X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=blobdiff_plain;f=mech_eap%2FgssapiP_eap.h;h=aae76be574bcec36707006574d324eba2291ff3b;hp=cd5315d6d457743ce8c34c8d42935b4a83b253ec;hb=HEAD;hpb=5bf61a81066da96847e6317c00db9d4f96447db2 diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h index cd5315d..aae76be 100644 --- a/mech_eap/gssapiP_eap.h +++ b/mech_eap/gssapiP_eap.h @@ -77,8 +77,17 @@ typedef struct gss_any *gss_any_t; typedef const gss_OID_desc *gss_const_OID; #endif +#ifndef GSS_IOV_BUFFER_TYPE_MIC_TOKEN +#define GSS_IOV_BUFFER_TYPE_MIC_TOKEN 12 /* MIC token destination */ +#endif + /* Kerberos headers */ #include +#ifdef HAVE_HEIMDAL_VERSION +#include +#else +#include +#endif /* EAP headers */ #include @@ -90,25 +99,15 @@ typedef const gss_OID_desc *gss_const_OID; #include #ifdef GSSEAP_ENABLE_ACCEPTOR -/* FreeRADIUS headers */ -#ifdef __cplusplus -extern "C" { -#define operator fr_operator -#endif -#include -#include - -#undef pid_t - /* libradsec headers */ #include #include -#ifdef __cplusplus -#undef operator -} +#include #endif -#endif /* GSSEAP_ENABLE_ACCEPTOR */ +#ifndef HAVE_HEIMDAL_VERSION +#include "gssapi_headerfix.h" +#endif #include "gsseap_err.h" #include "radsec_err.h" #include "util.h" @@ -145,6 +144,9 @@ struct gss_name_struct #define CRED_FLAG_PASSWORD 0x00040000 #define CRED_FLAG_DEFAULT_CCACHE 0x00080000 #define CRED_FLAG_RESOLVED 0x00100000 +#define CRED_FLAG_TARGET 0x00200000 +#define CRED_FLAG_CERTIFICATE 0x00400000 +#define CRED_FLAG_CONFIG_BLOB 0x00800000 #define CRED_FLAG_PUBLIC_MASK 0x0000FFFF #ifdef HAVE_HEIMDAL_VERSION @@ -165,6 +167,9 @@ struct gss_cred_id_struct gss_buffer_desc caCertificate; gss_buffer_desc subjectNameConstraint; gss_buffer_desc subjectAltNameConstraint; + gss_buffer_desc clientCertificate; + gss_buffer_desc privateKey; + gss_buffer_desc caCertificateBlob; #ifdef GSSEAP_ENABLE_REAUTH krb5_ccache krbCredCache; gss_cred_id_t reauthCred; @@ -173,6 +178,7 @@ struct gss_cred_id_struct #define CTX_FLAG_INITIATOR 0x00000001 #define CTX_FLAG_KRB_REAUTH 0x00000002 +#define CTX_FLAG_CHANNEL_BINDINGS_VERIFIED 0x00000004 #define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0) @@ -188,13 +194,23 @@ struct gss_cred_id_struct #define CTX_FLAG_EAP_PORT_ENABLED 0x00400000 #define CTX_FLAG_EAP_ALT_ACCEPT 0x00800000 #define CTX_FLAG_EAP_ALT_REJECT 0x01000000 +#define CTX_FLAG_EAP_CHBIND_ACCEPT 0x02000000 +#define CTX_FLAG_EAP_TRIGGER_START 0x04000000 #define CTX_FLAG_EAP_MASK 0xFFFF0000 +#define CONFIG_BLOB_CLIENT_CERT 0 +#define CONFIG_BLOB_PRIVATE_KEY 1 +#define CONFIG_BLOB_CA_CERT 2 +#define CONFIG_BLOB_MAX 3 + struct gss_eap_initiator_ctx { unsigned int idleWhile; struct eap_peer_config eapPeerConfig; struct eap_sm *eap; struct wpabuf reqData; + struct wpabuf *chbindData; + unsigned int chbindReqFlags; + struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX]; }; #ifdef GSSEAP_ENABLE_ACCEPTOR @@ -203,7 +219,7 @@ struct gss_eap_acceptor_ctx { struct rs_connection *radConn; char *radServer; gss_buffer_desc state; - VALUE_PAIR *vps; + rs_avp *vps; }; #endif @@ -243,6 +259,7 @@ struct gss_ctx_id_struct const struct gss_eap_token_buffer_set *outputTokens; }; + #define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01 #define TOK_FLAG_WRAP_CONFIDENTIAL 0x02 #define TOK_FLAG_ACCEPTOR_SUBKEY 0x04 @@ -252,6 +269,10 @@ struct gss_ctx_id_struct #define KEY_USAGE_INITIATOR_SEAL 24 #define KEY_USAGE_INITIATOR_SIGN 25 +#define KEY_USAGE_GSSEAP_CHBIND_MIC 60 +#define KEY_USAGE_GSSEAP_ACCTOKEN_MIC 61 +#define KEY_USAGE_GSSEAP_INITOKEN_MIC 62 + /* accept_sec_context.c */ OM_uint32 gssEapAcceptSecContext(OM_uint32 *minor, @@ -271,7 +292,7 @@ OM_uint32 gssEapInitSecContext(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target_name, + gss_const_name_t target_name, gss_OID mech_type, OM_uint32 req_flags, OM_uint32 time_req, @@ -303,12 +324,14 @@ gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status, OM_uint32 gssEapWrapIovLength(OM_uint32 *minor, - gss_ctx_id_t ctx, + gss_const_ctx_id_t ctx, int conf_req_flag, gss_qop_t qop_req, int *conf_state, gss_iov_buffer_desc *iov, - int iov_count); + int iov_count, + enum gss_eap_token_type tokType); + OM_uint32 gssEapWrap(OM_uint32 *minor, gss_ctx_id_t ctx, @@ -319,7 +342,7 @@ gssEapWrap(OM_uint32 *minor, gss_buffer_t output_message_buffer); unsigned char -rfc4121Flags(gss_ctx_id_t ctx, int receiving); +rfc4121Flags(gss_const_ctx_id_t ctx, int receiving); /* display_status.c */ void @@ -330,12 +353,25 @@ gssEapDisplayStatus(OM_uint32 *minor, OM_uint32 status_value, gss_buffer_t status_string); -#define IS_WIRE_ERROR(err) ((err) > GSSEAP_RESERVED && \ +#define IS_WIRE_ERROR(err) ((err) >= GSSEAP_RESERVED && \ (err) <= GSSEAP_RADIUS_PROT_FAILURE) -/* upper bound of RADIUS error range must be kept in sync with radsec.h */ +#ifdef GSSEAP_ENABLE_ACCEPTOR #define IS_RADIUS_ERROR(err) ((err) >= ERROR_TABLE_BASE_rse && \ - (err) <= ERROR_TABLE_BASE_rse + 20) + (err) <= ERROR_TABLE_BASE_rse + RSE_MAX) +#else +#define IS_RADIUS_ERROR(err) (0) +#endif + +/* exchange_meta_data.c */ +OM_uint32 GSSAPI_CALLCONV +gssEapExchangeMetaData(OM_uint32 *minor, + gss_const_OID mech, + gss_cred_id_t cred, + gss_ctx_id_t *ctx, + const gss_name_t name, + OM_uint32 req_flags, + gss_const_buffer_t meta_data); /* export_sec_context.c */ OM_uint32 @@ -343,14 +379,90 @@ gssEapExportSecContext(OM_uint32 *minor, gss_ctx_id_t ctx, gss_buffer_t token); +/* import_sec_context.c */ +OM_uint32 +gssEapImportContext(OM_uint32 *minor, + gss_buffer_t token, + gss_ctx_id_t ctx); + +/* inquire_sec_context_by_oid.c */ +#define NEGOEX_INITIATOR_SALT "gss-eap-negoex-initiator" +#define NEGOEX_INITIATOR_SALT_LEN (sizeof(NEGOEX_INITIATOR_SALT) - 1) + +#define NEGOEX_ACCEPTOR_SALT "gss-eap-negoex-acceptor" +#define NEGOEX_ACCEPTOR_SALT_LEN (sizeof(NEGOEX_ACCEPTOR_SALT) - 1) + +/* pseudo_random.c */ +OM_uint32 +gssEapPseudoRandom(OM_uint32 *minor, + gss_const_ctx_id_t ctx, + int prf_key, + const gss_buffer_t prf_in, + gss_buffer_t prf_out); + +/* query_mechanism_info.c */ +OM_uint32 +gssQueryMechanismInfo(OM_uint32 *minor, + gss_const_OID mech_oid, + unsigned char auth_scheme[16]); + +/* query_meta_data.c */ +OM_uint32 +gssEapQueryMetaData(OM_uint32 *minor, + gss_const_OID mech GSSEAP_UNUSED, + gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + const gss_name_t name, + OM_uint32 req_flags GSSEAP_UNUSED, + gss_buffer_t meta_data); /* eap_mech.c */ -void -gssEapInitiatorInit(void); +OM_uint32 +gssEapInitiatorInit(OM_uint32 *minor); void gssEapFinalize(void); +/* Debugging and tracing */ + +static inline void +gssEapTraceStatus(const char *function, + OM_uint32 major, + OM_uint32 minor) +{ + gss_buffer_desc gssErrorCodeBuf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc gssMechBuf = GSS_C_EMPTY_BUFFER; + OM_uint32 tmpMajor, tmpMinor; + OM_uint32 messageCtx = 0; + + tmpMajor = gss_display_status(&tmpMinor, major, + GSS_C_GSS_CODE, GSS_C_NO_OID, + &messageCtx, &gssErrorCodeBuf); + if (!GSS_ERROR(tmpMajor)) { + if (minor == 0) + tmpMajor = makeStringBuffer(&tmpMinor, "no minor", &gssMechBuf); + else + tmpMajor = gssEapDisplayStatus(&tmpMinor, minor, &gssMechBuf); + } + + if (!GSS_ERROR(tmpMajor)) + wpa_printf(MSG_INFO, "%s: %.*s/%.*s", + function, + (int)gssErrorCodeBuf.length, (char *)gssErrorCodeBuf.value, + (int)gssMechBuf.length, (char *)gssMechBuf.value); + else + wpa_printf(MSG_INFO, "%s: %u/%u", + function, major, minor); + + gss_release_buffer(&tmpMinor, &gssErrorCodeBuf); + gss_release_buffer(&tmpMinor, &gssMechBuf); +} + +/* If built as a library on Linux, don't respect environment when set*uid */ +#ifdef HAVE_SECURE_GETENV +#define getenv secure_getenv +#endif + #ifdef __cplusplus } #endif