#include "util_radius.h"
#include "utils/radius_utils.h"
#include "openssl/err.h"
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
#include "libmoonshot.h"
+#endif
/* methods allowed for phase1 authentication*/
static const struct eap_method_type allowed_eap_method_types[] = {
{
}
-static void peerNotifyCert(void *ctx GSSEAP_UNUSED,
- int depth ,
- const char *subject GSSEAP_UNUSED,
- const char *altsubject[] GSSEAP_UNUSED,
- int num_altsubject GSSEAP_UNUSED,
- const char *cert_hash GSSEAP_UNUSED,
- const struct wpabuf *cert GSSEAP_UNUSED)
-{
- printf("peerNotifyCert: depth=%d; hash=%s (%p)\n", depth, cert_hash, cert_hash);
-}
-
static struct eapol_callbacks gssEapPolicyCallbacks = {
peerGetConfig,
peerGetConfigBlob,
peerNotifyPending,
NULL, /* eap_param_needed */
- peerNotifyCert
+ NULL /* eap_notify_cert */
};
} /* else log failures? */
}
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
static int cert_to_byte_array(X509 *cert, unsigned char **bytes)
{
unsigned char *buf;
return hash_len;
}
-
-static int peerValidateServer(int ok_so_far, X509* cert, void *ca_ctx)
+static int peerValidateServerCert(int ok_so_far, X509* cert, void *ca_ctx)
{
- const char *realm = NULL;
+ char *realm = NULL;
unsigned char *cert_bytes = NULL;
int cert_len;
unsigned char hash[32];
struct eap_peer_config *eap_config = (struct eap_peer_config *) ca_ctx;
char *identity = strdup((const char *) eap_config->identity);
- // Truncate the identity to just the username
+ // Truncate the identity to just the username; make a separate string for the realm.
char* at = strchr(identity, '@');
if (at != NULL) {
+ realm = strdup(at + 1);
*at = '\0';
}
GSSEAP_FREE(cert_bytes);
if (hash_len != 32) {
- printf("peerValidateServer: Error: hash_len=%d, not 32!\n", hash_len);
+ fprintf(stderr, "peerValidateServerCert: Error: hash_len=%d, not 32!\n", hash_len);
return FALSE;
}
- /* This is ugly, but it works -- anonymous_identity is '@' + realm
- * (see peerConfigInit)
- */
- realm = ((char *) eap_config->anonymous_identity) + 1;
-
ok_so_far = moonshot_confirm_ca_certificate(identity, realm, hash, 32, &error);
free(identity);
-
- printf("peerValidateServer: Returning %d\n", ok_so_far);
+ if (realm != NULL) {
+ free(realm);
+ }
+
+ wpa_printf(MSG_INFO, "peerValidateServerCert: Returning %d\n", ok_so_far);
return ok_so_far;
}
-
+#endif
static OM_uint32
peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
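Review bot: The early return on `hash_len != 32` leaks the two heap strings the function now owns — `identity` from `strdup()` at the top of the function and the newly added `realm = strdup(at + 1)` — because only the `moonshot_confirm_ca_certificate` path frees them; the guard should read `free(identity); free(realm); return FALSE;` (free(NULL) is a no-op, so the `if (realm != NULL)` wrapper later is also unnecessary). Neither `strdup()` result is checked, so an allocation failure makes `strchr(identity, '@')` dereference NULL. The rewrite also changes what `realm` holds when the identity has no '@': previously it was derived from `anonymous_identity`, now NULL is passed to `moonshot_confirm_ca_certificate`, and whether that callee accepts NULL is not visible here — worth a comment or an explicit fallback. A smaller point: in hostap's implementation `wpa_printf` appends its own newline, so the trailing `\n` in the `MSG_INFO` message likely prints a blank line. The body of peerValidateServerCert is only partly inside the hunk.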
eapPeerConfig->private_key_passwd = (char *)cred->password.value;
}
- eapPeerConfig->server_cert_cb = peerValidateServer;
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
+ eapPeerConfig->server_cert_cb = peerValidateServerCert;
+#endif
eapPeerConfig->server_cert_ctx = eapPeerConfig;
*minor = 0;
static OM_uint32
initBegin(OM_uint32 *minor,
gss_ctx_id_t ctx,
- gss_name_t target,
+ gss_const_name_t target,
gss_OID mech,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq,
return major;
if (target != GSS_C_NO_NAME) {
- GSSEAP_MUTEX_LOCK(&target->mutex);
+ GSSEAP_MUTEX_LOCK(&((gss_name_t)target)->mutex);
major = gssEapDuplicateName(minor, target, &ctx->acceptorName);
if (GSS_ERROR(major)) {
- GSSEAP_MUTEX_UNLOCK(&target->mutex);
+ GSSEAP_MUTEX_LOCK(&((gss_name_t)target)->mutex);
return major;
}
- GSSEAP_MUTEX_UNLOCK(&target->mutex);
+ GSSEAP_MUTEX_UNLOCK(&((gss_name_t)target)->mutex);
}
major = gssEapCanonicalizeOid(minor,
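Review bot: The error path after `gssEapDuplicateName` now calls `GSSEAP_MUTEX_LOCK` where the removed line had `GSSEAP_MUTEX_UNLOCK`, so a failed name duplication re-locks the target name's mutex and returns with it held, which will deadlock or leak the lock for the next caller that touches `target`. The line should be `GSSEAP_MUTEX_UNLOCK(&((gss_name_t)target)->mutex);`, matching the unlock on the success path two lines below. initBegin continues outside the hunk.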
eapGssSmInitError(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx GSSEAP_UNUSED,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitGssReauth(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target,
+ gss_const_name_t target,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags,
OM_uint32 timeReq,
eapGssSmInitVendorInfo(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx GSSEAP_UNUSED,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitAcceptorName(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitIdentity(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitAuthenticate(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitGssFlags(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitGssChannelBindings(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
krb5_data data;
krb5_checksum cksum;
gss_buffer_desc cksumBuffer;
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto;
+#endif
if (chanBindings == GSS_C_NO_CHANNEL_BINDINGS ||
chanBindings->application_data.length == 0)
gssBufferToKrbData(&chanBindings->application_data, &data);
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_init(krbContext, &ctx->rfc3961Key, 0, &krbCrypto);
+ if (code != 0) {
+ *minor = code;
+ return GSS_S_FAILURE;
+ }
+
+ code = krb5_create_checksum(krbContext, krbCrypto,
+ KEY_USAGE_GSSEAP_CHBIND_MIC,
+ ctx->checksumType,
+ data.data, data.length,
+ &cksum);
+ krb5_crypto_destroy(krbContext, krbCrypto);
+#else
code = krb5_c_make_checksum(krbContext, ctx->checksumType,
&ctx->rfc3961Key,
KEY_USAGE_GSSEAP_CHBIND_MIC,
&data, &cksum);
+#endif /* HAVE_HEIMDAL_VERSION */
if (code != 0) {
*minor = code;
return GSS_S_FAILURE;
major = duplicateBuffer(minor, &cksumBuffer, outputToken);
if (GSS_ERROR(major)) {
- krb5_free_checksum_contents(krbContext, &cksum);
+ KRB_CHECKSUM_FREE(krbContext, &cksum);
return major;
}
*minor = 0;
*smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
- krb5_free_checksum_contents(krbContext, &cksum);
+ KRB_CHECKSUM_FREE(krbContext, &cksum);
return GSS_S_CONTINUE_NEEDED;
}
eapGssSmInitInitiatorMIC(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitReauthCreds(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitAcceptorMIC(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
gssEapInitSecContext(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target_name,
+ gss_const_name_t target_name,
gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
OM_uint32 GSSAPI_CALLCONV
gss_init_sec_context(OM_uint32 *minor,
+#ifdef HAVE_HEIMDAL_VERSION
+ gss_const_cred_id_t cred,
+#else
gss_cred_id_t cred,
+#endif
gss_ctx_id_t *context_handle,
+#ifdef HAVE_HEIMDAL_VERSION
+ gss_const_name_t target_name,
+#else
gss_name_t target_name,
+#endif
gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
GSSEAP_MUTEX_LOCK(&ctx->mutex);
major = gssEapInitSecContext(minor,
- cred,
+ (gss_cred_id_t)cred,
ctx,
target_name,
mech_type,
if (GSS_ERROR(major))
gssEapReleaseContext(&tmpMinor, context_handle);
- gssEapTraceStatus( "gss_init_sec_context", major, *minor);
+ gssEapTraceStatus("gss_init_sec_context", major, *minor);
+
return major;
}