#ifndef _GSSAPIP_EAP_H_
#define _GSSAPIP_EAP_H_ 1
-#include <gssapi/gssapi.h>
-#include <krb5.h>
+#include <assert.h>
+#include <string.h>
+#include <errno.h>
+#include <time.h>
+/* GSS includes */
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_ext.h>
#include "gssapi_eap.h"
+/* EAP includes */
+#define IEEE8021X_EAPOL 1
+
+#include <common.h>
+#include <eap_peer/eap.h>
+#include <eap_peer/eap_config.h>
+#include <wpabuf.h>
+
+/* Kerberos includes */
+#include <krb5.h>
+
struct gss_name_struct {
OM_uint32 flags;
- krb5_principal principal;
+ krb5_principal kerberosName;
void *aaa;
void *assertion;
};
struct gss_cred_id_struct {
OM_uint32 flags;
- gss_name_t initiatorName;
- gss_name_t acceptorName;
+ gss_name_t name;
gss_buffer_desc password;
+ time_t expiryTime;
};
#define CTX_FLAG_INITIATOR 0x00000001
+#define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
+
enum eap_gss_state {
EAP_STATE_AUTHENTICATE = 1,
EAP_STATE_KEY_TRANSPORT,
EAP_STATE_ESTABLISHED
};
+#define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == EAP_STATE_ESTABLISHED)
+
+/* Initiator context flags */
+#define CTX_FLAG_EAP_SUCCESS 0x00010000
+#define CTX_FLAG_EAP_RESTART 0x00020000
+#define CTX_FLAG_EAP_FAIL 0x00040000
+#define CTX_FLAG_EAP_RESP 0x00080000
+#define CTX_FLAG_EAP_NO_RESP 0x00100000
+#define CTX_FLAG_EAP_REQ 0x00200000
+#define CTX_FLAG_EAP_PORT_ENABLED 0x00400000
+#define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000
+#define CTX_FLAG_EAP_ALT_REJECT 0x01000000
+
+struct eap_gss_initiator_ctx {
+ struct wpabuf *eapReqData;
+ unsigned int idleWhile;
+ struct eap_peer_config eapConfig;
+ struct eap_sm *eap;
+};
+
+/* Acceptor context flags */
+struct eap_gss_acceptor_ctx {
+};
+
struct gss_ctx_id_struct {
enum eap_gss_state state;
OM_uint32 flags;
OM_uint32 gssFlags;
krb5_context kerberosCtx;
gss_OID mechanismUsed;
+ krb5_enctype encryptionType;
krb5_cksumtype checksumType;
- krb5_keyblock *encryptionKey;
+ krb5_keyblock *rfc3961Key;
gss_name_t initiatorName;
gss_name_t acceptorName;
- OM_uint32 lifetime;
+ time_t expiryTime;
+ union {
+ struct eap_gss_initiator_ctx initiator;
+ #define initiatorCtx ctxU.initiator
+ struct eap_gss_acceptor_ctx acceptor;
+ #define acceptorCtx ctxU.acceptor
+ } ctxU;
+ uint64_t sendSeq, recvSeq;
+ void *seqState;
};
-#endif /* _GSSAPIP_EAP_H_ */
+#define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01
+#define TOK_FLAG_WRAP_CONFIDENTIAL 0x02
+#define TOK_FLAG_ACCEPTOR_SUBKEY 0x04
+
+#define KEY_USAGE_ACCEPTOR_SEAL 512
+#define KEY_USAGE_ACCEPTOR_SIGN 513
+#define KEY_USAGE_INITIATOR_SEAL 514
+#define KEY_USAGE_INITIATOR_SIGN 515
+
+enum gss_eap_token_type {
+ TOK_TYPE_EAP_RESP = 0x0601,
+ TOK_TYPE_EAP_REQ = 0x0602,
+ TOK_TYPE_GSS_CB = 0x0603,
+ TOK_TYPE_MIC = 0x0404,
+ TOK_TYPE_WRAP = 0x0504,
+ TOK_TYPE_DELETE = 0x0405,
+ TOK_TYPE_NONE = 0xFFFF
+};
+
+/* wrap_iov.c */
+OM_uint32
+gssEapWrapOrGetMIC(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ int conf_req_flag,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ enum gss_eap_token_type toktype);
+
+OM_uint32
+gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status,
+ gss_ctx_id_t ctx,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count,
+ enum gss_eap_token_type toktype);
+
+#include "util.h"
+
+#endif /* _GSSAPIP_EAP_H_ */