#ifndef _GSSAPIP_EAP_H_
#define _GSSAPIP_EAP_H_ 1
+#include "config.h"
+
#include <assert.h>
#include <string.h>
#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
#include <time.h>
+#include <sys/param.h>
-/* GSS includes */
+/* GSS headers */
#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+#ifndef HAVE_HEIMDAL_VERSION
#include <gssapi/gssapi_ext.h>
+#endif
#include "gssapi_eap.h"
-/* EAP includes */
-#define IEEE8021X_EAPOL 1
+/* Kerberos headers */
+#include <krb5.h>
+/* EAP headers */
#include <common.h>
#include <eap_peer/eap.h>
#include <eap_peer/eap_config.h>
+#include <eap_peer/eap_methods.h>
#include <wpabuf.h>
-/* Kerberos includes */
-#include <krb5.h>
+/* FreeRADIUS headers */
+#ifdef __cplusplus
+extern "C" {
+#define operator fr_operator
+#endif
+#include <freeradius/libradius.h>
+#include <freeradius/radius.h>
+#include <radsec/radsec.h>
+#include <radsec/request.h>
+#ifdef __cplusplus
+#undef operator
+}
+#endif
+
+#include "gsseap_err.h"
+#include "radsec_err.h"
+#include "util.h"
-struct gss_name_struct {
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* These name flags are informative and not actually used by anything yet */
+#define NAME_FLAG_NAI 0x00000001
+#define NAME_FLAG_SERVICE 0x00000002
+#define NAME_FLAG_COMPOSITE 0x00000004
+
+struct gss_eap_saml_attr_ctx;
+struct gss_eap_attr_ctx;
+
+#ifdef HAVE_HEIMDAL_VERSION
+struct gss_name_t_desc_struct
+#else
+struct gss_name_struct
+#endif
+{
+ GSSEAP_MUTEX mutex; /* mutex protects attrCtx */
OM_uint32 flags;
- krb5_principal kerberosName;
- void *aaa;
- void *assertion;
+ krb5_principal krbPrincipal; /* this is immutable */
+ struct gss_eap_attr_ctx *attrCtx;
};
-#define CRED_FLAG_INITIATOR 0x00000001
-#define CRED_FLAG_ACCEPTOR 0x00000002
-#define CRED_FLAG_DEFAULT_IDENTITY 0x00000004
-#define CRED_FLAG_PASSWORD 0x00000008
+#define CRED_FLAG_INITIATE 0x00010000
+#define CRED_FLAG_ACCEPT 0x00020000
+#define CRED_FLAG_DEFAULT_IDENTITY 0x00040000
+#define CRED_FLAG_PASSWORD 0x00080000
+#define CRED_FLAG_DEFAULT_CCACHE 0x00100000
+#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF
-struct gss_cred_id_struct {
+#ifdef HAVE_HEIMDAL_VERSION
+struct gss_cred_id_t_desc_struct
+#else
+struct gss_cred_id_struct
+#endif
+{
+ GSSEAP_MUTEX mutex;
OM_uint32 flags;
gss_name_t name;
gss_buffer_desc password;
+ gss_OID_set mechanisms;
time_t expiryTime;
+ char *radiusConfigFile;
+ char *radiusConfigStanza;
+#ifdef GSSEAP_ENABLE_REAUTH
+ krb5_ccache krbCredCache;
+ gss_cred_id_t krbCred;
+#endif
};
#define CTX_FLAG_INITIATOR 0x00000001
+#define CTX_FLAG_KRB_REAUTH 0x00000002
#define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
-enum eap_gss_state {
- EAP_STATE_AUTHENTICATE = 1,
- EAP_STATE_KEY_TRANSPORT,
- EAP_STATE_SECURE_ASSOCIATION,
- EAP_STATE_GSS_CHANNEL_BINDINGS,
- EAP_STATE_ESTABLISHED
+enum gss_eap_state {
+ GSSEAP_STATE_IDENTITY = 0, /* identify peer */
+ GSSEAP_STATE_AUTHENTICATE, /* exchange EAP messages */
+ GSSEAP_STATE_EXTENSIONS_REQ, /* initiator extensions */
+ GSSEAP_STATE_EXTENSIONS_RESP, /* acceptor extensions */
+ GSSEAP_STATE_ESTABLISHED, /* context established */
+ GSSEAP_STATE_ERROR, /* context error */
+#ifdef GSSEAP_ENABLE_REAUTH
+ GSSEAP_STATE_KRB_REAUTH /* fast reauthentication */
+#endif
};
-#define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == EAP_STATE_ESTABLISHED)
+#define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == GSSEAP_STATE_ESTABLISHED)
/* Initiator context flags */
#define CTX_FLAG_EAP_SUCCESS 0x00010000
#define CTX_FLAG_EAP_PORT_ENABLED 0x00400000
#define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000
#define CTX_FLAG_EAP_ALT_REJECT 0x01000000
+#define CTX_FLAG_EAP_MASK 0xFFFF0000
-struct eap_gss_initiator_ctx {
- struct wpabuf *eapReqData;
+struct gss_eap_initiator_ctx {
+ gss_cred_id_t defaultCred;
unsigned int idleWhile;
- struct eap_peer_config eapConfig;
+#ifndef __cplusplus
+ struct eap_peer_config eapPeerConfig;
struct eap_sm *eap;
+ struct wpabuf reqData;
+#endif
};
-/* Acceptor context flags */
-struct eap_gss_acceptor_ctx {
+struct gss_eap_acceptor_ctx {
+ struct rs_context *radContext;
+ struct rs_connection *radConn;
+ char *radServer;
+ gss_buffer_desc state;
+ VALUE_PAIR *vps;
};
-struct gss_ctx_id_struct {
- enum eap_gss_state state;
+#ifdef HAVE_HEIMDAL_VERSION
+struct gss_ctx_id_t_desc_struct
+#else
+struct gss_ctx_id_struct
+#endif
+{
+ GSSEAP_MUTEX mutex;
+ enum gss_eap_state state;
OM_uint32 flags;
OM_uint32 gssFlags;
- krb5_context kerberosCtx;
gss_OID mechanismUsed;
- krb5_enctype encryptionType;
krb5_cksumtype checksumType;
- krb5_keyblock *encryptionKey;
+ krb5_enctype encryptionType;
+ krb5_keyblock rfc3961Key;
gss_name_t initiatorName;
gss_name_t acceptorName;
time_t expiryTime;
+ uint64_t sendSeq, recvSeq;
+ void *seqState;
union {
- struct eap_gss_initiator_ctx initiator;
+ struct gss_eap_initiator_ctx initiator;
#define initiatorCtx ctxU.initiator
- struct eap_gss_acceptor_ctx acceptor;
+ struct gss_eap_acceptor_ctx acceptor;
#define acceptorCtx ctxU.acceptor
+#ifdef GSSEAP_ENABLE_REAUTH
+ gss_ctx_id_t kerberos;
+ #define kerberosCtx ctxU.kerberos
+#endif
} ctxU;
- uint64_t sendSeq, recvSeq;
- void *seqState;
};
#define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01
#define TOK_FLAG_WRAP_CONFIDENTIAL 0x02
#define TOK_FLAG_ACCEPTOR_SUBKEY 0x04
-enum gss_eap_token_type {
- TOK_TYPE_MIC = 0x0404,
- TOK_TYPE_WRAP = 0x0504,
- TOK_TYPE_DELETE = 0x0405
-};
-
-/* Helper APIs */
-OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
-OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
-
-OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName);
-OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName);
-
-OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
-OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
-
-/* Kerberos token services */
-#define KRB_USAGE_ACCEPTOR_SEAL 22
-#define KRB_USAGE_ACCEPTOR_SIGN 23
-#define KRB_USAGE_INITIATOR_SEAL 24
-#define KRB_USAGE_INITIATOR_SIGN 25
-
-#if 0
-#define KRB_KEYTYPE(key) ((key)->keytype)
-#else
-#define KRB_KEYTYPE(key) ((key)->enctype)
-#endif
-
-/* util_crypt.c */
-int
-gssEapEncrypt(krb5_context context, int dce_style, size_t ec,
- size_t rrc, krb5_keyblock *key, int usage, krb5_pointer iv,
- gss_iov_buffer_desc *iov, int iov_count);
-
-int
-gssEapDecrypt(krb5_context context, int dce_style, size_t ec,
- size_t rrc, krb5_keyblock *key, int usage, krb5_pointer iv,
- gss_iov_buffer_desc *iov, int iov_count);
-
-krb5_cryptotype
-gssEapTranslateCryptoFlag(OM_uint32 type);
-
-gss_iov_buffer_t
-gssEapLocateIov(gss_iov_buffer_desc *iov,
- int iov_count,
- OM_uint32 type);
-
-void
-gssEapIovMessageLength(gss_iov_buffer_desc *iov,
- int iov_count,
- size_t *data_length,
- size_t *assoc_data_length);
-
-void
-gssEapReleaseIov(gss_iov_buffer_desc *iov, int iov_count);
-
-int
-gssEapIsIntegrityOnly(gss_iov_buffer_desc *iov, int iov_count);
-
-int
-gssEapAllocIov(gss_iov_buffer_t iov, size_t size);
-
-/* util_cksum.c */
-int
-gssEapSign(krb5_context context,
- krb5_cksumtype type,
- size_t rrc,
- krb5_keyblock *key,
- krb5_keyusage sign_usage,
- gss_iov_buffer_desc *iov,
- int iov_count);
-
-int
-gssEapVerify(krb5_context context,
- krb5_cksumtype type,
- size_t rrc,
- krb5_keyblock *key,
- krb5_keyusage sign_usage,
- gss_iov_buffer_desc *iov,
- int iov_count,
- int *valid);
+#define KEY_USAGE_ACCEPTOR_SEAL 22
+#define KEY_USAGE_ACCEPTOR_SIGN 23
+#define KEY_USAGE_INITIATOR_SEAL 24
+#define KEY_USAGE_INITIATOR_SIGN 25
/* wrap_iov.c */
OM_uint32
int iov_count,
enum gss_eap_token_type toktype);
-/* Helper macros */
-#define GSSEAP_CALLOC(count, size) (calloc((count), (size)))
-#define GSSEAP_FREE(ptr) (free((ptr)))
-#define GSSEAP_MALLOC(size) (malloc((size)))
-#define GSSEAP_REALLOC(ptr, size) (realloc((ptr), (size)))
+OM_uint32
+gssEapWrapIovLength(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ int *conf_state,
+ gss_iov_buffer_desc *iov,
+ int iov_count);
+OM_uint32
+gssEapWrap(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer);
+
+unsigned char
+rfc4121Flags(gss_ctx_id_t ctx, int receiving);
+
+/* display_status.c */
+void
+gssEapSaveStatusInfo(OM_uint32 minor, const char *format, ...);
-#define GSSEAP_NOT_IMPLEMENTED do { \
- assert(0 && "not implemented"); \
- *minor = ENOSYS; \
- return GSS_S_FAILURE; \
- } while (0)
+#define IS_WIRE_ERROR(err) ((err) > GSSEAP_RESERVED && \
+ (err) <= GSSEAP_RADIUS_PROT_FAILURE)
-#endif /* _GSSAPIP_EAP_H_ */
+#ifdef __cplusplus
+}
+#endif
+#endif /* _GSSAPIP_EAP_H_ */
projects / mech_eap.git / blobdiff