Avoid MIT compat API when building with Heimdal
authorLuke Howard <lukeh@padl.com>
Tue, 25 Jul 2017 23:11:14 +0000 (09:11 +1000)
committerLuke Howard <lukeh@padl.com>
Tue, 25 Jul 2017 23:11:14 +0000 (09:11 +1000)
This enables linking against the OS X Heimdal.framework

mech_eap/accept_sec_context.c
mech_eap/init_sec_context.c
mech_eap/util.h
mech_eap/util_context.c
mech_eap/util_krb.c
mech_eap/util_name.c

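--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@ -688,6 +688,9 @@ eapGssSmAcceptGssChannelBindings(OM_uint32 *minor,
     krb5_data data;
     krb5_checksum cksum;
     krb5_boolean valid = FALSE;
+#ifdef HAVE_HEIMDAL_VERSION
+    krb5_crypto krbCrypto;
+#endif
 
     if (chanBindings == GSS_C_NO_CHANNEL_BINDINGS ||
         chanBindings->application_data.length == 0)
@@ -701,9 +704,29 @@ eapGssSmAcceptGssChannelBindings(OM_uint32 *minor,
 
     KRB_CHECKSUM_INIT(&cksum, ctx->checksumType, inputToken);
 
+#ifdef HAVE_HEIMDAL_VERSION
+    code = krb5_crypto_init(krbContext, &ctx->rfc3961Key, 0, &krbCrypto);
+    if (code != 0) {
+        *minor = code;
+        return GSS_S_FAILURE;
+    }
+
+    code = krb5_verify_checksum(krbContext, krbCrypto,
+                                KEY_USAGE_GSSEAP_CHBIND_MIC,
+                                data.data, data.length, &cksum);
+    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+        code = 0;
+        valid = FALSE;
+    } else if (code == 0) {
+        valid = TRUE;
+    }
+
+    krb5_crypto_destroy(krbContext, krbCrypto);
+#else
     code = krb5_c_verify_checksum(krbContext, &ctx->rfc3961Key,
                                   KEY_USAGE_GSSEAP_CHBIND_MIC,
                                   &data, &cksum, &valid);
+#endif /* HAVE_HEIMDAL_VERSION */
     if (code != 0) {
         *minor = code;
         return GSS_S_FAILURE;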
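Review bot: The Heimdal branch folds KRB5KRB_AP_ERR_BAD_INTEGRITY into `valid = FALSE` with `code = 0` but leaves that translation uncommented, so a reader comparing it with the MIT call below cannot tell it is deliberate rather than an error being swallowed; a comment above the `if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)` such as `/* Heimdal reports a MIC mismatch as an error; map it to valid == FALSE so the caller takes the same path as with MIT */` would settle that. The same krb5_crypto_init/krb5_crypto_destroy bracket around a single checksum operation is repeated in eapGssSmInitGssChannelBindings in init_sec_context.c; a small helper in util_krb.c beside the other Heimdal/MIT shims would keep the key usage and the error mapping in one place. The check that consumes `valid`, and the rest of eapGssSmAcceptGssChannelBindings, lie outside this hunk.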
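--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -40,7 +40,9 @@
 #include "util_radius.h"
 #include "utils/radius_utils.h"
 #include "openssl/err.h"
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
 #include "libmoonshot.h"
+#endif
 
 /* methods allowed for phase1 authentication*/
 static const struct eap_method_type allowed_eap_method_types[] = {
@@ -361,6 +363,7 @@ peerProcessChbindResponse(void *context, int code, int nsid,
     } /* else log failures? */
 }
 
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
 static int cert_to_byte_array(X509 *cert, unsigned char **bytes)
 {
 	unsigned char *buf;
@@ -407,7 +410,6 @@ static int sha256(unsigned char *bytes, int len, unsigned char *hash)
 	return hash_len;
 }
 
-
 static int peerValidateServerCert(int ok_so_far, X509* cert, void *ca_ctx)
 {
     char                 *realm = NULL;
@@ -444,7 +446,7 @@ static int peerValidateServerCert(int ok_so_far, X509* cert, void *ca_ctx)
     wpa_printf(MSG_INFO, "peerValidateServerCert: Returning %d\n", ok_so_far);
     return ok_so_far;
 }
-
+#endif
 
 static OM_uint32
 peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
@@ -554,7 +556,9 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
         eapPeerConfig->private_key_passwd = (char *)cred->password.value;
     }
 
+#ifdef HAVE_MOONSHOT_GET_IDENTITY
     eapPeerConfig->server_cert_cb = peerValidateServerCert;
+#endif
     eapPeerConfig->server_cert_ctx = eapPeerConfig;
 
     *minor = 0;
@@ -1102,6 +1106,9 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor,
     krb5_data data;
     krb5_checksum cksum;
     gss_buffer_desc cksumBuffer;
+#ifdef HAVE_HEIMDAL_VERSION
+    krb5_crypto krbCrypto;
+#endif
 
     if (chanBindings == GSS_C_NO_CHANNEL_BINDINGS ||
         chanBindings->application_data.length == 0)
@@ -1113,10 +1120,25 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor,
 
     gssBufferToKrbData(&chanBindings->application_data, &data);
 
+#ifdef HAVE_HEIMDAL_VERSION
+    code = krb5_crypto_init(krbContext, &ctx->rfc3961Key, 0, &krbCrypto);
+    if (code != 0) {
+        *minor = code;
+        return GSS_S_FAILURE;
+    }
+
+    code = krb5_create_checksum(krbContext, krbCrypto,
+                                KEY_USAGE_GSSEAP_CHBIND_MIC,
+                                ctx->checksumType,
+                                data.data, data.length,
+                                &cksum);
+    krb5_crypto_destroy(krbContext, krbCrypto);
+#else
     code = krb5_c_make_checksum(krbContext, ctx->checksumType,
                                 &ctx->rfc3961Key,
                                 KEY_USAGE_GSSEAP_CHBIND_MIC,
                                 &data, &cksum);
+#endif /* HAVE_HEIMDAL_VERSION */
     if (code != 0) {
         *minor = code;
         return GSS_S_FAILURE;
@@ -1127,14 +1149,14 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor,
 
     major = duplicateBuffer(minor, &cksumBuffer, outputToken);
     if (GSS_ERROR(major)) {
-        krb5_free_checksum_contents(krbContext, &cksum);
+        KRB_CHECKSUM_FREE(krbContext, &cksum);
         return major;
     }
 
     *minor = 0;
     *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
 
-    krb5_free_checksum_contents(krbContext, &cksum);
+    KRB_CHECKSUM_FREE(krbContext, &cksum);
 
     return GSS_S_CONTINUE_NEEDED;
 }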
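Review bot: Guarding the `server_cert_cb` assignment in peerConfigInit with HAVE_MOONSHOT_GET_IDENTITY means a build without libmoonshot silently installs no server-certificate hook at all, while `server_cert_ctx` is still set on the following line. If peerValidateServerCert is what confirms the server certificate against the identity selector (its body is outside this hunk, but cert_to_byte_array and sha256 now sit under the same guard, which suggests so), that confirmation is absent in such builds and acceptance rests solely on the `ok_so_far` the TLS stack hands in. A comment on the `#ifdef`, e.g. `/* Without libmoonshot the identity selector cannot confirm the server certificate; only the TLS stack's own chain validation applies */`, would make that trade-off visible to packagers, and `server_cert_ctx` could move inside the guard so no context is handed to a callback that is never registered. peerConfigInit continues outside the hunk.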
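--- a/mech_eap/util.h
+++ b/mech_eap/util.h
@@ -376,6 +376,8 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor,
 
 #ifdef HAVE_HEIMDAL_VERSION
 
+#include <der.h>
+
 #define KRB_TIME_FOREVER        ((time_t)~0L)
 
 #define KRB_KEY_TYPE(key)       ((key)->keytype)
@@ -404,6 +406,11 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor,
         (cksum)->checksum.data = (d)->value;        \
     } while (0)
 
+#define KRB_CHECKSUM_FREE(ctx, cksum)          do { \
+        der_free_octet_string(&(cksum)->checksum);  \
+        memset((cksum), 0, sizeof(*(cksum)));       \
+    } while (0)
+                                    
 #else
 
 #define KRB_TIME_FOREVER        KRB5_INT32_MAX
@@ -440,6 +447,8 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor,
         (cksum)->contents = (d)->value;             \
     } while (0)
 
+#define KRB_CHECKSUM_FREE(ctx, cksum) krb5_free_checksum_contents((ctx), (cksum))
+
 #endif /* HAVE_HEIMDAL_VERSION */
 
 #define KRB_KEY_INIT(key)       do {        \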
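Review bot: The new KRB_CHECKSUM_FREE pairs with the allocating checksum calls but not with KRB_CHECKSUM_INIT, whose `(cksum)->checksum.data = (d)->value` and `(cksum)->contents = (d)->value` lines alias a caller-owned GSS buffer, so applying the macro to an INIT-ed checksum would free memory the mechanism does not own. A comment on both definitions such as `/* Releases storage allocated by krb5_create_checksum()/krb5_c_make_checksum(); never use on a checksum set up with KRB_CHECKSUM_INIT, which aliases the caller's buffer */` would record that ownership rule where the next maintainer will see it. The `#include <der.h>` lands mid-header inside the HAVE_HEIMDAL_VERSION block rather than with the file's other includes at the top of util.h (outside this diff), and the line following the Heimdal macro is whitespace only; both are worth tidying.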
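--- a/mech_eap/util_context.c
+++ b/mech_eap/util_context.c
@@ -353,8 +353,13 @@ gssEapMakeOrVerifyTokenMIC(OM_uint32 *minor,
     } else {
         size_t checksumSize;
 
+#ifdef HAVE_HEIMDAL_VERSION
+        code = krb5_checksumsize(krbContext, ctx->checksumType,
+                                 &checksumSize);
+#else
         code = krb5_c_checksum_length(krbContext, ctx->checksumType,
                                       &checksumSize);
+#endif
         if (code != 0)
             goto cleanup;
 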
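Review bot: This is the third place in the commit where the Heimdal/MIT checksum API split is spelled out inline (the others are the channel-binding MIC paths in accept_sec_context.c and init_sec_context.c); a shim beside KRB_CHECKSUM_FREE in util.h, e.g. `#define KRB_CHECKSUM_SIZE(ctx, type, sizep) krb5_checksumsize((ctx), (type), (sizep))` under HAVE_HEIMDAL_VERSION and `krb5_c_checksum_length((ctx), (type), (sizep))` otherwise, would keep gssEapMakeOrVerifyTokenMIC free of `#ifdef`s. Both calls return through `code`, which the existing `if (code != 0) goto cleanup;` already handles, so the shim would be a pure relocation. gssEapMakeOrVerifyTokenMIC starts and ends outside this hunk.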
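--- a/mech_eap/util_krb.c
+++ b/mech_eap/util_krb.c
@@ -329,7 +329,7 @@ rfc3961ChecksumTypeForKey(OM_uint32 *minor,
 
     *cksumtype = KRB_CHECKSUM_TYPE(&cksum);
 
-    krb5_free_checksum_contents(krbContext, &cksum);
+    KRB_CHECKSUM_FREE(krbContext, &cksum);
 #endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */
 
 #ifdef HAVE_HEIMDAL_VERSION
@@ -480,6 +480,7 @@ krbEnctypeToString(
     return 0;
 }
 
+#ifdef GSSEAP_ENABLE_REAUTH
 krb5_error_code
 krbMakeAuthDataKdcIssued(krb5_context context,
                          const krb5_keyblock *key,
@@ -675,3 +676,4 @@ cleanup:
     return code;
 #endif /* HAVE_HEIMDAL_VERSION */
 }
+#endif /* GSSEAP_ENABLE_REAUTH */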
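--- a/mech_eap/util_name.c
+++ b/mech_eap/util_name.c
@@ -206,8 +206,13 @@ importServiceName(OM_uint32 *minor,
         *minor = GSSEAP_BAD_SERVICE_NAME;
     }
 
-    if (realm != NULL)
+    if (realm != NULL) {
+#ifdef HAVE_HEIMDAL_VERSION
+        krb5_xfree(realm);
+#else
         krb5_free_default_realm(krbContext, realm);
+#endif
+    }
     GSSEAP_FREE(service);
 
     return major;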
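Review bot: `krb5_xfree(realm)` is only the right release if `realm` came from Heimdal's krb5_get_default_realm as a plain malloc'd string; the call that fills `realm` is outside this hunk, so a one-line comment at the `#ifdef`, `/* Heimdal hands back the default realm as a malloc'd string; krb5_free_default_realm is the MIT-compat spelling this commit avoids */`, would tie the free to its allocator for whoever next touches importServiceName. As with KRB_CHECKSUM_FREE in util.h, a `KRB_FREE_DEFAULT_REALM(ctx, realm)` macro would keep this `#ifdef` out of the function body and give any future caller of krb5_get_default_realm a matching release. importServiceName begins outside the hunk.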