From: Luke Howard Date: Tue, 25 Jul 2017 23:11:14 +0000 (+1000) Subject: Avoid MIT compat API when building with Heimdal X-Git-Tag: moonshot-1.0.6-centos6~6 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=commitdiff_plain;h=3f993b33bfbccc6ac801d665a3d77a6f911ff74a Avoid MIT compat API when building with Heimdal This enables linking against the OS X Heimdal.framework --- diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c index c284e8b..b594af0 100644 --- a/mech_eap/accept_sec_context.c +++ b/mech_eap/accept_sec_context.c @@ -688,6 +688,9 @@ eapGssSmAcceptGssChannelBindings(OM_uint32 *minor, krb5_data data; krb5_checksum cksum; krb5_boolean valid = FALSE; +#ifdef HAVE_HEIMDAL_VERSION + krb5_crypto krbCrypto; +#endif if (chanBindings == GSS_C_NO_CHANNEL_BINDINGS || chanBindings->application_data.length == 0) @@ -701,9 +704,29 @@ eapGssSmAcceptGssChannelBindings(OM_uint32 *minor, KRB_CHECKSUM_INIT(&cksum, ctx->checksumType, inputToken); +#ifdef HAVE_HEIMDAL_VERSION + code = krb5_crypto_init(krbContext, &ctx->rfc3961Key, 0, &krbCrypto); + if (code != 0) { + *minor = code; + return GSS_S_FAILURE; + } + + code = krb5_verify_checksum(krbContext, krbCrypto, + KEY_USAGE_GSSEAP_CHBIND_MIC, + data.data, data.length, &cksum); + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + code = 0; + valid = FALSE; + } else if (code == 0) { + valid = TRUE; + } + + krb5_crypto_destroy(krbContext, krbCrypto); +#else code = krb5_c_verify_checksum(krbContext, &ctx->rfc3961Key, KEY_USAGE_GSSEAP_CHBIND_MIC, &data, &cksum, &valid); +#endif /* HAVE_HEIMDAL_VERSION */ if (code != 0) { *minor = code; return GSS_S_FAILURE; diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c index 37bd3d0..7a2fb46 100644 --- a/mech_eap/init_sec_context.c +++ b/mech_eap/init_sec_context.c 
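Review bot: The `krb5_crypto_init` / `krb5_verify_checksum` / `krb5_crypto_destroy` sequence added under `HAVE_HEIMDAL_VERSION` in `eapGssSmAcceptGssChannelBindings` is repeated almost line for line in `eapGssSmInitGssChannelBindings` later in this commit, and the folding of `KRB5KRB_AP_ERR_BAD_INTEGRITY` into `code = 0; valid = FALSE;` is a subtle ABI difference (Heimdal reports a MIC mismatch as an error, MIT reports it through `valid`) that is easy to get wrong in one copy and not the other. I would move both into small wrappers in util_krb.c, e.g. `krb5_error_code krbVerifyChecksum(krb5_context, krb5_keyblock *, krb5_keyusage, const krb5_data *, krb5_checksum *, krb5_boolean *valid)` and a matching `krbMakeChecksum`, so the `#ifdef` pair exists once and the crypto-handle lifecycle cannot drift between the two state machines. At minimum the mapping deserves a comment at the `else if` site: `/* Heimdal signals a MIC mismatch as an error; fold it into valid=FALSE like MIT */`. The hunk ends right after the `code != 0` failure return, so the check that actually rejects `valid == FALSE` is outside this view and should be confirmed to run on both builds; the function itself starts before the hunk.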
@@ -40,7 +40,9 @@ #include "util_radius.h" #include "utils/radius_utils.h" #include "openssl/err.h" +#ifdef HAVE_MOONSHOT_GET_IDENTITY #include "libmoonshot.h" +#endif /* methods allowed for phase1 authentication*/ static const struct eap_method_type allowed_eap_method_types[] = { @@ -361,6 +363,7 @@ peerProcessChbindResponse(void *context, int code, int nsid, } /* else log failures? */ } +#ifdef HAVE_MOONSHOT_GET_IDENTITY static int cert_to_byte_array(X509 *cert, unsigned char **bytes) { unsigned char *buf; @@ -407,7 +410,6 @@ static int sha256(unsigned char *bytes, int len, unsigned char *hash) return hash_len; } - static int peerValidateServerCert(int ok_so_far, X509* cert, void *ca_ctx) { char *realm = NULL; @@ -444,7 +446,7 @@ static int peerValidateServerCert(int ok_so_far, X509* cert, void *ca_ctx) wpa_printf(MSG_INFO, "peerValidateServerCert: Returning %d\n", ok_so_far); return ok_so_far; } - +#endif static OM_uint32 peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) @@ -554,7 +556,9 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) eapPeerConfig->private_key_passwd = (char *)cred->password.value; } +#ifdef HAVE_MOONSHOT_GET_IDENTITY eapPeerConfig->server_cert_cb = peerValidateServerCert; +#endif eapPeerConfig->server_cert_ctx = eapPeerConfig; *minor = 0; @@ -1102,6 +1106,9 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor, krb5_data data; krb5_checksum cksum; gss_buffer_desc cksumBuffer; +#ifdef HAVE_HEIMDAL_VERSION + krb5_crypto krbCrypto; +#endif if (chanBindings == GSS_C_NO_CHANNEL_BINDINGS || chanBindings->application_data.length == 0) 
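Review bot: With `server_cert_cb = peerValidateServerCert` now assigned only under `HAVE_MOONSHOT_GET_IDENTITY`, a build without libmoonshot installs no server-certificate callback in `peerConfigInit` while `server_cert_ctx` is still set on the very next line; whatever verdict `peerValidateServerCert` produced for the EAP server's certificate (its body is mostly outside these hunks, but it takes the cert and `ok_so_far` and returns a result) silently disappears for that configuration. If the rest of the TLS configuration in `peerConfigInit` (outside the hunk) does not also pin a trust anchor such as `ca_cert`/`ca_path`, the EAP-TLS tunnel can be established to an unverified server, which is the classic EAP MITM, so this should be an explicit decision rather than a side effect of an `#ifdef`. I would move `server_cert_ctx` into the same `#ifdef` and add `/* No libmoonshot: the server's identity is checked only by the trust anchors configured elsewhere in peerConfigInit, if any */`, or better keep a non-Moonshot `peerValidateServerCert` that returns `ok_so_far` unchanged so the callback stays wired and only the identity lookup is conditional. `peerConfigInit` begins before this hunk.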
@@ -1113,10 +1120,25 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor, gssBufferToKrbData(&chanBindings->application_data, &data); +#ifdef HAVE_HEIMDAL_VERSION + code = krb5_crypto_init(krbContext, &ctx->rfc3961Key, 0, &krbCrypto); + if (code != 0) { + *minor = code; + return GSS_S_FAILURE; + } + + code = krb5_create_checksum(krbContext, krbCrypto, + KEY_USAGE_GSSEAP_CHBIND_MIC, + ctx->checksumType, + data.data, data.length, + &cksum); + krb5_crypto_destroy(krbContext, krbCrypto); +#else code = krb5_c_make_checksum(krbContext, ctx->checksumType, &ctx->rfc3961Key, KEY_USAGE_GSSEAP_CHBIND_MIC, &data, &cksum); +#endif /* HAVE_HEIMDAL_VERSION */ if (code != 0) { *minor = code; return GSS_S_FAILURE; @@ -1127,14 +1149,14 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor, major = duplicateBuffer(minor, &cksumBuffer, outputToken); if (GSS_ERROR(major)) { - krb5_free_checksum_contents(krbContext, &cksum); + KRB_CHECKSUM_FREE(krbContext, &cksum); return major; } *minor = 0; *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL; - krb5_free_checksum_contents(krbContext, &cksum); + KRB_CHECKSUM_FREE(krbContext, &cksum); return GSS_S_CONTINUE_NEEDED; } diff --git a/mech_eap/util.h b/mech_eap/util.h index 5475dca..2238ac1 100644 --- a/mech_eap/util.h +++ b/mech_eap/util.h @@ -376,6 +376,8 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor, #ifdef HAVE_HEIMDAL_VERSION +#include + #define KRB_TIME_FOREVER ((time_t)~0L) #define KRB_KEY_TYPE(key) ((key)->keytype) @@ -404,6 +406,11 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor, (cksum)->checksum.data = (d)->value; \ } while (0) +#define KRB_CHECKSUM_FREE(ctx, cksum) do { \ + der_free_octet_string(&(cksum)->checksum); \ + memset((cksum), 0, sizeof(*(cksum))); \ + } while (0) + #else #define KRB_TIME_FOREVER KRB5_INT32_MAX 
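Review bot: The new Heimdal `KRB_CHECKSUM_FREE` in util.h releases `(cksum)->checksum` with `der_free_octet_string`, but the adjacent `KRB_CHECKSUM_INIT` (visible in the same hunk) aliases `checksum.data` to the caller's buffer `(d)->value` without copying, so applying the FREE macro to an INIT'd checksum would free a token buffer the context does not own; the accept path in this commit correctly avoids that and the init path frees only a `krb5_create_checksum` result, but the rule is implicit in both the MIT and Heimdal variants. I would document it on the macro: `/* Only for checksums allocated by krb5_create_checksum / krb5_c_make_checksum; never for a KRB_CHECKSUM_INIT view of a token */`, and note that `ctx` is intentionally unused on the Heimdal side. Separately, the `#include` added in the preceding util.h hunk shows no header name in this rendering; presumably the angle-bracketed header that declares `der_free_octet_string` was lost, but it is worth confirming the actual commit names it. Both macros are complete within the hunk; the `#else` MIT branch continues past it.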
@@ -440,6 +447,8 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor, (cksum)->contents = (d)->value; \ } while (0) +#define KRB_CHECKSUM_FREE(ctx, cksum) krb5_free_checksum_contents((ctx), (cksum)) + #endif /* HAVE_HEIMDAL_VERSION */ #define KRB_KEY_INIT(key) do { \ diff --git a/mech_eap/util_context.c b/mech_eap/util_context.c index 039cfdb..b7a50c6 100644 --- a/mech_eap/util_context.c +++ b/mech_eap/util_context.c @@ -353,8 +353,13 @@ gssEapMakeOrVerifyTokenMIC(OM_uint32 *minor, } else { size_t checksumSize; +#ifdef HAVE_HEIMDAL_VERSION + code = krb5_checksumsize(krbContext, ctx->checksumType, + &checksumSize); +#else code = krb5_c_checksum_length(krbContext, ctx->checksumType, &checksumSize); +#endif if (code != 0) goto cleanup; diff --git a/mech_eap/util_krb.c b/mech_eap/util_krb.c index 2a3e970..f629a32 100644 --- a/mech_eap/util_krb.c +++ b/mech_eap/util_krb.c @@ -329,7 +329,7 @@ rfc3961ChecksumTypeForKey(OM_uint32 *minor, *cksumtype = KRB_CHECKSUM_TYPE(&cksum); - krb5_free_checksum_contents(krbContext, &cksum); + KRB_CHECKSUM_FREE(krbContext, &cksum); #endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */ #ifdef HAVE_HEIMDAL_VERSION @@ -480,6 +480,7 @@ krbEnctypeToString( return 0; } +#ifdef GSSEAP_ENABLE_REAUTH krb5_error_code krbMakeAuthDataKdcIssued(krb5_context context, const krb5_keyblock *key, @@ -675,3 +676,4 @@ cleanup: return code; #endif /* HAVE_HEIMDAL_VERSION */ } +#endif /* GSSEAP_ENABLE_REAUTH */ diff --git a/mech_eap/util_name.c b/mech_eap/util_name.c index 7a2e60b..b85565c 100644 --- a/mech_eap/util_name.c +++ b/mech_eap/util_name.c @@ -206,8 +206,13 @@ importServiceName(OM_uint32 *minor, *minor = GSSEAP_BAD_SERVICE_NAME; } - if (realm != NULL) + if (realm != NULL) { +#ifdef HAVE_HEIMDAL_VERSION + krb5_xfree(realm); +#else krb5_free_default_realm(krbContext, realm); +#endif + } GSSEAP_FREE(service); return major;
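Review bot: The Heimdal branch in `importServiceName` releases `realm` with `krb5_xfree`, which is only correct if every path that assigns `realm` obtains it from a Heimdal allocator (presumably `krb5_get_default_realm`); the assignments are earlier in the function, outside this hunk, so I could not confirm there is no path where `realm` is a `GSSEAP_MALLOC` or `strdup` copy, and mixing allocators there could corrupt the heap rather than merely leak. A comment at the free site would pin the contract: `/* realm comes from krb5_get_default_realm(); release it with the library's own allocator */`. The MIT branch keeps `krb5_free_default_realm`, so the two branches agree only as long as that remains the sole source of `realm`; `importServiceName` starts before this hunk.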