From: Dan Breslau Date: Tue, 25 Oct 2016 20:30:32 +0000 (-0400) Subject: Merged the hostap_2.6 updates, and the Leap of Faith work, from the hostap_update... X-Git-Tag: v0.9.6~2 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=commitdiff_plain;h=f3746d009c6d7f50025af1f58a85e5fee9680be6;hp=d0c7f9be81ac68ecdd6d9d8db02f11666c038e1f Merged the hostap_2.6 updates, and the Leap of Faith work, from the hostap_update branch --- diff --git a/build-aux/compile b/build-aux/compile index 531136b..ea21c33 100755 --- a/build-aux/compile +++ b/build-aux/compile @@ -1,7 +1,7 @@ #! /bin/sh # Wrapper for compilers which do not understand '-c -o'. -scriptversion=2012-10-14.11; # UTC +scriptversion=2016-06-08.14; # UTC # Copyright (C) 1999-2013 Free Software Foundation, Inc. # Written by Tom Tromey . @@ -328,9 +328,9 @@ trap "rmdir '$lockdir'; exit 1" 1 2 15 ret=$? if test -f "$cofile"; then - test "$cofile" = "$ofile" || mv "$cofile" "$ofile" + mv "$cofile" "$ofile" elif test -f "${cofile}bj"; then - test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile" + mv "${cofile}bj" "$ofile" fi rmdir "$lockdir" diff --git a/libeap/src/eap_peer/eap_ttls.c b/libeap/src/eap_peer/eap_ttls.c index 12ea169..1e94345 100644 --- a/libeap/src/eap_peer/eap_ttls.c +++ b/libeap/src/eap_peer/eap_ttls.c @@ -1171,7 +1171,7 @@ static int eap_ttls_add_chbind_request(struct eap_sm *sm, struct eap_ttls_data *data, struct wpabuf **resp) { - struct wpabuf *chbind_req, *res; + struct wpabuf *chbind_req; int length = 1, i; struct eap_peer_config *config = eap_get_config(sm); diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c index 2b97665..c284e8b 100644 --- a/mech_eap/accept_sec_context.c +++ b/mech_eap/accept_sec_context.c @@ -42,7 +42,7 @@ static OM_uint32 eapGssSmAcceptGssReauth(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target, + gss_const_name_t target, gss_OID mech, OM_uint32 reqFlags, OM_uint32 timeReq, 
@@ -135,7 +135,7 @@ static OM_uint32 eapGssSmAcceptAcceptorName(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -164,7 +164,7 @@ static OM_uint32 eapGssSmAcceptVendorInfo(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx GSSEAP_UNUSED, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -190,7 +190,7 @@ static OM_uint32 eapGssSmAcceptIdentity(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -443,14 +443,13 @@ createRadiusHandle(OM_uint32 *minor, * Choose the correct error for an access reject packet. */ static OM_uint32 -eapGssAcceptHandleReject( - OM_uint32 *minor, +eapGssAcceptHandleReject(OM_uint32 *minor, struct rs_packet *response) { rs_avp **vps; - rs_const_avp *vp = NULL; + rs_const_avp *vp = NULL; OM_uint32 major; - const char * reply_message = NULL; + const char *reply_message = NULL; size_t reply_length = 0; rs_packet_avps(response, &vps); @@ -465,11 +464,11 @@ eapGssAcceptHandleReject( PW_ERROR_CAUSE, 0, &vp); if (!GSS_ERROR(major)) { switch (rs_avp_integer_value(vp)) { - /* Values from http://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-18 */ - case 502: /*request not routable (proxy)*/ + /* Values from http://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-18 */ + case 502: /* request not routable (proxy) */ *minor = GSSEAP_RADIUS_UNROUTABLE; break; - case 501: /*administratively prohibited*/ + case 501: /* administratively prohibited */ *minor = GSSEAP_RADIUS_ADMIN_PROHIBIT; break; 
@@ -477,14 +476,18 @@ eapGssAcceptHandleReject( *minor = GSSEAP_RADIUS_AUTH_FAILURE; break; } - } else *minor = GSSEAP_RADIUS_AUTH_FAILURE; + } else + *minor = GSSEAP_RADIUS_AUTH_FAILURE; - if (reply_message) + if (reply_message != NULL) gssEapSaveStatusInfo(*minor, "%s: %.*s", error_message(*minor), reply_length, reply_message); - else gssEapSaveStatusInfo( *minor, "%s", error_message(*minor)); + else + gssEapSaveStatusInfo(*minor, "%s", error_message(*minor)); + return GSS_S_DEFECTIVE_CREDENTIAL; } + /* * Process a EAP response from the initiator. */ @@ -492,7 +495,7 @@ static OM_uint32 eapGssSmAcceptAuthenticate(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -637,7 +640,7 @@ static OM_uint32 eapGssSmAcceptGssFlags(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -671,7 +674,7 @@ static OM_uint32 eapGssSmAcceptGssChannelBindings(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -721,7 +724,7 @@ static OM_uint32 eapGssSmAcceptInitiatorMIC(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, 
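Review bot: The `%.*s` conversion in the `reply_message != NULL` branch is still fed `reply_length`, which this function declares as `size_t`, while a `*` precision consumes an `int`; passing a size_t where the variadic list expects an int is undefined behaviour and only happens to work on ABIs that read the low half of the register. If gssEapSaveStatusInfo is printf-like (inferred from the format string), the argument should be `(int)reply_length`, clamped first if a Reply-Message could ever exceed INT_MAX, e.g. `reply_length > INT_MAX ? INT_MAX : (int)reply_length`. The Reply-Message lookup that fills reply_length sits between this hunk and the previous one, outside both.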
@@ -761,7 +764,7 @@ static OM_uint32 eapGssSmAcceptReauthCreds(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -790,7 +793,7 @@ static OM_uint32 eapGssSmAcceptAcceptorMIC(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -1019,7 +1022,7 @@ static OM_uint32 eapGssSmAcceptGssReauth(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -1077,7 +1080,11 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor, OM_uint32 GSSAPI_CALLCONV gss_accept_sec_context(OM_uint32 *minor, gss_ctx_id_t *context_handle, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_cred_id_t cred, +#else gss_cred_id_t cred, +#endif gss_buffer_t input_token, gss_channel_bindings_t input_chan_bindings, gss_name_t *src_name, @@ -1115,7 +1122,7 @@ gss_accept_sec_context(OM_uint32 *minor, major = gssEapAcceptSecContext(minor, ctx, - cred, + (gss_cred_id_t)cred, input_token, input_chan_bindings, src_name, @@ -1131,5 +1138,6 @@ gss_accept_sec_context(OM_uint32 *minor, gssEapReleaseContext(&tmpMinor, context_handle); gssEapTraceStatus("gss_accept_sec_context", major, *minor); + return major; } diff --git a/mech_eap/acquire_cred.c b/mech_eap/acquire_cred.c index ae2648e..6120532 100644 --- a/mech_eap/acquire_cred.c +++ b/mech_eap/acquire_cred.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_acquire_cred(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_name_t desired_name, +#else gss_name_t desired_name, +#endif OM_uint32 time_req, gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, 
diff --git a/mech_eap/add_cred.c b/mech_eap/add_cred.c index 64d97c0..95a1867 100644 --- a/mech_eap/add_cred.c +++ b/mech_eap/add_cred.c @@ -43,8 +43,13 @@ */ OM_uint32 GSSAPI_CALLCONV gss_add_cred(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_cred_id_t input_cred_handle GSSEAP_UNUSED, + gss_const_name_t desired_name, +#else gss_cred_id_t input_cred_handle GSSEAP_UNUSED, gss_name_t desired_name, +#endif gss_OID desired_mech, gss_cred_usage_t cred_usage, OM_uint32 initiator_time_req, diff --git a/mech_eap/add_cred_with_password.c b/mech_eap/add_cred_with_password.c index b982f0d..742e562 100644 --- a/mech_eap/add_cred_with_password.c +++ b/mech_eap/add_cred_with_password.c @@ -38,8 +38,13 @@ OM_uint32 GSSAPI_CALLCONV gss_add_cred_with_password(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_cred_id_t input_cred_handle GSSEAP_UNUSED, + gss_const_name_t desired_name, +#else const gss_cred_id_t input_cred_handle GSSEAP_UNUSED, const gss_name_t desired_name, +#endif const gss_OID desired_mech, const gss_buffer_t password, gss_cred_usage_t cred_usage, diff --git a/mech_eap/canonicalize_name.c b/mech_eap/canonicalize_name.c index 5e66798..06ed323 100644 --- a/mech_eap/canonicalize_name.c +++ b/mech_eap/canonicalize_name.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_canonicalize_name(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_name_t input_name, +#else const gss_name_t input_name, +#endif const gss_OID mech_type, gss_name_t *output_name) { @@ -54,11 +58,11 @@ gss_canonicalize_name(OM_uint32 *minor, return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME; } - GSSEAP_MUTEX_LOCK(&input_name->mutex); + GSSEAP_MUTEX_LOCK(&((gss_name_t)input_name)->mutex); major = gssEapCanonicalizeName(minor, input_name, mech_type, output_name); - GSSEAP_MUTEX_UNLOCK(&input_name->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_name_t)input_name)->mutex); return major; } diff --git a/mech_eap/compare_name.c b/mech_eap/compare_name.c index 1da8354..94fcecb 100644 
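Review bot: `GSSEAP_MUTEX_LOCK(&((gss_name_t)input_name)->mutex)` drops the const that the Heimdal signature just added, and the same open-coded cast is repeated in context_time.c, duplicate_name.c, export_name.c, inquire_context.c, inquire_cred.c, inquire_cred_by_mech.c, inquire_cred_by_oid.c, inquire_sec_context_by_oid.c, process_context_token.c and unwrap.c. A single helper beside the mutex macros that takes the const handle and performs the cast once, with a comment along the lines of `/* The handle is const to the caller; the mutex is the only field written through it. */`, would keep the const-stripping in one documented place instead of twelve files. The write through the cast is well-defined only because the object itself was not defined const (presumably allocated by this mechanism), which is exactly the reasoning worth stating once.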
--- a/mech_eap/compare_name.c +++ b/mech_eap/compare_name.c @@ -38,8 +38,13 @@ OM_uint32 GSSAPI_CALLCONV gss_compare_name(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_name_t name1, + gss_const_name_t name2, +#else gss_name_t name1, gss_name_t name2, +#endif int *name_equal) { return gssEapCompareName(minor, name1, name2, 0, name_equal); diff --git a/mech_eap/context_time.c b/mech_eap/context_time.c index ae47d6c..86a2761 100644 --- a/mech_eap/context_time.c +++ b/mech_eap/context_time.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_context_time(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_ctx_id_t ctx, +#else gss_ctx_id_t ctx, +#endif OM_uint32 *time_rec) { OM_uint32 major; @@ -50,7 +54,7 @@ gss_context_time(OM_uint32 *minor, *minor = 0; - GSSEAP_MUTEX_LOCK(&ctx->mutex); + GSSEAP_MUTEX_LOCK(&((gss_ctx_id_t)ctx)->mutex); if (!CTX_IS_ESTABLISHED(ctx)) { *minor = GSSEAP_CONTEXT_INCOMPLETE; @@ -63,7 +67,7 @@ gss_context_time(OM_uint32 *minor, goto cleanup; cleanup: - GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex); return major; } diff --git a/mech_eap/dictionary.ukerna b/mech_eap/dictionary.ukerna index 335796f..93141fb 100644 --- a/mech_eap/dictionary.ukerna +++ b/mech_eap/dictionary.ukerna 
@@ -16,11 +16,11 @@ ATTRIBUTE GSS-Acceptor-Realm-Name-VS 131 string ATTRIBUTE SAML-AAA-Assertion 132 string ATTRIBUTE MS-Windows-Auth-Data 133 octets ATTRIBUTE MS-Windows-Group-Sid 134 string -ATTRIBUTE EAP-Channel-Binding-Message 135 octets -ATTRIBUTE Trust-Router-COI 136 string -ATTRIBUTE Trust-Router-APC 137 string -attribute Moonshot-Host-TargetedId 138 string -attribute Moonshot-Realm-TargetedId 139 string -attribute Moonshot-TR-COI-TargetedId 140 string +ATTRIBUTE EAP-Channel-Binding-Message 135 octets +ATTRIBUTE Trust-Router-COI 136 string +ATTRIBUTE Trust-Router-APC 137 string +ATTRIBUTE Moonshot-Host-TargetedId 138 string +ATTRIBUTE Moonshot-Realm-TargetedId 139 string +ATTRIBUTE Moonshot-TR-COI-TargetedId 140 string END-VENDOR UKERNA diff --git a/mech_eap/display_name.c b/mech_eap/display_name.c index 2d87e66..b242fad 100644 --- a/mech_eap/display_name.c +++ b/mech_eap/display_name.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_display_name(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_name_t name, +#else gss_name_t name, +#endif gss_buffer_t output_name_buffer, gss_OID *output_name_type) { diff --git a/mech_eap/duplicate_name.c b/mech_eap/duplicate_name.c index 303619e..1f10c5d 100644 --- a/mech_eap/duplicate_name.c +++ b/mech_eap/duplicate_name.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_duplicate_name(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_name_t input_name, +#else const gss_name_t input_name, +#endif gss_name_t *dest_name) { OM_uint32 major; @@ -50,11 +54,11 @@ gss_duplicate_name(OM_uint32 *minor, return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME; } - GSSEAP_MUTEX_LOCK(&input_name->mutex); + GSSEAP_MUTEX_LOCK(&((gss_name_t)input_name)->mutex); major = gssEapDuplicateName(minor, input_name, dest_name); - GSSEAP_MUTEX_UNLOCK(&input_name->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_name_t)input_name)->mutex); return major; } diff --git a/mech_eap/export_name.c b/mech_eap/export_name.c index d91033f..5fd734d 100644 
--- a/mech_eap/export_name.c +++ b/mech_eap/export_name.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_export_name(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_name_t input_name, +#else const gss_name_t input_name, +#endif gss_buffer_t exported_name) { OM_uint32 major; @@ -50,11 +54,11 @@ gss_export_name(OM_uint32 *minor, return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME; } - GSSEAP_MUTEX_LOCK(&input_name->mutex); + GSSEAP_MUTEX_LOCK(&((gss_name_t)input_name)->mutex); major = gssEapExportName(minor, input_name, exported_name); - GSSEAP_MUTEX_UNLOCK(&input_name->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_name_t)input_name)->mutex); return major; } diff --git a/mech_eap/get_mic.c b/mech_eap/get_mic.c index 7161e9c..08dda7d 100644 --- a/mech_eap/get_mic.c +++ b/mech_eap/get_mic.c @@ -37,14 +37,13 @@ #include "gssapiP_eap.h" OM_uint32 GSSAPI_CALLCONV -gss_get_mic(OM_uint32 *minor, - gss_ctx_id_t ctx, - gss_qop_t qop_req, - gss_buffer_t message_buffer, - gss_buffer_t message_token) +gss_get_mic_iov(OM_uint32 *minor, + gss_ctx_id_t ctx, + gss_qop_t qop_req, + gss_iov_buffer_desc *iov, + int iov_count) { OM_uint32 major; - gss_iov_buffer_desc iov[2]; if (ctx == GSS_C_NO_CONTEXT) { *minor = EINVAL; @@ -58,9 +57,6 @@ gss_get_mic(OM_uint32 *minor, *minor = 0; - message_token->value = NULL; - message_token->length = 0; - GSSEAP_MUTEX_LOCK(&ctx->mutex); if (!CTX_IS_ESTABLISHED(ctx)) { 
@@ -69,21 +65,45 @@ gss_get_mic(OM_uint32 *minor, goto cleanup; } + major = gssEapWrapOrGetMIC(minor, ctx, FALSE, NULL, + iov, iov_count, TOK_TYPE_MIC); + if (GSS_ERROR(major)) + goto cleanup; + +cleanup: + GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + + return major; +} + +OM_uint32 GSSAPI_CALLCONV +gss_get_mic(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_ctx_id_t ctx, +#else + gss_ctx_id_t ctx, +#endif + gss_qop_t qop_req, +#ifdef HAVE_HEIMDAL_VERSION + const gss_buffer_t message_buffer, +#else + gss_buffer_t message_buffer, +#endif + gss_buffer_t message_token) +{ + OM_uint32 major; + gss_iov_buffer_desc iov[2]; + iov[0].type = GSS_IOV_BUFFER_TYPE_DATA; iov[0].buffer = *message_buffer; - iov[1].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; + iov[1].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[1].buffer.value = NULL; iov[1].buffer.length = 0; - major = gssEapWrapOrGetMIC(minor, ctx, FALSE, NULL, iov, 2, TOK_TYPE_MIC); - if (GSS_ERROR(major)) - goto cleanup; - - *message_token = iov[1].buffer; - -cleanup: - GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + major = gss_get_mic_iov(minor, (gss_ctx_id_t)ctx, qop_req, iov, 2); + if (major == GSS_S_COMPLETE) + *message_token = iov[1].buffer; return major; } diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h index 38fe8ed..8a86569 100644 --- a/mech_eap/gssapiP_eap.h +++ b/mech_eap/gssapiP_eap.h @@ -77,8 +77,13 @@ typedef struct gss_any *gss_any_t; typedef const gss_OID_desc *gss_const_OID; #endif +#ifndef GSS_IOV_BUFFER_TYPE_MIC_TOKEN +#define GSS_IOV_BUFFER_TYPE_MIC_TOKEN 12 /* MIC token destination */ +#endif + /* Kerberos headers */ #include +#include /* EAP headers */ #include @@ -279,7 +284,7 @@ OM_uint32 gssEapInitSecContext(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target_name, + gss_const_name_t target_name, gss_OID mech_type, OM_uint32 req_flags, OM_uint32 time_req, 
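Review bot: The new gss_get_mic no longer clears `*message_token` before calling gss_get_mic_iov, so on any failure (null or unestablished context, MIC computation error) the caller's output buffer keeps whatever it held, whereas the removed lines set it to NULL/0 first; callers that release the token unconditionally would then free garbage, so the two lines belong back at the top of gss_get_mic: `message_token->value = NULL; message_token->length = 0;`. In the same hunk, `if (GSS_ERROR(major)) goto cleanup;` immediately before the `cleanup:` label is a no-op and can go, and changing the success test from `!GSS_ERROR(major)` to `major == GSS_S_COMPLETE` means a token allocated under a supplementary (non-error) status is never handed to the caller — worth a comment if that is intended. gss_get_mic_iov's opening (argument checks and the mutex lock) lies in the earlier hunks, outside this one.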
@@ -311,12 +316,14 @@ gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status, OM_uint32 gssEapWrapIovLength(OM_uint32 *minor, - gss_ctx_id_t ctx, + gss_const_ctx_id_t ctx, int conf_req_flag, gss_qop_t qop_req, int *conf_state, gss_iov_buffer_desc *iov, - int iov_count); + int iov_count, + enum gss_eap_token_type tokType); + OM_uint32 gssEapWrap(OM_uint32 *minor, gss_ctx_id_t ctx, @@ -327,7 +334,7 @@ gssEapWrap(OM_uint32 *minor, gss_buffer_t output_message_buffer); unsigned char -rfc4121Flags(gss_ctx_id_t ctx, int receiving); +rfc4121Flags(gss_const_ctx_id_t ctx, int receiving); /* display_status.c */ void @@ -380,7 +387,7 @@ gssEapImportContext(OM_uint32 *minor, /* pseudo_random.c */ OM_uint32 gssEapPseudoRandom(OM_uint32 *minor, - gss_ctx_id_t ctx, + gss_const_ctx_id_t ctx, int prf_key, const gss_buffer_t prf_in, gss_buffer_t prf_out); 
@@ -408,14 +415,42 @@ gssEapInitiatorInit(OM_uint32 *minor); void gssEapFinalize(void); - /* Debugging and tracing*/ - #define gssEapTrace(_fmt, ...) wpa_printf(MSG_INFO, _fmt, __VA_ARGS__); - -void -gssEapTraceStatus(const char *function, OM_uint32 major, OM_uint32 minor); +/* Debugging and tracing */ +static inline void +gssEapTraceStatus(const char *function, + OM_uint32 major, + OM_uint32 minor) +{ + gss_buffer_desc gssErrorCodeBuf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc gssMechBuf = GSS_C_EMPTY_BUFFER; + OM_uint32 tmpMajor, tmpMinor; + OM_uint32 messageCtx = 0; + + tmpMajor = gss_display_status(&tmpMinor, major, + GSS_C_GSS_CODE, GSS_C_NO_OID, + &messageCtx, &gssErrorCodeBuf); + if (!GSS_ERROR(tmpMajor)) { + if (minor == 0) + tmpMajor = makeStringBuffer(&tmpMinor, "no minor", &gssMechBuf); + else + tmpMajor = gssEapDisplayStatus(&tmpMinor, minor, &gssMechBuf); + } + + if (!GSS_ERROR(tmpMajor)) + wpa_printf(MSG_INFO, "%s: %.*s/%.*s", + function, + (int)gssErrorCodeBuf.length, (char *)gssErrorCodeBuf.value, + (int)gssMechBuf.length, (char *)gssMechBuf.value); + else + wpa_printf(MSG_INFO, "%s: %u/%u", + function, major, minor); + + gss_release_buffer(&tmpMinor, &gssErrorCodeBuf); + gss_release_buffer(&tmpMinor, &gssMechBuf); +} - /*If built as a library on Linux, don't respect environment when set*uid*/ +/* If built as a library on Linux, don't respect environment when set*uid */ #ifdef HAVE_SECURE_GETENV #define getenv secure_getenv #endif diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c index 0181a4f..37bd3d0 100644 --- a/mech_eap/init_sec_context.c +++ b/mech_eap/init_sec_context.c @@ -639,7 +639,7 @@ initReady(OM_uint32 *minor, gss_ctx_id_t ctx) static OM_uint32 initBegin(OM_uint32 *minor, gss_ctx_id_t ctx, - gss_name_t target, + gss_const_name_t target, gss_OID mech, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq, 
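Review bot: gssEapTraceStatus is now a ~30-line `static inline` body in the private header rather than the prototype it replaces, so every translation unit that includes gssapiP_eap.h compiles its own copy, and the header now depends on `gss_display_status`, `makeStringBuffer`, `gssEapDisplayStatus` and `wpa_printf`/`MSG_INFO` being declared above this point (not visible from the hunk). The previous shape — prototype in the header, one definition in a .c file — is the conventional one for a logging routine that is not performance-sensitive. If it stays inline, `messageCtx` is passed once and never looped on, so only the first part of a multi-part status is printed; a comment such as `/* Only the first message of a multi-part status is logged. */` would spare the next reader the question.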
@@ -667,15 +667,15 @@ initBegin(OM_uint32 *minor, return major; if (target != GSS_C_NO_NAME) { - GSSEAP_MUTEX_LOCK(&target->mutex); + GSSEAP_MUTEX_LOCK(&((gss_name_t)target)->mutex); major = gssEapDuplicateName(minor, target, &ctx->acceptorName); if (GSS_ERROR(major)) { - GSSEAP_MUTEX_UNLOCK(&target->mutex); + GSSEAP_MUTEX_LOCK(&((gss_name_t)target)->mutex); return major; } - GSSEAP_MUTEX_UNLOCK(&target->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_name_t)target)->mutex); } major = gssEapCanonicalizeOid(minor, @@ -699,7 +699,7 @@ static OM_uint32 eapGssSmInitError(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx GSSEAP_UNUSED, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -739,7 +739,7 @@ static OM_uint32 eapGssSmInitGssReauth(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target, + gss_const_name_t target, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags, OM_uint32 timeReq, @@ -815,7 +815,7 @@ static OM_uint32 eapGssSmInitVendorInfo(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx GSSEAP_UNUSED, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -838,7 +838,7 @@ static OM_uint32 eapGssSmInitAcceptorName(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -921,7 +921,7 @@ static OM_uint32 eapGssSmInitIdentity(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, 
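Review bot: In the gssEapDuplicateName failure branch the new line reads `GSSEAP_MUTEX_LOCK(&((gss_name_t)target)->mutex);` where the removed line was an UNLOCK, so the name's mutex is taken a second time and the function returns with it held — a self-deadlock on a non-recursive mutex, or a permanently held lock on a recursive one. It should be `GSSEAP_MUTEX_UNLOCK(&((gss_name_t)target)->mutex);` to match the success path two lines below. This branch is reachable through gss_init_sec_context with any caller-supplied target name whenever the duplicate fails (for example on allocation failure), so it is not confined to an internal error. initBegin's signature and the rest of its body lie in the neighbouring hunks, outside this one.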
@@ -977,7 +977,7 @@ static OM_uint32 eapGssSmInitAuthenticate(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -1058,7 +1058,7 @@ static OM_uint32 eapGssSmInitGssFlags(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -1087,7 +1087,7 @@ static OM_uint32 eapGssSmInitGssChannelBindings(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -1143,7 +1143,7 @@ static OM_uint32 eapGssSmInitInitiatorMIC(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -1171,7 +1171,7 @@ static OM_uint32 eapGssSmInitReauthCreds(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, @@ -1197,7 +1197,7 @@ static OM_uint32 eapGssSmInitAcceptorMIC(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, + gss_const_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq GSSEAP_UNUSED, 
@@ -1314,7 +1314,7 @@ OM_uint32 gssEapInitSecContext(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target_name, + gss_const_name_t target_name, gss_OID mech_type, OM_uint32 req_flags, OM_uint32 time_req, @@ -1401,9 +1401,17 @@ cleanup: OM_uint32 GSSAPI_CALLCONV gss_init_sec_context(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_cred_id_t cred, +#else gss_cred_id_t cred, +#endif gss_ctx_id_t *context_handle, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_name_t target_name, +#else gss_name_t target_name, +#endif gss_OID mech_type, OM_uint32 req_flags, OM_uint32 time_req, @@ -1440,7 +1448,7 @@ gss_init_sec_context(OM_uint32 *minor, GSSEAP_MUTEX_LOCK(&ctx->mutex); major = gssEapInitSecContext(minor, - cred, + (gss_cred_id_t)cred, ctx, target_name, mech_type, @@ -1458,7 +1466,8 @@ gss_init_sec_context(OM_uint32 *minor, if (GSS_ERROR(major)) gssEapReleaseContext(&tmpMinor, context_handle); - gssEapTraceStatus( "gss_init_sec_context", major, *minor); + gssEapTraceStatus("gss_init_sec_context", major, *minor); + return major; } diff --git a/mech_eap/inquire_context.c b/mech_eap/inquire_context.c index 5d0e5b6..3dc31b8 100644 --- a/mech_eap/inquire_context.c +++ b/mech_eap/inquire_context.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_inquire_context(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_ctx_id_t ctx, +#else gss_ctx_id_t ctx, +#endif gss_name_t *src_name, gss_name_t *targ_name, OM_uint32 *lifetime_rec, @@ -54,7 +58,7 @@ gss_inquire_context(OM_uint32 *minor, return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT; } - GSSEAP_MUTEX_LOCK(&ctx->mutex); + GSSEAP_MUTEX_LOCK(&((gss_ctx_id_t)ctx)->mutex); if (src_name != NULL) { if (ctx->initiatorName != GSS_C_NO_NAME) { @@ -99,7 +103,7 @@ gss_inquire_context(OM_uint32 *minor, *minor = 0; cleanup: - GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex); if (GSS_ERROR(major)) { gssEapReleaseName(&tmpMinor, src_name); 
diff --git a/mech_eap/inquire_cred.c b/mech_eap/inquire_cred.c index 227ab16..f75ccf0 100644 --- a/mech_eap/inquire_cred.c +++ b/mech_eap/inquire_cred.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_inquire_cred(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_cred_id_t cred, +#else gss_cred_id_t cred, +#endif gss_name_t *name, OM_uint32 *pLifetime, gss_cred_usage_t *cred_usage, @@ -51,11 +55,12 @@ gss_inquire_cred(OM_uint32 *minor, return GSS_S_NO_CRED; } - GSSEAP_MUTEX_LOCK(&cred->mutex); + GSSEAP_MUTEX_LOCK(&((gss_cred_id_t)cred)->mutex); - major = gssEapInquireCred(minor, cred, name, pLifetime, cred_usage, mechanisms); + major = gssEapInquireCred(minor, (gss_cred_id_t)cred, name, pLifetime, + cred_usage, mechanisms); - GSSEAP_MUTEX_UNLOCK(&cred->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_cred_id_t)cred)->mutex); return major; } diff --git a/mech_eap/inquire_cred_by_mech.c b/mech_eap/inquire_cred_by_mech.c index 191902d..836e367 100644 --- a/mech_eap/inquire_cred_by_mech.c +++ b/mech_eap/inquire_cred_by_mech.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_inquire_cred_by_mech(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_cred_id_t cred, +#else gss_cred_id_t cred, +#endif gss_OID mech_type, gss_name_t *name, OM_uint32 *pInitiatorLifetime, @@ -52,7 +56,7 @@ gss_inquire_cred_by_mech(OM_uint32 *minor, return GSS_S_NO_CRED; } - GSSEAP_MUTEX_LOCK(&cred->mutex); + GSSEAP_MUTEX_LOCK(&((gss_cred_id_t)cred)->mutex); if (!gssEapCredAvailable(cred, mech_type)) { major = GSS_S_BAD_MECH; @@ -60,7 +64,8 @@ gss_inquire_cred_by_mech(OM_uint32 *minor, goto cleanup; } - major = gssEapInquireCred(minor, cred, name, &lifetime, cred_usage, NULL); + major = gssEapInquireCred(minor, (gss_cred_id_t)cred, name, + &lifetime, cred_usage, NULL); if (GSS_ERROR(major)) goto cleanup; 
@@ -70,7 +75,7 @@ gss_inquire_cred_by_mech(OM_uint32 *minor, *pAcceptorLifetime = (cred->flags & CRED_FLAG_ACCEPT) ? lifetime : 0; cleanup: - GSSEAP_MUTEX_UNLOCK(&cred->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_cred_id_t)cred)->mutex); return major; } diff --git a/mech_eap/inquire_cred_by_oid.c b/mech_eap/inquire_cred_by_oid.c index 2ad34ed..77c27fb 100644 --- a/mech_eap/inquire_cred_by_oid.c +++ b/mech_eap/inquire_cred_by_oid.c @@ -47,7 +47,11 @@ static struct { OM_uint32 GSSAPI_CALLCONV gss_inquire_cred_by_oid(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_cred_id_t cred_handle, +#else const gss_cred_id_t cred_handle, +#endif const gss_OID desired_object GSSEAP_UNUSED, gss_buffer_set_t *data_set) { @@ -62,7 +66,7 @@ gss_inquire_cred_by_oid(OM_uint32 *minor, return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CRED; } - GSSEAP_MUTEX_LOCK(&cred_handle->mutex); + GSSEAP_MUTEX_LOCK(&((gss_cred_id_t)cred_handle)->mutex); major = GSS_S_UNAVAILABLE; *minor = GSSEAP_BAD_CRED_OPTION; @@ -77,7 +81,7 @@ gss_inquire_cred_by_oid(OM_uint32 *minor, } #endif - GSSEAP_MUTEX_UNLOCK(&cred_handle->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_cred_id_t)cred_handle)->mutex); return major; } diff --git a/mech_eap/inquire_mechs_for_name.c b/mech_eap/inquire_mechs_for_name.c index 89c869c..6912ebf 100644 --- a/mech_eap/inquire_mechs_for_name.c +++ b/mech_eap/inquire_mechs_for_name.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_inquire_mechs_for_name(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_name_t input_name, +#else const gss_name_t input_name, +#endif gss_OID_set *mech_types) { OM_uint32 major, tmpMinor; diff --git a/mech_eap/inquire_sec_context_by_oid.c b/mech_eap/inquire_sec_context_by_oid.c index bde7e1c..4b2c0ed 100644 --- a/mech_eap/inquire_sec_context_by_oid.c +++ b/mech_eap/inquire_sec_context_by_oid.c 
@@ -83,7 +83,7 @@ zeroAndReleaseBufferSet(gss_buffer_set_t *dataSet) static OM_uint32 inquireSessionKey(OM_uint32 *minor, - const gss_ctx_id_t ctx, + gss_const_ctx_id_t ctx, const gss_OID desired_object GSSEAP_UNUSED, gss_buffer_set_t *dataSet) { @@ -119,7 +119,7 @@ cleanup: static OM_uint32 inquireNegoExKey(OM_uint32 *minor, - const gss_ctx_id_t ctx, + gss_const_ctx_id_t ctx, const gss_OID desired_object, gss_buffer_set_t *dataSet) { @@ -193,7 +193,7 @@ cleanup: static struct { gss_OID_desc oid; - OM_uint32 (*inquire)(OM_uint32 *, const gss_ctx_id_t, + OM_uint32 (*inquire)(OM_uint32 *, gss_const_ctx_id_t, const gss_OID, gss_buffer_set_t *); } inquireCtxOps[] = { { @@ -220,7 +220,11 @@ static struct { OM_uint32 GSSAPI_CALLCONV gss_inquire_sec_context_by_oid(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_ctx_id_t ctx, +#else const gss_ctx_id_t ctx, +#endif const gss_OID desired_object, gss_buffer_set_t *data_set) { @@ -229,7 +233,7 @@ gss_inquire_sec_context_by_oid(OM_uint32 *minor, *data_set = GSS_C_NO_BUFFER_SET; - GSSEAP_MUTEX_LOCK(&ctx->mutex); + GSSEAP_MUTEX_LOCK(&((gss_ctx_id_t)ctx)->mutex); #if 0 if (!CTX_IS_ESTABLISHED(ctx)) { @@ -250,7 +254,7 @@ gss_inquire_sec_context_by_oid(OM_uint32 *minor, } } - GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex); return major; } diff --git a/mech_eap/mech_eap-noacceptor.exports b/mech_eap/mech_eap-noacceptor.exports index f00df8a..6cdc110 100644 --- a/mech_eap/mech_eap-noacceptor.exports +++ b/mech_eap/mech_eap-noacceptor.exports @@ -13,6 +13,7 @@ gss_exchange_meta_data gss_export_name gss_export_sec_context gss_get_mic +gss_get_mic_iov gss_import_name gss_import_sec_context gss_indicate_mechs @@ -39,6 +40,7 @@ gss_store_cred gss_unwrap gss_unwrap_iov gss_verify_mic +gss_verify_mic_iov gss_wrap gss_wrap_iov gss_wrap_iov_length diff --git a/mech_eap/mech_eap.exports b/mech_eap/mech_eap.exports index 6a17a17..65f911e 100644 --- a/mech_eap/mech_eap.exports 
+++ b/mech_eap/mech_eap.exports @@ -16,6 +16,7 @@ gss_export_name gss_export_name_composite gss_export_sec_context gss_get_mic +gss_get_mic_iov gss_get_name_attribute gss_import_name gss_import_sec_context @@ -47,6 +48,7 @@ gss_store_cred gss_unwrap gss_unwrap_iov gss_verify_mic +gss_verify_mic_iov gss_wrap gss_wrap_iov gss_wrap_iov_length diff --git a/mech_eap/process_context_token.c b/mech_eap/process_context_token.c index 02a4b6d..a6f8838 100644 --- a/mech_eap/process_context_token.c +++ b/mech_eap/process_context_token.c @@ -34,7 +34,11 @@ OM_uint32 GSSAPI_CALLCONV gss_process_context_token(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_ctx_id_t ctx, +#else gss_ctx_id_t ctx, +#endif gss_buffer_t token_buffer) { OM_uint32 major; @@ -47,10 +51,10 @@ gss_process_context_token(OM_uint32 *minor, return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT; } - GSSEAP_MUTEX_LOCK(&ctx->mutex); + GSSEAP_MUTEX_LOCK(&((gss_ctx_id_t)ctx)->mutex); if (!CTX_IS_ESTABLISHED(ctx)) { - GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex); *minor = GSSEAP_CONTEXT_INCOMPLETE; return GSS_S_NO_CONTEXT; } @@ -58,14 +62,14 @@ gss_process_context_token(OM_uint32 *minor, iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; iov[0].buffer = *token_buffer; - major = gssEapUnwrapOrVerifyMIC(minor, ctx, NULL, NULL, + major = gssEapUnwrapOrVerifyMIC(minor, (gss_ctx_id_t)ctx, NULL, NULL, iov, 1, TOK_TYPE_DELETE_CONTEXT); if (GSS_ERROR(major)) { - GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex); return major; } - GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex); - return gssEapReleaseContext(minor, &ctx); + return gssEapReleaseContext(minor, (gss_ctx_id_t *)&ctx); } diff --git a/mech_eap/pseudo_random.c b/mech_eap/pseudo_random.c index ad079b4..b434282 100644 --- a/mech_eap/pseudo_random.c +++ b/mech_eap/pseudo_random.c 
@@ -61,7 +61,7 @@
 OM_uint32
 gssEapPseudoRandom(OM_uint32 *minor,
- gss_ctx_id_t ctx,
+ gss_const_ctx_id_t ctx,
 int prf_key,
 const gss_buffer_t prf_in,
 gss_buffer_t prf_out)
@@ -74,6 +74,9 @@ gssEapPseudoRandom(OM_uint32 *minor,
 unsigned char *p;
 krb5_context krbContext;
 ssize_t desired_output_len = prf_out->length;
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto = NULL;
+#endif
 *minor = 0;
@@ -88,9 +91,11 @@ gssEapPseudoRandom(OM_uint32 *minor,
 goto cleanup;
 }
- code = krb5_c_prf_length(krbContext,
- ctx->encryptionType,
- &prflen);
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_prf_length(krbContext, ctx->encryptionType, &prflen);
+#else
+ code = krb5_c_prf_length(krbContext, ctx->encryptionType, &prflen);
+#endif
 if (code != 0)
 goto cleanup;
@@ -101,8 +106,11 @@ gssEapPseudoRandom(OM_uint32 *minor,
 goto cleanup;
 }
-#ifndef HAVE_HEIMDAL_VERSION
- /* Same API, but different allocation rules, unfortunately. */
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_init(krbContext, &ctx->rfc3961Key, 0, &krbCrypto);
+ if (code != 0)
+ goto cleanup;
+#else
 t.length = prflen;
 t.data = GSSEAP_MALLOC(t.length);
 if (t.data == NULL) {
@@ -117,7 +125,11 @@ gssEapPseudoRandom(OM_uint32 *minor,
 while (desired_output_len > 0) {
 store_uint32_be(i, ns.data);
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_prf(krbContext, krbCrypto, &ns, &t);
+#else
 code = krb5_c_prf(krbContext, &ctx->rfc3961Key, &ns, &t);
+#endif
 if (code != 0)
 goto cleanup;
@@ -136,6 +148,7 @@ cleanup:
 GSSEAP_FREE(ns.data);
 }
 #ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto_destroy(krbContext, krbCrypto);
 krb5_data_free(&t);
 #else
 if (t.data != NULL) {
diff --git a/mech_eap/unwrap.c b/mech_eap/unwrap.c
index a185035..9bbf62b 100644
--- a/mech_eap/unwrap.c
+++ b/mech_eap/unwrap.c
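Review bot: In the Heimdal cleanup path of gssEapPseudoRandom, `krb5_crypto_destroy(krbContext, krbCrypto)` is now reached from every `goto cleanup`, including the ones taken before `krb5_crypto_init` has run, where `krbCrypto` is still the NULL it was initialised to; unless krb5_crypto_destroy is documented to accept NULL, guard it with `if (krbCrypto != NULL) krb5_crypto_destroy(krbContext, krbCrypto);`. The same unguarded destroy is added to the cleanup label of gssEapDeriveRfc3961Key in util_krb.c. The removed "different allocation rules" comment was the only hint that `t` is library-allocated under Heimdal; since `krb5_crypto_prf` is now called inside `while (desired_output_len > 0)` and the loop body is outside the hunk, a comment at the call stating where `t` is released between iterations would make the Heimdal branch reviewable.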
@@ -38,7 +38,11 @@
 OM_uint32 GSSAPI_CALLCONV
 gss_unwrap(OM_uint32 *minor,
+#ifdef HAVE_HEIMDAL_VERSION
+ gss_const_ctx_id_t ctx,
+#else
 gss_ctx_id_t ctx,
+#endif
 gss_buffer_t input_message_buffer,
 gss_buffer_t output_message_buffer,
 int *conf_state,
@@ -54,7 +58,7 @@ gss_unwrap(OM_uint32 *minor,
 *minor = 0;
- GSSEAP_MUTEX_LOCK(&ctx->mutex);
+ GSSEAP_MUTEX_LOCK(&((gss_ctx_id_t)ctx)->mutex);
 if (!CTX_IS_ESTABLISHED(ctx)) {
 major = GSS_S_NO_CONTEXT;
@@ -69,7 +73,8 @@ gss_unwrap(OM_uint32 *minor,
 iov[1].buffer.value = NULL;
 iov[1].buffer.length = 0;
- major = gssEapUnwrapOrVerifyMIC(minor, ctx, conf_state, qop_state,
+ major = gssEapUnwrapOrVerifyMIC(minor, (gss_ctx_id_t)ctx,
+ conf_state, qop_state,
 iov, 2, TOK_TYPE_WRAP);
 if (major == GSS_S_COMPLETE) {
 *output_message_buffer = iov[1].buffer;
@@ -79,7 +84,7 @@ gss_unwrap(OM_uint32 *minor,
 }
 cleanup:
- GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+ GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex);
 return major;
 }
diff --git a/mech_eap/unwrap_iov.c b/mech_eap/unwrap_iov.c
index 39f7f1c..ba22079 100644
--- a/mech_eap/unwrap_iov.c
+++ b/mech_eap/unwrap_iov.c
@@ -102,7 +102,7 @@ unwrapToken(OM_uint32 *minor,
 if (qop_state != NULL)
 *qop_state = GSS_C_QOP_DEFAULT;
- header = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ header = gssEapLocateHeaderIov(iov, iov_count, toktype);
 GSSEAP_ASSERT(header != NULL);
 padding = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
@@ -226,7 +226,7 @@ unwrapToken(OM_uint32 *minor,
 code = gssEapVerify(krbContext, ctx->checksumType, rrc,
 KRB_CRYPTO_CONTEXT(ctx), keyUsage,
- iov, iov_count, &valid);
+ iov, iov_count, toktype, &valid);
 if (code != 0 || valid == FALSE) {
 major = GSS_S_BAD_SIG;
 goto cleanup;
@@ -245,16 +245,12 @@ unwrapToken(OM_uint32 *minor,
 goto defective;
 seqnum = load_uint64_be(ptr + 8);
- /*
- * Although MIC tokens don't have a RRC, they are similarly
- * composed of a header and a checksum. So the verify_mic()
- * can be implemented with a single header buffer, fake the
- * RRC to the putative trailer length if no trailer buffer.
- */
- code = gssEapVerify(krbContext, ctx->checksumType,
- trailer != NULL ? 0 : header->buffer.length - 16,
+ /* For MIC tokens, the GSS header and checksum are in the same buffer.
+ * Fake up an RRC so that the checksum is expected in the header. */
+ rrc = (trailer != NULL) ? 0 : header->buffer.length - 16;
+ code = gssEapVerify(krbContext, ctx->checksumType, rrc,
 KRB_CRYPTO_CONTEXT(ctx), keyUsage,
- iov, iov_count, &valid);
+ iov, iov_count, toktype, &valid);
 if (code != 0 || valid == FALSE) {
 major = GSS_S_BAD_SIG;
 goto cleanup;
diff --git a/mech_eap/util.h b/mech_eap/util.h
index f1b4597..5475dca 100644
--- a/mech_eap/util.h
+++ b/mech_eap/util.h
@@ -142,6 +142,17 @@ bufferEqualString(const gss_buffer_t b1, const char *s)
 }
 /* util_cksum.c */
+enum gss_eap_token_type {
+ TOK_TYPE_NONE = 0x0000, /* no token */
+ TOK_TYPE_MIC = 0x0404, /* RFC 4121 MIC token */
+ TOK_TYPE_WRAP = 0x0504, /* RFC 4121 wrap token */
+ TOK_TYPE_EXPORT_NAME = 0x0401, /* RFC 2743 exported name */
+ TOK_TYPE_EXPORT_NAME_COMPOSITE = 0x0402, /* exported composite name */
+ TOK_TYPE_DELETE_CONTEXT = 0x0405, /* RFC 2743 delete context */
+ TOK_TYPE_INITIATOR_CONTEXT = 0x0601, /* initiator-sent context token */
+ TOK_TYPE_ACCEPTOR_CONTEXT = 0x0602, /* acceptor-sent context token */
+};
+
 int
 gssEapSign(krb5_context context,
 krb5_cksumtype type,
@@ -153,7 +164,8 @@ gssEapSign(krb5_context context,
 #endif
 krb5_keyusage sign_usage,
 gss_iov_buffer_desc *iov,
- int iov_count);
+ int iov_count,
+ enum gss_eap_token_type toktype);
 int
 gssEapVerify(krb5_context context,
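Review bot: `rrc = (trailer != NULL) ? 0 : header->buffer.length - 16;` underflows when the MIC buffer is shorter than 16 bytes, and in this same commit gss_verify_mic in verify_mic.c stops rejecting short tokens up front, so the only remaining protection is whatever length check unwrapToken performs earlier in the function, which lies outside the hunk. If there is none, `if (trailer == NULL && header->buffer.length < 16) goto defective;` immediately before this line keeps a truncated peer-supplied token from being turned into an enormous rotation count before gssEapVerify runs. The comment above the line would also benefit from saying that `header` is the MIC_TOKEN buffer here, since gssEapLocateHeaderIov now selects it by token type.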
@@ -167,6 +179,7 @@ gssEapVerify(krb5_context context,
 krb5_keyusage sign_usage,
 gss_iov_buffer_desc *iov,
 int iov_count,
+ enum gss_eap_token_type toktype,
 int *valid);
 #if 0
@@ -179,17 +192,6 @@ gssEapEncodeGssChannelBindings(OM_uint32 *minor,
 /* util_context.c */
 #define EAP_EXPORT_CONTEXT_V1 1
-enum gss_eap_token_type {
- TOK_TYPE_NONE = 0x0000, /* no token */
- TOK_TYPE_MIC = 0x0404, /* RFC 4121 MIC token */
- TOK_TYPE_WRAP = 0x0504, /* RFC 4121 wrap token */
- TOK_TYPE_EXPORT_NAME = 0x0401, /* RFC 2743 exported name */
- TOK_TYPE_EXPORT_NAME_COMPOSITE = 0x0402, /* exported composite name */
- TOK_TYPE_DELETE_CONTEXT = 0x0405, /* RFC 2743 delete context */
- TOK_TYPE_INITIATOR_CONTEXT = 0x0601, /* initiator-sent context token */
- TOK_TYPE_ACCEPTOR_CONTEXT = 0x0602, /* acceptor-sent context token */
-};
-
 /* inner token types and flags */
 #define ITOK_TYPE_NONE 0x00000000
 #define ITOK_TYPE_CONTEXT_ERR 0x00000001 /* critical */
@@ -236,7 +238,7 @@ gssEapVerifyToken(OM_uint32 *minor,
 OM_uint32
 gssEapContextTime(OM_uint32 *minor,
- gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
 OM_uint32 *time_rec);
 OM_uint32
@@ -258,7 +260,7 @@ gssEapPrimaryMechForCred(gss_cred_id_t cred);
 OM_uint32
 gssEapAcquireCred(OM_uint32 *minor,
- const gss_name_t desiredName,
+ gss_const_name_t desiredName,
 OM_uint32 timeReq,
 const gss_OID_set desiredMechs,
 int cred_usage,
@@ -280,15 +282,15 @@ gssEapSetCredClientCertificate(OM_uint32 *minor,
 OM_uint32
 gssEapSetCredService(OM_uint32 *minor,
 gss_cred_id_t cred,
- const gss_name_t target);
+ gss_const_name_t target);
 OM_uint32
 gssEapResolveInitiatorCred(OM_uint32 *minor,
 const gss_cred_id_t cred,
- const gss_name_t target,
+ gss_const_name_t target,
 gss_cred_id_t *resolvedCred);
-int gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech);
+int gssEapCredAvailable(gss_const_cred_id_t cred, gss_OID mech);
 OM_uint32
 gssEapInquireCred(OM_uint32 *minor,
@@ -329,6 +331,11 @@ gssEapLocateIov(gss_iov_buffer_desc *iov,
 int iov_count,
 OM_uint32 type);
+gss_iov_buffer_t
+gssEapLocateHeaderIov(gss_iov_buffer_desc *iov,
+ int iov_count,
+ enum gss_eap_token_type toktype);
+
 void
 gssEapIovMessageLength(gss_iov_buffer_desc *iov,
 int iov_count,
@@ -463,7 +470,7 @@ krbCryptoLength(krb5_context krbContext,
 #ifdef HAVE_HEIMDAL_VERSION
 krb5_crypto krbCrypto,
 #else
- krb5_keyblock *key,
+ const krb5_keyblock *key,
 #endif
 int type,
 size_t *length);
@@ -473,7 +480,7 @@ krbPaddingLength(krb5_context krbContext,
 #ifdef HAVE_HEIMDAL_VERSION
 krb5_crypto krbCrypto,
 #else
- krb5_keyblock *key,
+ const krb5_keyblock *key,
 #endif
 size_t dataLength,
 size_t *padLength);
@@ -483,7 +490,7 @@ krbBlockSize(krb5_context krbContext,
 #ifdef HAVE_HEIMDAL_VERSION
 krb5_crypto krbCrypto,
 #else
- krb5_keyblock *key,
+ const krb5_keyblock *key,
 #endif
 size_t *blockSize);
@@ -515,7 +522,7 @@ krbMakeCred(krb5_context context,
 /* util_lucid.c */
 OM_uint32
 gssEapExportLucidSecContext(OM_uint32 *minor,
- gss_ctx_id_t ctx,
+ gss_const_ctx_id_t ctx,
 const gss_OID desiredObject,
 gss_buffer_set_t *data_set);
@@ -579,7 +586,7 @@ libMoonshotResolveDefaultIdentity(OM_uint32 *minor,
 OM_uint32
 libMoonshotResolveInitiatorCred(OM_uint32 *minor,
 gss_cred_id_t cred,
- const gss_name_t targetName);
+ gss_const_name_t targetName);
 /* util_name.c */
 #define EXPORT_NAME_FLAG_OID 0x1
@@ -589,10 +596,10 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor,
 OM_uint32 gssEapAllocName(OM_uint32 *minor, gss_name_t *pName);
 OM_uint32 gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName);
 OM_uint32 gssEapExportName(OM_uint32 *minor,
- const gss_name_t name,
+ gss_const_name_t name,
 gss_buffer_t exportedName);
 OM_uint32 gssEapExportNameInternal(OM_uint32 *minor,
- const gss_name_t name,
+ gss_const_name_t name,
 gss_buffer_t exportedName,
 OM_uint32 flags);
 OM_uint32 gssEapImportName(OM_uint32 *minor,
@@ -606,18 +613,18 @@ OM_uint32 gssEapImportNameInternal(OM_uint32 *minor,
 OM_uint32 flags);
 OM_uint32 gssEapDuplicateName(OM_uint32 *minor,
- const gss_name_t input_name,
+ gss_const_name_t input_name,
 gss_name_t *dest_name);
 OM_uint32 gssEapCanonicalizeName(OM_uint32 *minor,
- const gss_name_t input_name,
+ gss_const_name_t input_name,
 const gss_OID mech_type,
 gss_name_t *dest_name);
 OM_uint32 gssEapDisplayName(OM_uint32 *minor,
- gss_name_t name,
+ gss_const_name_t name,
 gss_buffer_t output_name_buffer,
 gss_OID *output_name_type);
@@ -625,8 +632,8 @@ gssEapDisplayName(OM_uint32 *minor,
 OM_uint32
 gssEapCompareName(OM_uint32 *minor,
- gss_name_t name1,
- gss_name_t name2,
+ gss_const_name_t name1,
+ gss_const_name_t name2,
 OM_uint32 flags,
 int *name_equal);
@@ -719,7 +726,7 @@ struct gss_eap_sm {
 OM_uint32 (*processToken)(OM_uint32 *,
 gss_cred_id_t,
 gss_ctx_id_t,
- gss_name_t,
+ gss_const_name_t,
 gss_OID,
 OM_uint32,
 OM_uint32,
@@ -742,7 +749,7 @@ OM_uint32
 gssEapSmStep(OM_uint32 *minor,
 gss_cred_id_t cred,
 gss_ctx_id_t ctx,
- gss_name_t target,
+ gss_const_name_t target,
 gss_OID mech,
 OM_uint32 reqFlags,
 OM_uint32 timeReq,
@@ -1046,7 +1053,7 @@ krbPrincUnparseServiceSpecifics(krb5_context krbContext, krb5_principal krbPrinc
 }
 static inline void
-krbFreeUnparsedName(krb5_context krbContext, gss_buffer_t nameBuf)
+krbFreeUnparsedName(krb5_context krbContext GSSEAP_UNUSED, gss_buffer_t nameBuf)
 {
 #ifdef HAVE_HEIMDAL_VERSION
 krb5_xfree((char *) nameBuf->value);
diff --git a/mech_eap/util_attr.cpp b/mech_eap/util_attr.cpp
index 6058f36..beb283c 100644
--- a/mech_eap/util_attr.cpp
+++ b/mech_eap/util_attr.cpp
@@ -985,7 +985,7 @@ gssEapSetNameAttribute(OM_uint32 *minor,
 OM_uint32
 gssEapExportAttrContext(OM_uint32 *minor,
- gss_name_t name,
+ gss_const_name_t name,
 gss_buffer_t buffer)
 {
 if (name->attrCtx == NULL) {
@@ -1049,7 +1049,7 @@ gssEapImportAttrContext(OM_uint32 *minor,
 OM_uint32
 gssEapDuplicateAttrContext(OM_uint32 *minor,
- gss_name_t in,
+ gss_const_name_t in,
 gss_name_t out)
 {
 gss_eap_attr_ctx *ctx = NULL;
diff --git a/mech_eap/util_attr.h b/mech_eap/util_attr.h
index 28067a9..d6c0a0f 100644
--- a/mech_eap/util_attr.h
+++ b/mech_eap/util_attr.h
@@ -349,7 +349,7 @@ gssEapSetNameAttribute(OM_uint32 *minor,
 OM_uint32
 gssEapExportAttrContext(OM_uint32 *minor,
- gss_name_t name,
+ gss_const_name_t name,
 gss_buffer_t buffer);
 OM_uint32
@@ -359,7 +359,7 @@ gssEapImportAttrContext(OM_uint32 *minor,
 OM_uint32
 gssEapDuplicateAttrContext(OM_uint32 *minor,
- gss_name_t in,
+ gss_const_name_t in,
 gss_name_t out);
 OM_uint32
diff --git a/mech_eap/util_cksum.c b/mech_eap/util_cksum.c
index aedc93e..7c1244f 100644
--- a/mech_eap/util_cksum.c
+++ b/mech_eap/util_cksum.c
@@ -69,6 +69,7 @@ gssEapChecksum(krb5_context context,
 krb5_keyusage sign_usage,
 gss_iov_buffer_desc *iov,
 int iov_count,
+ enum gss_eap_token_type toktype,
 int verify,
 int *valid)
 {
@@ -87,7 +88,7 @@ gssEapChecksum(krb5_context context,
 if (code != 0)
 return code;
- header = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ header = gssEapLocateHeaderIov(iov, iov_count, toktype);
 GSSEAP_ASSERT(header != NULL);
 trailer = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
@@ -172,10 +173,11 @@ gssEapSign(krb5_context context,
 #endif
 krb5_keyusage sign_usage,
 gss_iov_buffer_desc *iov,
- int iov_count)
+ int iov_count,
+ enum gss_eap_token_type toktype)
 {
 return gssEapChecksum(context, type, rrc, crypto,
- sign_usage, iov, iov_count, 0, NULL);
+ sign_usage, iov, iov_count, toktype, 0, NULL);
 }
 int
@@ -190,10 +192,11 @@ gssEapVerify(krb5_context context,
 krb5_keyusage sign_usage,
 gss_iov_buffer_desc *iov,
 int iov_count,
+ enum gss_eap_token_type toktype,
 int *valid)
 {
 return gssEapChecksum(context, type, rrc, crypto,
- sign_usage, iov, iov_count, 1, valid);
+ sign_usage, iov, iov_count, toktype, 1, valid);
 }
 #if 0
diff --git a/mech_eap/util_context.c b/mech_eap/util_context.c
index 7663f3d..039cfdb 100644
--- a/mech_eap/util_context.c
+++ b/mech_eap/util_context.c
@@ -214,7 +214,7 @@ gssEapVerifyToken(OM_uint32 *minor,
 OM_uint32
 gssEapContextTime(OM_uint32 *minor,
- gss_ctx_id_t context_handle,
+ gss_const_ctx_id_t context_handle,
 OM_uint32 *time_rec)
 {
 *minor = 0;
diff --git a/mech_eap/util_cred.c b/mech_eap/util_cred.c
index cec7e71..707e029 100644
--- a/mech_eap/util_cred.c
+++ b/mech_eap/util_cred.c
@@ -258,7 +258,7 @@ gssEapPrimaryMechForCred(gss_cred_id_t cred)
 OM_uint32
 gssEapAcquireCred(OM_uint32 *minor,
- const gss_name_t desiredName,
+ gss_const_name_t desiredName,
 OM_uint32 timeReq GSSEAP_UNUSED,
 const gss_OID_set desiredMechs,
 int credUsage,
@@ -302,15 +302,15 @@ gssEapAcquireCred(OM_uint32 *minor,
 goto cleanup;
 if (desiredName != GSS_C_NO_NAME) {
- GSSEAP_MUTEX_LOCK(&desiredName->mutex);
+ GSSEAP_MUTEX_LOCK(&((gss_name_t)desiredName)->mutex);
 major = gssEapDuplicateName(minor, desiredName, &cred->name);
 if (GSS_ERROR(major)) {
- GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
+ GSSEAP_MUTEX_UNLOCK(&((gss_name_t)desiredName)->mutex);
 goto cleanup;
 }
- GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
+ GSSEAP_MUTEX_UNLOCK(&((gss_name_t)desiredName)->mutex);
 }
 #ifdef GSSEAP_ENABLE_ACCEPTOR
@@ -344,6 +344,7 @@ cleanup:
 gssEapReleaseCred(&tmpMinor, &cred);
 gssEapTraceStatus("gss_acquire_cred", major, *minor);
+
 return major;
 }
@@ -352,7 +353,7 @@ cleanup:
 * lock because mechanisms list is immutable.
 */
 int
-gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech)
+gssEapCredAvailable(gss_const_cred_id_t cred, gss_OID mech)
 {
 OM_uint32 minor;
 int present = 0;
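Review bot: `gssEapTraceStatus("gss_acquire_cred", major, *minor);` survives as a context line in gssEapAcquireCred's cleanup, while this same commit deletes mech_eap/util_trace.c, the only definition of gssEapTraceStatus visible in the diff; unless the function was relocated elsewhere in the merge, the build will fail at link time, or, if a stale prototype remains in a header, the call silently references a removed symbol. Either remove the call alongside the file or add a comment at the call site naming where gssEapTraceStatus now lives.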
@@ -607,7 +608,7 @@ cleanup:
 OM_uint32
 gssEapSetCredService(OM_uint32 *minor,
 gss_cred_id_t cred,
- const gss_name_t target)
+ gss_const_name_t target)
 {
 OM_uint32 major, tmpMinor;
 gss_name_t newTarget = GSS_C_NO_NAME;
@@ -767,7 +768,7 @@ cleanup:
 OM_uint32
 gssEapResolveInitiatorCred(OM_uint32 *minor,
 const gss_cred_id_t cred,
- const gss_name_t targetName
+ gss_const_name_t targetName
 #ifndef HAVE_MOONSHOT_GET_IDENTITY
 GSSEAP_UNUSED
 #endif
diff --git a/mech_eap/util_crypt.c b/mech_eap/util_crypt.c
index 7bb35aa..9906b83 100644
--- a/mech_eap/util_crypt.c
+++ b/mech_eap/util_crypt.c
@@ -315,6 +315,15 @@ gssEapLocateIov(gss_iov_buffer_desc *iov, int iov_count, OM_uint32 type)
 return p;
 }
+gss_iov_buffer_t
+gssEapLocateHeaderIov(gss_iov_buffer_desc *iov, int iov_count, enum gss_eap_token_type toktype)
+{
+ if (toktype == TOK_TYPE_MIC)
+ return gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_MIC_TOKEN);
+ else
+ return gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+}
+
 void
 gssEapIovMessageLength(gss_iov_buffer_desc *iov,
 int iov_count,
diff --git a/mech_eap/util_krb.c b/mech_eap/util_krb.c
index 78064f3..2a3e970 100644
--- a/mech_eap/util_krb.c
+++ b/mech_eap/util_krb.c
@@ -68,7 +68,11 @@ initKrbContext(krb5_context *pKrbContext)
 *pKrbContext = krbContext;
 cleanup:
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_xfree(defaultRealm);
+#else
 krb5_free_default_realm(krbContext, defaultRealm);
+#endif
 if (code != 0 && krbContext != NULL)
 krb5_free_context(krbContext);
@@ -121,7 +125,9 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor,
 krb5_keyblock *pKey)
 {
 krb5_context krbContext;
-#ifndef HAVE_HEIMDAL_VERSION
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto = NULL;
+#else
 krb5_data data;
 #endif
 krb5_data ns, t, derivedKeyData;
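Review bot: gssEapLocateHeaderIov is new and undocumented, yet util_cksum.c, unwrap_iov.c, wrap_iov.c and wrap_iov_length.c now all rely on it to choose which buffer carries the token framing; a header comment such as `/* Locate the IOV holding the token header: the MIC_TOKEN buffer for MIC tokens, the HEADER buffer for every other token type; NULL if the caller supplied neither. */` states the contract in one place. In initKrbContext the Heimdal branch now calls `krb5_xfree(defaultRealm)` on every path through `cleanup`, which is only safe if `defaultRealm` is initialised to NULL before the first `goto cleanup`; that initialisation is outside the hunk and worth confirming.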
@@ -142,10 +148,22 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor,
 KRB_DATA_INIT(&t);
 KRB_DATA_INIT(&derivedKeyData);
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_enctype_keybits(krbContext, encryptionType, &randomLength);
+ if (code != 0)
+ goto cleanup;
+
+ randomLength = (randomLength + 7) / 8; /* from mit_glue.c */
+
+ code = krb5_enctype_keysize(krbContext, encryptionType, &keyLength);
+ if (code != 0)
+ goto cleanup;
+#else
 code = krb5_c_keylengths(krbContext, encryptionType,
 &randomLength, &keyLength);
 if (code != 0)
 goto cleanup;
+#endif /* HAVE_HEIMDAL_VERSION */
 /* Convert EAP MSK into a Kerberos key */
@@ -175,12 +193,19 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor,
 ns.data = (char *)constant;
 /* Plug derivation constant and key into PRF */
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_prf_length(krbContext, encryptionType, &prfLength);
+#else
 code = krb5_c_prf_length(krbContext, encryptionType, &prfLength);
+#endif
 if (code != 0)
 goto cleanup;
-#ifndef HAVE_HEIMDAL_VERSION
- /* Same API, but different allocation rules, unfortunately. */
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_init(krbContext, &kd, 0, &krbCrypto);
+ if (code != 0)
+ goto cleanup;
+#else
 t.length = prfLength;
 t.data = GSSEAP_MALLOC(t.length);
 if (t.data == NULL) {
@@ -202,7 +227,11 @@ gssEapDeriveRfc3961Key(OM_uint32 *minor,
 {
 store_uint32_be(i, ns.data);
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_prf(krbContext, krbCrypto, &ns, &t);
+#else
 code = krb5_c_prf(krbContext, &kd, &ns, &t);
+#endif
 if (code != 0)
 goto cleanup;
@@ -229,6 +258,7 @@ cleanup:
 if (code != 0)
 krb5_free_keyblock_contents(krbContext, &kd);
 #ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto_destroy(krbContext, krbCrypto);
 krb5_data_free(&t);
 #else
 if (t.data != NULL) {
@@ -257,10 +287,13 @@ rfc3961ChecksumTypeForKey(OM_uint32 *minor,
 krb5_cksumtype *cksumtype)
 {
 krb5_context krbContext;
-#ifndef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+#if !defined(HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE) && !defined(HAVE_HEIMDAL_VERSION)
 krb5_data data;
 krb5_checksum cksum;
 #endif
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto = NULL;
+#endif
 GSSEAP_KRB_INIT(&krbContext);
@@ -269,6 +302,17 @@ rfc3961ChecksumTypeForKey(OM_uint32 *minor,
 cksumtype);
 if (*minor != 0)
 return GSS_S_FAILURE;
+#elif defined(HAVE_HEIMDAL_VERSION)
+ *minor = krb5_crypto_init(krbContext, key, 0, &krbCrypto);
+ if (*minor != 0)
+ return GSS_S_FAILURE;
+
+ *minor = krb5_crypto_get_checksum_type(krbContext, krbCrypto, cksumtype);
+
+ krb5_crypto_destroy(krbContext, krbCrypto);
+
+ if (*minor != 0)
+ return GSS_S_FAILURE;
 #else
 KRB_DATA_INIT(&data);
@@ -288,7 +332,12 @@ rfc3961ChecksumTypeForKey(OM_uint32 *minor,
 krb5_free_checksum_contents(krbContext, &cksum);
 #endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */
- if (!krb5_c_is_keyed_cksum(*cksumtype)) {
+#ifdef HAVE_HEIMDAL_VERSION
+ if (!krb5_checksum_is_keyed(krbContext, *cksumtype))
+#else
+ if (!krb5_c_is_keyed_cksum(*cksumtype))
+#endif
+ {
 *minor = (OM_uint32)KRB5KRB_AP_ERR_INAPP_CKSUM;
 return GSS_S_FAILURE;
 }
@@ -301,7 +350,7 @@ krbCryptoLength(krb5_context krbContext,
 #ifdef HAVE_HEIMDAL_VERSION
 krb5_crypto krbCrypto,
 #else
- krb5_keyblock *key,
+ const krb5_keyblock *key,
 #endif
 int type,
 size_t *length)
@@ -325,7 +374,7 @@ krbPaddingLength(krb5_context krbContext,
 #ifdef HAVE_HEIMDAL_VERSION
 krb5_crypto krbCrypto,
 #else
- krb5_keyblock *key,
+ const krb5_keyblock *key,
 #endif
 size_t dataLength,
 size_t *padLength)
@@ -368,7 +417,7 @@ krbBlockSize(krb5_context krbContext,
 #ifdef HAVE_HEIMDAL_VERSION
 krb5_crypto krbCrypto,
 #else
- krb5_keyblock *key,
+ const krb5_keyblock *key,
 #endif
 size_t *blockSize)
 {
diff --git a/mech_eap/util_lucid.c b/mech_eap/util_lucid.c
index f9e9941..f50e498 100644
--- a/mech_eap/util_lucid.c
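Review bot: `#endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */` in rfc3961ChecksumTypeForKey now closes an `#if` / `#elif defined(HAVE_HEIMDAL_VERSION)` / `#else` chain, so the trailing comment no longer describes what it ends; `#endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE || HAVE_HEIMDAL_VERSION */` keeps it accurate. The new Heimdal branch's init / get_checksum_type / destroy sequence is correct as far as the hunk shows, but a one-line comment that the crypto object exists only to read the enctype's mandatory checksum type would explain why it is torn down immediately, and the `#if !defined(...) && !defined(...)` guard on the locals should say which branch each local belongs to.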
+++ b/mech_eap/util_lucid.c
@@ -38,7 +38,7 @@
 OM_uint32
 gssEapExportLucidSecContext(OM_uint32 *minor,
- gss_ctx_id_t ctx,
+ gss_const_ctx_id_t ctx,
 const gss_OID desiredObject GSSEAP_UNUSED,
 gss_buffer_set_t *data_set)
 {
diff --git a/mech_eap/util_mech.c b/mech_eap/util_mech.c
index 8cb7e74..944a2fa 100644
--- a/mech_eap/util_mech.c
+++ b/mech_eap/util_mech.c
@@ -196,7 +196,11 @@ gssEapIndicateMechs(OM_uint32 *minor,
 GSSEAP_KRB_INIT(&krbContext);
+#ifdef HAVE_HEIMDAL_VERSION
+ *minor = krb5_get_default_in_tkt_etypes(krbContext, KRB5_PDU_NONE, &etypes);
+#else
 *minor = krb5_get_permitted_enctypes(krbContext, &etypes);
+#endif
 if (*minor != 0) {
 return GSS_S_FAILURE;
 }
diff --git a/mech_eap/util_moonshot.c b/mech_eap/util_moonshot.c
index 68537a3..6d90eb2 100644
--- a/mech_eap/util_moonshot.c
+++ b/mech_eap/util_moonshot.c
@@ -141,7 +141,7 @@ static int stringEmpty(const char * s)
 OM_uint32
 libMoonshotResolveInitiatorCred(OM_uint32 *minor,
 gss_cred_id_t cred,
- const gss_name_t targetName)
+ gss_const_name_t targetName)
 {
 OM_uint32 major, tmpMinor;
 gss_OID nameMech = gssEapPrimaryMechForCred(cred);
diff --git a/mech_eap/util_name.c b/mech_eap/util_name.c
index 455e764..7a2e60b 100644
--- a/mech_eap/util_name.c
+++ b/mech_eap/util_name.c
@@ -270,10 +270,11 @@ importEapNameFlags(OM_uint32 *minor,
 if (KRB_PRINC_REALM(krbPrinc) == NULL)
 code = ENOMEM;
 }
-#endif
-
+ krb5_xfree(defaultRealm);
+#else
 if (defaultRealm != NULL)
 krb5_free_default_realm(krbContext, defaultRealm);
+#endif
 }
 if (nameBuffer != GSS_C_NO_BUFFER)
@@ -533,7 +534,7 @@ gssEapImportName(OM_uint32 *minor,
 OM_uint32
 gssEapExportName(OM_uint32 *minor,
- const gss_name_t name,
+ gss_const_name_t name,
 gss_buffer_t exportedName)
 {
 return gssEapExportNameInternal(minor, name, exportedName,
@@ -542,7 +543,7 @@ gssEapExportName(OM_uint32 *minor,
 OM_uint32
 gssEapExportNameInternal(OM_uint32 *minor,
- const gss_name_t name,
+ gss_const_name_t name,
 gss_buffer_t exportedName,
 OM_uint32 flags)
 {
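Review bot: The Heimdal branch of gssEapIndicateMechs now fills `etypes` from `krb5_get_default_in_tkt_etypes`, while the MIT branch keeps `krb5_get_permitted_enctypes`; the two libraries hand back that array with different ownership conventions, and the matching release is below the hunk where it cannot be checked here, so confirm it has a corresponding `#ifdef HAVE_HEIMDAL_VERSION` and add a comment at this call such as `/* released with the Heimdal free routine below, not krb5_free_enctypes */` naming the pairing.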
@@ -635,7 +636,7 @@ cleanup:
 OM_uint32
 gssEapCanonicalizeName(OM_uint32 *minor,
- const gss_name_t input_name,
+ gss_const_name_t input_name,
 const gss_OID mech_type,
 gss_name_t *dest_name)
 {
@@ -697,7 +698,7 @@ cleanup:
 OM_uint32
 gssEapDuplicateName(OM_uint32 *minor,
- const gss_name_t input_name,
+ gss_const_name_t input_name,
 gss_name_t *dest_name)
 {
 return gssEapCanonicalizeName(minor, input_name,
@@ -705,7 +706,7 @@ gssEapDuplicateName(OM_uint32 *minor,
 }
 static int
-hasRealmP(gss_name_t name)
+hasRealmP(gss_const_name_t name)
 {
 #ifdef HAVE_HEIMDAL_VERSION
 if (KRB_PRINC_REALM(name->krbPrincipal) != NULL &&
@@ -720,7 +721,7 @@ hasRealmP(gss_name_t name)
 OM_uint32
 gssEapDisplayName(OM_uint32 *minor,
- gss_name_t name,
+ gss_const_name_t name,
 gss_buffer_t output_name_buffer,
 gss_OID *output_name_type)
 {
@@ -778,8 +779,8 @@ gssEapDisplayName(OM_uint32 *minor,
 OM_uint32
 gssEapCompareName(OM_uint32 *minor,
- gss_name_t name1,
- gss_name_t name2,
+ gss_const_name_t name1,
+ gss_const_name_t name2,
 OM_uint32 flags,
 int *name_equal)
 {
diff --git a/mech_eap/util_sm.c b/mech_eap/util_sm.c
index a286bba..940ca66 100644
--- a/mech_eap/util_sm.c
+++ b/mech_eap/util_sm.c
@@ -151,7 +151,7 @@ OM_uint32
 gssEapSmStep(OM_uint32 *minor,
 gss_cred_id_t cred,
 gss_ctx_id_t ctx,
- gss_name_t target,
+ gss_const_name_t target,
 gss_OID mech,
 OM_uint32 reqFlags,
 OM_uint32 timeReq,
diff --git a/mech_eap/util_trace.c b/mech_eap/util_trace.c
deleted file mode 100644
index ec74236..0000000
--- a/mech_eap/util_trace.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (c) 2016, JANET(UK)
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of JANET(UK) nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-
-#include "gssapiP_eap.h"
-
-void
-gssEapTraceStatus(const char *function,
- OM_uint32 major, OM_uint32 minor)
-{
- gss_buffer_desc gss_code_buf, mech_buf;
- OM_uint32 tmpmaj, tmpmin, ctx = 0;
- gss_code_buf.value = NULL;
- mech_buf.value = NULL;
- tmpmaj = gss_display_status(&tmpmin, major,
- GSS_C_GSS_CODE, GSS_C_NO_OID, &ctx,
- &gss_code_buf);
- if (!GSS_ERROR(tmpmaj)) {
- if (minor == 0)
- tmpmaj = makeStringBuffer(&tmpmin, "no minor", &mech_buf);
- else tmpmaj = gssEapDisplayStatus(&tmpmin, minor, &mech_buf);
- }
- if (!GSS_ERROR(tmpmaj)) {
- wpa_printf(MSG_INFO, "%s: %.*s/%.*s",
- function, (int) gss_code_buf.length, (char *) gss_code_buf.value,
- (int) mech_buf.length, (char *) mech_buf.value);
- }
- else {
- wpa_printf(MSG_INFO, "%s: %08X/%08X", function, major, minor);
- }
- tmpmaj = gss_release_buffer(&tmpmin, &gss_code_buf);
- tmpmaj = gss_release_buffer(&tmpmin, &mech_buf);
-}
-
diff --git a/mech_eap/verify_mic.c b/mech_eap/verify_mic.c
index c0829f5..bb9bf19 100644
--- a/mech_eap/verify_mic.c
+++ b/mech_eap/verify_mic.c
@@ -37,35 +37,47 @@ #include "gssapiP_eap.h" OM_uint32 GSSAPI_CALLCONV +gss_verify_mic_iov(OM_uint32 *minor, + gss_ctx_id_t ctx, + gss_qop_t *qop_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + OM_uint32 major; + + if (ctx == GSS_C_NO_CONTEXT) { + *minor = EINVAL; + return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT; + } + + GSSEAP_MUTEX_LOCK(&((gss_ctx_id_t)ctx)->mutex); + + major = gssEapUnwrapOrVerifyMIC(minor, (gss_ctx_id_t)ctx, NULL, qop_state, + iov, iov_count, TOK_TYPE_MIC); + + GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex); + + return major; +} + +OM_uint32 GSSAPI_CALLCONV gss_verify_mic(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_ctx_id_t ctx, +#else gss_ctx_id_t ctx, +#endif gss_buffer_t message_buffer, gss_buffer_t message_token, gss_qop_t *qop_state) { - OM_uint32 major; - gss_iov_buffer_desc iov[3]; - int conf_state; - - if (message_token->length < 16) { - *minor = GSSEAP_TOK_TRUNC; - return GSS_S_BAD_SIG; - } - - *minor = 0; + gss_iov_buffer_desc iov[2]; iov[0].type = GSS_IOV_BUFFER_TYPE_DATA; iov[0].buffer = *message_buffer; - iov[1].type = GSS_IOV_BUFFER_TYPE_HEADER; + iov[1].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN; iov[1].buffer = *message_token; - GSSEAP_MUTEX_LOCK(&ctx->mutex); - - major = gssEapUnwrapOrVerifyMIC(minor, ctx, &conf_state, qop_state, - iov, 2, TOK_TYPE_MIC); - - GSSEAP_MUTEX_UNLOCK(&ctx->mutex); - - return major; + return gss_verify_mic_iov(minor, (gss_ctx_id_t)ctx, qop_state, iov, 2); } diff --git a/mech_eap/wrap.c b/mech_eap/wrap.c index 2e27fb3..181bbb0 100644 --- a/mech_eap/wrap.c +++ b/mech_eap/wrap.c @@ -38,7 +38,11 @@ OM_uint32 GSSAPI_CALLCONV gss_wrap(OM_uint32 *minor, +#ifdef HAVE_HEIMDAL_VERSION + gss_const_ctx_id_t ctx, +#else gss_ctx_id_t ctx, +#endif int conf_req_flag, gss_qop_t qop_req, gss_buffer_t input_message_buffer, 
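Review bot: gss_verify_mic_iov takes the context lock but, unlike gss_unwrap and the new gss_get_mic_iov_length in this same commit, never checks `CTX_IS_ESTABLISHED(ctx)` before handing the context to gssEapUnwrapOrVerifyMIC, and it also drops the `*minor = 0;` the old gss_verify_mic set; unless gssEapUnwrapOrVerifyMIC is known to reject unestablished contexts itself, add after the lock `if (!CTX_IS_ESTABLISHED(ctx)) { GSSEAP_MUTEX_UNLOCK(&ctx->mutex); *minor = GSSEAP_CONTEXT_INCOMPLETE; return GSS_S_NO_CONTEXT; }`. The `(gss_ctx_id_t)ctx` casts inside gss_verify_mic_iov are redundant, since its own `ctx` parameter is already non-const. The old `message_token->length < 16` guard that returned GSS_S_BAD_SIG with GSSEAP_TOK_TRUNC is removed without a replacement visible here; if unwrapToken does not enforce a minimum MIC token size, the minimum-length check should be restored in one of the two places.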
@@ -54,7 +58,7 @@ gss_wrap(OM_uint32 *minor,
 *minor = 0;
- GSSEAP_MUTEX_LOCK(&ctx->mutex);
+ GSSEAP_MUTEX_LOCK(&((gss_ctx_id_t)ctx)->mutex);
 if (!CTX_IS_ESTABLISHED(ctx)) {
 major = GSS_S_NO_CONTEXT;
@@ -62,14 +66,14 @@ gss_wrap(OM_uint32 *minor,
 goto cleanup;
 }
- major = gssEapWrap(minor, ctx, conf_req_flag, qop_req,
- input_message_buffer,
+ major = gssEapWrap(minor, (gss_ctx_id_t)ctx, conf_req_flag,
+ qop_req, input_message_buffer,
 conf_state, output_message_buffer);
 if (GSS_ERROR(major))
 goto cleanup;
 cleanup:
- GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+ GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex);
 return major;
 }
@@ -104,7 +108,7 @@ gssEapWrap(OM_uint32 *minor,
 iov[3].buffer.length = 0;
 major = gssEapWrapIovLength(minor, ctx, conf_req_flag, qop_req,
- NULL, iov, 4);
+ NULL, iov, 4, TOK_TYPE_WRAP);
 if (GSS_ERROR(major)) {
 return major;
 }
diff --git a/mech_eap/wrap_iov.c b/mech_eap/wrap_iov.c
index be890b6..4d5701f 100644
--- a/mech_eap/wrap_iov.c
+++ b/mech_eap/wrap_iov.c
@@ -60,7 +60,7 @@
 #include "gssapiP_eap.h"
 unsigned char
-rfc4121Flags(gss_ctx_id_t ctx, int receiving)
+rfc4121Flags(gss_const_ctx_id_t ctx, int receiving)
 {
 unsigned char flags;
 int isAcceptor;
@@ -126,7 +126,7 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
 gssEapIovMessageLength(iov, iov_count, &dataLen, &assocDataLen);
- header = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ header = gssEapLocateHeaderIov(iov, iov_count, toktype);
 if (header == NULL) {
 *minor = GSSEAP_MISSING_IOV;
 return GSS_S_FAILURE;
@@ -297,7 +297,7 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
 code = gssEapSign(krbContext, ctx->checksumType, rrc,
 KRB_CRYPTO_CONTEXT(ctx), keyUsage,
- iov, iov_count);
+ iov, iov_count, toktype);
 if (code != 0)
 goto cleanup;
@@ -359,7 +359,7 @@ gss_wrap_iov(OM_uint32 *minor,
 *minor = 0;
- GSSEAP_MUTEX_LOCK(&ctx->mutex);
+ GSSEAP_MUTEX_LOCK(&((gss_ctx_id_t)ctx)->mutex);
 if (!CTX_IS_ESTABLISHED(ctx)) {
 major = GSS_S_NO_CONTEXT;
@@ -367,13 +367,14 @@ gss_wrap_iov(OM_uint32 *minor,
 goto cleanup;
 }
- major = gssEapWrapOrGetMIC(minor, ctx, conf_req_flag, conf_state,
+ major = gssEapWrapOrGetMIC(minor, (gss_ctx_id_t)ctx, conf_req_flag, conf_state,
 iov, iov_count, TOK_TYPE_WRAP);
 if (GSS_ERROR(major))
 goto cleanup;
 cleanup:
- GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+ GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex);
 return major;
 }
+
diff --git a/mech_eap/wrap_iov_length.c b/mech_eap/wrap_iov_length.c
index 5621aed..bd1f6fb 100644
--- a/mech_eap/wrap_iov_length.c
+++ b/mech_eap/wrap_iov_length.c
@@ -65,12 +65,13 @@
 OM_uint32
 gssEapWrapIovLength(OM_uint32 *minor,
- gss_ctx_id_t ctx,
+ gss_const_ctx_id_t ctx,
 int conf_req_flag,
 gss_qop_t qop_req,
 int *conf_state,
 gss_iov_buffer_desc *iov,
- int iov_count)
+ int iov_count,
+ enum gss_eap_token_type toktype)
 {
 gss_iov_buffer_t header, trailer, padding;
 size_t dataLength, assocDataLength;
@@ -78,7 +79,7 @@ gssEapWrapIovLength(OM_uint32 *minor,
 size_t krbHeaderLen = 0, krbTrailerLen = 0, krbPadLen = 0;
 krb5_error_code code;
 krb5_context krbContext;
- int dce_style;
+ int dce_or_mic;
 size_t ec;
 #ifdef HAVE_HEIMDAL_VERSION
 krb5_crypto krbCrypto = NULL;
@@ -96,7 +97,7 @@ gssEapWrapIovLength(OM_uint32 *minor,
 GSSEAP_KRB_INIT(&krbContext);
- header = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+ header = gssEapLocateHeaderIov(iov, iov_count, toktype);
 if (header == NULL) {
 *minor = GSSEAP_MISSING_IOV;
 return GSS_S_FAILURE;
@@ -108,7 +109,10 @@ gssEapWrapIovLength(OM_uint32 *minor,
 INIT_IOV_DATA(trailer);
 }
- dce_style = ((ctx->gssFlags & GSS_C_DCE_STYLE) != 0);
+ /* MIC tokens and DCE-style wrap tokens have similar length considerations:
+ * no padding, and the framing surrounds the header only, not the data. */
+ dce_or_mic = ((ctx->gssFlags & GSS_C_DCE_STYLE) != 0 ||
+ toktype == TOK_TYPE_MIC);
 /* For CFX, EC is used instead of padding, and is placed in header or trailer */
 padding = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
@@ -160,7 +164,7 @@ gssEapWrapIovLength(OM_uint32 *minor,
 return GSS_S_FAILURE;
 }
- if (krbPadLen == 0 && dce_style) {
+ if (krbPadLen == 0 && dce_or_mic) {
 /* Windows rejects AEAD tokens with non-zero EC */
 code = krbBlockSize(krbContext, KRB_CRYPTO_CONTEXT(ctx), &ec);
 if (code != 0) {
@@ -223,7 +227,42 @@ gss_wrap_iov_length(OM_uint32 *minor,
 }
 major = gssEapWrapIovLength(minor, ctx, conf_req_flag, qop_req,
- conf_state, iov, iov_count);
+ conf_state, iov, iov_count, TOK_TYPE_WRAP);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+cleanup:
+ GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+
+ return major;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+gss_get_mic_iov_length(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ gss_qop_t qop_req,
+ gss_iov_buffer_desc *iov,
+ int iov_count)
+{
+ OM_uint32 major;
+
+ if (ctx == GSS_C_NO_CONTEXT) {
+ *minor = EINVAL;
+ return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT;
+ }
+
+ *minor = 0;
+
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ if (!CTX_IS_ESTABLISHED(ctx)) {
+ major = GSS_S_NO_CONTEXT;
+ *minor = GSSEAP_CONTEXT_INCOMPLETE;
+ goto cleanup;
+ }
+
+ major = gssEapWrapIovLength(minor, ctx, FALSE, qop_req,
+ NULL, iov, iov_count, TOK_TYPE_MIC);
 if (GSS_ERROR(major))
 goto cleanup;
diff --git a/mech_eap/wrap_size_limit.c b/mech_eap/wrap_size_limit.c
index d11fd63..858b9a7 100644
--- a/mech_eap/wrap_size_limit.c
+++ b/mech_eap/wrap_size_limit.c
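Review bot: gss_get_mic_iov_length is a new public entry point in wrap_iov_length.c, but the export lists touched by this commit (mech_eap.exports and mech_eap-noacceptor.exports) add only `gss_get_mic_iov` and `gss_verify_mic_iov`, so unless it is meant to stay internal it will not be reachable through the shared object's symbol table. Its body continues past the end of the hunk, reusing the `cleanup` label that previously belonged to gss_wrap_iov_length. The `dce_or_mic` comment is a useful addition; a similar one-liner on the `FALSE` passed as `conf_req_flag`, e.g. `/* MIC tokens never carry confidentiality */`, would explain why that argument is a constant here.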
@@ -38,7 +38,11 @@
 OM_uint32 GSSAPI_CALLCONV
 gss_wrap_size_limit(OM_uint32 *minor,
+#ifdef HAVE_HEIMDAL_VERSION
+ gss_const_ctx_id_t ctx,
+#else
 gss_ctx_id_t ctx,
+#endif
 int conf_req_flag,
 gss_qop_t qop_req,
 OM_uint32 req_output_size,
@@ -54,7 +58,7 @@ gss_wrap_size_limit(OM_uint32 *minor,
 *minor = 0;
- GSSEAP_MUTEX_LOCK(&ctx->mutex);
+ GSSEAP_MUTEX_LOCK(&((gss_ctx_id_t)ctx)->mutex);
 if (!CTX_IS_ESTABLISHED(ctx)) {
 major = GSS_S_NO_CONTEXT;
@@ -79,7 +83,7 @@ gss_wrap_size_limit(OM_uint32 *minor,
 iov[3].buffer.length = 0;
 major = gssEapWrapIovLength(minor, ctx, conf_req_flag, qop_req,
- NULL, iov, 4);
+ NULL, iov, TOK_TYPE_WRAP, 4);
 if (GSS_ERROR(major))
 goto cleanup;
@@ -91,7 +95,7 @@ gss_wrap_size_limit(OM_uint32 *minor,
 *max_input_size = 0;
 cleanup:
- GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+ GSSEAP_MUTEX_UNLOCK(&((gss_ctx_id_t)ctx)->mutex);
 return major;
 }
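Review bot: The call `gssEapWrapIovLength(minor, ctx, conf_req_flag, qop_req, NULL, iov, TOK_TYPE_WRAP, 4)` in gss_wrap_size_limit transposes the last two arguments: the prototype this commit adds in wrap_iov_length.c takes `int iov_count` before `enum gss_eap_token_type toktype`, so TOK_TYPE_WRAP (0x0504) becomes the IOV count and 4 becomes the token type, and gssEapLocateHeaderIov will presumably walk far beyond the four-element `iov` array on the stack. wrap.c in this same commit passes them correctly; this line should read `NULL, iov, 4, TOK_TYPE_WRAP);`. Because C converts freely between int and enum, the compiler will not diagnose the swap, which is a good reason to pin it with a test that calls gss_wrap_size_limit on an established context.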