Sam Hartman [Fri, 13 Sep 2013 19:41:19 +0000 (15:41 -0400)]
EAP Channel binding support
Merge remote-tracking branch 'origin/eap-chbind'
Conflicts:
mech_eap/accept_sec_context.c
mech_eap/dictionary.ukerna
mech_eap/gsseap_err.et
mech_eap/util_radius.h
Sam Hartman [Fri, 31 May 2013 13:35:01 +0000 (09:35 -0400)]
update for another redhat build
Sam Hartman [Tue, 28 May 2013 19:06:58 +0000 (15:06 -0400)]
Update RPM release to link against libmoonshot
Sam Hartman [Wed, 8 May 2013 11:58:28 +0000 (07:58 -0400)]
Increase version for redhat because of new OID and IETF changes; this should have been done back in May
Sam Hartman [Tue, 30 Apr 2013 19:55:05 +0000 (15:55 -0400)]
Update build deps for shibboleth
Sam Hartman [Mon, 29 Apr 2013 20:26:07 +0000 (16:26 -0400)]
Support curl-openssl-devel from shibboleth in RH spec files
Sam Hartman [Fri, 26 Apr 2013 21:26:29 +0000 (22:26 +0100)]
Update spec for mech_eap
Luke Howard [Thu, 18 Apr 2013 22:55:24 +0000 (18:55 -0400)]
fix build without OpenSAML
Luke Howard [Thu, 18 Apr 2013 22:45:10 +0000 (18:45 -0400)]
Reindent
Luke Howard [Thu, 18 Apr 2013 22:41:59 +0000 (18:41 -0400)]
Reindent
Sam Hartman [Thu, 4 Apr 2013 16:25:17 +0000 (12:25 -0400)]
textual identities to UI
The call to moonshot_get_identity included exported name tokens; the
interface expected C strings. Use gssEapDisplayName instead.
Sam Hartman [Thu, 20 Sep 2012 00:26:58 +0000 (20:26 -0400)]
Clarify where else comes from for code clarity
Luke Howard [Tue, 2 Apr 2013 05:48:02 +0000 (16:48 +1100)]
Chbind cleanups
* indentation
* don't use non-booleans as truth values
* consistent cleanup handling
* improved variable names
Sam Hartman [Tue, 26 Mar 2013 00:25:22 +0000 (20:25 -0400)]
ttls: defer METHOD_DONE if cb pending
Allow a round trip including CB response.
Sam Hartman [Mon, 25 Mar 2013 20:19:36 +0000 (16:19 -0400)]
ttls: chbind_hdr is packed
Sam Hartman [Fri, 22 Mar 2013 19:39:43 +0000 (15:39 -0400)]
libeap: Use AM_CFLAGS not CFLAGS
Sam Hartman [Fri, 22 Mar 2013 18:01:23 +0000 (14:01 -0400)]
libeap: ttls: encapsulate using RADIUS VSA
It turns out that older versions of FreeRADIUS will fail if they
receive a Diameter VSA not in their dictionary. A RADIUS VSA is fine
though. This does not comply with the TTLS spec, but is the best we
can do in terms of interoperability, so do that.
Sam Hartman [Fri, 22 Mar 2013 17:13:28 +0000 (13:13 -0400)]
libeap: use attribute 135 not 134 for ttls chbind
Sam Hartman [Tue, 19 Mar 2013 18:04:27 +0000 (14:04 -0400)]
chbind: use IETF attributes
Use non-VSA IETF attributes for channel binding. Also, permit more
attributes in response than request.
Kevin Wasserman [Fri, 17 Feb 2012 19:30:56 +0000 (14:30 -0500)]
Set GSS_C_MUTUAL_FLAG only on successful channel binding.
Previously, GSS_C_MUTUAL_FLAG was always set in the initiator context;
CTX_FLAG_EAP_CHBIND_ACCEPT was also set on successful channel binding.
Then GSS_C_MUTUAL_FLAG was properly specified in the return flags to
gssEapInitSecContext() depending on whether CTX_FLAG_EAP_CHBIND was set,
but eapGssSmInitGssFlags() was improperly sending GSS_C_MUTUAL_FLAG to
the acceptor even when no channel binding had occurred.
Kevin Wasserman [Wed, 15 Feb 2012 20:22:26 +0000 (15:22 -0500)]
Fix bug in eap_ttls_avp_encapsulate() when >248 bytes are encapsulated.
src pointer wasn't being advanced, so the first 248 bytes were duplicated
in place of the remainder of the message.
Kevin Wasserman [Fri, 17 Feb 2012 20:09:28 +0000 (15:09 -0500)]
Eap channel bindings cleanup
Simplify radius buffer construction and parse service-specifics correctly.
Kevin Wasserman [Fri, 10 Feb 2012 16:51:12 +0000 (11:51 -0500)]
Simplify and document radius_utils.c and radius_utils.h
Luke Howard [Thu, 13 Dec 2012 19:14:15 +0000 (20:14 +0100)]
krb5_free_unparsed_name deprecated by Heimdal
use krb5_xfree
Luke Howard [Thu, 13 Dec 2012 19:09:42 +0000 (20:09 +0100)]
krb5_free_data_contents deprecated by Heimdal
Use krb5_data_free instead
Luke Howard [Thu, 13 Dec 2012 02:27:39 +0000 (13:27 +1100)]
indentation fix
Sam Hartman [Fri, 16 Nov 2012 02:38:27 +0000 (21:38 -0500)]
Return WRONG_ACCEPTOR_NAME
Create a new error for incorrect acceptor name received from acceptor
to aid in debugging.
Luke Howard [Tue, 13 Nov 2012 05:25:20 +0000 (16:25 +1100)]
allow empty acceptor names
Luke Howard [Wed, 26 Sep 2012 07:25:22 +0000 (17:25 +1000)]
indentation fix
Luke Howard [Fri, 21 Sep 2012 19:34:11 +0000 (05:34 +1000)]
Ignore empty realms comparing acceptor name hint
Conflicts:
mech_eap/util_name.c
Luke Howard [Wed, 19 Sep 2012 12:32:42 +0000 (22:32 +1000)]
Call gssEapReleaseName not gss_release_name
We have a mech name, not a union name, so use the local mechanism.
Luke Howard [Wed, 19 Sep 2012 12:09:11 +0000 (22:09 +1000)]
indentation fix
Luke Howard [Wed, 19 Sep 2012 12:06:02 +0000 (22:06 +1000)]
fix indentation
Sam Hartman [Wed, 19 Sep 2012 00:45:25 +0000 (20:45 -0400)]
Call gssEapCompareName not gss_compare_name
We have a mech name, not a union name, so use the local mechanism.
Luke Howard [Sun, 16 Sep 2012 04:11:31 +0000 (14:11 +1000)]
remove references to PADL mechanism OIDs
Luke Howard [Sun, 16 Sep 2012 04:07:44 +0000 (14:07 +1000)]
neglected gss-eap-v1 arc in OID comment table
Luke Howard [Sun, 16 Sep 2012 03:00:04 +0000 (13:00 +1000)]
Coding style conform
Sam Hartman [Fri, 14 Sep 2012 17:18:08 +0000 (13:18 -0400)]
Update to use IETF RADIUS attributes
draft-ietf-abfab-gss-eap is approved and IANA has assigned
standardized RADIUS attributes, so these are no longer vendor
specific.
Update dictionary file to change the names of the existing attributes.
Sam Hartman [Fri, 14 Sep 2012 17:53:34 +0000 (13:53 -0400)]
Update name OIDs
Add comment on where OIDs come from and update oid for EAP name type.
Kevin Wasserman [Wed, 12 Sep 2012 15:52:05 +0000 (11:52 -0400)]
Update mech oid to conform to draft-ietf-abfab-gss-eap-09
Sam Hartman [Wed, 12 Sep 2012 20:29:21 +0000 (16:29 -0400)]
Update gitignore
Sam Hartman [Wed, 12 Sep 2012 20:28:58 +0000 (16:28 -0400)]
Fix gcc 4.7 warnings
Sam Hartman [Tue, 11 Sep 2012 19:50:30 +0000 (15:50 -0400)]
Send acceptor name and verify
In extensions state, send the acceptor name.
When the acceptor name is sent, verify if we already have a name hint.
Sam Hartman [Tue, 11 Sep 2012 18:52:17 +0000 (14:52 -0400)]
Update to gss-eap-naming-04
Update attribute prefixes used to draft-ietf-abfab-gss-eap-naming-04.
Sam Hartman [Tue, 11 Sep 2012 18:15:49 +0000 (14:15 -0400)]
Merge remote-tracking branch 'origin/radius-new-client-pkcs12'
Sam Hartman [Tue, 11 Sep 2012 18:13:12 +0000 (14:13 -0400)]
Merge remote-tracking branch 'origin/rfc3961-mic'
Luke Howard [Sat, 8 Sep 2012 23:47:33 +0000 (09:47 +1000)]
fix ISCBO for gssEapPseudoRandom signature change
Luke Howard [Sat, 8 Sep 2012 02:28:30 +0000 (12:28 +1000)]
corresponding header change for gssEapPseudoRandom
Luke Howard [Fri, 7 Sep 2012 03:25:09 +0000 (13:25 +1000)]
Cleanup gssEapPseudoRandom()
Luke Howard [Wed, 5 Sep 2012 01:38:53 +0000 (11:38 +1000)]
Don't define inline if compiling C++ on Win32
Luke Howard [Sat, 11 Aug 2012 04:30:56 +0000 (14:30 +1000)]
Handle NULL sequence state in exported partial contexts
This could be further improved by not encoding the sequence state
if it is zero.
Luke Howard [Sat, 11 Aug 2012 04:23:05 +0000 (14:23 +1000)]
Don't expect OID for imported initiator name
Luke Howard [Tue, 19 Jun 2012 15:45:38 +0000 (01:45 +1000)]
allow GSS_C_NO_CREDENTIAL to gssEapPrimaryMechForCred
Luke Howard [Sat, 11 Aug 2012 00:54:38 +0000 (10:54 +1000)]
preserve name mechanism on imported contexts
Luke Howard [Tue, 19 Jun 2012 15:45:38 +0000 (01:45 +1000)]
allow GSS_C_NO_CREDENTIAL to gssEapPrimaryMechForCred
Kevin Wasserman [Wed, 8 Feb 2012 15:33:29 +0000 (10:33 -0500)]
Fix libeap/src/utils/common.h to support windows+ipv6.
Use winsock2.h + ws2tcpip.h instead of winsock.h
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
Sam Hartman [Sun, 5 Feb 2012 22:33:23 +0000 (22:33 +0000)]
Fix pointer signedness issues
Kevin Wasserman [Sun, 5 Feb 2012 20:56:00 +0000 (15:56 -0500)]
Eap channel bindings fixes
Only specify GSS_C_MUTUAL_FLAG return flag on successful eap channel
binding.
Kevin Wasserman [Thu, 2 Feb 2012 21:32:50 +0000 (16:32 -0500)]
EAP Channel binding
Kevin Wasserman [Sun, 5 Feb 2012 20:45:19 +0000 (15:45 -0500)]
eap channel bindings: use ukerna vsa to encapsulate ttls chbind messages.
Kevin Wasserman [Thu, 2 Feb 2012 12:44:29 +0000 (07:44 -0500)]
eap channel binding support.
Kevin Wasserman [Tue, 20 Dec 2011 16:40:30 +0000 (11:40 -0500)]
channel binding WIP: add chbind_data, chbind_data_len to eap_peer_config
Luke Howard [Thu, 2 Feb 2012 21:04:00 +0000 (08:04 +1100)]
Merge branch 'master' into radius-new-client-pkcs12
Sam Hartman [Tue, 24 Jan 2012 17:39:42 +0000 (12:39 -0500)]
Bump spec version
Sam Hartman [Tue, 3 Jan 2012 20:41:17 +0000 (15:41 -0500)]
Initialize shib resolver before opensaml so catalog path is set
Sam Hartman [Tue, 24 Jan 2012 17:38:03 +0000 (12:38 -0500)]
util_moonshot.c: Handle empty strings in trust anchor arguments.
Sam Hartman [Wed, 18 Jan 2012 00:27:48 +0000 (19:27 -0500)]
Treat empty cert hash as NULL (LP: #917956)
Luke Howard [Wed, 11 Jan 2012 05:56:39 +0000 (16:56 +1100)]
fix order of operations merge regression
Luke Howard [Mon, 14 Nov 2011 07:54:59 +0000 (18:54 +1100)]
use rs_attr_display_name/rs_attr_parse_name
Luke Howard [Mon, 14 Nov 2011 07:23:49 +0000 (18:23 +1100)]
use "26" as prefix for vendor attributes
Luke Howard [Mon, 14 Nov 2011 06:36:59 +0000 (17:36 +1100)]
use urn:ietf:params:gssapi:aaa-radius prefix
Luke Howard [Mon, 14 Nov 2011 06:06:21 +0000 (17:06 +1100)]
remove dictionary param from sample radsec config
Luke Howard [Mon, 14 Nov 2011 03:41:11 +0000 (14:41 +1100)]
check rs_attr_find return code correctly
Luke Howard [Mon, 14 Nov 2011 01:44:01 +0000 (12:44 +1100)]
remove rs_context_init_freeradius_dict
Luke Howard [Mon, 14 Nov 2011 00:54:07 +0000 (11:54 +1100)]
port to new RADIUS client library
Sam Hartman [Tue, 3 Jan 2012 16:56:17 +0000 (11:56 -0500)]
Merge remote-tracking branch 'origin/master'
Pete Fotheringham [Mon, 2 Jan 2012 18:33:40 +0000 (18:33 +0000)]
Automated builds and creation of installer package and disk image works
Luke Howard [Mon, 12 Dec 2011 09:30:38 +0000 (20:30 +1100)]
Revert "InitOnceExecuteOnce not present on XP"
This reverts commit 061ae16ba14ef7a70bdb4741a1e04ced4d5d7b09.
There is still a race in this lockless one-time initialization which
could cause an assertion failure. Until we decide whether XP support
for the acceptor is required, back this out.
Luke Howard [Sat, 10 Dec 2011 09:39:17 +0000 (20:39 +1100)]
InitOnceExecuteOnce not present on XP
Luke Howard [Sat, 10 Dec 2011 23:57:48 +0000 (10:57 +1100)]
Merge branch 'master' of ssh://moonshot.suchdamage.org:822/srv/git/moonshot
Luke Howard [Thu, 1 Dec 2011 03:19:18 +0000 (14:19 +1100)]
add MS-Windows-Group-Sid
Pete Fotheringham [Wed, 30 Nov 2011 18:33:33 +0000 (18:33 +0000)]
Merge branch 'master' of project-moonshot.org/git/moonshot
Conflicts:
moonshot/mech_eap/Makefile.am
Pete Fotheringham [Wed, 30 Nov 2011 17:31:26 +0000 (17:31 +0000)]
Link against the Kerberos library in /usr/local instead of the version in /usr
Luke Howard [Mon, 28 Nov 2011 15:01:39 +0000 (02:01 +1100)]
Revert "Support EAP-TLS in Moonshot (requires OpenSSL)"
This reverts commit 2ef42df0ecea8745a678fe26ff9b16072b93586b.
Luke Howard [Mon, 28 Nov 2011 15:01:34 +0000 (02:01 +1100)]
Revert "remember to duplicate clientCertificate"
This reverts commit 0bde9b2ad5a4a36f745f1c91e9155edb337922b8.
Luke Howard [Mon, 28 Nov 2011 15:01:28 +0000 (02:01 +1100)]
Revert "Allow certificate/private key to contain binary data"
This reverts commit 6196f93aaca970f23276407af0812179c51a29ea.
Luke Howard [Thu, 17 Nov 2011 11:15:47 +0000 (22:15 +1100)]
NFSv4 patch from Daniel Kouril
Luke Howard [Thu, 17 Nov 2011 09:34:12 +0000 (20:34 +1100)]
Allow certificate/private key to contain binary data
Luke Howard [Thu, 17 Nov 2011 09:04:08 +0000 (20:04 +1100)]
remember to duplicate clientCertificate
Luke Howard [Thu, 17 Nov 2011 08:33:22 +0000 (19:33 +1100)]
Support EAP-TLS in Moonshot (requires OpenSSL)
Luke Howard [Thu, 17 Nov 2011 08:32:47 +0000 (19:32 +1100)]
Merge branch 'moonshot' of ssh://moonshot.suchdamage.org:822/srv/git/libeap into moonshot
Conflicts:
Makefile.am
Luke Howard [Thu, 17 Nov 2011 05:37:06 +0000 (16:37 +1100)]
link against OpenSSL backend
Luke Howard [Sat, 22 Oct 2011 02:38:51 +0000 (13:38 +1100)]
wrap gssQueryMechanismInfo
Luke Howard [Fri, 21 Oct 2011 03:51:09 +0000 (14:51 +1100)]
Merge branch 'master' of ssh://moonshot.suchdamage.org:822/srv/git/moonshot
Luke Howard [Fri, 21 Oct 2011 03:50:05 +0000 (14:50 +1100)]
Fix for building without acceptor
Luke Howard [Wed, 5 Oct 2011 22:44:51 +0000 (09:44 +1100)]
use RFC3961 checksums for CB/exts MIC
Sam Hartman [Thu, 13 Oct 2011 13:55:00 +0000 (09:55 -0400)]
Fix merge conflict
Sam Hartman [Mon, 10 Oct 2011 13:46:46 +0000 (14:46 +0100)]
Add freeradius to rpath; disable ui integration from spec for now
Sam Hartman [Sat, 8 Oct 2011 14:54:59 +0000 (15:54 +0100)]
Spec file update
Sam Hartman [Fri, 16 Sep 2011 18:56:38 +0000 (19:56 +0100)]
Update libeap to include make dist