-DEAP_SERVER_GPSK \
-DEAP_SERVER_GPSK_SHA256 \
-DIEEE8021X_EAPOL";
- EAP_LIBS="-leap -lutils -lcrypto -ltls -lssl";
+ EAP_LIBS="-leap -lutils -lcrypto -ltls";
EAP_LDFLAGS="-L$eapdir/eap_example -L$eapdir/src/utils -L$eapdir/src/crypto -L$eapdir/src/tls";
AC_SUBST(EAP_CFLAGS)
AC_SUBST(EAP_LDFLAGS)
fi
])dnl
-AC_DEFUN([AX_CHECK_OPENSSL],
-[AC_MSG_CHECKING(for OpenSSL)
-OPENSSL_DIR=
-found_openssl="no"
-AC_ARG_WITH(openssl,
- AC_HELP_STRING([--with-openssl],
- [Use OpenSSL (in specified installation directory)]),
- [check_openssl_dir="$withval"],
- [check_openssl_dir=])
-for dir in $check_openssl_dir $prefix /usr /usr/local ; do
- openssldir="$dir"
- if test -f "$dir/include/openssl/opensslv.h"; then
- found_openssl="yes";
- OPENSSL_DIR="${openssldir}"
- OPENSSL_CFLAGS="-I$openssldir/include";
- break;
- fi
-done
-AC_MSG_RESULT($found_openssl)
-if test x_$found_openssl != x_yes; then
- AC_MSG_ERROR([
-----------------------------------------------------------------------
- Cannot find OpenSSL libraries.
-
- Please install libssl or specify installation directory with
- --with-openssl=(dir).
-----------------------------------------------------------------------
-])
-else
- printf "OpenSSL found in $openssldir\n";
- OPENSSL_LIBS="-lssl -lcrypto";
- OPENSSL_LDFLAGS="-L$openssldir/lib";
- AC_SUBST(OPENSSL_CFLAGS)
- AC_SUBST(OPENSSL_LDFLAGS)
- AC_SUBST(OPENSSL_LIBS)
-fi
-])dnl
-
AC_DEFUN([AX_CHECK_RADSEC],
[AC_MSG_CHECKING(for radsec)
RADSEC_DIR=
AX_CHECK_SHIBSP
fi
-AX_CHECK_OPENSSL
-
if test "x$acceptor" = "xyes" ; then
AX_CHECK_RADSEC
AX_CHECK_JANSSON
AUTOMAKE_OPTIONS = foreign
-AM_CPPFLAGS = -I$(srcdir)/src -I$(srcdir)/eap_example -I$(srcdir)/src/utils @OPENSSL_CFLAGS@
+AM_CPPFLAGS = -I$(srcdir)/src -I$(srcdir)/eap_example -I$(srcdir)/src/utils
noinst_HEADERS = \
src/common/defs.h \
src/common/eapol_common.h \
SOURCES_BOTH += src/eap_common/eap_sake_common.c
SOURCES_BOTH += src/eap_common/eap_gpsk_common.c
SOURCES_BOTH += src/eap_common/chap.c \
- src/eap_common/chap.h \
+src/eap_common/chap.h \
src/eap_common/eap_common.h \
src/eap_common/eap_defs.h \
src/eap_common/eap_fast_common.h \
CFLAGS += -DCONFIG_IPV6
CFLAGS += -DCONFIG_INTERNAL_LIBTOMMATH
-CFLAGS += -DCONFIG_INTERNAL_SHA1
-CFLAGS += -DEAP_TLS_OPENSSL
-CFLAGS += -DPKCS12_FUNCS
+CFLAGS += -DCONFIG_CRYPTO_INTERNAL
+CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
UTILS_SRCS = src/utils/base64.c \
src/utils/common.c \
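Review bot: `-DCONFIG_CRYPTO_INTERNAL` and `-DCONFIG_TLS_INTERNAL_CLIENT` switch libeap from OpenSSL to hostap's own crypto and TLS client implementation (the matching `src/crypto/crypto_internal*.c` and `src/crypto/tls_internal.c` sources are added in the next hunk), but nothing in the build file records why or what the trade-off is. As far as I recall, upstream hostap's wpa_supplicant defconfig labels `CONFIG_TLS=internal` as experimental, and with no external library behind it, TLS and crypto fixes now only arrive by re-syncing the vendored `src/crypto` and `src/tls` trees. A short comment above these two lines would make that explicit, e.g. `# Use hostap's internal crypto/TLS client instead of OpenSSL (drops the libssl dependency); keep src/crypto and src/tls in sync with upstream hostap to pick up security fixes.`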
src/crypto/aes-ctr.c \
src/crypto/aes-eax.c \
src/crypto/aes-encblock.c \
+ src/crypto/aes-internal.c \
+ src/crypto/aes-internal-dec.c \
+ src/crypto/aes-internal-enc.c \
src/crypto/aes-omac1.c \
src/crypto/aes-unwrap.c \
src/crypto/aes-wrap.c \
+ src/crypto/des-internal.c \
+ src/crypto/dh_group5.c \
+ src/crypto/dh_groups.c \
+ src/crypto/md4-internal.c \
src/crypto/md5.c \
+ src/crypto/md5-internal.c \
src/crypto/md5-non-fips.c \
src/crypto/milenage.c \
src/crypto/ms_funcs.c \
+ src/crypto/rc4.c \
src/crypto/sha1.c \
+ src/crypto/sha1-internal.c \
src/crypto/sha1-pbkdf2.c \
src/crypto/sha1-tlsprf.c \
src/crypto/sha1-tprf.c \
src/crypto/sha256.c \
- src/crypto/crypto_openssl.c \
- src/crypto/tls_openssl.c \
- src/crypto/aes.h \
- src/crypto/aes_i.h \
- src/crypto/aes_wrap.h \
- src/crypto/crypto.h \
- src/crypto/md5.h \
- src/crypto/milenage.h \
- src/crypto/ms_funcs.h \
- src/crypto/sha1.h \
- src/crypto/sha256.h \
- src/crypto/tls.h
+ src/crypto/sha256-internal.c \
+ src/crypto/crypto_internal.c \
+ src/crypto/crypto_internal-cipher.c \
+ src/crypto/crypto_internal-modexp.c \
+ src/crypto/crypto_internal-rsa.c \
+ src/crypto/tls_internal.c \
+ src/crypto/fips_prf_internal.c \
+ src/crypto/aes.h \
+ src/crypto/aes_i.h \
+ src/crypto/aes_wrap.h \
+ src/crypto/crypto.h \
+ src/crypto/des_i.h \
+ src/crypto/dh_group5.h \
+ src/crypto/dh_groups.h \
+ src/crypto/md5.h \
+ src/crypto/md5_i.h \
+ src/crypto/milenage.h \
+ src/crypto/ms_funcs.h \
+ src/crypto/sha1.h \
+ src/crypto/sha1_i.h \
+ src/crypto/sha256.h \
+ src/crypto/tls.h
+
TLS_SRCS = \
src/tls/asn1.c \
src/tls/tlsv1_server_read.c \
src/tls/tlsv1_server_write.c \
src/tls/x509v3.c \
- src/tls/asn1.h \
- src/tls/bignum.h \
- src/tls/pkcs1.h \
- src/tls/pkcs5.h \
- src/tls/pkcs8.h \
- src/tls/rsa.h \
- src/tls/tlsv1_client.h \
- src/tls/tlsv1_client_i.h \
- src/tls/tlsv1_common.h \
- src/tls/tlsv1_cred.h \
- src/tls/tlsv1_record.h \
- src/tls/tlsv1_server.h \
- src/tls/tlsv1_server_i.h \
- src/tls/x509v3.h
-
-libeap_la_SOURCES = $(SOURCES_BOTH) $(SOURCES_peer) $(UTILS_SRCS) $(CRYPTO_SRCS)
+ src/tls/asn1.h \
+ src/tls/bignum.h \
+ src/tls/pkcs1.h \
+ src/tls/pkcs5.h \
+ src/tls/pkcs8.h \
+ src/tls/rsa.h \
+ src/tls/tlsv1_client.h \
+ src/tls/tlsv1_client_i.h \
+ src/tls/tlsv1_common.h \
+ src/tls/tlsv1_cred.h \
+ src/tls/tlsv1_record.h \
+ src/tls/tlsv1_server.h \
+ src/tls/tlsv1_server_i.h \
+ src/tls/x509v3.h
+
+libeap_la_SOURCES = $(SOURCES_BOTH) $(SOURCES_peer) $(UTILS_SRCS) $(CRYPTO_SRCS) $(TLS_SRCS)
noinst_LTLIBRARIES = libeap.la
@TARGET_CFLAGS@ $(EAP_CFLAGS)
mech_eap_la_LDFLAGS = -avoid-version -module \
-export-symbols $(GSSEAP_EXPORTS) -no-undefined \
- @KRB5_LDFLAGS@ @RADSEC_LDFLAGS@ @OPENSSL_LDFLAGS@ @TARGET_LDFLAGS@
+ @KRB5_LDFLAGS@ @RADSEC_LDFLAGS@ @TARGET_LDFLAGS@
if TARGET_WINDOWS
mech_eap_la_LDFLAGS += -debug
endif
mech_eap_la_LIBADD = @KRB5_LIBS@ ../libeap/libeap.la @RADSEC_LIBS@ \
- @OPENSAML_LIBS@ @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@ \
- @OPENSSL_LIBS@
+ @OPENSAML_LIBS@ @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@
mech_eap_la_SOURCES = \
acquire_cred.c \
acquire_cred_with_password.c \
#define CRED_FLAG_DEFAULT_CCACHE 0x00080000
#define CRED_FLAG_RESOLVED 0x00100000
#define CRED_FLAG_TARGET 0x00200000
-#define CRED_FLAG_CERTIFICATE 0x00400000
-#define CRED_FLAG_CONFIG_BLOB 0x00800000
#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF
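Review bot: Removing `CRED_FLAG_CERTIFICATE` (0x00400000) and `CRED_FLAG_CONFIG_BLOB` (0x00800000) leaves an unexplained gap above `CRED_FLAG_TARGET`, so a future flag added there would silently take over a bit that older code understood as "certificate credential". The bits sit above `CRED_FLAG_PUBLIC_MASK`, so presumably callers cannot set them through `GSS_EAP_CRED_SET_CRED_FLAG`, which keeps the risk internal, but it is still worth reserving them. Suggest a one-line comment in place of the removed defines: `/* 0x00400000 and 0x00800000 were CRED_FLAG_CERTIFICATE / CRED_FLAG_CONFIG_BLOB; do not reuse. */`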
#ifdef HAVE_HEIMDAL_VERSION
gss_buffer_desc caCertificate;
gss_buffer_desc subjectNameConstraint;
gss_buffer_desc subjectAltNameConstraint;
- gss_buffer_desc clientCertificate;
- gss_buffer_desc privateKey;
#ifdef GSSEAP_ENABLE_REAUTH
krb5_ccache krbCredCache;
gss_cred_id_t reauthCred;
#define CTX_FLAG_EAP_ALT_REJECT 0x01000000
#define CTX_FLAG_EAP_MASK 0xFFFF0000
-#define CONFIG_BLOB_CLIENT_CERT 0
-#define CONFIG_BLOB_PRIVATE_KEY 1
-#define CONFIG_BLOB_MAX 2
-
struct gss_eap_initiator_ctx {
unsigned int idleWhile;
struct eap_peer_config eapPeerConfig;
struct eap_sm *eap;
struct wpabuf reqData;
- struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX];
};
#ifdef GSSEAP_ENABLE_ACCEPTOR
extern gss_OID GSS_EAP_CRED_SET_CRED_PASSWORD;
/*
- * Path to PKCS#12 private key file for use with EAP-TLS
- * authentication.
- */
-extern gss_OID GSS_EAP_CRED_SET_CRED_PRIVATE_KEY;
-
-
-/*
* Credentials flag indicating the local attributes
* processing should be skipped.
*/
}
static const struct wpa_config_blob *
-peerGetConfigBlob(void *ctx,
- const char *name)
+peerGetConfigBlob(void *ctx GSSEAP_UNUSED,
+ const char *name GSSEAP_UNUSED)
{
- gss_ctx_id_t gssCtx = (gss_ctx_id_t)ctx;
- size_t index;
-
- if (strcmp(name, "client-cert") == 0)
- index = CONFIG_BLOB_CLIENT_CERT;
- else if (strcmp(name, "private-key") == 0)
- index = CONFIG_BLOB_PRIVATE_KEY;
- else
- return NULL;
-
- return &gssCtx->initiatorCtx.configBlobs[index];
+ return NULL;
}
static void
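Review bot: `peerGetConfigBlob` now returns NULL unconditionally while keeping its callback signature, and nothing says why a lookup hook that never finds anything is kept. With client certificates and private keys gone there are no blobs to serve, so any `blob://` reference reaching the EAP peer would presumably fail to resolve; a comment makes the stub read as intentional rather than as an unfinished refactor. Suggest above the function: `/* Configuration blobs are not supported: certificate and private-key credentials were removed, so the EAP peer config never references a blob:// URI. */`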
OM_uint32 major;
krb5_context krbContext;
struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
- struct wpa_config_blob *configBlobs = ctx->initiatorCtx.configBlobs;
gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
gss_cred_id_t cred = ctx->cred;
eapPeerConfig->anonymous_identity_len = 1 + realm.length;
/* password */
- if ((cred->flags & CRED_FLAG_CERTIFICATE) == 0) {
- eapPeerConfig->password = (unsigned char *)cred->password.value;
- eapPeerConfig->password_len = cred->password.length;
- }
+ eapPeerConfig->password = (unsigned char *)cred->password.value;
+ eapPeerConfig->password_len = cred->password.length;
/* certs */
eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
- if (cred->flags & CRED_FLAG_CERTIFICATE) {
- /*
- * CRED_FLAG_CONFIG_BLOB is an internal flag which will be used in the
- * future to directly pass certificate and private key data to the
- * EAP implementation, rather than an indirected string pointer.
- */
- if (cred->flags & CRED_FLAG_CONFIG_BLOB) {
- eapPeerConfig->client_cert = (unsigned char *)"blob://client-cert";
- configBlobs[CONFIG_BLOB_CLIENT_CERT].data = cred->clientCertificate.value;
- configBlobs[CONFIG_BLOB_CLIENT_CERT].len = cred->clientCertificate.length;
-
- eapPeerConfig->client_cert = (unsigned char *)"blob://private-key";
- configBlobs[CONFIG_BLOB_PRIVATE_KEY].data = cred->clientCertificate.value;
- configBlobs[CONFIG_BLOB_PRIVATE_KEY].len = cred->privateKey.length;
- } else {
- eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value;
- eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value;
- }
- eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value;
- }
-
*minor = 0;
return GSS_S_COMPLETE;
}
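Review bot: The two added lines under `/* password */` hand `cred->password` to the EAP peer config unconditionally, so the only thing keeping a NULL `password` with zero `password_len` out of the EAP state machine is the `CRED_FLAG_PASSWORD` check in the credential-resolution hunk at the end of this diff; that invariant is now implicit here. Suggest stating it: `/* The resolved credential always carries CRED_FLAG_PASSWORD now that certificate credentials are gone. */`. The surviving `/* certs */` block (`ca_cert`, `subject_match`, `altsubject_match`) now only configures validation of the server's certificate in the hostap peer config, which is worth saying in that comment as well. The enclosing function starts before this hunk.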
return gssEapSetCredPassword(minor, cred, buffer);
}
-static OM_uint32
-setCredPrivateKey(OM_uint32 *minor,
- gss_cred_id_t cred,
- const gss_OID oid GSSEAP_UNUSED,
- const gss_buffer_t buffer)
-{
- return gssEapSetCredClientCertificate(minor, cred, GSS_C_NO_BUFFER, buffer);
-}
-
static struct {
gss_OID_desc oid;
OM_uint32 (*setOption)(OM_uint32 *, gss_cred_id_t cred,
{ 11, "\x2B\x06\x01\x04\x01\xA9\x4A\x16\x03\x03\x04" },
setCredPassword,
},
- /* 1.3.6.1.4.1.5322.22.3.3.5 */
- {
- { 11, "\x2B\x06\x01\x04\x01\xA9\x4A\x16\x03\x03\x05" },
- setCredPrivateKey,
- },
};
gss_OID GSS_EAP_CRED_SET_RADIUS_CONFIG_FILE = &setCredOps[0].oid;
gss_OID GSS_EAP_CRED_SET_RADIUS_CONFIG_STANZA = &setCredOps[1].oid;
gss_OID GSS_EAP_CRED_SET_CRED_FLAG = &setCredOps[2].oid;
gss_OID GSS_EAP_CRED_SET_CRED_PASSWORD = &setCredOps[3].oid;
-gss_OID GSS_EAP_CRED_SET_CRED_PRIVATE_KEY = &setCredOps[4].oid;
OM_uint32 GSSAPI_CALLCONV
gssspi_set_cred_option(OM_uint32 *minor,
const gss_buffer_t password);
OM_uint32
-gssEapSetCredClientCertificate(OM_uint32 *minor,
- gss_cred_id_t cred,
- const gss_buffer_t clientCert,
- const gss_buffer_t privateKey);
-
-OM_uint32
gssEapSetCredService(OM_uint32 *minor,
gss_cred_id_t cred,
const gss_name_t target);
gss_release_buffer(&tmpMinor, &cred->caCertificate);
gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint);
gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint);
- gss_release_buffer(&tmpMinor, &cred->clientCertificate);
- gss_release_buffer(&tmpMinor, &cred->privateKey);
#ifdef GSSEAP_ENABLE_REAUTH
if (cred->krbCredCache != NULL) {
static OM_uint32
readStaticIdentityFile(OM_uint32 *minor,
gss_buffer_t defaultIdentity,
- gss_buffer_t defaultPassword,
- gss_buffer_t defaultPrivateKey)
+ gss_buffer_t defaultPassword)
{
OM_uint32 major, tmpMinor;
FILE *fp = NULL;
defaultPassword->value = NULL;
}
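Review bot: `readStaticIdentityFile` drops its third output but still has no comment describing the file it parses, and the format has just changed: per the loop further down, the first line is the identity and the second the password, and with the `i == 2` branch removed a third line (formerly the private-key path, per the deleted comment in util_cred.c) is now silently ignored rather than consumed. Suggest a header comment above the function: `/* Read the default identity (line 1) and password (line 2) from the file named by $GSSEAP_IDENTITY (falling back to the user's identity file); either output may be GSS_C_NO_BUFFER, and any further lines are ignored. */`. Since that file holds a cleartext password, the comment could also note that callers are expected to wipe `defaultPassword` with `zeroAndReleasePassword`, as the error path in the later hunk does.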
- if (defaultPrivateKey != GSS_C_NO_BUFFER) {
- defaultPrivateKey->length = 0;
- defaultPrivateKey->value = NULL;
- }
-
ccacheName = getenv("GSSEAP_IDENTITY");
if (ccacheName == NULL) {
#ifdef WIN32
dst = defaultIdentity;
else if (i == 1)
dst = defaultPassword;
- else if (i == 2)
- dst = defaultPrivateKey;
else
break;
if (GSS_ERROR(major)) {
gss_release_buffer(&tmpMinor, defaultIdentity);
zeroAndReleasePassword(defaultPassword);
- gss_release_buffer(&tmpMinor, defaultPrivateKey);
}
memset(buf, 0, sizeof(buf));
*pName = GSS_C_NO_NAME;
- major = readStaticIdentityFile(minor, &defaultIdentity,
- GSS_C_NO_BUFFER, GSS_C_NO_BUFFER);
+ major = readStaticIdentityFile(minor, &defaultIdentity, GSS_C_NO_BUFFER);
if (major == GSS_S_COMPLETE) {
major = gssEapImportName(minor, &defaultIdentity, GSS_C_NT_USER_NAME,
nameMech, pName);
return major;
}
-/*
- * Currently only the privateKey path is exposed to the application
- * (via gss_set_cred_option() or the third line in ~/.gss_eap_id).
- * At some point in the future we may add support for setting the
- * client certificate separately.
- */
-OM_uint32
-gssEapSetCredClientCertificate(OM_uint32 *minor,
- gss_cred_id_t cred,
- const gss_buffer_t clientCert,
- const gss_buffer_t privateKey)
-{
- OM_uint32 major, tmpMinor;
- gss_buffer_desc newClientCert = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc newPrivateKey = GSS_C_EMPTY_BUFFER;
-
- if (cred->flags & CRED_FLAG_RESOLVED) {
- major = GSS_S_FAILURE;
- *minor = GSSEAP_CRED_RESOLVED;
- goto cleanup;
- }
-
- if (clientCert == GSS_C_NO_BUFFER &&
- privateKey == GSS_C_NO_BUFFER) {
- cred->flags &= ~(CRED_FLAG_CERTIFICATE);
- major = GSS_S_COMPLETE;
- *minor = 0;
- goto cleanup;
- }
-
- if (clientCert != GSS_C_NO_BUFFER) {
- major = duplicateBuffer(minor, clientCert, &newClientCert);
- if (GSS_ERROR(major))
- goto cleanup;
- }
-
- if (privateKey != GSS_C_NO_BUFFER) {
- major = duplicateBuffer(minor, privateKey, &newPrivateKey);
- if (GSS_ERROR(major))
- goto cleanup;
- }
-
- cred->flags |= CRED_FLAG_CERTIFICATE;
-
- gss_release_buffer(&tmpMinor, &cred->clientCertificate);
- cred->clientCertificate = newClientCert;
-
- gss_release_buffer(&tmpMinor, &cred->privateKey);
- cred->privateKey = newPrivateKey;
-
- major = GSS_S_COMPLETE;
- *minor = 0;
-
-cleanup:
- if (GSS_ERROR(major)) {
- gss_release_buffer(&tmpMinor, &newClientCert);
- gss_release_buffer(&tmpMinor, &newPrivateKey);
- }
-
- return major;
-}
-
OM_uint32
gssEapSetCredService(OM_uint32 *minor,
gss_cred_id_t cred,
duplicateBufferOrCleanup(&src->subjectNameConstraint, &dst->subjectNameConstraint);
if (src->subjectAltNameConstraint.value != NULL)
duplicateBufferOrCleanup(&src->subjectAltNameConstraint, &dst->subjectAltNameConstraint);
- if (src->clientCertificate.value != NULL)
- duplicateBufferOrCleanup(&src->clientCertificate, &dst->clientCertificate);
- if (src->privateKey.value != NULL)
- duplicateBufferOrCleanup(&src->privateKey, &dst->privateKey);
#ifdef GSSEAP_ENABLE_REAUTH
/* XXX krbCredCache, reauthCred */
gss_buffer_desc defaultIdentity = GSS_C_EMPTY_BUFFER;
gss_name_t defaultIdentityName = GSS_C_NO_NAME;
gss_buffer_desc defaultPassword = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc defaultPrivateKey = GSS_C_EMPTY_BUFFER;
int isDefaultIdentity = FALSE;
- major = readStaticIdentityFile(minor, &defaultIdentity,
- &defaultPassword, &defaultPrivateKey);
+ major = readStaticIdentityFile(minor, &defaultIdentity, &defaultPassword);
if (GSS_ERROR(major))
goto cleanup;
}
}
- if (isDefaultIdentity) {
- if (defaultPrivateKey.length != 0) {
- major = gssEapSetCredClientCertificate(minor, cred, GSS_C_NO_BUFFER,
- &defaultPrivateKey);
- if (GSS_ERROR(major))
- goto cleanup;
- }
-
- if ((cred->flags & CRED_FLAG_PASSWORD) == 0) {
- major = gssEapSetCredPassword(minor, cred, &defaultPassword);
- if (GSS_ERROR(major))
- goto cleanup;
- }
+ if (isDefaultIdentity &&
+ (cred->flags & CRED_FLAG_PASSWORD) == 0) {
+ major = gssEapSetCredPassword(minor, cred, &defaultPassword);
+ if (GSS_ERROR(major))
+ goto cleanup;
}
cleanup:
gssEapReleaseName(&tmpMinor, &defaultIdentityName);
zeroAndReleasePassword(&defaultPassword);
gss_release_buffer(&tmpMinor, &defaultIdentity);
- gss_release_buffer(&tmpMinor, &defaultPrivateKey);
return major;
}
goto cleanup;
/* If we have a caller-supplied password, the credential is resolved. */
- if ((resolvedCred->flags &
- (CRED_FLAG_PASSWORD | CRED_FLAG_CERTIFICATE)) == 0) {
+ if ((resolvedCred->flags & CRED_FLAG_PASSWORD) == 0) {
major = GSS_S_CRED_UNAVAIL;
*minor = GSSEAP_NO_DEFAULT_CRED;
goto cleanup;