#include "radius/radius.h"
#include "util_radius.h"
#include "utils/radius_utils.h"
+#include "openssl/err.h"
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
+#include "libmoonshot.h"
+#endif
+
+/* methods allowed for phase1 authentication*/
+static const struct eap_method_type allowed_eap_method_types[] = {
+ {EAP_VENDOR_IETF, EAP_TYPE_TTLS},
+ {EAP_VENDOR_IETF, EAP_TYPE_NONE}};
static OM_uint32
policyVariableToFlag(enum eapol_bool_var variable)
case EAPOL_altReject:
flag = CTX_FLAG_EAP_ALT_REJECT;
break;
+ case EAPOL_eapTriggerStart:
+ flag = CTX_FLAG_EAP_TRIGGER_START;
+ break;
}
return flag;
index = CONFIG_BLOB_CLIENT_CERT;
else if (strcmp(name, "private-key") == 0)
index = CONFIG_BLOB_PRIVATE_KEY;
+ else if (strcmp(name, "ca-cert") == 0)
+ index = CONFIG_BLOB_CA_CERT;
else
return NULL;
{
}
+
static struct eapol_callbacks gssEapPolicyCallbacks = {
peerGetConfig,
peerGetBool,
peerSetConfigBlob,
peerGetConfigBlob,
peerNotifyPending,
+ NULL, /* eap_param_needed */
+ NULL /* eap_notify_cert */
};
-#ifdef GSSEAP_DEBUG
-extern int wpa_debug_level;
-#endif
#define CHBIND_SERVICE_NAME_FLAG 0x01
#define CHBIND_HOST_NAME_FLAG 0x02
major = gssEapRadiusAddAttr(minor, &buf,
PW_GSS_ACCEPTOR_REALM_NAME,
0, &nameBuf);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
chbindReqFlags |= CHBIND_REALM_NAME_FLAG;
}
*minor = 0;
cleanup:
- krbFreeUnparsedName(krbContext, &nameBuf);
+ /*namebuf is freed when used and may be left with a unowned pointer*/
wpabuf_free(buf);
return major;
} /* else log failures? */
}
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
+static int cert_to_byte_array(X509 *cert, unsigned char **bytes)
+{
+ unsigned char *buf;
+ unsigned char *p;
+
+ int len = i2d_X509(cert, NULL);
+ if (len <= 0) {
+ return -1;
+ }
+
+ p = buf = GSSEAP_MALLOC(len);
+ if (buf == NULL) {
+ return -1;
+ }
+
+ i2d_X509(cert, &buf);
+
+ *bytes = p;
+ return len;
+}
+
+static int sha256(unsigned char *bytes, int len, unsigned char *hash)
+{
+ EVP_MD_CTX ctx;
+ unsigned int hash_len;
+
+ EVP_MD_CTX_init(&ctx);
+ if (!EVP_DigestInit_ex(&ctx, EVP_sha256(), NULL)) {
+ printf("sha256(init_sec_context.c): EVP_DigestInit_ex failed: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
+ if (!EVP_DigestUpdate(&ctx, bytes, len)) {
+ printf("sha256(init_sec_context.c): EVP_DigestUpdate failed: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
+ if (!EVP_DigestFinal(&ctx, hash, &hash_len)) {
+ printf("sha256(init_sec_context.c): EVP_DigestFinal failed: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
+
+ return hash_len;
+}
+
+static int peerValidateServerCert(int ok_so_far, X509* cert, void *ca_ctx)
+{
+ char *realm = NULL;
+ unsigned char *cert_bytes = NULL;
+ int cert_len;
+ unsigned char hash[32];
+ int hash_len;
+ MoonshotError *error = NULL;
+ struct eap_peer_config *eap_config = (struct eap_peer_config *) ca_ctx;
+ char *identity = strdup((const char *) eap_config->identity);
+
+ // Truncate the identity to just the username; make a separate string for the realm.
+ char* at = strchr(identity, '@');
+ if (at != NULL) {
+ realm = strdup(at + 1);
+ *at = '\0';
+ }
+
+ cert_len = cert_to_byte_array(cert, &cert_bytes);
+ hash_len = sha256(cert_bytes, cert_len, hash);
+ GSSEAP_FREE(cert_bytes);
+
+ if (hash_len != 32) {
+ fprintf(stderr, "peerValidateServerCert: Error: hash_len=%d, not 32!\n", hash_len);
+ return FALSE;
+ }
+
+ ok_so_far = moonshot_confirm_ca_certificate(identity, realm, hash, 32, &error);
+ free(identity);
+ if (realm != NULL) {
+ free(realm);
+ }
+
+ wpa_printf(MSG_INFO, "peerValidateServerCert: Returning %d\n", ok_so_far);
+ return ok_so_far;
+}
+#endif
+
static OM_uint32
peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
{
eapPeerConfig->anonymous_identity_len = 0;
eapPeerConfig->password = NULL;
eapPeerConfig->password_len = 0;
+ eapPeerConfig->eap_methods = (struct eap_method_type *) allowed_eap_method_types;
GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
GSSEAP_KRB_INIT(&krbContext);
eapPeerConfig->fragment_size = 1024;
-#ifdef GSSEAP_DEBUG
- wpa_debug_level = 0;
-#endif
-
+
GSSEAP_ASSERT(cred->name != GSS_C_NO_NAME);
if ((cred->name->flags & (NAME_FLAG_NAI | NAME_FLAG_SERVICE)) == 0) {
eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
+ configBlobs[CONFIG_BLOB_CA_CERT].data = cred->caCertificateBlob.value;
+ configBlobs[CONFIG_BLOB_CA_CERT].len = cred->caCertificateBlob.length;
/* eap channel binding */
if (ctx->initiatorCtx.chbindData != NULL) {
eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value;
eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value;
}
- eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value;
+ eapPeerConfig->private_key_passwd = (char *)cred->password.value;
}
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
+ eapPeerConfig->server_cert_cb = peerValidateServerCert;
+#endif
+ eapPeerConfig->server_cert_ctx = eapPeerConfig;
+
*minor = 0;
return GSS_S_COMPLETE;
}
static OM_uint32
initBegin(OM_uint32 *minor,
gss_ctx_id_t ctx,
- gss_name_t target,
+ gss_const_name_t target,
gss_OID mech,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq,
return major;
if (target != GSS_C_NO_NAME) {
- GSSEAP_MUTEX_LOCK(&target->mutex);
+ GSSEAP_MUTEX_LOCK(&((gss_name_t)target)->mutex);
major = gssEapDuplicateName(minor, target, &ctx->acceptorName);
if (GSS_ERROR(major)) {
- GSSEAP_MUTEX_UNLOCK(&target->mutex);
+ GSSEAP_MUTEX_LOCK(&((gss_name_t)target)->mutex);
return major;
}
- GSSEAP_MUTEX_UNLOCK(&target->mutex);
+ GSSEAP_MUTEX_UNLOCK(&((gss_name_t)target)->mutex);
}
major = gssEapCanonicalizeOid(minor,
eapGssSmInitError(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx GSSEAP_UNUSED,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
p = (unsigned char *)inputToken->value;
major = load_uint32_be(&p[0]);
- *minor = ERROR_TABLE_BASE_eapg + load_uint32_be(&p[4]);
+ *minor = load_uint32_be(&p[4]);
+ if ((*minor >0) && (*minor < 128))
+ * minor += ERROR_TABLE_BASE_eapg;
+ else *minor = 0;
if (!GSS_ERROR(major) || !IS_WIRE_ERROR(*minor)) {
major = GSS_S_FAILURE;
eapGssSmInitGssReauth(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target,
+ gss_const_name_t target,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags,
OM_uint32 timeReq,
* context credential does not currently have the reauth creds.
*/
if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) {
- if (!gssEapCanReauthP(cred, target, timeReq))
+ if (!gssEapCanReauthP(cred, (gss_name_t) target, timeReq))
return GSS_S_CONTINUE_NEEDED;
ctx->flags |= CTX_FLAG_KRB_REAUTH;
GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
- major = gssEapMechToGlueName(minor, target, &mechTarget);
+ major = gssEapMechToGlueName(minor, (gss_name_t) target, &mechTarget);
if (GSS_ERROR(major))
goto cleanup;
eapGssSmInitVendorInfo(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx GSSEAP_UNUSED,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitAcceptorName(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitIdentity(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
OM_uint32 *smFlags)
{
struct eap_config eapConfig;
+ memset(&eapConfig, 0, sizeof(eapConfig));
+ eapConfig.cert_in_cb = 1;
#ifdef GSSEAP_ENABLE_REAUTH
if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE) {
GSSEAP_ASSERT((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0);
GSSEAP_ASSERT(inputToken == GSS_C_NO_BUFFER);
- memset(&eapConfig, 0, sizeof(eapConfig));
-
ctx->initiatorCtx.eap = eap_peer_sm_init(ctx,
&gssEapPolicyCallbacks,
- ctx,
+ NULL, /* ctx?? */
&eapConfig);
if (ctx->initiatorCtx.eap == NULL) {
*minor = GSSEAP_PEER_SM_INIT_FAILURE;
eapGssSmInitAuthenticate(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitGssFlags(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
unsigned char wireFlags[4];
gss_buffer_desc flagsBuf;
+ /*
+ * As a temporary measure, force mutual authentication until channel binding is
+ * more widely deployed.
+ */
+ ctx->gssFlags |= GSS_C_MUTUAL_FLAG;
store_uint32_be(ctx->gssFlags & GSSEAP_WIRE_FLAGS_MASK, wireFlags);
flagsBuf.length = sizeof(wireFlags);
eapGssSmInitGssChannelBindings(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
krb5_data data;
krb5_checksum cksum;
gss_buffer_desc cksumBuffer;
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto;
+#endif
if (chanBindings == GSS_C_NO_CHANNEL_BINDINGS ||
chanBindings->application_data.length == 0)
gssBufferToKrbData(&chanBindings->application_data, &data);
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_init(krbContext, &ctx->rfc3961Key, 0, &krbCrypto);
+ if (code != 0) {
+ *minor = code;
+ return GSS_S_FAILURE;
+ }
+
+ code = krb5_create_checksum(krbContext, krbCrypto,
+ KEY_USAGE_GSSEAP_CHBIND_MIC,
+ ctx->checksumType,
+ data.data, data.length,
+ &cksum);
+ krb5_crypto_destroy(krbContext, krbCrypto);
+#else
code = krb5_c_make_checksum(krbContext, ctx->checksumType,
&ctx->rfc3961Key,
KEY_USAGE_GSSEAP_CHBIND_MIC,
&data, &cksum);
+#endif /* HAVE_HEIMDAL_VERSION */
if (code != 0) {
*minor = code;
return GSS_S_FAILURE;
major = duplicateBuffer(minor, &cksumBuffer, outputToken);
if (GSS_ERROR(major)) {
- krb5_free_checksum_contents(krbContext, &cksum);
+ KRB_CHECKSUM_FREE(krbContext, &cksum);
return major;
}
*minor = 0;
*smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
- krb5_free_checksum_contents(krbContext, &cksum);
+ KRB_CHECKSUM_FREE(krbContext, &cksum);
return GSS_S_CONTINUE_NEEDED;
}
eapGssSmInitInitiatorMIC(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitReauthCreds(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmInitAcceptorMIC(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
if (GSS_ERROR(major))
return major;
- /*
- * As a temporary measure, force mutual authentication until channel binding is
- * more widely deployed.
- */
- ctx->gssFlags |= GSS_C_MUTUAL_FLAG;
GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
*minor = 0;
gssEapInitSecContext(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target_name,
+ gss_const_name_t target_name,
gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
OM_uint32 GSSAPI_CALLCONV
gss_init_sec_context(OM_uint32 *minor,
+#ifdef HAVE_HEIMDAL_VERSION
+ gss_const_cred_id_t cred,
+#else
gss_cred_id_t cred,
+#endif
gss_ctx_id_t *context_handle,
+#ifdef HAVE_HEIMDAL_VERSION
+ gss_const_name_t target_name,
+#else
gss_name_t target_name,
+#endif
gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
GSSEAP_MUTEX_LOCK(&ctx->mutex);
major = gssEapInitSecContext(minor,
- cred,
+ (gss_cred_id_t)cred,
ctx,
target_name,
mech_type,
if (GSS_ERROR(major))
gssEapReleaseContext(&tmpMinor, context_handle);
+ gssEapTraceStatus("gss_init_sec_context", major, *minor);
+
return major;
}
+
projects / mech_eap.git / blobdiff