libradsec validated this for us */
- assert(pairfind(m_vps, PW_MESSAGE_AUTHENTICATOR) != NULL);
+ GSSEAP_ASSERT(pairfind(m_vps, PW_MESSAGE_AUTHENTICATOR) != NULL);
m_authenticated = true;
}
}
bool bInternalAttribute = false;
/* should have been filtered */
- assert(!isSecretAttributeP(attrid, vendor));
+ GSSEAP_ASSERT(!isSecretAttributeP(attrid, vendor));
switch (vendor) {
case VENDORPEC_UKERNA:
{
gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS, createAttrContext);
-#ifdef GSSEAP_ENABLE_REAUTH
- struct rs_context *radContext;
-
- /*
- * This hack is necessary in order to force the loading of the global
- * dictionary, otherwise accepting reauthentication tokens fails unless
- * the acceptor has already accepted a normal authentication token.
- */
- if (rs_context_create(&radContext) != 0)
- return false;
-
- if (rs_context_read_config(radContext, RS_CONFIG_FILE) != 0) {
- rs_context_destroy(radContext);
- return false;
- }
-
- if (rs_context_init_freeradius_dict(radContext, NULL)) {
- rs_context_destroy(radContext);
- return false;
- }
-
- rs_context_destroy(radContext);
-#endif
-
return true;
}
{
JSONObject obj;
- assert(vp->length <= MAX_STRING_LEN);
+ GSSEAP_ASSERT(vp->length <= MAX_STRING_LEN);
switch (vp->type) {
case PW_TYPE_INTEGER:
pNext = &vp->next;
}
- m_authenticated = obj["authenticated"].integer();
+ m_authenticated = obj["authenticated"].integer() ? true : false;
return true;
}
{
int code;
- assert(err != NULL);
+ GSSEAP_ASSERT(err != NULL);
code = rs_err_code(err, 0);
return GSS_S_FAILURE;
}
+
+OM_uint32
+gssEapCreateRadiusContext(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ struct rs_context **pRadContext)
+{
+ const char *configFile = RS_CONFIG_FILE;
+ struct rs_context *radContext;
+ struct rs_alloc_scheme ralloc;
+ struct rs_error *err;
+ OM_uint32 major;
+
+ *pRadContext = NULL;
+
+ if (rs_context_create(&radContext) != 0) {
+ *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
+ return GSS_S_FAILURE;
+ }
+
+ if (cred->radiusConfigFile.value != NULL)
+ configFile = (const char *)cred->radiusConfigFile.value;
+
+ ralloc.calloc = GSSEAP_CALLOC;
+ ralloc.malloc = GSSEAP_MALLOC;
+ ralloc.free = GSSEAP_FREE;
+ ralloc.realloc = GSSEAP_REALLOC;
+
+ rs_context_set_alloc_scheme(radContext, &ralloc);
+
+ if (rs_context_read_config(radContext, configFile) != 0) {
+ err = rs_err_ctx_pop(radContext);
+ goto fail;
+ }
+
+ if (rs_context_init_freeradius_dict(radContext, NULL) != 0) {
+ err = rs_err_ctx_pop(radContext);
+ goto fail;
+ }
+
+ *pRadContext = radContext;
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+
+fail:
+ major = gssEapRadiusMapError(minor, err);
+ rs_context_destroy(radContext);
+
+ return major;
+}
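Review bot: At the `fail:` label `err` is handed to gssEapRadiusMapError(), which in this diff only GSSEAP_ASSERTs that it is non-NULL; rs_err_ctx_pop() presumably returns NULL when libradsec queued no error, which becomes a NULL dereference in builds where the assert is compiled out. Guard it: `if (err == NULL) { *minor = GSSEAP_RADSEC_CONTEXT_FAILURE; major = GSS_S_FAILURE; } else major = gssEapRadiusMapError(minor, err);`. `cred->radiusConfigFile.value` is also used directly as a C path string, which is only safe if the setter stores a NUL-terminated copy — worth a comment on the assignment. Note that `cred` is dereferenced unconditionally, so callers must not pass GSS_C_NO_CREDENTIAL; document that precondition or add the check.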
gssEapRadiusMapError(OM_uint32 *minor,
struct rs_error *err);
+OM_uint32
+gssEapCreateRadiusContext(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ struct rs_context **pRadContext);
+
+/* This really needs to be a function call on Windows */
#define RS_CONFIG_FILE SYSCONFDIR "/radsec.conf"
#define VENDORPEC_MS 311 /* RFC 2548 */
#define PW_SAML_AAA_ASSERTION 132
#define PW_MS_WINDOWS_AUTH_DATA 133
-#define IS_RADIUS_ERROR(code) ((code) >= ERROR_TABLE_BASE_rse && \
- (code) <= ERROR_TABLE_BASE_rse + RSE_TIMEOUT_IO)
-
#ifdef __cplusplus
}
#endif
if (code != 0)
goto cleanup;
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_auth_con_setlocalsubkey(krbContext, authContext,
+ &ctx->rfc3961Key);
+#else
code = krb5_auth_con_setsendsubkey(krbContext, authContext,
&ctx->rfc3961Key);
+#endif
if (code != 0)
goto cleanup;
GSSEAP_KRB_INIT(&krbContext);
- assert(cred != GSS_C_NO_CREDENTIAL);
- assert(target != GSS_C_NO_NAME);
+ GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
+ GSSEAP_ASSERT(target != GSS_C_NO_NAME);
if (cred->name == GSS_C_NO_NAME ||
!reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
time_t now, expiryReq;
OM_uint32 minor;
- assert(cred != GSS_C_NO_CREDENTIAL);
+ if (cred == GSS_C_NO_CREDENTIAL)
+ return FALSE;
now = time(NULL);
expiryReq = now;
#include <xmltooling/util/DateTime.h>
#include <saml/exceptions.h>
+#include <saml/SAMLConfig.h>
#include <saml/saml1/core/Assertions.h>
#include <saml/saml2/core/Assertions.h>
#include <saml/saml2/metadata/Metadata.h>
/* Then we may be creating from an existing attribute context */
const gss_eap_saml_assertion_provider *saml;
- assert(m_assertion == NULL);
+ GSSEAP_ASSERT(m_assertion == NULL);
if (!gss_eap_attr_provider::initWithExistingContext(manager, ctx))
return false;
int authenticated, complete;
OM_uint32 minor;
- assert(m_assertion == NULL);
+ GSSEAP_ASSERT(m_assertion == NULL);
if (!gss_eap_attr_provider::initWithGssContext(manager, gssCred, gssCtx))
return false;
bool
gss_eap_saml_assertion_provider::init(void)
{
- gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext);
- return true;
+ bool ret = false;
+
+ try {
+ ret = SAMLConfig::getConfig().init();
+ } catch (exception &e) {
+ }
+
+ if (ret)
+ gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext);
+
+ return ret;
}
void
attribute->getAttributeValues().push_back(attributeValue);
- assert(attributeStatement != NULL);
+ GSSEAP_ASSERT(attributeStatement != NULL);
attributeStatement->getAttributes().push_back(attribute);
delete components;
* Local attribute provider implementation.
*/
+#include "gssapiP_eap.h"
+
#include <xmltooling/XMLObject.h>
+#ifndef HAVE_OPENSAML
+#include <xmltooling/XMLToolingConfig.h>
+#include <xmltooling/util/ParserPool.h>
+#endif
#include <saml/saml2/core/Assertions.h>
#include <sstream>
-#include "gssapiP_eap.h"
-
using namespace shibsp;
using namespace shibresolver;
-using namespace opensaml::saml2md;
-using namespace opensaml;
using namespace xmltooling;
using namespace std;
+#ifdef HAVE_OPENSAML
+using namespace opensaml::saml2md;
+using namespace opensaml;
+#else
+using namespace xercesc;
+#endif
gss_eap_shib_attr_provider::gss_eap_shib_attr_provider(void)
{
gss_release_buffer(&minor, &mechName);
}
+#ifdef HAVE_OPENSAML
const gss_eap_saml_assertion_provider *saml;
saml = static_cast<const gss_eap_saml_assertion_provider *>
(m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
if (saml != NULL && saml->getAssertion() != NULL) {
resolver->addToken(saml->getAssertion());
}
+#else
+ /* If no OpenSAML, parse the XML assertion explicitly */
+ const gss_eap_radius_attr_provider *radius;
+ int authenticated, complete;
+ gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
+
+ radius = static_cast<const gss_eap_radius_attr_provider *>
+ (m_manager->getProvider(ATTR_TYPE_RADIUS));
+ if (radius != NULL &&
+ radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
+ VENDORPEC_UKERNA,
+ &authenticated, &complete, &value)) {
+ string str((char *)value.value, value.length);
+ istringstream istream(str);
+ DOMDocument *doc = XMLToolingConfig::getConfig().getParser().parse(istream);
+ const XMLObjectBuilder *b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
+ resolver->addToken(b->buildFromDocument(doc));
+ gss_release_buffer(&minor, &value);
+ }
+#endif /* HAVE_OPENSAML */
try {
resolver->resolve();
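Review bot: The new non-OpenSAML branch ignores the `authenticated` and `complete` outputs of getFragmentedAttribute(): an assertion reassembled from an incomplete fragment set, or one the RADIUS provider did not mark authenticated, is still parsed and handed to the resolver as a token. Unless those flags are enforced inside getFragmentedAttribute() itself (not visible here), gate the parse on them, e.g. require `complete` in the `if` and decide explicitly whether an unauthenticated assertion may be resolved, with a comment stating why. XMLObjectBuilder::getBuilder() may return NULL for an unknown root element, so `b->buildFromDocument(doc)` needs a NULL check, and because parse()/build can throw, `value` leaks since gss_release_buffer() is only reached on the non-throwing path — release it from a cleanup or catch block. This method's start and end lie outside the hunk.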
{
int i = 0;
- assert(m_initialized);
+ GSSEAP_ASSERT(m_initialized);
for (vector<Attribute *>::const_iterator a = m_attributes.begin();
a != m_attributes.end();
vector <string> ids(1, attrStr);
BinaryAttribute *a = new BinaryAttribute(ids);
- assert(m_initialized);
+ GSSEAP_ASSERT(m_initialized);
if (value->length != 0) {
string valueStr((char *)value->value, value->length);
{
int i;
- assert(m_initialized);
+ GSSEAP_ASSERT(m_initialized);
i = getAttributeIndex(attr);
if (i >= 0)
gss_eap_shib_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
void *data) const
{
- assert(m_initialized);
+ GSSEAP_ASSERT(m_initialized);
for (vector<Attribute*>::const_iterator a = m_attributes.begin();
a != m_attributes.end();
{
const Attribute *ret = NULL;
- assert(m_initialized);
+ GSSEAP_ASSERT(m_initialized);
for (vector<Attribute *>::const_iterator a = m_attributes.begin();
a != m_attributes.end();
gss_buffer_desc displayValueBuf = GSS_C_EMPTY_BUFFER;
int nvalues, i = *more;
- assert(m_initialized);
+ GSSEAP_ASSERT(m_initialized);
*more = 0;
{
gss_any_t output;
- assert(m_initialized);
+ GSSEAP_ASSERT(m_initialized);
if (authenticated && !m_authenticated)
return (gss_any_t)NULL;
gss_eap_shib_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
gss_any_t input) const
{
- assert(m_initialized);
+ GSSEAP_ASSERT(m_initialized);
vector <Attribute *> *v = ((vector <Attribute *> *)input);
delete v;
if (!gss_eap_attr_provider::initWithJsonObject(ctx, obj))
return false;
- assert(m_authenticated == false);
- assert(m_attributes.size() == 0);
+ GSSEAP_ASSERT(m_authenticated == false);
+ GSSEAP_ASSERT(m_attributes.size() == 0);
JSONObject jattrs = obj["attributes"];
size_t nelems = jattrs.size();
#define SM_FLAG_TRANSITED 0x80000000
#define SM_ASSERT_VALID(ctx, status) do { \
- assert(GSS_ERROR((status)) || \
+ GSSEAP_ASSERT(GSS_ERROR((status)) || \
((status) == GSS_S_CONTINUE_NEEDED && ((ctx)->state > GSSEAP_STATE_INITIAL && (ctx)->state < GSSEAP_STATE_ESTABLISHED)) || \
((status) == GSS_S_COMPLETE && (ctx)->state == GSSEAP_STATE_ESTABLISHED)); \
} while (0)
void
gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state)
{
- assert(state >= GSSEAP_STATE_INITIAL);
- assert(state <= GSSEAP_STATE_ESTABLISHED);
+ GSSEAP_ASSERT(state >= GSSEAP_STATE_INITIAL);
+ GSSEAP_ASSERT(state <= GSSEAP_STATE_ESTABLISHED);
fprintf(stderr, "GSS-EAP: state transition %s->%s\n",
gssEapStateToString(GSSEAP_SM_STATE(ctx)),
unsigned char errorData[8];
gss_buffer_desc errorBuffer;
- assert(GSS_ERROR(majorStatus));
+ GSSEAP_ASSERT(GSS_ERROR(majorStatus));
/*
* Only return error codes that the initiator could have caused,
return major;
}
+ token->buffers.count = 1;
token->types[0] = ITOK_TYPE_CONTEXT_ERR | ITOK_FLAG_CRITICAL;
*minor = 0;
int initialContextToken = 0;
enum gss_eap_token_type tokType;
- assert(smCount > 0);
+ GSSEAP_ASSERT(smCount > 0);
*minor = 0;
goto cleanup;
}
- assert(ctx->state < GSSEAP_STATE_ESTABLISHED);
+ GSSEAP_ASSERT(ctx->state < GSSEAP_STATE_ESTABLISHED);
major = gssEapDecodeInnerTokens(minor, &unwrappedInputToken, &inputTokens);
if (GSS_ERROR(major))
if (innerOutputToken.value != NULL) {
outputTokens.buffers.elements[outputTokens.buffers.count] = innerOutputToken;
- assert(smp->outputTokenType != ITOK_TYPE_NONE);
+ GSSEAP_ASSERT(smp->outputTokenType != ITOK_TYPE_NONE);
outputTokens.types[outputTokens.buffers.count] = smp->outputTokenType;
if (smFlags & SM_FLAG_OUTPUT_TOKEN_CRITICAL)
outputTokens.types[outputTokens.buffers.count] |= ITOK_FLAG_CRITICAL;
}
}
- assert(outputTokens.buffers.count <= smCount);
+ GSSEAP_ASSERT(outputTokens.buffers.count <= smCount);
/* Check we understood all critical tokens sent by peer */
if (!GSS_ERROR(major)) {
}
/* If the context is established, empty tokens only to be emitted by initiator */
- assert(!CTX_IS_ESTABLISHED(ctx) || ((outputToken->length == 0) == CTX_IS_INITIATOR(ctx)));
+ GSSEAP_ASSERT(!CTX_IS_ESTABLISHED(ctx) || ((outputToken->length == 0) == CTX_IS_INITIATOR(ctx)));
SM_ASSERT_VALID(ctx, major);
--- /dev/null
+/*
+ * Copyright (c) 2011, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Thread local data abstraction, using pthreads on Unix and the TlsXXX
+ * APIs on Windows.
+ */
+
+#include "gssapiP_eap.h"
+
+/* Clean up thread-local data; called on thread detach */
+static void
+destroyThreadLocalData(struct gss_eap_thread_local_data *tld)
+{
+ if (tld->statusInfo != NULL)
+ gssEapDestroyStatusInfo(tld->statusInfo);
+ if (tld->krbContext != NULL)
+ gssEapDestroyKrbContext(tld->krbContext);
+ GSSEAP_FREE(tld);
+}
+
+#ifdef WIN32
+
+/*
+ * This is the TLS index returned by TlsAlloc() on process init.
+ * Each thread, on thread attach in DllMain(), allocates its thread-local
+ * data and uses this index with TlsSetValue() to store it.
+ * It can then subsequently be retrieved with TlsGetValue().
+ */
+static DWORD tlsIndex = TLS_OUT_OF_INDEXES;
+
+/* Access thread-local data */
+struct gss_eap_thread_local_data *
+gssEapGetThreadLocalData(void)
+{
+ struct gss_eap_thread_local_data *tlsData;
+
+ GSSEAP_ASSERT(tlsIndex != TLS_OUT_OF_INDEXES);
+
+ tlsData = TlsGetValue(tlsIndex);
+ if (tlsData == NULL) {
+ tlsData = GSSEAP_CALLOC(1, sizeof(*tlsData));
+ TlsSetValue(tlsIndex, tlsData);
+ }
+
+ return tlsData;
+}
+
+BOOL WINAPI
+DllMain(HINSTANCE hDLL, /* DLL module handle */
+ DWORD reason, /* reason called */
+ LPVOID reserved) /* reserved */
+{
+ struct gss_eap_thread_local_data *tlsData;
+ OM_uint32 major, minor;
+
+ switch (reason) {
+ case DLL_PROCESS_ATTACH:
+ /* Allocate a TLS index. */
+ major = gssEapInitiatorInit(&minor);
+ if (GSS_ERROR(major))
+ return FALSE;
+
+ tlsIndex = TlsAlloc();
+ if (tlsIndex == TLS_OUT_OF_INDEXES)
+ return FALSE;
+ /* No break: Initialize the index for first thread.*/
+ case DLL_THREAD_ATTACH:
+ /* Initialize the TLS index for this thread. */
+ tlsData = GSSEAP_CALLOC(1, sizeof(*tlsData));
+ if (tlsData == NULL)
+ return FALSE;
+ TlsSetValue(tlsIndex, tlsData);
+ break;
+ case DLL_THREAD_DETACH:
+ /* Release the allocated memory for this thread. */
+ tlsData = TlsGetValue(tlsIndex);
+ if (tlsData != NULL) {
+ destroyThreadLocalData(tlsData);
+ TlsSetValue(tlsIndex, NULL);
+ }
+ break;
+ case DLL_PROCESS_DETACH:
+ /* Release the TLS index. */
+ TlsFree(tlsIndex);
+ gssEapFinalize();
+ break;
+ default:
+ break;
+ }
+
+ return TRUE;
+ UNREFERENCED_PARAMETER(hDLL);
+ UNREFERENCED_PARAMETER(reserved);
+}
+
+#else /* WIN32 */
+
+/* pthreads implementation */
+
+static GSSEAP_THREAD_ONCE tldKeyOnce = GSSEAP_ONCE_INITIALIZER;
+static GSSEAP_THREAD_KEY tldKey;
+
+static void
+pthreadDestroyThreadLocalData(void *arg)
+{
+ struct gss_eap_thread_local_data* tld = arg;
+
+ if (tld != NULL)
+ destroyThreadLocalData(tld);
+}
+
+static void
+createThreadLocalDataKey(void)
+{
+ GSSEAP_KEY_CREATE(&tldKey, pthreadDestroyThreadLocalData);
+}
+
+struct gss_eap_thread_local_data *
+gssEapGetThreadLocalData()
+{
+ struct gss_eap_thread_local_data *tld;
+
+ GSSEAP_ONCE(&tldKeyOnce, createThreadLocalDataKey);
+
+ tld = GSSEAP_GETSPECIFIC(tldKey);
+ if (tld == NULL) {
+ tld = GSSEAP_CALLOC(1, sizeof(*tld));
+ if (tld == NULL)
+ return NULL;
+
+ GSSEAP_SETSPECIFIC(tldKey, tld);
+ }
+
+ return tld;
+}
+
+#endif /* WIN32 */
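Review bot: In the pthreads gssEapGetThreadLocalData() the result of `GSSEAP_SETSPECIFIC(tldKey, tld)` is ignored; if pthread_setspecific fails the freshly allocated block is neither stored nor freed, every later call leaks another one, and the key destructor never runs for any of them. Handle it with `if (GSSEAP_SETSPECIFIC(tldKey, tld) != 0) { GSSEAP_FREE(tld); return NULL; }` so callers take their existing NULL path. On Windows, DLL_PROCESS_DETACH calls TlsFree() without destroying the calling thread's block (DLL_THREAD_DETACH is not delivered for that thread), so its krb5 context and status info are leaked; fetch it with TlsGetValue() and run destroyThreadLocalData() before TlsFree(). Calling gssEapInitiatorInit() from DllMain also runs under the loader lock — if that initializer loads other DLLs or starts threads it can deadlock, so deferring it to first use may be safer.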
for (i = 0; i < tokens->buffers.count; i++) {
gss_buffer_t tokenBuffer = &tokens->buffers.elements[i];
- assert((tokens->types[i] & ITOK_FLAG_VERIFIED) == 0); /* private flag */
+ GSSEAP_ASSERT((tokens->types[i] & ITOK_FLAG_VERIFIED) == 0); /* private flag */
/*
* Extensions are encoded as type-length-value, where the upper
p += 8 + tokenBuffer->length;
}
- assert(p == (unsigned char *)buffer->value + required);
- assert(buffer->value != NULL);
+ GSSEAP_ASSERT(p == (unsigned char *)buffer->value + required);
+ GSSEAP_ASSERT(buffer->value != NULL);
major = GSS_S_COMPLETE;
*minor = 0;
{
OM_uint32 major, tmpMinor;
unsigned char *p;
+ size_t count = 0;
size_t remain;
tokens->buffers.count = 0;
goto cleanup;
}
- ntypes = GSSEAP_REALLOC(tokens->types,
- (tokens->buffers.count + 1) * sizeof(OM_uint32));
- if (ntypes == NULL) {
- major = GSS_S_FAILURE;
- *minor = ENOMEM;
- goto cleanup;
+ if (tokens->buffers.count <= count) {
+ if (count == 0)
+ count = 1;
+ else
+ count *= 2;
+
+ ntypes = GSSEAP_MALLOC(count * sizeof(OM_uint32));
+ if (ntypes == NULL) {
+ major = GSS_S_FAILURE;
+ *minor = ENOMEM;
+ goto cleanup;
+ }
+ if (tokens->types != NULL) {
+ memcpy(ntypes, tokens->types, tokens->buffers.count * sizeof(OM_uint32));
+ GSSEAP_FREE(tokens->types);
+ }
+ tokens->types = ntypes;
+
+ newTokenBuffers = GSSEAP_MALLOC(count * sizeof(gss_buffer_desc));
+ if (newTokenBuffers == NULL) {
+ major = GSS_S_FAILURE;
+ *minor = ENOMEM;
+ goto cleanup;
+ }
+ if (tokens->buffers.elements != NULL) {
+ memcpy(newTokenBuffers, tokens->buffers.elements,
+ tokens->buffers.count * sizeof(gss_buffer_desc));
+ GSSEAP_FREE(tokens->buffers.elements);
+ }
+ tokens->buffers.elements = newTokenBuffers;
}
- tokens->types = ntypes;
tokens->types[tokens->buffers.count] = load_uint32_be(&p[0]);
tokenBuffer.length = load_uint32_be(&p[4]);
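Review bot: The grow-copy-free sequence is written out twice in this hunk, once for `tokens->types` (L6056–L6066) and once for `tokens->buffers.elements` (L6068–L6079), and the local `count` holds the allocated capacity while `tokens->buffers.count` is the number of entries in use, which the shared name hides from a reader. A small static helper that grows one array and reports ENOMEM would leave a single doubling step at the call site, make `ntypes`/`newTokenBuffers` unused (their declarations are outside this hunk), and give the capacity-versus-used distinction a place to be documented. Behaviour is unchanged: on the second allocation failing, `tokens->types` has already been swapped for the larger array, which is harmless as long as `cleanup` releases both arrays — presumably it does, but that code is not in the hunk. The enclosing function starts and ends outside this hunk.
```c
/*
 * Grow one of the two parallel per-token arrays from `used` entries of
 * `elemSize` bytes to `capacity` entries, copying the entries in use and
 * releasing the old storage.  On allocation failure *array is left as it
 * was and ENOMEM is returned.
 */
static int
growTokenArray(void **array, size_t used, size_t capacity, size_t elemSize)
{
    void *grown = GSSEAP_MALLOC(capacity * elemSize);

    if (grown == NULL)
        return ENOMEM;

    if (*array != NULL) {
        memcpy(grown, *array, used * elemSize);
        GSSEAP_FREE(*array);
    }
    *array = grown;

    return 0;
}

/* … unchanged: start of the enclosing function and the check on remain … */

        /* `count` is the allocated capacity; tokens->buffers.count is the
         * number of entries in use.  Double the capacity when full. */
        if (tokens->buffers.count <= count) {
            count = (count == 0) ? 1 : count * 2;

            *minor = growTokenArray((void **)&tokens->types,
                                    tokens->buffers.count, count,
                                    sizeof(OM_uint32));
            if (*minor == 0)
                *minor = growTokenArray((void **)&tokens->buffers.elements,
                                        tokens->buffers.count, count,
                                        sizeof(gss_buffer_desc));
            if (*minor != 0) {
                major = GSS_S_FAILURE;
                goto cleanup;
            }
        }

        tokens->types[tokens->buffers.count] = load_uint32_be(&p[0]);
```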
}
tokenBuffer.value = &p[8];
- newTokenBuffers = GSSEAP_REALLOC(tokens->buffers.elements,
- (tokens->buffers.count + 1) * sizeof(gss_buffer_desc));
- if (newTokenBuffers == NULL) {
- major = GSS_S_FAILURE;
- *minor = ENOMEM;
- goto cleanup;
- }
-
- tokens->buffers.elements = newTokenBuffers;
tokens->buffers.elements[tokens->buffers.count] = tokenBuffer;
tokens->buffers.count++;
p += 8 + tokenBuffer.length;
remain -= 8 + tokenBuffer.length;
-
} while (remain != 0);
major = GSS_S_COMPLETE;
size_t
tokenSize(const gss_OID_desc *mech, size_t body_size)
{
- assert(mech != GSS_C_NO_OID);
+ GSSEAP_ASSERT(mech != GSS_C_NO_OID);
/* set body_size to sequence contents size */
body_size += 4 + (size_t) mech->length; /* NEED overflow check */
*(*buf)++ = (unsigned char)mech->length;
memcpy(*buf, mech->elements, mech->length);
*buf += mech->length;
- assert(tok_type != TOK_TYPE_NONE);
+ GSSEAP_ASSERT(tok_type != TOK_TYPE_NONE);
*(*buf)++ = (unsigned char)((tok_type>>8) & 0xff);
*(*buf)++ = (unsigned char)(tok_type & 0xff);
}
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_verify_mic(OM_uint32 *minor,
gss_ctx_id_t ctx,
gss_buffer_t message_buffer,
iov[0].buffer = *message_buffer;
iov[1].type = GSS_IOV_BUFFER_TYPE_HEADER;
- iov[1].buffer.length = 16;
- iov[1].buffer.value = message_token->value;
-
- iov[2].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- iov[2].buffer.length = message_token->length - 16;
- iov[2].buffer.value = (unsigned char *)message_token->value + 16;
+ iov[1].buffer = *message_token;
GSSEAP_MUTEX_LOCK(&ctx->mutex);
major = gssEapUnwrapOrVerifyMIC(minor, ctx, &conf_state, qop_state,
- iov, 3, TOK_TYPE_MIC);
+ iov, 2, TOK_TYPE_MIC);
GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
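Review bot: Rejecting a peer-supplied MIC token that is shorter than the token header now rests entirely with gssEapUnwrapOrVerifyMIC, because the whole token is passed as the single HEADER iov at L6131 and the call at L6135 drops to two iovs, and nothing in this hunk shows that the callee performs that length check (the removed `message_token->length - 16` arithmetic would have wrapped silently on such a token). Please confirm the callee bounds-checks the HEADER buffer length before reading the token header, and record the contract at the call site with a comment above L6131 such as `/* The entire MIC token is the header; gssEapUnwrapOrVerifyMIC is responsible for validating its length. */`. The head and tail of gss_verify_mic lie outside this hunk.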
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_wrap(OM_uint32 *minor,
gss_ctx_id_t ctx,
int conf_req_flag,
if (code != 0)
goto cleanup;
- assert(gssTrailerLen <= 0xFFFF);
+ GSSEAP_ASSERT(gssTrailerLen <= 0xFFFF);
if (trailer == NULL) {
rrc = gssTrailerLen;
return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_wrap_iov(OM_uint32 *minor,
gss_ctx_id_t ctx,
int conf_req_flag,
else
trailer->buffer.length = gssTrailerLen;
- assert(gssPadLen == 0 || padding != NULL);
+ GSSEAP_ASSERT(gssPadLen == 0 || padding != NULL);
if (padding != NULL)
padding->buffer.length = gssPadLen;
return GSS_S_COMPLETE;
}
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_wrap_iov_length(OM_uint32 *minor,
gss_ctx_id_t ctx,
int conf_req_flag,
#include "gssapiP_eap.h"
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
gss_wrap_size_limit(OM_uint32 *minor,
gss_ctx_id_t ctx,
int conf_req_flag,
-Subproject commit 2da7444ecb963a45d0eeb98a41e1532f6cc4c19b
+Subproject commit 09f67dd916b3f4f4b2b31d1fa7bd63f4a4e027f4
-Subproject commit 2c57c433b4b96c94c0291d6b5e4d534cea5b6fe1
+Subproject commit 4efcb740f55f974db739457da340c6adac29c652
-Subproject commit 4d71b0b2f8f0ef6093b383ad9102ec6eec51a090
+Subproject commit 80db697dccef157a81a55328130371b99c916a18