projects / mech_eap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
include com_err.h for error_message()
[mech_eap.git] / mech_eap / gssapiP_eap.h
1 /*
2  * Copyright (c) 2011, JANET(UK)
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * 3. Neither the name of JANET(UK) nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32
33 #ifndef _GSSAPIP_EAP_H_
34 #define _GSSAPIP_EAP_H_ 1
35
36 #include "config.h"
37
38 #ifdef HAVE_HEIMDAL_VERSION
39 #define KRB5_DEPRECATED         /* so we can use krb5_free_unparsed_name() */
40 #endif
41
42 #include <assert.h>
43 #include <string.h>
44 #include <errno.h>
45 #ifdef HAVE_UNISTD_H
46 #include <unistd.h>
47 #endif
48 #ifdef HAVE_STDLIB_H
49 #include <stdlib.h>
50 #endif
51 #ifdef HAVE_STDARG_H
52 #include <stdarg.h>
53 #endif
54 #include <time.h>
55 #ifdef HAVE_SYS_PARAM_H
56 #include <sys/param.h>
57 #endif
58
59 #ifdef WIN32
60 #ifndef MAXHOSTNAMELEN
61 # include <WinSock2.h>
62 # define MAXHOSTNAMELEN NI_MAXHOST
63 #endif
64 #endif
65
66 /* GSS headers */
67 #include <gssapi/gssapi.h>
68 #include <gssapi/gssapi_krb5.h>
69 #ifdef HAVE_HEIMDAL_VERSION
70 typedef struct gss_any *gss_any_t;
71 #else
72 #include <gssapi/gssapi_ext.h>
73 #endif
74 #include "gssapi_eap.h"
75
76 #ifndef HAVE_GSS_INQUIRE_ATTRS_FOR_MECH
77 typedef const gss_OID_desc *gss_const_OID;
78 #endif
79
80 #ifndef GSS_IOV_BUFFER_TYPE_MIC_TOKEN
81 #define GSS_IOV_BUFFER_TYPE_MIC_TOKEN      12  /* MIC token destination */
82 #endif
83
84 /* Kerberos headers */
85 #include <krb5.h>
86 #include <com_err.h>
87
88 /* EAP headers */
89 #include <includes.h>
90 #include <common.h>
91 #include <eap_peer/eap.h>
92 #include <eap_peer/eap_config.h>
93 #include <eap_peer/eap_methods.h>
94 #include <eap_common/eap_common.h>
95 #include <wpabuf.h>
96
97 #ifdef GSSEAP_ENABLE_ACCEPTOR
98 /* libradsec headers */
99 #include <radsec/radsec.h>
100 #include <radsec/request.h>
101 #include <radsec/radius.h>
102 #endif
103
104 #include "gsseap_err.h"
105 #include "radsec_err.h"
106 #include "util.h"
107
108 #ifdef __cplusplus
109 extern "C" {
110 #endif
111
112 /* These name flags are informative and not actually used by anything yet */
113 #define NAME_FLAG_NAI                       0x00000001
114 #define NAME_FLAG_SERVICE                   0x00000002
115 #define NAME_FLAG_COMPOSITE                 0x00000004
116
117 struct gss_eap_saml_attr_ctx;
118 struct gss_eap_attr_ctx;
119
120 #ifdef HAVE_HEIMDAL_VERSION
121 struct gss_name_t_desc_struct
122 #else
123 struct gss_name_struct
124 #endif
125 {
126     GSSEAP_MUTEX mutex; /* mutex protects attrCtx */
127     OM_uint32 flags;
128     gss_OID mechanismUsed; /* this is immutable */
129     krb5_principal krbPrincipal; /* this is immutable */
130 #ifdef GSSEAP_ENABLE_ACCEPTOR
131     struct gss_eap_attr_ctx *attrCtx;
132 #endif
133 };
134
135 #define CRED_FLAG_INITIATE                  0x00010000
136 #define CRED_FLAG_ACCEPT                    0x00020000
137 #define CRED_FLAG_PASSWORD                  0x00040000
138 #define CRED_FLAG_DEFAULT_CCACHE            0x00080000
139 #define CRED_FLAG_RESOLVED                  0x00100000
140 #define CRED_FLAG_TARGET                    0x00200000
141 #define CRED_FLAG_CERTIFICATE               0x00400000
142 #define CRED_FLAG_CONFIG_BLOB               0x00800000
143 #define CRED_FLAG_PUBLIC_MASK               0x0000FFFF
144
145 #ifdef HAVE_HEIMDAL_VERSION
146 struct gss_cred_id_t_desc_struct
147 #else
148 struct gss_cred_id_struct
149 #endif
150 {
151     GSSEAP_MUTEX mutex;
152     OM_uint32 flags;
153     gss_name_t name;
154     gss_name_t target; /* for initiator */
155     gss_buffer_desc password;
156     gss_OID_set mechanisms;
157     time_t expiryTime;
158     gss_buffer_desc radiusConfigFile;
159     gss_buffer_desc radiusConfigStanza;
160     gss_buffer_desc caCertificate;
161     gss_buffer_desc subjectNameConstraint;
162     gss_buffer_desc subjectAltNameConstraint;
163     gss_buffer_desc clientCertificate;
164     gss_buffer_desc privateKey;
165     gss_buffer_desc caCertificateBlob;
166 #ifdef GSSEAP_ENABLE_REAUTH
167     krb5_ccache krbCredCache;
168     gss_cred_id_t reauthCred;
169 #endif
170 };
171
172 #define CTX_FLAG_INITIATOR                  0x00000001
173 #define CTX_FLAG_KRB_REAUTH                 0x00000002
174 #define CTX_FLAG_CHANNEL_BINDINGS_VERIFIED  0x00000004
175
176 #define CTX_IS_INITIATOR(ctx)               (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
177
178 #define CTX_IS_ESTABLISHED(ctx)             ((ctx)->state == GSSEAP_STATE_ESTABLISHED)
179
180 /* Initiator context flags */
181 #define CTX_FLAG_EAP_SUCCESS                0x00010000
182 #define CTX_FLAG_EAP_RESTART                0x00020000
183 #define CTX_FLAG_EAP_FAIL                   0x00040000
184 #define CTX_FLAG_EAP_RESP                   0x00080000
185 #define CTX_FLAG_EAP_NO_RESP                0x00100000
186 #define CTX_FLAG_EAP_REQ                    0x00200000
187 #define CTX_FLAG_EAP_PORT_ENABLED           0x00400000
188 #define CTX_FLAG_EAP_ALT_ACCEPT             0x00800000
189 #define CTX_FLAG_EAP_ALT_REJECT             0x01000000
190 #define CTX_FLAG_EAP_CHBIND_ACCEPT          0x02000000
191 #define CTX_FLAG_EAP_MASK                   0xFFFF0000
192
193 #define CONFIG_BLOB_CLIENT_CERT             0
194 #define CONFIG_BLOB_PRIVATE_KEY             1
195 #define CONFIG_BLOB_CA_CERT                 2
196 #define CONFIG_BLOB_MAX                     3
197
198 struct gss_eap_initiator_ctx {
199     unsigned int idleWhile;
200     struct eap_peer_config eapPeerConfig;
201     struct eap_sm *eap;
202     struct wpabuf reqData;
203     struct wpabuf *chbindData;
204     unsigned int chbindReqFlags;
205     struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX];
206 };
207
208 #ifdef GSSEAP_ENABLE_ACCEPTOR
209 struct gss_eap_acceptor_ctx {
210     struct rs_context *radContext;
211     struct rs_connection *radConn;
212     char *radServer;
213     gss_buffer_desc state;
214     rs_avp *vps;
215 };
216 #endif
217
218 #ifdef HAVE_HEIMDAL_VERSION
219 struct gss_ctx_id_t_desc_struct
220 #else
221 struct gss_ctx_id_struct
222 #endif
223 {
224     GSSEAP_MUTEX mutex;
225     enum gss_eap_state state;
226     OM_uint32 flags;
227     OM_uint32 gssFlags;
228     gss_OID mechanismUsed;
229     krb5_cksumtype checksumType;
230     krb5_enctype encryptionType;
231     krb5_keyblock rfc3961Key;
232     gss_name_t initiatorName;
233     gss_name_t acceptorName;
234     time_t expiryTime;
235     uint64_t sendSeq, recvSeq;
236     void *seqState;
237     gss_cred_id_t cred;
238     union {
239         struct gss_eap_initiator_ctx initiator;
240         #define initiatorCtx         ctxU.initiator
241 #ifdef GSSEAP_ENABLE_ACCEPTOR
242         struct gss_eap_acceptor_ctx  acceptor;
243         #define acceptorCtx          ctxU.acceptor
244 #endif
245 #ifdef GSSEAP_ENABLE_REAUTH
246         gss_ctx_id_t                 reauth;
247         #define reauthCtx            ctxU.reauth
248 #endif
249     } ctxU;
250     const struct gss_eap_token_buffer_set *inputTokens;
251     const struct gss_eap_token_buffer_set *outputTokens;
252 };
253
254 #define TOK_FLAG_SENDER_IS_ACCEPTOR         0x01
255 #define TOK_FLAG_WRAP_CONFIDENTIAL          0x02
256 #define TOK_FLAG_ACCEPTOR_SUBKEY            0x04
257
258 #define KEY_USAGE_ACCEPTOR_SEAL             22
259 #define KEY_USAGE_ACCEPTOR_SIGN             23
260 #define KEY_USAGE_INITIATOR_SEAL            24
261 #define KEY_USAGE_INITIATOR_SIGN            25
262
263 #define KEY_USAGE_GSSEAP_CHBIND_MIC         60
264 #define KEY_USAGE_GSSEAP_ACCTOKEN_MIC       61
265 #define KEY_USAGE_GSSEAP_INITOKEN_MIC       62
266
267 /* accept_sec_context.c */
268 OM_uint32
269 gssEapAcceptSecContext(OM_uint32 *minor,
270                        gss_ctx_id_t ctx,
271                        gss_cred_id_t cred,
272                        gss_buffer_t input_token,
273                        gss_channel_bindings_t input_chan_bindings,
274                        gss_name_t *src_name,
275                        gss_OID *mech_type,
276                        gss_buffer_t output_token,
277                        OM_uint32 *ret_flags,
278                        OM_uint32 *time_rec,
279                        gss_cred_id_t *delegated_cred_handle);
280
281 /* init_sec_context.c */
282 OM_uint32
283 gssEapInitSecContext(OM_uint32 *minor,
284                      gss_cred_id_t cred,
285                      gss_ctx_id_t ctx,
286                      gss_name_t target_name,
287                      gss_OID mech_type,
288                      OM_uint32 req_flags,
289                      OM_uint32 time_req,
290                      gss_channel_bindings_t input_chan_bindings,
291                      gss_buffer_t input_token,
292                      gss_OID *actual_mech_type,
293                      gss_buffer_t output_token,
294                      OM_uint32 *ret_flags,
295                      OM_uint32 *time_rec);
296
297 /* wrap_iov.c */
298 OM_uint32
299 gssEapWrapOrGetMIC(OM_uint32 *minor,
300                    gss_ctx_id_t ctx,
301                    int conf_req_flag,
302                    int *conf_state,
303                    gss_iov_buffer_desc *iov,
304                    int iov_count,
305                    enum gss_eap_token_type toktype);
306
307 OM_uint32
308 gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status,
309                         gss_ctx_id_t ctx,
310                         int *conf_state,
311                         gss_qop_t *qop_state,
312                         gss_iov_buffer_desc *iov,
313                         int iov_count,
314                         enum gss_eap_token_type toktype);
315
316 OM_uint32
317 gssEapWrapIovLength(OM_uint32 *minor,
318                     gss_ctx_id_t ctx,
319                     int conf_req_flag,
320                     gss_qop_t qop_req,
321                     int *conf_state,
322                     gss_iov_buffer_desc *iov,
323                     int iov_count,
324                     enum gss_eap_token_type tokType);
325
326 OM_uint32
327 gssEapWrap(OM_uint32 *minor,
328            gss_ctx_id_t ctx,
329            int conf_req_flag,
330            gss_qop_t qop_req,
331            gss_buffer_t input_message_buffer,
332            int *conf_state,
333            gss_buffer_t output_message_buffer);
334
335 unsigned char
336 rfc4121Flags(gss_ctx_id_t ctx, int receiving);
337
338 /* display_status.c */
339 void
340 gssEapSaveStatusInfo(OM_uint32 minor, const char *format, ...);
341
342 OM_uint32
343 gssEapDisplayStatus(OM_uint32 *minor,
344                     OM_uint32 status_value,
345                     gss_buffer_t status_string);
346
347 #define IS_WIRE_ERROR(err)              ((err) >= GSSEAP_RESERVED && \
348                                          (err) <= GSSEAP_RADIUS_PROT_FAILURE)
349
350 #ifdef GSSEAP_ENABLE_ACCEPTOR
351 #define IS_RADIUS_ERROR(err)            ((err) >= ERROR_TABLE_BASE_rse && \
352                                          (err) <= ERROR_TABLE_BASE_rse + RSE_MAX)
353 #else
354 #define IS_RADIUS_ERROR(err)            (0)
355 #endif
356
357 /* exchange_meta_data.c */
358 OM_uint32 GSSAPI_CALLCONV
359 gssEapExchangeMetaData(OM_uint32 *minor,
360                        gss_const_OID mech,
361                        gss_cred_id_t cred,
362                        gss_ctx_id_t *ctx,
363                        const gss_name_t name,
364                        OM_uint32 req_flags,
365                        gss_const_buffer_t meta_data);
366
367 /* export_sec_context.c */
368 OM_uint32
369 gssEapExportSecContext(OM_uint32 *minor,
370                        gss_ctx_id_t ctx,
371                        gss_buffer_t token);
372
373 /* import_sec_context.c */
374 OM_uint32
375 gssEapImportContext(OM_uint32 *minor,
376                     gss_buffer_t token,
377                     gss_ctx_id_t ctx);
378
379 /* inquire_sec_context_by_oid.c */
380 #define NEGOEX_INITIATOR_SALT      "gss-eap-negoex-initiator"
381 #define NEGOEX_INITIATOR_SALT_LEN  (sizeof(NEGOEX_INITIATOR_SALT) - 1)
382
383 #define NEGOEX_ACCEPTOR_SALT       "gss-eap-negoex-acceptor"
384 #define NEGOEX_ACCEPTOR_SALT_LEN   (sizeof(NEGOEX_ACCEPTOR_SALT) - 1)
385
386 /* pseudo_random.c */
387 OM_uint32
388 gssEapPseudoRandom(OM_uint32 *minor,
389                    gss_ctx_id_t ctx,
390                    int prf_key,
391                    const gss_buffer_t prf_in,
392                    gss_buffer_t prf_out);
393
394 /* query_mechanism_info.c */
395 OM_uint32
396 gssQueryMechanismInfo(OM_uint32 *minor,
397                       gss_const_OID mech_oid,
398                       unsigned char auth_scheme[16]);
399
400 /* query_meta_data.c */
401 OM_uint32
402 gssEapQueryMetaData(OM_uint32 *minor,
403                     gss_const_OID mech GSSEAP_UNUSED,
404                     gss_cred_id_t cred,
405                     gss_ctx_id_t *context_handle,
406                     const gss_name_t name,
407                     OM_uint32 req_flags GSSEAP_UNUSED,
408                     gss_buffer_t meta_data);
409
410 /* eap_mech.c */
411 OM_uint32
412 gssEapInitiatorInit(OM_uint32 *minor);
413
414 void
415 gssEapFinalize(void);
416
417 /* Debugging and tracing */
418
419 static inline void
420 gssEapTraceStatus(const char *function,
421                   OM_uint32 major,
422                   OM_uint32 minor)
423 {
424     gss_buffer_desc gssErrorCodeBuf = GSS_C_EMPTY_BUFFER;
425     gss_buffer_desc gssMechBuf = GSS_C_EMPTY_BUFFER;
426     OM_uint32 tmpMajor, tmpMinor;
427     OM_uint32 messageCtx = 0;
428
429     tmpMajor = gss_display_status(&tmpMinor, major,
430                                   GSS_C_GSS_CODE, GSS_C_NO_OID,
431                                   &messageCtx, &gssErrorCodeBuf);
432     if (!GSS_ERROR(tmpMajor)) {
433         if (minor == 0)
434             tmpMajor = makeStringBuffer(&tmpMinor, "no minor", &gssMechBuf);
435         else
436             tmpMajor = gssEapDisplayStatus(&tmpMinor, minor, &gssMechBuf);
437     }
438
439     if (!GSS_ERROR(tmpMajor))
440         wpa_printf(MSG_INFO, "%s: %.*s/%.*s",
441                    function,
442                    (int)gssErrorCodeBuf.length, (char *)gssErrorCodeBuf.value,
443                    (int)gssMechBuf.length, (char *)gssMechBuf.value);
444     else
445         wpa_printf(MSG_INFO, "%s: %u/%u",
446                     function, major, minor);
447
448     gss_release_buffer(&tmpMinor, &gssErrorCodeBuf);
449     gss_release_buffer(&tmpMinor, &gssMechBuf);
450 }
451
452 /* If built as a library on Linux, don't respect environment when set*uid */
453 #ifdef HAVE_SECURE_GETENV
454 #define getenv secure_getenv
455 #endif
456
457 #ifdef __cplusplus
458 }
459 #endif
460
461 #endif /* _GSSAPIP_EAP_H_ */
Moonshot GSS-API mechanism