From: Sam Hartman Date: Fri, 13 Sep 2013 19:41:19 +0000 (-0400) Subject: EAP Channel binding support X-Git-Tag: 0.9.2~43 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=commitdiff_plain;h=d81b9e4605c7bd3da62f3679effe124778592b13 EAP Channel binding support Merge remote-tracking branch 'origin/eap-chbind' Conflicts: mech_eap/accept_sec_context.c mech_eap/dictionary.ukerna mech_eap/gsseap_err.et mech_eap/util_radius.h
--- d81b9e4605c7bd3da62f3679effe124778592b13
diff --cc mech_eap/accept_sec_context.c
index 6dfb9b7,5b878b1..9888097
--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@@ -380,20 -373,16 +374,17 @@@ setAcceptorIdentity(OM_uint32 *minor if (*minor != 0) return GSS_S_FAILURE; - nameBuf.value = ssi; - nameBuf.length = strlen(ssi); - - major = gssEapRadiusAddAvp(minor, vps, - PW_GSS_ACCEPTOR_SERVICE_SPECIFIC, - VENDORPEC_UKERNA, + major = gssEapRadiusAddAvp(minor, req, + PW_GSS_ACCEPTOR_SERVICE_SPECIFICS, + 0, &nameBuf); - - if (GSS_ERROR(major)) { - krbFreeUnparsedName(krbContext, &nameBuf); +#ifdef HAVE_HEIMDAL_VERSION + krb5_xfree(ssi); +#else + krb5_free_unparsed_name(krbContext, ssi); +#endif + if (GSS_ERROR(major)) return major; - } - krbFreeUnparsedName(krbContext, &nameBuf); } krbPrincRealmToGssBuffer(krbPrinc, &nameBuf);
diff --cc mech_eap/dictionary.ukerna
index 2928151,8f3f296..235606f
--- a/mech_eap/dictionary.ukerna
+++ b/mech_eap/dictionary.ukerna
@@@ -9,12 -9,13 +9,13 @@@ VENDOR UKERNA 2562 BEGIN-VENDOR UKERNA -ATTRIBUTE GSS-Acceptor-Service-Name 128 string -ATTRIBUTE GSS-Acceptor-Host-Name 129 string -ATTRIBUTE GSS-Acceptor-Service-Specific 130 string -ATTRIBUTE GSS-Acceptor-Realm-Name 131 string -ATTRIBUTE SAML-AAA-Assertion 132 string -ATTRIBUTE MS-Windows-Auth-Data 133 octets -ATTRIBUTE MS-Windows-Group-Sid 134 string +ATTRIBUTE GSS-Acceptor-Service-Name-VS 128 string +ATTRIBUTE GSS-Acceptor-Host-Name-VS 129 string +ATTRIBUTE GSS-Acceptor-Service-Specific-VS 130 string +ATTRIBUTE 
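Review bot: The merged code still hands `&nameBuf` to gssEapRadiusAddAvp for PW_GSS_ACCEPTOR_SERVICE_SPECIFICS, but the two lines that filled that buffer from the unparsed principal, `nameBuf.value = ssi;` and `nameBuf.length = strlen(ssi);`, appear in this hunk only as removed. Unless the merge moved that assignment above the hunk, the AVP is built from whatever nameBuf happened to hold from the preceding attribute, so the AAA server would receive a wrong service-specific component for the acceptor identity that channel binding is meant to verify. setAcceptorIdentity starts and ends outside the hunk, so please confirm against the full function and, if the assignment is gone, restore it immediately before the gssEapRadiusAddAvp call. Freeing `ssi` before the GSS_ERROR check is fine, since the buffer is not read after the call.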
GSS-Acceptor-Realm-Name-VS 131 string +ATTRIBUTE SAML-AAA-Assertion 132 string +ATTRIBUTE MS-Windows-Auth-Data 133 octets +ATTRIBUTE MS-Windows-Group-Sid 134 string + ATTRIBUTE EAP-Channel-Binding-Message 135 octets END-VENDOR UKERNA
diff --cc mech_eap/gsseap_err.et
index 7383601,e26911a..2f0774b
--- a/mech_eap/gsseap_err.et
+++ b/mech_eap/gsseap_err.et
@@@ -70,7 -70,7 +70,8 @@@ error_code GSSEAP_BAD_SERVICE_NAME error_code GSSEAP_BAD_INITIATOR_NAME, "Initiator identity must be a valid name" error_code GSSEAP_NO_HOSTNAME, "Could not determine local host name" error_code GSSEAP_NO_ACCEPTOR_NAME, "Could not determine acceptor identity" +error_code GSSEAP_WRONG_ACCEPTOR_NAME, "Acceptor identity different than expected" + error_code GSSEAP_BAD_ACCEPTOR_NAME, "Acceptor name is too long or has too many components" error_code GSSEAP_BAD_NAME_TOKEN, "Name token is malformed or corrupt" error_code GSSEAP_NO_LOCAL_MAPPING, "Unable to map name to a local identity"
diff --cc mech_eap/util_radius.cpp
index 7d9b9e8,9c5f36f..d8ec3df
--- a/mech_eap/util_radius.cpp
+++ b/mech_eap/util_radius.cpp
@@@ -35,33 -35,24 +35,37 @@@ */ #include "gssapiP_eap.h" + #include "util_radius.h" + #include "utils/radius_utils.h" + + #ifdef GSSEAP_ENABLE_ACCEPTOR -/* stuff that should be provided by libradsec/libfreeradius-radius */ -#define VENDORATTR(vendor, attr) (((vendor) << 16) | (attr)) +#define RS_MAP_ERROR(code) (ERROR_TABLE_BASE_rse + (code)) -#ifndef ATTRID -#define ATTRID(attr) ((attr) & 0xFFFF) -#endif +static rs_avp *copyAvps(rs_const_avp *src); -static gss_buffer_desc radiusUrnPrefix = { - sizeof("urn:x-radius:") - 1, - (void *)"urn:x-radius:" -}; +static OM_uint32 +gssEapRadiusGetAvp(OM_uint32 *minor, + rs_avp *vps, + const gss_eap_attrid &attrid, + gss_buffer_t buffer, + int concat); -static VALUE_PAIR *copyAvps(const VALUE_PAIR *src); +static OM_uint32 +gssEapRadiusAddAvp(OM_uint32 *minor, + rs_avp **vps, + const gss_eap_attrid &attrid, + const gss_buffer_t buffer); + +static 
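Review bot: GSSEAP_WRONG_ACCEPTOR_NAME is inserted between GSSEAP_NO_ACCEPTOR_NAME and GSSEAP_BAD_ACCEPTOR_NAME rather than appended; com_err numbers error_code entries by their position in the table, so every minor code from GSSEAP_BAD_ACCEPTOR_NAME to the end of the table changes value with this commit. That is invisible to callers that only go through gss_display_status in the same build, but anything that logs, persists or compares raw minor status values across mech_eap versions will see the shift; adding new codes at the end of the table avoids it. The message would also read better as `"Acceptor identity different from expected"`.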
gss_eap_attrid +avpToAttrId(rs_const_avp *vp) +{ + gss_eap_attrid attrid; + + rs_avp_attrid(vp, &attrid.second, &attrid.first); + + return attrid; +} gss_eap_radius_attr_provider::gss_eap_radius_attr_provider(void) {
diff --cc mech_eap/util_radius.h
index 4d1463d,8c34167..d4f86ec
--- a/mech_eap/util_radius.h
+++ b/mech_eap/util_radius.h
@@@ -39,8 -39,8 +39,10 @@@ #ifdef __cplusplus +typedef std::pair gss_eap_attrid; + #ifdef GSSEAP_ENABLE_ACCEPTOR + + struct gss_eap_radius_attr_provider : gss_eap_attr_provider { public: gss_eap_radius_attr_provider(void);
@@@ -112,11 -126,13 +116,13 @@@ private extern "C" { #endif + #ifdef GSSEAP_ENABLE_ACCEPTOR + OM_uint32 gssEapRadiusAddAvp(OM_uint32 *minor, - VALUE_PAIR **vp, - uint16_t type, - uint16_t vendor, + struct rs_packet *pkt, + unsigned int type, + unsigned int vendor, const gss_buffer_t buffer); OM_uint32
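Review bot: avpToAttrId fills `attrid` through `rs_avp_attrid(vp, &attrid.second, &attrid.first)`, and neither this function nor the `typedef std::pair gss_eap_attrid;` added in the first util_radius.h hunk says which element is the vendor and which the attribute; assuming rs_avp_attrid's out-parameters are (attribute, vendor) in that order, `first` is the vendor and `second` the attribute, and every caller of the new gssEapRadiusGetAvp/gssEapRadiusAddAvp overloads has to infer that from this one call. A comment on the typedef would settle it, e.g. `/* gss_eap_attrid: first = vendor ID (0 for non-vendor attributes, as accept_sec_context.c passes), second = attribute ID */`, plus a one-line purpose comment on avpToAttrId. The typedef as shown here carries no template arguments, which is more likely the page stripping the angle brackets than the header itself; worth a glance at the real file. The constructor that begins at the end of this hunk continues outside it.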