From f5330a69f2af8699c0a8fc335cd18ec66cda1e98 Mon Sep 17 00:00:00 2001 From: Kevin Wasserman Date: Fri, 6 Jun 2014 08:11:03 -0400 Subject: [PATCH] Treat caCertificate as pem contents rather than pem filename --- mech_eap/gssapiP_eap.h | 4 +++- mech_eap/init_sec_context.c | 2 ++ mech_eap/util_cred.c | 3 +++ mech_eap/util_moonshot.c | 39 ++++++++++++++++++++++++++++++++++++++- 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h index 8a997d5..ebb42bf 100644 --- a/mech_eap/gssapiP_eap.h +++ b/mech_eap/gssapiP_eap.h @@ -157,6 +157,7 @@ struct gss_cred_id_struct gss_buffer_desc subjectAltNameConstraint; gss_buffer_desc clientCertificate; gss_buffer_desc privateKey; + gss_buffer_desc caCertificateBlob; #ifdef GSSEAP_ENABLE_REAUTH krb5_ccache krbCredCache; gss_cred_id_t reauthCred; @@ -186,7 +187,8 @@ struct gss_cred_id_struct #define CONFIG_BLOB_CLIENT_CERT 0 #define CONFIG_BLOB_PRIVATE_KEY 1 -#define CONFIG_BLOB_MAX 2 +#define CONFIG_BLOB_CA_CERT 2 +#define CONFIG_BLOB_MAX 3 struct gss_eap_initiator_ctx { unsigned int idleWhile; diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c index 4e8e550..2e3764c 100644 --- a/mech_eap/init_sec_context.c +++ b/mech_eap/init_sec_context.c @@ -415,6 +415,8 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value; eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value; eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value; + configBlobs[CONFIG_BLOB_CA_CERT].data = cred->caCertificateBlob.value; + configBlobs[CONFIG_BLOB_CA_CERT].len = cred->caCertificateBlob.length; /* eap channel binding */ if (ctx->initiatorCtx.chbindData != NULL) { diff --git a/mech_eap/util_cred.c b/mech_eap/util_cred.c index 06bea24..788a68a 100644 --- a/mech_eap/util_cred.c +++ b/mech_eap/util_cred.c @@ -104,6 +104,7 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred) gss_release_buffer(&tmpMinor, &cred->radiusConfigFile); gss_release_buffer(&tmpMinor, &cred->radiusConfigStanza); gss_release_buffer(&tmpMinor, &cred->caCertificate); + gss_release_buffer(&tmpMinor, &cred->caCertificateBlob); gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint); gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint); gss_release_buffer(&tmpMinor, &cred->clientCertificate); @@ -682,6 +683,8 @@ gssEapDuplicateCred(OM_uint32 *minor, duplicateBufferOrCleanup(&src->radiusConfigStanza, &dst->radiusConfigStanza); if (src->caCertificate.value != NULL) duplicateBufferOrCleanup(&src->caCertificate, &dst->caCertificate); + if (src->caCertificateBlob.value != NULL) + duplicateBufferOrCleanup(&src->caCertificateBlob, &dst->caCertificateBlob); if (src->subjectNameConstraint.value != NULL) duplicateBufferOrCleanup(&src->subjectNameConstraint, &dst->subjectNameConstraint); if (src->subjectAltNameConstraint.value != NULL) diff --git a/mech_eap/util_moonshot.c b/mech_eap/util_moonshot.c index 3e7d14f..79594da 100644 --- a/mech_eap/util_moonshot.c +++ b/mech_eap/util_moonshot.c @@ -31,6 +31,9 @@ */ #include "gssapiP_eap.h" +#include +#include +#include #ifdef HAVE_MOONSHOT_GET_IDENTITY #include @@ -155,6 +158,7 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor, char *subjectNameConstraint = NULL; char *subjectAltNameConstraint = NULL; MoonshotError *error = NULL; + BIO *bio = NULL; if (cred->name != GSS_C_NO_NAME) { major = gssEapDisplayName(minor, cred->name, &initiator, NULL); @@ -200,6 +204,7 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor, goto cleanup; gss_release_buffer(&tmpMinor, &cred->caCertificate); + gss_release_buffer(&tmpMinor, &cred->caCertificateBlob); gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint); gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint); @@ -223,7 +228,38 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor, cred->caCertificate.length = HASH_PREFIX_LEN + len; } else if (!stringEmpty(caCertificate)) { - makeStringBufferOrCleanup(caCertificate, &cred->caCertificate); + BUF_MEM *bptr; + X509 *cert; + gss_buffer_desc tmp; + + bio = BIO_new_mem_buf(caCertificate, -1); + if (bio == NULL) { + major = GSS_S_FAILURE; + *minor = ENOMEM; + goto cleanup; + } + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + if (cert == NULL) { + major = GSS_S_FAILURE; + *minor = ENOMEM; + goto cleanup; + } + BIO_free(bio); + bio = BIO_new(BIO_s_mem()); + if (i2d_X509_bio(bio, cert) < 0) { + major = GSS_S_FAILURE; + *minor = ENOMEM; /* TODO */ + goto cleanup; + } + BIO_get_mem_ptr(bio, &bptr); + tmp.value = bptr->data; + tmp.length = bptr->length; + major = duplicateBuffer(minor, &tmp, &cred->caCertificateBlob); + if (major != GSS_S_COMPLETE) { + goto cleanup; + } + BIO_free(bio); + makeStringBufferOrCleanup("blob://ca-cert", &cred->caCertificate); } if (!stringEmpty(subjectNameConstraint)) @@ -238,6 +274,7 @@ cleanup: moonshot_free(caCertificate); moonshot_free(subjectNameConstraint); moonshot_free(subjectAltNameConstraint); + BIO_free(bio); gss_release_buffer(&tmpMinor, &initiator); gss_release_buffer(&tmpMinor, &target); -- 2.1.4